BIP374: Add message to rand computation

andrewtoth commented at 6:36 pm on February 6, 2025: contributor

Include the message in the rand computation to avoid leaking a as described here.

BIP374: Add message to rand computation d92a428077

BIP374: Update reference and test vectors 27d4d380bd

andrewtoth force-pushed on Feb 6, 2025

murchandamus commented at 6:49 pm on February 6, 2025: contributor

This might be a good point to introduce a Changelog?

jonatack added the label Proposed BIP modification on Feb 6, 2025

jonatack added the label Bug fix on Feb 6, 2025

jonatack commented at 5:05 pm on February 22, 2025: member

This might be a good point to introduce a Changelog? @andrewtoth would you like to add a changelog here? I suppose an editor can add one if you prefer.

Add changelog 44b8f19fb3

andrewtoth commented at 7:10 pm on February 22, 2025: contributor

@jonatack @murchandamus I’ve added a changelog section.

in bip-0374.mediawiki:125 in 44b8f19fb3 outdated

117@@ -118,6 +118,12 @@ This proposal is compatible with all older clients.
118 A reference python implementation is included [https://github.com/bitcoin/bips/blob/master/bip-0374/reference.py here].
119 Test vectors can be generated by running <code>./bip-0374/gen_test_vectors.py</code> which will produce a CSV file of random test vectors for both generating and verifying proofs. These can be run against the reference implementation with <code>./bip-0374/run_test_vectors.py</code>.
120 
121+== Changelog ==
122+
123+To help implementors understand updates to this BIP, we keep a list of substantial changes.
124+
125+* 2025-02: Add the message to the rand computation

murchandamus commented at 7:29 pm on February 25, 2025:

Perhaps you could use the formatting proposed by BIP3, even if it’s not active at this time:

The version 1.0.0 is reserved for the move to Proposed, so probably 0.1.0 or 0.2.0, if you want to backfill 0.1.0 would be appropriate.

andrewtoth commented at 9:28 pm on February 25, 2025:

Done!

murchandamus commented at 7:32 pm on February 25, 2025: contributor

Perhaps you could use

Format changelog according to BIP3 186b944c93

in bip-0374.mediawiki:123 in 44b8f19fb3 outdated

117@@ -118,6 +118,12 @@ This proposal is compatible with all older clients.
118 A reference python implementation is included [https://github.com/bitcoin/bips/blob/master/bip-0374/reference.py here].
119 Test vectors can be generated by running <code>./bip-0374/gen_test_vectors.py</code> which will produce a CSV file of random test vectors for both generating and verifying proofs. These can be run against the reference implementation with <code>./bip-0374/run_test_vectors.py</code>.
120 
121+== Changelog ==
122+
123+To help implementors understand updates to this BIP, we keep a list of substantial changes.

jonatack commented at 10:11 pm on February 25, 2025:

s/implementors/implementers/ (see #1766)

(or simply drop this line)

in bip-0374.mediawiki:127 in 186b944c93 outdated

122+
123+To help implementors understand updates to this BIP, we keep a list of substantial changes.
124+
125+* 0.2.0 (2025-02):
126+** Add the message to the rand computation
127+* 0.1.0 (2024-12):

jonatack commented at 10:14 pm on February 25, 2025:

0* 0.1.0 (2024-12-26):

in bip-0374.mediawiki:125 in 186b944c93 outdated

117@@ -118,6 +118,15 @@ This proposal is compatible with all older clients.
118 A reference python implementation is included [https://github.com/bitcoin/bips/blob/master/bip-0374/reference.py here].
119 Test vectors can be generated by running <code>./bip-0374/gen_test_vectors.py</code> which will produce a CSV file of random test vectors for both generating and verifying proofs. These can be run against the reference implementation with <code>./bip-0374/run_test_vectors.py</code>.
120 
121+== Changelog ==
122+
123+To help implementors understand updates to this BIP, we keep a list of substantial changes.
124+
125+* 0.2.0 (2025-02):

jonatack commented at 10:15 pm on February 25, 2025:

Maybe the date of opening this PR, or the current date of the latest push.

0* 0.2.0 (2025-02-25):

in bip-0374.mediawiki:77 in 186b944c93 outdated

72@@ -73,12 +73,12 @@ The algorithm ''GenerateProof(a, B, r, G, m)'' is defined as:
73 * Let ''A = a⋅G''.
74 * Let ''C = a⋅B''.
75 * Let ''t'' be the byte-wise xor of ''bytes(32, a)'' and ''hash<sub>BIP0374/aux</sub>(r)''.
76-* Let ''rand = hash<sub>BIP0374/nonce</sub>(t || cbytes(A) || cbytes(C))''.
77+* Let ''m' = m if m is provided, otherwise an empty byte array''.
78+* Let ''rand = hash<sub>BIP0374/nonce</sub>(t || cbytes(A) || cbytes(C) || m')''.<ref name="why_include_m_in_rand"> ''' Why include the message in the rand computation?''' Not including the message in the rand compution could leak ''a'' if two proofs were constructed for the same ''a'', ''B'', and ''G'' but different ''m'' and all-zero ''r''.</ref>

jonatack commented at 10:20 pm on February 25, 2025:

0* Let ''rand = hash<sub>BIP0374/nonce</sub>(t || cbytes(A) || cbytes(C) || m')''.<ref name="why_include_m_in_rand"> ''' Why include the message in the rand computation?''' Not including the message in the rand compution could leak ''a'' if two proofs were constructed for the same ''a'', ''B'', and ''G'' but a different message ''m'' and an all-zero ''r''.</ref>

jonatack commented at 10:23 pm on February 25, 2025: member

ACK with a few suggestions

Add creation date

Co-authored-by: Jon Atack <jon@atack.com>

3726f1db6f

Grammar fix

Co-authored-by: Jon Atack <jon@atack.com>

e83a2b8047

update changelog cc98505440

jonatack commented at 4:37 pm on February 27, 2025: member

ACK cc985054405d88182894b49a05009f4e608a6cdd

jonatack merged this on Feb 27, 2025

jonatack closed this on Feb 27, 2025

andrewtoth deleted the branch on Feb 27, 2025

BIP374: Add message to rand computation #1758