BIP-374: Pass G and m to VerifyProof in GenerateProof self-check #2011

pull: Forostovec wants to merge 1 commit into bitcoin:master from Forostovec:master, changing 1 file (+1 −1)
  1. Forostovec commented at 10:23 am on October 19, 2025: contributor

    Problem: In GenerateProof step 85 the self-check calls VerifyProof(A, B, C, proof) without G and m, but VerifyProof is defined as VerifyProof(A, B, C, proof, G, m). This omission breaks self-check when a non-empty message m is used or when a non-default generator G is passed.

    Evidence: Spec definition requires G and m:

    The algorithm ''VerifyProof(A, B, C, proof, G, m)'' is defined as:
    * Fail if any of ''is_infinite(A)'', ''is_infinite(B)'', ''is_infinite(C)'', ''is_infinite(G)''
    * Let ''e = int(proof[0:32])''.
    * Let ''s = int(proof[32:64])''; fail if ''s ≥ n''.
    

    Reference implementation passes G and m in the self-check: bip-0374/reference.py

    proof = e.to_bytes(32, "big") + s.to_bytes(32, "big")
    if not dleq_verify_proof(A, B, C, proof, G=G, m=m):
        return None
    

    GenerateProof includes m in challenge derivation and treats G as an input, so omitting them in VerifyProof recomputes a different challenge and will fail for non-empty m and non-default G.

  2. BIP-374: Pass G and m to VerifyProof in GenerateProof self-check 1bb1aee5b0
  3. murchandamus added the label Pending acceptance on Oct 21, 2025
  4. murchandamus added the label Bug fix on Oct 21, 2025
  5. jonatack commented at 7:31 pm on October 21, 2025: member
    LGTM ACK, the change to the VerifyProof call here in GenerateProof seems to align with both VerifyProof in the BIP draft and how dleq_verify_proof is called from dleq_generate_proof in the reference.py code.
  6. murchandamus commented at 7:37 pm on October 21, 2025: contributor
  7. andrewtoth approved
  8. andrewtoth commented at 0:14 am on October 23, 2025: contributor

    ACK 1bb1aee5b0b6f5e0d2ca2c72970cc6de727df1bf

    Nice catch.

  9. jonatack removed the label Pending acceptance on Oct 23, 2025
  10. jonatack merged this on Oct 23, 2025
  11. jonatack closed this on Oct 23, 2025
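
As an added, runnable illustration of the point made in the PR description (example code written for this page, not the BIP-374 reference implementation or the BIP text): a minimal DLEQ prover and verifier over secp256k1 in which the challenge binds the generator-derived commitments and the message m, so VerifyProof needs both G and m to recompute the same challenge. The challenge derivation (a single plain SHA-256), the random nonce, and the names `generate_proof`, `verify_proof` and `self_check_with_context` are simplifications assumed here, not BIP-374's tagged-hash scheme or its deterministic nonce. The `self_check_with_context=False` path reproduces a self-check that calls the verifier without G and m, which makes proof generation return None exactly when a non-empty m or a non-default generator is in use.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the group BIP-374 is defined over).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P         # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Scalar multiplication by double-and-add (not constant time; demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    """Fixed-width encoding of a finite point for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(A, B, C, R1, R2, m):
    """Assumed challenge derivation: one SHA-256 over all public values and m.
    BIP-374 uses its own tagged hash; only the binding of m is mirrored here."""
    h = hashlib.sha256(b"dleq-demo/challenge"
                       + b"".join(encode(p) for p in (A, B, C, R1, R2)) + m)
    return int.from_bytes(h.digest(), "big") % N


def verify_proof(A, B, C, proof, G=G, m=b""):
    """Shape of the spec's VerifyProof(A, B, C, proof, G, m): G and m are both
    needed to recompute the challenge the prover committed to."""
    if any(pt is None for pt in (A, B, C, G)):
        return False
    e = int.from_bytes(proof[0:32], "big")
    s = int.from_bytes(proof[32:64], "big")
    if s >= N:
        return False
    neg_e = (N - e) % N
    R1 = point_add(point_mul(s, G), point_mul(neg_e, A))   # s*G - e*A == k*G
    R2 = point_add(point_mul(s, B), point_mul(neg_e, C))   # s*B - e*C == k*B
    if R1 is None or R2 is None:
        return False
    return challenge(A, B, C, R1, R2, m) == e


def generate_proof(a, B, G=G, m=b"", self_check_with_context=True):
    """Prove that A = a*G and C = a*B share the secret scalar a.
    self_check_with_context=False reproduces a self-check that calls the
    verifier without G and m (the omission the PR corrects)."""
    if not 1 <= a < N or B is None:
        return None
    A = point_mul(a, G)
    C = point_mul(a, B)
    k = secrets.randbelow(N - 1) + 1         # fresh nonce; BIP-374 derives k deterministically
    R1 = point_mul(k, G)
    R2 = point_mul(k, B)
    e = challenge(A, B, C, R1, R2, m)
    s = (k + e * a) % N
    proof = e.to_bytes(32, "big") + s.to_bytes(32, "big")
    if self_check_with_context:
        ok = verify_proof(A, B, C, proof, G=G, m=m)
    else:
        ok = verify_proof(A, B, C, proof)    # defaults: G = secp256k1 G, m = b""
    return proof if ok else None


if __name__ == "__main__":
    B = point_mul(67890, G)
    print("self-check with G, m:   ", generate_proof(12345, B, m=b"msg") is not None)
    print("self-check without G, m:", generate_proof(12345, B, m=b"msg",
                                                     self_check_with_context=False) is not None)
```

With the fixed self-check, generation succeeds for any m and any generator; with the old call, the verifier recomputes the challenge over an empty message (or the default generator) and rejects the prover's own proof, so `generate_proof` returns None for every non-empty m and every non-default G, and only the empty-message, default-generator case still works.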


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-10-27 15:10 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me