BIP-327: correct DeterministicSign pubnonce and key length #2066
lisenokdonbassenok wants to merge 1 commit into bitcoin:master from lisenokdonbassenok:fix/bip327-deterministicsign-spec, changing 1 file (+2 −2)
lisenokdonbassenok commented at 10:58 am on December 24, 2025:
The DeterministicSign specification currently describes pk_1..u as u 32-byte arrays and sets pubnonce = cbytes(R*_2) || cbytes(R*_2). Both statements conflict with the rest of BIP-0327, the Python reference implementation and the published test vectors. Individual public keys are plain compressed points of length 33 bytes everywhere else in the BIP, and the reference code derives pubnonce as cbytes(R*_1) || cbytes(R*_2), which is the format expected by NonceAgg and PartialSigVerify. This change updates the DeterministicSign section to use 33-byte plain public keys and to define pubnonce as (R*_1, R*_2), aligning the written specification with the existing reference implementation and test vectors without changing any executable code.
BIP-327: correct DeterministicSign pubnonce and key length dcdf9c9d42
murchandamus added the label Pending acceptance on Dec 24, 2025
murchandamus added the label Bug fix on Dec 24, 2025
in bip-0327.mediawiki:609 in dcdf9c9d42
605@@ -606,7 +606,7 @@ Algorithm ''DeterministicSign(sk, aggothernonce, pk<sub>1..u</sub>, tweak<sub>1. 606 ** The secret signing key ''sk'': a 32-byte array 607 ** The aggregate public nonce ''aggothernonce'' (see [[#modifications-to-nonce-generation|above]]): a 66-byte array 608 ** The number ''u'' of individual public keys with ''0 < u < 2^32'' 609-** The individual public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays
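Review bot: line 609 should name the encoding as well as the length, because a bare byte count is what leaves room to read this input as an x-only key. The replacement line is cut off in this excerpt, so its wording cannot be checked here; per the description it becomes 33-byte arrays, and saying "plain public keys" in the same line would make that unambiguous. The bound 0 < u < 2^32 on line 608 limits the number of keys u, not the size of each key, so it does not settle the encoding either way.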
murchandamus commented at 3:06 pm on December 24, 2025:
Given that the line right above states that keys are between 0 < u < 2^32, it seems to me that we are looking at an x-only key and the text is already correct, but maybe I’m misinterpreting that.
in bip-0327.mediawiki:626 in dcdf9c9d42
622@@ -623,7 +623,7 @@ Algorithm ''DeterministicSign(sk, aggothernonce, pk<sub>1..u</sub>, tweak<sub>1. 623 * Let ''k<sub>i</sub> = int(hash<sub>MuSig/deterministic/nonce</sub>(sk' || aggothernonce || aggpk || bytes(8, len(m)) || m || bytes(1, i - 1))) mod n'' for ''i = 1,2'' 624 * Fail if ''k<sub>1</sub> = 0'' or ''k<sub>2</sub> = 0'' 625 * Let ''R<sub>⁎,1</sub> = k<sub>1</sub>⋅G, R<sub>⁎,2</sub> = k<sub>2</sub>⋅G'' 626-* Let ''pubnonce = cbytes(R<sub>⁎,2</sub>) || cbytes(R<sub>⁎,2</sub>)'' 627+* Let ''pubnonce = cbytes(R<sub>⁎,1</sub>) || cbytes(R<sub>⁎,2</sub>)''
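Review bot: the commit message for the line 626 change should say which reference-code path or test vector confirms cbytes(R⁎,1) || cbytes(R⁎,2), since this hunk edits normative text only and nothing executable changes with it. The new order itself is consistent with the i = 1,2 indexing on lines 623 and 625, and the removed wording left R⁎,1 computed on line 625 but never used.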
murchandamus commented at 3:08 pm on December 24, 2025:
This one seems right to me.
murchandamus commented at 3:11 pm on December 24, 2025: contributor
@jonasnick, @real-or-random, could either of you take a look at this?
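The nonce derivation that the second hunk corrects, as an added Python example (not the BIP-327 reference implementation and not code from this pull request): it computes k_1 and k_2 from the quoted hash step and builds pubnonce under both the corrected and the pre-fix wording so the two can be compared. The byte strings in `SAMPLE` are constructed placeholders rather than BIP test vectors, and the helper names are chosen here.

```python
import hashlib

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Constructed inputs (not BIP test vectors): sk', aggothernonce, aggpk, m
SAMPLE = (b"\x01" * 32, b"\x02" * 66, b"\x03" * 32, b"example message")

def point_add(a, b):
    """Affine addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def point_mul(k, pt=G):  # double-and-add, not constant time: illustration only
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def cbytes(pt):
    """33-byte compressed encoding: parity prefix, then x."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def nonce_scalars(sk_prime, aggothernonce, aggpk, m):
    """k_1, k_2 from the hash step quoted in the second hunk."""
    pre = sk_prime + aggothernonce + aggpk + len(m).to_bytes(8, "big") + m
    hashes = [tagged_hash("MuSig/deterministic/nonce", pre + bytes([i - 1])) for i in (1, 2)]
    ks = [int.from_bytes(h, "big") % N for h in hashes]
    if 0 in ks:
        raise ValueError("k_1 or k_2 is zero")
    return ks

def pubnonce(k1, k2, old_text=False):
    """old_text=True reproduces the pre-fix wording (R_2 encoded twice)."""
    return cbytes(point_mul(k2 if old_text else k1)) + cbytes(point_mul(k2))
```

Both variants are 66 bytes long, so a length check alone cannot tell them apart; only comparing the first 33 bytes against cbytes(k_1⋅G) does.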
github-metadata-mirror
This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-12-27 06:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me