BIP-327: correct DeterministicSign pubnonce and key length #2066

pull lisenokdonbassenok wants to merge 2 commits into bitcoin:master from lisenokdonbassenok:fix/bip327-deterministicsign-spec changing 1 files +5 −2
  1. lisenokdonbassenok commented at 10:58 am on December 24, 2025: none
    The DeterministicSign specification currently describes pk_1..u as u 32-byte arrays and sets pubnonce = cbytes(R*_2) || cbytes(R*_2). Both statements conflict with the rest of BIP-0327, the Python reference implementation and the published test vectors. Individual public keys are plain compressed points of length 33 bytes everywhere else in the BIP, and the reference code derives pubnonce as cbytes(R*_1) || cbytes(R*_2), which is the format expected by NonceAgg and PartialSigVerify. This change updates the DeterministicSign section to use 33-byte plain public keys and to define pubnonce as (R*_1, R*_2), aligning the written specification with the existing reference implementation and test vectors without changing any executable code.
  2. BIP-327: correct DeterministicSign pubnonce and key length dcdf9c9d42
  3. murchandamus added the label Pending acceptance on Dec 24, 2025
  4. murchandamus added the label Bug fix on Dec 24, 2025
  5. in bip-0327.mediawiki:609 in dcdf9c9d42 outdated 
    605@@ -606,7 +606,7 @@ Algorithm ''DeterministicSign(sk, aggothernonce, pk<sub>1..u</sub>, tweak<sub>1.
606 ** The secret signing key ''sk'': a 32-byte array
607 ** The aggregate public nonce ''aggothernonce'' (see [[#modifications-to-nonce-generation|above]]): a 66-byte array
608 ** The number ''u'' of individual public keys with ''0 < u < 2^32''
609-** The individual public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays
    murchandamus commented at 3:06 pm on December 24, 2025:
    Given that the line right above states that keys are between 0 < u < 2^32, it seems to me that we are looking at an x-only key and the text is already correct, but maybe I’m misinterpreting that.
    real-or-random commented at 12:27 pm on December 28, 2025:

    maybe I’m misinterpreting that.

    You are. u is the number of public keys involved in signing and not related to their length.

  6. in bip-0327.mediawiki:626 in dcdf9c9d42 outdated 
    622@@ -623,7 +623,7 @@ Algorithm ''DeterministicSign(sk, aggothernonce, pk<sub>1..u</sub>, tweak<sub>1.
623 * Let ''k<sub>i</sub> = int(hash<sub>MuSig/deterministic/nonce</sub>(sk' || aggothernonce || aggpk || bytes(8, len(m)) || m || bytes(1, i - 1))) mod n'' for ''i = 1,2''
624 * Fail if ''k<sub>1</sub> = 0'' or ''k<sub>2</sub> = 0''
625 * Let ''R<sub>⁎,1</sub> = k<sub>1</sub>⋅G, R<sub>⁎,2</sub> = k<sub>2</sub>⋅G''
626-* Let ''pubnonce = cbytes(R<sub>⁎,2</sub>) || cbytes(R<sub>⁎,2</sub>)''
627+* Let ''pubnonce = cbytes(R<sub>⁎,1</sub>) || cbytes(R<sub>⁎,2</sub>)''
    murchandamus commented at 3:08 pm on December 24, 2025:
    This one seems right to me.
  7. murchandamus commented at 3:11 pm on December 24, 2025: contributor
    @jonasnick, @real-or-random, could either of you take a look at this?
  8. real-or-random commented at 12:31 pm on December 28, 2025: contributor

    Thanks, not sure how we ended up with DeterministicSign so different.

    All of the changes proposed here are correct. But I don’t think they’re sufficient. DeterministicSign also doesn’t take a keyagg context and doesn’t support tweaking (i.e., negation of the sk). Perhaps it’s better to fix all of this in a single PR and also add a changelog entry. @lisenokdonbassenok Would you be willing to do these changes too?

  9. add changelog ca8c9c6384
  10. lisenokdonbassenok commented at 8:34 am on December 29, 2025: none

    Thanks, not sure how we ended up with DeterministicSign so different.

    All of the changes proposed here are correct. But I don’t think they’re sufficient. DeterministicSign also doesn’t take a keyagg context and doesn’t support tweaking (i.e., negation of the sk). Perhaps it’s better to fix all of this in a single PR and also add a changelog entry.

    @lisenokdonbassenok Would you be willing to do these changes too?

    So I need only to add changelog?

  11. siv2r commented at 6:52 pm on January 2, 2026: contributor

    DeterministicSign also doesn’t take a keyagg context and doesn’t support tweaking (i.e., negation of the sk).

    I’m a bit confused here. From what I understand, DeterministicSign takes the list of public keys and tweaks, then internally computes the keyagg context and applies the tweaks. It calls Sign internally, which handles the secret key negation. What needs to fixed here?

  12. murchandamus commented at 7:39 pm on January 2, 2026: contributor

    Thanks, not sure how we ended up with DeterministicSign so different. All of the changes proposed here are correct. But I don’t think they’re sufficient. DeterministicSign also doesn’t take a keyagg context and doesn’t support tweaking (i.e., negation of the sk). Perhaps it’s better to fix all of this in a single PR and also add a changelog entry. @lisenokdonbassenok Would you be willing to do these changes too?

    So I need only to add changelog? @real-or-random, looking at the PR Author’s GitHub profile and their response to you, I suspect that this is an LLM-assisted pull request by a PR farmer. If so, they likely don’t actually understand what you are asking for and will beat around the bush for a few weeks until someone else provides a suggested code change to incorporate. Please feel free to save us all some time and make your own PR that incorporates these changes and makes the additional fixes you propose.

  13. real-or-random commented at 2:11 pm on January 5, 2026: contributor

    DeterministicSign also doesn’t take a keyagg context and doesn’t support tweaking (i.e., negation of the sk).

    I’m a bit confused here. From what I understand, DeterministicSign takes the list of public keys and tweaks, then internally computes the keyagg context and applies the tweaks. It calls Sign internally, which handles the secret key negation. What needs to fixed here?

    You’re right! No additional changes need to be done.

    @real-or-random, looking at the PR Author’s GitHub profile and their response to you, I suspect that this is an LLM-assisted pull request by a PR farmer. If so, they likely don’t actually understand what you are asking for and will beat around the bush for a few weeks until someone else provides a suggested code change to incorporate. Please feel free to save us all some time and make your own PR that incorporates these changes and makes the additional fixes you propose.

    See #2071.

  14. lisenokdonbassenok closed this on Jan 5, 2026


lisenokdonbassenok murchandamus real-or-random siv2r

Labels
Pending acceptance Bug fix

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-16 16:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me