Schnorr is not compatible with BIP340 #1365

issue paulmillr openend this issue on June 28, 2023
  1. paulmillr commented at 1:52 pm on June 28, 2023: contributor

    I believe this has been mentioned in comment #757 (comment), but nevertheless decided to open an issue for visibility.

    BIP340 https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#default-signing clearly says auxRand should always be used even if it’s all-zero. It also provides exact algorithm to calculate nonce from it.

    Right now, libsecp256k1, when auxRand was not passed, uses its own nonce generation algorithm.

    It would be good to make the library follow specification.

  2. paulmillr cross-referenced this on Jun 28, 2023 from issue Insight on Default Value Strategy for `auxRand` in Schnorr Signing by landabaso
  3. sipa commented at 1:58 pm on June 28, 2023: contributor
    I don’t think that’s the case? Passing auxrand == NULL should behave identically as passing a pointer to 32 0x00 bytes. This is even tested explicitly: https://github.com/bitcoin-core/secp256k1/blob/acf5c55ae6a94e5ca847e07def40427547876101/src/modules/schnorrsig/tests_impl.h#L110-L114
  4. paulmillr commented at 2:01 pm on June 28, 2023: contributor
    @landabaso do your tests say otherwise?
  5. sipa commented at 2:04 pm on June 28, 2023: contributor

    I see the linked issue now. I think there is some confusion.

    • noble-curves, if no auxrand is specified, generates 32 random bytes and uses those.
    • libsecp256k1, if no auxrand is specified, acts as if 32 0x00 bytes are passed.

    Both are BIP340 compliant (emphasis mine):

    If randomness is not available at all at signing time, a simple counter wide enough to not repeat in practice (e.g., 64 bits or wider) and padded with null bytes to a 32 byte-array can be used, or even the constant array with 32 null bytes. Using any non-repeating value increases protection against fault injection attacks. Using unpredictable randomness additionally increases protection against other side-channel attacks, and is recommended whenever available.

    Using random nonces is recommended and obviously better, but libsecp256k1 has no access to high-quality randomness; it’s up to the caller to provide it.

  6. paulmillr commented at 2:06 pm on June 28, 2023: contributor
    Thanks for clarifying this! Your behavior is perfectly fine. The topicstarter just wanted to replicate libsecp behavior, so I guess we can point to use 32 0x00 bytes and be done.
  7. paulmillr closed this on Jun 28, 2023
  8. real-or-random commented at 2:21 pm on June 28, 2023: contributor
    I was about to say that this should be documented, but it turns out that it is documented: https://github.com/bitcoin-core/secp256k1/blob/0fa84f869d51e1b71113d81fcd518ebcee08709a/include/secp256k1_schnorrsig.h#L113-L117


paulmillr sipa real-or-random

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-23 03:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me