We should have "safer" tweak functions that do the hashing automatically and include the inner point in the hash. See #1015
-
real-or-random commented at 11:32 AM on November 16, 2021: contributor
-
sipa commented at 8:50 PM on December 7, 2021: contributor
These would be BIP341-specifiek tweaking functions then that take the merkle_root as input? I believe that's sufficient to make the construction safe.
If we had a way to have callers provide their own SHA512 functions to a context, we could also add BIP32-specific tweak functions (or if we had SHA512 hashing to the library, which feels like scope creep, but I'm also not strongly against it).
-
real-or-random commented at 10:17 AM on January 25, 2022: contributor
What I had in mind were rather "generic" tweak functions that for example take
tag,tweak, andpkand then outputpk + SHA256(tag || pk || tweak). This are safe becausepkis included and my hope was that this should cover all current uses becausetagandtweakare simply prefixes and suffixes topk. But I don't think it's that simple, BIP341 hashes xonly keys and I guess some other applications hash the 33-byte pk. We could still havetweakandxonly_tweakfunctions, we'll need them anyway.And then we could provide convenience wrappers, e.g., for BIP341.
Unfortunately BIP32 needs a different interface because HMAC-SHA512 is not a hash function but takes two inputs... We could have an abstract
H(tag, pk, tweak)with implementationsH(tag, pk, tweak) = SHA256(tag || pk || tweak)andH(tag, pk, tweak) = HMAC-SHA512(tag, pk || tweak).I don't know. If all of this is too complex in an API, we could still implement it this way under the hood.
- real-or-random cross-referenced this on Jul 2, 2022 from issue Expose Generator and Point at Infinity as Constants by ProofOfKeags
