BIP 340 improvements #893

pull sipa wants to merge 30 commits into bitcoin:master from sipa:bip-taproot changing 5 files +263 −167
  1. sipa commented at 3:57 AM on February 24, 2020: member

    This makes a number of changes to BIP 340:

    • The tie-breaker for public keys with implicit Y coordinate is changed from square to even. This improves signing speed, and makes integration with existing key generation easier. This also has implications for BIP 341.
    • The nonce generation function is improved to take certain failure scenarios into account (precomputed public key, fault injection attacks, power analysis).
    • Recommendations around the use of signing-time randomness and verification are strengthened as these reduce vulnerabilities against the above attacks significantly.
    • The tags are updated to make sure accidental use of earlier draft code breaks consistently.
    • Various contributed improvements.

    This is rebased on top of #892 to avoid conflicts.
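The even-Y tie-breaker from the first bullet, side by side with the square-Y rule it replaces, as an added example that is not code from this PR or from the BIP 340 reference implementation. It uses plain affine secp256k1 arithmetic, constructed toy secret keys (1 and n-1), and defines both tie-breakers here only for comparison.

```python
from typing import Callable, Optional, Tuple

# secp256k1 field prime, group order and generator (public curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

def point_add(a: Point, b: Point) -> Point:
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None  # a == -b
    if a == b:   # doubling: lambda = 3x^2 / 2y
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:        # addition: lambda = (y2 - y1) / (x2 - x1)
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k: int, pt: Point) -> Point:
    r: Point = None
    for i in range(256):   # plain double-and-add; illustrative, not constant-time
        if (k >> i) & 1: r = point_add(r, pt)
        pt = point_add(pt, pt)
    return r

def has_even_y(pt: Tuple[int, int]) -> bool:
    return pt[1] % 2 == 0   # one parity bit, the same bit a compressed pubkey carries

def has_square_y(pt: Tuple[int, int]) -> bool:
    return pow(pt[1], (P - 1) // 2, P) == 1   # Euler criterion: a full modular exponentiation

def xonly_keypair(d: int, tiebreak: Callable[[Tuple[int, int]], bool]) -> Tuple[bytes, int]:
    """Return (32-byte x-only pubkey, secret key adjusted so that d*G satisfies tiebreak)."""
    pt = point_mul(d % N, G)
    d_adj = d if tiebreak(pt) else N - d  # negating d negates the point: y flips, x stays
    return pt[0].to_bytes(32, "big"), d_adj

def lift_x_even(x: int) -> Point:
    """Decode an x-only key under the even-Y rule: one square root, then fix the parity."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)          # valid square root because P % 4 == 3
    if y * y % P != rhs: return None       # x is not on the curve
    return (x, y if y % 2 == 0 else P - y)

if __name__ == "__main__":
    for d in (1, N - 1):   # constructed toy keys: G and -G share an x coordinate
        print(d, xonly_keypair(d, has_even_y)[1], xonly_keypair(d, has_square_y)[1])
```

Both toy keys yield the same x-only public key, and under the even-Y rule both are normalised to the secret key 1, because G already has an even y coordinate.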

  2. Update bip-0340.mediawiki 4b18c45e74
  3. missing space 2a122f20c5
  4. BIP-340: Stress that secret key should be fresh and if not then RFC6979 shouldn't be used 8b4f79b6f6
  5. BIP-340: Improve wording of recommendation for fresh secret keys ddc31eb6f6
  6. Switch to even-y tiebreaker for pubkeys 6581a87ff2
  7. Change tags to prevent inconsistent breakage with earlier draft d11cf65b6c
  8. notes about precomputed pubkey data 8a009b90d8
  9. Include d in nonce rather than d' 455504b3af
  10. give bip32 conversion its own section 453947f43a
  11. Switch to new synth nonce scheme and make it default 806b46fde1
  12. Address comments 88d30c704f
  13. in bip-0340.mediawiki:172 in 88d30c704f outdated
     171 | +* Let ''sig = bytes(R) || bytes((k + ed) mod n)''.
     172 | +* If ''Verify(bytes(P), m, sig)'' (see below) returns failure, abort<ref>Verifying the signature before leaving the signer prevents random or attacker provoked computation errors. This prevents publishing invalid signatures which may leak information about the secret key. It is recommended, but can be omitted if the computation cost is prohibitive.</ref>.
     173 | +* Return the signature ''sig''.
     174 |  
     175 | -When an RNG is available at signing time, up to 32 bytes of its output should be included in ''a''. The result is then called a ''synthetic nonce''. Doing so may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks]. Therefore, '''synthetic nonces are recommended in settings where these attacks are a concern''' - in particular on offline signing devices. Adding more than 32 bytes serves no security purpose. Note that while this means the resulting nonce is not deterministic, its normal security properties do not depend on the quality of the RNG, and in fact using a completely broken RNG is still secure.
     176 | +The auxiliary random data should be set to fresh randomness generated at signing time, resulting in what is called a ''synthetic nonce''. If no randomness is available, a simple counter can be used as well, or even nothing at all. Using any non-repeating value increases protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks]. Using unpredictable randomness additionally increases protection against other side-channel attacks, and is '''recommended whenever available'''. Note that while this means the resulting nonce is not deterministic, the randomness is only supplemental to security. The normal security properties (excluding side-channel attacks) do not depend on the quality of the signing-time RNG.
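Review bot: the replacement paragraph at line 176 drops the "up to 32 bytes" guidance that the removed line 175 carried, so this paragraph no longer says how much auxiliary randomness to supply; suggest "should be set to 32 bytes of fresh randomness" and, for the counter fallback, a sentence on how the counter is encoded into ''a''. Separately, the footnote at line 172 lets the verify-before-return step be omitted for cost reasons without saying that omitting it also gives up the protection against faulted computations the same footnote describes; spelling out that trade-off would help implementers decide.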
    


    jonasnick commented at 11:07 AM on February 24, 2020:

    Perhaps s/should be set to fresh randomness/should be set to 32 bytes of fresh randomness/ to provide a clear recommendation.


    jonasnick commented at 2:18 PM on March 7, 2020:

    this is resolved

  14. jonasnick commented at 11:07 AM on February 24, 2020: contributor

    ACK mod nit (EDIT)

  15. jonasnick commented at 11:10 AM on February 24, 2020: contributor

    With this PR the test vectors would be out of sync. Would be better to include the updates from https://github.com/sipa/bips/pull/196 (still WIP at the moment).

  16. Fix a few minor issues
     * Recommend a byte length for aux random data
     * Clarify that with signature verification by default at the end of the signing algorithm, using public keys from untrusted sources is not an issue.
     * A few editorial nits
    4f482a6748
  17. sipa renamed this:
    BIP 340 improvements
    [WIP, dontmerge] BIP 340 improvements
    on Feb 25, 2020
  18. sipa commented at 12:33 AM on February 25, 2020: member

    I'm marking this as WIP until those things are resolved, but leaving this open for exposure.

  19. in bip-0340.mediawiki:156 in 88d30c704f outdated
     151 |  Input:
     152 |  * The secret key ''sk'': a 32-byte array
     153 |  * The message ''m'': a 32-byte array
     154 | +* Auxiliary random data ''a'': a byte array of length 0 to 32 (inclusive)
     155 |  
     156 |  The algorithm ''Sign(sk, m)'' is defined as:
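Review bot: line 156 still names the algorithm ''Sign(sk, m)'' although line 154 adds ''a'' to the input list; the header should read ''Sign(sk, m, a)'' so the pseudocode signature matches its declared inputs.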
    


    LLFourn commented at 3:33 AM on February 26, 2020:

    missing a as an argument.

  20. in bip-0340.mediawiki:154 in 88d30c704f outdated
     149 |  ==== Default Signing ====
     150 |  
     151 |  Input:
     152 |  * The secret key ''sk'': a 32-byte array
     153 |  * The message ''m'': a 32-byte array
     154 | +* Auxiliary random data ''a'': a byte array of length 0 to 32 (inclusive)
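Review bot: line 154 allows ''a'' to be any length from 0 to 32 bytes, which means every implementation and test vector must carry the length alongside the bytes; unless the in-between lengths serve a purpose, restricting ''a'' to exactly 32 bytes (or to 0 or 32) would leave a single encoding to implement and test.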
    


    jonasnick commented at 1:44 PM on February 28, 2020:

    How about we fix a to be 32 bytes (or alternatively 0 or 32 bytes). This would make the test vectors much simpler because otherwise we will want to have a test vector with an a that is in between. Making libsecp compatible with variable-length a is unnecessarily complicated as the caller would need to provide a byte array for a that also encodes the length. So either we make a (0 or 32 bytes) or we need to design the test vectors such that only one of them has an in-between a and skip that one in libsecp.


    jonasnick commented at 2:18 PM on March 7, 2020:

    this is resolved

  21. Switch to only 32 bytes aux cd19095fb0
  22. BIP 340: Update reference code and test vectors as follows:
     - use evenness as tiebreaker
     - using different tags for nonce- and challenge hashing
     - add pubkey to nonce function.
    d41e778ca1
  23. BIP 340: Use synthetic nonces in reference code and test vectors b6b5f58e6e
  24. BIP 340: Verify sig before returning it 9bfa53e9fb
  25. Merge pull request #199 from real-or-random/patch-16
    Fix a few minor issues
    9abbfa53c9
  26. BIP-0341: Avoid decompressing the output public key in script spends 4ea021f28c
  27. Merge pull request #196 from jonasnick/update-ref
    Update reference code and test vectors
    f71b5cbb5c
  28. Merge pull request #201 from jonasnick/tweak-bytes-only
    BIP-0341: Avoid decompressing the output public key in script spends
    39ba507e01
  29. Optionally print intermediate values in reference code
    and make reference code and pseudocode more consistent with each other
    a6301c5af0
  30. Make code and output a little bit more readable 8c5be91975
  31. Fix typo 003d38cedb
  32. fixup! Optionally print intermediate values in reference code 07d938a214
  33. When checking test vectors, handle RuntimeException in signing
    This is better for playing around with the code. Now these
    exceptions can really be raised when the verification
    during signing fails.
    72657270d8
  34. BIP-0341: Replace notion of is_negated with parity bit 0916da6594
  35. Merge pull request #200 from real-or-random/prints
    Add debug print for intermediate values
    038615b7c7
  36. Merge pull request #203 from jonasnick/remove-is-negated
    BIP-0341: Replace notion of is_negated with parity bit
    1d999cf678
  37. BIP-0340: Add typing annotations to reference.py
    Passes mypy's strict-mode with mypy 0.770.
    756129cccf
  38. Merge pull request #202 from ysangkok/bip-0340-typing
    Typing annotations for BIP-0340
    cf2937c811
  39. sipa renamed this:
    [WIP, dontmerge] BIP 340 improvements
    BIP 340 improvements
    on Apr 10, 2020
  40. sipa commented at 8:46 PM on April 10, 2020: member

    @luke-jr This is ready for merge.

  41. jonasnick commented at 4:16 PM on April 12, 2020: contributor

    Didn't we promise on the mailing list to provide better rationale for aux_rand (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-March/017711.html) and expanding on how to make up for losing the ability to spot check (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-March/017667.html)? Should we do this here or in a separate PR @sipa?

  42. sipa commented at 5:48 PM on April 12, 2020: member

    @jonasnick Sure, but I think those can be done independently. I mostly want to get the even/odd tiebreaker stuff into the published BIP.

  43. jonasnick approved
  44. jonasnick commented at 7:11 PM on April 12, 2020: contributor

    Okay, let's get the BIP up to date first.

    ACK cf2937c8111919ae9edf020cd39af288969fd5e4

  45. real-or-random approved
  46. real-or-random commented at 1:25 PM on April 16, 2020: contributor

    ACK cf2937c8111919ae9edf020cd39af288969fd5e4

  47. ajtowns commented at 12:28 PM on April 18, 2020: contributor

    This PR has an un-squashed "fixup!" commit, as well as a bunch of merges from PRs against sipa's tree... Seems a bit clunky?

    Otherwise, ACK cf2937c8111919ae9edf020cd39af288969fd5e4

  48. luke-jr merged this on Apr 30, 2020
  49. luke-jr closed this on Apr 30, 2020


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:50 UTC