diff --git a/bip-0352.mediawiki b/bip-0352.mediawiki index 4462efca..47449b83 100644 --- a/bip-0352.mediawiki +++ b/bip-0352.mediawiki @@ -298,13 +298,14 @@ After the inputs have been selected, the sender can create one or more outputs f * Let ''a = a1 + a2 + ... + an'', where each ''ai'' has been negated if necessary ** If ''a = 0'', fail * Let ''input_hash = hashBIP0352/Inputs(outpointL || A)'', where ''outpointL'' is the smallest ''outpoint'' lexicographically used in the transaction and ''A = a·G'' +** If ''input_hash'' is not a valid scalar, i.e., if ''input_hash = 0'' or ''input_hash'' is larger or equal to the secp256k1 group order, fail * Group receiver silent payment addresses by ''Bscan'' (e.g. each group consists of one ''Bscan'' and one or more ''Bm'') * For each group: ** Let ''ecdh_shared_secret = input_hash·a·Bscan'' ** Let ''k = 0'' ** For each ''Bm'' in the group: *** Let ''tk = hashBIP0352/SharedSecret(serP(ecdh_shared_secret) || ser32(k))'' -**** If ''tk'' is not valid tweak, i.e., if ''tk = 0'' or ''tk'' is larger or equal to the secp256k1 group order, fail +**** If ''tk'' is not a valid scalar, i.e., if ''tk = 0'' or ''tk'' is larger or equal to the secp256k1 group order, fail *** Let ''Pmn = Bm + tk·G'' *** Encode ''Pmn'' as a [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP341] taproot output *** Optionally, repeat with k++ to create additional outputs for the current ''Bm'' 
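Review bot: the added ''input_hash'' check in the sender algorithm says "larger or equal to the secp256k1 group order", which is awkward and also differs from the phrasing used in the changelog entry of this same patch ("greater than or equal to the secp256k1 curve order"); suggest "greater than or equal to the secp256k1 group order" here and in the ''tk'' line directly below it, since that line is being reworded anyway. A second, smaller point: ''input_hash'' depends on ''outpointL'' and ''A'', i.e. on the chosen input set, so unlike a genuinely unrecoverable error the sender can try again with a different input selection; a short parenthetical such as "(the sender may retry with a different set of inputs)" would keep implementers from treating this as a fatal condition.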
@@ -331,12 +332,13 @@ If each of the checks in ''[[#scanning-silent-payment-eligible-transactions|Scan * Let ''A = A1 + A2 + ... + An'', where each ''Ai'' is the public key of an input from the ''[[#inputs-for-shared-secret-derivation|Inputs For Shared Secret Derivation]]'' list ** If ''A'' is the point at infinity, skip the transaction * Let ''input_hash = hashBIP0352/Inputs(outpointL || A)'', where ''outpointL'' is the smallest ''outpoint'' lexicographically used in the transaction +** If ''input_hash'' is not a valid scalar, i.e., if ''input_hash = 0'' or ''input_hash'' is larger or equal to the secp256k1 group order, fail * Let ''ecdh_shared_secret = input_hash·bscan·A'' * Check for outputs: ** Let ''outputs_to_check'' be the taproot output keys from all taproot outputs in the transaction (spent and unspent). ** Starting with ''k = 0'': *** Let ''tk = hashBIP0352/SharedSecret(serP(ecdh_shared_secret) || ser32(k))'' -**** If ''tk'' is not valid tweak, i.e., if ''tk = 0'' or ''tk'' is larger or equal to the secp256k1 group order, fail +**** If ''tk'' is not a valid scalar, i.e., if ''tk = 0'' or ''tk'' is larger or equal to the secp256k1 group order, fail *** Compute ''Pk = Bspend + tk·G'' *** For each ''output'' in ''outputs_to_check'': **** If ''Pk'' equals ''output'': 
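Review bot: the receiver-side ''input_hash'' line added here ends in "fail", but the check two lines above it in the same hunk ("If ''A'' is the point at infinity, skip the transaction") uses "skip the transaction", which is the right outcome during scanning: an invalid scalar for one transaction only means no silent-payment output can be derived from that transaction, not that the receiver's scan of the block or chain should abort. Suggest "skip the transaction" for the new line. The pre-existing ''tk'' line that this hunk rewords has the same problem, since ''tk'' is also derived per transaction (from ''ecdh_shared_secret'' and ''k''); as its wording is already being changed, it would be consistent to fix both in this patch.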
@@ -484,6 +486,8 @@ The MAJOR version is incremented if changes to the BIP are introduc The MINOR version is incremented whenever the inputs or the output of an algorithm changes in a backward-compatible way or new backward-compatible functionality is added. The PATCH version is incremented for other changes that are noteworthy (bug fixes, test vectors, important clarifications, etc.). +* '''1.0.2''' (2025-07-25): +** Clarify how to handle the improbable corner case where the output of SHA256 is equal to 0 or greater than or equal to the secp256k1 curve order. * '''1.0.1''' (2024-06-22): ** Add steps to fail if private key sum is zero (for sender) or public key sum is point at infinity (for receiver), add corresponding test vectors. * '''1.0.0''' (2024-05-08):
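Review bot: the 1.0.2 entry calls the change a clarification of a corner case, but for both the sender and the receiver the ''input_hash'' line is a new step in the algorithm (only the ''tk'' check already existed and merely had its wording changed), and the 1.0.1 entry directly below sets the precedent of saying explicitly when steps are added. Suggest wording such as "Add steps to fail/skip if ''input_hash'' is not a valid scalar; clarify the wording of the ''tk'' validity check" so readers of the changelog can tell which algorithm steps are new. The entry should also say whether test vectors are affected: 1.0.1 added vectors for its new failure conditions, and since this condition cannot be reached with a real SHA256 output in practice, one sentence stating that no test vectors are added (or that synthetic ones are) would pre-empt the question. Minor: the algorithms use the tagged hashes ''hashBIP0352/Inputs'' and ''hashBIP0352/SharedSecret'', so "the output of the tagged hash" would be more precise than "the output of SHA256".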