From 0b590d0d5d94f428b39b7d62332abebe7d236b40 Mon Sep 17 00:00:00 2001 From: Andrew Toth Date: Sat, 21 Dec 2024 16:17:11 -0500 Subject: [PATCH] Add footnote recommending using fresh randomness for each proof --- bip-DLEQ.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bip-DLEQ.mediawiki b/bip-DLEQ.mediawiki index b6ed6e4a..c03260be 100644 --- a/bip-DLEQ.mediawiki +++ b/bip-DLEQ.mediawiki @@ -62,7 +62,7 @@ The following generates a proof that the result of ''a⋅B'' and the result of ' Input: * The secret key ''a'': a 256-bit unsigned integer * The public key ''B'': a point on the curve -* Auxiliary random data ''r'': a 32-byte array +* Auxiliary random data ''r'': a 32-byte array ''' Why include auxiliary random data?''' The auxiliary random data should be set to fresh randomness for each proof. The same rationale and recommendations from [https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#default-signing BIP340] should be applied. * The generator point ''G'': a point on the curve ''' Why include the generator point G as an input?''' While all other BIPs have used the generator point from secp256k1, passing it as an input here lets this algorithm be used for other curves. * An optional message ''m'': a 32-byte array ''' Why include a message as an input?''' This could be useful for protocols that want to authorize on a compound statement, not just knowledge of a scalar. This allows the protocol to combine knowledge of the scalar and the statement.
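Review bot: The new footnote on the ''r'' bullet points at BIP340's "same rationale and recommendations" without saying what they are, so an implementer still has to leave the document to learn what a stale or repeated ''r'' costs them; consider adding one clause to the footnote stating the recommendation in the BIP's own words (fresh 32 bytes of randomness per proof, with the BIP340 section named for the reasoning) so the bullet is self-contained like the ''G'' and ''m'' footnotes beside it, which each give their reason inline. The placement and the bold "''' Why include ...'''" form match the existing footnotes in the list, and the link anchor to the default-signing section is the right one for the claim being made.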