mirror of https://github.com/bitcoin/bips.git synced 2026-06-22 17:37:25 +00:00

BIP374: Add message to rand computation (#1758)

* BIP374: Add message to rand computation

* BIP374: Update reference and test vectors

* Add changelog

* Format changelog according to BIP3

* Add creation date

Co-authored-by: Jon Atack <jon@atack.com>

* Grammar fix

Co-authored-by: Jon Atack <jon@atack.com>

* Update changelog

---------

Co-authored-by: Jon Atack <jon@atack.com>
Andrew Toth
2025-02-27 11:37:46 -05:00
committed by GitHub
parent cc81fde273
commit 24b4354e64
4 changed files with 34 additions and 24 deletions


@@ -73,12 +73,12 @@ The algorithm ''GenerateProof(a, B, r, G, m)'' is defined as:
* Let ''A = a⋅G''.
* Let ''C = a⋅B''.
* Let ''t'' be the byte-wise xor of ''bytes(32, a)'' and ''hash<sub>BIP0374/aux</sub>(r)''.
* Let ''rand = hash<sub>BIP0374/nonce</sub>(t || cbytes(A) || cbytes(C))''.
* Let ''m' = m if m is provided, otherwise an empty byte array''.
* Let ''rand = hash<sub>BIP0374/nonce</sub>(t || cbytes(A) || cbytes(C) || m')''.<ref name="why_include_m_in_rand"> ''' Why include the message in the rand computation?''' Not including the message in the rand compution could leak ''a'' if two proofs were constructed for the same ''a'', ''B'', and ''G'' but a different message ''m'' and an all-zero ''r''.</ref>
* Let ''k = int(rand) mod n''.
* Fail if ''k = 0''.
* Let ''R<sub>1</sub> = k⋅G''.
* Let ''R<sub>2</sub> = k⋅B''.
* Let ''m' = m if m is provided, otherwise an empty byte array''.
* Let ''e = int(hash<sub>BIP0374/challenge</sub>(cbytes(A) || cbytes(B) || cbytes(C) || cbytes(G) || cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>) || m'))''.
* Let ''s = (k + e⋅a) mod n''.
* Let ''proof = bytes(32, e) || bytes(32, s)''.
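Review bot: the footnote attached to the new ''rand'' line has a typo, "compution" should read "computation". The footnote's condition is also narrower than the risk it describes: since ''t'' is the xor of ''bytes(32, a)'' and ''hash<sub>BIP0374/aux</sub>(r)'', the old ''rand'' depended only on ''a'', ''A'' and ''C'', so any reuse of ''r'' with the same ''a'' and ''B'' (not only an all-zero ''r'') yielded the same ''k'' for two different messages, and two proofs sharing ''k'' with different ''e'' expose ''a'' through ''s = (k + e⋅a) mod n''. Suggest wording it as "and the same (for example all-zero) ''r''" so the reader sees that binding ''m''' into ''rand'' protects against nonce reuse in general. Moving the ''m''' definition above the ''rand'' line is required, since ''rand'' now references ''m'''; good that the duplicate definition later in the list is removed.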
@@ -118,6 +118,13 @@ This proposal is compatible with all older clients.
A reference python implementation is included [https://github.com/bitcoin/bips/blob/master/bip-0374/reference.py here].
Test vectors can be generated by running <code>./bip-0374/gen_test_vectors.py</code> which will produce a CSV file of random test vectors for both generating and verifying proofs. These can be run against the reference implementation with <code>./bip-0374/run_test_vectors.py</code>.
== Changelog ==
* 0.2.0 (2025-02-27):
** Add the message to the rand computation
* 0.1.0 (2024-12-26):
** Initial version
== Footnotes ==
<references />
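Review bot: the 0.2.0 changelog entry should mention that the test vectors were regenerated, as the commit message states and the context line above implies (<code>gen_test_vectors.py</code> produces vectors for both generating and verifying proofs): changing ''rand'' changes ''k'' and therefore the ''e'' and ''s'' that ''GenerateProof'' outputs for a given ''(a, B, r, G, m)'', so generation vectors produced under 0.1.0 no longer match the reference output. A line such as "** Regenerate test vectors" under 0.2.0 would make that explicit. It would also help to note there that verification is unaffected, since the change is confined to how the nonce is derived inside ''GenerateProof''; that is what keeps the "compatible with all older clients" statement in the context line accurate.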