diff --git a/bip-0374.mediawiki b/bip-0374.mediawiki index 46a47ba0..0abb8957 100644 --- a/bip-0374.mediawiki +++ b/bip-0374.mediawiki @@ -74,7 +74,7 @@ The algorithm ''GenerateProof(a, B, r, G, m)'' is defined as: * Let ''C = a⋅B''. * Let ''t'' be the byte-wise xor of ''bytes(32, a)'' and ''hashBIP0374/aux(r)''. * Let ''m' = m if m is provided, otherwise an empty byte array''. -* Let ''rand = hashBIP0374/nonce(t || cbytes(A) || cbytes(C) || m')''. ''' Why include the message in the rand computation?''' Not including the message in the rand compution could leak ''a'' if two proofs were constructed for the same ''a'', ''B'', and ''G'' but a different message ''m'' and an all-zero ''r''. +* Let ''rand = hashBIP0374/nonce(t || cbytes(A) || cbytes(C) || m')''. ''' Why include the message in the rand computation?''' Not including the message in the rand computation could leak ''a'' if two proofs were constructed for the same ''a'', ''B'', and ''G'' but a different message ''m'' and an all-zero ''r''. * Let ''k = int(rand) mod n''. * Fail if ''k = 0''. * Let ''R1 = k⋅G''.
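Review bot: the spelling fix ("compution" to "computation") in the rationale aside is correct and is the only change in this hunk; the normative part of the bullet, ''rand = hashBIP0374/nonce(t || cbytes(A) || cbytes(C) || m')'', is identical on the - and + lines, so the proof construction itself is unchanged and nothing else in the text needs to move with it. One wiki-markup nit on the same line, present in both the old and new version: the bold aside is written as `''' Why include the message in the rand computation?'''` with a space after the opening `'''`, which renders as a stray leading space inside the bold run; `'''Why include the message in the rand computation?'''` would be cleaner if this line is being touched anyway. The rationale stated in the context (not including ''m'' in the nonce derivation could leak ''a'' when two proofs share ''a'', ''B'', ''G'' and an all-zero ''r'' but differ in ''m'') is consistent with the surrounding steps, since ''t'' depends only on ''a'' and ''r'' and ''A'', ''C'' depend only on ''a'', ''B'', ''G'', so ''m''' is the only input that would separate the two nonces.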