Address siv2r's comments #67
Conversation
README.md
Outdated
|
|
||
| [^mr-kem]: This implements a multi-recipient multi-key key encapsulation mechanism (MR-MK-KEM) secure under the static Diffie-Hellman assumption [[Theorem 2, PPS14](https://doi.org/10.1145/2590296.2590329)]. | ||
|
|
||
| When `j = i` (i.e., when a participant encrypts a VSS share for themselves), the computationally expensive ECDH key exchange is unnecessary. | ||
| Instead, the participant repurposes the secret decryption key as a symmetric key, such that`pad_ii` is computed as the tagged hash of the decryption key, public encryption nonce, and context. |
There was a problem hiding this comment.
| Instead, the participant repurposes the secret decryption key as a symmetric key, such that`pad_ii` is computed as the tagged hash of the decryption key, public encryption nonce, and context. | |
| Instead, the participant repurposes the secret decryption key as a symmetric key, such that `pad_ii` is computed as the tagged SHA256 of the decryption key, public encryption nonce, and context. |
(We write tagged SHA256 elsewhere.)
Do you think it makes sense to add a reference/footnote to BIP340 at the first occurrence of "tagged SHA256"?
If yes, then perhaps "Tagged hash" is even better, as this is the term used in BIP340. In either case, I think it's a good idea to use the same term throughout the doc.
There was a problem hiding this comment.
Yes, makes sense, done.
python/secp256k1proto/bip340.py
Outdated
| @@ -25,9 +25,9 @@ def schnorr_sign( | |||
| P = d0 * G | |||
| assert not P.infinity | |||
| d = d0 if P.has_even_y() else GE.ORDER - d0 | |||
| t = xor_bytes(bytes_from_int(d), tagged_hash("BIP0340/aux", aux_rand)) | |||
| t = xor_bytes(bytes_from_int(d), tagged_hash(f"{tag_prefix}/aux", aux_rand)) | |||
There was a problem hiding this comment.
Have you considered simple concatenation using + instead of an f-string? Seems more natural to me, but perhaps it's just me.
There was a problem hiding this comment.
Switched to + (I had asked an LLM which told me that the format string version is the recommended and the most idiomatic variant in python 3).
|
ACK
I tested this code ( |
This commit makes the reference code work with python 3.9, the oldest version that is not end-of-life.
Tag prefix is applied to all tagged hashes, in particular those related to nonce generation. Without this commit, the API is extremely dangerous because signing twice with the same secret key but different challenge_tag would result in nonce reuse.
jonasnick
force-pushed
the
sivs-comments
branch
from
b6d0675 to
49a0446
Compare
Yes. That's the one thing that's easy in NixOS ;) |
No description provided.