bip-schnorr: nonce uses hash instead of PRF #197
Comments
|
The assumption here is that You could also rely on a function which is designed primarily as PRF, e.g. AES or ChaCha20 but this simply needs more code on the signer side. Moreover, these functions are permutations, which means we need to make sure that the input has the same length as the output (or play tricks). That's also annoying with the discussion in #195 in mind. edit: I think your misunderstanding here is that you assume that a hash function cannot be a PRF. And this is true syntactically (hash has one input, PRF has two inputs) but given a "good" hash function such as SHA256, we can also use it as PRF if we add the key to the hashed data. |
|
Thanks for the explanation. Correct, my concern was that the construct wasn't a PRF. My thinking was that while the Since the assumption is that in practice this construct is actually a PRF under the specified restrictions, then I don't have a further specific concern about it right now. |
For the nonce generation step of the signing algorithm, I see:
Wouldn't the proper primitive to use be a PRF such as HMAC-SHA-256?
Also, shortly after in the
Synthetic noncessection,appears like it should be a PRF / HMAC-SHA-256 invocation with get_32_bytes_from_rng() as the key to the HMAC invocation.
The resource linked from the BIP, fault injection attacks and side-channel attacks, says: "With synthetic nonces, nonce derivation is a PRF keyed by the random input Z."
The text was updated successfully, but these errors were encountered: