Signing/verifying BIP340 Schnorr when the message is not 32 bytes #702
Comments
|
We actually talked about it on IRC today, |
|
I think we may just have to eat the breakage -- we want to discourage people to directly use We are also planning to drop the |
|
Please confirm if my understanding is correct. Schnorr signature needs |
Basically yes. as a previous version of the BIP only supported pre-hashing |
…f 32 bytes `Message` df98b16 Make schnorr sign/verify accept a message slice (Elichai Turkel) Pull request description: As discussed on #702 and on IRC, BIP340 has evolved from supporting only "pre-hashed" 32 byte messages, to supporting messages of "any length" and as such we should allow the users to pass a message of any length. Note that passing exactly 32 bytes will make the API behave exactly as before (ie it will produce the same signatures). I added all the test vectors from: https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv To make sure the API is correct even for empty messages and shorter/longer ones :) ACKs for top commit: Kixunil: ACK df98b16 apoelstra: ACK df98b16 thanks for all the new test vectors\! Tree-SHA512: bd99ea8e17fcc6fd71ad39a87c7c21761f325006998a61b33b6f2abc9f892f90a4236bd25615cb34dc83214a70dcdd34ce3e7cece7d6f971c3843505356c97c5
|
Please publish the merged fix soon. |
If I'm understanding the API correctly, it's not currently possible to use this crate to sign or verify BIP340 messages that are not exactly 32 bytes long. Is this correct? If so is there any change of adding such support? It seems
libsecp256k1already supports this, usingsecp256k1_schnorrsig_sign_custom, and for verification the plainsecp256k1_schnorrsig_verifyaccepts any input length.The text was updated successfully, but these errors were encountered: