I think the proper way is to change secp256k1proto to split APrimeFE.from_int into a APrimeFE.from_int_wrapping, which wraps around, and a APrimeFE.from_int_checked, which raises OverflowError. (APrimeFE is the abstract superclass of Scalar).
Then we can use the appropriate function everywhere. (Not sure if we want to touch bip340.py though, I tried to keep this as close as possible to the reference code in the BIP, so it's okay to work with integers there and keep the explicit %.)
Scalar(int_from_bytes(...)) is also used for generating pads (self_pad and ecdh). I think this is acceptable since we’re generating random numbers,
Acceptable, but probably better to do this in a consistent way unless you really want to wrap around.
The wrapping there was intentional: Wrapping is not only acceptable when the input is uniformly random (or a hash), it yields simpler code because it removes an error path. This was the rationale for why we wrap in BIP340, after a long discussion.
But the ECDH implementation is supposed to replicate whatever libsecp256k1 does, and it errors out in case of overflow...
And then, if we wrap in ECDH, we may as well wrap in self_pad for consistency. Sigh.

Originally posted by @real-or-random in #76 (comment)
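An added example, not code from secp256k1proto or from the issue author, illustrating the split discussed above: a minimal Scalar type with a from_int_wrapping constructor that reduces modulo the group order and a from_int_checked constructor that raises OverflowError, together with a calculation of how rare the overflow case is for uniformly random 32-byte input (the reason wrapping is acceptable for pads and hash outputs). The class layout, the helper names (checked_rejects, overflow_fraction_log2, random_pad_wrapping) and the constructed byte strings are assumptions made for this example; only the two constructor names come from the discussion, and the constant N is the well-known secp256k1 group order.

```python
import math
import secrets

# Order of the secp256k1 group (well-known constant; not taken from this page).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class Scalar:
    """Toy stand-in for secp256k1proto's Scalar (an integer modulo N).

    Only the two constructors named in the issue are modelled; the class
    layout itself is an assumption made for this example.
    """

    def __init__(self, v: int):
        if not 0 <= v < N:
            raise ValueError("internal invariant: value must already be reduced")
        self.v = v

    @classmethod
    def from_int_wrapping(cls, v: int) -> "Scalar":
        # Reduce modulo N and never fail. This is the BIP340 choice for
        # uniformly random or hash-derived inputs: there is no error path to
        # handle, and the bias is negligible because N is so close to 2^256.
        return cls(v % N)

    @classmethod
    def from_int_checked(cls, v: int) -> "Scalar":
        # Reject out-of-range input instead of reducing it. This mirrors the
        # behaviour the issue attributes to libsecp256k1's ECDH, which errors
        # out on overflow rather than wrapping.
        if not 0 <= v < N:
            raise OverflowError(f"integer {v:#x} is not a valid scalar (>= N)")
        return cls(v)

    def __eq__(self, other):
        return isinstance(other, Scalar) and self.v == other.v


def int_from_bytes(b: bytes) -> int:
    """Big-endian bytes to int, as in the bip340 reference code."""
    return int.from_bytes(b, "big")


def checked_rejects(b: bytes) -> bool:
    """True if from_int_checked raises OverflowError for these 32 bytes."""
    try:
        Scalar.from_int_checked(int_from_bytes(b))
        return False
    except OverflowError:
        return True


def overflow_fraction_log2() -> float:
    """log2 of the fraction of 256-bit integers that are >= N.

    This is why wrapping a uniformly random 32-byte value is acceptable:
    the result is about -127.7, i.e. only ~2^-128 of all inputs are ever
    reduced, and each of those few values maps to exactly one residue.
    """
    overflow_count = (1 << 256) - N  # a 129-bit number
    return math.log2(overflow_count) - 256


def random_pad_wrapping() -> Scalar:
    """Generate a random scalar the way the issue describes for pads:
    32 random bytes, wrapped modulo N, with no error path to handle."""
    return Scalar.from_int_wrapping(int_from_bytes(secrets.token_bytes(32)))


if __name__ == "__main__":
    # Constructed inputs: exactly N (overflows by zero) and N + 5.
    at_n = N.to_bytes(32, "big")
    above_n = (N + 5).to_bytes(32, "big")
    print("wrap(N)   ->", Scalar.from_int_wrapping(int_from_bytes(at_n)).v)
    print("wrap(N+5) ->", Scalar.from_int_wrapping(int_from_bytes(above_n)).v)
    print("checked(N) raises:", checked_rejects(at_n))
    print("log2 P[overflow] for random 32 bytes:", overflow_fraction_log2())
    print("random pad:", hex(random_pad_wrapping().v))
```

The two constructors make the trade-off in the thread explicit: the wrapping form is the right one where the input is already uniform (pads, tagged hashes) and callers want no failure path, while the checked form is what a caller that must match libsecp256k1's overflow-is-an-error semantics, such as the ECDH path, should use. Seeing the overflow probability written down also shows why mixing the two at the pad-generation call sites changes nothing observable in practice, which is the consistency question the issue leaves open.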