Comments (2)
The assumption here is that f(k, x) = SHA256(k || x) is a PRF for fixed-length x. There are many valid other choices, e.g., HMAC-SHA256, but the reason why we rely on SHA256 is that it's anyway used in the signature scheme and we have never seen any concerns that the function as defined above is not a good PRF. If those concerns existed, then HMAC-SHA256 would probably be a bad choice too.
You could also rely on a function which is designed primarily as a PRF, e.g. AES or ChaCha20, but this simply needs more code on the signer side. Moreover, these functions are permutations, which means we need to make sure that the input has the same length as the output (or play tricks). That's also annoying with the discussion in #195 in mind.
edit: I think your misunderstanding here is that you assume that a hash function cannot be a PRF. And this is true syntactically (a hash has one input, a PRF has two inputs), but given a "good" hash function such as SHA256, we can also use it as a PRF if we add the key to the hashed data.
Thanks for the explanation.
Correct, my concern was that the construct wasn't a PRF. My thinking was that while the SHA256(k || x) output might seem suitable for this use, a PRF would have output that is theoretically provably pseudorandom.
Since the assumption is that in practice this construct is actually a PRF under the specified restrictions, then I don't have a further specific concern about it right now.
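The construction both comments discuss, f(k, x) = SHA256(k || x), written out with the fixed-length restriction enforced and the HMAC-SHA256 alternative from the first comment beside it. This is an added example, not code from the bips repository or from either commenter; the 32-byte key and input lengths are an assumption, and the docstring's reading of why the fixed-length domain matters is the editor's gloss.

```python
import hashlib
import hmac

# Assumed sizes (the thread fixes neither): a 32-byte key and a 32-byte input.
KEY_LEN = 32
X_LEN = 32


def in_domain(k: bytes, x: bytes) -> bool:
    """True iff (k, x) is a legal query for the fixed-length PRF."""
    return len(k) == KEY_LEN and len(x) == X_LEN


def prf_sha256(k: bytes, x: bytes) -> bytes:
    """f(k, x) = SHA256(k || x), defined only for fixed-length k and x.

    With both lengths fixed, k || x parses unambiguously and every input the
    compression function could be continued from (which would be longer than
    KEY_LEN + X_LEN) lies outside the domain, so the well-known structural
    weaknesses of a bare prefix construction never become legal queries.
    """
    if not in_domain(k, x):
        raise ValueError(
            f"expected {KEY_LEN}-byte key and {X_LEN}-byte input, "
            f"got {len(k)} and {len(x)}"
        )
    return hashlib.sha256(k + x).digest()


def prf_hmac_sha256(k: bytes, x: bytes) -> bytes:
    """Alternative named in the thread: HMAC-SHA256 keyed with k.

    Also a PRF under standard assumptions, but a different function, so the
    two are not interchangeable once test vectors exist.
    """
    if len(k) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN}-byte key, got {len(k)}")
    return hmac.new(k, x, hashlib.sha256).digest()


# Constructed sample values for demonstration only.
K = bytes(range(KEY_LEN))
X = hashlib.sha256(b"constructed fixed-length input").digest()


def demo() -> tuple[bytes, bytes]:
    """Evaluate both keyed functions on the same (k, x) pair."""
    return prf_sha256(K, X), prf_hmac_sha256(K, X)
```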