From 7f3611d2398f053d4c1a9889cb20d814bd6abedd Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Mon, 26 Aug 2019 11:32:04 +0000
Subject: Use a tagged hash in bip-schnorr nonce derivation
---
 bip-schnorr/reference.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'bip-schnorr')
diff --git a/bip-schnorr/reference.py b/bip-schnorr/reference.py
index f89b3c4..4f0d1df 100644
--- bip-schnorr/reference.py
+++ b/bip-schnorr/reference.py
@@ -5,6 +5,10 @@ p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
 n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
 G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
+def tagged_hash(tag, msg):
+ tag_hash = hashlib.sha256(tag.encode()).digest()
+ return hashlib.sha256(tag_hash + tag_hash + msg).digest()
+
 def point_add(P1, P2):
 if (P1 is None):
 return P2
@@ -61,7 +65,7 @@ def schnorr_sign(msg, seckey0):
 raise ValueError('The secret key must be an integer in the range 1..n-1.')
 P = point_mul(G, seckey0)
 seckey = seckey0 if (jacobi(P[1]) == 1) else n - seckey0
- k0 = int_from_bytes(hash_sha256(bytes_from_int(seckey) + msg)) % n
+ k0 = int_from_bytes(tagged_hash("BIPSchnorrDerive", bytes_from_int(seckey) + msg)) % n
 if k0 == 0:
 raise RuntimeError('Failure. This happens only with negligible probability.')
 R = point_mul(G, k0)
--
cgit v1.2.3
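Review bot: In the first hunk, `tagged_hash` is added without a docstring, although the construction it implements is the security-relevant part of this change: the digest is SHA256(SHA256(tag) || SHA256(tag) || msg), which separates hash domains by tag. I would add `"""Return SHA256(SHA256(tag) || SHA256(tag) || msg); tag is a str, msg is bytes."""` directly under the `def` line. The docstring should state the types because `tag.encode()` relies on the default UTF-8 encoding and `msg` must already be bytes, otherwise the concatenation raises TypeError. The tag digest is recomputed on every call, so a short comment that it can be cached per tag would help anyone porting this reference code.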
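Review bot: In the second hunk, the tag `"BIPSchnorrDerive"` is an inline literal on the new `k0 = ...` line and nothing ties it to the specification text. A mistyped tag would still produce signatures that verify, but they would no longer match other implementations, so a comment such as `# Tag must match the nonce-derivation tag in the BIP text exactly.` above the line would make the constraint visible. Because the nonce is derived deterministically from the key and message, this change alters every signature `schnorr_sign` produces. The diffstat lists only reference.py, so any fixed signing vectors with expected signatures would need regenerating in a companion change. `schnorr_sign` starts and ends outside the hunk, so it is not visible here whether the challenge hash later in the function is tagged as well.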