Category: Coding Mistakes

Differences between signHash and Sign

Low Severity
Low Impact
Low Likelihood

Description

Babylon's eots.signHash is adapted from btcd's btcec.Sign, but it differs in several ways:

  • It does not check that the nonce (privateRand) is nonzero.

  • It does not make use of the "BIP0340/aux" tag for the private key, nor the "BIP0340/nonce" tag for the nonce.

Impact

If the nonce is uniformly random, it will only be zero with probability , which is already the security parameter of the signature scheme.

Tagged hashes are a defense-in-depth against cross-context hash collisions, which are similarly low probability.

Recommendations

Add the corresponding tags and checks to eots.signHash — if this part of the extractable one-time signatures (EOTS) signature scheme remains after fixing the interaction with BIP-32.
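
The two hardening steps recommended above, as an added Go example that is not Babylon's or btcd's code: a BIP-340 tagged hash and a nonce check that rejects values that are zero modulo the secp256k1 group order. The names TaggedHash, CheckNonce, ErrZeroNonce and curveN are hypothetical, and math/big stands in for the scalar type a real implementation would use.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// curveN is the secp256k1 group order n.
var curveN, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

var ErrZeroNonce = errors.New("nonce is zero modulo the group order")

// TaggedHash computes SHA256(SHA256(tag) || SHA256(tag) || msgs...), the
// BIP-340 construction that separates hash uses such as "BIP0340/aux".
func TaggedHash(tag string, msgs ...[]byte) [32]byte {
	t := sha256.Sum256([]byte(tag))
	h := sha256.New()
	h.Write(t[:])
	h.Write(t[:])
	for _, m := range msgs {
		h.Write(m)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// CheckNonce reduces privateRand modulo n and rejects a zero result, so both
// an all-zero input and an exact multiple of n are refused.
func CheckNonce(privateRand []byte) (*big.Int, error) {
	k := new(big.Int).SetBytes(privateRand)
	if k.Mod(k, curveN).Sign() == 0 {
		return nil, ErrZeroNonce
	}
	return k, nil
}

func main() {
	msg := []byte("constructed sample message") // constructed input
	fmt.Printf("aux:   %x\n", TaggedHash("BIP0340/aux", msg))
	fmt.Printf("nonce: %x\n", TaggedHash("BIP0340/nonce", msg))
	_, err := CheckNonce(curveN.Bytes()) // n itself reduces to zero
	fmt.Println("nonce equal to n:", err)
}
```

The same message hashes to different digests under the two tags, which is the cross-context separation the Impact section refers to.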

Remediation

Tracked by https://github.com/babylonchain/babylon/issues/691

Zellic © 2025