Differences between signHash and Sign
Description
Babylon's eots.signHash is adapted from btcd's btcec.Sign, but it differs in several ways:
- It does not check that the nonce (privateRand) is nonzero.
- It does not make use of the "BIP0340/aux" tag for the private key, nor the "BIP0340/nonce" tag for the nonce.
Impact
If the nonce is uniformly random, it will only be zero with probability , which is already the security parameter of the signature scheme.
Tagged hashes are a defense-in-depth against cross-context hash collisions, which are similarly low probability.
Recommendations
Add the corresponding tags and checks to eots.signHash, if this part of the extractable one-time signatures (EOTS) signature scheme remains after fixing the interaction with BIP-32.
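As an added illustration (not Babylon's or btcd's code), this is the BIP-340 nonce derivation the recommendation refers to, with both tagged hashes and the zero-nonce check, written against the Go standard library only. The secret scalar, x-only public key, auxiliary randomness and message are constructed placeholders, and the public key is not actually derived from the scalar.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 group order n; BIP-340 reduces the nonce hash modulo n.
var secpN, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// taggedHash is BIP-340's domain-separated hash:
// SHA256(SHA256(tag) || SHA256(tag) || data...).
func taggedHash(tag string, data ...[]byte) [32]byte {
	th := sha256.Sum256([]byte(tag))
	h := sha256.New()
	h.Write(th[:])
	h.Write(th[:])
	for _, d := range data {
		h.Write(d)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// nonceFromHash reduces the "BIP0340/nonce" output mod n and rejects a zero
// nonce, the check the finding says eots.signHash omits.
func nonceFromHash(rand [32]byte) (*big.Int, error) {
	k := new(big.Int).SetBytes(rand[:])
	k.Mod(k, secpN)
	if k.Sign() == 0 {
		return nil, errors.New("nonce is zero; signing must fail")
	}
	return k, nil
}

// deriveNonce masks the 32-byte secret scalar d with the "BIP0340/aux" hash of
// aux, then hashes it with the x-only public key and message under "BIP0340/nonce".
func deriveNonce(d, pubX, aux, msg []byte) (*big.Int, error) {
	auxHash := taggedHash("BIP0340/aux", aux)
	t := make([]byte, 32)
	for i := range t {
		t[i] = d[i] ^ auxHash[i]
	}
	return nonceFromHash(taggedHash("BIP0340/nonce", t, pubX, msg))
}

func main() {
	d := bytes.Repeat([]byte{0x11}, 32)    // constructed scalar, not a real key
	pubX := bytes.Repeat([]byte{0x22}, 32) // constructed x-only public key
	aux := bytes.Repeat([]byte{0x33}, 32)  // constructed auxiliary randomness
	k, err := deriveNonce(d, pubX, aux, []byte("constructed message"))
	fmt.Println(k, err)
}
```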
Remediation
Tracked by https://github.com/babylonchain/babylon/issues/691