feat: implement BIP340 domain separation with 33-byte prefix

LLFourn · claude · LLFourn · commit d298d91686d1 · 2025-06-25T11:23:49.000+10:00
Before BIP340 was finalized, schnorr_fun implemented domain separation using a 64-byte padded prefix based on early discussions. Now that BIP340 has standardized domain separation, it recommends using either: - Pre-hashing with a domain-specific hash function (32 bytes), or - Prefixing with a 33-byte padded context string This commit adds Message::new() which implements the BIP340-compliant 33-byte prefix approach and deprecates Message::plain() to guide users toward the standard. The different prefix lengths (64 vs 33 bytes) ensure no collision between old and new signatures. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@
 - Upgrade to bincode v2
 - MSRV 1.63 -> 1.85
 - **BREAKING**: Refactor `CompactProof` in `sigma_fun` to use two type parameters `CompactProof<R, L>` instead of `CompactProof<S: Sigma>` to enable serde support
+- Add `Message::new` for BIP340-compliant domain separation using 33-byte padded prefix
+- Deprecate `Message::plain` which uses non-standard 64-byte prefix
 
 ## v0.11.0
 
diff --git a/schnorr_fun/src/adaptor/mod.rs b/schnorr_fun/src/adaptor/mod.rs
@@ -298,7 +298,7 @@ mod test {
         let signing_keypair = schnorr.new_keypair(secret_key);
         let verification_key = signing_keypair.public_key();
         let encryption_key = schnorr.encryption_key_for(&decryption_key);
-        let message = Message::<Public>::plain("test", b"give 100 coins to Bob".as_ref());
+        let message = Message::<Public>::new("test", b"give 100 coins to Bob".as_ref());
 
         let encrypted_signature =
             schnorr.encrypted_sign(&signing_keypair, &encryption_key, message);
diff --git a/schnorr_fun/src/frost/chilldkg.rs b/schnorr_fun/src/frost/chilldkg.rs
@@ -606,7 +606,7 @@ pub mod encpedpop {
         {
             schnorr.sign(
                 keypair,
-                Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),
             )
         }
 
@@ -620,7 +620,7 @@ pub mod encpedpop {
         ) -> bool {
             schnorr.verify(
                 &cert_key,
-                Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),
                 &signature,
             )
         }
diff --git a/schnorr_fun/src/frost/mod.rs b/schnorr_fun/src/frost/mod.rs
@@ -446,7 +446,7 @@ mod test {
         let session = frost.coordinator_sign_session(
             &frost_poly.into_xonly(),
             BTreeMap::from_iter([(s!(1).public(), nonce), (s!(2).public(), malicious_nonce)]),
-            Message::<Public>::plain("test", b"hello"),
+            Message::<Public>::new("test", b"hello"),
         );
 
         assert_eq!(session.final_nonce(), *G);
diff --git a/schnorr_fun/src/message.rs b/schnorr_fun/src/message.rs
@@ -14,16 +14,24 @@ pub struct Message<'a, S = Public> {
     /// The message bytes
     pub bytes: Slice<'a, S>,
     /// The optional application tag to separate the signature from other applications.
+    #[deprecated(
+        since = "0.11.0",
+        note = "Use Message::new for BIP340-style domain separation"
+    )]
     pub app_tag: Option<&'static str>,
+    /// The domain separator for BIP340-style domain separation (33-byte prefix)
+    pub bip340_domain_sep: Option<&'static str>,
 }
 
+#[allow(deprecated)]
 impl<'a, S: Secrecy> Message<'a, S> {
-    /// Create a raw message with no `app_tag`. The message bytes will be passed straight into the
+    /// Create a raw message with no domain separation. The message bytes will be passed straight into the
     /// challenge hash. Usually, you only use this when signing a pre-hashed message.
     pub fn raw(bytes: &'a [u8]) -> Self {
         Message {
             bytes: Slice::from(bytes),
             app_tag: None,
+            bip340_domain_sep: None,
         }
     }
 
@@ -32,18 +40,51 @@ impl<'a, S: Secrecy> Message<'a, S> {
         Self::raw(&[])
     }
 
+    /// Create a message with BIP340-style domain separation using a 33-byte prefix.
+    ///
+    /// The domain separator will be padded with null bytes to exactly 33 bytes and
+    /// prefixed to the message, as recommended in BIP340 for domain separation.
+    ///
+    /// # Example
+    /// ```
+    /// use schnorr_fun::{Message, fun::marker::Public};
+    /// let message = Message::<Public>::new("my-app/sign", b"hello world");
+    /// ```
+    pub fn new(domain_sep: &'static str, bytes: &'a [u8]) -> Self {
+        assert!(!domain_sep.is_empty(), "domain separator must not be empty");
+        assert!(
+            domain_sep.len() <= 33,
+            "domain separator must be 33 bytes or less"
+        );
+        Message {
+            bytes: Slice::from(bytes),
+            app_tag: None,
+            bip340_domain_sep: Some(domain_sep),
+        }
+    }
+
     /// Signs a plain variable length message.
     ///
     /// You must provide an application tag to make sure signatures valid in one context are not
     /// valid in another. The tag is used as described [here].
     ///
+    /// **Deprecation Note**: This method was implemented before BIP340 had finalized its
+    /// recommendation for domain separation. BIP340 now recommends using a 33-byte padded
+    /// prefix instead of the 64-byte prefix used by this method. Use [`Message::new`] instead,
+    /// which implements the BIP340-compliant domain separation.
+    ///
     /// [here]: https://github.com/sipa/bips/issues/207#issuecomment-673681901
+    #[deprecated(
+        since = "0.12.0",
+        note = "Use Message::new for BIP340-style domain separation. This method uses a 64-byte prefix which predates the BIP340 specification."
+    )]
     pub fn plain(app_tag: &'static str, bytes: &'a [u8]) -> Self {
         assert!(app_tag.len() <= 64, "tag must be 64 bytes or less");
         assert!(!app_tag.is_empty(), "tag must not be empty");
         Message {
             bytes: Slice::from(bytes),
             app_tag: Some(app_tag),
+            bip340_domain_sep: None,
         }
     }
 
@@ -54,21 +95,28 @@ impl<'a, S: Secrecy> Message<'a, S> {
 
     /// Length of the message as it is hashed
     pub fn len(&self) -> usize {
-        match self.app_tag {
-            Some(_) => 64 + self.bytes.as_inner().len(),
-            None => self.bytes.as_inner().len(),
+        match (self.app_tag, self.bip340_domain_sep) {
+            (Some(_), _) => 64 + self.bytes.as_inner().len(),
+            (_, Some(_)) => 33 + self.bytes.as_inner().len(), // BIP340 style uses 33-byte prefix
+            (None, None) => self.bytes.as_inner().len(),
         }
     }
 }
 
+#[allow(deprecated)]
 impl<S> HashInto for Message<'_, S> {
     fn hash_into(self, hash: &mut impl digest::Update) {
         if let Some(prefix) = self.app_tag {
             let mut padded_prefix = [0u8; 64];
             padded_prefix[..prefix.len()].copy_from_slice(prefix.as_bytes());
             hash.update(&padded_prefix);
+        } else if let Some(domain_sep) = self.bip340_domain_sep {
+            // BIP340-style domain separation: 33-byte prefix
+            let mut padded_prefix = [0u8; 33];
+            padded_prefix[..domain_sep.len()].copy_from_slice(domain_sep.as_bytes());
+            hash.update(&padded_prefix);
         }
-        hash.update(<&[u8]>::from(self.bytes));
+        hash.update(self.bytes.as_inner());
     }
 }
 
@@ -78,15 +126,48 @@ mod test {
     use sha2::{Digest, Sha256};
 
     #[test]
-    fn message_hash_into() {
-        let mut hash1 = Sha256::default();
-        hash1.update("test");
-        hash1.update([0u8; 60].as_ref());
-        hash1.update("hello world");
+    fn bip340_domain_separation() {
+        // Test that BIP340 domain separation uses 33-byte prefix
+        let msg = Message::<Public>::new("test", b"hello");
+
+        // Expected: "test" padded to 33 bytes + "hello"
+        let mut expected_hash = Sha256::default();
+        let mut padded_prefix = [0u8; 33];
+        padded_prefix[..4].copy_from_slice(b"test");
+        expected_hash.update(&padded_prefix);
+        expected_hash.update(b"hello");
+
+        let mut actual_hash = Sha256::default();
+        msg.hash_into(&mut actual_hash);
+
+        assert_eq!(expected_hash.finalize(), actual_hash.finalize());
+
+        // Test length calculation
+        assert_eq!(msg.len(), 33 + 5); // 33-byte prefix + 5-byte message
+    }
+
+    #[test]
+    fn message_new_fixed_key_signature() {
+        use crate::{fun::s, new_with_deterministic_nonces};
+        use core::str::FromStr;
+
+        // Fixed test to ensure Message::new domain separation doesn't accidentally change
+        let schnorr = new_with_deterministic_nonces::<Sha256>();
+        let secret_key = s!(42);
+        let keypair = schnorr.new_keypair(secret_key);
+
+        let message = Message::<Public>::new("test-app", b"test message");
+        let signature = schnorr.sign(&keypair, message);
 
-        let mut hash2 = Sha256::default();
-        Message::<Public>::plain("test", b"hello world").hash_into(&mut hash2);
+        // This signature was generated with the current implementation and should never change
+        // to ensure backwards compatibility
+        let expected_sig = crate::Signature::<Public>::from_str(
+            "5c49762df465f21993af631caedb3e478793142e15f200e70511e5af71387e52a3b9b6af189fa4b28a767254f2a8977f2e9db1866ad4dfbb083bb4fbd8dfe82e"
+        ).unwrap();
 
-        assert_eq!(hash1.finalize(), hash2.finalize());
+        assert_eq!(
+            signature, expected_sig,
+            "Message::new signature changed! This breaks backwards compatibility."
+        );
     }
 }
diff --git a/schnorr_fun/src/musig.rs b/schnorr_fun/src/musig.rs
@@ -761,7 +761,7 @@ mod test {
             assert_eq!(agg_key1.agg_public_key(), agg_key3.agg_public_key());
 
             let message =
-                Message::<Public>::plain("test", b"Chancellor on brink of second bailout for banks");
+                Message::<Public>::new("test", b"Chancellor on brink of second bailout for banks");
 
             let session_id = message.bytes.into();
 
@@ -856,7 +856,7 @@ mod test {
             ]).into_xonly_key();
 
             let message =
-                Message::<Public>::plain("test", b"Chancellor on brink of second bailout for banks");
+                Message::<Public>::new("test", b"Chancellor on brink of second bailout for banks");
 
             let session_id = message.bytes.into();
 
diff --git a/schnorr_fun/src/schnorr.rs b/schnorr_fun/src/schnorr.rs
@@ -122,7 +122,7 @@ where
     /// # };
     /// let schnorr = schnorr_fun::new_with_deterministic_nonces::<sha2::Sha256>();
     /// let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
-    /// let message = Message::<Public>::plain(
+    /// let message = Message::<Public>::new(
     ///     "times-of-london",
     ///     b"Chancellor on brink of second bailout for banks",
     /// );
@@ -171,7 +171,7 @@ impl<NG, CH: Hash32> Schnorr<CH, NG> {
     /// ```
     /// use schnorr_fun::{Message, Schnorr, Signature, fun::prelude::*};
     /// let schnorr = schnorr_fun::new_with_deterministic_nonces::<sha2::Sha256>();
-    /// let message = Message::<Public>::plain("my-app", b"we rolled our own schnorr!");
+    /// let message = Message::<Public>::new("my-app", b"we rolled our own schnorr!");
     /// let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
     /// let mut r = Scalar::random(&mut rand::thread_rng());
     /// let R = Point::even_y_from_scalar_mul(G, &mut r);
@@ -300,24 +300,25 @@ mod test {
             Scalar::from_str("18451f9e08af9530814243e202a4a977130e672079f5c14dcf15bd4dee723072")
                 .unwrap();
         let keypair = schnorr.new_keypair(x);
+
+        // Test new method for domain separation
         assert_ne!(
             schnorr.sign(&keypair, Message::<Public>::raw(b"foo")).R,
             schnorr
-                .sign(&keypair, Message::<Public>::plain("one", b"foo"))
+                .sign(&keypair, Message::<Public>::new("one", b"foo"))
                 .R
         );
         assert_ne!(
             schnorr
-                .sign(&keypair, Message::<Public>::plain("one", b"foo"))
+                .sign(&keypair, Message::<Public>::new("one", b"foo"))
                 .R,
             schnorr
-                .sign(&keypair, Message::<Public>::plain("two", b"foo"))
+                .sign(&keypair, Message::<Public>::new("two", b"foo"))
                 .R
         );
 
         // make sure deterministic signatures don't change
         assert_eq!(schnorr.sign(&keypair, Message::<Public>::raw(b"foo")), Signature::<Public>::from_str("fe9e5d0319d5d221988d6fd7fe1c4bedd2fb4465f592f1002f461503332a266977bb4a0b00c00d07072c796212cbea0957ebaaa5139143761c45d997ebe36cbe").unwrap());
-        assert_eq!(schnorr.sign(&keypair, Message::<Public>::plain("one", b"foo")), Signature::<Public>::from_str("2fcf6fd140bbc4048e802c62f028e24f6534e0d15d450963265b67eead774d8b4aa7638bec9d70aa60b97e86bc4a60bf43ad2ff58e981ee1bba4f45ce02ff2c0").unwrap());
     }
 
     proptest! {
@@ -326,7 +327,7 @@ mod test {
         fn anticipated_signature_on_should_correspond_to_actual_signature(sk in any::<Scalar>()) {
             let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
             let keypair = schnorr.new_keypair(sk);
-            let msg = Message::<Public>::plain(
+            let msg = Message::<Public>::new(
                 "test",
                 b"Chancellor on brink of second bailout for banks",
             );
@@ -349,8 +350,8 @@ mod test {
             let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
             let keypair_1 = schnorr.new_keypair(s1);
             let keypair_2 = schnorr.new_keypair(s2);
-            let msg_atkdwn = Message::<Public>::plain("test", b"attack at dawn");
-            let msg_rtrtnoon = Message::<Public>::plain("test", b"retreat at noon");
+            let msg_atkdwn = Message::<Public>::new("test", b"attack at dawn");
+            let msg_rtrtnoon = Message::<Public>::new("test", b"retreat at noon");
             let signature_1 = schnorr.sign(&keypair_1, msg_atkdwn);
             let signature_2 = schnorr.sign(&keypair_1, msg_atkdwn);
             let signature_3 = schnorr.sign(&keypair_1, msg_rtrtnoon);
diff --git a/schnorr_fun/tests/frost_prop.rs b/schnorr_fun/tests/frost_prop.rs
@@ -82,7 +82,7 @@ proptest! {
 
 
         let sid = b"frost-prop-test".as_slice();
-        let message = Message::plain("test", b"test");
+        let message = Message::new("test", b"test");
 
         let secret_nonces: BTreeMap<_, _> = secret_shares_of_signers.iter().map(|paired_secret_share| {
             (paired_secret_share.secret_share().index, frost.gen_nonce::<ChaCha20Rng>(

Original file line number	Diff line number	Diff line change
`@@ -606,7 +606,7 @@ pub mod encpedpop {`
`606`	`606`	`{`
`607`	`607`	`schnorr.sign(`
`608`	`608`	`keypair,`
`609`		`- Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),`
	`609`	`+ Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),`
`610`	`610`	`)`
`611`	`611`	`}`
`612`	`612`
`@@ -620,7 +620,7 @@ pub mod encpedpop {`
`620`	`620`	`) -> bool {`
`621`	`621`	`schnorr.verify(`
`622`	`622`	`&cert_key,`
`623`		`- Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),`
	`623`	`+ Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),`
`624`	`624`	`&signature,`
`625`	`625`	`)`
`626`	`626`	`}`