feat: implement BIP340 domain separation with 33-byte prefix

This implements proper domain separation as recommended in BIP340.
The old Message::plain() method that used a 64-byte prefix (which
predated the BIP340 specification) has been deprecated in favor of
the new Message::new() method that uses BIP340's recommended 33-byte
padded prefix for domain separation.

Author: LLFourn

CHANGELOG.md

@@ -10,6 +10,8 @@
   - `hash_to_curve` - Simple try-and-increment with uniform distribution (recommended)
   - `hash_to_curve_sswu` - RFC 9380 compliant constant-time hashing
   - `hash_to_curve_rfc9381_tai` - RFC 9381 VRF try-and-increment format
+- Add `Message::new` for BIP340-compliant domain separation using 33-byte padded prefix
+- Deprecate `Message::plain` which uses non-standard 64-byte prefix
 
 ## v0.11.0
 
@@ -21,7 +23,6 @@
 - Add `Hash32` trait to collect all the useful hash traits we use all over the place
 - Add our own take on [chill-dkg](ttps://github.com/BlockstreamResearch/bip-frost-dkg/tree/master) WIP BIP
 
-
 ## v0.10.0
 
 - Change `Scalar::from_bytes` to work for `Scalar<_, NonZero>` as well.
@@ -67,7 +68,6 @@
 - Change the `from_bytes` type commands to not assume secrecy in `Scalar` and `Point`.
 - Update to rust-secp256k1 v0.25.0
 
-
 ## 0.7.1
 
 - Fix critical bug in MuSig2 implementation where multiple tweaks would break it
@@ -88,4 +88,3 @@
 ## 0.6.1
 
 - Fix serialization of `Point<EvenY>`
-

schnorr_fun/src/adaptor/mod.rs

@@ -298,7 +298,7 @@ mod test {
         let signing_keypair = schnorr.new_keypair(secret_key);
         let verification_key = signing_keypair.public_key();
         let encryption_key = schnorr.encryption_key_for(&decryption_key);
-        let message = Message::<Public>::plain("test", b"give 100 coins to Bob".as_ref());
+        let message = Message::<Public>::new("test", b"give 100 coins to Bob".as_ref());
 
         let encrypted_signature =
             schnorr.encrypted_sign(&signing_keypair, &encryption_key, message);

schnorr_fun/src/frost/chilldkg.rs

@@ -606,7 +606,7 @@ pub mod encpedpop {
         {
             schnorr.sign(
                 keypair,
-                Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),
             )
         }
 
@@ -620,7 +620,7 @@ pub mod encpedpop {
         ) -> bool {
             schnorr.verify(
                 &cert_key,
-                Message::<Public>::plain("BIP DKG/cert", self.cert_bytes().as_ref()),
+                Message::<Public>::new("BIP DKG/cert", self.cert_bytes().as_ref()),
                 &signature,
             )
         }

schnorr_fun/src/frost/mod.rs

@@ -446,7 +446,7 @@ mod test {
         let session = frost.coordinator_sign_session(
             &frost_poly.into_xonly(),
             BTreeMap::from_iter([(s!(1).public(), nonce), (s!(2).public(), malicious_nonce)]),
-            Message::<Public>::plain("test", b"hello"),
+            Message::<Public>::new("test", b"hello"),
         );
 
         assert_eq!(session.final_nonce(), *G);

schnorr_fun/src/message.rs

@@ -14,16 +14,26 @@ pub struct Message<'a, S = Public> {
     /// The message bytes
     pub bytes: Slice<'a, S>,
     /// The optional application tag to separate the signature from other applications.
+    #[deprecated(
+        since = "0.11.0",
+        note = "Use Message::new for BIP340-style domain separation"
+    )]
     pub app_tag: Option<&'static str>,
+    /// The domain separator for [BIP340]-style domain separation (33-byte prefix)
+    ///
+    /// [BIP340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
+    pub bip340_domain_sep: Option<&'static str>,
 }
 
+#[allow(deprecated)]
 impl<'a, S: Secrecy> Message<'a, S> {
-    /// Create a raw message with no `app_tag`. The message bytes will be passed straight into the
+    /// Create a raw message with no domain separation. The message bytes will be passed straight into the
     /// challenge hash. Usually, you only use this when signing a pre-hashed message.
     pub fn raw(bytes: &'a [u8]) -> Self {
         Message {
             bytes: Slice::from(bytes),
             app_tag: None,
+            bip340_domain_sep: None,
         }
     }
 
@@ -32,18 +42,55 @@ impl<'a, S: Secrecy> Message<'a, S> {
         Self::raw(&[])
     }
 
+    /// Create a message with [BIP340]-style domain separation using a 33-byte prefix.
+    ///
+    /// The domain separator will be padded with null bytes to exactly 33 bytes and
+    /// prefixed to the message, as recommended in [BIP340] for domain separation.
+    ///
+    /// [BIP340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
+    ///
+    /// # Example
+    /// ```
+    /// use schnorr_fun::{Message, fun::marker::Public};
+    /// let message = Message::<Public>::new("my-app/sign", b"hello world");
+    /// ```
+    pub fn new(domain_sep: &'static str, bytes: &'a [u8]) -> Self {
+        assert!(!domain_sep.is_empty(), "domain separator must not be empty");
+        assert!(
+            domain_sep.len() <= 33,
+            "domain separator must be 33 bytes or less"
+        );
+        Message {
+            bytes: Slice::from(bytes),
+            app_tag: None,
+            bip340_domain_sep: Some(domain_sep),
+        }
+    }
+
     /// Signs a plain variable length message.
     ///
     /// You must provide an application tag to make sure signatures valid in one context are not
     /// valid in another. The tag is used as described [here].
     ///
+    /// **Deprecation Note**: This method was implemented before [BIP340] had finalized its
+    /// recommendation for domain separation. [BIP340] now recommends using a 33-byte padded
+    /// prefix instead of the 64-byte prefix used by this method. Use [`Message::new`] instead,
+    /// which implements the [BIP340]-compliant domain separation.
+    ///
+    /// [BIP340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
+    ///
     /// [here]: https://github.com/sipa/bips/issues/207#issuecomment-673681901
+    #[deprecated(
+        since = "0.12.0",
+        note = "Use Message::new for BIP340-style domain separation. This method uses a 64-byte prefix which predates the BIP340 specification."
+    )]
     pub fn plain(app_tag: &'static str, bytes: &'a [u8]) -> Self {
         assert!(app_tag.len() <= 64, "tag must be 64 bytes or less");
         assert!(!app_tag.is_empty(), "tag must not be empty");
         Message {
             bytes: Slice::from(bytes),
             app_tag: Some(app_tag),
+            bip340_domain_sep: None,
         }
     }
 
@@ -54,21 +101,28 @@ impl<'a, S: Secrecy> Message<'a, S> {
 
     /// Length of the message as it is hashed
     pub fn len(&self) -> usize {
-        match self.app_tag {
-            Some(_) => 64 + self.bytes.as_inner().len(),
-            None => self.bytes.as_inner().len(),
+        match (self.app_tag, self.bip340_domain_sep) {
+            (Some(_), _) => 64 + self.bytes.as_inner().len(),
+            (_, Some(_)) => 33 + self.bytes.as_inner().len(), // BIP340 style uses 33-byte prefix
+            (None, None) => self.bytes.as_inner().len(),
         }
     }
 }
 
+#[allow(deprecated)]
 impl<S> HashInto for Message<'_, S> {
     fn hash_into(self, hash: &mut impl digest::Update) {
         if let Some(prefix) = self.app_tag {
             let mut padded_prefix = [0u8; 64];
             padded_prefix[..prefix.len()].copy_from_slice(prefix.as_bytes());
             hash.update(&padded_prefix);
+        } else if let Some(domain_sep) = self.bip340_domain_sep {
+            // BIP340-style domain separation: 33-byte prefix
+            let mut padded_prefix = [0u8; 33];
+            padded_prefix[..domain_sep.len()].copy_from_slice(domain_sep.as_bytes());
+            hash.update(&padded_prefix);
         }
-        hash.update(<&[u8]>::from(self.bytes));
+        hash.update(self.bytes.as_inner());
     }
 }
 
@@ -78,15 +132,48 @@ mod test {
     use sha2::{Digest, Sha256};
 
     #[test]
-    fn message_hash_into() {
-        let mut hash1 = Sha256::default();
-        hash1.update("test");
-        hash1.update([0u8; 60].as_ref());
-        hash1.update("hello world");
+    fn bip340_domain_separation() {
+        // Test that BIP340 domain separation uses 33-byte prefix
+        let msg = Message::<Public>::new("test", b"hello");
+
+        // Expected: "test" padded to 33 bytes + "hello"
+        let mut expected_hash = Sha256::default();
+        let mut padded_prefix = [0u8; 33];
+        padded_prefix[..4].copy_from_slice(b"test");
+        expected_hash.update(&padded_prefix);
+        expected_hash.update(b"hello");
+
+        let mut actual_hash = Sha256::default();
+        msg.hash_into(&mut actual_hash);
+
+        assert_eq!(expected_hash.finalize(), actual_hash.finalize());
+
+        // Test length calculation
+        assert_eq!(msg.len(), 33 + 5); // 33-byte prefix + 5-byte message
+    }
+
+    #[test]
+    fn message_new_fixed_key_signature() {
+        use crate::{fun::s, new_with_deterministic_nonces};
+        use core::str::FromStr;
+
+        // Fixed test to ensure Message::new domain separation doesn't accidentally change
+        let schnorr = new_with_deterministic_nonces::<Sha256>();
+        let secret_key = s!(42);
+        let keypair = schnorr.new_keypair(secret_key);
+
+        let message = Message::<Public>::new("test-app", b"test message");
+        let signature = schnorr.sign(&keypair, message);
 
-        let mut hash2 = Sha256::default();
-        Message::<Public>::plain("test", b"hello world").hash_into(&mut hash2);
+        // This signature was generated with the current implementation and should never change
+        // to ensure backwards compatibility
+        let expected_sig = crate::Signature::<Public>::from_str(
+            "5c49762df465f21993af631caedb3e478793142e15f200e70511e5af71387e52a3b9b6af189fa4b28a767254f2a8977f2e9db1866ad4dfbb083bb4fbd8dfe82e"
+        ).unwrap();
 
-        assert_eq!(hash1.finalize(), hash2.finalize());
+        assert_eq!(
+            signature, expected_sig,
+            "Message::new signature changed! This breaks backwards compatibility."
+        );
     }
 }

schnorr_fun/src/musig.rs

@@ -761,7 +761,7 @@ mod test {
             assert_eq!(agg_key1.agg_public_key(), agg_key3.agg_public_key());
 
             let message =
-                Message::<Public>::plain("test", b"Chancellor on brink of second bailout for banks");
+                Message::<Public>::new("test", b"Chancellor on brink of second bailout for banks");
 
             let session_id = message.bytes.into();
 
@@ -856,7 +856,7 @@ mod test {
             ]).into_xonly_key();
 
             let message =
-                Message::<Public>::plain("test", b"Chancellor on brink of second bailout for banks");
+                Message::<Public>::new("test", b"Chancellor on brink of second bailout for banks");
 
             let session_id = message.bytes.into();
 

schnorr_fun/src/schnorr.rs

@@ -91,7 +91,9 @@ where
     CH: Default + Tag,
     NG: Default + Tag,
 {
-    /// Returns a Schnorr instance tagged in the default way according to BIP340.
+    /// Returns a Schnorr instance tagged in the default way according to [BIP340].
+    ///
+    /// [BIP340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
     ///
     /// # Examples
     ///
@@ -122,7 +124,7 @@ where
     /// # };
     /// let schnorr = schnorr_fun::new_with_deterministic_nonces::<sha2::Sha256>();
     /// let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
-    /// let message = Message::<Public>::plain(
+    /// let message = Message::<Public>::new(
     ///     "times-of-london",
     ///     b"Chancellor on brink of second bailout for banks",
     /// );
@@ -171,7 +173,7 @@ impl<NG, CH: Hash32> Schnorr<CH, NG> {
     /// ```
     /// use schnorr_fun::{Message, Schnorr, Signature, fun::prelude::*};
     /// let schnorr = schnorr_fun::new_with_deterministic_nonces::<sha2::Sha256>();
-    /// let message = Message::<Public>::plain("my-app", b"we rolled our own schnorr!");
+    /// let message = Message::<Public>::new("my-app", b"we rolled our own schnorr!");
     /// let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
     /// let mut r = Scalar::random(&mut rand::thread_rng());
     /// let R = Point::even_y_from_scalar_mul(G, &mut r);
@@ -300,24 +302,25 @@ mod test {
             Scalar::from_str("18451f9e08af9530814243e202a4a977130e672079f5c14dcf15bd4dee723072")
                 .unwrap();
         let keypair = schnorr.new_keypair(x);
+
+        // Test new method for domain separation
         assert_ne!(
             schnorr.sign(&keypair, Message::<Public>::raw(b"foo")).R,
             schnorr
-                .sign(&keypair, Message::<Public>::plain("one", b"foo"))
+                .sign(&keypair, Message::<Public>::new("one", b"foo"))
                 .R
         );
         assert_ne!(
             schnorr
-                .sign(&keypair, Message::<Public>::plain("one", b"foo"))
+                .sign(&keypair, Message::<Public>::new("one", b"foo"))
                 .R,
             schnorr
-                .sign(&keypair, Message::<Public>::plain("two", b"foo"))
+                .sign(&keypair, Message::<Public>::new("two", b"foo"))
                 .R
         );
 
         // make sure deterministic signatures don't change
         assert_eq!(schnorr.sign(&keypair, Message::<Public>::raw(b"foo")), Signature::<Public>::from_str("fe9e5d0319d5d221988d6fd7fe1c4bedd2fb4465f592f1002f461503332a266977bb4a0b00c00d07072c796212cbea0957ebaaa5139143761c45d997ebe36cbe").unwrap());
-        assert_eq!(schnorr.sign(&keypair, Message::<Public>::plain("one", b"foo")), Signature::<Public>::from_str("2fcf6fd140bbc4048e802c62f028e24f6534e0d15d450963265b67eead774d8b4aa7638bec9d70aa60b97e86bc4a60bf43ad2ff58e981ee1bba4f45ce02ff2c0").unwrap());
     }
 
     proptest! {
@@ -326,7 +329,7 @@ mod test {
         fn anticipated_signature_on_should_correspond_to_actual_signature(sk in any::<Scalar>()) {
             let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
             let keypair = schnorr.new_keypair(sk);
-            let msg = Message::<Public>::plain(
+            let msg = Message::<Public>::new(
                 "test",
                 b"Chancellor on brink of second bailout for banks",
             );
@@ -349,8 +352,8 @@ mod test {
             let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
             let keypair_1 = schnorr.new_keypair(s1);
             let keypair_2 = schnorr.new_keypair(s2);
-            let msg_atkdwn = Message::<Public>::plain("test", b"attack at dawn");
-            let msg_rtrtnoon = Message::<Public>::plain("test", b"retreat at noon");
+            let msg_atkdwn = Message::<Public>::new("test", b"attack at dawn");
+            let msg_rtrtnoon = Message::<Public>::new("test", b"retreat at noon");
             let signature_1 = schnorr.sign(&keypair_1, msg_atkdwn);
             let signature_2 = schnorr.sign(&keypair_1, msg_atkdwn);
             let signature_3 = schnorr.sign(&keypair_1, msg_rtrtnoon);

schnorr_fun/tests/against_c_lib.rs

@@ -12,10 +12,12 @@ use secp256kfun::{
 };
 use sha2::Sha256;
 
-/// Compliance type for no aux BIP340 libsecp256k1 implementation.
+/// Compliance type for no aux [BIP340] libsecp256k1 implementation.
 ///
 /// This type is expected to be used in [`Schnorr`] context and receive a tag "BIP0340" to be
-/// compatible with BIP 340 no auxiliary data, i.e. aux is set to null 32-bytes array.
+/// compatible with [BIP340] no auxiliary data, i.e. aux is set to null 32-bytes array.
+///
+/// [BIP340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 #[derive(Clone, Debug, Default)]
 struct Bip340NoAux {
     nonce_hash: Sha256,

schnorr_fun/tests/frost_prop.rs

@@ -82,7 +82,7 @@ proptest! {
 
 
         let sid = b"frost-prop-test".as_slice();
-        let message = Message::plain("test", b"test");
+        let message = Message::new("test", b"test");
 
         let secret_nonces: BTreeMap<_, _> = secret_shares_of_signers.iter().map(|paired_secret_share| {
             (paired_secret_share.secret_share().index, frost.gen_nonce::<ChaCha20Rng>(