Why do we provide schnorr signing with aux randomness? #877

@tcharding

I learned that the auxiliary randomness is to help prevent side channel attacks. Is that the only thing it's for? We do not document `sign_with_aux_rand` other than

    /// Creates a schnorr signature using the given auxiliary random data.

Using this function means the signature is non-deterministic which means that signing the same thing twice with different randomness creates different signatures. This might all be obvious to a cryptographer but to me it was surprising to think that different sigs came from signing the same thing, especially when the actual call into the secp lib is far from the code one is reasoning about.

According to this post (2 years old) Core does not support aux data.

What was the reason we chose to support this and why do we elect to use it in bitcoin? This came up while reviewing rust-bitcoin/rust-bitcoin#5293.

Is this the blessed way to sign if one has randomness available, or are there benefits to deterministic sigs that should be outlined in the docs? Also, should `bitcoin::Psbt` document that the schnorr sigs are not deterministic? Should `Psbt` provide a way to sign deterministically?

Thanks

P.S. maybe this should be a discussion in github.com/rust-bitcoin/rust-bitcoin?
