BIP340 Schnorr should accept arbitrary length messages

[randombit]

BIP340 was modified last year to allow arbitrary length inputs instead of just 32 bytes. But verify_prehash continues to require the message be exactly 32 bytes. Curiously (IIUC) it's already possible to sign messages longer than 32 bytes, as I don't see any length check in that code. As I understand it all that's required is to remove the line

let prehash: [u8; 32] = prehash.try_into().map_err(|_| Error::new())?;

and pass the arbitrarily sized prehash to the inner tagged hash.

[tarcieri]

We can support this, but I wonder if verify_prehash is perhaps the wrong method name in that case, since its contract is the input must be the output of a cryptographic digest function: https://docs.rs/signature/latest/signature/hazmat/trait.PrehashVerifier.html#tymethod.verify_prehash

Or that is to say, we can add another method verify_prehash calls, if only to preserve the existing trait impl. Possibly verify_raw?

Curiously (IIUC) it's already possible to sign messages longer than 32 bytes, as I don't see any length check in that code.

Huh? How?

[randombit]

Huh? How?

Sorry, that's not the case - I misread the signing code.

[tarcieri]

This is an odd detail in the section of BIP340 you linked above:

If large messages are not pre-hashed, the algorithms of the signature scheme will perform more hashing internally.

So this is in fact some separate signing/verification mode that conditionally hashes depending on the input length?

[randombit]

I'm assuming that's referring to the inner tagged hash that actually generates the Schnorr challenge and by "more hashing" they mean "more iterations of the compression function"

[tarcieri]

But all those things remain the same for small messages as well?

[tarcieri]

@randombit if you're familiar with the specific semantics of this (I'm still a bit unclear) perhaps you could open a PR which implements this?