@storopoli
Last active May 9, 2024 13:13
BDK PR Review Club - 2024-05-09

PR discussed: bitcoindevkit/bdk#1395

  1. Why does BDK need pseudorandom number generators (PRNGs)? Particularly in signing and in building a transaction.

    • Why when signing a tx?

      A: Because of nonces. Even without a PRNG, a deterministic nonce is generated that depends on the private key and the message. See the example code in libsecp256k1, and section 3 of RFC 6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

    • Why when building a tx?

      A: Because BDK shuffles the inputs and outputs of a transaction by default. Branch and bound is the default coin selection option.

    • What are the privacy implications of how transaction input/outputs are ordered?

      A: It can hide details of the wallet that would otherwise be inferred from the inputs, since the ordering of the coin selection output is now randomized; it also makes change addresses harder to detect, since the position of the change address among the outputs is randomized. BDK also uses single random draw as a fallback to branch and bound during coin selection.

    • What is the impact on users when changing how coin selection behaves?

      A: Users become susceptible to fingerprinting through the default coin selection behavior, for example.

    • What are some different coin selection strategies that could replace single random draw?

      A: That is a full rabbit hole in itself. See Coin selection on Bitcoin Optech.

  2. How would you bring your own PRNG?

    A: In Rust you can do this with rand::thread_rng or anything else that implements the rand::Rng trait.

  3. How would you bring your own PRNG in WASM?

    A: The getrandom crate, which provides an interface to the operating system's random number generator, can be used. More specifically, its js feature assumes that you are building for an environment containing JavaScript and will call the appropriate methods; it supports both a web browser and Node.js.
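As an added example for questions 2 and 3 (not code from this gist or from BDK): a Fisher-Yates shuffle of transaction inputs or outputs that is generic over an injected RNG, which is the shape "bring your own PRNG" takes in practice. So that it builds stand-alone without the rand crate, it defines a hypothetical Rng trait in place of rand::Rng, and a seedable xorshift64* generator that exists only to make tests reproducible; a real wallet would bound on rand::Rng and pass rand::thread_rng() or a getrandom-backed source.

```rust
// Added example (not BDK code): `Rng` is a stand-in for the `rand::Rng` trait so this
// builds without external crates; real BDK code bounds on `rand::Rng` (e.g. thread_rng()).
pub trait Rng {
    fn next_u64(&mut self) -> u64;
}

/// xorshift64*: tiny, seedable and NOT cryptographically secure. Used here only to make
/// the shuffle reproducible in tests; a wallet must inject an OS-backed RNG instead.
pub struct XorShift64Star(u64);
impl XorShift64Star {
    pub fn seed_from_u64(seed: u64) -> Self {
        // xorshift state must never be zero
        XorShift64Star(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }
}
impl Rng for XorShift64Star {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
}

/// Uniform index in 0..n by rejection sampling, so no modulo bias skews the ordering.
pub fn gen_below<R: Rng>(rng: &mut R, n: u64) -> u64 {
    let zone = u64::MAX - (u64::MAX % n);
    loop {
        let v = rng.next_u64();
        if v < zone { return v % n; }
    }
}

/// Fisher-Yates shuffle generic over the injected RNG, the same shape BDK uses to
/// randomise input and output order when building a transaction.
pub fn shuffle<T, R: Rng>(items: &mut [T], rng: &mut R) {
    for i in (1..items.len()).rev() {
        let j = gen_below(rng, i as u64 + 1) as usize;
        items.swap(i, j);
    }
}

/// Test helper: same seed, same order. Production callers pass the OS-backed RNG.
pub fn shuffle_with_seed<T: Clone>(items: &[T], seed: u64) -> Vec<T> {
    let mut out = items.to_vec();
    shuffle(&mut out, &mut XorShift64Star::seed_from_u64(seed));
    out
}
```

Injecting the generator as a parameter is what lets tests pin the ordering with a seed while production keeps an unpredictable source, which is the property the privacy argument above depends on.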
