I found two inconsistencies while reviewing/implementing the Halfagg BIP:
(pretty minor) The signature of the IncAggregate function is missing the second input parameter pm_aggd when called within Aggregate.
The BIP340 challenge in VerifyAggregate is inconsistent between the BIP and the hacspec implementation. The BIP uses pki, the 32 bytes public key, while the hacspec implementation uses the corresponding point Pi. I wasn't sure which one was the correct way, for now, I updated the BIP but maybe the hacspec implementation is supposed to be fixed instead. Since I was using the test vectors from the hacspec implementation to confirm my code was correct it was just more convenient to assume the hacspec code is correct.
I found two inconsistencies while reviewing/implementing the Halfagg BIP:
pm_aggdwhen called withinAggregate.VerifyAggregateis inconsistent between the BIP and the hacspec implementation. The BIP usespki, the 32 bytes public key, while the hacspec implementation uses the corresponding pointPi. I wasn't sure which one was the correct way, for now, I updated the BIP but maybe the hacspec implementation is supposed to be fixed instead. Since I was using the test vectors from the hacspec implementation to confirm my code was correct it was just more convenient to assume the hacspec code is correct.FWIW, my Python implementation can be found can be found here: https://github.com/fjahr/cisa-playground/blob/main/halfagg.py My main goal with this was to review the BIP so I tried to keep it as close to the BIP as possible.