Skip to content

Comments:BIP 0340

Jump to bottom Edit New page
Martin Zumsande edited this page Aug 26, 2022 · 8 revisions

Removed a wall of misinformation, since it's being linked elsewhere while the comments below are being ignored. -- Greg Maxwell, 2021 May 30

The comments above appear to be misinformed. Nearly all ECDSA implementations today, including all the ones used in Bitcoin software that I know about, already use derandomized RFC6979 nonce generation for secp256k1. BIP340 too specifies such a nonce generation algorithm - one that is inspired by Ed25519's in fact. It permits adding randomness as research has shown this improves resistance to certain fault & side-channel attacks, but the randomness is not critical for security (it is purely additive). Lastly, the entire nonce generation concern is an implementation aspect that's orthogonal for the signature scheme - it can be done well, or badly, either with ECDSA or Schnorr/BIP340. BIP340 chooses to specify it, in the hope that implementations adopt it as a best practice, but circumstances may call for alternative nonce generation algorithms too. -- Pieter Wuille, 2021 Mar 07.

(xpub)[xpub6DUDkMuqNHfWyAQS5mCPdLYtv5BNPCdaqDZqDLHTvacY5DgCTtSRySEkTnPFagNpcqZKhnTwWiYsVgEnXsRT2NbaDsmw1smEZTJ3PWtP1aR]

Add a custom sidebar
Clone this wiki locally