1
0
mirror of https://github.com/bitcoin/bips.git synced 2024-11-20 10:11:46 +01:00

Update bip-schnorr.mediawiki

Co-Authored-By: Tim Ruffing <tim@timruffing.de>
This commit is contained in:
Pieter Wuille 2019-10-25 10:18:17 -07:00 committed by GitHub
parent f95ac70606
commit 322ce53625
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -151,7 +151,7 @@ The algorithm ''Sign(sk, m)'' is defined as:
It should be noted that various alternative signing algorithms can be used to produce equally valid signatures. The algorithm in the previous section will always produce the same signature for a given message and public key, but the ''k'' value (and hence ''R'') may be generated in other ways, producing a different, but still valid, signature (in other words, it is not a ''unique'' signature scheme).
'''Synthetic nonces''' When actual randomness is available, it can be appended to the input to ''hash<sub>BIPSchnorrDerive</sub>''s, after ''d'' and ''m''. This may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks].
'''Synthetic nonces''' When a random number generator (RNG) is available, 32 bytes of RNG output can be appended to the input to ''hash<sub>BIPSchnorrDerive</sub>''. This will changes the corresponding line in the signing algorithm to ''k' = int(hash<sub>BIPSchnorrDerive</sub>(bytes(d) || m || get_32_bytes_from_rng())) mod n'', where ''get_32_bytes_from_rng()'' is the call the RNG. Adding RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks]. It is safe to add randomness from a low-quality randomness source, i.e., an RNG with low entropy.
'''Nonce exfiltration protection''' It is possible to strengthen the nonce generation algorithm using a second device. In this case, the second device contributes randomness which the actual signer provably incorporates into its nonce. This prevents certain attacks where the signer device is compromised and intentionally tries to leak the private key through its nonce selection.