mirrors/bitcoin-bips
1
0
Fork 0
mirror of https://github.com/bitcoin/bips.git synced 2025-02-26 08:59:43 +01:00
Code Issues Projects Releases Wiki Activity

Drop other curve comment

Browse source
This commit is contained in:
Pieter Wuille 2019-10-15 12:26:21 -07:00
parent 8c0b29cc94
commit cdf7dd8cca
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
bip-schnorr.mediawiki
View file

@ -150,7 +150,7 @@ The algorithm ''Sign(sk, m)'' is defined as:
* Let ''e = int(hash<sub>BIPSchnorr</sub>(bytes(R) || bytes(P) || m)) mod n''.
* Return the signature ''bytes(R) || bytes((k + ed) mod n)''.
'''Above deterministic derivation of ''R'' is designed specifically for this signing algorithm and may not be secure when used in other signature schemes or for other curves.'''
'''Above deterministic derivation of ''R'' is designed specifically for this signing algorithm and may not be secure when used in other signature schemes.'''
For example, using the same derivation in the MuSig multi-signature scheme leaks the secret key (see the [https://eprint.iacr.org/2018/068 MuSig paper] for details).
Note that this is not a ''unique signature'' scheme: while this algorithm will always produce the same signature for a given message and public key, ''k'' (and hence ''R'') may be generated in other ways (such as by a CSPRNG) producing a different, but still valid, signature.