Gregory Maxwell edited this page May 30, 2021 · 9 revisions

Removed a wall of [https://github.com/bitcoin/bips/wiki/Comments:BIP-0340/930bacddcd1c1494eefed084d2755e33366232a2#major-request-urgent-this-bip-should-be-canned misinformation], since it's being linked elsewhere while the comments below are being ignored. -- Greg Maxwell, 2021 May 30


The comments above appear to be misinformed. Nearly all ECDSA implementations today, including all the ones used in Bitcoin software that I know about, already use derandomized RFC6979 nonce generation for secp256k1. BIP340 too specifies such a nonce generation algorithm - one that is inspired by Ed25519's, in fact. It permits adding randomness as research has shown this improves resistance to certain fault & side-channel attacks, but the randomness is not critical for security (it is purely additive). Lastly, the entire nonce generation concern is an implementation aspect that's orthogonal to the signature scheme - it can be done well, or badly, either with ECDSA or Schnorr/BIP340. BIP340 chooses to specify it, in the hope that implementations adopt it as a best practice, but circumstances may call for alternative nonce generation algorithms too. -- Pieter Wuille, 2021 Mar 07.
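The "purely additive" property of the auxiliary randomness is easiest to see in the derivation itself: the nonce hashes the secret key and the message, and the aux bytes only get XORed into the key before hashing. The following is an added example, not the BIP's reference code or anything posted on this page: a minimal Python implementation of the BIP340 nonce derivation, using toy affine secp256k1 arithmetic only to obtain the public key, and checked against BIP340 test vector 0 (secret key 3, all-zero aux and message).

```python
import hashlib
# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def point_mul(k: int, pt):
    """Double-and-add scalar multiplication (teaching code, not constant time)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return r

def bip340_nonce(d: int, msg: bytes, aux: bytes = bytes(32)) -> int:
    """Nonce k for BIP340 signing of 32-byte msg under secret key d. All-zero aux
    gives a fully deterministic nonce; random aux adds entropy but never replaces d."""
    pk = point_mul(d, G)
    d_eff = d if pk[1] % 2 == 0 else N - d          # BIP340 uses the key whose pubkey has even y
    t = (d_eff ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    rand = tagged_hash("BIP0340/nonce", t + pk[0].to_bytes(32, "big") + msg)
    k = int.from_bytes(rand, "big") % N
    if k == 0:
        raise ValueError("nonce derivation failed (probability about 2^-256)")
    return k                                        # signing then negates k if k*G has odd y

def nonce_x(d: int, msg: bytes, aux: bytes = bytes(32)) -> int:
    """x-coordinate of R = k*G, which is the first 32 bytes of the BIP340 signature."""
    return point_mul(bip340_nonce(d, msg, aux), G)[0]
```

Running `nonce_x(3, bytes(32))` reproduces the R.x of the BIP's first test vector, while changing a single aux byte yields a different but equally well-formed nonce.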