Commit 2a9a70c

More on key generation
1 parent 0a45ecb commit 2a9a70c

1 file changed

+2
-3
lines changed

bip-schnorr.mediawiki

Lines changed: 2 additions & 3 deletions
@@ -125,10 +125,9 @@ The algorithm ''PubKey(sk)'' is defined as:
125125
* Fail if ''d = 0'' or ''d ≥ n''.
126126
* Return ''bytes(d⋅G)''.
127127
128-
Note that ''PubKey(sk) = PubKey(bytes(n - int(sk))'', so every public key has two corresponding private keys.
128+
Note that we use a very different public key format (32 bytes) than the ones used by existing systems (which typically use elliptic curve points as public keys, or 33-byte or 65-byte encodings of them). A side effect is that ''PubKey(sk) = PubKey(bytes(n - int(sk))'', so every public key has two corresponding private keys.
129129
130-
Alternatively, the public key can be created according to [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP32] which describes the derivation of 33-byte compressed public keys.
131-
In order to translate such public keys into bip-schnorr compatible keys, the first byte must be dropped.
130+
As an alternative to generating keys randomly, it is also possible and safe to repurpose existing key generation algorithms for ECDSA in a compatible way. The private keys constructed by such an algorithm can be used as ''sk'' directly. The public keys constructed by such an algorithm (assuming they use the 33-byte compressed encoding) need to be converted by dropping the first byte. Specifically, [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP32] and schemes built on top of it remain usable.
132131
133132
==== Signing ====
134133
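
Review bot: The formula carried into the new line 128, ''PubKey(sk) = PubKey(bytes(n - int(sk))'', still has unbalanced parentheses (three opened, two closed); since this line is being rewritten anyway, close it as ''PubKey(bytes(n - int(sk)))''. On the new line 130, "possible and safe" is asserted without a reason: it would help to state that dropping the first byte of a 33-byte compressed key discards the Y-parity prefix, which is the same reason the preceding paragraph gives two private keys per public key, so a reader can see why the private key from the existing algorithm still corresponds to the converted public key. The conversion is also specified only for the 33-byte compressed encoding, while the paragraph above mentions 65-byte encodings as well; either say how those are converted or state that they must be compressed first.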
