You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: bip-0340.mediawiki
+2-3Lines changed: 2 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -128,7 +128,6 @@ The following conventions are used, with constants as defined for [https://www.s
128
128
*** Fail if ''c ≠ y<sup>2</sup> mod p''.
129
129
*** Return the unique point ''P'' such that ''x(P) = x'' and ''y(P) = y'', or fail if no such point exists.
130
130
** The function ''lift_x_even_y(x)'', where ''x'' is an integer in range ''0..p-1'', returns the point ''P'' for which ''x(P) = x'' and ''has_even_y(P)'', or fails if no such point exists. If such a point does exist, it is always equal to either ''lift_x_square_y(x)'' or ''-lift_x_square_y(x)'', which suggests implementing it in terms of ''lift_x_square_y'', and optionally negating the result.
131
-
** The function ''extbytes(P)'', where ''P'' is a point, returns the compressed 33-byte encoding of P, that is ''0x02 || bytes(x(P))'' if ''has_even_y(P)'' or ''0x03 || bytes(x(P))'' otherwise.
132
131
** The function ''hash<sub>tag</sub>(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''.
133
132
134
133
==== Public Key Generation ====
@@ -155,8 +154,8 @@ The algorithm ''Sign(sk, m)'' is defined as:
155
154
* Let ''d' = int(sk)''
156
155
* Fail if ''d' = 0'' or ''d' ≥ n''
157
156
* Let ''P = d'⋅G''
158
-
* Let ''rand = hash<sub>BIP340/nonce</sub>(bytes(d') || extbytes(P) || m)''<ref>Including the [https://moderncrypto.org/mail-archive/curves/2020/001012.html public key as input to the nonce hash] helps ensure the robustness of the signing algorithm, preventing leakage of the secret key if the calculation of the public key ''P'' is performed incorrectly or maliciously, for example due to being left to the caller for performance reasons.</ref>.
159
157
* Let ''d = d' '' if ''has_even_y(P)'', otherwise let ''d = n - d' ''.
158
+
* Let ''rand = hash<sub>BIP340/nonce</sub>(bytes(d) || bytes(P) || m)''<ref>Including the [https://moderncrypto.org/mail-archive/curves/2020/001012.html public key as input to the nonce hash] helps ensure the robustness of the signing algorithm by preventing leakage of the secret key if the calculation of the public key ''P'' is performed incorrectly or maliciously, for example if it is left to the caller for performance reasons.</ref>.
160
159
* Let ''k' = int(rand) mod n''<ref>Note that in general, taking a uniformly random 256-bit integer modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2<sup>256</sup>'' that this bias is not observable (''1 - n / 2<sup>256</sup>'' is around ''1.27 * 2<sup>-128</sup>'').</ref>.
161
160
* Fail if ''k' = 0''.
162
161
* Let ''R = k'⋅G''.
@@ -177,7 +176,7 @@ It should be noted that various alternative signing algorithms can be used to pr
177
176
'''Multisignatures''' This signature scheme is compatible with various types of multisignature and threshold schemes such as [https://eprint.iacr.org/2018/068 MuSig], where a single public key requires holders of multiple secret keys to participate in signing (see Applications below).
178
177
'''It is important to note that multisignature signing schemes in general are insecure with the ''rand'' generation from the default signing algorithm above (or any other deterministic method).'''
179
178
180
-
'''Precomputed public key data''' For many uses the compressed 33-byte encoding of the public key may already be known, making it easy to evaluate ''extbytes(P)'', ''has_even_y(P)'' and ''bytes(P)''. As such, having signers supply this directly may be more efficient than calculating them from the secret key. However, if this optimization is used, signers must ensure the public key is correctly calculated and not taken from untrusted sources.
179
+
'''Precomputed public key data''' For many uses the compressed 33-byte encoding of the public key corresponding to the secret key may already be known, making it easy to evaluate ''has_even_y(P)'' and ''bytes(P)''. As such, having signers supply this directly may be more efficient than recalculating the public key from the secret key. However, if this optimization is used, signers must ensure the public key is correctly calculated and not taken from untrusted sources.
0 commit comments