@@ -135,6 +135,8 @@ ECDSA signatures use deterministic k, conforming to [RFC 6979](https://www.rfc-e
135135EdDSA conforms to [ RFC 8032] ( https://www.rfc-editor.org/rfc/rfc8032 ) .
136136Schnorr (secp256k1-only) conforms to [ BIP 340] ( https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki ) .
137137
138+ Messages are always hashed first.
139+
138140#### ristretto255, decaf448
139141
140142``` ts
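Review bot: "always" in the added line 138 ("Messages are always hashed first.") overstates the behavior, because the same README documents `prehash: false` further down, where the caller supplies an already-hashed value and the built-in hash is skipped. The sentence also sits directly under the ECDSA, EdDSA and Schnorr conformance lines without saying which of them it covers. Suggest wording such as "Messages are hashed first by default" with a pointer to the `prehash` option, and naming the schemes it applies to.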
@@ -160,12 +162,10 @@ const sig = secp256k1.sign(msg, secretKey);
160162const sigKeccak = secp256k1 .sign (keccak256 (msg), secretKey, { prehash: false });
161163```
162164
163- ECDSA ` sign() ` allows providing ` prehash: false ` , which enables using custom hashes.
165+ Default sign() and verify() behavior (` prehash: true ` ) applies built-in hash function to message first.
166+ For secp256k1 that's sha256, for p521 that's sha512.
164167
165- A ECDSA signature is not just "math over elliptic curve points".
166- It's actually math + hashing: p256 is in fact p256 point + sha256 hash.
167- By default, we hash messages. To use custom hash methods,
168- make sure to disable prehashing.
168+ Providing ` prehash: false ` allows user to specify their own hash function (e.g. use secp256k1 + keccak256).
169169
170170> [ !NOTE]
171171> Previously, in noble-curves v1, ` prehash: false ` was the default.
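Review bot: the replacement text at line 168 drops the instruction from the removed lines ("To use custom hash methods, make sure to disable prehashing") and no longer says that, with `prehash: false`, the caller must pass the digest rather than the raw message, as the `keccak256(msg)` example above does. Line 165 states the default applies to both sign() and verify(), so it would help to say explicitly that verify() needs the same `prehash: false` and the same digest, otherwise the default hash is applied to it again on verification. Line 166 names the hash for secp256k1 and p521 only; either list the remaining curves or point to where the mapping is defined. Minor: `sign()` and `verify()` lost the code formatting the removed line 163 had.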
@@ -188,8 +188,12 @@ const sigNoRec = secp256k1.sign(msg, secretKey, { format: 'compact' });
188188const sigInstance = secp256k1 .Signature .fromBytes (sigRec, ' recovered' );
189189```
190190
191+ Public key recovery - only supported with ECDSA.
192+
191193> [ !NOTE]
192- > Only ECDSA supports public key recovery.
194+ > Key recovery is a simple math operation.
195+ > There are no guarantees the signing was actually done.
196+ > It's always possible to forge signatures which would recover into specific public key.
193197
194198#### Hedged ECDSA with noise
195199
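Review bot: the new note at lines 194-196 tells the reader that recovery gives "no guarantees the signing was actually done" but stops short of saying what to do about it. Suggest adding the consequence in one sentence, for example that a recovered key should be compared against an expected public key before it is trusted, and stating the conditions under which the forgery in line 196 applies, since as written it can be read as ECDSA signatures being forgeable in general. Line 191 is a sentence fragment ("Public key recovery - only supported with ECDSA."), and line 196 reads better as "recover to a specific public key".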