Skip to content
Greg Tonoski edited this page Oct 25, 2024 · 9 revisions

Removed a wall of misinformation, since it's being linked elsewhere while the comments below are being ignored. -- Greg Maxwell, 2021 May 30


The comments above appear to be misinformed. Nearly all ECDSA implementations today, including all the ones used in Bitcoin software that I know about, already use derandomized RFC6979 nonce generation for secp256k1. BIP340 too specifies such a nonce generation algorithm - one that is inspired by Ed25519's in fact. It permits adding randomness as research has shown this improves resistance to certain fault & side-channel attacks, but the randomness is not critical for security (it is purely additive). Lastly, the entire nonce generation concern is an implementation aspect that's orthogonal for the signature scheme - it can be done well, or badly, either with ECDSA or Schnorr/BIP340. BIP340 chooses to specify it, in the hope that implementations adopt it as a best practice, but circumstances may call for alternative nonce generation algorithms too. -- Pieter Wuille, 2021 Mar 07.

2024-Oct-25 minor comment: "byte" is used in the specification without definition and the one from C does not suit well in this context. I would suggest either defining bytes as consecutive groups of 8 bits or not using it at all (e.g. 512 bits instead of "64-byte[s]") for clarity.