Author: Lloyd Fournier 2020-02-27 04:55:21
Published on: 2020-02-27T04:55:21+00:00
The bitcoin-dev mailing list has been active in discussing BIP 340-342, with some small changes to the semantical content being suggested. The Y coordinate of 32-byte public keys is changed from implicitly square to implicitly even, which simplifies integration with existing key generation infrastructure and makes signing slightly faster, though verification becomes negligibly slower. The internal R point in the signature remains implicitly square for validation performance gains, but for public keys, evenness matters more for integration with existing infrastructure. Non-deterministic signatures are preferable in many cases, and the update elaborates on the inclusion of signing-time randomness to protect against fault injection attacks. The update also recommends including the public key in the nonce generation to mitigate the risk of trivial leakage of private keys and uses a different method of mixing in the randomness to protect against differential power analysis. The tags used in the tagged hashes in BIP 340 have also been changed to ensure consistent failure of code written for earlier BIP texts. It is suggested that nonce exfiltration protection and MuSig standards would be important for compatibility across wallets.
Updated on: 2023-06-13T23:40:20.457458+00:00