author: Pieter Wuille <pieter.wuille@gmail.com> 2020-08-04 10:05:35 -0700
committer: GitHub <noreply@github.com> 2020-08-04 10:05:35 -0700
commit: 05a03f2d6180ffc3168ba13651aa13d9d84c69b5 (patch)
tree: 5ba713e3cf923c1fa954350f1264a7c77ac5fb16
parent: e331aadf9212bada40ca624b51c623f3e624e268 (diff)
parent: e98888322f039c78e073d73d3df0c521b1246fa6 (diff)
Merge pull request #209 from real-or-random/patch-17
BIP340: Fix typo
-rw-r--r-- bip-0340.mediawiki | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki
index 835ad64..fe5ed4d 100644
--- a/bip-0340.mediawiki
+++ b/bip-0340.mediawiki
@@ -158,7 +158,7 @@ The algorithm ''Sign(sk, m)'' is defined as:
* Fail if ''d' = 0'' or ''d' &ge; n''
* Let ''P = d'⋅G''
* Let ''d = d' '' if ''has_even_y(P)'', otherwise let ''d = n - d' ''.
-* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''H<sub>BIP340/aux</sub>(a)''<ref>The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.</ref>.
+* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''hash<sub>BIP340/aux</sub>(a)''<ref>The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.</ref>.
* Let ''rand = hash<sub>BIP340/nonce</sub>(t || bytes(P) || m)''<ref>Including the [https://moderncrypto.org/mail-archive/curves/2020/001012.html public key as input to the nonce hash] helps ensure the robustness of the signing algorithm by preventing leakage of the secret key if the calculation of the public key ''P'' is performed incorrectly or maliciously, for example if it is left to the caller for performance reasons.</ref>.
* Let ''k' = int(rand) mod n''<ref>Note that in general, taking a uniformly random 256-bit integer modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2<sup>256</sup>'' that this bias is not observable (''1 - n / 2<sup>256</sup>'' is around ''1.27 * 2<sup>-128</sup>'').</ref>.
* Fail if ''k' = 0''.
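Review bot: the commit message "BIP340: Fix typo" should say what the typo was, since the one-line change on the xor step renames ''H<sub>BIP340/aux</sub>'' to ''hash<sub>BIP340/aux</sub>'' and a reader of the log cannot tell from the title that this is a notation fix rather than a change to the signing algorithm; something like "BIP340: use hash<sub>BIP340/aux</sub> consistently in Sign" would do. The rename itself is correct: the context line directly below already writes the nonce derivation as ''hash<sub>BIP340/nonce</sub>(t || bytes(P) || m)'', so the aux hash now follows the same ''hash<sub>tag</sub>'' convention, and the footnote text is unchanged. Worth a quick grep of the rest of the file for any remaining ''H<sub>...</sub>'' spelling before merging, since only this hunk is visible here.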