diff options
author | Pieter Wuille <pieter.wuille@gmail.com> | 2020-08-04 10:05:35 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-04 10:05:35 -0700 |
commit | 05a03f2d6180ffc3168ba13651aa13d9d84c69b5 (patch) | |
tree | 5ba713e3cf923c1fa954350f1264a7c77ac5fb16 | |
parent | e331aadf9212bada40ca624b51c623f3e624e268 (diff) | |
parent | e98888322f039c78e073d73d3df0c521b1246fa6 (diff) |
Merge pull request #209 from real-or-random/patch-17
BIP340: Fix typo
-rw-r--r-- | bip-0340.mediawiki | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 835ad64..fe5ed4d 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -158,7 +158,7 @@ The algorithm ''Sign(sk, m)'' is defined as: * Fail if ''d' = 0'' or ''d' ≥ n'' * Let ''P = d'⋅G'' * Let ''d = d' '' if ''has_even_y(P)'', otherwise let ''d = n - d' ''. -* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''H<sub>BIP340/aux</sub>(a)''<ref>The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.</ref>. +* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''hash<sub>BIP340/aux</sub>(a)''<ref>The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.</ref>. * Let ''rand = hash<sub>BIP340/nonce</sub>(t || bytes(P) || m)''<ref>Including the [https://moderncrypto.org/mail-archive/curves/2020/001012.html public key as input to the nonce hash] helps ensure the robustness of the signing algorithm by preventing leakage of the secret key if the calculation of the public key ''P'' is performed incorrectly or maliciously, for example if it is left to the caller for performance reasons.</ref>. * Let ''k' = int(rand) mod n''<ref>Note that in general, taking a uniformly random 256-bit integer modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2<sup>256</sup>'' that this bias is not observable (''1 - n / 2<sup>256</sup>'' is around ''1.27 * 2<sup>-128</sup>'').</ref>. * Fail if ''k' = 0''. |