diff options
| author | Pieter Wuille <pieter.wuille@gmail.com> | 2019-10-25 10:18:17 -0700 |
|---|---|---|
| committer | Pieter Wuille <pieter.wuille@gmail.com> | 2020-01-19 14:47:33 -0800 |
| commit | 83cebb5326b8fbebb39fb34f77a755b3a9dfe942 (patch) | |
| tree | 5ca7bb8a1b36e7e13f74928f30c514fe57f88dd8 | |
| parent | 1695f073d3c9f6f3ea838fd1356adbd036d30bdd (diff) | |
| download | bips-83cebb5326b8fbebb39fb34f77a755b3a9dfe942.tar.xz | |
Update bip-schnorr.mediawiki
Co-Authored-By: Tim Ruffing <tim@timruffing.de>
| -rw-r--r-- | bip-schnorr.mediawiki | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki index 44b2c84..f8d0f47 100644 --- a/bip-schnorr.mediawiki +++ b/bip-schnorr.mediawiki @@ -151,7 +151,7 @@ The algorithm ''Sign(sk, m)'' is defined as: It should be noted that various alternative signing algorithms can be used to produce equally valid signatures. The algorithm in the previous section will always produce the same signature for a given message and public key, but the ''k'' value (and hence ''R'') may be generated in other ways, producing a different, but still valid, signature (in other words, it is not a ''unique'' signature scheme). -'''Synthetic nonces''' When actual randomness is available, it can be appended to the input to ''hash<sub>BIPSchnorrDerive</sub>''s, after ''d'' and ''m''. This may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks]. +'''Synthetic nonces''' When a random number generator (RNG) is available, 32 bytes of RNG output can be appended to the input to ''hash<sub>BIPSchnorrDerive</sub>''. This will changes the corresponding line in the signing algorithm to ''k' = int(hash<sub>BIPSchnorrDerive</sub>(bytes(d) || m || get_32_bytes_from_rng())) mod n'', where ''get_32_bytes_from_rng()'' is the call the RNG. Adding RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks]. It is safe to add randomness from a low-quality randomness source, i.e., an RNG with low entropy. '''Nonce exfiltration protection''' It is possible to strengthen the nonce generation algorithm using a second device. In this case, the second device contributes randomness which the actual signer provably incorporates into its nonce. This prevents certain attacks where the signer device is compromised and intentionally tries to leak the private key through its nonce selection. |