diff options
| author | Pieter Wuille <pieter.wuille@gmail.com> | 2019-10-15 12:26:21 -0700 |
|---|---|---|
| committer | Pieter Wuille <pieter.wuille@gmail.com> | 2020-01-19 14:47:33 -0800 |
| commit | 96a199ac8c6a457723ec37534c0db673e20716ee (patch) | |
| tree | 242b37275e4b56c6d162fe4e31310f25f0b26fae | |
| parent | 281df660b95de712a846cb3462cccb131073bc45 (diff) | |
| download | bips-96a199ac8c6a457723ec37534c0db673e20716ee.tar.xz | |
Drop other curve comment
| -rw-r--r-- | bip-schnorr.mediawiki | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki index dbc474b..5dd5305 100644 --- a/bip-schnorr.mediawiki +++ b/bip-schnorr.mediawiki @@ -150,7 +150,7 @@ The algorithm ''Sign(sk, m)'' is defined as: * Let ''e = int(hash<sub>BIPSchnorr</sub>(bytes(R) || bytes(P) || m)) mod n''. * Return the signature ''bytes(R) || bytes((k + ed) mod n)''. -'''Above deterministic derivation of ''R'' is designed specifically for this signing algorithm and may not be secure when used in other signature schemes or for other curves.''' +'''Above deterministic derivation of ''R'' is designed specifically for this signing algorithm and may not be secure when used in other signature schemes.''' For example, using the same derivation in the MuSig multi-signature scheme leaks the secret key (see the [https://eprint.iacr.org/2018/068 MuSig paper] for details). Note that this is not a ''unique signature'' scheme: while this algorithm will always produce the same signature for a given message and public key, ''k'' (and hence ''R'') may be generated in other ways (such as by a CSPRNG) producing a different, but still valid, signature. |