BIP-0340: note that adapting the spec to other curves is insecure

author: Jonas Nick <jonasd.nick@gmail.com> 2020-07-18 20:03:17 +0000
committer: Jonas Nick <jonasd.nick@gmail.com> 2020-07-21 18:44:46 +0000
commit: 7e9b4dd6200b8f612555a95a59ab5e1c757c593f (patch)
tree: 84df9c4684b8552927f7b8bfdf6bec0d2cf71115 /bip-0340.mediawiki
parent: 2611302d8362dad4e46dc6e29c5681a57d7b9b24 (diff)
download: bips-7e9b4dd6200b8f612555a95a59ab5e1c757c593f.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki
index 51ba90d..27e7c5a 100644
--- a/bip-0340.mediawiki
+++ b/bip-0340.mediawiki
@@ -99,7 +99,7 @@ This proposal suggests to include the tag by prefixing the hashed data with ''SH
 
 === Specification ===
 
-The following conventions are used, with constants as defined for [https://www.secg.org/sec2-v2.pdf secp256k1]:
+The following conventions are used, with constants as defined for [https://www.secg.org/sec2-v2.pdf secp256k1]. We note that adapting this specification to other elliptic curves is not straightforward and can result in an insecure scheme<ref>Among other pitfalls, using the specification with a curve whose order is not close to the size of the range of the nonce derivation function is insecure.</ref>.
 * Lowercase variables represent integers or byte arrays.
 ** The constant ''p'' refers to the field size, ''0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F''.
 ** The constant ''n'' refers to the curve order, ''0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141''.
author	Jonas Nick <jonasd.nick@gmail.com>	2020-07-18 20:03:17 +0000
committer	Jonas Nick <jonasd.nick@gmail.com>	2020-07-21 18:44:46 +0000
commit	7e9b4dd6200b8f612555a95a59ab5e1c757c593f (patch)
tree	84df9c4684b8552927f7b8bfdf6bec0d2cf71115 /bip-0340.mediawiki
parent	2611302d8362dad4e46dc6e29c5681a57d7b9b24 (diff)
download	bips-7e9b4dd6200b8f612555a95a59ab5e1c757c593f.tar.xz