summaryrefslogtreecommitdiff
path: root/bip-0340.mediawiki
diff options
context:
space:
mode:
authorTim Ruffing <crypto@timruffing.de>2020-08-04 18:57:16 +0200
committerGitHub <noreply@github.com>2020-08-04 18:57:16 +0200
commite98888322f039c78e073d73d3df0c521b1246fa6 (patch)
tree5ba713e3cf923c1fa954350f1264a7c77ac5fb16 /bip-0340.mediawiki
parente331aadf9212bada40ca624b51c623f3e624e268 (diff)
BIP340: Fix typo
Diffstat (limited to 'bip-0340.mediawiki')
-rw-r--r--bip-0340.mediawiki2
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki
index 835ad64..fe5ed4d 100644
--- a/bip-0340.mediawiki
+++ b/bip-0340.mediawiki
@@ -158,7 +158,7 @@ The algorithm ''Sign(sk, m)'' is defined as:
* Fail if ''d' = 0'' or ''d' &ge; n''
* Let ''P = d'⋅G''
* Let ''d = d' '' if ''has_even_y(P)'', otherwise let ''d = n - d' ''.
-* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''H<sub>BIP340/aux</sub>(a)''<ref>The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.</ref>.
+* Let ''t'' be the byte-wise xor of ''bytes(d)'' and ''hash<sub>BIP340/aux</sub>(a)''<ref>The auxiliary random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the private key itself. It is xored with the private key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.</ref>.
* Let ''rand = hash<sub>BIP340/nonce</sub>(t || bytes(P) || m)''<ref>Including the [https://moderncrypto.org/mail-archive/curves/2020/001012.html public key as input to the nonce hash] helps ensure the robustness of the signing algorithm by preventing leakage of the secret key if the calculation of the public key ''P'' is performed incorrectly or maliciously, for example if it is left to the caller for performance reasons.</ref>.
* Let ''k' = int(rand) mod n''<ref>Note that in general, taking a uniformly random 256-bit integer modulo the curve order will produce an unacceptably biased result. However, for the secp256k1 curve, the order is sufficiently close to ''2<sup>256</sup>'' that this bias is not observable (''1 - n / 2<sup>256</sup>'' is around ''1.27 * 2<sup>-128</sup>'').</ref>.
* Fail if ''k' = 0''.