path: root/bip-schnorr.mediawiki
Age | Commit message | Author
2020-01-19 | Update acknowledgements, remove authors | Pieter Wuille
2020-01-19 | Clarify nonce generation | Tim Ruffing
- Separate nonce generation into getting a random byte string and converting it to a suitable scalar ...
- ... to make clear that the byte string can be generated differently.
- Make the warning a little bit more prominent and improve writing
2020-01-19 | Update authors | Pieter Wuille
2020-01-19 | Update bip-schnorr.mediawiki | Pieter Wuille
Co-Authored-By: Tim Ruffing <crypto@timruffing.de>
2020-01-19 | Linearity makes sign-for-sum-of-keys easier, not possible entirely. | Pieter Wuille
I'm sure it's possible to construct a complex MPC that can sign for the sum of keys under ECDSA as well.
2020-01-19 | Update bip-schnorr.mediawiki | Tim Ruffing
2020-01-19 | Mention that we don't change the hash function | Tim Ruffing
2020-01-19 | Completely specified | Pieter Wuille
2020-01-19 | Low-S ECDSA is non-malleable under nonstandard assumptions | Pieter Wuille
2020-01-19 | Replace private key with secret key | Jonas Nick
2020-01-19 | Clarify why we don't want short hashes | Tim Ruffing
This is supposed to supersede https://github.com/sipa/bips/pull/158. I tried to say this carefully. I don't think that multiparty signing is in general broken with short hashes. For example the attack in #158 could be avoided by letting everybody not only commit to the nonce but also to the message. It's just that using a collision-resistant hash just eliminates the problem entirely...
2020-01-19 | Fix reference formatting | Hennadii Stepanov
2020-01-19 | Replace BIP66 link with BIP146 | Orfeas Stefanos Thyfronitis Litos
BIP66 does not mention the inherent ECDSA malleability, but BIP146 does
2020-01-19 | Link to proof sketch of security of implicit Y | Orfeas Stefanos Thyfronitis Litos
Thanks to @ajtowns for providing the link
2020-01-19 | Improve clarity of footnotes for lift_x | Jonas Nick
2020-01-19 | Replace references to Euler's criterion with Legendre symbol in bip-schnorr | Jonas Nick
2020-01-19 | Fix bip-schnorr footnote 7 by specifying that we're referring to P's y coordinate and not some undefined 'x' | Jonas Nick
2020-01-19 | Nits | Kalle Rosenbaum
2020-01-19 | Fix paragraph naming and typo | Hennadii Stepanov
2020-01-19 | Rephrase "previous design choice" to "list above" | Orfeas Stefanos Thyfronitis Litos
2020-01-19 | grammar typo fix: inserted "be" | stefanwouldgo
2020-01-19 | Add missing dots that denote multiplication | Dmitry Petukhov
Throughout the document, elliptic curve multiplication is denoted with dots, as in `d'⋅G` as opposed to `d'G`. This is not the case in one place in the 'Default Signing' section, and one place in 'Adaptor Signatures' section. Missing dots are added for consistency.
2020-01-19 | Add missing quote | Orfeas Stefanos Thyfronitis Litos
2020-01-19 | Fix typo in schnorr, footnote 2 | Orfeas Stefanos Thyfronitis Litos
2020-01-19 | G refers to secp256k1 base point rather than generator | Hennadii Stepanov
2020-01-19 | improve rationale for key prefixing | Tim Ruffing
2020-01-19 | Settle on notation: is_square(y), has_square_y(P) | Pieter Wuille
2020-01-19 | typos | Tim Ruffing
2020-01-19 | Update bip-schnorr.mediawiki | Pieter Wuille
Co-Authored-By: Tim Ruffing <tim@timruffing.de>
2020-01-19 | Update bip-schnorr.mediawiki | Pieter Wuille
Co-Authored-By: Tim Ruffing <tim@timruffing.de>
2020-01-19 | Elaborate on default and alternative signing | Pieter Wuille
2020-01-19 | Change reference for ECDSA proofs | Tim Ruffing
Refer to Manuel Fersch's dissertation for provable security of ECDSA. It's freely accessible and multiple results are put well in context.
2020-01-19 | More on key generation | Pieter Wuille
2020-01-19 | Clarify interaction x-only keys with verification | Pieter Wuille
2020-01-19 | Update bip-schnorr.mediawiki | Pieter Wuille
Co-Authored-By: Tim Ruffing <tim@timruffing.de>
2020-01-19 | Explain that MuSig needs key prefixing | Pieter Wuille
2020-01-19 | bip-schnorr: more on (e,s) | Tim Ruffing
2020-01-19 | bip-schnorr: more on provable security | Tim Ruffing
I'll try to get a link to the CCS paper that does not have a paywall...
2020-01-19 | Typo | Pieter Wuille
2020-01-19 | Drop other curve comment | Pieter Wuille
2020-01-19 | Prefix infinite with is_ | Pieter Wuille
2020-01-19 | Apply suggestions from code review | Pieter Wuille
Co-Authored-By: Tim Ruffing <tim@timruffing.de>
2020-01-19 | Formulate claims about BatchVerify more accurately | Pieter Wuille
2020-01-19 | Use is_square/is_positive and introduce algorithm names | Pieter Wuille
2020-01-19 | HTTPS links where possible | Pieter Wuille
2020-01-19 | Small fixes from review with real-or-random | Pieter Wuille
2020-01-19 | Link to Schnorr's paper instead of Wikipedia | Tim Ruffing
2020-01-19 | Standardize on secret key in bip-schnorr | Jonas Nick
2020-01-19 | Euler's Criterion prime only nit | Elichai Turkel
2020-01-19 | Mention SHA256 block size | Jonas Nick
Rebased by Pieter Wuille