From 7e9b4dd6200b8f612555a95a59ab5e1c757c593f Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 18 Jul 2020 20:03:17 +0000 Subject: BIP-0340: note that adapting the spec to other curves is insecure --- bip-0340.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'bip-0340.mediawiki') diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 51ba90d..27e7c5a 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -99,7 +99,7 @@ This proposal suggests to include the tag by prefixing the hashed data with ''SH === Specification === -The following conventions are used, with constants as defined for [https://www.secg.org/sec2-v2.pdf secp256k1]: +The following conventions are used, with constants as defined for [https://www.secg.org/sec2-v2.pdf secp256k1]. We note that adapting this specification to other elliptic curves is not straightforward and can result in an insecure schemeAmong other pitfalls, using the specification with a curve whose order is not close to the size of the range of the nonce derivation function is insecure.. * Lowercase variables represent integers or byte arrays. ** The constant ''p'' refers to the field size, ''0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F''. ** The constant ''n'' refers to the curve order, ''0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141''. -- cgit v1.2.3
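Review bot: the added sentence in the "=== Specification ===" hunk says a curve order "not close to the size of the range of the nonce derivation function" is insecure, but it neither says how close is close enough nor names what breaks. A reader porting the spec gets a warning with no criterion to check against. Suggest stating the consequence in a few words (the nonce, once reduced modulo the order, is no longer close to uniform) and pointing to the place in the spec where the nonce derivation and its output range are defined, since neither is introduced before this paragraph. Also, as the added line appears here, "insecure schemeAmong other pitfalls" runs together and the sentence ends in ".."; if the second sentence is meant as a footnote, please confirm that the markup renders it as one and that the main sentence keeps a single closing period.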