Andrew Poelstra
@guidovranken one potential source of old versions might be the bundled copies of `libsecp256k1` in [rust-secp256k1](https://github.com/rust-bitcoin/rust-secp256k1/). These are in the directory `secp256k1-sys/depend/secp256k1`; the revision used is recorded in the file...
ISTR trying "a better" group law from EFD, many years ago, which turned out to be slower because of normalization even though it technically required fewer ops. May be worth...
What if we renamed the `_impl.h` files to `.c` and compiled them as independent units in CI? So both forms of compilation would be supported.
My intention was to do the bare minimum to test compiling the `_impl`s in CI. Agreed that we should not make it easy or natural for library users to do...
@sipa I am working on a Jacobi symbol function. It's slightly nontrivial (in particular I need a div_mod operator first). I lost all day today (and most of yesterday) to...
Very interesting. The recommendation in NIST SP800-56A / 5.7.1.2 seems dangerous, not only because it will give the same shared secret for ±scalar and ±point, but also because its output...
@ajtowns We don't have a concrete reason why discarding y is dangerous (and indeed maybe it's perfectly safe for all real applications). But the consequence "there are two public keys...
@ajtowns It's not just "one bit of protection", which would indeed be irrelevant. It's the difference between the map `point -> shared secret` being bijective or not, which is a...
Thanks for this! It's super helpful that all the recent context changes are now visible in the docs.
In particular, in rust-wasm it is very difficult to get randomness (there are definitely ways to get randomness in JS but for some reason these are not exposed in WASM...