Gregory Maxwell

Results 135 comments of Gregory Maxwell

For the scalar update even just having two random 256 bit (scalar,point) pairs stored in the context and randomly choosing one to add to the running scalar blinding with each...

Right. Even a single attacker unknown random increment should break most attacks, but a choice of two can be done for the runtime cost of a single additional CMOV and...

> Do we want to split signing/verification contexts entirely? One problem for that is functions which need both kinds of context (I don't think there are in secp256k1, but IIRC...

Oh, that is super nice! One bit is what I really wanted, and one bit is what you provided.

I realized that the specifics in the suggestion I gave above are a little broken, it shouldn't just add one constant or another constant, it should add one constant or...

Convince bitcoin to drop the use of recovery, then it can just be removed.

apolestra was working on a Legendre symbol implementation for the library. I'd be in favor of adopting a construction as standard that used X only and the signs of the...

@peterdettman one could sort the pubkeys but alas, that doesn't always work. I don't know ultimately but we should try to think it through. In general we've tried to avoid...

@ajtowns "x-only" is mostly orthogonal with your ask there-- x-only in the sense of this pull is performing the computation from a 'compressed' point without the sqrt needed to recover...

The issue is that it creates a malleable result, where two different points result in the same shared secret. This general shape of issue is known to produce security vulnerabilities...