Jonas Nick
> But is there a reason why we can't simply invoke the Schwartz–Zippel lemma? I think we can. Initially I thought that the Schwartz-Zippel Lemma as stated on wikipedia required...
@sipa if you have no objections or concerns, I'd open a PR to the main BIP repo.
> `H(priv || pub || msg || randomness])`. All the secret data goes into the first compression, and all attacker-controlled data goes into the second compression, so I think the...
This synthetic nonce idea added to the WIP reference code update PR: https://github.com/sipa/bips/pull/196/commits/f84cd7740978608b9901a84fc11da407bd947f0c
> H(rand||privkey||pubkey||msg) (the second block contains both private and attacker-controlled data). Doesn't the second block consist of `` ?
> I'm not sure, but I wouldn't be surprised if hashing privkey isn't already attackable even without a pubkey in there (guess certain bits, know what tweak was added, compute...
> I have not seen an argument yet for why 32 bytes is significantly better than 23. The argument in this thread is that with 23 bytes you'll have 9...
> wouldn't then H(priv||rand32||pub||msg) also be a problem because then the second compression has a secret input (the midstate) and an attacker-controlled input (pub and msg)? The attacks discussed in...
> if the pubkey is under attacker control (through grinding the tweak), it's never exposed to the private key directly. Isn't it still a problem that they're masked by the...