Pieter Wuille

-0, I don't see why this can't be left to the author, given how rare it is.

@jonasnick I don't mean to imply that running with more than 1 iteration doesn't add anything; it clearly adds cases that aren't performed otherwise. I literally meant that I don't...

@apoelstra We've discussed this a bit IRL, and it seems to me there are just a whole lot of only vaguely-overlapping concerns: * The fact that the scratch space API...

Very concepty comment (after IRL discussion with @achow101 and @furszy) Since this code is effectively introducing an analogue of the existing `IsMine()` logic, it would be useful to add tests...

utACK 6a00ea17c136e67a66f3558dd2d02a07860b0afe

I don't think anything in the Bitcoin Core codebase actually needs the `std::shared_ptr` way of storing miniscript subnodes, and `std::unique_ptr` would suffice. The `std::shared_ptr`s were inherited from the miniscript codebase,...

Ideas: - Smaller G table for verification - Use 16-entry table with only the combinations of b0,b1,b2,b3 for G_(b0_1 + b1_2^64 + b2_2^128 + b3*2^192) (suggested by @gmaxwell as well),...

@elichai There really isn't any need for that. We have perfectly fine variable time and constant time algorithms. There is also no need to run without tables entirely; just make...

#1058 will support signing & key generation with a 2 KiB precomputed table.

They may guarantee wiping those bytes of memory. I don't think they can guarantee that the compiler didn't copy parts of that data to other places (like the stack).