In ECDSA, we use RFC6979 to use a deterministic nonce based on the private key and message; this prevents accidental reuse of the nonce value.
It seems these conventions have not been specified in Schnorr. We probably need an RFC or BIP on ensuring deterministic nonces in Schnorr too to ensure that wallet or library implementers do not get this wrong.
Biased nonces can lead to complete private key compromise! https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi.pdf