Open maaku opened 5 years ago
Renamed issue as it has become apparent this is something we should do.
The Ed25519 scheme is described on page 8 of this document:
Upon reflection, this really shouldn’t be a release blocker for 0.10. It doesn’t matter too much if older clients use the inefficient scheme. It is rather unlikely that anyone would need to go back and make proofs for signatures produced by older clients. We should put a note in the code that the scheme deployed now is depreciated, however, then we can remove the project tag for rebasing to 0.10. (While we’re at it, make the same note for BIP32 key derivation.)
Notes made. Removing project tag.
v11 released without this; bumping to v13 which is the first release that uses BIP32 keys in any visible way.
Oops. v13 was released already. Bumping to v14.
The deterministic signing code for Bitcoin Core uses RFC 6979, which is an internet standard for deterministic nonce selection. It is however an excessively conservative algorithm with an unnecessary number of hashing steps, due to the author's decision to rely on existing approved primitives rather than optimize for speed:
However in our use case where it would be useful to report a zero-knowledge proof that the algorithm was followed in the construction of a signature, e.g. to prove a hardware signer is not compromised, we want this algorithm to be as simple as possible to express in an arithmetic circuit. A straight hash should work, as is done by Ed25519.