[API BREAK] Use rfc6979 as default nonce-generation function #163

pull sipa wants to merge 3 commits into bitcoin-core:master from sipa:hashfp changing 8 files +566 −48
  1. sipa commented at 5:13 PM on December 13, 2014: contributor

    Builds on top of #162, but also provides a safe default when not specifying a nonce generation function explicitly.

    This means incorporation of a SHA256 / HMAC / RFC6979 implementation inside libsecp256k1. It's an increase of around 10 kilobytes of object size on x86_64, which I think is acceptable, despite it being likely code duplication (as callers already need to compute hashes too).
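    The derivation this PR turns into the default, shown as an added example rather than code from the PR or from libsecp256k1: a direct Python transcription of RFC 6979 section 3.2 (HMAC-SHA256 based), written generically over the curve order so it can be checked against the RFC's own P-256 test vector and then run for secp256k1. The constant names and function names are this example's own.

```python
import hashlib
import hmac

# Curve group orders (public constants); names chosen for this example
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: keep the leftmost qlen bits of b as a big-endian integer."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x

def rfc6979_nonce(q: int, x: int, h1: bytes, hash_func=hashlib.sha256) -> int:
    """Deterministic ECDSA nonce k per RFC 6979 section 3.2.
    q: group order, x: private key, h1: hash of the message being signed."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    hlen = hash_func().digest_size
    # int2octets(x) and bits2octets(h1): fixed-width big-endian encodings
    x_oct = x.to_bytes(rolen, "big")
    h1_oct = (_bits2int(h1, qlen) % q).to_bytes(rolen, "big")
    V = b"\x01" * hlen                       # step b
    K = b"\x00" * hlen                       # step c
    K = hmac.new(K, V + b"\x00" + x_oct + h1_oct, hash_func).digest()  # step d
    V = hmac.new(K, V, hash_func).digest()                              # step e
    K = hmac.new(K, V + b"\x01" + x_oct + h1_oct, hash_func).digest()  # step f
    V = hmac.new(K, V, hash_func).digest()                              # step g
    while True:                              # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hash_func).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range (vanishingly rare): refresh K, V and retry
        K = hmac.new(K, V + b"\x00", hash_func).digest()
        V = hmac.new(K, V, hash_func).digest()

def nonce_for_message(q: int, x: int, message: bytes, hash_func=hashlib.sha256) -> int:
    """Convenience wrapper: h1 = H(message), then the RFC 6979 derivation."""
    return rfc6979_nonce(q, x, hash_func(message).digest(), hash_func)

def secp256k1_nonce(privkey: int, message: bytes) -> int:
    """k for secp256k1 with h1 = SHA-256(message)."""
    return nonce_for_message(SECP256K1_N, privkey, message)
```

    The same (key, message) pair always yields the same k, which is the property that removes the nonce-reuse foot-gun the later comments refer to.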

  2. sipa force-pushed on Dec 13, 2014
  3. sipa commented at 5:35 PM on December 13, 2014: contributor

    Also, rfc6979 is painfully slow. It takes >50k CPU cycles to compute the nonce here, while the rest of the signing process takes around 180k cycles.

  4. sipa force-pushed on Dec 13, 2014
  5. aalness commented at 11:03 PM on December 13, 2014: none

    Compared the HMAC-SHA256 and RFC6979 implementations to those in Bitcoin Core. Didn't notice any flaws in the port. Also tested the SHA256 implementation and ran some crude benchmarks out of curiosity.

    I really like having this as the default. Much less foot-shooting-off potential.

  6. sipa force-pushed on Dec 18, 2014
  7. sipa force-pushed on Dec 18, 2014
  8. [API BREAK] Use a nonce-generation function instead of a nonce c6e7f4e8d8
  9. Implement SHA256 / HMAC-SHA256 / RFC6979. b37fbc280e
  10. Use rfc6979 as default nonce generation function bbd5ba7cfa
  11. sipa force-pushed on Dec 20, 2014
  12. sipa commented at 1:41 PM on December 20, 2014: contributor

    Rebased after #169.

  13. sipa commented at 1:50 AM on December 23, 2014: contributor

    @gmaxwell Opinion?

  14. gmaxwell commented at 5:47 AM on December 23, 2014: contributor

    (ut)ACK (will also test, but I don't see any reason to wait on merging it)

  15. sipa merged this on Dec 23, 2014
  16. sipa closed this on Dec 23, 2014

  17. sipa referenced this in commit b450c34843 on Dec 23, 2014
  18. Kagami cross-referenced this on Jan 20, 2015 from issue Use deterministicGenerateK from secp256k1 by Kagami
  19. Sajjon cross-referenced this on Mar 21, 2019 from issue Deterministic signatures RFC6979 by Sajjon
  20. longfin cross-referenced this on Aug 25, 2022 from issue Deterministic nonce on ECDSA signing by OnedgeLee

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 11:15 UTC
