Oddbean new post about | logout
benthecarman | 9 months ago (raw) | root | parent | reply | flag +1 
 I know you can, but basically every implementation today just generates a random nonce so you can't rely on them being able to do sigs with specific nonces.
waxwing | 9 months ago (raw) | root | parent | reply | flag 
 OK, that makes sense. Doesn't the libsecp API let you specify the additional randomness yourself though? I vaguely remember it does but i wouldn't be surprised if that's a bit fiddly.

A recollection from years ago, I remember gmax telling me he talked to Pornin quite a bit about the RFC6979 spec and that he thought it was unnecessarily complicated (difficult to disagree if you read it!) - the main concept is of course f(privkey, msg) where f acts as a PRNG. Vitalik implemented it wrong in pybitcointools (less of a 'burn' than it might sound, since the error didn't break anything except with negl. prob ... so it's more just an example of how complicated it was).