Neat. Some minor notes as an outsider who just spent an hour implementing and playing with this:
-In several places you have things like "Let k = int(hash(bytes(d) || m)) mod n", but reference code says things like "e = sha256(R[0].to_bytes(32, byteorder="big") + bytes_point(point_mul(G, seckey)) + msg)", no modulo. Confusing. -x is not defined in "The signature is *bytes(x(R)) || bytes(k + ex mod n)*", apparently it's the private key. -jacobi function is great at exposing bugs in divmod implementations, due to the full 256 bit exponent. Add a line about it being something to watch for? -"bytes" notation is defined as "turn to bytes" for an integer, but the same for a point is "take X with prefix and turn to bytes". Confusing, might be a good idea to name it differently? -Finally, it would have been nice to have a larger set of test vectors in a JSON or CSV file, covering all the edge cases. Artem
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
