That is an interesting point. Does the same concern apply to anti nonce covert channel protocols? In those, the host would mix in a random nonce of its own. The process is still deterministic and can be checked during signing, but unless the host persists the nonce contributions it provides, one can't check how the nonce was computed for past signatures. I am unsure how desirable this property would be in practice, though. I am guessing not that desirable, but it would be good to hear other opinions.
See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-February/017655.html and https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-February/017663.html

Best,
Marko