-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add extra API for offline/online phases in ECDSA signing #1610
Comments
Indeed, and this is the drawback of this. It's a major footgun, and I'm sure this is the reason why it's currently implemented this way. Personally, I'm a bit on the fence. We're about to add a MuSig2 module, which is also prone to nonce-reuse failures -- but in that case, it is unavoidable to split nonce generation and the actual signing into two separate steps. In the end, I don't think I'm against giving users advanced and dangerous features, but they should be clearly marked as such. I'd love to hear your use case and scenario here. Noone has asked for this before, and I doubt many users will benefit. (And anyway, ECDSA can be considered somewhat deprecated in Bitcoin, but okay, the same could be done for Schnorr signing). Do you personally need/want this, or is this is just a suggestion for improvement? It would be interesting to know what other contributors and maintainers think. |
We'd love to split the ECDSA signing operation into two steps:
The advantage here is that the offline step can be precomputed arbitrarily early and do "most of the computational work". This is very useful for signers that have a lot of idle time before the signing request comes in, but little time to compute and return the signature. For example, hardware wallets.
In ECDSA, the offline step can essentially compute nonce generation + scalar multiplication + nonce modular inversion. These values ("precomputed material") are input to the online part. The online part just finishes the ECDSA computation. The online part is extremely fast (we're seeing around 5000x faster than the offline phase in a non-libsecp256k1 proof-of-concept).
The precomputed material is secret, can only be used once and needs to be wiped after usage.
API-wise this would probably mean adding two functions:
secp256k1_ecdsa_sign_split_phase_precompute()
secp256k1_ecdsa_sign_split_phase_online()
The composition of the two functions compute
secp256k1_ecdsa_sign()
. The input/output behavior does not change.Is there any appetite for this? Happy to write the code for this.
The text was updated successfully, but these errors were encountered: