1/ I published a public comment for BIP340 a few months ago on the official Bitcoin GitHub

After publishing said comment, it was later removed (censored) by Gregory Maxwell (@Blockstream CTO "formerly"; listed as a co-founder of @Blockstream as well).

github.com/bitcoin/bips/b…

2/ To start off, what Gregory Maxwell wrote is a demonstrable lie - full stop.

You can view my original comment here - github.com/bitcoin/bips/w…

As screenshots, what I wrote was comprehensive, to the point + included numerous references to published (peer-reviewed)

3/ Before getting into all of that, let me address Gregory Maxwell's claim that my comment was "linked elsewhere while the comments below are ignored"; this is actually false.

4/ On May 22nd, 2021 (more than a week before Maxwell's false update), I updated my public Telegram channel to inform everyone of my comment and *included* Peter Wiulle's response to my comment as well.

5/ Additionally, Peter Wiulle conceded *numerous* points I made above in his response (read it closely).

Additionally though - Wiulle is *100% wrong in many of his responses here*; I'll go through those briefly.

7/ Elliptic curve coord. pairings (x, y) are co-factors plotted over a finite field; 'x' (private key) has a direct relationship to 'y' (pubkey)

The 'order' (n) = lowest prime order cyclic subgroup ; this is the order of the curve base point ('G')

8/ Given the above, for signatures we can create a proof via taking a random value (k), multiplying it by the curve base point (G) to arrive at a diff 'y' (R) on the elliptic curve [R=kG]; thus the corresponding priv. key is R*x, where x = private key

9/ From this point you can create a proof that says

's' = k^(-1) * (h + r*x)(modulo 'n')
‘s’ is determined by the [inverse of ‘k’] multiplied by [hash of the message output when XOR’d with ‘r*x’] which is modulo'd with 'n' ; 'n' = lowest prime order of cyclic subgroup

11/ In that thread, I cite the name of the study, "Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies"

Curiously, the researchers documented conversations they had *directly* with Gregory Maxwell about this issue.

13/ The researchers make it clear *in the Abstract*, "If this nonce is not generated uniformly at random, an attacker can potentially exploit this bias to compute the long-term signing key."

eprint.iacr.org/2019/023.pdf

14a/ The researchers explicitly state they reached out to Greg Maxwell about these nuances in secp256k1 nonce generation on the blockchain (and they record his response noting an out-of-bound, 'SHA1' hash is used to "sweep 'dust' transactions" <-- is this even documented?

15/ The researchers note the fact Bitcoin switched to "deterministic nonces" back in 2015/2016; however as we can see in the study's excerpt attached to this tweet - that did not mitigate this problem entirely (by any means)

16/ Revisiting RFC 6979 is critical here, bc the nonce is *supposed* to be deterministic now for Bitcoin (this change was made in '15), last pic is most relevant - "performing a simple modular reduction would induce biases that would be detrimental to signature security."

16a/ Knowing that's true, I wonder if that's what is causing the leakage of nonce values - bc the full signature proof is: k^-1 * (h + r * privKey)(mod 'n') ; 'n' = prime curve order

16b/ Looking to verify signature; you'll notice that the random point used during signing is supposed to be recoverable to check the proof ; however doing so requires deriving the modulo inverse of 's'...

16c/ IF one were to use the regular formula (k^-1 rep. the modulo by 'n' ; n = lowest prime order of the curve), then you end up with 'k' outright. 'k' in rfc6979 = h+privKey

The attached screenshot is from libsecp256k1 ; I wonder if this spec. (mandating mod.) is the culprit