That is an interesting point. Does the same concern apply to anti nonce
covert channel protocols? In those, the host would mix in a random nonce
of its own. The process is still deterministic and can be checked during
signing, but unless the host persists the nonce contributions it
provides, one ca
Thanks for starting this initiative; it has been a long standing goal of
mine to implement and release this protocol. Your blog post on the topic
actually inspired me to pick up this work again a few months ago.
Jonas Nick has implemented the protocol in the secp256k1 library for
Schnorr sigs here