Non interactive anti-exfil

anti-exfil-nonce-generation.md

Signing protocol:

x: private key
X: public key
m: message to sign
n: nonce extra

1. signing device

q = hash(x|m|n)
Q = q·G
k = q + hash(Q|m|n)
R = k·G
e = hash(R|X|m)

s = k + x·e

2. return to wallet app

Q, s

3. wallet app calculates

R = Q + hash(Q|m|n)·G
R, s

4. verify

e = hash(R|X|m)

s·G ?= R + e·X