[bitcoindev] [BIP Proposal] Informational BIP on Low-R Signature Grinding

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

* [bitcoindev] [BIP Proposal] Informational BIP on Low-R Signature Grinding
@ 2026-06-09  7:02 Sean Gilligan
  2026-06-09 20:48 ` Murch
  0 siblings, 1 reply; 3+ messages in thread
From: Sean Gilligan @ 2026-06-09  7:02 UTC (permalink / raw)
  To: bitcoindev

Hi Everyone,

I would like to propose a new informational BIP to formally document the 
Low-R signature algorithm used by Bitcoin Core and many other wallets.

It was implemented in 2018 in Bitcoin Core by PR 1366 [0]. The Low-r 
grinding page on Bitcoin Optech [1] references several other 
implementations.

While working on secp256k1-jdk [2] (a new wrapper for secp256k1 for 
Java/JDK/JVM-languages) we ended up looking at the C++ implementation 
for reference and at rust-secp256k1 for a test vector. Since all wallets 
should implement the algorithm identically (for privacy reasons) it 
would be helpful to have the behavior clearly documented in an 
informational BIP.

I have spoken with a handful of developers who think having a BIP would 
be a good idea and it was suggested on PR 13666.

It should be short and relatively simple and also have a nice collection 
of test vectors.

What do people think? Any suggestions on what should be included or 
pointers to test vectors?

Thanks,

Sean

[0] https://github.com/bitcoin/bitcoin/pull/13666
[1] https://bitcoinops.org/en/topics/low-r-grinding/
[2] https://github.com/bitcoinj/secp256k1-jdk

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/44b6bccc-c34f-491c-9f8f-fac5045290de%40msgilligan.com.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bitcoindev] [BIP Proposal] Informational BIP on Low-R Signature Grinding
  2026-06-09  7:02 [bitcoindev] [BIP Proposal] Informational BIP on Low-R Signature Grinding Sean Gilligan
@ 2026-06-09 20:48 ` Murch
  2026-06-09 23:12   ` Sean Gilligan
  0 siblings, 1 reply; 3+ messages in thread
From: Murch @ 2026-06-09 20:48 UTC (permalink / raw)
  To: bitcoindev

Hi Sean,

Thanks for proposing this idea. It would be splendid if someone were to 
write up the best practices for low-r signature grinding. You don’t need 
to worry about test vectors too much in advance, they are only required 
for advancing a BIP to the Complete status, so if people have more 
suggestions, those could also added to the document after the PR is open 
or even after it has been published in Draft.

Cheers,
Murch

On 2026-06-09 00:02, Sean Gilligan wrote:
> Hi Everyone,
>
> I would like to propose a new informational BIP to formally document 
> the Low-R signature algorithm used by Bitcoin Core and many other 
> wallets.
>
> It was implemented in 2018 in Bitcoin Core by PR 1366 [0]. The Low-r 
> grinding page on Bitcoin Optech [1] references several other 
> implementations.
>
> While working on secp256k1-jdk [2] (a new wrapper for secp256k1 for 
> Java/JDK/JVM-languages) we ended up looking at the C++ implementation 
> for reference and at rust-secp256k1 for a test vector. Since all 
> wallets should implement the algorithm identically (for privacy 
> reasons) it would be helpful to have the behavior clearly documented 
> in an informational BIP.
>
> I have spoken with a handful of developers who think having a BIP 
> would be a good idea and it was suggested on PR 13666.
>
> It should be short and relatively simple and also have a nice 
> collection of test vectors.
>
> What do people think? Any suggestions on what should be included or 
> pointers to test vectors?
>
> Thanks,
>
> Sean
>
> [0] https://github.com/bitcoin/bitcoin/pull/13666
> [1] https://bitcoinops.org/en/topics/low-r-grinding/
> [2] https://github.com/bitcoinj/secp256k1-jdk
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/40918d93-092c-451a-96e1-03f363ac3720%40murch.one.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bitcoindev] [BIP Proposal] Informational BIP on Low-R Signature Grinding
  2026-06-09 20:48 ` Murch
@ 2026-06-09 23:12   ` Sean Gilligan
  0 siblings, 0 replies; 3+ messages in thread
From: Sean Gilligan @ 2026-06-09 23:12 UTC (permalink / raw)
  To: Murch, bitcoindev

Thanks Murch!

We will start work on a Draft. Worrying about the test vectors later 
sounds like a great idea. They are important and probably the hardest 
part of the effort, but aren't necessary for a draft.

As recommended in BIP 3, we'll create a PR against our fork of the BIPs 
repo and report back when we have made some progress.

Regards,

Sean


On 6/9/26 1:48 PM, Murch wrote:
> Hi Sean,
>
> Thanks for proposing this idea. It would be splendid if someone were 
> to write up the best practices for low-r signature grinding. You don’t 
> need to worry about test vectors too much in advance, they are only 
> required for advancing a BIP to the Complete status, so if people have 
> more suggestions, those could also added to the document after the PR 
> is open or even after it has been published in Draft.
>
> Cheers,
> Murch
>
> On 2026-06-09 00:02, Sean Gilligan wrote:
>> Hi Everyone,
>>
>> I would like to propose a new informational BIP to formally document 
>> the Low-R signature algorithm used by Bitcoin Core and many other 
>> wallets.
>>
>> It was implemented in 2018 in Bitcoin Core by PR 1366 [0]. The Low-r 
>> grinding page on Bitcoin Optech [1] references several other 
>> implementations.
>>
>> While working on secp256k1-jdk [2] (a new wrapper for secp256k1 for 
>> Java/JDK/JVM-languages) we ended up looking at the C++ implementation 
>> for reference and at rust-secp256k1 for a test vector. Since all 
>> wallets should implement the algorithm identically (for privacy 
>> reasons) it would be helpful to have the behavior clearly documented 
>> in an informational BIP.
>>
>> I have spoken with a handful of developers who think having a BIP 
>> would be a good idea and it was suggested on PR 13666.
>>
>> It should be short and relatively simple and also have a nice 
>> collection of test vectors.
>>
>> What do people think? Any suggestions on what should be included or 
>> pointers to test vectors?
>>
>> Thanks,
>>
>> Sean
>>
>> [0] https://github.com/bitcoin/bitcoin/pull/13666
>> [1] https://bitcoinops.org/en/topics/low-r-grinding/
>> [2] https://github.com/bitcoinj/secp256k1-jdk
>>
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/d44d4a53-4895-4f0a-8411-ca7627c2324b%40msgilligan.com.


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-09 23:14 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09  7:02 [bitcoindev] [BIP Proposal] Informational BIP on Low-R Signature Grinding Sean Gilligan
2026-06-09 20:48 ` Murch
2026-06-09 23:12   ` Sean Gilligan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox