Schnorr signature nonces


#1

I was reading Least Authority’s audit report, and saw (in Suggestion 1) that the Schnorr signatures had been switched to using HKDF to generate nonces, rather than the method in RFC 6979. This concerned me a little because Schnorr, like ECDSA, requires nonces that are very close to uniform on the scalar range. Digging into the code a bit more, though, it appears to use rejection sampling which would be fine. However I can’t be sure of this (the code is split between several files and relies on inheritance), so I added this comment. I didn’t want that to be overlooked because it’s a comment on a closed PR, so I’m posting here as well.
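As an added illustration of the concern raised above (this is not code from the audit report, the PR, or the poster), the following compares the two ways an HKDF output can become a Schnorr nonce: plain modular reduction, which is biased whenever the output is only as long as the group order, and rejection sampling, which yields a nonce uniform on [1, n-1]. It assumes HMAC-SHA256 HKDF, uses secp256k1's order only as a realistic scalar range, and the `nonce` info label and per-attempt counter are made up for this example.

```python
import hashlib
import hmac
from collections import Counter

# Group order of secp256k1, assumed here only as a realistic scalar range.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def nonce_by_reduction(secret: bytes, msg: bytes, n: int = SECP256K1_N) -> int:
    """Reduce one HKDF output mod n. Bias is (2**bits mod n) / 2**bits, so
    it is negligible only when the output is much longer than n."""
    nbytes = (n.bit_length() + 7) // 8
    return int.from_bytes(hkdf_sha256(msg, secret, b"nonce", nbytes), "big") % n


def nonce_by_rejection(secret: bytes, msg: bytes, n: int = SECP256K1_N) -> int:
    """Uniform on [1, n-1]: re-derive with a fresh info counter until a candidate fits."""
    nbytes = (n.bit_length() + 7) // 8
    for ctr in range(256):  # hypothetical domain-separation counter, one per attempt
        raw = hkdf_sha256(msg, secret, b"nonce" + bytes([ctr]), nbytes)
        cand = int.from_bytes(raw, "big")
        if 1 <= cand < n:  # reject 0 and anything >= n instead of reducing
            return cand
    raise RuntimeError("no candidate in range after 256 tries")


def reduction_bias(n: int, bits: int) -> tuple[int, int]:
    """(min, max) frequency of residues when a uniform `bits`-bit value is reduced mod n.
    Small parameters exaggerate the effect so it is visible by exhaustive counting."""
    counts = Counter(x % n for x in range(1 << bits))
    return min(counts.values()), max(counts.values())


if __name__ == "__main__":
    # Constructed inputs; residues 0..55 of an 8-bit value mod 200 occur twice as often.
    print("8-bit value mod 200, (min, max) residue counts:", reduction_bias(200, 8))  # (1, 2)
    k = nonce_by_rejection(b"constructed-secret", b"constructed-message")
    print("rejection-sampled nonce in range:", 1 <= k < SECP256K1_N)
```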