<?xml version='1.0' encoding='utf-8'?>
<rss version="2.0">
  <channel>
    <title>Pieter Wuille</title>
    <link>https://wuille.net</link>
    <description>Posts by Pieter Wuille</description>
    <lastBuildDate>Thu, 16 Apr 2026 00:00:00 +0000</lastBuildDate>
    <item>
      <title>Efficient division-free randomness extraction</title>
      <link>https://wuille.net/posts/binomial-randomness-extractors/</link>
      <guid>https://wuille.net/posts/binomial-randomness-extractors/</guid>
      <pubDate>Thu, 16 Apr 2026 00:00:00 +0000</pubDate>
      <description>This post introduces an approach for [randomness extraction](https://en.wikipedia.org/wiki/Randomness_extractor) from sequences of independent observations from an *unknown* but unchanging probability distribution (including coin tosses, dice rolls, thermal noise observations, ...). It only requires basic arithmetic ($+$, $-$, $\times$) and a *count trailing zeroes* (ctz) operation on fixed-width integers, and can be implemented without table lookups or other timing side-channels. Variants are provided for binary and multi-valued input symbols. We analyze how much entropy it can extract, and its performance.
&lt;p&gt;&lt;a href="https://wuille.net/posts/binomial-randomness-extractors/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>libsecp256k1 tutorial</title>
      <link>https://wuille.net/posts/secp256k1-tutorial/</link>
      <guid>https://wuille.net/posts/secp256k1-tutorial/</guid>
      <pubDate>Sun, 22 Jun 2025 00:00:00 +0000</pubDate>
      <description>This is a summary of groups and fields as abstract mathematical objects, and the properties that will be relevant to us. It's something between a cheat sheet and a full course, without proofs or rigorous theorems, but there are links for further reading.
&lt;p&gt;&lt;a href="https://wuille.net/posts/secp256k1-tutorial/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Bitcoin's steady-state difficulty adjustment</title>
      <link>https://wuille.net/posts/bitcoin-difficulty-adjustment/</link>
      <guid>https://wuille.net/posts/bitcoin-difficulty-adjustment/</guid>
      <pubDate>Thu, 30 Jun 2022 00:00:00 +0000</pubDate>
      <description>In this document, we analyze the probabilistic behavior of Bitcoin's difficulty adjustment rules under the following assumptions:
&lt;p&gt;&lt;a href="https://wuille.net/posts/bitcoin-difficulty-adjustment/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Private authentication protocols</title>
      <link>https://wuille.net/posts/private-authentication-protocols/</link>
      <guid>https://wuille.net/posts/private-authentication-protocols/</guid>
      <pubDate>Tue, 17 May 2022 00:00:00 +0000</pubDate>
      <description>Authentication protocols are used to verify that network connections are not being monitored through a man-in-the-middle attack (MitM). But the commonly used constructions for authentication&amp;mdash;often some framework surrounding a digital signature or key exchange protocol&amp;mdash;reveal considerable amounts of identifying information to the participants (and MitMs). This information can potentially be used to track otherwise anonymous users around the network and correlate users across multiple services, if keys are reused.
&lt;p&gt;&lt;a href="https://wuille.net/posts/private-authentication-protocols/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Elligator Squared for BN-like curves</title>
      <link>https://wuille.net/posts/elligator-square-for-bn/</link>
      <guid>https://wuille.net/posts/elligator-square-for-bn/</guid>
      <pubDate>Sun, 10 Oct 2021 00:00:00 +0000</pubDate>
      <description>This document explains how to efficiently implement the Elligator Squared algorithm for BN curves and BN-like curves like `secp256k1`.
&lt;p&gt;&lt;a href="https://wuille.net/posts/elligator-square-for-bn/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Extracting multiple uniform numbers from a hash</title>
      <link>https://wuille.net/posts/uniform-range-extraction/</link>
      <guid>https://wuille.net/posts/uniform-range-extraction/</guid>
      <pubDate>Sat, 17 Jul 2021 00:00:00 +0000</pubDate>
      <description>This document introduces a technique for extracting multiple numbers in any range from a single hash function result, while optimizing for various uniformity properties.
&lt;p&gt;&lt;a href="https://wuille.net/posts/uniform-range-extraction/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Minimizing the redundancy in Golomb Coded Sets</title>
      <link>https://wuille.net/posts/minimizing-golomb-filters/</link>
      <guid>https://wuille.net/posts/minimizing-golomb-filters/</guid>
      <pubDate>Thu, 24 May 2018 00:00:00 +0000</pubDate>
      <description>A Golomb Coded Set (GCS) is a set of $N$ distinct integers within the range $[0..MN-1]$, whose order does not matter, stored by applying a Golomb-Rice coder with parameter $B$ to the differences between subsequent elements after sorting. When the integers are hashes of elements from a set, this is an efficient encoding of a probabilistic data structure with false positive rate $1/M$. It is asymptotically $1 / \log(2)$ (around 1.44) times more compact than Bloom filters, but harder to update or query.
&lt;p&gt;&lt;a href="https://wuille.net/posts/minimizing-golomb-filters/"&gt;Read more…&lt;/a&gt;&lt;/p&gt;</description>
    </item>
  </channel>
</rss>