Merge 991afd90f4 into 4aa18e329a

Added note about Shnorr signatures, and removed point 3 as it is true only for ECDSA signatures.

06.md

@@ -10,10 +10,14 @@ Basic key derivation from mnemonic seed phrase
 
 [BIP32](https://bips.xyz/32) is used to derive the path `m/44'/1237'/<account>'/0/0` (according to the Nostr entry on [SLIP44](https://github.com/satoshilabs/slips/blob/master/slip-0044.md)).
 
-A basic client can simply use an `account` of `0` to derive a single key. For more advanced use-cases you can increment `account`, allowing generation of practically infinite keys from the 5-level path with hardened derivation.
+A basic client can simply use an `account` of `0` to derive a single key. For more advanced use-cases you can increment `account`, allowing the generation of practically infinite keys from the 5-level path with hardened derivation.
 
-Other types of clients can still get fancy and use other derivation paths for their own other purposes.
+Other types of clients may choose to get fancy and use other derivation paths for their own alternative purposes.
 
+Because Nostr uses [Schnorr signatures standard for the curve `secp256k1`](https://bips.xyz/340), public keys have extra compression compared to Bitcoin ECDSA compressed public keys, meaning that the y-coordinate is not only omitted, but parity is not even indicated with the '03'(odd), nor '02' (even) prefixes. In other words, only the x-coordinate is included without any extra prefix marker. This matters in three contexts (there may be others):
+ - When borrowing code from Bitcoin public/private key ECDSA cryptography. This will output 33-byte public keys with a 02/03 prefix (compressed) or 04 (uncompressed). The first byte (prefix) needs to be removed.
+ - Conversion of a public key, to bech32. The pure x-coordinate value without prefix must be used as the input, not a compressed public key.
+ 
 ### Test vectors
 
 mnemonic: leader monkey parrot ring guide accident before fence cannon height naive bean\