diff --git a/doc/musig-spec.mediawiki b/doc/musig-spec.mediawiki index 239f2c48..b3f967bb 100644 --- a/doc/musig-spec.mediawiki +++ b/doc/musig-spec.mediawiki @@ -1,5 +1,5 @@
-  Title: MuSig Key Aggregation
+  Title: MuSig
   Author:
   Status: Draft
   License: BSD-2-Clause
@@ -10,7 +10,7 @@
 
 === Abstract ===
 
-This document describes MuSig Key Aggregation in libsecp256k1-zkp.
+This document proposes a standard for the MuSig2 protocol that supports ''tweaking'' and outputs [https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki BIP340] public keys and signatures.
 
 === Copyright ===
 
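Review bot: The new abstract names the protocol MuSig2, while the Title line changed in the first hunk now reads only "MuSig"; use one name in both places so readers do not take the document for the original MuSig scheme. The abstract also introduces ''tweaking'' without saying what is tweaked, so a short clause or a link to the section that defines it would help.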
@@ -65,10 +65,10 @@ The following conventions are used, with constants as defined for [https://www.s
 ==== Key Sorting ====
 
 Input:
-* The number ''u'' of signatures with ''0 < u < 2^32''
+* The number ''u'' of public keys with ''0 < u < 2^32''
 * The public keys ''pk1..u'': ''u'' 32-byte arrays
 
-The algorithm ''KeySort(pk1..u)'' is defined as:
+The algorithm '''''KeySort(pk1..u)''''' is defined as:
 * Return ''pk1..u'' sorted in lexicographical order.
 
 ==== Key Aggregation ====
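Review bot: In KeySort, "sorted in lexicographical order" leaves the comparison unspecified; say that the 32-byte arrays are compared byte by byte, so that independent implementations produce the same ordering. The correction from "signatures" to "public keys" in the input list is right.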
@@ -77,11 +77,11 @@ Input:
 * The number ''u'' of public keys with ''0 < u < 2^32''
 * The public keys ''pk1..u'': ''u'' 32-byte arrays
 
-The algorithm ''KeyAgg(pk1..u)'' is defined as:
+The algorithm '''''KeyAgg(pk1..u)''''' is defined as:
 * Let ''Q = KeyAggInternal(pk1..u)''; fail if that fails.
 * Return ''bytes(Q)''.
 
-The algorithm ''KeyAggInternal(pk1..u)'' is defined as:
+The algorithm '''''KeyAggInternal(pk1..u)''''' is defined as:
 * For ''i = 1 .. u'':
 ** Let ''ai = KeyAggCoeff(pk1..u, pki)''.
 ** Let ''Pi = point(pki)''; fail if that fails.
@@ -89,16 +89,16 @@ The algorithm ''KeyAggInternal(pk1..u)'' is defined as:
 * Fail if ''is_infinite(Q)''.
 * Return ''Q''.
 
-The algorithm ''HashKeys(pk1..u)'' is defined as:
+The algorithm '''''HashKeys(pk1..u)''''' is defined as:
 * Return ''hashKeyAgg list(pk1 || pk2 || ... || pku)''
 
-The algorithm ''IsSecond(pk1..u, pk')'' is defined as:
+The algorithm '''''IsSecond(pk1..u, pk')''''' is defined as:
 * For ''j = 1 .. u'':
 ** If ''pkj ≠ pk1'':
 *** Return ''true'' if ''pkj = pk' '', otherwise return ''false''.
 * Return ''false''
 
-The algorithm ''KeyAggCoeff(pk1..u, pk')'' is defined as:
+The algorithm '''''KeyAggCoeff(pk1..u, pk')''''' is defined as:
 * Let ''L = HashKeys(pk1..u)''.
 * If ''IsSecond(pk1..u, pk')'':
 ** Return 1
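Review bot: IsSecond has no sentence saying what it decides; from the loop it returns whether ''pk' '' equals the first key in the list that differs from ''pk1'', and false when all keys are equal, which is worth stating next to the definition now that the name is being highlighted. In KeyAggCoeff, ''L = HashKeys(pk1..u)'' is computed before the IsSecond branch that returns 1 without using it, so consider moving that step after the branch. The "Return" bullets in HashKeys and IsSecond also lack the full stop used by the other algorithms.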
@@ -106,7 +106,7 @@ The algorithm ''KeyAggCoeff(pk1..u, pk')'' is defined as:
 
 ==== Nonce Generation ====
 
-The algorithm ''NonceGen()'' is defined as:
+The algorithm '''''NonceGen()''''' is defined as:
 * Generate two random integers ''k1, k2'' in the range ''1...n-1''
 * Let ''R*1 = k1⋅G, R*2 = k2⋅G''
 * Let ''pubnonce = cbytes(R*1) || cbytes(R*2)''
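Review bot: In NonceGen, "Generate two random integers" does not say how they are chosen; since ''k1'' and ''k2'' are secret nonces, state that they are drawn uniformly from a cryptographically secure random source. The range ''1...n-1'' would also read better as ''1 .. n-1'', matching the two-dot ranges used in the loops of the other algorithms.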
@@ -118,7 +118,7 @@ The algorithm ''NonceGen()'' is defined as:
 * The number ''u'' of ''pubnonces'' with ''0 < u < 2^32''
 * The public nonces ''pubnonce1..u'': ''u'' 66-byte arrays
 
-The algorithm ''NonceAgg(pubnonce1..u)'' is defined as:
+The algorithm '''''NonceAgg(pubnonce1..u)''''' is defined as:
 * For ''i = 1 .. 2'':
 ** For ''j = 1 .. u'':
 *** Let ''Ri,j = pointc(pubnoncej[(i-1)*33:i*33])''; fail if that fails
@@ -156,7 +156,7 @@ Input:
 * The public keys ''pk1..u'': ''u'' 32-byte arrays
 * The message ''m'': a 32-byte array
 
-The algorithm ''Sign(secnonce, sk, aggnonce, pk1..u, m)'' is defined as:
+The algorithm '''''Sign(secnonce, sk, aggnonce, pk1..u, m)''''' is defined as:
 * Let ''R1 = pointc(aggnonce[0:33]), R2 = pointc(aggnonce[33:66])''; fail if that fails
 * Let ''Q = KeyAggInternal(pk1..u)''; fail if that fails
 * Let ''b = int(hashMuSig/noncecoef(aggnonce || bytes(Q) || m)) mod n''
@@ -187,7 +187,7 @@ Input:
 * The message ''m'': a 32-byte array
 * The index of the signer ''i'' in the public nonces and public keys with ''0 < i ≤ u''
 
-The algorithm ''PartialSigVerify(psig, pubnonce1..u, pk1..u, m, i)'' is defined as:
+The algorithm '''''PartialSigVerify(psig, pubnonce1..u, pk1..u, m, i)''''' is defined as:
 * Let ''aggnonce = NonceAgg(pubnonce1..u)''; fail if that fails
 * Run ''PartialSigVerifyInternal(psig, pubnoncei, aggnonce, pk1..u, pki, m)''
 * Return success iff no failure occurred before reaching this point.
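Review bot: In PartialSigVerify, the step "Run ''PartialSigVerifyInternal(...)''" does not say what happens when the inner algorithm fails, unlike the NonceAgg step above it, which ends with "fail if that fails". Add the same clause to the "Run" step so that the final "Return success iff no failure occurred" line is unambiguous.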
@@ -203,7 +203,7 @@ Input:
 * The public key of the signer ''pk*'' (in ''pk1..u''): a 32-byte array
 * The message ''m'': a 32-byte array
 
-The algorithm ''PartialSigVerifyInternal(psig, pubnonce, aggnonce, pk1..u, pk*, m)'' is defined as:
+The algorithm '''''PartialSigVerifyInternal(psig, pubnonce, aggnonce, pk1..u, pk*, m)''''' is defined as:
 * Let ''s = int(psig)''; fail if ''s ≥ n''
 * Let ''R1 = pointc(aggnonce[0:33]), R2 = pointc(aggnonce[33:66])''; fail if that fails
 * Let ''Q = KeyAggInternal(pk1..u)''; fail if that fails
@@ -226,7 +226,7 @@ Input:
 * The number ''u'' of signatures with ''0 < u < 2^32''
 * The partial signatures ''psig1..u'': ''u'' 32-byte arrays
 
-The algorithm ''PartialSigAgg(R, psig1..u)'' is defined as:
+The algorithm '''''PartialSigAgg(R, psig1..u)''''' is defined as:
 * For ''i = 1 .. u'':
 ** Let ''si = int(psigi)''; fail if ''si ≥ n''.
 * Let ''s = s1 + ... + su mod n''