From e463ea42bb1fe48e30e6d289461cff4fa0935f77 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sun, 3 Apr 2022 23:42:40 +0000 Subject: [PATCH] musig-spec: mention stateless signing in signing flow --- doc/musig-spec.mediawiki | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/musig-spec.mediawiki b/doc/musig-spec.mediawiki index 68d29514..4f4149f4 100644 --- a/doc/musig-spec.mediawiki +++ b/doc/musig-spec.mediawiki @@ -90,6 +90,11 @@ This technique reduces the overall communication. The aggregator node does not need to be trusted for the scheme's security to hold. All the aggregator node can do is prevent the signing session from succeeding by sending out incorrect aggregate nonces. +In general, MuSig2 signers are stateful in the sense that they first generate ''secnonce'' and then need to store it until they receive the other signer's ''pubnonces'' or the ''aggnonce''. +However, it is possible for one of the signers to be stateless. +This signer waits until it receives the ''pubnonce'' of all the other signers and until session parameters such as a message to sign, public keys, and tweaks are determined. +Then, the signer can run ''NonceGen'', ''NonceAgg'' and ''Sign'' in sequence and send out its ''pubnonce'' along with its partial signature. + If any signer sends an incorrect partial signature, i.e., one that has not then been created with ''Sign'' and the right arguments for the session, the MuSig2 protocol may fail to output a valid Schnorr signature. This standard provides the method ''PartialSigVerify'' to verify the correctness of partial signatures. If partial signatures are authenticated, this method can be used to identify disruptive signers and hold them accountable.
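Review bot: In the first added line, "the other signer's ''pubnonces''" reads as a single other signer, while the third added line says "all the other signers"; suggest "the other signers' ''pubnonces''" so the two sentences agree. The second added line says "one of the signers" can be stateless but does not say why it is limited to one: the stateless signer waits for the ''pubnonce'' of every other signer before it runs ''NonceGen'', so two signers waiting on each other would never proceed. It would help to state that explicitly. The last added line could also say that the ''secnonce'' from ''NonceGen'' is consumed by the ''Sign'' call that follows immediately and is not stored, since that is what makes this signer stateless in contrast to the first sentence.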