musig-spec: add Session Context to simplify sign/verify/sigagg
Besides reducing the number of arguments, this also removes the R argument from PartialSigAgg which was not defined precisely: * The final nonce ''R'' as created during ''Sign'' or ''PartialSigVerify'': a point Moreover, this paves the way for adding the tweaking, which requires PartialSigAgg to also have access to challenge e and can now be easily computed from the Session Context.
This commit is contained in:
		
							parent
							
								
									3aec4332b5
								
							
						
					
					
						commit
						fb060a0c4e
					
				| @ -60,6 +60,8 @@ The following conventions are used, with constants as defined for [https://www.s | |||||||
| ** The function ''point(x)'', where ''x'' is a 32-byte array ("x-only" serialization), returns ''lift_x(int(x))''. Fail if ''lift_x'' fails. | ** The function ''point(x)'', where ''x'' is a 32-byte array ("x-only" serialization), returns ''lift_x(int(x))''. Fail if ''lift_x'' fails. | ||||||
| ** The function ''pointc(x)'', where ''x'' is a 33-byte array (compressed serialization), sets ''P = lift_x(int(x[1:33]))'' and fails if that fails. If ''x[0] = 2'' it returns ''P'' and if ''x[0] = 3'' it returns ''-P''. Otherwise, it fails. | ** The function ''pointc(x)'', where ''x'' is a 33-byte array (compressed serialization), sets ''P = lift_x(int(x[1:33]))'' and fails if that fails. If ''x[0] = 2'' it returns ''P'' and if ''x[0] = 3'' it returns ''-P''. Otherwise, it fails. | ||||||
| ** The function ''hash<sub>tag</sub>(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''. | ** The function ''hash<sub>tag</sub>(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''. | ||||||
|  | * Other: | ||||||
|  | ** Tuples are written by listing the elements within parentheses and separated by commas. For example, ''(2, 3, 1)'' is a tuple. | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ==== Key Sorting ==== | ==== Key Sorting ==== | ||||||
| @ -126,35 +128,51 @@ The algorithm '''''NonceAgg(pubnonce<sub>1..u</sub>)''''' is defined as: | |||||||
| ** <div id="NonceAgg infinity"></div>Let ''R<sub>i</sub> = R'<sub>i</sub>'' if not ''is_infinite(R'<sub>i</sub>)'', otherwise let R<sub>i</sub> = G'' (see [[#dealing-with-infinity-in-nonce-aggregation|Dealing with Infinity in Nonce Aggregation]]) | ** <div id="NonceAgg infinity"></div>Let ''R<sub>i</sub> = R'<sub>i</sub>'' if not ''is_infinite(R'<sub>i</sub>)'', otherwise let R<sub>i</sub> = G'' (see [[#dealing-with-infinity-in-nonce-aggregation|Dealing with Infinity in Nonce Aggregation]]) | ||||||
| * Return ''aggnonce = cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>)'' | * Return ''aggnonce = cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>)'' | ||||||
| 
 | 
 | ||||||
| ==== Signing ==== | ==== Session Context ==== | ||||||
| 
 | 
 | ||||||
| Input: | The Session Context is a data structure consisting of the following elements: | ||||||
| * The secret nonce ''secnonce'' that has never been used as input to ''Sign'' before: a 64-byte array |  | ||||||
| * The secret key ''sk'': a 32-byte array |  | ||||||
| * The aggregate public nonce ''aggnonce'': a 66-byte array | * The aggregate public nonce ''aggnonce'': a 66-byte array | ||||||
| * The number ''u'' of public keys with ''0 < u < 2^32'' | * The number ''u'' of public keys with ''0 < u < 2^32'' | ||||||
| * The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays | * The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays | ||||||
| * The message ''m'': a 32-byte array | * The message ''m'': a 32-byte array | ||||||
| 
 | 
 | ||||||
| The algorithm '''''Sign(secnonce, sk, aggnonce, pk<sub>1..u</sub>, m)''''' is defined as: | We write "Let ''(aggnonce, u, pk<sub>1..u</sub>, m) = session_ctx''" to assign names to the elements of a Session Context. | ||||||
| * Let ''R<sub>1</sub> = pointc(aggnonce[0:33]), R<sub>2</sub> = pointc(aggnonce[33:66])''; fail if that fails | 
 | ||||||
|  | The algorithm '''''GetSessionValues(session_ctx)''''' is defined as: | ||||||
|  | * Let ''(aggnonce, u, pk<sub>1..u</sub>, m) = session_ctx'' | ||||||
| * Let ''Q = KeyAggInternal(pk<sub>1..u</sub>)''; fail if that fails | * Let ''Q = KeyAggInternal(pk<sub>1..u</sub>)''; fail if that fails | ||||||
| * Let ''b = int(hash<sub>MuSig/noncecoef</sub>(aggnonce || bytes(Q) || m)) mod n'' | * Let ''b = int(hash<sub>MuSig/noncecoef</sub>(aggnonce || bytes(Q) || m)) mod n'' | ||||||
|  | * Let ''R<sub>1</sub> = pointc(aggnonce[0:33]), R<sub>2</sub> = pointc(aggnonce[33:66])''; fail if that fails | ||||||
| * Let ''R = R<sub>1</sub> + b⋅R<sub>2</sub>'' | * Let ''R = R<sub>1</sub> + b⋅R<sub>2</sub>'' | ||||||
| * Fail if ''is_infinite(R)'' | * Fail if ''is_infinite(R)'' | ||||||
|  | * Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(R) || bytes(Q) || m)) mod n'' | ||||||
|  | * Return ''(Q, b, R, e)'' | ||||||
|  | 
 | ||||||
|  | The algorithm '''''GetSessionKeyAggCoeff(session_ctx, P)''''' is defined as: | ||||||
|  | * Let ''(_, u, pk<sub>1..u</sub>, _) = session_ctx'' | ||||||
|  | * Return ''KeyAggCoeff(pk<sub>1..u</sub>, bytes(P))'' | ||||||
|  | 
 | ||||||
|  | ==== Signing ==== | ||||||
|  | 
 | ||||||
|  | Input: | ||||||
|  | * The secret nonce ''secnonce'' that has never been used as input to ''Sign'' before: a 64-byte array | ||||||
|  | * The secret key ''sk'': a 32-byte array | ||||||
|  | * The ''session_ctx'': a [[#session-context|Session Context]] data structure | ||||||
|  | 
 | ||||||
|  | The algorithm '''''Sign(secnonce, sk, session_ctx)''''' is defined as: | ||||||
|  | * Let ''(Q, b, R, e) = GetSessionValues(session_ctx)''; fail if that fails | ||||||
| * Let ''k'<sub>1</sub> = int(secnonce[0:32]), k'<sub>2</sub> = int(secnonce[32:64])'' | * Let ''k'<sub>1</sub> = int(secnonce[0:32]), k'<sub>2</sub> = int(secnonce[32:64])'' | ||||||
| * Fail if ''k'<sub>i</sub> = 0'' or ''k'<sub>i</sub> ≥ n'' for ''i = 1..2'' | * Fail if ''k'<sub>i</sub> = 0'' or ''k'<sub>i</sub> ≥ n'' for ''i = 1..2'' | ||||||
| * Let ''k<sub>1</sub> = k'<sub>1</sub>, k<sub>2</sub> = k'<sub>2</sub> '' if ''has_even_y(R)'', otherwise let ''k<sub>1</sub> = n - k'<sub>1</sub>, k<sub>2</sub> = n - k<sub>2</sub>'' | * Let ''k<sub>1</sub> = k'<sub>1</sub>, k<sub>2</sub> = k'<sub>2</sub> '' if ''has_even_y(R)'', otherwise let ''k<sub>1</sub> = n - k'<sub>1</sub>, k<sub>2</sub> = n - k<sub>2</sub>'' | ||||||
| * Let ''d' = int(sk)'' | * Let ''d' = int(sk)'' | ||||||
| * Fail if ''d' = 0'' or ''d' ≥ n'' | * Fail if ''d' = 0'' or ''d' ≥ n'' | ||||||
| * Let ''P = d'⋅G'' | * Let ''P = d'⋅G'' | ||||||
|  | * Let ''mu = GetSessionKeyAggCoeff(session_ctx, P)''; fail if that fails | ||||||
| * Let ''d = n - d' '' if ''has_even_y(P) `XOR` has_even_y(Q)'', otherwise let ''d = d' '' | * Let ''d = n - d' '' if ''has_even_y(P) `XOR` has_even_y(Q)'', otherwise let ''d = d' '' | ||||||
| * Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(R) || bytes(Q) || m)) mod n'' |  | ||||||
| * Let ''mu = KeyAggCoeff(pk<sub>1..u</sub>, bytes(P))'' |  | ||||||
| * Let ''s = (k<sub>1</sub> + b⋅k<sub>2</sub> + e⋅mu⋅d) mod n'' | * Let ''s = (k<sub>1</sub> + b⋅k<sub>2</sub> + e⋅mu⋅d) mod n'' | ||||||
| * Let ''psig = bytes(s)'' | * Let ''psig = bytes(s)'' | ||||||
| * Let ''pubnonce = cbytes(k'<sub>1</sub>⋅G) || cbytes(k'<sub>2</sub>⋅G)'' | * Let ''pubnonce = cbytes(k'<sub>1</sub>⋅G) || cbytes(k'<sub>2</sub>⋅G)'' | ||||||
| * If ''PartialSigVerifyInternal(psig, pubnonce, aggnonce, pk<sub>1..u</sub>, bytes(P), m)'' (see below) returns failure, abort<ref>Verifying the signature before leaving the signer prevents random or attacker provoked computation errors. This prevents publishing invalid signatures which may leak information about the secret key. It is recommended, but can be omitted if the computation cost is prohibitive.</ref>. | * If ''PartialSigVerifyInternal(psig, pubnonce, bytes(P), session_ctx)'' (see below) returns failure, abort<ref>Verifying the signature before leaving the signer prevents random or attacker provoked computation errors. This prevents publishing invalid signatures which may leak information about the secret key. It is recommended, but can be omitted if the computation cost is prohibitive.</ref>. | ||||||
| * Return partial signature ''psig'' | * Return partial signature ''psig'' | ||||||
| 
 | 
 | ||||||
| ==== Partial Signature Verification ==== | ==== Partial Signature Verification ==== | ||||||
| @ -169,7 +187,8 @@ Input: | |||||||
| 
 | 
 | ||||||
| The algorithm '''''PartialSigVerify(psig, pubnonce<sub>1..u</sub>, pk<sub>1..u</sub>, m, i)''''' is defined as: | The algorithm '''''PartialSigVerify(psig, pubnonce<sub>1..u</sub>, pk<sub>1..u</sub>, m, i)''''' is defined as: | ||||||
| * Let ''aggnonce = NonceAgg(pubnonce<sub>1..u</sub>)''; fail if that fails | * Let ''aggnonce = NonceAgg(pubnonce<sub>1..u</sub>)''; fail if that fails | ||||||
| * Run ''PartialSigVerifyInternal(psig, pubnonce<sub>i</sub>, aggnonce, pk<sub>1..u</sub>, pk<sub>i</sub>, m)'' | * Let ''session_ctx = (aggnonce, u, pk<sub>1..u</sub>, m)'' | ||||||
|  | * Run ''PartialSigVerifyInternal(psig, pubnonce<sub>i</sub>, pk<sub>i</sub>, session_ctx)'' | ||||||
| * Return success iff no failure occurred before reaching this point. | * Return success iff no failure occurred before reaching this point. | ||||||
| 
 | 
 | ||||||
| ===== PartialSigVerifyInternal ===== | ===== PartialSigVerifyInternal ===== | ||||||
| @ -177,36 +196,30 @@ The algorithm '''''PartialSigVerify(psig, pubnonce<sub>1..u</sub>, pk<sub>1..u</ | |||||||
| Input: | Input: | ||||||
| * The partial signature ''psig'': a 32-byte array | * The partial signature ''psig'': a 32-byte array | ||||||
| * The public nonce of the signer ''pubnonce'': a 66-byte array | * The public nonce of the signer ''pubnonce'': a 66-byte array | ||||||
| * The aggregate public nonce ''aggnonce'': a 66-byte array | * The public key of the signer ''pk<sup>*</sup>'' (in ''pk<sub>1..u</sub>'' of the session_ctx''): a 32-byte array | ||||||
| * The number ''u'' of public keys with ''0 < u < 2^32'' | * The ''session_ctx'': a [[#session-context|Session Context]] data structure | ||||||
| * The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays |  | ||||||
| * The public key of the signer ''pk<sup>*</sup>'' (in ''pk<sub>1..u</sub>''): a 32-byte array |  | ||||||
| * The message ''m'': a 32-byte array |  | ||||||
| 
 | 
 | ||||||
| The algorithm '''''PartialSigVerifyInternal(psig, pubnonce, aggnonce, pk<sub>1..u</sub>, pk<sup>*</sup>, m)''''' is defined as: | The algorithm '''''PartialSigVerifyInternal(psig, pubnonce, pk<sup>*</sup>, session_ctx)''''' is defined as: | ||||||
|  | * Let ''(Q, b, R, e) = GetSessionValues(session_ctx)''; fail if that fails | ||||||
| * Let ''s = int(psig)''; fail if ''s ≥ n'' | * Let ''s = int(psig)''; fail if ''s ≥ n'' | ||||||
| * Let ''R<sub>1</sub> = pointc(aggnonce[0:33]), R<sub>2</sub> = pointc(aggnonce[33:66])''; fail if that fails |  | ||||||
| * Let ''Q = KeyAggInternal(pk<sub>1..u</sub>)''; fail if that fails |  | ||||||
| * Let ''b = int(hash<sub>MuSig/noncecoef</sub>(aggnonce || bytes(Q) || m)) mod n'' |  | ||||||
| * Let ''R = R<sub>1</sub> + b⋅R<sub>2</sub>'' |  | ||||||
| * Let ''R<sup>*</sup><sub>1</sub> = pointc(pubnonce[0:33]), R<sup>*</sup><sub>2</sub> = pointc(pubnonce[33:66])'' | * Let ''R<sup>*</sup><sub>1</sub> = pointc(pubnonce[0:33]), R<sup>*</sup><sub>2</sub> = pointc(pubnonce[33:66])'' | ||||||
| * Let ''R<sup>*</sup>' = R<sup>*</sup><sub>1</sub> + b⋅R<sup>*</sup><sub>2</sub>'' | * Let ''R<sup>*</sup>' = R<sup>*</sup><sub>1</sub> + b⋅R<sup>*</sup><sub>2</sub>'' | ||||||
| * Let ''R<sup>*</sup> = R<sup>*</sup>' '' if ''has_even_y(R)'', otherwise let ''R<sup>*</sup> = -R<sup>*</sup>' '' | * Let ''R<sup>*</sup> = R<sup>*</sup>' '' if ''has_even_y(R)'', otherwise let ''R<sup>*</sup> = -R<sup>*</sup>' '' | ||||||
| * Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(R) || bytes(Q) || m)) mod n'' |  | ||||||
| * Let ''mu = KeyAggCoeff(pk<sub>1..u</sub>, pk<sup>*</sup>)'' |  | ||||||
| * Let ''P' = point(pk<sup>*</sup>)''; fail if that fails | * Let ''P' = point(pk<sup>*</sup>)''; fail if that fails | ||||||
| * Let ''P = P' '' if ''has_even_y(Q)'', otherwise let ''P = -P' '' | * Let ''P = P' '' if ''has_even_y(Q)'', otherwise let ''P = -P' '' | ||||||
|  | * Let ''mu = GetSessionKeyAggCoeff(session_ctx, P)''; fail if that fails | ||||||
| * Fail if ''s⋅G ≠ R<sup>*</sup> + e⋅mu⋅P'' | * Fail if ''s⋅G ≠ R<sup>*</sup> + e⋅mu⋅P'' | ||||||
| * Return success iff no failure occurred before reaching this point. | * Return success iff no failure occurred before reaching this point. | ||||||
| 
 | 
 | ||||||
| ==== Partial Signature Aggregation ==== | ==== Partial Signature Aggregation ==== | ||||||
| 
 | 
 | ||||||
| Input: | Input: | ||||||
| * The final nonce ''R'' as created during  ''Sign'' or ''PartialSigVerify'': a point |  | ||||||
| * The number ''u'' of signatures with ''0 < u < 2^32'' | * The number ''u'' of signatures with ''0 < u < 2^32'' | ||||||
| * The partial signatures ''psig<sub>1..u</sub>'': ''u'' 32-byte arrays | * The partial signatures ''psig<sub>1..u</sub>'': ''u'' 32-byte arrays | ||||||
|  | * The ''session_ctx'': a [[#session-context|Session Context]] data structure | ||||||
| 
 | 
 | ||||||
| The algorithm '''''PartialSigAgg(R, psig<sub>1..u</sub>)''''' is defined as: | The algorithm '''''PartialSigAgg(psig<sub>1..u</sub>, session_ctx)''''' is defined as: | ||||||
|  | * Let ''(_, _, R, _) = GetSessionValues(session_ctx)''; fail if that fails | ||||||
| * For ''i = 1 .. u'': | * For ''i = 1 .. u'': | ||||||
| ** Let ''s<sub>i</sub> = int(psig<sub>i</sub>)''; fail if ''s<sub>i</sub> ≥ n''. | ** Let ''s<sub>i</sub> = int(psig<sub>i</sub>)''; fail if ''s<sub>i</sub> ≥ n''. | ||||||
| * Let ''s = s<sub>1</sub> + ... + s<sub>u</sub> mod n'' | * Let ''s = s<sub>1</sub> + ... + s<sub>u</sub> mod n'' | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user