376733b58b282a4985dd78d0125749473f0aeff3 musig-spec: clarify hashing in noncegen by converting ints to bytes (Jonas Nick)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 376733b58b282a4985dd78d0125749473f0aeff3
Tree-SHA512: c4708c476094d242fe7312177e345932bd40b52549007b43d2e5e4efc094101624d8583647f305bcbd042692a9d0117eda38f71e22fee0e0f49d677d9f512a8e
- KeyAggCoeff' -> KeyAggCoeffInternal for consistency
- In Sign, add mod n when calculating d
- In Tweak, reorder the parameters to (Q, gacc, tacc, tweak, is_xonly) because
the first three are "state" arguments
- Rename Tweak function to ApplyTweak to avoid confusion with tweak (the
vector). This becomes apparent in the python reference code.
- add BIP header & abstract
- rename MuSig to MuSig2 because some people may want to use the 3-round version
- remove applications because we don't need to motivate an informational BIP
- x-only -> X-only
- remove overly repetetitive "The algorithm [...] is defined as"
- move "Remarks" and "Design" out of "Description" section and move "Test
vectors and ..." into "Description" section. The idea is that the Description
contains everything that is absolutely required to implement the BIP (safely).
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
Besides reducing the number of arguments, this also removes the R argument from
PartialSigAgg which was not defined precisely:
* The final nonce ''R'' as created during ''Sign'' or ''PartialSigVerify'': a point
Moreover, this paves the way for adding the tweaking, which requires
PartialSigAgg to also have access to challenge e and can now be easily computed
from the Session Context.
We will need more of these explanations and it's better if they do not interfere
the specification section. The remarks section is intended for content that's
not required for implementing the spec.
Instead of using eta=-delta, use zeta=-(delta+1/2) to represent
delta. This variant only needs at most 590 iterations for 256-bit
inputs rather than 724 (by convex hull bounds analysis).
This adds a long comment explaining the algorithm and implementation choices by building
it up step by step in Python.
Comments in the code are also reworked/added, with references to the long explanation.
