
musig-spec: add optional arguments to strengthen nonce function #177

Merged

Conversation

jonasnick (Contributor)

No description provided.

Comment on lines 218 to 222
* The secret signing key ''sk'': a 32-byte array or 0-byte array (optional argument)
* The aggregate public key ''aggpk'': a 32-byte array or 0-byte array (optional argument)
* The message ''m'': a 32-byte array or 0-byte array (optional argument)
* The length ''l'' of auxiliary entropy ''ent'': an integer ''≥ 0''
* The auxiliary entropy ''ent'': an l-byte array (optional argument)
real-or-random (Collaborator), Apr 2, 2022:

If your pseudocode language is expressive enough to compute len(sk), couldn't it also compute len(ent) then?

jonasnick (Contributor, Author):

I didn't do this for consistency with other variable-length arguments (number of pubkeys, nonces, etc.), but I reconsidered and len(ent) is quite a bit nicer.

* The aggregate public key ''aggpk'': a 32-byte array or 0-byte array (optional argument)
* The message ''m'': a 32-byte array or 0-byte array (optional argument)
* The length ''l'' of auxiliary entropy ''ent'': an integer ''≥ 0''
* The auxiliary entropy ''ent'': an l-byte array (optional argument)
real-or-random (Collaborator):

We should also explain the "security considerations" here, similarly to how the aux argument is explained in BIP340:

  • What is a good "ent" string? (For example, even some session identifier / context string can be good, or a counter can be good).
  • What are the implications of providing or not providing the arguments? This may be difficult to explain because there are so many optional arguments. But I think it boils down to mostly case distinction between sk present vs sk not present.

Is "entropy" the right term here? Maybe "context" is better? I don't know. A counter is useful here but what's the entropy of a counter? But in this case, my suggestion "context" isn't much better... Another idea is just "aux" plus have a proper explanation.

jonasnick (Contributor, Author):

I tried avoiding aux to avoid confusion with the aux argument in BIP340 which also affects nonce generation but has a different purpose. I renamed the auxiliary input to in and added explanations to the NonceGeneration section.

real-or-random (Collaborator) left a comment:

concept ACK

This is a defense-in-depth measure that may help if the value is not drawn
uniformly at random. The handling of sk is similar to BIP340.
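As an added illustration of the nonce-derivation shape discussed in this PR (my own sketch, not the spec's NonceGen and not the project's code): fresh randomness is combined with the optional sk, aggpk, m and auxiliary input, an absent argument is the empty byte string (the spec text's "0-byte array"), each length is read from the argument itself rather than passed separately, and sk is folded in BIP340-style so a biased random value is still masked by the key. The tag strings, the 4-byte length prefix and all function names are assumptions of this sketch.

```python
import hashlib


def tagged_hash(tag: str, msg: bytes) -> bytes:
    # BIP340-style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg).
    tag_hash = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(tag_hash + tag_hash + msg).digest()


def encode_optional(data: bytes) -> bytes:
    # Length-prefix every variable-length argument (4-byte prefix is an
    # assumption of this sketch). len(data) comes from the argument itself,
    # and the prefix keeps aggpk=b"ab", m=b"" distinct from aggpk=b"a", m=b"b".
    return len(data).to_bytes(4, "big") + data


def nonce_secret(rand: bytes, sk: bytes = b"", aggpk: bytes = b"",
                 m: bytes = b"", extra_in: bytes = b"") -> bytes:
    """Derive a 32-byte nonce secret from fresh randomness plus optional
    inputs. An absent argument is the empty byte string. The tag strings
    are placeholders for this illustration, not the MuSig spec's tags."""
    if len(rand) != 32:
        raise ValueError("rand must be 32 bytes")
    if sk:
        if len(sk) != 32:
            raise ValueError("sk must be 32 bytes or absent")
        # Defense in depth as in BIP340's aux handling: XOR sk with a tagged
        # hash of rand, so that a non-uniform rand still yields an input
        # that is unpredictable to anyone who does not know sk.
        mask = tagged_hash("Illustration/aux", rand)
        rand = bytes(a ^ b for a, b in zip(sk, mask))
    buf = (rand + encode_optional(aggpk) + encode_optional(m)
           + encode_optional(extra_in))
    return tagged_hash("Illustration/nonce", buf)


def distinct_nonces(rand: bytes) -> bool:
    # Sanity check: the derivation is deterministic, and providing, omitting
    # or re-splitting optional inputs changes the derived secret.
    base = nonce_secret(rand)
    return (base == nonce_secret(rand)
            and base != nonce_secret(rand, extra_in=b"session-42")
            and nonce_secret(rand, aggpk=b"ab")
            != nonce_secret(rand, aggpk=b"a", m=b"b")
            and base != nonce_secret(rand, sk=bytes(range(32))))
```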
jonasnick force-pushed the musig-spec-nonce-gen branch from 4bd0c0f to 1a086ba, April 3, 2022 23:37
real-or-random added a commit that referenced this pull request Apr 4, 2022
fd51a62 musig-spec: add authors (Jonas Nick)
f56e223 musig-spec: explain NonceGen and tweaking in signing flow context (Jonas Nick)
e463ea4 musig-spec: mention stateless signing in signing flow (Jonas Nick)
a29b961 musig-spec: add acknowledgements and improve abstract (Jonas Nick)
1a086ba musig-spec: add optional arguments to strengthen nonce function (Jonas Nick)
8d04ac3 musig-spec: remove unnecessary and inconsistent input paragraph (Jonas Nick)

Pull request description:

  Based on #177

  It's likely we're missing people in the acknowledgements. Ping me if you think you are.

ACKs for top commit:
  real-or-random:
    ACK fd51a62

Tree-SHA512: 5240b783c15f76655b2593422dc7c76de1c5e298bbe2f39858daca4ee1b1877f1ff179b4043e6f1f75f8c804b734f4bb739d38a18a54b094d8640c57fd074ed9
real-or-random merged commit 1a086ba into BlockstreamResearch:master Apr 4, 2022