Closed ssantos21 closed 1 year ago
Is it possible to generate
b1.P
(instead ofb1.G
) as a public nonce for secret nonceb1
using secp256k1-zkp lib?secp256k1_musig_nonce_gen
doesn't seem to support this.
No, you'd need to fork the library. Our implementation supports only MuSig2 as specified in BIP327.
blinded MuSig2
Note that this is not at all an "official" variant of MuSig2. (I'm not even sure it actually resembles MuSig2.) We can't vouch for its security. Blind Schnorr signatures (even in the single-signer case) are vulnerable to Wagner's attack when concurrent signing sessions are possible.
Thanks for the answer.
So I forked this library and added the blinding factor. Regarding the Wagner's attack, as blinded signature is intended to be used on statechain servers, it might be mitigated by the client committing the values of the blinding nonce used (labeled f) and the value of R2 used in a signing session to the server before the server responds with their value of R1.
The scheme is s = (k1 + b⋅k2 + e⋅a⋅d) + f*P mod n
, where f
is the blinding factor and P
is the aggregated public key.
And the challenge is e1 = e + f
or e1 = e - f
depending on the XOR(final nonce parity, aggregated public key parity)
.
The function for this is:
secp256k1_blinded_musig_nonce_process
And I also added two new functions so that the server doesn't know the aggregated public key and the key aggregation coefficient.
The client sends the secret key negation and keyaggcoef
information to the server.
secp256k1_musig_get_keyaggcoef_and_negation_seckey
secp256k1_blinded_musig_partial_sign
I'm trying to implement a blinded MuSig2 protocol as suggested in https://github.com/commerceblock/mercury/blob/master/layer/protocol.md#signature-generation.
The protocol considers the aggregated nonce as
R_1 = R1_1 + r2_1.G + b1.P
, whereR1_1
andR2_1
are public nonces (secp256k1_musig_pubnonce
),b1
is a secret nonce (blind factor /secp256k1_musig_secnonce
) andP
is the aggregated public key (secp256k1_xonly_pubkey
).Is it possible to generate
b1.P
(instead ofb1.G
) as a public nonce for secret nonceb1
using secp256k1-zkp lib?secp256k1_musig_nonce_gen
doesn't seem to support this.