Closed LLFourn closed 1 year ago
From an API perspective I think this is much clearer for the user, that "session_id must be different for every signing attempt"/signing session
Am I understanding correctly that for a deterministic nonce gen:

```rust
// one session id per signing attempt; the RNG is seeded from it
let session_id = b"signing-ominous-message-about-banks-attempt-1".as_slice();
let mut nonce_rng: ChaCha20Rng = frost.gen_nonce_rng(&frost_key, &my_secret_share, session_id);
let my_nonce = frost.gen_nonce(&mut nonce_rng);
```

we would only ever use `nonce_rng` once? But with a synthetic noncegen, we can safely reuse `nonce_rng` to create more nonces in following sessions?
> we would only ever use `nonce_rng` once? But with a synthetic noncegen, we can safely reuse `nonce_rng` to create more nonces in following sessions?
No, you can use the nonce RNG to create as many nonces as you want for the session. You're right, we need to explicitly state this and give an example. A Bitcoin transaction is a good example.
Simplify nonce generation. We only provide a method where the user can supply a session id, secret and joint public key, and we give them an RNG they can derive nonces from.
I removed optional arguments to force the user to focus on generating a session id that gives security guarantees, rather than hoping that combinations of message and public keys etc. make it unique.
Also `Frost` and `MuSig` now have their own uniquely tagged nonce generator so there can be full domain separation between multisigs and single sigs with the same `Schnorr` instance.
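The design described in the reply and in the PR description above (one RNG per session, as many nonces from it as the session needs, a separate tag per scheme), as an added example in Python that is not secp256kfun code: the tag strings, the tagged-hash plus HMAC-SHA256 derivation, the function names and the constructed keys are all assumptions. It also shows the failure mode the session id rule guards against: constructing the RNG twice with the same session id reproduces the stream, and signing two different challenges with one nonce recovers the secret share.

```python
"""Session-id-keyed nonce RNG with per-scheme domain separation.

Added example, not secp256kfun code: the tag strings, the HMAC-SHA256
derivation and the function names are illustrative assumptions.
"""
import hashlib
import hmac

# Order of the secp256k1 group; secrets and nonces are scalars mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def tagged_hash(tag: bytes, data: bytes) -> bytes:
    """BIP-340 style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag).digest()
    return hashlib.sha256(t + t + data).digest()


def _len_prefixed(*parts: bytes) -> bytes:
    """Unambiguous concatenation of variable-length inputs (4-byte length prefixes)."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


class NonceRng:
    """Deterministic nonce stream keyed by (scheme tag, secret, joint key, session id).

    Each next_nonce() call yields a fresh scalar for the *same* session, so one
    RNG can sign every input of a transaction. Building it twice with the same
    inputs reproduces the stream, which is why a session id must never be
    reused for a second signing attempt.
    """

    def __init__(self, scheme_tag: bytes, secret: int, joint_pubkey: bytes, session_id: bytes) -> None:
        seed = _len_prefixed(secret.to_bytes(32, "big"), joint_pubkey, session_id)
        self._key = tagged_hash(scheme_tag, seed)
        self._counter = 0

    def next_nonce(self) -> int:
        while True:
            block = hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self._counter += 1
            k = int.from_bytes(block, "big") % N
            if k != 0:  # probability ~2^-256, but a zero nonce is never acceptable
                return k


# Distinct tags give FROST and MuSig separate nonce domains even when the
# secret, joint key and session id coincide (assumed tag strings).
FROST_TAG = b"example/frost/nonce"
MUSIG_TAG = b"example/musig/nonce"


def session_nonces(scheme_tag: bytes, secret: int, joint_pubkey: bytes, session_id: bytes, count: int) -> list:
    """Draw `count` nonces for one session, e.g. one per transaction input."""
    rng = NonceRng(scheme_tag, secret, joint_pubkey, session_id)
    return [rng.next_nonce() for _ in range(count)]


def schnorr_s(secret: int, nonce: int, challenge: int) -> int:
    """Scalar part of a Schnorr signature, s = k + e*x mod N (R and the hash for e omitted)."""
    return (nonce + challenge * secret) % N


def recover_secret(s1: int, e1: int, s2: int, e2: int) -> int:
    """Two signatures sharing a nonce with different challenges leak x = (s1 - s2) / (e1 - e2)."""
    return ((s1 - s2) * pow((e1 - e2) % N, -1, N)) % N


# Constructed inputs: not real keys.
SECRET_SHARE = int.from_bytes(hashlib.sha256(b"constructed secret share").digest(), "big") % N
JOINT_PUBKEY = hashlib.sha256(b"constructed joint public key").digest()

if __name__ == "__main__":
    sid = b"signing-ominous-message-about-banks-attempt-1"
    # One session, three inputs to sign: three distinct nonces from one RNG.
    for_inputs = session_nonces(FROST_TAG, SECRET_SHARE, JOINT_PUBKEY, sid, 3)
    assert len(set(for_inputs)) == 3
    # A second "attempt" with the same session id replays the stream, so a
    # different message gets signed with the same nonce.
    repeat = session_nonces(FROST_TAG, SECRET_SHARE, JOINT_PUBKEY, sid, 1)[0]
    e1, e2 = 12345, 67890  # stand-ins for the two challenge hashes
    s1 = schnorr_s(SECRET_SHARE, for_inputs[0], e1)
    s2 = schnorr_s(SECRET_SHARE, repeat, e2)
    assert recover_secret(s1, e1, s2, e2) == SECRET_SHARE
    print("same session id twice => nonce reuse => secret share recovered")
```

Feeding the secret share into the derivation is what makes the stream unpredictable to other parties; the session id alone is what makes it unique across attempts, so it, not the message or the key set, is the thing the caller has to get right.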