LLFourn / secp256kfun

A pure-rust secp256k1 library optimised for fun
BSD Zero Clause License
100 stars 28 forks

[forst][musig] Clean up nonce generation #140

Closed LLFourn closed 1 year ago

LLFourn commented 1 year ago

Simplify nonce generation. We only provide a method where the user can supply a session id, secret, joint public key and we give them an RNG they can derive nonces from.

I removed optional arguments to force the user to focus on generating a session id that gives security guarantees and not hoping that combinations of message and public keys etc. make it unique.

Also Frost and MuSig now have their own uniquely tagged nonce generator, so there can be full domain separation between multisigs and single sigs with the same Schnorr instance.

nickfarrow commented 1 year ago

From an API perspective I think this is much clearer for the user, that "session_id must be different for every signing attempt"/signing session

Am I understanding correctly that for a deterministic nonce gen:

```rust
let session_id = b"signing-ominous-message-about-banks-attempt-1".as_slice();
let mut nonce_rng: ChaCha20Rng = frost.gen_nonce_rng(&frost_key, &my_secret_share, session_id);
let my_nonce = frost.gen_nonce(&mut nonce_rng);
```

we would only ever use nonce_rng once? But with a synthetic noncegen, we can safely reuse nonce_rng to create more nonces in following sessions?

LLFourn commented 1 year ago

> we would only ever use nonce_rng once? But with a synthetic noncegen, we can safely reuse nonce_rng to create more nonces in following sessions?

No, you can use the nonce rng to create as many nonces as you want for the session. You're right, we need to explicitly state this and give an example. A bitcoin transaction is a good example.
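The properties discussed in this thread (one RNG per session that can hand out many nonces, a session id that must never repeat, and a per-protocol tag separating FROST from MuSig nonces) can be checked concretely with a small model. The following is an added illustration written for this page; it is not secp256kfun's code. The tag strings, the BIP340-style tagged hash over length-prefixed fields, and the HMAC-SHA256 counter stream standing in for the library's `ChaCha20Rng` are all assumptions made for the example, as are the constructed key bytes and session ids.

```python
import hashlib
import hmac

# secp256k1 group order n; nonces are scalars in [1, n-1].
CURVE_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Hypothetical per-protocol tags (assumption, not the crate's actual tags).
FROST_TAG = b"example/frost/nonce"
MUSIG_TAG = b"example/musig/nonce"


class NonceRng:
    """Deterministic byte stream from a 32-byte seed.

    HMAC-SHA256 in counter mode is used as a stand-in for a seeded
    ChaCha20Rng: same seed, same stream; each call advances the counter.
    """

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def next_bytes(self) -> bytes:
        block = hmac.new(self.seed, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        self.counter += 1
        return block


def gen_nonce_rng(tag: bytes, joint_pubkey: bytes, secret: bytes,
                  session_id: bytes, aux_rand: bytes = b"") -> NonceRng:
    """Seed one RNG for one signing session.

    Every input that should change the nonce stream is hashed in with a
    length prefix so field boundaries cannot be confused. Passing fresh
    aux_rand gives a "synthetic" nonce; leaving it empty is fully
    deterministic, so the session_id alone must then make the stream unique.
    """
    h = hashlib.sha256()
    tag_hash = hashlib.sha256(tag).digest()
    h.update(tag_hash + tag_hash)  # BIP340-style domain-separated hash
    for field in (joint_pubkey, secret, session_id, aux_rand):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return NonceRng(h.digest())


def gen_nonce(rng: NonceRng) -> int:
    """Draw one nonce scalar from the session RNG (rejection sampled into [1, n-1])."""
    while True:
        k = int.from_bytes(rng.next_bytes(), "big")
        if 0 < k < CURVE_ORDER:
            return k


def nonces_for_session(tag: bytes, joint_pubkey: bytes, secret: bytes,
                       session_id: bytes, count: int, aux_rand: bytes = b"") -> list:
    """Model a session that needs `count` nonces (e.g. one per transaction input)."""
    rng = gen_nonce_rng(tag, joint_pubkey, secret, session_id, aux_rand)
    return [gen_nonce(rng) for _ in range(count)]


def session_id_reused(history: list, new_id: bytes) -> bool:
    """Defensive check a signer can run before starting a deterministic session:
    a repeated session_id with the same key material replays the same nonces."""
    return new_id in history


if __name__ == "__main__":
    # Constructed sample key material (not real keys).
    joint_pk = b"\x02" + b"\x11" * 32
    share = b"\x22" * 32
    first = nonces_for_session(FROST_TAG, joint_pk, share, b"attempt-1", 3)
    again = nonces_for_session(FROST_TAG, joint_pk, share, b"attempt-1", 3)
    print("three distinct nonces in one session:", len(set(first)) == 3)
    print("same session id replays the same nonces:", first == again)
    print("musig tag gives a different stream:",
          not set(first) & set(nonces_for_session(MUSIG_TAG, joint_pk, share, b"attempt-1", 3)))
```

The model makes the thread's two points visible: one `NonceRng` yields as many distinct nonces as the session needs, while a repeated `session_id` (with no `aux_rand`) replays the identical stream, which is why the deterministic path puts the burden of uniqueness squarely on the session id.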