siv2r / bip-frost-signing

A BIP draft for BIP340-compatible FROST threshold signing protocol
12 stars 3 forks source link

FROST signing for BIP340-compatible Threshold Signatures (BIP draft)

Abstract

This document proposes a standard for the Flexible Round-Optimized Schnorr Threshold (FROST) signing protocol. The standard is compatible with BIP340 public keys and signatures. It supports tweaking, which allows deriving BIP32 child keys from the group public key and creating BIP341 Taproot outputs with key and script paths.

Copyright

This document is licensed under the 3-clause BSD license.

Introduction

This document proposes the FROST signing protocol based on the FROST3 variant (see section 2.3) introduced in ROAST[RRJSS22], instead of the original FROST[KG20]. Key generation for FROST signing is out of scope for this document. However, we specify the requirements that a key generation method must satisfy to be compatible with this signing protocol.

Many sections of this document have been directly copied or modified from BIP327 due to the similarities between the FROST3 and MuSig2 signature schemes.

Motivation

The FROST signature scheme [KG20,CKM21,BTZ21,CGRS23] enables t-of-n Schnorr threshold signatures, in which a threshold t of some set of n signers is required to produce a signature. FROST remains unforgeable as long as at most t-1 signers are compromised, and remains functional as long as t honest signers do not lose their secret key material. It supports any choice of t as long as 1 ≤ t ≤ n.[^t-edge-cases]

The primary motivation is to create a standard that allows users of different software projects to jointly control Taproot outputs (BIP341). Such an output contains a public key which, in this case, would be the group public key derived from the public shares of threshold signers. It can be spent using FROST to produce a signature for the key-based spending path.

The on-chain footprint of a FROST Taproot output is essentially a single BIP340 public key, and a transaction spending the output only requires a single signature cooperatively produced by threshold signers. This is more compact and has lower verification cost than signers providing n individual public keys and t signatures, as would be required by an t-of-n policy implemented using OP_CHECKSIGADD as introduced in (BIP342). As a side effect, the numbers t and n of signers are not limited by any consensus rules when using FROST.

Moreover, FROST offers a higher level of privacy than OP_CHECKSIGADD: FROST Taproot outputs are indistinguishable for a blockchain observer from regular, single-signer Taproot outputs even though they are actually controlled by multiple signers. By tweaking a group public key, the shared Taproot output can have script spending paths that are hidden unless used.

There are threshold-signature schemes other than FROST that are fully compatible with Schnorr signatures. The FROST variant proposed below stands out by combining all the following features:

Design

Overview

Implementers must make sure to understand this section thoroughly to avoid subtle mistakes that may lead to catastrophic failure.

Optionality of Features

The goal of this proposal is to support a wide range of possible application scenarios. Given a specific application scenario, some features may be unnecessary or not desirable, and implementers can choose not to support them. Such optional features include:

Key Generation

We distinguish between two public key types, namely plain public keys, the key type traditionally used in Bitcoin, and X-only public keys. Plain public keys are byte strings of length 33 (often called compressed format). In contrast, X-only public keys are 32-byte strings defined in BIP340.

FROST generates signatures that are verifiable as if produced by a single signer using a secret key s with the corresponding public key. As a threshold signing protocol, the group secret key s is shared among all _MAXPARTICIPANTS participants using Shamir's secret sharing, and at least _MINPARTICIPANTS participants must collaborate to issue a valid signature.
  _MINPARTICIPANTS is a positive non-zero integer lesser than or equal to _MAXPARTICIPANTS
  _MAXPARTICIPANTS MUST be a positive integer lesser than the secp256k1 curve order.

In particular, FROST signing assumes each participant is configured with the following information:

[!NOTE] The definitions for the secp256k1 curve and its order can be found in the Notation section.

As key generation for FROST signing is beyond the scope of this document, we do not specify how this information is configured and distributed to the participants. Generally, there are two possible key generation mechanisms: one involves a single, trusted dealer (see Appendix D of FROST RFC draft), and the other requires performing a distributed key generation protocol (see BIP FROST DKG draft).

For a key generation mechanism to be compatible with FROST signing, the participant information it generates MUST successfully pass both the ValidateGroupPubkey and ValidatePubshares functions (see Key Generation Compatibility).

[!IMPORTANT] It should be noted that while passing these functions ensures functional compatibility, it does not guarantee the security of the key generation mechanism.

General Signing Flow

FROST signing is designed to be executed by a predetermined number of signer participants, referred to as _NUMPARTICIPANTS. This value is a positive non-zero integer that MUST be at least _MINPARTICIPANTS and MUST NOT exceed _MAXPARTICIPANTS. Therefore, the selection of signing participants from the participant group must be performed outside the signing protocol, prior to its initiation.

Whenever the signing participants want to sign a message, the basic order of operations to create a threshold-signature is as follows:

First broadcast round: The signers start the signing session by running NonceGen to compute secnonce and pubnonce.[^nonce-serialization-detail] Then, the signers broadcast their pubnonce to each other and run NonceAgg to compute an aggregate nonce.

Second broadcast round: At this point, every signer has the required data to sign, which, in the algorithms specified below, is stored in a data structure called Session Context. Every signer computes a partial signature by running Sign with the participant identifier, the secret share, the secnonce and the session context. Then, the signers broadcast their partial signatures to each other and run PartialSigAgg to obtain the final signature. If all signers behaved honestly, the result passes BIP340 verification.

Both broadcast rounds can be optimized by using an aggregator who collects all signers' nonces or partial signatures, aggregates them using NonceAgg or PartialSigAgg, respectively, and broadcasts the aggregate result back to the signers. A malicious aggregator can force the signing session to fail to produce a valid Schnorr signature but cannot negatively affect the unforgeability of the scheme, i.e., even a malicious aggregator colluding with all but one signer cannot forge a signature.

[!IMPORTANT] The Sign algorithm must not be executed twice with the same secnonce. Otherwise, it is possible to extract the secret signing key from the two partial signatures output by the two executions of Sign. To avoid accidental reuse of secnonce, an implementation may securely erase the secnonce argument by overwriting it with 64 zero bytes after it has been read by Sign. A secnonce consisting of only zero bytes is invalid for Sign and will cause it to fail.

To simplify the specification of the algorithms, some intermediary values are unnecessarily recomputed from scratch, e.g., when executing GetSessionValues multiple times. Actual implementations can cache these values. As a result, the Session Context may look very different in implementations or may not exist at all. However, computation of GetSessionValues and storage of the result must be protected against modification from an untrusted third party. This party would have complete control over the aggregate public key and message to be signed.

Nonce Generation

[!IMPORTANT] NonceGen must have access to a high-quality random generator to draw an unbiased, uniformly random value rand'. In contrast to BIP340 signing, the values k1 and k2 must not be derived deterministically from the session parameters because deriving nonces deterministically allows for a complete key-recovery attack in multi-party discrete logarithm-based signatures.

The optional arguments to NonceGen enable a defense-in-depth mechanism that may prevent secret share exposure if rand' is accidentally not drawn uniformly at random. If the value rand' was identical in two NonceGen invocations, but any other argument was different, the secnonce would still be guaranteed to be different as well (with overwhelming probability), and thus accidentally using the same secnonce for Sign in both sessions would be avoided. Therefore, it is recommended to provide the optional arguments secshare, pubshare, _grouppk, and m if these session parameters are already determined during nonce generation. The auxiliary input _extrain can contain additional contextual data that has a chance of changing between NonceGen runs, e.g., a supposedly unique session id (taken from the application), a session counter wide enough not to repeat in practice, any nonces by other signers (if already known), or the serialization of a data structure containing multiple of the above. However, the protection provided by the optional arguments should only be viewed as a last resort. In most conceivable scenarios, the assumption that the arguments are different between two executions of NonceGen is relatively strong, particularly when facing an active adversary.

In some applications, it is beneficial to generate and send a pubnonce before the other signers, their pubshare, or the message to sign is known. In this case, only the available arguments are provided to the NonceGen algorithm. After this preprocessing phase, the Sign algorithm can be run immediately when the message and set of signers is determined. This way, the final signature is created quicker and with fewer round trips. However, applications that use this method presumably store the nonces for a longer time and must therefore be even more careful not to reuse them. Moreover, this method is not compatible with the defense-in-depth mechanism described in the previous paragraph.

Instead of every signer broadcasting their pubnonce to every other signer, the signers can send their pubnonce to a single aggregator node that runs NonceAgg and sends the aggnonce back to the signers. This technique reduces the overall communication. A malicious aggregator can force the signing session to fail to produce a valid Schnorr signature but cannot negatively affect the unforgeability of the scheme.

In general, FROST signers are stateful in the sense that they first generate secnonce and then need to store it until they receive the other signers' pubnonces or the aggnonce. However, it is possible for one of the signers to be stateless. This signer waits until it receives the pubnonce of all the other signers and until session parameters such as a message to sign, participant identifiers, participant public shares, and tweaks are determined. Then, the signer can run NonceGen, NonceAgg and Sign in sequence and send out its pubnonce along with its partial signature. Stateless signers may want to consider signing deterministically (see Modifications to Nonce Generation) to remove the reliance on the random number generator in the NonceGen algorithm.

Identifying Disruptive Signers

The signing protocol makes it possible to identify malicious signers who send invalid contributions to a signing session in order to make the signing session abort and prevent the honest signers from obtaining a valid signature. This property is called "identifiable aborts" and ensures that honest parties can assign blame to malicious signers who cause an abort in the signing protocol.

Aborts are identifiable for an honest party if the following conditions hold in a signing session:

If these conditions hold and an honest party (signer or aggregator) runs an algorithm that fails due to invalid protocol contributions from malicious signers, then the algorithm run by the honest party will output the participant identifier of exactly one malicious signer. Additionally, if the honest parties agree on the contributions sent by all signers in the signing session, all the honest parties who run the aborting algorithm will identify the same malicious signer.

Further Remarks

Some of the algorithms specified below may also assign blame to a malicious aggregator. While this is possible for some particular misbehavior of the aggregator, it is not guaranteed that a malicious aggregator can be identified. More specifically, a malicious aggregator (whose existence violates the second condition above) can always make signing abort and wrongly hold honest signers accountable for the abort (e.g., by claiming to have received an invalid contribution from a particular honest signer).

The only purpose of the algorithm PartialSigVerify is to ensure identifiable aborts, and it is not necessary to use it when identifiable aborts are not desired. In particular, partial signatures are not signatures. An adversary can forge a partial signature, i.e., create a partial signature without knowing the secret share for that particular participant public share.[^partialsig-forgery] However, if PartialSigVerify succeeds for all partial signatures then PartialSigAgg will return a valid Schnorr signature.

Tweaking the Group Public Key

The group public key can be tweaked, which modifies the key as defined in the Tweaking Definition subsection. In order to apply a tweak, the Tweak Context output by TweakCtxInit is provided to the ApplyTweak algorithm with the _is_xonlyt argument set to false for plain tweaking and true for X-only tweaking. The resulting Tweak Context can be used to apply another tweak with ApplyTweak or obtain the group public key with GetXonlyPubkey or GetPlainPubkey.

The purpose of supporting tweaking is to ensure compatibility with existing uses of tweaking, i.e., that the result of signing is a valid signature for the tweaked public key. The FROST signing algorithms take arbitrary tweaks as input but accepting arbitrary tweaks may negatively affect the security of the scheme.[^arbitrary-tweaks] Instead, signers should obtain the tweaks according to other specifications. This typically involves deriving the tweaks from a hash of the aggregate public key and some other information. Depending on the specific scheme that is used for tweaking, either the plain or the X-only aggregate public key is required. For example, to do BIP32 derivation, you call GetPlainPubkey to be able to compute the tweak, whereas BIP341 TapTweaks require X-only public keys that are obtained with GetXonlyPubkey.

The tweak mode provided to ApplyTweak depends on the application: Plain tweaking can be used to derive child public keys from an aggregate public key using BIP32. On the other hand, X-only tweaking is required for Taproot tweaking per BIP341. A Taproot-tweaked public key commits to a script path, allowing users to create transaction outputs that are spendable either with a FROST threshold-signature or by providing inputs that satisfy the script path. Script path spends require a control block that contains a parity bit for the tweaked X-only public key. The bit can be obtained with _GetPlainPubkey(tweakctx)[0] & 1.

Algorithms

The following specification of the algorithms has been written with a focus on clarity. As a result, the specified algorithms are not always optimal in terms of computation and space. In particular, some values are recomputed but can be cached in actual implementations (see General Signing Flow).

Notation

The following conventions are used, with constants as defined for secp256k1. We note that adapting this proposal to other elliptic curves is not straightforward and can result in an insecure scheme.

Key Generation Compatibility

Internal Algorithm PlainPubkeyGen(sk):[^pubkey-gen-ecdsa]

Algorithm ValidatePubshares(secshare1..u, pubshare1..u)

Algorithm _ValidateGroupPubkey(threshold, grouppk, id1..u, pubshare1..u):

Key Derivation and Tweaking

Tweak Context

The Tweak Context is a data structure consisting of the following elements:

We write "Let _(Q, gacc, tacc) = tweakctx" to assign names to the elements of a Tweak Context.

Algorithm TweakCtxInit(id1..u, pubshare1..u):

Algorithm DeriveGroupPubkey(id1..u, pubshare1..u)

Internal Algorithm _DeriveInterpolatingValue(id1..u, myid):

Internal Algorithm _DeriveInterpolatingValueInternal(id1..u, myid):

Algorithm _GetXonlyPubkey(tweakctx):

Algorithm _GetPlainPubkey(tweakctx):

Applying Tweaks

Algorithm _ApplyTweak(tweak_ctx, tweak, is_xonlyt):

Nonce Generation

Algorithm _NonceGen(secshare, pubshare, group_pk, m, extrain):

Nonce Aggregation

Algorithm NonceAgg(pubnonce1..u, id1..u):

Session Context

The Session Context is a data structure consisting of the following elements:

We write "Let _(u, id1..u, pubshare1..u, aggnonce, v, tweak1..v, is_xonly_t1..v, m) = sessionctx" to assign names to the elements of a Session Context.

Algorithm _GetSessionValues(sessionctx):

Algorithm _GetSessionInterpolatingValue(session_ctx, myid):

Algorithm _SessionHasSignerPubshare(session_ctx, signerpubshare):

Signing

Algorithm _Sign(secnonce, secshare, my_id, sessionctx):

Partial Signature Verification

Algorithm _PartialSigVerify(psig, id1..u, pubnonce1..u, pubshare1..u, tweak1..v, is_xonlyt1..v, m, i):

Internal Algorithm _PartialSigVerifyInternal(psig, my_id, pubnonce, pubshare, sessionctx):

Partial Signature Aggregation

Algorithm _PartialSigAgg(psig1..u, id1..u, sessionctx):

Test Vectors & Reference Code

We provide a naive, highly inefficient, and non-constant time pure Python 3 reference implementation of the group public key tweaking, nonce generation, partial signing, and partial signature verification algorithms.

Standalone JSON test vectors are also available in the same directory, to facilitate porting the test vectors into other implementations.

[!CAUTION] The reference implementation is for demonstration purposes only and not to be used in production environments.

Remarks on Security and Correctness

Modifications to Nonce Generation

Implementers must avoid modifying the NonceGen algorithm without being fully aware of the implications. We provide two modifications to NonceGen that are secure when applied correctly and may be useful in special circumstances, summarized in the following table.

needs secure randomness needs secure counter needs to keep state securely needs aggregate nonce of all other signers (only possible for one signer)
NonceGen
CounterNonceGen
DeterministicSign

First, on systems where obtaining uniformly random values is much harder than maintaining a global atomic counter, it can be beneficial to modify NonceGen. The resulting algorithm CounterNonceGen does not draw rand' uniformly at random but instead sets rand' to the value of an atomic counter that is incremented whenever it is read. With this modification, the secret share secshare of the signer generating the nonce is not an optional argument and must be provided to NonceGen. The security of the resulting scheme then depends on the requirement that reading the counter must never yield the same counter value in two NonceGen invocations with the same secshare.

Second, if there is a unique signer who is supposed to send the pubnonce last, it is possible to modify nonce generation for this single signer to not require high-quality randomness. Such a nonce generation algorithm DeterministicSign is specified below. Note that the only optional argument is rand, which can be omitted if randomness is entirely unavailable. DeterministicSign requires the argument aggothernonce which should be set to the output of NonceAgg run on the pubnonce value of all other signers (but can be provided by an untrusted party). Hence, using DeterministicSign is only possible for the last signer to generate a nonce and makes the signer stateless, similar to the stateless signer described in the Nonce Generation section.

Deterministic and Stateless Signing for a Single Signer

Algorithm _DeterministicSign(secshare, my_id, aggothernonce, id1..u, pubshare1..u, tweak1..v, is_xonlyt1..v, m, rand):

Tweaking Definition

Two modes of tweaking the group public key are supported. They correspond to the following algorithms:

Algorithm ApplyPlainTweak(P, t):

Algorithm ApplyXonlyTweak(P, t):

Negation of the Secret Share when Signing

During the signing process, the Sign algorithm might have to negate the secret share in order to produce a partial signature for an X-only group public key. This public key is derived from u public shares and u participant identifiers (denoted by the signer set U) and then tweaked v times (X-only or plain).

The following elliptic curve points arise as intermediate steps when creating a signature:
Pi as computed in any compatible key generation method is the point corresponding to the i-th signer's public share. Defining di' to be the i-th signer's secret share as an integer, i.e., the d’ value as computed in the Sign algorithm of the i-th signer, we have:
  Pi = di'⋅G
Q0 is the group public key derived from the signer’s public shares. It is identical to the value Q computed in DeriveGroupPubkey and therefore defined as:
  Q0 = λ1, U⋅P1 + λ2, U⋅P2 + ... + λu, U⋅Pu
Qi is the tweaked group public key after the i-th execution of ApplyTweak for 1 ≤ i ≤ v. It holds that
  Qi = f(i-1) + ti⋅G for i = 1, ..., v where
    f(i-1) := with_even_y(Qi-1) if is_xonly_ti and
    f(i-1) := Qi-1 otherwise.
with_even_y(Qv) is the final result of the group public key derivation and tweaking operations. It corresponds to the output of GetXonlyPubkey applied on the final Tweak Context.

The signer's goal is to produce a partial signature corresponding to the final result of group pubkey derivation and tweaking, i.e., the X-only public key with_even_y(Qv).

For 1 ≤ i ≤ v, we denote the value g computed in the i-th execution of ApplyTweak by gi-1. Therefore, gi-1 is -1 mod n if and only if _is_xonlyti is true and Qi-1 has an odd Y coordinate. In other words, gi-1 indicates whether Qi-1 needed to be negated to apply an X-only tweak:
  f(i-1) = gi-1⋅Qi-1 for 1 ≤ i ≤ v.
Furthermore, the Sign and PartialSigVerify algorithms set value g depending on whether Qv needed to be negated to produce the (X-only) final output. For consistency, this value g is referred to as gv in this section.
  _with_eveny(Qv) = gv⋅Qv.

So, the (X-only) final public key is
  _with_eveny(Qv)
    = gv⋅Qv
    = gv⋅(f(v-1) + tv⋅G)
    = gv⋅(gv-1⋅(f(v-2) + tv-1⋅G) + tv⋅G)
    = gv⋅gv-1⋅f(v-2) + gv⋅(tv + gv-1⋅tv-1)⋅G
    = gv⋅gv-1⋅f(v-2) + (sumi=v-1..v ti⋅prodj=i..v gj)⋅G
    = gv⋅gv-1⋅...⋅g1⋅f(0) + (sumi=1..v ti⋅prodj=i..v gj)⋅G
    = gv⋅...⋅g0⋅Q0 + gv⋅taccv⋅G
  where tacci is computed by TweakCtxInit and ApplyTweak as follows:
    tacc0 = 0
    tacci = ti + gi-1⋅tacci-1 for i=1..v mod n
  for which it holds that gv⋅taccv = sumi=1..v ti⋅prodj=i..v gj.

TweakCtxInit and ApplyTweak compute
  gacc0 = 1
  gacci = gi-1⋅gacci-1 for i=1..v mod n
So we can rewrite above equation for the final public key as
  _with_eveny(Qv) = gv⋅gaccv⋅Q0 + gv⋅taccv⋅G.

Then we have
  _with_eveny(Qv) - gv⋅taccv⋅G
    = gv⋅gaccv⋅Q0
    = gv⋅gaccv⋅(λ1, U⋅P1 + ... + λu, U⋅Pu)
    = gv⋅gaccv⋅(λ1, U⋅d1'⋅G + ... + λu, U⋅du'⋅G)
    = sumi=1..u(gv⋅gaccv⋅λi, U⋅di')*G.

Intuitively, gacci tracks accumulated sign flipping and tacci tracks the accumulated tweak value after applying the first i individual tweaks. Additionally, gv indicates whether Qv needed to be negated to produce the final X-only result. Thus, signer i multiplies its secret share di' with gv⋅gaccv in the Sign algorithm.

Negation of the Pubshare when Partially Verifying

As explained in Negation Of The Secret Share When Signing the signer uses a possibly negated secret share
  d = gv⋅gaccv⋅d' mod n
when producing a partial signature to ensure that the aggregate signature will correspond to a group public key with even Y coordinate.

The PartialSigVerifyInternal algorithm is supposed to check
  s⋅G = Re + e⋅λ⋅d⋅G.

The verifier doesn't have access to d⋅G but can construct it using the participant public share pubshare as follows:
d⋅G
  = gv⋅gaccv⋅d'⋅G
  = gv⋅gaccv⋅cpoint(pubshare)

Note that the group public key and list of tweaks are inputs to partial signature verification, so the verifier can also construct gv and gaccv.

Dealing with Infinity in Nonce Aggregation

If the nonce aggregator provides aggnonce = bytes(33,0) || bytes(33,0), either the nonce aggregator is dishonest or there is at least one dishonest signer (except with negligible probability). If signing aborted in this case, it would be impossible to determine who is dishonest. Therefore, signing continues so that the culprit is revealed when collecting and verifying partial signatures.

However, the final nonce R of a BIP340 Schnorr signature cannot be the point at infinity. If we would nonetheless allow the final nonce to be the point at infinity, then the scheme would lose the following property: if PartialSigVerify succeeds for all partial signatures, then PartialSigAgg will return a valid Schnorr signature. Since this is a valuable feature, we modify FROST3 (which is defined in the section 2.3 of the ROAST paper) to avoid producing an invalid Schnorr signature while still allowing detection of the dishonest signer: In GetSessionValues, if the final nonce R would be the point at infinity, set it to the generator instead (an arbitrary choice).

This modification to GetSessionValues does not affect the unforgeability of the scheme. Given a successful adversary against the unforgeability game (EUF-CMA) for the modified scheme, a reduction can win the unforgeability game for the original scheme by simulating the modification towards the adversary: When the adversary provides aggnonce' = bytes(33, 0) || bytes(33, 0), the reduction sets _aggnonce = cbytesext(G) || bytes(33, 0). For any other aggnonce', the reduction sets aggnonce = aggnonce'. (The case that the adversary provides an aggnonce' ≠ bytes(33, 0) || bytes(33, 0) but nevertheless R' in GetSessionValues is the point at infinity happens only with negligible probability.)

Backwards Compatibility

This document proposes a standard for the FROST threshold signature scheme that is compatible with BIP340. FROST is not compatible with ECDSA signatures traditionally used in Bitcoin.

[^t-edge-cases]: While t = n and t = 1 are in principle supported, simpler alternatives are available in these cases. In the case t = n, using a dedicated n-of-n multi-signature scheme such as MuSig2 (see BIP327) instead of FROST avoids the need for an interactive DKG. The case t = 1 can be realized by letting one signer generate an ordinary BIP340 key pair and transmitting the key pair to every other signer, who can check its consistency and then simply use the ordinary BIP340 signing algorithm. Signers still need to ensure that they agree on a key pair. A detailed specification for this key sharing protocol is not in the scope of this document.

[^nonce-serialization-detail]: We treat the secnonce and pubnonce as grammatically singular even though they include serializations of two scalars and two elliptic curve points, respectively. This treatment may be confusing for readers familiar with the MuSig2 paper. However, serialization is a technical detail that is irrelevant for users of MuSig2 interfaces.

[^pubkey-gen-ecdsa]: The PlainPubkeyGen algorithm matches the key generation procedure traditionally used for ECDSA in Bitcoin

[^itertools-combinations]: This line represents a loop over every possible combination of t elements sourced from the int_ids array. This operation is equivalent to invoking the itertools.combinations(int_ids, t) function call in Python.

[^calc-signer-pubshares]: This _signerpubshare1..t list can be computed from the input pubshare1..u list.
Method 1 - use itertools.combinations(zip(int_ids, pubshares), t)
Method 2 - For i = 1..t : signer_pubsharei = pubsharesigner_idi

[^arbitrary-tweaks]: It is an open question whether allowing arbitrary tweaks from an adversary affects the unforgeability of FROST.

[^partialsig-forgery]: Assume a malicious participant intends to forge a partial signature for the participant with public share P. It participates in the signing session pretending to be two distinct signers: one with the public share P and the other with its own public share. The adversary then sets the nonce for the second signer in such a way that allows it to generate a partial signature for P. As a side effect, it cannot generate a valid partial signature for its own public share. An explanation of the steps required to create a partial signature forgery can be found in this document.

[^liftx-soln]: Given a candidate X coordinate x in the range 0..p-1, there exist either exactly two or exactly zero valid Y coordinates. If no valid Y coordinate exists, then x is not a valid X coordinate either, i.e., no point P exists for which x(P) = x. The valid Y coordinates for a given candidate x are the square roots of c = x3 + 7 mod p and they can be computed as y = ±c(p+1)/4 mod p (see Quadratic residue) if they exist, which can be checked by squaring and comparing with c.

[^max-msg-len]: In theory, the allowed message size is restricted because SHA256 accepts byte strings only up to size of 2^61-1 bytes (and because of the 8-byte length encoding).

[^sk-xor-rand]: The random data is hashed (with a unique tag) as a precaution against situations where the randomness may be correlated with the secret signing key itself. It is xored with the secret key (rather than combined with it in a hash) to reduce the number of operations exposed to the actual secret key.

[^secnonce-ser]: The algorithms as specified here assume that the secnonce is stored as a 64-byte array using the serialization secnonce = bytes(32, k1) || bytes(32, k2). The same format is used in the reference implementation and in the test vectors. However, since the secnonce is (obviously) not meant to be sent over the wire, compatibility between implementations is not a concern, and this method of storing the secnonce is merely a suggestion.
The secnonce is effectively a local data structure of the signer which comprises the value triple (k1, k2), and implementations may choose any suitable method to carry it from NonceGen (first communication round) to Sign (second communication round). In particular, implementations may choose to hide the secnonce in internal state without exposing it in an API explicitly, e.g., in an effort to prevent callers from reusing a secnonce accidentally.

[^why-verify-partialsig]: Verifying the signature before leaving the signer prevents random or adversarially provoked computation errors. This prevents publishing invalid signatures which may leak information about the secret key. It is recommended but can be omitted if the computation cost is prohibitive.

[^lambda-cant-fail]: _GetSessionInterpolatingValue(session_ctx, myid) cannot fail when called from PartialSigVerifyInternal.