w3f / schnorrkel

Schnorr VRFs and signatures on the Ristretto group
BSD 3-Clause "New" or "Revised" License
315 stars 94 forks source link

What Is The Signing Context For? #79

Closed AtropineTears closed 2 years ago

AtropineTears commented 2 years ago

Hello,

I am trying to use schnorr signatures and know that to sign you need a nonce. I know you cannot use the same nonce twice.

My question is that with schnorr signatures, is the signing context made into the nonce. In other words, how do I sign a message by using the signing context if I do not want anything in the signing context? Can I use a static value for the signing context and safely make more signatures with the same signing context?

Sorry if this is a naive question or confusing.

Thank you

burdges commented 2 years ago

A signing context is static yes. It exists for domain separation, which works via merlin labels, but merlin stupidly uses only &'static [u8] labels, which causes some headaches with external signers, etc.

If you're working with existing systems, then you'll maybe be forced into specific contexts, like b"substsrate" or whatever, and may still need more domain separation. If you're doing you own thing then just make up a relevant [u8] for yourself.

We handle nonces internally here, but some protocols require system randomness, while others survive derandomized. We'll replace the musig stuff, which should be the only one requiring system randomness.

As for what likely confused you..

We extract nonces from our merlin transcript so that everything gets hashed. If the context was excluded somehow, then someone could trick a users with a derandomized or rewindable signing device into signing the same message with two different contexts, and leaking their secret key.

Yes, I'm perhaps let the trait forest grow overly complex there. I was obeying the advise of the dalek and merlin devs, which maybe a bit too abstraction heavy.

AtropineTears commented 2 years ago

Okay thank you for the detailed response. Much appreciated.

AtropineTears commented 2 years ago

So just to be clear, if I use some static signing context, like 'b"Project 1"'

It is fine to sign multiple messages with it without changing the signing context or should I use a rng to get a different context everytime. I only want it to sign messages and do not want the private key to be leaked.

burdges commented 2 years ago

Yes exactly, but if you're working with an existing project then they've already chosen this [u8] for you.