w3f / schnorrkel

Schnorr VRFs and signatures on the Ristretto group
BSD 3-Clause "New" or "Revised" License
309 stars 93 forks

What Is The Signing Context For? #79

Closed AtropineTears closed 2 years ago

AtropineTears commented 2 years ago

Hello,

I am trying to use schnorr signatures and know that to sign you need a nonce. I know you cannot use the same nonce twice.

My question is: with Schnorr signatures, is the signing context made into the nonce? In other words, how do I sign a message using the signing context if I do not want anything in the signing context? Can I use a static value for the signing context and safely make more signatures with the same signing context?

Sorry if this is a naive question or confusing.

Thank you

burdges commented 2 years ago

A signing context is static, yes. It exists for domain separation, which works via merlin labels, but merlin stupidly uses only &'static [u8] labels, which causes some headaches with external signers, etc.

If you're working with existing systems, then you'll maybe be forced into specific contexts, like b"substrate" or whatever, and may still need more domain separation. If you're doing your own thing then just make up a relevant [u8] for yourself.

We handle nonces internally here, but some protocols require system randomness, while others survive derandomized. We'll replace the musig stuff, which should be the only one requiring system randomness.

As for what likely confused you...

We extract nonces from our merlin transcript so that everything gets hashed. If the context was excluded somehow, then someone could trick a user with a derandomized or rewindable signing device into signing the same message with two different contexts, leaking their secret key.

Yes, I've perhaps let the trait forest grow overly complex there. I was obeying the advice of the dalek and merlin devs, which may be a bit too abstraction-heavy.
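A constructed illustration of the point made above, added here and not code from schnorrkel or from either commenter: a toy derandomized Schnorr scheme over the ed25519 curve (plain affine twisted Edwards arithmetic, not Ristretto, and not schnorrkel's wire format) whose nonce is hashed from the secret key, the context and the message, beside a flawed variant that leaves the context out of the nonce derivation. All names here (`_absorb`, `derive_nonce`, `nonce_reused`, and the rest) are this example's own. Signing many messages under one static context yields a fresh nonce each time and re-signing the same input reproduces the same signature, while the flawed variant gives two contexts the same R for one message, which is exactly the nonce-reuse condition that exposes the key, and verification alone does not notice it.

```python
"""Toy derandomized Schnorr over the ed25519 curve (constructed example).

Shows why a transcript-derived nonce must absorb the signing context:
binding (secret key, context, message) keeps one static context safe to
reuse across messages, while dropping the context reuses the nonce whenever
the same message is signed under two contexts.
"""
import hashlib

PRIME = 2**255 - 19                                      # field of curve25519 / ed25519
L = 2**252 + 27742317777372353535851937790883648493      # prime order of the base point
D = (-121665 * pow(121666, PRIME - 2, PRIME)) % PRIME    # twisted Edwards curve constant
BASE = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
        46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)


def _inv(x):
    return pow(x % PRIME, PRIME - 2, PRIME)


def point_add(P, Q):
    """Complete twisted Edwards addition (a = -1), valid for doubling too."""
    x1, y1 = P
    x2, y2 = Q
    t = D * x1 * x2 * y1 * y2 % PRIME
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + t) % PRIME
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - t) % PRIME
    return (x3, y3)


def point_mul(k, P):
    """Double-and-add scalar multiplication (not constant time; toy only)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def encode_point(P):
    return P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")


def _absorb(*fields):
    """Length-prefix each field so a transcript of several inputs is unambiguous
    (a stand-in for merlin's labelled transcript)."""
    return b"".join(len(f).to_bytes(4, "little") + f for f in fields)


def hash_to_scalar(data):
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L


def keypair_from_seed(seed):
    sk = hash_to_scalar(_absorb(b"secret", seed)) or 1
    return sk, point_mul(sk, BASE)


def derive_nonce(sk, ctx, msg, include_context=True):
    """Derandomized nonce. The safe variant binds the secret key, the context and
    the message; include_context=False reproduces the flaw discussed above."""
    fields = [b"nonce", sk.to_bytes(32, "little")]
    if include_context:
        fields.append(ctx)
    fields.append(msg)
    return hash_to_scalar(_absorb(*fields)) or 1


def challenge(ctx, R, pk, msg):
    """Fiat-Shamir challenge; the context is always part of it."""
    return hash_to_scalar(_absorb(b"challenge", ctx, encode_point(R), encode_point(pk), msg))


def sign(sk, ctx, msg, include_context=True):
    pk = point_mul(sk, BASE)
    k = derive_nonce(sk, ctx, msg, include_context)
    R = point_mul(k, BASE)
    e = challenge(ctx, R, pk, msg)
    s = (k + e * sk) % L
    return (R, s)


def verify(pk, ctx, msg, sig):
    R, s = sig
    e = challenge(ctx, R, pk, msg)
    return point_mul(s, BASE) == point_add(R, point_mul(e, pk))


def nonce_reused(sig_a, sig_b):
    """Two signatures sharing R (hence k) with different challenges leak the key;
    this is the check a reviewer of signing logs would run."""
    return sig_a[0] == sig_b[0]


if __name__ == "__main__":
    sk, pk = keypair_from_seed(b"constructed seed")      # constructed key material
    ctx = b"Project 1"                                   # one static context, reused
    s1 = sign(sk, ctx, b"first message")
    s2 = sign(sk, ctx, b"second message")
    print("static context, two messages verify:", verify(pk, ctx, b"first message", s1)
          and verify(pk, ctx, b"second message", s2), "nonce reused:", nonce_reused(s1, s2))
    bad_a = sign(sk, b"ctx-A", b"same message", include_context=False)
    bad_b = sign(sk, b"ctx-B", b"same message", include_context=False)
    print("context left out of nonce, two contexts, same message -> nonce reused:",
          nonce_reused(bad_a, bad_b))
```

The flawed signatures still verify under their own contexts, so a verifier cannot catch the problem; only the signer's nonce derivation (or a log check like `nonce_reused`) can. Real schnorrkel never exposes the `include_context=False` path: the context label is absorbed into the merlin transcript before the nonce is extracted.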

AtropineTears commented 2 years ago

Okay thank you for the detailed response. Much appreciated.

AtropineTears commented 2 years ago

So just to be clear, if I use some static signing context, like b"Project 1":

Is it fine to sign multiple messages with it without changing the signing context, or should I use an RNG to get a different context every time? I only want it to sign messages and do not want the private key to be leaked.

burdges commented 2 years ago

Yes exactly, but if you're working with an existing project then they've already chosen this [u8] for you.