musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg}

doc/musig-spec.mediawiki

@@ -27,6 +27,7 @@ This document is licensed under the 2-clause BSD license.
 * The KeyAgg coefficient is computed by hashing the key instead of key index. Otherwise, if the pubkey list gets sorted, the signer needs to translate between key indices pre- and post-sorting.
 * The second unique key in the pubkey list given to ''KeyAgg'' gets the constant KeyAgg coefficient 1 which saves an exponentiation (see the MuSig2* appendix in the [https://eprint.iacr.org/2020/1261 MuSig2 paper]).
 * The public key inputs are serialized using x-only (32 byte) instead of compressed (33 byte) serialization. The reason for this is that as x-only keys are becoming more common, the full key may not be available.
+* The public nonces are serialized in compressed format (33 bytes). We accept the small overhead compared to x-only serialization to avoid complicating the specification.
 
 === Specification ===
 
@@ -46,7 +47,7 @@ The following conventions are used, with constants as defined for [https://www.s
 ** The function ''bytes(x)'', where ''x'' is an integer, returns the 32-byte encoding of ''x'', most significant byte first.
 ** The function ''bytes(P)'', where ''P'' is a point, returns ''bytes(x(P))''.
 ** The function ''has_even_y(P)'', where ''P'' is a point for which ''not is_infinite(P)'', returns ''y(P) mod 2 = 0''.
-** The function ''cbytes(P)'', where ''P'' is a point, returns ''a || bytes(P)'' where ''a'' is ''2'' if ''has_even_y(P)'' and ''3'' otherwise.
+** The function ''cbytes(P)'', where ''P'' is a point, returns ''a || bytes(P)'' where ''a'' is a byte that is ''2'' if ''has_even_y(P)'' and ''3'' otherwise.
 ** The function ''int(x)'', where ''x'' is a 32-byte array, returns the 256-bit unsigned integer whose most significant byte first encoding is ''x''.
 ** The function ''lift_x(x)'', where ''x'' is an integer in range ''0..2<sup>256</sup>-1'', returns the point ''P'' for which ''x(P) = x''<ref>
     Given a candidate X coordinate ''x'' in the range ''0..p-1'', there exist either exactly two or exactly zero valid Y coordinates. If no valid Y coordinate exists, then ''x'' is not a valid X coordinate either, i.e., no point ''P'' exists for which ''x(P) = x''. The valid Y coordinates for a given candidate ''x'' are the square roots of ''c = x<sup>3</sup> + 7 mod p'' and they can be computed as ''y = &plusmn;c<sup>(p+1)/4</sup> mod p'' (see [https://en.wikipedia.org/wiki/Quadratic_residue#Prime_or_prime_power_modulus Quadratic residue]) if they exist, which can be checked by squaring and comparing with ''c''.</ref> and ''has_even_y(P)'', or fails if ''x'' is greater than ''p-1'' or no such point exists. The function ''lift_x(x)'' is equivalent to the following pseudocode:
@@ -56,6 +57,8 @@ The following conventions are used, with constants as defined for [https://www.s
 *** Fail if ''c &ne; y'<sup>2</sup> mod p''.
 *** Let ''y = y' '' if ''y' mod 2 = 0'', otherwise let ''y = p - y' ''.
 *** Return the unique point ''P'' such that ''x(P) = x'' and ''y(P) = y''.
+** The function ''point(x)'', where ''x'' is a 32-byte array ("x-only" serialization), returns ''lift_x(int(x))''. Fail if ''lift_x'' fails.
+** The function ''pointc(x)'', where ''x'' is a 33-byte array (compressed serialization), sets ''P = lift_x(int(x[1:33]))'' and fails if that fails. If ''x[0] = 2'' it returns ''P'' and if ''x[0] = 3'' it returns ''-P''. Otherwise, it fails.
 ** The function ''hash<sub>tag</sub>(x)'' where ''tag'' is a UTF-8 encoded tag name and ''x'' is a byte array returns the 32-byte hash ''SHA256(SHA256(tag) || SHA256(tag) || x)''.
 
 
@@ -75,12 +78,16 @@ Input:
 * The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays
 
 The algorithm ''KeyAgg(pk<sub>1..u</sub>)'' is defined as:
+* Let ''Q = KeyAggInternal(pk<sub>1..u</sub>)''; fail if that fails.
+* Return ''bytes(Q)''.
+
+The algorithm ''KeyAggInternal(pk<sub>1..u</sub>)'' is defined as:
 * For ''i = 1 .. u'':
 ** Let ''a<sub>i</sub> = KeyAggCoeff(pk<sub>1..u</sub>, pk<sub>i</sub>)''.
-** Let ''P<sub>i</sub> = lift_x(int(pk<sub>i</sub>))''; fail if it fails.
+** Let ''P<sub>i</sub> = point(pk<sub>i</sub>)''; fail if that fails.
 * Let ''Q = a<sub>1</sub>⋅P<sub>1</sub> + a<sub>2</sub>⋅P<sub>1</sub> + ... + a<sub>u</sub>⋅P<sub>u</sub>''
 * Fail if ''is_infinite(Q)''.
-* Return ''bytes(Q)''.
+* Return ''Q''.
 
 The algorithm ''HashKeys(pk<sub>1..u</sub>)'' is defined as:
 * Return ''hash<sub>KeyAgg list</sub>(pk<sub>1</sub> || pk<sub>2</sub> || ... || pk<sub>u</sub>)''
@@ -97,12 +104,136 @@ The algorithm ''KeyAggCoeff(pk<sub>1..u</sub>, pk)'' is defined as:
 ** Return 1
 * Return ''int(hash<sub>KeyAgg coefficient</sub>(L || pk)) mod n''
 
+==== Nonce Generation ====
+
+The algorithm ''NonceGen()'' is defined as:
+* Generate two random integers ''k<sub>1</sub>, k<sub>2</sub>'' in the range ''1...n-1''
+* Let ''R<sup>*</sup><sub>1</sub> = k<sub>1</sub>⋅G, R<sup>*</sup><sub>2</sub> = k<sub>2</sub>⋅G''
+* Let ''pubnonce = cbytes(R<sup>*</sup><sub>1</sub>) || cbytes(R<sup>*</sup><sub>2</sub>)''
+* Let ''secnonce = bytes(k<sub>1</sub>) || bytes(k<sub>2</sub>)''
+* Return ''secnonce'' and ''pubnonce''
+
+==== Nonce Aggregation ====
+
+* The number ''u'' of ''pubnonces'' with ''0 < u < 2^32''
+* The public nonces ''pubnonce<sub>1..u</sub>'': ''u'' 66-byte arrays
+
+The algorithm ''NonceAgg(pubnonce<sub>1..u</sub>)'' is defined as:
+* For ''i = 1 .. 2'':
+** For ''j = 1 .. u'':
+*** Let ''R<sub>i,j</sub> = pointc(pubnonce<sub>j</sub>[(i-1)*33:i*33])''; fail if that fails
+** Let ''R'<sub>i</sub> = R<sub>i,1</sub> + R<sub>i,2</sub> + ... + R<sub>i,u</sub>''
+** Let ''R<sub>i</sub> = R'<sub>i</sub>'' if not ''is_infinite(R'<sub>i</sub>)'', otherwise let R<sub>i</sub> = G''
+* Return ''aggnonce = cbytes(R<sub>1</sub>) || cbytes(R<sub>2</sub>)''
+
+==== Signing ====
+
+Input:
+* The secret nonce ''secnonce'' that has never been used as input to ''Sign'' before: a 64-byte array
+* The secret key ''sk'': a 32-byte array
+* The aggregate public nonce ''aggnonce'': a 66-byte array
+* The number ''u'' of public keys with ''0 < u < 2^32''
+* The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays
+* The message ''m'': a 32-byte array
+
+The algorithm ''Sign(secnonce, sk, aggnonce, pk<sub>1..u</sub>, m)'' is defined as:
+* Let ''R<sub>1</sub> = pointc(aggnonce[0:33]), R<sub>2</sub> = pointc(aggnonce[33:66])''; fail if that fails
+* Let ''Q = KeyAggInternal(pk<sub>1..u</sub>)''; fail if that fails
+* Let ''b = int(hash<sub>MuSig/noncecoef</sub>(aggnonce || bytes(Q) || m)) mod n''
+* Let ''R = R<sub>1</sub> + b⋅R<sub>2</sub>''
+* Fail if ''is_infinite(R)''
+* Let ''k'<sub>1</sub> = int(secnonce[0:32]), k'<sub>2</sub> = int(secnonce[32:64])''
+* Fail if ''k'<sub>i</sub> = 0'' or ''k'<sub>i</sub> &ge; n'' for ''i = 1..2''
+* Let ''k<sub>1</sub> = k'<sub>1</sub>, k<sub>2</sub> = k'<sub>2</sub> '' if ''has_even_y(R)'', otherwise let ''k<sub>1</sub> = n - k'<sub>1</sub>, k<sub>2</sub> = n - k<sub>2</sub>''
+* Let ''d' = int(sk)''
+* Fail if ''d' = 0'' or ''d' &ge; n''
+* Let ''P = d'⋅G''
+* Let ''d = n - d' '' if ''has_even_y(P) `XOR` has_even_y(Q)'', otherwise let ''d = d' ''
+* Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(R) || bytes(Q) || m)) mod n''
+* Let ''mu = KeyAggCoeff(pk<sub>1..u</sub>, bytes(P))''
+* Let ''s = (k<sub>1</sub> + b⋅k<sub>2</sub> + e⋅mu⋅d) mod n''
+* Let ''psig = bytes(s)''
+* Let ''pubnonce = cbytes(k'<sub>1</sub>⋅G) || cbytes(k'<sub>2</sub>⋅G)''
+* If ''PartialSigVerifyInternal(psig, pubnonce, aggnonce, pk<sub>1..u</sub>, bytes(P), m)'' (see below) returns failure, abort<ref>Verifying the signature before leaving the signer prevents random or attacker provoked computation errors. This prevents publishing invalid signatures which may leak information about the secret key. It is recommended, but can be omitted if the computation cost is prohibitive.</ref>.
+* Return partial signature ''psig
+
+==== Partial Signature Verification ====
+
+Input:
+* The partial signature ''psig'': a 32-byte array
+* The number ''u'' of public nonces and public keys with ''0 < u < 2^32''
+* The public nonces ''pubnonce<sub>1..u</sub>'': ''u'' 66-byte arrays
+* The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays
+* The message ''m'': a 32-byte array
+* The index of the signer ''i'' in the public nonces and public keys with ''0 < i <= u''
+
+The algorithm ''PartialSigVerify(psig, pubnonce<sub>1..u</sub>, pk<sub>1..u</sub>, m, i)'' is defined as:
+* Let ''aggnonce = NonceAgg(pubnonce<sub>1..u</sub>)''; fail if that fails
+* Run ''PartialSigVerifyInternal(psig, pubnonce<sub>i</sub>, aggnonce, pk<sub>1..u</sub>, pk<sub>i</sub>, m)''
+* Return success iff no failure occurred before reaching this point.
+
+===== PartialSigVerifyInternal =====
+
+Input:
+* The partial signature ''psig'': a 32-byte array
+* The public nonce of the signer ''pubnonce'': a 66-byte array
+* The aggregate public nonce ''aggnonce'': a 66-byte array
+* The number ''u'' of public keys with ''0 < u < 2^32''
+* The public keys ''pk<sub>1..u</sub>'': ''u'' 32-byte arrays
+* The public key of the signer ''pk<sup>*</sup>'' (in ''pk<sub>1..u</sub>''): a 32-byte array
+* The message ''m'': a 32-byte array
+
+The algorithm ''PartialSigVerifyInternal(psig, pubnonce, aggnonce, pk<sub>1..u</sub>, pk<sup>*</sup>, m)'' is defined as:
+* Let ''s = int(psig)''; fail if ''s &ge; n''
+* Let ''R<sub>1</sub> = pointc(aggnonce[0:33]), R<sub>2</sub> = pointc(aggnonce[33:66])''; fail if that fails
+* Let ''Q = KeyAggInternal(pk<sub>1..u</sub>)''; fail if that fails
+* Let ''b = int(hash<sub>MuSig/noncecoef</sub>(aggnonce || bytes(Q) || m)) mod n''
+* Let ''R = R<sub>1</sub> + b⋅R<sub>2</sub>''
+* Let ''R<sup>*</sup><sub>1</sub> = pointc(pubnonce[0:33]), R<sup>*</sup><sub>2</sub> = pointc(pubnonce[33:66])''
+* Let ''R<sup>*</sup>' = R<sup>*</sup><sub>1</sub> + b⋅R<sup>*</sup><sub>2</sub>''
+* Let ''R<sup>*</sup> = R<sup>*</sup>' '' if ''has_even_y(R)'', otherwise let ''R<sup>*</sup> = -R<sup>*</sup>' ''
+* Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(R) || bytes(Q) || m)) mod n''
+* Let ''mu = KeyAggCoeff(pk<sub>1..u</sub>, pk<sup>*</sup>)''
+* Let ''P' = point(pk<sup>*</sup>)''; fail if that fails
+* Let ''P = P' '' if ''has_even_y(Q)'', otherwise let ''P = -P' ''
+* Fail if ''s⋅G &ne; R<sup>*</sup> + e⋅mu⋅P''
+* Return success iff no failure occurred before reaching this point.
+
+==== Partial Signature Aggregation ====
+
+Input:
+* The final nonce ''R'' as created during  ''Sign'' or ''PartialSigVerify'': a point
+* The number ''u'' of signatures with ''0 < u < 2^32''
+* The partial signatures ''sig<sub>1..u</sub>'': ''u'' 32-byte arrays
+
+The algorithm ''SigAgg(R, sig<sub>1..u</sub>)'' is defined as:
+* For ''i = 1 .. u'':
+** Let ''s<sub>i</sub> = int(sig<sub>i</sub>)''; fail if ''s<sub>i</sub> &ge; n''.
+* Let ''s = s<sub>1</sub> + ... + s<sub>u</sub> mod n''
+* Return ''sig = ''bytes(R) || bytes(s)''
+
+=== Signing Flow ===
+
+Note that this specification unnecessarily recomputes intermediary values (such as the aggregate public key) that can be cached in real implementations.
+
+There are multiple ways to use above algorithms and arrive at a final Schnorr signature.
+One of them can be described as follows:
+The signers ''1'' to ''n'' each run ''NonceGen'' to compute ''secnonce'' and ''pubnonce''.
+Every signer sends its public key and ''pubnonce'' to every other signer and all signers agree on a single message to sign.
+Then, the signers run ''NonceAgg'' and ''Sign'' with their secret signing key and ''secnonce''.
+They send the resulting partial signature to every other signer and combine them with the ''SigAgg'' algorithm.
+
+''IMPORTANT'': The ''Sign'' algorithm must '''not''' be executed twice with the same ''secnonce''.
+Otherwise, it is possible to extract the secret signing key from the partial signatures.
+An implementation may invalidate the secnonce argument after ''Sign'' to avoid any reuse.
+Avoiding reuse also implies that the ''NonceGen'' algorithm must compute unbiased, uniformly random values ''k<sub>1</sub>'' and ''k<sub>2</sub>''.
+
 == Applications ==
 
 == Test Vectors and Reference Code ==
 
 There are some vectors in libsecp256k1's [https://github.com/ElementsProject/secp256k1-zkp/blob/master/src/modules/musig/tests_impl.h MuSig test file].
-Search for the ''musig_test_vectors_keyagg'' function.
+Search for the ''musig_test_vectors_keyagg'' and ''musig_test_vectors_sign'' functions.
 
 == Footnotes ==