From: Jonas Nick
Date: Thu, 28 Apr 2022 19:18:34 +0000
To: Olaoluwa Osuntokun, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] MuSig2 BIP

Happy to hear that the BIP draft is already useful and thank you, Laolu, for
extracting the test vectors.

> an implementation must make the _pre tweaked_ combined key available to the
> caller

To apply the Taproot tweak with the key aggregation algorithm as specified you
would have to do the following (slightly simplified):

    P := KeyAgg(pk_1, ..., pk_n, tweaks = [])
    t := hash_TapTweak(P, root)
    Q := KeyAgg(pk_1, ..., pk_n, tweaks = [t])

This unnecessarily recomputes the pre-tweaked key aggregate. In the BIP, there
are more places where the specified algorithms unnecessarily recompute certain
values. I believe this is justified if it makes the spec significantly easier
to understand. In this case, however, it's clear that calling KeyAgg multiple
times for the same set of public keys is not intuitive at all. This is
something I had not fully considered before. Thanks for bringing it up.

The approach you're taking in btcd makes a lot of sense to me. But in the
specification, we want to avoid specifying how exactly the tweaks are derived.
In the libsecp256k1-zkp implementation, key aggregation and tweaking are
separated into different functions. But this requires keeping state between
key aggregation and tweaking, which is why we had not chosen this approach for
the BIP. I will investigate how in the BIP, we can also split key aggregation
and tweaking and minimize complexity.

> My reading here is that [...] last party doesn't (?) need to worry about their
> nonces

Your reading is mostly right. Brandon describes correctly how and why to modify
the nonce generation algorithm. I opened a PR that replaces the description of
this signing mode with a precise specification. Indeed, the result is that the
last party doesn't need to worry about their nonce (even if the other parties
use bad randomness).

[0] https://github.com/jonasnick/bips/pull/11
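As an added illustration of the aggregation/tweak split discussed in the message above (example code written for this page, not the BIP's reference code nor btcd's or libsecp256k1-zkp's): KeyAgg runs once and returns a context (Q, gacc, tacc) that the Taproot tweak is applied to, so the pre-tweaked aggregate is never recomputed. The coefficient derivation is simplified (no second-key shortcut), and the hash tag names, point encoding and sample keys are assumptions.

```python
import hashlib
# Constructed example (not the BIP's, btcd's or libsecp256k1-zkp's code): secp256k1
# arithmetic plus a simplified KeyAgg whose result is kept as state for the tweak.
P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):                                # affine addition, None = infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def mul(k, pt):                               # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def tagged_hash(tag, msg):                    # BIP340-style tagged hash
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()
def lift_x(xb):                               # x-only key -> point with even y
    x = int.from_bytes(xb, "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y)
def pubkey_x(sk): return mul(sk, G)[0].to_bytes(32, "big")   # x-only pubkey

def key_agg(pks):
    """Pre-tweaked aggregate as a context (Q, gacc, tacc). Coefficients are
    simplified (no second-key shortcut) and the hash tag names are assumed."""
    L = tagged_hash("KeyAgg list", b"".join(pks))
    Q = None
    for pk in pks:
        a = int.from_bytes(tagged_hash("KeyAgg coefficient", L + pk), "big") % N
        Q = add(Q, mul(a, lift_x(pk)))
    return (Q, 1, 0)
def apply_tweak(ctx, t):                      # x-only tweak on the stored state
    Q, gacc, tacc = ctx
    g = N - 1 if Q[1] % 2 else 1              # negate Q first if its y is odd
    Q = add(Q if g == 1 else (Q[0], P - Q[1]), mul(t, G))
    return (Q, g * gacc % N, (g * tacc + t) % N)   # Q == gacc*Q0 + tacc*G holds
def taproot_tweak(pks, merkle_root):
    ctx = key_agg(pks)                        # KeyAgg runs once ...
    xonly = ctx[0][0].to_bytes(32, "big")
    t = int.from_bytes(tagged_hash("TapTweak", xonly + merkle_root), "big") % N
    return apply_tweak(ctx, t)                # ... and the tweak reuses its state
```

The returned gacc and tacc let a signer reconstruct the tweaked key from the untweaked aggregate later, which is the state the message says has to be carried between aggregation and tweaking.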