Document partial signature forgeability #10

Merged
merged 2 commits into from
Dec 31, 2024
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -17,7 +17,7 @@ If you're not already familiar with MuSig2, the process of cooperative signing r
1. All signers share their public keys with one-another. The group computes an _aggregated public key_ which they collectively control.
2. In the **first signing round,** signers generate and share _nonces_ (random numbers) with one-another. These nonces have both secret and public versions. Only the public nonce (AKA `PubNonce`) should be shared, while the corresponding secret nonce (AKA `SecNonce`) must be kept secret.
3. Once every signer has received the public nonces of every other signer, each signer makes a _partial signature_ for a message using their secret key and secret nonce.
4. In the **second signing round,** signers share their partial signatures with one-another. Partial signatures can be verified to place blame on misbehaving signers.
4. In the **second signing round,** signers share their partial signatures with one-another. Partial signatures can be verified to place blame on misbehaving signers (but are not themselves unforgeable).
5. A valid set of partial signatures can be aggregated into a final signature, which is just a normal [Schnorr signature](https://en.wikipedia.org/wiki/Schnorr_signature), valid under the aggregated public key.

## Choice of Backbone
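Review bot: the added parenthetical on step 4, "(but are not themselves unforgeable)", is too terse for a README reader meeting this property for the first time, and it is the only explanation the README gives, while the rustdoc added in src/signing.rs in this same PR spells out "Validity of a partial signature should not be relied on for this property" and links to https://gist.github.com/AdamISZ/ca974ed67889cedc738c4a1f65ff620b. Suggest carrying the same link here and stating the practical consequence in one sentence, e.g. "Partial signatures can be verified to place blame on misbehaving signers, but a valid partial signature is not proof that its signer produced it; only the final aggregated signature in step 5 carries that guarantee."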
8 changes: 8 additions & 0 deletions src/signing.rs
Expand Up @@ -135,6 +135,10 @@ pub fn sign_partial<T: From<PartialSignature>>(
/// to be valid once it is adapted with the discrete log (secret key)
/// of `adaptor_point`.
///
/// Note that partial signatures are _not_ unforgeable!
/// Validity of a partial signature should not be relied on for this property.
/// See <https://gist.github.com/AdamISZ/ca974ed67889cedc738c4a1f65ff620b> for details.
///
/// Returns an error if the given public key doesn't belong to the
/// `key_agg_ctx`, or if the signature is invalid.
pub fn verify_partial_adaptor(
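Review bot: in the added note, "Validity of a partial signature should not be relied on for this property" leaves "this property" dangling, and it sits directly above "Returns an error if ... the signature is invalid", so a reader can still take a passing check as attesting to the signer. Suggest saying explicitly what a successful verification does and does not establish, e.g. "A partial signature that verifies here is consistent with its inputs, so aggregation will produce a valid signature; it is not evidence that the holder of the public key produced it." and keep the gist link as the pointer for why that is.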
Expand Down Expand Up @@ -187,6 +191,10 @@ pub fn verify_partial_adaptor(
/// a signing session, the resulting aggregated signature is guaranteed
/// to be valid.
///
/// Note that partial signatures are _not_ unforgeable!
/// Validity of a partial signature should not be relied on for this property.
/// See <https://gist.github.com/AdamISZ/ca974ed67889cedc738c4a1f65ff620b> for details.
///
/// This function is effectively the same as invoking [`verify_partial_adaptor`]
/// but passing [`MaybePoint::Infinity`] as the adaptor point.
///
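Review bot: the four-line warning is pasted verbatim into both `verify_partial_adaptor` and `verify_partial`; since this doc already says the function "is effectively the same as invoking [`verify_partial_adaptor`]", consider keeping the full warning in one place and a one-line pointer in the other so the two copies cannot drift apart. Separately, the only justification offered is the external gist URL, which can be edited or deleted outside this repository; suggest restating its conclusion in the rustdoc (or in a README section) so the crate's own docs remain self-explanatory.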