
fixup: respond to jonasnick comments
robot-dreams committed Apr 5, 2022
1 parent fa399a4 commit f71c297
Showing 2 changed files with 12 additions and 1 deletion.
11 changes: 11 additions & 0 deletions doc/musig-reference.py
Expand Up @@ -236,6 +236,7 @@ def get_session_key_agg_coeff(session_ctx: SessionContext, P: Point) -> int:
(_, pubkeys, _, _, _) = session_ctx
return key_agg_coeff(pubkeys, bytes_from_point(P))

# Callers should overwrite secnonce with zeros after calling sign.
def sign(secnonce: bytes, sk: bytes, session_ctx: SessionContext) -> bytes:
(Q, gacc_v, _, b, R, e) = get_session_values(session_ctx)
k_1_ = int_from_bytes(secnonce[0:32])
Expand Down Expand Up @@ -342,6 +343,9 @@ def test_sign_vectors():

session_ctx = SessionContext(aggnonce, [pk, X[0], X[1]], [], [], msg)
assert sign(secnonce, sk, session_ctx) == expected[0]
# WARNING: An actual implementation should clear the secnonce after use,
# e.g. by setting secnonce = bytes(64) after usage. Reusing the secnonce, as
# we do here for testing purposes, can leak the secret key.

session_ctx = SessionContext(aggnonce, [X[0], pk, X[1]], [], [], msg)
assert sign(secnonce, sk, session_ctx) == expected[1]
Expand Down Expand Up @@ -385,6 +389,9 @@ def test_tweak_vectors():
# A single x-only tweak
session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], tweaks[:1], [True], msg)
assert sign(secnonce, sk, session_ctx) == expected[0]
# WARNING: An actual implementation should clear the secnonce after use,
# e.g. by setting secnonce = bytes(64) after usage. Reusing the secnonce, as
# we do here for testing purposes, can leak the secret key.

# A single ordinary tweak
session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], tweaks[:1], [False], msg)
Expand Down Expand Up @@ -432,6 +439,8 @@ def test_sign_and_verify_random(iters):

session_ctx = SessionContext(aggnonce, pubkeys, tweaks, is_xonly, msg)
psig_1 = sign(secnonce_1, sk_1, session_ctx)
# Clear the secnonce after use
secnonce_1 = bytes(64)
assert partial_sig_verify(psig_1, pubnonces, pubkeys, tweaks, is_xonly, msg, 0)

# Wrong signer index
Expand All @@ -441,6 +450,8 @@ def test_sign_and_verify_random(iters):
assert not partial_sig_verify(psig_1, pubnonces, pubkeys, tweaks, is_xonly, secrets.token_bytes(32), 0)

psig_2 = sign(secnonce_2, sk_2, session_ctx)
# Clear the secnonce after use
secnonce_2 = bytes(64)
assert partial_sig_verify(psig_2, pubnonces, pubkeys, tweaks, is_xonly, msg, 1)

sig = partial_sig_agg([psig_1, psig_2], session_ctx)
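Review bot: The comment `# Clear the secnonce after use` above `secnonce_1 = bytes(64)` (and the identical pair for `secnonce_2` in the following hunk) promises more than the statement delivers: Python `bytes` objects are immutable, so the assignment only rebinds the local name and the original 64-byte secret nonce stays in memory until it is garbage-collected. The same caveat applies to the WARNING comments added in test_sign_vectors and test_tweak_vectors, which give `secnonce = bytes(64)` as the example of clearing the nonce. Rewording the test comment to `# Rebind so the nonce cannot be reused below; this does not erase the original bytes object from memory` would make the protection actually demonstrated here (no second sign() call with the same nonce) accurate, and the WARNING comments could say that a real implementation must overwrite the buffer holding the secret nonce (e.g. a mutable bytearray) rather than rebind an immutable value. The enclosing test functions, and sign() in the first hunk, begin or end outside the hunks shown.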
2 changes: 1 addition & 1 deletion doc/musig-spec.mediawiki
Expand Up @@ -248,7 +248,7 @@ Avoiding reuse also implies that the ''NonceGen'' algorithm must compute unbiase
There are some vectors in libsecp256k1's [https://github.com/ElementsProject/secp256k1-zkp/blob/master/src/modules/musig/tests_impl.h MuSig test file].
Search for the ''musig_test_vectors_keyagg'' and ''musig_test_vectors_sign'' functions.

We provide a naive, highly inefficient, and non-constant time [[musig-reference.py|pure Python 3.7 reference implementation of the key aggregation, partial signing, and partial signature verification algorithms]].
We provide a naive, highly inefficient, and non-constant time [[musig-reference.py|pure Python 3 reference implementation of the key aggregation, partial signing, and partial signature verification algorithms]].
The reference implementation is for demonstration purposes only and not to be used in production environments.

== Footnotes ==
