fixup! rename g->gacc and define similar to tacc for consistency

BlockstreamResearch · Mar 19, 2022 · 8e4939e · 8e4939e
1 parent 69497f8
commit 8e4939e
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 26 deletions.
diff --git a/doc/musig-spec.mediawiki b/doc/musig-spec.mediawiki
@@ -123,27 +123,29 @@ So, the (x-only) final public key is
 </poem>
 
 <poem>
-The ''KeyAggInternal'' algorithm computes
-    ''g = g<sub>v-1</sub>⋅...⋅g<sub>0</sub>'' if ''g > 0'', otherwise ''g = 1''. So we can rewrite above equation for the final public key as
-  ''with_even_y(Q<sub>v</sub>) = g<sub>v</sub>⋅g⋅Q<sub>0</sub> + g<sub>v</sub>⋅tacc<sub>v</sub>⋅G''.
+''KeyAggInternal'' and ''Tweak'' compute
+    ''gacc<sub>0</sub> = 1
+    gacc<sub>i</sub> = g<sub>i-1</sub>⋅gacc<sub>i-1</sub> for i=1..v''
+So we can rewrite above equation for the final public key as
+  ''with_even_y(Q<sub>v</sub>) = g<sub>v</sub>⋅gacc<sub>v</sub>⋅Q<sub>0</sub> + g<sub>v</sub>⋅tacc<sub>v</sub>⋅G''.
 </poem>
 
 <poem>
 Then we have
     ''with_even_y(Q<sub>v</sub>) - g<sub>v</sub>⋅tacc<sub>v</sub>⋅G
-        = g<sub>v</sub>⋅g⋅Q<sub>0</sub>
-        = g<sub>v</sub>⋅g⋅(a<sub>1</sub>⋅P<sub>1</sub> + ... + a<sub>u</sub>⋅P<sub>u</sub>)
-        = g<sub>v</sub>⋅g⋅(a<sub>1</sub>⋅gp<sub>1</sub>⋅d'<sub>1</sub>⋅G + ... + a<sub>u</sub>⋅gp<sub>u</sub>⋅d'<sub>u</sub>⋅G)
-        = sum<sub>i=1..u</sub>(g<sub>v</sub>⋅g⋅gp<sub>i</sub>⋅a<sub>i</sub>⋅d'<sub>i</sub>)*G''.
+        = g<sub>v</sub>⋅gacc<sub>v</sub>⋅Q<sub>0</sub>
+        = g<sub>v</sub>⋅gacc<sub>v</sub>⋅(a<sub>1</sub>⋅P<sub>1</sub> + ... + a<sub>u</sub>⋅P<sub>u</sub>)
+        = g<sub>v</sub>⋅gacc<sub>v</sub>⋅(a<sub>1</sub>⋅gp<sub>1</sub>⋅d'<sub>1</sub>⋅G + ... + a<sub>u</sub>⋅gp<sub>u</sub>⋅d'<sub>u</sub>⋅G)
+        = sum<sub>i=1..u</sub>(g<sub>v</sub>⋅gacc<sub>v</sub>⋅gp<sub>i</sub>⋅a<sub>i</sub>⋅d'<sub>i</sub>)*G''.
 </poem>
 
-Thus, signer ''i'' multiplies its secret key ''d'<sub>i</sub>'' with ''g<sub>v</sub>⋅g⋅gp<sub>i</sub>'' in the ''[[#Sign negation|Sign]]'' algorithm.
+Thus, signer ''i'' multiplies its secret key ''d'<sub>i</sub>'' with ''g<sub>v</sub>⋅gacc<sub>v</sub>⋅gp<sub>i</sub>'' in the ''[[#Sign negation|Sign]]'' algorithm.
 
 === Negation Of The Public Key When Partially Verifying ===
 
 <poem>
 As explained in [[#negation-of-the-secret-key-when-signing|Negation Of The Secret Key When Signing]] the signer uses a possibly negated secret key
-    ''d = g<sub>v</sub>⋅g⋅gp⋅d' ''
+    ''d = g<sub>v</sub>⋅gacc<sub>v</sub>⋅gp⋅d' ''
 when producing a partial signature to ensure that the aggregate signature will correspond to an aggregate public key with even Y coordinate.
 </poem>
 
@@ -155,8 +157,8 @@ The ''[[#SigVerify negation|PartialSigVerifyInternal]]'' algorithm is supposed t
 <poem>
 The verifier doesn't have access to ''d⋅G'', but can construct it using the xonly public key ''pk<sup>*</sup>'' as follows:
 ''d⋅G
-    = g<sub>v</sub>⋅g⋅gp⋅d'⋅G
-    = g<sub>v</sub>⋅g⋅point(pk<sup>*</sup>)''
+    = g<sub>v</sub>⋅gacc<sub>v</sub>⋅gp⋅d'⋅G
+    = g<sub>v</sub>⋅gacc<sub>v</sub>⋅point(pk<sup>*</sup>)''
 </poem>
 
 === Dealing with Infinity in Nonce Aggregation ===
@@ -210,12 +212,10 @@ The algorithm ''KeyAggInternal(pk<sub>1..u</sub>, tweak<sub>1..v</sub>, is_xonly
 * Let ''Q<sub>0</sub> = a<sub>1</sub>⋅P<sub>1</sub> + a<sub>2</sub>⋅P<sub>1</sub> + ... + a<sub>u</sub>⋅P<sub>u</sub>''
 * Fail if ''is_infinite(Q<sub>0</sub>)''.
 * Let ''tacc<sub>0</sub> = 0''
+* Let ''gacc<sub>0</sub> = 1''
 * For ''i = 1 .. v'':
-** Let ''(Q<sub>i</sub>, g<sub>i-1</sub>, tacc<sub>i</sub>) = Tweak(Q<sub>i-1</sub>, tweak<sub>i</sub>, tacc<sub>i-1</sub>, is_xonly_t<sub>i</sub>)''; fail if that fails
-* If ''v > 0'':
-** Let ''g = g<sub>0</sub>⋅...⋅g<sub>v-1</sub>''
-* Else: let ''g = 1''
-* Return ''(Q<sub>v</sub>, g, tacc<sub>v</sub>)''.
+** Let ''(Q<sub>i</sub>, gacc<sub>i</sub>, tacc<sub>i</sub>) = Tweak(Q<sub>i-1</sub>, gacc<sub>i-1</sub>, tweak<sub>i</sub>, tacc<sub>i-1</sub>, is_xonly_t<sub>i</sub>)''; fail if that fails
+* Return ''(Q<sub>v</sub>, gacc<sub>v</sub>, tacc<sub>v</sub>)''.
 
 The algorithm ''HashKeys(pk<sub>1..u</sub>)'' is defined as:
 * Return ''hash<sub>KeyAgg list</sub>(pk<sub>1</sub> || pk<sub>2</sub> || ... || pk<sub>u</sub>)''
@@ -232,15 +232,16 @@ The algorithm ''KeyAggCoeff(pk<sub>1..u</sub>, pk')'' is defined as:
 ** Return 1
 * Return ''int(hash<sub>KeyAgg coefficient</sub>(L || pk')) mod n''
 
-The algorithm ''Tweak(Q<sub>i-1</sub>, tweak<sub>i</sub>, tacc<sub>i-1</sub>, is_xonly_t<sub>i</sub>)'' is defined as:
+The algorithm ''Tweak(Q<sub>i-1</sub>, gacc<sub>i-1</sub>, tweak<sub>i</sub>, tacc<sub>i-1</sub>, is_xonly_t<sub>i</sub>)'' is defined as:
 * If ''is_xonly_t<sub>i</sub>'' and ''not has_even_y(Q<sub>i-1</sub>)'':
 ** Let ''g<sub>i-1</sub> = -1''
 * Else: let ''g<sub>i-1</sub> = 1''
 * Let ''t<sub>i</sub> = int(tweak<sub>i</sub>)''; fail if ''t &ge; n''
 * Let ''Q<sub>i</sub> = g<sub>i-1</sub>⋅Q<sub>i-1</sub> + t<sub>i</sub>⋅G''
+* Let ''gacc<sub>i</sub> = g<sub>i-1</sub>⋅gacc<sub>i-1</sub>''
 * Let ''tacc<sub>i</sub> = t<sub>i</sub> + g<sub>i-1</sub>⋅tacc<sub>i-1</sub> mod n''
 ** Fail if ''is_infinite(Q<sub>i</sub>)''
-* Return ''(Q<sub>i</sub>, g<sub>i-1</sub>, tacc<sub>i</sub>)''
+* Return ''(Q<sub>i</sub>, gacc<sub>i</sub>, tacc<sub>i</sub>)''
 
 ==== Nonce Generation ====
 
@@ -279,13 +280,13 @@ We write "Let ''(aggnonce, u, pk<sub>1..u</sub>, v, tweak<sub>1..v</sub>, is_xon
 
 The algorithm ''GetSessionValues(session_ctx)'' is defined as:
 * Let ''(aggnonce, u, pk<sub>1..u</sub>, v, tweak<sub>1..v</sub>, is_xonly_t<sub>1..v</sub>, m) = session_ctx''
-* Let ''(Q, g, tacc<sub>v</sub>) = KeyAggInternal(pk<sub>1..u</sub>, tweak<sub>1..v</sub>, is_xonly_t<sub>1..v</sub>)''; fail if that fails
+* Let ''(Q, gacc<sub>v</sub>, tacc<sub>v</sub>) = KeyAggInternal(pk<sub>1..u</sub>, tweak<sub>1..v</sub>, is_xonly_t<sub>1..v</sub>)''; fail if that fails
 * Let ''b = int(hash<sub>MuSig/noncecoef</sub>(aggnonce || bytes(Q) || m)) mod n''
 * Let ''R<sub>1</sub> = pointc(aggnonce[0:33]), R<sub>2</sub> = pointc(aggnonce[33:66])''; fail if that fails
 * Let ''R = R<sub>1</sub> + b⋅R<sub>2</sub>''
 * Fail if ''is_infinite(R)''
 * Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(R) || bytes(Q) || m)) mod n''
-* Return ''(Q, g, tacc<sub>v</sub>, b, R, e)''
+* Return ''(Q, gacc<sub>v</sub>, tacc<sub>v</sub>, b, R, e)''
 
 The algorithm ''GetSessionKeyAggCoeff(session_ctx, P)'' is defined as:
 * Let ''(_, u, pk<sub>1..u</sub>, _, _, _, _) = session_ctx''
@@ -299,7 +300,7 @@ Input:
 * The ''session_ctx'': a [[#session-context|Session Context]] data structure
 
 The algorithm ''Sign(secnonce, sk, session_ctx)'' is defined as:
-* Let ''(Q, g, _, b, R, e) = GetSessionValues(session_ctx)''; fail if that fails
+* Let ''(Q, gacc<sub>v</sub>, _, b, R, e) = GetSessionValues(session_ctx)''; fail if that fails
 * Let ''k'<sub>1</sub> = int(secnonce[0:32]), k'<sub>2</sub> = int(secnonce[32:64])''
 * Fail if ''k'<sub>i</sub> = 0'' or ''k'<sub>i</sub> &ge; n'' for ''i = 1..2''
 * Let ''k<sub>1</sub> = k'<sub>1</sub>, k<sub>2</sub> = k'<sub>2</sub> '' if ''has_even_y(R)'', otherwise let ''k<sub>1</sub> = n - k'<sub>1</sub>, k<sub>2</sub> = n - k<sub>2</sub>''
@@ -309,7 +310,7 @@ The algorithm ''Sign(secnonce, sk, session_ctx)'' is defined as:
 * Let ''a = GetSessionKeyAggCoeff(session_ctx, P)''; fail if that fails
 * Let ''gp = 1'' if ''has_even_y(P)'', otherwise let ''gp = -1''
 * Let ''g<sub>v</sub> = 1'' if ''has_even_y(Q)'', otherwise let ''g<sub>v</sub> = -1''
-* <div id="Sign negation"></div>Let ''d = g<sub>v</sub>⋅g⋅gp⋅d' '' (See [[negation-of-the-secret-key-when-signing|Negation Of The Secret Key When Signing]])
+* <div id="Sign negation"></div>Let ''d = g<sub>v</sub>⋅gacc<sub>v</sub>⋅gp⋅d' '' (See [[negation-of-the-secret-key-when-signing|Negation Of The Secret Key When Signing]])
 * Let ''s = (k<sub>1</sub> + b⋅k<sub>2</sub> + e⋅a⋅d) mod n''
 * Let ''psig = bytes(s)''
 * Let ''pubnonce = cbytes(k'<sub>1</sub>⋅G) || cbytes(k'<sub>2</sub>⋅G)''
@@ -344,13 +345,13 @@ Input:
 * The ''session_ctx'': a [[#session-context|Session Context]] data structure
 
 The algorithm ''PartialSigVerifyInternal(psig, pubnonce, pk<sup>*</sup>, session_ctx)'' is defined as:
-* Let ''(Q, g, _, b, R, e) = GetSessionValues(session_ctx)''; fail if that fails
+* Let ''(Q, gacc<sub>v</sub>, _, b, R, e) = GetSessionValues(session_ctx)''; fail if that fails
 * Let ''s = int(psig)''; fail if ''s &ge; n''
 * Let ''R<sup>*</sup><sub>1</sub> = pointc(pubnonce[0:33]), R<sup>*</sup><sub>2</sub> = pointc(pubnonce[33:66])''
 * Let ''R<sup>*</sup>' = R<sup>*</sup><sub>1</sub> + b⋅R<sup>*</sup><sub>2</sub>''
 * Let ''R<sup>*</sup> = R<sup>*</sup>' '' if ''has_even_y(R)'', otherwise let ''R<sup>*</sup> = -R<sup>*</sup>' ''
 * Let ''g<sub>v</sub> = 1'' if ''has_even_y(Q)'', otherwise let ''g<sub>v</sub> = -1''
-* Let ''g' = g<sub>v</sub>⋅g mod n''
+* Let ''g' = g<sub>v</sub>⋅gacc<sub>v</sub> mod n''
 * <div id="SigVerify negation"></div>Let ''P = g'⋅point(pk<sup>*</sup>)''; fail if that fails (See [[#negation-of-the-public-key-when-partially-verifying|Negation Of The Public Key When Verifying]])
 * Let ''a = GetSessionKeyAggCoeff(session_ctx, P)''; fail if that fails
 * Fail if ''s⋅G &ne; R<sup>*</sup> + e⋅a⋅P''

diff --git a/src/modules/musig/keyagg.h b/src/modules/musig/keyagg.h
@@ -20,8 +20,8 @@ typedef struct {
     unsigned char pk_hash[32];
     /* tweak is identical to value tacc[v] in the specification. */
     secp256k1_scalar tweak;
-    /* parity_acc corresponds to g in the spec. If g is -1, parity_acc is 1.
-     * Otherwise, parity_acc is 0. */
+    /* parity_acc corresponds to gacc[v] in the spec. If gacc[v] is -1,
+     * parity_acc is 1. Otherwise, parity_acc is 0. */
     int parity_acc;
 } secp256k1_keyagg_cache_internal;