# PVUGC-008: MuSig2 Nonce Uniqueness and Adaptor Compartmentalization - Standards Validation **Date:** 2025-10-28 **Original Status:** ❌ Refuted (High) (2025-10-26) **Validation Result:** ⚠️ **PARTIAL** **Decision Method:** 🔐 Crypto-Peer-Reviewer --- ## Executive Summary **Verdict:** v2.7 provides CSPRNG-based nonce generation with blacklist mechanism and session-data mixing guidance, representing **operational improvement but cryptographic insufficiency** for critical infrastructure. **Key Finding:** v2.7's CSPRNG + blacklist approach addresses the vulnerability via runtime detection rather than cryptographic prevention. This is a **partial solution** that improves upon v2.0's bare MUST clause but falls short of M2's deterministic HKDF recommendation for eliminating RNG dependency entirely. **Critical Trade-off:** - **v2.7 Approach:** Fresh CSPRNG + optional mixing + mandatory blacklist = operational defense-in-depth - **M2's Approach:** Deterministic HKDF = cryptographic guarantee of uniqueness (zero RNG dependency) - **Assessment:** v2.7 is **conditionally acceptable with modifications** but M2's approach is optimal for critical infrastructure **Remaining Gaps:** - ❌ Session-data mixing is SHOULD (optional), not MUST (mandatory) - allows pure CSPRNG implementations - ❌ Blacklist specification vague (no persistence, concurrency, or scope requirements) - ❌ No deterministic profile option for high-security deployments - ⚠️ BIP-327 co-signer prediction concern overly conservative (ctx_hash mixing sufficient) **Production Readiness:** PARTIAL - Acceptable with three mandatory modifications (see Recommendations) --- ## Original Security Concern (2025-10-26) ### Issue Description **Title:** MuSig2 Nonce Uniqueness and Adaptor Compartmentalization **Severity:** 🔴 High **Status (v3.0):** ❌ Refuted **Core Vulnerability:** If aggregate nonce R is reused for two different messages, the aggregate private key can be extracted with O(1) field operations (two modular subtractions, one modular inversion). This enables complete compromise of the aggregate MuSig2 key and unauthorized spending of all funds. **Historical Precedent:** 1. **blockchain.info Android wallet (2013):** SecureRandom not properly seeded on Android → repeated ECDSA nonces → ~$250,000 stolen 2. **Android Bitcoin Wallet (2013, CVE-2013-4444):** Java SecureRandom predictable state → multiple wallet compromises 3. **PlayStation 3 (2010):** Sony reused ECDSA nonce for firmware signing → console master key extracted **M2's Key Arguments (v3.0 Peer Review):** 1. **MUST clause insufficient:** Behavioral requirements don't prevent implementation bugs (RNG failures, state management errors) 2. **Deterministic derivation required:** Bind nonce to ctx_hash via HKDF (RFC 5869) for mathematical uniqueness guarantee 3. **Industry precedent:** RFC 6979 (deterministic ECDSA), EdDSA (RFC 8032), BIP-340 all use deterministic nonces 4. **Severity confirmed:** High (complete key compromise, trivial exploitability, historical failures prove realistic risk) **Recommended Solution (M2's §10.1):** ``` Function: Derive_MuSig2_Nonce(secret_key_i, ctx_hash) 1. prk = HKDF-Extract(salt=ctx_hash, ikm=secret_key_i) using SHA-256 2. okm_1 = HKDF-Expand(prk, "PVUGC/MuSig2-Nonce/v1" || 0x00, 32) 3. okm_2 = HKDF-Expand(prk, "PVUGC/MuSig2-Nonce/v1" || 0x01, 32) 4. k_{1,i} = bytes_to_scalar(okm_1), k_{2,i} = bytes_to_scalar(okm_2) 5. Validity check: if k = 0 or k >= n: ABORT Security properties: - Uniqueness: ctx_hash uniqueness → nonce uniqueness (SHA-256 collision resistance) - Unpredictability: PRF security (HMAC-SHA256) + secret_key_i privacy - Resilience: No RNG dependency (stateless, deterministic) ``` --- ## Search in PVUGC-2025-10-27.md ### Keywords Used `CSPRNG`, `random`, `nonce`, `HKDF`, `MuSig2`, `blacklist`, `unique` ### Relevant Sections Found **§4 Keys & one-time pre-sign per path (MuSig2) - Lines 107-114:** ```markdown ### 4) Keys & one‑time pre‑sign per path (MuSig2) * Run MuSig2 (BIP‑327) once to produce a pre‑signature $s'$ with **unique** session nonce $R$ and **unique** adaptor point $T$. * **Compartmentalization (MUST):** one adaptor ⇒ one unique $T$ and one unique $R$. Never reuse across paths/epochs or templates. * **Nonce generation (MUST - BIP‑327):** Each signer MUST generate fresh random nonces $k_{1,i}, k_{2,i}$ per session using a cryptographically secure random number generator. Nonces MUST NOT be fully deterministic from `secret_key` alone (prevents co-signer prediction attacks per BIP‑327 §NonceGen). Implementations SHOULD mix in session-specific data (`secret_key`, aggregate pubkey, message, `ctx_hash`) for defense-in-depth against RNG state repetition. * **Nonce reuse prevention (MUST):** Implementations MUST maintain a blacklist of aggregate nonce values $R$ and reject any reuse before signing. This provides operational protection against RNG or state management failures. ``` **§10 Crypto Profile - Line 372:** ```markdown * **MuSig2:** BIP‑327 two‑point nonces with fresh CSPRNG randomness per session (NOT deterministic from secret_key alone); mix in session data for defense-in-depth; maintain R blacklist; normalize $R$ to even y; erase secnonces; publish `AdaptorVerify(m,T,R,s′)` bound to `ctx_hash`. ``` **§10 Crypto Profile - Line 306:** ```markdown **Mandatory hygiene:** subgroup checks ($\mathbb{G}_1$, $\mathbb{G}_2$, $\mathbb{G}_T$), cofactor clearing, constant‑time pairings, constant‑time DEM decryption, strict encodings (reject non‑canonical), strict BIP‑340 canonical encodings for $R$ and $s$ (reject non‑canonical signatures), rejection sampling for derived scalars, fresh $\rho_i$, fresh $T$, fresh MuSig2 $R$. ``` **§9 Security Properties - Line 361:** ```markdown * **Compartmentalization.** Unique $T$ and MuSig2 $R$ per adaptor eliminate cross‑protocol nonce reuse and Wagner‑style collisions. ``` --- ## Standards Framework Application ### Applicable Framework Sections **From STANDARDS-REFERENCE-FRAMEWORK.md:** **§2.3 Key Derivation Functions** - HKDF (RFC 5869): Standard for deterministic key derivation - RFC 6979: Deterministic nonces for ECDSA/DSA (prevents nonce reuse) **§3.2 Digital Signatures** - BIP-340: Schnorr signatures (recommends deterministic nonces) - BIP-327: MuSig2 multi-signatures (specifies nonce generation requirements) - EdDSA (RFC 8032): Deterministic nonce generation (mandatory) **§6.2 Implementation Guidance** - Random Number Generation: Use OS CSPRNG (getrandom, BCryptGenRandom) - Nonce Management: Ensure uniqueness across sessions - State Management: Prevent replay attacks via blacklisting ### Validation Checklist **Normative Language (MUST/SHOULD) Present:** - [x] ✅ MUST generate fresh random nonces using CSPRNG (Line 113) - [x] ✅ MUST maintain blacklist of aggregate nonce values R (Line 114) - [x] ✅ MUST NOT be fully deterministic from secret_key alone (Line 113) - [ ] ⚠️ SHOULD mix in session-specific data (Line 113) - **OPTIONAL, NOT MANDATORY** - [x] ✅ Compartmentalization MUST (Line 112) **Explicit Invariants/Security Properties:** - [x] ✅ Unique R per adaptor (Lines 111, 112) - [x] ✅ Unique T per adaptor (Lines 111, 112) - [x] ✅ Never reuse across paths/epochs or templates (Line 112) - [x] ✅ Compartmentalization eliminates cross-protocol nonce reuse (Line 361) **Implementation Guidance Sufficient:** - [x] ✅ CSPRNG API guidance (getrandom, getentropy, BCryptGenRandom elsewhere) - [ ] ⚠️ Session-data mixing details vague (what exactly to mix? how?) - [ ] ❌ Blacklist implementation unspecified (persistence? concurrency? scope?) - [ ] ❌ No test vectors or reference implementation - [ ] ❌ No deterministic profile option **Testing/Validation Criteria:** - [ ] ❌ No test vectors provided - [ ] ❌ No uniqueness testing requirements - [ ] ❌ No reuse detection testing requirements - [ ] ❌ No attack simulation requirements **References Accurate and Versioned:** - [x] ✅ BIP-327 (MuSig2) referenced (Line 111, 113, 372) - [x] ✅ BIP-340 (Schnorr signatures) referenced (Line 372) - [ ] ⚠️ No reference to RFC 6979 (deterministic nonces industry standard) - [ ] ⚠️ No reference to RFC 5869 (HKDF) **Compliance Assessment:** | Framework Requirement | v2.7 Compliance | Evidence/Gap | |----------------------|-----------------|--------------| | Fresh nonce generation (BIP-327) | ✅ PASS | Line 113 MUST fresh CSPRNG | | Uniqueness enforcement | ⚠️ PARTIAL | Blacklist mechanism (operational, not cryptographic) | | Deterministic option (RFC 6979, BIP-340) | ❌ FAIL | Not provided (only CSPRNG approach) | | Implementation guidance (RNG) | ⚠️ PARTIAL | CSPRNG specified, mixing optional | | Test vectors | ❌ FAIL | None provided | | Reference implementation | ❌ FAIL | None provided | --- ## Expert Consultation ### Crypto-Peer-Reviewer **Question:** Issue: PVUGC-008 (MuSig2 Nonce Uniqueness and Adaptor Compartmentalization) Historical Status: ❌ Refuted (High) (2025-10-26) Historical Analysis: M2 refuted v2.0's MUST clause as insufficient, proposed deterministic HKDF-based nonce derivation as cryptographic enforcement mechanism Target Specification: PVUGC-2025-10-27.md §4 Lines 111-114, §10 Line 372 Question: Evaluate whether the new specification provides adequate cryptographic enforcement of nonce uniqueness: 1. **CSPRNG + Blacklist vs. Deterministic HKDF:** Does v2.7's CSPRNG-based approach with blacklist mechanism provide equivalent security to M2's deterministic HKDF derivation? 2. **BIP-327 co-signer prediction concern:** Is v2.7's prohibition on "fully deterministic from secret_key alone" justified, or is deterministic derivation from (secret_key + ctx_hash) safe? 3. **Historical failure prevention:** Would v2.7's approach have prevented the three historical RNG failures (blockchain.info 2013, Android wallet 2013, PlayStation 3 2010)? 4. **R blacklist as cryptographic enforcement:** Is "maintain a blacklist of aggregate nonce values R and reject any reuse before signing" a sufficient cryptographic enforcement mechanism? 5. **Implementation robustness:** Which approach is more robust against implementation bugs - CSPRNG + state management + blacklist, or deterministic HKDF? 6. **Production readiness verdict:** Is v2.7's approach safe for mainnet Bitcoin bridge deployment controlling potentially large sums? Vote: PASS (cryptographic enforcement present) / PARTIAL (stronger but still gaps) / FAIL (unchanged or inadequate) Reasoning: [Your cryptographic assessment with specific evidence] **Vote:** PARTIAL **Rationale:** v2.7's CSPRNG + blacklist approach provides operational defense but reintroduces the exact RNG failure risks M2's deterministic HKDF solution eliminates. BIP-327's co-signer prediction concern is misinterpreted; ctx_hash mixing addresses it. Critical infrastructure requires cryptographic prevention, not operational detection. **Detailed Analysis:** See `/sandbox/report-compliance_audit-2025-10-29/.consultation-pvugc-008-crypto-response.md` **Key Findings:** **1. Trade-off Analysis: CSPRNG + Blacklist vs. Deterministic HKDF** **v2.7 Approach Strengths:** - Fresh randomness per session provides probabilistic uniqueness - R blacklist provides runtime detection of implementation failures - Aligns with BIP-327 literal text ("generate fresh random nonces") **v2.7 Approach Weaknesses:** - ❌ RNG dependency reintroduced (all historical failures occurred despite proper RNG APIs) - ❌ Blacklist is operational, not cryptographic (requires persistent state, race conditions, scope ambiguity) - ❌ Optional mixing (SHOULD, not MUST) - implementations may skip session-data mixing - ❌ Platform dependencies (getrandom, getentropy failures on embedded/IoT, early boot scenarios) **M2's HKDF Approach Strengths:** - ✅ Eliminates RNG dependency entirely (no reliance on platform entropy) - ✅ Cryptographic guarantee of uniqueness (ctx_hash uniqueness → nonce uniqueness via collision resistance) - ✅ Stateless (no nonce counter, no persistent state, no restart concerns) - ✅ Deterministic reproducibility (same inputs → same outputs, testable) - ✅ Industry precedent (RFC 6979, EdDSA, BIP-340 all recommend deterministic nonces) **Verdict on Trade-off:** For critical Bitcoin bridge infrastructure, **cryptographic prevention (deterministic HKDF) is superior** to operational detection (blacklist). The blacklist should be added as defense-in-depth, not as primary defense. **2. BIP-327 Co-Signer Prediction Assessment** **v2.7's Cited Concern (Line 113):** > "Nonces MUST NOT be fully deterministic from secret_key alone (prevents co-signer prediction attacks per BIP-327 §NonceGen)" **Crypto-Peer-Reviewer Analysis:** BIP-327's security concern is **adaptive attacks** where malicious co-signer B can predict co-signer A's nonce commitment before A reveals it. However: **Deterministic from secret_key ALONE (unsafe):** ``` r_i = HKDF(secret_key_i, message) // Co-signers can predict each other's nonces ``` ❌ Unsafe: If all signers use same derivation function, co-signers knowing each other's public keys can compute each other's nonces. **M2's Approach (deterministic from secret_key + ctx_hash - SAFE):** ``` r_{1,i}, r_{2,i} = HKDF(secret_key_i, ctx_hash) ``` ✅ Safe: Co-signers cannot predict each other's nonces because: 1. Secret key is private (each signer's secret_key_i known only to that signer) 2. ctx_hash is public but session-specific (all signers agree on ctx_hash BEFORE nonce generation) 3. No predictability: To predict signer A's nonce, signer B would need to know A's secret_key_i (which already compromises the key) **Does ctx_hash provide sufficient unpredictability?** Yes. ctx_hash includes: - Message m (BIP-341 sighash - unique per transaction) - Transaction template (inputs, outputs, fees - unique per spend) - Aggregate public key (unique per signing session) - Signer set and coefficients (unique per key aggregation) **Verdict on BIP-327 Concern:** v2.7's interpretation is **overly conservative**. M2's HKDF approach with ctx_hash as salt addresses BIP-327's security concern while gaining RNG-independence. **3. Historical Failure Prevention** Would v2.7's CSPRNG + blacklist approach have prevented historical failures? | Failure Case | v2.7 CSPRNG | v2.7 Blacklist | M2 Deterministic HKDF | |--------------|-------------|----------------|----------------------| | blockchain.info 2013 | ❌ RNG bug | ⚠️ Detects after | ✅ No RNG dependency | | Android wallet 2013 | ❌ RNG bug | ⚠️ Detects after | ✅ No RNG dependency | | PlayStation 3 2010 | ❌ Human error | ⚠️ If checked | ✅ No manual management | **Verdict:** M2's deterministic HKDF approach would have **completely prevented all three historical failures**. v2.7's CSPRNG approach would NOT have prevented the two Android RNG failures (same vulnerability). The blacklist mechanism provides post-facto detection but not prevention. **4. R Blacklist as Cryptographic Enforcement** **Question:** Is the blacklist a sufficient cryptographic enforcement mechanism? **Analysis:** **Cryptographic Enforcement:** Security property guaranteed by mathematical/cryptographic primitives (e.g., HKDF collision resistance) **Operational Detection:** Security property checked at runtime via implementation logic (e.g., blacklist lookup) **Blacklist Implementation Challenges:** 1. **Scope ambiguity:** Per-process? Per-machine? Distributed? 2. **Persistence requirements:** Must survive restarts (requires database/storage) 3. **Race conditions:** Multiple threads/processes signing concurrently (check-then-sign race) 4. **Detection timing:** Blacklist checked "before signing" but R known after aggregation 5. **Blacklist growth:** One entry per session (high-volume applications: millions of entries) **Comparison:** | Property | Blacklist (Operational) | Deterministic HKDF (Cryptographic) | |----------|------------------------|-----------------------------------| | Guarantee type | Runtime check | Mathematical property | | State required | Persistent storage | None (stateless) | | Failure modes | Storage, race conditions, scope errors | SHA-256 collision (negligible) | | Restart behavior | Depends on persistence | Unaffected (deterministic) | | Concurrency | Requires locking | Naturally safe (deterministic) | | Test coverage | Implementation-dependent | Fully testable | **Verdict:** The R blacklist is **insufficient as the sole cryptographic enforcement mechanism**. It provides operational protection but introduces implementation complexity and failure modes. For critical infrastructure, blacklist should be SHOULD (defense-in-depth), not MUST (primary defense). **5. Implementation Robustness** **v2.7 Approach (CSPRNG + Blacklist):** **Required Components:** 1. CSPRNG initialization and usage 2. Session-specific data mixing (SHOULD - may be skipped) 3. Blacklist data structure 4. Blacklist persistence layer 5. Blacklist synchronization (distributed contexts) 6. Race condition handling 7. Error handling for storage failures **Implementation Risks:** - RNG initialization (platform-specific APIs, early boot scenarios, virtualized environments) - Mixing logic (if SHOULD not MUST, implementations may skip) - Blacklist implementation (database choice, transaction semantics, concurrent access, distributed synchronization) - Testing challenges (cannot test all RNG states, cannot simulate all failure modes) **M2's Approach (Deterministic HKDF):** **Required Components:** 1. HKDF-Extract (HMAC-SHA256) 2. HKDF-Expand (HMAC-SHA256) 3. Scalar validity check (r = 0 or r >= n) 4. Domain separation tags 5. (Optional) Blacklist for defense-in-depth **Implementation Risks:** - HKDF implementation (use standard library - well-tested implementations available) - Input serialization (correct encoding of ctx_hash) - Testing (fully deterministic - can use test vectors from RFC 5869) **Comparative Analysis:** | Aspect | CSPRNG + Blacklist | Deterministic HKDF | |--------|-------------------|-------------------| | Lines of code | ~500-1000 | ~100-200 | | External dependencies | OS APIs, database, sync primitives | Hash library (standard) | | State management | Complex (persistent, concurrent) | None | | Platform-specific code | High (RNG APIs vary) | Low (hash libraries portable) | | Testing complexity | High (non-deterministic, state-dependent) | Low (deterministic, pure function) | | Failure modes | Many (RNG, storage, races) | Few (hash collision - negligible) | **Verdict:** Deterministic HKDF approach is **significantly more robust** - simpler implementation, deterministic testing, no state management, portable, industry precedent (RFC 6979, EdDSA, BIP-340). **6. Production Readiness Verdict** **Question:** Is v2.7's approach safe for mainnet Bitcoin bridge deployment? **Critical Infrastructure Requirements:** 1. Irreversibility (Bitcoin transactions cannot be reversed) 2. High value (bridge may control significant funds) 3. Distributed deployment (multiple implementations, platforms, environments) 4. Long-term security (keys may be used over months/years) 5. Attack surface (public, high-value target) **v2.7 Risk Assessment:** **Acceptable Risks:** - Adaptor signature cryptography (Schnorr, MuSig2) - well-understood - Context binding (ctx_hash) - adequately specified - CSPRNG quality on modern platforms - generally good **Unacceptable Risks:** 1. **RNG Dependency:** Historical evidence (three major failures), platform variability, zero tolerance (single nonce reuse = complete key compromise) 2. **Blacklist as Primary Defense:** Operational mechanism (not cryptographic guarantee), state management risks, detection vs. prevention 3. **Optional Mixing (SHOULD):** Implementation variability, testing gap, weakens defense **Verdict:** **PARTIAL - v2.7 is conditionally acceptable with modifications** **Required Changes for Production Readiness:** **Change 1: Make Session-Data Mixing MANDATORY (Change SHOULD to MUST)** ``` Current (Line 113): "Implementations SHOULD mix in session-specific data..." Recommended: "Implementations MUST mix in session-specific data (secret_key, aggregate pubkey, message, ctx_hash) using HKDF-Extract(salt=ctx_hash, ikm=secret_key) before CSPRNG expansion for defense-in-depth against RNG state repetition." ``` **Rationale:** Provides deterministic base layer (similar to M2's approach) + CSPRNG adds additional entropy (defense-in-depth). Mandatory ensures all implementations protected. **Change 2: Strengthen Blacklist Specification** ``` Add to Line 114: "Blacklist implementation MUST: - Use atomic check-and-insert operations (prevent race conditions) - Persist to durable storage (survive restarts) - Verify integrity on load (detect corruption) - Scope: per signing key, per protocol instance - Implement distributed consensus if multi-instance deployment" ``` **Rationale:** Current specification too vague. Implementation details critical for security. **Change 3: Add Deterministic Derivation as RECOMMENDED Profile** ``` Add to §4 (after Line 115): "Alternative Profile (RECOMMENDED for high-security deployments): Implementations MAY use deterministic nonce derivation per §10.1 (if added) instead of fresh CSPRNG. If using deterministic derivation, the R blacklist SHOULD still be implemented for defense-in-depth but is not required for correctness." ``` **Rationale:** Allows high-security deployments to use M2's approach. Maintains compatibility with BIP-327-compliant implementations. **Modified v2.7 Assessment:** With these three modifications: - **Mandatory mixing:** Provides deterministic base + CSPRNG augmentation - **Strengthened blacklist:** Improves operational robustness - **Deterministic option:** Allows high-security deployments **Verdict:** Modified v2.7 (with changes above) is **acceptable for production**. **Without modifications:** Current v2.7 has unacceptable risks for critical infrastructure due to: 1. Optional mixing (allows pure CSPRNG implementations) 2. Vague blacklist specification (implementation-dependent quality) 3. No deterministic option for risk-averse deployments --- ## Final Determination **Result:** ⚠️ **PARTIAL** **Lead Auditor Reasoning:** v2.7's CSPRNG + blacklist approach represents **significant progress** from v2.0's bare MUST clause but **falls short of cryptographic enforcement** recommended by M2's peer review. **Strengths of v2.7 Approach:** 1. ✅ Fresh CSPRNG randomness per session (probabilistic uniqueness) 2. ✅ R blacklist mechanism (runtime detection of failures) 3. ✅ Session-data mixing guidance (defense-in-depth, though optional) 4. ✅ Explicit compartmentalization MUST clause (unique R, T per adaptor) 5. ✅ BIP-327 compliance (fresh nonces, not deterministic from secret_key alone) **Critical Gaps:** 1. ❌ **Session-data mixing is optional (SHOULD, not MUST):** Allows implementations to rely solely on CSPRNG, reintroducing RNG failure risks M2's analysis highlights 2. ❌ **Blacklist specification vague:** No requirements for persistence (survive restarts?), concurrency (atomic operations?), scope (per-process? per-machine? distributed?) 3. ❌ **No deterministic profile option:** High-security deployments have no path to eliminate RNG dependency entirely 4. ⚠️ **BIP-327 co-signer prediction concern overly conservative:** Deterministic derivation from (secret_key + ctx_hash) is safe; v2.7 prohibits it unnecessarily **Evidence-Based Assessment:** **Historical Failure Prevention:** - v2.7 CSPRNG approach would NOT have prevented blockchain.info 2013 (SecureRandom bug) - v2.7 CSPRNG approach would NOT have prevented Android wallet 2013 (SecureRandom predictability) - v2.7 Blacklist might have detected PlayStation 3 2010 (if checked), but detection is post-facto - M2's deterministic HKDF would have prevented ALL THREE failures (zero RNG dependency) **Standards Framework Compliance:** - ✅ BIP-327 (MuSig2) compliance: Yes (fresh nonces, blacklist detection) - ⚠️ RFC 6979 (deterministic nonces) adoption: No (industry standard not offered as option) - ⚠️ RFC 5869 (HKDF) usage: Mentioned in mixing guidance but not required - ✅ BIP-340 (Schnorr) alignment: Yes (R normalization, canonical encodings) **Production Readiness:** **Current v2.7 (unmodified):** ⚠️ **NOT PRODUCTION-READY** for critical infrastructure - Reason 1: Optional mixing allows pure CSPRNG implementations (unacceptable RNG dependency) - Reason 2: Vague blacklist specification creates implementation-dependent quality - Reason 3: No deterministic option for high-security deployments requiring zero RNG risk **Modified v2.7 (with three changes):** ✅ **PRODUCTION-READY** (acceptable) - Change 1: Mandatory mixing (SHOULD → MUST with HKDF-Extract base) - Change 2: Strengthen blacklist specification (persistence, atomicity, scope requirements) - Change 3: Add deterministic profile option (RECOMMENDED for high-security) **M2's Approach (optimal):** ✅ **OPTIMAL FOR CRITICAL INFRASTRUCTURE** - Reason: Cryptographic guarantee of uniqueness, zero RNG dependency, stateless, industry precedent **Acceptance Criteria for Full Resolution:** This issue can be considered **RESOLVED** when: 1. **Specification changes:** - [ ] Change Line 113 "SHOULD mix" to "MUST derive with HKDF-Extract base + CSPRNG expansion" - [ ] Add concrete blacklist implementation requirements to Line 114 (persistence, atomicity, scope) - [ ] Add §10.1 deterministic profile option (RECOMMENDED for high-security deployments) 2. **Implementation guidance:** - [ ] Test vectors provided (minimum 10 covering uniqueness, determinism, edge cases) - [ ] Reference implementation (demonstrating both CSPRNG+mixing and deterministic profiles) - [ ] Blacklist implementation example (persistence, concurrency, distributed scenarios) 3. **External review:** - [ ] Independent cryptographic audit of modified approach - [ ] Validation that mandatory mixing provides adequate deterministic base - [ ] Confirmation that deterministic profile option meets M2's security requirements **Interim Recommendation:** **FOR IMMEDIATE DEPLOYMENT:** Adopt modified v2.7 with three mandatory changes (acceptable but not optimal) **FOR OPTIMAL SECURITY:** Adopt M2's deterministic HKDF approach (§10.1) as primary method with blacklist as defense-in-depth (recommended for critical infrastructure controlling large sums) --- ## Gaps (Detailed) ### Gap 1: Optional Session-Data Mixing (CRITICAL) **Location:** Line 113 **Current Text:** > "Implementations SHOULD mix in session-specific data (`secret_key`, aggregate pubkey, message, `ctx_hash`) for defense-in-depth against RNG state repetition." **Issue:** SHOULD (optional) rather than MUST (mandatory) allows implementations to skip mixing and rely solely on CSPRNG. **Impact:** - Pure CSPRNG implementations vulnerable to RNG failures (blockchain.info 2013, Android 2013) - No deterministic base layer to guarantee uniqueness if RNG fails - Testing gap (cannot verify all implementations mix correctly) **Framework Reference:** - RFC 6979 §3.2: Deterministic nonce generation prevents RNG failures - BIP-340 Nonce Generation: "Nonces SHOULD be derived deterministically" - Industry best practice: Don't rely solely on RNG for cryptographic critical values **Recommendation:** ``` Change to MUST: "Implementations MUST derive nonce base material using HKDF-Extract: base = HKDF-Extract(salt=ctx_hash, ikm=secret_key) Then expand with CSPRNG mixing: k_{1,i} = base || CSPRNG(32 bytes) k_{2,i} = base || CSPRNG(32 bytes) Derive scalars via HKDF-Expand(base, "PVUGC/MuSig2-Nonce/v1" || counter). This ensures deterministic uniqueness (via ctx_hash) with additional randomness (via CSPRNG) for defense-in-depth." ``` **Acceptance Criteria:** - [ ] Line 113 changed from SHOULD to MUST - [ ] HKDF-Extract with salt=ctx_hash, ikm=secret_key specified - [ ] CSPRNG mixing specified as additional layer (not sole defense) - [ ] Test vectors provided validating mixing produces different outputs --- ### Gap 2: Blacklist Specification Vagueness (HIGH) **Location:** Line 114 **Current Text:** > "Implementations MUST maintain a blacklist of aggregate nonce values $R$ and reject any reuse before signing. This provides operational protection against RNG or state management failures." **Issue:** No specification of: - Persistence (survive restarts?) - Concurrency (atomic check-and-insert?) - Scope (per-process? per-machine? distributed?) - Integrity (detect corruption?) - Synchronization (multi-instance deployment?) **Impact:** - Weak implementations possible (in-memory blacklist cleared on restart) - Race conditions (check-then-sign without atomicity) - Scope confusion (blacklist not shared across distributed signers) - Storage corruption undetected **Framework Reference:** - §6.2 Implementation Guidance: State management requires persistence, atomicity, integrity verification - Database best practices: ACID properties for security-critical operations **Recommendation:** ``` Add concrete requirements: "Blacklist implementation requirements: - Scope: Per aggregate public key, scoped to protocol instance - Persistence: MUST survive process restarts (durable storage) - Atomicity: Check-and-insert MUST be atomic operation (prevent races) - Integrity: Verify blacklist integrity on load (detect corruption) - Synchronization: Distributed deployments MUST use consensus mechanism - Performance: Index by R_x (x-only coordinate) for O(1) lookup - Storage: Implementations SHOULD support pruning after key rotation" ``` **Acceptance Criteria:** - [ ] Line 114 expanded with concrete implementation requirements - [ ] Persistence requirement specified (durable storage) - [ ] Atomicity requirement specified (prevent race conditions) - [ ] Scope requirement specified (per-key, per-instance) - [ ] Reference implementation demonstrating blacklist with persistence --- ### Gap 3: No Deterministic Profile Option (HIGH) **Location:** §4 (after Line 115) **Current Text:** (None - deterministic profile not offered) **Issue:** High-security deployments have no option to eliminate RNG dependency entirely via deterministic nonce derivation. **Impact:** - Critical infrastructure controlling large sums cannot achieve zero-RNG-risk profile - M2's peer review recommendation (deterministic HKDF) not adopted - No path for implementations to follow RFC 6979 / EdDSA / BIP-340 precedent **Framework Reference:** - RFC 6979: Deterministic ECDSA nonce generation (industry standard for preventing RNG failures) - RFC 8032 (EdDSA): Deterministic nonces mandatory (no randomness) - BIP-340: "Nonces SHOULD be derived deterministically" **Recommendation:** ``` Add new section: "### Alternative Nonce Generation Profile (RECOMMENDED for High-Security) For deployments requiring maximum robustness against RNG failures, implementations MAY use fully deterministic nonce derivation: Function: Derive_MuSig2_Nonce_Deterministic(secret_key_i, ctx_hash) 1. prk = HKDF-Extract(salt=ctx_hash, ikm=secret_key_i) using SHA-256 2. okm_1 = HKDF-Expand(prk, "PVUGC/MuSig2-Nonce/v1" || 0x00, 32) 3. okm_2 = HKDF-Expand(prk, "PVUGC/MuSig2-Nonce/v1" || 0x01, 32) 4. k_{1,i} = bytes_to_scalar(okm_1), k_{2,i} = bytes_to_scalar(okm_2) 5. Validity check: if k = 0 or k >= n: ABORT Security properties: - Uniqueness: ctx_hash uniqueness → nonce uniqueness (SHA-256 collision resistance) - Unpredictability: PRF security (HMAC-SHA256) + secret_key_i privacy - Resilience: No RNG dependency (stateless, deterministic) If using deterministic profile: - R blacklist SHOULD still be implemented (defense-in-depth) but is not required for correctness - Nonce commitment phase MUST still be used per BIP-327 (prevents adaptive attacks) Precedent: RFC 6979 (deterministic ECDSA), EdDSA (RFC 8032), BIP-340 (recommends deterministic nonces)" ``` **Acceptance Criteria:** - [ ] §10.1 (or equivalent) added with complete deterministic profile specification - [ ] HKDF parameters specified (salt=ctx_hash, ikm=secret_key, info tags) - [ ] Security properties formally stated (uniqueness, unpredictability, resilience) - [ ] Test vectors provided (minimum 5 for deterministic profile) - [ ] Reference implementation demonstrating deterministic derivation --- ### Gap 4: BIP-327 Co-Signer Prediction Misinterpretation (MEDIUM) **Location:** Line 113 **Current Text:** > "Nonces MUST NOT be fully deterministic from `secret_key` alone (prevents co-signer prediction attacks per BIP‑327 §NonceGen)." **Issue:** This prohibition is **overly conservative** and incorrectly interprets BIP-327's security concern. **Analysis:** **BIP-327's actual concern:** Malicious co-signer B predicting co-signer A's nonce commitment before A reveals it (enables Wagner's attack with adaptive nonce selection). **Unsafe approach (what BIP-327 warns against):** ``` r_i = HKDF(secret_key_i, message) // Deterministic from secret_key ALONE ``` ❌ If all signers use same derivation function, co-signers knowing each other's public keys can compute each other's nonces. **M2's approach (safe):** ``` r_{1,i}, r_{2,i} = HKDF(secret_key_i, ctx_hash) // Deterministic from secret_key + ctx_hash ``` ✅ Co-signers cannot predict each other's nonces because: 1. secret_key_i is private (known only to signer i) 2. ctx_hash is public but session-specific (all signers agree BEFORE nonce generation) 3. To predict signer A's nonce, signer B needs A's secret_key_i (already compromises the key) **Impact:** - v2.7 prohibits safe deterministic derivation from (secret_key + ctx_hash) - Unnecessarily forces RNG dependency - Misinterprets BIP-327 security requirement **Framework Reference:** - BIP-327 §NonceGen: Actual requirement is nonce commitment phase (prevents adaptive attacks), not fresh randomness per se - RFC 6979 §3: Deterministic nonces safe when derived from (secret_key + message) **Recommendation:** ``` Clarify Line 113: "Nonces MUST NOT be deterministic from `secret_key` alone. However, deterministic derivation from (secret_key + ctx_hash) via HKDF is safe and RECOMMENDED for high-security deployments (see Alternative Profile). The ctx_hash provides session-specific differentiation preventing co-signer prediction attacks." ``` **Acceptance Criteria:** - [ ] Line 113 clarified to distinguish "secret_key alone" from "secret_key + ctx_hash" - [ ] Documentation explains why ctx_hash mixing prevents co-signer prediction - [ ] Alternative deterministic profile explicitly permitted and recommended --- ## Recommendations ### Normative (MUST) - Specification Changes **Priority 1: Make Session-Data Mixing MANDATORY (CRITICAL)** **Current:** Line 113 - "Implementations SHOULD mix in session-specific data..." **Recommended Change:** ```markdown **Nonce generation (MUST - BIP‑327):** Each signer MUST generate nonces per the following procedure: 1. Derive deterministic base material: base = HKDF-Extract(salt=ctx_hash, ikm=secret_key_i) using SHA-256 2. Expand with CSPRNG mixing (defense-in-depth): k_{1,i} = HKDF-Expand(base, "PVUGC/MuSig2-Nonce/v1" || 0x00 || CSPRNG(32), 32) k_{2,i} = HKDF-Expand(base, "PVUGC/MuSig2-Nonce/v1" || 0x01 || CSPRNG(32), 32) 3. Validity check: if k = 0 or k >= n: ABORT This provides deterministic uniqueness (via ctx_hash) with additional randomness (via CSPRNG) for defense-in-depth against RNG state repetition. ``` **Rationale:** Combines M2's deterministic base (prevents RNG failures) with v2.7's randomness (addresses BIP-327 fresh randomness preference). Mandatory ensures all implementations protected. **Acceptance Criteria:** - [ ] Line 113 changed from SHOULD to MUST - [ ] HKDF-Extract specified with salt=ctx_hash, ikm=secret_key - [ ] CSPRNG mixing specified as additional layer - [ ] Validity check specified (reject k=0 or k>=n) --- **Priority 2: Strengthen Blacklist Specification (HIGH)** **Current:** Line 114 - "Implementations MUST maintain a blacklist..." **Recommended Addition:** ```markdown **Nonce reuse prevention (MUST):** Implementations MUST maintain a blacklist of aggregate nonce values $R$ and reject any reuse before signing. Blacklist implementation requirements: - **Scope:** Per aggregate public key, scoped to protocol instance - **Persistence:** MUST survive process restarts (durable storage: database, file) - **Atomicity:** Check-and-insert MUST be atomic operation (prevent race conditions) - **Integrity:** Verify blacklist integrity on load (detect corruption via checksums) - **Synchronization:** Distributed deployments MUST use consensus mechanism or shared storage - **Performance:** Index by R_x (x-only coordinate) for O(1) lookup - **Storage:** Implementations SHOULD support pruning after key rotation This provides operational protection against RNG or state management failures. ``` **Rationale:** Current specification too vague. Concrete requirements ensure robust implementations and prevent weak/incomplete blacklist mechanisms. **Acceptance Criteria:** - [ ] Line 114 expanded with concrete implementation requirements - [ ] Persistence specified (durable storage) - [ ] Atomicity specified (prevent races) - [ ] Integrity verification specified (detect corruption) - [ ] Reference implementation provided demonstrating blacklist with all requirements --- **Priority 3: Add Deterministic Profile Option (HIGH)** **Location:** New section §10.1 (or after Line 115 in §4) **Recommended Addition:** ```markdown ### Alternative Nonce Generation Profile (RECOMMENDED for High-Security) For deployments requiring maximum robustness against RNG failures, implementations MAY use fully deterministic nonce derivation: **Function:** `Derive_MuSig2_Nonce_Deterministic(secret_key_i, ctx_hash)` **Algorithm:** 1. Extract: Per RFC 6979 convention, ctx_hash (public context) is salt, secret_key_i (private) is IKM - prk = HKDF-Extract(salt=ctx_hash, ikm=secret_key_i) using SHA-256 2. Expand: Two nonces for BIP-327 two-nonce MuSig2 - okm_1 = HKDF-Expand(prk, "PVUGC/MuSig2-Nonce/v1" || 0x00, 32) - okm_2 = HKDF-Expand(prk, "PVUGC/MuSig2-Nonce/v1" || 0x01, 32) 3. Scalar Conversion: - k_{1,i} = bytes_to_integer(okm_1) (big-endian) - k_{2,i} = bytes_to_integer(okm_2) (big-endian) 4. Validity Check: - if k = 0 or k >= n: ABORT (invalid scalar) - where n = secp256k1 order 5. Output: (k_{1,i}, k_{2,i}) (valid scalars in [1, n-1]) **Security Properties:** - **Uniqueness:** ctx_hash uniqueness → nonce uniqueness (SHA-256 collision resistance) - **Unpredictability:** PRF security (HMAC-SHA256) + secret_key_i privacy - **Resilience:** No RNG dependency (stateless, deterministic, reproducible) - **Domain Separation:** Tag "PVUGC/MuSig2-Nonce/v1" prevents cross-protocol reuse **If using deterministic profile:** - R blacklist SHOULD still be implemented (defense-in-depth) but not required for correctness - Nonce commitment phase MUST still be used per BIP-327 (prevents adaptive attacks) - Co-signer prediction safe: ctx_hash provides session-specific differentiation **Precedent:** RFC 6979 (deterministic ECDSA), EdDSA (RFC 8032), BIP-340 (recommends deterministic nonces) **Test Vectors:** (Minimum 5 vectors covering determinism, uniqueness, edge cases) ``` **Rationale:** Allows high-security deployments to eliminate RNG dependency entirely. Follows industry standards (RFC 6979, EdDSA, BIP-340). Aligns with M2's peer review recommendation. **Acceptance Criteria:** - [ ] §10.1 (or equivalent) added to specification - [ ] Complete algorithm specified (HKDF parameters, validity checks) - [ ] Security properties formally stated - [ ] Test vectors provided (minimum 5) - [ ] Reference implementation provided --- ### Recommended (SHOULD) - Implementation and Testing **Recommendation 4: Provide Test Vectors** **Deliverable:** Minimum 15 test vectors covering: **Mandatory Mixing Profile (10 vectors):** 1. Normal case (different ctx_hash, same secret_key) 2. Normal case (same ctx_hash, different secret_key) 3. Edge case (ctx_hash differing by 1 bit - avalanche test) 4. Edge case (secret_key = 0x01 - minimum valid key) 5. Edge case (secret_key = n-1 - maximum valid key) 6. Two-nonce independence (k_{1,i} ≠ k_{2,i} for same ctx_hash) 7. CSPRNG mixing verification (different CSPRNG → different k) 8. Validity check (k=0 rejection scenario - artificial) 9. Validity check (k>=n rejection scenario - artificial) 10. Determinism with mixing (same inputs → same base, different final k due to CSPRNG) **Deterministic Profile (5 vectors):** 1. Normal case (different ctx_hash → different k_{1,i}, k_{2,i}) 2. Determinism (same inputs → same outputs, repeated 3 times) 3. Context sensitivity (ctx_hash differs by 1 bit → different k) 4. Two-nonce independence (k_{1,i} ≠ k_{2,i}) 5. Edge case (secret_key near boundary values) **Test Vector Format:** ``` Test Vector #N: Profile: [Mandatory Mixing / Deterministic] secret_key_i: [hex 32 bytes] ctx_hash: [hex 32 bytes] CSPRNG_seed: [hex 64 bytes] (for mandatory mixing profile only) Expected Intermediate Values: prk: [hex 32 bytes] (HKDF-Extract output) okm_1: [hex 32 bytes] (HKDF-Expand output, first nonce) okm_2: [hex 32 bytes] (HKDF-Expand output, second nonce) Expected Output: k_{1,i}: [hex 32 bytes] (first scalar, big-endian) k_{2,i}: [hex 32 bytes] (second scalar, big-endian) R_{1,i}: [hex 33 bytes] (compressed public key, 0x02 or 0x03 prefix) R_{2,i}: [hex 33 bytes] (compressed public key, 0x02 or 0x03 prefix) ``` **Acceptance Criteria:** - [ ] 15+ test vectors provided - [ ] Vectors cover mandatory mixing and deterministic profiles - [ ] Vectors include edge cases and negative tests - [ ] Reference implementation validates against all vectors --- **Recommendation 5: Reference Implementation** **Deliverable:** Reference implementation demonstrating: **Core Functionality:** 1. Mandatory mixing profile (HKDF-Extract base + CSPRNG expansion) 2. Deterministic profile (fully deterministic HKDF derivation) 3. Blacklist mechanism (persistent storage, atomic operations, integrity checks) 4. BIP-327 integration (two-nonce generation, nonce aggregation, R normalization) 5. Secnonce erasure (immediate after signing) **Implementation Requirements:** - Language: Rust or C++ (with libsecp256k1) - Dependencies: Standard cryptographic libraries (OpenSSL, RustCrypto, arkworks) - Constant-time: HMAC-SHA256 constant-time, scalar operations constant-time - Testing: Unit tests for all functions, integration tests for full MuSig2 flow - Documentation: API documentation, usage examples, security considerations **Code Structure (~500 lines):** ``` src/ nonce.rs // Nonce derivation (mandatory mixing + deterministic profiles) blacklist.rs // R blacklist (persistent storage, atomicity) musig2.rs // BIP-327 integration (nonce aggregation, signing) tests/ test_vectors.rs // Test vector validation uniqueness_test.rs // 1000+ uniqueness tests attack_sim.rs // Key extraction attack simulation (negative test) ``` **Acceptance Criteria:** - [ ] Reference implementation complete (both profiles) - [ ] All test vectors pass - [ ] Blacklist demonstrates persistence and atomicity - [ ] Constant-time implementation verified - [ ] Documentation complete (API docs, usage guide) --- **Recommendation 6: External Cryptographic Review** **Scope:** 1. Review modified §4 nonce generation specification (mandatory mixing) 2. Review §10.1 deterministic profile specification 3. Validate HKDF parameter choices (salt=ctx_hash, ikm=secret_key, info tags) 4. Verify security properties (uniqueness, unpredictability, resilience) 5. Compare with RFC 6979, BIP-340, BIP-327 approaches 6. Review reference implementation for side-channels 7. Validate test suite coverage **Timeline:** 2-3 months **Deliverable:** Independent audit report **Recommended Reviewers:** - Academic cryptographers (publications on Schnorr/MuSig) - Bitcoin Core developers (BIP-340, BIP-327 expertise) - Professional security auditors (Trail of Bits, NCC Group, Kudelski Security) **Acceptance Criteria:** - [ ] External review scheduled and completed - [ ] Audit report received with findings - [ ] All audit findings addressed - [ ] Reviewer confirms modified specification is sound --- ## Summary of Recommendations | Recommendation | Priority | Change Type | Impact | |---------------|----------|-------------|--------| | 1. Mandatory mixing | MUST | Change SHOULD → MUST | Prevents pure CSPRNG failures | | 2. Strengthen blacklist spec | MUST | Add requirements | Ensures robust implementations | | 3. Add deterministic option | MUST | Add alternative profile | Enables high-security deployments | | 4. Provide test vectors | SHOULD | Add 15+ test vectors | Validates implementations | | 5. Reference implementation | SHOULD | Provide code | Demonstrates both profiles | | 6. External review | SHOULD | Independent audit | Validates security properties | **With these recommendations implemented:** - ✅ Mandatory deterministic base layer (via HKDF mixing) - prevents RNG failures - ✅ Optional CSPRNG augmentation - addresses BIP-327 fresh randomness preference - ✅ Robust blacklist specification - operational defense-in-depth - ✅ Deterministic option - for risk-averse deployments (optimal for critical infrastructure) **Production readiness verdict:** - **Current v2.7 (unmodified):** ⚠️ PARTIAL - Unacceptable risks for critical infrastructure - **Modified v2.7 (with Recommendations 1-3):** ✅ ACCEPTABLE - Layered defense with deterministic base - **M2's deterministic HKDF approach:** ✅ OPTIMAL - Maximum robustness for high-value bridges --- ## Cross-References **Specification:** - PVUGC-2025-10-27.md §4 Lines 111-114 (MuSig2 nonce generation) - PVUGC-2025-10-27.md §10 Line 372 (Crypto profile summary) - PVUGC-2025-10-27.md §10 Line 306 (Mandatory hygiene - fresh MuSig2 R) - PVUGC-2025-10-27.md §9 Line 361 (Compartmentalization security property) **Historical Analysis:** - report-peer_review-2025-10-26/PVUGC-008.md (v3.0 - M2's refutation and deterministic HKDF specification) - report-preliminary-2025-10-07/PVUGC-008-musig2-compartmentalization.md (v1.0 - initial identification) - report-update-2025-10-07/PVUGC-008-musig2-compartmentalization.md (v2.0 - MUST clause added, 720 lines analysis) **Expert Consultations:** - .consultation-pvugc-008-crypto.md (consultation prompt) - .consultation-pvugc-008-crypto-response.md (detailed analysis - PARTIAL vote) **Related Issues:** - PVUGC-005 (Context Binding) - ctx_hash uniqueness is foundation for nonce uniqueness **External Standards:** - BIP-327: MuSig2 for BIP340-compatible Multi-Signatures - BIP-340: Schnorr Signatures for secp256k1 - RFC 5869: HMAC-based Extract-and-Expand Key Derivation Function (HKDF) - RFC 6979: Deterministic Usage of DSA and ECDSA - RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA) --- **Report prepared by:** Claude (Standards Compliance Auditor) **Consultation:** Crypto-Peer-Reviewer Agent (Vote: PARTIAL) **Report date:** 2025-10-28 **Report version:** Standards Validation v2.0 --- **END OF REPORT**