State minimization in MuSig2 signing sessions

Original Post by salvatoshi

Posted on: March 6, 2024 18:17 UTC

A discussion on hardening the MuSig2 implementation on Ledger devices raised the question of how signing nonces should be generated.

One proposal is to seed nonce generation from the True Random Number Generator (TRNG) in the device's Secure Element. The alternative, CounterNonceGen, instead requires a secure atomic counter that is incremented for every nonce. Whichever mechanism is chosen, TRNG or atomic counter, the overall design for managing psbt-level signing sessions can stay the same.

The post then looked at what CounterNonceGen demands of psbt-level sessions: the session state, identified by session_id, must commit to both the initial counter value and the number of signatures expected for that psbt. This commitment matters most when several psbt signing flows run concurrently, since it is what stops two sessions from drawing the same counter value and therefore reusing a nonce, and it makes the nonce bookkeeping auditable after the fact.
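The following is an added illustration of the session design described above; it is not code from the post or from Ledger's bitcoin app. It models a counter-based signer that, when a psbt-level session is opened, atomically reserves a contiguous counter range sized to the expected number of signatures and records the start value in the session state. The `AtomicCounter`, `SessionManager`, `session_id` layout and the HMAC-based nonce derivation are all hypothetical stand-ins (the derivation is not BIP-327's CounterNonceGen); what the example shows is that concurrent sessions get disjoint counter values, that a session cannot produce more nonces than it committed to, and that the same index cannot be consumed twice.

```python
# Added example: psbt-level MuSig2 session state that commits to a counter range.
# Illustrative only. AtomicCounter stands in for a secure monotonic counter in
# the device; the k1/k2 derivation is an HMAC stand-in, not BIP-327 CounterNonceGen.
import hashlib
import hmac
import threading
from dataclasses import dataclass, field


class AtomicCounter:
    """Monotonic counter; values are never handed out twice."""

    def __init__(self, start: int = 0) -> None:
        self._next = start
        self._lock = threading.Lock()

    def reserve(self, count: int) -> int:
        """Atomically claim `count` consecutive values and return the first one."""
        if count <= 0:
            raise ValueError("must reserve at least one nonce")
        with self._lock:
            first = self._next
            self._next += count
            return first


@dataclass
class Session:
    psbt_hash: bytes
    counter_start: int          # committed when the session is opened
    expected_sigs: int          # committed when the session is opened
    used: set = field(default_factory=set)  # signature indices already consumed


class SessionManager:
    def __init__(self, signing_key: bytes, counter: AtomicCounter) -> None:
        self._sk = signing_key
        self._counter = counter
        self._sessions: dict = {}
        self._lock = threading.Lock()

    def open_session(self, psbt_hash: bytes, expected_sigs: int) -> bytes:
        """Reserve [start, start + expected_sigs) and bind it to a session_id."""
        start = self._counter.reserve(expected_sigs)
        # Hypothetical session_id layout: hash of the psbt and the committed start.
        session_id = hashlib.sha256(psbt_hash + start.to_bytes(8, "big")).digest()[:16]
        with self._lock:
            self._sessions[session_id] = Session(psbt_hash, start, expected_sigs)
        return session_id

    def gen_secnonce(self, session_id: bytes, sig_index: int) -> tuple:
        """Derive (k1, k2) for one signature of the session from its counter value."""
        with self._lock:
            s = self._sessions[session_id]
            if not 0 <= sig_index < s.expected_sigs:
                raise ValueError("signature index outside the committed count")
            if sig_index in s.used:
                raise ValueError("nonce for this signature already generated")
            s.used.add(sig_index)
            counter = s.counter_start + sig_index
            psbt_hash = s.psbt_hash
        # The counter value is the only source of freshness here, so reusing one
        # (across sessions or within a session) would reuse the nonce.
        msg = counter.to_bytes(8, "big") + session_id + psbt_hash
        k1 = hmac.new(self._sk, b"k1" + msg, hashlib.sha256).digest()
        k2 = hmac.new(self._sk, b"k2" + msg, hashlib.sha256).digest()
        return k1, k2

    def audit(self, session_id: bytes) -> tuple:
        """Return (counter_start, expected_sigs, nonces_used) for review."""
        with self._lock:
            s = self._sessions[session_id]
            return s.counter_start, s.expected_sigs, len(s.used)

    def close_session(self, session_id: bytes) -> None:
        """Drop the session; reserved counter values are never reclaimed."""
        with self._lock:
            self._sessions.pop(session_id, None)
```

Because the range is reserved when the session is opened rather than when each nonce is drawn, the state held per session is just three numbers plus the set of consumed indices, and an audit can confirm that a session used exactly the values it committed to. Swapping in a TRNG-seeded nonce source would remove the counter reservation but leave the session bookkeeping unchanged.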