Add note about nonce reuse in the implementation of compute_rand_i_j

LedgerHQ · Dec 3, 2024 · 6f50e7a · 6f50e7a
1 parent f2b0f90
commit 6f50e7a
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/musig/musig_sessions.c b/src/musig/musig_sessions.c
@@ -75,6 +75,11 @@ void compute_rand_i_j(const musig_psbt_session_t *psbt_session,
                       int i,
                       int j,
                       uint8_t out[static 32]) {
+    // It is extremely important that different choices of the root of randomness, i and j always
+    // produce a different result in out.
+    // Failure would be catastrophic as it would cause nonce reuse, which in MuSig2 allows attackers
+    // to recover the private key.
+
     cx_sha256_t hash_context;
     cx_sha256_init(&hash_context);
     crypto_hash_update(&hash_context.header, psbt_session->_rand_root, CX_SHA256_SIZE);