Schnorrkel uprev

[sugargoat]

Soundtrack of this PR: DJ Fauci

Motivation

We we were previously carrying a patch of Schnorrkel in order to pass in our own rng, which enabled us to build in no_std. However, as mentioned in w3f/schnorrkel#55, we can use attach_rng instead. This requires us to use the Merlin Transcript directly, as opposed to the signing_context, which is a wrapper around a Transcript. This is fine, as the signing context functionality is preserved in this revision.

In this PR

• Remove patch to schnorrkel and uprev to "0.9"
• Add context_tag to digest as well, addressing remaining FIXME

MC-1619, MC-1761

[cbeck88]

I think it would be a good idea to add as a prefix, the length of the context_tag as well, since it is variable length
that prevents situations where "", private_key1 "privatekey1 foo" has the same nonce as a signature from another context"privatekey1", privatekey1, "foo")

[cbeck88]

(i dont think we need framing around the message because it is the last thing in the sequence)

[cbeck88]

i think this kind of framing is what merlin does: https://merlin.cool/transcript/ops.html#appending-messages

[isislovecruft]

I agree that including the lengths of any variable-length tags/context/etc. is a good idea. For simplicity's sake, you probably just want to use merlin again for the nonce generation here, using Transcript.build_rng(), so that you're getting identical behaviour w.r.t. domain separation as you are in the Schnorrkel signature (or, at least, no worse, since Schnorrkel is also using merlin).

[cbeck88]

LGTM otherwise!

[isislovecruft]

Looks good to me.

[isislovecruft]

I agree that including the lengths of any variable-length tags/context/etc. is a good idea. For simplicity's sake, you probably just want to use merlin again for the nonce generation here, using Transcript.build_rng(), so that you're getting identical behaviour w.r.t. domain separation as you are in the Schnorrkel signature (or, at least, no worse, since Schnorrkel is also using merlin).

[xoloki]

LGTM