Round 1: Nonce Generation and Aggregation

Round 1 in NestedMuSig2 mirrors MuSig2 in spirit but adds an explicit layered aggregation structure.

Each leaf signer i runs Sign, samples ν = 2 random nonce scalars r_{i,1}, r_{i,2}, and publishes the corresponding group element for each as its nonce commitment:

$$R_{i,j} = g^{r_{i,j}}$$

An internal node then combines child commitments coordinate-wise with SignAgg:

$$R'_j = \prod_i R_{i,j}$$

These R-prime values are the internal aggregate nonces. They are pre-binding values (no binding coefficient has been applied to them yet) and must be retained locally for the Round 2 calculations.

Next comes SignAggExt, which is the critical defense step:

$$b = H_{\text{non}}(\tilde{X}, R'_1, \ldots, R'_\nu)$$
$$R_j = (R'_j)^{b^{j-1}}$$

The output R_j values are the external aggregate nonces that propagate upward. The transform ties every R_j to the aggregate key and to the entire pre-binding nonce vector, so no party can adjust its contribution after seeing the others' without also changing b. Without this binding step, aggregated nonce vectors are malleable across concurrent sessions, which is exactly what Wagner-style and ROS-style attacks on multi-party Schnorr signing exploit.

A key timing insight from the paper is when each hash appears. During Round 1, every level, including the root, runs SignAggExt with $H_{\text{non}}$ over the pre-binding nonce aggregates, and no message is hashed yet. The message-dependent variant $\bar{H}_{\text{non}}(\tilde{X}, R'_1, \ldots, R'_\nu, m)$ appears only in Round 2, where Sign' computes the root-level binding value $b_0$ and includes the message m.

That split is essential for real systems. Lower-level nonce exchange and aggregation stay message-independent, so they can complete before final message construction, fee finalization, or policy checks.

Keep the distinction clear:

  • Internal aggregate: pre-binding output from SignAgg, needed by Sign'.
  • External aggregate: post-binding output from SignAggExt, forwarded to the parent.

If you only keep the external values, Round 2 cannot reconstruct the required cascade correctly for deeper signers.

Operationally, Round 1 is also where robust transcript handling matters. Each node should record which child outputs were included, in which coordinate slots, and which aggregate key was used for the binding hash. If a participant later disputes a signature failure, these Round 1 artifacts are the first place to check for mismatched inputs. In production settings, treating Round 1 as a signed transcript phase, not just a temporary cache, makes debugging and blame workflows much more reliable.

Nonce secrets r_{i,j} are strictly single-use: a fresh set for every signing session, erased as soon as the partial signature is produced. Reusing a nonce across sessions, or rerunning Round 2 with the same nonces for a different message after an aborted attempt, is catastrophic for Schnorr-based schemes and can reveal the secret key.
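The Round 1 procedure above (Sign at the leaves, SignAgg and SignAggExt at an internal node) and the transcript-recording point from the operational paragraph, as one added worked example. This is illustrative code written for this page, not the paper's reference implementation. It assumes secp256k1 in affine coordinates (written additively, so the page's $g^{r}$ is `point_mul(r, G)` and $\prod_i R_{i,j}$ is a sum of points), a plain SHA-256 hash standing in for $H_{\text{non}}$ (the paper's exact hash and domain separation are not on this page), and a placeholder aggregate key $\tilde{X}$, since KeyAgg is not part of Round 1:

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
NU = 2  # nonces per signer, nu = 2 as on the page


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0]:
        if a[1] != b[1]:
            return None  # a + (-a)
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P  # doubling
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication: g^k in the page's notation."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def compress(pt):
    """33-byte SEC compressed encoding, the 02/03-prefixed form shown in the demo."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def h_non(agg_key, r_primes):
    """ASSUMED stand-in for H_non(X~, R'_1..R'_nu): SHA-256 over compressed encodings, mod n."""
    h = hashlib.sha256(b"NestedMuSig2/non")  # constructed domain tag, not the paper's
    h.update(compress(agg_key))
    for r in r_primes:
        h.update(compress(r))
    return int.from_bytes(h.digest(), "big") % N


def sign(rng=secrets.randbelow):
    """Leaf Sign: sample nu fresh nonce scalars, publish R_{i,j} = g^{r_{i,j}}."""
    r = [rng(N - 1) + 1 for _ in range(NU)]
    return r, [point_mul(rj, G) for rj in r]


def sign_agg(child_nonces):
    """SignAgg: R'_j = prod_i R_{i,j}, slot j of every child into R'_j."""
    return [sum_points([nonces[j] for nonces in child_nonces]) for j in range(NU)]


def sum_points(points):
    acc = None
    for p in points:
        acc = point_add(acc, p)
    return acc


def sign_agg_ext(agg_key, r_prime):
    """SignAggExt: b = H_non(X~, R'_1..R'_nu); R_j = (R'_j)^(b^(j-1)).
    Lists are 0-based here, so slot j gets exponent b^j; slot 0 is unchanged."""
    b = h_non(agg_key, r_prime)
    return b, [point_mul(pow(b, j, N), r_prime[j]) for j in range(NU)]


def internal_node(node_id, agg_key, children):
    """One internal node's Round 1. `children` maps child id -> published nonces.
    Returns the external aggregate (to the parent), the internal aggregate (kept
    for Round 2) and a transcript recording which child filled which slot."""
    order = sorted(children)  # deterministic slot assignment, recorded below
    r_prime = sign_agg([children[c] for c in order])
    b, r_ext = sign_agg_ext(agg_key, r_prime)
    transcript = {
        "node": node_id,
        "agg_key": compress(agg_key).hex(),
        "slots": {c: [compress(p).hex() for p in children[c]] for c in order},
        "internal": [compress(p).hex() for p in r_prime],
        "b": b,
        "external": [compress(p).hex() for p in r_ext],
    }
    return r_ext, r_prime, transcript


# Placeholder aggregate key X~ (constructed; KeyAgg is outside Round 1).
DEMO_AGG_KEY = point_mul(0xC0FFEE, G)


def round1_two_leaf(agg_key=DEMO_AGG_KEY, rng=secrets.randbelow):
    """Two-leaf tree: Alice and Bob under a single internal node."""
    secret_nonces, published = {}, {}
    for name in ("alice", "bob"):
        secret_nonces[name], published[name] = sign(rng)
    r_ext, r_prime, transcript = internal_node("node0", agg_key, published)
    return secret_nonces, r_prime, r_ext, transcript


if __name__ == "__main__":
    _, r_prime, r_ext, transcript = round1_two_leaf()
    for k, v in transcript.items():
        print(k, v)
```

Two properties worth checking on any implementation: the first external nonce equals the first internal nonce because $b^0 = 1$, and, since aggregation is a group operation, $R'_j$ must equal $g^{\sum_i r_{i,j}}$ (in test code only, where the secret scalars are available). The transcript keeps the pre-binding values alongside the slot assignment and the key that went into the hash, which is what a later dispute over a failed signature needs to compare.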

The demo below shows both layers for a small two-leaf tree.

Round 1 Demo

$$R'_j = \prod_i R_{i,j},\qquad R_j = (R'_j)^{b^{j-1}}$$

Alice commitments

R1 02954e...27f1
R2 03a343...9e64

Bob commitments

R1 03aff0...afd1
R2 0329e0...fc08

Internal aggregate (SignAgg)

R'1 025985...607c
R'2 03b1c6...c924

External aggregate (SignAggExt)

b  b6b204...d030
R1 025985...607c
R2 02602a...ff76

Note that the external R1 is identical to the internal R'1, because its exponent is b^0 = 1; only R2 is changed by the binding step. A node that sees its first external slot differ from its first internal slot has applied the exponents in the wrong order.