bitcoin
diff --git a/‎bip-0445.md‎
Lines changed: 9 additions & 11 deletions b/‎bip-0445.md‎
Lines changed: 9 additions & 11 deletions
diff --git a/‎bip-0445/python/example.py‎
Lines changed: 2 additions & 2 deletions b/‎bip-0445/python/example.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎bip-0445/python/frost_ref/signing.py‎
Lines changed: 19 additions & 32 deletions b/‎bip-0445/python/frost_ref/signing.py‎
Lines changed: 19 additions & 32 deletions
@@ -178,7 +178,7 @@ Aborts are identifiable for an honest party if the following conditions hold in
 - Nonce aggregation is performed honestly (e.g., because the honest signer performs nonce aggregation on its own or because the coordinator is trusted).
 - The partial signatures received from all signers are verified using the algorithm *PartialSigVerify*.
 
-If these conditions hold and an honest party (signer or coordinator) runs an algorithm that fails due to invalid protocol contributions from malicious signers, then the algorithm run by the honest party will output the participant identifier of exactly one malicious signer.
+If these conditions hold and an honest party (signer or coordinator) runs an algorithm that fails due to invalid protocol contributions from malicious signers, then the algorithm run by the honest party will output the index (within the input list) of exactly one malicious signer.
 Additionally, if the honest parties agree on the contributions sent by all signers in the signing session, all the honest parties who run the aborting algorithm will identify the same malicious signer.
 
 #### Further Remarks
@@ -439,15 +439,14 @@ Algorithm *NonceGen(secshare, pubshare, thresh_pk, m, extra_in)*:
 
 ### Nonce Aggregation
 
-Algorithm *NonceAgg(pubnonce<sub>1..u</sub>, id<sub>1..u</sub>)*:
+Algorithm *NonceAgg(pubnonce<sub>1..u</sub>)*:
 
 - Inputs:
   - The number *u* of signing participants: an integer with *t ≤ u ≤ n*
   - The list of participant public nonces *pubnonce<sub>1..u</sub>*: *u* 66-byte array, each an output of *NonceGen*
-  - The list of participant identifiers *id<sub>1..u</sub>*: *u* integers, each with *0 ≤ id<sub>i</sub> ≤ n-1*
 - For *j = 1 .. 2*:
   - For *i = 1 .. u*:
-    - Let *R<sub>i,j</sub> = cpoint(pubnonce<sub>i</sub>[(j-1)\*33:j\*33])*; fail if that fails and blame signer *id<sub>i</sub>* for invalid *pubnonce*
+    - Let *R<sub>i,j</sub> = cpoint(pubnonce<sub>i</sub>[(j-1)\*33:j\*33])*; fail if that fails and blame signer at index *i* for invalid *pubnonce*
   - Let *R<sub>j</sub> = R<sub>1,j</sub> + R<sub>2,j</sub> + ... + R<sub>u,j</sub>*
 - Return *aggnonce = cbytes_ext(R<sub>1</sub>) || cbytes_ext(R<sub>2</sub>)*
 
@@ -534,8 +533,9 @@ Algorithm *PartialSigVerify(psig, pubnonce<sub>1..u</sub>, signers_ctx, tweak<su
   - The list of tweak modes *is_xonly_t<sub>1..v</sub>* : *v* booleans
   - The message *m*: a byte array[^max-msg-len]
   - The index *i* of the signer in the list of public nonces where *0 < i ≤ u*
+- ValidateSignersCtx(signers_ctx); fail if that fails
 - Let *(_, _, u, id<sub>1..u</sub>, pubshare<sub>1..u</sub>, _) = signers_ctx*
-- Let *aggnonce = NonceAgg(pubnonce<sub>1..u</sub>, id<sub>1..u</sub>)*; fail if that fails
+- Let *aggnonce = NonceAgg(pubnonce<sub>1..u</sub>)*; fail if that fails
 - Let *session_ctx = (signers_ctx, aggnonce, v, tweak<sub>1..v</sub>, is_xonly_t<sub>1..v</sub>, m)*
 - Run *PartialSigVerifyInternal(psig, id<sub>i</sub>, pubnonce<sub>i</sub>, pubshare<sub>i</sub>, session_ctx)*
 - Return success iff no failure occurred before reaching this point.
@@ -560,16 +560,15 @@ Internal Algorithm *PartialSigVerifyInternal(psig, my_id, pubnonce, pubshare, se
 
 ### Partial Signature Aggregation
 
-Algorithm *PartialSigAgg(psig<sub>1..u</sub>, id<sub>1..u</sub>, session_ctx)*:
+Algorithm *PartialSigAgg(psig<sub>1..u</sub>, session_ctx)*:
 
 - Inputs:
   - The number *u* of signatures with *t ≤ u ≤ n*
   - The list of partial signatures *psig<sub>1..u</sub>*: *u* 32-byte arrays, each an output of *Sign*
-  - The list of participant identifiers *id<sub>1..u</sub>*: *u* distinct integers, each with *0 ≤ id<sub>i</sub> ≤ n-1*
   - The *session_ctx*: a [Session Context](#session-context) data structure
 - Let *(Q, _, tacc, _, _, _, R, e) = GetSessionValues(session_ctx)*; fail if that fails
 - For *i = 1 .. u*:
-  - Let *s<sub>i</sub> = scalar_from_bytes_nonzero_checked(psig<sub>i</sub>)*; fail if that fails and blame signer *id<sub>i</sub>* for invalid partial signature.
+  - Let *s<sub>i</sub> = scalar_from_bytes_nonzero_checked(psig<sub>i</sub>)*; fail if that fails and blame signer at index *i* for invalid partial signature.
 - Let *g = Scalar(1)* if *has_even_y(Q)*, otherwise let *g = Scalar(-1)*
 - Let *s = s<sub>1</sub> + ... + s<sub>u</sub> + e &middot; g &middot; tacc &ensp;(mod ord)*
 - Return *sig = xbytes(R) || scalar_to_bytes(s)*
@@ -639,12 +638,10 @@ Algorithm *DeterministicSign(secshare, my_id, aggothernonce, signers_ctx, tweak<
 - Let *my_pubshare = cbytes(d &middot; G)*
 - Fail if *my_pubshare* is not present in *pubshare<sub>1..u</sub>*
 - Let *secnonce = scalar_to_bytes(k<sub>1</sub>) || scalar_to_bytes(k<sub>2</sub>)*
-- Let *aggnonce = NonceAgg((pubnonce, aggothernonce), (my_id, COORDINATOR_ID))*[^coordinator-id-sentinel]; fail if that fails and blame coordinator for invalid *aggothernonce*.
+- Let *aggnonce = NonceAgg((pubnonce, aggothernonce))*; fail if that fails and blame coordinator for invalid *aggothernonce*.
 - Let *session_ctx = (signers_ctx, aggnonce, v, tweak<sub>1..v</sub>, is_xonly_t<sub>1..v</sub>, m)*
 - Return (pubnonce, Sign(secnonce, secshare, my_id, session_ctx))
 
-[^coordinator-id-sentinel]: *COORDINATOR_ID* is a sentinel value (not an actual participant identifier) used to track the source of *aggothernonce* for error attribution. If *NonceAgg* fails, the coordinator is blamed for providing an invalid *aggothernonce*. In the reference implementation, *COORDINATOR_ID* is represented as *None*.
-
 ### Tweaking Definition
 
 Two modes of tweaking the threshold public key are supported. They correspond to the following algorithms:
@@ -785,6 +782,7 @@ This document proposes a standard for the FROST threshold signature scheme that
 
 ## Changelog
 
+- *0.4.1* (2026-03-03): Assign blame to signer index (of the input list) instead of their identifier value
 - *0.4.0* (2026-01-30): Number 445 was assigned to this BIP.
 - *0.3.6* (2026-01-28): Add MIT license file for reference code and other auxiliary files.
 - *0.3.5* (2026-01-25): Update secp256k1lab to latest version, remove stub file, and fix formatting in the BIP text.
 
@@ -160,7 +160,7 @@ async def coordinator(
         pubnonces.append(pubnonce)
 
     # Aggregate nonces
-    aggnonce = nonce_agg(pubnonces, signer_ids)
+    aggnonce = nonce_agg(pubnonces)
     chans.send_all(aggnonce)
 
     # Round 2: Collect partial signatures
@@ -174,7 +174,7 @@ async def coordinator(
         psigs.append(psig)
 
     # Aggregate partial signatures
-    final_sig = partial_sig_agg(psigs, signer_ids, session_ctx)
+    final_sig = partial_sig_agg(psigs, session_ctx)
     chans.send_all(final_sig)
 
     return final_sig
 
@@ -8,7 +8,7 @@
 # be used in production environments. The code is vulnerable to timing attacks,
 # for example.
 
-from typing import List, Optional, Tuple, NewType, NamedTuple, Sequence, Literal
+from typing import List, Optional, Tuple, NewType, NamedTuple, Literal
 import secrets
 
 from secp256k1lab.secp256k1 import G, GE, Scalar
@@ -37,10 +37,9 @@
 # values. Actual implementations should not crash when receiving invalid
 # contributions. Instead, they should hold the offending party accountable.
 class InvalidContributionError(Exception):
-    def __init__(self, signer_id: Optional[int], contrib: ContribKind) -> None:
-        # participant identifier of the signer who sent the invalid value
-        self.id = signer_id
-        # contrib is one of "pubkey", "pubnonce", "aggnonce", or "psig".
+    def __init__(self, signer_index: Optional[int], contrib: ContribKind) -> None:
+        # index of the signer who sent the invalid value, or None for coordinator
+        self.signer_index = signer_index
         self.contrib = contrib
 
 
@@ -60,11 +59,11 @@ def derive_interpolating_value(ids: List[int], my_id: int) -> Scalar:
 
 def derive_thresh_pubkey(ids: List[int], pubshares: List[PlainPk]) -> PlainPk:
     Q = GE()
-    for my_id, pubshare in zip(ids, pubshares):
+    for idx, (my_id, pubshare) in enumerate(zip(ids, pubshares)):
         try:
             X_i = GE.from_bytes_compressed(pubshare)
         except ValueError:
-            raise InvalidContributionError(my_id, "pubshare")
+            raise InvalidContributionError(idx, "pubshare")
         lam_i = derive_interpolating_value(ids, my_id)
         Q = Q + lam_i * X_i
     # Q is not the point at infinity except with negligible probability.
@@ -88,13 +87,13 @@ def validate_signers_ctx(signers_ctx: SignersContext) -> None:
         raise ValueError("The number of signers must be between t and n.")
     if len(pubshares) != len(ids):
         raise ValueError("The pubshares and ids arrays must have the same length.")
-    for i, pubshare in zip(ids, pubshares):
+    for idx, (i, pubshare) in enumerate(zip(ids, pubshares)):
         if not 0 <= i <= n - 1:
             raise ValueError(f"The participant identifier {i} is out of range.")
         try:
             _ = GE.from_bytes_compressed(pubshare)
         except ValueError:
-            raise InvalidContributionError(i, "pubshare")
+            raise InvalidContributionError(idx, "pubshare")
     if len(set(ids)) != len(ids):
         raise ValueError("The participant identifier list contains duplicate elements.")
     if derive_thresh_pubkey(ids, pubshares) != thresh_pk:
@@ -235,20 +234,15 @@ def nonce_gen(
 # in each function that takes `ids` as argument?
 
 
-# `ids` is typed as Sequence[Optional[int]] so that callers can pass either
-# List[int] or List[Optional[int]] without triggering mypy invariance errors.
-# Sequence is read-only and covariant.
-def nonce_agg(pubnonces: List[bytes], ids: Sequence[Optional[int]]) -> bytes:
-    if len(pubnonces) != len(ids):
-        raise ValueError("The pubnonces and ids arrays must have the same length.")
+def nonce_agg(pubnonces: List[bytes]) -> bytes:
     aggnonce = b""
     for j in (1, 2):
         R_j = GE()
-        for my_id, pubnonce in zip(ids, pubnonces):
+        for idx, pubnonce in enumerate(pubnonces):
             try:
                 R_ij = GE.from_bytes_compressed(pubnonce[(j - 1) * 33 : j * 33])
             except ValueError:
-                raise InvalidContributionError(my_id, "pubnonce")
+                raise InvalidContributionError(idx, "pubnonce")
             R_j = R_j + R_ij
         aggnonce += R_j.to_bytes_compressed_with_infinity()
     return aggnonce
@@ -375,9 +369,6 @@ def det_nonce_hash(
     return tagged_hash("FROST/deterministic/nonce", buf)
 
 
-COORDINATOR_ID = None
-
-
 def deterministic_sign(
     secshare: bytes,
     my_id: int,
@@ -414,11 +405,10 @@ def deterministic_sign(
     pubnonce = R1_partial.to_bytes_compressed() + R2_partial.to_bytes_compressed()
     secnonce = bytearray(k_1.to_bytes() + k_2.to_bytes())
     try:
-        aggnonce = nonce_agg([pubnonce, aggothernonce], [my_id, COORDINATOR_ID])
+        aggnonce = nonce_agg([pubnonce, aggothernonce])
     except Exception:
-        # Since `pubnonce` can never be invalid, blame coordinator's pubnonce.
-        # REVIEW: should we introduce an unknown participant or coordinator error?
-        raise InvalidContributionError(COORDINATOR_ID, "aggothernonce")
+        # pubnonce is always valid, so any failure is due to aggothernonce.
+        raise InvalidContributionError(None, "aggothernonce")
     session_ctx = SessionContext(aggnonce, signers_ctx, tweaks, is_xonly, msg)
     psig = sign(secnonce, secshare, my_id, session_ctx)
     return (pubnonce, psig)
@@ -439,7 +429,7 @@ def partial_sig_verify(
         raise ValueError("The pubnonces and ids arrays must have the same length.")
     if len(tweaks) != len(is_xonly):
         raise ValueError("The tweaks and is_xonly arrays must have the same length.")
-    aggnonce = nonce_agg(pubnonces, ids)
+    aggnonce = nonce_agg(pubnonces)
     session_ctx = SessionContext(aggnonce, signers_ctx, tweaks, is_xonly, msg)
     return partial_sig_verify_internal(
         psig, ids[i], pubnonces[i], pubshares[i], session_ctx
@@ -480,19 +470,16 @@ def partial_sig_verify_internal(
     return s * G == Re_s + (e * a * g_) * P
 
 
-def partial_sig_agg(
-    psigs: List[bytes], ids: List[int], session_ctx: SessionContext
-) -> bytes:
-    assert COORDINATOR_ID not in ids
+def partial_sig_agg(psigs: List[bytes], session_ctx: SessionContext) -> bytes:
+    (Q, _, tacc, ids, _, _, R, e) = get_session_values(session_ctx)
     if len(psigs) != len(ids):
         raise ValueError("The psigs and ids arrays must have the same length.")
-    (Q, _, tacc, _, _, _, R, e) = get_session_values(session_ctx)
     s = Scalar(0)
-    for my_id, psig in zip(ids, psigs):
+    for idx, psig in enumerate(psigs):
         try:
             s_i = Scalar.from_bytes_checked(psig)
         except ValueError:
-            raise InvalidContributionError(my_id, "psig")
+            raise InvalidContributionError(idx, "psig")
         s = s + s_i
     g = Scalar(1) if Q.has_even_y() else Scalar(-1)
     s = s + e * g * tacc