Add a lot of test vectors and improve handling of invalid contributions in reference code

[jonasnick]

Fixes #5 and #2.

Based on #8.

[real-or-random]

Concept ACK on having InvalidContributionErrors

[Roasbeef]

I ported the existing test vectors to JSON in this PR: #10

Once this PR is stable/merged, I can update my PR to include those new test vectors.

[jonasnick]

Just realized that this doesn't fully address #5 because there are still no tests for nonce generation.

[real-or-random]

This is a very clean approach, I think.

[robot-dreams]

Overall looks great—I like the InvalidContributionError approach.

[robot-dreams]

ACK 8d79d3b

[real-or-random]

Initially, I thought that we should document that None means the aggregator is faulty.

But this gets complicated because the guarantees are different. The aggregator is trusted for robustness/identifiable aborts, so the ability to blame aggregator is of limited use, and a malicious aggregator could always claim that someone else is wrong. So having an InvalidContributionError for the aggregator may convey the wrong impression that a honest can identify the disruptive party even when an aggregator is used, and that a malicious aggregator can be identified reliably.

Maybe it would be clearer to simply raise a ValueError instead? This will clearly separate the guaranteed ability to identify disruptive signers (identifiable abort) from other errors, and I think that's cleaner. Yet another alternative is to have a separate exception for the aggregator but this seems overkill to me.

---

In any case, the BIP text can be made clearer here.

• For example, it currently doesn't say anything about blaming the aggregator. If we keep the InvalidContributionError, then we should elaborate in the text.
• Also, it currently says "This standard specifies a partial signature verification algorithm to identify disruptive signers. It is incompatible with third-party nonce aggregation because the individual nonce is required for partial verification." That's not entirely true. The aggregator can still identify disruptive parties. We could also refer to ROAST now for a more formal discussion of IA.
• "All the aggregator node can do is prevent the signing session from succeeding by sending out incorrect aggregate nonces." It can also send a wrong final sig.

But all of this should be done in a separate PR.

[real-or-random]

some (micro)-nits

[real-or-random]

Suggested change

	# - InvalidContributionError for indicating that a participant (or the
	# aggregator) is misbehaving in the protocol
	# - InvalidContributionError for indicating that a signer (or the
	# aggregator) is misbehaving in the protocol.

[real-or-random]

Suggested change

	# output of a hash function is 0), and can't be manually triggered by any
	# participant
	# output of a hash function is 0) and can't be manually triggered by any
	# signer.

[real-or-random]

Suggested change

	# representation doesn't have the correct format)
	# representation doesn't have the correct format).

[real-or-random]

Suggested change

	# examine it with`except_fn`.
	# examine it with `except_fn`.

[real-or-random]

Do you want to merge this or #20 first? This will affect some of the test vectors here.

Maybe it would be clearer to simply raise a ValueError instead?

Hm on a second thought, I don't know... ValueError is not a good idea either because then signers could crash. Maybe a separate exception is really better?

[jonasnick]

Do you want to merge this or #20 first?

I'd like to merge this first, since other PRs (separate tweaking from keyagg) are based on it.

[jonasnick]

Fixed nits

[real-or-random]

ACK 141919e

let's keep the InvalidContributionError, and I can open a PR that improves the explanations