siv2r / bip-frost-signing

A BIP draft for BIP340-compatible FROST threshold signing protocol

Public Shares in the Session Object #12

Open jesseposner opened 1 month ago

jesseposner commented 1 month ago

I believe the 2 places that pubshares are used are (1) deriving the 33-byte group public key and (2) verifying a partial signature.

To accomplish (1), the BIP requires all pubshares be saved to the session object. But wouldn't it be more efficient to simply save the 33-byte group public key to the session object rather than the pubshares? For (2), PartialSigVerify would only need the individual public share for the sig being verified.

siv2r commented 1 month ago

The BIP prioritizes the readability and simplicity of the algorithms over their efficiency. This is mentioned in the General Signing Flow section:

> To simplify the specification of the algorithms, some intermediary values are unnecessarily recomputed from scratch, e.g., when executing GetSessionValues multiple times. Actual implementations can cache these values. As a result, the Session Context may look very different in implementations or may not exist at all.

Therefore, an implementation isn't required to strictly follow the defined data structure and can optimize it as needed.

We can observe this in the case of MuSig2. While BIP327 defines the Session Context with individual public keys, the session object in the implementation does not include any public keys, not even the group public key.

siv2r commented 1 month ago

> group public key to the session object rather than the pubshares

I initially considered this design but chose to use pubshares because they clearly identify the participants in the signing session. However, we could also argue that replacing pubshares with the group pubkey would not impact this clarity, as our session object, unlike BIP327, includes participant identifiers.
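The trade-off discussed in this thread, as an added example that is not part of the issue or of the BIP's reference code: the group public key recomputed from any signing subset's pubshares is the same point, so a session object can cache its 33-byte serialization instead. It assumes the group key is recovered by Lagrange interpolation at zero over the participants' x-coordinates (passed here directly as nonzero integers); the function names and the toy polynomial are hypothetical.

```python
# Added example: secp256k1 arithmetic written out so the block runs offline.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None  # a + (-a)
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1] % P, -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lagrange_at_zero(xs, xi):
    num = den = 1
    for xj in xs:
        if xj != xi:
            num = num * xj % N
            den = den * (xj - xi) % N
    return num * pow(den, -1, N) % N

def derive_group_pubkey(pubshares, xs):
    # Q = sum(lambda_i * X_i): what a session holding only pubshares recomputes.
    q = None
    for xi, share in zip(xs, pubshares):
        q = add(q, mul(lagrange_at_zero(xs, xi), share))
    return q

def serialize(pt):
    # 33-byte compressed encoding, the value a session could cache instead.
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def constructed_shares(coeffs, xs):
    # Shamir shares f(x) of a constructed polynomial; coeffs[0] is the group secret.
    return [sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N for x in xs]
```

Verifying a single partial signature then needs only that signer's pubshare, which is why the cached key plus one pubshare per check covers both uses named in the first comment.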