Implement sign-to-contract scheme for BIP-340 signatures

[dr-orlovsky]

The library already has an API for sign-to-contract signature tweaks for ECDSA, but not BIP-340 Schnorrs. This issue is to colect a feedback on the best way of its implementation before I will start work on a PR.

[jonasnick]

I have a very old implementation that adds sign-to-contract commitments to the schnorrsig module bitcoin-core/secp256k1#589. Way after this PR was opened, we added the secp256k1_schnorrsig_extraparams struct. One of the motivations for doing this was to allow creating sign-to-contract tweaks in schnorrsig_sign_custom. So I think most of my old PR can be reused after rebasing it, since it contains some useful concepts like ec_commitment, s2c_opening and tests, and also adding the fields unsigned char s2c_data and secp256k1_s2c_opening *s2c_opening to the extraparams.

[dr-orlovsky]

Excellent, thank you! But how do you think, can we do that in the original library? It will be really preferable for me to have it there.

[jonasnick]

I think it could be reasonably added to upstream libsecp since it doesn't require a separate module.

[dr-orlovsky]

Thank you. I rebased your commits with fixups on the master in https://github.com/LNP-BP/secp256k1/tree/schnorr-commitments

Now I will integrate these types into existing custom signature type following your way of doing that on this PR

[benma]

@dr-orlovsky what is the status of your work? Do you plan on continuing it? I'd be very interested in using this to implement the antiklepto/anti-exfil protocol in the BitBox02 for Schnorr sigs (it's already deployed for ECDSA sigs).

[dr-orlovsky]

Hi @benma! Yes, I would like to continue, but in the mean time I am out of timing capacity to do that :( Feel free to grab it if you'd like...

[benma]

@dr-orlovsky thanks, I'll take this task then

[benma]

I opened a draft implementation here: bitcoin-core/secp256k1#1140