API

- Make aborts identifiable, so that signers can be blamed if they send garbage. In particular, this means updating the `partial_sig_agg` failure case to return the index of the offending sig.
- Allow signing variable-length messages (i.e. with length != 32), as proposed for BIP-340, by adding a `msglen` argument to all functions currently only taking a `msg32`.
- Consider adding a flag to the `secp256k1_musig_partial_sign` interface. If true, it would do a partial signature verification before returning (H/T @robot-dreams).
- Consider treating the `pre_sig64` argument of `musig_adapt` and `musig_extract_adaptor` as secret (for the constant-timeness test).

Internal

- `musig_nonce_gen` currently rejects `session_id32=0` if there's no `seckey`. This check could be stronger and reject weak entropy counters, for example in an endianness-independent way by checking that the middle 16 bytes are not all 0 (H/T @robot-dreams).
- Unify handling of cryptographically unreachable code, i.e., always use `VERIFY_CHECK` instead of returning 0.
- Use multiexp (`ecmult_multi`) in `pubkey_agg` when confidence in its implementation is higher.
- Address the `TODO` items: "use multiexp to compute `-s*G + e*mu*pubkey + aggnonce[0] + b*aggnonce[1]`" and "Cache mu".
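To make the `musig_nonce_gen` item concrete, here is an added, self-contained C example (not code from secp256k1-zkp) that places the current all-zero check next to the proposed "middle 16 bytes" check and runs both over counter-style and random-looking session ids. The helper names (`session_id_rejected_current`, `session_id_rejected_stronger`, `counter_session_id`, `check_counter`, `check_constructed_entropy`) are hypothetical, and the "random-like" input is a constructed byte pattern rather than real entropy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not part of secp256k1-zkp. They operate on the
 * 32-byte session_id32 that musig_nonce_gen receives. */

/* OR all bytes together so the loop's timing does not depend on the data. */
static int bytes_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Current behaviour as described in the issue: only an all-zero
 * session_id32 is rejected. */
int session_id_rejected_current(const unsigned char *session_id32) {
    return bytes_all_zero(session_id32, 32);
}

/* Proposed stronger check: reject when bytes 8..23 are all zero. A counter
 * occupies only the low-order bytes, which land at the start (little-endian)
 * or the end (big-endian) of the buffer; the middle 16 bytes are zero either
 * way, so the check does not depend on how the caller encoded the counter. */
int session_id_rejected_stronger(const unsigned char *session_id32) {
    return bytes_all_zero(session_id32 + 8, 16);
}

/* Encode a 64-bit counter into a 32-byte buffer, LE or BE, zero elsewhere. */
void counter_session_id(uint64_t ctr, int big_endian, unsigned char *out32) {
    int i;
    memset(out32, 0, 32);
    for (i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(ctr >> (8 * i));
        if (big_endian) {
            out32[31 - i] = b;
        } else {
            out32[i] = b;
        }
    }
}

/* Run one of the two checks on a counter-derived session id.
 * Returns 1 if that check would reject the session id, 0 otherwise. */
int check_counter(uint64_t ctr, int big_endian, int stronger) {
    unsigned char sid[32];
    counter_session_id(ctr, big_endian, sid);
    return stronger ? session_id_rejected_stronger(sid)
                    : session_id_rejected_current(sid);
}

/* Run one of the two checks on a constructed, non-counter-like session id
 * (a deterministic byte pattern standing in for fresh randomness). */
int check_constructed_entropy(int stronger) {
    unsigned char sid[32];
    int i;
    for (i = 0; i < 32; i++) {
        sid[i] = (unsigned char)(i * 37 + 11);
    }
    return stronger ? session_id_rejected_stronger(sid)
                    : session_id_rejected_current(sid);
}

int main(void) {
    printf("LE counter 1:  current=%d stronger=%d\n",
           check_counter(1, 0, 0), check_counter(1, 0, 1));
    printf("BE counter 1:  current=%d stronger=%d\n",
           check_counter(1, 1, 0), check_counter(1, 1, 1));
    printf("LE 64-bit ctr: current=%d stronger=%d\n",
           check_counter(UINT64_C(0x123456789ABCDEF0), 0, 0),
           check_counter(UINT64_C(0x123456789ABCDEF0), 0, 1));
    printf("random-like:   current=%d stronger=%d\n",
           check_constructed_entropy(0), check_constructed_entropy(1));
    return 0;
}
```

The point of the middle-16-bytes rule is that a small counter is rejected whether the caller wrote it at the low or the high end of the buffer, while a uniformly random session id fails the check only with probability 2^-128, so the false-rejection rate is negligible.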