Remove *Poly types
We don't want to provide an API for general polynomial arithmetic just
yet. It is very easy to roll yourself anyway. I provide a suggestion
about how to generate scalar polynomials securely that was lacking before.

And other assorted changes to docs and APIs, like allowing
verification shares to be zero.
LLFourn committed Oct 12, 2022
1 parent bf3bb56 commit c03eaf1
Showing 5 changed files with 266 additions and 362 deletions.
1 change: 1 addition & 0 deletions schnorr_fun/Cargo.toml
Expand Up @@ -28,6 +28,7 @@ sha2 = "0.10"
secp256kfun = { path = "../secp256kfun", version = "0.7.1", default-features = false, features = ["alloc", "libsecp_compat", "proptest"] }
secp256k1 = { version = "0.22", features = ["std", "global-context"]}
serde_json = "1"
rand_chacha = { version = "0.3" }


[target.'cfg(not(target_arch = "wasm32"))'.dev-dependencies]
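Review bot: the added `rand_chacha = { version = "0.3" }` sets nothing but a version, so it can use the plain form the neighbouring `serde_json = "1"` and `sha2 = "0.10"` entries use: `rand_chacha = "0.3"`. The surrounding entries (the `proptest` feature on `secp256kfun`, `global-context` on `secp256k1`) read like a dev-dependency section; if `rand_chacha` is only needed by the doc example on secure scalar polynomial generation that the commit message mentions, keeping it there rather than in `[dependencies]` keeps it out of the library's published dependency tree, which is worth confirming in the full diff.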
14 changes: 11 additions & 3 deletions schnorr_fun/src/binonce.rs
Expand Up @@ -125,9 +125,11 @@ impl NonceKeyPair {
///
/// How important the `session_id` is depends on whether you add a `message` and whether you are using randomness in your `nonce_gen`.
/// If you are using a deterministic `nonce_gen` it is crucial that this is set to a unique value for each signing session.
/// If your application doesn't naturally provide you with a unique value store a counter.
///
/// Optionally you may pass in `public_key` and `message` which should be passed in when available.
/// Optionally you may pass in:
///
/// - `public_key`: The public key we're signing under (if we know it at nonce generation time).
/// - `message`: The message we're signing (if we know it at nonce generation time)
///
/// [`MuSig::sign`]: crate::musig::MuSig::sign
pub fn generate(
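Review bot: the added sentence `/// If your application doesn't naturally provide you with a unique value store a counter.` needs a comma after "value" and should say what the counter has to guarantee. The preceding line makes a unique `session_id` per signing session crucial with a deterministic `nonce_gen`, so a counter only works if it is persisted and incremented before every session; a counter held in memory repeats the same `session_id` after a restart. Suggest: "If your application doesn't naturally provide a unique value, persist a counter and increment it before every signing session." The new `- `message`: ...` bullet is also missing its closing period, unlike the `public_key` bullet above it.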
Expand All @@ -141,7 +143,13 @@ impl NonceKeyPair {
let msg_len = (message.len() as u64).to_be_bytes();
let sid_len = (session_id.len() as u64).to_be_bytes();
let pk_bytes = public_key
.map(|p| p.normalize().to_bytes())
// NOTE: the `.normalize` here is very important. Even though the public key is already
// normalized we want it in particular to be Normal so that it serialzes correctly
// regardless of whether you pass in a Normal or EvenY point.
.map(|public_key| {
let public_key: Point<Normal> = public_key.normalize();
public_key.to_bytes()
})
.unwrap_or([0u8; 33]);
let r1 = derive_nonce!(
nonce_gen => nonce_gen,
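Review bot: typo in the added NOTE comment, "serialzes" should be "serializes". The comment would also be clearer if it stated the concrete requirement: the 33-byte `to_bytes()` output that feeds `derive_nonce!` must be the same for a given key whether the caller passes a `Point<Normal>` or a `Point<EvenY>`, which is exactly what the explicit `let public_key: Point<Normal> = public_key.normalize();` pins down. Since that property is the whole point of the change, a unit test calling `generate` twice with the same key as `Normal` and as `EvenY` and asserting identical nonces would lock it in and catch a regression if the annotation is ever dropped.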

0 comments on commit c03eaf1