dfinity
diff --git a/‎Cargo.Bazel.Fuzzing.json.lock
Lines changed: 8 additions & 1 deletion b/‎Cargo.Bazel.Fuzzing.json.lock
Lines changed: 8 additions & 1 deletion
diff --git a/‎Cargo.Bazel.Fuzzing.toml.lock
Lines changed: 1 addition & 0 deletions b/‎Cargo.Bazel.Fuzzing.toml.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.Bazel.json.lock
Lines changed: 8 additions & 1 deletion b/‎Cargo.Bazel.json.lock
Lines changed: 8 additions & 1 deletion
diff --git a/‎Cargo.Bazel.toml.lock
Lines changed: 1 addition & 0 deletions b/‎Cargo.Bazel.toml.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.lock
Lines changed: 3 additions & 0 deletions b/‎Cargo.lock
Lines changed: 3 additions & 0 deletions
diff --git a/‎bazel/external_crates.bzl
Lines changed: 7 additions & 0 deletions b/‎bazel/external_crates.bzl
Lines changed: 7 additions & 0 deletions
diff --git a/‎rs/consensus/src/idkg/payload_builder.rs
Lines changed: 1 addition & 0 deletions b/‎rs/consensus/src/idkg/payload_builder.rs
Lines changed: 1 addition & 0 deletions
diff --git a/‎rs/consensus/src/idkg/signer.rs
Lines changed: 2 additions & 0 deletions b/‎rs/consensus/src/idkg/signer.rs
Lines changed: 2 additions & 0 deletions
diff --git a/‎rs/crypto/benches/tschnorr.rs
Lines changed: 4 additions & 0 deletions b/‎rs/crypto/benches/tschnorr.rs
Lines changed: 4 additions & 0 deletions
diff --git a/‎rs/crypto/internal/crypto_lib/threshold_sig/canister_threshold_sig/src/lib.rs
Lines changed: 13 additions & 2 deletions b/‎rs/crypto/internal/crypto_lib/threshold_sig/canister_threshold_sig/src/lib.rs
Lines changed: 13 additions & 2 deletions
@@ -1,5 +1,5 @@
 {
-  "checksum": "7661b2c9fdc930e58622dc8df6307c9e805eb95556ad2b11b93ca0561235524a",
+  "checksum": "d49c2d6535ae0e33df43f23bf7877c04341c237a0782c81faa1e85ae9a4e8a6b",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -19214,6 +19214,10 @@
               "id": "scraper 0.17.1",
               "target": "scraper"
             },
+            {
+              "id": "secp256k1 0.22.2",
+              "target": "secp256k1"
+            },
             {
               "id": "semver 1.0.22",
               "target": "semver"
@@ -62768,6 +62772,8 @@
         ],
         "crate_features": {
           "common": [
+            "default",
+            "global-context",
             "rand",
             "rand-std",
             "recovery",
@@ -85537,6 +85543,7 @@
     "scoped_threadpool 0.1.9",
     "scopeguard 1.2.0",
     "scraper 0.17.1",
+    "secp256k1 0.22.2",
     "semver 1.0.22",
     "serde 1.0.203",
     "serde-bytes-repr 0.1.5",
 
@@ -3215,6 +3215,7 @@ dependencies = [
  "scoped_threadpool",
  "scopeguard",
  "scraper",
+ "secp256k1 0.22.2",
  "semver",
  "serde",
  "serde-bytes-repr",
 
@@ -1,5 +1,5 @@
 {
-  "checksum": "d4b611a5f338012769866b27437875353f5d76dbabb9b135418806599a3b8912",
+  "checksum": "4002433162202c7300c4f17bf7105e405ab6e3b9f9cd9e3d56c3ebe98e04d509",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -19037,6 +19037,10 @@
               "id": "scraper 0.17.1",
               "target": "scraper"
             },
+            {
+              "id": "secp256k1 0.22.2",
+              "target": "secp256k1"
+            },
             {
               "id": "semver 1.0.22",
               "target": "semver"
@@ -62608,6 +62612,8 @@
         ],
         "crate_features": {
           "common": [
+            "default",
+            "global-context",
             "rand",
             "rand-std",
             "recovery",
@@ -85410,6 +85416,7 @@
     "scoped_threadpool 0.1.9",
     "scopeguard 1.2.0",
     "scraper 0.17.1",
+    "secp256k1 0.22.2",
     "semver 1.0.22",
     "serde 1.0.203",
     "serde-bytes-repr 0.1.5",
 
@@ -3204,6 +3204,7 @@ dependencies = [
  "scoped_threadpool",
  "scopeguard",
  "scraper",
+ "secp256k1 0.22.2",
  "semver",
  "serde",
  "serde-bytes-repr",
 
@@ -1080,6 +1080,13 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
             "scraper": crate.spec(
                 version = "^0.17.1",
             ),
+            "secp256k1": crate.spec(
+                version = "^0.22",
+                features = [
+                    "global-context",
+                    "rand-std",
+                ],
+            ),
             "semver": crate.spec(
                 version = "^1.0.9",
                 features = [
 
@@ -1920,6 +1920,7 @@ mod tests {
                         &key_transcript,
                         &[1; 64],
                         Randomness::from([0; 32]),
+                        None,
                         &derivation_path,
                         algorithm,
                         &mut rng,
 
@@ -1361,6 +1361,7 @@ mod tests {
                             &key_transcript,
                             &[0; 32],
                             Randomness::from([0; 32]),
+                            None,
                             &derivation_path,
                             algorithm_for_key_id(&key_id),
                             &mut rng,
@@ -2111,6 +2112,7 @@ mod tests {
                     &key_transcript,
                     &message,
                     Randomness::from(context.nonce.unwrap()),
+                    None,
                     &derivation_path,
                     algorithm,
                     &mut rng,
 
@@ -64,6 +64,7 @@ fn bench_create_sig_share<M: Measurement, R: RngCore + CryptoRng>(
                     &key_transcript,
                     &message,
                     seed,
+                    None,
                     &derivation_path,
                     test_case.alg,
                     rng,
@@ -103,6 +104,7 @@ fn bench_verify_sig_share<M: Measurement, R: RngCore + CryptoRng>(
                     &key_transcript,
                     &message,
                     seed,
+                    None,
                     &derivation_path,
                     test_case.alg,
                     rng,
@@ -153,6 +155,7 @@ fn bench_combine_sig_shares<M: Measurement, R: RngCore + CryptoRng>(
                     &key_transcript,
                     &message,
                     seed,
+                    None,
                     &derivation_path,
                     test_case.alg,
                     rng,
@@ -194,6 +197,7 @@ fn bench_verify_combined_sig<M: Measurement, R: RngCore + CryptoRng>(
                     &key_transcript,
                     &message,
                     seed,
+                    None,
                     &derivation_path,
                     test_case.alg,
                     rng,
 
@@ -965,9 +965,13 @@ impl From<CanisterThresholdError> for ThresholdBip340GenerateSigShareInternalErr
 /// The presig_transcript is the transcript of the pre-signature (kappa)
 ///
 /// The message can be of any length
+///
+/// If taproot_tree_root is Some then this generates a Taproot tweaked
+/// signature, using the provided hash to derive a tweak
 pub fn create_bip340_signature_share(
     derivation_path: &DerivationPath,
     message: &[u8],
+    taproot_tree_root: Option<&[u8]>,
     nonce: Randomness,
     key_transcript: &IDkgTranscriptInternal,
     presig_transcript: &IDkgTranscriptInternal,
@@ -977,6 +981,7 @@ pub fn create_bip340_signature_share(
     ThresholdBip340SignatureShareInternal::new(
         derivation_path,
         message,
+        taproot_tree_root,
         nonce,
         key_transcript,
         key_opening,
@@ -1012,7 +1017,8 @@ impl From<CanisterThresholdError> for ThresholdBip340VerifySigShareInternalError
 pub fn verify_bip340_signature_share(
     sig_share: &ThresholdBip340SignatureShareInternal,
     derivation_path: &DerivationPath,
-    hashed_message: &[u8],
+    message: &[u8],
+    taproot_tree_root: Option<&[u8]>,
     randomness: Randomness,
     signer_index: NodeIndex,
     key_transcript: &IDkgTranscriptInternal,
@@ -1021,7 +1027,8 @@ pub fn verify_bip340_signature_share(
     sig_share
         .verify(
             derivation_path,
-            hashed_message,
+            message,
+            taproot_tree_root,
             randomness,
             signer_index,
             key_transcript,
@@ -1059,6 +1066,7 @@ impl From<CanisterThresholdError> for ThresholdBip340CombineSigSharesInternalErr
 pub fn combine_bip340_signature_shares(
     derivation_path: &DerivationPath,
     message: &[u8],
+    taproot_tree_root: Option<&[u8]>,
     randomness: Randomness,
     key_transcript: &IDkgTranscriptInternal,
     presig_transcript: &IDkgTranscriptInternal,
@@ -1069,6 +1077,7 @@ pub fn combine_bip340_signature_shares(
     ThresholdBip340CombinedSignatureInternal::new(
         derivation_path,
         message,
+        taproot_tree_root,
         randomness,
         key_transcript,
         presig_transcript,
@@ -1106,6 +1115,7 @@ pub fn verify_threshold_bip340_signature(
     signature: &ThresholdBip340CombinedSignatureInternal,
     derivation_path: &DerivationPath,
     message: &[u8],
+    taproot_tree_root: Option<&[u8]>,
     randomness: Randomness,
     presig_transcript: &IDkgTranscriptInternal,
     key_transcript: &IDkgTranscriptInternal,
@@ -1114,6 +1124,7 @@ pub fn verify_threshold_bip340_signature(
         .verify(
             derivation_path,
             message,
+            taproot_tree_root,
             randomness,
             presig_transcript,
             key_transcript,