musig2 wrappers over libsecp

[curiecrypt]

This PR aims to update the library so that the end users do not need to make calls from secp256k1 as mentioned in #30. The following list provides the changes:

1. Library functions are updated not to take any secp256k1 parameters, including secp256k1_context. Context creation is now handled in library functions.

2. Defined constants renamed, i.e., SCALAR_BYTES is changed to MUSIG2_SCALAR_BYTES.

3. A new type (musig2_pubkey) representing the x_only public key of secp256k1 is defined. MuSig2 library does not require full-size public keys; thus, instead of calling secp256k1_xonly_pubkey, users will call musig2_pubkey.

4. The function musig2_prepare_signer_to_register is created. This function

   • serializes signers' public key and batch commitments in compressed format,
   • called by musig2_prepare_signer_to_register,
   • returns serialized_pk (33-byte) and serialized_comm_list, which is a list of 33-byte commitments with V * NR_MESSAGES elements. So, after initialization, these return values can be directly used to register the signer (Collecting public keys and batch commitments.

5. Verification of the final signature with secp256k1_schnorrsig_verify is implemented in the library function musig2_verify_musig2.

Note that the documentation and comments are not completed yet.

---

This closes #30.

[iquerejeta]

I believe this is only used internally. It could be static.

[iquerejeta]

Freeing the context within the function might result in a double free, or in using a freed pointer. This should be handled externally, as we might want to continue with the same context if the serialisation failed

[iquerejeta]

Same here

[iquerejeta]

It seems that what prepare_signer_to_register really does is serialise the pubkey and batched commitments. What do you think of having a function serialise_shareable_context, that takes as input mcs and the two pointers for the serialised data? In this way we explicitly distinguish both calls

[iquerejeta]

It's counterintuitive that BYTES_COMPRESSED is larger than BYTES. I would find a different name to the former (maybe something to do with omit sign bit or something of the sort)

[iquerejeta]

I suggest that the serialisation is separated from the initialisation function.

[iquerejeta]

These changes look good. Have a look at my comments, and change what you consider, but other than that, happy to see this merged.

[iquerejeta]

We should be consistent with freeing the context. Both errors are the same (=0), so the function caller will always react the same way for failures. This means that the outcome of both failures needs to be the same wrt freeing the context. Either we free the context in or out of the function, but we cannot do both.

[iquerejeta]

It could be confusing for someone reading the code in the future to see these two functions: musig2_prepare_verifier and musig2_verify_musig2, and see that in both we create a new context and destroy it. For sake of clarity, I would comment why we do this, and the design decision for not doing it in a single function.

[iquerejeta]

Suggested change

	int musig2_verify_musig2(unsigned char *signature, const unsigned char *msg, int msg_len, musig2_aggr_pubkey *aggr_pk){
	int musig2_verify(unsigned char *signature, const unsigned char *msg, int msg_len, musig2_aggr_pubkey *aggr_pk){

[iquerejeta]

I'm not convinced by this naming. But this is just a suggestion. You'll be the main maintainer of the lib, so you can make the final call. The following is my reasoning:

• MUSIG2_PARSIG_BYTES is a bit confusing, because we define musig2_partial_signature to be two values with a total of 64 bytes. This variable is really used to determine the size of the 'scalar part' of the partial signature.
• I think I would remove the parsig bytes, and simply useSCALAR_BYTES and MUSIG2_BYTES for referring to the size of the signatures.

[iquerejeta]

Sorry, for the double comments. I'm using the code editor to review the PR and something clearly went wrong 😅