f some comments and add explanation about why an s2c_opening has a nonce_is_negated field

jonasnick · jonasnick · commit 779458a2be5f · 2019-07-04T20:54:51.000Z
diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -81,9 +81,9 @@ typedef struct {
     unsigned char data[64];
 } secp256k1_ecdsa_signature;
 
-/** Data structure that holds a sign-to-contract ("s2c") opening. Sign-to-contract
- *  allows a signer to commit to some data as part of a signature. It can be used as
- *  an Out-argument in certain signing functions.
+/** Data structure that holds a sign-to-contract ("s2c") opening information.
+ *  Sign-to-contract allows a signer to commit to some data as part of a signature. It
+ *  can be used as an Out-argument in certain signing functions.
  *
  *  This structure is not opaque, but it is strongly discouraged to read or write to
  *  it directly.
@@ -97,7 +97,10 @@ typedef struct {
     uint64_t magic;
     /* Public nonce before applying the sign-to-contract commitment */
     secp256k1_pubkey original_pubnonce;
-    /* Integer indicating if signing algorithm negated the nonce */
+    /* Byte indicating if signing algorithm negated the nonce. Alternatively when
+     * verifying we could compute the EC commitment of original_pubnonce and the
+     * data and negate if this would not be a valid nonce. But this would prevent
+     * batch verification of sign-to-contract commitments. */
     unsigned char nonce_is_negated;
 } secp256k1_s2c_opening;
 
diff --git a/src/modules/schnorrsig/main_impl.h b/src/modules/schnorrsig/main_impl.h
@@ -74,7 +74,7 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig
     ARG_CHECK(seckey != NULL);
     /* sign-to-contract commitments only work with the default nonce function,
      * because we need to ensure that s2c_data is actually hashed into the nonce and
-     * not just ignored. */
+     * not just ignored because otherwise this could result in nonce reuse. */
     ARG_CHECK(s2c_data32 == NULL || (noncefp == NULL || noncefp == secp256k1_nonce_function_bipschnorr));
     /* s2c_opening and s2c_data32 should be either both non-NULL or both NULL. */
     ARG_CHECK((s2c_opening != NULL) == (s2c_data32 != NULL));
