fix pre_sign. Now example passess

siv2r · siv2r · commit 7de7a2a84fc2 · 2024-10-11T16:27:53.000+05:30
diff --git a/examples/schnorr_adaptor.c b/examples/schnorr_adaptor.c
@@ -40,7 +40,7 @@ int main(void) {
      * for instance, the upstream PTLC secret he discovers. */
 	unsigned char sec_adaptor[32];
 	/* Secret adaptor t' (identical to t) that Alice extracts from
-     * her pre-signature and BIP340 signature  */
+     * the pre-signature and BIP340 signature  */
 	unsigned char extracted_sec_adaptor[32];
 
     secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
@@ -53,7 +53,7 @@ int main(void) {
 	}
 	/* Adaptor point T (= t*G) is given to Alice by original PTLC sender */
 	return_val = secp256k1_ec_pubkey_create(ctx, &adaptor_pk, sec_adaptor);
-	assert(return_val == 1);
+	assert(return_val);
 
     /* Alice generates her keypair, and the message hash to sign */
 	if (!fill_random(alice_seckey, sizeof(alice_seckey))) {
@@ -72,19 +72,19 @@ int main(void) {
 	/* Alice creates a pre-signature using the adaptor point T(=Z+A+B),
      * and sends it to Bob */
 	return_val = secp256k1_schnorr_adaptor_presign(ctx, pre_signature, msg_hash, &alice_keypair, &adaptor_pk, NULL);
-	assert(return_val == 1);
+	assert(return_val);
 
 	/* Bob extracts T from the pre-signature */
 	return_val = secp256k1_schnorr_adaptor_extract(ctx, &extracted_adaptor_pk, pre_signature, msg_hash, &alice_pubkey);
-    assert(return_val == 1);
+    assert(return_val);
     assert(secp256k1_ec_pubkey_cmp(ctx, &adaptor_pk, &extracted_adaptor_pk) == 0);
 
 	/* Bob forwards the PTLC. Bob's outgoing PTLC (Z+A+B+C) is claimed
      * by Carol. Bob decides to go to chain with the full signature to
      * claim PTLC, subtracting local secret `c`.
      */
 	return_val = secp256k1_schnorr_adaptor_adapt(ctx, signature, pre_signature, sec_adaptor);
-	assert(return_val == 1);
+	assert(return_val);
     /* Signature should be valid! */
     is_signature_valid = secp256k1_schnorrsig_verify(ctx, signature, msg_hash, 32, &alice_pubkey);
 	assert(is_signature_valid);
@@ -96,9 +96,10 @@ int main(void) {
 	assert(memcmp(sec_adaptor, extracted_sec_adaptor, sizeof(sec_adaptor)) == 0);
 
 	/* Alice subtracts out local blinding factor `b`, can now claim incoming
-	 * PTLC from Alice with sec_adaptor(=z+a) */
-
-	printf("Success!\n");
+	 * PTLC from Alice with sec_adaptor(=z+a)
+	 */
 
+	printf("Success!\n\n");
+	secp256k1_context_destroy(ctx);
     return 0;
 }
diff --git a/schnorr_adaptor_example b/schnorr_adaptor_example
diff --git a/src/modules/schnorr_adaptor/main_impl.h b/src/modules/schnorr_adaptor/main_impl.h
@@ -108,7 +108,7 @@ static int secp256k1_schnorr_adaptor_presign_internal(const secp256k1_context *c
     secp256k1_ge r, rp;
     secp256k1_ge pk;
     secp256k1_ge adaptor_ge;
-    unsigned char nonce32[32] = {0};
+    unsigned char nonce32[32] = { 0 };
     unsigned char pk_buf[32];
     unsigned char seckey[32];
     unsigned char adaptor_buff[33];
@@ -177,11 +177,12 @@ static int secp256k1_schnorr_adaptor_presign_internal(const secp256k1_context *c
     if (secp256k1_fe_is_odd(&rp.y)) {
         secp256k1_scalar_negate(&k, &k);
     }
+    ret &= secp256k1_eckey_pubkey_serialize(&rp, pre_sig65, &cmprssd_len, 1);
+
     secp256k1_schnorrsig_challenge(&e, &pre_sig65[1], msg32, 32, pk_buf);
     secp256k1_scalar_mul(&e, &e, &sk);
     secp256k1_scalar_add(&e, &e, &k);
     secp256k1_scalar_get_b32(&pre_sig65[33], &e);
-    ret &= secp256k1_eckey_pubkey_serialize(&rp, pre_sig65, &cmprssd_len, 1);
 
     secp256k1_memczero(pre_sig65, 65, !ret);
     secp256k1_scalar_clear(&k);
@@ -233,7 +234,7 @@ int secp256k1_schnorr_adaptor_extract(const secp256k1_context *ctx, secp256k1_pu
     secp256k1_fe_get_b32(buf, &pk.x);
     secp256k1_schnorrsig_challenge(&e, &pre_sig65[1], msg32, 32, buf);
 
-    /* Compute R = s*G - e*P */
+    /* Compute R = s*G + (-e)*P */
     secp256k1_scalar_negate(&e, &e);
     secp256k1_gej_set_ge(&pkj, &pk);
     secp256k1_ecmult(&rj, &pkj, &e, &s);
@@ -245,12 +246,13 @@ int secp256k1_schnorr_adaptor_extract(const secp256k1_context *ctx, secp256k1_pu
      *
      * `adaptor_presign` negates the secret nonce k when R’.y is odd, during
      * the computation of the s value (i.e., presig[33:65]). Therefore, we need
-     * to negate R = k*G (if R'.y is odd) before subtracting it from R'.
+     * to negate R = k*G (if R'.y is odd) before subtracting it from R' = R + T.
      *
      *  T =  R' - R if R'.y is even
-     *    =  R' + R if R'.y is odd
+     *    =  R' + R  if R'.y is odd
      */
-    if (secp256k1_fe_is_odd(&rp.y)) {
+    secp256k1_fe_normalize_var(&rp.y);
+    if (!secp256k1_fe_is_odd(&rp.y)) {
         secp256k1_gej_neg(&rj, &rj);
     }
     secp256k1_gej_add_ge_var(&adaptor_gej, &rj, &rp, NULL);
