
Commit 419c05c

committed
musig2: dedup nonce calculation (R = R1 + b*R2)
Introduce a helper that is used both for calculating the final nonce in `secp256k1_musig_nonce_process` and the "effective" nonce needed for verifying a partial signature in `secp256k1_musig_partial_sig_verify`.
1 parent 5dccc7b commit 419c05c

1 file changed

+11
-9
lines changed


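--- a/src/modules/musig/session_impl.h
+++ b/src/modules/musig/session_impl.h
@@ -562,20 +562,24 @@ static void secp256k1_musig_compute_noncehash(unsigned char *noncehash, secp256k
 secp256k1_sha256_finalize(&sha, noncehash);
 }
 
+static void compute_nonce_from_points_and_coeff(secp256k1_gej *noncej, const secp256k1_ge *noncepoints, const secp256k1_scalar *b) {
+secp256k1_gej noncepoint2j;
+
+/* nonce = noncepoints[0] + b*noncepoints[1] */
+secp256k1_gej_set_ge(&noncepoint2j, &noncepoints[1]);
+secp256k1_ecmult(noncej, &noncepoint2j, b, NULL);
+secp256k1_gej_add_ge_var(noncej, noncej, &noncepoints[0], NULL);
+}
+
 static int secp256k1_musig_nonce_process_internal(int *fin_nonce_parity, unsigned char *fin_nonce, secp256k1_scalar *b, secp256k1_ge *aggnonce, const unsigned char *agg_pk32, const unsigned char *msg) {
 unsigned char noncehash[32];
 secp256k1_ge fin_nonce_pt;
 secp256k1_gej fin_nonce_ptj;
-secp256k1_gej aggnoncej[2];
 
 secp256k1_musig_compute_noncehash(noncehash, aggnonce, agg_pk32, msg);
-secp256k1_gej_set_ge(&aggnoncej[0], &aggnonce[0]);
-secp256k1_gej_set_ge(&aggnoncej[1], &aggnonce[1]);
 /* fin_nonce = aggnonce[0] + b*aggnonce[1] */
 secp256k1_scalar_set_b32(b, noncehash, NULL);
-secp256k1_gej_set_infinity(&fin_nonce_ptj);
-secp256k1_ecmult(&fin_nonce_ptj, &aggnoncej[1], b, NULL);
-secp256k1_gej_add_ge_var(&fin_nonce_ptj, &fin_nonce_ptj, &aggnonce[0], NULL);
+compute_nonce_from_points_and_coeff(&fin_nonce_ptj, aggnonce, b);
 secp256k1_ge_set_gej(&fin_nonce_pt, &fin_nonce_ptj);
 if (secp256k1_ge_is_infinity(&fin_nonce_pt)) {
 fin_nonce_pt = secp256k1_ge_const_g;
@@ -734,9 +738,7 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2
 if (!secp256k1_musig_pubnonce_load(ctx, nonce_pt, pubnonce)) {
 return 0;
 }
-secp256k1_gej_set_ge(&rj, &nonce_pt[1]);
-secp256k1_ecmult(&rj, &rj, &session_i.noncecoef, NULL);
-secp256k1_gej_add_ge_var(&rj, &rj, &nonce_pt[0], NULL);
+compute_nonce_from_points_and_coeff(&rj, nonce_pt, &session_i.noncecoef);
 
 if (!secp256k1_pubkey_load(ctx, &pkp, pubkey)) {
 return 0;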
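Review bot: The new helper `compute_nonce_from_points_and_coeff` (first hunk, new line 565) is the only static in this section without the `secp256k1_musig_` prefix that its neighbours `secp256k1_musig_compute_noncehash` and `secp256k1_musig_nonce_process_internal` carry; renaming it to `secp256k1_musig_compute_nonce_from_points_and_coeff` at the definition and at both call sites would keep the file's namespacing consistent. The helper also has no header comment stating its contract: I would add one above the definition saying that `noncepoints` must point to an array of exactly two affine points, that `noncej` is written in Jacobian form and may be the point at infinity (the caller in `secp256k1_musig_nonce_process_internal` checks for this after converting), and, because it uses the variable-time `secp256k1_gej_add_ge_var`, that it is intended for public inputs only, which both current call sites appear to satisfy (an aggregate or loaded public nonce and a coefficient derived from the nonce hash). A short form would be `/* Computes noncej = noncepoints[0] + b*noncepoints[1] using variable-time arithmetic;` / ` * noncepoints and b must be public. The result may be infinity. */`. Both enclosing functions, `secp256k1_musig_nonce_process_internal` and `secp256k1_musig_partial_sig_verify`, continue outside their hunks.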
