From 5b4eb18ec5e8ccd9b6a5b5f23fe47e72481b7349 Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Thu, 12 Dec 2019 21:45:02 +0000
Subject: [PATCH] musig: shorten partial nonce byte array from 33 to 32 bytes
---
 include/secp256k1_musig.h | 13 +++++++------
 src/modules/musig/example.c | 2 +-
 src/modules/musig/main_impl.h | 22 ++++++++++++----------
 src/modules/musig/tests_impl.h | 18 +++++++++---------
 4 files changed, 29 insertions(+), 26 deletions(-)
diff --git a/include/secp256k1_musig.h b/include/secp256k1_musig.h
index c3e225e8..52b78ef0 100644
--- a/include/secp256k1_musig.h
+++ b/include/secp256k1_musig.h
@@ -75,7 +75,8 @@ typedef struct {
     int has_secret_data;
     unsigned char seckey[32];
     unsigned char secnonce[32];
-    secp256k1_pubkey nonce;
+    secp256k1_xonly_pubkey nonce;
+    int partial_nonce_parity;
     unsigned char nonce_commitments_hash[32];
     secp256k1_xonly_pubkey combined_nonce;
     int combined_nonce_parity;
@@ -111,7 +112,7 @@ typedef struct {
 typedef struct {
     int present;
     uint32_t index;
-    secp256k1_pubkey nonce;
+    secp256k1_xonly_pubkey nonce;
     unsigned char nonce_commitment[32];
 } secp256k1_musig_session_signer_data;
@@ -207,7 +208,7 @@ SECP256K1_API int secp256k1_musig_session_init(
  * signers: an array of signers' data initialized with
  * `musig_session_init`. Array length must equal to
  * `n_commitments` (cannot be NULL)
- * Out: nonce33: filled with a 33-byte public nonce which is supposed to be
+ * Out: nonce32: filled with a 32-byte public nonce which is supposed to be
  * sent to the other signers and then used in `musig_set nonce`
  * (cannot be NULL)
  * In: commitments: array of pointers to 32-byte nonce commitments (cannot be NULL)
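Review bot: The new `partial_nonce_parity` field added to the session struct in the first hunk carries no comment, and its meaning is only recoverable from main_impl.h, where it is set from `secp256k1_extrakeys_ge_even_y` on the signer's own nonce point and later compared against `combined_nonce_parity` in partial_sign. A one-line comment would keep that in the header, e.g. `int partial_nonce_parity; /* 1 if this signer's nonce point had odd Y before x-only serialization */`. In the third hunk the `Out: nonce32` text could also say what the 32 bytes are, since the `nonce` field's type change to `secp256k1_xonly_pubkey` is what fixes the wire format: `* Out: nonce32: filled with a 32-byte x-only public nonce which is supposed to be`. Both typedefs enclosing the first two hunks start and end outside the hunks.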
@@ -220,7 +221,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_publi
     const secp256k1_context* ctx,
     secp256k1_musig_session *session,
     secp256k1_musig_session_signer_data *signers,
-    unsigned char *nonce33,
+    unsigned char *nonce32,
     const unsigned char *const *commitments,
     size_t n_commitments,
     const unsigned char *msg32
@@ -266,12 +267,12 @@ SECP256K1_API int secp256k1_musig_session_init_verifier(
  * signer: pointer to the signer data to update (cannot be NULL). Must have
  * been used with `musig_session_get_public_nonce` or initialized
  * with `musig_session_init_verifier`.
- * In: nonce33: signer's alleged public nonce (cannot be NULL)
+ * In: nonce32: signer's alleged public nonce (cannot be NULL)
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce(
     const secp256k1_context* ctx,
     secp256k1_musig_session_signer_data *signer,
-    const unsigned char *nonce33
+    const unsigned char *nonce32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 /** Updates a session with the combined public nonce of all signers. The combined
diff --git a/src/modules/musig/example.c b/src/modules/musig/example.c
index 43d982be..2c5b7006 100644
--- a/src/modules/musig/example.c
+++ b/src/modules/musig/example.c
@@ -45,7 +45,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
     unsigned char nonce_commitment[N_SIGNERS][32];
     const unsigned char *nonce_commitment_ptr[N_SIGNERS];
     secp256k1_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS];
-    unsigned char nonce[N_SIGNERS][33];
+    unsigned char nonce[N_SIGNERS][32];
     int i, j;
     secp256k1_musig_partial_signature partial_sig[N_SIGNERS];
diff --git a/src/modules/musig/main_impl.h b/src/modules/musig/main_impl.h
index 99f054cc..7f750945 100644
--- a/src/modules/musig/main_impl.h
+++ b/src/modules/musig/main_impl.h
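Review bot: In the `musig_set_nonce` hunk the renamed `nonce32` parameter is still documented only as "signer's alleged public nonce", so a caller has to infer the length and encoding from the parameter name, while the implementation hashes exactly 32 bytes of it and parses it with `secp256k1_xonly_pubkey_parse`. Suggest `* In: nonce32: signer's alleged 32-byte x-only public nonce (cannot be NULL)`. The `get_public_nonce` hunk above it would benefit from the same wording for its `nonce32` output, if the header comment there is not already being updated elsewhere.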
@@ -141,7 +141,7 @@ int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_s
     secp256k1_sha256 sha;
     secp256k1_gej pj;
     secp256k1_ge p;
-    unsigned char nonce_ser[33];
+    unsigned char nonce_ser[32];
     size_t nonce_ser_size = sizeof(nonce_ser);
     VERIFY_CHECK(ctx != NULL);
@@ -221,10 +221,12 @@ int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_s
     /* Compute public nonce and commitment */
     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret);
     secp256k1_ge_set_gej(&p, &pj);
-    secp256k1_pubkey_save(&session->nonce, &p);
+    secp256k1_fe_normalize_var(&p.y);
+    session->partial_nonce_parity = secp256k1_extrakeys_ge_even_y(&p);
+    secp256k1_xonly_pubkey_save(&session->nonce, &p);
     secp256k1_sha256_initialize(&sha);
-    secp256k1_ec_pubkey_serialize(ctx, nonce_ser, &nonce_ser_size, &session->nonce, SECP256K1_EC_COMPRESSED);
+    secp256k1_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce);
     secp256k1_sha256_write(&sha, nonce_ser, nonce_ser_size);
     secp256k1_sha256_finalize(&sha, nonce_commitment32);
@@ -237,7 +239,7 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2
     secp256k1_sha256 sha;
     unsigned char nonce_commitments_hash[32];
     size_t i;
-    unsigned char nonce_ser[33];
+    unsigned char nonce_ser[32];
     size_t nonce_ser_size = sizeof(nonce_ser);
     (void) ctx;
@@ -271,7 +273,7 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2
     secp256k1_sha256_finalize(&sha, nonce_commitments_hash);
     memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32);
-    secp256k1_ec_pubkey_serialize(ctx, nonce_ser, &nonce_ser_size, &session->nonce, SECP256K1_EC_COMPRESSED);
+    secp256k1_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce);
     memcpy(nonce, &nonce_ser, nonce_ser_size);
     session->round = 1;
     return 1;
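Review bot: `nonce_ser_size` in the `-141` and `-237` hunks has become a plain constant: `secp256k1_xonly_pubkey_serialize` takes no length argument, so the variable is no longer the in/out size it was for `secp256k1_ec_pubkey_serialize` and now only feeds `secp256k1_sha256_write` and `memcpy`, where `sizeof(nonce_ser)` says the same thing without a second name to keep in sync with the array. In the `-221` hunk the reason for recording the parity deserves a comment, because the value decides whether `partial_sign` negates k later in this file, e.g. `/* The nonce is sent x-only (even Y); remember whether the real point had odd Y so partial_sign can negate k to match. */`. If `secp256k1_extrakeys_ge_even_y` already normalizes `p.y` internally, the preceding `secp256k1_fe_normalize_var(&p.y)` is redundant — worth confirming against the extrakeys helper rather than keeping both. The enclosing functions start and end outside these hunks.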
@@ -326,14 +328,14 @@ int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_sess
     ARG_CHECK(nonce != NULL);
     secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, nonce, 33);
+    secp256k1_sha256_write(&sha, nonce, 32);
     secp256k1_sha256_finalize(&sha, commit);
     if (memcmp(commit, signer->nonce_commitment, 32) != 0) {
         return 0;
     }
     memcpy(&signer->nonce, nonce, sizeof(*nonce));
-    if (!secp256k1_ec_pubkey_parse(ctx, &signer->nonce, nonce, 33)) {
+    if (!secp256k1_xonly_pubkey_parse(ctx, &signer->nonce, nonce)) {
         return 0;
     }
     signer->present = 1;
@@ -362,7 +364,7 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256
             return 0;
         }
         secp256k1_sha256_write(&sha, signers[i].nonce_commitment, 32);
-        secp256k1_pubkey_load(ctx, &noncep, &signers[i].nonce);
+        secp256k1_xonly_pubkey_load(ctx, &noncep, &signers[i].nonce);
         secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL);
     }
     secp256k1_sha256_finalize(&sha, nonce_commitments_hash);
@@ -458,7 +460,7 @@ int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_m
         secp256k1_scalar_clear(&k);
         return 0;
     }
-    if (session->combined_nonce_parity) {
+    if (session->partial_nonce_parity != session->combined_nonce_parity) {
         secp256k1_scalar_negate(&k, &k);
     }
@@ -543,7 +545,7 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2
     secp256k1_musig_coefficient(&mu, session->pre_session.pk_hash, signer->index);
     secp256k1_scalar_mul(&e, &e, &mu);
-    if (!secp256k1_pubkey_load(ctx, &rp, &signer->nonce)) {
+    if (!secp256k1_xonly_pubkey_load(ctx, &rp, &signer->nonce)) {
         return 0;
     }
     /* If the MuSig-combined point has an odd Y coordinate, the signers will
diff --git a/src/modules/musig/tests_impl.h b/src/modules/musig/tests_impl.h
index 0ea712b4..18f3b2ef 100644
--- a/src/modules/musig/tests_impl.h
+++ b/src/modules/musig/tests_impl.h
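Review bot: `memcpy(&signer->nonce, nonce, sizeof(*nonce));` in the `musig_set_nonce` hunk copies a single byte (`nonce` is `unsigned char *`, so `sizeof(*nonce)` is 1) into the pubkey struct and is overwritten on the very next line by `secp256k1_xonly_pubkey_parse`, which writes the whole struct on success; it reads like a leftover and could be deleted while the surrounding lines are being changed. The commitment now covers only the 32-byte x coordinate, which appears consistent with the sender side: `session_init` forces the transmitted nonce to its even-Y representative via `secp256k1_extrakeys_ge_even_y`, and `xonly_pubkey_parse` reconstructs that same point here. A short comment at the hash, `/* Commitment is over the 32-byte x-only nonce; parity is fixed to even Y by construction. */`, would make that dependency visible. The enclosing function starts outside the hunk.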
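Review bot: The new condition `session->partial_nonce_parity != session->combined_nonce_parity` in the `musig_partial_sign` hunk encodes a two-step negation that is not obvious from the line itself: the secret k corresponds to the signer's real nonce point, the transmitted nonce is its even-Y version, and the combined nonce is again forced to even Y, so k must be negated exactly when the two adjustments differ. A comment such as `/* Negate k iff exactly one of: our own nonce point had odd Y (we sent -R_i), the combined nonce had odd Y. */` would preserve that reasoning for the next reader. Assuming `partial_nonce_parity` is only written on the `session_init` path, it is worth confirming that `partial_sign` cannot be reached with a verifier-initialized session where the field was never set — presumably guarded by `has_secret_data`, which is outside the hunk. The enclosing function starts and ends outside the hunk.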
@@ -31,7 +31,7 @@ void musig_simple_test(secp256k1_scratch_space *scratch) {
     unsigned char session_id[2][32];
     secp256k1_xonly_pubkey pk[2];
     const unsigned char *ncs[2];
-    unsigned char public_nonce[3][33];
+    unsigned char public_nonce[3][32];
     secp256k1_musig_partial_signature partial_sig[2];
     unsigned char final_sig[64];
@@ -238,7 +238,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
     /** Signing step 0 -- exchange nonce commitments */
     ecount = 0;
     {
-        unsigned char nonce[33];
+        unsigned char nonce[32];
         secp256k1_musig_session session_0_tmp;
         memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp));
@@ -252,7 +252,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
     /** Signing step 1 -- exchange nonces */
     ecount = 0;
     {
-        unsigned char public_nonce[3][33];
+        unsigned char public_nonce[3][32];
         secp256k1_musig_session session_0_tmp;
         memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp));
@@ -479,7 +479,7 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp25
     secp256k1_xonly_pubkey pks_tmp[2];
     secp256k1_xonly_pubkey combined_pk_tmp;
     secp256k1_musig_pre_session pre_session_tmp;
-    unsigned char nonce[33];
+    unsigned char nonce[32];
     /* Set up signers with different public keys */
     secp256k1_testrand256(sk_dummy);
@@ -512,7 +512,7 @@ int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey *
     secp256k1_musig_session_signer_data *signers_to_use;
     unsigned char nonce_commitment[32];
     unsigned char session_id[32];
-    unsigned char nonce[33];
+    unsigned char nonce[32];
     const unsigned char *ncs[2];
     /* Initialize new signers */
@@ -545,7 +545,7 @@ void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xo
     secp256k1_musig_session_signer_data signers[2];
     unsigned char nonce_commitment[32];
     const unsigned char *ncs[2];
-    unsigned char nonce[33];
+    unsigned char nonce[32];
     secp256k1_musig_partial_signature partial_sig;
     secp256k1_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount);
@@ -586,7 +586,7 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) {
     secp256k1_xonly_pubkey pk[2];
     secp256k1_xonly_pubkey combined_pk;
     secp256k1_musig_pre_session pre_session;
-    unsigned char nonce[2][33];
+    unsigned char nonce[2][32];
     const unsigned char *ncs[2];
     secp256k1_musig_partial_signature partial_sig[2];
     unsigned char sig[64];
@@ -706,8 +706,8 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) {
     unsigned char noncommit_b[2][32];
     const unsigned char *noncommit_a_ptr[2];
     const unsigned char *noncommit_b_ptr[2];
-    unsigned char pubnon_a[2][33];
-    unsigned char pubnon_b[2][33];
+    unsigned char pubnon_a[2][32];
+    unsigned char pubnon_b[2][32];
     int combined_nonce_parity_a;
     int combined_nonce_parity_b;
     secp256k1_musig_session_signer_data data_a[2];