Merge ElementsProject/secp256k1-zkp#151: MuSig: Add Minimal Compatibility with BIP32 Tweaking

8088eddc53 musig: add test vector for ordinary (non xonly) tweaking (Elliott Jin)
57a17929fc musig: add ordinary and xonly tweaking to the example (Jonas Nick)
37107361a0 musig: allow ordinary, non-xonly tweaking (Jonas Nick)
c519b46879 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache (Jonas Nick)

Pull request description:

  In short, `musig_pubkey_tweak_add` now allows for xonly _and_ "ordinary" tweaking. Also, in order to allow using `ec_pubkey_tweak_add` on the non-xonly aggregate public key, there's a new function `musig_pubkey_get` that allows obtaining it from the `keyagg_cache`.

  One alternative would be that instead of adding `musig_pubkey_get`, we could change `pubkey_agg` to output an ordinary (non-xonly) pubkey. Then users of the API who do not need ordinary (BIP32) tweaking would be forced to call `xonly_pubkey_from_pubkey`. And we'd probably want to change the spec. And it would be a bit weird to output a pubkey that can't be directly schnorrsig_verify'd.

  Based on #131

ACKs for top commit:
  robot-dreams:
    ACK 8088eddc53 based on https://github.com/ElementsProject/secp256k1-zkp/pull/151#issuecomment-1005198409 and the following `range-diff`:

Tree-SHA512: a4a0100f0470c870f88a8da27dbcc4684fcc2caabb368d4340e962e08d5ee04634e6289bafa3448dbfd0b5793a3e70de5bd6ddca7a619cc3220ff762d518a8fe

include/secp256k1_musig.h

@@ -223,16 +223,77 @@ SECP256K1_API int secp256k1_musig_pubkey_agg(
     size_t n_pubkeys
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(5);
 
-/** Tweak an x-only public key in a given keyagg_cache by adding
- *  the generator multiplied with `tweak32` to it.
+/** Obtain the aggregate public key from a keyagg_cache.
+ *
+ *  This is only useful if you need the non-xonly public key, in particular for
+ *  ordinary (non-xonly) tweaking or batch-verifying multiple key aggregations
+ *  (not implemented).
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:        ctx: pointer to a context object
+ *  Out:      agg_pk: the MuSig-aggregated public key.
+ *  In: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ *                    `musig_pubkey_agg`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *agg_pk,
+    secp256k1_musig_keyagg_cache *keyagg_cache
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Apply ordinary "EC" tweaking to a public key in a given keyagg_cache by
+ *  adding the generator multiplied with `tweak32` to it. This is useful for
+ *  deriving child keys from an aggregate public key via BIP32.
+ *
+ *  The tweaking method is the same as `secp256k1_ec_pubkey_tweak_add`. So after
+ *  the following pseudocode buf and buf2 have identical contents (absent
+ *  earlier failures).
+ *
+ *  secp256k1_musig_pubkey_agg(..., keyagg_cache, pubkeys, ...)
+ *  secp256k1_musig_pubkey_get(..., agg_pk, keyagg_cache)
+ *  secp256k1_musig_pubkey_ec_tweak_add(..., output_pk, tweak32, keyagg_cache)
+ *  secp256k1_ec_pubkey_serialize(..., buf, output_pk)
+ *  secp256k1_ec_pubkey_tweak_add(..., agg_pk, tweak32)
+ *  secp256k1_ec_pubkey_serialize(..., buf2, agg_pk)
+ *
+ *  This function is required if you want to _sign_ for a tweaked aggregate key.
+ *  On the other hand, if you are only computing a public key, but not intending
+ *  to create a signature for it, you can just use
+ *  `secp256k1_ec_pubkey_tweak_add`.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *  Args:            ctx: pointer to a context object initialized for verification
+ *  Out:   output_pubkey: pointer to a public key to store the result. Will be set
+ *                        to an invalid value if this function returns 0. If you
+ *                        do not need it, this arg can be NULL.
+ *  In/Out: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ *                       `musig_pubkey_agg`
+ *  In:          tweak32: pointer to a 32-byte tweak. If the tweak is invalid
+ *                        according to `secp256k1_ec_seckey_verify`, this function
+ *                        returns 0. For uniformly random 32-byte arrays the
+ *                        chance of being invalid is negligible (around 1 in
+ *                        2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *output_pubkey,
+    secp256k1_musig_keyagg_cache *keyagg_cache,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Apply x-only tweaking to a public key in a given keyagg_cache by adding the
+ *  generator multiplied with `tweak32` to it. This is useful for creating
+ *  Taproot outputs.
  *
  *  The tweaking method is the same as `secp256k1_xonly_pubkey_tweak_add`. So in
  *  the following pseudocode xonly_pubkey_tweak_add_check (absent earlier
  *  failures) returns 1.
  *
  *  secp256k1_musig_pubkey_agg(..., agg_pk, keyagg_cache, pubkeys, ...)
- *  secp256k1_musig_pubkey_tweak_add(..., output_pubkey, tweak32, keyagg_cache)
- *  secp256k1_xonly_pubkey_serialize(..., buf, output_pubkey)
+ *  secp256k1_musig_pubkey_xonly_tweak_add(..., output_pk, tweak32, keyagg_cache)
+ *  secp256k1_xonly_pubkey_serialize(..., buf, output_pk)
  *  secp256k1_xonly_pubkey_tweak_add_check(..., buf, ..., agg_pk, tweak32)
  *
  *  This function is required if you want to _sign_ for a tweaked aggregate key.
@@ -255,7 +316,7 @@ SECP256K1_API int secp256k1_musig_pubkey_agg(
  *                        chance of being invalid is negligible (around 1 in
  *                        2^128).
  */
-SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_tweak_add(
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(
     const secp256k1_context* ctx,
     secp256k1_pubkey *output_pubkey,
     secp256k1_musig_keyagg_cache *keyagg_cache,