Merge ElementsProject/secp256k1-zkp#158: Small musig improvements

d895b10c18 musig: mention musig.md in example (Jonas Nick) 588009d26f musig: improve doc of partial_sig_verify regarding signing sessions (Jonas Nick) b1094953c4 musig: remove superfluous comment (Jonas Nick) Pull request description: ACKs for top commit: robot-dreams: ACK d895b10c18 real-or-random: ACK d895b10c18 Tree-SHA512: 35169240868500bb27e5a6b8779f090d3f33a6c0cb1a4574e6e53e9c52782f454fe7df6d49b68e0acdd174e25a756bf6267339f0d4e94f28d5ae49145f21e298
2022-01-25 10:53:30 +01:00
parent 772df3694e d895b10c18
commit 8fd97d8116
3 changed files with 21 additions and 15 deletions
--- a/include/secp256k1_musig.h
+++ b/include/secp256k1_musig.h
@@ -459,6 +459,18 @@ SECP256K1_API int secp256k1_musig_partial_sign(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);

 /** Verifies an individual signer's partial signature
+ *
+ *  The signature is verified for a specific signing session. In order to avoid
+ *  accidentally verifying a signature from a different or non-existing signing
+ *  session, you must ensure the following:
+ *    1. The `keyagg_cache` argument is identical to the one used to create the
+ *       `session` with `musig_nonce_process`.
+ *    2. The `pubkey` argument must be identical to the one sent by the signer
+ *       before aggregating it with `musig_pubkey_agg` to create the
+ *       `keyagg_cache`.
+ *    3. The `pubnonce` argument must be identical to the one sent by the signer
+ *       before aggregating it with `musig_nonce_agg` and using the result to
+ *       create the `session` with `musig_nonce_process`.
 *
 *  This function is essential when using protocols with adaptor signatures.
 *  However, it is not essential for regular MuSig sessions, in the sense that if any
@@ -469,13 +481,14 @@ SECP256K1_API int secp256k1_musig_partial_sign(
 *  Returns: 0 if the arguments are invalid or the partial signature does not
 *           verify, 1 otherwise
 *  Args         ctx: pointer to a context object, initialized for verification
- *  In:  partial_sig: pointer to partial signature to verify
- *          pubnonce: public nonce sent by the signer who produced the signature
- *            pubkey: public key of the signer who produced the signature
+ *  In:  partial_sig: pointer to partial signature to verify, sent by
+ *                    the signer associated with `pubnonce` and `pubkey`
+ *          pubnonce: public nonce of the signer in the signing session
+ *            pubkey: public key of the signer in the signing session
 *      keyagg_cache: pointer to the keyagg_cache that was output when the
- *                    aggregate public key for this session
+ *                    aggregate public key for this signing session
 *           session: pointer to the session that was created with
- *                    musig_nonce_process
+ *                    `musig_nonce_process`
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(
    const secp256k1_context* ctx,