f3126fdfec norm arg: remove prove edge tests which are now covered by vectors (Jonas Nick)
847ed9ecb2 norm arg: add verification to prove vectors (Jonas Nick)
cf797ed2a4 norm arg: add prove test vectors (Jonas Nick)
095c1e749c norm arg: add prove_const to tests (Jonas Nick)
bf7bf8a64f norm arg: split norm_arg_zero into prove_edge and verify_zero_len (Jonas Nick)
a70c4d4a8a norm arg: add test vector for |n| = 0 (Jonas Nick)
f5e4b16f0f norm arg: add test vector for sign bit malleability (Jonas Nick)
c0de361fc5 norm arg: allow X and R to be the point at infinity (Jonas Nick)
f22834f202 norm arg: add verify vector for n = [0], l = [0] (Jonas Nick)
d8e7f3763b musig: move ge_{serialize,parse}_ext to module-independent file (Jonas Nick)
Pull request description:
ACKs for top commit:
Liam-Eagen:
ACK f3126fd
Tree-SHA512: 1aad86521fce74435beabe7690c7fcc38ad9ae7a884ddcab69ef825b573433f700723a7672d29df1b4465bc33d5957b6a46f657f988cfd2cc73fa94a3472357d
- 0.7.0: Change ''NonceGen'' such that output when message is not present is different from when message is present but has length 0.
- 0.6.0: Change order of arguments and serialization of the message in the ''NonceGen'' hash function
Also fix bug in description that resulted in a wrong definition of t.
And rename keyagg coefficient from 'mu' to 'a' since we don't use the term "musig
coefficient" anymore and a is what is used in the paper.
69b392f3cb musig: move explanation for aggnonce=inf to spec (Jonas Nick)
4824220bb7 musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg} (Jonas Nick)
3c122d0780 musig-spec: improve definition of lift_x (Jonas Nick)
e0bb2d7009 musig-spec: improve KeyAgg description (Jonas Nick)
b8f4e75d89 musig-spec: move to doc directory (Jonas Nick)
Pull request description:
Will wait before adding tweaking until #151 is merged.
ACKs for top commit:
robot-dreams:
ACK 69b392f3cb based on:
real-or-random:
ACK 69b392f3cb I haven't looked at every detail but it's certainly ready to be merged as draft spec
Tree-SHA512: e3aa0265a9d7a7648e03ca42575397100edd5af43f0224937af51aa5c77efc451d7938149bdc711f69e24fb9291438453b8cd762affaa1a2e7bcc89f121485df
8088eddc53 musig: add test vector for ordinary (non xonly) tweaking (Elliott Jin)
57a17929fc musig: add ordinary and xonly tweaking to the example (Jonas Nick)
37107361a0 musig: allow ordinary, non-xonly tweaking (Jonas Nick)
c519b46879 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache (Jonas Nick)
Pull request description:
In short, `musig_pubkey_tweak_add` now allows for xonly _and_ "ordinary" tweaking. Also, in order to allow using `ec_pubkey_tweak_add` on the non-xonly aggregate public key, there's a new function `musig_pubkey_get` that allows obtaining it from the `keyagg_cache`.
One alternative would be that instead of adding `musig_pubkey_get`, we could change `pubkey_agg` to output an ordinary (non-xonly) pubkey. Then users of the API who do not need ordinary (BIP32) tweaking would be forced to call `xonly_pubkey_from_pubkey`. And we'd probably want to change the spec. And it would be a bit weird to output a pubkey that can't be directly schnorrsig_verify'd.
Based on #131
ACKs for top commit:
robot-dreams:
ACK 8088eddc53 based on https://github.com/ElementsProject/secp256k1-zkp/pull/151#issuecomment-1005198409 and the following `range-diff`:
Tree-SHA512: a4a0100f0470c870f88a8da27dbcc4684fcc2caabb368d4340e962e08d5ee04634e6289bafa3448dbfd0b5793a3e70de5bd6ddca7a619cc3220ff762d518a8fe
8f093be374 musig: use tagged hash for the list of pubkeys to aggregate (Jonas Nick)
a6a768a4bf musig: make key agg test vector more precise (Jonas Nick)
Pull request description:
Top commit has no ACKs.
Tree-SHA512: 5369dc5b4039dd4cda2c50282db2882c088b96e1daa5801240f92be1832ed8f29317fdbfc3cab211707155c284a68dc593967f3141703e2544f6b8dc1553e44d
