Require message in musig protocol in an earlier state. In particular,

remove the set_msg function and require the message in get_public_nonce
at the latest.

Author: jonasnick

include/secp256k1_musig.h

@@ -151,9 +151,9 @@ SECP256K1_API int secp256k1_musig_pubkey_combine(
  *                     NULL). If a non-unique session_id32 was given then a partial
  *                     signature will LEAK THE SECRET KEY.
  *              msg32: the 32-byte message to be signed. Shouldn't be NULL unless you
- *                     require sharing public nonces before the message is known
+ *                     require sharing nonce commitments before the message is known
  *                     because it reduces nonce misuse resistance. If NULL, must be
- *                     set with `musig_session_set_msg` before signing and verifying.
+ *                     set with `musig_session_get_public_nonce`.
  *        combined_pk: the combined public key of all signers (cannot be NULL)
  *          pk_hash32: the 32-byte hash of the signers' individual keys (cannot be
  *                     NULL)
@@ -190,14 +190,17 @@ SECP256K1_API int secp256k1_musig_session_initialize(
  *  In:  commitments: array of 32-byte nonce commitments (cannot be NULL)
  *     n_commitments: the length of commitments and signers array. Must be the total
  *                    number of signers participating in the MuSig.
+ *             msg32: the 32-byte message to be signed. Must be NULL if already
+ *                    set with `musig_session_initialize` otherwise can not be NULL.
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_public_nonce(
     const secp256k1_context* ctx,
     secp256k1_musig_session *session,
     secp256k1_musig_session_signer_data *signers,
     secp256k1_pubkey *nonce,
     const unsigned char *const *commitments,
-    size_t n_commitments
+    size_t n_commitments,
+    const unsigned char *msg32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
 /** Initializes a verifier session that can be used for verifying nonce commitments
@@ -209,9 +212,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_publi
  *  Out:     session: the session structure to initialize (cannot be NULL)
  *           signers: an array of signers' data to be initialized. Array length must
  *                    equal to `n_signers`(cannot be NULL)
- *  In:        msg32: the 32-byte message to be signed If NULL, must be set with
- *                    `musig_session_set_msg` before using the session for verifying
- *                    partial signatures.
+ *  In:        msg32: the 32-byte message to be signed (cannot be NULL)
  *       combined_pk: the combined public key of all signers (cannot be NULL)
  *         pk_hash32: the 32-byte hash of the signers' individual keys (cannot be NULL)
  *       commitments: array of 32-byte nonce commitments. Array length must equal to
@@ -229,7 +230,7 @@ SECP256K1_API int secp256k1_musig_session_initialize_verifier(
     const unsigned char *pk_hash32,
     const unsigned char *const *commitments,
     size_t n_signers
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7);
 
 /** Checks a signer's public nonce against a commitment to said nonce, and update
  *  data structure if they match
@@ -275,20 +276,6 @@ SECP256K1_API int secp256k1_musig_session_combine_nonces(
     const secp256k1_pubkey *adaptor
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
-/** Sets the message of a session if previously unset
- *
- *  Returns 1 if the message was not set yet and is now successfully set
- *          0 otherwise
- *  Args:    ctx: pointer to a context object (cannot be NULL)
- *       session: the session structure to update with the message (cannot be NULL)
- *  In:    msg32: the 32-byte message to be signed (cannot be NULL)
- */
-SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_set_msg(
-    const secp256k1_context* ctx,
-    secp256k1_musig_session *session,
-    const unsigned char *msg32
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
-
 /** Serialize a MuSig partial signature or adaptor signature
  *
  *  Returns: 1 when the signature could be serialized, 0 otherwise

src/modules/musig/example.c

@@ -77,7 +77,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
     /* Communication round 1: Exchange nonce commitments */
     for (i = 0; i < N_SIGNERS; i++) {
         /* Set nonce commitments in the signer data and get the own public nonce */
-        if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], &nonce[i], nonce_commitment_ptr, N_SIGNERS)) {
+        if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], &nonce[i], nonce_commitment_ptr, N_SIGNERS, NULL)) {
             return 0;
         }
     }

src/modules/musig/main_impl.h

@@ -211,7 +211,7 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m
     return 1;
 }
 
-int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, secp256k1_pubkey *nonce, const unsigned char *const *commitments, size_t n_commitments) {
+int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, secp256k1_pubkey *nonce, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32) {
     secp256k1_sha256 sha;
     unsigned char nonce_commitments_hash[32];
     size_t i;
@@ -222,6 +222,10 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2
     ARG_CHECK(signers != NULL);
     ARG_CHECK(nonce != NULL);
     ARG_CHECK(commitments != NULL);
+    /* If the message was not set during initialization it must be set now. */
+    ARG_CHECK(!(!session->msg_is_set && msg32 == NULL));
+    /* The message can only be set once. */
+    ARG_CHECK(!(session->msg_is_set && msg32 != NULL));
 
     if (!session->has_secret_data || n_commitments != session->n_signers) {
         return 0;
@@ -230,6 +234,10 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2
         ARG_CHECK(commitments[i] != NULL);
     }
 
+    if (msg32 != NULL) {
+        memcpy(session->msg, msg32, 32);
+        session->msg_is_set = 1;
+    }
     secp256k1_sha256_initialize(&sha);
     for (i = 0; i < n_commitments; i++) {
         memcpy(signers[i].nonce_commitment, commitments[i], 32);
@@ -254,6 +262,7 @@ int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, se
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(session != NULL);
     ARG_CHECK(signers != NULL);
+    ARG_CHECK(msg32 != NULL);
     ARG_CHECK(combined_pk != NULL);
     ARG_CHECK(pk_hash32 != NULL);
     ARG_CHECK(commitments != NULL);
@@ -278,11 +287,8 @@ int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, se
 
     memcpy(session->pk_hash, pk_hash32, 32);
     session->nonce_is_set = 0;
-    session->msg_is_set = 0;
-    if (msg32 != NULL) {
-        memcpy(session->msg, msg32, 32);
-        session->msg_is_set = 1;
-    }
+    session->msg_is_set = 1;
+    memcpy(session->msg, msg32, 32);
     session->has_secret_data = 0;
     session->nonce_commitments_hash_is_set = 0;
 
@@ -373,19 +379,6 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256
     return 1;
 }
 
-int secp256k1_musig_session_set_msg(const secp256k1_context* ctx, secp256k1_musig_session *session, const unsigned char *msg32) {
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(session != NULL);
-    ARG_CHECK(msg32 != NULL);
-
-    if (session->msg_is_set) {
-        return 0;
-    }
-    memcpy(session->msg, msg32, 32);
-    session->msg_is_set = 1;
-    return 1;
-}
-
 int secp256k1_musig_partial_signature_serialize(const secp256k1_context* ctx, unsigned char *out32, const secp256k1_musig_partial_signature* sig) {
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(out32 != NULL);

src/modules/musig/musig.md

@@ -91,6 +91,8 @@ signature process, which is also a supported mode) acts as follows.
    length-32 byte arrays which can be communicated however is communicated.
 3. Once all signers nonce commitments have been received, the signer records
    these commitments with the function `secp256k1_musig_session_get_public_nonce`.
+   If the signer did not provide a message to `secp256k1_musig_session_initialize`,
+   a message must be provided now.
    This function updates in place
    - the session state `session`
    - the array of signer data `signers`
@@ -111,9 +113,6 @@ signature process, which is also a supported mode) acts as follows.
    - the array of signer data `signers`
    It outputs an auxiliary integer `nonce_is_negated` and has an auxiliary input
    `adaptor`. Both of these may be set to NULL for ordinary signing purposes.
-   If the signer did not provide a message to `secp256k1_musig_session_initialize`,
-   a message must be provided now by calling `secp256k1_musig_session_set_msg` which
-   updates the session state in place.
 6. The signer computes a partial signature `s_i` using the function
    `secp256k1_musig_partial_sign` which takes the session state as input and
    partial signature as output.