f renamed 'opening' to 'original_nonce' and 'data_commitment' to 'data_hash'

Author: jonasnick

include/secp256k1.h

@@ -92,7 +92,7 @@ typedef struct {
  */
 typedef struct {
     unsigned char data[32];
-    unsigned char data_commitment[32];
+    unsigned char data_hash[32];
     secp256k1_pubkey original_pubnonce;
 } secp256k1_s2c_commit_context;
 
@@ -500,17 +500,18 @@ SECP256K1_API int secp256k1_s2c_commit_context_create(
     const unsigned char *data32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
-/** Gets the opening of a sign-to-contract commitment from an s2c_ctx after signing.
- *  The "opening" is the original public nonce before adding the s2c commitment tweak.
+/** Gets the original nonce of a sign-to-contract commitment from an s2c_ctx after signing.
+ *  The original nonce is the signature nonce minus the s2c commitment tweak. Together
+ *  with the committed data this is the opening of the commitment.
  *
- *  Returns: 1 if getting the opening was successful, 0 otherwise
- *  Args:    ctx: a secp256k1 context object
- *  Out: opening: pointer to a pubkey object where the opening will be placed  (cannot be NULL)
- *  In:  s2c_ctx: pointer to an s2c context to get the opening from (cannot be NULL)
+ *  Returns: 1 if getting the original nonce was successful, 0 otherwise
+ *  Args:           ctx: a secp256k1 context object
+ *  Out: original_nonce: pointer to a pubkey object where the original nonce will be placed  (cannot be NULL)
+ *  In:         s2c_ctx: pointer to an s2c context to get the original nonce from (cannot be NULL)
  */
-SECP256K1_API int secp256k1_s2c_commit_get_opening(
+SECP256K1_API int secp256k1_s2c_commit_get_original_nonce(
     secp256k1_context *ctx,
-    secp256k1_pubkey *opening,
+    secp256k1_pubkey *original_nonce,
     const secp256k1_s2c_commit_context *s2c_ctx
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 

include/secp256k1_schnorrsig.h

@@ -66,19 +66,19 @@ SECP256K1_API int secp256k1_schnorrsig_parse(
  *  commit-reveal protocol as follows:
  *  1. The host draws the randomness, commits to it with the anti_nonce_sidechan_host_commit
  *     function and sends the commitment to the client.
- *  2. The client commits to its sign-to-contract opening (which is the nonce without the
+ *  2. The client commits to its sign-to-contract original nonce (which is the nonce without the
  *     sign-to-contract tweak) using the hosts commitment by calling the
- *     secp256k1_schnorrsig_anti_nonce_sidechan_client_commit function. The client gets the opening
- *     of the sign-to-contract commitment using secp256k1_s2c_commit_get_opening and sends it to the
- *     host.
+ *     secp256k1_schnorrsig_anti_nonce_sidechan_client_commit function. The client gets the original
+ *     nonce of the sign-to-contract commitment using secp256k1_s2c_commit_get_original_nonce and
+ *     sends it to the host.
  *  3. The host replies with the randomness generated in step 1.
  *  4. The client uses anti_nonce_sidechan_client_setrand to check that the hosts commitment opens
  *     to the provided randomness. If not, it waits until the host sends the correct randomness or
  *     the protocol restarts. If the randomness matches the commitment, the client signs with the
  *     nonce_function_bipschnorr using the s2c context as nonce data and sends the signature and
  *     negated nonce flag to the host.
  *  5. The host checks that the signature contains an sign-to-contract commitment to the randomness
- *     by calling verify_s2c_commit with the opening received in step 2 and the signature and
+ *     by calling verify_s2c_commit with the original nonce received in step 2 and the signature and
  *     negated nonce flag received in step 4. If verification does not succeed, it waits until the
  *     client sends a signature with a correct commitment or the protocol is restarted.
  */
@@ -196,14 +196,14 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch
  *  Args:    ctx: a secp256k1 context object, initialized for verification.
  *  In:      sig: the signature containing the sign-to-contract commitment (cannot be NULL)
  *        data32: the 32-byte data that was committed to (cannot be NULL)
- *       opening: pointer to the opening created when signing (cannot be NULL)
+ *       original_nonce: pointer to the original_nonce created when signing (cannot be NULL)
  * negated_nonce: integer indicating if signing algorithm negated the nonce (can be NULL)
  */
 SECP256K1_API int secp256k1_schnorrsig_verify_s2c_commit(
     const secp256k1_context* ctx,
     const secp256k1_schnorrsig *sig,
     const unsigned char *data32,
-    const secp256k1_pubkey *opening,
+    const secp256k1_pubkey *original_nonce,
     int negated_nonce
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 

src/modules/schnorrsig/main_impl.h

@@ -29,15 +29,15 @@ int secp256k1_schnorrsig_parse(const secp256k1_context* ctx, secp256k1_schnorrsi
     return 1;
 }
 
-int secp256k1_schnorrsig_verify_s2c_commit(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *data32, const secp256k1_pubkey *opening, int negated_nonce) {
+int secp256k1_schnorrsig_verify_s2c_commit(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *data32, const secp256k1_pubkey *original_nonce, int negated_nonce) {
     secp256k1_fe rx;
     secp256k1_ge R;
     secp256k1_pubkey pubnonce;
 
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(sig != NULL);
     ARG_CHECK(data32 != NULL);
-    ARG_CHECK(opening != NULL);
+    ARG_CHECK(original_nonce != NULL);
 
     if (!secp256k1_fe_set_b32(&rx, &sig->data[0])) {
         return 0;
@@ -49,7 +49,7 @@ int secp256k1_schnorrsig_verify_s2c_commit(const secp256k1_context* ctx, const s
         secp256k1_ge_neg(&R, &R);
     }
     secp256k1_pubkey_save(&pubnonce, &R);
-    return secp256k1_ec_commit_verify(ctx, &pubnonce, opening, data32, 32);
+    return secp256k1_ec_commit_verify(ctx, &pubnonce, original_nonce, data32, 32);
 }
 
 int secp256k1_schnorrsig_anti_nonce_sidechan_host_commit(secp256k1_context *ctx, unsigned char *rand_commitment32, const unsigned char *rand32) {
@@ -74,7 +74,7 @@ int secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(secp256k1_context *ct
     ARG_CHECK(seckey32 != NULL);
     ARG_CHECK(rand_commitment32 != NULL);
 
-    memcpy(s2c_ctx->data_commitment, rand_commitment32, 32);
+    memcpy(s2c_ctx->data_hash, rand_commitment32, 32);
     return secp256k1_nonce_function_bipschnorr_no_s2c(ctx, nonce32, msg32, seckey32, NULL, s2c_ctx, 0);
 }
 
@@ -89,7 +89,7 @@ int secp256k1_schnorrsig_anti_nonce_sidechan_client_setrand(secp256k1_context *c
     secp256k1_sha256_initialize(&sha);
     secp256k1_sha256_write(&sha, rand32, 32);
     secp256k1_sha256_finalize(&sha, rand_hash);
-    if (memcmp(rand_hash, s2c_ctx->data_commitment, 32) != 0) {
+    if (memcmp(rand_hash, s2c_ctx->data_hash, 32) != 0) {
         return 0;
     }
     memcpy(s2c_ctx->data, rand32, 32);

src/modules/schnorrsig/tests_impl.h

@@ -710,7 +710,7 @@ void test_schnorrsig_anti_nonce_sidechannel(void) {
     unsigned char rand32[32];
     unsigned char rand_commitment32[32];
     secp256k1_s2c_commit_context s2c_ctx;
-    secp256k1_pubkey s2c_opening;
+    secp256k1_pubkey s2c_original_nonce;
     secp256k1_schnorrsig sig;
     int negated_nonce;
 
@@ -724,15 +724,15 @@ void test_schnorrsig_anti_nonce_sidechannel(void) {
     /* Host sends rand_commitment32 to client. */
     CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_commit(ctx, &s2c_ctx, msg32, key32, rand_commitment32) == 1);
 
-    /* Client sends s2c opening. Host replies with rand32. */
+    /* Client sends s2c original nonce. Host replies with rand32. */
     CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_setrand(ctx, &s2c_ctx, rand32) == 1);
     /* Providing wrong data results in an error. */
     CHECK(secp256k1_schnorrsig_anti_nonce_sidechan_client_setrand(ctx, &s2c_ctx, rand_commitment32) == 0);
-    CHECK(secp256k1_s2c_commit_get_opening(ctx, &s2c_opening, &s2c_ctx) == 1);
+    CHECK(secp256k1_s2c_commit_get_original_nonce(ctx, &s2c_original_nonce, &s2c_ctx) == 1);
     CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &negated_nonce, msg32, key32, NULL, &s2c_ctx) == 1);
 
     /* Client sends signature to host. */
-    CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig, rand32, &s2c_opening, negated_nonce) == 1);
+    CHECK(secp256k1_schnorrsig_verify_s2c_commit(ctx, &sig, rand32, &s2c_original_nonce, negated_nonce) == 1);
 }
 
 void run_schnorrsig_tests(void) {

src/secp256k1.c

@@ -629,7 +629,7 @@ int secp256k1_ec_commit(const secp256k1_context* ctx, secp256k1_pubkey *commitme
 }
 
 /* Compute the seckey of an ec commitment from the original secret key of the pubkey as seckey +
- * hash(pubkey, data)*G. */
+ * hash(pubkey, data). */
 int secp256k1_ec_commit_seckey(const secp256k1_context* ctx, unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *data, size_t n) {
     unsigned char tweak[32];
     secp256k1_pubkey pubkey_tmp;
@@ -696,16 +696,16 @@ int secp256k1_s2c_commit_context_create(secp256k1_context *ctx, secp256k1_s2c_co
     memcpy(s2c_ctx->data, data32, 32);
     secp256k1_sha256_initialize(&sha);
     secp256k1_sha256_write(&sha, data32, 32);
-    secp256k1_sha256_finalize(&sha, s2c_ctx->data_commitment);
+    secp256k1_sha256_finalize(&sha, s2c_ctx->data_hash);
     return 1;
 }
 
-int secp256k1_s2c_commit_get_opening(secp256k1_context *ctx, secp256k1_pubkey *opening, const secp256k1_s2c_commit_context *s2c_ctx) {
+int secp256k1_s2c_commit_get_original_nonce(secp256k1_context *ctx, secp256k1_pubkey *original_nonce, const secp256k1_s2c_commit_context *s2c_ctx) {
     VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(opening != NULL);
+    ARG_CHECK(original_nonce != NULL);
     ARG_CHECK(s2c_ctx != NULL);
 
-    memcpy(opening, &s2c_ctx->original_pubnonce, sizeof(secp256k1_pubkey));
+    memcpy(original_nonce, &s2c_ctx->original_pubnonce, sizeof(secp256k1_pubkey));
     return 1;
 }
 
@@ -729,7 +729,7 @@ static int secp256k1_nonce_function_bipschnorr_no_s2c(const secp256k1_context *c
     } else {
         /* Do a sign-to-contract commitment if data is provided */
         secp256k1_s2c_commit_context *s2c_ctx = (secp256k1_s2c_commit_context *)data;
-        secp256k1_sha256_write(&sha, s2c_ctx->data_commitment, 32);
+        secp256k1_sha256_write(&sha, s2c_ctx->data_hash, 32);
         secp256k1_sha256_finalize(&sha, nonce32);
 
         if (!secp256k1_ec_pubkey_create(ctx, &s2c_ctx->original_pubnonce, nonce32)) {

src/tests.c

@@ -4062,7 +4062,7 @@ void test_nonce_function_bipschnorr_s2c(void) {
     unsigned char data32[32];
     secp256k1_s2c_commit_context s2c_ctx;
     secp256k1_pubkey pubnonce;
-    secp256k1_pubkey opening;
+    secp256k1_pubkey original_nonce;
 
     secp256k1_rand256(msg32);
     secp256k1_rand256(key32);
@@ -4071,9 +4071,9 @@ void test_nonce_function_bipschnorr_s2c(void) {
 
     CHECK(secp256k1_s2c_commit_context_create(ctx, &s2c_ctx, data32) == 1);
     CHECK(secp256k1_nonce_function_bipschnorr(ctx, nonce32, msg32, key32, NULL, &s2c_ctx, 0) == 1);
-    CHECK(secp256k1_s2c_commit_get_opening(ctx, &opening, &s2c_ctx) == 1);
+    CHECK(secp256k1_s2c_commit_get_original_nonce(ctx, &original_nonce, &s2c_ctx) == 1);
     CHECK(secp256k1_ec_pubkey_create(ctx, &pubnonce, nonce32) == 1);
-    CHECK(secp256k1_ec_commit_verify(ctx, &pubnonce, &opening, data32, 32) == 1);
+    CHECK(secp256k1_ec_commit_verify(ctx, &pubnonce, &original_nonce, data32, 32) == 1);
 }
 
 void run_nonce_function_bipschnorr_tests(void) {