aboutsummaryrefslogtreecommitdiff
path: root/vendor/secp256k1/secp256k1_musig.h
diff options
context:
space:
mode:
authorLibravatar vnugent <public@vaughnnugent.com>2024-11-13 22:25:32 -0500
committerLibravatar vnugent <public@vaughnnugent.com>2024-11-13 22:25:32 -0500
commit5cf1addc4a7b70aafda5ad8953f114a206df93cc (patch)
treed478524ea1ed7676f530f2eb26af644024d6aeca /vendor/secp256k1/secp256k1_musig.h
parent0baa4afd4716ad4d6d2f37b9d4af4fc839d16d7c (diff)
integrate mbedtls testing and remove mbedtls fetch
Diffstat (limited to 'vendor/secp256k1/secp256k1_musig.h')
-rw-r--r--vendor/secp256k1/secp256k1_musig.h588
1 files changed, 588 insertions, 0 deletions
diff --git a/vendor/secp256k1/secp256k1_musig.h b/vendor/secp256k1/secp256k1_musig.h
new file mode 100644
index 0000000..11b8f08
--- /dev/null
+++ b/vendor/secp256k1/secp256k1_musig.h
@@ -0,0 +1,588 @@
+#ifndef SECP256K1_MUSIG_H
+#define SECP256K1_MUSIG_H
+
+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/** This module implements BIP 327 "MuSig2 for BIP340-compatible
+ * Multi-Signatures"
+ * (https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki)
+ * v1.0.0. You can find an example demonstrating the musig module in
+ * examples/musig.c.
+ *
+ * The module also supports BIP 341 ("Taproot") public key tweaking.
+ *
+ * It is recommended to read the documentation in this include file carefully.
+ * Further notes on API usage can be found in doc/musig.md
+ *
+ * Since the first version of MuSig is essentially replaced by MuSig2, we use
+ * MuSig, musig and MuSig2 synonymously unless noted otherwise.
+ */
+
+/** Opaque data structures
+ *
+ * The exact representation of data inside the opaque data structures is
+ * implementation defined and not guaranteed to be portable between different
+ * platforms or versions. With the exception of `secp256k1_musig_secnonce`, the
+ * data structures can be safely copied/moved. If you need to convert to a
+ * format suitable for storage, transmission, or comparison, use the
+ * corresponding serialization and parsing functions.
+ */
+
+/** Opaque data structure that caches information about public key aggregation.
+ *
+ * Guaranteed to be 197 bytes in size. No serialization and parsing functions
+ * (yet).
+ */
+typedef struct secp256k1_musig_keyagg_cache {
+ unsigned char data[197];
+} secp256k1_musig_keyagg_cache;
+
+/** Opaque data structure that holds a signer's _secret_ nonce.
+ *
+ * Guaranteed to be 132 bytes in size.
+ *
+ * WARNING: This structure MUST NOT be copied or read or written to directly. A
+ * signer who is online throughout the whole process and can keep this
+ * structure in memory can use the provided API functions for a safe standard
+ * workflow.
+ *
+ * Copying this data structure can result in nonce reuse which will leak the
+ * secret signing key.
+ */
+typedef struct secp256k1_musig_secnonce {
+ unsigned char data[132];
+} secp256k1_musig_secnonce;
+
+/** Opaque data structure that holds a signer's public nonce.
+ *
+ * Guaranteed to be 132 bytes in size. Serialized and parsed with
+ * `musig_pubnonce_serialize` and `musig_pubnonce_parse`.
+ */
+typedef struct secp256k1_musig_pubnonce {
+ unsigned char data[132];
+} secp256k1_musig_pubnonce;
+
+/** Opaque data structure that holds an aggregate public nonce.
+ *
+ * Guaranteed to be 132 bytes in size. Serialized and parsed with
+ * `musig_aggnonce_serialize` and `musig_aggnonce_parse`.
+ */
+typedef struct secp256k1_musig_aggnonce {
+ unsigned char data[132];
+} secp256k1_musig_aggnonce;
+
+/** Opaque data structure that holds a MuSig session.
+ *
+ * This structure is not required to be kept secret for the signing protocol to
+ * be secure. Guaranteed to be 133 bytes in size. No serialization and parsing
+ * functions (yet).
+ */
+typedef struct secp256k1_musig_session {
+ unsigned char data[133];
+} secp256k1_musig_session;
+
+/** Opaque data structure that holds a partial MuSig signature.
+ *
+ * Guaranteed to be 36 bytes in size. Serialized and parsed with
+ * `musig_partial_sig_serialize` and `musig_partial_sig_parse`.
+ */
+typedef struct secp256k1_musig_partial_sig {
+ unsigned char data[36];
+} secp256k1_musig_partial_sig;
+
+/** Parse a signer's public nonce.
+ *
+ * Returns: 1 when the nonce could be parsed, 0 otherwise.
+ * Args: ctx: pointer to a context object
+ * Out: nonce: pointer to a nonce object
+ * In: in66: pointer to the 66-byte nonce to be parsed
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(
+ const secp256k1_context *ctx,
+ secp256k1_musig_pubnonce *nonce,
+ const unsigned char *in66
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a signer's public nonce
+ *
+ * Returns: 1 always
+ * Args: ctx: pointer to a context object
+ * Out: out66: pointer to a 66-byte array to store the serialized nonce
+ * In: nonce: pointer to the nonce
+ */
+SECP256K1_API int secp256k1_musig_pubnonce_serialize(
+ const secp256k1_context *ctx,
+ unsigned char *out66,
+ const secp256k1_musig_pubnonce *nonce
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Parse an aggregate public nonce.
+ *
+ * Returns: 1 when the nonce could be parsed, 0 otherwise.
+ * Args: ctx: pointer to a context object
+ * Out: nonce: pointer to a nonce object
+ * In: in66: pointer to the 66-byte nonce to be parsed
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(
+ const secp256k1_context *ctx,
+ secp256k1_musig_aggnonce *nonce,
+ const unsigned char *in66
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize an aggregate public nonce
+ *
+ * Returns: 1 always
+ * Args: ctx: pointer to a context object
+ * Out: out66: pointer to a 66-byte array to store the serialized nonce
+ * In: nonce: pointer to the nonce
+ */
+SECP256K1_API int secp256k1_musig_aggnonce_serialize(
+ const secp256k1_context *ctx,
+ unsigned char *out66,
+ const secp256k1_musig_aggnonce *nonce
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Parse a MuSig partial signature.
+ *
+ * Returns: 1 when the signature could be parsed, 0 otherwise.
+ * Args: ctx: pointer to a context object
+ * Out: sig: pointer to a signature object
+ * In: in32: pointer to the 32-byte signature to be parsed
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(
+ const secp256k1_context *ctx,
+ secp256k1_musig_partial_sig *sig,
+ const unsigned char *in32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a MuSig partial signature
+ *
+ * Returns: 1 always
+ * Args: ctx: pointer to a context object
+ * Out: out32: pointer to a 32-byte array to store the serialized signature
+ * In: sig: pointer to the signature
+ */
+SECP256K1_API int secp256k1_musig_partial_sig_serialize(
+ const secp256k1_context *ctx,
+ unsigned char *out32,
+ const secp256k1_musig_partial_sig *sig
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Computes an aggregate public key and uses it to initialize a keyagg_cache
+ *
+ * Different orders of `pubkeys` result in different `agg_pk`s.
+ *
+ * Before aggregating, the pubkeys can be sorted with `secp256k1_ec_pubkey_sort`
+ * which ensures the same `agg_pk` result for the same multiset of pubkeys.
+ * This is useful to do before `pubkey_agg`, such that the order of pubkeys
+ * does not affect the aggregate public key.
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: agg_pk: the MuSig-aggregated x-only public key. If you do not need it,
+ * this arg can be NULL.
+ * keyagg_cache: if non-NULL, pointer to a musig_keyagg_cache struct that
+ * is required for signing (or observing the signing session
+ * and verifying partial signatures).
+ * In: pubkeys: input array of pointers to public keys to aggregate. The order
+ * is important; a different order will result in a different
+ * aggregate public key.
+ * n_pubkeys: length of pubkeys array. Must be greater than 0.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(
+ const secp256k1_context *ctx,
+ secp256k1_xonly_pubkey *agg_pk,
+ secp256k1_musig_keyagg_cache *keyagg_cache,
+ const secp256k1_pubkey * const *pubkeys,
+ size_t n_pubkeys
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4);
+
+/** Obtain the aggregate public key from a keyagg_cache.
+ *
+ * This is only useful if you need the non-xonly public key, in particular for
+ * plain (non-xonly) tweaking or batch-verifying multiple key aggregations
+ * (not implemented).
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: agg_pk: the MuSig-aggregated public key.
+ * In: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ * `musig_pubkey_agg`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(
+ const secp256k1_context *ctx,
+ secp256k1_pubkey *agg_pk,
+ const secp256k1_musig_keyagg_cache *keyagg_cache
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding
+ * the generator multiplied with `tweak32` to it. This is useful for deriving
+ * child keys from an aggregate public key via BIP 32 where `tweak32` is set to
+ * a hash as defined in BIP 32.
+ *
+ * Callers are responsible for deriving `tweak32` in a way that does not reduce
+ * the security of MuSig (for example, by following BIP 32).
+ *
+ * The tweaking method is the same as `secp256k1_ec_pubkey_tweak_add`. So after
+ * the following pseudocode buf and buf2 have identical contents (absent
+ * earlier failures).
+ *
+ * secp256k1_musig_pubkey_agg(..., keyagg_cache, pubkeys, ...)
+ * secp256k1_musig_pubkey_get(..., agg_pk, keyagg_cache)
+ * secp256k1_musig_pubkey_ec_tweak_add(..., output_pk, tweak32, keyagg_cache)
+ * secp256k1_ec_pubkey_serialize(..., buf, ..., output_pk, ...)
+ * secp256k1_ec_pubkey_tweak_add(..., agg_pk, tweak32)
+ * secp256k1_ec_pubkey_serialize(..., buf2, ..., agg_pk, ...)
+ *
+ * This function is required if you want to _sign_ for a tweaked aggregate key.
+ * If you are only computing a public key but not intending to create a
+ * signature for it, use `secp256k1_ec_pubkey_tweak_add` instead.
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: output_pubkey: pointer to a public key to store the result. Will be set
+ * to an invalid value if this function returns 0. If you
+ * do not need it, this arg can be NULL.
+ * In/Out: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ * `musig_pubkey_agg`
+ * In: tweak32: pointer to a 32-byte tweak. The tweak is valid if it passes
+ * `secp256k1_ec_seckey_verify` and is not equal to the
+ * secret key corresponding to the public key represented
+ * by keyagg_cache or its negation. For uniformly random
+ * 32-byte arrays the chance of being invalid is
+ * negligible (around 1 in 2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(
+ const secp256k1_context *ctx,
+ secp256k1_pubkey *output_pubkey,
+ secp256k1_musig_keyagg_cache *keyagg_cache,
+ const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Apply x-only tweaking to a public key in a given keyagg_cache by adding the
+ * generator multiplied with `tweak32` to it. This is useful for creating
+ * Taproot outputs where `tweak32` is set to a TapTweak hash as defined in BIP
+ * 341.
+ *
+ * Callers are responsible for deriving `tweak32` in a way that does not reduce
+ * the security of MuSig (for example, by following Taproot BIP 341).
+ *
+ * The tweaking method is the same as `secp256k1_xonly_pubkey_tweak_add`. So in
+ * the following pseudocode xonly_pubkey_tweak_add_check (absent earlier
+ * failures) returns 1.
+ *
+ * secp256k1_musig_pubkey_agg(..., agg_pk, keyagg_cache, pubkeys, ...)
+ * secp256k1_musig_pubkey_xonly_tweak_add(..., output_pk, keyagg_cache, tweak32)
+ * secp256k1_xonly_pubkey_serialize(..., buf, output_pk)
+ * secp256k1_xonly_pubkey_tweak_add_check(..., buf, ..., agg_pk, tweak32)
+ *
+ * This function is required if you want to _sign_ for a tweaked aggregate key.
+ * If you are only computing a public key but not intending to create a
+ * signature for it, use `secp256k1_xonly_pubkey_tweak_add` instead.
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: output_pubkey: pointer to a public key to store the result. Will be set
+ * to an invalid value if this function returns 0. If you
+ * do not need it, this arg can be NULL.
+ * In/Out: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ * `musig_pubkey_agg`
+ * In: tweak32: pointer to a 32-byte tweak. The tweak is valid if it passes
+ * `secp256k1_ec_seckey_verify` and is not equal to the
+ * secret key corresponding to the public key represented
+ * by keyagg_cache or its negation. For uniformly random
+ * 32-byte arrays the chance of being invalid is
+ * negligible (around 1 in 2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(
+ const secp256k1_context *ctx,
+ secp256k1_pubkey *output_pubkey,
+ secp256k1_musig_keyagg_cache *keyagg_cache,
+ const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Starts a signing session by generating a nonce
+ *
+ * This function outputs a secret nonce that will be required for signing and a
+ * corresponding public nonce that is intended to be sent to other signers.
+ *
+ * MuSig differs from regular Schnorr signing in that implementers _must_ take
+ * special care to not reuse a nonce. This can be ensured by following these rules:
+ *
+ * 1. Each call to this function must have a UNIQUE session_secrand32 that must
+ * NOT BE REUSED in subsequent calls to this function and must be KEPT
+ * SECRET (even from other signers).
+ * 2. If you already know the seckey, message or aggregate public key
+ * cache, they can be optionally provided to derive the nonce and increase
+ * misuse-resistance. The extra_input32 argument can be used to provide
+ * additional data that does not repeat in normal scenarios, such as the
+ * current time.
+ * 3. Avoid copying (or serializing) the secnonce. This reduces the possibility
+ * that it is used more than once for signing.
+ *
+ * If you don't have access to good randomness for session_secrand32, but you
+ * have access to a non-repeating counter, then see
+ * secp256k1_musig_nonce_gen_counter.
+ *
+ * Remember that nonce reuse will leak the secret key!
+ * Note that using the same seckey for multiple MuSig sessions is fine.
+ *
+ * Returns: 0 if the arguments are invalid and 1 otherwise
+ * Args: ctx: pointer to a context object (not secp256k1_context_static)
+ * Out: secnonce: pointer to a structure to store the secret nonce
+ * pubnonce: pointer to a structure to store the public nonce
+ * In/Out:
+ * session_secrand32: a 32-byte session_secrand32 as explained above. Must be unique to this
+ * call to secp256k1_musig_nonce_gen and must be uniformly
+ * random. If the function call is successful, the
+ * session_secrand32 buffer is invalidated to prevent reuse.
+ * In:
+ * seckey: the 32-byte secret key that will later be used for signing, if
+ * already known (can be NULL)
+ * pubkey: public key of the signer creating the nonce. The secnonce
+ * output of this function cannot be used to sign for any
+ * other public key. While the public key should correspond
+ * to the provided seckey, a mismatch will not cause the
+ * function to return 0.
+ * msg32: the 32-byte message that will later be signed, if already known
+ * (can be NULL)
+ * keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate
+ * (and potentially tweaked) public key if already known
+ * (can be NULL)
+ * extra_input32: an optional 32-byte array that is input to the nonce
+ * derivation function (can be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(
+ const secp256k1_context *ctx,
+ secp256k1_musig_secnonce *secnonce,
+ secp256k1_musig_pubnonce *pubnonce,
+ unsigned char *session_secrand32,
+ const unsigned char *seckey,
+ const secp256k1_pubkey *pubkey,
+ const unsigned char *msg32,
+ const secp256k1_musig_keyagg_cache *keyagg_cache,
+ const unsigned char *extra_input32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6);
+
+
+/** Alternative way to generate a nonce and start a signing session
+ *
+ * This function outputs a secret nonce that will be required for signing and a
+ * corresponding public nonce that is intended to be sent to other signers.
+ *
+ * This function differs from `secp256k1_musig_nonce_gen` by accepting a
+ * non-repeating counter value instead of a secret random value. This requires
+ * that a secret key is provided to `secp256k1_musig_nonce_gen_counter`
+ * (through the keypair argument), as opposed to `secp256k1_musig_nonce_gen`
+ * where the seckey argument is optional.
+ *
+ * MuSig differs from regular Schnorr signing in that implementers _must_ take
+ * special care to not reuse a nonce. This can be ensured by following these rules:
+ *
+ * 1. The nonrepeating_cnt argument must be a counter value that never repeats,
+ * i.e., you must never call `secp256k1_musig_nonce_gen_counter` twice with
+ * the same keypair and nonrepeating_cnt value. For example, this implies
+ * that if the same keypair is used with `secp256k1_musig_nonce_gen_counter`
+ * on multiple devices, none of the devices should have the same counter
+ * value as any other device.
+ * 2. If the seckey, message or aggregate public key cache is already available
+ * at this stage, any of these can be optionally provided, in which case
+ * they will be used in the derivation of the nonce and increase
+ * misuse-resistance. The extra_input32 argument can be used to provide
+ * additional data that does not repeat in normal scenarios, such as the
+ * current time.
+ * 3. Avoid copying (or serializing) the secnonce. This reduces the possibility
+ * that it is used more than once for signing.
+ *
+ * Remember that nonce reuse will leak the secret key!
+ * Note that using the same keypair for multiple MuSig sessions is fine.
+ *
+ * Returns: 0 if the arguments are invalid and 1 otherwise
+ * Args: ctx: pointer to a context object (not secp256k1_context_static)
+ * Out: secnonce: pointer to a structure to store the secret nonce
+ * pubnonce: pointer to a structure to store the public nonce
+ * In:
+ * nonrepeating_cnt: the value of a counter as explained above. Must be
+ * unique to this call to secp256k1_musig_nonce_gen.
+ * keypair: keypair of the signer creating the nonce. The secnonce
+ * output of this function cannot be used to sign for any
+ * other keypair.
+ * msg32: the 32-byte message that will later be signed, if already known
+ * (can be NULL)
+ * keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate
+ * (and potentially tweaked) public key if already known
+ * (can be NULL)
+ * extra_input32: an optional 32-byte array that is input to the nonce
+ * derivation function (can be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(
+ const secp256k1_context *ctx,
+ secp256k1_musig_secnonce *secnonce,
+ secp256k1_musig_pubnonce *pubnonce,
+ uint64_t nonrepeating_cnt,
+ const secp256k1_keypair *keypair,
+ const unsigned char *msg32,
+ const secp256k1_musig_keyagg_cache *keyagg_cache,
+ const unsigned char *extra_input32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+
+/** Aggregates the nonces of all signers into a single nonce
+ *
+ * This can be done by an untrusted party to reduce the communication
+ * between signers. Instead of everyone sending nonces to everyone else, there
+ * can be one party receiving all nonces, aggregating the nonces with this
+ * function and then sending only the aggregate nonce back to the signers.
+ *
+ * If the aggregator does not compute the aggregate nonce correctly, the final
+ * signature will be invalid.
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: aggnonce: pointer to an aggregate public nonce object for
+ * musig_nonce_process
+ * In: pubnonces: array of pointers to public nonces sent by the
+ * signers
+ * n_pubnonces: number of elements in the pubnonces array. Must be
+ * greater than 0.
+ */
+SECP256K1_API int secp256k1_musig_nonce_agg(
+ const secp256k1_context *ctx,
+ secp256k1_musig_aggnonce *aggnonce,
+ const secp256k1_musig_pubnonce * const *pubnonces,
+ size_t n_pubnonces
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Takes the aggregate nonce and creates a session that is required for signing
+ * and verification of partial signatures.
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: session: pointer to a struct to store the session
+ * In: aggnonce: pointer to an aggregate public nonce object that is the
+ * output of musig_nonce_agg
+ * msg32: the 32-byte message to sign
+ * keyagg_cache: pointer to the keyagg_cache that was used to create the
+ * aggregate (and potentially tweaked) pubkey
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(
+ const secp256k1_context *ctx,
+ secp256k1_musig_session *session,
+ const secp256k1_musig_aggnonce *aggnonce,
+ const unsigned char *msg32,
+ const secp256k1_musig_keyagg_cache *keyagg_cache
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Produces a partial signature
+ *
+ * This function overwrites the given secnonce with zeros and will abort if given a
+ * secnonce that is all zeros. This is a best effort attempt to protect against nonce
+ * reuse. However, this is of course easily defeated if the secnonce has been
+ * copied (or serialized). Remember that nonce reuse will leak the secret key!
+ *
+ * For signing to succeed, the secnonce provided to this function must have
+ * been generated for the provided keypair. This means that when signing for a
+ * keypair consisting of a seckey and pubkey, the secnonce must have been
+ * created by calling musig_nonce_gen with that pubkey. Otherwise, the
+ * illegal_callback is called.
+ *
+ * This function does not verify the output partial signature, deviating from
+ * the BIP 327 specification. It is recommended to verify the output partial
+ * signature with `secp256k1_musig_partial_sig_verify` to prevent random or
+ * adversarially provoked computation errors.
+ *
+ * Returns: 0 if the arguments are invalid or the provided secnonce has already
+ * been used for signing, 1 otherwise
+ * Args: ctx: pointer to a context object
+ * Out: partial_sig: pointer to struct to store the partial signature
+ * In/Out: secnonce: pointer to the secnonce struct created in
+ * musig_nonce_gen that has been never used in a
+ * partial_sign call before and has been created for the
+ * keypair
+ * In: keypair: pointer to keypair to sign the message with
+ * keyagg_cache: pointer to the keyagg_cache that was output when the
+ * aggregate public key for this session
+ * session: pointer to the session that was created with
+ * musig_nonce_process
+ */
+SECP256K1_API int secp256k1_musig_partial_sign(
+ const secp256k1_context *ctx,
+ secp256k1_musig_partial_sig *partial_sig,
+ secp256k1_musig_secnonce *secnonce,
+ const secp256k1_keypair *keypair,
+ const secp256k1_musig_keyagg_cache *keyagg_cache,
+ const secp256k1_musig_session *session
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+/** Verifies an individual signer's partial signature
+ *
+ * The signature is verified for a specific signing session. In order to avoid
+ * accidentally verifying a signature from a different or non-existing signing
+ * session, you must ensure the following:
+ * 1. The `keyagg_cache` argument is identical to the one used to create the
+ * `session` with `musig_nonce_process`.
+ * 2. The `pubkey` argument must be identical to the one sent by the signer
+ * before aggregating it with `musig_pubkey_agg` to create the
+ * `keyagg_cache`.
+ * 3. The `pubnonce` argument must be identical to the one sent by the signer
+ * before aggregating it with `musig_nonce_agg` and using the result to
+ * create the `session` with `musig_nonce_process`.
+ *
+ * It is not required to call this function in regular MuSig sessions, because
+ * if any partial signature does not verify, the final signature will not
+ * verify either, so the problem will be caught. However, this function
+ * provides the ability to identify which specific partial signature fails
+ * verification.
+ *
+ * Returns: 0 if the arguments are invalid or the partial signature does not
+ * verify, 1 otherwise
+ * Args ctx: pointer to a context object
+ * In: partial_sig: pointer to partial signature to verify, sent by
+ * the signer associated with `pubnonce` and `pubkey`
+ * pubnonce: public nonce of the signer in the signing session
+ * pubkey: public key of the signer in the signing session
+ * keyagg_cache: pointer to the keyagg_cache that was output when the
+ * aggregate public key for this signing session
+ * session: pointer to the session that was created with
+ * `musig_nonce_process`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(
+ const secp256k1_context *ctx,
+ const secp256k1_musig_partial_sig *partial_sig,
+ const secp256k1_musig_pubnonce *pubnonce,
+ const secp256k1_pubkey *pubkey,
+ const secp256k1_musig_keyagg_cache *keyagg_cache,
+ const secp256k1_musig_session *session
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+/** Aggregates partial signatures
+ *
+ * Returns: 0 if the arguments are invalid, 1 otherwise (which does NOT mean
+ * the resulting signature verifies).
+ * Args: ctx: pointer to a context object
+ * Out: sig64: complete (but possibly invalid) Schnorr signature
+ * In: session: pointer to the session that was created with
+ * musig_nonce_process
+ * partial_sigs: array of pointers to partial signatures to aggregate
+ * n_sigs: number of elements in the partial_sigs array. Must be
+ * greater than 0.
+ */
+SECP256K1_API int secp256k1_musig_partial_sig_agg(
+ const secp256k1_context *ctx,
+ unsigned char *sig64,
+ const secp256k1_musig_session *session,
+ const secp256k1_musig_partial_sig * const *partial_sigs,
+ size_t n_sigs
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif