update libsecp256k1 to v0.6.0

6 files changed, 619 insertions, 52 deletions

diff --git a/vendor/secp256k1/include/secp256k1/secp256k1.h b/vendor/secp256k1/include/secp256k1/secp256k1.h
index cfbdd52..c6e9417 100644
--- a/vendor/secp256k1/include/secp256k1/secp256k1.h
+++ b/vendor/secp256k1/include/secp256k1/secp256k1.h
@@ -49,19 +49,6 @@ extern "C" {
  */
 typedef struct secp256k1_context_struct secp256k1_context;
 
-/** Opaque data structure that holds rewritable "scratch space"
- *
- *  The purpose of this structure is to replace dynamic memory allocations,
- *  because we target architectures where this may not be available. It is
- *  essentially a resizable (within specified parameters) block of bytes,
- *  which is initially created either by memory allocation or TODO as a pointer
- *  into some fixed rewritable space.
- *
- *  Unlike the context object, this cannot safely be shared between threads
- *  without additional synchronization logic.
- */
-typedef struct secp256k1_scratch_space_struct secp256k1_scratch_space;
-
 /** Opaque data structure that holds a parsed and valid public key.
  *
  *  The exact representation of data inside is implementation defined and not
@@ -71,11 +58,11 @@ typedef struct secp256k1_scratch_space_struct secp256k1_scratch_space;
  *  use secp256k1_ec_pubkey_serialize and secp256k1_ec_pubkey_parse. To
  *  compare keys, use secp256k1_ec_pubkey_cmp.
  */
-typedef struct {
+typedef struct secp256k1_pubkey {
     unsigned char data[64];
 } secp256k1_pubkey;
 
-/** Opaque data structured that holds a parsed ECDSA signature.
+/** Opaque data structure that holds a parsed ECDSA signature.
  *
  *  The exact representation of data inside is implementation defined and not
  *  guaranteed to be portable between different platforms or versions. It is
@@ -84,7 +71,7 @@ typedef struct {
  *  comparison, use the secp256k1_ecdsa_signature_serialize_* and
  *  secp256k1_ecdsa_signature_parse_* functions.
  */
-typedef struct {
+typedef struct secp256k1_ecdsa_signature {
     unsigned char data[64];
 } secp256k1_ecdsa_signature;
 
@@ -147,6 +134,15 @@ typedef int (*secp256k1_nonce_function)(
      * 1. If using Libtool, it defines DLL_EXPORT automatically.
      * 2. In other cases, SECP256K1_DLL_EXPORT must be defined. */
 #   define SECP256K1_API extern __declspec (dllexport)
+#  else
+    /* Building libsecp256k1 as a static library on Windows.
+     * No declspec is needed, and so we would want the non-Windows-specific
+     * logic below take care of this case. However, this may result in setting
+     * __attribute__ ((visibility("default"))), which is supposed to be a noop
+     * on Windows but may trigger warnings when compiling with -flto due to a
+     * bug in GCC, see
+     * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116478 . */
+#   define SECP256K1_API extern
 #  endif
   /* The user must define SECP256K1_STATIC when consuming libsecp256k1 as a static
    * library on Windows. */
@@ -156,11 +152,12 @@ typedef int (*secp256k1_nonce_function)(
 # endif
 #endif
 #ifndef SECP256K1_API
+/* All cases not captured by the Windows-specific logic. */
 # if defined(__GNUC__) && (__GNUC__ >= 4) && defined(SECP256K1_BUILD)
-   /* Building libsecp256k1 on non-Windows using GCC or compatible. */
+   /* Building libsecp256k1 using GCC or compatible. */
 #  define SECP256K1_API extern __attribute__ ((visibility ("default")))
 # else
-   /* All cases not captured above. */
+   /* Fall back to standard C's extern. */
 #  define SECP256K1_API extern
 # endif
 #endif
@@ -392,29 +389,6 @@ SECP256K1_API void secp256k1_context_set_error_callback(
     const void *data
 ) SECP256K1_ARG_NONNULL(1);
 
-/** Create a secp256k1 scratch space object.
- *
- *  Returns: a newly created scratch space.
- *  Args: ctx:  pointer to a context object.
- *  In:   size: amount of memory to be available as scratch space. Some extra
- *              (<100 bytes) will be allocated for extra accounting.
- */
-SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space *secp256k1_scratch_space_create(
-    const secp256k1_context *ctx,
-    size_t size
-) SECP256K1_ARG_NONNULL(1);
-
-/** Destroy a secp256k1 scratch space.
- *
- *  The pointer may not be used afterwards.
- *  Args:       ctx: pointer to a context object.
- *          scratch: space to destroy
- */
-SECP256K1_API void secp256k1_scratch_space_destroy(
-    const secp256k1_context *ctx,
-    secp256k1_scratch_space *scratch
-) SECP256K1_ARG_NONNULL(1);
-
 /** Parse a variable-length public key into the pubkey object.
  *
  *  Returns: 1 if the public key was fully valid.
@@ -679,12 +653,14 @@ SECP256K1_API int secp256k1_ecdsa_sign(
     const void *ndata
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
-/** Verify an ECDSA secret key.
+/** Verify an elliptic curve secret key.
  *
  *  A secret key is valid if it is not 0 and less than the secp256k1 curve order
  *  when interpreted as an integer (most significant byte first). The
  *  probability of choosing a 32-byte string uniformly at random which is an
- *  invalid secret key is negligible.
+ *  invalid secret key is negligible. However, if it does happen it should
+ *  be assumed that the randomness source is severely broken and there should
+ *  be no retry.
  *
  *  Returns: 1: secret key is valid
  *           0: secret key is invalid
diff --git a/vendor/secp256k1/include/secp256k1/secp256k1_ellswift.h b/vendor/secp256k1/include/secp256k1/secp256k1_ellswift.h
index ae37287..0d1293e 100644
--- a/vendor/secp256k1/include/secp256k1/secp256k1_ellswift.h
+++ b/vendor/secp256k1/include/secp256k1/secp256k1_ellswift.h
@@ -35,7 +35,7 @@ extern "C" {
  *
  * If the Y coordinate is relevant, it is given the same parity as t.
  *
- * Changes w.r.t. the the paper:
+ * Changes w.r.t. the paper:
  * - The u=0, t=0, and u^3+t^2+7=0 conditions result in decoding to the point
  *   at infinity in the paper. Here they are remapped to finite points.
  * - The paper uses an additional encoding bit for the parity of y. Here the
diff --git a/vendor/secp256k1/include/secp256k1/secp256k1_extrakeys.h b/vendor/secp256k1/include/secp256k1/secp256k1_extrakeys.h
index ad70b92..48c9869 100644
--- a/vendor/secp256k1/include/secp256k1/secp256k1_extrakeys.h
+++ b/vendor/secp256k1/include/secp256k1/secp256k1_extrakeys.h
@@ -19,7 +19,7 @@ extern "C" {
  *  use secp256k1_xonly_pubkey_serialize and secp256k1_xonly_pubkey_parse. To
  *  compare keys, use secp256k1_xonly_pubkey_cmp.
  */
-typedef struct {
+typedef struct secp256k1_xonly_pubkey {
     unsigned char data[64];
 } secp256k1_xonly_pubkey;
 
@@ -30,7 +30,7 @@ typedef struct {
  *  guaranteed to be portable between different platforms or versions. It is
  *  however guaranteed to be 96 bytes in size, and can be safely copied/moved.
  */
-typedef struct {
+typedef struct secp256k1_keypair {
     unsigned char data[96];
 } secp256k1_keypair;
 
@@ -155,10 +155,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_
     const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
-/** Compute the keypair for a secret key.
+/** Compute the keypair for a valid secret key.
  *
- *  Returns: 1: secret was valid, keypair is ready to use
- *           0: secret was invalid, try again with a different secret
+ *  See the documentation of `secp256k1_ec_seckey_verify` for more information
+ *  about the validity of secret keys.
+ *
+ *  Returns: 1: secret key is valid
+ *           0: secret key is invalid
  *  Args:    ctx: pointer to a context object (not secp256k1_context_static).
  *  Out: keypair: pointer to the created keypair.
  *  In:   seckey: pointer to a 32-byte secret key.
diff --git a/vendor/secp256k1/include/secp256k1/secp256k1_musig.h b/vendor/secp256k1/include/secp256k1/secp256k1_musig.h
new file mode 100644
index 0000000..11b8f08
--- /dev/null
+++ b/vendor/secp256k1/include/secp256k1/secp256k1_musig.h
@@ -0,0 +1,588 @@
+#ifndef SECP256K1_MUSIG_H
+#define SECP256K1_MUSIG_H
+
+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/** This module implements BIP 327 "MuSig2 for BIP340-compatible
+ *  Multi-Signatures"
+ *  (https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki)
+ *  v1.0.0. You can find an example demonstrating the musig module in
+ *  examples/musig.c.
+ *
+ *  The module also supports BIP 341 ("Taproot") public key tweaking.
+ *
+ *  It is recommended to read the documentation in this include file carefully.
+ *  Further notes on API usage can be found in doc/musig.md
+ *
+ *  Since the first version of MuSig is essentially replaced by MuSig2, we use
+ *  MuSig, musig and MuSig2 synonymously unless noted otherwise.
+ */
+
+/** Opaque data structures
+ *
+ *  The exact representation of data inside the opaque data structures is
+ *  implementation defined and not guaranteed to be portable between different
+ *  platforms or versions. With the exception of `secp256k1_musig_secnonce`, the
+ *  data structures can be safely copied/moved. If you need to convert to a
+ *  format suitable for storage, transmission, or comparison, use the
+ *  corresponding serialization and parsing functions.
+ */
+
+/** Opaque data structure that caches information about public key aggregation.
+ *
+ *  Guaranteed to be 197 bytes in size. No serialization and parsing functions
+ *  (yet).
+ */
+typedef struct secp256k1_musig_keyagg_cache {
+    unsigned char data[197];
+} secp256k1_musig_keyagg_cache;
+
+/** Opaque data structure that holds a signer's _secret_ nonce.
+ *
+ *  Guaranteed to be 132 bytes in size.
+ *
+ *  WARNING: This structure MUST NOT be copied or read or written to directly. A
+ *  signer who is online throughout the whole process and can keep this
+ *  structure in memory can use the provided API functions for a safe standard
+ *  workflow.
+ *
+ *  Copying this data structure can result in nonce reuse which will leak the
+ *  secret signing key.
+ */
+typedef struct secp256k1_musig_secnonce {
+    unsigned char data[132];
+} secp256k1_musig_secnonce;
+
+/** Opaque data structure that holds a signer's public nonce.
+ *
+ *  Guaranteed to be 132 bytes in size. Serialized and parsed with
+ *  `musig_pubnonce_serialize` and `musig_pubnonce_parse`.
+ */
+typedef struct secp256k1_musig_pubnonce {
+    unsigned char data[132];
+} secp256k1_musig_pubnonce;
+
+/** Opaque data structure that holds an aggregate public nonce.
+ *
+ *  Guaranteed to be 132 bytes in size. Serialized and parsed with
+ *  `musig_aggnonce_serialize` and `musig_aggnonce_parse`.
+ */
+typedef struct secp256k1_musig_aggnonce {
+    unsigned char data[132];
+} secp256k1_musig_aggnonce;
+
+/** Opaque data structure that holds a MuSig session.
+ *
+ *  This structure is not required to be kept secret for the signing protocol to
+ *  be secure. Guaranteed to be 133 bytes in size. No serialization and parsing
+ *  functions (yet).
+ */
+typedef struct secp256k1_musig_session {
+    unsigned char data[133];
+} secp256k1_musig_session;
+
+/** Opaque data structure that holds a partial MuSig signature.
+ *
+ *  Guaranteed to be 36 bytes in size. Serialized and parsed with
+ *  `musig_partial_sig_serialize` and `musig_partial_sig_parse`.
+ */
+typedef struct secp256k1_musig_partial_sig {
+    unsigned char data[36];
+} secp256k1_musig_partial_sig;
+
+/** Parse a signer's public nonce.
+ *
+ *  Returns: 1 when the nonce could be parsed, 0 otherwise.
+ *  Args:    ctx: pointer to a context object
+ *  Out:   nonce: pointer to a nonce object
+ *  In:     in66: pointer to the 66-byte nonce to be parsed
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(
+    const secp256k1_context *ctx,
+    secp256k1_musig_pubnonce *nonce,
+    const unsigned char *in66
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a signer's public nonce
+ *
+ *  Returns: 1 always
+ *  Args:    ctx: pointer to a context object
+ *  Out:   out66: pointer to a 66-byte array to store the serialized nonce
+ *  In:    nonce: pointer to the nonce
+ */
+SECP256K1_API int secp256k1_musig_pubnonce_serialize(
+    const secp256k1_context *ctx,
+    unsigned char *out66,
+    const secp256k1_musig_pubnonce *nonce
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Parse an aggregate public nonce.
+ *
+ *  Returns: 1 when the nonce could be parsed, 0 otherwise.
+ *  Args:    ctx: pointer to a context object
+ *  Out:   nonce: pointer to a nonce object
+ *  In:     in66: pointer to the 66-byte nonce to be parsed
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(
+    const secp256k1_context *ctx,
+    secp256k1_musig_aggnonce *nonce,
+    const unsigned char *in66
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize an aggregate public nonce
+ *
+ *  Returns: 1 always
+ *  Args:    ctx: pointer to a context object
+ *  Out:   out66: pointer to a 66-byte array to store the serialized nonce
+ *  In:    nonce: pointer to the nonce
+ */
+SECP256K1_API int secp256k1_musig_aggnonce_serialize(
+    const secp256k1_context *ctx,
+    unsigned char *out66,
+    const secp256k1_musig_aggnonce *nonce
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Parse a MuSig partial signature.
+ *
+ *  Returns: 1 when the signature could be parsed, 0 otherwise.
+ *  Args:    ctx: pointer to a context object
+ *  Out:     sig: pointer to a signature object
+ *  In:     in32: pointer to the 32-byte signature to be parsed
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(
+    const secp256k1_context *ctx,
+    secp256k1_musig_partial_sig *sig,
+    const unsigned char *in32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a MuSig partial signature
+ *
+ *  Returns: 1 always
+ *  Args:    ctx: pointer to a context object
+ *  Out:   out32: pointer to a 32-byte array to store the serialized signature
+ *  In:      sig: pointer to the signature
+ */
+SECP256K1_API int secp256k1_musig_partial_sig_serialize(
+    const secp256k1_context *ctx,
+    unsigned char *out32,
+    const secp256k1_musig_partial_sig *sig
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Computes an aggregate public key and uses it to initialize a keyagg_cache
+ *
+ *  Different orders of `pubkeys` result in different `agg_pk`s.
+ *
+ *  Before aggregating, the pubkeys can be sorted with `secp256k1_ec_pubkey_sort`
+ *  which ensures the same `agg_pk` result for the same multiset of pubkeys.
+ *  This is useful to do before `pubkey_agg`, such that the order of pubkeys
+ *  does not affect the aggregate public key.
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:        ctx: pointer to a context object
+ *  Out:      agg_pk: the MuSig-aggregated x-only public key. If you do not need it,
+ *                    this arg can be NULL.
+ *      keyagg_cache: if non-NULL, pointer to a musig_keyagg_cache struct that
+ *                    is required for signing (or observing the signing session
+ *                    and verifying partial signatures).
+ *   In:     pubkeys: input array of pointers to public keys to aggregate. The order
+ *                    is important; a different order will result in a different
+ *                    aggregate public key.
+ *         n_pubkeys: length of pubkeys array. Must be greater than 0.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(
+    const secp256k1_context *ctx,
+    secp256k1_xonly_pubkey *agg_pk,
+    secp256k1_musig_keyagg_cache *keyagg_cache,
+    const secp256k1_pubkey * const *pubkeys,
+    size_t n_pubkeys
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4);
+
+/** Obtain the aggregate public key from a keyagg_cache.
+ *
+ *  This is only useful if you need the non-xonly public key, in particular for
+ *  plain (non-xonly) tweaking or batch-verifying multiple key aggregations
+ *  (not implemented).
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:        ctx: pointer to a context object
+ *  Out:      agg_pk: the MuSig-aggregated public key.
+ *  In: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ *                    `musig_pubkey_agg`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *agg_pk,
+    const secp256k1_musig_keyagg_cache *keyagg_cache
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding
+ *  the generator multiplied with `tweak32` to it. This is useful for deriving
+ *  child keys from an aggregate public key via BIP 32 where `tweak32` is set to
+ *  a hash as defined in BIP 32.
+ *
+ *  Callers are responsible for deriving `tweak32` in a way that does not reduce
+ *  the security of MuSig (for example, by following BIP 32).
+ *
+ *  The tweaking method is the same as `secp256k1_ec_pubkey_tweak_add`. So after
+ *  the following pseudocode buf and buf2 have identical contents (absent
+ *  earlier failures).
+ *
+ *  secp256k1_musig_pubkey_agg(..., keyagg_cache, pubkeys, ...)
+ *  secp256k1_musig_pubkey_get(..., agg_pk, keyagg_cache)
+ *  secp256k1_musig_pubkey_ec_tweak_add(..., output_pk, tweak32, keyagg_cache)
+ *  secp256k1_ec_pubkey_serialize(..., buf, ..., output_pk, ...)
+ *  secp256k1_ec_pubkey_tweak_add(..., agg_pk, tweak32)
+ *  secp256k1_ec_pubkey_serialize(..., buf2, ..., agg_pk, ...)
+ *
+ *  This function is required if you want to _sign_ for a tweaked aggregate key.
+ *  If you are only computing a public key but not intending to create a
+ *  signature for it, use `secp256k1_ec_pubkey_tweak_add` instead.
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:            ctx: pointer to a context object
+ *  Out:   output_pubkey: pointer to a public key to store the result. Will be set
+ *                        to an invalid value if this function returns 0. If you
+ *                        do not need it, this arg can be NULL.
+ *  In/Out: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ *                       `musig_pubkey_agg`
+ *  In:          tweak32: pointer to a 32-byte tweak. The tweak is valid if it passes
+ *                        `secp256k1_ec_seckey_verify` and is not equal to the
+ *                        secret key corresponding to the public key represented
+ *                        by keyagg_cache or its negation. For uniformly random
+ *                        32-byte arrays the chance of being invalid is
+ *                        negligible (around 1 in 2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *output_pubkey,
+    secp256k1_musig_keyagg_cache *keyagg_cache,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Apply x-only tweaking to a public key in a given keyagg_cache by adding the
+ *  generator multiplied with `tweak32` to it. This is useful for creating
+ *  Taproot outputs where `tweak32` is set to a TapTweak hash as defined in BIP
+ *  341.
+ *
+ *  Callers are responsible for deriving `tweak32` in a way that does not reduce
+ *  the security of MuSig (for example, by following Taproot BIP 341).
+ *
+ *  The tweaking method is the same as `secp256k1_xonly_pubkey_tweak_add`. So in
+ *  the following pseudocode xonly_pubkey_tweak_add_check (absent earlier
+ *  failures) returns 1.
+ *
+ *  secp256k1_musig_pubkey_agg(..., agg_pk, keyagg_cache, pubkeys, ...)
+ *  secp256k1_musig_pubkey_xonly_tweak_add(..., output_pk, keyagg_cache, tweak32)
+ *  secp256k1_xonly_pubkey_serialize(..., buf, output_pk)
+ *  secp256k1_xonly_pubkey_tweak_add_check(..., buf, ..., agg_pk, tweak32)
+ *
+ *  This function is required if you want to _sign_ for a tweaked aggregate key.
+ *  If you are only computing a public key but not intending to create a
+ *  signature for it, use `secp256k1_xonly_pubkey_tweak_add` instead.
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:            ctx: pointer to a context object
+ *  Out:   output_pubkey: pointer to a public key to store the result. Will be set
+ *                        to an invalid value if this function returns 0. If you
+ *                        do not need it, this arg can be NULL.
+ *  In/Out: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
+ *                       `musig_pubkey_agg`
+ *  In:          tweak32: pointer to a 32-byte tweak. The tweak is valid if it passes
+ *                        `secp256k1_ec_seckey_verify` and is not equal to the
+ *                        secret key corresponding to the public key represented
+ *                        by keyagg_cache or its negation. For uniformly random
+ *                        32-byte arrays the chance of being invalid is
+ *                        negligible (around 1 in 2^128).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(
+    const secp256k1_context *ctx,
+    secp256k1_pubkey *output_pubkey,
+    secp256k1_musig_keyagg_cache *keyagg_cache,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Starts a signing session by generating a nonce
+ *
+ *  This function outputs a secret nonce that will be required for signing and a
+ *  corresponding public nonce that is intended to be sent to other signers.
+ *
+ *  MuSig differs from regular Schnorr signing in that implementers _must_ take
+ *  special care to not reuse a nonce. This can be ensured by following these rules:
+ *
+ *  1. Each call to this function must have a UNIQUE session_secrand32 that must
+ *     NOT BE REUSED in subsequent calls to this function and must be KEPT
+ *     SECRET (even from other signers).
+ *  2. If you already know the seckey, message or aggregate public key
+ *     cache, they can be optionally provided to derive the nonce and increase
+ *     misuse-resistance. The extra_input32 argument can be used to provide
+ *     additional data that does not repeat in normal scenarios, such as the
+ *     current time.
+ *  3. Avoid copying (or serializing) the secnonce. This reduces the possibility
+ *     that it is used more than once for signing.
+ *
+ *  If you don't have access to good randomness for session_secrand32, but you
+ *  have access to a non-repeating counter, then see
+ *  secp256k1_musig_nonce_gen_counter.
+ *
+ *  Remember that nonce reuse will leak the secret key!
+ *  Note that using the same seckey for multiple MuSig sessions is fine.
+ *
+ *  Returns: 0 if the arguments are invalid and 1 otherwise
+ *  Args:         ctx: pointer to a context object (not secp256k1_context_static)
+ *  Out:     secnonce: pointer to a structure to store the secret nonce
+ *           pubnonce: pointer to a structure to store the public nonce
+ *  In/Out:
+ *  session_secrand32: a 32-byte session_secrand32 as explained above. Must be unique to this
+ *                     call to secp256k1_musig_nonce_gen and must be uniformly
+ *                     random. If the function call is successful, the
+ *                     session_secrand32 buffer is invalidated to prevent reuse.
+ *  In:
+ *             seckey: the 32-byte secret key that will later be used for signing, if
+ *                     already known (can be NULL)
+ *             pubkey: public key of the signer creating the nonce. The secnonce
+ *                     output of this function cannot be used to sign for any
+ *                     other public key. While the public key should correspond
+ *                     to the provided seckey, a mismatch will not cause the
+ *                     function to return 0.
+ *              msg32: the 32-byte message that will later be signed, if already known
+ *                     (can be NULL)
+ *       keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate
+ *                     (and potentially tweaked) public key if already known
+ *                     (can be NULL)
+ *      extra_input32: an optional 32-byte array that is input to the nonce
+ *                     derivation function (can be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(
+    const secp256k1_context *ctx,
+    secp256k1_musig_secnonce *secnonce,
+    secp256k1_musig_pubnonce *pubnonce,
+    unsigned char *session_secrand32,
+    const unsigned char *seckey,
+    const secp256k1_pubkey *pubkey,
+    const unsigned char *msg32,
+    const secp256k1_musig_keyagg_cache *keyagg_cache,
+    const unsigned char *extra_input32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6);
+
+
+/** Alternative way to generate a nonce and start a signing session
+ *
+ *  This function outputs a secret nonce that will be required for signing and a
+ *  corresponding public nonce that is intended to be sent to other signers.
+ *
+ *  This function differs from `secp256k1_musig_nonce_gen` by accepting a
+ *  non-repeating counter value instead of a secret random value. This requires
+ *  that a secret key is provided to `secp256k1_musig_nonce_gen_counter`
+ *  (through the keypair argument), as opposed to `secp256k1_musig_nonce_gen`
+ *  where the seckey argument is optional.
+ *
+ *  MuSig differs from regular Schnorr signing in that implementers _must_ take
+ *  special care to not reuse a nonce. This can be ensured by following these rules:
+ *
+ *  1. The nonrepeating_cnt argument must be a counter value that never repeats,
+ *     i.e., you must never call `secp256k1_musig_nonce_gen_counter` twice with
+ *     the same keypair and nonrepeating_cnt value. For example, this implies
+ *     that if the same keypair is used with `secp256k1_musig_nonce_gen_counter`
+ *     on multiple devices, none of the devices should have the same counter
+ *     value as any other device.
+ *  2. If the seckey, message or aggregate public key cache is already available
+ *     at this stage, any of these can be optionally provided, in which case
+ *     they will be used in the derivation of the nonce and increase
+ *     misuse-resistance. The extra_input32 argument can be used to provide
+ *     additional data that does not repeat in normal scenarios, such as the
+ *     current time.
+ *  3. Avoid copying (or serializing) the secnonce. This reduces the possibility
+ *     that it is used more than once for signing.
+ *
+ *  Remember that nonce reuse will leak the secret key!
+ *  Note that using the same keypair for multiple MuSig sessions is fine.
+ *
+ *  Returns: 0 if the arguments are invalid and 1 otherwise
+ *  Args:         ctx: pointer to a context object (not secp256k1_context_static)
+ *  Out:     secnonce: pointer to a structure to store the secret nonce
+ *           pubnonce: pointer to a structure to store the public nonce
+ *  In:
+ *   nonrepeating_cnt: the value of a counter as explained above. Must be
+ *                     unique to this call to secp256k1_musig_nonce_gen.
+ *            keypair: keypair of the signer creating the nonce. The secnonce
+ *                     output of this function cannot be used to sign for any
+ *                     other keypair.
+ *              msg32: the 32-byte message that will later be signed, if already known
+ *                     (can be NULL)
+ *       keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate
+ *                     (and potentially tweaked) public key if already known
+ *                     (can be NULL)
+ *      extra_input32: an optional 32-byte array that is input to the nonce
+ *                     derivation function (can be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(
+    const secp256k1_context *ctx,
+    secp256k1_musig_secnonce *secnonce,
+    secp256k1_musig_pubnonce *pubnonce,
+    uint64_t nonrepeating_cnt,
+    const secp256k1_keypair *keypair,
+    const unsigned char *msg32,
+    const secp256k1_musig_keyagg_cache *keyagg_cache,
+    const unsigned char *extra_input32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+
+/** Aggregates the nonces of all signers into a single nonce
+ *
+ *  This can be done by an untrusted party to reduce the communication
+ *  between signers. Instead of everyone sending nonces to everyone else, there
+ *  can be one party receiving all nonces, aggregating the nonces with this
+ *  function and then sending only the aggregate nonce back to the signers.
+ *
+ *  If the aggregator does not compute the aggregate nonce correctly, the final
+ *  signature will be invalid.
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:           ctx: pointer to a context object
+ *  Out:       aggnonce: pointer to an aggregate public nonce object for
+ *                       musig_nonce_process
+ *  In:       pubnonces: array of pointers to public nonces sent by the
+ *                       signers
+ *          n_pubnonces: number of elements in the pubnonces array. Must be
+ *                       greater than 0.
+ */
+SECP256K1_API int secp256k1_musig_nonce_agg(
+    const secp256k1_context *ctx,
+    secp256k1_musig_aggnonce *aggnonce,
+    const secp256k1_musig_pubnonce * const *pubnonces,
+    size_t n_pubnonces
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Takes the aggregate nonce and creates a session that is required for signing
+ *  and verification of partial signatures.
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise
+ *  Args:          ctx: pointer to a context object
+ *  Out:       session: pointer to a struct to store the session
+ *  In:       aggnonce: pointer to an aggregate public nonce object that is the
+ *                      output of musig_nonce_agg
+ *              msg32:  the 32-byte message to sign
+ *       keyagg_cache:  pointer to the keyagg_cache that was used to create the
+ *                      aggregate (and potentially tweaked) pubkey
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(
+    const secp256k1_context *ctx,
+    secp256k1_musig_session *session,
+    const secp256k1_musig_aggnonce *aggnonce,
+    const unsigned char *msg32,
+    const secp256k1_musig_keyagg_cache *keyagg_cache
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Produces a partial signature
+ *
+ *  This function overwrites the given secnonce with zeros and will abort if given a
+ *  secnonce that is all zeros. This is a best effort attempt to protect against nonce
+ *  reuse. However, this is of course easily defeated if the secnonce has been
+ *  copied (or serialized). Remember that nonce reuse will leak the secret key!
+ *
+ *  For signing to succeed, the secnonce provided to this function must have
+ *  been generated for the provided keypair. This means that when signing for a
+ *  keypair consisting of a seckey and pubkey, the secnonce must have been
+ *  created by calling musig_nonce_gen with that pubkey. Otherwise, the
+ *  illegal_callback is called.
+ *
+ *  This function does not verify the output partial signature, deviating from
+ *  the BIP 327 specification. It is recommended to verify the output partial
+ *  signature with `secp256k1_musig_partial_sig_verify` to prevent random or
+ *  adversarially provoked computation errors.
+ *
+ *  Returns: 0 if the arguments are invalid or the provided secnonce has already
+ *           been used for signing, 1 otherwise
+ *  Args:         ctx: pointer to a context object
+ *  Out:  partial_sig: pointer to struct to store the partial signature
+ *  In/Out:  secnonce: pointer to the secnonce struct created in
+ *                     musig_nonce_gen that has been never used in a
+ *                     partial_sign call before and has been created for the
+ *                     keypair
+ *  In:       keypair: pointer to keypair to sign the message with
+ *       keyagg_cache: pointer to the keyagg_cache that was output when the
+ *                     aggregate public key for this session
+ *            session: pointer to the session that was created with
+ *                     musig_nonce_process
+ */
+SECP256K1_API int secp256k1_musig_partial_sign(
+    const secp256k1_context *ctx,
+    secp256k1_musig_partial_sig *partial_sig,
+    secp256k1_musig_secnonce *secnonce,
+    const secp256k1_keypair *keypair,
+    const secp256k1_musig_keyagg_cache *keyagg_cache,
+    const secp256k1_musig_session *session
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+/** Verifies an individual signer's partial signature
+ *
+ *  The signature is verified for a specific signing session. In order to avoid
+ *  accidentally verifying a signature from a different or non-existing signing
+ *  session, you must ensure the following:
+ *    1. The `keyagg_cache` argument is identical to the one used to create the
+ *       `session` with `musig_nonce_process`.
+ *    2. The `pubkey` argument must be identical to the one sent by the signer
+ *       before aggregating it with `musig_pubkey_agg` to create the
+ *       `keyagg_cache`.
+ *    3. The `pubnonce` argument must be identical to the one sent by the signer
+ *       before aggregating it with `musig_nonce_agg` and using the result to
+ *       create the `session` with `musig_nonce_process`.
+ *
+ *  It is not required to call this function in regular MuSig sessions, because
+ *  if any partial signature does not verify, the final signature will not
+ *  verify either, so the problem will be caught. However, this function
+ *  provides the ability to identify which specific partial signature fails
+ *  verification.
+ *
+ *  Returns: 0 if the arguments are invalid or the partial signature does not
+ *           verify, 1 otherwise
+ *  Args         ctx: pointer to a context object
+ *  In:  partial_sig: pointer to partial signature to verify, sent by
+ *                    the signer associated with `pubnonce` and `pubkey`
+ *          pubnonce: public nonce of the signer in the signing session
+ *            pubkey: public key of the signer in the signing session
+ *      keyagg_cache: pointer to the keyagg_cache that was output when the
+ *                    aggregate public key for this signing session
+ *           session: pointer to the session that was created with
+ *                    `musig_nonce_process`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(
+    const secp256k1_context *ctx,
+    const secp256k1_musig_partial_sig *partial_sig,
+    const secp256k1_musig_pubnonce *pubnonce,
+    const secp256k1_pubkey *pubkey,
+    const secp256k1_musig_keyagg_cache *keyagg_cache,
+    const secp256k1_musig_session *session
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+/** Aggregates partial signatures
+ *
+ *  Returns: 0 if the arguments are invalid, 1 otherwise (which does NOT mean
+ *           the resulting signature verifies).
+ *  Args:         ctx: pointer to a context object
+ *  Out:        sig64: complete (but possibly invalid) Schnorr signature
+ *  In:       session: pointer to the session that was created with
+ *                     musig_nonce_process
+ *       partial_sigs: array of pointers to partial signatures to aggregate
+ *             n_sigs: number of elements in the partial_sigs array. Must be
+ *                     greater than 0.
+ */
+SECP256K1_API int secp256k1_musig_partial_sig_agg(
+    const secp256k1_context *ctx,
+    unsigned char *sig64,
+    const secp256k1_musig_session *session,
+    const secp256k1_musig_partial_sig * const *partial_sigs,
+    size_t n_sigs
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/vendor/secp256k1/include/secp256k1/secp256k1_recovery.h b/vendor/secp256k1/include/secp256k1/secp256k1_recovery.h
index 341b8ba..93a2e4c 100644
--- a/vendor/secp256k1/include/secp256k1/secp256k1_recovery.h
+++ b/vendor/secp256k1/include/secp256k1/secp256k1_recovery.h
@@ -7,7 +7,7 @@
 extern "C" {
 #endif
 
-/** Opaque data structured that holds a parsed ECDSA signature,
+/** Opaque data structure that holds a parsed ECDSA signature,
  *  supporting pubkey recovery.
  *
  *  The exact representation of data inside is implementation defined and not
@@ -21,7 +21,7 @@ extern "C" {
  *  recoverability) will have identical representation, so they can be
  *  memcmp'ed.
  */
-typedef struct {
+typedef struct secp256k1_ecdsa_recoverable_signature {
     unsigned char data[65];
 } secp256k1_ecdsa_recoverable_signature;
 
diff --git a/vendor/secp256k1/include/secp256k1/secp256k1_schnorrsig.h b/vendor/secp256k1/include/secp256k1/secp256k1_schnorrsig.h
index 23163de..013d4ee 100644
--- a/vendor/secp256k1/include/secp256k1/secp256k1_schnorrsig.h
+++ b/vendor/secp256k1/include/secp256k1/secp256k1_schnorrsig.h
@@ -79,7 +79,7 @@ SECP256K1_API const secp256k1_nonce_function_hardened secp256k1_nonce_function_b
  *             secp256k1_nonce_function_bip340 is used, then ndata must be a
  *             pointer to 32-byte auxiliary randomness as per BIP-340.
  */
-typedef struct {
+typedef struct secp256k1_schnorrsig_extraparams {
     unsigned char magic[4];
     secp256k1_nonce_function_hardened noncefp;
     void *ndata;