From 82dae5be6a70d20a2f74fb72732a7f4009faeb51 Mon Sep 17 00:00:00 2001
From: yeastplume
Date: Sun, 7 Jan 2018 21:29:36 +0000
Subject: [PATCH] clean up of api, docs, tests for single-signer aggsig
---
 include/secp256k1_aggsig.h | 23 +++++-----
 src/modules/aggsig/tests_impl.h | 79 +++++++++++++++++----------------
 2 files changed, 52 insertions(+), 50 deletions(-)
diff --git a/include/secp256k1_aggsig.h b/include/secp256k1_aggsig.h
index f61ccbc..d2ba15f 100644
--- a/include/secp256k1_aggsig.h
+++ b/include/secp256k1_aggsig.h
@@ -87,16 +87,15 @@ SECP256K1_API int secp256k1_aggsig_generate_nonce( * Returns: 1 on success * Args: ctx: an existing context object, initialized for signing (cannot be NULL) * In: seed: A random seed value - * Out: secnonce32: The secure nonce (scalar) + * Out: secnonce32: The secure nonce (scalar), guaranteed to be Jacobi 1 */ -SECP256K1_API int secp256k1_aggsig_export_nonces_single( +SECP256K1_API int secp256k1_aggsig_export_secnonce_single( const secp256k1_context* ctx, unsigned char* secnonce32, - secp256k1_pubkey* pubkey_nonce, const unsigned char* seed -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_WARN_UNUSED_RESULT; +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_WARN_UNUSED_RESULT; -/** Generate a single-signer signature, without a stored context +/** Generate a single-signer signature (or partial sig), without a stored context * * Returns: 1 on success, 0 on failure * Args: ctx: an existing context object, initialized for signing (cannot be NULL) 
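Review bot: The new Out line `guaranteed to be Jacobi 1` attaches the Jacobi symbol to the scalar, while the sign_single docs in this same patch describe the symbol as a property of the public nonce, so a reader cannot tell what is actually guaranteed; suggest ` * Out: secnonce32: the secret nonce (scalar), chosen so that its public nonce has jacobi symbol 1` — presumably that is what the implementation does, confirm against the .c side. The `seed` line also stays vague while sign_single's says `a 32-byte seed ... (cannot be NULL)`; since SECP256K1_ARG_NONNULL(3) now covers seed, write ` * In: seed: a 32-byte random seed (cannot be NULL)`. The public-nonce output was dropped with the rename, which is fine given the tests derive it with secp256k1_ec_pubkey_create, but the comment should say so, e.g. ` * (derive the public nonce with secp256k1_ec_pubkey_create)`.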
@@ -104,9 +103,10 @@ SECP256K1_API int secp256k1_aggsig_export_nonces_single( * In: msg32: the message to sign (cannot be NULL) * seckey32: the secret signing key (cannot be NULL) * secnonce32: secret nonce to use. If NULL, a nonce will be generated - * pubnonce: If this is non-NULL, encode this value in e instead of the derived - * public nonce of secnonce32 - * final_nonce_sum: If intending to add the signatures, include the final nonce sum to know whether the sec nonce should be negated + * pubnonce_for_e: If this is non-NULL, encode this value in e instead of the derived + * pubnonce_total: If non-NULL, allow this signature to be included in combined sig + * in all cases by negating secnonce32 if the public nonce total has jacobi symbol + * -1. secnonce32 must also be provided * seed: a 32-byte seed to use for the nonce-generating RNG (cannot be NULL) */
@@ -165,8 +165,7 @@ SECP256K1_API int secp256k1_aggsig_combine_signatures( * Out: sig64: the completed signature (s1+s2,n1+n2) (cannot be NULL) * In: sig1_64: a signature (from which s1 will2be taken) * sig2_64: another signature (from which s1 will be taken) - * pubnonce1: public nonce1 - * pubnonce2: public nonce2 (to be added to 1) + * pubnonce_total: the total of all public nonces, will simple become R (negated if needed) */ SECP256K1_API int secp256k1_aggsig_add_signatures_single(
@@ -186,6 +185,8 @@ SECP256K1_API int secp256k1_aggsig_add_signatures_single( * msg32: the message to verify (cannot be NULL) * pubnonce: if non-NULL, override the public nonce used to calculate e * pubkey: the public key (cannot be NULL) + * is_partial: whether to ignore the jacobi symbol of the combined R, set this to 1 + * to verify partial signatures that may have had their secret nonces negated */ int secp256k1_aggsig_verify_single( const secp256k1_context* ctx, 
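Review bot: The rewritten `pubnonce_for_e` line ends mid-sentence — `encode this value in e instead of the derived` — because the continuation `public nonce of secnonce32` was deleted together with the old line; restore it as ` * pubnonce_for_e: If non-NULL, encode this value in e instead of the public nonce derived from secnonce32`. The `pubnonce_total` text states `secnonce32 must also be provided` as a precondition but does not say what happens when it is violated; the prototype for this function starts outside the hunk, so I cannot see whether an ARG_CHECK or the NONNULL attributes enforce it — either return 0 with an ARG_CHECK or add a sentence documenting the behaviour. The comment block itself begins before this hunk.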
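Review bot: The new `pubnonce_total` line reads `will simple become R (negated if needed)`, which is a typo and leaves the negation rule unstated; the sign_single docs in this patch tie it to the jacobi symbol, so write ` * pubnonce_total: the sum of all public nonces; it becomes R, negated first if its jacobi symbol is -1 (cannot be NULL)` — the non-NULL claim is inferred from the tests always passing &combiner_sum, confirm against the prototype, which continues outside this hunk. The adjacent context lines still say `will2be taken` and, for sig2_64, `from which s1 will be taken` (should be s2); since this hunk already rewrites the In: list, fix them in the same pass.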
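Review bot: The `is_partial` doc describes the flag as ignoring the jacobi symbol of the combined R but does not warn that a verification with is_partial = 1 accepts the signature under either sign of R, so it must never stand in for final verification; the tests in this patch verify combined_sig with 0 and only the partial sigs with 1, and the header should say so: ` * is_partial: set to 1 only for an intermediate partial signature whose secret nonce may have been negated (ignores the jacobi symbol of R); a completed signature must be verified with 0`. The declaration `int secp256k1_aggsig_verify_single(` also lacks the SECP256K1_API prefix that every other function in these hunks carries, which is pre-existing but worth fixing while the signature is being edited (its parameter list continues into the next hunk).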
@@ -193,7 +194,7 @@ int secp256k1_aggsig_verify_single( const unsigned char *msg32, const secp256k1_pubkey *pubnonce, const secp256k1_pubkey *pubkey, - int is_partial) + const int is_partial) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_WARN_UNUSED_RESULT; /** Verify an aggregate signature
diff --git a/src/modules/aggsig/tests_impl.h b/src/modules/aggsig/tests_impl.h
index 15f7400..00543dd 100644
--- a/src/modules/aggsig/tests_impl.h
+++ b/src/modules/aggsig/tests_impl.h
@@ -35,6 +35,7 @@ void test_aggsig_api(void) { int32_t ecount = 0; size_t i; + size_t j; secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); 
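Review bot: `const int is_partial)` puts a top-level const on a by-value parameter in a header declaration, where it has no effect on callers and is a definition-only detail; none of the other prototypes visible in these hunks qualify a by-value parameter, so keep `int is_partial)` in the header and, if wanted, add the const in the definition only. The declaration this parameter belongs to starts in the previous hunk.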
@@ -165,60 +166,60 @@ void test_aggsig_api(void) { /* Overriding sec nonce and pub nonce encoded in e */ memset(sig, 0, sizeof(sig)); CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], seckeys[1], &pubkeys[3], NULL, seed)); - /*CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &pubkeys[3], &pubkeys[0]));*/ + CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &pubkeys[3], &pubkeys[0], 0)); /* Testing aggsig exchange algorithm for Grin */ /* ****************************************** */ + for (i=0;i<20;i++){ + memset(sig, 0, sizeof(sig)); + memset(sig, 0, sizeof(sig2)); + memset(sig, 0, sizeof(combined_sig)); - memset(sig, 0, sizeof(sig)); - memset(sig, 0, sizeof(sig2)); - memset(sig, 0, sizeof(combined_sig)); + /* Create a couple of nonces */ + /* Randomise seed to make it more interesting */ + random_scalar_order_test(&tmp_s); + secp256k1_scalar_get_b32(seed, &tmp_s); + CHECK(secp256k1_aggsig_export_secnonce_single(sign, sec_nonces[0], seed)); + random_scalar_order_test(&tmp_s); + secp256k1_scalar_get_b32(seed, &tmp_s); + CHECK(secp256k1_aggsig_export_secnonce_single(sign, sec_nonces[1], seed)); - /* Create a couple of nonces */ - printf("STARTING GRIN EXCHANGE\n"); - /* Randomise seed to make it more interesting */ - random_scalar_order_test(&tmp_s); - secp256k1_scalar_get_b32(seed, &tmp_s); - CHECK(secp256k1_aggsig_export_secnonce_single(sign, sec_nonces[0], seed)); - random_scalar_order_test(&tmp_s); - secp256k1_scalar_get_b32(seed, &tmp_s); - CHECK(secp256k1_aggsig_export_secnonce_single(sign, sec_nonces[1], seed)); + for (j = 0; j < 2; j++) { + CHECK(secp256k1_ec_pubkey_create(ctx, &pub_nonces[j], sec_nonces[j]) == 1); + } - for (i = 0; i < 2; i++) { - CHECK(secp256k1_ec_pubkey_create(ctx, &pub_nonces[i], sec_nonces[i]) == 1); - } + /* Combine pubnonces */ + pubkey_combiner[0]=&pub_nonces[0]; + pubkey_combiner[1]=&pub_nonces[1]; + CHECK(secp256k1_ec_pubkey_combine(ctx, &combiner_sum, pubkey_combiner, 2) == 1); - /* Combine pubnonces */ - 
pubkey_combiner[0]=&pub_nonces[0]; - pubkey_combiner[1]=&pub_nonces[1]; - CHECK(secp256k1_ec_pubkey_combine(ctx, &combiner_sum, pubkey_combiner, 2) == 1); + /* Create 2 partial signatures (Sender, Receiver)*/ + CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], sec_nonces[0], &combiner_sum, &combiner_sum, seed)); - /* Create 2 partial signatures (Sender, Receiver)*/ - printf("\nSIGN FIRST\n"); - CHECK(secp256k1_aggsig_sign_single(sign, sig, msg, seckeys[0], sec_nonces[0], &combiner_sum, &combiner_sum, seed)); + /* Receiver verifies sender's Sig and signs */ + CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &combiner_sum, &pubkeys[0], 1)); - /* Receiver verifies sender's Sig and signs */ - CHECK(secp256k1_aggsig_verify_single(vrfy, sig, msg, &combiner_sum, &pubkeys[0], 1)); - printf("POST_VERIFY FIRST\n\n"); - printf("\nSIGN SECOND\n"); - CHECK(secp256k1_aggsig_sign_single(sign, sig2, msg, seckeys[1], sec_nonces[1], &combiner_sum, &combiner_sum, seed)); + CHECK(secp256k1_aggsig_sign_single(sign, sig2, msg, seckeys[1], sec_nonces[1], &combiner_sum, &combiner_sum, seed)); + /* sender verifies receiver's Sig then creates final combined sig */ + CHECK(secp256k1_aggsig_verify_single(vrfy, sig2, msg, &combiner_sum, &pubkeys[1], 1)); - /* sender verifies receiver's Sig then creates final combined sig */ - CHECK(secp256k1_aggsig_verify_single(vrfy, sig2, msg, &combiner_sum, &pubkeys[1], 1)); - printf("POST_VERIFY SECOND\n\n"); + /* Add 2 sigs and nonces */ + CHECK(secp256k1_aggsig_add_signatures_single(sign, combined_sig, sig, sig2, &combiner_sum)); - /* Add 2 sigs and nonces */ - CHECK(secp256k1_aggsig_add_signatures_single(sign, combined_sig, sig, sig2, &combiner_sum)); + /* Combine pubkeys */ + pubkey_combiner[0]=&pubkeys[0]; + pubkey_combiner[1]=&pubkeys[1]; + CHECK(secp256k1_ec_pubkey_combine(ctx, &combiner_sum_2, pubkey_combiner, 2) == 1); - /* Combine pubkeys */ - pubkey_combiner[0]=&pubkeys[0]; - pubkey_combiner[1]=&pubkeys[1]; - 
CHECK(secp256k1_ec_pubkey_combine(ctx, &combiner_sum_2, pubkey_combiner, 2) == 1); + /* Ensure added sigs verify properly */ + CHECK(secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, &combiner_sum, &combiner_sum_2, 0)); - /* Ensure added sigs verify properly */ - CHECK(secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, &combiner_sum, &combiner_sum_2, 0)); + /* And anything else doesnt' */ + CHECK(!secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, &pub_nonces[0], &combiner_sum_2, 0)); + CHECK(!secp256k1_aggsig_verify_single(vrfy, combined_sig, msg, &combiner_sum, &pub_nonces[1], 0)); + } /*** End aggsig for Grin exchange test ***/ /* cleanup */
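Review bot: The three memset calls at the top of the new loop body all clear `sig`: `memset(sig, 0, sizeof(sig2));` and `memset(sig, 0, sizeof(combined_sig));` should be `memset(sig2, 0, sizeof(sig2));` and `memset(combined_sig, 0, sizeof(combined_sig));`. As written, sig2 and combined_sig keep stale data from the previous iteration, which weakens the verify checks, and if either array is larger than sig the memset overruns it (their declarations are outside the hunk, so I cannot confirm the sizes). The loop also reuses `seed` for both sign_single calls after the last random_scalar_order_test, which is fine because the secret nonces are passed explicitly and the header says seed only feeds the fallback nonce RNG; a comment `/* seed only feeds the fallback RNG; secnonce is explicit */` would save the next reader that check. The `doesnt'` typo in the final comment could be fixed in the same pass.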