Schnorr (Incremental) Half Aggregation

.github/workflows/ci.yml

@@ -40,6 +40,7 @@ env:
  MUSIG: 'no'
  ECDSAADAPTOR: 'no'
  BPPP: 'no'
+ SCHNORRSIG_HALFAGG: 'no'
  ### test options
  SECP256K1_TEST_ITERS:
  BENCH: 'yes'
@@ -78,14 +79,14 @@ jobs:
  matrix:
  configuration:
  - env_vars: { WIDEMUL: 'int64', RECOVERY: 'yes' }
- - env_vars: { WIDEMUL: 'int64', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes' }
+ - env_vars: { WIDEMUL: 'int64', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes'}
  - env_vars: { WIDEMUL: 'int128' }
  - env_vars: { WIDEMUL: 'int128_struct', ELLSWIFT: 'yes' }
  - env_vars: { WIDEMUL: 'int128', RECOVERY: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
- - env_vars: { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes'}
+ - env_vars: { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes'}
  - env_vars: { WIDEMUL: 'int128', ASM: 'x86_64', ELLSWIFT: 'yes' }
- - env_vars: { RECOVERY: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes'}
- - env_vars: { CTIMETESTS: 'no', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', CPPFLAGS: '-DVERIFY' }
+ - env_vars: { RECOVERY: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes'}
+ - env_vars: { CTIMETESTS: 'no', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CPPFLAGS: '-DVERIFY' }
  - env_vars: { BUILD: 'distcheck', WITH_VALGRIND: 'no', CTIMETESTS: 'no', BENCH: 'no' }
  - env_vars: { CPPFLAGS: '-DDETERMINISTIC' }
  - env_vars: { CFLAGS: '-O0', CTIMETESTS: 'no' }
@@ -156,6 +157,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CC: ${{ matrix.cc }}
 
  steps:
@@ -208,6 +210,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
 
  steps:
@@ -267,6 +270,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
 
  steps:
@@ -320,6 +324,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
 
  strategy:
@@ -383,6 +388,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
 
  steps:
@@ -443,6 +449,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
  SECP256K1_TEST_ITERS: 2
 
@@ -502,6 +509,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
  CFLAGS: '-fsanitize=undefined,address -g'
  UBSAN_OPTIONS: 'print_stacktrace=1:halt_on_error=1'
@@ -567,6 +575,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'yes'
  CC: 'clang'
  SECP256K1_TEST_ITERS: 32
@@ -622,6 +631,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
  CTIMETESTS: 'no'
 
  strategy:
@@ -678,15 +688,15 @@ jobs:
  fail-fast: false
  matrix:
  env_vars:
- - { WIDEMUL: 'int64', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes' }
+ - { WIDEMUL: 'int64', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes' }
  - { WIDEMUL: 'int128_struct', ECMULTGENPRECISION: 2, ECMULTWINDOW: 4 }
- - { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes' }
+ - { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes' }
  - { WIDEMUL: 'int128', RECOVERY: 'yes' }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes' }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', CC: 'gcc' }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', CC: 'gcc', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', CPPFLAGS: '-DVERIFY', CTIMETESTS: 'no' }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes' }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CC: 'gcc' }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CC: 'gcc', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CPPFLAGS: '-DVERIFY', CTIMETESTS: 'no' }
  - BUILD: 'distcheck'
 
  steps:
@@ -805,6 +815,7 @@ jobs:
  MUSIG: 'yes'
  ECDSAADAPTOR: 'yes'
  BPPP: 'yes'
+ SCHNORRSIG_HALFAGG: 'yes'
 
  steps:
  - name: Checkout

Makefile.am

@@ -265,6 +265,10 @@ EXTRA_DIST += src/wycheproof/WYCHEPROOF_COPYING
 EXTRA_DIST += src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.json
 EXTRA_DIST += tools/tests_wycheproof_generate.py
 
+if ENABLE_MODULE_SCHNORRSIG_HALFAGG
+include src/modules/schnorrsig_halfagg/Makefile.am.include
+endif
+
 if ENABLE_MODULE_BPPP
 include src/modules/bppp/Makefile.am.include
 endif

ci/ci.sh

@@ -13,7 +13,7 @@ print_environment() {
  # does not rely on bash.
  for var in WERROR_CFLAGS MAKEFLAGS BUILD \
  ECMULTWINDOW ECMULTGENPRECISION ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \
- EXPERIMENTAL ECDH RECOVERY SCHNORRSIG ELLSWIFT \
+ EXPERIMENTAL ECDH RECOVERY SCHNORRSIG SCHNORRSIG_HALFAGG ELLSWIFT \
  ECDSA_S2C GENERATOR RANGEPROOF WHITELIST MUSIG ECDSAADAPTOR BPPP \
  SECP256K1_TEST_ITERS BENCH SECP256K1_BENCH_ITERS CTIMETESTS\
  EXAMPLES \
@@ -82,6 +82,7 @@ esac
  --enable-module-rangeproof="$RANGEPROOF" --enable-module-whitelist="$WHITELIST" --enable-module-generator="$GENERATOR" \
  --enable-module-schnorrsig="$SCHNORRSIG" --enable-module-musig="$MUSIG" --enable-module-ecdsa-adaptor="$ECDSAADAPTOR" \
  --enable-module-schnorrsig="$SCHNORRSIG" \
+ --enable-module-schnorrsig-halfagg="$SCHNORRSIG_HALFAGG" \
  --enable-examples="$EXAMPLES" \
  --enable-ctime-tests="$CTIMETESTS" \
  --with-valgrind="$WITH_VALGRIND" \

configure.ac

@@ -184,6 +184,10 @@ AC_ARG_ENABLE(module_schnorrsig,
  AS_HELP_STRING([--enable-module-schnorrsig],[enable schnorrsig module [default=yes]]), [],
  [SECP_SET_DEFAULT([enable_module_schnorrsig], [yes], [yes])])
 
+AC_ARG_ENABLE(module_schnorrsig_halfagg,
+ AS_HELP_STRING([--enable-module-schnorrsig-halfagg],[enable schnorrsig half-aggregation module (experimental) [default=no]]), [],
+ [SECP_SET_DEFAULT([enable_module_schnorrsig_halfagg], [no], [yes])])
+
 AC_ARG_ENABLE(module_ellswift,
  AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
  [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])
@@ -445,6 +449,11 @@ SECP_CFLAGS="$SECP_CFLAGS $WERROR_CFLAGS"
 
 # Processing must be done in a reverse topological sorting of the dependency graph
 # (dependent module first).
+if test x"$enable_module_schnorrsig_halfagg" = x"yes"; then
+ SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SCHNORRSIG_HALFAGG=1"
+ enable_module_schnorrsig=yes
+fi
+
 if test x"$enable_module_bppp" = x"yes"; then
  if test x"$enable_module_generator" = x"no"; then
  AC_MSG_ERROR([Module dependency error: You have disabled the generator module explicitly, but it is required by the bppp module.])
@@ -497,7 +506,6 @@ if test x"$enable_module_generator" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_GENERATOR=1"
 fi
 
-
 if test x"$enable_module_ellswift" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ELLSWIFT=1"
 fi
@@ -544,6 +552,9 @@ else
  # module (which automatically enables the module dependencies) we want to
  # print an error for the dependent module, not the module dependency. Hence,
  # we first test dependent modules.
+ if test x"$enable_module_schnorrsig_halfagg" = x"yes"; then
+ AC_MSG_ERROR([Schnorrsig Half-Aggregation module is experimental. Use --enable-experimental to allow.])
+ fi
  if test x"$enable_module_bppp" = x"yes"; then
  AC_MSG_ERROR([Bulletproofs++ module is experimental. Use --enable-experimental to allow.])
  fi
@@ -599,6 +610,7 @@ AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDSA_S2C], [test x"$enable_module_ecdsa_s2c" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDSA_ADAPTOR], [test x"$enable_module_ecdsa_adaptor" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_BPPP], [test x"$enable_module_bppp" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG_HALFAGG], [test x"$enable_module_schnorrsig_halfagg" = x"yes"])
 AM_CONDITIONAL([USE_REDUCED_SURJECTION_PROOF_SIZE], [test x"$use_reduced_surjection_proof_size" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
@@ -638,18 +650,19 @@ echo " module musig = $enable_module_musig"
 echo " module ecdsa-s2c = $enable_module_ecdsa_s2c"
 echo " module ecdsa-adaptor = $enable_module_ecdsa_adaptor"
 echo " module bppp = $enable_module_bppp"
+echo " module schnorrsig-halfagg = $enable_module_schnorrsig_halfagg"
 echo
-echo " asm = $set_asm"
-echo " ecmult window size = $set_ecmult_window"
-echo " ecmult gen prec. bits = $set_ecmult_gen_precision"
+echo " asm  = $set_asm"
+echo " ecmult window size  = $set_ecmult_window"
+echo " ecmult gen prec. bits  = $set_ecmult_gen_precision"
 # Hide test-only options unless they're used.
 if test x"$set_widemul" != xauto; then
-echo " wide multiplication = $set_widemul"
+echo " wide multiplication  = $set_widemul"
 fi
 echo
-echo " valgrind = $enable_valgrind"
-echo " CC = $CC"
-echo " CPPFLAGS = $CPPFLAGS"
-echo " SECP_CFLAGS = $SECP_CFLAGS"
-echo " CFLAGS = $CFLAGS"
-echo " LDFLAGS = $LDFLAGS"
+echo " valgrind  = $enable_valgrind"
+echo " CC  = $CC"
+echo " CPPFLAGS  = $CPPFLAGS"
+echo " SECP_CFLAGS  = $SECP_CFLAGS"
+echo " CFLAGS  = $CFLAGS"
+echo " LDFLAGS  = $LDFLAGS"

include/secp256k1_schnorrsig_halfagg.h

@@ -0,0 +1,107 @@
+#ifndef SECP256K1_SCHNORRSIG_HALFAGG_H
+#define SECP256K1_SCHNORRSIG_HALFAGG_H
+
+#include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/** Incrementally (Half-)Aggregate a sequence of Schnorr
+ * signatures to an existing half-aggregate signature.
+ *
+ * Returns 1 on success, 0 on failure.
+ * Args: ctx: a secp256k1 context object.
+ * In/Out: aggsig: pointer to the serialized aggregate signature
+ * that is input. The first 32*(n_before+1) of this
+ * array should hold the input aggsig. It will be
+ * overwritten by the new serialized aggregate signature.
+ * It should be large enough for that, see aggsig_len.
+ * aggsig_len: size of aggsig array in bytes.
+ * Should be large enough to hold the new
+ * serialized aggregate signature, i.e.,
+ * should satisfy aggsig_size >= 32*(n_before+n_new+1).
+ * It will be overwritten to be the exact size of the
+ * resulting aggsig.
+ * In: all_pubkeys: Array of (n_before + n_new) many x-only public keys,
+ * including both the ones for the already aggregated signature
+ * and the ones for the signatures that should be added.
+ * Can only be NULL if n_before + n_new is 0.
+ * all_msgs32: Array of (n_before + n_new) many 32-byte messages,
+ * including both the ones for the already aggregated signature
+ * and the ones for the signatures that should be added.
+ * Can only be NULL if n_before + n_new is 0.
+ * new_sigs64: Array of n_new many 64-byte signatures, containing the new
+ * signatures that should be added. Can only be NULL if n_new is 0.
+ * n_before: Number of signatures that have already been aggregated
+ * in the input aggregate signature.
+ * n_new: Number of signatures that should now be added
+ * to the aggregate signature.
+ */
+SECP256K1_API int secp256k1_schnorrsig_inc_aggregate(
+ const secp256k1_context *ctx,
+ unsigned char *aggsig,
+ size_t *aggsig_len,
+ const secp256k1_xonly_pubkey* all_pubkeys,
+ const unsigned char *all_msgs32,
+ const unsigned char *new_sigs64,
+ size_t n_before,
+ size_t n_new
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** (Half-)Aggregate a sequence of Schnorr signatures.
+ *
+ * Returns 1 on success, 0 on failure.
+ * Args: ctx: a secp256k1 context object.
+ * Out: aggsig: pointer to an array of aggsig_len many bytes to
+ * store the serialized aggregate signature.
+ * In/Out: aggsig_len: size of the aggsig array that is passed in bytes;
+ * will be overwritten to be the exact size of aggsig.
+ * In: pubkeys: Array of n many x-only public keys.
+ * Can only be NULL if n is 0.
+ * msgs32: Array of n many 32-byte messages.
+ * Can only be NULL if n is 0.
+ * sigs64: Array of n many 64-byte signatures.
+ * Can only be NULL if n is 0.
+ * n: number of signatures to be aggregated.
+ */
+SECP256K1_API int secp256k1_schnorrsig_aggregate(
+ const secp256k1_context *ctx,
+ unsigned char *aggsig,
+ size_t *aggsig_len,
+ const secp256k1_xonly_pubkey *pubkeys,
+ const unsigned char *msgs32,
+ const unsigned char *sigs64,
+ size_t n
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Verify a (Half-)aggregate Schnorr signature.
+ *
+ * Returns: 1: correct signature.
+ * 0: incorrect signature.
+ * Args: ctx: a secp256k1 context object.
+ * In: pubkeys: Array of n many x-only public keys. Can only be NULL if n is 0.
+ * msgs32: Array of n many 32-byte messages. Can only be NULL if n is 0.
+ * n: number of signatures to that have been aggregated.
+ * aggsig: Pointer to an array of aggsig_size many bytes
+ * containing the serialized aggregate
+ * signature to be verified.
+ * aggsig_len: Size of the aggregate signature in bytes.
+ * Should be aggsig_len = 32*(n+1)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_aggverify(
+ const secp256k1_context *ctx,
+ const secp256k1_xonly_pubkey *pubkeys,
+ const unsigned char *msgs32,
+ size_t n,
+ const unsigned char *aggsig,
+ size_t aggsig_len
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(5);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_SCHNORRSIG_HALFAGG_H */

src/modules/schnorrsig_halfagg/Makefile.am.include

@@ -0,0 +1,3 @@
+include_HEADERS += include/secp256k1_schnorrsig_halfagg.h
+noinst_HEADERS += src/modules/schnorrsig_halfagg/main_impl.h
+noinst_HEADERS += src/modules/schnorrsig_halfagg/tests_impl.h