Squashed 'src/secp256k1/' changes from efe85c70a2..a3be00ce24

a3be00ce24 Merge 70bb68536d27d44ed0b0ae76be6790ae38d77ef6 into a9db9f2d75ac9df0312dec0c329266969bcc2946
70bb68536d build: allow enabling the musig module in cmake
fce0857aa0 Add module "musig" that implements MuSig2 multi-signatures (BIP 327)
13b226ea60 group: add ge_to_bytes and ge_from_bytes
e1ba262f16 extrakeys: add secp256k1_pubkey_sort
a9db9f2d75 Merge bitcoin-core/secp256k1#1480: Get rid of untested sizeof(secp256k1_ge_storage) == 64 code path
74b7c3b53e Merge bitcoin-core/secp256k1#1476: include: make docs more consistent
ba5d72d626 assumptions: Use new STATIC_ASSERT macro
e53c2d9ffc Require that sizeof(secp256k1_ge_storage) == 64
d0ba2abbff util: Add STATIC_ASSERT macro
da7bc1b803 include: in doc, remove article in front of "pointer"
aa3dd5280b include: make doc about ctx more consistent
e3f690015a include: remove obvious "cannot be NULL" doc
d373bf6d08 Merge bitcoin-core/secp256k1#1474: tests: restore scalar_mul test
79e094517c Merge bitcoin-core/secp256k1#1473: Fix typos
3dbfb48946 tests: restore scalar_mul test
d77170a88d Fix typos

git-subtree-dir: src/secp256k1
git-subtree-split: a3be00ce24a9073312a9f4c39433481ba137423e

.cirrus.yml

@@ -21,6 +21,7 @@ env:
  ECDH: no
  RECOVERY: no
  SCHNORRSIG: no
+ MUSIG: no
  ELLSWIFT: no
  ### test options
  SECP256K1_TEST_ITERS:
@@ -67,6 +68,7 @@ task:
  ECDH: yes
  RECOVERY: yes
  SCHNORRSIG: yes
+ MUSIG: yes
  ELLSWIFT: yes
  matrix:
  # Currently only gcc-snapshot, the other compilers are tested on GHA with QEMU
@@ -83,6 +85,7 @@ task:
  ECDH: yes
  RECOVERY: yes
  SCHNORRSIG: yes
+ MUSIG: yes
  ELLSWIFT: yes
  WRAPPER_CMD: 'valgrind --error-exitcode=42'
  SECP256K1_TEST_ITERS: 2

.github/workflows/ci.yml

@@ -32,6 +32,7 @@ env:
  ECDH: 'no'
  RECOVERY: 'no'
  SCHNORRSIG: 'no'
+ MUSIG: 'no'
  ELLSWIFT: 'no'
  ### test options
  SECP256K1_TEST_ITERS:
@@ -71,18 +72,18 @@ jobs:
  matrix:
  configuration:
  - env_vars: { WIDEMUL: 'int64', RECOVERY: 'yes' }
- - env_vars: { WIDEMUL: 'int64', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
+ - env_vars: { WIDEMUL: 'int64', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
  - env_vars: { WIDEMUL: 'int128' }
- - env_vars: { WIDEMUL: 'int128_struct', ELLSWIFT: 'yes' }
- - env_vars: { WIDEMUL: 'int128', RECOVERY: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
- - env_vars: { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes' }
- - env_vars: { WIDEMUL: 'int128', ASM: 'x86_64', ELLSWIFT: 'yes' }
+ - env_vars: { WIDEMUL: 'int128_struct',  ELLSWIFT: 'yes' }
+ - env_vars: { WIDEMUL: 'int128', RECOVERY: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
+ - env_vars: { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes' }
+ - env_vars: { WIDEMUL: 'int128', ASM: 'x86_64',  ELLSWIFT: 'yes' }
  - env_vars: { RECOVERY: 'yes', SCHNORRSIG: 'yes' }
  - env_vars: { CTIMETESTS: 'no', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', CPPFLAGS: '-DVERIFY' }
  - env_vars: { BUILD: 'distcheck', WITH_VALGRIND: 'no', CTIMETESTS: 'no', BENCH: 'no' }
  - env_vars: { CPPFLAGS: '-DDETERMINISTIC' }
  - env_vars: { CFLAGS: '-O0', CTIMETESTS: 'no' }
- - env_vars: { CFLAGS: '-O1', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
+ - env_vars: { CFLAGS: '-O1', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
  - env_vars: { ECMULTGENPRECISION: 2, ECMULTWINDOW: 2 }
  - env_vars: { ECMULTGENPRECISION: 8, ECMULTWINDOW: 4 }
  cc:
@@ -140,6 +141,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CC: ${{ matrix.cc }}
 
@@ -184,6 +186,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
 
@@ -235,6 +238,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
 
@@ -280,6 +284,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
 
@@ -335,6 +340,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
 
@@ -387,6 +393,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
  SECP256K1_TEST_ITERS: 2
@@ -438,6 +445,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
  CFLAGS: '-fsanitize=undefined,address -g'
@@ -495,6 +503,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'yes'
  CC: 'clang'
@@ -542,6 +551,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
  CTIMETESTS: 'no'
 
@@ -599,15 +609,15 @@ jobs:
  fail-fast: false
  matrix:
  env_vars:
- - { WIDEMUL: 'int64', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
+ - { WIDEMUL: 'int64', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
  - { WIDEMUL: 'int128_struct', ECMULTGENPRECISION: 2, ECMULTWINDOW: 4 }
- - { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
+ - { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
  - { WIDEMUL: 'int128', RECOVERY: 'yes' }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', CC: 'gcc' }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', CC: 'gcc', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
- - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', CPPFLAGS: '-DVERIFY', CTIMETESTS: 'no' }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes' }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', CC: 'gcc' }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', CC: 'gcc', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 }
+ - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', MUSIG: 'yes', ELLSWIFT: 'yes', CPPFLAGS: '-DVERIFY', CTIMETESTS: 'no' }
  - BUILD: 'distcheck'
 
  steps:
@@ -717,6 +727,7 @@ jobs:
  ECDH: 'yes'
  RECOVERY: 'yes'
  SCHNORRSIG: 'yes'
+ MUSIG: 'yes'
  ELLSWIFT: 'yes'
 
  steps:

CMakeLists.txt

@@ -63,6 +63,11 @@ endif()
 
 option(SECP256K1_ENABLE_MODULE_EXTRAKEYS "Enable extrakeys module." ON)
 option(SECP256K1_ENABLE_MODULE_SCHNORRSIG "Enable schnorrsig module." ON)
+option(SECP256K1_ENABLE_MODULE_MUSIG "Enable musig module." ON)
+if(SECP256K1_ENABLE_MODULE_MUSIG)
+ set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON)
+ add_compile_definitions(ENABLE_MODULE_MUSIG=1)
+endif()
 if(SECP256K1_ENABLE_MODULE_SCHNORRSIG)
  set(SECP256K1_ENABLE_MODULE_EXTRAKEYS ON)
  add_compile_definitions(ENABLE_MODULE_SCHNORRSIG=1)
@@ -275,6 +280,7 @@ message(" ECDH ................................ ${SECP256K1_ENABLE_MODULE_ECDH}
 message(" ECDSA pubkey recovery ............... ${SECP256K1_ENABLE_MODULE_RECOVERY}")
 message(" extrakeys ........................... ${SECP256K1_ENABLE_MODULE_EXTRAKEYS}")
 message(" schnorrsig .......................... ${SECP256K1_ENABLE_MODULE_SCHNORRSIG}")
+message(" musig ............................... ${SECP256K1_ENABLE_MODULE_MUSIG}")
 message(" ElligatorSwift ...................... ${SECP256K1_ENABLE_MODULE_ELLSWIFT}")
 message("Parameters:")
 message(" ecmult window size .................. ${SECP256K1_ECMULT_WINDOW_SIZE}")

CONTRIBUTING.md

@@ -44,7 +44,7 @@ The Contributor Workflow & Peer Review in libsecp256k1 are similar to Bitcoin Co
 
 In addition, libsecp256k1 tries to maintain the following coding conventions:
 
-* No runtime heap allocation (e.g., no `malloc`) unless explicitly requested by the caller (via `secp256k1_context_create` or `secp256k1_scratch_space_create`, for example). Morever, it should be possible to use the library without any heap allocations.
+* No runtime heap allocation (e.g., no `malloc`) unless explicitly requested by the caller (via `secp256k1_context_create` or `secp256k1_scratch_space_create`, for example). Moreover, it should be possible to use the library without any heap allocations.
 * The tests should cover all lines and branches of the library (see [Test coverage](#coverage)).
 * Operations involving secret data should be tested for being constant time with respect to the secrets (see [src/ctime_tests.c](src/ctime_tests.c)).
 * Local variables containing secret data should be cleared explicitly to try to delete secrets from memory.

Makefile.am

@@ -182,6 +182,17 @@ schnorr_example_LDFLAGS += -lbcrypt
 endif
 TESTS += schnorr_example
 endif
+if ENABLE_MODULE_MUSIG
+noinst_PROGRAMS += musig_example
+musig_example_SOURCES = examples/musig.c
+musig_example_CPPFLAGS = -I$(top_srcdir)/include -DSECP256K1_STATIC
+musig_example_LDADD = libsecp256k1.la
+musig_example_LDFLAGS = -static
+if BUILD_WINDOWS
+musig_example_LDFLAGS += -lbcrypt
+endif
+TESTS += musig_example
+endif
 endif
 
 ### Precomputed tables
@@ -268,6 +279,10 @@ if ENABLE_MODULE_SCHNORRSIG
 include src/modules/schnorrsig/Makefile.am.include
 endif
 
+if ENABLE_MODULE_MUSIG
+include src/modules/musig/Makefile.am.include
+endif
+
 if ENABLE_MODULE_ELLSWIFT
 include src/modules/ellswift/Makefile.am.include
 endif

README.md

@@ -20,6 +20,7 @@ Features:
 * Optional module for public key recovery.
 * Optional module for ECDH key exchange.
 * Optional module for Schnorr signatures according to [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
+* Optional module for the MuSig2 multi-signature scheme according to [BIP-327](https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki).
 
 Implementation details
 ----------------------

ci/ci.sh

@@ -13,7 +13,7 @@ print_environment() {
  # does not rely on bash.
  for var in WERROR_CFLAGS MAKEFLAGS BUILD \
  ECMULTWINDOW ECMULTGENPRECISION ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \
- EXPERIMENTAL ECDH RECOVERY SCHNORRSIG ELLSWIFT \
+ EXPERIMENTAL ECDH RECOVERY SCHNORRSIG MUSIG ELLSWIFT \
  SECP256K1_TEST_ITERS BENCH SECP256K1_BENCH_ITERS CTIMETESTS\
  EXAMPLES \
  HOST WRAPPER_CMD \
@@ -77,6 +77,7 @@ esac
  --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
  --enable-module-ellswift="$ELLSWIFT" \
  --enable-module-schnorrsig="$SCHNORRSIG" \
+ --enable-module-musig="$MUSIG" \
  --enable-examples="$EXAMPLES" \
  --enable-ctime-tests="$CTIMETESTS" \
  --with-valgrind="$WITH_VALGRIND" \

configure.ac

@@ -184,6 +184,10 @@ AC_ARG_ENABLE(module_schnorrsig,
  AS_HELP_STRING([--enable-module-schnorrsig],[enable schnorrsig module [default=yes]]), [],
  [SECP_SET_DEFAULT([enable_module_schnorrsig], [yes], [yes])])
 
+AC_ARG_ENABLE(module_musig,
+ AS_HELP_STRING([--enable-module-musig],[enable MuSig2 module [default=yes]]), [],
+ [SECP_SET_DEFAULT([enable_module_musig], [yes], [yes])])
+
 AC_ARG_ENABLE(module_ellswift,
  AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
  [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])
@@ -387,6 +391,10 @@ SECP_CFLAGS="$SECP_CFLAGS $WERROR_CFLAGS"
 ### Handle module options
 ###
 
+# Besides testing whether modules are enabled, the following code also enables
+# module dependencies. The order of the tests matters: the dependency must be
+# tested first.
+
 if test x"$enable_module_ecdh" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDH=1"
 fi
@@ -395,21 +403,24 @@ if test x"$enable_module_recovery" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_RECOVERY=1"
 fi
 
+if test x"$enable_module_musig" = x"yes"; then
+ SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_MUSIG=1"
+ enable_module_schnorrsig=yes
+fi
+
 if test x"$enable_module_schnorrsig" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SCHNORRSIG=1"
  enable_module_extrakeys=yes
 fi
 
-if test x"$enable_module_ellswift" = x"yes"; then
- SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ELLSWIFT=1"
-fi
-
-# Test if extrakeys is set after the schnorrsig module to allow the schnorrsig
-# module to set enable_module_extrakeys=yes
 if test x"$enable_module_extrakeys" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_EXTRAKEYS=1"
 fi
 
+if test x"$enable_module_ellswift" = x"yes"; then
+ SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ELLSWIFT=1"
+fi
+
 if test x"$enable_external_default_callbacks" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_DEFAULT_CALLBACKS=1"
 fi
@@ -446,6 +457,7 @@ AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ELLSWIFT], [test x"$enable_module_ellswift" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
@@ -468,6 +480,7 @@ echo " module ecdh = $enable_module_ecdh"
 echo " module recovery = $enable_module_recovery"
 echo " module extrakeys = $enable_module_extrakeys"
 echo " module schnorrsig = $enable_module_schnorrsig"
+echo " module musig = $enable_module_musig"
 echo " module ellswift = $enable_module_ellswift"
 echo
 echo " asm = $set_asm"

contrib/lax_der_parsing.h

@@ -67,8 +67,8 @@ extern "C" {
  *
  * Returns: 1 when the signature could be parsed, 0 otherwise.
  * Args: ctx: a secp256k1 context object
- * Out: sig: a pointer to a signature object
- * In: input: a pointer to the signature to be parsed
+ * Out: sig: pointer to a signature object
+ * In: input: pointer to the signature to be parsed
  * inputlen: the length of the array pointed to be input
  *
  * This function will accept any valid DER encoded signature, even if the

doc/musig.md

@@ -0,0 +1,51 @@
+Notes on the musig module API
+===========================
+
+The following sections contain additional notes on the API of the musig module (`include/secp256k1_musig.h`).
+A usage example can be found in `examples/musig.c`.
+
+# API misuse
+
+The musig API is designed to be as misuse resistant as possible.
+However, the MuSig protocol has some additional failure modes (mainly due to interactivity) that do not appear in single-signing.
+While the results can be catastrophic (e.g. leaking of the secret key), it is unfortunately not possible for the musig implementation to rule out all such failure modes.
+
+Therefore, users of the musig module must take great care to make sure of the following:
+
+1. A unique nonce per signing session is generated in `secp256k1_musig_nonce_gen`.
+ See the corresponding comment in `include/secp256k1_musig.h` for how to ensure that.
+2. The `secp256k1_musig_secnonce` structure is never copied or serialized.
+ See also the comment on `secp256k1_musig_secnonce` in `include/secp256k1_musig.h`.
+3. Opaque data structures are never written to or read from directly.
+ Instead, only the provided accessor functions are used.
+
+# Key Aggregation and (Taproot) Tweaking
+
+Given a set of public keys, the aggregate public key is computed with `secp256k1_musig_pubkey_agg`.
+A (Taproot) tweak can be added to the resulting public key with `secp256k1_xonly_pubkey_tweak_add` and a plain tweak can be added with `secp256k1_ec_pubkey_tweak_add`.
+
+# Signing
+
+This is covered by `examples/musig.c`.
+Essentially, the protocol proceeds in the following steps:
+
+1. Generate a keypair with `secp256k1_keypair_create` and obtain the public key with `secp256k1_keypair_pub`.
+2. Call `secp256k1_musig_pubkey_agg` with the pubkeys of all participants.
+3. Optionally add a (Taproot) tweak with `secp256k1_musig_pubkey_xonly_tweak_add` and a plain tweak with `secp256k1_musig_pubkey_ec_tweak_add`.
+4. Generate a pair of secret and public nonce with `secp256k1_musig_nonce_gen` and send the public nonce to the other signers.
+5. Someone (not necessarily the signer) aggregates the public nonce with `secp256k1_musig_nonce_agg` and sends it to the signers.
+6. Process the aggregate nonce with `secp256k1_musig_nonce_process`.
+7. Create a partial signature with `secp256k1_musig_partial_sign`.
+8. Verify the partial signatures (optional in some scenarios) with `secp256k1_musig_partial_sig_verify`.
+9. Someone (not necessarily the signer) obtains all partial signatures and aggregates them into the final Schnorr signature using `secp256k1_musig_partial_sig_agg`.
+
+The aggregate signature can be verified with `secp256k1_schnorrsig_verify`.
+
+Note that steps 1 to 5 can happen before the message to be signed is known to the signers.
+Therefore, the communication round to exchange nonces can be viewed as a pre-processing step that is run whenever convenient to the signers.
+This disables some of the defense-in-depth measures that may protect against API misuse in some cases.
+Similarly, the API supports an alternative protocol flow where generating the aggregate key (steps 1 to 3) is allowed to happen after exchanging nonces (steps 4 to 5).
+
+# Verification
+
+A participant who wants to verify the partial signatures, but does not sign itself may do so using the above instructions except that the verifier skips steps 1, 4 and 7.

examples/CMakeLists.txt

@@ -28,3 +28,7 @@ endif()
 if(SECP256K1_ENABLE_MODULE_SCHNORRSIG)
  add_example(schnorr)
 endif()
+
+if(SECP256K1_ENABLE_MODULE_MUSIG)
+ add_example(musig)
+endif()