btcec/schnorr/musig2: XOR rand with secret key

This commit XORs the secret key (if a secret key is specified) with the random bytes as per MuSig2 Spec (https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki#nonce-generation-1)
2025-02-23 14:40:44 +01:00 · 2022-06-24 14:27:13 +02:00 · 2022-06-24 14:27:13 +02:00 · 3376655b9c
commit 3376655b9c
parent 04aac1ec7d
1 changed files with 11 additions and 1 deletions
--- a/btcec/schnorr/musig2/nonces.go
+++ b/btcec/schnorr/musig2/nonces.go
@ -31,7 +31,7 @@ var (

 	// NonceGenTag is used to generate the value (from a set of required an
 	// optional field) that will be used as the part of the secret nonce.
-	NonceGenTag = []byte("Musig/nonce")
+	NonceGenTag = []byte("MuSig/nonce")

 	byteOrder = binary.BigEndian
 )
@ -270,6 +270,16 @@ func GenNonces(options ...NonceGenOption) (*Nonces, error) {
 		return nil, err
 	}

+	// If the options contain a secret key, we XOR it with with the tagged
+	// random bytes.
+	if len(opts.secretKey) == 32 {
+		taggedHash := chainhash.TaggedHash(NonceAuxTag, randBytes[:])
+
+		for i := 0; i < chainhash.HashSize; i++ {
+			randBytes[i] = opts.secretKey[i] ^ taggedHash[i]
+		}
+	}
+
 	// Using our randomness and the set of optional params, generate our
 	// two secret nonces: k1 and k2.
 	k1, err := genNonceAuxBytes(randBytes[:], 1, opts)