musig2: add WithExternalCombinedNonce option to Sign

sputn1ck · sputn1ck · commit 37e656c6d12f · 2025-10-07T20:13:54.000+02:00
This commits adds a new functional option to the Session.Sign function which allows specifying an external
combined Nonce. This is useful when a central coordinator aggregates all nonces.
diff --git a/btcec/schnorr/musig2/context.go b/btcec/schnorr/musig2/context.go
@@ -554,15 +554,31 @@ func (s *Session) RegisterPubNonce(nonce [PubNonceSize]byte) (bool, error) {
 func (s *Session) Sign(msg [32]byte,
 	signOpts ...SignOption) (*PartialSignature, error) {
 
-	switch {
 	// If no local nonce is present, then this means we already signed, so
 	// we'll return an error to prevent nonce re-use.
-	case s.localNonces == nil:
+	if s.localNonces == nil {
 		return nil, ErrSigningContextReuse
+	}
+
+	opts := defaultSignOptions()
+	for _, opt := range signOpts {
+		opt(opts)
+	}
 
-	// We also need to make sure we have the combined nonce, otherwise this
-	// function was called too early.
-	case s.combinedNonce == nil:
+	// Determine which combined nonce to use: external or internal.
+	var combinedNonce *[PubNonceSize]byte
+	switch {
+	case opts.externalCombinedNonce != nil:
+		// Use the externally provided combined nonce from the
+		// coordinator.
+		combinedNonce = opts.externalCombinedNonce
+
+	case s.combinedNonce != nil:
+		// Use the internally aggregated combined nonce.
+		combinedNonce = s.combinedNonce
+
+	default:
+		// Neither external nor internal combined nonce is available.
 		return nil, ErrCombinedNonceUnavailable
 	}
 
@@ -580,7 +596,7 @@ func (s *Session) Sign(msg [32]byte,
 	}
 
 	partialSig, err := Sign(
-		s.localNonces.SecNonce, s.ctx.signingKey, *s.combinedNonce,
+		s.localNonces.SecNonce, s.ctx.signingKey, *combinedNonce,
 		s.ctx.opts.keySet, msg, signOpts...,
 	)
 
diff --git a/btcec/schnorr/musig2/musig2_test.go b/btcec/schnorr/musig2/musig2_test.go
@@ -439,3 +439,79 @@ func (mr *memsetRandReader) Read(buf []byte) (n int, err error) {
 	}
 	return len(buf), nil
 }
+
+// TestSigningWithAggregatedNonce tests the aggregated nonce signing flow where
+// a coordinator aggregates nonces and distributes the combined nonce to
+// participants, rather than each participant aggregating nonces themselves.
+func TestSigningWithAggregatedNonce(t *testing.T) {
+	const numSigners = 5
+
+	// Generate signers.
+	signerKeys := make([]*btcec.PrivateKey, numSigners)
+	signSet := make([]*btcec.PublicKey, numSigners)
+	for i := 0; i < numSigners; i++ {
+		privKey, err := btcec.NewPrivateKey()
+		if err != nil {
+			t.Fatalf("unable to gen priv key: %v", err)
+		}
+		signerKeys[i] = privKey
+		signSet[i] = privKey.PubKey()
+	}
+
+	// Each signer creates a context and session.
+	sessions := make([]*Session, numSigners)
+	for i, signerKey := range signerKeys {
+		signCtx, err := NewContext(
+			signerKey, false, WithKnownSigners(signSet),
+		)
+		if err != nil {
+			t.Fatalf("unable to generate context: %v", err)
+		}
+
+		session, err := signCtx.NewSession()
+		if err != nil {
+			t.Fatalf("unable to generate new session: %v", err)
+		}
+		sessions[i] = session
+	}
+
+	// Phase 1: Coordinator collects all public nonces.
+	pubNonces := make([][PubNonceSize]byte, numSigners)
+	for i, session := range sessions {
+		pubNonces[i] = session.PublicNonce()
+	}
+
+	// Phase 2: Coordinator aggregates nonces.
+	combinedNonce, err := AggregateNonces(pubNonces)
+	if err != nil {
+		t.Fatalf("unable to aggregate nonces: %v", err)
+	}
+
+	// Phase 3: Coordinator distributes combined nonce to all participants.
+	// Participants sign using the external combined nonce.
+	msg := sha256.Sum256([]byte("coordinator-based signing"))
+
+	partialSigs := make([]*PartialSignature, numSigners)
+	for i, session := range sessions {
+		// Participants use WithExternalCombinedNonce instead of
+		// RegisterPubNonce.
+		sig, err := session.Sign(msg, WithExternalCombinedNonce(combinedNonce))
+		if err != nil {
+			t.Fatalf("signer %d unable to sign: %v", i, err)
+		}
+		partialSigs[i] = sig
+	}
+
+	// Phase 4: Combine all partial signatures (can be done by any party).
+	finalSig := CombineSigs(partialSigs[0].R, partialSigs)
+
+	// Verify the final signature.
+	combinedKey, _, _, err := AggregateKeys(signSet, false)
+	if err != nil {
+		t.Fatalf("unable to aggregate keys: %v", err)
+	}
+
+	if !finalSig.Verify(msg[:], combinedKey.FinalKey) {
+		t.Fatalf("final signature is invalid")
+	}
+}
diff --git a/btcec/schnorr/musig2/sign.go b/btcec/schnorr/musig2/sign.go
@@ -134,6 +134,10 @@ type signOptions struct {
 	// 86 style, where we don't expect an actual tweak and instead just
 	// commit to the public key itself.
 	bip86Tweak bool
+
+	// externalCombinedNonce allows a caller to provide a pre-aggregated
+	// combined nonce.
+	externalCombinedNonce *[PubNonceSize]byte
 }
 
 // defaultSignOptions returns the default set of signing operations.
@@ -195,6 +199,17 @@ func WithBip86SignTweak() SignOption {
 	}
 }
 
+// WithExternalCombinedNonce allows a caller to specify a pre-aggregated
+// combined nonce for signing. This is useful in coordinator-based signing
+// protocols where a coordinator collects all individual public nonces,
+// aggregates them, and then distributes the combined nonce to all participants.
+func WithExternalCombinedNonce(combinedNonce [PubNonceSize]byte) SignOption {
+	return func(o *signOptions) {
+		nonceCopy := combinedNonce
+		o.externalCombinedNonce = &nonceCopy
+	}
+}
+
 // computeSigningNonce calculates the final nonce used for signing. This will
 // be the R value used in the final signature.
 func computeSigningNonce(combinedNonce [PubNonceSize]byte,
