musig2: add Session.RegisterCombinedNonce

This commit adds a new function to musig2.Session, which allows the caller
to add an external aggregated nonce to the session.

Author: sputn1ck

btcec/schnorr/musig2/context.go

@@ -548,6 +548,32 @@ func (s *Session) RegisterPubNonce(nonce [PubNonceSize]byte) (bool, error) {
 	return haveAllNonces, nil
 }
 
+// RegisterCombinedNonce allows a caller to directly register a combined nonce
+// that was generated externally. This is useful in coordinator-based
+// protocols where the coordinator aggregates all nonces and distributes the
+// combined nonce to participants, rather than each participant aggregating
+// nonces themselves.
+func (s *Session) RegisterCombinedNonce(
+	combinedNonce [PubNonceSize]byte) error {
+
+	// If we already have a combined nonce, then this method was called too
+	// many times.
+	if s.combinedNonce != nil {
+		return ErrAlredyHaveAllNonces
+	}
+
+	// We also don't allow this method to be called if we already registered
+	// some public nonces.
+	if len(s.pubNonces) != 1 {
+		return fmt.Errorf("cannot register combined nonce after " +
+			"registering public nonces")
+	}
+
+	// Otherwise, we'll just set the combined nonce directly.
+	s.combinedNonce = &combinedNonce
+	return nil
+}
+
 // Sign generates a partial signature for the target message, using the target
 // context. If this method is called more than once per context, then an error
 // is returned, as that means a nonce was re-used.

btcec/schnorr/musig2/musig2_test.go

@@ -439,3 +439,83 @@ func (mr *memsetRandReader) Read(buf []byte) (n int, err error) {
 	}
 	return len(buf), nil
 }
+
+// TestSigningWithAggregatedNonce tests the aggregated nonce signing flow where
+// a coordinator aggregates nonces and distributes the combined nonce to
+// participants, rather than each participant aggregating nonces themselves.
+func TestSigningWithAggregatedNonce(t *testing.T) {
+	const numSigners = 5
+
+	// Generate signers.
+	signerKeys := make([]*btcec.PrivateKey, numSigners)
+	signSet := make([]*btcec.PublicKey, numSigners)
+	for i := 0; i < numSigners; i++ {
+		privKey, err := btcec.NewPrivateKey()
+		if err != nil {
+			t.Fatalf("unable to gen priv key: %v", err)
+		}
+		signerKeys[i] = privKey
+		signSet[i] = privKey.PubKey()
+	}
+
+	// Each signer creates a context and session.
+	sessions := make([]*Session, numSigners)
+	for i, signerKey := range signerKeys {
+		signCtx, err := NewContext(
+			signerKey, false, WithKnownSigners(signSet),
+		)
+		if err != nil {
+			t.Fatalf("unable to generate context: %v", err)
+		}
+
+		session, err := signCtx.NewSession()
+		if err != nil {
+			t.Fatalf("unable to generate new session: %v", err)
+		}
+		sessions[i] = session
+	}
+
+	// Phase 1: Coordinator collects all public nonces.
+	pubNonces := make([][PubNonceSize]byte, numSigners)
+	for i, session := range sessions {
+		pubNonces[i] = session.PublicNonce()
+	}
+
+	// Phase 2: Coordinator aggregates nonces.
+	combinedNonce, err := AggregateNonces(pubNonces)
+	if err != nil {
+		t.Fatalf("unable to aggregate nonces: %v", err)
+	}
+
+	// Phase 3: Coordinator distributes combined nonce to all participants.
+	// Participants sign using the external combined nonce.
+	msg := sha256.Sum256([]byte("coordinator-based signing"))
+
+	partialSigs := make([]*PartialSignature, numSigners)
+	for i, session := range sessions {
+		// Participants first register the combined nonce.
+		err = session.RegisterCombinedNonce(combinedNonce)
+		if err != nil {
+			t.Fatalf("signer %d unable to register combined nonce: %v",
+				i, err)
+		}
+		sig, err := session.Sign(msg)
+		if err != nil {
+			t.Fatalf("signer %d unable to sign: %v", i, err)
+		}
+		partialSigs[i] = sig
+	}
+
+	// Phase 4: Combine all partial signatures (can be done by any party).
+	finalSig := CombineSigs(partialSigs[0].R, partialSigs)
+
+	// Verify the final signature.
+	combinedKey, _, _, err := AggregateKeys(signSet, false)
+	if err != nil {
+		t.Fatalf("unable to aggregate keys: %v", err)
+	}
+
+	if !finalSig.Verify(msg[:], combinedKey.FinalKey) {
+		t.Fatalf("final signature is invalid")
+	}
+}