Clarification Request: Is Schnorr output-on-error behavior intentional #94
Description
Requesting maintainer clarification for:
src/cbmpc/protocol/schnorr_2p.cpp(schnorr2p::sign_batch)src/cbmpc/protocol/schnorr_mp.cpp(schnorrmp::sign_batch)
Observed behavior
In both paths, sigs[...] is populated before final signature verification.
If verification fails, the function returns an error while caller-visible sigs[...] remains populated.
Clarification requested
Is this by design?
Specifically, on error should:
- outputs be considered undefined/tainted and discarded by callers, or
- the API be fail-closed (all-or-nothing outputs)?
Why this question is important
- I could not find explicit API contract text in the Schnorr headers (
schnorr_2p.h,schnorr_mp.h) stating that outputs may remain populated on error. - I also could not find explicit Schnorr documentation language stating this is intentional behavior.
- In contrast,
docs/secure-usage.pdfexplicitly documents caveats around ECDSAsign_with_global_abortand special error handling, which suggests this project does document non-standard error semantics when intended.
Because of that asymmetry, it is unclear whether Schnorr output-on-error is intentional API behavior or an unintended edge case.
Suggested direction (if not intentional)
Use all-or-nothing outputs:
- build signatures in temporary local buffers
- verify all signatures
- only then move/copy into caller-owned
sigs - on failure, return error without exposing newly-constructed signature bytes in
sigs
If behavior is intentional, please document the contract explicitly for callers.
I can share detailed repros privately if useful.