Claude also caught a hard-to-catch bug in the #1777 port: `secp256k1_ecdsa_adaptor_encrypt` falls back to a static-context wrapper for nonce generation instead of dispatching to the `_impl` function with the actual context. This way a custom SHA256 compression function set on the context is silently ignored for adaptor signature nonce generation. We discussed it internally, and the fix will be included in this PR.
After the investigation, it turned out that the fix is more involved than expected. The nonce generation for the dleq proof inside `secp256k1_dleq_prove` also goes through the same static context wrapper, so both call sites need to be addressed.
Our fix plan is to restructure where the nonce is computed: moving it out of `dleq_impl.h` into `main_impl.h` and passing a pre-computed scalar to `secp256k1_dleq_prove`. This is required since we decided to apply the approach used for schnorrsig from #1777. The idea is to modify the internal `nonce_function_ecdsa_adaptor_impl` function to take a hash context and call it if `noncefp` is NULL, keeping the public API wrapper unchanged and uncalled. The complication is that `dleq_impl.h` is included at the top of `main_impl.h`, so `nonce_function_ecdsa_adaptor_impl` isn't defined yet when `dleq_impl.h` is processed. That's why we decided to move nonce computation to `main_impl.h`. If you have any other thoughts on this, please share.
Originally posted by @mllwchrry in #357 (comment)
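The dispatch bug described in the comment above, reduced to a stand-alone C model so the failure mode and a regression check for it can be seen in isolation. This is an added example, not code from libsecp256k1-zkp or from the PR: every type and function in it (`toy_context`, `toy_hash`, `nonce_function_impl`, `adaptor_encrypt_buggy`, `adaptor_encrypt_fixed`) is a hypothetical stand-in, and the "compression function" is a trivial mixing step rather than SHA256. The point it shows is the one the comment makes: when the public entry point routes nonce generation through a wrapper bound to a static default context, a compression hook installed on the caller's context is never invoked, and no error is raised. The fix is to dispatch to the `_impl` variant with the caller's context. The check at the end is the regression test a maintainer would want for both call sites: install a counting hook and assert it is actually called.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a hash compression hook; NOT SHA256. */
typedef void (*hash_compress_fn)(uint32_t state[8], const unsigned char block[64]);

/* Hypothetical stand-in for the library context carrying that hook. */
typedef struct {
    hash_compress_fn compress;
} toy_context;

/* Default mixing step (FNV-style), standing in for the built-in SHA256 compression. */
static void default_compress(uint32_t state[8], const unsigned char block[64]) {
    size_t i;
    for (i = 0; i < 64; i++) {
        uint32_t *s = &state[i % 8];
        *s = (*s ^ block[i]) * 0x01000193u;
        *s ^= *s >> 13;
    }
}

/* The static default context that the public wrapper is bound to. */
static toy_context toy_context_static = { default_compress };

/* Hash a message with whatever compression hook the given context holds. */
static void toy_hash(toy_context *ctx, const unsigned char *msg, size_t len, unsigned char out32[32]) {
    uint32_t state[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    unsigned char block[64];
    size_t i, off = 0;
    while (off < len) {
        size_t n = (len - off < 64) ? len - off : 64;
        memset(block, 0, sizeof block);           /* zero-pad the final block */
        memcpy(block, msg + off, n);
        ctx->compress(state, block);
        off += n;
    }
    for (i = 0; i < 8; i++) {
        out32[4 * i + 0] = (unsigned char)(state[i] & 0xff);
        out32[4 * i + 1] = (unsigned char)((state[i] >> 8) & 0xff);
        out32[4 * i + 2] = (unsigned char)((state[i] >> 16) & 0xff);
        out32[4 * i + 3] = (unsigned char)((state[i] >> 24) & 0xff);
    }
}

/* Internal nonce function: takes the context explicitly (the "_impl" variant). */
static int nonce_function_impl(toy_context *ctx, unsigned char nonce32[32],
                               const unsigned char msg32[32], const unsigned char key32[32]) {
    unsigned char buf[64];
    memcpy(buf, key32, 32);
    memcpy(buf + 32, msg32, 32);
    toy_hash(ctx, buf, sizeof buf, nonce32);
    return 1;
}

/* Public default nonce function: has no context parameter, so it uses the static one. */
static int nonce_function_default(unsigned char nonce32[32],
                                  const unsigned char msg32[32], const unsigned char key32[32]) {
    return nonce_function_impl(&toy_context_static, nonce32, msg32, key32);
}

/* BUGGY: the caller's ctx is accepted and then ignored for nonce generation. */
static int adaptor_encrypt_buggy(toy_context *ctx, unsigned char nonce32[32],
                                 const unsigned char msg32[32], const unsigned char key32[32]) {
    (void)ctx;
    return nonce_function_default(nonce32, msg32, key32);
}

/* FIXED: dispatch to the _impl variant with the actual context. */
static int adaptor_encrypt_fixed(toy_context *ctx, unsigned char nonce32[32],
                                 const unsigned char msg32[32], const unsigned char key32[32]) {
    return nonce_function_impl(ctx, nonce32, msg32, key32);
}

/* Regression check: a custom hook that counts its invocations. */
static unsigned long custom_calls;
static void counting_compress(uint32_t state[8], const unsigned char block[64]) {
    custom_calls++;
    default_compress(state, block);
}

typedef int (*encrypt_fn)(toy_context *, unsigned char *, const unsigned char *, const unsigned char *);

/* Returns 1 if the custom hook on a caller-supplied context was actually used. */
int custom_hook_honoured(encrypt_fn encrypt) {
    toy_context ctx = { counting_compress };
    unsigned char msg[32], key[32], nonce[32];   /* constructed sample inputs */
    memset(msg, 0x11, sizeof msg);
    memset(key, 0x22, sizeof key);
    custom_calls = 0;
    encrypt(&ctx, nonce, msg, key);
    return custom_calls > 0;
}

int main(void) {
    printf("buggy honours custom hook: %d\n", custom_hook_honoured(adaptor_encrypt_buggy));
    printf("fixed honours custom hook: %d\n", custom_hook_honoured(adaptor_encrypt_fixed));
    return 0;
}
```

The same check applies unchanged to the second call site the comment identifies (the dleq proof nonce): whichever function ends up computing that nonce after the restructuring, a test that installs a counting hook on the context and asserts it fires is what catches a silent fall-back to the static wrapper.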