btcec/schnorr/musig2: Allow infinity nonces

btcec/schnorr/musig2/nonces.go

@@ -359,23 +359,6 @@ func AggregateNonces(pubNonces [][PubNonceSize]byte) ([PubNonceSize]byte, error)
 			)
 		}
 
-		// Now that we've aggregated all the points, we need to check
-		// if this point is the point at infinity, if so, then we'll
-		// just return the generator. At a later step, the malicious
-		// party will be detected.
-		if aggregateNonce == infinityPoint {
-			// TODO(roasbeef): better way to get the generator w/
-			// the new API? -- via old curve params instead?
-			var generator btcec.JacobianPoint
-			one := new(btcec.ModNScalar).SetInt(1)
-			btcec.ScalarBaseMultNonConst(one, &generator)
-
-			generator.ToAffine()
-			return btcec.NewPublicKey(
-				&generator.X, &generator.Y,
-			), nil
-		}
-
 		aggregateNonce.ToAffine()
 		return btcec.NewPublicKey(
 			&aggregateNonce.X, &aggregateNonce.Y,
@@ -392,18 +375,28 @@ func AggregateNonces(pubNonces [][PubNonceSize]byte) ([PubNonceSize]byte, error)
 	if err != nil {
 		return finalNonce, err
 	}
+
 	combinedNonce2, err := combineNonces(func(n [PubNonceSize]byte) []byte {
 		return n[btcec.PubKeyBytesLenCompressed:]
 	})
 	if err != nil {
 		return finalNonce, err
 	}
 
-	copy(finalNonce[:], combinedNonce1.SerializeCompressed())
+	copy(finalNonce[:], NoncePubkeyToBytes(combinedNonce1))
 	copy(
 		finalNonce[btcec.PubKeyBytesLenCompressed:],
-		combinedNonce2.SerializeCompressed(),
+		NoncePubkeyToBytes(combinedNonce2),
 	)
 
 	return finalNonce, nil
 }
+
+// NoncePubkeyToBytes returns the serialize compressed format of the nonce.
+// If the nonce is the infinity point it returns a slice of zeros.
+func NoncePubkeyToBytes(nonce *btcec.PublicKey) []byte {
+	if nonce.X().Int64() == 0 && nonce.Y().Int64() == 0 {
+		return make([]byte, btcec.PubKeyBytesLenCompressed)
+	}
+	return nonce.SerializeCompressed()
+}