From f4e79bd548b5cac8c3dc2d45462d374444475a78 Mon Sep 17 00:00:00 2001
From: sputn1ck
Date: Wed, 29 Jun 2022 13:16:52 +0200
Subject: [PATCH] btcec/schnorr/musig2: Allow infinity nonces

---
 btcec/schnorr/musig2/nonces.go | 31 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/btcec/schnorr/musig2/nonces.go b/btcec/schnorr/musig2/nonces.go
index 7719c09c43..8980469646 100644
--- a/btcec/schnorr/musig2/nonces.go
+++ b/btcec/schnorr/musig2/nonces.go
@@ -359,23 +359,6 @@ func AggregateNonces(pubNonces [][PubNonceSize]byte) ([PubNonceSize]byte, error)
 )
 }
 
- // Now that we've aggregated all the points, we need to check
- // if this point is the point at infinity, if so, then we'll
- // just return the generator. At a later step, the malicious
- // party will be detected.
- if aggregateNonce == infinityPoint {
- // TODO(roasbeef): better way to get the generator w/
- // the new API? -- via old curve params instead?
- var generator btcec.JacobianPoint
- one := new(btcec.ModNScalar).SetInt(1)
- btcec.ScalarBaseMultNonConst(one, &generator)
-
- generator.ToAffine()
- return btcec.NewPublicKey(
- &generator.X, &generator.Y,
- ), nil
- }
-
 aggregateNonce.ToAffine()
 return btcec.NewPublicKey(
 &aggregateNonce.X, &aggregateNonce.Y,
@@ -392,6 +375,7 @@ func AggregateNonces(pubNonces [][PubNonceSize]byte) ([PubNonceSize]byte, error)
 if err != nil {
 return finalNonce, err
 }
+
 combinedNonce2, err := combineNonces(func(n [PubNonceSize]byte) []byte {
 return n[btcec.PubKeyBytesLenCompressed:]
 })
@@ -399,11 +383,20 @@ func AggregateNonces(pubNonces [][PubNonceSize]byte) ([PubNonceSize]byte, error)
 return finalNonce, err
 }
 
- copy(finalNonce[:], combinedNonce1.SerializeCompressed())
+ copy(finalNonce[:], NoncePubkeyToBytes(combinedNonce1))
 copy(
 finalNonce[btcec.PubKeyBytesLenCompressed:],
- combinedNonce2.SerializeCompressed(),
+ NoncePubkeyToBytes(combinedNonce2),
 )
 
 return finalNonce, nil
 }
+
+// NoncePubkeyToBytes returns the serialize compressed format of the nonce.
+// If the nonce is the infinity point it returns a slice of zeros.
+func NoncePubkeyToBytes(nonce *btcec.PublicKey) []byte {
+ if nonce.X().Int64() == 0 && nonce.Y().Int64() == 0 {
+ return make([]byte, btcec.PubKeyBytesLenCompressed)
+ }
+ return nonce.SerializeCompressed()
+}
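Review bot: The infinity test in `NoncePubkeyToBytes` compares `nonce.X().Int64()` and `nonce.Y().Int64()` with 0, which is not an exact zero check if `X()`/`Y()` return `*big.Int` as the `.Int64()` call suggests: `Int64` is documented as undefined for values that do not fit in an int64, so the branch depends on truncated coordinates rather than the full 256-bit values. Since this branch decides whether an aggregate nonce is encoded as 33 zero bytes, an exact comparison is safer, for example `if nonce.X().Sign() == 0 && nonce.Y().Sign() == 0 {`. The all-zero encoding is not a valid compressed public key, so any code that parses the aggregated nonce back (not visible in this hunk) needs a matching special case, and a test with nonces that sum to infinity would pin both sides. The doc comment could also state that the result is always `btcec.PubKeyBytesLenCompressed` bytes long and that `nonce` must be non-nil, since a nil pointer would panic on `nonce.X()`.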