musig: Add warning to SecretNonce::dangerous_into_bytes about encoding instability

Ademan · Ademan · commit 8fd68a7a8b4e · 2025-06-19T03:21:27.000-05:00
libsecp256k1 states that the byte format
`SecretNonce::dangerous_into_bytes` returns is not guaranteed to be
stable, and therefore rust-secp256k1 users must be careful to only pass
the result of `dangerous_into_bytes` to a compatible
`dangerous_from_bytes`, according to version and platform. The simplest
and most conservative strategy is to only consider same-versioned and
same-platform bytes as compatible. In practice, the format is unlikely
to change much if at all between most versions, so more permissive
strategies can be employed with research and great care by the user.
diff --git a/src/musig.rs b/src/musig.rs
@@ -653,7 +653,7 @@ impl KeyAggCache {
 /// thing that can or should be done with this nonce is to call [`Session::partial_sign`],
 /// which will take ownership. This is to prevent accidental reuse of the nonce.
 ///
-/// See the warning on [`Self::dangerous_into_bytes`] for more information about
+/// See the warnings on [`Self::dangerous_into_bytes`] for more information about
 /// the risks of non-standard workflows.
 #[allow(missing_copy_implementations)]
 #[derive(Debug)]
@@ -684,13 +684,20 @@ impl SecretNonce {
     ///
     /// See <https://blockstream.com/2019/02/18/musig-a-new-multisignature-standard/>
     /// for more details about these risks.
+    ///
+    /// # Warning:
+    ///
+    /// The underlying library, libsecp256k1, does not guarantee the byte format will be consistent
+    /// across versions or platforms. Special care should be taken to ensure the returned bytes are
+    /// only ever passed to `dangerous_from_bytes` from the same libsecp256k1 version, and the same
+    /// platform.
     pub fn dangerous_into_bytes(self) -> [u8; secp256k1_sys::MUSIG_SECNONCE_SIZE] {
         self.0.dangerous_into_bytes()
     }
 
     /// Function to create a new [`SecretNonce`] from a 32 byte array.
     ///
-    /// Refer to the warning on [`SecretNonce::dangerous_into_bytes`] for more details.
+    /// Refer to the warnings on [`SecretNonce::dangerous_into_bytes`] for more details.
     pub fn dangerous_from_bytes(array: [u8; secp256k1_sys::MUSIG_SECNONCE_SIZE]) -> Self {
         SecretNonce(ffi::MusigSecNonce::dangerous_from_bytes(array))
     }
