Changelog

0.2.0 (2026-04-10)

• Security hardening and API changes:
  • Bind SecNonce values to the originating signer public key and reject nonce/key mismatches during signing
  • Replace panic-based validation in signing, verification, context creation, tweaking, and nonce generation with structured MuSig2Error results
  • Eliminate all remaining error calls from library code (publicNonce, getSigningNonce, isEvenPub)
  • Make SecNonce opaque and require checked construction via mkSecNonce or the nonce generation APIs
  • Remove Eq and Ord instances from SecNonce to discourage storing nonces in collections
  • Move secNonceScalars out of public API into Internal module to prevent leaking secret nonce scalars
  • Strip secret scalar values from MuSig2Error constructors to prevent leaking secrets through error logging
  • Reject out-of-range partial signatures during aggPartials instead of reducing them modulo the curve order
  • Update nonce generation and session construction APIs to return checked Either results
  • Add security considerations documentation (nonce reuse, non-constant-time arithmetic, no zeroization)
  • Refresh tests, benchmarks, and documentation to cover the new checked API and regression cases

0.1.3 (2026-01-04)

• Performance improvements:
  • Cache KeyAggContext in SessionContext to avoid redundant EC operations
  • Replace lazy foldl with strict foldl' to prevent space leaks
  • Add strictness annotations to SessionContext fields
  • Replace O(n) list indexing with O(log n) Seq.lookup in partialSigVerify
  • Optimize integerToBytes32 to eliminate intermediate list allocation
  • Fix NFData instances in benchmarks for accurate measurements

0.1.2 (2025-12-30)

• Fix Hackage build failure by implementing modQ locally to support ppad-secp256k1 0.5.0+.

0.1.1 (2025-12-22)

• Bump ppad-secp256k1 to 0.5.0. More efficient and faster EC operations.

0.1.0 (2025-09-20)

• Initial release, full BIP-0327 support except Deterministic and Stateless Signing for a Single Signer