Bitcoin Core 31.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Distributed under the MIT software license, see the accompanying *
3 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
4 ***********************************************************************/
5
6#ifndef SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
7#define SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
8
9#include <stdlib.h>
10#include <string.h>
11
12#include "../../../include/secp256k1.h"
13#include "../../../include/secp256k1_extrakeys.h"
14#include "../../../include/secp256k1_musig.h"
15
16#include "session.h"
17#include "keyagg.h"
18#include "../../scalar.h"
19#include "../../field.h"
20#include "../../group.h"
21#include "../../hash.h"
22#include "../../util.h"
23#include "../../unit_test.h"
24
25#include "vectors.h"
26
27static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) {
28 int ret;
29 secp256k1_keypair keypair_tmp;
30 ret = secp256k1_keypair_create(CTX, &keypair_tmp, sk);
31 ret &= secp256k1_keypair_pub(CTX, pk, &keypair_tmp);
32 if (keypair != NULL) {
33 *keypair = keypair_tmp;
34 }
35 return ret;
36}
37
38/* Just a simple (non-tweaked) 2-of-2 MuSig aggregate, sign, verify
39 * test. */
40static void musig_simple_test_internal(void) {
41 unsigned char sk[2][32];
42 secp256k1_keypair keypair[2];
43 secp256k1_musig_pubnonce pubnonce[2];
44 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
45 secp256k1_musig_aggnonce aggnonce;
46 unsigned char msg[32];
47 secp256k1_xonly_pubkey agg_pk;
48 secp256k1_musig_keyagg_cache keyagg_cache;
49 unsigned char session_secrand[2][32];
50 secp256k1_musig_secnonce secnonce[2];
51 secp256k1_pubkey pk[2];
52 const secp256k1_pubkey *pk_ptr[2];
53 secp256k1_musig_partial_sig partial_sig[2];
54 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
55 unsigned char final_sig[64];
56 secp256k1_musig_session session;
57 int i;
58
59 testrand256(msg);
60 for (i = 0; i < 2; i++) {
61 testrand256(sk[i]);
62 pk_ptr[i] = &pk[i];
63 pubnonce_ptr[i] = &pubnonce[i];
64 partial_sig_ptr[i] = &partial_sig[i];
65
66 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
67 if (i == 0) {
68 testrand256(session_secrand[i]);
69 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[i], &pubnonce[i], session_secrand[i], sk[i], &pk[i], NULL, NULL, NULL) == 1);
70 } else {
71 uint64_t nonrepeating_cnt = 0;
72 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[i], &pubnonce[i], nonrepeating_cnt, &keypair[i], NULL, NULL, NULL) == 1);
73 }
74 }
75
76 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
77 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
78 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
79
80 for (i = 0; i < 2; i++) {
81 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[i], &secnonce[i], &keypair[i], &keyagg_cache, &session) == 1);
82 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[i], &pubnonce[i], &pk[i], &keyagg_cache, &session) == 1);
83 }
84
85 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
86 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), &agg_pk) == 1);
87}
88
89/* Generate two pubnonces such that both group elements of their sum (calculated
90 * with secp256k1_musig_sum_pubnonces) are infinity. */
91static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce) {
92 secp256k1_ge ge[2];
93 int i;
94 secp256k1_gej summed_pubnonces[2];
95 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
96
97 testutil_random_ge_test(&ge[0]);
98 testutil_random_ge_test(&ge[1]);
99
100 for (i = 0; i < 2; i++) {
101 secp256k1_musig_pubnonce_save(&pubnonce[i], ge);
102 pubnonce_ptr[i] = &pubnonce[i];
103 secp256k1_ge_neg(&ge[0], &ge[0]);
104 secp256k1_ge_neg(&ge[1], &ge[1]);
105 }
106
107 secp256k1_musig_sum_pubnonces(CTX, summed_pubnonces, pubnonce_ptr, 2);
108 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[0]));
109 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[1]));
110}
111
112int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len) {
113 int ret;
114 size_t i;
115 ret = secp256k1_memcmp_var(value, expected, len);
116 for (i = 0; i < len; i++) {
117 value[i] = testrand_bits(8);
118 }
119 return ret;
120}
121
122static void musig_api_tests(void) {
123 secp256k1_musig_partial_sig partial_sig[2];
124 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
125 secp256k1_musig_partial_sig invalid_partial_sig;
126 const secp256k1_musig_partial_sig *invalid_partial_sig_ptr[2];
127 unsigned char pre_sig[64];
128 unsigned char buf[32];
129 unsigned char sk[2][32];
130 secp256k1_keypair keypair[2];
131 secp256k1_keypair invalid_keypair;
132 unsigned char max64[64];
133 unsigned char zeros132[132] = { 0 };
134 unsigned char session_secrand[2][32];
135 unsigned char nonrepeating_cnt = 0;
136 secp256k1_musig_secnonce secnonce[2];
137 secp256k1_musig_secnonce secnonce_tmp;
138 secp256k1_musig_secnonce invalid_secnonce;
139 secp256k1_musig_pubnonce pubnonce[2];
140 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
141 unsigned char pubnonce_ser[66];
142 secp256k1_musig_pubnonce inf_pubnonce[2];
143 const secp256k1_musig_pubnonce *inf_pubnonce_ptr[2];
144 secp256k1_musig_pubnonce invalid_pubnonce;
145 const secp256k1_musig_pubnonce *invalid_pubnonce_ptr[1];
146 secp256k1_musig_aggnonce aggnonce;
147 unsigned char aggnonce_ser[66];
148 unsigned char msg[32];
149 secp256k1_xonly_pubkey agg_pk;
150 secp256k1_pubkey full_agg_pk;
151 secp256k1_musig_keyagg_cache keyagg_cache;
152 secp256k1_musig_keyagg_cache invalid_keyagg_cache;
153 secp256k1_musig_session session;
154 secp256k1_musig_session invalid_session;
155 secp256k1_pubkey pk[2];
156 const secp256k1_pubkey *pk_ptr[2];
157 secp256k1_pubkey invalid_pk;
158 const secp256k1_pubkey *invalid_pk_ptr2[2];
159 const secp256k1_pubkey *invalid_pk_ptr3[3];
160 unsigned char tweak[32];
161 int i;
162
164 memset(max64, 0xff, sizeof(max64));
165 memset(&invalid_keypair, 0, sizeof(invalid_keypair));
166 memset(&invalid_pk, 0, sizeof(invalid_pk));
167 memset(&invalid_secnonce, 0, sizeof(invalid_secnonce));
168 memset(&invalid_partial_sig, 0, sizeof(invalid_partial_sig));
169 pubnonce_summing_to_inf(inf_pubnonce);
170 /* Simulate structs being uninitialized by setting it to 0s. We don't want
171 * to produce undefined behavior by actually providing uninitialized
172 * structs. */
173 memset(&invalid_keyagg_cache, 0, sizeof(invalid_keyagg_cache));
174 memset(&invalid_pk, 0, sizeof(invalid_pk));
175 memset(&invalid_pubnonce, 0, sizeof(invalid_pubnonce));
176 memset(&invalid_session, 0, sizeof(invalid_session));
177
178 testrand256(msg);
179 testrand256(tweak);
180 for (i = 0; i < 2; i++) {
181 pk_ptr[i] = &pk[i];
182 invalid_pk_ptr2[i] = &invalid_pk;
183 invalid_pk_ptr3[i] = &pk[i];
184 pubnonce_ptr[i] = &pubnonce[i];
185 inf_pubnonce_ptr[i] = &inf_pubnonce[i];
186 partial_sig_ptr[i] = &partial_sig[i];
187 invalid_partial_sig_ptr[i] = &partial_sig[i];
188 testrand256(session_secrand[i]);
189 testrand256(sk[i]);
190 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
191 }
192 invalid_pubnonce_ptr[0] = &invalid_pubnonce;
193 invalid_partial_sig_ptr[0] = &invalid_partial_sig;
194 /* invalid_pk_ptr3 has two valid, one invalid pk, which is important to test
195 * musig_pubkey_agg */
196 invalid_pk_ptr3[2] = &invalid_pk;
197
201 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
202 CHECK(secp256k1_musig_pubkey_agg(CTX, NULL, &keyagg_cache, pk_ptr, 2) == 1);
203 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2) == 1);
204 /* check that NULL in array of public key pointers is not allowed */
205 for (i = 0; i < 2; i++) {
206 const secp256k1_pubkey *original_ptr = pk_ptr[i];
207 pk_ptr[i] = NULL;
208 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2));
209 pk_ptr[i] = original_ptr;
210 }
211 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 2));
212 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
213 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr2, 2));
214 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
215 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr3, 3));
216 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
217 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 0));
218 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
219 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 0));
220 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
221
222 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
223
224 /* pubkey_get */
225 CHECK(secp256k1_musig_pubkey_get(CTX, &full_agg_pk, &keyagg_cache) == 1);
226 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, NULL, &keyagg_cache));
227 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, &full_agg_pk, NULL));
228 CHECK(secp256k1_memcmp_var(&full_agg_pk, zeros132, sizeof(full_agg_pk)) == 0);
229
231 {
232 int (*tweak_func[2]) (const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32);
233 tweak_func[0] = secp256k1_musig_pubkey_ec_tweak_add;
234 tweak_func[1] = secp256k1_musig_pubkey_xonly_tweak_add;
235 for (i = 0; i < 2; i++) {
236 secp256k1_pubkey tmp_output_pk;
237 secp256k1_musig_keyagg_cache tmp_keyagg_cache = keyagg_cache;
238 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, tweak) == 1);
239 /* Reset keyagg_cache */
240 tmp_keyagg_cache = keyagg_cache;
241 CHECK((*tweak_func[i])(CTX, NULL, &tmp_keyagg_cache, tweak) == 1);
242 tmp_keyagg_cache = keyagg_cache;
243 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, NULL, tweak));
244 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
245 tmp_keyagg_cache = keyagg_cache;
246 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, NULL));
247 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
248 tmp_keyagg_cache = keyagg_cache;
249 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, max64) == 0);
250 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
251 tmp_keyagg_cache = keyagg_cache;
252 /* Uninitialized keyagg_cache */
253 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &invalid_keyagg_cache, tweak));
254 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
255 }
256 }
257
259 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
260 /* nonce_gen, if successful, sets session_secrand to the zero array, which
261 * makes subsequent nonce_gen calls with the same session_secrand fail. So
262 * check that session_secrand is indeed the zero array and fill it with
263 * random values again. */
264 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
265
266 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen(STATIC_CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
267 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
268
269 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, NULL, &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
270
271 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], NULL, session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
272 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
273
274 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64));
275 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
276
277 /* session_secrand = 0 is disallowed because it indicates a faulty RNG */
278 memcpy(&session_secrand[0], zeros132, sizeof(session_secrand[0]));
279 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], zeros132, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
280 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
281 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
282
283 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1);
284 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
285
286 /* invalid seckey */
287 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0);
288 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
289
290 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], NULL, msg, &keyagg_cache, max64));
291 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
292
293 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64));
294 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
295
296 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1);
297 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
298
299 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, NULL, max64) == 1);
300 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
301
302 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64));
303 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
304
305 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1);
306 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
307
308 /* Every in-argument except session_secrand and pubkey can be NULL */
309 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], NULL, NULL, NULL) == 1);
310 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk[1], &pk[1], NULL, NULL, NULL) == 1);
311
313 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64) == 1);
314 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen_counter(STATIC_CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
315 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
316 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, NULL, &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
317 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], NULL, nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
318 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
319 /* using nonce_gen_counter requires keypair */
320 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, NULL, msg, &keyagg_cache, max64));
321 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
322 /* invalid keypair */
323 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &invalid_keypair, msg, &keyagg_cache, max64));
324 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
325 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, &keyagg_cache, max64) == 1);
326 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, NULL, max64) == 1);
327 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &invalid_keyagg_cache, max64));
328 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
329 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt,&keypair[0], msg, &keyagg_cache, NULL) == 1);
330
331 /* Every in-argument except nonrepeating_cnt and keypair can be NULL */
332 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, NULL, NULL) == 1);
333 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[1], &pubnonce[1], nonrepeating_cnt, &keypair[1], NULL, NULL, NULL) == 1);
334
335
337 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, NULL, &pubnonce[0]));
338 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, NULL));
339 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
340 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &invalid_pubnonce));
341 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
342 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
343
344 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
345 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, NULL, pubnonce_ser));
346 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], NULL));
347 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], zeros132) == 0);
348 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
349
350 {
351 /* Check that serialize and parse results in the same value */
352 secp256k1_musig_pubnonce tmp;
353 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
354 CHECK(secp256k1_musig_pubnonce_parse(CTX, &tmp, pubnonce_ser) == 1);
355 CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
356 }
357
359 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
360 /* check that NULL in array of public nonce pointers is not allowed */
361 for (i = 0; i < 2; i++) {
362 const secp256k1_musig_pubnonce *original_ptr = pubnonce_ptr[i];
363 pubnonce_ptr[i] = NULL;
364 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
365 pubnonce_ptr[i] = original_ptr;
366 }
367 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, NULL, pubnonce_ptr, 2));
368 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, NULL, 2));
369 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 0));
370 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, invalid_pubnonce_ptr, 1));
371 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, inf_pubnonce_ptr, 2) == 1);
372 {
373 /* Check that the aggnonce encodes two points at infinity */
374 secp256k1_ge aggnonce_pt[2];
375 secp256k1_musig_aggnonce_load(CTX, aggnonce_pt, &aggnonce);
376 for (i = 0; i < 2; i++) {
377 secp256k1_ge_is_infinity(&aggnonce_pt[i]);
378 }
379 }
380 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
381
383 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
384 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, NULL, &aggnonce));
385 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, NULL));
386 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
387 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, (secp256k1_musig_aggnonce*) &invalid_pubnonce));
388 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
389 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
390
391 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
392 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, NULL, aggnonce_ser));
393 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, &aggnonce, NULL));
394 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, zeros132) == 1);
395 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
396
397 {
398 /* Check that serialize and parse results in the same value */
399 secp256k1_musig_aggnonce tmp;
400 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
401 CHECK(secp256k1_musig_aggnonce_parse(CTX, &tmp, aggnonce_ser) == 1);
402 CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0);
403 }
404
406 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
407 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, NULL, &aggnonce, msg, &keyagg_cache));
408 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, NULL, msg, &keyagg_cache));
409 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, (secp256k1_musig_aggnonce*) &invalid_pubnonce, msg, &keyagg_cache));
410 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, NULL, &keyagg_cache));
411 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, NULL));
412 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &invalid_keyagg_cache));
413
414 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
415
416 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
417 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1);
418 /* The secnonce is set to 0 and subsequent signing attempts fail */
419 CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros132, sizeof(secnonce_tmp)) == 0);
420 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
421 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
422 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, NULL, &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
423 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
424 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], NULL, &keypair[0], &keyagg_cache, &session));
425 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &invalid_secnonce, &keypair[0], &keyagg_cache, &session));
426 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, NULL, &keyagg_cache, &session));
427 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
428 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &invalid_keypair, &keyagg_cache, &session));
429 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
430 {
431 unsigned char sk_tmp[32];
432 secp256k1_keypair keypair_tmp;
433 testrand256(sk_tmp);
434 CHECK(secp256k1_keypair_create(CTX, &keypair_tmp, sk_tmp));
435 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair_tmp, &keyagg_cache, &session));
436 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
437 }
438 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], NULL, &session));
439 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
440 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &invalid_keyagg_cache, &session));
441 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
442 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, NULL));
443 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
444 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &invalid_session));
445 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
446
447 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], &keyagg_cache, &session) == 1);
448 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], &keyagg_cache, &session) == 1);
449
450 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
451 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, NULL, &partial_sig[0]));
452 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, NULL));
453 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, &invalid_partial_sig));
454 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], buf) == 1);
455 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, NULL, buf));
456 {
457 /* Check that parsing failure results in an invalid sig */
458 secp256k1_musig_partial_sig tmp;
459 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, max64) == 0);
460 CHECK(secp256k1_memcmp_var(&tmp, zeros132, sizeof(partial_sig[0])) == 0);
461 }
462 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], NULL));
463
464 {
465 /* Check that serialize and parse results in the same value */
466 secp256k1_musig_partial_sig tmp;
467 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
468 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, buf) == 1);
469 CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
470 }
471
473 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
474 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 0);
475 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, NULL, &pubnonce[0], &pk[0], &keyagg_cache, &session));
476 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &invalid_partial_sig, &pubnonce[0], &pk[0], &keyagg_cache, &session));
477 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], NULL, &pk[0], &keyagg_cache, &session));
478 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &invalid_pubnonce, &pk[0], &keyagg_cache, &session));
479 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], NULL, &keyagg_cache, &session));
480 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &invalid_pk, &keyagg_cache, &session));
481 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], NULL, &session));
482 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &invalid_keyagg_cache, &session));
483 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, NULL));
484 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &invalid_session));
485
486 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
487 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], &keyagg_cache, &session) == 1);
488
490 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
491 /* check that NULL in array of partial signature pointers is not allowed */
492 for (i = 0; i < 2; i++) {
493 const secp256k1_musig_partial_sig *original_ptr = partial_sig_ptr[i];
494 partial_sig_ptr[i] = NULL;
495 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2));
496 partial_sig_ptr[i] = original_ptr;
497 }
498 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, NULL, &session, partial_sig_ptr, 2));
499 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, NULL, partial_sig_ptr, 2));
500 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &invalid_session, partial_sig_ptr, 2));
501 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, NULL, 2));
502 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, invalid_partial_sig_ptr, 2));
503 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 0));
504 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 1) == 1);
505 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
506}
507
508static void musig_nonce_bitflip(const secp256k1_hash_ctx *hash_ctx, unsigned char **args, size_t n_flip, size_t n_bytes) {
509 secp256k1_scalar k1[2], k2[2];
510
511 secp256k1_nonce_function_musig(hash_ctx, k1, args[0], args[1], args[2], args[3], args[4], args[5]);
512 testrand_flip(args[n_flip], n_bytes);
513 secp256k1_nonce_function_musig(hash_ctx, k2, args[0], args[1], args[2], args[3], args[4], args[5]);
514 CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0);
515 CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0);
516}
517
518static void musig_nonce_test(void) {
519 unsigned char *args[6];
520 unsigned char session_secrand[32];
521 unsigned char sk[32];
522 unsigned char pk[33];
523 unsigned char msg[32];
524 unsigned char agg_pk[32];
525 unsigned char extra_input[32];
526 int i, j;
527 secp256k1_scalar k[6][2];
528
529 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
530 testrand_bytes_test(session_secrand, sizeof(session_secrand));
531 testrand_bytes_test(sk, sizeof(sk));
532 testrand_bytes_test(pk, sizeof(pk));
533 testrand_bytes_test(msg, sizeof(msg));
534 testrand_bytes_test(agg_pk, sizeof(agg_pk));
535 testrand_bytes_test(extra_input, sizeof(extra_input));
536
537 /* Check that a bitflip in an argument results in different nonces. */
538 args[0] = session_secrand;
539 args[1] = msg;
540 args[2] = sk;
541 args[3] = pk;
542 args[4] = agg_pk;
543 args[5] = extra_input;
544 for (i = 0; i < COUNT; i++) {
545 musig_nonce_bitflip(hash_ctx, args, 0, sizeof(session_secrand));
546 musig_nonce_bitflip(hash_ctx, args, 1, sizeof(msg));
547 musig_nonce_bitflip(hash_ctx, args, 2, sizeof(sk));
548 musig_nonce_bitflip(hash_ctx, args, 3, sizeof(pk));
549 musig_nonce_bitflip(hash_ctx, args, 4, sizeof(agg_pk));
550 musig_nonce_bitflip(hash_ctx, args, 5, sizeof(extra_input));
551 }
552 /* Check that if any argument is NULL, a different nonce is produced than if
553 * any other argument is NULL. */
554 memcpy(msg, session_secrand, sizeof(msg));
555 memcpy(sk, session_secrand, sizeof(sk));
556 memcpy(pk, session_secrand, sizeof(session_secrand));
557 memcpy(agg_pk, session_secrand, sizeof(agg_pk));
558 memcpy(extra_input, session_secrand, sizeof(extra_input));
559 secp256k1_nonce_function_musig(hash_ctx, k[0], args[0], args[1], args[2], args[3], args[4], args[5]);
560 secp256k1_nonce_function_musig(hash_ctx, k[1], args[0], NULL, args[2], args[3], args[4], args[5]);
561 secp256k1_nonce_function_musig(hash_ctx, k[2], args[0], args[1], NULL, args[3], args[4], args[5]);
562 secp256k1_nonce_function_musig(hash_ctx, k[3], args[0], args[1], args[2], NULL, args[4], args[5]);
563 secp256k1_nonce_function_musig(hash_ctx, k[4], args[0], args[1], args[2], args[3], NULL, args[5]);
564 secp256k1_nonce_function_musig(hash_ctx, k[5], args[0], args[1], args[2], args[3], args[4], NULL);
565 for (i = 0; i < 6; i++) {
566 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1]));
567 for (j = i+1; j < 6; j++) {
568 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0]));
569 CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1]));
570 }
571 }
572}
573
574/* Checks that the initialized tagged hashes have the expected
575 * state. */
576static void sha256_tag_test(void) {
577 secp256k1_sha256 sha;
578 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
579 {
580 /* "KeyAgg list" */
581 static const unsigned char tag[] = {'K', 'e', 'y', 'A', 'g', 'g', ' ', 'l', 'i', 's', 't'};
582 secp256k1_musig_keyagglist_sha256(&sha);
583 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag));
584 }
585 {
586 /* "KeyAgg coefficient" */
587 static const unsigned char tag[] = {'K', 'e', 'y', 'A', 'g', 'g', ' ', 'c', 'o', 'e', 'f', 'f', 'i', 'c', 'i', 'e', 'n', 't'};
588 secp256k1_musig_keyaggcoef_sha256(&sha);
589 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag));
590 }
591 {
592 /* "MuSig/aux" */
593 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'a', 'u', 'x' };
594 secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
595 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag));
596 }
597 {
598 /* "MuSig/nonce" */
599 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'n', 'o', 'n', 'c', 'e' };
600 secp256k1_nonce_function_musig_sha256_tagged(&sha);
601 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag));
602 }
603 {
604 /* "MuSig/noncecoef" */
605 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'n', 'o', 'n', 'c', 'e', 'c', 'o', 'e', 'f' };
606 secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
607 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag));
608 }
609}
610
611/* Attempts to create a signature for the aggregate public key using given secret
612 * keys and keyagg_cache. */
613static void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache) {
614 secp256k1_pubkey pk[2];
615 unsigned char session_secrand[2][32];
616 unsigned char msg[32];
617 secp256k1_musig_secnonce secnonce[2];
618 secp256k1_musig_pubnonce pubnonce[2];
619 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
620 secp256k1_musig_aggnonce aggnonce;
621 secp256k1_keypair keypair[2];
622 secp256k1_musig_session session;
623 secp256k1_musig_partial_sig partial_sig[2];
624 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
625 unsigned char final_sig[64];
626 int i;
627
628 for (i = 0; i < 2; i++) {
629 pubnonce_ptr[i] = &pubnonce[i];
630 partial_sig_ptr[i] = &partial_sig[i];
631
632 testrand256(session_secrand[i]);
633 }
634 CHECK(create_keypair_and_pk(&keypair[0], &pk[0], sk0) == 1);
635 CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1);
636 testrand256(msg);
637
638 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk0, &pk[0], NULL, NULL, NULL) == 1);
639 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk1, &pk[1], NULL, NULL, NULL) == 1);
640
641 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
642 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, keyagg_cache) == 1);
643
644 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], keyagg_cache, &session) == 1);
645 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], keyagg_cache, &session) == 1);
646
647 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], keyagg_cache, &session) == 1);
648 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], keyagg_cache, &session) == 1);
649
650 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
651 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), agg_pk) == 1);
652}
653
654/* Create aggregate public key P[0], tweak multiple times (using xonly and
655 * plain tweaking) and test signing. */
656static void musig_tweak_test_internal(void) {
657 unsigned char sk[2][32];
658 secp256k1_pubkey pk[2];
659 const secp256k1_pubkey *pk_ptr[2];
660 secp256k1_musig_keyagg_cache keyagg_cache;
661 enum { N_TWEAKS = 8 };
662 secp256k1_pubkey P[N_TWEAKS + 1];
663 secp256k1_xonly_pubkey P_xonly[N_TWEAKS + 1];
664 int i;
665
666 /* Key Setup */
667 for (i = 0; i < 2; i++) {
668 pk_ptr[i] = &pk[i];
669 testrand256(sk[i]);
670 CHECK(create_keypair_and_pk(NULL, &pk[i], sk[i]) == 1);
671 }
672 /* Compute P0 = keyagg(pk0, pk1) and test signing for it */
673 CHECK(secp256k1_musig_pubkey_agg(CTX, &P_xonly[0], &keyagg_cache, pk_ptr, 2) == 1);
674 musig_tweak_test_helper(&P_xonly[0], sk[0], sk[1], &keyagg_cache);
675 CHECK(secp256k1_musig_pubkey_get(CTX, &P[0], &keyagg_cache));
676
677 /* Compute Pi = f(Pj) + tweaki*G where where j = i-1 and try signing for
678 * that key. If xonly is set to true, the function f normalizes the input
679 * point to have an even X-coordinate ("xonly-tweaking").
680 * Otherwise, the function f is the identity function. */
681 for (i = 1; i <= N_TWEAKS; i++) {
682 unsigned char tweak[32];
683 int P_parity;
684 int xonly = testrand_bits(1);
685
686 testrand256(tweak);
687 if (xonly) {
688 CHECK(secp256k1_musig_pubkey_xonly_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
689 } else {
690 CHECK(secp256k1_musig_pubkey_ec_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
691 }
692 CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &P_xonly[i], &P_parity, &P[i]));
693 /* Check that musig_pubkey_tweak_add produces same result as
694 * xonly_pubkey_tweak_add or ec_pubkey_tweak_add. */
695 if (xonly) {
696 unsigned char P_serialized[32];
697 CHECK(secp256k1_xonly_pubkey_serialize(CTX, P_serialized, &P_xonly[i]));
698 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, P_serialized, P_parity, &P_xonly[i-1], tweak) == 1);
699 } else {
700 secp256k1_pubkey tmp_key = P[i-1];
701 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &tmp_key, tweak));
702 CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
703 }
704 /* Test signing for P[i] */
705 musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache);
706 }
707}
708
709int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error,
710 secp256k1_musig_keyagg_cache *keyagg_cache,
711 unsigned char *agg_pk_ser,
712 const unsigned char pubkeys33[][33],
713 const unsigned char tweaks32[][32],
714 size_t key_indices_len,
715 const size_t *key_indices,
716 size_t tweak_indices_len,
717 const size_t *tweak_indices,
718 const int *is_xonly) {
719 secp256k1_pubkey pubkeys[MUSIG_VECTORS_MAX_PUBKEYS];
720 const secp256k1_pubkey *pk_ptr[MUSIG_VECTORS_MAX_PUBKEYS];
721 int i;
722 secp256k1_pubkey agg_pk;
723 secp256k1_xonly_pubkey agg_pk_xonly;
724
725 for (i = 0; i < (int)key_indices_len; i++) {
726 if (!secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pubkeys33[key_indices[i]], 33)) {
727 *error = MUSIG_PUBKEY;
728 return 0;
729 }
730 pk_ptr[i] = &pubkeys[i];
731 }
732 if (!secp256k1_musig_pubkey_agg(CTX, NULL, keyagg_cache, pk_ptr, key_indices_len)) {
733 *error = MUSIG_OTHER;
734 return 0;
735 }
736
737 for (i = 0; i < (int)tweak_indices_len; i++) {
738 if (is_xonly[i]) {
739 if (!secp256k1_musig_pubkey_xonly_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
740 *error = MUSIG_TWEAK;
741 return 0;
742 }
743 } else {
744 if (!secp256k1_musig_pubkey_ec_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
745 *error = MUSIG_TWEAK;
746 return 0;
747 }
748 }
749 }
750 if (!secp256k1_musig_pubkey_get(CTX, &agg_pk, keyagg_cache)) {
751 *error = MUSIG_OTHER;
752 return 0;
753 }
754
755 if (!secp256k1_xonly_pubkey_from_pubkey(CTX, &agg_pk_xonly, NULL, &agg_pk)) {
756 *error = MUSIG_OTHER;
757 return 0;
758 }
759
760 if (agg_pk_ser != NULL) {
761 if (!secp256k1_xonly_pubkey_serialize(CTX, agg_pk_ser, &agg_pk_xonly)) {
762 *error = MUSIG_OTHER;
763 return 0;
764 }
765 }
766
767 return 1;
768}
769
770static void musig_test_vectors_keyagg(void) {
771 size_t i;
772 const struct musig_key_agg_vector *vector = &musig_key_agg_vector;
773
774 for (i = 0; i < ARRAY_SIZE(vector->valid_case); i++) {
775 const struct musig_key_agg_valid_test_case *c = &vector->valid_case[i];
776 enum MUSIG_ERROR error;
777 secp256k1_musig_keyagg_cache keyagg_cache;
778 unsigned char agg_pk[32];
779
780 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, 0, NULL, NULL));
781 CHECK(secp256k1_memcmp_var(agg_pk, c->expected, sizeof(agg_pk)) == 0);
782 }
783
784 for (i = 0; i < ARRAY_SIZE(vector->error_case); i++) {
785 const struct musig_key_agg_error_test_case *c = &vector->error_case[i];
786 enum MUSIG_ERROR error;
787 secp256k1_musig_keyagg_cache keyagg_cache;
788
789 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
790 CHECK(c->error == error);
791 }
792}
793
794static void musig_test_vectors_noncegen(void) {
795 size_t i;
796 const struct musig_nonce_gen_vector *vector = &musig_nonce_gen_vector;
797
798 for (i = 0; i < ARRAY_SIZE(vector->test_case); i++) {
799 const struct musig_nonce_gen_test_case *c = &vector->test_case[i];
800 secp256k1_musig_keyagg_cache keyagg_cache;
801 secp256k1_musig_keyagg_cache *keyagg_cache_ptr = NULL;
802 unsigned char session_secrand32[32];
803 secp256k1_musig_secnonce secnonce;
804 secp256k1_musig_pubnonce pubnonce;
805 const unsigned char *sk = NULL;
806 const unsigned char *msg = NULL;
807 const unsigned char *extra_in = NULL;
808 secp256k1_pubkey pk;
809 unsigned char pubnonce66[66];
810
811 memcpy(session_secrand32, c->rand_, 32);
812 if (c->has_sk) {
813 sk = c->sk;
814 }
815 if (c->has_aggpk) {
816 /* Create keyagg_cache from aggpk */
817 secp256k1_keyagg_cache_internal cache_i;
818 secp256k1_xonly_pubkey aggpk;
819 memset(&cache_i, 0, sizeof(cache_i));
820 CHECK(secp256k1_xonly_pubkey_parse(CTX, &aggpk, c->aggpk));
821 CHECK(secp256k1_xonly_pubkey_load(CTX, &cache_i.pk, &aggpk));
822 secp256k1_keyagg_cache_save(&keyagg_cache, &cache_i);
823 keyagg_cache_ptr = &keyagg_cache;
824 }
825 if (c->has_msg) {
826 msg = c->msg;
827 }
828 if (c->has_extra_in) {
829 extra_in = c->extra_in;
830 }
831
832 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk, c->pk, sizeof(c->pk)));
833 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce, &pubnonce, session_secrand32, sk, &pk, msg, keyagg_cache_ptr, extra_in) == 1);
834 CHECK(secp256k1_memcmp_var(&secnonce.data[4], c->expected_secnonce, 2*32) == 0);
835 /* The last element of the secnonce is the public key (uncompressed in
836 * secp256k1_musig_secnonce, compressed in the test vector secnonce). */
837 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
838 CHECK(secp256k1_memcmp_var(&c->expected_secnonce[2*32], c->pk, sizeof(c->pk)) == 0);
839
840 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
841 CHECK(sizeof(c->expected_pubnonce) == sizeof(pubnonce66));
842 CHECK(secp256k1_memcmp_var(pubnonce66, c->expected_pubnonce, sizeof(pubnonce66)) == 0);
843 }
844}
845
846
847static void musig_test_vectors_nonceagg(void) {
848 size_t i;
849 int j;
850 const struct musig_nonce_agg_vector *vector = &musig_nonce_agg_vector;
851
852 for (i = 0; i < ARRAY_SIZE(vector->valid_case); i++) {
853 const struct musig_nonce_agg_test_case *c = &vector->valid_case[i];
854 secp256k1_musig_pubnonce pubnonce[2];
855 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
856 secp256k1_musig_aggnonce aggnonce;
857 unsigned char aggnonce66[66];
858
859 for (j = 0; j < 2; j++) {
860 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]) == 1);
861 pubnonce_ptr[j] = &pubnonce[j];
862 }
863 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
864 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce66, &aggnonce));
865 CHECK(secp256k1_memcmp_var(aggnonce66, c->expected, 33) == 0);
866 }
867 for (i = 0; i < ARRAY_SIZE(vector->error_case); i++) {
868 const struct musig_nonce_agg_test_case *c = &vector->error_case[i];
869 secp256k1_musig_pubnonce pubnonce[2];
870 for (j = 0; j < 2; j++) {
871 int expected = c->invalid_nonce_idx != j;
872 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]));
873 }
874 }
875}
876
877static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey) {
878 secp256k1_ge pk;
879 secp256k1_scalar k[2];
880
881 secp256k1_scalar_set_b32(&k[0], &secnonce64[0], NULL);
882 secp256k1_scalar_set_b32(&k[1], &secnonce64[32], NULL);
883 CHECK(secp256k1_pubkey_load(CTX, &pk, pubkey));
884 secp256k1_musig_secnonce_save(secnonce, k, &pk);
885}
886
887static void musig_test_vectors_signverify(void) {
888 size_t i;
889 const struct musig_sign_verify_vector *vector = &musig_sign_verify_vector;
890
891 for (i = 0; i < ARRAY_SIZE(vector->valid_case); i++) {
892 const struct musig_valid_case *c = &vector->valid_case[i];
893 enum MUSIG_ERROR error;
894 secp256k1_musig_keyagg_cache keyagg_cache;
895 secp256k1_pubkey pubkey;
896 secp256k1_musig_pubnonce pubnonce;
897 secp256k1_musig_aggnonce aggnonce;
898 secp256k1_musig_session session;
899 secp256k1_musig_partial_sig partial_sig;
900 secp256k1_musig_secnonce secnonce;
901 secp256k1_keypair keypair;
902 unsigned char partial_sig32[32];
903
904 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
905 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
906
907 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
908 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
909
910 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
911 musig_test_set_secnonce(&secnonce, vector->secnonces[0], &pubkey);
912 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
913 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
914 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
915
916 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[0]));
917 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
918 }
919 for (i = 0; i < ARRAY_SIZE(vector->sign_error_case); i++) {
920 const struct musig_sign_error_case *c = &vector->sign_error_case[i];
921 enum MUSIG_ERROR error;
922 secp256k1_musig_keyagg_cache keyagg_cache;
923 secp256k1_pubkey pubkey;
924 secp256k1_musig_aggnonce aggnonce;
925 secp256k1_musig_session session;
926 secp256k1_musig_partial_sig partial_sig;
927 secp256k1_musig_secnonce secnonce;
928 secp256k1_keypair keypair;
929 int expected;
930
931 if (i == 0) {
932 /* Skip this vector since the implementation does not error out when
933 * the signing key does not belong to any pubkey. */
934 continue;
935 }
936
937 expected = c->error != MUSIG_PUBKEY;
938 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
939 CHECK(expected || c->error == error);
940 if (!expected) {
941 continue;
942 }
943 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
944 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
945
946 expected = c->error != MUSIG_AGGNONCE;
947 CHECK(expected == secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
948 if (!expected) {
949 continue;
950 }
951 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
952
953 expected = c->error != MUSIG_SECNONCE;
954 CHECK(!expected);
955 musig_test_set_secnonce(&secnonce, vector->secnonces[c->secnonce_index], &pubkey);
956 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
957 }
958 for (i = 0; i < ARRAY_SIZE(vector->verify_fail_case); i++) {
959 const struct musig_verify_fail_error_case *c = &vector->verify_fail_case[i];
960 enum MUSIG_ERROR error;
961 secp256k1_musig_keyagg_cache keyagg_cache;
962 secp256k1_musig_aggnonce aggnonce;
963 secp256k1_musig_session session;
964 secp256k1_musig_partial_sig partial_sig;
965 enum { NUM_PUBNONCES = 3 };
966 secp256k1_musig_pubnonce pubnonce[NUM_PUBNONCES];
967 const secp256k1_musig_pubnonce *pubnonce_ptr[NUM_PUBNONCES];
968 secp256k1_pubkey pubkey;
969 int expected;
970 size_t j;
971
972 CHECK(NUM_PUBNONCES <= c->nonce_indices_len);
973 for (j = 0; j < c->nonce_indices_len; j++) {
974 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pubnonces[c->nonce_indices[j]]));
975 pubnonce_ptr[j] = &pubnonce[j];
976 }
977
978 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
979 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, c->nonce_indices_len) == 1);
980 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
981
982 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[c->signer_index], sizeof(vector->pubkeys[0])));
983
984 expected = c->error != MUSIG_SIG;
985 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig, c->sig));
986 if (!expected) {
987 continue;
988 }
989 expected = c->error != MUSIG_SIG_VERIFY;
990 CHECK(expected == secp256k1_musig_partial_sig_verify(CTX, &partial_sig, pubnonce, &pubkey, &keyagg_cache, &session));
991 }
992 for (i = 0; i < ARRAY_SIZE(vector->verify_error_case); i++) {
993 const struct musig_verify_fail_error_case *c = &vector->verify_error_case[i];
994 enum MUSIG_ERROR error;
995 secp256k1_musig_keyagg_cache keyagg_cache;
996 secp256k1_musig_pubnonce pubnonce;
997 int expected;
998
999 expected = c->error != MUSIG_PUBKEY;
1000 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
1001 CHECK(expected || c->error == error);
1002 if (!expected) {
1003 continue;
1004 }
1005 expected = c->error != MUSIG_PUBNONCE;
1006 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1007 }
1008}
1009
1010static void musig_test_vectors_tweak(void) {
1011 size_t i;
1012 const struct musig_tweak_vector *vector = &musig_tweak_vector;
1013 secp256k1_pubkey pubkey;
1014 secp256k1_musig_aggnonce aggnonce;
1015 secp256k1_musig_secnonce secnonce;
1016
1017 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonce));
1018 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
1019
1020 for (i = 0; i < ARRAY_SIZE(vector->valid_case); i++) {
1021 const struct musig_tweak_case *c = &vector->valid_case[i];
1022 enum MUSIG_ERROR error;
1023 secp256k1_musig_keyagg_cache keyagg_cache;
1024 secp256k1_musig_pubnonce pubnonce;
1025 secp256k1_musig_session session;
1026 secp256k1_musig_partial_sig partial_sig;
1027 secp256k1_keypair keypair;
1028 unsigned char partial_sig32[32];
1029
1030 musig_test_set_secnonce(&secnonce, vector->secnonce, &pubkey);
1031
1032 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
1033 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1034
1035 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1036
1037 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
1038 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
1039 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
1040
1041 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1042 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
1043 }
1044 for (i = 0; i < ARRAY_SIZE(vector->error_case); i++) {
1045 const struct musig_tweak_case *c = &vector->error_case[i];
1046 enum MUSIG_ERROR error;
1047 secp256k1_musig_keyagg_cache keyagg_cache;
1048 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1049 CHECK(error == MUSIG_TWEAK);
1050 }
1051}
1052
1053static void musig_test_vectors_sigagg(void) {
1054 size_t i, j;
1055 const struct musig_sig_agg_vector *vector = &musig_sig_agg_vector;
1056
1057 for (i = 0; i < ARRAY_SIZE(vector->valid_case); i++) {
1058 const struct musig_sig_agg_case *c = &vector->valid_case[i];
1059 enum MUSIG_ERROR error;
1060 unsigned char final_sig[64];
1061 secp256k1_musig_keyagg_cache keyagg_cache;
1062 unsigned char agg_pk32[32];
1063 secp256k1_xonly_pubkey agg_pk;
1064 secp256k1_musig_aggnonce aggnonce;
1065 secp256k1_musig_session session;
1066 secp256k1_musig_partial_sig partial_sig[ARRAY_SIZE(vector->psigs)];
1067 const secp256k1_musig_partial_sig *partial_sig_ptr[ARRAY_SIZE(vector->psigs)];
1068
1069 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk32, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1070 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, c->aggnonce));
1071 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1072 for (j = 0; j < c->psig_indices_len; j++) {
1073 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1074 partial_sig_ptr[j] = &partial_sig[j];
1075 }
1076
1077 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, c->psig_indices_len) == 1);
1078 CHECK(secp256k1_memcmp_var(final_sig, c->expected, sizeof(final_sig)) == 0);
1079
1080 CHECK(secp256k1_xonly_pubkey_parse(CTX, &agg_pk, agg_pk32));
1081 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, vector->msg, sizeof(vector->msg), &agg_pk) == 1);
1082 }
1083 for (i = 0; i < ARRAY_SIZE(vector->error_case); i++) {
1084 const struct musig_sig_agg_case *c = &vector->error_case[i];
1085 secp256k1_musig_partial_sig partial_sig[ARRAY_SIZE(vector->psigs)];
1086 for (j = 0; j < c->psig_indices_len; j++) {
1087 int expected = c->invalid_sig_idx != (int)j;
1088 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1089 }
1090 }
1091}
1092
1093/* Since the BIP doesn't provide static test vectors for nonce_gen_counter, we
1094 * define a static test here */
1095static void musig_test_static_nonce_gen_counter(void) {
1096 secp256k1_musig_secnonce secnonce;
1097 secp256k1_musig_pubnonce pubnonce;
1098 unsigned char pubnonce66[66];
1099 secp256k1_pubkey pk;
1100 secp256k1_keypair keypair;
1101 uint64_t nonrepeating_cnt = 0;
1102 unsigned char sk[32] = {
1103 0xEE, 0xC1, 0xCB, 0x7D, 0x1B, 0x72, 0x54, 0xC5,
1104 0xCA, 0xB0, 0xD9, 0xC6, 0x1A, 0xB0, 0x2E, 0x64,
1105 0x3D, 0x46, 0x4A, 0x59, 0xFE, 0x6C, 0x96, 0xA7,
1106 0xEF, 0xE8, 0x71, 0xF0, 0x7C, 0x5A, 0xEF, 0x54,
1107 };
1108 unsigned char expected_secnonce[64] = {
1109 0x84, 0x2F, 0x13, 0x80, 0xCD, 0x17, 0xA1, 0x98,
1110 0xFC, 0x3D, 0xAD, 0x3B, 0x7D, 0xA7, 0x49, 0x29,
1111 0x41, 0xF4, 0x69, 0x76, 0xF2, 0x70, 0x2F, 0xF7,
1112 0xC6, 0x6F, 0x24, 0xF4, 0x72, 0x03, 0x6A, 0xF1,
1113 0xDA, 0x3F, 0x95, 0x2D, 0xDE, 0x4A, 0x2D, 0xA6,
1114 0xB6, 0x32, 0x57, 0x07, 0xCE, 0x87, 0xA4, 0xE3,
1115 0x61, 0x6D, 0x06, 0xFC, 0x5F, 0x81, 0xA9, 0xC9,
1116 0x93, 0x86, 0xD2, 0x0A, 0x99, 0xCE, 0xCF, 0x99,
1117 };
1118 unsigned char expected_pubnonce[66] = {
1119 0x03, 0xA5, 0xB9, 0xB6, 0x90, 0x79, 0x42, 0xEA,
1120 0xCD, 0xDA, 0x49, 0xA3, 0x66, 0x01, 0x6E, 0xC2,
1121 0xE6, 0x24, 0x04, 0xA1, 0xBF, 0x4A, 0xB6, 0xD4,
1122 0xDB, 0x82, 0x06, 0x7B, 0xC3, 0xAD, 0xF0, 0x86,
1123 0xD7, 0x03, 0x32, 0x05, 0xDB, 0x9E, 0xB3, 0x4D,
1124 0x5C, 0x7C, 0xE0, 0x28, 0x48, 0xCA, 0xC6, 0x8A,
1125 0x83, 0xED, 0x73, 0xE3, 0x88, 0x34, 0x77, 0xF5,
1126 0x63, 0xF2, 0x3C, 0xE9, 0xA1, 0x1A, 0x77, 0x21,
1127 0xEC, 0x64,
1128 };
1129
1130 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
1131 CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair));
1132 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce, &pubnonce, nonrepeating_cnt, &keypair, NULL, NULL, NULL) == 1);
1133
1134 CHECK(secp256k1_memcmp_var(&secnonce.data[4], expected_secnonce, 2*32) == 0);
1135 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
1136
1137 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
1138 CHECK(secp256k1_memcmp_var(pubnonce66, expected_pubnonce, sizeof(pubnonce66)) == 0);
1139}
1140
1141/* --- Test registry --- */
1142REPEAT_TEST(musig_simple_test)
1143/* Run multiple times to ensure that pk and nonce have different y parities */
1144REPEAT_TEST(musig_tweak_test)
1145
1146static const struct tf_test_entry tests_musig[] = {
1147 CASE1(musig_simple_test),
1148 CASE1(musig_api_tests),
1149 CASE1(musig_nonce_test),
1150 CASE1(musig_tweak_test),
1151 CASE1(sha256_tag_test),
1152 CASE1(musig_test_vectors_keyagg),
1153 CASE1(musig_test_vectors_noncegen),
1154 CASE1(musig_test_vectors_nonceagg),
1155 CASE1(musig_test_vectors_signverify),
1156 CASE1(musig_test_vectors_tweak),
1157 CASE1(musig_test_vectors_sigagg),
1158 CASE1(musig_test_static_nonce_gen_counter),
1159};
1160
1161#endif
ret
int ret
Definition: bitcoin-cli.cpp:1402
args
ArgsManager & args
Definition: bitcoind.cpp:278
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:14
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_musig_keyaggcoef_sha256
static void secp256k1_musig_keyaggcoef_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:93
secp256k1_musig_keyagglist_sha256
static void secp256k1_musig_keyagglist_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:64
secp256k1_keyagg_cache_save
static void secp256k1_keyagg_cache_save(secp256k1_musig_keyagg_cache *cache, const secp256k1_keyagg_cache_internal *cache_i)
Definition: keyagg_impl.h:31
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tests_musig
static const struct tf_test_entry tests_musig[]
Definition: tests_impl.h:1146
musig_test_vectors_keyagg
static void musig_test_vectors_keyagg(void)
Definition: tests_impl.h:770
musig_nonce_test
static void musig_nonce_test(void)
Definition: tests_impl.h:518
musig_vectors_keyagg_and_tweak
int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error, secp256k1_musig_keyagg_cache *keyagg_cache, unsigned char *agg_pk_ser, const unsigned char pubkeys33[][33], const unsigned char tweaks32[][32], size_t key_indices_len, const size_t *key_indices, size_t tweak_indices_len, const size_t *tweak_indices, const int *is_xonly)
Definition: tests_impl.h:709
musig_test_set_secnonce
static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey)
Definition: tests_impl.h:877
sha256_tag_test
static void sha256_tag_test(void)
Definition: tests_impl.h:576
create_keypair_and_pk
static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk)
Definition: tests_impl.h:27
musig_api_tests
static void musig_api_tests(void)
Definition: tests_impl.h:122
musig_test_vectors_sigagg
static void musig_test_vectors_sigagg(void)
Definition: tests_impl.h:1053
musig_test_vectors_signverify
static void musig_test_vectors_signverify(void)
Definition: tests_impl.h:887
pubnonce_summing_to_inf
static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce)
Definition: tests_impl.h:91
musig_test_static_nonce_gen_counter
static void musig_test_static_nonce_gen_counter(void)
Definition: tests_impl.h:1095
memcmp_and_randomize
int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len)
Definition: tests_impl.h:112
musig_test_vectors_nonceagg
static void musig_test_vectors_nonceagg(void)
Definition: tests_impl.h:847
musig_tweak_test_internal
static void musig_tweak_test_internal(void)
Definition: tests_impl.h:656
musig_nonce_bitflip
static void musig_nonce_bitflip(const secp256k1_hash_ctx *hash_ctx, unsigned char **args, size_t n_flip, size_t n_bytes)
Definition: tests_impl.h:508
musig_tweak_test_helper
static void musig_tweak_test_helper(const secp256k1_xonly_pubkey *agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache)
Definition: tests_impl.h:613
musig_test_vectors_noncegen
static void musig_test_vectors_noncegen(void)
Definition: tests_impl.h:794
musig_simple_test_internal
static void musig_simple_test_internal(void)
Definition: tests_impl.h:40
musig_test_vectors_tweak
static void musig_test_vectors_tweak(void)
Definition: tests_impl.h:1010
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:271
ARRAY_SIZE
#define ARRAY_SIZE(arr)
Definition: util.h:184
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:259
secp256k1_get_hash_context
static SECP256K1_INLINE const secp256k1_hash_ctx * secp256k1_get_hash_context(const secp256k1_context *ctx)
Definition: secp256k1.c:238
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:269
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:722
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_keypair_pub
SECP256K1_API int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the public key from a keypair.
Definition: main_impl.h:224
secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:267
secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:271
secp256k1_musig_aggnonce_serialize
SECP256K1_API int secp256k1_musig_aggnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_aggnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an aggregate public nonce.
Definition: session_impl.h:244
secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:262
secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer's public nonce.
Definition: session_impl.h:188
secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:512
secp256k1_musig_partial_sign
SECP256K1_API int secp256k1_musig_partial_sign(const secp256k1_context *ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Produces a partial signature.
Definition: session_impl.h:634
secp256k1_musig_aggnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(const secp256k1_context *ctx, secp256k1_musig_aggnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an aggregate public nonce.
Definition: session_impl.h:227
secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:217
secp256k1_musig_nonce_gen
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6)
Starts a signing session by generating a nonce.
Definition: session_impl.h:437
secp256k1_musig_partial_sig_serialize
SECP256K1_API int secp256k1_musig_partial_sig_serialize(const secp256k1_context *ctx, unsigned char *out32, const secp256k1_musig_partial_sig *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a MuSig partial signature.
Definition: session_impl.h:281
secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer's partial signature.
Definition: session_impl.h:704
secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:767
secp256k1_musig_nonce_gen_counter
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Alternative way to generate a nonce and start a signing session.
Definition: session_impl.h:465
secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:156
secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:588
secp256k1_musig_pubnonce_serialize
SECP256K1_API int secp256k1_musig_pubnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_pubnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a signer's public nonce.
Definition: session_impl.h:208
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:215
secp256k1_musig_secnonce_save
static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk)
Definition: session_impl.h:50
secp256k1_musig_sum_pubnonces
static int secp256k1_musig_sum_pubnonces(const secp256k1_context *ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces)
Definition: session_impl.h:493
secp256k1_musig_compute_noncehash_sha256_tagged
static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:535
secp256k1_nonce_function_musig_sha256_tagged_aux
static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: session_impl.h:311
secp256k1_nonce_function_musig_sha256_tagged
static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:321
secp256k1_musig_aggnonce_load
static int secp256k1_musig_aggnonce_load(const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_aggnonce *nonce)
Definition: session_impl.h:118
secp256k1_nonce_function_musig
static void secp256k1_nonce_function_musig(const secp256k1_hash_ctx *hash_ctx, secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32)
Definition: session_impl.h:329
secp256k1_musig_pubnonce_save
static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce *nonce, const secp256k1_ge *ges)
Definition: session_impl.h:88
musig_key_agg_error_test_case
Definition: vectors.h:24
musig_key_agg_error_test_case::is_xonly
int is_xonly[1]
Definition: vectors.h:29
musig_key_agg_error_test_case::error
enum MUSIG_ERROR error
Definition: vectors.h:30
musig_key_agg_error_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:25
musig_key_agg_error_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:26
musig_key_agg_error_test_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:27
musig_key_agg_error_test_case::tweak_indices
size_t tweak_indices[1]
Definition: vectors.h:28
musig_key_agg_valid_test_case
Definition: vectors.h:18
musig_key_agg_valid_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:19
musig_key_agg_valid_test_case::expected
unsigned char expected[32]
Definition: vectors.h:21
musig_key_agg_valid_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:20
musig_key_agg_vector
Definition: vectors.h:33
musig_key_agg_vector::error_case
struct musig_key_agg_error_test_case error_case[5]
Definition: vectors.h:37
musig_key_agg_vector::pubkeys
unsigned char pubkeys[7][33]
Definition: vectors.h:34
musig_key_agg_vector::valid_case
struct musig_key_agg_valid_test_case valid_case[4]
Definition: vectors.h:36
musig_key_agg_vector::tweaks
unsigned char tweaks[2][32]
Definition: vectors.h:35
musig_nonce_agg_test_case
Definition: vectors.h:95
musig_nonce_agg_test_case::expected
unsigned char expected[66]
Definition: vectors.h:98
musig_nonce_agg_test_case::invalid_nonce_idx
int invalid_nonce_idx
Definition: vectors.h:100
musig_nonce_agg_test_case::pnonce_indices
size_t pnonce_indices[2]
Definition: vectors.h:96
musig_nonce_agg_vector
Definition: vectors.h:103
musig_nonce_agg_vector::pnonces
unsigned char pnonces[7][66]
Definition: vectors.h:104
musig_nonce_agg_vector::error_case
struct musig_nonce_agg_test_case error_case[3]
Definition: vectors.h:106
musig_nonce_agg_vector::valid_case
struct musig_nonce_agg_test_case valid_case[2]
Definition: vectors.h:105
musig_nonce_gen_test_case
Definition: vectors.h:69
musig_nonce_gen_test_case::has_msg
int has_msg
Definition: vectors.h:76
musig_nonce_gen_test_case::extra_in
unsigned char extra_in[32]
Definition: vectors.h:79
musig_nonce_gen_test_case::rand_
unsigned char rand_[32]
Definition: vectors.h:70
musig_nonce_gen_test_case::expected_pubnonce
unsigned char expected_pubnonce[66]
Definition: vectors.h:81
musig_nonce_gen_test_case::sk
unsigned char sk[32]
Definition: vectors.h:72
musig_nonce_gen_test_case::has_sk
int has_sk
Definition: vectors.h:71
musig_nonce_gen_test_case::msg
unsigned char msg[32]
Definition: vectors.h:77
musig_nonce_gen_test_case::has_aggpk
int has_aggpk
Definition: vectors.h:74
musig_nonce_gen_test_case::has_extra_in
int has_extra_in
Definition: vectors.h:78
musig_nonce_gen_test_case::expected_secnonce
unsigned char expected_secnonce[97]
Definition: vectors.h:80
musig_nonce_gen_test_case::pk
unsigned char pk[33]
Definition: vectors.h:73
musig_nonce_gen_test_case::aggpk
unsigned char aggpk[32]
Definition: vectors.h:75
musig_nonce_gen_vector
Definition: vectors.h:84
musig_nonce_gen_vector::test_case
struct musig_nonce_gen_test_case test_case[2]
Definition: vectors.h:85
musig_sig_agg_case
Definition: vectors.h:288
musig_sig_agg_case::is_xonly
int is_xonly[3]
Definition: vectors.h:293
musig_sig_agg_case::tweak_indices
size_t tweak_indices[3]
Definition: vectors.h:292
musig_sig_agg_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:289
musig_sig_agg_case::psig_indices_len
size_t psig_indices_len
Definition: vectors.h:295
musig_sig_agg_case::invalid_sig_idx
int invalid_sig_idx
Definition: vectors.h:300
musig_sig_agg_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:291
musig_sig_agg_case::expected
unsigned char expected[64]
Definition: vectors.h:298
musig_sig_agg_case::psig_indices
size_t psig_indices[2]
Definition: vectors.h:296
musig_sig_agg_case::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:294
musig_sig_agg_case::key_indices
size_t key_indices[2]
Definition: vectors.h:290
musig_sig_agg_vector
Definition: vectors.h:303
musig_sig_agg_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:304
musig_sig_agg_vector::msg
unsigned char msg[32]
Definition: vectors.h:307
musig_sig_agg_vector::tweaks
unsigned char tweaks[3][32]
Definition: vectors.h:305
musig_sig_agg_vector::psigs
unsigned char psigs[9][32]
Definition: vectors.h:306
musig_sig_agg_vector::error_case
struct musig_sig_agg_case error_case[1]
Definition: vectors.h:309
musig_sig_agg_vector::valid_case
struct musig_sig_agg_case valid_case[4]
Definition: vectors.h:308
musig_sign_error_case
Definition: vectors.h:141
musig_sign_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:147
musig_sign_error_case::secnonce_index
size_t secnonce_index
Definition: vectors.h:146
musig_sign_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:142
musig_sign_error_case::msg_index
size_t msg_index
Definition: vectors.h:145
musig_sign_error_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:144
musig_sign_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:143
musig_sign_verify_vector
Definition: vectors.h:161
musig_sign_verify_vector::verify_fail_case
struct musig_verify_fail_error_case verify_fail_case[3]
Definition: vectors.h:170
musig_sign_verify_vector::sign_error_case
struct musig_sign_error_case sign_error_case[6]
Definition: vectors.h:169
musig_sign_verify_vector::verify_error_case
struct musig_verify_fail_error_case verify_error_case[2]
Definition: vectors.h:171
musig_sign_verify_vector::sk
unsigned char sk[32]
Definition: vectors.h:162
musig_sign_verify_vector::msgs
unsigned char msgs[1][32]
Definition: vectors.h:167
musig_sign_verify_vector::aggnonces
unsigned char aggnonces[5][66]
Definition: vectors.h:166
musig_sign_verify_vector::secnonces
unsigned char secnonces[2][194]
Definition: vectors.h:164
musig_sign_verify_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:163
musig_sign_verify_vector::pubnonces
unsigned char pubnonces[5][194]
Definition: vectors.h:165
musig_sign_verify_vector::valid_case
struct musig_valid_case valid_case[4]
Definition: vectors.h:168
musig_tweak_case
Definition: vectors.h:228
musig_tweak_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:233
musig_tweak_case::key_indices
size_t key_indices[3]
Definition: vectors.h:230
musig_tweak_case::is_xonly
int is_xonly[4]
Definition: vectors.h:235
musig_tweak_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:229
musig_tweak_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:232
musig_tweak_case::expected
unsigned char expected[32]
Definition: vectors.h:237
musig_tweak_case::signer_index
size_t signer_index
Definition: vectors.h:236
musig_tweak_case::tweak_indices
size_t tweak_indices[4]
Definition: vectors.h:234
musig_tweak_vector
Definition: vectors.h:240
musig_tweak_vector::msg
unsigned char msg[32]
Definition: vectors.h:244
musig_tweak_vector::secnonce
unsigned char secnonce[97]
Definition: vectors.h:242
musig_tweak_vector::sk
unsigned char sk[32]
Definition: vectors.h:241
musig_tweak_vector::valid_case
struct musig_tweak_case valid_case[5]
Definition: vectors.h:248
musig_tweak_vector::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:243
musig_tweak_vector::pubnonces
unsigned char pubnonces[3][194]
Definition: vectors.h:246
musig_tweak_vector::pubkeys
unsigned char pubkeys[3][33]
Definition: vectors.h:245
musig_tweak_vector::tweaks
unsigned char tweaks[5][32]
Definition: vectors.h:247
musig_tweak_vector::error_case
struct musig_tweak_case error_case[1]
Definition: vectors.h:249
musig_valid_case
Definition: vectors.h:132
musig_valid_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:133
musig_valid_case::key_indices
size_t key_indices[3]
Definition: vectors.h:134
musig_valid_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:135
musig_valid_case::msg_index
size_t msg_index
Definition: vectors.h:136
musig_valid_case::expected
unsigned char expected[32]
Definition: vectors.h:138
musig_verify_fail_error_case
Definition: vectors.h:150
musig_verify_fail_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:153
musig_verify_fail_error_case::msg_index
size_t msg_index
Definition: vectors.h:156
musig_verify_fail_error_case::signer_index
size_t signer_index
Definition: vectors.h:157
musig_verify_fail_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:158
musig_verify_fail_error_case::sig
unsigned char sig[32]
Definition: vectors.h:151
musig_verify_fail_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:152
musig_verify_fail_error_case::nonce_indices_len
size_t nonce_indices_len
Definition: vectors.h:154
musig_verify_fail_error_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:155
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_hash_ctx
Definition: hash.h:13
secp256k1_keyagg_cache_internal
Definition: keyagg.h:15
secp256k1_keyagg_cache_internal::pk
secp256k1_ge pk
Definition: keyagg.h:16
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77
secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github....
Definition: secp256k1_musig.h:43
secp256k1_musig_partial_sig
Opaque data structure that holds a partial MuSig signature.
Definition: secp256k1_musig.h:96
secp256k1_musig_pubnonce
Opaque data structure that holds a signer's public nonce.
Definition: secp256k1_musig.h:68
secp256k1_musig_secnonce
Opaque data structure that holds a signer's secret nonce.
Definition: secp256k1_musig.h:59
secp256k1_musig_secnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:60
secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:62
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:63
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_sha256
Definition: hash.h:19
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_xonly_pubkey::data
unsigned char data[64]
Definition: secp256k1_extrakeys.h:23
tf_test_entry
Definition: unit_test.h:53
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
test_sha256_tag_midstate
static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:770
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
CTX
static secp256k1_context * CTX
Definition: tests.c:42
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
testutil_random_ge_test
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:99
COUNT
int COUNT
Definition: unit_test.c:23
CASE1
#define CASE1(name)
Definition: unit_test.h:27
REPEAT_TEST
#define REPEAT_TEST(fn)
Definition: unit_test.h:36
musig_sig_agg_vector
static const struct musig_sig_agg_vector musig_sig_agg_vector
Definition: vectors.h:312
musig_tweak_vector
static const struct musig_tweak_vector musig_tweak_vector
Definition: vectors.h:252
musig_nonce_agg_vector
static const struct musig_nonce_agg_vector musig_nonce_agg_vector
Definition: vectors.h:109
MUSIG_ERROR
MUSIG_ERROR
Automatically generated by .
Definition: vectors.h:7
MUSIG_AGGNONCE
@ MUSIG_AGGNONCE
Definition: vectors.h:11
MUSIG_TWEAK
@ MUSIG_TWEAK
Definition: vectors.h:9
MUSIG_SIG_VERIFY
@ MUSIG_SIG_VERIFY
Definition: vectors.h:14
MUSIG_PUBNONCE
@ MUSIG_PUBNONCE
Definition: vectors.h:10
MUSIG_SIG
@ MUSIG_SIG
Definition: vectors.h:13
MUSIG_PUBKEY
@ MUSIG_PUBKEY
Definition: vectors.h:8
MUSIG_OTHER
@ MUSIG_OTHER
Definition: vectors.h:15
MUSIG_SECNONCE
@ MUSIG_SECNONCE
Definition: vectors.h:12
MUSIG_VECTORS_MAX_PUBKEYS
@ MUSIG_VECTORS_MAX_PUBKEYS
Definition: vectors.h:346
musig_key_agg_vector
static const struct musig_key_agg_vector musig_key_agg_vector
Definition: vectors.h:40
musig_nonce_gen_vector
static const struct musig_nonce_gen_vector musig_nonce_gen_vector
Definition: vectors.h:88
musig_sign_verify_vector
static const struct musig_sign_verify_vector musig_sign_verify_vector
Definition: vectors.h:174
Generated on Thu Apr 16 2026 20:00:28 for Bitcoin Core by doxygen 1.9.4