Bitcoin Core 30.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Distributed under the MIT software license, see the accompanying *
3 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
4 ***********************************************************************/
5
6#ifndef SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
7#define SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
8
9#include <stdlib.h>
10#include <string.h>
11
12#include "../../../include/secp256k1.h"
13#include "../../../include/secp256k1_extrakeys.h"
14#include "../../../include/secp256k1_musig.h"
15
16#include "session.h"
17#include "keyagg.h"
18#include "../../scalar.h"
19#include "../../field.h"
20#include "../../group.h"
21#include "../../hash.h"
22#include "../../util.h"
23#include "../../unit_test.h"
24
25#include "vectors.h"
26
27static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) {
28 int ret;
29 secp256k1_keypair keypair_tmp;
30 ret = secp256k1_keypair_create(CTX, &keypair_tmp, sk);
31 ret &= secp256k1_keypair_pub(CTX, pk, &keypair_tmp);
32 if (keypair != NULL) {
33 *keypair = keypair_tmp;
34 }
35 return ret;
36}
37
38/* Just a simple (non-tweaked) 2-of-2 MuSig aggregate, sign, verify
39 * test. */
40static void musig_simple_test_internal(void) {
41 unsigned char sk[2][32];
42 secp256k1_keypair keypair[2];
43 secp256k1_musig_pubnonce pubnonce[2];
44 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
45 secp256k1_musig_aggnonce aggnonce;
46 unsigned char msg[32];
47 secp256k1_xonly_pubkey agg_pk;
48 secp256k1_musig_keyagg_cache keyagg_cache;
49 unsigned char session_secrand[2][32];
50 secp256k1_musig_secnonce secnonce[2];
51 secp256k1_pubkey pk[2];
52 const secp256k1_pubkey *pk_ptr[2];
53 secp256k1_musig_partial_sig partial_sig[2];
54 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
55 unsigned char final_sig[64];
56 secp256k1_musig_session session;
57 int i;
58
59 testrand256(msg);
60 for (i = 0; i < 2; i++) {
61 testrand256(sk[i]);
62 pk_ptr[i] = &pk[i];
63 pubnonce_ptr[i] = &pubnonce[i];
64 partial_sig_ptr[i] = &partial_sig[i];
65
66 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
67 if (i == 0) {
68 testrand256(session_secrand[i]);
69 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[i], &pubnonce[i], session_secrand[i], sk[i], &pk[i], NULL, NULL, NULL) == 1);
70 } else {
71 uint64_t nonrepeating_cnt = 0;
72 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[i], &pubnonce[i], nonrepeating_cnt, &keypair[i], NULL, NULL, NULL) == 1);
73 }
74 }
75
76 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
77 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
78 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
79
80 for (i = 0; i < 2; i++) {
81 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[i], &secnonce[i], &keypair[i], &keyagg_cache, &session) == 1);
82 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[i], &pubnonce[i], &pk[i], &keyagg_cache, &session) == 1);
83 }
84
85 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
86 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), &agg_pk) == 1);
87}
88
89/* Generate two pubnonces such that both group elements of their sum (calculated
90 * with secp256k1_musig_sum_pubnonces) are infinity. */
91static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce) {
92 secp256k1_ge ge[2];
93 int i;
94 secp256k1_gej summed_pubnonces[2];
95 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
96
97 testutil_random_ge_test(&ge[0]);
98 testutil_random_ge_test(&ge[1]);
99
100 for (i = 0; i < 2; i++) {
101 secp256k1_musig_pubnonce_save(&pubnonce[i], ge);
102 pubnonce_ptr[i] = &pubnonce[i];
103 secp256k1_ge_neg(&ge[0], &ge[0]);
104 secp256k1_ge_neg(&ge[1], &ge[1]);
105 }
106
107 secp256k1_musig_sum_pubnonces(CTX, summed_pubnonces, pubnonce_ptr, 2);
108 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[0]));
109 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[1]));
110}
111
112int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len) {
113 int ret;
114 size_t i;
115 ret = secp256k1_memcmp_var(value, expected, len);
116 for (i = 0; i < len; i++) {
117 value[i] = testrand_bits(8);
118 }
119 return ret;
120}
121
122static void musig_api_tests(void) {
123 secp256k1_musig_partial_sig partial_sig[2];
124 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
125 secp256k1_musig_partial_sig invalid_partial_sig;
126 const secp256k1_musig_partial_sig *invalid_partial_sig_ptr[2];
127 unsigned char pre_sig[64];
128 unsigned char buf[32];
129 unsigned char sk[2][32];
130 secp256k1_keypair keypair[2];
131 secp256k1_keypair invalid_keypair;
132 unsigned char max64[64];
133 unsigned char zeros132[132] = { 0 };
134 unsigned char session_secrand[2][32];
135 unsigned char nonrepeating_cnt = 0;
136 secp256k1_musig_secnonce secnonce[2];
137 secp256k1_musig_secnonce secnonce_tmp;
138 secp256k1_musig_secnonce invalid_secnonce;
139 secp256k1_musig_pubnonce pubnonce[2];
140 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
141 unsigned char pubnonce_ser[66];
142 secp256k1_musig_pubnonce inf_pubnonce[2];
143 const secp256k1_musig_pubnonce *inf_pubnonce_ptr[2];
144 secp256k1_musig_pubnonce invalid_pubnonce;
145 const secp256k1_musig_pubnonce *invalid_pubnonce_ptr[1];
146 secp256k1_musig_aggnonce aggnonce;
147 unsigned char aggnonce_ser[66];
148 unsigned char msg[32];
149 secp256k1_xonly_pubkey agg_pk;
150 secp256k1_pubkey full_agg_pk;
151 secp256k1_musig_keyagg_cache keyagg_cache;
152 secp256k1_musig_keyagg_cache invalid_keyagg_cache;
153 secp256k1_musig_session session;
154 secp256k1_musig_session invalid_session;
155 secp256k1_pubkey pk[2];
156 const secp256k1_pubkey *pk_ptr[2];
157 secp256k1_pubkey invalid_pk;
158 const secp256k1_pubkey *invalid_pk_ptr2[2];
159 const secp256k1_pubkey *invalid_pk_ptr3[3];
160 unsigned char tweak[32];
161 int i;
162
164 memset(max64, 0xff, sizeof(max64));
165 memset(&invalid_keypair, 0, sizeof(invalid_keypair));
166 memset(&invalid_pk, 0, sizeof(invalid_pk));
167 memset(&invalid_secnonce, 0, sizeof(invalid_secnonce));
168 memset(&invalid_partial_sig, 0, sizeof(invalid_partial_sig));
169 pubnonce_summing_to_inf(inf_pubnonce);
170 /* Simulate structs being uninitialized by setting it to 0s. We don't want
171 * to produce undefined behavior by actually providing uninitialized
172 * structs. */
173 memset(&invalid_keyagg_cache, 0, sizeof(invalid_keyagg_cache));
174 memset(&invalid_pk, 0, sizeof(invalid_pk));
175 memset(&invalid_pubnonce, 0, sizeof(invalid_pubnonce));
176 memset(&invalid_session, 0, sizeof(invalid_session));
177
178 testrand256(msg);
179 testrand256(tweak);
180 for (i = 0; i < 2; i++) {
181 pk_ptr[i] = &pk[i];
182 invalid_pk_ptr2[i] = &invalid_pk;
183 invalid_pk_ptr3[i] = &pk[i];
184 pubnonce_ptr[i] = &pubnonce[i];
185 inf_pubnonce_ptr[i] = &inf_pubnonce[i];
186 partial_sig_ptr[i] = &partial_sig[i];
187 invalid_partial_sig_ptr[i] = &partial_sig[i];
188 testrand256(session_secrand[i]);
189 testrand256(sk[i]);
190 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
191 }
192 invalid_pubnonce_ptr[0] = &invalid_pubnonce;
193 invalid_partial_sig_ptr[0] = &invalid_partial_sig;
194 /* invalid_pk_ptr3 has two valid, one invalid pk, which is important to test
195 * musig_pubkey_agg */
196 invalid_pk_ptr3[2] = &invalid_pk;
197
201 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
202 CHECK(secp256k1_musig_pubkey_agg(CTX, NULL, &keyagg_cache, pk_ptr, 2) == 1);
203 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2) == 1);
204 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 2));
205 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
206 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr2, 2));
207 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
208 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr3, 3));
209 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
210 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 0));
211 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
212 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 0));
213 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
214
215 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
216
217 /* pubkey_get */
218 CHECK(secp256k1_musig_pubkey_get(CTX, &full_agg_pk, &keyagg_cache) == 1);
219 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, NULL, &keyagg_cache));
220 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, &full_agg_pk, NULL));
221 CHECK(secp256k1_memcmp_var(&full_agg_pk, zeros132, sizeof(full_agg_pk)) == 0);
222
224 {
225 int (*tweak_func[2]) (const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32);
226 tweak_func[0] = secp256k1_musig_pubkey_ec_tweak_add;
227 tweak_func[1] = secp256k1_musig_pubkey_xonly_tweak_add;
228 for (i = 0; i < 2; i++) {
229 secp256k1_pubkey tmp_output_pk;
230 secp256k1_musig_keyagg_cache tmp_keyagg_cache = keyagg_cache;
231 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, tweak) == 1);
232 /* Reset keyagg_cache */
233 tmp_keyagg_cache = keyagg_cache;
234 CHECK((*tweak_func[i])(CTX, NULL, &tmp_keyagg_cache, tweak) == 1);
235 tmp_keyagg_cache = keyagg_cache;
236 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, NULL, tweak));
237 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
238 tmp_keyagg_cache = keyagg_cache;
239 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, NULL));
240 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
241 tmp_keyagg_cache = keyagg_cache;
242 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, max64) == 0);
243 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
244 tmp_keyagg_cache = keyagg_cache;
245 /* Uninitialized keyagg_cache */
246 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &invalid_keyagg_cache, tweak));
247 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
248 }
249 }
250
252 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
253 /* nonce_gen, if successful, sets session_secrand to the zero array, which
254 * makes subsequent nonce_gen calls with the same session_secrand fail. So
255 * check that session_secrand is indeed the zero array and fill it with
256 * random values again. */
257 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
258
259 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen(STATIC_CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
260 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
261
262 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, NULL, &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
263
264 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], NULL, session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
265 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
266
267 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64));
268 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
269
270 /* session_secrand = 0 is disallowed because it indicates a faulty RNG */
271 memcpy(&session_secrand[0], zeros132, sizeof(session_secrand[0]));
272 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], zeros132, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
273 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
274 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
275
276 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1);
277 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
278
279 /* invalid seckey */
280 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0);
281 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
282
283 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], NULL, msg, &keyagg_cache, max64));
284 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
285
286 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64));
287 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
288
289 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1);
290 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
291
292 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, NULL, max64) == 1);
293 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
294
295 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64));
296 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
297
298 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1);
299 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
300
301 /* Every in-argument except session_secrand and pubkey can be NULL */
302 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], NULL, NULL, NULL) == 1);
303 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk[1], &pk[1], NULL, NULL, NULL) == 1);
304
306 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64) == 1);
307 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen_counter(STATIC_CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
308 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
309 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, NULL, &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
310 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], NULL, nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
311 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
312 /* using nonce_gen_counter requires keypair */
313 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, NULL, msg, &keyagg_cache, max64));
314 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
315 /* invalid keypair */
316 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &invalid_keypair, msg, &keyagg_cache, max64));
317 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
318 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, &keyagg_cache, max64) == 1);
319 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, NULL, max64) == 1);
320 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &invalid_keyagg_cache, max64));
321 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
322 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt,&keypair[0], msg, &keyagg_cache, NULL) == 1);
323
324 /* Every in-argument except nonrepeating_cnt and keypair can be NULL */
325 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, NULL, NULL) == 1);
326 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[1], &pubnonce[1], nonrepeating_cnt, &keypair[1], NULL, NULL, NULL) == 1);
327
328
330 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, NULL, &pubnonce[0]));
331 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, NULL));
332 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
333 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &invalid_pubnonce));
334 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
335 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
336
337 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
338 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, NULL, pubnonce_ser));
339 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], NULL));
340 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], zeros132) == 0);
341 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
342
343 {
344 /* Check that serialize and parse results in the same value */
345 secp256k1_musig_pubnonce tmp;
346 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
347 CHECK(secp256k1_musig_pubnonce_parse(CTX, &tmp, pubnonce_ser) == 1);
348 CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
349 }
350
352 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
353 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, NULL, pubnonce_ptr, 2));
354 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, NULL, 2));
355 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 0));
356 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, invalid_pubnonce_ptr, 1));
357 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, inf_pubnonce_ptr, 2) == 1);
358 {
359 /* Check that the aggnonce encodes two points at infinity */
360 secp256k1_ge aggnonce_pt[2];
361 secp256k1_musig_aggnonce_load(CTX, aggnonce_pt, &aggnonce);
362 for (i = 0; i < 2; i++) {
363 secp256k1_ge_is_infinity(&aggnonce_pt[i]);
364 }
365 }
366 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
367
369 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
370 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, NULL, &aggnonce));
371 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, NULL));
372 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
373 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, (secp256k1_musig_aggnonce*) &invalid_pubnonce));
374 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
375 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
376
377 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
378 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, NULL, aggnonce_ser));
379 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, &aggnonce, NULL));
380 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, zeros132) == 1);
381 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
382
383 {
384 /* Check that serialize and parse results in the same value */
385 secp256k1_musig_aggnonce tmp;
386 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
387 CHECK(secp256k1_musig_aggnonce_parse(CTX, &tmp, aggnonce_ser) == 1);
388 CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0);
389 }
390
392 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
393 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, NULL, &aggnonce, msg, &keyagg_cache));
394 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, NULL, msg, &keyagg_cache));
395 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, (secp256k1_musig_aggnonce*) &invalid_pubnonce, msg, &keyagg_cache));
396 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, NULL, &keyagg_cache));
397 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, NULL));
398 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &invalid_keyagg_cache));
399
400 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
401
402 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
403 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1);
404 /* The secnonce is set to 0 and subsequent signing attempts fail */
405 CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros132, sizeof(secnonce_tmp)) == 0);
406 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
407 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
408 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, NULL, &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
409 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
410 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], NULL, &keypair[0], &keyagg_cache, &session));
411 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &invalid_secnonce, &keypair[0], &keyagg_cache, &session));
412 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, NULL, &keyagg_cache, &session));
413 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
414 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &invalid_keypair, &keyagg_cache, &session));
415 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
416 {
417 unsigned char sk_tmp[32];
418 secp256k1_keypair keypair_tmp;
419 testrand256(sk_tmp);
420 CHECK(secp256k1_keypair_create(CTX, &keypair_tmp, sk_tmp));
421 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair_tmp, &keyagg_cache, &session));
422 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
423 }
424 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], NULL, &session));
425 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
426 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &invalid_keyagg_cache, &session));
427 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
428 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, NULL));
429 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
430 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &invalid_session));
431 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
432
433 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], &keyagg_cache, &session) == 1);
434 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], &keyagg_cache, &session) == 1);
435
436 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
437 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, NULL, &partial_sig[0]));
438 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, NULL));
439 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, &invalid_partial_sig));
440 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], buf) == 1);
441 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, NULL, buf));
442 {
443 /* Check that parsing failure results in an invalid sig */
444 secp256k1_musig_partial_sig tmp;
445 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, max64) == 0);
446 CHECK(secp256k1_memcmp_var(&tmp, zeros132, sizeof(partial_sig[0])) == 0);
447 }
448 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], NULL));
449
450 {
451 /* Check that serialize and parse results in the same value */
452 secp256k1_musig_partial_sig tmp;
453 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
454 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, buf) == 1);
455 CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
456 }
457
459 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
460 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 0);
461 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, NULL, &pubnonce[0], &pk[0], &keyagg_cache, &session));
462 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &invalid_partial_sig, &pubnonce[0], &pk[0], &keyagg_cache, &session));
463 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], NULL, &pk[0], &keyagg_cache, &session));
464 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &invalid_pubnonce, &pk[0], &keyagg_cache, &session));
465 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], NULL, &keyagg_cache, &session));
466 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &invalid_pk, &keyagg_cache, &session));
467 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], NULL, &session));
468 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &invalid_keyagg_cache, &session));
469 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, NULL));
470 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &invalid_session));
471
472 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
473 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], &keyagg_cache, &session) == 1);
474
476 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
477 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, NULL, &session, partial_sig_ptr, 2));
478 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, NULL, partial_sig_ptr, 2));
479 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &invalid_session, partial_sig_ptr, 2));
480 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, NULL, 2));
481 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, invalid_partial_sig_ptr, 2));
482 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 0));
483 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 1) == 1);
484 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
485}
486
487static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
488 secp256k1_scalar k1[2], k2[2];
489
490 secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4], args[5]);
491 testrand_flip(args[n_flip], n_bytes);
492 secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4], args[5]);
493 CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0);
494 CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0);
495}
496
497static void musig_nonce_test(void) {
498 unsigned char *args[6];
499 unsigned char session_secrand[32];
500 unsigned char sk[32];
501 unsigned char pk[33];
502 unsigned char msg[32];
503 unsigned char agg_pk[32];
504 unsigned char extra_input[32];
505 int i, j;
506 secp256k1_scalar k[6][2];
507
508 testrand_bytes_test(session_secrand, sizeof(session_secrand));
509 testrand_bytes_test(sk, sizeof(sk));
510 testrand_bytes_test(pk, sizeof(pk));
511 testrand_bytes_test(msg, sizeof(msg));
512 testrand_bytes_test(agg_pk, sizeof(agg_pk));
513 testrand_bytes_test(extra_input, sizeof(extra_input));
514
515 /* Check that a bitflip in an argument results in different nonces. */
516 args[0] = session_secrand;
517 args[1] = msg;
518 args[2] = sk;
519 args[3] = pk;
520 args[4] = agg_pk;
521 args[5] = extra_input;
522 for (i = 0; i < COUNT; i++) {
523 musig_nonce_bitflip(args, 0, sizeof(session_secrand));
524 musig_nonce_bitflip(args, 1, sizeof(msg));
525 musig_nonce_bitflip(args, 2, sizeof(sk));
526 musig_nonce_bitflip(args, 3, sizeof(pk));
527 musig_nonce_bitflip(args, 4, sizeof(agg_pk));
528 musig_nonce_bitflip(args, 5, sizeof(extra_input));
529 }
530 /* Check that if any argument is NULL, a different nonce is produced than if
531 * any other argument is NULL. */
532 memcpy(msg, session_secrand, sizeof(msg));
533 memcpy(sk, session_secrand, sizeof(sk));
534 memcpy(pk, session_secrand, sizeof(session_secrand));
535 memcpy(agg_pk, session_secrand, sizeof(agg_pk));
536 memcpy(extra_input, session_secrand, sizeof(extra_input));
537 secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4], args[5]);
538 secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4], args[5]);
539 secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4], args[5]);
540 secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4], args[5]);
541 secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL, args[5]);
542 secp256k1_nonce_function_musig(k[5], args[0], args[1], args[2], args[3], args[4], NULL);
543 for (i = 0; i < 6; i++) {
544 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1]));
545 for (j = i+1; j < 6; j++) {
546 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0]));
547 CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1]));
548 }
549 }
550}
551
552/* Checks that the initialized tagged hashes have the expected
553 * state. */
554static void sha256_tag_test(void) {
555 secp256k1_sha256 sha;
556 {
557 /* "KeyAgg list" */
558 static const unsigned char tag[] = {'K', 'e', 'y', 'A', 'g', 'g', ' ', 'l', 'i', 's', 't'};
559 secp256k1_musig_keyagglist_sha256(&sha);
560 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
561 }
562 {
563 /* "KeyAgg coefficient" */
564 static const unsigned char tag[] = {'K', 'e', 'y', 'A', 'g', 'g', ' ', 'c', 'o', 'e', 'f', 'f', 'i', 'c', 'i', 'e', 'n', 't'};
565 secp256k1_musig_keyaggcoef_sha256(&sha);
566 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
567 }
568 {
569 /* "MuSig/aux" */
570 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'a', 'u', 'x' };
571 secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
572 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
573 }
574 {
575 /* "MuSig/nonce" */
576 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'n', 'o', 'n', 'c', 'e' };
577 secp256k1_nonce_function_musig_sha256_tagged(&sha);
578 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
579 }
580 {
581 /* "MuSig/noncecoef" */
582 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'n', 'o', 'n', 'c', 'e', 'c', 'o', 'e', 'f' };
583 secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
584 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
585 }
586}
587
588/* Attempts to create a signature for the aggregate public key using given secret
589 * keys and keyagg_cache. */
590static void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache) {
591 secp256k1_pubkey pk[2];
592 unsigned char session_secrand[2][32];
593 unsigned char msg[32];
594 secp256k1_musig_secnonce secnonce[2];
595 secp256k1_musig_pubnonce pubnonce[2];
596 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
597 secp256k1_musig_aggnonce aggnonce;
598 secp256k1_keypair keypair[2];
599 secp256k1_musig_session session;
600 secp256k1_musig_partial_sig partial_sig[2];
601 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
602 unsigned char final_sig[64];
603 int i;
604
605 for (i = 0; i < 2; i++) {
606 pubnonce_ptr[i] = &pubnonce[i];
607 partial_sig_ptr[i] = &partial_sig[i];
608
609 testrand256(session_secrand[i]);
610 }
611 CHECK(create_keypair_and_pk(&keypair[0], &pk[0], sk0) == 1);
612 CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1);
613 testrand256(msg);
614
615 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk0, &pk[0], NULL, NULL, NULL) == 1);
616 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk1, &pk[1], NULL, NULL, NULL) == 1);
617
618 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
619 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, keyagg_cache) == 1);
620
621 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], keyagg_cache, &session) == 1);
622 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], keyagg_cache, &session) == 1);
623
624 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], keyagg_cache, &session) == 1);
625 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], keyagg_cache, &session) == 1);
626
627 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
628 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), agg_pk) == 1);
629}
630
631/* Create aggregate public key P[0], tweak multiple times (using xonly and
632 * plain tweaking) and test signing. */
633static void musig_tweak_test_internal(void) {
634 unsigned char sk[2][32];
635 secp256k1_pubkey pk[2];
636 const secp256k1_pubkey *pk_ptr[2];
637 secp256k1_musig_keyagg_cache keyagg_cache;
638 enum { N_TWEAKS = 8 };
639 secp256k1_pubkey P[N_TWEAKS + 1];
640 secp256k1_xonly_pubkey P_xonly[N_TWEAKS + 1];
641 int i;
642
643 /* Key Setup */
644 for (i = 0; i < 2; i++) {
645 pk_ptr[i] = &pk[i];
646 testrand256(sk[i]);
647 CHECK(create_keypair_and_pk(NULL, &pk[i], sk[i]) == 1);
648 }
649 /* Compute P0 = keyagg(pk0, pk1) and test signing for it */
650 CHECK(secp256k1_musig_pubkey_agg(CTX, &P_xonly[0], &keyagg_cache, pk_ptr, 2) == 1);
651 musig_tweak_test_helper(&P_xonly[0], sk[0], sk[1], &keyagg_cache);
652 CHECK(secp256k1_musig_pubkey_get(CTX, &P[0], &keyagg_cache));
653
654 /* Compute Pi = f(Pj) + tweaki*G where where j = i-1 and try signing for
655 * that key. If xonly is set to true, the function f normalizes the input
656 * point to have an even X-coordinate ("xonly-tweaking").
657 * Otherwise, the function f is the identity function. */
658 for (i = 1; i <= N_TWEAKS; i++) {
659 unsigned char tweak[32];
660 int P_parity;
661 int xonly = testrand_bits(1);
662
663 testrand256(tweak);
664 if (xonly) {
665 CHECK(secp256k1_musig_pubkey_xonly_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
666 } else {
667 CHECK(secp256k1_musig_pubkey_ec_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
668 }
669 CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &P_xonly[i], &P_parity, &P[i]));
670 /* Check that musig_pubkey_tweak_add produces same result as
671 * xonly_pubkey_tweak_add or ec_pubkey_tweak_add. */
672 if (xonly) {
673 unsigned char P_serialized[32];
674 CHECK(secp256k1_xonly_pubkey_serialize(CTX, P_serialized, &P_xonly[i]));
675 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, P_serialized, P_parity, &P_xonly[i-1], tweak) == 1);
676 } else {
677 secp256k1_pubkey tmp_key = P[i-1];
678 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &tmp_key, tweak));
679 CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
680 }
681 /* Test signing for P[i] */
682 musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache);
683 }
684}
685
686int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error,
687 secp256k1_musig_keyagg_cache *keyagg_cache,
688 unsigned char *agg_pk_ser,
689 const unsigned char pubkeys33[][33],
690 const unsigned char tweaks32[][32],
691 size_t key_indices_len,
692 const size_t *key_indices,
693 size_t tweak_indices_len,
694 const size_t *tweak_indices,
695 const int *is_xonly) {
696 secp256k1_pubkey pubkeys[MUSIG_VECTORS_MAX_PUBKEYS];
697 const secp256k1_pubkey *pk_ptr[MUSIG_VECTORS_MAX_PUBKEYS];
698 int i;
699 secp256k1_pubkey agg_pk;
700 secp256k1_xonly_pubkey agg_pk_xonly;
701
702 for (i = 0; i < (int)key_indices_len; i++) {
703 if (!secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pubkeys33[key_indices[i]], 33)) {
704 *error = MUSIG_PUBKEY;
705 return 0;
706 }
707 pk_ptr[i] = &pubkeys[i];
708 }
709 if (!secp256k1_musig_pubkey_agg(CTX, NULL, keyagg_cache, pk_ptr, key_indices_len)) {
710 *error = MUSIG_OTHER;
711 return 0;
712 }
713
714 for (i = 0; i < (int)tweak_indices_len; i++) {
715 if (is_xonly[i]) {
716 if (!secp256k1_musig_pubkey_xonly_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
717 *error = MUSIG_TWEAK;
718 return 0;
719 }
720 } else {
721 if (!secp256k1_musig_pubkey_ec_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
722 *error = MUSIG_TWEAK;
723 return 0;
724 }
725 }
726 }
727 if (!secp256k1_musig_pubkey_get(CTX, &agg_pk, keyagg_cache)) {
728 *error = MUSIG_OTHER;
729 return 0;
730 }
731
732 if (!secp256k1_xonly_pubkey_from_pubkey(CTX, &agg_pk_xonly, NULL, &agg_pk)) {
733 *error = MUSIG_OTHER;
734 return 0;
735 }
736
737 if (agg_pk_ser != NULL) {
738 if (!secp256k1_xonly_pubkey_serialize(CTX, agg_pk_ser, &agg_pk_xonly)) {
739 *error = MUSIG_OTHER;
740 return 0;
741 }
742 }
743
744 return 1;
745}
746
747static void musig_test_vectors_keyagg(void) {
748 size_t i;
749 const struct musig_key_agg_vector *vector = &musig_key_agg_vector;
750
751 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
752 const struct musig_key_agg_valid_test_case *c = &vector->valid_case[i];
753 enum MUSIG_ERROR error;
754 secp256k1_musig_keyagg_cache keyagg_cache;
755 unsigned char agg_pk[32];
756
757 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, 0, NULL, NULL));
758 CHECK(secp256k1_memcmp_var(agg_pk, c->expected, sizeof(agg_pk)) == 0);
759 }
760
761 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
762 const struct musig_key_agg_error_test_case *c = &vector->error_case[i];
763 enum MUSIG_ERROR error;
764 secp256k1_musig_keyagg_cache keyagg_cache;
765
766 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
767 CHECK(c->error == error);
768 }
769}
770
771static void musig_test_vectors_noncegen(void) {
772 size_t i;
773 const struct musig_nonce_gen_vector *vector = &musig_nonce_gen_vector;
774
775 for (i = 0; i < sizeof(vector->test_case)/sizeof(vector->test_case[0]); i++) {
776 const struct musig_nonce_gen_test_case *c = &vector->test_case[i];
777 secp256k1_musig_keyagg_cache keyagg_cache;
778 secp256k1_musig_keyagg_cache *keyagg_cache_ptr = NULL;
779 unsigned char session_secrand32[32];
780 secp256k1_musig_secnonce secnonce;
781 secp256k1_musig_pubnonce pubnonce;
782 const unsigned char *sk = NULL;
783 const unsigned char *msg = NULL;
784 const unsigned char *extra_in = NULL;
785 secp256k1_pubkey pk;
786 unsigned char pubnonce66[66];
787
788 memcpy(session_secrand32, c->rand_, 32);
789 if (c->has_sk) {
790 sk = c->sk;
791 }
792 if (c->has_aggpk) {
793 /* Create keyagg_cache from aggpk */
794 secp256k1_keyagg_cache_internal cache_i;
795 secp256k1_xonly_pubkey aggpk;
796 memset(&cache_i, 0, sizeof(cache_i));
797 CHECK(secp256k1_xonly_pubkey_parse(CTX, &aggpk, c->aggpk));
798 CHECK(secp256k1_xonly_pubkey_load(CTX, &cache_i.pk, &aggpk));
799 secp256k1_keyagg_cache_save(&keyagg_cache, &cache_i);
800 keyagg_cache_ptr = &keyagg_cache;
801 }
802 if (c->has_msg) {
803 msg = c->msg;
804 }
805 if (c->has_extra_in) {
806 extra_in = c->extra_in;
807 }
808
809 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk, c->pk, sizeof(c->pk)));
810 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce, &pubnonce, session_secrand32, sk, &pk, msg, keyagg_cache_ptr, extra_in) == 1);
811 CHECK(secp256k1_memcmp_var(&secnonce.data[4], c->expected_secnonce, 2*32) == 0);
812 /* The last element of the secnonce is the public key (uncompressed in
813 * secp256k1_musig_secnonce, compressed in the test vector secnonce). */
814 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
815 CHECK(secp256k1_memcmp_var(&c->expected_secnonce[2*32], c->pk, sizeof(c->pk)) == 0);
816
817 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
818 CHECK(sizeof(c->expected_pubnonce) == sizeof(pubnonce66));
819 CHECK(secp256k1_memcmp_var(pubnonce66, c->expected_pubnonce, sizeof(pubnonce66)) == 0);
820 }
821}
822
823
824static void musig_test_vectors_nonceagg(void) {
825 size_t i;
826 int j;
827 const struct musig_nonce_agg_vector *vector = &musig_nonce_agg_vector;
828
829 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
830 const struct musig_nonce_agg_test_case *c = &vector->valid_case[i];
831 secp256k1_musig_pubnonce pubnonce[2];
832 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
833 secp256k1_musig_aggnonce aggnonce;
834 unsigned char aggnonce66[66];
835
836 for (j = 0; j < 2; j++) {
837 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]) == 1);
838 pubnonce_ptr[j] = &pubnonce[j];
839 }
840 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
841 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce66, &aggnonce));
842 CHECK(secp256k1_memcmp_var(aggnonce66, c->expected, 33) == 0);
843 }
844 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
845 const struct musig_nonce_agg_test_case *c = &vector->error_case[i];
846 secp256k1_musig_pubnonce pubnonce[2];
847 for (j = 0; j < 2; j++) {
848 int expected = c->invalid_nonce_idx != j;
849 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]));
850 }
851 }
852}
853
854static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey) {
855 secp256k1_ge pk;
856 secp256k1_scalar k[2];
857
858 secp256k1_scalar_set_b32(&k[0], &secnonce64[0], NULL);
859 secp256k1_scalar_set_b32(&k[1], &secnonce64[32], NULL);
860 CHECK(secp256k1_pubkey_load(CTX, &pk, pubkey));
861 secp256k1_musig_secnonce_save(secnonce, k, &pk);
862}
863
864static void musig_test_vectors_signverify(void) {
865 size_t i;
866 const struct musig_sign_verify_vector *vector = &musig_sign_verify_vector;
867
868 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
869 const struct musig_valid_case *c = &vector->valid_case[i];
870 enum MUSIG_ERROR error;
871 secp256k1_musig_keyagg_cache keyagg_cache;
872 secp256k1_pubkey pubkey;
873 secp256k1_musig_pubnonce pubnonce;
874 secp256k1_musig_aggnonce aggnonce;
875 secp256k1_musig_session session;
876 secp256k1_musig_partial_sig partial_sig;
877 secp256k1_musig_secnonce secnonce;
878 secp256k1_keypair keypair;
879 unsigned char partial_sig32[32];
880
881 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
882 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
883
884 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
885 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
886
887 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
888 musig_test_set_secnonce(&secnonce, vector->secnonces[0], &pubkey);
889 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
890 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
891 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
892
893 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[0]));
894 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
895 }
896 for (i = 0; i < sizeof(vector->sign_error_case)/sizeof(vector->sign_error_case[0]); i++) {
897 const struct musig_sign_error_case *c = &vector->sign_error_case[i];
898 enum MUSIG_ERROR error;
899 secp256k1_musig_keyagg_cache keyagg_cache;
900 secp256k1_pubkey pubkey;
901 secp256k1_musig_aggnonce aggnonce;
902 secp256k1_musig_session session;
903 secp256k1_musig_partial_sig partial_sig;
904 secp256k1_musig_secnonce secnonce;
905 secp256k1_keypair keypair;
906 int expected;
907
908 if (i == 0) {
909 /* Skip this vector since the implementation does not error out when
910 * the signing key does not belong to any pubkey. */
911 continue;
912 }
913
914 expected = c->error != MUSIG_PUBKEY;
915 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
916 CHECK(expected || c->error == error);
917 if (!expected) {
918 continue;
919 }
920 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
921 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
922
923 expected = c->error != MUSIG_AGGNONCE;
924 CHECK(expected == secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
925 if (!expected) {
926 continue;
927 }
928 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
929
930 expected = c->error != MUSIG_SECNONCE;
931 CHECK(!expected);
932 musig_test_set_secnonce(&secnonce, vector->secnonces[c->secnonce_index], &pubkey);
933 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
934 }
935 for (i = 0; i < sizeof(vector->verify_fail_case)/sizeof(vector->verify_fail_case[0]); i++) {
936 const struct musig_verify_fail_error_case *c = &vector->verify_fail_case[i];
937 enum MUSIG_ERROR error;
938 secp256k1_musig_keyagg_cache keyagg_cache;
939 secp256k1_musig_aggnonce aggnonce;
940 secp256k1_musig_session session;
941 secp256k1_musig_partial_sig partial_sig;
942 enum { NUM_PUBNONCES = 3 };
943 secp256k1_musig_pubnonce pubnonce[NUM_PUBNONCES];
944 const secp256k1_musig_pubnonce *pubnonce_ptr[NUM_PUBNONCES];
945 secp256k1_pubkey pubkey;
946 int expected;
947 size_t j;
948
949 CHECK(NUM_PUBNONCES <= c->nonce_indices_len);
950 for (j = 0; j < c->nonce_indices_len; j++) {
951 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pubnonces[c->nonce_indices[j]]));
952 pubnonce_ptr[j] = &pubnonce[j];
953 }
954
955 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
956 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, c->nonce_indices_len) == 1);
957 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
958
959 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[c->signer_index], sizeof(vector->pubkeys[0])));
960
961 expected = c->error != MUSIG_SIG;
962 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig, c->sig));
963 if (!expected) {
964 continue;
965 }
966 expected = c->error != MUSIG_SIG_VERIFY;
967 CHECK(expected == secp256k1_musig_partial_sig_verify(CTX, &partial_sig, pubnonce, &pubkey, &keyagg_cache, &session));
968 }
969 for (i = 0; i < sizeof(vector->verify_error_case)/sizeof(vector->verify_error_case[0]); i++) {
970 const struct musig_verify_fail_error_case *c = &vector->verify_error_case[i];
971 enum MUSIG_ERROR error;
972 secp256k1_musig_keyagg_cache keyagg_cache;
973 secp256k1_musig_pubnonce pubnonce;
974 int expected;
975
976 expected = c->error != MUSIG_PUBKEY;
977 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
978 CHECK(expected || c->error == error);
979 if (!expected) {
980 continue;
981 }
982 expected = c->error != MUSIG_PUBNONCE;
983 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
984 }
985}
986
987static void musig_test_vectors_tweak(void) {
988 size_t i;
989 const struct musig_tweak_vector *vector = &musig_tweak_vector;
990 secp256k1_pubkey pubkey;
991 secp256k1_musig_aggnonce aggnonce;
992 secp256k1_musig_secnonce secnonce;
993
994 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonce));
995 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
996
997 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
998 const struct musig_tweak_case *c = &vector->valid_case[i];
999 enum MUSIG_ERROR error;
1000 secp256k1_musig_keyagg_cache keyagg_cache;
1001 secp256k1_musig_pubnonce pubnonce;
1002 secp256k1_musig_session session;
1003 secp256k1_musig_partial_sig partial_sig;
1004 secp256k1_keypair keypair;
1005 unsigned char partial_sig32[32];
1006
1007 musig_test_set_secnonce(&secnonce, vector->secnonce, &pubkey);
1008
1009 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
1010 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1011
1012 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1013
1014 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
1015 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
1016 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
1017
1018 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1019 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
1020 }
1021 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1022 const struct musig_tweak_case *c = &vector->error_case[i];
1023 enum MUSIG_ERROR error;
1024 secp256k1_musig_keyagg_cache keyagg_cache;
1025 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1026 CHECK(error == MUSIG_TWEAK);
1027 }
1028}
1029
1030static void musig_test_vectors_sigagg(void) {
1031 size_t i, j;
1032 const struct musig_sig_agg_vector *vector = &musig_sig_agg_vector;
1033
1034 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
1035 const struct musig_sig_agg_case *c = &vector->valid_case[i];
1036 enum MUSIG_ERROR error;
1037 unsigned char final_sig[64];
1038 secp256k1_musig_keyagg_cache keyagg_cache;
1039 unsigned char agg_pk32[32];
1040 secp256k1_xonly_pubkey agg_pk;
1041 secp256k1_musig_aggnonce aggnonce;
1042 secp256k1_musig_session session;
1043 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1044 const secp256k1_musig_partial_sig *partial_sig_ptr[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1045
1046 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk32, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1047 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, c->aggnonce));
1048 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1049 for (j = 0; j < c->psig_indices_len; j++) {
1050 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1051 partial_sig_ptr[j] = &partial_sig[j];
1052 }
1053
1054 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, c->psig_indices_len) == 1);
1055 CHECK(secp256k1_memcmp_var(final_sig, c->expected, sizeof(final_sig)) == 0);
1056
1057 CHECK(secp256k1_xonly_pubkey_parse(CTX, &agg_pk, agg_pk32));
1058 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, vector->msg, sizeof(vector->msg), &agg_pk) == 1);
1059 }
1060 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1061 const struct musig_sig_agg_case *c = &vector->error_case[i];
1062 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1063 for (j = 0; j < c->psig_indices_len; j++) {
1064 int expected = c->invalid_sig_idx != (int)j;
1065 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1066 }
1067 }
1068}
1069
1070/* Since the BIP doesn't provide static test vectors for nonce_gen_counter, we
1071 * define a static test here */
1072static void musig_test_static_nonce_gen_counter(void) {
1073 secp256k1_musig_secnonce secnonce;
1074 secp256k1_musig_pubnonce pubnonce;
1075 unsigned char pubnonce66[66];
1076 secp256k1_pubkey pk;
1077 secp256k1_keypair keypair;
1078 uint64_t nonrepeating_cnt = 0;
1079 unsigned char sk[32] = {
1080 0xEE, 0xC1, 0xCB, 0x7D, 0x1B, 0x72, 0x54, 0xC5,
1081 0xCA, 0xB0, 0xD9, 0xC6, 0x1A, 0xB0, 0x2E, 0x64,
1082 0x3D, 0x46, 0x4A, 0x59, 0xFE, 0x6C, 0x96, 0xA7,
1083 0xEF, 0xE8, 0x71, 0xF0, 0x7C, 0x5A, 0xEF, 0x54,
1084 };
1085 unsigned char expected_secnonce[64] = {
1086 0x84, 0x2F, 0x13, 0x80, 0xCD, 0x17, 0xA1, 0x98,
1087 0xFC, 0x3D, 0xAD, 0x3B, 0x7D, 0xA7, 0x49, 0x29,
1088 0x41, 0xF4, 0x69, 0x76, 0xF2, 0x70, 0x2F, 0xF7,
1089 0xC6, 0x6F, 0x24, 0xF4, 0x72, 0x03, 0x6A, 0xF1,
1090 0xDA, 0x3F, 0x95, 0x2D, 0xDE, 0x4A, 0x2D, 0xA6,
1091 0xB6, 0x32, 0x57, 0x07, 0xCE, 0x87, 0xA4, 0xE3,
1092 0x61, 0x6D, 0x06, 0xFC, 0x5F, 0x81, 0xA9, 0xC9,
1093 0x93, 0x86, 0xD2, 0x0A, 0x99, 0xCE, 0xCF, 0x99,
1094 };
1095 unsigned char expected_pubnonce[66] = {
1096 0x03, 0xA5, 0xB9, 0xB6, 0x90, 0x79, 0x42, 0xEA,
1097 0xCD, 0xDA, 0x49, 0xA3, 0x66, 0x01, 0x6E, 0xC2,
1098 0xE6, 0x24, 0x04, 0xA1, 0xBF, 0x4A, 0xB6, 0xD4,
1099 0xDB, 0x82, 0x06, 0x7B, 0xC3, 0xAD, 0xF0, 0x86,
1100 0xD7, 0x03, 0x32, 0x05, 0xDB, 0x9E, 0xB3, 0x4D,
1101 0x5C, 0x7C, 0xE0, 0x28, 0x48, 0xCA, 0xC6, 0x8A,
1102 0x83, 0xED, 0x73, 0xE3, 0x88, 0x34, 0x77, 0xF5,
1103 0x63, 0xF2, 0x3C, 0xE9, 0xA1, 0x1A, 0x77, 0x21,
1104 0xEC, 0x64,
1105 };
1106
1107 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
1108 CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair));
1109 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce, &pubnonce, nonrepeating_cnt, &keypair, NULL, NULL, NULL) == 1);
1110
1111 CHECK(secp256k1_memcmp_var(&secnonce.data[4], expected_secnonce, 2*32) == 0);
1112 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
1113
1114 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
1115 CHECK(secp256k1_memcmp_var(pubnonce66, expected_pubnonce, sizeof(pubnonce66)) == 0);
1116}
1117
1118/* --- Test registry --- */
1119REPEAT_TEST(musig_simple_test)
1120/* Run multiple times to ensure that pk and nonce have different y parities */
1121REPEAT_TEST(musig_tweak_test)
1122
1123static const struct tf_test_entry tests_musig[] = {
1124 CASE1(musig_simple_test),
1125 CASE1(musig_api_tests),
1126 CASE1(musig_nonce_test),
1127 CASE1(musig_tweak_test),
1128 CASE1(sha256_tag_test),
1129 CASE1(musig_test_vectors_keyagg),
1130 CASE1(musig_test_vectors_noncegen),
1131 CASE1(musig_test_vectors_nonceagg),
1132 CASE1(musig_test_vectors_signverify),
1133 CASE1(musig_test_vectors_tweak),
1134 CASE1(musig_test_vectors_sigagg),
1135 CASE1(musig_test_static_nonce_gen_counter),
1136};
1137
1138#endif
ret
int ret
Definition: bitcoin-cli.cpp:1351
args
ArgsManager & args
Definition: bitcoind.cpp:277
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:14
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_musig_keyaggcoef_sha256
static void secp256k1_musig_keyaggcoef_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:99
secp256k1_musig_keyagglist_sha256
static void secp256k1_musig_keyagglist_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:64
secp256k1_keyagg_cache_save
static void secp256k1_keyagg_cache_save(secp256k1_musig_keyagg_cache *cache, const secp256k1_keyagg_cache_internal *cache_i)
Definition: keyagg_impl.h:31
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tests_musig
static const struct tf_test_entry tests_musig[]
Definition: tests_impl.h:1123
musig_test_vectors_keyagg
static void musig_test_vectors_keyagg(void)
Definition: tests_impl.h:747
musig_nonce_test
static void musig_nonce_test(void)
Definition: tests_impl.h:497
musig_vectors_keyagg_and_tweak
int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error, secp256k1_musig_keyagg_cache *keyagg_cache, unsigned char *agg_pk_ser, const unsigned char pubkeys33[][33], const unsigned char tweaks32[][32], size_t key_indices_len, const size_t *key_indices, size_t tweak_indices_len, const size_t *tweak_indices, const int *is_xonly)
Definition: tests_impl.h:686
musig_test_set_secnonce
static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey)
Definition: tests_impl.h:854
sha256_tag_test
static void sha256_tag_test(void)
Definition: tests_impl.h:554
create_keypair_and_pk
static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk)
Definition: tests_impl.h:27
musig_api_tests
static void musig_api_tests(void)
Definition: tests_impl.h:122
musig_test_vectors_sigagg
static void musig_test_vectors_sigagg(void)
Definition: tests_impl.h:1030
musig_test_vectors_signverify
static void musig_test_vectors_signverify(void)
Definition: tests_impl.h:864
pubnonce_summing_to_inf
static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce)
Definition: tests_impl.h:91
musig_test_static_nonce_gen_counter
static void musig_test_static_nonce_gen_counter(void)
Definition: tests_impl.h:1072
memcmp_and_randomize
int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len)
Definition: tests_impl.h:112
musig_nonce_bitflip
static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes)
Definition: tests_impl.h:487
musig_test_vectors_nonceagg
static void musig_test_vectors_nonceagg(void)
Definition: tests_impl.h:824
musig_tweak_test_internal
static void musig_tweak_test_internal(void)
Definition: tests_impl.h:633
musig_tweak_test_helper
static void musig_tweak_test_helper(const secp256k1_xonly_pubkey *agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache)
Definition: tests_impl.h:590
musig_test_vectors_noncegen
static void musig_test_vectors_noncegen(void)
Definition: tests_impl.h:771
musig_simple_test_internal
static void musig_simple_test_internal(void)
Definition: tests_impl.h:40
musig_test_vectors_tweak
static void musig_test_vectors_tweak(void)
Definition: tests_impl.h:987
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:268
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_keypair_pub
SECP256K1_API int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the public key from a keypair.
Definition: main_impl.h:224
secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:283
secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:287
secp256k1_musig_aggnonce_serialize
SECP256K1_API int secp256k1_musig_aggnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_aggnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an aggregate public nonce.
Definition: session_impl.h:257
secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:275
secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer's public nonce.
Definition: session_impl.h:194
secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:544
secp256k1_musig_partial_sign
SECP256K1_API int secp256k1_musig_partial_sign(const secp256k1_context *ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Produces a partial signature.
Definition: session_impl.h:666
secp256k1_musig_aggnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(const secp256k1_context *ctx, secp256k1_musig_aggnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an aggregate public nonce.
Definition: session_impl.h:240
secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:233
secp256k1_musig_nonce_gen
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6)
Starts a signing session by generating a nonce.
Definition: session_impl.h:469
secp256k1_musig_partial_sig_serialize
SECP256K1_API int secp256k1_musig_partial_sig_serialize(const secp256k1_context *ctx, unsigned char *out32, const secp256k1_musig_partial_sig *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a MuSig partial signature.
Definition: session_impl.h:294
secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer's partial signature.
Definition: session_impl.h:736
secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:799
secp256k1_musig_nonce_gen_counter
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Alternative way to generate a nonce and start a signing session.
Definition: session_impl.h:497
secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:175
secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:620
secp256k1_musig_pubnonce_serialize
SECP256K1_API int secp256k1_musig_pubnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_pubnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a signer's public nonce.
Definition: session_impl.h:214
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:224
secp256k1_musig_secnonce_save
static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk)
Definition: session_impl.h:57
secp256k1_musig_sum_pubnonces
static int secp256k1_musig_sum_pubnonces(const secp256k1_context *ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces)
Definition: session_impl.h:525
secp256k1_nonce_function_musig
static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32)
Definition: session_impl.h:352
secp256k1_musig_compute_noncehash_sha256_tagged
static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:562
secp256k1_nonce_function_musig_sha256_tagged_aux
static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: session_impl.h:324
secp256k1_nonce_function_musig_sha256_tagged
static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:339
secp256k1_musig_aggnonce_load
static int secp256k1_musig_aggnonce_load(const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_aggnonce *nonce)
Definition: session_impl.h:124
secp256k1_musig_pubnonce_save
static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce *nonce, const secp256k1_ge *ges)
Definition: session_impl.h:94
musig_key_agg_error_test_case
Definition: vectors.h:24
musig_key_agg_error_test_case::is_xonly
int is_xonly[1]
Definition: vectors.h:29
musig_key_agg_error_test_case::error
enum MUSIG_ERROR error
Definition: vectors.h:30
musig_key_agg_error_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:25
musig_key_agg_error_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:26
musig_key_agg_error_test_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:27
musig_key_agg_error_test_case::tweak_indices
size_t tweak_indices[1]
Definition: vectors.h:28
musig_key_agg_valid_test_case
Definition: vectors.h:18
musig_key_agg_valid_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:19
musig_key_agg_valid_test_case::expected
unsigned char expected[32]
Definition: vectors.h:21
musig_key_agg_valid_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:20
musig_key_agg_vector
Definition: vectors.h:33
musig_key_agg_vector::error_case
struct musig_key_agg_error_test_case error_case[5]
Definition: vectors.h:37
musig_key_agg_vector::pubkeys
unsigned char pubkeys[7][33]
Definition: vectors.h:34
musig_key_agg_vector::valid_case
struct musig_key_agg_valid_test_case valid_case[4]
Definition: vectors.h:36
musig_key_agg_vector::tweaks
unsigned char tweaks[2][32]
Definition: vectors.h:35
musig_nonce_agg_test_case
Definition: vectors.h:95
musig_nonce_agg_test_case::expected
unsigned char expected[66]
Definition: vectors.h:98
musig_nonce_agg_test_case::invalid_nonce_idx
int invalid_nonce_idx
Definition: vectors.h:100
musig_nonce_agg_test_case::pnonce_indices
size_t pnonce_indices[2]
Definition: vectors.h:96
musig_nonce_agg_vector
Definition: vectors.h:103
musig_nonce_agg_vector::pnonces
unsigned char pnonces[7][66]
Definition: vectors.h:104
musig_nonce_agg_vector::error_case
struct musig_nonce_agg_test_case error_case[3]
Definition: vectors.h:106
musig_nonce_agg_vector::valid_case
struct musig_nonce_agg_test_case valid_case[2]
Definition: vectors.h:105
musig_nonce_gen_test_case
Definition: vectors.h:69
musig_nonce_gen_test_case::has_msg
int has_msg
Definition: vectors.h:76
musig_nonce_gen_test_case::extra_in
unsigned char extra_in[32]
Definition: vectors.h:79
musig_nonce_gen_test_case::rand_
unsigned char rand_[32]
Definition: vectors.h:70
musig_nonce_gen_test_case::expected_pubnonce
unsigned char expected_pubnonce[66]
Definition: vectors.h:81
musig_nonce_gen_test_case::sk
unsigned char sk[32]
Definition: vectors.h:72
musig_nonce_gen_test_case::has_sk
int has_sk
Definition: vectors.h:71
musig_nonce_gen_test_case::msg
unsigned char msg[32]
Definition: vectors.h:77
musig_nonce_gen_test_case::has_aggpk
int has_aggpk
Definition: vectors.h:74
musig_nonce_gen_test_case::has_extra_in
int has_extra_in
Definition: vectors.h:78
musig_nonce_gen_test_case::expected_secnonce
unsigned char expected_secnonce[97]
Definition: vectors.h:80
musig_nonce_gen_test_case::pk
unsigned char pk[33]
Definition: vectors.h:73
musig_nonce_gen_test_case::aggpk
unsigned char aggpk[32]
Definition: vectors.h:75
musig_nonce_gen_vector
Definition: vectors.h:84
musig_nonce_gen_vector::test_case
struct musig_nonce_gen_test_case test_case[2]
Definition: vectors.h:85
musig_sig_agg_case
Definition: vectors.h:288
musig_sig_agg_case::is_xonly
int is_xonly[3]
Definition: vectors.h:293
musig_sig_agg_case::tweak_indices
size_t tweak_indices[3]
Definition: vectors.h:292
musig_sig_agg_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:289
musig_sig_agg_case::psig_indices_len
size_t psig_indices_len
Definition: vectors.h:295
musig_sig_agg_case::invalid_sig_idx
int invalid_sig_idx
Definition: vectors.h:300
musig_sig_agg_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:291
musig_sig_agg_case::expected
unsigned char expected[64]
Definition: vectors.h:298
musig_sig_agg_case::psig_indices
size_t psig_indices[2]
Definition: vectors.h:296
musig_sig_agg_case::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:294
musig_sig_agg_case::key_indices
size_t key_indices[2]
Definition: vectors.h:290
musig_sig_agg_vector
Definition: vectors.h:303
musig_sig_agg_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:304
musig_sig_agg_vector::msg
unsigned char msg[32]
Definition: vectors.h:307
musig_sig_agg_vector::tweaks
unsigned char tweaks[3][32]
Definition: vectors.h:305
musig_sig_agg_vector::psigs
unsigned char psigs[9][32]
Definition: vectors.h:306
musig_sig_agg_vector::error_case
struct musig_sig_agg_case error_case[1]
Definition: vectors.h:309
musig_sig_agg_vector::valid_case
struct musig_sig_agg_case valid_case[4]
Definition: vectors.h:308
musig_sign_error_case
Definition: vectors.h:141
musig_sign_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:147
musig_sign_error_case::secnonce_index
size_t secnonce_index
Definition: vectors.h:146
musig_sign_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:142
musig_sign_error_case::msg_index
size_t msg_index
Definition: vectors.h:145
musig_sign_error_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:144
musig_sign_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:143
musig_sign_verify_vector
Definition: vectors.h:161
musig_sign_verify_vector::verify_fail_case
struct musig_verify_fail_error_case verify_fail_case[3]
Definition: vectors.h:170
musig_sign_verify_vector::sign_error_case
struct musig_sign_error_case sign_error_case[6]
Definition: vectors.h:169
musig_sign_verify_vector::verify_error_case
struct musig_verify_fail_error_case verify_error_case[2]
Definition: vectors.h:171
musig_sign_verify_vector::sk
unsigned char sk[32]
Definition: vectors.h:162
musig_sign_verify_vector::msgs
unsigned char msgs[1][32]
Definition: vectors.h:167
musig_sign_verify_vector::aggnonces
unsigned char aggnonces[5][66]
Definition: vectors.h:166
musig_sign_verify_vector::secnonces
unsigned char secnonces[2][194]
Definition: vectors.h:164
musig_sign_verify_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:163
musig_sign_verify_vector::pubnonces
unsigned char pubnonces[5][194]
Definition: vectors.h:165
musig_sign_verify_vector::valid_case
struct musig_valid_case valid_case[4]
Definition: vectors.h:168
musig_tweak_case
Definition: vectors.h:228
musig_tweak_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:233
musig_tweak_case::key_indices
size_t key_indices[3]
Definition: vectors.h:230
musig_tweak_case::is_xonly
int is_xonly[4]
Definition: vectors.h:235
musig_tweak_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:229
musig_tweak_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:232
musig_tweak_case::expected
unsigned char expected[32]
Definition: vectors.h:237
musig_tweak_case::signer_index
size_t signer_index
Definition: vectors.h:236
musig_tweak_case::tweak_indices
size_t tweak_indices[4]
Definition: vectors.h:234
musig_tweak_vector
Definition: vectors.h:240
musig_tweak_vector::msg
unsigned char msg[32]
Definition: vectors.h:244
musig_tweak_vector::secnonce
unsigned char secnonce[97]
Definition: vectors.h:242
musig_tweak_vector::sk
unsigned char sk[32]
Definition: vectors.h:241
musig_tweak_vector::valid_case
struct musig_tweak_case valid_case[5]
Definition: vectors.h:248
musig_tweak_vector::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:243
musig_tweak_vector::pubnonces
unsigned char pubnonces[3][194]
Definition: vectors.h:246
musig_tweak_vector::pubkeys
unsigned char pubkeys[3][33]
Definition: vectors.h:245
musig_tweak_vector::tweaks
unsigned char tweaks[5][32]
Definition: vectors.h:247
musig_tweak_vector::error_case
struct musig_tweak_case error_case[1]
Definition: vectors.h:249
musig_valid_case
Definition: vectors.h:132
musig_valid_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:133
musig_valid_case::key_indices
size_t key_indices[3]
Definition: vectors.h:134
musig_valid_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:135
musig_valid_case::msg_index
size_t msg_index
Definition: vectors.h:136
musig_valid_case::expected
unsigned char expected[32]
Definition: vectors.h:138
musig_verify_fail_error_case
Definition: vectors.h:150
musig_verify_fail_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:153
musig_verify_fail_error_case::msg_index
size_t msg_index
Definition: vectors.h:156
musig_verify_fail_error_case::signer_index
size_t signer_index
Definition: vectors.h:157
musig_verify_fail_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:158
musig_verify_fail_error_case::sig
unsigned char sig[32]
Definition: vectors.h:151
musig_verify_fail_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:152
musig_verify_fail_error_case::nonce_indices_len
size_t nonce_indices_len
Definition: vectors.h:154
musig_verify_fail_error_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:155
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_keyagg_cache_internal
Definition: keyagg.h:15
secp256k1_keyagg_cache_internal::pk
secp256k1_ge pk
Definition: keyagg.h:16
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77
secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github....
Definition: secp256k1_musig.h:43
secp256k1_musig_partial_sig
Opaque data structure that holds a partial MuSig signature.
Definition: secp256k1_musig.h:96
secp256k1_musig_pubnonce
Opaque data structure that holds a signer's public nonce.
Definition: secp256k1_musig.h:68
secp256k1_musig_secnonce
Opaque data structure that holds a signer's secret nonce.
Definition: secp256k1_musig.h:59
secp256k1_musig_secnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:60
secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:62
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_xonly_pubkey::data
unsigned char data[64]
Definition: secp256k1_extrakeys.h:23
tf_test_entry
Definition: unit_test.h:51
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
CTX
static secp256k1_context * CTX
Definition: tests.c:42
test_sha256_tag_midstate
static void test_sha256_tag_midstate(secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:627
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
testutil_random_ge_test
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:90
COUNT
int COUNT
Definition: unit_test.c:23
CASE1
#define CASE1(name)
Definition: unit_test.h:25
REPEAT_TEST
#define REPEAT_TEST(fn)
Definition: unit_test.h:34
musig_sig_agg_vector
static const struct musig_sig_agg_vector musig_sig_agg_vector
Definition: vectors.h:312
musig_tweak_vector
static const struct musig_tweak_vector musig_tweak_vector
Definition: vectors.h:252
musig_nonce_agg_vector
static const struct musig_nonce_agg_vector musig_nonce_agg_vector
Definition: vectors.h:109
MUSIG_ERROR
MUSIG_ERROR
Automatically generated by .
Definition: vectors.h:7
MUSIG_AGGNONCE
@ MUSIG_AGGNONCE
Definition: vectors.h:11
MUSIG_TWEAK
@ MUSIG_TWEAK
Definition: vectors.h:9
MUSIG_SIG_VERIFY
@ MUSIG_SIG_VERIFY
Definition: vectors.h:14
MUSIG_PUBNONCE
@ MUSIG_PUBNONCE
Definition: vectors.h:10
MUSIG_SIG
@ MUSIG_SIG
Definition: vectors.h:13
MUSIG_PUBKEY
@ MUSIG_PUBKEY
Definition: vectors.h:8
MUSIG_OTHER
@ MUSIG_OTHER
Definition: vectors.h:15
MUSIG_SECNONCE
@ MUSIG_SECNONCE
Definition: vectors.h:12
MUSIG_VECTORS_MAX_PUBKEYS
@ MUSIG_VECTORS_MAX_PUBKEYS
Definition: vectors.h:346
musig_key_agg_vector
static const struct musig_key_agg_vector musig_key_agg_vector
Definition: vectors.h:40
musig_nonce_gen_vector
static const struct musig_nonce_gen_vector musig_nonce_gen_vector
Definition: vectors.h:88
musig_sign_verify_vector
static const struct musig_sign_verify_vector musig_sign_verify_vector
Definition: vectors.h:174
Generated on Sat Nov 8 2025 20:00:31 for Bitcoin Core by doxygen 1.9.4