Bitcoin Core 28.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Distributed under the MIT software license, see the accompanying *
3 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
4 ***********************************************************************/
5
6#ifndef SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
7#define SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
8
9#include <stdlib.h>
10#include <string.h>
11
12#include "../../../include/secp256k1.h"
13#include "../../../include/secp256k1_extrakeys.h"
14#include "../../../include/secp256k1_musig.h"
15
16#include "session.h"
17#include "keyagg.h"
18#include "../../scalar.h"
19#include "../../field.h"
20#include "../../group.h"
21#include "../../hash.h"
22#include "../../util.h"
23
24#include "vectors.h"
25
26static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) {
27 int ret;
28 secp256k1_keypair keypair_tmp;
29 ret = secp256k1_keypair_create(CTX, &keypair_tmp, sk);
30 ret &= secp256k1_keypair_pub(CTX, pk, &keypair_tmp);
31 if (keypair != NULL) {
32 *keypair = keypair_tmp;
33 }
34 return ret;
35}
36
37/* Just a simple (non-tweaked) 2-of-2 MuSig aggregate, sign, verify
38 * test. */
39static void musig_simple_test(void) {
40 unsigned char sk[2][32];
41 secp256k1_keypair keypair[2];
42 secp256k1_musig_pubnonce pubnonce[2];
43 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
44 secp256k1_musig_aggnonce aggnonce;
45 unsigned char msg[32];
46 secp256k1_xonly_pubkey agg_pk;
47 secp256k1_musig_keyagg_cache keyagg_cache;
48 unsigned char session_secrand[2][32];
49 secp256k1_musig_secnonce secnonce[2];
50 secp256k1_pubkey pk[2];
51 const secp256k1_pubkey *pk_ptr[2];
52 secp256k1_musig_partial_sig partial_sig[2];
53 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
54 unsigned char final_sig[64];
55 secp256k1_musig_session session;
56 int i;
57
58 testrand256(msg);
59 for (i = 0; i < 2; i++) {
60 testrand256(sk[i]);
61 pk_ptr[i] = &pk[i];
62 pubnonce_ptr[i] = &pubnonce[i];
63 partial_sig_ptr[i] = &partial_sig[i];
64
65 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
66 if (i == 0) {
67 testrand256(session_secrand[i]);
68 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[i], &pubnonce[i], session_secrand[i], sk[i], &pk[i], NULL, NULL, NULL) == 1);
69 } else {
70 uint64_t nonrepeating_cnt = 0;
71 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[i], &pubnonce[i], nonrepeating_cnt, &keypair[i], NULL, NULL, NULL) == 1);
72 }
73 }
74
75 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
76 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
77 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
78
79 for (i = 0; i < 2; i++) {
80 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[i], &secnonce[i], &keypair[i], &keyagg_cache, &session) == 1);
81 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[i], &pubnonce[i], &pk[i], &keyagg_cache, &session) == 1);
82 }
83
84 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
85 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), &agg_pk) == 1);
86}
87
88/* Generate two pubnonces such that both group elements of their sum (calculated
89 * with secp256k1_musig_sum_pubnonces) are infinity. */
90static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce) {
91 secp256k1_ge ge[2];
92 int i;
93 secp256k1_gej summed_pubnonces[2];
94 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
95
96 testutil_random_ge_test(&ge[0]);
97 testutil_random_ge_test(&ge[1]);
98
99 for (i = 0; i < 2; i++) {
100 secp256k1_musig_pubnonce_save(&pubnonce[i], ge);
101 pubnonce_ptr[i] = &pubnonce[i];
102 secp256k1_ge_neg(&ge[0], &ge[0]);
103 secp256k1_ge_neg(&ge[1], &ge[1]);
104 }
105
106 secp256k1_musig_sum_pubnonces(CTX, summed_pubnonces, pubnonce_ptr, 2);
107 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[0]));
108 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[1]));
109}
110
111int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len) {
112 int ret;
113 size_t i;
114 ret = secp256k1_memcmp_var(value, expected, len);
115 for (i = 0; i < len; i++) {
116 value[i] = testrand_bits(8);
117 }
118 return ret;
119}
120
121static void musig_api_tests(void) {
122 secp256k1_musig_partial_sig partial_sig[2];
123 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
124 secp256k1_musig_partial_sig invalid_partial_sig;
125 const secp256k1_musig_partial_sig *invalid_partial_sig_ptr[2];
126 unsigned char pre_sig[64];
127 unsigned char buf[32];
128 unsigned char sk[2][32];
129 secp256k1_keypair keypair[2];
130 secp256k1_keypair invalid_keypair;
131 unsigned char max64[64];
132 unsigned char zeros132[132] = { 0 };
133 unsigned char session_secrand[2][32];
134 unsigned char nonrepeating_cnt = 0;
135 secp256k1_musig_secnonce secnonce[2];
136 secp256k1_musig_secnonce secnonce_tmp;
137 secp256k1_musig_secnonce invalid_secnonce;
138 secp256k1_musig_pubnonce pubnonce[2];
139 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
140 unsigned char pubnonce_ser[66];
141 secp256k1_musig_pubnonce inf_pubnonce[2];
142 const secp256k1_musig_pubnonce *inf_pubnonce_ptr[2];
143 secp256k1_musig_pubnonce invalid_pubnonce;
144 const secp256k1_musig_pubnonce *invalid_pubnonce_ptr[1];
145 secp256k1_musig_aggnonce aggnonce;
146 unsigned char aggnonce_ser[66];
147 unsigned char msg[32];
148 secp256k1_xonly_pubkey agg_pk;
149 secp256k1_pubkey full_agg_pk;
150 secp256k1_musig_keyagg_cache keyagg_cache;
151 secp256k1_musig_keyagg_cache invalid_keyagg_cache;
152 secp256k1_musig_session session;
153 secp256k1_musig_session invalid_session;
154 secp256k1_pubkey pk[2];
155 const secp256k1_pubkey *pk_ptr[2];
156 secp256k1_pubkey invalid_pk;
157 const secp256k1_pubkey *invalid_pk_ptr2[2];
158 const secp256k1_pubkey *invalid_pk_ptr3[3];
159 unsigned char tweak[32];
160 int i;
161
163 memset(max64, 0xff, sizeof(max64));
164 memset(&invalid_keypair, 0, sizeof(invalid_keypair));
165 memset(&invalid_pk, 0, sizeof(invalid_pk));
166 memset(&invalid_secnonce, 0, sizeof(invalid_secnonce));
167 memset(&invalid_partial_sig, 0, sizeof(invalid_partial_sig));
168 pubnonce_summing_to_inf(inf_pubnonce);
169 /* Simulate structs being uninitialized by setting it to 0s. We don't want
170 * to produce undefined behavior by actually providing uninitialized
171 * structs. */
172 memset(&invalid_keyagg_cache, 0, sizeof(invalid_keyagg_cache));
173 memset(&invalid_pk, 0, sizeof(invalid_pk));
174 memset(&invalid_pubnonce, 0, sizeof(invalid_pubnonce));
175 memset(&invalid_session, 0, sizeof(invalid_session));
176
177 testrand256(msg);
178 testrand256(tweak);
179 for (i = 0; i < 2; i++) {
180 pk_ptr[i] = &pk[i];
181 invalid_pk_ptr2[i] = &invalid_pk;
182 invalid_pk_ptr3[i] = &pk[i];
183 pubnonce_ptr[i] = &pubnonce[i];
184 inf_pubnonce_ptr[i] = &inf_pubnonce[i];
185 partial_sig_ptr[i] = &partial_sig[i];
186 invalid_partial_sig_ptr[i] = &partial_sig[i];
187 testrand256(session_secrand[i]);
188 testrand256(sk[i]);
189 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
190 }
191 invalid_pubnonce_ptr[0] = &invalid_pubnonce;
192 invalid_partial_sig_ptr[0] = &invalid_partial_sig;
193 /* invalid_pk_ptr3 has two valid, one invalid pk, which is important to test
194 * musig_pubkey_agg */
195 invalid_pk_ptr3[2] = &invalid_pk;
196
200 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
201 CHECK(secp256k1_musig_pubkey_agg(CTX, NULL, &keyagg_cache, pk_ptr, 2) == 1);
202 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2) == 1);
203 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 2));
204 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
205 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr2, 2));
206 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
207 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr3, 3));
208 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
209 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 0));
210 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
211 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 0));
212 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
213
214 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
215
216 /* pubkey_get */
217 CHECK(secp256k1_musig_pubkey_get(CTX, &full_agg_pk, &keyagg_cache) == 1);
218 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, NULL, &keyagg_cache));
219 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, &full_agg_pk, NULL));
220 CHECK(secp256k1_memcmp_var(&full_agg_pk, zeros132, sizeof(full_agg_pk)) == 0);
221
223 {
224 int (*tweak_func[2]) (const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32);
225 tweak_func[0] = secp256k1_musig_pubkey_ec_tweak_add;
226 tweak_func[1] = secp256k1_musig_pubkey_xonly_tweak_add;
227 for (i = 0; i < 2; i++) {
228 secp256k1_pubkey tmp_output_pk;
229 secp256k1_musig_keyagg_cache tmp_keyagg_cache = keyagg_cache;
230 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, tweak) == 1);
231 /* Reset keyagg_cache */
232 tmp_keyagg_cache = keyagg_cache;
233 CHECK((*tweak_func[i])(CTX, NULL, &tmp_keyagg_cache, tweak) == 1);
234 tmp_keyagg_cache = keyagg_cache;
235 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, NULL, tweak));
236 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
237 tmp_keyagg_cache = keyagg_cache;
238 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, NULL));
239 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
240 tmp_keyagg_cache = keyagg_cache;
241 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, max64) == 0);
242 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
243 tmp_keyagg_cache = keyagg_cache;
244 /* Uninitialized keyagg_cache */
245 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &invalid_keyagg_cache, tweak));
246 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
247 }
248 }
249
251 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
252 /* nonce_gen, if successful, sets session_secrand to the zero array, which
253 * makes subsequent nonce_gen calls with the same session_secrand fail. So
254 * check that session_secrand is indeed the zero array and fill it with
255 * random values again. */
256 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
257
258 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen(STATIC_CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
259 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
260
261 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, NULL, &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
262
263 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], NULL, session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
264 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
265
266 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64));
267 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
268
269 /* session_secrand = 0 is disallowed because it indicates a faulty RNG */
270 memcpy(&session_secrand[0], zeros132, sizeof(session_secrand[0]));
271 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], zeros132, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
272 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
273 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
274
275 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1);
276 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
277
278 /* invalid seckey */
279 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0);
280 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
281
282 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], NULL, msg, &keyagg_cache, max64));
283 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
284
285 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64));
286 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
287
288 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1);
289 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
290
291 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, NULL, max64) == 1);
292 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
293
294 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64));
295 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
296
297 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1);
298 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
299
300 /* Every in-argument except session_secrand and pubkey can be NULL */
301 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], NULL, NULL, NULL) == 1);
302 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk[1], &pk[1], NULL, NULL, NULL) == 1);
303
305 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64) == 1);
306 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen_counter(STATIC_CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
307 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
308 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, NULL, &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
309 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], NULL, nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
310 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
311 /* using nonce_gen_counter requires keypair */
312 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, NULL, msg, &keyagg_cache, max64));
313 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
314 /* invalid keypair */
315 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &invalid_keypair, msg, &keyagg_cache, max64));
316 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
317 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, &keyagg_cache, max64) == 1);
318 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, NULL, max64) == 1);
319 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &invalid_keyagg_cache, max64));
320 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
321 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt,&keypair[0], msg, &keyagg_cache, NULL) == 1);
322
323 /* Every in-argument except nonrepeating_cnt and keypair can be NULL */
324 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, NULL, NULL) == 1);
325 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[1], &pubnonce[1], nonrepeating_cnt, &keypair[1], NULL, NULL, NULL) == 1);
326
327
329 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, NULL, &pubnonce[0]));
330 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, NULL));
331 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
332 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &invalid_pubnonce));
333 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
334 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
335
336 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
337 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, NULL, pubnonce_ser));
338 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], NULL));
339 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], zeros132) == 0);
340 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
341
342 {
343 /* Check that serialize and parse results in the same value */
344 secp256k1_musig_pubnonce tmp;
345 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
346 CHECK(secp256k1_musig_pubnonce_parse(CTX, &tmp, pubnonce_ser) == 1);
347 CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
348 }
349
351 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
352 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, NULL, pubnonce_ptr, 2));
353 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, NULL, 2));
354 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 0));
355 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, invalid_pubnonce_ptr, 1));
356 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, inf_pubnonce_ptr, 2) == 1);
357 {
358 /* Check that the aggnonce encodes two points at infinity */
359 secp256k1_ge aggnonce_pt[2];
360 secp256k1_musig_aggnonce_load(CTX, aggnonce_pt, &aggnonce);
361 for (i = 0; i < 2; i++) {
362 secp256k1_ge_is_infinity(&aggnonce_pt[i]);
363 }
364 }
365 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
366
368 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
369 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, NULL, &aggnonce));
370 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, NULL));
371 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
372 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, (secp256k1_musig_aggnonce*) &invalid_pubnonce));
373 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
374 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
375
376 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
377 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, NULL, aggnonce_ser));
378 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, &aggnonce, NULL));
379 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, zeros132) == 1);
380 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
381
382 {
383 /* Check that serialize and parse results in the same value */
384 secp256k1_musig_aggnonce tmp;
385 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
386 CHECK(secp256k1_musig_aggnonce_parse(CTX, &tmp, aggnonce_ser) == 1);
387 CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0);
388 }
389
391 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
392 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, NULL, &aggnonce, msg, &keyagg_cache));
393 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, NULL, msg, &keyagg_cache));
394 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, (secp256k1_musig_aggnonce*) &invalid_pubnonce, msg, &keyagg_cache));
395 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, NULL, &keyagg_cache));
396 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, NULL));
397 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &invalid_keyagg_cache));
398
399 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
400
401 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
402 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1);
403 /* The secnonce is set to 0 and subsequent signing attempts fail */
404 CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros132, sizeof(secnonce_tmp)) == 0);
405 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
406 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
407 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, NULL, &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
408 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
409 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], NULL, &keypair[0], &keyagg_cache, &session));
410 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &invalid_secnonce, &keypair[0], &keyagg_cache, &session));
411 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, NULL, &keyagg_cache, &session));
412 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
413 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &invalid_keypair, &keyagg_cache, &session));
414 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
415 {
416 unsigned char sk_tmp[32];
417 secp256k1_keypair keypair_tmp;
418 testrand256(sk_tmp);
419 CHECK(secp256k1_keypair_create(CTX, &keypair_tmp, sk_tmp));
420 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair_tmp, &keyagg_cache, &session));
421 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
422 }
423 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], NULL, &session));
424 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
425 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &invalid_keyagg_cache, &session));
426 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
427 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, NULL));
428 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
429 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &invalid_session));
430 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
431
432 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], &keyagg_cache, &session) == 1);
433 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], &keyagg_cache, &session) == 1);
434
435 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
436 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, NULL, &partial_sig[0]));
437 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, NULL));
438 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, &invalid_partial_sig));
439 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], buf) == 1);
440 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, NULL, buf));
441 {
442 /* Check that parsing failure results in an invalid sig */
443 secp256k1_musig_partial_sig tmp;
444 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, max64) == 0);
445 CHECK(secp256k1_memcmp_var(&tmp, zeros132, sizeof(partial_sig[0])) == 0);
446 }
447 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], NULL));
448
449 {
450 /* Check that serialize and parse results in the same value */
451 secp256k1_musig_partial_sig tmp;
452 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
453 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, buf) == 1);
454 CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
455 }
456
458 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
459 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 0);
460 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, NULL, &pubnonce[0], &pk[0], &keyagg_cache, &session));
461 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &invalid_partial_sig, &pubnonce[0], &pk[0], &keyagg_cache, &session));
462 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], NULL, &pk[0], &keyagg_cache, &session));
463 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &invalid_pubnonce, &pk[0], &keyagg_cache, &session));
464 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], NULL, &keyagg_cache, &session));
465 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &invalid_pk, &keyagg_cache, &session));
466 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], NULL, &session));
467 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &invalid_keyagg_cache, &session));
468 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, NULL));
469 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &invalid_session));
470
471 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
472 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], &keyagg_cache, &session) == 1);
473
475 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
476 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, NULL, &session, partial_sig_ptr, 2));
477 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, NULL, partial_sig_ptr, 2));
478 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &invalid_session, partial_sig_ptr, 2));
479 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, NULL, 2));
480 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, invalid_partial_sig_ptr, 2));
481 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 0));
482 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 1) == 1);
483 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
484}
485
486static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
487 secp256k1_scalar k1[2], k2[2];
488
489 secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4], args[5]);
490 testrand_flip(args[n_flip], n_bytes);
491 secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4], args[5]);
492 CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0);
493 CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0);
494}
495
496static void musig_nonce_test(void) {
497 unsigned char *args[6];
498 unsigned char session_secrand[32];
499 unsigned char sk[32];
500 unsigned char pk[33];
501 unsigned char msg[32];
502 unsigned char agg_pk[32];
503 unsigned char extra_input[32];
504 int i, j;
505 secp256k1_scalar k[6][2];
506
507 testrand_bytes_test(session_secrand, sizeof(session_secrand));
508 testrand_bytes_test(sk, sizeof(sk));
509 testrand_bytes_test(pk, sizeof(pk));
510 testrand_bytes_test(msg, sizeof(msg));
511 testrand_bytes_test(agg_pk, sizeof(agg_pk));
512 testrand_bytes_test(extra_input, sizeof(extra_input));
513
514 /* Check that a bitflip in an argument results in different nonces. */
515 args[0] = session_secrand;
516 args[1] = msg;
517 args[2] = sk;
518 args[3] = pk;
519 args[4] = agg_pk;
520 args[5] = extra_input;
521 for (i = 0; i < COUNT; i++) {
522 musig_nonce_bitflip(args, 0, sizeof(session_secrand));
523 musig_nonce_bitflip(args, 1, sizeof(msg));
524 musig_nonce_bitflip(args, 2, sizeof(sk));
525 musig_nonce_bitflip(args, 3, sizeof(pk));
526 musig_nonce_bitflip(args, 4, sizeof(agg_pk));
527 musig_nonce_bitflip(args, 5, sizeof(extra_input));
528 }
529 /* Check that if any argument is NULL, a different nonce is produced than if
530 * any other argument is NULL. */
531 memcpy(msg, session_secrand, sizeof(msg));
532 memcpy(sk, session_secrand, sizeof(sk));
533 memcpy(pk, session_secrand, sizeof(session_secrand));
534 memcpy(agg_pk, session_secrand, sizeof(agg_pk));
535 memcpy(extra_input, session_secrand, sizeof(extra_input));
536 secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4], args[5]);
537 secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4], args[5]);
538 secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4], args[5]);
539 secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4], args[5]);
540 secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL, args[5]);
541 secp256k1_nonce_function_musig(k[5], args[0], args[1], args[2], args[3], args[4], NULL);
542 for (i = 0; i < 6; i++) {
543 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1]));
544 for (j = i+1; j < 6; j++) {
545 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0]));
546 CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1]));
547 }
548 }
549}
550
551static void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag, size_t taglen) {
552 secp256k1_sha256 sha;
553 secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
554 test_sha256_eq(&sha, sha_tagged);
555}
556
557/* Checks that the initialized tagged hashes have the expected
558 * state. */
559static void sha256_tag_test(void) {
560 secp256k1_sha256 sha;
561 {
562 char tag[] = "KeyAgg list";
563 secp256k1_musig_keyagglist_sha256(&sha);
564 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
565 }
566 {
567 char tag[] = "KeyAgg coefficient";
568 secp256k1_musig_keyaggcoef_sha256(&sha);
569 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
570 }
571 {
572 unsigned char tag[] = "MuSig/aux";
573 secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
574 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
575 }
576 {
577 unsigned char tag[] = "MuSig/nonce";
578 secp256k1_nonce_function_musig_sha256_tagged(&sha);
579 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
580 }
581 {
582 unsigned char tag[] = "MuSig/noncecoef";
583 secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
584 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
585 }
586}
587
588/* Attempts to create a signature for the aggregate public key using given secret
589 * keys and keyagg_cache. */
590static void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache) {
591 secp256k1_pubkey pk[2];
592 unsigned char session_secrand[2][32];
593 unsigned char msg[32];
594 secp256k1_musig_secnonce secnonce[2];
595 secp256k1_musig_pubnonce pubnonce[2];
596 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
597 secp256k1_musig_aggnonce aggnonce;
598 secp256k1_keypair keypair[2];
599 secp256k1_musig_session session;
600 secp256k1_musig_partial_sig partial_sig[2];
601 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
602 unsigned char final_sig[64];
603 int i;
604
605 for (i = 0; i < 2; i++) {
606 pubnonce_ptr[i] = &pubnonce[i];
607 partial_sig_ptr[i] = &partial_sig[i];
608
609 testrand256(session_secrand[i]);
610 }
611 CHECK(create_keypair_and_pk(&keypair[0], &pk[0], sk0) == 1);
612 CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1);
613 testrand256(msg);
614
615 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk0, &pk[0], NULL, NULL, NULL) == 1);
616 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk1, &pk[1], NULL, NULL, NULL) == 1);
617
618 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
619 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, keyagg_cache) == 1);
620
621 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], keyagg_cache, &session) == 1);
622 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], keyagg_cache, &session) == 1);
623
624 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], keyagg_cache, &session) == 1);
625 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], keyagg_cache, &session) == 1);
626
627 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
628 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), agg_pk) == 1);
629}
630
631/* Create aggregate public key P[0], tweak multiple times (using xonly and
632 * plain tweaking) and test signing. */
633static void musig_tweak_test(void) {
634 unsigned char sk[2][32];
635 secp256k1_pubkey pk[2];
636 const secp256k1_pubkey *pk_ptr[2];
637 secp256k1_musig_keyagg_cache keyagg_cache;
638 enum { N_TWEAKS = 8 };
639 secp256k1_pubkey P[N_TWEAKS + 1];
640 secp256k1_xonly_pubkey P_xonly[N_TWEAKS + 1];
641 int i;
642
643 /* Key Setup */
644 for (i = 0; i < 2; i++) {
645 pk_ptr[i] = &pk[i];
646 testrand256(sk[i]);
647 CHECK(create_keypair_and_pk(NULL, &pk[i], sk[i]) == 1);
648 }
649 /* Compute P0 = keyagg(pk0, pk1) and test signing for it */
650 CHECK(secp256k1_musig_pubkey_agg(CTX, &P_xonly[0], &keyagg_cache, pk_ptr, 2) == 1);
651 musig_tweak_test_helper(&P_xonly[0], sk[0], sk[1], &keyagg_cache);
652 CHECK(secp256k1_musig_pubkey_get(CTX, &P[0], &keyagg_cache));
653
654 /* Compute Pi = f(Pj) + tweaki*G where where j = i-1 and try signing for
655 * that key. If xonly is set to true, the function f normalizes the input
656 * point to have an even X-coordinate ("xonly-tweaking").
657 * Otherwise, the function f is the identity function. */
658 for (i = 1; i <= N_TWEAKS; i++) {
659 unsigned char tweak[32];
660 int P_parity;
661 int xonly = testrand_bits(1);
662
663 testrand256(tweak);
664 if (xonly) {
665 CHECK(secp256k1_musig_pubkey_xonly_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
666 } else {
667 CHECK(secp256k1_musig_pubkey_ec_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
668 }
669 CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &P_xonly[i], &P_parity, &P[i]));
670 /* Check that musig_pubkey_tweak_add produces same result as
671 * xonly_pubkey_tweak_add or ec_pubkey_tweak_add. */
672 if (xonly) {
673 unsigned char P_serialized[32];
674 CHECK(secp256k1_xonly_pubkey_serialize(CTX, P_serialized, &P_xonly[i]));
675 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, P_serialized, P_parity, &P_xonly[i-1], tweak) == 1);
676 } else {
677 secp256k1_pubkey tmp_key = P[i-1];
678 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &tmp_key, tweak));
679 CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
680 }
681 /* Test signing for P[i] */
682 musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache);
683 }
684}
685
686int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error,
687 secp256k1_musig_keyagg_cache *keyagg_cache,
688 unsigned char *agg_pk_ser,
689 const unsigned char pubkeys33[][33],
690 const unsigned char tweaks32[][32],
691 size_t key_indices_len,
692 const size_t *key_indices,
693 size_t tweak_indices_len,
694 const size_t *tweak_indices,
695 const int *is_xonly) {
696 secp256k1_pubkey pubkeys[MUSIG_VECTORS_MAX_PUBKEYS];
697 const secp256k1_pubkey *pk_ptr[MUSIG_VECTORS_MAX_PUBKEYS];
698 int i;
699 secp256k1_pubkey agg_pk;
700 secp256k1_xonly_pubkey agg_pk_xonly;
701
702 for (i = 0; i < (int)key_indices_len; i++) {
703 if (!secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pubkeys33[key_indices[i]], 33)) {
704 *error = MUSIG_PUBKEY;
705 return 0;
706 }
707 pk_ptr[i] = &pubkeys[i];
708 }
709 if (!secp256k1_musig_pubkey_agg(CTX, NULL, keyagg_cache, pk_ptr, key_indices_len)) {
710 *error = MUSIG_OTHER;
711 return 0;
712 }
713
714 for (i = 0; i < (int)tweak_indices_len; i++) {
715 if (is_xonly[i]) {
716 if (!secp256k1_musig_pubkey_xonly_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
717 *error = MUSIG_TWEAK;
718 return 0;
719 }
720 } else {
721 if (!secp256k1_musig_pubkey_ec_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
722 *error = MUSIG_TWEAK;
723 return 0;
724 }
725 }
726 }
727 if (!secp256k1_musig_pubkey_get(CTX, &agg_pk, keyagg_cache)) {
728 *error = MUSIG_OTHER;
729 return 0;
730 }
731
732 if (!secp256k1_xonly_pubkey_from_pubkey(CTX, &agg_pk_xonly, NULL, &agg_pk)) {
733 *error = MUSIG_OTHER;
734 return 0;
735 }
736
737 if (agg_pk_ser != NULL) {
738 if (!secp256k1_xonly_pubkey_serialize(CTX, agg_pk_ser, &agg_pk_xonly)) {
739 *error = MUSIG_OTHER;
740 return 0;
741 }
742 }
743
744 return 1;
745}
746
747static void musig_test_vectors_keyagg(void) {
748 size_t i;
749 const struct musig_key_agg_vector *vector = &musig_key_agg_vector;
750
751 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
752 const struct musig_key_agg_valid_test_case *c = &vector->valid_case[i];
753 enum MUSIG_ERROR error;
754 secp256k1_musig_keyagg_cache keyagg_cache;
755 unsigned char agg_pk[32];
756
757 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, 0, NULL, NULL));
758 CHECK(secp256k1_memcmp_var(agg_pk, c->expected, sizeof(agg_pk)) == 0);
759 }
760
761 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
762 const struct musig_key_agg_error_test_case *c = &vector->error_case[i];
763 enum MUSIG_ERROR error;
764 secp256k1_musig_keyagg_cache keyagg_cache;
765
766 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
767 CHECK(c->error == error);
768 }
769}
770
771static void musig_test_vectors_noncegen(void) {
772 size_t i;
773 const struct musig_nonce_gen_vector *vector = &musig_nonce_gen_vector;
774
775 for (i = 0; i < sizeof(vector->test_case)/sizeof(vector->test_case[0]); i++) {
776 const struct musig_nonce_gen_test_case *c = &vector->test_case[i];
777 secp256k1_musig_keyagg_cache keyagg_cache;
778 secp256k1_musig_keyagg_cache *keyagg_cache_ptr = NULL;
779 unsigned char session_secrand32[32];
780 secp256k1_musig_secnonce secnonce;
781 secp256k1_musig_pubnonce pubnonce;
782 const unsigned char *sk = NULL;
783 const unsigned char *msg = NULL;
784 const unsigned char *extra_in = NULL;
785 secp256k1_pubkey pk;
786 unsigned char pubnonce66[66];
787
788 memcpy(session_secrand32, c->rand_, 32);
789 if (c->has_sk) {
790 sk = c->sk;
791 }
792 if (c->has_aggpk) {
793 /* Create keyagg_cache from aggpk */
794 secp256k1_keyagg_cache_internal cache_i;
795 secp256k1_xonly_pubkey aggpk;
796 memset(&cache_i, 0, sizeof(cache_i));
797 CHECK(secp256k1_xonly_pubkey_parse(CTX, &aggpk, c->aggpk));
798 CHECK(secp256k1_xonly_pubkey_load(CTX, &cache_i.pk, &aggpk));
799 secp256k1_keyagg_cache_save(&keyagg_cache, &cache_i);
800 keyagg_cache_ptr = &keyagg_cache;
801 }
802 if (c->has_msg) {
803 msg = c->msg;
804 }
805 if (c->has_extra_in) {
806 extra_in = c->extra_in;
807 }
808
809 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk, c->pk, sizeof(c->pk)));
810 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce, &pubnonce, session_secrand32, sk, &pk, msg, keyagg_cache_ptr, extra_in) == 1);
811 CHECK(secp256k1_memcmp_var(&secnonce.data[4], c->expected_secnonce, 2*32) == 0);
812 /* The last element of the secnonce is the public key (uncompressed in
813 * secp256k1_musig_secnonce, compressed in the test vector secnonce). */
814 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
815 CHECK(secp256k1_memcmp_var(&c->expected_secnonce[2*32], c->pk, sizeof(c->pk)) == 0);
816
817 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
818 CHECK(sizeof(c->expected_pubnonce) == sizeof(pubnonce66));
819 CHECK(secp256k1_memcmp_var(pubnonce66, c->expected_pubnonce, sizeof(pubnonce66)) == 0);
820 }
821}
822
823
824static void musig_test_vectors_nonceagg(void) {
825 size_t i;
826 int j;
827 const struct musig_nonce_agg_vector *vector = &musig_nonce_agg_vector;
828
829 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
830 const struct musig_nonce_agg_test_case *c = &vector->valid_case[i];
831 secp256k1_musig_pubnonce pubnonce[2];
832 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
833 secp256k1_musig_aggnonce aggnonce;
834 unsigned char aggnonce66[66];
835
836 for (j = 0; j < 2; j++) {
837 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]) == 1);
838 pubnonce_ptr[j] = &pubnonce[j];
839 }
840 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
841 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce66, &aggnonce));
842 CHECK(secp256k1_memcmp_var(aggnonce66, c->expected, 33) == 0);
843 }
844 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
845 const struct musig_nonce_agg_test_case *c = &vector->error_case[i];
846 secp256k1_musig_pubnonce pubnonce[2];
847 for (j = 0; j < 2; j++) {
848 int expected = c->invalid_nonce_idx != j;
849 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]));
850 }
851 }
852}
853
854static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey) {
855 secp256k1_ge pk;
856 secp256k1_scalar k[2];
857
858 secp256k1_scalar_set_b32(&k[0], &secnonce64[0], NULL);
859 secp256k1_scalar_set_b32(&k[1], &secnonce64[32], NULL);
860 CHECK(secp256k1_pubkey_load(CTX, &pk, pubkey));
861 secp256k1_musig_secnonce_save(secnonce, k, &pk);
862}
863
864static void musig_test_vectors_signverify(void) {
865 size_t i;
866 const struct musig_sign_verify_vector *vector = &musig_sign_verify_vector;
867
868 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
869 const struct musig_valid_case *c = &vector->valid_case[i];
870 enum MUSIG_ERROR error;
871 secp256k1_musig_keyagg_cache keyagg_cache;
872 secp256k1_pubkey pubkey;
873 secp256k1_musig_pubnonce pubnonce;
874 secp256k1_musig_aggnonce aggnonce;
875 secp256k1_musig_session session;
876 secp256k1_musig_partial_sig partial_sig;
877 secp256k1_musig_secnonce secnonce;
878 secp256k1_keypair keypair;
879 unsigned char partial_sig32[32];
880
881 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
882 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
883
884 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
885 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
886
887 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
888 musig_test_set_secnonce(&secnonce, vector->secnonces[0], &pubkey);
889 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
890 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
891 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
892
893 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[0]));
894 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
895 }
896 for (i = 0; i < sizeof(vector->sign_error_case)/sizeof(vector->sign_error_case[0]); i++) {
897 const struct musig_sign_error_case *c = &vector->sign_error_case[i];
898 enum MUSIG_ERROR error;
899 secp256k1_musig_keyagg_cache keyagg_cache;
900 secp256k1_pubkey pubkey;
901 secp256k1_musig_aggnonce aggnonce;
902 secp256k1_musig_session session;
903 secp256k1_musig_partial_sig partial_sig;
904 secp256k1_musig_secnonce secnonce;
905 secp256k1_keypair keypair;
906 int expected;
907
908 if (i == 0) {
909 /* Skip this vector since the implementation does not error out when
910 * the signing key does not belong to any pubkey. */
911 continue;
912 }
913 expected = c->error != MUSIG_PUBKEY;
914 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
915 CHECK(expected || c->error == error);
916 if (!expected) {
917 continue;
918 }
919
920 expected = c->error != MUSIG_AGGNONCE;
921 CHECK(expected == secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
922 if (!expected) {
923 continue;
924 }
925 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
926
927 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
928 musig_test_set_secnonce(&secnonce, vector->secnonces[c->secnonce_index], &pubkey);
929 expected = c->error != MUSIG_SECNONCE;
930 if (expected) {
931 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
932 } else {
933 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
934 }
935 }
936 for (i = 0; i < sizeof(vector->verify_fail_case)/sizeof(vector->verify_fail_case[0]); i++) {
937 const struct musig_verify_fail_error_case *c = &vector->verify_fail_case[i];
938 enum MUSIG_ERROR error;
939 secp256k1_musig_keyagg_cache keyagg_cache;
940 secp256k1_musig_aggnonce aggnonce;
941 secp256k1_musig_session session;
942 secp256k1_musig_partial_sig partial_sig;
943 enum { NUM_PUBNONCES = 3 };
944 secp256k1_musig_pubnonce pubnonce[NUM_PUBNONCES];
945 const secp256k1_musig_pubnonce *pubnonce_ptr[NUM_PUBNONCES];
946 secp256k1_pubkey pubkey;
947 int expected;
948 size_t j;
949
950 CHECK(NUM_PUBNONCES <= c->nonce_indices_len);
951 for (j = 0; j < c->nonce_indices_len; j++) {
952 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pubnonces[c->nonce_indices[j]]));
953 pubnonce_ptr[j] = &pubnonce[j];
954 }
955
956 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
957 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, c->nonce_indices_len) == 1);
958 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
959
960 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[c->signer_index], sizeof(vector->pubkeys[0])));
961
962 expected = c->error != MUSIG_SIG;
963 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig, c->sig));
964 if (!expected) {
965 continue;
966 }
967 expected = c->error != MUSIG_SIG_VERIFY;
968 CHECK(expected == secp256k1_musig_partial_sig_verify(CTX, &partial_sig, pubnonce, &pubkey, &keyagg_cache, &session));
969 }
970 for (i = 0; i < sizeof(vector->verify_error_case)/sizeof(vector->verify_error_case[0]); i++) {
971 const struct musig_verify_fail_error_case *c = &vector->verify_error_case[i];
972 enum MUSIG_ERROR error;
973 secp256k1_musig_keyagg_cache keyagg_cache;
974 secp256k1_musig_pubnonce pubnonce;
975 int expected;
976
977 expected = c->error != MUSIG_PUBKEY;
978 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
979 CHECK(expected || c->error == error);
980 if (!expected) {
981 continue;
982 }
983 expected = c->error != MUSIG_PUBNONCE;
984 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
985 }
986}
987
988static void musig_test_vectors_tweak(void) {
989 size_t i;
990 const struct musig_tweak_vector *vector = &musig_tweak_vector;
991 secp256k1_pubkey pubkey;
992 secp256k1_musig_aggnonce aggnonce;
993 secp256k1_musig_secnonce secnonce;
994
995 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonce));
996 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
997
998 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
999 const struct musig_tweak_case *c = &vector->valid_case[i];
1000 enum MUSIG_ERROR error;
1001 secp256k1_musig_keyagg_cache keyagg_cache;
1002 secp256k1_musig_pubnonce pubnonce;
1003 secp256k1_musig_session session;
1004 secp256k1_musig_partial_sig partial_sig;
1005 secp256k1_keypair keypair;
1006 unsigned char partial_sig32[32];
1007
1008 musig_test_set_secnonce(&secnonce, vector->secnonce, &pubkey);
1009
1010 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
1011 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1012
1013 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1014
1015 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
1016 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
1017 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
1018
1019 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1020 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
1021 }
1022 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1023 const struct musig_tweak_case *c = &vector->error_case[i];
1024 enum MUSIG_ERROR error;
1025 secp256k1_musig_keyagg_cache keyagg_cache;
1026 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1027 CHECK(error == MUSIG_TWEAK);
1028 }
1029}
1030
1031static void musig_test_vectors_sigagg(void) {
1032 size_t i, j;
1033 const struct musig_sig_agg_vector *vector = &musig_sig_agg_vector;
1034
1035 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
1036 const struct musig_sig_agg_case *c = &vector->valid_case[i];
1037 enum MUSIG_ERROR error;
1038 unsigned char final_sig[64];
1039 secp256k1_musig_keyagg_cache keyagg_cache;
1040 unsigned char agg_pk32[32];
1041 secp256k1_xonly_pubkey agg_pk;
1042 secp256k1_musig_aggnonce aggnonce;
1043 secp256k1_musig_session session;
1044 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1045 const secp256k1_musig_partial_sig *partial_sig_ptr[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1046
1047 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk32, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1048 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, c->aggnonce));
1049 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1050 for (j = 0; j < c->psig_indices_len; j++) {
1051 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1052 partial_sig_ptr[j] = &partial_sig[j];
1053 }
1054
1055 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, c->psig_indices_len) == 1);
1056 CHECK(secp256k1_memcmp_var(final_sig, c->expected, sizeof(final_sig)) == 0);
1057
1058 CHECK(secp256k1_xonly_pubkey_parse(CTX, &agg_pk, agg_pk32));
1059 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, vector->msg, sizeof(vector->msg), &agg_pk) == 1);
1060 }
1061 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1062 const struct musig_sig_agg_case *c = &vector->error_case[i];
1063 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1064 for (j = 0; j < c->psig_indices_len; j++) {
1065 int expected = c->invalid_sig_idx != (int)j;
1066 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1067 }
1068 }
1069}
1070
1071/* Since the BIP doesn't provide static test vectors for nonce_gen_counter, we
1072 * define a static test here */
1073static void musig_test_static_nonce_gen_counter(void) {
1074 secp256k1_musig_secnonce secnonce;
1075 secp256k1_musig_pubnonce pubnonce;
1076 unsigned char pubnonce66[66];
1077 secp256k1_pubkey pk;
1078 secp256k1_keypair keypair;
1079 uint64_t nonrepeating_cnt = 0;
1080 unsigned char sk[32] = {
1081 0xEE, 0xC1, 0xCB, 0x7D, 0x1B, 0x72, 0x54, 0xC5,
1082 0xCA, 0xB0, 0xD9, 0xC6, 0x1A, 0xB0, 0x2E, 0x64,
1083 0x3D, 0x46, 0x4A, 0x59, 0xFE, 0x6C, 0x96, 0xA7,
1084 0xEF, 0xE8, 0x71, 0xF0, 0x7C, 0x5A, 0xEF, 0x54,
1085 };
1086 unsigned char expected_secnonce[64] = {
1087 0x84, 0x2F, 0x13, 0x80, 0xCD, 0x17, 0xA1, 0x98,
1088 0xFC, 0x3D, 0xAD, 0x3B, 0x7D, 0xA7, 0x49, 0x29,
1089 0x41, 0xF4, 0x69, 0x76, 0xF2, 0x70, 0x2F, 0xF7,
1090 0xC6, 0x6F, 0x24, 0xF4, 0x72, 0x03, 0x6A, 0xF1,
1091 0xDA, 0x3F, 0x95, 0x2D, 0xDE, 0x4A, 0x2D, 0xA6,
1092 0xB6, 0x32, 0x57, 0x07, 0xCE, 0x87, 0xA4, 0xE3,
1093 0x61, 0x6D, 0x06, 0xFC, 0x5F, 0x81, 0xA9, 0xC9,
1094 0x93, 0x86, 0xD2, 0x0A, 0x99, 0xCE, 0xCF, 0x99,
1095 };
1096 unsigned char expected_pubnonce[66] = {
1097 0x03, 0xA5, 0xB9, 0xB6, 0x90, 0x79, 0x42, 0xEA,
1098 0xCD, 0xDA, 0x49, 0xA3, 0x66, 0x01, 0x6E, 0xC2,
1099 0xE6, 0x24, 0x04, 0xA1, 0xBF, 0x4A, 0xB6, 0xD4,
1100 0xDB, 0x82, 0x06, 0x7B, 0xC3, 0xAD, 0xF0, 0x86,
1101 0xD7, 0x03, 0x32, 0x05, 0xDB, 0x9E, 0xB3, 0x4D,
1102 0x5C, 0x7C, 0xE0, 0x28, 0x48, 0xCA, 0xC6, 0x8A,
1103 0x83, 0xED, 0x73, 0xE3, 0x88, 0x34, 0x77, 0xF5,
1104 0x63, 0xF2, 0x3C, 0xE9, 0xA1, 0x1A, 0x77, 0x21,
1105 0xEC, 0x64,
1106 };
1107
1108 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
1109 CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair));
1110 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce, &pubnonce, nonrepeating_cnt, &keypair, NULL, NULL, NULL) == 1);
1111
1112 CHECK(secp256k1_memcmp_var(&secnonce.data[4], expected_secnonce, 2*32) == 0);
1113 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
1114
1115 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
1116 CHECK(secp256k1_memcmp_var(pubnonce66, expected_pubnonce, sizeof(pubnonce66)) == 0);
1117}
1118
1119static void run_musig_tests(void) {
1120 int i;
1121
1122 for (i = 0; i < COUNT; i++) {
1123 musig_simple_test();
1124 }
1125 musig_api_tests();
1126 musig_nonce_test();
1127 for (i = 0; i < COUNT; i++) {
1128 /* Run multiple times to ensure that pk and nonce have different y
1129 * parities */
1130 musig_tweak_test();
1131 }
1132 sha256_tag_test();
1133 musig_test_vectors_keyagg();
1134 musig_test_vectors_noncegen();
1135 musig_test_vectors_nonceagg();
1136 musig_test_vectors_signverify();
1137 musig_test_vectors_tweak();
1138 musig_test_vectors_sigagg();
1139
1140 musig_test_static_nonce_gen_counter();
1141}
1142
1143#endif
ret
int ret
Definition: bitcoin-cli.cpp:1354
args
ArgsManager & args
Definition: bitcoind.cpp:277
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:14
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
secp256k1_musig_keyaggcoef_sha256
static void secp256k1_musig_keyaggcoef_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:99
secp256k1_musig_keyagglist_sha256
static void secp256k1_musig_keyagglist_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:64
secp256k1_keyagg_cache_save
static void secp256k1_keyagg_cache_save(secp256k1_musig_keyagg_cache *cache, const secp256k1_keyagg_cache_internal *cache_i)
Definition: keyagg_impl.h:31
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
musig_test_vectors_keyagg
static void musig_test_vectors_keyagg(void)
Definition: tests_impl.h:747
musig_nonce_test
static void musig_nonce_test(void)
Definition: tests_impl.h:496
musig_vectors_keyagg_and_tweak
int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error, secp256k1_musig_keyagg_cache *keyagg_cache, unsigned char *agg_pk_ser, const unsigned char pubkeys33[][33], const unsigned char tweaks32[][32], size_t key_indices_len, const size_t *key_indices, size_t tweak_indices_len, const size_t *tweak_indices, const int *is_xonly)
Definition: tests_impl.h:686
run_musig_tests
static void run_musig_tests(void)
Definition: tests_impl.h:1119
musig_tweak_test
static void musig_tweak_test(void)
Definition: tests_impl.h:633
musig_test_set_secnonce
static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey)
Definition: tests_impl.h:854
sha256_tag_test
static void sha256_tag_test(void)
Definition: tests_impl.h:559
create_keypair_and_pk
static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk)
Definition: tests_impl.h:26
musig_api_tests
static void musig_api_tests(void)
Definition: tests_impl.h:121
musig_test_vectors_sigagg
static void musig_test_vectors_sigagg(void)
Definition: tests_impl.h:1031
musig_test_vectors_signverify
static void musig_test_vectors_signverify(void)
Definition: tests_impl.h:864
pubnonce_summing_to_inf
static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce)
Definition: tests_impl.h:90
sha256_tag_test_internal
static void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag, size_t taglen)
Definition: tests_impl.h:551
musig_test_static_nonce_gen_counter
static void musig_test_static_nonce_gen_counter(void)
Definition: tests_impl.h:1073
memcmp_and_randomize
int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len)
Definition: tests_impl.h:111
musig_nonce_bitflip
static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes)
Definition: tests_impl.h:486
musig_test_vectors_nonceagg
static void musig_test_vectors_nonceagg(void)
Definition: tests_impl.h:824
musig_tweak_test_helper
static void musig_tweak_test_helper(const secp256k1_xonly_pubkey *agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache)
Definition: tests_impl.h:590
musig_simple_test
static void musig_simple_test(void)
Definition: tests_impl.h:39
musig_test_vectors_noncegen
static void musig_test_vectors_noncegen(void)
Definition: tests_impl.h:771
musig_test_vectors_tweak
static void musig_test_vectors_tweak(void)
Definition: tests_impl.h:988
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:63
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:255
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:695
secp256k1_keypair_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the public key from a keypair.
Definition: main_impl.h:224
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:283
secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:287
secp256k1_musig_aggnonce_serialize
SECP256K1_API int secp256k1_musig_aggnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_aggnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an aggregate public nonce.
Definition: session_impl.h:257
secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:275
secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer's public nonce.
Definition: session_impl.h:194
secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:536
secp256k1_musig_partial_sign
SECP256K1_API int secp256k1_musig_partial_sign(const secp256k1_context *ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Produces a partial signature.
Definition: session_impl.h:658
secp256k1_musig_aggnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(const secp256k1_context *ctx, secp256k1_musig_aggnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an aggregate public nonce.
Definition: session_impl.h:240
secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:233
secp256k1_musig_nonce_gen
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6)
Starts a signing session by generating a nonce.
Definition: session_impl.h:461
secp256k1_musig_partial_sig_serialize
SECP256K1_API int secp256k1_musig_partial_sig_serialize(const secp256k1_context *ctx, unsigned char *out32, const secp256k1_musig_partial_sig *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a MuSig partial signature.
Definition: session_impl.h:294
secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer's partial signature.
Definition: session_impl.h:728
secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:791
secp256k1_musig_nonce_gen_counter
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Alternative way to generate a nonce and start a signing session.
Definition: session_impl.h:489
secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:175
secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:612
secp256k1_musig_pubnonce_serialize
SECP256K1_API int secp256k1_musig_pubnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_pubnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a signer's public nonce.
Definition: session_impl.h:214
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:221
secp256k1_musig_secnonce_save
static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk)
Definition: session_impl.h:57
secp256k1_musig_sum_pubnonces
static int secp256k1_musig_sum_pubnonces(const secp256k1_context *ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces)
Definition: session_impl.h:517
secp256k1_nonce_function_musig
static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32)
Definition: session_impl.h:352
secp256k1_musig_compute_noncehash_sha256_tagged
static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:554
secp256k1_nonce_function_musig_sha256_tagged_aux
static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: session_impl.h:324
secp256k1_nonce_function_musig_sha256_tagged
static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:339
secp256k1_musig_aggnonce_load
static int secp256k1_musig_aggnonce_load(const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_aggnonce *nonce)
Definition: session_impl.h:124
secp256k1_musig_pubnonce_save
static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce *nonce, const secp256k1_ge *ges)
Definition: session_impl.h:94
musig_key_agg_error_test_case
Definition: vectors.h:24
musig_key_agg_error_test_case::is_xonly
int is_xonly[1]
Definition: vectors.h:29
musig_key_agg_error_test_case::error
enum MUSIG_ERROR error
Definition: vectors.h:30
musig_key_agg_error_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:25
musig_key_agg_error_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:26
musig_key_agg_error_test_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:27
musig_key_agg_error_test_case::tweak_indices
size_t tweak_indices[1]
Definition: vectors.h:28
musig_key_agg_valid_test_case
Definition: vectors.h:18
musig_key_agg_valid_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:19
musig_key_agg_valid_test_case::expected
unsigned char expected[32]
Definition: vectors.h:21
musig_key_agg_valid_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:20
musig_key_agg_vector
Definition: vectors.h:33
musig_key_agg_vector::error_case
struct musig_key_agg_error_test_case error_case[5]
Definition: vectors.h:37
musig_key_agg_vector::pubkeys
unsigned char pubkeys[7][33]
Definition: vectors.h:34
musig_key_agg_vector::valid_case
struct musig_key_agg_valid_test_case valid_case[4]
Definition: vectors.h:36
musig_key_agg_vector::tweaks
unsigned char tweaks[2][32]
Definition: vectors.h:35
musig_nonce_agg_test_case
Definition: vectors.h:95
musig_nonce_agg_test_case::expected
unsigned char expected[66]
Definition: vectors.h:98
musig_nonce_agg_test_case::invalid_nonce_idx
int invalid_nonce_idx
Definition: vectors.h:100
musig_nonce_agg_test_case::pnonce_indices
size_t pnonce_indices[2]
Definition: vectors.h:96
musig_nonce_agg_vector
Definition: vectors.h:103
musig_nonce_agg_vector::pnonces
unsigned char pnonces[7][66]
Definition: vectors.h:104
musig_nonce_agg_vector::error_case
struct musig_nonce_agg_test_case error_case[3]
Definition: vectors.h:106
musig_nonce_agg_vector::valid_case
struct musig_nonce_agg_test_case valid_case[2]
Definition: vectors.h:105
musig_nonce_gen_test_case
Definition: vectors.h:69
musig_nonce_gen_test_case::has_msg
int has_msg
Definition: vectors.h:76
musig_nonce_gen_test_case::extra_in
unsigned char extra_in[32]
Definition: vectors.h:79
musig_nonce_gen_test_case::rand_
unsigned char rand_[32]
Definition: vectors.h:70
musig_nonce_gen_test_case::expected_pubnonce
unsigned char expected_pubnonce[66]
Definition: vectors.h:81
musig_nonce_gen_test_case::sk
unsigned char sk[32]
Definition: vectors.h:72
musig_nonce_gen_test_case::has_sk
int has_sk
Definition: vectors.h:71
musig_nonce_gen_test_case::msg
unsigned char msg[32]
Definition: vectors.h:77
musig_nonce_gen_test_case::has_aggpk
int has_aggpk
Definition: vectors.h:74
musig_nonce_gen_test_case::has_extra_in
int has_extra_in
Definition: vectors.h:78
musig_nonce_gen_test_case::expected_secnonce
unsigned char expected_secnonce[97]
Definition: vectors.h:80
musig_nonce_gen_test_case::pk
unsigned char pk[33]
Definition: vectors.h:73
musig_nonce_gen_test_case::aggpk
unsigned char aggpk[32]
Definition: vectors.h:75
musig_nonce_gen_vector
Definition: vectors.h:84
musig_nonce_gen_vector::test_case
struct musig_nonce_gen_test_case test_case[2]
Definition: vectors.h:85
musig_sig_agg_case
Definition: vectors.h:288
musig_sig_agg_case::is_xonly
int is_xonly[3]
Definition: vectors.h:293
musig_sig_agg_case::tweak_indices
size_t tweak_indices[3]
Definition: vectors.h:292
musig_sig_agg_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:289
musig_sig_agg_case::psig_indices_len
size_t psig_indices_len
Definition: vectors.h:295
musig_sig_agg_case::invalid_sig_idx
int invalid_sig_idx
Definition: vectors.h:300
musig_sig_agg_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:291
musig_sig_agg_case::expected
unsigned char expected[64]
Definition: vectors.h:298
musig_sig_agg_case::psig_indices
size_t psig_indices[2]
Definition: vectors.h:296
musig_sig_agg_case::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:294
musig_sig_agg_case::key_indices
size_t key_indices[2]
Definition: vectors.h:290
musig_sig_agg_vector
Definition: vectors.h:303
musig_sig_agg_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:304
musig_sig_agg_vector::msg
unsigned char msg[32]
Definition: vectors.h:307
musig_sig_agg_vector::tweaks
unsigned char tweaks[3][32]
Definition: vectors.h:305
musig_sig_agg_vector::psigs
unsigned char psigs[9][32]
Definition: vectors.h:306
musig_sig_agg_vector::error_case
struct musig_sig_agg_case error_case[1]
Definition: vectors.h:309
musig_sig_agg_vector::valid_case
struct musig_sig_agg_case valid_case[4]
Definition: vectors.h:308
musig_sign_error_case
Definition: vectors.h:141
musig_sign_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:147
musig_sign_error_case::secnonce_index
size_t secnonce_index
Definition: vectors.h:146
musig_sign_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:142
musig_sign_error_case::msg_index
size_t msg_index
Definition: vectors.h:145
musig_sign_error_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:144
musig_sign_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:143
musig_sign_verify_vector
Definition: vectors.h:161
musig_sign_verify_vector::verify_fail_case
struct musig_verify_fail_error_case verify_fail_case[3]
Definition: vectors.h:170
musig_sign_verify_vector::sign_error_case
struct musig_sign_error_case sign_error_case[6]
Definition: vectors.h:169
musig_sign_verify_vector::verify_error_case
struct musig_verify_fail_error_case verify_error_case[2]
Definition: vectors.h:171
musig_sign_verify_vector::sk
unsigned char sk[32]
Definition: vectors.h:162
musig_sign_verify_vector::msgs
unsigned char msgs[1][32]
Definition: vectors.h:167
musig_sign_verify_vector::aggnonces
unsigned char aggnonces[5][66]
Definition: vectors.h:166
musig_sign_verify_vector::secnonces
unsigned char secnonces[2][194]
Definition: vectors.h:164
musig_sign_verify_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:163
musig_sign_verify_vector::pubnonces
unsigned char pubnonces[5][194]
Definition: vectors.h:165
musig_sign_verify_vector::valid_case
struct musig_valid_case valid_case[4]
Definition: vectors.h:168
musig_tweak_case
Definition: vectors.h:228
musig_tweak_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:233
musig_tweak_case::key_indices
size_t key_indices[3]
Definition: vectors.h:230
musig_tweak_case::is_xonly
int is_xonly[4]
Definition: vectors.h:235
musig_tweak_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:229
musig_tweak_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:232
musig_tweak_case::expected
unsigned char expected[32]
Definition: vectors.h:237
musig_tweak_case::signer_index
size_t signer_index
Definition: vectors.h:236
musig_tweak_case::tweak_indices
size_t tweak_indices[4]
Definition: vectors.h:234
musig_tweak_vector
Definition: vectors.h:240
musig_tweak_vector::msg
unsigned char msg[32]
Definition: vectors.h:244
musig_tweak_vector::secnonce
unsigned char secnonce[97]
Definition: vectors.h:242
musig_tweak_vector::sk
unsigned char sk[32]
Definition: vectors.h:241
musig_tweak_vector::valid_case
struct musig_tweak_case valid_case[5]
Definition: vectors.h:248
musig_tweak_vector::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:243
musig_tweak_vector::pubnonces
unsigned char pubnonces[3][194]
Definition: vectors.h:246
musig_tweak_vector::pubkeys
unsigned char pubkeys[3][33]
Definition: vectors.h:245
musig_tweak_vector::tweaks
unsigned char tweaks[5][32]
Definition: vectors.h:247
musig_tweak_vector::error_case
struct musig_tweak_case error_case[1]
Definition: vectors.h:249
musig_valid_case
Definition: vectors.h:132
musig_valid_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:133
musig_valid_case::key_indices
size_t key_indices[3]
Definition: vectors.h:134
musig_valid_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:135
musig_valid_case::msg_index
size_t msg_index
Definition: vectors.h:136
musig_valid_case::expected
unsigned char expected[32]
Definition: vectors.h:138
musig_verify_fail_error_case
Definition: vectors.h:150
musig_verify_fail_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:153
musig_verify_fail_error_case::msg_index
size_t msg_index
Definition: vectors.h:156
musig_verify_fail_error_case::signer_index
size_t signer_index
Definition: vectors.h:157
musig_verify_fail_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:158
musig_verify_fail_error_case::sig
unsigned char sig[32]
Definition: vectors.h:151
musig_verify_fail_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:152
musig_verify_fail_error_case::nonce_indices_len
size_t nonce_indices_len
Definition: vectors.h:154
musig_verify_fail_error_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:155
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_keyagg_cache_internal
Definition: keyagg.h:15
secp256k1_keyagg_cache_internal::pk
secp256k1_ge pk
Definition: keyagg.h:16
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77
secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github....
Definition: secp256k1_musig.h:43
secp256k1_musig_partial_sig
Opaque data structure that holds a partial MuSig signature.
Definition: secp256k1_musig.h:96
secp256k1_musig_pubnonce
Opaque data structure that holds a signer's public nonce.
Definition: secp256k1_musig.h:68
secp256k1_musig_secnonce
Opaque data structure that holds a signer's secret nonce.
Definition: secp256k1_musig.h:59
secp256k1_musig_secnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:60
secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:62
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_xonly_pubkey::data
unsigned char data[64]
Definition: secp256k1_extrakeys.h:23
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
COUNT
static int COUNT
Definition: tests.c:40
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
CTX
static secp256k1_context * CTX
Definition: tests.c:41
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:614
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
testutil_random_ge_test
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:82
MUSIG_VECTORS_MAX_PUBKEYS
@ MUSIG_VECTORS_MAX_PUBKEYS
Definition: vectors.h:346
musig_sig_agg_vector
static const struct musig_sig_agg_vector musig_sig_agg_vector
Definition: vectors.h:312
musig_tweak_vector
static const struct musig_tweak_vector musig_tweak_vector
Definition: vectors.h:252
musig_nonce_agg_vector
static const struct musig_nonce_agg_vector musig_nonce_agg_vector
Definition: vectors.h:109
MUSIG_ERROR
MUSIG_ERROR
Automatically generated by .
Definition: vectors.h:7
MUSIG_AGGNONCE
@ MUSIG_AGGNONCE
Definition: vectors.h:11
MUSIG_TWEAK
@ MUSIG_TWEAK
Definition: vectors.h:9
MUSIG_SIG_VERIFY
@ MUSIG_SIG_VERIFY
Definition: vectors.h:14
MUSIG_PUBNONCE
@ MUSIG_PUBNONCE
Definition: vectors.h:10
MUSIG_SIG
@ MUSIG_SIG
Definition: vectors.h:13
MUSIG_PUBKEY
@ MUSIG_PUBKEY
Definition: vectors.h:8
MUSIG_OTHER
@ MUSIG_OTHER
Definition: vectors.h:15
MUSIG_SECNONCE
@ MUSIG_SECNONCE
Definition: vectors.h:12
musig_key_agg_vector
static const struct musig_key_agg_vector musig_key_agg_vector
Definition: vectors.h:40
musig_nonce_gen_vector
static const struct musig_nonce_gen_vector musig_nonce_gen_vector
Definition: vectors.h:88
musig_sign_verify_vector
static const struct musig_sign_verify_vector musig_sign_verify_vector
Definition: vectors.h:174
Generated on Wed Dec 18 2024 20:00:11 for Bitcoin Core by doxygen 1.9.4