Bitcoin Core 30.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Distributed under the MIT software license, see the accompanying *
3 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
4 ***********************************************************************/
5
6#ifndef SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
7#define SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
8
9#include <stdlib.h>
10#include <string.h>
11
12#include "../../../include/secp256k1.h"
13#include "../../../include/secp256k1_extrakeys.h"
14#include "../../../include/secp256k1_musig.h"
15
16#include "session.h"
17#include "keyagg.h"
18#include "../../scalar.h"
19#include "../../field.h"
20#include "../../group.h"
21#include "../../hash.h"
22#include "../../util.h"
23#include "../../unit_test.h"
24
25#include "vectors.h"
26
27static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) {
28 int ret;
29 secp256k1_keypair keypair_tmp;
30 ret = secp256k1_keypair_create(CTX, &keypair_tmp, sk);
31 ret &= secp256k1_keypair_pub(CTX, pk, &keypair_tmp);
32 if (keypair != NULL) {
33 *keypair = keypair_tmp;
34 }
35 return ret;
36}
37
38/* Just a simple (non-tweaked) 2-of-2 MuSig aggregate, sign, verify
39 * test. */
40static void musig_simple_test_internal(void) {
41 unsigned char sk[2][32];
42 secp256k1_keypair keypair[2];
43 secp256k1_musig_pubnonce pubnonce[2];
44 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
45 secp256k1_musig_aggnonce aggnonce;
46 unsigned char msg[32];
47 secp256k1_xonly_pubkey agg_pk;
48 secp256k1_musig_keyagg_cache keyagg_cache;
49 unsigned char session_secrand[2][32];
50 secp256k1_musig_secnonce secnonce[2];
51 secp256k1_pubkey pk[2];
52 const secp256k1_pubkey *pk_ptr[2];
53 secp256k1_musig_partial_sig partial_sig[2];
54 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
55 unsigned char final_sig[64];
56 secp256k1_musig_session session;
57 int i;
58
59 testrand256(msg);
60 for (i = 0; i < 2; i++) {
61 testrand256(sk[i]);
62 pk_ptr[i] = &pk[i];
63 pubnonce_ptr[i] = &pubnonce[i];
64 partial_sig_ptr[i] = &partial_sig[i];
65
66 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
67 if (i == 0) {
68 testrand256(session_secrand[i]);
69 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[i], &pubnonce[i], session_secrand[i], sk[i], &pk[i], NULL, NULL, NULL) == 1);
70 } else {
71 uint64_t nonrepeating_cnt = 0;
72 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[i], &pubnonce[i], nonrepeating_cnt, &keypair[i], NULL, NULL, NULL) == 1);
73 }
74 }
75
76 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
77 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
78 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
79
80 for (i = 0; i < 2; i++) {
81 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[i], &secnonce[i], &keypair[i], &keyagg_cache, &session) == 1);
82 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[i], &pubnonce[i], &pk[i], &keyagg_cache, &session) == 1);
83 }
84
85 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
86 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), &agg_pk) == 1);
87}
88
89/* Generate two pubnonces such that both group elements of their sum (calculated
90 * with secp256k1_musig_sum_pubnonces) are infinity. */
91static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce) {
92 secp256k1_ge ge[2];
93 int i;
94 secp256k1_gej summed_pubnonces[2];
95 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
96
97 testutil_random_ge_test(&ge[0]);
98 testutil_random_ge_test(&ge[1]);
99
100 for (i = 0; i < 2; i++) {
101 secp256k1_musig_pubnonce_save(&pubnonce[i], ge);
102 pubnonce_ptr[i] = &pubnonce[i];
103 secp256k1_ge_neg(&ge[0], &ge[0]);
104 secp256k1_ge_neg(&ge[1], &ge[1]);
105 }
106
107 secp256k1_musig_sum_pubnonces(CTX, summed_pubnonces, pubnonce_ptr, 2);
108 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[0]));
109 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[1]));
110}
111
112int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len) {
113 int ret;
114 size_t i;
115 ret = secp256k1_memcmp_var(value, expected, len);
116 for (i = 0; i < len; i++) {
117 value[i] = testrand_bits(8);
118 }
119 return ret;
120}
121
122static void musig_api_tests(void) {
123 secp256k1_musig_partial_sig partial_sig[2];
124 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
125 secp256k1_musig_partial_sig invalid_partial_sig;
126 const secp256k1_musig_partial_sig *invalid_partial_sig_ptr[2];
127 unsigned char pre_sig[64];
128 unsigned char buf[32];
129 unsigned char sk[2][32];
130 secp256k1_keypair keypair[2];
131 secp256k1_keypair invalid_keypair;
132 unsigned char max64[64];
133 unsigned char zeros132[132] = { 0 };
134 unsigned char session_secrand[2][32];
135 unsigned char nonrepeating_cnt = 0;
136 secp256k1_musig_secnonce secnonce[2];
137 secp256k1_musig_secnonce secnonce_tmp;
138 secp256k1_musig_secnonce invalid_secnonce;
139 secp256k1_musig_pubnonce pubnonce[2];
140 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
141 unsigned char pubnonce_ser[66];
142 secp256k1_musig_pubnonce inf_pubnonce[2];
143 const secp256k1_musig_pubnonce *inf_pubnonce_ptr[2];
144 secp256k1_musig_pubnonce invalid_pubnonce;
145 const secp256k1_musig_pubnonce *invalid_pubnonce_ptr[1];
146 secp256k1_musig_aggnonce aggnonce;
147 unsigned char aggnonce_ser[66];
148 unsigned char msg[32];
149 secp256k1_xonly_pubkey agg_pk;
150 secp256k1_pubkey full_agg_pk;
151 secp256k1_musig_keyagg_cache keyagg_cache;
152 secp256k1_musig_keyagg_cache invalid_keyagg_cache;
153 secp256k1_musig_session session;
154 secp256k1_musig_session invalid_session;
155 secp256k1_pubkey pk[2];
156 const secp256k1_pubkey *pk_ptr[2];
157 secp256k1_pubkey invalid_pk;
158 const secp256k1_pubkey *invalid_pk_ptr2[2];
159 const secp256k1_pubkey *invalid_pk_ptr3[3];
160 unsigned char tweak[32];
161 int i;
162
164 memset(max64, 0xff, sizeof(max64));
165 memset(&invalid_keypair, 0, sizeof(invalid_keypair));
166 memset(&invalid_pk, 0, sizeof(invalid_pk));
167 memset(&invalid_secnonce, 0, sizeof(invalid_secnonce));
168 memset(&invalid_partial_sig, 0, sizeof(invalid_partial_sig));
169 pubnonce_summing_to_inf(inf_pubnonce);
170 /* Simulate structs being uninitialized by setting it to 0s. We don't want
171 * to produce undefined behavior by actually providing uninitialized
172 * structs. */
173 memset(&invalid_keyagg_cache, 0, sizeof(invalid_keyagg_cache));
174 memset(&invalid_pk, 0, sizeof(invalid_pk));
175 memset(&invalid_pubnonce, 0, sizeof(invalid_pubnonce));
176 memset(&invalid_session, 0, sizeof(invalid_session));
177
178 testrand256(msg);
179 testrand256(tweak);
180 for (i = 0; i < 2; i++) {
181 pk_ptr[i] = &pk[i];
182 invalid_pk_ptr2[i] = &invalid_pk;
183 invalid_pk_ptr3[i] = &pk[i];
184 pubnonce_ptr[i] = &pubnonce[i];
185 inf_pubnonce_ptr[i] = &inf_pubnonce[i];
186 partial_sig_ptr[i] = &partial_sig[i];
187 invalid_partial_sig_ptr[i] = &partial_sig[i];
188 testrand256(session_secrand[i]);
189 testrand256(sk[i]);
190 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
191 }
192 invalid_pubnonce_ptr[0] = &invalid_pubnonce;
193 invalid_partial_sig_ptr[0] = &invalid_partial_sig;
194 /* invalid_pk_ptr3 has two valid, one invalid pk, which is important to test
195 * musig_pubkey_agg */
196 invalid_pk_ptr3[2] = &invalid_pk;
197
201 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
202 CHECK(secp256k1_musig_pubkey_agg(CTX, NULL, &keyagg_cache, pk_ptr, 2) == 1);
203 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2) == 1);
204 /* check that NULL in array of public key pointers is not allowed */
205 for (i = 0; i < 2; i++) {
206 const secp256k1_pubkey *original_ptr = pk_ptr[i];
207 pk_ptr[i] = NULL;
208 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2));
209 pk_ptr[i] = original_ptr;
210 }
211 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 2));
212 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
213 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr2, 2));
214 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
215 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr3, 3));
216 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
217 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 0));
218 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
219 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 0));
220 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
221
222 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
223
224 /* pubkey_get */
225 CHECK(secp256k1_musig_pubkey_get(CTX, &full_agg_pk, &keyagg_cache) == 1);
226 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, NULL, &keyagg_cache));
227 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, &full_agg_pk, NULL));
228 CHECK(secp256k1_memcmp_var(&full_agg_pk, zeros132, sizeof(full_agg_pk)) == 0);
229
231 {
232 int (*tweak_func[2]) (const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32);
233 tweak_func[0] = secp256k1_musig_pubkey_ec_tweak_add;
234 tweak_func[1] = secp256k1_musig_pubkey_xonly_tweak_add;
235 for (i = 0; i < 2; i++) {
236 secp256k1_pubkey tmp_output_pk;
237 secp256k1_musig_keyagg_cache tmp_keyagg_cache = keyagg_cache;
238 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, tweak) == 1);
239 /* Reset keyagg_cache */
240 tmp_keyagg_cache = keyagg_cache;
241 CHECK((*tweak_func[i])(CTX, NULL, &tmp_keyagg_cache, tweak) == 1);
242 tmp_keyagg_cache = keyagg_cache;
243 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, NULL, tweak));
244 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
245 tmp_keyagg_cache = keyagg_cache;
246 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, NULL));
247 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
248 tmp_keyagg_cache = keyagg_cache;
249 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, max64) == 0);
250 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
251 tmp_keyagg_cache = keyagg_cache;
252 /* Uninitialized keyagg_cache */
253 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &invalid_keyagg_cache, tweak));
254 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
255 }
256 }
257
259 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
260 /* nonce_gen, if successful, sets session_secrand to the zero array, which
261 * makes subsequent nonce_gen calls with the same session_secrand fail. So
262 * check that session_secrand is indeed the zero array and fill it with
263 * random values again. */
264 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
265
266 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen(STATIC_CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
267 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
268
269 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, NULL, &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
270
271 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], NULL, session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
272 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
273
274 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64));
275 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
276
277 /* session_secrand = 0 is disallowed because it indicates a faulty RNG */
278 memcpy(&session_secrand[0], zeros132, sizeof(session_secrand[0]));
279 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], zeros132, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
280 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
281 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
282
283 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1);
284 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
285
286 /* invalid seckey */
287 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0);
288 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
289
290 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], NULL, msg, &keyagg_cache, max64));
291 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
292
293 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64));
294 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
295
296 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1);
297 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
298
299 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, NULL, max64) == 1);
300 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
301
302 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64));
303 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
304
305 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1);
306 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
307
308 /* Every in-argument except session_secrand and pubkey can be NULL */
309 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], NULL, NULL, NULL) == 1);
310 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk[1], &pk[1], NULL, NULL, NULL) == 1);
311
313 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64) == 1);
314 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen_counter(STATIC_CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
315 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
316 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, NULL, &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
317 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], NULL, nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
318 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
319 /* using nonce_gen_counter requires keypair */
320 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, NULL, msg, &keyagg_cache, max64));
321 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
322 /* invalid keypair */
323 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &invalid_keypair, msg, &keyagg_cache, max64));
324 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
325 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, &keyagg_cache, max64) == 1);
326 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, NULL, max64) == 1);
327 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &invalid_keyagg_cache, max64));
328 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
329 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt,&keypair[0], msg, &keyagg_cache, NULL) == 1);
330
331 /* Every in-argument except nonrepeating_cnt and keypair can be NULL */
332 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, NULL, NULL) == 1);
333 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[1], &pubnonce[1], nonrepeating_cnt, &keypair[1], NULL, NULL, NULL) == 1);
334
335
337 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, NULL, &pubnonce[0]));
338 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, NULL));
339 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
340 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &invalid_pubnonce));
341 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
342 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
343
344 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
345 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, NULL, pubnonce_ser));
346 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], NULL));
347 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], zeros132) == 0);
348 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
349
350 {
351 /* Check that serialize and parse results in the same value */
352 secp256k1_musig_pubnonce tmp;
353 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
354 CHECK(secp256k1_musig_pubnonce_parse(CTX, &tmp, pubnonce_ser) == 1);
355 CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
356 }
357
359 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
360 /* check that NULL in array of public nonce pointers is not allowed */
361 for (i = 0; i < 2; i++) {
362 const secp256k1_musig_pubnonce *original_ptr = pubnonce_ptr[i];
363 pubnonce_ptr[i] = NULL;
364 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
365 pubnonce_ptr[i] = original_ptr;
366 }
367 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, NULL, pubnonce_ptr, 2));
368 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, NULL, 2));
369 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 0));
370 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, invalid_pubnonce_ptr, 1));
371 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, inf_pubnonce_ptr, 2) == 1);
372 {
373 /* Check that the aggnonce encodes two points at infinity */
374 secp256k1_ge aggnonce_pt[2];
375 secp256k1_musig_aggnonce_load(CTX, aggnonce_pt, &aggnonce);
376 for (i = 0; i < 2; i++) {
377 secp256k1_ge_is_infinity(&aggnonce_pt[i]);
378 }
379 }
380 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
381
383 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
384 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, NULL, &aggnonce));
385 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, NULL));
386 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
387 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, (secp256k1_musig_aggnonce*) &invalid_pubnonce));
388 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
389 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
390
391 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
392 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, NULL, aggnonce_ser));
393 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, &aggnonce, NULL));
394 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, zeros132) == 1);
395 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
396
397 {
398 /* Check that serialize and parse results in the same value */
399 secp256k1_musig_aggnonce tmp;
400 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
401 CHECK(secp256k1_musig_aggnonce_parse(CTX, &tmp, aggnonce_ser) == 1);
402 CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0);
403 }
404
406 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
407 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, NULL, &aggnonce, msg, &keyagg_cache));
408 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, NULL, msg, &keyagg_cache));
409 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, (secp256k1_musig_aggnonce*) &invalid_pubnonce, msg, &keyagg_cache));
410 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, NULL, &keyagg_cache));
411 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, NULL));
412 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &invalid_keyagg_cache));
413
414 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
415
416 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
417 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1);
418 /* The secnonce is set to 0 and subsequent signing attempts fail */
419 CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros132, sizeof(secnonce_tmp)) == 0);
420 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
421 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
422 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, NULL, &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
423 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
424 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], NULL, &keypair[0], &keyagg_cache, &session));
425 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &invalid_secnonce, &keypair[0], &keyagg_cache, &session));
426 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, NULL, &keyagg_cache, &session));
427 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
428 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &invalid_keypair, &keyagg_cache, &session));
429 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
430 {
431 unsigned char sk_tmp[32];
432 secp256k1_keypair keypair_tmp;
433 testrand256(sk_tmp);
434 CHECK(secp256k1_keypair_create(CTX, &keypair_tmp, sk_tmp));
435 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair_tmp, &keyagg_cache, &session));
436 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
437 }
438 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], NULL, &session));
439 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
440 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &invalid_keyagg_cache, &session));
441 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
442 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, NULL));
443 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
444 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &invalid_session));
445 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
446
447 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], &keyagg_cache, &session) == 1);
448 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], &keyagg_cache, &session) == 1);
449
450 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
451 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, NULL, &partial_sig[0]));
452 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, NULL));
453 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, &invalid_partial_sig));
454 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], buf) == 1);
455 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, NULL, buf));
456 {
457 /* Check that parsing failure results in an invalid sig */
458 secp256k1_musig_partial_sig tmp;
459 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, max64) == 0);
460 CHECK(secp256k1_memcmp_var(&tmp, zeros132, sizeof(partial_sig[0])) == 0);
461 }
462 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], NULL));
463
464 {
465 /* Check that serialize and parse results in the same value */
466 secp256k1_musig_partial_sig tmp;
467 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
468 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, buf) == 1);
469 CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
470 }
471
473 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
474 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 0);
475 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, NULL, &pubnonce[0], &pk[0], &keyagg_cache, &session));
476 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &invalid_partial_sig, &pubnonce[0], &pk[0], &keyagg_cache, &session));
477 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], NULL, &pk[0], &keyagg_cache, &session));
478 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &invalid_pubnonce, &pk[0], &keyagg_cache, &session));
479 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], NULL, &keyagg_cache, &session));
480 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &invalid_pk, &keyagg_cache, &session));
481 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], NULL, &session));
482 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &invalid_keyagg_cache, &session));
483 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, NULL));
484 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &invalid_session));
485
486 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
487 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], &keyagg_cache, &session) == 1);
488
490 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
491 /* check that NULL in array of partial signature pointers is not allowed */
492 for (i = 0; i < 2; i++) {
493 const secp256k1_musig_partial_sig *original_ptr = partial_sig_ptr[i];
494 partial_sig_ptr[i] = NULL;
495 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2));
496 partial_sig_ptr[i] = original_ptr;
497 }
498 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, NULL, &session, partial_sig_ptr, 2));
499 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, NULL, partial_sig_ptr, 2));
500 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &invalid_session, partial_sig_ptr, 2));
501 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, NULL, 2));
502 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, invalid_partial_sig_ptr, 2));
503 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 0));
504 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 1) == 1);
505 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
506}
507
508static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
509 secp256k1_scalar k1[2], k2[2];
510
511 secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4], args[5]);
512 testrand_flip(args[n_flip], n_bytes);
513 secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4], args[5]);
514 CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0);
515 CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0);
516}
517
518static void musig_nonce_test(void) {
519 unsigned char *args[6];
520 unsigned char session_secrand[32];
521 unsigned char sk[32];
522 unsigned char pk[33];
523 unsigned char msg[32];
524 unsigned char agg_pk[32];
525 unsigned char extra_input[32];
526 int i, j;
527 secp256k1_scalar k[6][2];
528
529 testrand_bytes_test(session_secrand, sizeof(session_secrand));
530 testrand_bytes_test(sk, sizeof(sk));
531 testrand_bytes_test(pk, sizeof(pk));
532 testrand_bytes_test(msg, sizeof(msg));
533 testrand_bytes_test(agg_pk, sizeof(agg_pk));
534 testrand_bytes_test(extra_input, sizeof(extra_input));
535
536 /* Check that a bitflip in an argument results in different nonces. */
537 args[0] = session_secrand;
538 args[1] = msg;
539 args[2] = sk;
540 args[3] = pk;
541 args[4] = agg_pk;
542 args[5] = extra_input;
543 for (i = 0; i < COUNT; i++) {
544 musig_nonce_bitflip(args, 0, sizeof(session_secrand));
545 musig_nonce_bitflip(args, 1, sizeof(msg));
546 musig_nonce_bitflip(args, 2, sizeof(sk));
547 musig_nonce_bitflip(args, 3, sizeof(pk));
548 musig_nonce_bitflip(args, 4, sizeof(agg_pk));
549 musig_nonce_bitflip(args, 5, sizeof(extra_input));
550 }
551 /* Check that if any argument is NULL, a different nonce is produced than if
552 * any other argument is NULL. */
553 memcpy(msg, session_secrand, sizeof(msg));
554 memcpy(sk, session_secrand, sizeof(sk));
555 memcpy(pk, session_secrand, sizeof(session_secrand));
556 memcpy(agg_pk, session_secrand, sizeof(agg_pk));
557 memcpy(extra_input, session_secrand, sizeof(extra_input));
558 secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4], args[5]);
559 secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4], args[5]);
560 secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4], args[5]);
561 secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4], args[5]);
562 secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL, args[5]);
563 secp256k1_nonce_function_musig(k[5], args[0], args[1], args[2], args[3], args[4], NULL);
564 for (i = 0; i < 6; i++) {
565 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1]));
566 for (j = i+1; j < 6; j++) {
567 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0]));
568 CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1]));
569 }
570 }
571}
572
573/* Checks that the initialized tagged hashes have the expected
574 * state. */
575static void sha256_tag_test(void) {
576 secp256k1_sha256 sha;
577 {
578 /* "KeyAgg list" */
579 static const unsigned char tag[] = {'K', 'e', 'y', 'A', 'g', 'g', ' ', 'l', 'i', 's', 't'};
580 secp256k1_musig_keyagglist_sha256(&sha);
581 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
582 }
583 {
584 /* "KeyAgg coefficient" */
585 static const unsigned char tag[] = {'K', 'e', 'y', 'A', 'g', 'g', ' ', 'c', 'o', 'e', 'f', 'f', 'i', 'c', 'i', 'e', 'n', 't'};
586 secp256k1_musig_keyaggcoef_sha256(&sha);
587 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
588 }
589 {
590 /* "MuSig/aux" */
591 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'a', 'u', 'x' };
592 secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
593 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
594 }
595 {
596 /* "MuSig/nonce" */
597 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'n', 'o', 'n', 'c', 'e' };
598 secp256k1_nonce_function_musig_sha256_tagged(&sha);
599 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
600 }
601 {
602 /* "MuSig/noncecoef" */
603 static const unsigned char tag[] = { 'M', 'u', 'S', 'i', 'g', '/', 'n', 'o', 'n', 'c', 'e', 'c', 'o', 'e', 'f' };
604 secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
605 test_sha256_tag_midstate(&sha, tag, sizeof(tag));
606 }
607}
608
609/* Attempts to create a signature for the aggregate public key using given secret
610 * keys and keyagg_cache. */
611static void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache) {
612 secp256k1_pubkey pk[2];
613 unsigned char session_secrand[2][32];
614 unsigned char msg[32];
615 secp256k1_musig_secnonce secnonce[2];
616 secp256k1_musig_pubnonce pubnonce[2];
617 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
618 secp256k1_musig_aggnonce aggnonce;
619 secp256k1_keypair keypair[2];
620 secp256k1_musig_session session;
621 secp256k1_musig_partial_sig partial_sig[2];
622 const secp256k1_musig_partial_sig *partial_sig_ptr[2];
623 unsigned char final_sig[64];
624 int i;
625
626 for (i = 0; i < 2; i++) {
627 pubnonce_ptr[i] = &pubnonce[i];
628 partial_sig_ptr[i] = &partial_sig[i];
629
630 testrand256(session_secrand[i]);
631 }
632 CHECK(create_keypair_and_pk(&keypair[0], &pk[0], sk0) == 1);
633 CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1);
634 testrand256(msg);
635
636 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk0, &pk[0], NULL, NULL, NULL) == 1);
637 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk1, &pk[1], NULL, NULL, NULL) == 1);
638
639 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
640 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, keyagg_cache) == 1);
641
642 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], keyagg_cache, &session) == 1);
643 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], keyagg_cache, &session) == 1);
644
645 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], keyagg_cache, &session) == 1);
646 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], keyagg_cache, &session) == 1);
647
648 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
649 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), agg_pk) == 1);
650}
651
652/* Create aggregate public key P[0], tweak multiple times (using xonly and
653 * plain tweaking) and test signing. */
654static void musig_tweak_test_internal(void) {
655 unsigned char sk[2][32];
656 secp256k1_pubkey pk[2];
657 const secp256k1_pubkey *pk_ptr[2];
658 secp256k1_musig_keyagg_cache keyagg_cache;
659 enum { N_TWEAKS = 8 };
660 secp256k1_pubkey P[N_TWEAKS + 1];
661 secp256k1_xonly_pubkey P_xonly[N_TWEAKS + 1];
662 int i;
663
664 /* Key Setup */
665 for (i = 0; i < 2; i++) {
666 pk_ptr[i] = &pk[i];
667 testrand256(sk[i]);
668 CHECK(create_keypair_and_pk(NULL, &pk[i], sk[i]) == 1);
669 }
670 /* Compute P0 = keyagg(pk0, pk1) and test signing for it */
671 CHECK(secp256k1_musig_pubkey_agg(CTX, &P_xonly[0], &keyagg_cache, pk_ptr, 2) == 1);
672 musig_tweak_test_helper(&P_xonly[0], sk[0], sk[1], &keyagg_cache);
673 CHECK(secp256k1_musig_pubkey_get(CTX, &P[0], &keyagg_cache));
674
675 /* Compute Pi = f(Pj) + tweaki*G where where j = i-1 and try signing for
676 * that key. If xonly is set to true, the function f normalizes the input
677 * point to have an even X-coordinate ("xonly-tweaking").
678 * Otherwise, the function f is the identity function. */
679 for (i = 1; i <= N_TWEAKS; i++) {
680 unsigned char tweak[32];
681 int P_parity;
682 int xonly = testrand_bits(1);
683
684 testrand256(tweak);
685 if (xonly) {
686 CHECK(secp256k1_musig_pubkey_xonly_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
687 } else {
688 CHECK(secp256k1_musig_pubkey_ec_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
689 }
690 CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &P_xonly[i], &P_parity, &P[i]));
691 /* Check that musig_pubkey_tweak_add produces same result as
692 * xonly_pubkey_tweak_add or ec_pubkey_tweak_add. */
693 if (xonly) {
694 unsigned char P_serialized[32];
695 CHECK(secp256k1_xonly_pubkey_serialize(CTX, P_serialized, &P_xonly[i]));
696 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, P_serialized, P_parity, &P_xonly[i-1], tweak) == 1);
697 } else {
698 secp256k1_pubkey tmp_key = P[i-1];
699 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &tmp_key, tweak));
700 CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
701 }
702 /* Test signing for P[i] */
703 musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache);
704 }
705}
706
707int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error,
708 secp256k1_musig_keyagg_cache *keyagg_cache,
709 unsigned char *agg_pk_ser,
710 const unsigned char pubkeys33[][33],
711 const unsigned char tweaks32[][32],
712 size_t key_indices_len,
713 const size_t *key_indices,
714 size_t tweak_indices_len,
715 const size_t *tweak_indices,
716 const int *is_xonly) {
717 secp256k1_pubkey pubkeys[MUSIG_VECTORS_MAX_PUBKEYS];
718 const secp256k1_pubkey *pk_ptr[MUSIG_VECTORS_MAX_PUBKEYS];
719 int i;
720 secp256k1_pubkey agg_pk;
721 secp256k1_xonly_pubkey agg_pk_xonly;
722
723 for (i = 0; i < (int)key_indices_len; i++) {
724 if (!secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pubkeys33[key_indices[i]], 33)) {
725 *error = MUSIG_PUBKEY;
726 return 0;
727 }
728 pk_ptr[i] = &pubkeys[i];
729 }
730 if (!secp256k1_musig_pubkey_agg(CTX, NULL, keyagg_cache, pk_ptr, key_indices_len)) {
731 *error = MUSIG_OTHER;
732 return 0;
733 }
734
735 for (i = 0; i < (int)tweak_indices_len; i++) {
736 if (is_xonly[i]) {
737 if (!secp256k1_musig_pubkey_xonly_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
738 *error = MUSIG_TWEAK;
739 return 0;
740 }
741 } else {
742 if (!secp256k1_musig_pubkey_ec_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
743 *error = MUSIG_TWEAK;
744 return 0;
745 }
746 }
747 }
748 if (!secp256k1_musig_pubkey_get(CTX, &agg_pk, keyagg_cache)) {
749 *error = MUSIG_OTHER;
750 return 0;
751 }
752
753 if (!secp256k1_xonly_pubkey_from_pubkey(CTX, &agg_pk_xonly, NULL, &agg_pk)) {
754 *error = MUSIG_OTHER;
755 return 0;
756 }
757
758 if (agg_pk_ser != NULL) {
759 if (!secp256k1_xonly_pubkey_serialize(CTX, agg_pk_ser, &agg_pk_xonly)) {
760 *error = MUSIG_OTHER;
761 return 0;
762 }
763 }
764
765 return 1;
766}
767
768static void musig_test_vectors_keyagg(void) {
769 size_t i;
770 const struct musig_key_agg_vector *vector = &musig_key_agg_vector;
771
772 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
773 const struct musig_key_agg_valid_test_case *c = &vector->valid_case[i];
774 enum MUSIG_ERROR error;
775 secp256k1_musig_keyagg_cache keyagg_cache;
776 unsigned char agg_pk[32];
777
778 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, 0, NULL, NULL));
779 CHECK(secp256k1_memcmp_var(agg_pk, c->expected, sizeof(agg_pk)) == 0);
780 }
781
782 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
783 const struct musig_key_agg_error_test_case *c = &vector->error_case[i];
784 enum MUSIG_ERROR error;
785 secp256k1_musig_keyagg_cache keyagg_cache;
786
787 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
788 CHECK(c->error == error);
789 }
790}
791
792static void musig_test_vectors_noncegen(void) {
793 size_t i;
794 const struct musig_nonce_gen_vector *vector = &musig_nonce_gen_vector;
795
796 for (i = 0; i < sizeof(vector->test_case)/sizeof(vector->test_case[0]); i++) {
797 const struct musig_nonce_gen_test_case *c = &vector->test_case[i];
798 secp256k1_musig_keyagg_cache keyagg_cache;
799 secp256k1_musig_keyagg_cache *keyagg_cache_ptr = NULL;
800 unsigned char session_secrand32[32];
801 secp256k1_musig_secnonce secnonce;
802 secp256k1_musig_pubnonce pubnonce;
803 const unsigned char *sk = NULL;
804 const unsigned char *msg = NULL;
805 const unsigned char *extra_in = NULL;
806 secp256k1_pubkey pk;
807 unsigned char pubnonce66[66];
808
809 memcpy(session_secrand32, c->rand_, 32);
810 if (c->has_sk) {
811 sk = c->sk;
812 }
813 if (c->has_aggpk) {
814 /* Create keyagg_cache from aggpk */
815 secp256k1_keyagg_cache_internal cache_i;
816 secp256k1_xonly_pubkey aggpk;
817 memset(&cache_i, 0, sizeof(cache_i));
818 CHECK(secp256k1_xonly_pubkey_parse(CTX, &aggpk, c->aggpk));
819 CHECK(secp256k1_xonly_pubkey_load(CTX, &cache_i.pk, &aggpk));
820 secp256k1_keyagg_cache_save(&keyagg_cache, &cache_i);
821 keyagg_cache_ptr = &keyagg_cache;
822 }
823 if (c->has_msg) {
824 msg = c->msg;
825 }
826 if (c->has_extra_in) {
827 extra_in = c->extra_in;
828 }
829
830 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk, c->pk, sizeof(c->pk)));
831 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce, &pubnonce, session_secrand32, sk, &pk, msg, keyagg_cache_ptr, extra_in) == 1);
832 CHECK(secp256k1_memcmp_var(&secnonce.data[4], c->expected_secnonce, 2*32) == 0);
833 /* The last element of the secnonce is the public key (uncompressed in
834 * secp256k1_musig_secnonce, compressed in the test vector secnonce). */
835 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
836 CHECK(secp256k1_memcmp_var(&c->expected_secnonce[2*32], c->pk, sizeof(c->pk)) == 0);
837
838 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
839 CHECK(sizeof(c->expected_pubnonce) == sizeof(pubnonce66));
840 CHECK(secp256k1_memcmp_var(pubnonce66, c->expected_pubnonce, sizeof(pubnonce66)) == 0);
841 }
842}
843
844
845static void musig_test_vectors_nonceagg(void) {
846 size_t i;
847 int j;
848 const struct musig_nonce_agg_vector *vector = &musig_nonce_agg_vector;
849
850 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
851 const struct musig_nonce_agg_test_case *c = &vector->valid_case[i];
852 secp256k1_musig_pubnonce pubnonce[2];
853 const secp256k1_musig_pubnonce *pubnonce_ptr[2];
854 secp256k1_musig_aggnonce aggnonce;
855 unsigned char aggnonce66[66];
856
857 for (j = 0; j < 2; j++) {
858 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]) == 1);
859 pubnonce_ptr[j] = &pubnonce[j];
860 }
861 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
862 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce66, &aggnonce));
863 CHECK(secp256k1_memcmp_var(aggnonce66, c->expected, 33) == 0);
864 }
865 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
866 const struct musig_nonce_agg_test_case *c = &vector->error_case[i];
867 secp256k1_musig_pubnonce pubnonce[2];
868 for (j = 0; j < 2; j++) {
869 int expected = c->invalid_nonce_idx != j;
870 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]));
871 }
872 }
873}
874
875static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey) {
876 secp256k1_ge pk;
877 secp256k1_scalar k[2];
878
879 secp256k1_scalar_set_b32(&k[0], &secnonce64[0], NULL);
880 secp256k1_scalar_set_b32(&k[1], &secnonce64[32], NULL);
881 CHECK(secp256k1_pubkey_load(CTX, &pk, pubkey));
882 secp256k1_musig_secnonce_save(secnonce, k, &pk);
883}
884
885static void musig_test_vectors_signverify(void) {
886 size_t i;
887 const struct musig_sign_verify_vector *vector = &musig_sign_verify_vector;
888
889 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
890 const struct musig_valid_case *c = &vector->valid_case[i];
891 enum MUSIG_ERROR error;
892 secp256k1_musig_keyagg_cache keyagg_cache;
893 secp256k1_pubkey pubkey;
894 secp256k1_musig_pubnonce pubnonce;
895 secp256k1_musig_aggnonce aggnonce;
896 secp256k1_musig_session session;
897 secp256k1_musig_partial_sig partial_sig;
898 secp256k1_musig_secnonce secnonce;
899 secp256k1_keypair keypair;
900 unsigned char partial_sig32[32];
901
902 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
903 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
904
905 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
906 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
907
908 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
909 musig_test_set_secnonce(&secnonce, vector->secnonces[0], &pubkey);
910 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
911 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
912 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
913
914 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[0]));
915 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
916 }
917 for (i = 0; i < sizeof(vector->sign_error_case)/sizeof(vector->sign_error_case[0]); i++) {
918 const struct musig_sign_error_case *c = &vector->sign_error_case[i];
919 enum MUSIG_ERROR error;
920 secp256k1_musig_keyagg_cache keyagg_cache;
921 secp256k1_pubkey pubkey;
922 secp256k1_musig_aggnonce aggnonce;
923 secp256k1_musig_session session;
924 secp256k1_musig_partial_sig partial_sig;
925 secp256k1_musig_secnonce secnonce;
926 secp256k1_keypair keypair;
927 int expected;
928
929 if (i == 0) {
930 /* Skip this vector since the implementation does not error out when
931 * the signing key does not belong to any pubkey. */
932 continue;
933 }
934
935 expected = c->error != MUSIG_PUBKEY;
936 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
937 CHECK(expected || c->error == error);
938 if (!expected) {
939 continue;
940 }
941 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
942 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
943
944 expected = c->error != MUSIG_AGGNONCE;
945 CHECK(expected == secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
946 if (!expected) {
947 continue;
948 }
949 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
950
951 expected = c->error != MUSIG_SECNONCE;
952 CHECK(!expected);
953 musig_test_set_secnonce(&secnonce, vector->secnonces[c->secnonce_index], &pubkey);
954 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
955 }
956 for (i = 0; i < sizeof(vector->verify_fail_case)/sizeof(vector->verify_fail_case[0]); i++) {
957 const struct musig_verify_fail_error_case *c = &vector->verify_fail_case[i];
958 enum MUSIG_ERROR error;
959 secp256k1_musig_keyagg_cache keyagg_cache;
960 secp256k1_musig_aggnonce aggnonce;
961 secp256k1_musig_session session;
962 secp256k1_musig_partial_sig partial_sig;
963 enum { NUM_PUBNONCES = 3 };
964 secp256k1_musig_pubnonce pubnonce[NUM_PUBNONCES];
965 const secp256k1_musig_pubnonce *pubnonce_ptr[NUM_PUBNONCES];
966 secp256k1_pubkey pubkey;
967 int expected;
968 size_t j;
969
970 CHECK(NUM_PUBNONCES <= c->nonce_indices_len);
971 for (j = 0; j < c->nonce_indices_len; j++) {
972 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pubnonces[c->nonce_indices[j]]));
973 pubnonce_ptr[j] = &pubnonce[j];
974 }
975
976 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
977 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, c->nonce_indices_len) == 1);
978 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
979
980 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[c->signer_index], sizeof(vector->pubkeys[0])));
981
982 expected = c->error != MUSIG_SIG;
983 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig, c->sig));
984 if (!expected) {
985 continue;
986 }
987 expected = c->error != MUSIG_SIG_VERIFY;
988 CHECK(expected == secp256k1_musig_partial_sig_verify(CTX, &partial_sig, pubnonce, &pubkey, &keyagg_cache, &session));
989 }
990 for (i = 0; i < sizeof(vector->verify_error_case)/sizeof(vector->verify_error_case[0]); i++) {
991 const struct musig_verify_fail_error_case *c = &vector->verify_error_case[i];
992 enum MUSIG_ERROR error;
993 secp256k1_musig_keyagg_cache keyagg_cache;
994 secp256k1_musig_pubnonce pubnonce;
995 int expected;
996
997 expected = c->error != MUSIG_PUBKEY;
998 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
999 CHECK(expected || c->error == error);
1000 if (!expected) {
1001 continue;
1002 }
1003 expected = c->error != MUSIG_PUBNONCE;
1004 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1005 }
1006}
1007
1008static void musig_test_vectors_tweak(void) {
1009 size_t i;
1010 const struct musig_tweak_vector *vector = &musig_tweak_vector;
1011 secp256k1_pubkey pubkey;
1012 secp256k1_musig_aggnonce aggnonce;
1013 secp256k1_musig_secnonce secnonce;
1014
1015 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonce));
1016 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
1017
1018 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
1019 const struct musig_tweak_case *c = &vector->valid_case[i];
1020 enum MUSIG_ERROR error;
1021 secp256k1_musig_keyagg_cache keyagg_cache;
1022 secp256k1_musig_pubnonce pubnonce;
1023 secp256k1_musig_session session;
1024 secp256k1_musig_partial_sig partial_sig;
1025 secp256k1_keypair keypair;
1026 unsigned char partial_sig32[32];
1027
1028 musig_test_set_secnonce(&secnonce, vector->secnonce, &pubkey);
1029
1030 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
1031 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1032
1033 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1034
1035 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
1036 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
1037 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
1038
1039 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1040 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
1041 }
1042 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1043 const struct musig_tweak_case *c = &vector->error_case[i];
1044 enum MUSIG_ERROR error;
1045 secp256k1_musig_keyagg_cache keyagg_cache;
1046 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1047 CHECK(error == MUSIG_TWEAK);
1048 }
1049}
1050
1051static void musig_test_vectors_sigagg(void) {
1052 size_t i, j;
1053 const struct musig_sig_agg_vector *vector = &musig_sig_agg_vector;
1054
1055 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
1056 const struct musig_sig_agg_case *c = &vector->valid_case[i];
1057 enum MUSIG_ERROR error;
1058 unsigned char final_sig[64];
1059 secp256k1_musig_keyagg_cache keyagg_cache;
1060 unsigned char agg_pk32[32];
1061 secp256k1_xonly_pubkey agg_pk;
1062 secp256k1_musig_aggnonce aggnonce;
1063 secp256k1_musig_session session;
1064 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1065 const secp256k1_musig_partial_sig *partial_sig_ptr[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1066
1067 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk32, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1068 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, c->aggnonce));
1069 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1070 for (j = 0; j < c->psig_indices_len; j++) {
1071 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1072 partial_sig_ptr[j] = &partial_sig[j];
1073 }
1074
1075 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, c->psig_indices_len) == 1);
1076 CHECK(secp256k1_memcmp_var(final_sig, c->expected, sizeof(final_sig)) == 0);
1077
1078 CHECK(secp256k1_xonly_pubkey_parse(CTX, &agg_pk, agg_pk32));
1079 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, vector->msg, sizeof(vector->msg), &agg_pk) == 1);
1080 }
1081 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1082 const struct musig_sig_agg_case *c = &vector->error_case[i];
1083 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1084 for (j = 0; j < c->psig_indices_len; j++) {
1085 int expected = c->invalid_sig_idx != (int)j;
1086 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1087 }
1088 }
1089}
1090
1091/* Since the BIP doesn't provide static test vectors for nonce_gen_counter, we
1092 * define a static test here */
1093static void musig_test_static_nonce_gen_counter(void) {
1094 secp256k1_musig_secnonce secnonce;
1095 secp256k1_musig_pubnonce pubnonce;
1096 unsigned char pubnonce66[66];
1097 secp256k1_pubkey pk;
1098 secp256k1_keypair keypair;
1099 uint64_t nonrepeating_cnt = 0;
1100 unsigned char sk[32] = {
1101 0xEE, 0xC1, 0xCB, 0x7D, 0x1B, 0x72, 0x54, 0xC5,
1102 0xCA, 0xB0, 0xD9, 0xC6, 0x1A, 0xB0, 0x2E, 0x64,
1103 0x3D, 0x46, 0x4A, 0x59, 0xFE, 0x6C, 0x96, 0xA7,
1104 0xEF, 0xE8, 0x71, 0xF0, 0x7C, 0x5A, 0xEF, 0x54,
1105 };
1106 unsigned char expected_secnonce[64] = {
1107 0x84, 0x2F, 0x13, 0x80, 0xCD, 0x17, 0xA1, 0x98,
1108 0xFC, 0x3D, 0xAD, 0x3B, 0x7D, 0xA7, 0x49, 0x29,
1109 0x41, 0xF4, 0x69, 0x76, 0xF2, 0x70, 0x2F, 0xF7,
1110 0xC6, 0x6F, 0x24, 0xF4, 0x72, 0x03, 0x6A, 0xF1,
1111 0xDA, 0x3F, 0x95, 0x2D, 0xDE, 0x4A, 0x2D, 0xA6,
1112 0xB6, 0x32, 0x57, 0x07, 0xCE, 0x87, 0xA4, 0xE3,
1113 0x61, 0x6D, 0x06, 0xFC, 0x5F, 0x81, 0xA9, 0xC9,
1114 0x93, 0x86, 0xD2, 0x0A, 0x99, 0xCE, 0xCF, 0x99,
1115 };
1116 unsigned char expected_pubnonce[66] = {
1117 0x03, 0xA5, 0xB9, 0xB6, 0x90, 0x79, 0x42, 0xEA,
1118 0xCD, 0xDA, 0x49, 0xA3, 0x66, 0x01, 0x6E, 0xC2,
1119 0xE6, 0x24, 0x04, 0xA1, 0xBF, 0x4A, 0xB6, 0xD4,
1120 0xDB, 0x82, 0x06, 0x7B, 0xC3, 0xAD, 0xF0, 0x86,
1121 0xD7, 0x03, 0x32, 0x05, 0xDB, 0x9E, 0xB3, 0x4D,
1122 0x5C, 0x7C, 0xE0, 0x28, 0x48, 0xCA, 0xC6, 0x8A,
1123 0x83, 0xED, 0x73, 0xE3, 0x88, 0x34, 0x77, 0xF5,
1124 0x63, 0xF2, 0x3C, 0xE9, 0xA1, 0x1A, 0x77, 0x21,
1125 0xEC, 0x64,
1126 };
1127
1128 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
1129 CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair));
1130 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce, &pubnonce, nonrepeating_cnt, &keypair, NULL, NULL, NULL) == 1);
1131
1132 CHECK(secp256k1_memcmp_var(&secnonce.data[4], expected_secnonce, 2*32) == 0);
1133 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
1134
1135 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
1136 CHECK(secp256k1_memcmp_var(pubnonce66, expected_pubnonce, sizeof(pubnonce66)) == 0);
1137}
1138
1139/* --- Test registry --- */
1140REPEAT_TEST(musig_simple_test)
1141/* Run multiple times to ensure that pk and nonce have different y parities */
1142REPEAT_TEST(musig_tweak_test)
1143
1144static const struct tf_test_entry tests_musig[] = {
1145 CASE1(musig_simple_test),
1146 CASE1(musig_api_tests),
1147 CASE1(musig_nonce_test),
1148 CASE1(musig_tweak_test),
1149 CASE1(sha256_tag_test),
1150 CASE1(musig_test_vectors_keyagg),
1151 CASE1(musig_test_vectors_noncegen),
1152 CASE1(musig_test_vectors_nonceagg),
1153 CASE1(musig_test_vectors_signverify),
1154 CASE1(musig_test_vectors_tweak),
1155 CASE1(musig_test_vectors_sigagg),
1156 CASE1(musig_test_static_nonce_gen_counter),
1157};
1158
1159#endif
ret
int ret
Definition: bitcoin-cli.cpp:1350
args
ArgsManager & args
Definition: bitcoind.cpp:277
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:14
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_musig_keyaggcoef_sha256
static void secp256k1_musig_keyaggcoef_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:99
secp256k1_musig_keyagglist_sha256
static void secp256k1_musig_keyagglist_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:64
secp256k1_keyagg_cache_save
static void secp256k1_keyagg_cache_save(secp256k1_musig_keyagg_cache *cache, const secp256k1_keyagg_cache_internal *cache_i)
Definition: keyagg_impl.h:31
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tests_musig
static const struct tf_test_entry tests_musig[]
Definition: tests_impl.h:1144
musig_test_vectors_keyagg
static void musig_test_vectors_keyagg(void)
Definition: tests_impl.h:768
musig_nonce_test
static void musig_nonce_test(void)
Definition: tests_impl.h:518
musig_vectors_keyagg_and_tweak
int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error, secp256k1_musig_keyagg_cache *keyagg_cache, unsigned char *agg_pk_ser, const unsigned char pubkeys33[][33], const unsigned char tweaks32[][32], size_t key_indices_len, const size_t *key_indices, size_t tweak_indices_len, const size_t *tweak_indices, const int *is_xonly)
Definition: tests_impl.h:707
musig_test_set_secnonce
static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey)
Definition: tests_impl.h:875
sha256_tag_test
static void sha256_tag_test(void)
Definition: tests_impl.h:575
create_keypair_and_pk
static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk)
Definition: tests_impl.h:27
musig_api_tests
static void musig_api_tests(void)
Definition: tests_impl.h:122
musig_test_vectors_sigagg
static void musig_test_vectors_sigagg(void)
Definition: tests_impl.h:1051
musig_test_vectors_signverify
static void musig_test_vectors_signverify(void)
Definition: tests_impl.h:885
pubnonce_summing_to_inf
static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce)
Definition: tests_impl.h:91
musig_test_static_nonce_gen_counter
static void musig_test_static_nonce_gen_counter(void)
Definition: tests_impl.h:1093
memcmp_and_randomize
int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len)
Definition: tests_impl.h:112
musig_nonce_bitflip
static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes)
Definition: tests_impl.h:508
musig_test_vectors_nonceagg
static void musig_test_vectors_nonceagg(void)
Definition: tests_impl.h:845
musig_tweak_test_internal
static void musig_tweak_test_internal(void)
Definition: tests_impl.h:654
musig_tweak_test_helper
static void musig_tweak_test_helper(const secp256k1_xonly_pubkey *agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache)
Definition: tests_impl.h:611
musig_test_vectors_noncegen
static void musig_test_vectors_noncegen(void)
Definition: tests_impl.h:792
musig_simple_test_internal
static void musig_simple_test_internal(void)
Definition: tests_impl.h:40
musig_test_vectors_tweak
static void musig_test_vectors_tweak(void)
Definition: tests_impl.h:1008
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:269
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:695
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_keypair_pub
SECP256K1_API int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the public key from a keypair.
Definition: main_impl.h:224
secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:279
secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:283
secp256k1_musig_aggnonce_serialize
SECP256K1_API int secp256k1_musig_aggnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_aggnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an aggregate public nonce.
Definition: session_impl.h:244
secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:262
secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer's public nonce.
Definition: session_impl.h:188
secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:522
secp256k1_musig_partial_sign
SECP256K1_API int secp256k1_musig_partial_sign(const secp256k1_context *ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Produces a partial signature.
Definition: session_impl.h:649
secp256k1_musig_aggnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(const secp256k1_context *ctx, secp256k1_musig_aggnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an aggregate public nonce.
Definition: session_impl.h:227
secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:229
secp256k1_musig_nonce_gen
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6)
Starts a signing session by generating a nonce.
Definition: session_impl.h:447
secp256k1_musig_partial_sig_serialize
SECP256K1_API int secp256k1_musig_partial_sig_serialize(const secp256k1_context *ctx, unsigned char *out32, const secp256k1_musig_partial_sig *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a MuSig partial signature.
Definition: session_impl.h:281
secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer's partial signature.
Definition: session_impl.h:719
secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:782
secp256k1_musig_nonce_gen_counter
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Alternative way to generate a nonce and start a signing session.
Definition: session_impl.h:475
secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:168
secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:603
secp256k1_musig_pubnonce_serialize
SECP256K1_API int secp256k1_musig_pubnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_pubnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a signer's public nonce.
Definition: session_impl.h:208
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:224
secp256k1_musig_secnonce_save
static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk)
Definition: session_impl.h:50
secp256k1_musig_sum_pubnonces
static int secp256k1_musig_sum_pubnonces(const secp256k1_context *ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces)
Definition: session_impl.h:503
secp256k1_nonce_function_musig
static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32)
Definition: session_impl.h:339
secp256k1_musig_compute_noncehash_sha256_tagged
static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:545
secp256k1_nonce_function_musig_sha256_tagged_aux
static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: session_impl.h:311
secp256k1_nonce_function_musig_sha256_tagged
static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:326
secp256k1_musig_aggnonce_load
static int secp256k1_musig_aggnonce_load(const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_aggnonce *nonce)
Definition: session_impl.h:118
secp256k1_musig_pubnonce_save
static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce *nonce, const secp256k1_ge *ges)
Definition: session_impl.h:88
musig_key_agg_error_test_case
Definition: vectors.h:24
musig_key_agg_error_test_case::is_xonly
int is_xonly[1]
Definition: vectors.h:29
musig_key_agg_error_test_case::error
enum MUSIG_ERROR error
Definition: vectors.h:30
musig_key_agg_error_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:25
musig_key_agg_error_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:26
musig_key_agg_error_test_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:27
musig_key_agg_error_test_case::tweak_indices
size_t tweak_indices[1]
Definition: vectors.h:28
musig_key_agg_valid_test_case
Definition: vectors.h:18
musig_key_agg_valid_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:19
musig_key_agg_valid_test_case::expected
unsigned char expected[32]
Definition: vectors.h:21
musig_key_agg_valid_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:20
musig_key_agg_vector
Definition: vectors.h:33
musig_key_agg_vector::error_case
struct musig_key_agg_error_test_case error_case[5]
Definition: vectors.h:37
musig_key_agg_vector::pubkeys
unsigned char pubkeys[7][33]
Definition: vectors.h:34
musig_key_agg_vector::valid_case
struct musig_key_agg_valid_test_case valid_case[4]
Definition: vectors.h:36
musig_key_agg_vector::tweaks
unsigned char tweaks[2][32]
Definition: vectors.h:35
musig_nonce_agg_test_case
Definition: vectors.h:95
musig_nonce_agg_test_case::expected
unsigned char expected[66]
Definition: vectors.h:98
musig_nonce_agg_test_case::invalid_nonce_idx
int invalid_nonce_idx
Definition: vectors.h:100
musig_nonce_agg_test_case::pnonce_indices
size_t pnonce_indices[2]
Definition: vectors.h:96
musig_nonce_agg_vector
Definition: vectors.h:103
musig_nonce_agg_vector::pnonces
unsigned char pnonces[7][66]
Definition: vectors.h:104
musig_nonce_agg_vector::error_case
struct musig_nonce_agg_test_case error_case[3]
Definition: vectors.h:106
musig_nonce_agg_vector::valid_case
struct musig_nonce_agg_test_case valid_case[2]
Definition: vectors.h:105
musig_nonce_gen_test_case
Definition: vectors.h:69
musig_nonce_gen_test_case::has_msg
int has_msg
Definition: vectors.h:76
musig_nonce_gen_test_case::extra_in
unsigned char extra_in[32]
Definition: vectors.h:79
musig_nonce_gen_test_case::rand_
unsigned char rand_[32]
Definition: vectors.h:70
musig_nonce_gen_test_case::expected_pubnonce
unsigned char expected_pubnonce[66]
Definition: vectors.h:81
musig_nonce_gen_test_case::sk
unsigned char sk[32]
Definition: vectors.h:72
musig_nonce_gen_test_case::has_sk
int has_sk
Definition: vectors.h:71
musig_nonce_gen_test_case::msg
unsigned char msg[32]
Definition: vectors.h:77
musig_nonce_gen_test_case::has_aggpk
int has_aggpk
Definition: vectors.h:74
musig_nonce_gen_test_case::has_extra_in
int has_extra_in
Definition: vectors.h:78
musig_nonce_gen_test_case::expected_secnonce
unsigned char expected_secnonce[97]
Definition: vectors.h:80
musig_nonce_gen_test_case::pk
unsigned char pk[33]
Definition: vectors.h:73
musig_nonce_gen_test_case::aggpk
unsigned char aggpk[32]
Definition: vectors.h:75
musig_nonce_gen_vector
Definition: vectors.h:84
musig_nonce_gen_vector::test_case
struct musig_nonce_gen_test_case test_case[2]
Definition: vectors.h:85
musig_sig_agg_case
Definition: vectors.h:288
musig_sig_agg_case::is_xonly
int is_xonly[3]
Definition: vectors.h:293
musig_sig_agg_case::tweak_indices
size_t tweak_indices[3]
Definition: vectors.h:292
musig_sig_agg_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:289
musig_sig_agg_case::psig_indices_len
size_t psig_indices_len
Definition: vectors.h:295
musig_sig_agg_case::invalid_sig_idx
int invalid_sig_idx
Definition: vectors.h:300
musig_sig_agg_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:291
musig_sig_agg_case::expected
unsigned char expected[64]
Definition: vectors.h:298
musig_sig_agg_case::psig_indices
size_t psig_indices[2]
Definition: vectors.h:296
musig_sig_agg_case::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:294
musig_sig_agg_case::key_indices
size_t key_indices[2]
Definition: vectors.h:290
musig_sig_agg_vector
Definition: vectors.h:303
musig_sig_agg_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:304
musig_sig_agg_vector::msg
unsigned char msg[32]
Definition: vectors.h:307
musig_sig_agg_vector::tweaks
unsigned char tweaks[3][32]
Definition: vectors.h:305
musig_sig_agg_vector::psigs
unsigned char psigs[9][32]
Definition: vectors.h:306
musig_sig_agg_vector::error_case
struct musig_sig_agg_case error_case[1]
Definition: vectors.h:309
musig_sig_agg_vector::valid_case
struct musig_sig_agg_case valid_case[4]
Definition: vectors.h:308
musig_sign_error_case
Definition: vectors.h:141
musig_sign_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:147
musig_sign_error_case::secnonce_index
size_t secnonce_index
Definition: vectors.h:146
musig_sign_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:142
musig_sign_error_case::msg_index
size_t msg_index
Definition: vectors.h:145
musig_sign_error_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:144
musig_sign_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:143
musig_sign_verify_vector
Definition: vectors.h:161
musig_sign_verify_vector::verify_fail_case
struct musig_verify_fail_error_case verify_fail_case[3]
Definition: vectors.h:170
musig_sign_verify_vector::sign_error_case
struct musig_sign_error_case sign_error_case[6]
Definition: vectors.h:169
musig_sign_verify_vector::verify_error_case
struct musig_verify_fail_error_case verify_error_case[2]
Definition: vectors.h:171
musig_sign_verify_vector::sk
unsigned char sk[32]
Definition: vectors.h:162
musig_sign_verify_vector::msgs
unsigned char msgs[1][32]
Definition: vectors.h:167
musig_sign_verify_vector::aggnonces
unsigned char aggnonces[5][66]
Definition: vectors.h:166
musig_sign_verify_vector::secnonces
unsigned char secnonces[2][194]
Definition: vectors.h:164
musig_sign_verify_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:163
musig_sign_verify_vector::pubnonces
unsigned char pubnonces[5][194]
Definition: vectors.h:165
musig_sign_verify_vector::valid_case
struct musig_valid_case valid_case[4]
Definition: vectors.h:168
musig_tweak_case
Definition: vectors.h:228
musig_tweak_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:233
musig_tweak_case::key_indices
size_t key_indices[3]
Definition: vectors.h:230
musig_tweak_case::is_xonly
int is_xonly[4]
Definition: vectors.h:235
musig_tweak_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:229
musig_tweak_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:232
musig_tweak_case::expected
unsigned char expected[32]
Definition: vectors.h:237
musig_tweak_case::signer_index
size_t signer_index
Definition: vectors.h:236
musig_tweak_case::tweak_indices
size_t tweak_indices[4]
Definition: vectors.h:234
musig_tweak_vector
Definition: vectors.h:240
musig_tweak_vector::msg
unsigned char msg[32]
Definition: vectors.h:244
musig_tweak_vector::secnonce
unsigned char secnonce[97]
Definition: vectors.h:242
musig_tweak_vector::sk
unsigned char sk[32]
Definition: vectors.h:241
musig_tweak_vector::valid_case
struct musig_tweak_case valid_case[5]
Definition: vectors.h:248
musig_tweak_vector::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:243
musig_tweak_vector::pubnonces
unsigned char pubnonces[3][194]
Definition: vectors.h:246
musig_tweak_vector::pubkeys
unsigned char pubkeys[3][33]
Definition: vectors.h:245
musig_tweak_vector::tweaks
unsigned char tweaks[5][32]
Definition: vectors.h:247
musig_tweak_vector::error_case
struct musig_tweak_case error_case[1]
Definition: vectors.h:249
musig_valid_case
Definition: vectors.h:132
musig_valid_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:133
musig_valid_case::key_indices
size_t key_indices[3]
Definition: vectors.h:134
musig_valid_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:135
musig_valid_case::msg_index
size_t msg_index
Definition: vectors.h:136
musig_valid_case::expected
unsigned char expected[32]
Definition: vectors.h:138
musig_verify_fail_error_case
Definition: vectors.h:150
musig_verify_fail_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:153
musig_verify_fail_error_case::msg_index
size_t msg_index
Definition: vectors.h:156
musig_verify_fail_error_case::signer_index
size_t signer_index
Definition: vectors.h:157
musig_verify_fail_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:158
musig_verify_fail_error_case::sig
unsigned char sig[32]
Definition: vectors.h:151
musig_verify_fail_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:152
musig_verify_fail_error_case::nonce_indices_len
size_t nonce_indices_len
Definition: vectors.h:154
musig_verify_fail_error_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:155
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_keyagg_cache_internal
Definition: keyagg.h:15
secp256k1_keyagg_cache_internal::pk
secp256k1_ge pk
Definition: keyagg.h:16
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77
secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github....
Definition: secp256k1_musig.h:43
secp256k1_musig_partial_sig
Opaque data structure that holds a partial MuSig signature.
Definition: secp256k1_musig.h:96
secp256k1_musig_pubnonce
Opaque data structure that holds a signer's public nonce.
Definition: secp256k1_musig.h:68
secp256k1_musig_secnonce
Opaque data structure that holds a signer's secret nonce.
Definition: secp256k1_musig.h:59
secp256k1_musig_secnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:60
secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:62
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_xonly_pubkey::data
unsigned char data[64]
Definition: secp256k1_extrakeys.h:23
tf_test_entry
Definition: unit_test.h:51
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
CTX
static secp256k1_context * CTX
Definition: tests.c:42
test_sha256_tag_midstate
static void test_sha256_tag_midstate(secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:627
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
testutil_random_ge_test
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:90
COUNT
int COUNT
Definition: unit_test.c:23
CASE1
#define CASE1(name)
Definition: unit_test.h:25
REPEAT_TEST
#define REPEAT_TEST(fn)
Definition: unit_test.h:34
musig_sig_agg_vector
static const struct musig_sig_agg_vector musig_sig_agg_vector
Definition: vectors.h:312
musig_tweak_vector
static const struct musig_tweak_vector musig_tweak_vector
Definition: vectors.h:252
musig_nonce_agg_vector
static const struct musig_nonce_agg_vector musig_nonce_agg_vector
Definition: vectors.h:109
MUSIG_ERROR
MUSIG_ERROR
Automatically generated by .
Definition: vectors.h:7
MUSIG_AGGNONCE
@ MUSIG_AGGNONCE
Definition: vectors.h:11
MUSIG_TWEAK
@ MUSIG_TWEAK
Definition: vectors.h:9
MUSIG_SIG_VERIFY
@ MUSIG_SIG_VERIFY
Definition: vectors.h:14
MUSIG_PUBNONCE
@ MUSIG_PUBNONCE
Definition: vectors.h:10
MUSIG_SIG
@ MUSIG_SIG
Definition: vectors.h:13
MUSIG_PUBKEY
@ MUSIG_PUBKEY
Definition: vectors.h:8
MUSIG_OTHER
@ MUSIG_OTHER
Definition: vectors.h:15
MUSIG_SECNONCE
@ MUSIG_SECNONCE
Definition: vectors.h:12
MUSIG_VECTORS_MAX_PUBKEYS
@ MUSIG_VECTORS_MAX_PUBKEYS
Definition: vectors.h:346
musig_key_agg_vector
static const struct musig_key_agg_vector musig_key_agg_vector
Definition: vectors.h:40
musig_nonce_gen_vector
static const struct musig_nonce_gen_vector musig_nonce_gen_vector
Definition: vectors.h:88
musig_sign_verify_vector
static const struct musig_sign_verify_vector musig_sign_verify_vector
Definition: vectors.h:174
Generated on Tue Feb 24 2026 20:00:36 for Bitcoin Core by doxygen 1.9.4