musig_8cpp_source.html

// Copyright (c) 2024-present The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <musig.h>

#include <support/allocators/secure.h>


#include <secp256k1_musig.h>


static bool GetMuSig2KeyAggCache(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache)

{

    // Parse the pubkeys

    std::vector<secp256k1_pubkey> secp_pubkeys;

    std::vector<const secp256k1_pubkey*> pubkey_ptrs;

    for (const CPubKey& pubkey : pubkeys) {

        if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &secp_pubkeys.emplace_back(), pubkey.data(), pubkey.size())) {

            return false;

        }

    }

    pubkey_ptrs.reserve(secp_pubkeys.size());

    for (const secp256k1_pubkey& p : secp_pubkeys) {

        pubkey_ptrs.push_back(&p);

    }


    // Aggregate the pubkey

    if (!secp256k1_musig_pubkey_agg(secp256k1_context_static, nullptr, &keyagg_cache, pubkey_ptrs.data(), pubkey_ptrs.size())) {

        return false;

    }

    return true;

}


static std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache& keyagg_cache)

{

    // Get the plain aggregated pubkey

    secp256k1_pubkey agg_pubkey;

    if (!secp256k1_musig_pubkey_get(secp256k1_context_static, &agg_pubkey, &keyagg_cache)) {

        return std::nullopt;

    }


    // Turn into CPubKey

    unsigned char ser_agg_pubkey[CPubKey::COMPRESSED_SIZE];

    size_t ser_agg_pubkey_len = CPubKey::COMPRESSED_SIZE;

    secp256k1_ec_pubkey_serialize(secp256k1_context_static, ser_agg_pubkey, &ser_agg_pubkey_len, &agg_pubkey, SECP256K1_EC_COMPRESSED);

    return CPubKey(ser_agg_pubkey, ser_agg_pubkey + ser_agg_pubkey_len);

}


std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache, const std::optional<CPubKey>& expected_aggregate)

{

    if (!GetMuSig2KeyAggCache(pubkeys, keyagg_cache)) {

        return std::nullopt;

    }

    std::optional<CPubKey> agg_key = GetCPubKeyFromMuSig2KeyAggCache(keyagg_cache);

    if (!agg_key.has_value()) return std::nullopt;

    if (expected_aggregate.has_value() && expected_aggregate != agg_key) return std::nullopt;

    return agg_key;

}


std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys)

{

    secp256k1_musig_keyagg_cache keyagg_cache;

    return MuSig2AggregatePubkeys(pubkeys, keyagg_cache, std::nullopt);

}


CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey)

{

    CExtPubKey extpub;

    extpub.nDepth = 0;

    std::memset(extpub.vchFingerprint, 0, 4);

    extpub.nChild = 0;

    extpub.chaincode = MUSIG_CHAINCODE;

    extpub.pubkey = pubkey;

    return extpub;

}


class MuSig2SecNonceImpl

{

private:

    secure_unique_ptr<secp256k1_musig_secnonce> m_nonce;


public:

    MuSig2SecNonceImpl() : m_nonce{make_secure_unique<secp256k1_musig_secnonce>()} {}


    // Delete copy constructors

    MuSig2SecNonceImpl(const MuSig2SecNonceImpl&) = delete;

    MuSig2SecNonceImpl& operator=(const MuSig2SecNonceImpl&) = delete;


    secp256k1_musig_secnonce* Get() const { return m_nonce.get(); }

    void Invalidate() { m_nonce.reset(); }

    bool IsValid() { return m_nonce != nullptr; }

};


MuSig2SecNonce::MuSig2SecNonce() : m_impl{std::make_unique<MuSig2SecNonceImpl>()} {}


MuSig2SecNonce::MuSig2SecNonce(MuSig2SecNonce&&) noexcept = default;

MuSig2SecNonce& MuSig2SecNonce::operator=(MuSig2SecNonce&&) noexcept = default;


MuSig2SecNonce::~MuSig2SecNonce() = default;


secp256k1_musig_secnonce* MuSig2SecNonce::Get() const

{

    return m_impl->Get();

}


void MuSig2SecNonce::Invalidate()

{

    return m_impl->Invalidate();

}


bool MuSig2SecNonce::IsValid()

{

    return m_impl->IsValid();

}


uint256 MuSig2SessionID(const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256& sighash)

{

    HashWriter hasher;

    hasher << script_pubkey << part_pubkey << sighash;

    return hasher.GetSHA256();

}


std::optional<std::vector<uint8_t>> CreateMuSig2AggregateSig(const std::vector<CPubKey>& part_pubkeys, const CPubKey& aggregate_pubkey, const std::vector<std::pair<uint256, bool>>& tweaks, const uint256& sighash, const std::map<CPubKey, std::vector<uint8_t>>& pubnonces, const std::map<CPubKey, uint256>& partial_sigs)

{

    if (!part_pubkeys.size()) return std::nullopt;


    // Get the keyagg cache and aggregate pubkey

    secp256k1_musig_keyagg_cache keyagg_cache;

    if (!MuSig2AggregatePubkeys(part_pubkeys, keyagg_cache, aggregate_pubkey)) return std::nullopt;


    // Check if enough pubnonces and partial sigs

    if (pubnonces.size() != part_pubkeys.size()) return std::nullopt;

    if (partial_sigs.size() != part_pubkeys.size()) return std::nullopt;


    // Parse the pubnonces and partial sigs

    std::vector<std::tuple<secp256k1_pubkey, secp256k1_musig_pubnonce, secp256k1_musig_partial_sig>> signers_data;

    std::vector<const secp256k1_musig_pubnonce*> pubnonce_ptrs;

    std::vector<const secp256k1_musig_partial_sig*> partial_sig_ptrs;

    for (const CPubKey& part_pk : part_pubkeys) {

        const auto& pn_it = pubnonces.find(part_pk);

        if (pn_it == pubnonces.end()) return std::nullopt;

        const std::vector<uint8_t> pubnonce = pn_it->second;

        if (pubnonce.size() != MUSIG2_PUBNONCE_SIZE) return std::nullopt;

        const auto& it = partial_sigs.find(part_pk);

        if (it == partial_sigs.end()) return std::nullopt;

        const uint256& partial_sig = it->second;


        auto& [secp_pk, secp_pn, secp_ps] = signers_data.emplace_back();


        if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &secp_pk, part_pk.data(), part_pk.size())) {

            return std::nullopt;

        }


        if (!secp256k1_musig_pubnonce_parse(secp256k1_context_static, &secp_pn, pubnonce.data())) {

            return std::nullopt;

        }


        if (!secp256k1_musig_partial_sig_parse(secp256k1_context_static, &secp_ps, partial_sig.data())) {

            return std::nullopt;

        }

    }

    pubnonce_ptrs.reserve(signers_data.size());

    partial_sig_ptrs.reserve(signers_data.size());

    for (auto& [_, pn, ps] : signers_data) {

        pubnonce_ptrs.push_back(&pn);

        partial_sig_ptrs.push_back(&ps);

    }


    // Aggregate nonces

    secp256k1_musig_aggnonce aggnonce;

    if (!secp256k1_musig_nonce_agg(secp256k1_context_static, &aggnonce, pubnonce_ptrs.data(), pubnonce_ptrs.size())) {

        return std::nullopt;

    }


    // Apply tweaks

    for (const auto& [tweak, xonly] : tweaks) {

        if (xonly) {

            if (!secp256k1_musig_pubkey_xonly_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {

                return std::nullopt;

            }

        } else if (!secp256k1_musig_pubkey_ec_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {

            return std::nullopt;

        }

    }


    // Create musig_session

    secp256k1_musig_session session;

    if (!secp256k1_musig_nonce_process(secp256k1_context_static, &session, &aggnonce, sighash.data(), &keyagg_cache)) {

        return std::nullopt;

    }


    // Verify partial sigs

    for (const auto& [pk, pb, ps] : signers_data) {

        if (!secp256k1_musig_partial_sig_verify(secp256k1_context_static, &ps, &pb, &pk, &keyagg_cache, &session)) {

            return std::nullopt;

        }

    }


    // Aggregate partial sigs

    std::vector<uint8_t> sig;

    sig.resize(64);

    if (!secp256k1_musig_partial_sig_agg(secp256k1_context_static, sig.data(), &session, partial_sig_ptrs.data(), partial_sig_ptrs.size())) {

        return std::nullopt;

    }


    return sig;

}

CPubKey
An encapsulated public key.
Definition: pubkey.h:34

CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40

HashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:101

HashWriter::GetSHA256
uint256 GetSHA256()
Compute the SHA256 hash of all data written to this object.
Definition: hash.h:126

MuSig2SecNonce
MuSig2SecNonce encapsulates a secret nonce in use in a MuSig2 signing session.
Definition: musig.h:49

MuSig2SecNonce::Invalidate
void Invalidate()
Definition: musig.cpp:105

MuSig2SecNonce::IsValid
bool IsValid()
Definition: musig.cpp:110

MuSig2SecNonce::MuSig2SecNonce
MuSig2SecNonce()
Definition: musig.cpp:93

MuSig2SecNonce::Get
secp256k1_musig_secnonce * Get() const
Definition: musig.cpp:100

MuSig2SecNonce::m_impl
std::unique_ptr< MuSig2SecNonceImpl > m_impl
Definition: musig.h:51

MuSig2SecNonceImpl
Definition: musig.cpp:76

MuSig2SecNonceImpl::Get
secp256k1_musig_secnonce * Get() const
Definition: musig.cpp:88

MuSig2SecNonceImpl::operator=
MuSig2SecNonceImpl & operator=(const MuSig2SecNonceImpl &)=delete

MuSig2SecNonceImpl::m_nonce
secure_unique_ptr< secp256k1_musig_secnonce > m_nonce
The actual secnonce itself.
Definition: musig.cpp:79

MuSig2SecNonceImpl::IsValid
bool IsValid()
Definition: musig.cpp:90

MuSig2SecNonceImpl::Invalidate
void Invalidate()
Definition: musig.cpp:89

MuSig2SecNonceImpl::MuSig2SecNonceImpl
MuSig2SecNonceImpl(const MuSig2SecNonceImpl &)=delete

MuSig2SecNonceImpl::MuSig2SecNonceImpl
MuSig2SecNonceImpl()
Definition: musig.cpp:82

base_blob::data
constexpr const unsigned char * data() const
Definition: uint256.h:98

uint256
256-bit opaque blob.
Definition: uint256.h:196

tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64

CreateMuSig2SyntheticXpub
CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey &pubkey)
Construct the BIP 328 synthetic xpub for a pubkey.
Definition: musig.cpp:64

CreateMuSig2AggregateSig
std::optional< std::vector< uint8_t > > CreateMuSig2AggregateSig(const std::vector< CPubKey > &part_pubkeys, const CPubKey &aggregate_pubkey, const std::vector< std::pair< uint256, bool > > &tweaks, const uint256 &sighash, const std::map< CPubKey, std::vector< uint8_t > > &pubnonces, const std::map< CPubKey, uint256 > &partial_sigs)
Definition: musig.cpp:122

MuSig2SessionID
uint256 MuSig2SessionID(const CPubKey &script_pubkey, const CPubKey &part_pubkey, const uint256 &sighash)
Definition: musig.cpp:115

GetCPubKeyFromMuSig2KeyAggCache
static std::optional< CPubKey > GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache &keyagg_cache)
Definition: musig.cpp:32

GetMuSig2KeyAggCache
static bool GetMuSig2KeyAggCache(const std::vector< CPubKey > &pubkeys, secp256k1_musig_keyagg_cache &keyagg_cache)
Definition: musig.cpp:10

MuSig2AggregatePubkeys
std::optional< CPubKey > MuSig2AggregatePubkeys(const std::vector< CPubKey > &pubkeys, secp256k1_musig_keyagg_cache &keyagg_cache, const std::optional< CPubKey > &expected_aggregate)
Compute the full aggregate pubkey from the given participant pubkeys in their current order.
Definition: musig.cpp:47

musig.h

MUSIG2_PUBNONCE_SIZE
constexpr size_t MUSIG2_PUBNONCE_SIZE
Definition: musig.h:26

MUSIG_CHAINCODE
constexpr uint256 MUSIG_CHAINCODE
Definition: musig.h:19

std
Definition: setup_common.h:265

tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115

secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:268

secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250

SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:224

secp256k1_context_static
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:245

secp256k1_musig.h

secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:283

secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:287

secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:275

secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer's public nonce.
Definition: session_impl.h:194

secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:544

secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:233

secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer's partial signature.
Definition: session_impl.h:736

secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:799

secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:175

secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:620

secure.h

make_secure_unique
secure_unique_ptr< T > make_secure_unique(Args &&... as)
Definition: secure.h:71

secure_unique_ptr
std::unique_ptr< T, SecureUniqueDeleter< T > > secure_unique_ptr
Definition: secure.h:68

CExtPubKey
Definition: pubkey.h:346

CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:351

CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:349

CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:348

CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:352

CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:350

secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77

secp256k1_musig_aggnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:78

secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github....
Definition: secp256k1_musig.h:43

secp256k1_musig_keyagg_cache::data
unsigned char data[197]
Definition: secp256k1_musig.h:44

secp256k1_musig_secnonce
Opaque data structure that holds a signer's secret nonce.
Definition: secp256k1_musig.h:59

secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87

secp256k1_musig_session::data
unsigned char data[133]
Definition: secp256k1_musig.h:88

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61

_
consteval auto _(util::TranslatedLiteral str)
Definition: translation.h:79