 |
Bitcoin Core 28.99.0
P2P Digital Currency
|
|
Bitcoin Core 28.99.0
P2P Digital Currency
|
#include <string.h>#include "../../../include/secp256k1.h"#include "../../../include/secp256k1_extrakeys.h"#include "../../../include/secp256k1_musig.h"#include "keyagg.h"#include "session.h"#include "../../eckey.h"#include "../../hash.h"#include "../../scalar.h"#include "../../util.h"Go to the source code of this file.
Functions | |
| static void | secp256k1_musig_ge_serialize_ext (unsigned char *out33, secp256k1_ge *ge) |
| static int | secp256k1_musig_ge_parse_ext (secp256k1_ge *ge, const unsigned char *in33) |
| static void | secp256k1_musig_secnonce_save (secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk) |
| static int | secp256k1_musig_secnonce_load (const secp256k1_context *ctx, secp256k1_scalar *k, secp256k1_ge *pk, const secp256k1_musig_secnonce *secnonce) |
| static void | secp256k1_musig_secnonce_invalidate (const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, int flag) |
| static void | secp256k1_musig_pubnonce_save (secp256k1_musig_pubnonce *nonce, const secp256k1_ge *ges) |
| static int | secp256k1_musig_pubnonce_load (const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_pubnonce *nonce) |
| static void | secp256k1_musig_aggnonce_save (secp256k1_musig_aggnonce *nonce, const secp256k1_ge *ges) |
| static int | secp256k1_musig_aggnonce_load (const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_aggnonce *nonce) |
| static void | secp256k1_musig_session_save (secp256k1_musig_session *session, const secp256k1_musig_session_internal *session_i) |
| static int | secp256k1_musig_session_load (const secp256k1_context *ctx, secp256k1_musig_session_internal *session_i, const secp256k1_musig_session *session) |
| static void | secp256k1_musig_partial_sig_save (secp256k1_musig_partial_sig *sig, secp256k1_scalar *s) |
| static int | secp256k1_musig_partial_sig_load (const secp256k1_context *ctx, secp256k1_scalar *s, const secp256k1_musig_partial_sig *sig) |
| int | secp256k1_musig_pubnonce_parse (const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) |
| Parse a signer's public nonce. More... | |
| int | secp256k1_musig_pubnonce_serialize (const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_pubnonce *nonce) |
| Serialize a signer's public nonce. More... | |
| int | secp256k1_musig_aggnonce_parse (const secp256k1_context *ctx, secp256k1_musig_aggnonce *nonce, const unsigned char *in66) |
| Parse an aggregate public nonce. More... | |
| int | secp256k1_musig_aggnonce_serialize (const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_aggnonce *nonce) |
| Serialize an aggregate public nonce. More... | |
| int | secp256k1_musig_partial_sig_parse (const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) |
| Parse a MuSig partial signature. More... | |
| int | secp256k1_musig_partial_sig_serialize (const secp256k1_context *ctx, unsigned char *out32, const secp256k1_musig_partial_sig *sig) |
| Serialize a MuSig partial signature. More... | |
| static void | secp256k1_nonce_function_musig_helper (secp256k1_sha256 *sha, unsigned int prefix_size, const unsigned char *data, unsigned char len) |
| static void | secp256k1_nonce_function_musig_sha256_tagged_aux (secp256k1_sha256 *sha) |
| static void | secp256k1_nonce_function_musig_sha256_tagged (secp256k1_sha256 *sha) |
| static void | secp256k1_nonce_function_musig (secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32) |
| static int | secp256k1_musig_nonce_gen_internal (const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, const unsigned char *input_nonce, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) |
| int | secp256k1_musig_nonce_gen (const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) |
| Starts a signing session by generating a nonce. More... | |
| int | secp256k1_musig_nonce_gen_counter (const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) |
| Alternative way to generate a nonce and start a signing session. More... | |
| static int | secp256k1_musig_sum_pubnonces (const secp256k1_context *ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) |
| int | secp256k1_musig_nonce_agg (const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) |
| Aggregates the nonces of all signers into a single nonce. More... | |
| static void | secp256k1_musig_compute_noncehash_sha256_tagged (secp256k1_sha256 *sha) |
| static void | secp256k1_musig_compute_noncehash (unsigned char *noncehash, secp256k1_ge *aggnonce, const unsigned char *agg_pk32, const unsigned char *msg) |
| static void | secp256k1_effective_nonce (secp256k1_gej *out_nonce, const secp256k1_ge *nonce_pts, const secp256k1_scalar *b) |
| static void | secp256k1_musig_nonce_process_internal (int *fin_nonce_parity, unsigned char *fin_nonce, secp256k1_scalar *b, secp256k1_ge *aggnonce_pts, const unsigned char *agg_pk32, const unsigned char *msg) |
| int | secp256k1_musig_nonce_process (const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) |
| Takes the aggregate nonce and creates a session that is required for signing and verification of partial signatures. More... | |
| static void | secp256k1_musig_partial_sign_clear (secp256k1_scalar *sk, secp256k1_scalar *k) |
| int | secp256k1_musig_partial_sign (const secp256k1_context *ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) |
| Produces a partial signature. More... | |
| int | secp256k1_musig_partial_sig_verify (const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) |
| Verifies an individual signer's partial signature. More... | |
| int | secp256k1_musig_partial_sig_agg (const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) |
| Aggregates partial signatures. More... | |
Variables | |
| static const unsigned char | secp256k1_musig_secnonce_magic [4] = { 0x22, 0x0e, 0xdc, 0xf1 } |
| static const unsigned char | secp256k1_musig_pubnonce_magic [4] = { 0xf5, 0x7a, 0x3d, 0xa0 } |
| static const unsigned char | secp256k1_musig_aggnonce_magic [4] = { 0xa8, 0xb7, 0xe4, 0x67 } |
| static const unsigned char | secp256k1_musig_session_cache_magic [4] = { 0x9d, 0xed, 0xe9, 0x17 } |
| static const unsigned char | secp256k1_musig_partial_sig_magic [4] = { 0xeb, 0xfb, 0x1a, 0x32 } |
|
static |
Definition at line 584 of file session_impl.h.
|
static |
Definition at line 124 of file session_impl.h.
| int secp256k1_musig_aggnonce_parse | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_aggnonce * | nonce, | ||
| const unsigned char * | in66 | ||
| ) |
Parse an aggregate public nonce.
Returns: 1 when the nonce could be parsed, 0 otherwise. Args: ctx: pointer to a context object Out: nonce: pointer to a nonce object In: in66: pointer to the 66-byte nonce to be parsed
Definition at line 240 of file session_impl.h.
|
static |
Definition at line 116 of file session_impl.h.
| int secp256k1_musig_aggnonce_serialize | ( | const secp256k1_context * | ctx, |
| unsigned char * | out66, | ||
| const secp256k1_musig_aggnonce * | nonce | ||
| ) |
Serialize an aggregate public nonce.
Returns: 1 always Args: ctx: pointer to a context object Out: out66: pointer to a 66-byte array to store the serialized nonce In: nonce: pointer to the nonce
Definition at line 257 of file session_impl.h.
|
static |
Definition at line 568 of file session_impl.h.
|
static |
Definition at line 554 of file session_impl.h.
|
static |
Definition at line 42 of file session_impl.h.
|
static |
Definition at line 24 of file session_impl.h.
| int secp256k1_musig_nonce_agg | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_aggnonce * | aggnonce, | ||
| const secp256k1_musig_pubnonce *const * | pubnonces, | ||
| size_t | n_pubnonces | ||
| ) |
Aggregates the nonces of all signers into a single nonce.
This can be done by an untrusted party to reduce the communication between signers. Instead of everyone sending nonces to everyone else, there can be one party receiving all nonces, aggregating the nonces with this function and then sending only the aggregate nonce back to the signers.
If the aggregator does not compute the aggregate nonce correctly, the final signature will be invalid.
Returns: 0 if the arguments are invalid, 1 otherwise Args: ctx: pointer to a context object Out: aggnonce: pointer to an aggregate public nonce object for musig_nonce_process In: pubnonces: array of pointers to public nonces sent by the signers n_pubnonces: number of elements in the pubnonces array. Must be greater than 0.
Definition at line 536 of file session_impl.h.
| int secp256k1_musig_nonce_gen | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_secnonce * | secnonce, | ||
| secp256k1_musig_pubnonce * | pubnonce, | ||
| unsigned char * | session_secrand32, | ||
| const unsigned char * | seckey, | ||
| const secp256k1_pubkey * | pubkey, | ||
| const unsigned char * | msg32, | ||
| const secp256k1_musig_keyagg_cache * | keyagg_cache, | ||
| const unsigned char * | extra_input32 | ||
| ) |
Starts a signing session by generating a nonce.
This function outputs a secret nonce that will be required for signing and a corresponding public nonce that is intended to be sent to other signers.
MuSig differs from regular Schnorr signing in that implementers must take special care to not reuse a nonce. This can be ensured by following these rules:
If you don't have access to good randomness for session_secrand32, but you have access to a non-repeating counter, then see secp256k1_musig_nonce_gen_counter.
Remember that nonce reuse will leak the secret key! Note that using the same seckey for multiple MuSig sessions is fine.
Returns: 0 if the arguments are invalid and 1 otherwise Args: ctx: pointer to a context object (not secp256k1_context_static) Out: secnonce: pointer to a structure to store the secret nonce pubnonce: pointer to a structure to store the public nonce In/Out: session_secrand32: a 32-byte session_secrand32 as explained above. Must be unique to this call to secp256k1_musig_nonce_gen and must be uniformly random. If the function call is successful, the session_secrand32 buffer is invalidated to prevent reuse. In: seckey: the 32-byte secret key that will later be used for signing, if already known (can be NULL) pubkey: public key of the signer creating the nonce. The secnonce output of this function cannot be used to sign for any other public key. While the public key should correspond to the provided seckey, a mismatch will not cause the function to return 0. msg32: the 32-byte message that will later be signed, if already known (can be NULL) keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate (and potentially tweaked) public key if already known (can be NULL) extra_input32: an optional 32-byte array that is input to the nonce derivation function (can be NULL)
Definition at line 461 of file session_impl.h.
| int secp256k1_musig_nonce_gen_counter | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_secnonce * | secnonce, | ||
| secp256k1_musig_pubnonce * | pubnonce, | ||
| uint64_t | nonrepeating_cnt, | ||
| const secp256k1_keypair * | keypair, | ||
| const unsigned char * | msg32, | ||
| const secp256k1_musig_keyagg_cache * | keyagg_cache, | ||
| const unsigned char * | extra_input32 | ||
| ) |
Alternative way to generate a nonce and start a signing session.
This function outputs a secret nonce that will be required for signing and a corresponding public nonce that is intended to be sent to other signers.
This function differs from secp256k1_musig_nonce_gen by accepting a non-repeating counter value instead of a secret random value. This requires that a secret key is provided to secp256k1_musig_nonce_gen_counter (through the keypair argument), as opposed to secp256k1_musig_nonce_gen where the seckey argument is optional.
MuSig differs from regular Schnorr signing in that implementers must take special care to not reuse a nonce. This can be ensured by following these rules:
secp256k1_musig_nonce_gen_counter twice with the same keypair and nonrepeating_cnt value. For example, this implies that if the same keypair is used with secp256k1_musig_nonce_gen_counter on multiple devices, none of the devices should have the same counter value as any other device.Remember that nonce reuse will leak the secret key! Note that using the same keypair for multiple MuSig sessions is fine.
Returns: 0 if the arguments are invalid and 1 otherwise Args: ctx: pointer to a context object (not secp256k1_context_static) Out: secnonce: pointer to a structure to store the secret nonce pubnonce: pointer to a structure to store the public nonce In: nonrepeating_cnt: the value of a counter as explained above. Must be unique to this call to secp256k1_musig_nonce_gen. keypair: keypair of the signer creating the nonce. The secnonce output of this function cannot be used to sign for any other keypair. msg32: the 32-byte message that will later be signed, if already known (can be NULL) keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate (and potentially tweaked) public key if already known (can be NULL) extra_input32: an optional 32-byte array that is input to the nonce derivation function (can be NULL)
Definition at line 489 of file session_impl.h.
|
static |
Definition at line 395 of file session_impl.h.
| int secp256k1_musig_nonce_process | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_session * | session, | ||
| const secp256k1_musig_aggnonce * | aggnonce, | ||
| const unsigned char * | msg32, | ||
| const secp256k1_musig_keyagg_cache * | keyagg_cache | ||
| ) |
Takes the aggregate nonce and creates a session that is required for signing and verification of partial signatures.
Returns: 0 if the arguments are invalid, 1 otherwise Args: ctx: pointer to a context object Out: session: pointer to a struct to store the session In: aggnonce: pointer to an aggregate public nonce object that is the output of musig_nonce_agg msg32: the 32-byte message to sign keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate (and potentially tweaked) pubkey
Definition at line 612 of file session_impl.h.
|
static |
Definition at line 592 of file session_impl.h.
| int secp256k1_musig_partial_sig_agg | ( | const secp256k1_context * | ctx, |
| unsigned char * | sig64, | ||
| const secp256k1_musig_session * | session, | ||
| const secp256k1_musig_partial_sig *const * | partial_sigs, | ||
| size_t | n_sigs | ||
| ) |
Aggregates partial signatures.
Returns: 0 if the arguments are invalid, 1 otherwise (which does NOT mean the resulting signature verifies). Args: ctx: pointer to a context object Out: sig64: complete (but possibly invalid) Schnorr signature In: session: pointer to the session that was created with musig_nonce_process partial_sigs: array of pointers to partial signatures to aggregate n_sigs: number of elements in the partial_sigs array. Must be greater than 0.
Definition at line 791 of file session_impl.h.
|
static |
Definition at line 184 of file session_impl.h.
| int secp256k1_musig_partial_sig_parse | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_partial_sig * | sig, | ||
| const unsigned char * | in32 | ||
| ) |
Parse a MuSig partial signature.
Returns: 1 when the signature could be parsed, 0 otherwise. Args: ctx: pointer to a context object Out: sig: pointer to a signature object In: in32: pointer to the 32-byte signature to be parsed
Definition at line 275 of file session_impl.h.
|
static |
Definition at line 179 of file session_impl.h.
| int secp256k1_musig_partial_sig_serialize | ( | const secp256k1_context * | ctx, |
| unsigned char * | out32, | ||
| const secp256k1_musig_partial_sig * | sig | ||
| ) |
Serialize a MuSig partial signature.
Returns: 1 always Args: ctx: pointer to a context object Out: out32: pointer to a 32-byte array to store the serialized signature In: sig: pointer to the signature
Definition at line 294 of file session_impl.h.
| int secp256k1_musig_partial_sig_verify | ( | const secp256k1_context * | ctx, |
| const secp256k1_musig_partial_sig * | partial_sig, | ||
| const secp256k1_musig_pubnonce * | pubnonce, | ||
| const secp256k1_pubkey * | pubkey, | ||
| const secp256k1_musig_keyagg_cache * | keyagg_cache, | ||
| const secp256k1_musig_session * | session | ||
| ) |
Verifies an individual signer's partial signature.
The signature is verified for a specific signing session. In order to avoid accidentally verifying a signature from a different or non-existing signing session, you must ensure the following:
keyagg_cache argument is identical to the one used to create the session with musig_nonce_process.pubkey argument must be identical to the one sent by the signer before aggregating it with musig_pubkey_agg to create the keyagg_cache.pubnonce argument must be identical to the one sent by the signer before aggregating it with musig_nonce_agg and using the result to create the session with musig_nonce_process.It is not required to call this function in regular MuSig sessions, because if any partial signature does not verify, the final signature will not verify either, so the problem will be caught. However, this function provides the ability to identify which specific partial signature fails verification.
Returns: 0 if the arguments are invalid or the partial signature does not verify, 1 otherwise Args ctx: pointer to a context object In: partial_sig: pointer to partial signature to verify, sent by the signer associated with pubnonce and pubkey pubnonce: public nonce of the signer in the signing session pubkey: public key of the signer in the signing session keyagg_cache: pointer to the keyagg_cache that was output when the aggregate public key for this signing session session: pointer to the session that was created with musig_nonce_process
Definition at line 728 of file session_impl.h.
| int secp256k1_musig_partial_sign | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_partial_sig * | partial_sig, | ||
| secp256k1_musig_secnonce * | secnonce, | ||
| const secp256k1_keypair * | keypair, | ||
| const secp256k1_musig_keyagg_cache * | keyagg_cache, | ||
| const secp256k1_musig_session * | session | ||
| ) |
Produces a partial signature.
This function overwrites the given secnonce with zeros and will abort if given a secnonce that is all zeros. This is a best effort attempt to protect against nonce reuse. However, this is of course easily defeated if the secnonce has been copied (or serialized). Remember that nonce reuse will leak the secret key!
For signing to succeed, the secnonce provided to this function must have been generated for the provided keypair. This means that when signing for a keypair consisting of a seckey and pubkey, the secnonce must have been created by calling musig_nonce_gen with that pubkey. Otherwise, the illegal_callback is called.
This function does not verify the output partial signature, deviating from the BIP 327 specification. It is recommended to verify the output partial signature with secp256k1_musig_partial_sig_verify to prevent random or adversarially provoked computation errors.
Returns: 0 if the arguments are invalid or the provided secnonce has already been used for signing, 1 otherwise Args: ctx: pointer to a context object Out: partial_sig: pointer to struct to store the partial signature In/Out: secnonce: pointer to the secnonce struct created in musig_nonce_gen that has been never used in a partial_sign call before and has been created for the keypair In: keypair: pointer to keypair to sign the message with keyagg_cache: pointer to the keyagg_cache that was output when the aggregate public key for this session session: pointer to the session that was created with musig_nonce_process
Definition at line 658 of file session_impl.h.
|
static |
Definition at line 652 of file session_impl.h.
|
static |
Definition at line 104 of file session_impl.h.
| int secp256k1_musig_pubnonce_parse | ( | const secp256k1_context * | ctx, |
| secp256k1_musig_pubnonce * | nonce, | ||
| const unsigned char * | in66 | ||
| ) |
Parse a signer's public nonce.
Returns: 1 when the nonce could be parsed, 0 otherwise. Args: ctx: pointer to a context object Out: nonce: pointer to a nonce object In: in66: pointer to the 66-byte nonce to be parsed
Definition at line 194 of file session_impl.h.
|
static |
Definition at line 94 of file session_impl.h.
| int secp256k1_musig_pubnonce_serialize | ( | const secp256k1_context * | ctx, |
| unsigned char * | out66, | ||
| const secp256k1_musig_pubnonce * | nonce | ||
| ) |
Serialize a signer's public nonce.
Returns: 1 always Args: ctx: pointer to a context object Out: out66: pointer to a 66-byte array to store the serialized nonce In: nonce: pointer to the nonce
Definition at line 214 of file session_impl.h.
|
static |
Definition at line 80 of file session_impl.h.
|
static |
Definition at line 64 of file session_impl.h.
|
static |
Definition at line 57 of file session_impl.h.
|
static |
Definition at line 160 of file session_impl.h.
|
static |
Definition at line 144 of file session_impl.h.
|
static |
Definition at line 517 of file session_impl.h.
|
static |
Definition at line 352 of file session_impl.h.
|
static |
Definition at line 305 of file session_impl.h.
|
static |
Definition at line 339 of file session_impl.h.
|
static |
Definition at line 324 of file session_impl.h.
|
static |
Definition at line 114 of file session_impl.h.
|
static |
Definition at line 177 of file session_impl.h.
|
static |
Definition at line 90 of file session_impl.h.
|
static |
Definition at line 55 of file session_impl.h.
|
static |
Definition at line 134 of file session_impl.h.
1.9.4