Bitcoin Core  29.1.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Distributed under the MIT software license, see the accompanying *
3  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
4  ***********************************************************************/
5 
6 #ifndef SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
7 #define SECP256K1_MODULE_MUSIG_TESTS_IMPL_H
8 
9 #include <stdlib.h>
10 #include <string.h>
11 
12 #include "../../../include/secp256k1.h"
13 #include "../../../include/secp256k1_extrakeys.h"
14 #include "../../../include/secp256k1_musig.h"
15 
16 #include "session.h"
17 #include "keyagg.h"
18 #include "../../scalar.h"
19 #include "../../field.h"
20 #include "../../group.h"
21 #include "../../hash.h"
22 #include "../../util.h"
23 
24 #include "vectors.h"
25 
26 static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) {
27  int ret;
28  secp256k1_keypair keypair_tmp;
29  ret = secp256k1_keypair_create(CTX, &keypair_tmp, sk);
30  ret &= secp256k1_keypair_pub(CTX, pk, &keypair_tmp);
31  if (keypair != NULL) {
32  *keypair = keypair_tmp;
33  }
34  return ret;
35 }
36 
37 /* Just a simple (non-tweaked) 2-of-2 MuSig aggregate, sign, verify
38  * test. */
39 static void musig_simple_test(void) {
40  unsigned char sk[2][32];
41  secp256k1_keypair keypair[2];
42  secp256k1_musig_pubnonce pubnonce[2];
43  const secp256k1_musig_pubnonce *pubnonce_ptr[2];
44  secp256k1_musig_aggnonce aggnonce;
45  unsigned char msg[32];
46  secp256k1_xonly_pubkey agg_pk;
47  secp256k1_musig_keyagg_cache keyagg_cache;
48  unsigned char session_secrand[2][32];
49  secp256k1_musig_secnonce secnonce[2];
50  secp256k1_pubkey pk[2];
51  const secp256k1_pubkey *pk_ptr[2];
52  secp256k1_musig_partial_sig partial_sig[2];
53  const secp256k1_musig_partial_sig *partial_sig_ptr[2];
54  unsigned char final_sig[64];
55  secp256k1_musig_session session;
56  int i;
57 
58  testrand256(msg);
59  for (i = 0; i < 2; i++) {
60  testrand256(sk[i]);
61  pk_ptr[i] = &pk[i];
62  pubnonce_ptr[i] = &pubnonce[i];
63  partial_sig_ptr[i] = &partial_sig[i];
64 
65  CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
66  if (i == 0) {
67  testrand256(session_secrand[i]);
68  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[i], &pubnonce[i], session_secrand[i], sk[i], &pk[i], NULL, NULL, NULL) == 1);
69  } else {
70  uint64_t nonrepeating_cnt = 0;
71  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[i], &pubnonce[i], nonrepeating_cnt, &keypair[i], NULL, NULL, NULL) == 1);
72  }
73  }
74 
75  CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
76  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
77  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
78 
79  for (i = 0; i < 2; i++) {
80  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[i], &secnonce[i], &keypair[i], &keyagg_cache, &session) == 1);
81  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[i], &pubnonce[i], &pk[i], &keyagg_cache, &session) == 1);
82  }
83 
84  CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
85  CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), &agg_pk) == 1);
86 }
87 
88 /* Generate two pubnonces such that both group elements of their sum (calculated
89  * with secp256k1_musig_sum_pubnonces) are infinity. */
90 static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce) {
91  secp256k1_ge ge[2];
92  int i;
93  secp256k1_gej summed_pubnonces[2];
94  const secp256k1_musig_pubnonce *pubnonce_ptr[2];
95 
96  testutil_random_ge_test(&ge[0]);
97  testutil_random_ge_test(&ge[1]);
98 
99  for (i = 0; i < 2; i++) {
100  secp256k1_musig_pubnonce_save(&pubnonce[i], ge);
101  pubnonce_ptr[i] = &pubnonce[i];
102  secp256k1_ge_neg(&ge[0], &ge[0]);
103  secp256k1_ge_neg(&ge[1], &ge[1]);
104  }
105 
106  secp256k1_musig_sum_pubnonces(CTX, summed_pubnonces, pubnonce_ptr, 2);
107  CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[0]));
108  CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[1]));
109 }
110 
111 int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len) {
112  int ret;
113  size_t i;
114  ret = secp256k1_memcmp_var(value, expected, len);
115  for (i = 0; i < len; i++) {
116  value[i] = testrand_bits(8);
117  }
118  return ret;
119 }
120 
121 static void musig_api_tests(void) {
122  secp256k1_musig_partial_sig partial_sig[2];
123  const secp256k1_musig_partial_sig *partial_sig_ptr[2];
124  secp256k1_musig_partial_sig invalid_partial_sig;
125  const secp256k1_musig_partial_sig *invalid_partial_sig_ptr[2];
126  unsigned char pre_sig[64];
127  unsigned char buf[32];
128  unsigned char sk[2][32];
129  secp256k1_keypair keypair[2];
130  secp256k1_keypair invalid_keypair;
131  unsigned char max64[64];
132  unsigned char zeros132[132] = { 0 };
133  unsigned char session_secrand[2][32];
134  unsigned char nonrepeating_cnt = 0;
135  secp256k1_musig_secnonce secnonce[2];
136  secp256k1_musig_secnonce secnonce_tmp;
137  secp256k1_musig_secnonce invalid_secnonce;
138  secp256k1_musig_pubnonce pubnonce[2];
139  const secp256k1_musig_pubnonce *pubnonce_ptr[2];
140  unsigned char pubnonce_ser[66];
141  secp256k1_musig_pubnonce inf_pubnonce[2];
142  const secp256k1_musig_pubnonce *inf_pubnonce_ptr[2];
143  secp256k1_musig_pubnonce invalid_pubnonce;
144  const secp256k1_musig_pubnonce *invalid_pubnonce_ptr[1];
145  secp256k1_musig_aggnonce aggnonce;
146  unsigned char aggnonce_ser[66];
147  unsigned char msg[32];
148  secp256k1_xonly_pubkey agg_pk;
149  secp256k1_pubkey full_agg_pk;
150  secp256k1_musig_keyagg_cache keyagg_cache;
151  secp256k1_musig_keyagg_cache invalid_keyagg_cache;
152  secp256k1_musig_session session;
153  secp256k1_musig_session invalid_session;
154  secp256k1_pubkey pk[2];
155  const secp256k1_pubkey *pk_ptr[2];
156  secp256k1_pubkey invalid_pk;
157  const secp256k1_pubkey *invalid_pk_ptr2[2];
158  const secp256k1_pubkey *invalid_pk_ptr3[3];
159  unsigned char tweak[32];
160  int i;
161 
163  memset(max64, 0xff, sizeof(max64));
164  memset(&invalid_keypair, 0, sizeof(invalid_keypair));
165  memset(&invalid_pk, 0, sizeof(invalid_pk));
166  memset(&invalid_secnonce, 0, sizeof(invalid_secnonce));
167  memset(&invalid_partial_sig, 0, sizeof(invalid_partial_sig));
168  pubnonce_summing_to_inf(inf_pubnonce);
169  /* Simulate structs being uninitialized by setting it to 0s. We don't want
170  * to produce undefined behavior by actually providing uninitialized
171  * structs. */
172  memset(&invalid_keyagg_cache, 0, sizeof(invalid_keyagg_cache));
173  memset(&invalid_pk, 0, sizeof(invalid_pk));
174  memset(&invalid_pubnonce, 0, sizeof(invalid_pubnonce));
175  memset(&invalid_session, 0, sizeof(invalid_session));
176 
177  testrand256(msg);
178  testrand256(tweak);
179  for (i = 0; i < 2; i++) {
180  pk_ptr[i] = &pk[i];
181  invalid_pk_ptr2[i] = &invalid_pk;
182  invalid_pk_ptr3[i] = &pk[i];
183  pubnonce_ptr[i] = &pubnonce[i];
184  inf_pubnonce_ptr[i] = &inf_pubnonce[i];
185  partial_sig_ptr[i] = &partial_sig[i];
186  invalid_partial_sig_ptr[i] = &partial_sig[i];
187  testrand256(session_secrand[i]);
188  testrand256(sk[i]);
189  CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
190  }
191  invalid_pubnonce_ptr[0] = &invalid_pubnonce;
192  invalid_partial_sig_ptr[0] = &invalid_partial_sig;
193  /* invalid_pk_ptr3 has two valid, one invalid pk, which is important to test
194  * musig_pubkey_agg */
195  invalid_pk_ptr3[2] = &invalid_pk;
196 
200  CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
201  CHECK(secp256k1_musig_pubkey_agg(CTX, NULL, &keyagg_cache, pk_ptr, 2) == 1);
202  CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2) == 1);
203  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 2));
204  CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
205  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr2, 2));
206  CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
207  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr3, 3));
208  CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
209  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 0));
210  CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
211  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 0));
212  CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0);
213 
214  CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
215 
216  /* pubkey_get */
217  CHECK(secp256k1_musig_pubkey_get(CTX, &full_agg_pk, &keyagg_cache) == 1);
218  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, NULL, &keyagg_cache));
219  CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, &full_agg_pk, NULL));
220  CHECK(secp256k1_memcmp_var(&full_agg_pk, zeros132, sizeof(full_agg_pk)) == 0);
221 
223  {
224  int (*tweak_func[2]) (const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32);
225  tweak_func[0] = secp256k1_musig_pubkey_ec_tweak_add;
226  tweak_func[1] = secp256k1_musig_pubkey_xonly_tweak_add;
227  for (i = 0; i < 2; i++) {
228  secp256k1_pubkey tmp_output_pk;
229  secp256k1_musig_keyagg_cache tmp_keyagg_cache = keyagg_cache;
230  CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, tweak) == 1);
231  /* Reset keyagg_cache */
232  tmp_keyagg_cache = keyagg_cache;
233  CHECK((*tweak_func[i])(CTX, NULL, &tmp_keyagg_cache, tweak) == 1);
234  tmp_keyagg_cache = keyagg_cache;
235  CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, NULL, tweak));
236  CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
237  tmp_keyagg_cache = keyagg_cache;
238  CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, NULL));
239  CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
240  tmp_keyagg_cache = keyagg_cache;
241  CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, max64) == 0);
242  CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
243  tmp_keyagg_cache = keyagg_cache;
244  /* Uninitialized keyagg_cache */
245  CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &invalid_keyagg_cache, tweak));
246  CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0);
247  }
248  }
249 
251  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
252  /* nonce_gen, if successful, sets session_secrand to the zero array, which
253  * makes subsequent nonce_gen calls with the same session_secrand fail. So
254  * check that session_secrand is indeed the zero array and fill it with
255  * random values again. */
256  CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
257 
258  CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen(STATIC_CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
259  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
260 
261  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, NULL, &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
262 
263  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], NULL, session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64));
264  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
265 
266  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64));
267  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
268 
269  /* session_secrand = 0 is disallowed because it indicates a faulty RNG */
270  memcpy(&session_secrand[0], zeros132, sizeof(session_secrand[0]));
271  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], zeros132, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
272  CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
273  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
274 
275  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1);
276  CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
277 
278  /* invalid seckey */
279  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0);
280  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
281 
282  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], NULL, msg, &keyagg_cache, max64));
283  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
284 
285  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64));
286  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
287 
288  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1);
289  CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
290 
291  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, NULL, max64) == 1);
292  CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
293 
294  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64));
295  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
296 
297  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1);
298  CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0);
299 
300  /* Every in-argument except session_secrand and pubkey can be NULL */
301  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], NULL, NULL, NULL) == 1);
302  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk[1], &pk[1], NULL, NULL, NULL) == 1);
303 
305  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64) == 1);
306  CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen_counter(STATIC_CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
307  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
308  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, NULL, &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
309  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], NULL, nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64));
310  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
311  /* using nonce_gen_counter requires keypair */
312  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, NULL, msg, &keyagg_cache, max64));
313  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
314  /* invalid keypair */
315  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &invalid_keypair, msg, &keyagg_cache, max64));
316  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
317  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, &keyagg_cache, max64) == 1);
318  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, NULL, max64) == 1);
319  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &invalid_keyagg_cache, max64));
320  CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0);
321  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt,&keypair[0], msg, &keyagg_cache, NULL) == 1);
322 
323  /* Every in-argument except nonrepeating_cnt and keypair can be NULL */
324  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, NULL, NULL) == 1);
325  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[1], &pubnonce[1], nonrepeating_cnt, &keypair[1], NULL, NULL, NULL) == 1);
326 
327 
329  CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, NULL, &pubnonce[0]));
330  CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, NULL));
331  CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
332  CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &invalid_pubnonce));
333  CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0);
334  CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
335 
336  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
337  CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, NULL, pubnonce_ser));
338  CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], NULL));
339  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], zeros132) == 0);
340  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1);
341 
342  {
343  /* Check that serialize and parse results in the same value */
344  secp256k1_musig_pubnonce tmp;
345  CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1);
346  CHECK(secp256k1_musig_pubnonce_parse(CTX, &tmp, pubnonce_ser) == 1);
347  CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
348  }
349 
351  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
352  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, NULL, pubnonce_ptr, 2));
353  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, NULL, 2));
354  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 0));
355  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, invalid_pubnonce_ptr, 1));
356  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, inf_pubnonce_ptr, 2) == 1);
357  {
358  /* Check that the aggnonce encodes two points at infinity */
359  secp256k1_ge aggnonce_pt[2];
360  secp256k1_musig_aggnonce_load(CTX, aggnonce_pt, &aggnonce);
361  for (i = 0; i < 2; i++) {
362  secp256k1_ge_is_infinity(&aggnonce_pt[i]);
363  }
364  }
365  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
366 
368  CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
369  CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, NULL, &aggnonce));
370  CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, NULL));
371  CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
372  CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, (secp256k1_musig_aggnonce*) &invalid_pubnonce));
373  CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0);
374  CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
375 
376  CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
377  CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, NULL, aggnonce_ser));
378  CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, &aggnonce, NULL));
379  CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, zeros132) == 1);
380  CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1);
381 
382  {
383  /* Check that serialize and parse results in the same value */
384  secp256k1_musig_aggnonce tmp;
385  CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1);
386  CHECK(secp256k1_musig_aggnonce_parse(CTX, &tmp, aggnonce_ser) == 1);
387  CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0);
388  }
389 
391  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
392  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, NULL, &aggnonce, msg, &keyagg_cache));
393  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, NULL, msg, &keyagg_cache));
394  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, (secp256k1_musig_aggnonce*) &invalid_pubnonce, msg, &keyagg_cache));
395  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, NULL, &keyagg_cache));
396  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, NULL));
397  CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &invalid_keyagg_cache));
398 
399  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1);
400 
401  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
402  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1);
403  /* The secnonce is set to 0 and subsequent signing attempts fail */
404  CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros132, sizeof(secnonce_tmp)) == 0);
405  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
406  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
407  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, NULL, &secnonce_tmp, &keypair[0], &keyagg_cache, &session));
408  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
409  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], NULL, &keypair[0], &keyagg_cache, &session));
410  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &invalid_secnonce, &keypair[0], &keyagg_cache, &session));
411  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, NULL, &keyagg_cache, &session));
412  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
413  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &invalid_keypair, &keyagg_cache, &session));
414  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
415  {
416  unsigned char sk_tmp[32];
417  secp256k1_keypair keypair_tmp;
418  testrand256(sk_tmp);
419  CHECK(secp256k1_keypair_create(CTX, &keypair_tmp, sk_tmp));
420  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair_tmp, &keyagg_cache, &session));
421  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
422  }
423  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], NULL, &session));
424  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
425  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &invalid_keyagg_cache, &session));
426  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
427  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, NULL));
428  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
429  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &invalid_session));
430  memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
431 
432  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], &keyagg_cache, &session) == 1);
433  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], &keyagg_cache, &session) == 1);
434 
435  CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
436  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, NULL, &partial_sig[0]));
437  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, NULL));
438  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, &invalid_partial_sig));
439  CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], buf) == 1);
440  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, NULL, buf));
441  {
442  /* Check that parsing failure results in an invalid sig */
443  secp256k1_musig_partial_sig tmp;
444  CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, max64) == 0);
445  CHECK(secp256k1_memcmp_var(&tmp, zeros132, sizeof(partial_sig[0])) == 0);
446  }
447  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], NULL));
448 
449  {
450  /* Check that serialize and parse results in the same value */
451  secp256k1_musig_partial_sig tmp;
452  CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1);
453  CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, buf) == 1);
454  CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
455  }
456 
458  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
459  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 0);
460  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, NULL, &pubnonce[0], &pk[0], &keyagg_cache, &session));
461  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &invalid_partial_sig, &pubnonce[0], &pk[0], &keyagg_cache, &session));
462  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], NULL, &pk[0], &keyagg_cache, &session));
463  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &invalid_pubnonce, &pk[0], &keyagg_cache, &session));
464  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], NULL, &keyagg_cache, &session));
465  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &invalid_pk, &keyagg_cache, &session));
466  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], NULL, &session));
467  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &invalid_keyagg_cache, &session));
468  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, NULL));
469  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &invalid_session));
470 
471  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1);
472  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], &keyagg_cache, &session) == 1);
473 
475  CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
476  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, NULL, &session, partial_sig_ptr, 2));
477  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, NULL, partial_sig_ptr, 2));
478  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &invalid_session, partial_sig_ptr, 2));
479  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, NULL, 2));
480  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, invalid_partial_sig_ptr, 2));
481  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 0));
482  CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 1) == 1);
483  CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1);
484 }
485 
486 static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
487  secp256k1_scalar k1[2], k2[2];
488 
489  secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4], args[5]);
490  testrand_flip(args[n_flip], n_bytes);
491  secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4], args[5]);
492  CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0);
493  CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0);
494 }
495 
496 static void musig_nonce_test(void) {
497  unsigned char *args[6];
498  unsigned char session_secrand[32];
499  unsigned char sk[32];
500  unsigned char pk[33];
501  unsigned char msg[32];
502  unsigned char agg_pk[32];
503  unsigned char extra_input[32];
504  int i, j;
505  secp256k1_scalar k[6][2];
506 
507  testrand_bytes_test(session_secrand, sizeof(session_secrand));
508  testrand_bytes_test(sk, sizeof(sk));
509  testrand_bytes_test(pk, sizeof(pk));
510  testrand_bytes_test(msg, sizeof(msg));
511  testrand_bytes_test(agg_pk, sizeof(agg_pk));
512  testrand_bytes_test(extra_input, sizeof(extra_input));
513 
514  /* Check that a bitflip in an argument results in different nonces. */
515  args[0] = session_secrand;
516  args[1] = msg;
517  args[2] = sk;
518  args[3] = pk;
519  args[4] = agg_pk;
520  args[5] = extra_input;
521  for (i = 0; i < COUNT; i++) {
522  musig_nonce_bitflip(args, 0, sizeof(session_secrand));
523  musig_nonce_bitflip(args, 1, sizeof(msg));
524  musig_nonce_bitflip(args, 2, sizeof(sk));
525  musig_nonce_bitflip(args, 3, sizeof(pk));
526  musig_nonce_bitflip(args, 4, sizeof(agg_pk));
527  musig_nonce_bitflip(args, 5, sizeof(extra_input));
528  }
529  /* Check that if any argument is NULL, a different nonce is produced than if
530  * any other argument is NULL. */
531  memcpy(msg, session_secrand, sizeof(msg));
532  memcpy(sk, session_secrand, sizeof(sk));
533  memcpy(pk, session_secrand, sizeof(session_secrand));
534  memcpy(agg_pk, session_secrand, sizeof(agg_pk));
535  memcpy(extra_input, session_secrand, sizeof(extra_input));
536  secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4], args[5]);
537  secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4], args[5]);
538  secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4], args[5]);
539  secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4], args[5]);
540  secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL, args[5]);
541  secp256k1_nonce_function_musig(k[5], args[0], args[1], args[2], args[3], args[4], NULL);
542  for (i = 0; i < 6; i++) {
543  CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1]));
544  for (j = i+1; j < 6; j++) {
545  CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0]));
546  CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1]));
547  }
548  }
549 }
550 
551 static void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag, size_t taglen) {
552  secp256k1_sha256 sha;
553  secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
554  test_sha256_eq(&sha, sha_tagged);
555 }
556 
557 /* Checks that the initialized tagged hashes have the expected
558  * state. */
559 static void sha256_tag_test(void) {
560  secp256k1_sha256 sha;
561  {
562  char tag[] = "KeyAgg list";
563  secp256k1_musig_keyagglist_sha256(&sha);
564  sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
565  }
566  {
567  char tag[] = "KeyAgg coefficient";
568  secp256k1_musig_keyaggcoef_sha256(&sha);
569  sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
570  }
571  {
572  unsigned char tag[] = "MuSig/aux";
573  secp256k1_nonce_function_musig_sha256_tagged_aux(&sha);
574  sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
575  }
576  {
577  unsigned char tag[] = "MuSig/nonce";
578  secp256k1_nonce_function_musig_sha256_tagged(&sha);
579  sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
580  }
581  {
582  unsigned char tag[] = "MuSig/noncecoef";
583  secp256k1_musig_compute_noncehash_sha256_tagged(&sha);
584  sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1);
585  }
586 }
587 
588 /* Attempts to create a signature for the aggregate public key using given secret
589  * keys and keyagg_cache. */
590 static void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache) {
591  secp256k1_pubkey pk[2];
592  unsigned char session_secrand[2][32];
593  unsigned char msg[32];
594  secp256k1_musig_secnonce secnonce[2];
595  secp256k1_musig_pubnonce pubnonce[2];
596  const secp256k1_musig_pubnonce *pubnonce_ptr[2];
597  secp256k1_musig_aggnonce aggnonce;
598  secp256k1_keypair keypair[2];
599  secp256k1_musig_session session;
600  secp256k1_musig_partial_sig partial_sig[2];
601  const secp256k1_musig_partial_sig *partial_sig_ptr[2];
602  unsigned char final_sig[64];
603  int i;
604 
605  for (i = 0; i < 2; i++) {
606  pubnonce_ptr[i] = &pubnonce[i];
607  partial_sig_ptr[i] = &partial_sig[i];
608 
609  testrand256(session_secrand[i]);
610  }
611  CHECK(create_keypair_and_pk(&keypair[0], &pk[0], sk0) == 1);
612  CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1);
613  testrand256(msg);
614 
615  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk0, &pk[0], NULL, NULL, NULL) == 1);
616  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk1, &pk[1], NULL, NULL, NULL) == 1);
617 
618  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1);
619  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, keyagg_cache) == 1);
620 
621  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], keyagg_cache, &session) == 1);
622  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], keyagg_cache, &session) == 1);
623 
624  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], keyagg_cache, &session) == 1);
625  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], keyagg_cache, &session) == 1);
626 
627  CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1);
628  CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), agg_pk) == 1);
629 }
630 
631 /* Create aggregate public key P[0], tweak multiple times (using xonly and
632  * plain tweaking) and test signing. */
633 static void musig_tweak_test(void) {
634  unsigned char sk[2][32];
635  secp256k1_pubkey pk[2];
636  const secp256k1_pubkey *pk_ptr[2];
637  secp256k1_musig_keyagg_cache keyagg_cache;
638  enum { N_TWEAKS = 8 };
639  secp256k1_pubkey P[N_TWEAKS + 1];
640  secp256k1_xonly_pubkey P_xonly[N_TWEAKS + 1];
641  int i;
642 
643  /* Key Setup */
644  for (i = 0; i < 2; i++) {
645  pk_ptr[i] = &pk[i];
646  testrand256(sk[i]);
647  CHECK(create_keypair_and_pk(NULL, &pk[i], sk[i]) == 1);
648  }
649  /* Compute P0 = keyagg(pk0, pk1) and test signing for it */
650  CHECK(secp256k1_musig_pubkey_agg(CTX, &P_xonly[0], &keyagg_cache, pk_ptr, 2) == 1);
651  musig_tweak_test_helper(&P_xonly[0], sk[0], sk[1], &keyagg_cache);
652  CHECK(secp256k1_musig_pubkey_get(CTX, &P[0], &keyagg_cache));
653 
654  /* Compute Pi = f(Pj) + tweaki*G where where j = i-1 and try signing for
655  * that key. If xonly is set to true, the function f normalizes the input
656  * point to have an even X-coordinate ("xonly-tweaking").
657  * Otherwise, the function f is the identity function. */
658  for (i = 1; i <= N_TWEAKS; i++) {
659  unsigned char tweak[32];
660  int P_parity;
661  int xonly = testrand_bits(1);
662 
663  testrand256(tweak);
664  if (xonly) {
665  CHECK(secp256k1_musig_pubkey_xonly_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
666  } else {
667  CHECK(secp256k1_musig_pubkey_ec_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1);
668  }
669  CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &P_xonly[i], &P_parity, &P[i]));
670  /* Check that musig_pubkey_tweak_add produces same result as
671  * xonly_pubkey_tweak_add or ec_pubkey_tweak_add. */
672  if (xonly) {
673  unsigned char P_serialized[32];
674  CHECK(secp256k1_xonly_pubkey_serialize(CTX, P_serialized, &P_xonly[i]));
675  CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, P_serialized, P_parity, &P_xonly[i-1], tweak) == 1);
676  } else {
677  secp256k1_pubkey tmp_key = P[i-1];
678  CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &tmp_key, tweak));
679  CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
680  }
681  /* Test signing for P[i] */
682  musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache);
683  }
684 }
685 
686 int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error,
687  secp256k1_musig_keyagg_cache *keyagg_cache,
688  unsigned char *agg_pk_ser,
689  const unsigned char pubkeys33[][33],
690  const unsigned char tweaks32[][32],
691  size_t key_indices_len,
692  const size_t *key_indices,
693  size_t tweak_indices_len,
694  const size_t *tweak_indices,
695  const int *is_xonly) {
696  secp256k1_pubkey pubkeys[MUSIG_VECTORS_MAX_PUBKEYS];
697  const secp256k1_pubkey *pk_ptr[MUSIG_VECTORS_MAX_PUBKEYS];
698  int i;
699  secp256k1_pubkey agg_pk;
700  secp256k1_xonly_pubkey agg_pk_xonly;
701 
702  for (i = 0; i < (int)key_indices_len; i++) {
703  if (!secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pubkeys33[key_indices[i]], 33)) {
704  *error = MUSIG_PUBKEY;
705  return 0;
706  }
707  pk_ptr[i] = &pubkeys[i];
708  }
709  if (!secp256k1_musig_pubkey_agg(CTX, NULL, keyagg_cache, pk_ptr, key_indices_len)) {
710  *error = MUSIG_OTHER;
711  return 0;
712  }
713 
714  for (i = 0; i < (int)tweak_indices_len; i++) {
715  if (is_xonly[i]) {
716  if (!secp256k1_musig_pubkey_xonly_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
717  *error = MUSIG_TWEAK;
718  return 0;
719  }
720  } else {
721  if (!secp256k1_musig_pubkey_ec_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) {
722  *error = MUSIG_TWEAK;
723  return 0;
724  }
725  }
726  }
727  if (!secp256k1_musig_pubkey_get(CTX, &agg_pk, keyagg_cache)) {
728  *error = MUSIG_OTHER;
729  return 0;
730  }
731 
732  if (!secp256k1_xonly_pubkey_from_pubkey(CTX, &agg_pk_xonly, NULL, &agg_pk)) {
733  *error = MUSIG_OTHER;
734  return 0;
735  }
736 
737  if (agg_pk_ser != NULL) {
738  if (!secp256k1_xonly_pubkey_serialize(CTX, agg_pk_ser, &agg_pk_xonly)) {
739  *error = MUSIG_OTHER;
740  return 0;
741  }
742  }
743 
744  return 1;
745 }
746 
747 static void musig_test_vectors_keyagg(void) {
748  size_t i;
749  const struct musig_key_agg_vector *vector = &musig_key_agg_vector;
750 
751  for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
752  const struct musig_key_agg_valid_test_case *c = &vector->valid_case[i];
753  enum MUSIG_ERROR error;
754  secp256k1_musig_keyagg_cache keyagg_cache;
755  unsigned char agg_pk[32];
756 
757  CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, 0, NULL, NULL));
758  CHECK(secp256k1_memcmp_var(agg_pk, c->expected, sizeof(agg_pk)) == 0);
759  }
760 
761  for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
762  const struct musig_key_agg_error_test_case *c = &vector->error_case[i];
763  enum MUSIG_ERROR error;
764  secp256k1_musig_keyagg_cache keyagg_cache;
765 
766  CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
767  CHECK(c->error == error);
768  }
769 }
770 
771 static void musig_test_vectors_noncegen(void) {
772  size_t i;
773  const struct musig_nonce_gen_vector *vector = &musig_nonce_gen_vector;
774 
775  for (i = 0; i < sizeof(vector->test_case)/sizeof(vector->test_case[0]); i++) {
776  const struct musig_nonce_gen_test_case *c = &vector->test_case[i];
777  secp256k1_musig_keyagg_cache keyagg_cache;
778  secp256k1_musig_keyagg_cache *keyagg_cache_ptr = NULL;
779  unsigned char session_secrand32[32];
780  secp256k1_musig_secnonce secnonce;
781  secp256k1_musig_pubnonce pubnonce;
782  const unsigned char *sk = NULL;
783  const unsigned char *msg = NULL;
784  const unsigned char *extra_in = NULL;
785  secp256k1_pubkey pk;
786  unsigned char pubnonce66[66];
787 
788  memcpy(session_secrand32, c->rand_, 32);
789  if (c->has_sk) {
790  sk = c->sk;
791  }
792  if (c->has_aggpk) {
793  /* Create keyagg_cache from aggpk */
794  secp256k1_keyagg_cache_internal cache_i;
795  secp256k1_xonly_pubkey aggpk;
796  memset(&cache_i, 0, sizeof(cache_i));
797  CHECK(secp256k1_xonly_pubkey_parse(CTX, &aggpk, c->aggpk));
798  CHECK(secp256k1_xonly_pubkey_load(CTX, &cache_i.pk, &aggpk));
799  secp256k1_keyagg_cache_save(&keyagg_cache, &cache_i);
800  keyagg_cache_ptr = &keyagg_cache;
801  }
802  if (c->has_msg) {
803  msg = c->msg;
804  }
805  if (c->has_extra_in) {
806  extra_in = c->extra_in;
807  }
808 
809  CHECK(secp256k1_ec_pubkey_parse(CTX, &pk, c->pk, sizeof(c->pk)));
810  CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce, &pubnonce, session_secrand32, sk, &pk, msg, keyagg_cache_ptr, extra_in) == 1);
811  CHECK(secp256k1_memcmp_var(&secnonce.data[4], c->expected_secnonce, 2*32) == 0);
812  /* The last element of the secnonce is the public key (uncompressed in
813  * secp256k1_musig_secnonce, compressed in the test vector secnonce). */
814  CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
815  CHECK(secp256k1_memcmp_var(&c->expected_secnonce[2*32], c->pk, sizeof(c->pk)) == 0);
816 
817  CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
818  CHECK(sizeof(c->expected_pubnonce) == sizeof(pubnonce66));
819  CHECK(secp256k1_memcmp_var(pubnonce66, c->expected_pubnonce, sizeof(pubnonce66)) == 0);
820  }
821 }
822 
823 
824 static void musig_test_vectors_nonceagg(void) {
825  size_t i;
826  int j;
827  const struct musig_nonce_agg_vector *vector = &musig_nonce_agg_vector;
828 
829  for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
830  const struct musig_nonce_agg_test_case *c = &vector->valid_case[i];
831  secp256k1_musig_pubnonce pubnonce[2];
832  const secp256k1_musig_pubnonce *pubnonce_ptr[2];
833  secp256k1_musig_aggnonce aggnonce;
834  unsigned char aggnonce66[66];
835 
836  for (j = 0; j < 2; j++) {
837  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]) == 1);
838  pubnonce_ptr[j] = &pubnonce[j];
839  }
840  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2));
841  CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce66, &aggnonce));
842  CHECK(secp256k1_memcmp_var(aggnonce66, c->expected, 33) == 0);
843  }
844  for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
845  const struct musig_nonce_agg_test_case *c = &vector->error_case[i];
846  secp256k1_musig_pubnonce pubnonce[2];
847  for (j = 0; j < 2; j++) {
848  int expected = c->invalid_nonce_idx != j;
849  CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]));
850  }
851  }
852 }
853 
854 static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey) {
855  secp256k1_ge pk;
856  secp256k1_scalar k[2];
857 
858  secp256k1_scalar_set_b32(&k[0], &secnonce64[0], NULL);
859  secp256k1_scalar_set_b32(&k[1], &secnonce64[32], NULL);
860  CHECK(secp256k1_pubkey_load(CTX, &pk, pubkey));
861  secp256k1_musig_secnonce_save(secnonce, k, &pk);
862 }
863 
864 static void musig_test_vectors_signverify(void) {
865  size_t i;
866  const struct musig_sign_verify_vector *vector = &musig_sign_verify_vector;
867 
868  for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
869  const struct musig_valid_case *c = &vector->valid_case[i];
870  enum MUSIG_ERROR error;
871  secp256k1_musig_keyagg_cache keyagg_cache;
872  secp256k1_pubkey pubkey;
873  secp256k1_musig_pubnonce pubnonce;
874  secp256k1_musig_aggnonce aggnonce;
875  secp256k1_musig_session session;
876  secp256k1_musig_partial_sig partial_sig;
877  secp256k1_musig_secnonce secnonce;
878  secp256k1_keypair keypair;
879  unsigned char partial_sig32[32];
880 
881  CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
882  CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
883 
884  CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
885  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
886 
887  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
888  musig_test_set_secnonce(&secnonce, vector->secnonces[0], &pubkey);
889  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
890  CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
891  CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
892 
893  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[0]));
894  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
895  }
896  for (i = 0; i < sizeof(vector->sign_error_case)/sizeof(vector->sign_error_case[0]); i++) {
897  const struct musig_sign_error_case *c = &vector->sign_error_case[i];
898  enum MUSIG_ERROR error;
899  secp256k1_musig_keyagg_cache keyagg_cache;
900  secp256k1_pubkey pubkey;
901  secp256k1_musig_aggnonce aggnonce;
902  secp256k1_musig_session session;
903  secp256k1_musig_partial_sig partial_sig;
904  secp256k1_musig_secnonce secnonce;
905  secp256k1_keypair keypair;
906  int expected;
907 
908  if (i == 0) {
909  /* Skip this vector since the implementation does not error out when
910  * the signing key does not belong to any pubkey. */
911  continue;
912  }
913  expected = c->error != MUSIG_PUBKEY;
914  CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
915  CHECK(expected || c->error == error);
916  if (!expected) {
917  continue;
918  }
919 
920  expected = c->error != MUSIG_AGGNONCE;
921  CHECK(expected == secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index]));
922  if (!expected) {
923  continue;
924  }
925  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
926 
927  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
928  musig_test_set_secnonce(&secnonce, vector->secnonces[c->secnonce_index], &pubkey);
929  expected = c->error != MUSIG_SECNONCE;
930  if (expected) {
931  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
932  } else {
933  CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
934  }
935  }
936  for (i = 0; i < sizeof(vector->verify_fail_case)/sizeof(vector->verify_fail_case[0]); i++) {
937  const struct musig_verify_fail_error_case *c = &vector->verify_fail_case[i];
938  enum MUSIG_ERROR error;
939  secp256k1_musig_keyagg_cache keyagg_cache;
940  secp256k1_musig_aggnonce aggnonce;
941  secp256k1_musig_session session;
942  secp256k1_musig_partial_sig partial_sig;
943  enum { NUM_PUBNONCES = 3 };
944  secp256k1_musig_pubnonce pubnonce[NUM_PUBNONCES];
945  const secp256k1_musig_pubnonce *pubnonce_ptr[NUM_PUBNONCES];
946  secp256k1_pubkey pubkey;
947  int expected;
948  size_t j;
949 
950  CHECK(NUM_PUBNONCES <= c->nonce_indices_len);
951  for (j = 0; j < c->nonce_indices_len; j++) {
952  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pubnonces[c->nonce_indices[j]]));
953  pubnonce_ptr[j] = &pubnonce[j];
954  }
955 
956  CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
957  CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, c->nonce_indices_len) == 1);
958  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache));
959 
960  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[c->signer_index], sizeof(vector->pubkeys[0])));
961 
962  expected = c->error != MUSIG_SIG;
963  CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig, c->sig));
964  if (!expected) {
965  continue;
966  }
967  expected = c->error != MUSIG_SIG_VERIFY;
968  CHECK(expected == secp256k1_musig_partial_sig_verify(CTX, &partial_sig, pubnonce, &pubkey, &keyagg_cache, &session));
969  }
970  for (i = 0; i < sizeof(vector->verify_error_case)/sizeof(vector->verify_error_case[0]); i++) {
971  const struct musig_verify_fail_error_case *c = &vector->verify_error_case[i];
972  enum MUSIG_ERROR error;
973  secp256k1_musig_keyagg_cache keyagg_cache;
974  secp256k1_musig_pubnonce pubnonce;
975  int expected;
976 
977  expected = c->error != MUSIG_PUBKEY;
978  CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL));
979  CHECK(expected || c->error == error);
980  if (!expected) {
981  continue;
982  }
983  expected = c->error != MUSIG_PUBNONCE;
984  CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
985  }
986 }
987 
988 static void musig_test_vectors_tweak(void) {
989  size_t i;
990  const struct musig_tweak_vector *vector = &musig_tweak_vector;
991  secp256k1_pubkey pubkey;
992  secp256k1_musig_aggnonce aggnonce;
993  secp256k1_musig_secnonce secnonce;
994 
995  CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonce));
996  CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0])));
997 
998  for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
999  const struct musig_tweak_case *c = &vector->valid_case[i];
1000  enum MUSIG_ERROR error;
1001  secp256k1_musig_keyagg_cache keyagg_cache;
1002  secp256k1_musig_pubnonce pubnonce;
1003  secp256k1_musig_session session;
1004  secp256k1_musig_partial_sig partial_sig;
1005  secp256k1_keypair keypair;
1006  unsigned char partial_sig32[32];
1007 
1008  musig_test_set_secnonce(&secnonce, vector->secnonce, &pubkey);
1009 
1010  CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk));
1011  CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1012 
1013  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1014 
1015  CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session));
1016  CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig));
1017  CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0);
1018 
1019  CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]]));
1020  CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session));
1021  }
1022  for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1023  const struct musig_tweak_case *c = &vector->error_case[i];
1024  enum MUSIG_ERROR error;
1025  secp256k1_musig_keyagg_cache keyagg_cache;
1026  CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1027  CHECK(error == MUSIG_TWEAK);
1028  }
1029 }
1030 
1031 static void musig_test_vectors_sigagg(void) {
1032  size_t i, j;
1033  const struct musig_sig_agg_vector *vector = &musig_sig_agg_vector;
1034 
1035  for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) {
1036  const struct musig_sig_agg_case *c = &vector->valid_case[i];
1037  enum MUSIG_ERROR error;
1038  unsigned char final_sig[64];
1039  secp256k1_musig_keyagg_cache keyagg_cache;
1040  unsigned char agg_pk32[32];
1041  secp256k1_xonly_pubkey agg_pk;
1042  secp256k1_musig_aggnonce aggnonce;
1043  secp256k1_musig_session session;
1044  secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1045  const secp256k1_musig_partial_sig *partial_sig_ptr[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1046 
1047  CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk32, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly));
1048  CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, c->aggnonce));
1049  CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache));
1050  for (j = 0; j < c->psig_indices_len; j++) {
1051  CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1052  partial_sig_ptr[j] = &partial_sig[j];
1053  }
1054 
1055  CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, c->psig_indices_len) == 1);
1056  CHECK(secp256k1_memcmp_var(final_sig, c->expected, sizeof(final_sig)) == 0);
1057 
1058  CHECK(secp256k1_xonly_pubkey_parse(CTX, &agg_pk, agg_pk32));
1059  CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, vector->msg, sizeof(vector->msg), &agg_pk) == 1);
1060  }
1061  for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) {
1062  const struct musig_sig_agg_case *c = &vector->error_case[i];
1063  secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))];
1064  for (j = 0; j < c->psig_indices_len; j++) {
1065  int expected = c->invalid_sig_idx != (int)j;
1066  CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]]));
1067  }
1068  }
1069 }
1070 
1071 /* Since the BIP doesn't provide static test vectors for nonce_gen_counter, we
1072  * define a static test here */
1073 static void musig_test_static_nonce_gen_counter(void) {
1074  secp256k1_musig_secnonce secnonce;
1075  secp256k1_musig_pubnonce pubnonce;
1076  unsigned char pubnonce66[66];
1077  secp256k1_pubkey pk;
1078  secp256k1_keypair keypair;
1079  uint64_t nonrepeating_cnt = 0;
1080  unsigned char sk[32] = {
1081  0xEE, 0xC1, 0xCB, 0x7D, 0x1B, 0x72, 0x54, 0xC5,
1082  0xCA, 0xB0, 0xD9, 0xC6, 0x1A, 0xB0, 0x2E, 0x64,
1083  0x3D, 0x46, 0x4A, 0x59, 0xFE, 0x6C, 0x96, 0xA7,
1084  0xEF, 0xE8, 0x71, 0xF0, 0x7C, 0x5A, 0xEF, 0x54,
1085  };
1086  unsigned char expected_secnonce[64] = {
1087  0x84, 0x2F, 0x13, 0x80, 0xCD, 0x17, 0xA1, 0x98,
1088  0xFC, 0x3D, 0xAD, 0x3B, 0x7D, 0xA7, 0x49, 0x29,
1089  0x41, 0xF4, 0x69, 0x76, 0xF2, 0x70, 0x2F, 0xF7,
1090  0xC6, 0x6F, 0x24, 0xF4, 0x72, 0x03, 0x6A, 0xF1,
1091  0xDA, 0x3F, 0x95, 0x2D, 0xDE, 0x4A, 0x2D, 0xA6,
1092  0xB6, 0x32, 0x57, 0x07, 0xCE, 0x87, 0xA4, 0xE3,
1093  0x61, 0x6D, 0x06, 0xFC, 0x5F, 0x81, 0xA9, 0xC9,
1094  0x93, 0x86, 0xD2, 0x0A, 0x99, 0xCE, 0xCF, 0x99,
1095  };
1096  unsigned char expected_pubnonce[66] = {
1097  0x03, 0xA5, 0xB9, 0xB6, 0x90, 0x79, 0x42, 0xEA,
1098  0xCD, 0xDA, 0x49, 0xA3, 0x66, 0x01, 0x6E, 0xC2,
1099  0xE6, 0x24, 0x04, 0xA1, 0xBF, 0x4A, 0xB6, 0xD4,
1100  0xDB, 0x82, 0x06, 0x7B, 0xC3, 0xAD, 0xF0, 0x86,
1101  0xD7, 0x03, 0x32, 0x05, 0xDB, 0x9E, 0xB3, 0x4D,
1102  0x5C, 0x7C, 0xE0, 0x28, 0x48, 0xCA, 0xC6, 0x8A,
1103  0x83, 0xED, 0x73, 0xE3, 0x88, 0x34, 0x77, 0xF5,
1104  0x63, 0xF2, 0x3C, 0xE9, 0xA1, 0x1A, 0x77, 0x21,
1105  0xEC, 0x64,
1106  };
1107 
1108  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
1109  CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair));
1110  CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce, &pubnonce, nonrepeating_cnt, &keypair, NULL, NULL, NULL) == 1);
1111 
1112  CHECK(secp256k1_memcmp_var(&secnonce.data[4], expected_secnonce, 2*32) == 0);
1113  CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0);
1114 
1115  CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1);
1116  CHECK(secp256k1_memcmp_var(pubnonce66, expected_pubnonce, sizeof(pubnonce66)) == 0);
1117 }
1118 
1119 static void run_musig_tests(void) {
1120  int i;
1121 
1122  for (i = 0; i < COUNT; i++) {
1123  musig_simple_test();
1124  }
1125  musig_api_tests();
1126  musig_nonce_test();
1127  for (i = 0; i < COUNT; i++) {
1128  /* Run multiple times to ensure that pk and nonce have different y
1129  * parities */
1130  musig_tweak_test();
1131  }
1132  sha256_tag_test();
1133  musig_test_vectors_keyagg();
1134  musig_test_vectors_noncegen();
1135  musig_test_vectors_nonceagg();
1136  musig_test_vectors_signverify();
1137  musig_test_vectors_tweak();
1138  musig_test_vectors_sigagg();
1139 
1140  musig_test_static_nonce_gen_counter();
1141 }
1142 
1143 #endif
musig_verify_fail_error_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:155
musig_sign_verify_vector::sign_error_case
struct musig_sign_error_case sign_error_case[6]
Definition: vectors.h:169
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
musig_tweak_test
static void musig_tweak_test(void)
Definition: tests_impl.h:633
secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:233
musig_test_vectors_tweak
static void musig_test_vectors_tweak(void)
Definition: tests_impl.h:988
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki) v1.0.0.
Definition: secp256k1_musig.h:43
musig_sign_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:142
ret
int ret
Definition: bitcoin-cli.cpp:1358
musig_key_agg_error_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:26
secp256k1_musig_pubnonce_serialize
SECP256K1_API int secp256k1_musig_pubnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_pubnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a signer&#39;s public nonce.
Definition: session_impl.h:214
secp256k1_musig_partial_sign
SECP256K1_API int secp256k1_musig_partial_sign(const secp256k1_context *ctx, secp256k1_musig_partial_sig *partial_sig, secp256k1_musig_secnonce *secnonce, const secp256k1_keypair *keypair, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Produces a partial signature.
Definition: session_impl.h:658
musig_tweak_case::nonce_indices
size_t nonce_indices[3]
Definition: vectors.h:232
musig_sign_error_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:144
musig_sign_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:143
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
testutil_random_ge_test
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:82
musig_nonce_agg_test_case
Definition: vectors.h:95
musig_nonce_agg_vector::valid_case
struct musig_nonce_agg_test_case valid_case[2]
Definition: vectors.h:105
secp256k1_nonce_function_musig
static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_secrand, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32)
Definition: session_impl.h:352
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
musig_nonce_gen_test_case::has_aggpk
int has_aggpk
Definition: vectors.h:74
musig_nonce_gen_test_case::rand_
unsigned char rand_[32]
Definition: vectors.h:70
secp256k1_keyagg_cache_save
static void secp256k1_keyagg_cache_save(secp256k1_musig_keyagg_cache *cache, const secp256k1_keyagg_cache_internal *cache_i)
Definition: keyagg_impl.h:31
memcmp_and_randomize
int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len)
Definition: tests_impl.h:111
musig_nonce_gen_test_case::pk
unsigned char pk[33]
Definition: vectors.h:73
secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77
musig_tweak_case
Definition: vectors.h:228
musig_key_agg_vector::tweaks
unsigned char tweaks[2][32]
Definition: vectors.h:35
musig_tweak_vector::valid_case
struct musig_tweak_case valid_case[5]
Definition: vectors.h:248
musig_tweak_vector::msg
unsigned char msg[32]
Definition: vectors.h:244
secp256k1_xonly_pubkey::data
unsigned char data[64]
Definition: secp256k1_extrakeys.h:23
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
musig_simple_test
static void musig_simple_test(void)
Definition: tests_impl.h:39
musig_key_agg_vector
static const struct musig_key_agg_vector musig_key_agg_vector
Definition: vectors.h:40
musig_tweak_vector::pubnonces
unsigned char pubnonces[3][194]
Definition: vectors.h:246
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
musig_verify_fail_error_case::nonce_indices_len
size_t nonce_indices_len
Definition: vectors.h:154
secp256k1_nonce_function_musig_sha256_tagged
static void secp256k1_nonce_function_musig_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:339
musig_sign_verify_vector
static const struct musig_sign_verify_vector musig_sign_verify_vector
Definition: vectors.h:174
musig_sig_agg_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:289
secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:536
secp256k1_musig_keyagglist_sha256
static void secp256k1_musig_keyagglist_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:64
musig_nonce_agg_vector::error_case
struct musig_nonce_agg_test_case error_case[3]
Definition: vectors.h:106
musig_sig_agg_case::tweak_indices
size_t tweak_indices[3]
Definition: vectors.h:292
secp256k1_musig_secnonce_save
static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, const secp256k1_scalar *k, const secp256k1_ge *pk)
Definition: session_impl.h:57
secp256k1_keypair_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the public key from a keypair.
Definition: main_impl.h:224
musig_tweak_vector::tweaks
unsigned char tweaks[5][32]
Definition: vectors.h:247
musig_tweak_case::is_xonly
int is_xonly[4]
Definition: vectors.h:235
musig_valid_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:133
sha256_tag_test
static void sha256_tag_test(void)
Definition: tests_impl.h:559
musig_key_agg_valid_test_case::expected
unsigned char expected[32]
Definition: vectors.h:21
secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer&#39;s partial signature.
Definition: session_impl.h:728
secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer&#39;s public nonce.
Definition: session_impl.h:194
musig_key_agg_error_test_case
Definition: vectors.h:24
musig_sig_agg_vector::msg
unsigned char msg[32]
Definition: vectors.h:307
musig_tweak_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:229
secp256k1_sha256
Definition: hash.h:13
musig_verify_fail_error_case::signer_index
size_t signer_index
Definition: vectors.h:157
musig_valid_case::key_indices
size_t key_indices[3]
Definition: vectors.h:134
secp256k1_musig_keyaggcoef_sha256
static void secp256k1_musig_keyaggcoef_sha256(secp256k1_sha256 *sha)
Definition: keyagg_impl.h:99
musig_tweak_vector
static const struct musig_tweak_vector musig_tweak_vector
Definition: vectors.h:252
mp::memcpy
memcpy(result.begin(), stream.data(), stream.size())
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_context_struct
Definition: secp256k1.c:61
musig_tweak_vector::error_case
struct musig_tweak_case error_case[1]
Definition: vectors.h:249
musig_key_agg_error_test_case::tweak_indices
size_t tweak_indices[1]
Definition: vectors.h:28
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:614
musig_nonce_agg_test_case::pnonce_indices
size_t pnonce_indices[2]
Definition: vectors.h:96
musig_tweak_case::key_indices
size_t key_indices[3]
Definition: vectors.h:230
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
musig_sign_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:147
musig_vectors_keyagg_and_tweak
int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error, secp256k1_musig_keyagg_cache *keyagg_cache, unsigned char *agg_pk_ser, const unsigned char pubkeys33[][33], const unsigned char tweaks32[][32], size_t key_indices_len, const size_t *key_indices, size_t tweak_indices_len, const size_t *tweak_indices, const int *is_xonly)
Definition: tests_impl.h:686
musig_test_static_nonce_gen_counter
static void musig_test_static_nonce_gen_counter(void)
Definition: tests_impl.h:1073
musig_key_agg_vector
Definition: vectors.h:33
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:63
musig_sig_agg_case::psig_indices_len
size_t psig_indices_len
Definition: vectors.h:295
musig_sign_verify_vector::verify_error_case
struct musig_verify_fail_error_case verify_error_case[2]
Definition: vectors.h:171
musig_key_agg_error_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:25
secp256k1_musig_partial_sig
Opaque data structure that holds a partial MuSig signature.
Definition: secp256k1_musig.h:96
musig_sig_agg_case::is_xonly
int is_xonly[3]
Definition: vectors.h:293
musig_key_agg_vector::pubkeys
unsigned char pubkeys[7][33]
Definition: vectors.h:34
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
musig_sign_verify_vector::valid_case
struct musig_valid_case valid_case[4]
Definition: vectors.h:168
secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:283
musig_tweak_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:233
musig_nonce_gen_test_case::extra_in
unsigned char extra_in[32]
Definition: vectors.h:79
musig_sig_agg_case
Definition: vectors.h:288
musig_nonce_bitflip
static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes)
Definition: tests_impl.h:486
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
secp256k1_musig_partial_sig_serialize
SECP256K1_API int secp256k1_musig_partial_sig_serialize(const secp256k1_context *ctx, unsigned char *out32, const secp256k1_musig_partial_sig *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize a MuSig partial signature.
Definition: session_impl.h:294
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:695
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:99
musig_nonce_agg_vector::pnonces
unsigned char pnonces[7][66]
Definition: vectors.h:104
musig_test_vectors_signverify
static void musig_test_vectors_signverify(void)
Definition: tests_impl.h:864
secp256k1_musig_aggnonce_load
static int secp256k1_musig_aggnonce_load(const secp256k1_context *ctx, secp256k1_ge *ges, const secp256k1_musig_aggnonce *nonce)
Definition: session_impl.h:124
secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:612
musig_nonce_agg_vector
Definition: vectors.h:103
musig_nonce_gen_test_case
Definition: vectors.h:69
secp256k1_musig_sum_pubnonces
static int secp256k1_musig_sum_pubnonces(const secp256k1_context *ctx, secp256k1_gej *summed_pubnonces, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces)
Definition: session_impl.h:517
musig_sig_agg_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:304
musig_valid_case::msg_index
size_t msg_index
Definition: vectors.h:136
musig_verify_fail_error_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:152
secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:175
args
ArgsManager & args
Definition: bitcoind.cpp:277
musig_sig_agg_vector::tweaks
unsigned char tweaks[3][32]
Definition: vectors.h:305
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
musig_sign_error_case::secnonce_index
size_t secnonce_index
Definition: vectors.h:146
musig_test_vectors_keyagg
static void musig_test_vectors_keyagg(void)
Definition: tests_impl.h:747
musig_test_vectors_nonceagg
static void musig_test_vectors_nonceagg(void)
Definition: tests_impl.h:824
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
musig_nonce_gen_vector
Definition: vectors.h:84
musig_sig_agg_case::expected
unsigned char expected[64]
Definition: vectors.h:298
musig_tweak_vector::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:243
secp256k1_musig_aggnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_aggnonce_parse(const secp256k1_context *ctx, secp256k1_musig_aggnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an aggregate public nonce.
Definition: session_impl.h:240
CTX
static secp256k1_context * CTX
Definition: tests.c:41
musig_verify_fail_error_case::msg_index
size_t msg_index
Definition: vectors.h:156
secp256k1_musig_pubnonce_save
static void secp256k1_musig_pubnonce_save(secp256k1_musig_pubnonce *nonce, const secp256k1_ge *ges)
Definition: session_impl.h:94
musig_sign_verify_vector::aggnonces
unsigned char aggnonces[5][66]
Definition: vectors.h:166
musig_sign_verify_vector::verify_fail_case
struct musig_verify_fail_error_case verify_fail_case[3]
Definition: vectors.h:170
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
musig_valid_case
Definition: vectors.h:132
secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:791
musig_tweak_vector::secnonce
unsigned char secnonce[97]
Definition: vectors.h:242
secp256k1_musig_secnonce
Opaque data structure that holds a signer&#39;s secret nonce.
Definition: secp256k1_musig.h:59
musig_sign_verify_vector::pubnonces
unsigned char pubnonces[5][194]
Definition: vectors.h:165
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
musig_sig_agg_vector::error_case
struct musig_sig_agg_case error_case[1]
Definition: vectors.h:309
musig_sig_agg_vector
Definition: vectors.h:303
musig_sig_agg_case::key_indices
size_t key_indices[2]
Definition: vectors.h:290
MUSIG_ERROR
MUSIG_ERROR
Automatically generated by .
Definition: vectors.h:7
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_nonce_function_musig_sha256_tagged_aux
static void secp256k1_nonce_function_musig_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: session_impl.h:324
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
musig_nonce_gen_test_case::aggpk
unsigned char aggpk[32]
Definition: vectors.h:75
musig_verify_fail_error_case::key_indices
size_t key_indices[3]
Definition: vectors.h:153
musig_test_vectors_noncegen
static void musig_test_vectors_noncegen(void)
Definition: tests_impl.h:771
musig_sig_agg_case::invalid_sig_idx
int invalid_sig_idx
Definition: vectors.h:300
musig_key_agg_error_test_case::error
enum MUSIG_ERROR error
Definition: vectors.h:30
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_musig_nonce_gen
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, unsigned char *session_secrand32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6)
Starts a signing session by generating a nonce.
Definition: session_impl.h:461
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
musig_nonce_gen_test_case::expected_pubnonce
unsigned char expected_pubnonce[66]
Definition: vectors.h:81
musig_valid_case::aggnonce_index
size_t aggnonce_index
Definition: vectors.h:135
musig_sign_verify_vector
Definition: vectors.h:161
musig_sign_verify_vector::secnonces
unsigned char secnonces[2][194]
Definition: vectors.h:164
musig_api_tests
static void musig_api_tests(void)
Definition: tests_impl.h:121
musig_tweak_vector::sk
unsigned char sk[32]
Definition: vectors.h:241
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
secp256k1_musig_pubnonce
Opaque data structure that holds a signer&#39;s public nonce.
Definition: secp256k1_musig.h:68
musig_tweak_case::tweak_indices
size_t tweak_indices[4]
Definition: vectors.h:234
musig_key_agg_vector::valid_case
struct musig_key_agg_valid_test_case valid_case[4]
Definition: vectors.h:36
secp256k1_musig_aggnonce_serialize
SECP256K1_API int secp256k1_musig_aggnonce_serialize(const secp256k1_context *ctx, unsigned char *out66, const secp256k1_musig_aggnonce *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an aggregate public nonce.
Definition: session_impl.h:257
secp256k1_pubkey::data
unsigned char data[64]
Definition: secp256k1.h:62
musig_test_set_secnonce
static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey)
Definition: tests_impl.h:854
musig_tweak_case::signer_index
size_t signer_index
Definition: vectors.h:236
secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87
musig_nonce_gen_vector::test_case
struct musig_nonce_gen_test_case test_case[2]
Definition: vectors.h:85
musig_sig_agg_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:291
secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:287
musig_key_agg_error_test_case::is_xonly
int is_xonly[1]
Definition: vectors.h:29
musig_key_agg_valid_test_case::key_indices_len
size_t key_indices_len
Definition: vectors.h:19
musig_sign_error_case::msg_index
size_t msg_index
Definition: vectors.h:145
musig_tweak_test_helper
static void musig_tweak_test_helper(const secp256k1_xonly_pubkey *agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache)
Definition: tests_impl.h:590
musig_nonce_gen_test_case::sk
unsigned char sk[32]
Definition: vectors.h:72
musig_verify_fail_error_case::sig
unsigned char sig[32]
Definition: vectors.h:151
secp256k1_musig_secnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:60
musig_verify_fail_error_case::error
enum MUSIG_ERROR error
Definition: vectors.h:158
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:255
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
musig_tweak_vector
Definition: vectors.h:240
sha256_tag_test_internal
static void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag, size_t taglen)
Definition: tests_impl.h:551
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
musig_nonce_gen_test_case::expected_secnonce
unsigned char expected_secnonce[97]
Definition: vectors.h:80
musig_sig_agg_case::aggnonce
unsigned char aggnonce[66]
Definition: vectors.h:294
musig_verify_fail_error_case
Definition: vectors.h:150
musig_nonce_gen_test_case::msg
unsigned char msg[32]
Definition: vectors.h:77
secp256k1_keyagg_cache_internal::pk
secp256k1_ge pk
Definition: keyagg.h:16
musig_test_vectors_sigagg
static void musig_test_vectors_sigagg(void)
Definition: tests_impl.h:1031
musig_tweak_case::expected
unsigned char expected[32]
Definition: vectors.h:237
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:240
musig_sign_verify_vector::pubkeys
unsigned char pubkeys[4][33]
Definition: vectors.h:163
musig_nonce_gen_vector
static const struct musig_nonce_gen_vector musig_nonce_gen_vector
Definition: vectors.h:88
musig_key_agg_error_test_case::tweak_indices_len
size_t tweak_indices_len
Definition: vectors.h:27
musig_nonce_gen_test_case::has_extra_in
int has_extra_in
Definition: vectors.h:78
musig_tweak_vector::pubkeys
unsigned char pubkeys[3][33]
Definition: vectors.h:245
secp256k1_xonly_pubkey_load
static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey)
Definition: main_impl.h:14
musig_key_agg_valid_test_case
Definition: vectors.h:18
secp256k1_musig_compute_noncehash_sha256_tagged
static void secp256k1_musig_compute_noncehash_sha256_tagged(secp256k1_sha256 *sha)
Definition: session_impl.h:554
musig_sig_agg_vector::psigs
unsigned char psigs[9][32]
Definition: vectors.h:306
secp256k1_keyagg_cache_internal
Definition: keyagg.h:15
musig_sign_verify_vector::msgs
unsigned char msgs[1][32]
Definition: vectors.h:167
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
musig_nonce_gen_test_case::has_sk
int has_sk
Definition: vectors.h:71
musig_sig_agg_case::psig_indices
size_t psig_indices[2]
Definition: vectors.h:296
musig_sign_verify_vector::sk
unsigned char sk[32]
Definition: vectors.h:162
musig_sig_agg_vector::valid_case
struct musig_sig_agg_case valid_case[4]
Definition: vectors.h:308
musig_key_agg_valid_test_case::key_indices
size_t key_indices[4]
Definition: vectors.h:20
create_keypair_and_pk
static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk)
Definition: tests_impl.h:26
musig_valid_case::expected
unsigned char expected[32]
Definition: vectors.h:138
COUNT
static int COUNT
Definition: tests.c:40
musig_nonce_agg_test_case::expected
unsigned char expected[66]
Definition: vectors.h:98
musig_key_agg_vector::error_case
struct musig_key_agg_error_test_case error_case[5]
Definition: vectors.h:37
musig_nonce_test
static void musig_nonce_test(void)
Definition: tests_impl.h:496
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:221
secp256k1_musig_nonce_gen_counter
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen_counter(const secp256k1_context *ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, uint64_t nonrepeating_cnt, const secp256k1_keypair *keypair, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Alternative way to generate a nonce and start a signing session.
Definition: session_impl.h:489
musig_nonce_agg_test_case::invalid_nonce_idx
int invalid_nonce_idx
Definition: vectors.h:100
pubnonce_summing_to_inf
static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce)
Definition: tests_impl.h:90
musig_sign_error_case
Definition: vectors.h:141
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
run_musig_tests
static void run_musig_tests(void)
Definition: tests_impl.h:1119
secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:275
musig_nonce_agg_vector
static const struct musig_nonce_agg_vector musig_nonce_agg_vector
Definition: vectors.h:109
musig_sig_agg_vector
static const struct musig_sig_agg_vector musig_sig_agg_vector
Definition: vectors.h:312
musig_nonce_gen_test_case::has_msg
int has_msg
Definition: vectors.h:76
Generated on Wed Sep 3 2025 12:00:00 for Bitcoin Core by   doxygen 1.8.14