doc/html/musig_8cpp_source.html

 // Copyright (c) 2024-present The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.

 #include <musig.h>
 #include <support/allocators/secure.h>

 #include <secp256k1_musig.h>

 using namespace util::hex_literals;
 constexpr uint256 MUSIG_CHAINCODE{
     // Use immediate lambda to work around GCC-14 bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117966
     []() consteval { return uint256{"868087ca02a6f974c4598924c36b57762d32cb45717167e300622c7167e38965"_hex_u8}; }(),
 };

 static bool GetMuSig2KeyAggCache(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache)
 {
     // Parse the pubkeys
     std::vector<secp256k1_pubkey> secp_pubkeys;
     std::vector<const secp256k1_pubkey*> pubkey_ptrs;
     for (const CPubKey& pubkey : pubkeys) {
         if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &secp_pubkeys.emplace_back(), pubkey.data(), pubkey.size())) {
             return false;
         }
     }
     pubkey_ptrs.reserve(secp_pubkeys.size());
     for (const secp256k1_pubkey& p : secp_pubkeys) {
         pubkey_ptrs.push_back(&p);
     }

     // Aggregate the pubkey
     if (!secp256k1_musig_pubkey_agg(secp256k1_context_static, nullptr, &keyagg_cache, pubkey_ptrs.data(), pubkey_ptrs.size())) {
         return false;
     }
     return true;
 }

 static std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache& keyagg_cache)
 {
     // Get the plain aggregated pubkey
     secp256k1_pubkey agg_pubkey;
     if (!secp256k1_musig_pubkey_get(secp256k1_context_static, &agg_pubkey, &keyagg_cache)) {
         return std::nullopt;
     }

     // Turn into CPubKey
     unsigned char ser_agg_pubkey[CPubKey::COMPRESSED_SIZE];
     size_t ser_agg_pubkey_len = CPubKey::COMPRESSED_SIZE;
     secp256k1_ec_pubkey_serialize(secp256k1_context_static, ser_agg_pubkey, &ser_agg_pubkey_len, &agg_pubkey, SECP256K1_EC_COMPRESSED);
     return CPubKey(ser_agg_pubkey, ser_agg_pubkey + ser_agg_pubkey_len);
 }

 std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache, const std::optional<CPubKey>& expected_aggregate)
 {
     if (!GetMuSig2KeyAggCache(pubkeys, keyagg_cache)) {
         return std::nullopt;
     }
     std::optional<CPubKey> agg_key = GetCPubKeyFromMuSig2KeyAggCache(keyagg_cache);
     if (!agg_key.has_value()) return std::nullopt;
     if (expected_aggregate.has_value() && expected_aggregate != agg_key) return std::nullopt;
     return agg_key;
 }

 std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys)
 {
     secp256k1_musig_keyagg_cache keyagg_cache;
     return MuSig2AggregatePubkeys(pubkeys, keyagg_cache, std::nullopt);
 }

 CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey)
 {
     CExtPubKey extpub;
     extpub.nDepth = 0;
     std::memset(extpub.vchFingerprint, 0, 4);
     extpub.nChild = 0;
     extpub.chaincode = MUSIG_CHAINCODE;
     extpub.pubkey = pubkey;
     return extpub;
 }

 class MuSig2SecNonceImpl
 {
 private:
     secure_unique_ptr<secp256k1_musig_secnonce> m_nonce;

 public:
     MuSig2SecNonceImpl() : m_nonce{make_secure_unique<secp256k1_musig_secnonce>()} {}

     // Delete copy constructors
     MuSig2SecNonceImpl(const MuSig2SecNonceImpl&) = delete;
     MuSig2SecNonceImpl& operator=(const MuSig2SecNonceImpl&) = delete;

     secp256k1_musig_secnonce* Get() const { return m_nonce.get(); }
     void Invalidate() { m_nonce.reset(); }
     bool IsValid() { return m_nonce != nullptr; }
 };

 MuSig2SecNonce::MuSig2SecNonce() : m_impl{std::make_unique<MuSig2SecNonceImpl>()} {}

 MuSig2SecNonce::MuSig2SecNonce(MuSig2SecNonce&&) noexcept = default;
 MuSig2SecNonce& MuSig2SecNonce::operator=(MuSig2SecNonce&&) noexcept = default;

 MuSig2SecNonce::~MuSig2SecNonce() = default;

 secp256k1_musig_secnonce* MuSig2SecNonce::Get() const
 {
     return m_impl->Get();
 }

 void MuSig2SecNonce::Invalidate()
 {
     return m_impl->Invalidate();
 }

 bool MuSig2SecNonce::IsValid()
 {
     return m_impl->IsValid();
 }

 uint256 MuSig2SessionID(const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256& sighash)
 {
     HashWriter hasher;
     hasher << script_pubkey << part_pubkey << sighash;
     return hasher.GetSHA256();
 }

 std::optional<std::vector<uint8_t>> CreateMuSig2AggregateSig(const std::vector<CPubKey>& part_pubkeys, const CPubKey& aggregate_pubkey, const std::vector<std::pair<uint256, bool>>& tweaks, const uint256& sighash, const std::map<CPubKey, std::vector<uint8_t>>& pubnonces, const std::map<CPubKey, uint256>& partial_sigs)
 {
     if (!part_pubkeys.size()) return std::nullopt;

     // Get the keyagg cache and aggregate pubkey
     secp256k1_musig_keyagg_cache keyagg_cache;
     if (!MuSig2AggregatePubkeys(part_pubkeys, keyagg_cache, aggregate_pubkey)) return std::nullopt;

     // Check if enough pubnonces and partial sigs
     if (pubnonces.size() != part_pubkeys.size()) return std::nullopt;
     if (partial_sigs.size() != part_pubkeys.size()) return std::nullopt;

     // Parse the pubnonces and partial sigs
     std::vector<std::tuple<secp256k1_pubkey, secp256k1_musig_pubnonce, secp256k1_musig_partial_sig>> signers_data;
     std::vector<const secp256k1_musig_pubnonce*> pubnonce_ptrs;
     std::vector<const secp256k1_musig_partial_sig*> partial_sig_ptrs;
     for (const CPubKey& part_pk : part_pubkeys) {
         const auto& pn_it = pubnonces.find(part_pk);
         if (pn_it == pubnonces.end()) return std::nullopt;
         const std::vector<uint8_t> pubnonce = pn_it->second;
         if (pubnonce.size() != MUSIG2_PUBNONCE_SIZE) return std::nullopt;
         const auto& it = partial_sigs.find(part_pk);
         if (it == partial_sigs.end()) return std::nullopt;
         const uint256& partial_sig = it->second;

         auto& [secp_pk, secp_pn, secp_ps] = signers_data.emplace_back();

         if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &secp_pk, part_pk.data(), part_pk.size())) {
             return std::nullopt;
         }

         if (!secp256k1_musig_pubnonce_parse(secp256k1_context_static, &secp_pn, pubnonce.data())) {
             return std::nullopt;
         }

         if (!secp256k1_musig_partial_sig_parse(secp256k1_context_static, &secp_ps, partial_sig.data())) {
             return std::nullopt;
         }
     }
     pubnonce_ptrs.reserve(signers_data.size());
     partial_sig_ptrs.reserve(signers_data.size());
     for (auto& [_, pn, ps] : signers_data) {
         pubnonce_ptrs.push_back(&pn);
         partial_sig_ptrs.push_back(&ps);
     }

     // Aggregate nonces
     secp256k1_musig_aggnonce aggnonce;
     if (!secp256k1_musig_nonce_agg(secp256k1_context_static, &aggnonce, pubnonce_ptrs.data(), pubnonce_ptrs.size())) {
         return std::nullopt;
     }

     // Apply tweaks
     for (const auto& [tweak, xonly] : tweaks) {
         if (xonly) {
             if (!secp256k1_musig_pubkey_xonly_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {
                 return std::nullopt;
             }
         } else if (!secp256k1_musig_pubkey_ec_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {
             return std::nullopt;
         }
     }

     // Create musig_session
     secp256k1_musig_session session;
     if (!secp256k1_musig_nonce_process(secp256k1_context_static, &session, &aggnonce, sighash.data(), &keyagg_cache)) {
         return std::nullopt;
     }

     // Verify partial sigs
     for (const auto& [pk, pb, ps] : signers_data) {
         if (!secp256k1_musig_partial_sig_verify(secp256k1_context_static, &ps, &pb, &pk, &keyagg_cache, &session)) {
             return std::nullopt;
         }
     }

     // Aggregate partial sigs
     std::vector<uint8_t> sig;
     sig.resize(64);
     if (!secp256k1_musig_partial_sig_agg(secp256k1_context_static, sig.data(), &session, partial_sig_ptrs.data(), partial_sig_ptrs.size())) {
         return std::nullopt;
     }

     return sig;
 }
secp256k1_musig_aggnonce::data
unsigned char data[132]
Definition: secp256k1_musig.h:78

secp256k1_musig_pubkey_get
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_get(const secp256k1_context *ctx, secp256k1_pubkey *agg_pk, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Obtain the aggregate public key from a keyagg_cache.
Definition: keyagg_impl.h:229

secp256k1_musig_keyagg_cache::data
unsigned char data[197]
Definition: secp256k1_musig.h:44

secp256k1_musig_keyagg_cache
This module implements BIP 327 "MuSig2 for BIP340-compatible Multi-Signatures" (https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki) v1.0.0.
Definition: secp256k1_musig.h:43

CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:339

secp256k1_musig_aggnonce
Opaque data structure that holds an aggregate public nonce.
Definition: secp256k1_musig.h:77

secp256k1_context_static
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:245

secp256k1_musig_nonce_agg
SECP256K1_API int secp256k1_musig_nonce_agg(const secp256k1_context *ctx, secp256k1_musig_aggnonce *aggnonce, const secp256k1_musig_pubnonce *const *pubnonces, size_t n_pubnonces) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Aggregates the nonces of all signers into a single nonce.
Definition: session_impl.h:522

CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:338

secp256k1_musig_partial_sig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verify(const secp256k1_context *ctx, const secp256k1_musig_partial_sig *partial_sig, const secp256k1_musig_pubnonce *pubnonce, const secp256k1_pubkey *pubkey, const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_session *session) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Verifies an individual signer&#39;s partial signature.
Definition: session_impl.h:719

secp256k1_musig_pubnonce_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubnonce_parse(const secp256k1_context *ctx, secp256k1_musig_pubnonce *nonce, const unsigned char *in66) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a signer&#39;s public nonce.
Definition: session_impl.h:188

MuSig2SecNonce
MuSig2SecNonce encapsulates a secret nonce in use in a MuSig2 signing session.
Definition: musig.h:39

MUSIG2_PUBNONCE_SIZE
constexpr size_t MUSIG2_PUBNONCE_SIZE
Definition: musig.h:17

secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:268

MuSig2SessionID
uint256 MuSig2SessionID(const CPubKey &script_pubkey, const CPubKey &part_pubkey, const uint256 &sighash)
Definition: musig.cpp:122

CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:341

_
consteval auto _(util::TranslatedLiteral str)
Definition: translation.h:79

MuSig2SecNonceImpl::IsValid
bool IsValid()
Definition: musig.cpp:97

tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64

CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:340

secp256k1_musig.h

secure_unique_ptr
std::unique_ptr< T, SecureUniqueDeleter< T > > secure_unique_ptr
Definition: secure.h:63

secp256k1_musig_pubkey_ec_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_ec_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply plain "EC" tweaking to a public key in a given keyagg_cache by adding the generator multiplied ...
Definition: keyagg_impl.h:279

MuSig2SecNonceImpl::m_nonce
secure_unique_ptr< secp256k1_musig_secnonce > m_nonce
The actual secnonce itself.
Definition: musig.cpp:86

MuSig2SecNonce::Get
secp256k1_musig_secnonce * Get() const
Definition: musig.cpp:107

SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:224

secp256k1_musig_nonce_process
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_process(const secp256k1_context *ctx, secp256k1_musig_session *session, const secp256k1_musig_aggnonce *aggnonce, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Takes the aggregate nonce and creates a session that is required for signing and verification of part...
Definition: session_impl.h:603

CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40

HashWriter::GetSHA256
uint256 GetSHA256()
Compute the SHA256 hash of all data written to this object.
Definition: hash.h:126

secp256k1_musig_pubkey_agg
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_agg(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_pubkey *const *pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(4)
Computes an aggregate public key and uses it to initialize a keyagg_cache.
Definition: keyagg_impl.h:168

HashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:100

MuSig2SecNonceImpl
Definition: musig.cpp:82

CPubKey
An encapsulated public key.
Definition: pubkey.h:33

secp256k1_musig_partial_sig_agg
SECP256K1_API int secp256k1_musig_partial_sig_agg(const secp256k1_context *ctx, unsigned char *sig64, const secp256k1_musig_session *session, const secp256k1_musig_partial_sig *const *partial_sigs, size_t n_sigs) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Aggregates partial signatures.
Definition: session_impl.h:782

secp256k1_musig_session::data
unsigned char data[133]
Definition: secp256k1_musig.h:88

MuSig2SecNonce::IsValid
bool IsValid()
Definition: musig.cpp:117

secp256k1_musig_secnonce
Opaque data structure that holds a signer&#39;s secret nonce.
Definition: secp256k1_musig.h:59

secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:250

util::hex_literals
""_hex is a compile-time user-defined literal returning a std::array<std::byte>, equivalent to ParseH...
Definition: strencodings.h:400

GetCPubKeyFromMuSig2KeyAggCache
static std::optional< CPubKey > GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache &keyagg_cache)
Definition: musig.cpp:39

CreateMuSig2SyntheticXpub
CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey &pubkey)
Construct the BIP 328 synthetic xpub for a pubkey.
Definition: musig.cpp:71

MuSig2SecNonceImpl::Get
secp256k1_musig_secnonce * Get() const
Definition: musig.cpp:95

MuSig2SecNonce::m_impl
std::unique_ptr< MuSig2SecNonceImpl > m_impl
Definition: musig.h:42

MuSig2AggregatePubkeys
std::optional< CPubKey > MuSig2AggregatePubkeys(const std::vector< CPubKey > &pubkeys, secp256k1_musig_keyagg_cache &keyagg_cache, const std::optional< CPubKey > &expected_aggregate)
Compute the full aggregate pubkey from the given participant pubkeys in their current order...
Definition: musig.cpp:54

uint256
256-bit opaque blob.
Definition: uint256.h:195

secp256k1_musig_session
Opaque data structure that holds a MuSig session.
Definition: secp256k1_musig.h:87

secp256k1_musig_pubkey_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Apply x-only tweaking to a public key in a given keyagg_cache by adding the generator multiplied with...
Definition: keyagg_impl.h:283

MuSig2SecNonce::Invalidate
void Invalidate()
Definition: musig.cpp:112

base_blob::data
constexpr const unsigned char * data() const
Definition: uint256.h:97

MuSig2SecNonceImpl::MuSig2SecNonceImpl
MuSig2SecNonceImpl()
Definition: musig.cpp:89

GetMuSig2KeyAggCache
static bool GetMuSig2KeyAggCache(const std::vector< CPubKey > &pubkeys, secp256k1_musig_keyagg_cache &keyagg_cache)
Definition: musig.cpp:17

MuSig2SecNonceImpl::Invalidate
void Invalidate()
Definition: musig.cpp:96

MuSig2SecNonce::MuSig2SecNonce
MuSig2SecNonce()
Definition: musig.cpp:100

CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:342

musig.h

CExtPubKey
Definition: pubkey.h:336

CreateMuSig2AggregateSig
std::optional< std::vector< uint8_t > > CreateMuSig2AggregateSig(const std::vector< CPubKey > &part_pubkeys, const CPubKey &aggregate_pubkey, const std::vector< std::pair< uint256, bool >> &tweaks, const uint256 &sighash, const std::map< CPubKey, std::vector< uint8_t >> &pubnonces, const std::map< CPubKey, uint256 > &partial_sigs)
Definition: musig.cpp:129

secure.h

tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61

MUSIG_CHAINCODE
constexpr uint256 MUSIG_CHAINCODE
Definition: musig.cpp:12

secp256k1_musig_partial_sig_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_parse(const secp256k1_context *ctx, secp256k1_musig_partial_sig *sig, const unsigned char *in32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a MuSig partial signature.
Definition: session_impl.h:262