github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/modules/musig/tests_impl.h (about) 1 /*********************************************************************** 2 * Distributed under the MIT software license, see the accompanying * 3 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 4 ***********************************************************************/ 5 6 #ifndef SECP256K1_MODULE_MUSIG_TESTS_IMPL_H 7 #define SECP256K1_MODULE_MUSIG_TESTS_IMPL_H 8 9 #include <stdlib.h> 10 #include <string.h> 11 12 #include "../../../include/secp256k1.h" 13 #include "../../../include/secp256k1_extrakeys.h" 14 #include "../../../include/secp256k1_musig.h" 15 16 #include "session.h" 17 #include "keyagg.h" 18 #include "../../scalar.h" 19 #include "../../field.h" 20 #include "../../group.h" 21 #include "../../hash.h" 22 #include "../../util.h" 23 24 #include "vectors.h" 25 26 static int create_keypair_and_pk(secp256k1_keypair *keypair, secp256k1_pubkey *pk, const unsigned char *sk) { 27 int ret; 28 secp256k1_keypair keypair_tmp; 29 ret = secp256k1_keypair_create(CTX, &keypair_tmp, sk); 30 ret &= secp256k1_keypair_pub(CTX, pk, &keypair_tmp); 31 if (keypair != NULL) { 32 *keypair = keypair_tmp; 33 } 34 return ret; 35 } 36 37 /* Just a simple (non-tweaked) 2-of-2 MuSig aggregate, sign, verify 38 * test. */ 39 static void musig_simple_test(void) { 40 unsigned char sk[2][32]; 41 secp256k1_keypair keypair[2]; 42 secp256k1_musig_pubnonce pubnonce[2]; 43 const secp256k1_musig_pubnonce *pubnonce_ptr[2]; 44 secp256k1_musig_aggnonce aggnonce; 45 unsigned char msg[32]; 46 secp256k1_xonly_pubkey agg_pk; 47 secp256k1_musig_keyagg_cache keyagg_cache; 48 unsigned char session_secrand[2][32]; 49 secp256k1_musig_secnonce secnonce[2]; 50 secp256k1_pubkey pk[2]; 51 const secp256k1_pubkey *pk_ptr[2]; 52 secp256k1_musig_partial_sig partial_sig[2]; 53 const secp256k1_musig_partial_sig *partial_sig_ptr[2]; 54 unsigned char final_sig[64]; 55 secp256k1_musig_session session; 56 int i; 57 58 testrand256(msg); 59 for (i = 0; i < 2; i++) { 60 testrand256(sk[i]); 61 pk_ptr[i] = &pk[i]; 62 pubnonce_ptr[i] = &pubnonce[i]; 63 partial_sig_ptr[i] = &partial_sig[i]; 64 65 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i])); 66 if (i == 0) { 67 testrand256(session_secrand[i]); 68 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[i], &pubnonce[i], session_secrand[i], sk[i], &pk[i], NULL, NULL, NULL) == 1); 69 } else { 70 uint64_t nonrepeating_cnt = 0; 71 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[i], &pubnonce[i], nonrepeating_cnt, &keypair[i], NULL, NULL, NULL) == 1); 72 } 73 } 74 75 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1); 76 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1); 77 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1); 78 79 for (i = 0; i < 2; i++) { 80 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[i], &secnonce[i], &keypair[i], &keyagg_cache, &session) == 1); 81 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[i], &pubnonce[i], &pk[i], &keyagg_cache, &session) == 1); 82 } 83 84 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1); 85 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), &agg_pk) == 1); 86 } 87 88 /* Generate two pubnonces such that both group elements of their sum (calculated 89 * with secp256k1_musig_sum_pubnonces) are infinity. */ 90 static void pubnonce_summing_to_inf(secp256k1_musig_pubnonce *pubnonce) { 91 secp256k1_ge ge[2]; 92 int i; 93 secp256k1_gej summed_pubnonces[2]; 94 const secp256k1_musig_pubnonce *pubnonce_ptr[2]; 95 96 testutil_random_ge_test(&ge[0]); 97 testutil_random_ge_test(&ge[1]); 98 99 for (i = 0; i < 2; i++) { 100 secp256k1_musig_pubnonce_save(&pubnonce[i], ge); 101 pubnonce_ptr[i] = &pubnonce[i]; 102 secp256k1_ge_neg(&ge[0], &ge[0]); 103 secp256k1_ge_neg(&ge[1], &ge[1]); 104 } 105 106 secp256k1_musig_sum_pubnonces(CTX, summed_pubnonces, pubnonce_ptr, 2); 107 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[0])); 108 CHECK(secp256k1_gej_is_infinity(&summed_pubnonces[1])); 109 } 110 111 int memcmp_and_randomize(unsigned char *value, const unsigned char *expected, size_t len) { 112 int ret; 113 size_t i; 114 ret = secp256k1_memcmp_var(value, expected, len); 115 for (i = 0; i < len; i++) { 116 value[i] = testrand_bits(8); 117 } 118 return ret; 119 } 120 121 static void musig_api_tests(void) { 122 secp256k1_musig_partial_sig partial_sig[2]; 123 const secp256k1_musig_partial_sig *partial_sig_ptr[2]; 124 secp256k1_musig_partial_sig invalid_partial_sig; 125 const secp256k1_musig_partial_sig *invalid_partial_sig_ptr[2]; 126 unsigned char pre_sig[64]; 127 unsigned char buf[32]; 128 unsigned char sk[2][32]; 129 secp256k1_keypair keypair[2]; 130 secp256k1_keypair invalid_keypair; 131 unsigned char max64[64]; 132 unsigned char zeros132[132] = { 0 }; 133 unsigned char session_secrand[2][32]; 134 unsigned char nonrepeating_cnt = 0; 135 secp256k1_musig_secnonce secnonce[2]; 136 secp256k1_musig_secnonce secnonce_tmp; 137 secp256k1_musig_secnonce invalid_secnonce; 138 secp256k1_musig_pubnonce pubnonce[2]; 139 const secp256k1_musig_pubnonce *pubnonce_ptr[2]; 140 unsigned char pubnonce_ser[66]; 141 secp256k1_musig_pubnonce inf_pubnonce[2]; 142 const secp256k1_musig_pubnonce *inf_pubnonce_ptr[2]; 143 secp256k1_musig_pubnonce invalid_pubnonce; 144 const secp256k1_musig_pubnonce *invalid_pubnonce_ptr[1]; 145 secp256k1_musig_aggnonce aggnonce; 146 unsigned char aggnonce_ser[66]; 147 unsigned char msg[32]; 148 secp256k1_xonly_pubkey agg_pk; 149 secp256k1_pubkey full_agg_pk; 150 secp256k1_musig_keyagg_cache keyagg_cache; 151 secp256k1_musig_keyagg_cache invalid_keyagg_cache; 152 secp256k1_musig_session session; 153 secp256k1_musig_session invalid_session; 154 secp256k1_pubkey pk[2]; 155 const secp256k1_pubkey *pk_ptr[2]; 156 secp256k1_pubkey invalid_pk; 157 const secp256k1_pubkey *invalid_pk_ptr2[2]; 158 const secp256k1_pubkey *invalid_pk_ptr3[3]; 159 unsigned char tweak[32]; 160 int i; 161 162 /** setup **/ 163 memset(max64, 0xff, sizeof(max64)); 164 memset(&invalid_keypair, 0, sizeof(invalid_keypair)); 165 memset(&invalid_pk, 0, sizeof(invalid_pk)); 166 memset(&invalid_secnonce, 0, sizeof(invalid_secnonce)); 167 memset(&invalid_partial_sig, 0, sizeof(invalid_partial_sig)); 168 pubnonce_summing_to_inf(inf_pubnonce); 169 /* Simulate structs being uninitialized by setting it to 0s. We don't want 170 * to produce undefined behavior by actually providing uninitialized 171 * structs. */ 172 memset(&invalid_keyagg_cache, 0, sizeof(invalid_keyagg_cache)); 173 memset(&invalid_pk, 0, sizeof(invalid_pk)); 174 memset(&invalid_pubnonce, 0, sizeof(invalid_pubnonce)); 175 memset(&invalid_session, 0, sizeof(invalid_session)); 176 177 testrand256(msg); 178 testrand256(tweak); 179 for (i = 0; i < 2; i++) { 180 pk_ptr[i] = &pk[i]; 181 invalid_pk_ptr2[i] = &invalid_pk; 182 invalid_pk_ptr3[i] = &pk[i]; 183 pubnonce_ptr[i] = &pubnonce[i]; 184 inf_pubnonce_ptr[i] = &inf_pubnonce[i]; 185 partial_sig_ptr[i] = &partial_sig[i]; 186 invalid_partial_sig_ptr[i] = &partial_sig[i]; 187 testrand256(session_secrand[i]); 188 testrand256(sk[i]); 189 CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i])); 190 } 191 invalid_pubnonce_ptr[0] = &invalid_pubnonce; 192 invalid_partial_sig_ptr[0] = &invalid_partial_sig; 193 /* invalid_pk_ptr3 has two valid, one invalid pk, which is important to test 194 * musig_pubkey_agg */ 195 invalid_pk_ptr3[2] = &invalid_pk; 196 197 /** main test body **/ 198 199 /** Key aggregation **/ 200 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1); 201 CHECK(secp256k1_musig_pubkey_agg(CTX, NULL, &keyagg_cache, pk_ptr, 2) == 1); 202 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, NULL, pk_ptr, 2) == 1); 203 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 2)); 204 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0); 205 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr2, 2)); 206 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0); 207 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, invalid_pk_ptr3, 3)); 208 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0); 209 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 0)); 210 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0); 211 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, NULL, 0)); 212 CHECK(memcmp_and_randomize(agg_pk.data, zeros132, sizeof(agg_pk.data)) == 0); 213 214 CHECK(secp256k1_musig_pubkey_agg(CTX, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1); 215 216 /* pubkey_get */ 217 CHECK(secp256k1_musig_pubkey_get(CTX, &full_agg_pk, &keyagg_cache) == 1); 218 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, NULL, &keyagg_cache)); 219 CHECK_ILLEGAL(CTX, secp256k1_musig_pubkey_get(CTX, &full_agg_pk, NULL)); 220 CHECK(secp256k1_memcmp_var(&full_agg_pk, zeros132, sizeof(full_agg_pk)) == 0); 221 222 /** Tweaking **/ 223 { 224 int (*tweak_func[2]) (const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *tweak32); 225 tweak_func[0] = secp256k1_musig_pubkey_ec_tweak_add; 226 tweak_func[1] = secp256k1_musig_pubkey_xonly_tweak_add; 227 for (i = 0; i < 2; i++) { 228 secp256k1_pubkey tmp_output_pk; 229 secp256k1_musig_keyagg_cache tmp_keyagg_cache = keyagg_cache; 230 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, tweak) == 1); 231 /* Reset keyagg_cache */ 232 tmp_keyagg_cache = keyagg_cache; 233 CHECK((*tweak_func[i])(CTX, NULL, &tmp_keyagg_cache, tweak) == 1); 234 tmp_keyagg_cache = keyagg_cache; 235 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, NULL, tweak)); 236 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0); 237 tmp_keyagg_cache = keyagg_cache; 238 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, NULL)); 239 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0); 240 tmp_keyagg_cache = keyagg_cache; 241 CHECK((*tweak_func[i])(CTX, &tmp_output_pk, &tmp_keyagg_cache, max64) == 0); 242 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0); 243 tmp_keyagg_cache = keyagg_cache; 244 /* Uninitialized keyagg_cache */ 245 CHECK_ILLEGAL(CTX, (*tweak_func[i])(CTX, &tmp_output_pk, &invalid_keyagg_cache, tweak)); 246 CHECK(memcmp_and_randomize(tmp_output_pk.data, zeros132, sizeof(tmp_output_pk.data)) == 0); 247 } 248 } 249 250 /** Session creation with nonce_gen **/ 251 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1); 252 /* nonce_gen, if successful, sets session_secrand to the zero array, which 253 * makes subsequent nonce_gen calls with the same session_secrand fail. So 254 * check that session_secrand is indeed the zero array and fill it with 255 * random values again. */ 256 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0); 257 258 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen(STATIC_CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64)); 259 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 260 261 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, NULL, &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64)); 262 263 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], NULL, session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, max64)); 264 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 265 266 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64)); 267 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 268 269 /* session_secrand = 0 is disallowed because it indicates a faulty RNG */ 270 memcpy(&session_secrand[0], zeros132, sizeof(session_secrand[0])); 271 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], zeros132, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0); 272 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0); 273 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 274 275 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1); 276 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0); 277 278 /* invalid seckey */ 279 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0); 280 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 281 282 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], NULL, msg, &keyagg_cache, max64)); 283 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 284 285 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64)); 286 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 287 288 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1); 289 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0); 290 291 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, NULL, max64) == 1); 292 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0); 293 294 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64)); 295 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 296 297 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1); 298 CHECK(memcmp_and_randomize(session_secrand[0], zeros132, sizeof(session_secrand[0])) == 0); 299 300 /* Every in-argument except session_secrand and pubkey can be NULL */ 301 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], NULL, &pk[0], NULL, NULL, NULL) == 1); 302 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk[1], &pk[1], NULL, NULL, NULL) == 1); 303 304 /** Session creation with nonce_gen_counter **/ 305 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64) == 1); 306 CHECK_ILLEGAL(STATIC_CTX, secp256k1_musig_nonce_gen_counter(STATIC_CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64)); 307 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 308 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, NULL, &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64)); 309 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], NULL, nonrepeating_cnt, &keypair[0], msg, &keyagg_cache, max64)); 310 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 311 /* using nonce_gen_counter requires keypair */ 312 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, NULL, msg, &keyagg_cache, max64)); 313 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 314 /* invalid keypair */ 315 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &invalid_keypair, msg, &keyagg_cache, max64)); 316 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 317 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, &keyagg_cache, max64) == 1); 318 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, NULL, max64) == 1); 319 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], msg, &invalid_keyagg_cache, max64)); 320 CHECK(memcmp_and_randomize(secnonce[0].data, zeros132, sizeof(secnonce[0].data)) == 0); 321 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt,&keypair[0], msg, &keyagg_cache, NULL) == 1); 322 323 /* Every in-argument except nonrepeating_cnt and keypair can be NULL */ 324 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[0], &pubnonce[0], nonrepeating_cnt, &keypair[0], NULL, NULL, NULL) == 1); 325 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce[1], &pubnonce[1], nonrepeating_cnt, &keypair[1], NULL, NULL, NULL) == 1); 326 327 328 /** Serialize and parse public nonces **/ 329 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, NULL, &pubnonce[0])); 330 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, NULL)); 331 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0); 332 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &invalid_pubnonce)); 333 CHECK(memcmp_and_randomize(pubnonce_ser, zeros132, sizeof(pubnonce_ser)) == 0); 334 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1); 335 336 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1); 337 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, NULL, pubnonce_ser)); 338 CHECK_ILLEGAL(CTX, secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], NULL)); 339 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], zeros132) == 0); 340 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[0], pubnonce_ser) == 1); 341 342 { 343 /* Check that serialize and parse results in the same value */ 344 secp256k1_musig_pubnonce tmp; 345 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce_ser, &pubnonce[0]) == 1); 346 CHECK(secp256k1_musig_pubnonce_parse(CTX, &tmp, pubnonce_ser) == 1); 347 CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0); 348 } 349 350 /** Receive nonces and aggregate **/ 351 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1); 352 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, NULL, pubnonce_ptr, 2)); 353 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, NULL, 2)); 354 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 0)); 355 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_agg(CTX, &aggnonce, invalid_pubnonce_ptr, 1)); 356 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, inf_pubnonce_ptr, 2) == 1); 357 { 358 /* Check that the aggnonce encodes two points at infinity */ 359 secp256k1_ge aggnonce_pt[2]; 360 secp256k1_musig_aggnonce_load(CTX, aggnonce_pt, &aggnonce); 361 for (i = 0; i < 2; i++) { 362 secp256k1_ge_is_infinity(&aggnonce_pt[i]); 363 } 364 } 365 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1); 366 367 /** Serialize and parse aggregate nonces **/ 368 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1); 369 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, NULL, &aggnonce)); 370 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, NULL)); 371 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0); 372 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, (secp256k1_musig_aggnonce*) &invalid_pubnonce)); 373 CHECK(memcmp_and_randomize(aggnonce_ser, zeros132, sizeof(aggnonce_ser)) == 0); 374 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1); 375 376 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1); 377 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, NULL, aggnonce_ser)); 378 CHECK_ILLEGAL(CTX, secp256k1_musig_aggnonce_parse(CTX, &aggnonce, NULL)); 379 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, zeros132) == 1); 380 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, aggnonce_ser) == 1); 381 382 { 383 /* Check that serialize and parse results in the same value */ 384 secp256k1_musig_aggnonce tmp; 385 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce_ser, &aggnonce) == 1); 386 CHECK(secp256k1_musig_aggnonce_parse(CTX, &tmp, aggnonce_ser) == 1); 387 CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0); 388 } 389 390 /** Process nonces **/ 391 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1); 392 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, NULL, &aggnonce, msg, &keyagg_cache)); 393 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, NULL, msg, &keyagg_cache)); 394 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, (secp256k1_musig_aggnonce*) &invalid_pubnonce, msg, &keyagg_cache)); 395 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, NULL, &keyagg_cache)); 396 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, NULL)); 397 CHECK_ILLEGAL(CTX, secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &invalid_keyagg_cache)); 398 399 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, &keyagg_cache) == 1); 400 401 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 402 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1); 403 /* The secnonce is set to 0 and subsequent signing attempts fail */ 404 CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros132, sizeof(secnonce_tmp)) == 0); 405 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session)); 406 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 407 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, NULL, &secnonce_tmp, &keypair[0], &keyagg_cache, &session)); 408 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 409 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], NULL, &keypair[0], &keyagg_cache, &session)); 410 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &invalid_secnonce, &keypair[0], &keyagg_cache, &session)); 411 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, NULL, &keyagg_cache, &session)); 412 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 413 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &invalid_keypair, &keyagg_cache, &session)); 414 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 415 { 416 unsigned char sk_tmp[32]; 417 secp256k1_keypair keypair_tmp; 418 testrand256(sk_tmp); 419 CHECK(secp256k1_keypair_create(CTX, &keypair_tmp, sk_tmp)); 420 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair_tmp, &keyagg_cache, &session)); 421 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 422 } 423 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], NULL, &session)); 424 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 425 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &invalid_keyagg_cache, &session)); 426 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 427 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, NULL)); 428 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 429 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &invalid_session)); 430 memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp)); 431 432 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], &keyagg_cache, &session) == 1); 433 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], &keyagg_cache, &session) == 1); 434 435 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1); 436 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, NULL, &partial_sig[0])); 437 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, NULL)); 438 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_serialize(CTX, buf, &invalid_partial_sig)); 439 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], buf) == 1); 440 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, NULL, buf)); 441 { 442 /* Check that parsing failure results in an invalid sig */ 443 secp256k1_musig_partial_sig tmp; 444 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, max64) == 0); 445 CHECK(secp256k1_memcmp_var(&tmp, zeros132, sizeof(partial_sig[0])) == 0); 446 } 447 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_parse(CTX, &partial_sig[0], NULL)); 448 449 { 450 /* Check that serialize and parse results in the same value */ 451 secp256k1_musig_partial_sig tmp; 452 CHECK(secp256k1_musig_partial_sig_serialize(CTX, buf, &partial_sig[0]) == 1); 453 CHECK(secp256k1_musig_partial_sig_parse(CTX, &tmp, buf) == 1); 454 CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0); 455 } 456 457 /** Partial signature verification */ 458 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1); 459 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 0); 460 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, NULL, &pubnonce[0], &pk[0], &keyagg_cache, &session)); 461 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &invalid_partial_sig, &pubnonce[0], &pk[0], &keyagg_cache, &session)); 462 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], NULL, &pk[0], &keyagg_cache, &session)); 463 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &invalid_pubnonce, &pk[0], &keyagg_cache, &session)); 464 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], NULL, &keyagg_cache, &session)); 465 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &invalid_pk, &keyagg_cache, &session)); 466 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], NULL, &session)); 467 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &invalid_keyagg_cache, &session)); 468 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, NULL)); 469 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &invalid_session)); 470 471 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], &keyagg_cache, &session) == 1); 472 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], &keyagg_cache, &session) == 1); 473 474 /** Signature aggregation and verification */ 475 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1); 476 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, NULL, &session, partial_sig_ptr, 2)); 477 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, NULL, partial_sig_ptr, 2)); 478 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &invalid_session, partial_sig_ptr, 2)); 479 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, NULL, 2)); 480 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, invalid_partial_sig_ptr, 2)); 481 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 0)); 482 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 1) == 1); 483 CHECK(secp256k1_musig_partial_sig_agg(CTX, pre_sig, &session, partial_sig_ptr, 2) == 1); 484 } 485 486 static void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) { 487 secp256k1_scalar k1[2], k2[2]; 488 489 secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4], args[5]); 490 testrand_flip(args[n_flip], n_bytes); 491 secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4], args[5]); 492 CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0); 493 CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0); 494 } 495 496 static void musig_nonce_test(void) { 497 unsigned char *args[6]; 498 unsigned char session_secrand[32]; 499 unsigned char sk[32]; 500 unsigned char pk[33]; 501 unsigned char msg[32]; 502 unsigned char agg_pk[32]; 503 unsigned char extra_input[32]; 504 int i, j; 505 secp256k1_scalar k[6][2]; 506 507 testrand_bytes_test(session_secrand, sizeof(session_secrand)); 508 testrand_bytes_test(sk, sizeof(sk)); 509 testrand_bytes_test(pk, sizeof(pk)); 510 testrand_bytes_test(msg, sizeof(msg)); 511 testrand_bytes_test(agg_pk, sizeof(agg_pk)); 512 testrand_bytes_test(extra_input, sizeof(extra_input)); 513 514 /* Check that a bitflip in an argument results in different nonces. */ 515 args[0] = session_secrand; 516 args[1] = msg; 517 args[2] = sk; 518 args[3] = pk; 519 args[4] = agg_pk; 520 args[5] = extra_input; 521 for (i = 0; i < COUNT; i++) { 522 musig_nonce_bitflip(args, 0, sizeof(session_secrand)); 523 musig_nonce_bitflip(args, 1, sizeof(msg)); 524 musig_nonce_bitflip(args, 2, sizeof(sk)); 525 musig_nonce_bitflip(args, 3, sizeof(pk)); 526 musig_nonce_bitflip(args, 4, sizeof(agg_pk)); 527 musig_nonce_bitflip(args, 5, sizeof(extra_input)); 528 } 529 /* Check that if any argument is NULL, a different nonce is produced than if 530 * any other argument is NULL. */ 531 memcpy(msg, session_secrand, sizeof(msg)); 532 memcpy(sk, session_secrand, sizeof(sk)); 533 memcpy(pk, session_secrand, sizeof(session_secrand)); 534 memcpy(agg_pk, session_secrand, sizeof(agg_pk)); 535 memcpy(extra_input, session_secrand, sizeof(extra_input)); 536 secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4], args[5]); 537 secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4], args[5]); 538 secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4], args[5]); 539 secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4], args[5]); 540 secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL, args[5]); 541 secp256k1_nonce_function_musig(k[5], args[0], args[1], args[2], args[3], args[4], NULL); 542 for (i = 0; i < 6; i++) { 543 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1])); 544 for (j = i+1; j < 6; j++) { 545 CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0])); 546 CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1])); 547 } 548 } 549 } 550 551 static void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag, size_t taglen) { 552 secp256k1_sha256 sha; 553 secp256k1_sha256_initialize_tagged(&sha, tag, taglen); 554 test_sha256_eq(&sha, sha_tagged); 555 } 556 557 /* Checks that the initialized tagged hashes have the expected 558 * state. */ 559 static void sha256_tag_test(void) { 560 secp256k1_sha256 sha; 561 { 562 char tag[] = "KeyAgg list"; 563 secp256k1_musig_keyagglist_sha256(&sha); 564 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1); 565 } 566 { 567 char tag[] = "KeyAgg coefficient"; 568 secp256k1_musig_keyaggcoef_sha256(&sha); 569 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1); 570 } 571 { 572 unsigned char tag[] = "MuSig/aux"; 573 secp256k1_nonce_function_musig_sha256_tagged_aux(&sha); 574 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1); 575 } 576 { 577 unsigned char tag[] = "MuSig/nonce"; 578 secp256k1_nonce_function_musig_sha256_tagged(&sha); 579 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1); 580 } 581 { 582 unsigned char tag[] = "MuSig/noncecoef"; 583 secp256k1_musig_compute_noncehash_sha256_tagged(&sha); 584 sha256_tag_test_internal(&sha, (unsigned char*)tag, sizeof(tag) - 1); 585 } 586 } 587 588 /* Attempts to create a signature for the aggregate public key using given secret 589 * keys and keyagg_cache. */ 590 static void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigned char *sk0, const unsigned char *sk1, secp256k1_musig_keyagg_cache *keyagg_cache) { 591 secp256k1_pubkey pk[2]; 592 unsigned char session_secrand[2][32]; 593 unsigned char msg[32]; 594 secp256k1_musig_secnonce secnonce[2]; 595 secp256k1_musig_pubnonce pubnonce[2]; 596 const secp256k1_musig_pubnonce *pubnonce_ptr[2]; 597 secp256k1_musig_aggnonce aggnonce; 598 secp256k1_keypair keypair[2]; 599 secp256k1_musig_session session; 600 secp256k1_musig_partial_sig partial_sig[2]; 601 const secp256k1_musig_partial_sig *partial_sig_ptr[2]; 602 unsigned char final_sig[64]; 603 int i; 604 605 for (i = 0; i < 2; i++) { 606 pubnonce_ptr[i] = &pubnonce[i]; 607 partial_sig_ptr[i] = &partial_sig[i]; 608 609 testrand256(session_secrand[i]); 610 } 611 CHECK(create_keypair_and_pk(&keypair[0], &pk[0], sk0) == 1); 612 CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1); 613 testrand256(msg); 614 615 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[0], &pubnonce[0], session_secrand[0], sk0, &pk[0], NULL, NULL, NULL) == 1); 616 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce[1], &pubnonce[1], session_secrand[1], sk1, &pk[1], NULL, NULL, NULL) == 1); 617 618 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2) == 1); 619 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, msg, keyagg_cache) == 1); 620 621 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[0], &secnonce[0], &keypair[0], keyagg_cache, &session) == 1); 622 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig[1], &secnonce[1], &keypair[1], keyagg_cache, &session) == 1); 623 624 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[0], &pubnonce[0], &pk[0], keyagg_cache, &session) == 1); 625 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig[1], &pubnonce[1], &pk[1], keyagg_cache, &session) == 1); 626 627 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, 2) == 1); 628 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, msg, sizeof(msg), agg_pk) == 1); 629 } 630 631 /* Create aggregate public key P[0], tweak multiple times (using xonly and 632 * plain tweaking) and test signing. */ 633 static void musig_tweak_test(void) { 634 unsigned char sk[2][32]; 635 secp256k1_pubkey pk[2]; 636 const secp256k1_pubkey *pk_ptr[2]; 637 secp256k1_musig_keyagg_cache keyagg_cache; 638 enum { N_TWEAKS = 8 }; 639 secp256k1_pubkey P[N_TWEAKS + 1]; 640 secp256k1_xonly_pubkey P_xonly[N_TWEAKS + 1]; 641 int i; 642 643 /* Key Setup */ 644 for (i = 0; i < 2; i++) { 645 pk_ptr[i] = &pk[i]; 646 testrand256(sk[i]); 647 CHECK(create_keypair_and_pk(NULL, &pk[i], sk[i]) == 1); 648 } 649 /* Compute P0 = keyagg(pk0, pk1) and test signing for it */ 650 CHECK(secp256k1_musig_pubkey_agg(CTX, &P_xonly[0], &keyagg_cache, pk_ptr, 2) == 1); 651 musig_tweak_test_helper(&P_xonly[0], sk[0], sk[1], &keyagg_cache); 652 CHECK(secp256k1_musig_pubkey_get(CTX, &P[0], &keyagg_cache)); 653 654 /* Compute Pi = f(Pj) + tweaki*G where where j = i-1 and try signing for 655 * that key. If xonly is set to true, the function f normalizes the input 656 * point to have an even X-coordinate ("xonly-tweaking"). 657 * Otherwise, the function f is the identity function. */ 658 for (i = 1; i <= N_TWEAKS; i++) { 659 unsigned char tweak[32]; 660 int P_parity; 661 int xonly = testrand_bits(1); 662 663 testrand256(tweak); 664 if (xonly) { 665 CHECK(secp256k1_musig_pubkey_xonly_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1); 666 } else { 667 CHECK(secp256k1_musig_pubkey_ec_tweak_add(CTX, &P[i], &keyagg_cache, tweak) == 1); 668 } 669 CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &P_xonly[i], &P_parity, &P[i])); 670 /* Check that musig_pubkey_tweak_add produces same result as 671 * xonly_pubkey_tweak_add or ec_pubkey_tweak_add. */ 672 if (xonly) { 673 unsigned char P_serialized[32]; 674 CHECK(secp256k1_xonly_pubkey_serialize(CTX, P_serialized, &P_xonly[i])); 675 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, P_serialized, P_parity, &P_xonly[i-1], tweak) == 1); 676 } else { 677 secp256k1_pubkey tmp_key = P[i-1]; 678 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &tmp_key, tweak)); 679 CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0); 680 } 681 /* Test signing for P[i] */ 682 musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache); 683 } 684 } 685 686 int musig_vectors_keyagg_and_tweak(enum MUSIG_ERROR *error, 687 secp256k1_musig_keyagg_cache *keyagg_cache, 688 unsigned char *agg_pk_ser, 689 const unsigned char pubkeys33[][33], 690 const unsigned char tweaks32[][32], 691 size_t key_indices_len, 692 const size_t *key_indices, 693 size_t tweak_indices_len, 694 const size_t *tweak_indices, 695 const int *is_xonly) { 696 secp256k1_pubkey pubkeys[MUSIG_VECTORS_MAX_PUBKEYS]; 697 const secp256k1_pubkey *pk_ptr[MUSIG_VECTORS_MAX_PUBKEYS]; 698 int i; 699 secp256k1_pubkey agg_pk; 700 secp256k1_xonly_pubkey agg_pk_xonly; 701 702 for (i = 0; i < (int)key_indices_len; i++) { 703 if (!secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pubkeys33[key_indices[i]], 33)) { 704 *error = MUSIG_PUBKEY; 705 return 0; 706 } 707 pk_ptr[i] = &pubkeys[i]; 708 } 709 if (!secp256k1_musig_pubkey_agg(CTX, NULL, keyagg_cache, pk_ptr, key_indices_len)) { 710 *error = MUSIG_OTHER; 711 return 0; 712 } 713 714 for (i = 0; i < (int)tweak_indices_len; i++) { 715 if (is_xonly[i]) { 716 if (!secp256k1_musig_pubkey_xonly_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) { 717 *error = MUSIG_TWEAK; 718 return 0; 719 } 720 } else { 721 if (!secp256k1_musig_pubkey_ec_tweak_add(CTX, NULL, keyagg_cache, tweaks32[tweak_indices[i]])) { 722 *error = MUSIG_TWEAK; 723 return 0; 724 } 725 } 726 } 727 if (!secp256k1_musig_pubkey_get(CTX, &agg_pk, keyagg_cache)) { 728 *error = MUSIG_OTHER; 729 return 0; 730 } 731 732 if (!secp256k1_xonly_pubkey_from_pubkey(CTX, &agg_pk_xonly, NULL, &agg_pk)) { 733 *error = MUSIG_OTHER; 734 return 0; 735 } 736 737 if (agg_pk_ser != NULL) { 738 if (!secp256k1_xonly_pubkey_serialize(CTX, agg_pk_ser, &agg_pk_xonly)) { 739 *error = MUSIG_OTHER; 740 return 0; 741 } 742 } 743 744 return 1; 745 } 746 747 static void musig_test_vectors_keyagg(void) { 748 size_t i; 749 const struct musig_key_agg_vector *vector = &musig_key_agg_vector; 750 751 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) { 752 const struct musig_key_agg_valid_test_case *c = &vector->valid_case[i]; 753 enum MUSIG_ERROR error; 754 secp256k1_musig_keyagg_cache keyagg_cache; 755 unsigned char agg_pk[32]; 756 757 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, 0, NULL, NULL)); 758 CHECK(secp256k1_memcmp_var(agg_pk, c->expected, sizeof(agg_pk)) == 0); 759 } 760 761 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) { 762 const struct musig_key_agg_error_test_case *c = &vector->error_case[i]; 763 enum MUSIG_ERROR error; 764 secp256k1_musig_keyagg_cache keyagg_cache; 765 766 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly)); 767 CHECK(c->error == error); 768 } 769 } 770 771 static void musig_test_vectors_noncegen(void) { 772 size_t i; 773 const struct musig_nonce_gen_vector *vector = &musig_nonce_gen_vector; 774 775 for (i = 0; i < sizeof(vector->test_case)/sizeof(vector->test_case[0]); i++) { 776 const struct musig_nonce_gen_test_case *c = &vector->test_case[i]; 777 secp256k1_musig_keyagg_cache keyagg_cache; 778 secp256k1_musig_keyagg_cache *keyagg_cache_ptr = NULL; 779 unsigned char session_secrand32[32]; 780 secp256k1_musig_secnonce secnonce; 781 secp256k1_musig_pubnonce pubnonce; 782 const unsigned char *sk = NULL; 783 const unsigned char *msg = NULL; 784 const unsigned char *extra_in = NULL; 785 secp256k1_pubkey pk; 786 unsigned char pubnonce66[66]; 787 788 memcpy(session_secrand32, c->rand_, 32); 789 if (c->has_sk) { 790 sk = c->sk; 791 } 792 if (c->has_aggpk) { 793 /* Create keyagg_cache from aggpk */ 794 secp256k1_keyagg_cache_internal cache_i; 795 secp256k1_xonly_pubkey aggpk; 796 memset(&cache_i, 0, sizeof(cache_i)); 797 CHECK(secp256k1_xonly_pubkey_parse(CTX, &aggpk, c->aggpk)); 798 CHECK(secp256k1_xonly_pubkey_load(CTX, &cache_i.pk, &aggpk)); 799 secp256k1_keyagg_cache_save(&keyagg_cache, &cache_i); 800 keyagg_cache_ptr = &keyagg_cache; 801 } 802 if (c->has_msg) { 803 msg = c->msg; 804 } 805 if (c->has_extra_in) { 806 extra_in = c->extra_in; 807 } 808 809 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk, c->pk, sizeof(c->pk))); 810 CHECK(secp256k1_musig_nonce_gen(CTX, &secnonce, &pubnonce, session_secrand32, sk, &pk, msg, keyagg_cache_ptr, extra_in) == 1); 811 CHECK(secp256k1_memcmp_var(&secnonce.data[4], c->expected_secnonce, 2*32) == 0); 812 /* The last element of the secnonce is the public key (uncompressed in 813 * secp256k1_musig_secnonce, compressed in the test vector secnonce). */ 814 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0); 815 CHECK(secp256k1_memcmp_var(&c->expected_secnonce[2*32], c->pk, sizeof(c->pk)) == 0); 816 817 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1); 818 CHECK(sizeof(c->expected_pubnonce) == sizeof(pubnonce66)); 819 CHECK(secp256k1_memcmp_var(pubnonce66, c->expected_pubnonce, sizeof(pubnonce66)) == 0); 820 } 821 } 822 823 824 static void musig_test_vectors_nonceagg(void) { 825 size_t i; 826 int j; 827 const struct musig_nonce_agg_vector *vector = &musig_nonce_agg_vector; 828 829 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) { 830 const struct musig_nonce_agg_test_case *c = &vector->valid_case[i]; 831 secp256k1_musig_pubnonce pubnonce[2]; 832 const secp256k1_musig_pubnonce *pubnonce_ptr[2]; 833 secp256k1_musig_aggnonce aggnonce; 834 unsigned char aggnonce66[66]; 835 836 for (j = 0; j < 2; j++) { 837 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]]) == 1); 838 pubnonce_ptr[j] = &pubnonce[j]; 839 } 840 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, 2)); 841 CHECK(secp256k1_musig_aggnonce_serialize(CTX, aggnonce66, &aggnonce)); 842 CHECK(secp256k1_memcmp_var(aggnonce66, c->expected, 33) == 0); 843 } 844 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) { 845 const struct musig_nonce_agg_test_case *c = &vector->error_case[i]; 846 secp256k1_musig_pubnonce pubnonce[2]; 847 for (j = 0; j < 2; j++) { 848 int expected = c->invalid_nonce_idx != j; 849 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pnonces[c->pnonce_indices[j]])); 850 } 851 } 852 } 853 854 static void musig_test_set_secnonce(secp256k1_musig_secnonce *secnonce, const unsigned char *secnonce64, const secp256k1_pubkey *pubkey) { 855 secp256k1_ge pk; 856 secp256k1_scalar k[2]; 857 858 secp256k1_scalar_set_b32(&k[0], &secnonce64[0], NULL); 859 secp256k1_scalar_set_b32(&k[1], &secnonce64[32], NULL); 860 CHECK(secp256k1_pubkey_load(CTX, &pk, pubkey)); 861 secp256k1_musig_secnonce_save(secnonce, k, &pk); 862 } 863 864 static void musig_test_vectors_signverify(void) { 865 size_t i; 866 const struct musig_sign_verify_vector *vector = &musig_sign_verify_vector; 867 868 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) { 869 const struct musig_valid_case *c = &vector->valid_case[i]; 870 enum MUSIG_ERROR error; 871 secp256k1_musig_keyagg_cache keyagg_cache; 872 secp256k1_pubkey pubkey; 873 secp256k1_musig_pubnonce pubnonce; 874 secp256k1_musig_aggnonce aggnonce; 875 secp256k1_musig_session session; 876 secp256k1_musig_partial_sig partial_sig; 877 secp256k1_musig_secnonce secnonce; 878 secp256k1_keypair keypair; 879 unsigned char partial_sig32[32]; 880 881 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk)); 882 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL)); 883 884 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index])); 885 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache)); 886 887 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0]))); 888 musig_test_set_secnonce(&secnonce, vector->secnonces[0], &pubkey); 889 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session)); 890 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig)); 891 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0); 892 893 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[0])); 894 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session)); 895 } 896 for (i = 0; i < sizeof(vector->sign_error_case)/sizeof(vector->sign_error_case[0]); i++) { 897 const struct musig_sign_error_case *c = &vector->sign_error_case[i]; 898 enum MUSIG_ERROR error; 899 secp256k1_musig_keyagg_cache keyagg_cache; 900 secp256k1_pubkey pubkey; 901 secp256k1_musig_aggnonce aggnonce; 902 secp256k1_musig_session session; 903 secp256k1_musig_partial_sig partial_sig; 904 secp256k1_musig_secnonce secnonce; 905 secp256k1_keypair keypair; 906 int expected; 907 908 if (i == 0) { 909 /* Skip this vector since the implementation does not error out when 910 * the signing key does not belong to any pubkey. */ 911 continue; 912 } 913 expected = c->error != MUSIG_PUBKEY; 914 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL)); 915 CHECK(expected || c->error == error); 916 if (!expected) { 917 continue; 918 } 919 920 expected = c->error != MUSIG_AGGNONCE; 921 CHECK(expected == secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonces[c->aggnonce_index])); 922 if (!expected) { 923 continue; 924 } 925 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache)); 926 927 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0]))); 928 musig_test_set_secnonce(&secnonce, vector->secnonces[c->secnonce_index], &pubkey); 929 expected = c->error != MUSIG_SECNONCE; 930 if (expected) { 931 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session)); 932 } else { 933 CHECK_ILLEGAL(CTX, secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session)); 934 } 935 } 936 for (i = 0; i < sizeof(vector->verify_fail_case)/sizeof(vector->verify_fail_case[0]); i++) { 937 const struct musig_verify_fail_error_case *c = &vector->verify_fail_case[i]; 938 enum MUSIG_ERROR error; 939 secp256k1_musig_keyagg_cache keyagg_cache; 940 secp256k1_musig_aggnonce aggnonce; 941 secp256k1_musig_session session; 942 secp256k1_musig_partial_sig partial_sig; 943 enum { NUM_PUBNONCES = 3 }; 944 secp256k1_musig_pubnonce pubnonce[NUM_PUBNONCES]; 945 const secp256k1_musig_pubnonce *pubnonce_ptr[NUM_PUBNONCES]; 946 secp256k1_pubkey pubkey; 947 int expected; 948 size_t j; 949 950 CHECK(NUM_PUBNONCES <= c->nonce_indices_len); 951 for (j = 0; j < c->nonce_indices_len; j++) { 952 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce[j], vector->pubnonces[c->nonce_indices[j]])); 953 pubnonce_ptr[j] = &pubnonce[j]; 954 } 955 956 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL)); 957 CHECK(secp256k1_musig_nonce_agg(CTX, &aggnonce, pubnonce_ptr, c->nonce_indices_len) == 1); 958 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msgs[c->msg_index], &keyagg_cache)); 959 960 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[c->signer_index], sizeof(vector->pubkeys[0]))); 961 962 expected = c->error != MUSIG_SIG; 963 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig, c->sig)); 964 if (!expected) { 965 continue; 966 } 967 expected = c->error != MUSIG_SIG_VERIFY; 968 CHECK(expected == secp256k1_musig_partial_sig_verify(CTX, &partial_sig, pubnonce, &pubkey, &keyagg_cache, &session)); 969 } 970 for (i = 0; i < sizeof(vector->verify_error_case)/sizeof(vector->verify_error_case[0]); i++) { 971 const struct musig_verify_fail_error_case *c = &vector->verify_error_case[i]; 972 enum MUSIG_ERROR error; 973 secp256k1_musig_keyagg_cache keyagg_cache; 974 secp256k1_musig_pubnonce pubnonce; 975 int expected; 976 977 expected = c->error != MUSIG_PUBKEY; 978 CHECK(expected == musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, NULL, c->key_indices_len, c->key_indices, 0, NULL, NULL)); 979 CHECK(expected || c->error == error); 980 if (!expected) { 981 continue; 982 } 983 expected = c->error != MUSIG_PUBNONCE; 984 CHECK(expected == secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]])); 985 } 986 } 987 988 static void musig_test_vectors_tweak(void) { 989 size_t i; 990 const struct musig_tweak_vector *vector = &musig_tweak_vector; 991 secp256k1_pubkey pubkey; 992 secp256k1_musig_aggnonce aggnonce; 993 secp256k1_musig_secnonce secnonce; 994 995 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, vector->aggnonce)); 996 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, vector->pubkeys[0], sizeof(vector->pubkeys[0]))); 997 998 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) { 999 const struct musig_tweak_case *c = &vector->valid_case[i]; 1000 enum MUSIG_ERROR error; 1001 secp256k1_musig_keyagg_cache keyagg_cache; 1002 secp256k1_musig_pubnonce pubnonce; 1003 secp256k1_musig_session session; 1004 secp256k1_musig_partial_sig partial_sig; 1005 secp256k1_keypair keypair; 1006 unsigned char partial_sig32[32]; 1007 1008 musig_test_set_secnonce(&secnonce, vector->secnonce, &pubkey); 1009 1010 CHECK(secp256k1_keypair_create(CTX, &keypair, vector->sk)); 1011 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly)); 1012 1013 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache)); 1014 1015 CHECK(secp256k1_musig_partial_sign(CTX, &partial_sig, &secnonce, &keypair, &keyagg_cache, &session)); 1016 CHECK(secp256k1_musig_partial_sig_serialize(CTX, partial_sig32, &partial_sig)); 1017 CHECK(secp256k1_memcmp_var(partial_sig32, c->expected, sizeof(partial_sig32)) == 0); 1018 1019 CHECK(secp256k1_musig_pubnonce_parse(CTX, &pubnonce, vector->pubnonces[c->nonce_indices[c->signer_index]])); 1020 CHECK(secp256k1_musig_partial_sig_verify(CTX, &partial_sig, &pubnonce, &pubkey, &keyagg_cache, &session)); 1021 } 1022 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) { 1023 const struct musig_tweak_case *c = &vector->error_case[i]; 1024 enum MUSIG_ERROR error; 1025 secp256k1_musig_keyagg_cache keyagg_cache; 1026 CHECK(!musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, NULL, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly)); 1027 CHECK(error == MUSIG_TWEAK); 1028 } 1029 } 1030 1031 static void musig_test_vectors_sigagg(void) { 1032 size_t i, j; 1033 const struct musig_sig_agg_vector *vector = &musig_sig_agg_vector; 1034 1035 for (i = 0; i < sizeof(vector->valid_case)/sizeof(vector->valid_case[0]); i++) { 1036 const struct musig_sig_agg_case *c = &vector->valid_case[i]; 1037 enum MUSIG_ERROR error; 1038 unsigned char final_sig[64]; 1039 secp256k1_musig_keyagg_cache keyagg_cache; 1040 unsigned char agg_pk32[32]; 1041 secp256k1_xonly_pubkey agg_pk; 1042 secp256k1_musig_aggnonce aggnonce; 1043 secp256k1_musig_session session; 1044 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))]; 1045 const secp256k1_musig_partial_sig *partial_sig_ptr[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))]; 1046 1047 CHECK(musig_vectors_keyagg_and_tweak(&error, &keyagg_cache, agg_pk32, vector->pubkeys, vector->tweaks, c->key_indices_len, c->key_indices, c->tweak_indices_len, c->tweak_indices, c->is_xonly)); 1048 CHECK(secp256k1_musig_aggnonce_parse(CTX, &aggnonce, c->aggnonce)); 1049 CHECK(secp256k1_musig_nonce_process(CTX, &session, &aggnonce, vector->msg, &keyagg_cache)); 1050 for (j = 0; j < c->psig_indices_len; j++) { 1051 CHECK(secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]])); 1052 partial_sig_ptr[j] = &partial_sig[j]; 1053 } 1054 1055 CHECK(secp256k1_musig_partial_sig_agg(CTX, final_sig, &session, partial_sig_ptr, c->psig_indices_len) == 1); 1056 CHECK(secp256k1_memcmp_var(final_sig, c->expected, sizeof(final_sig)) == 0); 1057 1058 CHECK(secp256k1_xonly_pubkey_parse(CTX, &agg_pk, agg_pk32)); 1059 CHECK(secp256k1_schnorrsig_verify(CTX, final_sig, vector->msg, sizeof(vector->msg), &agg_pk) == 1); 1060 } 1061 for (i = 0; i < sizeof(vector->error_case)/sizeof(vector->error_case[0]); i++) { 1062 const struct musig_sig_agg_case *c = &vector->error_case[i]; 1063 secp256k1_musig_partial_sig partial_sig[(sizeof(vector->psigs)/sizeof(vector->psigs[0]))]; 1064 for (j = 0; j < c->psig_indices_len; j++) { 1065 int expected = c->invalid_sig_idx != (int)j; 1066 CHECK(expected == secp256k1_musig_partial_sig_parse(CTX, &partial_sig[j], vector->psigs[c->psig_indices[j]])); 1067 } 1068 } 1069 } 1070 1071 /* Since the BIP doesn't provide static test vectors for nonce_gen_counter, we 1072 * define a static test here */ 1073 static void musig_test_static_nonce_gen_counter(void) { 1074 secp256k1_musig_secnonce secnonce; 1075 secp256k1_musig_pubnonce pubnonce; 1076 unsigned char pubnonce66[66]; 1077 secp256k1_pubkey pk; 1078 secp256k1_keypair keypair; 1079 uint64_t nonrepeating_cnt = 0; 1080 unsigned char sk[32] = { 1081 0xEE, 0xC1, 0xCB, 0x7D, 0x1B, 0x72, 0x54, 0xC5, 1082 0xCA, 0xB0, 0xD9, 0xC6, 0x1A, 0xB0, 0x2E, 0x64, 1083 0x3D, 0x46, 0x4A, 0x59, 0xFE, 0x6C, 0x96, 0xA7, 1084 0xEF, 0xE8, 0x71, 0xF0, 0x7C, 0x5A, 0xEF, 0x54, 1085 }; 1086 unsigned char expected_secnonce[64] = { 1087 0x84, 0x2F, 0x13, 0x80, 0xCD, 0x17, 0xA1, 0x98, 1088 0xFC, 0x3D, 0xAD, 0x3B, 0x7D, 0xA7, 0x49, 0x29, 1089 0x41, 0xF4, 0x69, 0x76, 0xF2, 0x70, 0x2F, 0xF7, 1090 0xC6, 0x6F, 0x24, 0xF4, 0x72, 0x03, 0x6A, 0xF1, 1091 0xDA, 0x3F, 0x95, 0x2D, 0xDE, 0x4A, 0x2D, 0xA6, 1092 0xB6, 0x32, 0x57, 0x07, 0xCE, 0x87, 0xA4, 0xE3, 1093 0x61, 0x6D, 0x06, 0xFC, 0x5F, 0x81, 0xA9, 0xC9, 1094 0x93, 0x86, 0xD2, 0x0A, 0x99, 0xCE, 0xCF, 0x99, 1095 }; 1096 unsigned char expected_pubnonce[66] = { 1097 0x03, 0xA5, 0xB9, 0xB6, 0x90, 0x79, 0x42, 0xEA, 1098 0xCD, 0xDA, 0x49, 0xA3, 0x66, 0x01, 0x6E, 0xC2, 1099 0xE6, 0x24, 0x04, 0xA1, 0xBF, 0x4A, 0xB6, 0xD4, 1100 0xDB, 0x82, 0x06, 0x7B, 0xC3, 0xAD, 0xF0, 0x86, 1101 0xD7, 0x03, 0x32, 0x05, 0xDB, 0x9E, 0xB3, 0x4D, 1102 0x5C, 0x7C, 0xE0, 0x28, 0x48, 0xCA, 0xC6, 0x8A, 1103 0x83, 0xED, 0x73, 0xE3, 0x88, 0x34, 0x77, 0xF5, 1104 0x63, 0xF2, 0x3C, 0xE9, 0xA1, 0x1A, 0x77, 0x21, 1105 0xEC, 0x64, 1106 }; 1107 1108 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 1109 CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair)); 1110 CHECK(secp256k1_musig_nonce_gen_counter(CTX, &secnonce, &pubnonce, nonrepeating_cnt, &keypair, NULL, NULL, NULL) == 1); 1111 1112 CHECK(secp256k1_memcmp_var(&secnonce.data[4], expected_secnonce, 2*32) == 0); 1113 CHECK(secp256k1_memcmp_var(&secnonce.data[4+2*32], &pk, sizeof(pk)) == 0); 1114 1115 CHECK(secp256k1_musig_pubnonce_serialize(CTX, pubnonce66, &pubnonce) == 1); 1116 CHECK(secp256k1_memcmp_var(pubnonce66, expected_pubnonce, sizeof(pubnonce66)) == 0); 1117 } 1118 1119 static void run_musig_tests(void) { 1120 int i; 1121 1122 for (i = 0; i < COUNT; i++) { 1123 musig_simple_test(); 1124 } 1125 musig_api_tests(); 1126 musig_nonce_test(); 1127 for (i = 0; i < COUNT; i++) { 1128 /* Run multiple times to ensure that pk and nonce have different y 1129 * parities */ 1130 musig_tweak_test(); 1131 } 1132 sha256_tag_test(); 1133 musig_test_vectors_keyagg(); 1134 musig_test_vectors_noncegen(); 1135 musig_test_vectors_nonceagg(); 1136 musig_test_vectors_signverify(); 1137 musig_test_vectors_tweak(); 1138 musig_test_vectors_sigagg(); 1139 1140 musig_test_static_nonce_gen_counter(); 1141 } 1142 1143 #endif