diff --git a/include/secp256k1_musig.h b/include/secp256k1_musig.h index 5e0f2ba0..d580b8df 100644 --- a/include/secp256k1_musig.h +++ b/include/secp256k1_musig.h @@ -20,18 +20,18 @@ extern "C" { */ /** Data structure containing auxiliary data generated in `pubkey_combine` and - * required for `session_*_initialize`. + * required for `session_*_init`. * Fields: - * magic: Set during initialization in `pubkey_combine` to allow - * detecting an uninitialized object. - * pk_hash: The 32-byte hash of the original public keys - * is_negated: Whether the MuSig-aggregated point was negated when - * converting it to the combined xonly pubkey. + * magic: Set during initialization in `pubkey_combine` to allow + * detecting an uninitialized object. + * pk_hash: The 32-byte hash of the original public keys + * pk_parity: Whether the MuSig-aggregated point was negated when + * converting it to the combined xonly pubkey. */ typedef struct { uint64_t magic; unsigned char pk_hash[32]; - int is_negated; + int pk_parity; } secp256k1_musig_pre_session; /** Data structure containing data related to a signing session resulting in a single @@ -45,14 +45,14 @@ typedef struct { * structure. * * Fields: - * magic: Set in `musig_session_initialize` to allow detecting an + * magic: Set in `musig_session_init` to allow detecting an * uninitialized object. * round: Current round of the session * pre_session: Auxiliary data created in `pubkey_combine` * combined_pk: MuSig-computed combined xonly public key * n_signers: Number of signers * msg: The 32-byte message (hash) to be signed - * msg_is_set: Whether the above message has been set + * is_msg_set: Whether the above message has been set * has_secret_data: Whether this session object has a signers' secret data; if this * is `false`, it may still be used for verification purposes. * seckey: If `has_secret_data`, the signer's secret key @@ -61,9 +61,8 @@ typedef struct { * nonce_commitments_hash: If `has_secret_data` and round >= 1, the hash of all * signers' commitments * combined_nonce: If round >= 2, the summed combined public nonce - * nonce_is_negated: If round >= 2, whether the above nonce was negated after - * summing the participants' nonces. Needed to ensure the nonce's y - * coordinate is even. + * combined_nonce_parity: If round >= 2, the parity of the Y coordinate of above + * nonce. */ typedef struct { uint64_t magic; @@ -71,23 +70,23 @@ typedef struct { secp256k1_musig_pre_session pre_session; secp256k1_xonly_pubkey combined_pk; uint32_t n_signers; + int is_msg_set; unsigned char msg[32]; - int msg_is_set; int has_secret_data; unsigned char seckey[32]; unsigned char secnonce[32]; secp256k1_pubkey nonce; unsigned char nonce_commitments_hash[32]; secp256k1_pubkey combined_nonce; - int nonce_is_negated; + int combined_nonce_parity; } secp256k1_musig_session; /** Data structure containing data on all signers in a single session. * * The workflow for this structure is as follows: * - * 1. This structure is initialized with `musig_session_initialize` or - * `musig_session_initialize_verifier`, which set the `index` field, and zero out + * 1. This structure is initialized with `musig_session_init` or + * `musig_session_init_verifier`, which set the `index` field, and zero out * all other fields. The public session is initialized with the signers' * nonce_commitments. * @@ -129,7 +128,8 @@ typedef struct { unsigned char data[32]; } secp256k1_musig_partial_signature; -/** Computes a combined public key and the hash of the given public keys +/** Computes a combined public key and the hash of the given public keys. + * Different orders of `pubkeys` result in different `combined_pk`s. * * Returns: 1 if the public keys were successfully combined, 0 otherwise * Args: ctx: pointer to a context object initialized for verification @@ -138,7 +138,7 @@ typedef struct { * multiexponentiation. If NULL, an inefficient algorithm is used. * Out: combined_pk: the MuSig-combined xonly public key (cannot be NULL) * pre_session: if non-NULL, pointer to a musig_pre_session struct to be used in - * `musig_session_initialize`. + * `musig_session_init`. * In: pubkeys: input array of public keys to combine. The order is important; * a different order will result in a different combined public * key (cannot be NULL) @@ -180,7 +180,7 @@ SECP256K1_API int secp256k1_musig_pubkey_combine( * than `n_signers`. * seckey: the signer's 32-byte secret key (cannot be NULL) */ -SECP256K1_API int secp256k1_musig_session_initialize( +SECP256K1_API int secp256k1_musig_session_init( const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, @@ -196,7 +196,7 @@ SECP256K1_API int secp256k1_musig_session_initialize( /** Gets the signer's public nonce given a list of all signers' data with * commitments. Called by participating signers after - * `secp256k1_musig_session_initialize` and after all nonce commitments have + * `secp256k1_musig_session_init` and after all nonce commitments have * been collected * * Returns: 1: public nonce is written in nonce @@ -205,14 +205,14 @@ SECP256K1_API int secp256k1_musig_session_initialize( * Args: ctx: pointer to a context object (cannot be NULL) * session: the signing session to get the nonce from (cannot be NULL) * signers: an array of signers' data initialized with - * `musig_session_initialize`. Array length must equal to + * `musig_session_init`. Array length must equal to * `n_commitments` (cannot be NULL) * Out: nonce: the nonce (cannot be NULL) * In: commitments: array of pointers to 32-byte nonce commitments (cannot be NULL) * n_commitments: the length of commitments and signers array. Must be the total * number of signers participating in the MuSig. * msg32: the 32-byte message to be signed. Must be NULL if already - * set with `musig_session_initialize` otherwise can not be NULL. + * set with `musig_session_init` otherwise can not be NULL. */ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_public_nonce( const secp256k1_context* ctx, @@ -244,7 +244,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_publi * participating in the MuSig. Must be greater than 0 and at most * 2^32 - 1. */ -SECP256K1_API int secp256k1_musig_session_initialize_verifier( +SECP256K1_API int secp256k1_musig_session_init_verifier( const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, @@ -263,7 +263,7 @@ SECP256K1_API int secp256k1_musig_session_initialize_verifier( * Args: ctx: pointer to a context object (cannot be NULL) * signer: pointer to the signer data to update (cannot be NULL). Must have * been used with `musig_session_get_public_nonce` or initialized - * with `musig_session_initialize_verifier`. + * with `musig_session_init_verifier`. * In: nonce: signer's alleged public nonce (cannot be NULL) */ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce( @@ -285,8 +285,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce( * (cannot be NULL) * n_signers: the length of the signers array. Must be the total number of * signers participating in the MuSig. - * Out: nonce_is_negated: a pointer to an integer that indicates if the combined - * public nonce had to be negated. + * Out: nonce_parity: if non-NULL, a pointer to an integer that indicates the + * parity of the combined public nonce. Used for adaptor + * signatures. * adaptor: point to add to the combined public nonce. If NULL, nothing is * added to the combined nonce. */ @@ -295,7 +296,7 @@ SECP256K1_API int secp256k1_musig_session_combine_nonces( secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signers, size_t n_signers, - int *nonce_is_negated, + int *nonce_parity, const secp256k1_pubkey *adaptor ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -399,14 +400,14 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_combi * In: partial_sig: partial signature to tweak with secret adaptor (cannot be NULL) * sec_adaptor32: 32-byte secret adaptor to add to the partial signature (cannot * be NULL) - * nonce_is_negated: the `nonce_is_negated` output of `musig_session_combine_nonces` + * nonce_parity: the `nonce_parity` output of `musig_session_combine_nonces` */ SECP256K1_API int secp256k1_musig_partial_sig_adapt( const secp256k1_context* ctx, secp256k1_musig_partial_signature *adaptor_sig, const secp256k1_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, - int nonce_is_negated + int nonce_parity ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Extracts a secret adaptor from a MuSig, given all parties' partial @@ -422,7 +423,7 @@ SECP256K1_API int secp256k1_musig_partial_sig_adapt( * In: sig64: complete 2-of-2 signature (cannot be NULL) * partial_sigs: array of partial signatures (cannot be NULL) * n_partial_sigs: number of elements in partial_sigs array - * nonce_is_negated: the `nonce_is_negated` output of `musig_session_combine_nonces` + * nonce_parity: the `nonce_parity` output of `musig_session_combine_nonces` */ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_extract_secret_adaptor( const secp256k1_context* ctx, @@ -430,7 +431,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_extract_secret_ad const unsigned char *sig64, const secp256k1_musig_partial_signature *partial_sigs, size_t n_partial_sigs, - int nonce_is_negated + int nonce_parity ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); #ifdef __cplusplus diff --git a/src/modules/musig/example.c b/src/modules/musig/example.c index 4670d442..e21dd9b5 100644 --- a/src/modules/musig/example.c +++ b/src/modules/musig/example.c @@ -60,7 +60,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25 return 0; } /* Create random session ID. It is absolutely necessary that the session ID - * is unique for every call of secp256k1_musig_session_initialize. Otherwise + * is unique for every call of secp256k1_musig_session_init. Otherwise * it's trivial for an attacker to extract the secret key! */ frand = fopen("/dev/urandom", "r"); if(frand == NULL) { @@ -72,7 +72,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25 } fclose(frand); /* Initialize session */ - if (!secp256k1_musig_session_initialize(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, &pre_session, N_SIGNERS, i, seckeys[i])) { + if (!secp256k1_musig_session_init(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, &pre_session, N_SIGNERS, i, seckeys[i])) { return 0; } nonce_commitment_ptr[i] = &nonce_commitment[i][0]; diff --git a/src/modules/musig/main_impl.h b/src/modules/musig/main_impl.h index 6d602ad9..36791566 100644 --- a/src/modules/musig/main_impl.h +++ b/src/modules/musig/main_impl.h @@ -102,7 +102,7 @@ int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scrat secp256k1_musig_pubkey_combine_ecmult_data ecmult_data; secp256k1_gej pkj; secp256k1_ge pkp; - int is_negated; + int pk_parity; VERIFY_CHECK(ctx != NULL); ARG_CHECK(combined_pk != NULL); @@ -120,20 +120,20 @@ int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scrat } secp256k1_ge_set_gej(&pkp, &pkj); secp256k1_fe_normalize(&pkp.y); - is_negated = secp256k1_extrakeys_ge_even_y(&pkp); + pk_parity = secp256k1_extrakeys_ge_even_y(&pkp); secp256k1_xonly_pubkey_save(combined_pk, &pkp); if (pre_session != NULL) { pre_session->magic = pre_session_magic; memcpy(pre_session->pk_hash, ecmult_data.ell, 32); - pre_session->is_negated = is_negated; + pre_session->pk_parity = pk_parity; } return 1; } static const uint64_t session_magic = 0xd92e6fc1ee41b4cbUL; -int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const secp256k1_xonly_pubkey *combined_pk, const secp256k1_musig_pre_session *pre_session, size_t n_signers, size_t my_index, const unsigned char *seckey) { +int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const secp256k1_xonly_pubkey *combined_pk, const secp256k1_musig_pre_session *pre_session, size_t n_signers, size_t my_index, const unsigned char *seckey) { unsigned char combined_ser[32]; int overflow; secp256k1_scalar secret; @@ -164,9 +164,9 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m session->magic = session_magic; if (msg32 != NULL) { memcpy(session->msg, msg32, 32); - session->msg_is_set = 1; + session->is_msg_set = 1; } else { - session->msg_is_set = 0; + session->is_msg_set = 0; } memcpy(&session->combined_pk, combined_pk, sizeof(*combined_pk)); session->pre_session = *pre_session; @@ -182,10 +182,10 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m } secp256k1_musig_coefficient(&mu, session->pre_session.pk_hash, (uint32_t) my_index); /* Compute the signers public key point and determine if the secret needs to - * be negated before signing. If the signer's pubkey is negated XOR the - * MuSig-combined pubkey is negated the secret has to be negated. This can - * be seen by looking at the secret key belonging to `combined_pk`. Let's - * define + * be negated before signing. If the signer's pubkey has an odd Y coordinate + * XOR the MuSig-combined pubkey has an odd Y coordinate, the secret has to + * be negated. This can be seen by looking at the secret key belonging to + * `combined_pk`. Let's define * P' := mu_0*|P_0| + ... + mu_n*|P_n| where P_i is the i-th public key * point x_i*G, mu_i is the i-th musig coefficient and |.| is a function * that normalizes a point to an even Y by negating if necessary similar to @@ -196,7 +196,7 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret); secp256k1_ge_set_gej(&p, &pj); secp256k1_fe_normalize(&p.y); - if (secp256k1_fe_is_odd(&p.y) != session->pre_session.is_negated) { + if (secp256k1_fe_is_odd(&p.y) != session->pre_session.pk_parity) { secp256k1_scalar_negate(&secret, &secret); } secp256k1_scalar_mul(&secret, &secret, &mu); @@ -205,7 +205,7 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m /* Compute secret nonce */ secp256k1_sha256_initialize(&sha); secp256k1_sha256_write(&sha, session_id32, 32); - if (session->msg_is_set) { + if (session->is_msg_set) { secp256k1_sha256_write(&sha, msg32, 32); } secp256k1_xonly_pubkey_serialize(ctx, combined_ser, combined_pk); @@ -248,9 +248,9 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2 ARG_CHECK(session->round == 0); /* If the message was not set during initialization it must be set now. */ - ARG_CHECK(!(!session->msg_is_set && msg32 == NULL)); + ARG_CHECK(!(!session->is_msg_set && msg32 == NULL)); /* The message can only be set once. */ - ARG_CHECK(!(session->msg_is_set && msg32 != NULL)); + ARG_CHECK(!(session->is_msg_set && msg32 != NULL)); ARG_CHECK(session->has_secret_data); ARG_CHECK(n_commitments == session->n_signers); for (i = 0; i < n_commitments; i++) { @@ -259,7 +259,7 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2 if (msg32 != NULL) { memcpy(session->msg, msg32, 32); - session->msg_is_set = 1; + session->is_msg_set = 1; } secp256k1_sha256_initialize(&sha); for (i = 0; i < n_commitments; i++) { @@ -273,7 +273,7 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2 return 1; } -int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, const unsigned char *msg32, const secp256k1_xonly_pubkey *combined_pk, const secp256k1_musig_pre_session *pre_session, const unsigned char *const *commitments, size_t n_signers) { +int secp256k1_musig_session_init_verifier(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, const unsigned char *msg32, const secp256k1_xonly_pubkey *combined_pk, const secp256k1_musig_pre_session *pre_session, const unsigned char *const *commitments, size_t n_signers) { size_t i; VERIFY_CHECK(ctx != NULL); @@ -302,7 +302,7 @@ int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, se secp256k1_musig_signers_init(signers, session->n_signers); session->pre_session = *pre_session; - session->msg_is_set = 1; + session->is_msg_set = 1; memcpy(session->msg, msg32, 32); session->has_secret_data = 0; @@ -335,7 +335,7 @@ int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_sess return 1; } -int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signers, size_t n_signers, int *nonce_is_negated, const secp256k1_pubkey *adaptor) { +int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signers, size_t n_signers, int *nonce_parity, const secp256k1_pubkey *adaptor) { secp256k1_gej combined_noncej; secp256k1_ge combined_noncep; secp256k1_ge noncep; @@ -379,13 +379,13 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256 secp256k1_ge_set_gej(&combined_noncep, &combined_noncej); secp256k1_fe_normalize(&combined_noncep.y); if (!secp256k1_fe_is_odd(&combined_noncep.y)) { - session->nonce_is_negated = 0; + session->combined_nonce_parity = 0; } else { - session->nonce_is_negated = 1; + session->combined_nonce_parity = 1; secp256k1_ge_neg(&combined_noncep, &combined_noncep); } - if (nonce_is_negated != NULL) { - *nonce_is_negated = session->nonce_is_negated; + if (nonce_parity != NULL) { + *nonce_parity = session->combined_nonce_parity; } secp256k1_pubkey_save(&session->combined_nonce, &combined_noncep); session->round = 2; @@ -456,7 +456,7 @@ int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_m secp256k1_scalar_clear(&k); return 0; } - if (session->nonce_is_negated) { + if (session->combined_nonce_parity) { secp256k1_scalar_negate(&k, &k); } @@ -544,10 +544,10 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2 if (!secp256k1_pubkey_load(ctx, &rp, &signer->nonce)) { return 0; } - /* If the MuSig-combined point is negated, the signers will sign for the - * negation of their individual xonly public key such that the combined - * signature is valid for the MuSig aggregated xonly key. */ - if (session->pre_session.is_negated) { + /* If the MuSig-combined point has an odd Y coordinate, the signers will + * sign for the negation of their individual xonly public key such that the + * combined signature is valid for the MuSig aggregated xonly key. */ + if (session->pre_session.pk_parity) { secp256k1_scalar_negate(&e, &e); } @@ -559,7 +559,7 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2 secp256k1_gej_set_ge(&pkj, &pkp); secp256k1_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); - if (!session->nonce_is_negated) { + if (!session->combined_nonce_parity) { secp256k1_ge_neg(&rp, &rp); } secp256k1_gej_add_ge_var(&rj, &rj, &rp, NULL); @@ -567,7 +567,7 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2 return secp256k1_gej_is_infinity(&rj); } -int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_musig_partial_signature *adaptor_sig, const secp256k1_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_is_negated) { +int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_musig_partial_signature *adaptor_sig, const secp256k1_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_parity) { secp256k1_scalar s; secp256k1_scalar t; int overflow; @@ -588,7 +588,7 @@ int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_mu return 0; } - if (nonce_is_negated) { + if (nonce_parity) { secp256k1_scalar_negate(&t, &t); } @@ -598,7 +598,7 @@ int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_mu return 1; } -int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, const secp256k1_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_is_negated) { +int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, const secp256k1_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_parity) { secp256k1_scalar t; secp256k1_scalar s; int overflow; @@ -625,7 +625,7 @@ int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigne secp256k1_scalar_add(&t, &t, &s); } - if (!nonce_is_negated) { + if (!nonce_parity) { secp256k1_scalar_negate(&t, &t); } secp256k1_scalar_get_b32(sec_adaptor32, &t); diff --git a/src/modules/musig/musig.md b/src/modules/musig/musig.md index ec1f1df5..240e85ca 100644 --- a/src/modules/musig/musig.md +++ b/src/modules/musig/musig.md @@ -74,7 +74,7 @@ signature process, which is also a supported mode) acts as follows. ### Signing Participant -1. The signer starts the session by calling `secp256k1_musig_session_initialize`. +1. The signer starts the session by calling `secp256k1_musig_session_init`. This function outputs - an initialized session state in the out-pointer `session` - an array of initialized signer data in the out-pointer `signers` @@ -91,7 +91,7 @@ signature process, which is also a supported mode) acts as follows. length-32 byte arrays which can be communicated however is communicated. 3. Once all signers nonce commitments have been received, the signer records these commitments with the function `secp256k1_musig_session_get_public_nonce`. - If the signer did not provide a message to `secp256k1_musig_session_initialize`, + If the signer did not provide a message to `secp256k1_musig_session_init`, a message must be provided now. This function updates in place - the session state `session` @@ -133,8 +133,8 @@ A participant who wants to verify the signing process, i.e. check that nonce com are consistent and partial signatures are correct without contributing a partial signature, may do so using the above instructions except for the following changes: -1. A signing session should be produced using `musig_session_initialize_verifier` - rather than `musig_session_initialize`; this function takes no secret data or +1. A signing session should be produced using `musig_session_init_verifier` + rather than `musig_session_init`; this function takes no secret data or signer index. 2. The participant receives nonce commitments, public nonces and partial signatures, but does not produce these values. Therefore `secp256k1_musig_session_get_public_nonce` diff --git a/src/modules/musig/tests_impl.h b/src/modules/musig/tests_impl.h index 19fb0a5e..5cdd0822 100644 --- a/src/modules/musig/tests_impl.h +++ b/src/modules/musig/tests_impl.h @@ -45,8 +45,8 @@ void musig_simple_test(secp256k1_scratch_space *scratch) { CHECK(secp256k1_xonly_pubkey_create(&pk[1], sk[1]) == 1); CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk, &pre_session, pk, 2) == 1); - CHECK(secp256k1_musig_session_initialize(ctx, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); - CHECK(secp256k1_musig_session_initialize(ctx, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; @@ -91,7 +91,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { unsigned char ones[32]; unsigned char session_id[2][32]; unsigned char nonce_commitment[2][32]; - int nonce_is_negated; + int combined_nonce_parity; const unsigned char *ncs[2]; unsigned char msg[32]; secp256k1_xonly_pubkey combined_pk; @@ -172,68 +172,68 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { /** Session creation **/ ecount = 0; - CHECK(secp256k1_musig_session_initialize(none, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(none, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 1); - CHECK(secp256k1_musig_session_initialize(vrfy, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(vrfy, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 2); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); CHECK(ecount == 2); - CHECK(secp256k1_musig_session_initialize(sign, NULL, signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, NULL, signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 3); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], NULL, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], NULL, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 4); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, NULL, session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, NULL, session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 5); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], NULL, msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], NULL, msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 6); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], NULL, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], NULL, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); CHECK(ecount == 6); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, NULL, &pre_session, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, NULL, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 7); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, NULL, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, NULL, 2, 0, sk[0]) == 0); CHECK(ecount == 8); /* Uninitialized pre_session */ - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session_uninitialized, 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session_uninitialized, 2, 0, sk[0]) == 0); CHECK(ecount == 9); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 0, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 0, 0, sk[0]) == 0); CHECK(ecount == 10); - /* If more than UINT32_MAX fits in a size_t, test that session_initialize + /* If more than UINT32_MAX fits in a size_t, test that session_init * rejects n_signers that high. */ if (SIZE_MAX > UINT32_MAX) { - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, ((size_t) UINT32_MAX) + 2, 0, sk[0]) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, ((size_t) UINT32_MAX) + 2, 0, sk[0]) == 0); } CHECK(ecount == 11); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, NULL) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, NULL) == 0); CHECK(ecount == 12); /* secret key overflows */ - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, ones) == 0); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, ones) == 0); CHECK(ecount == 12); - CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); - CHECK(secp256k1_musig_session_initialize(sign, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); + CHECK(secp256k1_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(secp256k1_musig_session_init(sign, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; ecount = 0; - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); CHECK(ecount == 0); - CHECK(secp256k1_musig_session_initialize_verifier(none, NULL, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, NULL, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 0); CHECK(ecount == 1); - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, NULL, &combined_pk, &pre_session, ncs, 2) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, NULL, &combined_pk, &pre_session, ncs, 2) == 0); CHECK(ecount == 2); - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, NULL, &pre_session, ncs, 2) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, NULL, &pre_session, ncs, 2) == 0); CHECK(ecount == 3); - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, NULL, ncs, 2) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, NULL, ncs, 2) == 0); CHECK(ecount == 4); - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, NULL, 2) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, NULL, 2) == 0); CHECK(ecount == 5); - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 0) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 0) == 0); CHECK(ecount == 6); if (SIZE_MAX > UINT32_MAX) { - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, ((size_t) UINT32_MAX) + 2) == 0); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, ((size_t) UINT32_MAX) + 2) == 0); } CHECK(ecount == 7); - CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); + CHECK(secp256k1_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); /** Signing step 0 -- exchange nonce commitments */ ecount = 0; @@ -296,26 +296,26 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { ecount = 0; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &nonce_is_negated, &adaptor) == 1); + CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &combined_nonce_parity, &adaptor) == 1); memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(secp256k1_musig_session_combine_nonces(none, NULL, signer0, 2, &nonce_is_negated, &adaptor) == 0); + CHECK(secp256k1_musig_session_combine_nonces(none, NULL, signer0, 2, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 1); /* Uninitialized session */ - CHECK(secp256k1_musig_session_combine_nonces(none, &session_uninitialized, signer0, 2, &nonce_is_negated, &adaptor) == 0); + CHECK(secp256k1_musig_session_combine_nonces(none, &session_uninitialized, signer0, 2, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 2); - CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, NULL, 2, &nonce_is_negated, &adaptor) == 0); + CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, NULL, 2, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 3); /* Number of signers differs from number during intialization */ - CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 1, &nonce_is_negated, &adaptor) == 0); + CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 1, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 4); CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, NULL, &adaptor) == 1); CHECK(ecount == 4); memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &nonce_is_negated, NULL) == 1); + CHECK(secp256k1_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &combined_nonce_parity, NULL) == 1); - CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 2, &nonce_is_negated, &adaptor) == 1); - CHECK(secp256k1_musig_session_combine_nonces(none, &session[1], signer0, 2, &nonce_is_negated, &adaptor) == 1); - CHECK(secp256k1_musig_session_combine_nonces(none, &verifier_session, verifier_signer_data, 2, &nonce_is_negated, &adaptor) == 1); + CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 2, &combined_nonce_parity, &adaptor) == 1); + CHECK(secp256k1_musig_session_combine_nonces(none, &session[1], signer0, 2, &combined_nonce_parity, &adaptor) == 1); + CHECK(secp256k1_musig_session_combine_nonces(none, &verifier_session, verifier_signer_data, 2, &combined_nonce_parity, &adaptor) == 1); } /** Signing step 2 -- partial signatures */ @@ -384,16 +384,16 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { /** Adaptor signature verification */ memcpy(&partial_sig_adapted[1], &partial_sig[1], sizeof(partial_sig_adapted[1])); ecount = 0; - CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], sec_adaptor, nonce_is_negated) == 1); + CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], sec_adaptor, combined_nonce_parity) == 1); CHECK(secp256k1_musig_partial_sig_adapt(none, NULL, &partial_sig[0], sec_adaptor, 0) == 0); CHECK(ecount == 1); CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], NULL, sec_adaptor, 0) == 0); CHECK(ecount == 2); - CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig_overflow, sec_adaptor, nonce_is_negated) == 0); + CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig_overflow, sec_adaptor, combined_nonce_parity) == 0); CHECK(ecount == 2); CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], NULL, 0) == 0); CHECK(ecount == 3); - CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], ones, nonce_is_negated) == 0); + CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], ones, combined_nonce_parity) == 0); CHECK(ecount == 3); /** Signing combining and verification */ @@ -430,7 +430,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { /** Secret adaptor can be extracted from signature */ ecount = 0; - CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 2, nonce_is_negated) == 1); + CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 2, combined_nonce_parity) == 1); CHECK(memcmp(sec_adaptor, sec_adaptor1, 32) == 0); CHECK(secp256k1_musig_extract_secret_adaptor(none, NULL, final_sig, partial_sig, 2, 0) == 0); CHECK(ecount == 1); @@ -440,7 +440,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { unsigned char final_sig_tmp[64]; memcpy(final_sig_tmp, final_sig, sizeof(final_sig_tmp)); memcpy(&final_sig_tmp[32], ones, 32); - CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig_tmp, partial_sig, 2, nonce_is_negated) == 0); + CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig_tmp, partial_sig, 2, combined_nonce_parity) == 0); } CHECK(ecount == 2); CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, NULL, 2, 0) == 0); @@ -449,7 +449,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { secp256k1_musig_partial_signature partial_sig_tmp[2]; partial_sig_tmp[0] = partial_sig[0]; partial_sig_tmp[1] = partial_sig_overflow; - CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig_tmp, 2, nonce_is_negated) == 0); + CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig_tmp, 2, combined_nonce_parity) == 0); } CHECK(ecount == 3); CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 0, 0) == 1); @@ -486,9 +486,9 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp25 pks_tmp[0] = pks[0]; CHECK(secp256k1_xonly_pubkey_create(&pks_tmp[1], sk_dummy) == 1); CHECK(secp256k1_musig_pubkey_combine(ctx, NULL, &combined_pk_tmp, &pre_session_tmp, pks_tmp, 2) == 1); - CHECK(secp256k1_musig_session_initialize(ctx, &session_tmp, signers_tmp, nonce_commitment, session_id, msg, &combined_pk_tmp, &pre_session_tmp, 2, 1, sk_dummy) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session_tmp, signers_tmp, nonce_commitment, session_id, msg, &combined_pk_tmp, &pre_session_tmp, 2, 1, sk_dummy) == 1); - CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 0, sk) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 0, sk) == 1); CHECK(memcmp(nonce_commitment, nonce_commitments[1], 32) == 0); /* Call get_public_nonce with different signers than the signers the session was * initialized with. */ @@ -517,7 +517,7 @@ int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey * /* Initialize new signers */ secp256k1_testrand256(session_id); - CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 1, sk) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 1, sk) == 1); ncs[0] = nonce_commitment_other; ncs[1] = nonce_commitment; CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, &nonce, ncs, 2, NULL) == 1); @@ -549,7 +549,7 @@ void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xo secp256k1_musig_partial_signature partial_sig; secp256k1_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); - CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, NULL, combined_pk, pre_session, 2, 1, sk) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, NULL, combined_pk, pre_session, 2, 1, sk) == 1); ncs[0] = nonce_commitment_other; ncs[1] = nonce_commitment; @@ -609,8 +609,8 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) { CHECK(secp256k1_xonly_pubkey_create(&pk[0], sk[0]) == 1); CHECK(secp256k1_xonly_pubkey_create(&pk[1], sk[1]) == 1); CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk, &pre_session, pk, 2) == 1); - CHECK(secp256k1_musig_session_initialize(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); - CHECK(secp256k1_musig_session_initialize(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(secp256k1_musig_session_init(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); /* Can't combine nonces unless we're through round 1 already */ ecount = 0; CHECK(secp256k1_musig_session_combine_nonces(ctx_tmp, &session[0], signers0, 2, NULL, NULL) == 0); @@ -708,8 +708,8 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { const unsigned char *noncommit_b_ptr[2]; secp256k1_pubkey pubnon_a[2]; secp256k1_pubkey pubnon_b[2]; - int nonce_is_negated_a; - int nonce_is_negated_b; + int combined_nonce_parity_a; + int combined_nonce_parity_b; secp256k1_musig_session_signer_data data_a[2]; secp256k1_musig_session_signer_data data_b[2]; @@ -733,13 +733,13 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk_a, &pre_session_a, pk_a, 2)); CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk_b, &pre_session_b, pk_b, 2)); - CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_a[0], data_a, noncommit_a[0], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 0, seckey_a[0])); - CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_a[1], data_a, noncommit_a[1], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 1, seckey_a[1])); + CHECK(secp256k1_musig_session_init(ctx, &musig_session_a[0], data_a, noncommit_a[0], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 0, seckey_a[0])); + CHECK(secp256k1_musig_session_init(ctx, &musig_session_a[1], data_a, noncommit_a[1], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 1, seckey_a[1])); noncommit_a_ptr[0] = noncommit_a[0]; noncommit_a_ptr[1] = noncommit_a[1]; - CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_b[0], data_b, noncommit_b[0], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 0, seckey_b[0])); - CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_b[1], data_b, noncommit_b[1], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 1, seckey_b[1])); + CHECK(secp256k1_musig_session_init(ctx, &musig_session_b[0], data_b, noncommit_b[0], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 0, seckey_b[0])); + CHECK(secp256k1_musig_session_init(ctx, &musig_session_b[1], data_b, noncommit_b[1], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 1, seckey_b[1])); noncommit_b_ptr[0] = noncommit_b[0]; noncommit_b_ptr[1] = noncommit_b[1]; @@ -752,9 +752,9 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { CHECK(secp256k1_musig_set_nonce(ctx, &data_a[1], &pubnon_a[1])); CHECK(secp256k1_musig_set_nonce(ctx, &data_b[0], &pubnon_b[0])); CHECK(secp256k1_musig_set_nonce(ctx, &data_b[1], &pubnon_b[1])); - CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[0], data_a, 2, &nonce_is_negated_a, &pub_adaptor)); + CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[0], data_a, 2, &combined_nonce_parity_a, &pub_adaptor)); CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[1], data_a, 2, NULL, &pub_adaptor)); - CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_b[0], data_b, 2, &nonce_is_negated_b, &pub_adaptor)); + CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_b[0], data_b, 2, &combined_nonce_parity_b, &pub_adaptor)); CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_b[1], data_b, 2, NULL, &pub_adaptor)); /* Step 3: Signer 0 produces partial signatures for both chains. */ @@ -770,16 +770,16 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { /* Step 5: Signer 0 adapts its own partial signature and combines it with the * partial signature from signer 1. This results in a complete signature which * is broadcasted by signer 0 to take B-coins. */ - CHECK(secp256k1_musig_partial_sig_adapt(ctx, &partial_sig_b_adapted[0], &partial_sig_b[0], sec_adaptor, nonce_is_negated_b)); + CHECK(secp256k1_musig_partial_sig_adapt(ctx, &partial_sig_b_adapted[0], &partial_sig_b[0], sec_adaptor, combined_nonce_parity_b)); memcpy(&partial_sig_b_adapted[1], &partial_sig_b[1], sizeof(partial_sig_b_adapted[1])); CHECK(secp256k1_musig_partial_sig_combine(ctx, &musig_session_b[0], final_sig_b, partial_sig_b_adapted, 2) == 1); CHECK(secp256k1_schnorrsig_verify(ctx, final_sig_b, msg32_b, &combined_pk_b) == 1); /* Step 6: Signer 1 extracts adaptor from the published signature, applies it to * other partial signature, and takes A-coins. */ - CHECK(secp256k1_musig_extract_secret_adaptor(ctx, sec_adaptor_extracted, final_sig_b, partial_sig_b, 2, nonce_is_negated_b) == 1); + CHECK(secp256k1_musig_extract_secret_adaptor(ctx, sec_adaptor_extracted, final_sig_b, partial_sig_b, 2, combined_nonce_parity_b) == 1); CHECK(memcmp(sec_adaptor_extracted, sec_adaptor, sizeof(sec_adaptor)) == 0); /* in real life we couldn't check this, of course */ - CHECK(secp256k1_musig_partial_sig_adapt(ctx, &partial_sig_a[0], &partial_sig_a[0], sec_adaptor_extracted, nonce_is_negated_a)); + CHECK(secp256k1_musig_partial_sig_adapt(ctx, &partial_sig_a[0], &partial_sig_a[0], sec_adaptor_extracted, combined_nonce_parity_a)); CHECK(secp256k1_musig_partial_sign(ctx, &musig_session_a[1], &partial_sig_a[1])); CHECK(secp256k1_musig_partial_sig_combine(ctx, &musig_session_a[1], final_sig_a, partial_sig_a, 2) == 1); CHECK(secp256k1_schnorrsig_verify(ctx, final_sig_a, msg32_a, &combined_pk_a) == 1); @@ -818,6 +818,7 @@ void sha256_tag_test(void) { CHECK(memcmp(buf, buf2, 32) == 0); } + void run_musig_tests(void) { int i; secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024); @@ -828,7 +829,7 @@ void run_musig_tests(void) { musig_api_tests(scratch); musig_state_machine_tests(scratch); for (i = 0; i < count; i++) { - /* Run multiple times to ensure that the nonce is negated in some tests */ + /* Run multiple times to ensure that the nonce has different y parities */ scriptless_atomic_swap(scratch); } sha256_tag_test();