frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

musig: update to BIP v1.0.0-rc.2 "Add ''pk'' arg to ''NonceGen''"

Browse Source
This commit is contained in:
Jonas Nick 2022-12-20 19:11:35 +00:00
parent d717a4980b
commit 36621d13be
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
5 changed files with 85 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
examples/musig.c
View File

@ -112,7 +112,7 @@ int sign(const secp256k1_context* ctx, struct signer_secrets *signer_secrets, st
} }
/* Initialize session and create secret nonce for signing and public /* Initialize session and create secret nonce for signing and public
* nonce to send to the other signers. */ * nonce to send to the other signers. */
if (!secp256k1_musig_nonce_gen(ctx, &signer_secrets[i].secnonce, &signer[i].pubnonce, session_id, seckey, msg32, NULL, NULL)) { if (!secp256k1_musig_nonce_gen(ctx, &signer_secrets[i].secnonce, &signer[i].pubnonce, session_id, seckey, &signer[i].pubkey, msg32, NULL, NULL)) {
return 0; return 0;
} }
pubnonces[i] = &signer[i].pubnonce; pubnonces[i] = &signer[i].pubnonce;

4
include/secp256k1_musig.h
View File

@ -357,6 +357,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_twea
* unless you really know what you are doing. * unless you really know what you are doing.
* seckey: the 32-byte secret key that will later be used for signing, if * seckey: the 32-byte secret key that will later be used for signing, if
* already known (can be NULL) * already known (can be NULL)
* pubkey: public key of the signer creating the nonce
* msg32: the 32-byte message that will later be signed, if already known * msg32: the 32-byte message that will later be signed, if already known
* (can be NULL) * (can be NULL)
* keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate * keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate
@ -371,10 +372,11 @@ SECP256K1_API int secp256k1_musig_nonce_gen(
secp256k1_musig_pubnonce *pubnonce, secp256k1_musig_pubnonce *pubnonce,
const unsigned char *session_id32, const unsigned char *session_id32,
const unsigned char *seckey, const unsigned char *seckey,
const secp256k1_pubkey *pubkey,
const unsigned char *msg32, const unsigned char *msg32,
const secp256k1_musig_keyagg_cache *keyagg_cache, const secp256k1_musig_keyagg_cache *keyagg_cache,
const unsigned char *extra_input32 const unsigned char *extra_input32
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6);
/** Aggregates the nonces of all signers into a single nonce /** Aggregates the nonces of all signers into a single nonce
* *

46
src/modules/musig/session_impl.h
View File

@ -291,36 +291,35 @@ static int secp256k1_xonly_ge_serialize(unsigned char *output32, secp256k1_ge *g
} }
/* Write optional inputs into the hash */ /* Write optional inputs into the hash */
static void secp256k1_nonce_function_musig_helper(secp256k1_sha256 *sha, unsigned int prefix_size, const unsigned char *data32) { static void secp256k1_nonce_function_musig_helper(secp256k1_sha256 *sha, unsigned int prefix_size, const unsigned char *data, unsigned char len) {
unsigned char zero[7] = { 0 }; unsigned char zero[7] = { 0 };
/* The spec requires length prefixes to be between 1 and 8 bytes /* The spec requires length prefixes to be between 1 and 8 bytes
* (inclusive) */ * (inclusive) */
VERIFY_CHECK(prefix_size <= 8); VERIFY_CHECK(prefix_size <= 8);
/* Since the length of all input data is <= 32, we can always pad the length /* Since the length of all input data fits in a byte, we can always pad the
* prefix with prefix_size - 1 zero bytes. */ * length prefix with prefix_size - 1 zero bytes. */
secp256k1_sha256_write(sha, zero, prefix_size - 1); secp256k1_sha256_write(sha, zero, prefix_size - 1);
if (data32 != NULL) { if (data != NULL) {
unsigned char len = 32;
secp256k1_sha256_write(sha, &len, 1); secp256k1_sha256_write(sha, &len, 1);
secp256k1_sha256_write(sha, data32, 32); secp256k1_sha256_write(sha, data, len);
} else { } else {
unsigned char len = 0; len = 0;
secp256k1_sha256_write(sha, &len, 1); secp256k1_sha256_write(sha, &len, 1);
} }
} }
static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_id, const unsigned char *msg32, const unsigned char *key32, const unsigned char *agg_pk32, const unsigned char *extra_input32) { static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned char *session_id, const unsigned char *msg32, const unsigned char *seckey32, const unsigned char *pk33, const unsigned char *agg_pk32, const unsigned char *extra_input32) {
secp256k1_sha256 sha; secp256k1_sha256 sha;
unsigned char rand[32]; unsigned char rand[32];
unsigned char i; unsigned char i;
unsigned char msg_present; unsigned char msg_present;
if (key32 != NULL) { if (seckey32 != NULL) {
secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/aux", sizeof("MuSig/aux") - 1); secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/aux", sizeof("MuSig/aux") - 1);
secp256k1_sha256_write(&sha, session_id, 32); secp256k1_sha256_write(&sha, session_id, 32);
secp256k1_sha256_finalize(&sha, rand); secp256k1_sha256_finalize(&sha, rand);
for (i = 0; i < 32; i++) { for (i = 0; i < 32; i++) {
rand[i] ^= key32[i]; rand[i] ^= seckey32[i];
} }
} else { } else {
memcpy(rand, session_id, sizeof(rand)); memcpy(rand, session_id, sizeof(rand));
@ -329,13 +328,14 @@ static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned c
/* Subtract one from `sizeof` to avoid hashing the implicit null byte */ /* Subtract one from `sizeof` to avoid hashing the implicit null byte */
secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/nonce", sizeof("MuSig/nonce") - 1); secp256k1_sha256_initialize_tagged(&sha, (unsigned char*)"MuSig/nonce", sizeof("MuSig/nonce") - 1);
secp256k1_sha256_write(&sha, rand, sizeof(rand)); secp256k1_sha256_write(&sha, rand, sizeof(rand));
secp256k1_nonce_function_musig_helper(&sha, 1, agg_pk32); secp256k1_nonce_function_musig_helper(&sha, 1, pk33, 33);
secp256k1_nonce_function_musig_helper(&sha, 1, agg_pk32, 32);
msg_present = msg32 != NULL; msg_present = msg32 != NULL;
secp256k1_sha256_write(&sha, &msg_present, 1); secp256k1_sha256_write(&sha, &msg_present, 1);
if (msg_present) { if (msg_present) {
secp256k1_nonce_function_musig_helper(&sha, 8, msg32); secp256k1_nonce_function_musig_helper(&sha, 8, msg32, 32);
} }
secp256k1_nonce_function_musig_helper(&sha, 4, extra_input32); secp256k1_nonce_function_musig_helper(&sha, 4, extra_input32, 32);
for (i = 0; i < 2; i++) { for (i = 0; i < 2; i++) {
unsigned char buf[32]; unsigned char buf[32];
@ -346,13 +346,15 @@ static void secp256k1_nonce_function_musig(secp256k1_scalar *k, const unsigned c
} }
} }
int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, const unsigned char *session_id32, const unsigned char *seckey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) { int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secnonce *secnonce, secp256k1_musig_pubnonce *pubnonce, const unsigned char *session_id32, const unsigned char *seckey, const secp256k1_pubkey *pubkey, const unsigned char *msg32, const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *extra_input32) {
secp256k1_keyagg_cache_internal cache_i; secp256k1_keyagg_cache_internal cache_i;
secp256k1_scalar k[2]; secp256k1_scalar k[2];
secp256k1_ge nonce_pt[2]; secp256k1_ge nonce_pt[2];
int i; int i;
unsigned char pk_ser[32]; unsigned char pk_ser[33];
unsigned char *pk_ser_ptr = NULL; size_t pk_ser_len = sizeof(pk_ser);
unsigned char aggpk_ser[32];
unsigned char *aggpk_ser_ptr = NULL;
int ret = 1; int ret = 1;
VERIFY_CHECK(ctx != NULL); VERIFY_CHECK(ctx != NULL);
@ -361,6 +363,7 @@ int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secn
ARG_CHECK(pubnonce != NULL); ARG_CHECK(pubnonce != NULL);
memset(pubnonce, 0, sizeof(*pubnonce)); memset(pubnonce, 0, sizeof(*pubnonce));
ARG_CHECK(session_id32 != NULL); ARG_CHECK(session_id32 != NULL);
ARG_CHECK(pubkey != NULL);
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
if (seckey == NULL) { if (seckey == NULL) {
/* Check in constant time that the session_id is not 0 as a /* Check in constant time that the session_id is not 0 as a
@ -385,12 +388,17 @@ int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secn
if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) { if (!secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)) {
return 0; return 0;
} }
ret_tmp = secp256k1_xonly_ge_serialize(pk_ser, &cache_i.pk); ret_tmp = secp256k1_xonly_ge_serialize(aggpk_ser, &cache_i.pk);
/* Serialization can not fail because the loaded point can not be infinity. */ /* Serialization can not fail because the loaded point can not be infinity. */
VERIFY_CHECK(ret_tmp); VERIFY_CHECK(ret_tmp);
pk_ser_ptr = pk_ser; aggpk_ser_ptr = aggpk_ser;
} }
secp256k1_nonce_function_musig(k, session_id32, msg32, seckey, pk_ser_ptr, extra_input32); if (!secp256k1_ec_pubkey_serialize(ctx, pk_ser, &pk_ser_len, pubkey, SECP256K1_EC_COMPRESSED)) {
return 0;
}
VERIFY_CHECK(pk_ser_len == sizeof(pk_ser));
secp256k1_nonce_function_musig(k, session_id32, msg32, seckey, pk_ser, aggpk_ser_ptr, extra_input32);
VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[0])); VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[0]));
VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[1])); VERIFY_CHECK(!secp256k1_scalar_is_zero(&k[1]));
VERIFY_CHECK(!secp256k1_scalar_eq(&k[0], &k[1])); VERIFY_CHECK(!secp256k1_scalar_eq(&k[0], &k[1]));

96
src/modules/musig/tests_impl.h
View File

@ -64,7 +64,7 @@ void musig_simple_test(secp256k1_scratch_space *scratch) {
partial_sig_ptr[i] = &partial_sig[i]; partial_sig_ptr[i] = &partial_sig[i];
CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i])); CHECK(create_keypair_and_pk(&keypair[i], &pk[i], sk[i]));
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce[i], &pubnonce[i], session_id[i], sk[i], NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce[i], &pubnonce[i], session_id[i], sk[i], &pk[i], NULL, NULL, NULL) == 1);
} }
CHECK(secp256k1_musig_pubkey_agg(ctx, scratch, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1); CHECK(secp256k1_musig_pubkey_agg(ctx, scratch, &agg_pk, &keyagg_cache, pk_ptr, 2) == 1);
@ -294,44 +294,48 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
/** Session creation **/ /** Session creation **/
ecount = 0; ecount = 0;
CHECK(secp256k1_musig_nonce_gen(none, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, &keyagg_cache, max64) == 1); CHECK(secp256k1_musig_nonce_gen(none, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
CHECK(secp256k1_musig_nonce_gen(vrfy, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, &keyagg_cache, max64) == 1); CHECK(secp256k1_musig_nonce_gen(vrfy, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, &keyagg_cache, max64) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
CHECK(ecount == 0); CHECK(ecount == 0);
CHECK(secp256k1_musig_nonce_gen(sttc, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, &keyagg_cache, max64) == 0); CHECK(secp256k1_musig_nonce_gen(sttc, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 1); CHECK(ecount == 1);
CHECK(secp256k1_musig_nonce_gen(sign, NULL, &pubnonce[0], session_id[0], sk[0], msg, &keyagg_cache, max64) == 0); CHECK(secp256k1_musig_nonce_gen(sign, NULL, &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 2); CHECK(ecount == 2);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], NULL, session_id[0], sk[0], msg, &keyagg_cache, max64) == 0); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], NULL, session_id[0], sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 3); CHECK(ecount == 3);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], NULL, sk[0], msg, &keyagg_cache, max64) == 0); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], NULL, sk[0], &pk[0], msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 4); CHECK(ecount == 4);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0); CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
/* no seckey and session_id is 0 */ /* no seckey and session_id is 0 */
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], zeros68, NULL, msg, &keyagg_cache, max64) == 0); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], zeros68, NULL, &pk[0], msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 4); CHECK(ecount == 4);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0); CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
/* session_id 0 is fine when a seckey is provided */ /* session_id 0 is fine when a seckey is provided */
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], zeros68, sk[0], msg, &keyagg_cache, max64) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], zeros68, sk[0], &pk[0], msg, &keyagg_cache, max64) == 1);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], NULL, msg, &keyagg_cache, max64) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], NULL, &pk[0], msg, &keyagg_cache, max64) == 1);
CHECK(ecount == 4); CHECK(ecount == 4);
/* invalid seckey */ /* invalid seckey */
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], max64, msg, &keyagg_cache, max64) == 0); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], max64, &pk[0], msg, &keyagg_cache, max64) == 0);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0); CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
CHECK(ecount == 4); CHECK(ecount == 4);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], NULL, &keyagg_cache, max64) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], NULL, msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 4);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, NULL, max64) == 1);
CHECK(ecount == 4);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, &invalid_keyagg_cache, max64) == 0);
CHECK(ecount == 5); CHECK(ecount == 5);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &invalid_pk, msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 6);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], NULL, &keyagg_cache, max64) == 1);
CHECK(ecount == 6);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, NULL, max64) == 1);
CHECK(ecount == 6);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &invalid_keyagg_cache, max64) == 0);
CHECK(ecount == 7);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0); CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], msg, &keyagg_cache, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], sk[0], &pk[0], msg, &keyagg_cache, NULL) == 1);
CHECK(ecount == 5); CHECK(ecount == 7);
/* Every in-argument except session_id can be NULL */ /* Every in-argument except session_id and pubkey can be NULL */
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], NULL, NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], NULL, &pk[0], NULL, NULL, NULL) == 1);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[1], &pubnonce[1], session_id[1], sk[1], NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[1], &pubnonce[1], session_id[1], sk[1], &pk[1], NULL, NULL, NULL) == 1);
/** Serialize and parse public nonces **/ /** Serialize and parse public nonces **/
ecount = 0; ecount = 0;
@ -608,25 +612,27 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) { void musig_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
secp256k1_scalar k1[2], k2[2]; secp256k1_scalar k1[2], k2[2];
secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4]); secp256k1_nonce_function_musig(k1, args[0], args[1], args[2], args[3], args[4], args[5]);
secp256k1_testrand_flip(args[n_flip], n_bytes); secp256k1_testrand_flip(args[n_flip], n_bytes);
secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4]); secp256k1_nonce_function_musig(k2, args[0], args[1], args[2], args[3], args[4], args[5]);
CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0); CHECK(secp256k1_scalar_eq(&k1[0], &k2[0]) == 0);
CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0); CHECK(secp256k1_scalar_eq(&k1[1], &k2[1]) == 0);
} }
void musig_nonce_test(void) { void musig_nonce_test(void) {
unsigned char *args[5]; unsigned char *args[6];
unsigned char session_id[32]; unsigned char session_id[32];
unsigned char sk[32]; unsigned char sk[32];
unsigned char pk[33];
unsigned char msg[32]; unsigned char msg[32];
unsigned char agg_pk[32]; unsigned char agg_pk[32];
unsigned char extra_input[32]; unsigned char extra_input[32];
int i, j; int i, j;
secp256k1_scalar k[5][2]; secp256k1_scalar k[6][2];
secp256k1_testrand_bytes_test(session_id, sizeof(session_id)); secp256k1_testrand_bytes_test(session_id, sizeof(session_id));
secp256k1_testrand_bytes_test(sk, sizeof(sk)); secp256k1_testrand_bytes_test(sk, sizeof(sk));
secp256k1_testrand_bytes_test(pk, sizeof(pk));
secp256k1_testrand_bytes_test(msg, sizeof(msg)); secp256k1_testrand_bytes_test(msg, sizeof(msg));
secp256k1_testrand_bytes_test(agg_pk, sizeof(agg_pk)); secp256k1_testrand_bytes_test(agg_pk, sizeof(agg_pk));
secp256k1_testrand_bytes_test(extra_input, sizeof(extra_input)); secp256k1_testrand_bytes_test(extra_input, sizeof(extra_input));
@ -635,29 +641,33 @@ void musig_nonce_test(void) {
args[0] = session_id; args[0] = session_id;
args[1] = msg; args[1] = msg;
args[2] = sk; args[2] = sk;
args[3] = agg_pk; args[3] = pk;
args[4] = extra_input; args[4] = agg_pk;
args[5] = extra_input;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
musig_nonce_bitflip(args, 0, sizeof(session_id)); musig_nonce_bitflip(args, 0, sizeof(session_id));
musig_nonce_bitflip(args, 1, sizeof(msg)); musig_nonce_bitflip(args, 1, sizeof(msg));
musig_nonce_bitflip(args, 2, sizeof(sk)); musig_nonce_bitflip(args, 2, sizeof(sk));
musig_nonce_bitflip(args, 3, sizeof(agg_pk)); musig_nonce_bitflip(args, 3, sizeof(pk));
musig_nonce_bitflip(args, 4, sizeof(extra_input)); musig_nonce_bitflip(args, 4, sizeof(agg_pk));
musig_nonce_bitflip(args, 5, sizeof(extra_input));
} }
/* Check that if any argument is NULL, a different nonce is produced than if /* Check that if any argument is NULL, a different nonce is produced than if
* any other argument is NULL. */ * any other argument is NULL. */
memcpy(msg, session_id, sizeof(msg)); memcpy(msg, session_id, sizeof(msg));
memcpy(sk, session_id, sizeof(sk)); memcpy(sk, session_id, sizeof(sk));
memcpy(pk, session_id, sizeof(session_id));
memcpy(agg_pk, session_id, sizeof(agg_pk)); memcpy(agg_pk, session_id, sizeof(agg_pk));
memcpy(extra_input, session_id, sizeof(extra_input)); memcpy(extra_input, session_id, sizeof(extra_input));
secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4]); secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4], args[5]);
secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4]); secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4], args[5]);
secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4]); secp256k1_nonce_function_musig(k[2], args[0], args[1], NULL, args[3], args[4], args[5]);
secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4]); secp256k1_nonce_function_musig(k[3], args[0], args[1], args[2], NULL, args[4], args[5]);
secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL); secp256k1_nonce_function_musig(k[4], args[0], args[1], args[2], args[3], NULL, args[5]);
for (i = 0; i < 5; i++) { secp256k1_nonce_function_musig(k[5], args[0], args[1], args[2], args[3], args[4], NULL);
for (i = 0; i < 6; i++) {
CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1])); CHECK(!secp256k1_scalar_eq(&k[i][0], &k[i][1]));
for (j = i+1; j < 5; j++) { for (j = i+1; j < 6; j++) {
CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0])); CHECK(!secp256k1_scalar_eq(&k[i][0], &k[j][0]));
CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1])); CHECK(!secp256k1_scalar_eq(&k[i][1], &k[j][1]));
} }
@ -729,10 +739,10 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) {
CHECK(secp256k1_musig_pubkey_agg(ctx, scratch, &agg_pk_a, &keyagg_cache_a, pk_a_ptr, 2) == 1); CHECK(secp256k1_musig_pubkey_agg(ctx, scratch, &agg_pk_a, &keyagg_cache_a, pk_a_ptr, 2) == 1);
CHECK(secp256k1_musig_pubkey_agg(ctx, scratch, &agg_pk_b, &keyagg_cache_b, pk_b_ptr, 2) == 1); CHECK(secp256k1_musig_pubkey_agg(ctx, scratch, &agg_pk_b, &keyagg_cache_b, pk_b_ptr, 2) == 1);
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_a[0], &pubnonce_a[0], seed_a[0], sk_a[0], NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_a[0], &pubnonce_a[0], seed_a[0], sk_a[0], &pk_a[0], NULL, NULL, NULL) == 1);
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_a[1], &pubnonce_a[1], seed_a[1], sk_a[1], NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_a[1], &pubnonce_a[1], seed_a[1], sk_a[1], &pk_b[1], NULL, NULL, NULL) == 1);
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_b[0], &pubnonce_b[0], seed_b[0], sk_b[0], NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_b[0], &pubnonce_b[0], seed_b[0], sk_b[0], &pk_b[0], NULL, NULL, NULL) == 1);
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_b[1], &pubnonce_b[1], seed_b[1], sk_b[1], NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce_b[1], &pubnonce_b[1], seed_b[1], sk_b[1], &pk_b[1], NULL, NULL, NULL) == 1);
/* Step 2: Exchange nonces */ /* Step 2: Exchange nonces */
CHECK(secp256k1_musig_nonce_agg(ctx, &aggnonce_a, pubnonce_ptr_a, 2) == 1); CHECK(secp256k1_musig_nonce_agg(ctx, &aggnonce_a, pubnonce_ptr_a, 2) == 1);
@ -840,8 +850,8 @@ void musig_tweak_test_helper(const secp256k1_xonly_pubkey* agg_pk, const unsigne
CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1); CHECK(create_keypair_and_pk(&keypair[1], &pk[1], sk1) == 1);
secp256k1_testrand256(msg); secp256k1_testrand256(msg);
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce[0], &pubnonce[0], session_id[0], sk0, NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce[0], &pubnonce[0], session_id[0], sk0, &pk[0], NULL, NULL, NULL) == 1);
CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce[1], &pubnonce[1], session_id[1], sk1, NULL, NULL, NULL) == 1); CHECK(secp256k1_musig_nonce_gen(ctx, &secnonce[1], &pubnonce[1], session_id[1], sk1, &pk[1], NULL, NULL, NULL) == 1);
CHECK(secp256k1_musig_nonce_agg(ctx, &aggnonce, pubnonce_ptr, 2) == 1); CHECK(secp256k1_musig_nonce_agg(ctx, &aggnonce, pubnonce_ptr, 2) == 1);
CHECK(secp256k1_musig_nonce_process(ctx, &session, &aggnonce, msg, keyagg_cache, NULL) == 1); CHECK(secp256k1_musig_nonce_process(ctx, &session, &aggnonce, msg, keyagg_cache, NULL) == 1);

2
src/valgrind_ctime_test.c
View File

@ -286,7 +286,7 @@ void run_tests(secp256k1_context *ctx, unsigned char *key) {
VALGRIND_MAKE_MEM_UNDEFINED(session_id, sizeof(session_id)); VALGRIND_MAKE_MEM_UNDEFINED(session_id, sizeof(session_id));
VALGRIND_MAKE_MEM_UNDEFINED(extra_input, sizeof(extra_input)); VALGRIND_MAKE_MEM_UNDEFINED(extra_input, sizeof(extra_input));
VALGRIND_MAKE_MEM_UNDEFINED(sec_adaptor, sizeof(sec_adaptor)); VALGRIND_MAKE_MEM_UNDEFINED(sec_adaptor, sizeof(sec_adaptor));
ret = secp256k1_musig_nonce_gen(ctx, &secnonce, &pubnonce, session_id, key, msg, &cache, extra_input); ret = secp256k1_musig_nonce_gen(ctx, &secnonce, &pubnonce, session_id, key, &pk, msg, &cache, extra_input);
VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
CHECK(ret == 1); CHECK(ret == 1);
CHECK(secp256k1_musig_nonce_agg(ctx, &aggnonce, pubnonce_ptr, 1)); CHECK(secp256k1_musig_nonce_agg(ctx, &aggnonce, pubnonce_ptr, 1));