diff --git a/include/secp256k1_musig.h b/include/secp256k1_musig.h index f3e4d9ee..c3e225e8 100644 --- a/include/secp256k1_musig.h +++ b/include/secp256k1_musig.h @@ -207,7 +207,9 @@ SECP256K1_API int secp256k1_musig_session_init( * signers: an array of signers' data initialized with * `musig_session_init`. Array length must equal to * `n_commitments` (cannot be NULL) - * Out: nonce: the nonce (cannot be NULL) + * Out: nonce33: filled with a 33-byte public nonce which is supposed to be + * sent to the other signers and then used in `musig_set nonce` + * (cannot be NULL) * In: commitments: array of pointers to 32-byte nonce commitments (cannot be NULL) * n_commitments: the length of commitments and signers array. Must be the total * number of signers participating in the MuSig. @@ -218,7 +220,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_publi const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, - secp256k1_pubkey *nonce, + unsigned char *nonce33, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32 @@ -264,12 +266,12 @@ SECP256K1_API int secp256k1_musig_session_init_verifier( * signer: pointer to the signer data to update (cannot be NULL). Must have * been used with `musig_session_get_public_nonce` or initialized * with `musig_session_init_verifier`. - * In: nonce: signer's alleged public nonce (cannot be NULL) + * In: nonce33: signer's alleged public nonce (cannot be NULL) */ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce( const secp256k1_context* ctx, secp256k1_musig_session_signer_data *signer, - const secp256k1_pubkey *nonce + const unsigned char *nonce33 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Updates a session with the combined public nonce of all signers. The combined diff --git a/src/modules/musig/example.c b/src/modules/musig/example.c index e21dd9b5..43d982be 100644 --- a/src/modules/musig/example.c +++ b/src/modules/musig/example.c @@ -45,7 +45,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25 unsigned char nonce_commitment[N_SIGNERS][32]; const unsigned char *nonce_commitment_ptr[N_SIGNERS]; secp256k1_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS]; - secp256k1_pubkey nonce[N_SIGNERS]; + unsigned char nonce[N_SIGNERS][33]; int i, j; secp256k1_musig_partial_signature partial_sig[N_SIGNERS]; @@ -80,14 +80,14 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25 /* Communication round 1: Exchange nonce commitments */ for (i = 0; i < N_SIGNERS; i++) { /* Set nonce commitments in the signer data and get the own public nonce */ - if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], &nonce[i], nonce_commitment_ptr, N_SIGNERS, NULL)) { + if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], nonce[i], nonce_commitment_ptr, N_SIGNERS, NULL)) { return 0; } } /* Communication round 2: Exchange nonces */ for (i = 0; i < N_SIGNERS; i++) { for (j = 0; j < N_SIGNERS; j++) { - if (!secp256k1_musig_set_nonce(ctx, &signer_data[i][j], &nonce[j])) { + if (!secp256k1_musig_set_nonce(ctx, &signer_data[i][j], nonce[j])) { /* Signer j's nonce does not match the nonce commitment. In this case * abort the protocol. If you make another attempt at finishing the * protocol, create a new session (with a fresh session ID!). */ diff --git a/src/modules/musig/main_impl.h b/src/modules/musig/main_impl.h index 5353ebbd..99f054cc 100644 --- a/src/modules/musig/main_impl.h +++ b/src/modules/musig/main_impl.h @@ -233,10 +233,12 @@ int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_s return 1; } -int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, secp256k1_pubkey *nonce, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32) { +int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32) { secp256k1_sha256 sha; unsigned char nonce_commitments_hash[32]; size_t i; + unsigned char nonce_ser[33]; + size_t nonce_ser_size = sizeof(nonce_ser); (void) ctx; VERIFY_CHECK(ctx != NULL); @@ -268,7 +270,9 @@ int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp2 } secp256k1_sha256_finalize(&sha, nonce_commitments_hash); memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32); - memcpy(nonce, &session->nonce, sizeof(*nonce)); + + secp256k1_ec_pubkey_serialize(ctx, nonce_ser, &nonce_ser_size, &session->nonce, SECP256K1_EC_COMPRESSED); + memcpy(nonce, &nonce_ser, nonce_ser_size); session->round = 1; return 1; } @@ -313,24 +317,25 @@ int secp256k1_musig_session_init_verifier(const secp256k1_context* ctx, secp256k return 1; } -int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_session_signer_data *signer, const secp256k1_pubkey *nonce) { - unsigned char commit[33]; - size_t commit_size = sizeof(commit); +int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_session_signer_data *signer, const unsigned char *nonce) { secp256k1_sha256 sha; + unsigned char commit[32]; VERIFY_CHECK(ctx != NULL); ARG_CHECK(signer != NULL); ARG_CHECK(nonce != NULL); secp256k1_sha256_initialize(&sha); - secp256k1_ec_pubkey_serialize(ctx, commit, &commit_size, nonce, SECP256K1_EC_COMPRESSED); - secp256k1_sha256_write(&sha, commit, commit_size); + secp256k1_sha256_write(&sha, nonce, 33); secp256k1_sha256_finalize(&sha, commit); if (memcmp(commit, signer->nonce_commitment, 32) != 0) { return 0; } memcpy(&signer->nonce, nonce, sizeof(*nonce)); + if (!secp256k1_ec_pubkey_parse(ctx, &signer->nonce, nonce, 33)) { + return 0; + } signer->present = 1; return 1; } diff --git a/src/modules/musig/tests_impl.h b/src/modules/musig/tests_impl.h index 5cdd0822..0ea712b4 100644 --- a/src/modules/musig/tests_impl.h +++ b/src/modules/musig/tests_impl.h @@ -31,7 +31,7 @@ void musig_simple_test(secp256k1_scratch_space *scratch) { unsigned char session_id[2][32]; secp256k1_xonly_pubkey pk[2]; const unsigned char *ncs[2]; - secp256k1_pubkey public_nonce[3]; + unsigned char public_nonce[3][33]; secp256k1_musig_partial_signature partial_sig[2]; unsigned char final_sig[64]; @@ -51,13 +51,13 @@ void musig_simple_test(secp256k1_scratch_space *scratch) { ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signer0, &public_nonce[0], ncs, 2, NULL) == 1); - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[1], signer1, &public_nonce[1], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signer0, public_nonce[0], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[1], signer1, public_nonce[1], ncs, 2, NULL) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signer0[0], &public_nonce[0]) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signer0[1], &public_nonce[1]) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signer1[0], &public_nonce[0]) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signer1[1], &public_nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signer0[0], public_nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signer0[1], public_nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signer1[0], public_nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signer1[1], public_nonce[1]) == 1); CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[0], signer0, 2, NULL, NULL) == 1); CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[1], signer1, 2, NULL, NULL) == 1); @@ -238,13 +238,13 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { /** Signing step 0 -- exchange nonce commitments */ ecount = 0; { - secp256k1_pubkey nonce; + unsigned char nonce[33]; secp256k1_musig_session session_0_tmp; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); /* Can obtain public nonce after commitments have been exchanged; still can't sign */ - CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, &nonce, ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, nonce, ncs, 2, NULL) == 1); CHECK(secp256k1_musig_partial_sign(none, &session_0_tmp, &partial_sig[0]) == 0); CHECK(ecount == 1); } @@ -252,47 +252,47 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { /** Signing step 1 -- exchange nonces */ ecount = 0; { - secp256k1_pubkey public_nonce[3]; + unsigned char public_nonce[3][33]; secp256k1_musig_session session_0_tmp; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, &public_nonce[0], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], ncs, 2, NULL) == 1); CHECK(ecount == 0); /* Reset session */ memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(secp256k1_musig_session_get_public_nonce(none, NULL, signer0, &public_nonce[0], ncs, 2, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(none, NULL, signer0, public_nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 1); /* uninitialized session */ - CHECK(secp256k1_musig_session_get_public_nonce(none, &session_uninitialized, signer0, &public_nonce[0], ncs, 2, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session_uninitialized, signer0, public_nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 2); - CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, NULL, &public_nonce[0], ncs, 2, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, NULL, public_nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 3); CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, NULL, ncs, 2, NULL) == 0); CHECK(ecount == 4); - CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, &public_nonce[0], NULL, 2, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], NULL, 2, NULL) == 0); CHECK(ecount == 5); /* Number of commitments and number of signers are different */ - CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, &public_nonce[0], ncs, 1, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], ncs, 1, NULL) == 0); CHECK(ecount == 6); - CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, &public_nonce[0], ncs, 2, NULL) == 1); - CHECK(secp256k1_musig_session_get_public_nonce(none, &session[1], signer1, &public_nonce[1], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, public_nonce[0], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(none, &session[1], signer1, public_nonce[1], ncs, 2, NULL) == 1); - CHECK(secp256k1_musig_set_nonce(none, &signer0[0], &public_nonce[0]) == 1); - CHECK(secp256k1_musig_set_nonce(none, &signer0[1], &public_nonce[0]) == 0); - CHECK(secp256k1_musig_set_nonce(none, &signer0[1], &public_nonce[1]) == 1); - CHECK(secp256k1_musig_set_nonce(none, &signer0[1], &public_nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &signer0[0], public_nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &signer0[1], public_nonce[0]) == 0); + CHECK(secp256k1_musig_set_nonce(none, &signer0[1], public_nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &signer0[1], public_nonce[1]) == 1); CHECK(ecount == 6); - CHECK(secp256k1_musig_set_nonce(none, NULL, &public_nonce[0]) == 0); + CHECK(secp256k1_musig_set_nonce(none, NULL, public_nonce[0]) == 0); CHECK(ecount == 7); CHECK(secp256k1_musig_set_nonce(none, &signer1[0], NULL) == 0); CHECK(ecount == 8); - CHECK(secp256k1_musig_set_nonce(none, &signer1[0], &public_nonce[0]) == 1); - CHECK(secp256k1_musig_set_nonce(none, &signer1[1], &public_nonce[1]) == 1); - CHECK(secp256k1_musig_set_nonce(none, &verifier_signer_data[0], &public_nonce[0]) == 1); - CHECK(secp256k1_musig_set_nonce(none, &verifier_signer_data[1], &public_nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &signer1[0], public_nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &signer1[1], public_nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &verifier_signer_data[0], public_nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(none, &verifier_signer_data[1], public_nonce[1]) == 1); ecount = 0; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); @@ -469,7 +469,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) { * ones and return the resulting messagehash. This should not result in a different * messagehash because the public keys of the signers are only used during session * initialization. */ -void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp256k1_xonly_pubkey *pks, secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, const unsigned char * const *nonce_commitments, unsigned char *msg, secp256k1_pubkey *nonce_other, unsigned char *sk, unsigned char *session_id) { +void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp256k1_xonly_pubkey *pks, secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, const unsigned char * const *nonce_commitments, unsigned char *msg, unsigned char *nonce_other, unsigned char *sk, unsigned char *session_id) { secp256k1_musig_session session; secp256k1_musig_session session_tmp; unsigned char nonce_commitment[32]; @@ -479,7 +479,7 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp25 secp256k1_xonly_pubkey pks_tmp[2]; secp256k1_xonly_pubkey combined_pk_tmp; secp256k1_musig_pre_session pre_session_tmp; - secp256k1_pubkey nonce; + unsigned char nonce[33]; /* Set up signers with different public keys */ secp256k1_testrand256(sk_dummy); @@ -492,10 +492,10 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp25 CHECK(memcmp(nonce_commitment, nonce_commitments[1], 32) == 0); /* Call get_public_nonce with different signers than the signers the session was * initialized with. */ - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session_tmp, signers, &nonce, nonce_commitments, 2, NULL) == 1); - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers_tmp, &nonce, nonce_commitments, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session_tmp, signers, nonce, nonce_commitments, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers_tmp, nonce, nonce_commitments, 2, NULL) == 1); CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], nonce) == 1); CHECK(secp256k1_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); secp256k1_musig_compute_messagehash(ctx, msghash, &session); @@ -506,13 +506,13 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp25 * commitments of signers_other do not match the nonce commitments the new session * was initialized with. If do_test is 0, the correct signers are being used and * therefore the function should return 1. */ -int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, secp256k1_pubkey *nonce_other, unsigned char *msg, unsigned char *sk, secp256k1_musig_session_signer_data *signers_other, int do_test) { +int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, unsigned char *nonce_other, unsigned char *msg, unsigned char *sk, secp256k1_musig_session_signer_data *signers_other, int do_test) { secp256k1_musig_session session; secp256k1_musig_session_signer_data signers[2]; secp256k1_musig_session_signer_data *signers_to_use; unsigned char nonce_commitment[32]; unsigned char session_id[32]; - secp256k1_pubkey nonce; + unsigned char nonce[33]; const unsigned char *ncs[2]; /* Initialize new signers */ @@ -520,10 +520,10 @@ int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey * CHECK(secp256k1_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 1, sk) == 1); ncs[0] = nonce_commitment_other; ncs[1] = nonce_commitment; - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, &nonce, ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, nonce, ncs, 2, NULL) == 1); CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], nonce) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], nonce) == 1); secp256k1_musig_session_combine_nonces(ctx, &session, signers_other, 2, NULL, NULL); if (do_test) { signers_to_use = signers_other; @@ -537,7 +537,7 @@ int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_xonly_pubkey * * parameters but without a message. Will test that the message must be * provided with `get_public_nonce`. */ -void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, secp256k1_pubkey *nonce_other, unsigned char *sk, unsigned char *session_id, unsigned char *msg) { +void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, unsigned char *nonce_other, unsigned char *sk, unsigned char *session_id, unsigned char *msg) { /* Create context for testing ARG_CHECKs by setting an illegal_callback. */ secp256k1_context *ctx_tmp = secp256k1_context_create(SECP256K1_CONTEXT_NONE); int ecount = 0; @@ -545,7 +545,7 @@ void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xo secp256k1_musig_session_signer_data signers[2]; unsigned char nonce_commitment[32]; const unsigned char *ncs[2]; - secp256k1_pubkey nonce; + unsigned char nonce[33]; secp256k1_musig_partial_signature partial_sig; secp256k1_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); @@ -555,19 +555,19 @@ void musig_state_machine_late_msg_test(secp256k1_xonly_pubkey *pks, secp256k1_xo /* Trying to get the nonce without providing a message fails. */ CHECK(ecount == 0); - CHECK(secp256k1_musig_session_get_public_nonce(ctx_tmp, &session, signers, &nonce, ncs, 2, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(ctx_tmp, &session, signers, nonce, ncs, 2, NULL) == 0); CHECK(ecount == 1); /* Providing a message should make get_public_nonce succeed. */ - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, &nonce, ncs, 2, msg) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, nonce, ncs, 2, msg) == 1); /* Trying to set the message again fails. */ CHECK(ecount == 1); - CHECK(secp256k1_musig_session_get_public_nonce(ctx_tmp, &session, signers, &nonce, ncs, 2, msg) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(ctx_tmp, &session, signers, nonce, ncs, 2, msg) == 0); CHECK(ecount == 2); /* Check that it's working */ CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], nonce) == 1); CHECK(secp256k1_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); CHECK(secp256k1_musig_partial_sign(ctx, &session, &partial_sig)); CHECK(secp256k1_musig_partial_sig_verify(ctx, &session, &signers[1], &partial_sig, &pks[1])); @@ -586,7 +586,7 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) { secp256k1_xonly_pubkey pk[2]; secp256k1_xonly_pubkey combined_pk; secp256k1_musig_pre_session pre_session; - secp256k1_pubkey nonce[2]; + unsigned char nonce[2][33]; const unsigned char *ncs[2]; secp256k1_musig_partial_signature partial_sig[2]; unsigned char sig[64]; @@ -619,33 +619,33 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) { /* Set nonce commitments */ ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signers0, &nonce[0], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signers0, nonce[0], ncs, 2, NULL) == 1); /* Calling the function again is not okay */ ecount = 0; - CHECK(secp256k1_musig_session_get_public_nonce(ctx_tmp, &session[0], signers0, &nonce[0], ncs, 2, NULL) == 0); + CHECK(secp256k1_musig_session_get_public_nonce(ctx_tmp, &session[0], signers0, nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 1); /* Get nonce for signer 1 */ - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[1], signers1, &nonce[1], ncs, 2, NULL) == 1); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[1], signers1, nonce[1], ncs, 2, NULL) == 1); /* Set nonces */ - CHECK(secp256k1_musig_set_nonce(ctx, &signers0[0], &nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers0[0], nonce[0]) == 1); /* Can't set nonce that doesn't match nonce commitment */ - CHECK(secp256k1_musig_set_nonce(ctx, &signers0[1], &nonce[0]) == 0); + CHECK(secp256k1_musig_set_nonce(ctx, &signers0[1], nonce[0]) == 0); /* Set correct nonce */ - CHECK(secp256k1_musig_set_nonce(ctx, &signers0[1], &nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers0[1], nonce[1]) == 1); /* Combine nonces */ CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[0], signers0, 2, NULL, NULL) == 1); /* Not everyone is present from signer 1's view */ CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 0); /* Make everyone present */ - CHECK(secp256k1_musig_set_nonce(ctx, &signers1[0], &nonce[0]) == 1); - CHECK(secp256k1_musig_set_nonce(ctx, &signers1[1], &nonce[1]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers1[0], nonce[0]) == 1); + CHECK(secp256k1_musig_set_nonce(ctx, &signers1[1], nonce[1]) == 1); /* Can't combine nonces from signers of a different session */ - CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, &pre_session, nonce_commitment[0], &nonce[0], msg, sk[1], signers1, 1) == 0); - CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, &pre_session, nonce_commitment[0], &nonce[0], msg, sk[1], signers1, 0) == 1); + CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, &pre_session, nonce_commitment[0], nonce[0], msg, sk[1], signers1, 1) == 0); + CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, &pre_session, nonce_commitment[0], nonce[0], msg, sk[1], signers1, 0) == 1); /* Partially sign */ CHECK(secp256k1_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); @@ -665,7 +665,7 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) { * with different signers (i.e. they diff in public keys). This is because the * public keys of the signers is set in stone when initializing the session. */ secp256k1_musig_compute_messagehash(ctx, msghash1, &session[1]); - musig_state_machine_diff_signer_msghash_test(msghash2, pk, &combined_pk, &pre_session, ncs, msg, &nonce[0], sk[1], session_id[1]); + musig_state_machine_diff_signer_msghash_test(msghash2, pk, &combined_pk, &pre_session, ncs, msg, nonce[0], sk[1], session_id[1]); CHECK(memcmp(msghash1, msghash2, 32) == 0); CHECK(secp256k1_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); @@ -673,7 +673,7 @@ void musig_state_machine_tests(secp256k1_scratch_space *scratch) { /* Wrong signature */ CHECK(secp256k1_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[0], &pk[1]) == 0); /* Can't get the public nonce until msg is set */ - musig_state_machine_late_msg_test(pk, &combined_pk, &pre_session, nonce_commitment[0], &nonce[0], sk[1], session_id[1], msg); + musig_state_machine_late_msg_test(pk, &combined_pk, &pre_session, nonce_commitment[0], nonce[0], sk[1], session_id[1], msg); } secp256k1_context_destroy(ctx_tmp); } @@ -706,8 +706,8 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { unsigned char noncommit_b[2][32]; const unsigned char *noncommit_a_ptr[2]; const unsigned char *noncommit_b_ptr[2]; - secp256k1_pubkey pubnon_a[2]; - secp256k1_pubkey pubnon_b[2]; + unsigned char pubnon_a[2][33]; + unsigned char pubnon_b[2][33]; int combined_nonce_parity_a; int combined_nonce_parity_b; secp256k1_musig_session_signer_data data_a[2]; @@ -744,14 +744,14 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { noncommit_b_ptr[1] = noncommit_b[1]; /* Step 2: Exchange nonces */ - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_a[0], data_a, &pubnon_a[0], noncommit_a_ptr, 2, NULL)); - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_a[1], data_a, &pubnon_a[1], noncommit_a_ptr, 2, NULL)); - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_b[0], data_b, &pubnon_b[0], noncommit_b_ptr, 2, NULL)); - CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_b[1], data_b, &pubnon_b[1], noncommit_b_ptr, 2, NULL)); - CHECK(secp256k1_musig_set_nonce(ctx, &data_a[0], &pubnon_a[0])); - CHECK(secp256k1_musig_set_nonce(ctx, &data_a[1], &pubnon_a[1])); - CHECK(secp256k1_musig_set_nonce(ctx, &data_b[0], &pubnon_b[0])); - CHECK(secp256k1_musig_set_nonce(ctx, &data_b[1], &pubnon_b[1])); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_a[0], data_a, pubnon_a[0], noncommit_a_ptr, 2, NULL)); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_a[1], data_a, pubnon_a[1], noncommit_a_ptr, 2, NULL)); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_b[0], data_b, pubnon_b[0], noncommit_b_ptr, 2, NULL)); + CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_b[1], data_b, pubnon_b[1], noncommit_b_ptr, 2, NULL)); + CHECK(secp256k1_musig_set_nonce(ctx, &data_a[0], pubnon_a[0])); + CHECK(secp256k1_musig_set_nonce(ctx, &data_a[1], pubnon_a[1])); + CHECK(secp256k1_musig_set_nonce(ctx, &data_b[0], pubnon_b[0])); + CHECK(secp256k1_musig_set_nonce(ctx, &data_b[1], pubnon_b[1])); CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[0], data_a, 2, &combined_nonce_parity_a, &pub_adaptor)); CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[1], data_a, 2, NULL, &pub_adaptor)); CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_b[0], data_b, 2, &combined_nonce_parity_b, &pub_adaptor)); @@ -818,7 +818,6 @@ void sha256_tag_test(void) { CHECK(memcmp(buf, buf2, 32) == 0); } - void run_musig_tests(void) { int i; secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024);