diff --git a/src/modules/musig/tests_impl.h b/src/modules/musig/tests_impl.h index 9660227e..ddc6910f 100644 --- a/src/modules/musig/tests_impl.h +++ b/src/modules/musig/tests_impl.h @@ -911,534 +911,6 @@ void musig_tweak_test(secp256k1_scratch_space *scratch) { } } -void musig_test_vectors_keyagg_helper(const unsigned char **pk_ser, int n_pks, const unsigned char *agg_pk_expected, int has_second_pk, int second_pk_idx) { - secp256k1_xonly_pubkey *pk = malloc(n_pks * sizeof(*pk)); - const secp256k1_xonly_pubkey **pk_ptr = malloc(n_pks * sizeof(*pk_ptr)); - secp256k1_keyagg_cache_internal cache_i; - secp256k1_xonly_pubkey agg_pk; - unsigned char agg_pk_ser[32]; - secp256k1_musig_keyagg_cache keyagg_cache; - int i; - - for (i = 0; i < n_pks; i++) { - CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk[i], pk_ser[i]) == 1); - pk_ptr[i] = &pk[i]; - } - - CHECK(secp256k1_musig_pubkey_agg(ctx, NULL, &agg_pk, &keyagg_cache, pk_ptr, n_pks) == 1); - CHECK(secp256k1_keyagg_cache_load(ctx, &cache_i, &keyagg_cache) == 1); - CHECK(secp256k1_fe_is_zero(&cache_i.second_pk_x) == !has_second_pk); - if (!secp256k1_fe_is_zero(&cache_i.second_pk_x)) { - secp256k1_ge pk_pt; - CHECK(secp256k1_xonly_pubkey_load(ctx, &pk_pt, &pk[second_pk_idx]) == 1); - CHECK(secp256k1_fe_equal_var(&pk_pt.x, &cache_i.second_pk_x) == 1); - } - CHECK(secp256k1_xonly_pubkey_serialize(ctx, agg_pk_ser, &agg_pk) == 1); - /* TODO: remove when test vectors are not expected to change anymore */ - /* int k, l; */ - /* printf("const unsigned char agg_pk_expected[32] = {\n"); */ - /* for (k = 0; k < 4; k++) { */ - /* printf(" "); */ - /* for (l = 0; l < 8; l++) { */ - /* printf("0x%02X, ", agg_pk_ser[k*8+l]); */ - /* } */ - /* printf("\n"); */ - /* } */ - /* printf("};\n"); */ - CHECK(secp256k1_memcmp_var(agg_pk_ser, agg_pk_expected, sizeof(agg_pk_ser)) == 0); - free(pk); - free(pk_ptr); -} - -/* Test vector public keys */ -const unsigned char vec_pk[3][32] = { - /* X1 */ - { - 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, - 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, - 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0, - 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 - }, - /* X2 */ - { - 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, - 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, - 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, - 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 - }, - /* X3 */ - { - 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, - 0x15, 0xC2, 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, - 0x14, 0x93, 0x16, 0xC3, 0x51, 0x8C, 0xE7, 0xB7, - 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 - } -}; - -void musig_test_vectors_keyagg(void) { - size_t i; - const unsigned char *pk[4]; - const unsigned char agg_pk_expected[4][32] = { - { /* 0 */ - 0xE5, 0x83, 0x01, 0x40, 0x51, 0x21, 0x95, 0xD7, - 0x4C, 0x83, 0x07, 0xE3, 0x96, 0x37, 0xCB, 0xE5, - 0xFB, 0x73, 0x0E, 0xBE, 0xAB, 0x80, 0xEC, 0x51, - 0x4C, 0xF8, 0x8A, 0x87, 0x7C, 0xEE, 0xEE, 0x0B, - }, - { /* 1 */ - 0xD7, 0x0C, 0xD6, 0x9A, 0x26, 0x47, 0xF7, 0x39, - 0x09, 0x73, 0xDF, 0x48, 0xCB, 0xFA, 0x2C, 0xCC, - 0x40, 0x7B, 0x8B, 0x2D, 0x60, 0xB0, 0x8C, 0x5F, - 0x16, 0x41, 0x18, 0x5C, 0x79, 0x98, 0xA2, 0x90, - }, - { /* 2 */ - 0x81, 0xA8, 0xB0, 0x93, 0x91, 0x2C, 0x9E, 0x48, - 0x14, 0x08, 0xD0, 0x97, 0x76, 0xCE, 0xFB, 0x48, - 0xAE, 0xB8, 0xB6, 0x54, 0x81, 0xB6, 0xBA, 0xAF, - 0xB3, 0xC5, 0x81, 0x01, 0x06, 0x71, 0x7B, 0xEB, - }, - { /* 3 */ - 0x2E, 0xB1, 0x88, 0x51, 0x88, 0x7E, 0x7B, 0xDC, - 0x5E, 0x83, 0x0E, 0x89, 0xB1, 0x9D, 0xDB, 0xC2, - 0x80, 0x78, 0xF1, 0xFA, 0x88, 0xAA, 0xD0, 0xAD, - 0x01, 0xCA, 0x06, 0xFE, 0x4F, 0x80, 0x21, 0x0B, - }, - }; - - for (i = 0; i < sizeof(agg_pk_expected)/sizeof(agg_pk_expected[0]); i++) { - size_t n_pks; - int has_second_pk; - int second_pk_idx; - switch (i) { - case 0: - /* [X1, X2, X3] */ - n_pks = 3; - pk[0] = vec_pk[0]; - pk[1] = vec_pk[1]; - pk[2] = vec_pk[2]; - has_second_pk = 1; - second_pk_idx = 1; - break; - case 1: - /* [X3, X2, X1] */ - n_pks = 3; - pk[2] = vec_pk[0]; - pk[1] = vec_pk[1]; - pk[0] = vec_pk[2]; - has_second_pk = 1; - second_pk_idx = 1; - break; - case 2: - /* [X1, X1, X1] */ - n_pks = 3; - pk[0] = vec_pk[0]; - pk[1] = vec_pk[0]; - pk[2] = vec_pk[0]; - has_second_pk = 0; - second_pk_idx = 0; /* unchecked */ - break; - case 3: - /* [X1, X1, X2, X2] */ - n_pks = 4; - pk[0] = vec_pk[0]; - pk[1] = vec_pk[0]; - pk[2] = vec_pk[1]; - pk[3] = vec_pk[1]; - has_second_pk = 1; - second_pk_idx = 2; /* second_pk_idx = 3 is equally valid */ - break; - default: - CHECK(0); - } - musig_test_vectors_keyagg_helper(pk, n_pks, agg_pk_expected[i], has_second_pk, second_pk_idx); - } -} - -void musig_test_vectors_noncegen(void) { - enum { N = 3 }; - secp256k1_scalar k[N][2]; - const unsigned char k32_expected[N][2][32] = { - { - { - 0x8D, 0xD0, 0x99, 0x51, 0x79, 0x50, 0x5E, 0xB1, - 0x27, 0x3A, 0x07, 0x11, 0x58, 0x23, 0xC8, 0x6E, - 0xF7, 0x14, 0x39, 0x0F, 0xDE, 0x2D, 0xEE, 0xB6, - 0xF9, 0x31, 0x6A, 0xEE, 0xBE, 0x5C, 0x71, 0xFC, - }, - { - 0x73, 0x29, 0x2E, 0x47, 0x11, 0x34, 0x7D, 0xD3, - 0x9E, 0x36, 0x05, 0xEE, 0xD6, 0x45, 0x65, 0x49, - 0xB3, 0x0F, 0x3B, 0xC7, 0x16, 0x22, 0x5A, 0x18, - 0x65, 0xBA, 0xE1, 0xD9, 0x84, 0xEF, 0xF8, 0x9D, - }, - }, - /* msg32 is NULL */ - { - { - 0x67, 0x02, 0x5A, 0xF2, 0xA3, 0x56, 0x0B, 0xFC, - 0x1D, 0x95, 0xBD, 0xA6, 0xB2, 0x0B, 0x21, 0x50, - 0x97, 0x63, 0xDB, 0x17, 0x3B, 0xD9, 0x37, 0x30, - 0x17, 0x24, 0x66, 0xEC, 0xAF, 0xA2, 0x60, 0x3B, - }, - { - 0x0B, 0x1D, 0x9E, 0x8F, 0x43, 0xBD, 0xAE, 0x69, - 0x99, 0x6E, 0x0E, 0x3A, 0xBC, 0x30, 0x06, 0x4C, - 0x52, 0x37, 0x3E, 0x05, 0x3E, 0x70, 0xC6, 0xD6, - 0x18, 0x4B, 0xFA, 0xDA, 0xE0, 0xF0, 0xE2, 0xD9, - }, - }, - /* All fields except session_id are NULL */ - { - { - 0xA6, 0xC3, 0x24, 0xC7, 0xE8, 0xD1, 0x8A, 0xAA, - 0x59, 0xD7, 0xB4, 0x74, 0xDD, 0x73, 0x82, 0x6D, - 0x7E, 0x74, 0x91, 0x3F, 0x9B, 0x36, 0x12, 0xE4, - 0x4F, 0x28, 0x6E, 0x07, 0x54, 0x14, 0x58, 0x21, - }, - { - 0x4E, 0x75, 0xD3, 0x81, 0xCD, 0xB7, 0x3C, 0x68, - 0xA0, 0x7E, 0x64, 0x15, 0xE0, 0x0E, 0x89, 0x32, - 0x44, 0x21, 0x87, 0x4F, 0x4E, 0x03, 0xE8, 0x67, - 0x73, 0x4E, 0x33, 0x20, 0xCE, 0x24, 0xBA, 0x8E, - }, - }, - }; - unsigned char args[5][32]; - int i, j; - - for (i = 0; i < 5; i++) { - memset(args[i], i, sizeof(args[i])); - } - - secp256k1_nonce_function_musig(k[0], args[0], args[1], args[2], args[3], args[4]); - secp256k1_nonce_function_musig(k[1], args[0], NULL, args[2], args[3], args[4]); - secp256k1_nonce_function_musig(k[2], args[0], NULL, NULL, NULL, NULL); - /* TODO: remove when test vectors are not expected to change anymore */ - /* int t, u; */ - /* printf("const unsigned char k32_expected[N][2][32] = {\n"); */ - /* for (i = 0; i < N; i++) { */ - /* printf(" {\n"); */ - /* for (j = 0; j < 2; j++) { */ - /* unsigned char k32[32]; */ - /* secp256k1_scalar_get_b32(k32, &k[i][j]); */ - /* printf(" {\n"); */ - /* for (t = 0; t < 4; t++) { */ - /* printf(" "); */ - /* for (u = 0; u < 8; u++) { */ - /* printf("0x%02X, ", k32[t*8+u]); */ - /* } */ - /* printf("\n"); */ - /* } */ - /* printf(" },\n"); */ - /* } */ - /* printf(" },\n"); */ - /* } */ - /* printf("};\n"); */ - for (i = 0; i < N; i++) { - for (j = 0; j < 2; j++) { - unsigned char k32[32]; - secp256k1_scalar_get_b32(k32, &k[i][j]); - CHECK(secp256k1_memcmp_var(k32, k32_expected[i][j], 32) == 0); - } - } -} - -void musig_test_vectors_sign_helper(secp256k1_musig_keyagg_cache *keyagg_cache, int *fin_nonce_parity, unsigned char *sig, const unsigned char *secnonce_bytes, const unsigned char *agg_pubnonce_ser, const unsigned char *sk, const unsigned char *msg, const unsigned char tweak[][32], const int *is_xonly_t, int n_tweaks, const secp256k1_pubkey *adaptor, const unsigned char **pk_ser, int signer_pos) { - secp256k1_keypair signer_keypair; - secp256k1_musig_secnonce secnonce; - secp256k1_xonly_pubkey pk[3]; - const secp256k1_xonly_pubkey *pk_ptr[3]; - secp256k1_xonly_pubkey agg_pk; - secp256k1_musig_session session; - secp256k1_musig_aggnonce agg_pubnonce; - secp256k1_musig_partial_sig partial_sig; - int i; - - CHECK(create_keypair_and_pk(&signer_keypair, &pk[signer_pos], sk) == 1); - for (i = 0; i < 3; i++) { - if (i != signer_pos) { - int offset = i < signer_pos ? 0 : -1; - CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk[i], pk_ser[i + offset]) == 1); - } - pk_ptr[i] = &pk[i]; - } - CHECK(secp256k1_musig_pubkey_agg(ctx, NULL, &agg_pk, keyagg_cache, pk_ptr, 3) == 1); - for (i = 0; i < n_tweaks; i++) { - if (is_xonly_t[i]) { - CHECK(secp256k1_musig_pubkey_xonly_tweak_add(ctx, NULL, keyagg_cache, tweak[i]) == 1); - } else { - CHECK(secp256k1_musig_pubkey_ec_tweak_add(ctx, NULL, keyagg_cache, tweak[i]) == 1); - } - } - memcpy(&secnonce.data[0], secp256k1_musig_secnonce_magic, 4); - memcpy(&secnonce.data[4], secnonce_bytes, sizeof(secnonce.data) - 4); - CHECK(secp256k1_musig_aggnonce_parse(ctx, &agg_pubnonce, agg_pubnonce_ser) == 1); - CHECK(secp256k1_musig_nonce_process(ctx, &session, &agg_pubnonce, msg, keyagg_cache, adaptor) == 1); - CHECK(secp256k1_musig_partial_sign(ctx, &partial_sig, &secnonce, &signer_keypair, keyagg_cache, &session) == 1); - CHECK(secp256k1_musig_nonce_parity(ctx, fin_nonce_parity, &session) == 1); - memcpy(sig, &partial_sig.data[4], 32); -} - -int musig_test_pk_parity(const secp256k1_musig_keyagg_cache *keyagg_cache) { - secp256k1_keyagg_cache_internal cache_i; - CHECK(secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache) == 1); - return secp256k1_fe_is_odd(&cache_i.pk.y); -} - -int musig_test_is_second_pk(const secp256k1_musig_keyagg_cache *keyagg_cache, const unsigned char *sk) { - secp256k1_ge pkp; - secp256k1_xonly_pubkey pk; - secp256k1_keyagg_cache_internal cache_i; - CHECK(create_keypair_and_pk(NULL, &pk, sk)); - CHECK(secp256k1_xonly_pubkey_load(ctx, &pkp, &pk)); - CHECK(secp256k1_keyagg_cache_load(ctx, &cache_i, keyagg_cache)); - return secp256k1_fe_equal_var(&cache_i.second_pk_x, &pkp.x); -} - -/* TODO: Add test vectors for failed signing */ -void musig_test_vectors_sign(void) { - unsigned char sig[32]; - secp256k1_musig_keyagg_cache keyagg_cache; - int fin_nonce_parity; - const unsigned char secnonce[64] = { - 0x50, 0x8B, 0x81, 0xA6, 0x11, 0xF1, 0x00, 0xA6, - 0xB2, 0xB6, 0xB2, 0x96, 0x56, 0x59, 0x08, 0x98, - 0xAF, 0x48, 0x8B, 0xCF, 0x2E, 0x1F, 0x55, 0xCF, - 0x22, 0xE5, 0xCF, 0xB8, 0x44, 0x21, 0xFE, 0x61, - 0xFA, 0x27, 0xFD, 0x49, 0xB1, 0xD5, 0x00, 0x85, - 0xB4, 0x81, 0x28, 0x5E, 0x1C, 0xA2, 0x05, 0xD5, - 0x5C, 0x82, 0xCC, 0x1B, 0x31, 0xFF, 0x5C, 0xD5, - 0x4A, 0x48, 0x98, 0x29, 0x35, 0x59, 0x01, 0xF7, - }; - /* The nonces are already aggregated */ - const unsigned char agg_pubnonce[66] = { - 0x02, - 0x84, 0x65, 0xFC, 0xF0, 0xBB, 0xDB, 0xCF, 0x44, - 0x3A, 0xAB, 0xCC, 0xE5, 0x33, 0xD4, 0x2B, 0x4B, - 0x5A, 0x10, 0x96, 0x6A, 0xC0, 0x9A, 0x49, 0x65, - 0x5E, 0x8C, 0x42, 0xDA, 0xAB, 0x8F, 0xCD, 0x61, - 0x03, - 0x74, 0x96, 0xA3, 0xCC, 0x86, 0x92, 0x6D, 0x45, - 0x2C, 0xAF, 0xCF, 0xD5, 0x5D, 0x25, 0x97, 0x2C, - 0xA1, 0x67, 0x5D, 0x54, 0x93, 0x10, 0xDE, 0x29, - 0x6B, 0xFF, 0x42, 0xF7, 0x2E, 0xEE, 0xA8, 0xC9, - }; - const unsigned char sk[32] = { - 0x7F, 0xB9, 0xE0, 0xE6, 0x87, 0xAD, 0xA1, 0xEE, - 0xBF, 0x7E, 0xCF, 0xE2, 0xF2, 0x1E, 0x73, 0xEB, - 0xDB, 0x51, 0xA7, 0xD4, 0x50, 0x94, 0x8D, 0xFE, - 0x8D, 0x76, 0xD7, 0xF2, 0xD1, 0x00, 0x76, 0x71, - }; - const unsigned char msg[32] = { - 0xF9, 0x54, 0x66, 0xD0, 0x86, 0x77, 0x0E, 0x68, - 0x99, 0x64, 0x66, 0x42, 0x19, 0x26, 0x6F, 0xE5, - 0xED, 0x21, 0x5C, 0x92, 0xAE, 0x20, 0xBA, 0xB5, - 0xC9, 0xD7, 0x9A, 0xDD, 0xDD, 0xF3, 0xC0, 0xCF, - }; - const unsigned char *pk[2] = { vec_pk[0], vec_pk[1] }; - - { - /* This is a test where the combined public key point has an _odd_ y - * coordinate, the signer _is not_ the second pubkey in the list and the - * nonce parity is 1. */ - const unsigned char sig_expected[32] = { - 0x68, 0x53, 0x7C, 0xC5, 0x23, 0x4E, 0x50, 0x5B, - 0xD1, 0x40, 0x61, 0xF8, 0xDA, 0x9E, 0x90, 0xC2, - 0x20, 0xA1, 0x81, 0x85, 0x5F, 0xD8, 0xBD, 0xB7, - 0xF1, 0x27, 0xBB, 0x12, 0x40, 0x3B, 0x4D, 0x3B, - }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, NULL, NULL, 0, NULL, pk, 0); - /* TODO: remove when test vectors are not expected to change anymore */ - /* int k, l; */ - /* printf("const unsigned char sig_expected[32] = {\n"); */ - /* for (k = 0; k < 4; k++) { */ - /* printf(" "); */ - /* for (l = 0; l < 8; l++) { */ - /* printf("0x%02X, ", sig[k*8+l]); */ - /* } */ - /* printf("\n"); */ - /* } */ - /* printf("};\n"); */ - - /* Check that the description of the test vector is correct */ - CHECK(musig_test_pk_parity(&keyagg_cache) == 1); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 1); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test where the aggregate public key point has an _even_ y - * coordinate, the signer _is_ the second pubkey in the list and the - * nonce parity is 0. */ - const unsigned char sig_expected[32] = { - 0x2D, 0xF6, 0x7B, 0xFF, 0xF1, 0x8E, 0x3D, 0xE7, - 0x97, 0xE1, 0x3C, 0x64, 0x75, 0xC9, 0x63, 0x04, - 0x81, 0x38, 0xDA, 0xEC, 0x5C, 0xB2, 0x0A, 0x35, - 0x7C, 0xEC, 0xA7, 0xC8, 0x42, 0x42, 0x95, 0xEA, - }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, NULL, NULL, 0, NULL, pk, 1); - /* Check that the description of the test vector is correct */ - CHECK(musig_test_pk_parity(&keyagg_cache) == 0); - CHECK(musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 0); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test where the parity of aggregate public key point (1) is unequal to the - * nonce parity (0). */ - const unsigned char sig_expected[32] = { - 0x0D, 0x5B, 0x65, 0x1E, 0x6D, 0xE3, 0x4A, 0x29, - 0xA1, 0x2D, 0xE7, 0xA8, 0xB4, 0x18, 0x3B, 0x4A, - 0xE6, 0xA7, 0xF7, 0xFB, 0xE1, 0x5C, 0xDC, 0xAF, - 0xA4, 0xA3, 0xD1, 0xBC, 0xAA, 0xBC, 0x75, 0x17, - }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, NULL, NULL, 0, NULL, pk, 2); - /* Check that the description of the test vector is correct */ - CHECK(musig_test_pk_parity(&keyagg_cache) == 1); - CHECK(fin_nonce_parity == 0); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test that includes an xonly public key tweak. */ - const unsigned char sig_expected[32] = { - 0x5E, 0x24, 0xC7, 0x49, 0x6B, 0x56, 0x5D, 0xEB, - 0xC3, 0xB9, 0x63, 0x9E, 0x6F, 0x13, 0x04, 0xA2, - 0x15, 0x97, 0xF9, 0x60, 0x3D, 0x3A, 0xB0, 0x5B, - 0x49, 0x13, 0x64, 0x17, 0x75, 0xE1, 0x37, 0x5B, - }; - const unsigned char tweak[1][32] = {{ - 0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF, - 0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D, - 0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79, - 0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB, - }}; - int is_xonly_t[1] = { 1 }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, tweak, is_xonly_t, 1, NULL, pk, 2); - - CHECK(musig_test_pk_parity(&keyagg_cache) == 1); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 1); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test that includes an ordinary public key tweak. */ - const unsigned char sig_expected[32] = { - 0x78, 0x40, 0x8D, 0xDC, 0xAB, 0x48, 0x13, 0xD1, - 0x39, 0x4C, 0x97, 0xD4, 0x93, 0xEF, 0x10, 0x84, - 0x19, 0x5C, 0x1D, 0x4B, 0x52, 0xE6, 0x3E, 0xCD, - 0x7B, 0xC5, 0x99, 0x16, 0x44, 0xE4, 0x4D, 0xDD, - }; - const unsigned char tweak[1][32] = {{ - 0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF, - 0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D, - 0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79, - 0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB, - }}; - int is_xonly_t[1] = { 0 }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, tweak, is_xonly_t, 1, NULL, pk, 2); - - CHECK(musig_test_pk_parity(&keyagg_cache) == 1); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 0); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test that includes an ordinary and an x-only public key tweak. */ - const unsigned char sig_expected[32] = { - 0xC3, 0xA8, 0x29, 0xA8, 0x14, 0x80, 0xE3, 0x6E, - 0xC3, 0xAB, 0x05, 0x29, 0x64, 0x50, 0x9A, 0x94, - 0xEB, 0xF3, 0x42, 0x10, 0x40, 0x3D, 0x16, 0xB2, - 0x26, 0xA6, 0xF1, 0x6E, 0xC8, 0x5B, 0x73, 0x57, - }; - - const unsigned char tweak[2][32] = { - { - 0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF, - 0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D, - 0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79, - 0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB, - }, - { - 0xAE, 0x2E, 0xA7, 0x97, 0xCC, 0x0F, 0xE7, 0x2A, - 0xC5, 0xB9, 0x7B, 0x97, 0xF3, 0xC6, 0x95, 0x7D, - 0x7E, 0x41, 0x99, 0xA1, 0x67, 0xA5, 0x8E, 0xB0, - 0x8B, 0xCA, 0xFF, 0xDA, 0x70, 0xAC, 0x04, 0x55, - }, - }; - int is_xonly_t[2] = { 0, 1 }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, tweak, is_xonly_t, 2, NULL, pk, 2); - CHECK(musig_test_pk_parity(&keyagg_cache) == 0); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 0); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test with four tweaks: x-only, ordinary, x-only, ordinary. */ - const unsigned char sig_expected[32] = { - 0x8C, 0x44, 0x73, 0xC6, 0xA3, 0x82, 0xBD, 0x3C, - 0x4A, 0xD7, 0xBE, 0x59, 0x81, 0x8D, 0xA5, 0xED, - 0x7C, 0xF8, 0xCE, 0xC4, 0xBC, 0x21, 0x99, 0x6C, - 0xFD, 0xA0, 0x8B, 0xB4, 0x31, 0x6B, 0x8B, 0xC7, - }; - const unsigned char tweak[4][32] = { - { - 0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF, - 0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D, - 0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79, - 0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB, - }, - { - 0xAE, 0x2E, 0xA7, 0x97, 0xCC, 0x0F, 0xE7, 0x2A, - 0xC5, 0xB9, 0x7B, 0x97, 0xF3, 0xC6, 0x95, 0x7D, - 0x7E, 0x41, 0x99, 0xA1, 0x67, 0xA5, 0x8E, 0xB0, - 0x8B, 0xCA, 0xFF, 0xDA, 0x70, 0xAC, 0x04, 0x55, - }, - { - 0xF5, 0x2E, 0xCB, 0xC5, 0x65, 0xB3, 0xD8, 0xBE, - 0xA2, 0xDF, 0xD5, 0xB7, 0x5A, 0x4F, 0x45, 0x7E, - 0x54, 0x36, 0x98, 0x09, 0x32, 0x2E, 0x41, 0x20, - 0x83, 0x16, 0x26, 0xF2, 0x90, 0xFA, 0x87, 0xE0, - }, - { - 0x19, 0x69, 0xAD, 0x73, 0xCC, 0x17, 0x7F, 0xA0, - 0xB4, 0xFC, 0xED, 0x6D, 0xF1, 0xF7, 0xBF, 0x99, - 0x07, 0xE6, 0x65, 0xFD, 0xE9, 0xBA, 0x19, 0x6A, - 0x74, 0xFE, 0xD0, 0xA3, 0xCF, 0x5A, 0xEF, 0x9D, - }, - }; - int is_xonly_t[4] = { 1, 0, 1, 0 }; - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, tweak, is_xonly_t, 4, NULL, pk, 2); - CHECK(musig_test_pk_parity(&keyagg_cache) == 0); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 1); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } - { - /* This is a test that includes an adaptor. */ - const unsigned char sig_expected[32] = { - 0xD7, 0x67, 0xD0, 0x7D, 0x9A, 0xB8, 0x19, 0x8C, - 0x9F, 0x64, 0xE3, 0xFD, 0x9F, 0x7B, 0x8B, 0xAA, - 0xC6, 0x05, 0xF1, 0x8D, 0xFF, 0x18, 0x95, 0x24, - 0x2D, 0x93, 0x95, 0xD9, 0xC8, 0xE6, 0xDD, 0x7C, - }; - const unsigned char sec_adaptor[32] = { - 0xD5, 0x6A, 0xD1, 0x85, 0x00, 0xF2, 0xD7, 0x8A, - 0xB9, 0x54, 0x80, 0x53, 0x76, 0xF3, 0x9D, 0x1B, - 0x6D, 0x62, 0x04, 0x95, 0x12, 0x39, 0x04, 0x6D, - 0x99, 0x3A, 0x9C, 0x31, 0xE0, 0xF4, 0x78, 0x71, - }; - secp256k1_pubkey pub_adaptor; - CHECK(secp256k1_ec_pubkey_create(ctx, &pub_adaptor, sec_adaptor) == 1); - musig_test_vectors_sign_helper(&keyagg_cache, &fin_nonce_parity, sig, secnonce, agg_pubnonce, sk, msg, NULL, NULL, 0, &pub_adaptor, pk, 2); - - CHECK(musig_test_pk_parity(&keyagg_cache) == 1); - CHECK(!musig_test_is_second_pk(&keyagg_cache, sk)); - CHECK(fin_nonce_parity == 1); - CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0); - } -} - void run_musig_tests(void) { int i; secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024); @@ -1455,9 +927,6 @@ void run_musig_tests(void) { musig_tweak_test(scratch); } sha256_tag_test(); - musig_test_vectors_keyagg(); - musig_test_vectors_noncegen(); - musig_test_vectors_sign(); secp256k1_scratch_space_destroy(ctx, scratch); }