forked from hush/hush3
![jameslee777@yahoo.com](/assets/img/avatar_default.png)
18 changed files with 6571 additions and 0 deletions
File diff suppressed because it is too large
@ -0,0 +1,17 @@ |
|||
include_HEADERS += include/secp256k1_musig.h |
|||
noinst_HEADERS += src/modules/musig/main_impl.h |
|||
noinst_HEADERS += src/modules/musig/tests_impl.h |
|||
|
|||
noinst_PROGRAMS += example_musig |
|||
example_musig_SOURCES = src/modules/musig/example.c |
|||
example_musig_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/include $(SECP_INCLUDES) |
|||
if !ENABLE_COVERAGE |
|||
example_musig_CPPFLAGS += -DVERIFY |
|||
endif |
|||
example_musig_LDADD = libsecp256k1.la $(SECP_LIBS) |
|||
example_musig_LDFLAGS = -static |
|||
|
|||
if USE_TESTS |
|||
TESTS += example_musig |
|||
endif |
|||
|
@ -0,0 +1,166 @@ |
|||
/**********************************************************************
|
|||
* Copyright (c) 2018 Jonas Nick * |
|||
* Distributed under the MIT software license, see the accompanying * |
|||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|||
**********************************************************************/ |
|||
|
|||
/**
|
|||
* This file demonstrates how to use the MuSig module to create a multisignature. |
|||
* Additionally, see the documentation in include/secp256k1_musig.h. |
|||
*/ |
|||
|
|||
#include <stdio.h> |
|||
#include <assert.h> |
|||
#include <secp256k1.h> |
|||
#include <secp256k1_schnorrsig.h> |
|||
#include <secp256k1_musig.h> |
|||
|
|||
/* Number of public keys involved in creating the aggregate signature */ |
|||
#define N_SIGNERS 3 |
|||
/* Create a key pair and store it in seckey and pubkey */ |
|||
int create_key(const secp256k1_context* ctx, unsigned char* seckey, secp256k1_pubkey* pubkey) { |
|||
int ret; |
|||
FILE *frand = fopen("/dev/urandom", "r"); |
|||
if (frand == NULL) { |
|||
return 0; |
|||
} |
|||
do { |
|||
if(!fread(seckey, 32, 1, frand)) { |
|||
fclose(frand); |
|||
return 0; |
|||
} |
|||
/* The probability that this not a valid secret key is approximately 2^-128 */ |
|||
} while (!secp256k1_ec_seckey_verify(ctx, seckey)); |
|||
fclose(frand); |
|||
ret = secp256k1_ec_pubkey_create(ctx, pubkey, seckey); |
|||
return ret; |
|||
} |
|||
|
|||
/* Sign a message hash with the given key pairs and store the result in sig */ |
|||
int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp256k1_pubkey* pubkeys, const unsigned char* msg32, secp256k1_schnorrsig *sig) { |
|||
secp256k1_musig_session musig_session[N_SIGNERS]; |
|||
unsigned char nonce_commitment[N_SIGNERS][32]; |
|||
const unsigned char *nonce_commitment_ptr[N_SIGNERS]; |
|||
secp256k1_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS]; |
|||
secp256k1_pubkey nonce[N_SIGNERS]; |
|||
int i, j; |
|||
secp256k1_musig_partial_signature partial_sig[N_SIGNERS]; |
|||
|
|||
for (i = 0; i < N_SIGNERS; i++) { |
|||
FILE *frand; |
|||
unsigned char session_id32[32]; |
|||
unsigned char pk_hash[32]; |
|||
secp256k1_pubkey combined_pk; |
|||
|
|||
/* Create combined pubkey and initialize signer data */ |
|||
if (!secp256k1_musig_pubkey_combine(ctx, NULL, &combined_pk, pk_hash, pubkeys, N_SIGNERS)) { |
|||
return 0; |
|||
} |
|||
/* Create random session ID. It is absolutely necessary that the session ID
|
|||
* is unique for every call of secp256k1_musig_session_initialize. Otherwise |
|||
* it's trivial for an attacker to extract the secret key! */ |
|||
frand = fopen("/dev/urandom", "r"); |
|||
if(frand == NULL) { |
|||
return 0; |
|||
} |
|||
if (!fread(session_id32, 32, 1, frand)) { |
|||
fclose(frand); |
|||
return 0; |
|||
} |
|||
fclose(frand); |
|||
/* Initialize session */ |
|||
if (!secp256k1_musig_session_initialize(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, pk_hash, N_SIGNERS, i, seckeys[i])) { |
|||
return 0; |
|||
} |
|||
nonce_commitment_ptr[i] = &nonce_commitment[i][0]; |
|||
} |
|||
/* Communication round 1: Exchange nonce commitments */ |
|||
for (i = 0; i < N_SIGNERS; i++) { |
|||
/* Set nonce commitments in the signer data and get the own public nonce */ |
|||
if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], &nonce[i], nonce_commitment_ptr, N_SIGNERS)) { |
|||
return 0; |
|||
} |
|||
} |
|||
/* Communication round 2: Exchange nonces */ |
|||
for (i = 0; i < N_SIGNERS; i++) { |
|||
for (j = 0; j < N_SIGNERS; j++) { |
|||
if (!secp256k1_musig_set_nonce(ctx, &signer_data[i][j], &nonce[j])) { |
|||
/* Signer j's nonce does not match the nonce commitment. In this case
|
|||
* abort the protocol. If you make another attempt at finishing the |
|||
* protocol, create a new session (with a fresh session ID!). */ |
|||
return 0; |
|||
} |
|||
} |
|||
if (!secp256k1_musig_session_combine_nonces(ctx, &musig_session[i], signer_data[i], N_SIGNERS, NULL, NULL)) { |
|||
return 0; |
|||
} |
|||
} |
|||
for (i = 0; i < N_SIGNERS; i++) { |
|||
if (!secp256k1_musig_partial_sign(ctx, &musig_session[i], &partial_sig[i])) { |
|||
return 0; |
|||
} |
|||
} |
|||
/* Communication round 3: Exchange partial signatures */ |
|||
for (i = 0; i < N_SIGNERS; i++) { |
|||
for (j = 0; j < N_SIGNERS; j++) { |
|||
/* To check whether signing was successful, it suffices to either verify
|
|||
* the the combined signature with the combined public key using |
|||
* secp256k1_schnorrsig_verify, or verify all partial signatures of all |
|||
* signers individually. Verifying the combined signature is cheaper but |
|||
* verifying the individual partial signatures has the advantage that it |
|||
* can be used to determine which of the partial signatures are invalid |
|||
* (if any), i.e., which of the partial signatures cause the combined |
|||
* signature to be invalid and thus the protocol run to fail. It's also |
|||
* fine to first verify the combined sig, and only verify the individual |
|||
* sigs if it does not work. |
|||
*/ |
|||
if (!secp256k1_musig_partial_sig_verify(ctx, &musig_session[i], &signer_data[i][j], &partial_sig[j], &pubkeys[j])) { |
|||
return 0; |
|||
} |
|||
} |
|||
} |
|||
return secp256k1_musig_partial_sig_combine(ctx, &musig_session[0], sig, partial_sig, N_SIGNERS); |
|||
} |
|||
|
|||
int main(void) { |
|||
secp256k1_context* ctx; |
|||
int i; |
|||
unsigned char seckeys[N_SIGNERS][32]; |
|||
secp256k1_pubkey pubkeys[N_SIGNERS]; |
|||
secp256k1_pubkey combined_pk; |
|||
unsigned char msg[32] = "this_could_be_the_hash_of_a_msg!"; |
|||
secp256k1_schnorrsig sig; |
|||
|
|||
/* Create a context for signing and verification */ |
|||
ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); |
|||
printf("Creating key pairs......"); |
|||
for (i = 0; i < N_SIGNERS; i++) { |
|||
if (!create_key(ctx, seckeys[i], &pubkeys[i])) { |
|||
printf("FAILED\n"); |
|||
return 1; |
|||
} |
|||
} |
|||
printf("ok\n"); |
|||
printf("Combining public keys..."); |
|||
if (!secp256k1_musig_pubkey_combine(ctx, NULL, &combined_pk, NULL, pubkeys, N_SIGNERS)) { |
|||
printf("FAILED\n"); |
|||
return 1; |
|||
} |
|||
printf("ok\n"); |
|||
printf("Signing message........."); |
|||
if (!sign(ctx, seckeys, pubkeys, msg, &sig)) { |
|||
printf("FAILED\n"); |
|||
return 1; |
|||
} |
|||
printf("ok\n"); |
|||
printf("Verifying signature....."); |
|||
if (!secp256k1_schnorrsig_verify(ctx, &sig, msg, &combined_pk)) { |
|||
printf("FAILED\n"); |
|||
return 1; |
|||
} |
|||
printf("ok\n"); |
|||
secp256k1_context_destroy(ctx); |
|||
return 0; |
|||
} |
|||
|
|||
|
@ -0,0 +1,631 @@ |
|||
|
|||
/**********************************************************************
|
|||
* Copyright (c) 2018 Andrew Poelstra, Jonas Nick * |
|||
* Distributed under the MIT software license, see the accompanying * |
|||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|||
**********************************************************************/ |
|||
|
|||
#ifndef _SECP256K1_MODULE_MUSIG_MAIN_ |
|||
#define _SECP256K1_MODULE_MUSIG_MAIN_ |
|||
|
|||
#include "include/secp256k1.h" |
|||
#include "include/secp256k1_musig.h" |
|||
#include "hash.h" |
|||
|
|||
/* Computes ell = SHA256(pk[0], ..., pk[np-1]) */ |
|||
static int secp256k1_musig_compute_ell(const secp256k1_context *ctx, unsigned char *ell, const secp256k1_pubkey *pk, size_t np) { |
|||
secp256k1_sha256 sha; |
|||
size_t i; |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
for (i = 0; i < np; i++) { |
|||
unsigned char ser[33]; |
|||
size_t serlen = sizeof(ser); |
|||
if (!secp256k1_ec_pubkey_serialize(ctx, ser, &serlen, &pk[i], SECP256K1_EC_COMPRESSED)) { |
|||
return 0; |
|||
} |
|||
secp256k1_sha256_write(&sha, ser, serlen); |
|||
} |
|||
secp256k1_sha256_finalize(&sha, ell); |
|||
return 1; |
|||
} |
|||
|
|||
/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
|
|||
* SHA256 to SHA256("MuSig coefficient")||SHA256("MuSig coefficient"). */ |
|||
static void secp256k1_musig_sha256_init_tagged(secp256k1_sha256 *sha) { |
|||
secp256k1_sha256_initialize(sha); |
|||
|
|||
sha->s[0] = 0x0fd0690cul; |
|||
sha->s[1] = 0xfefeae97ul; |
|||
sha->s[2] = 0x996eac7ful; |
|||
sha->s[3] = 0x5c30d864ul; |
|||
sha->s[4] = 0x8c4a0573ul; |
|||
sha->s[5] = 0xaca1a22ful; |
|||
sha->s[6] = 0x6f43b801ul; |
|||
sha->s[7] = 0x85ce27cdul; |
|||
sha->bytes = 64; |
|||
} |
|||
|
|||
/* Compute r = SHA256(ell, idx). The four bytes of idx are serialized least significant byte first. */ |
|||
static void secp256k1_musig_coefficient(secp256k1_scalar *r, const unsigned char *ell, uint32_t idx) { |
|||
secp256k1_sha256 sha; |
|||
unsigned char buf[32]; |
|||
size_t i; |
|||
|
|||
secp256k1_musig_sha256_init_tagged(&sha); |
|||
secp256k1_sha256_write(&sha, ell, 32); |
|||
/* We're hashing the index of the signer instead of its public key as specified
|
|||
* in the MuSig paper. This reduces the total amount of data that needs to be |
|||
* hashed. |
|||
* Additionally, it prevents creating identical musig_coefficients for identical |
|||
* public keys. A participant Bob could choose his public key to be the same as |
|||
* Alice's, then replay Alice's messages (nonce and partial signature) to create |
|||
* a valid partial signature. This is not a problem for MuSig per se, but could |
|||
* result in subtle issues with protocols building on threshold signatures. |
|||
* With the assumption that public keys are unique, hashing the index is |
|||
* equivalent to hashing the public key. Because the public key can be |
|||
* identified by the index given the ordered list of public keys (included in |
|||
* ell), the index is just a different encoding of the public key.*/ |
|||
for (i = 0; i < sizeof(uint32_t); i++) { |
|||
unsigned char c = idx; |
|||
secp256k1_sha256_write(&sha, &c, 1); |
|||
idx >>= 8; |
|||
} |
|||
secp256k1_sha256_finalize(&sha, buf); |
|||
secp256k1_scalar_set_b32(r, buf, NULL); |
|||
} |
|||
|
|||
typedef struct { |
|||
const secp256k1_context *ctx; |
|||
unsigned char ell[32]; |
|||
const secp256k1_pubkey *pks; |
|||
} secp256k1_musig_pubkey_combine_ecmult_data; |
|||
|
|||
/* Callback for batch EC multiplication to compute ell_0*P0 + ell_1*P1 + ... */ |
|||
static int secp256k1_musig_pubkey_combine_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) { |
|||
secp256k1_musig_pubkey_combine_ecmult_data *ctx = (secp256k1_musig_pubkey_combine_ecmult_data *) data; |
|||
secp256k1_musig_coefficient(sc, ctx->ell, idx); |
|||
return secp256k1_pubkey_load(ctx->ctx, pt, &ctx->pks[idx]); |
|||
} |
|||
|
|||
|
|||
static void secp256k1_musig_signers_init(secp256k1_musig_session_signer_data *signers, uint32_t n_signers) { |
|||
uint32_t i; |
|||
for (i = 0; i < n_signers; i++) { |
|||
memset(&signers[i], 0, sizeof(signers[i])); |
|||
signers[i].index = i; |
|||
signers[i].present = 0; |
|||
} |
|||
} |
|||
|
|||
int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scratch_space *scratch, secp256k1_pubkey *combined_pk, unsigned char *pk_hash32, const secp256k1_pubkey *pubkeys, size_t n_pubkeys) { |
|||
secp256k1_musig_pubkey_combine_ecmult_data ecmult_data; |
|||
secp256k1_gej pkj; |
|||
secp256k1_ge pkp; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(combined_pk != NULL); |
|||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
|||
ARG_CHECK(pubkeys != NULL); |
|||
ARG_CHECK(n_pubkeys > 0); |
|||
|
|||
ecmult_data.ctx = ctx; |
|||
ecmult_data.pks = pubkeys; |
|||
if (!secp256k1_musig_compute_ell(ctx, ecmult_data.ell, pubkeys, n_pubkeys)) { |
|||
return 0; |
|||
} |
|||
if (!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &pkj, NULL, secp256k1_musig_pubkey_combine_callback, (void *) &ecmult_data, n_pubkeys)) { |
|||
return 0; |
|||
} |
|||
secp256k1_ge_set_gej(&pkp, &pkj); |
|||
secp256k1_pubkey_save(combined_pk, &pkp); |
|||
|
|||
if (pk_hash32 != NULL) { |
|||
memcpy(pk_hash32, ecmult_data.ell, 32); |
|||
} |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const secp256k1_pubkey *combined_pk, const unsigned char *pk_hash32, size_t n_signers, size_t my_index, const unsigned char *seckey) { |
|||
unsigned char combined_ser[33]; |
|||
size_t combined_ser_size = sizeof(combined_ser); |
|||
int overflow; |
|||
secp256k1_scalar secret; |
|||
secp256k1_scalar mu; |
|||
secp256k1_sha256 sha; |
|||
secp256k1_gej rj; |
|||
secp256k1_ge rp; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); |
|||
ARG_CHECK(session != NULL); |
|||
ARG_CHECK(signers != NULL); |
|||
ARG_CHECK(nonce_commitment32 != NULL); |
|||
ARG_CHECK(session_id32 != NULL); |
|||
ARG_CHECK(combined_pk != NULL); |
|||
ARG_CHECK(pk_hash32 != NULL); |
|||
ARG_CHECK(seckey != NULL); |
|||
|
|||
memset(session, 0, sizeof(*session)); |
|||
|
|||
if (msg32 != NULL) { |
|||
memcpy(session->msg, msg32, 32); |
|||
session->msg_is_set = 1; |
|||
} else { |
|||
session->msg_is_set = 0; |
|||
} |
|||
memcpy(&session->combined_pk, combined_pk, sizeof(*combined_pk)); |
|||
memcpy(session->pk_hash, pk_hash32, 32); |
|||
session->nonce_is_set = 0; |
|||
session->has_secret_data = 1; |
|||
if (n_signers == 0 || my_index >= n_signers) { |
|||
return 0; |
|||
} |
|||
if (n_signers > UINT32_MAX) { |
|||
return 0; |
|||
} |
|||
session->n_signers = (uint32_t) n_signers; |
|||
secp256k1_musig_signers_init(signers, session->n_signers); |
|||
session->nonce_commitments_hash_is_set = 0; |
|||
|
|||
/* Compute secret key */ |
|||
secp256k1_scalar_set_b32(&secret, seckey, &overflow); |
|||
if (overflow) { |
|||
secp256k1_scalar_clear(&secret); |
|||
return 0; |
|||
} |
|||
secp256k1_musig_coefficient(&mu, pk_hash32, (uint32_t) my_index); |
|||
secp256k1_scalar_mul(&secret, &secret, &mu); |
|||
secp256k1_scalar_get_b32(session->seckey, &secret); |
|||
|
|||
/* Compute secret nonce */ |
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_sha256_write(&sha, session_id32, 32); |
|||
if (session->msg_is_set) { |
|||
secp256k1_sha256_write(&sha, msg32, 32); |
|||
} |
|||
secp256k1_ec_pubkey_serialize(ctx, combined_ser, &combined_ser_size, combined_pk, SECP256K1_EC_COMPRESSED); |
|||
secp256k1_sha256_write(&sha, combined_ser, combined_ser_size); |
|||
secp256k1_sha256_write(&sha, seckey, 32); |
|||
secp256k1_sha256_finalize(&sha, session->secnonce); |
|||
secp256k1_scalar_set_b32(&secret, session->secnonce, &overflow); |
|||
if (overflow) { |
|||
secp256k1_scalar_clear(&secret); |
|||
return 0; |
|||
} |
|||
|
|||
/* Compute public nonce and commitment */ |
|||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &secret); |
|||
secp256k1_ge_set_gej(&rp, &rj); |
|||
secp256k1_pubkey_save(&session->nonce, &rp); |
|||
|
|||
if (nonce_commitment32 != NULL) { |
|||
unsigned char commit[33]; |
|||
size_t commit_size = sizeof(commit); |
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_ec_pubkey_serialize(ctx, commit, &commit_size, &session->nonce, SECP256K1_EC_COMPRESSED); |
|||
secp256k1_sha256_write(&sha, commit, commit_size); |
|||
secp256k1_sha256_finalize(&sha, nonce_commitment32); |
|||
} |
|||
|
|||
secp256k1_scalar_clear(&secret); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, secp256k1_pubkey *nonce, const unsigned char *const *commitments, size_t n_commitments) { |
|||
secp256k1_sha256 sha; |
|||
unsigned char nonce_commitments_hash[32]; |
|||
size_t i; |
|||
(void) ctx; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(session != NULL); |
|||
ARG_CHECK(signers != NULL); |
|||
ARG_CHECK(nonce != NULL); |
|||
ARG_CHECK(commitments != NULL); |
|||
|
|||
if (!session->has_secret_data || n_commitments != session->n_signers) { |
|||
return 0; |
|||
} |
|||
for (i = 0; i < n_commitments; i++) { |
|||
ARG_CHECK(commitments[i] != NULL); |
|||
} |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
for (i = 0; i < n_commitments; i++) { |
|||
memcpy(signers[i].nonce_commitment, commitments[i], 32); |
|||
secp256k1_sha256_write(&sha, commitments[i], 32); |
|||
} |
|||
secp256k1_sha256_finalize(&sha, nonce_commitments_hash); |
|||
if (session->nonce_commitments_hash_is_set |
|||
&& memcmp(session->nonce_commitments_hash, nonce_commitments_hash, 32) != 0) { |
|||
/* Abort if get_public_nonce has been called before with a different array of
|
|||
* commitments. */ |
|||
return 0; |
|||
} |
|||
memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32); |
|||
session->nonce_commitments_hash_is_set = 1; |
|||
memcpy(nonce, &session->nonce, sizeof(*nonce)); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, const unsigned char *msg32, const secp256k1_pubkey *combined_pk, const unsigned char *pk_hash32, const unsigned char *const *commitments, size_t n_signers) { |
|||
size_t i; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(session != NULL); |
|||
ARG_CHECK(signers != NULL); |
|||
ARG_CHECK(combined_pk != NULL); |
|||
ARG_CHECK(pk_hash32 != NULL); |
|||
ARG_CHECK(commitments != NULL); |
|||
/* Check n_signers before checking commitments to allow testing the case where
|
|||
* n_signers is big without allocating the space. */ |
|||
if (n_signers > UINT32_MAX) { |
|||
return 0; |
|||
} |
|||
for (i = 0; i < n_signers; i++) { |
|||
ARG_CHECK(commitments[i] != NULL); |
|||
} |
|||
(void) ctx; |
|||
|
|||
memset(session, 0, sizeof(*session)); |
|||
|
|||
memcpy(&session->combined_pk, combined_pk, sizeof(*combined_pk)); |
|||
if (n_signers == 0) { |
|||
return 0; |
|||
} |
|||
session->n_signers = (uint32_t) n_signers; |
|||
secp256k1_musig_signers_init(signers, session->n_signers); |
|||
|
|||
memcpy(session->pk_hash, pk_hash32, 32); |
|||
session->nonce_is_set = 0; |
|||
session->msg_is_set = 0; |
|||
if (msg32 != NULL) { |
|||
memcpy(session->msg, msg32, 32); |
|||
session->msg_is_set = 1; |
|||
} |
|||
session->has_secret_data = 0; |
|||
session->nonce_commitments_hash_is_set = 0; |
|||
|
|||
for (i = 0; i < n_signers; i++) { |
|||
memcpy(signers[i].nonce_commitment, commitments[i], 32); |
|||
} |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_session_signer_data *signer, const secp256k1_pubkey *nonce) { |
|||
unsigned char commit[33]; |
|||
size_t commit_size = sizeof(commit); |
|||
secp256k1_sha256 sha; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(signer != NULL); |
|||
ARG_CHECK(nonce != NULL); |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_ec_pubkey_serialize(ctx, commit, &commit_size, nonce, SECP256K1_EC_COMPRESSED); |
|||
secp256k1_sha256_write(&sha, commit, commit_size); |
|||
secp256k1_sha256_finalize(&sha, commit); |
|||
|
|||
if (memcmp(commit, signer->nonce_commitment, 32) != 0) { |
|||
return 0; |
|||
} |
|||
memcpy(&signer->nonce, nonce, sizeof(*nonce)); |
|||
signer->present = 1; |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signers, size_t n_signers, int *nonce_is_negated, const secp256k1_pubkey *adaptor) { |
|||
secp256k1_gej combined_noncej; |
|||
secp256k1_ge combined_noncep; |
|||
secp256k1_ge noncep; |
|||
secp256k1_sha256 sha; |
|||
unsigned char nonce_commitments_hash[32]; |
|||
size_t i; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(session != NULL); |
|||
ARG_CHECK(signers != NULL); |
|||
|
|||
if (n_signers != session->n_signers) { |
|||
return 0; |
|||
} |
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_gej_set_infinity(&combined_noncej); |
|||
for (i = 0; i < n_signers; i++) { |
|||
if (!signers[i].present) { |
|||
return 0; |
|||
} |
|||
secp256k1_sha256_write(&sha, signers[i].nonce_commitment, 32); |
|||
secp256k1_pubkey_load(ctx, &noncep, &signers[i].nonce); |
|||
secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); |
|||
} |
|||
secp256k1_sha256_finalize(&sha, nonce_commitments_hash); |
|||
/* Either the session is a verifier session or or the nonce_commitments_hash has
|
|||
* been set in `musig_session_get_public_nonce`. */ |
|||
VERIFY_CHECK(!session->has_secret_data || session->nonce_commitments_hash_is_set); |
|||
if (session->has_secret_data |
|||
&& memcmp(session->nonce_commitments_hash, nonce_commitments_hash, 32) != 0) { |
|||
/* If the signers' commitments changed between get_public_nonce and now we
|
|||
* have to abort because in that case they may have seen our nonce before |
|||
* creating their commitment. That can happen if the signer_data given to |
|||
* this function is different to the signer_data given to get_public_nonce. |
|||
* */ |
|||
return 0; |
|||
} |
|||
|
|||
/* Add public adaptor to nonce */ |
|||
if (adaptor != NULL) { |
|||
secp256k1_pubkey_load(ctx, &noncep, adaptor); |
|||
secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); |
|||
} |
|||
secp256k1_ge_set_gej(&combined_noncep, &combined_noncej); |
|||
if (secp256k1_fe_is_quad_var(&combined_noncep.y)) { |
|||
session->nonce_is_negated = 0; |
|||
} else { |
|||
session->nonce_is_negated = 1; |
|||
secp256k1_ge_neg(&combined_noncep, &combined_noncep); |
|||
} |
|||
if (nonce_is_negated != NULL) { |
|||
*nonce_is_negated = session->nonce_is_negated; |
|||
} |
|||
secp256k1_pubkey_save(&session->combined_nonce, &combined_noncep); |
|||
session->nonce_is_set = 1; |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_session_set_msg(const secp256k1_context* ctx, secp256k1_musig_session *session, const unsigned char *msg32) { |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(session != NULL); |
|||
ARG_CHECK(msg32 != NULL); |
|||
|
|||
if (session->msg_is_set) { |
|||
return 0; |
|||
} |
|||
memcpy(session->msg, msg32, 32); |
|||
session->msg_is_set = 1; |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_partial_signature_serialize(const secp256k1_context* ctx, unsigned char *out32, const secp256k1_musig_partial_signature* sig) { |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(out32 != NULL); |
|||
ARG_CHECK(sig != NULL); |
|||
memcpy(out32, sig->data, 32); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_partial_signature_parse(const secp256k1_context* ctx, secp256k1_musig_partial_signature* sig, const unsigned char *in32) { |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(in32 != NULL); |
|||
memcpy(sig->data, in32, 32); |
|||
return 1; |
|||
} |
|||
|
|||
/* Compute msghash = SHA256(combined_nonce, combined_pk, msg) */ |
|||
static int secp256k1_musig_compute_messagehash(const secp256k1_context *ctx, unsigned char *msghash, const secp256k1_musig_session *session) { |
|||
unsigned char buf[33]; |
|||
size_t bufsize = 33; |
|||
secp256k1_ge rp; |
|||
secp256k1_sha256 sha; |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
if (!session->nonce_is_set) { |
|||
return 0; |
|||
} |
|||
secp256k1_pubkey_load(ctx, &rp, &session->combined_nonce); |
|||
secp256k1_fe_get_b32(buf, &rp.x); |
|||
secp256k1_sha256_write(&sha, buf, 32); |
|||
secp256k1_ec_pubkey_serialize(ctx, buf, &bufsize, &session->combined_pk, SECP256K1_EC_COMPRESSED); |
|||
VERIFY_CHECK(bufsize == 33); |
|||
secp256k1_sha256_write(&sha, buf, bufsize); |
|||
if (!session->msg_is_set) { |
|||
return 0; |
|||
} |
|||
secp256k1_sha256_write(&sha, session->msg, 32); |
|||
secp256k1_sha256_finalize(&sha, msghash); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_musig_session *session, secp256k1_musig_partial_signature *partial_sig) { |
|||
unsigned char msghash[32]; |
|||
int overflow; |
|||
secp256k1_scalar sk; |
|||
secp256k1_scalar e, k; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(partial_sig != NULL); |
|||
ARG_CHECK(session != NULL); |
|||
|
|||
if (!session->nonce_is_set || !session->has_secret_data) { |
|||
return 0; |
|||
} |
|||
|
|||
/* build message hash */ |
|||
if (!secp256k1_musig_compute_messagehash(ctx, msghash, session)) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_set_b32(&e, msghash, NULL); |
|||
|
|||
secp256k1_scalar_set_b32(&sk, session->seckey, &overflow); |
|||
if (overflow) { |
|||
secp256k1_scalar_clear(&sk); |
|||
return 0; |
|||
} |
|||
|
|||
secp256k1_scalar_set_b32(&k, session->secnonce, &overflow); |
|||
if (overflow || secp256k1_scalar_is_zero(&k)) { |
|||
secp256k1_scalar_clear(&sk); |
|||
secp256k1_scalar_clear(&k); |
|||
return 0; |
|||
} |
|||
if (session->nonce_is_negated) { |
|||
secp256k1_scalar_negate(&k, &k); |
|||
} |
|||
|
|||
/* Sign */ |
|||
secp256k1_scalar_mul(&e, &e, &sk); |
|||
secp256k1_scalar_add(&e, &e, &k); |
|||
secp256k1_scalar_get_b32(&partial_sig->data[0], &e); |
|||
secp256k1_scalar_clear(&sk); |
|||
secp256k1_scalar_clear(&k); |
|||
|
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_partial_sig_combine(const secp256k1_context* ctx, const secp256k1_musig_session *session, secp256k1_schnorrsig *sig, const secp256k1_musig_partial_signature *partial_sigs, size_t n_sigs) { |
|||
size_t i; |
|||
secp256k1_scalar s; |
|||
secp256k1_ge noncep; |
|||
(void) ctx; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(partial_sigs != NULL); |
|||
ARG_CHECK(session != NULL); |
|||
|
|||
if (!session->nonce_is_set) { |
|||
return 0; |
|||
} |
|||
if (n_sigs != session->n_signers) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_clear(&s); |
|||
for (i = 0; i < n_sigs; i++) { |
|||
int overflow; |
|||
secp256k1_scalar term; |
|||
|
|||
secp256k1_scalar_set_b32(&term, partial_sigs[i].data, &overflow); |
|||
if (overflow) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_add(&s, &s, &term); |
|||
} |
|||
|
|||
secp256k1_pubkey_load(ctx, &noncep, &session->combined_nonce); |
|||
VERIFY_CHECK(secp256k1_fe_is_quad_var(&noncep.y)); |
|||
secp256k1_fe_normalize(&noncep.x); |
|||
secp256k1_fe_get_b32(&sig->data[0], &noncep.x); |
|||
secp256k1_scalar_get_b32(&sig->data[32], &s); |
|||
|
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signer, const secp256k1_musig_partial_signature *partial_sig, const secp256k1_pubkey *pubkey) { |
|||
unsigned char msghash[32]; |
|||
secp256k1_scalar s; |
|||
secp256k1_scalar e; |
|||
secp256k1_scalar mu; |
|||
secp256k1_gej rj; |
|||
secp256k1_ge rp; |
|||
int overflow; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
|||
ARG_CHECK(session != NULL); |
|||
ARG_CHECK(signer != NULL); |
|||
ARG_CHECK(partial_sig != NULL); |
|||
ARG_CHECK(pubkey != NULL); |
|||
|
|||
if (!session->nonce_is_set || !signer->present) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_set_b32(&s, partial_sig->data, &overflow); |
|||
if (overflow) { |
|||
return 0; |
|||
} |
|||
if (!secp256k1_musig_compute_messagehash(ctx, msghash, session)) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_set_b32(&e, msghash, NULL); |
|||
|
|||
/* Multiplying the messagehash by the musig coefficient is equivalent
|
|||
* to multiplying the signer's public key by the coefficient, except |
|||
* much easier to do. */ |
|||
secp256k1_musig_coefficient(&mu, session->pk_hash, signer->index); |
|||
secp256k1_scalar_mul(&e, &e, &mu); |
|||
|
|||
if (!secp256k1_pubkey_load(ctx, &rp, &signer->nonce)) { |
|||
return 0; |
|||
} |
|||
|
|||
if (!secp256k1_schnorrsig_real_verify(ctx, &rj, &s, &e, pubkey)) { |
|||
return 0; |
|||
} |
|||
if (!session->nonce_is_negated) { |
|||
secp256k1_ge_neg(&rp, &rp); |
|||
} |
|||
secp256k1_gej_add_ge_var(&rj, &rj, &rp, NULL); |
|||
|
|||
return secp256k1_gej_is_infinity(&rj); |
|||
} |
|||
|
|||
int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_musig_partial_signature *adaptor_sig, const secp256k1_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_is_negated) { |
|||
secp256k1_scalar s; |
|||
secp256k1_scalar t; |
|||
int overflow; |
|||
|
|||
(void) ctx; |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(adaptor_sig != NULL); |
|||
ARG_CHECK(partial_sig != NULL); |
|||
ARG_CHECK(sec_adaptor32 != NULL); |
|||
|
|||
secp256k1_scalar_set_b32(&s, partial_sig->data, &overflow); |
|||
if (overflow) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_set_b32(&t, sec_adaptor32, &overflow); |
|||
if (overflow) { |
|||
secp256k1_scalar_clear(&t); |
|||
return 0; |
|||
} |
|||
|
|||
if (nonce_is_negated) { |
|||
secp256k1_scalar_negate(&t, &t); |
|||
} |
|||
|
|||
secp256k1_scalar_add(&s, &s, &t); |
|||
secp256k1_scalar_get_b32(adaptor_sig->data, &s); |
|||
secp256k1_scalar_clear(&t); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigned char *sec_adaptor32, const secp256k1_schnorrsig *sig, const secp256k1_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_is_negated) { |
|||
secp256k1_scalar t; |
|||
secp256k1_scalar s; |
|||
int overflow; |
|||
size_t i; |
|||
|
|||
(void) ctx; |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(sec_adaptor32 != NULL); |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(partial_sigs != NULL); |
|||
|
|||
secp256k1_scalar_set_b32(&t, &sig->data[32], &overflow); |
|||
if (overflow) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_negate(&t, &t); |
|||
|
|||
for (i = 0; i < n_partial_sigs; i++) { |
|||
secp256k1_scalar_set_b32(&s, partial_sigs[i].data, &overflow); |
|||
if (overflow) { |
|||
secp256k1_scalar_clear(&t); |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_add(&t, &t, &s); |
|||
} |
|||
|
|||
if (!nonce_is_negated) { |
|||
secp256k1_scalar_negate(&t, &t); |
|||
} |
|||
secp256k1_scalar_get_b32(sec_adaptor32, &t); |
|||
secp256k1_scalar_clear(&t); |
|||
return 1; |
|||
} |
|||
|
|||
#endif |
|||
|
@ -0,0 +1,758 @@ |
|||
/**********************************************************************
|
|||
* Copyright (c) 2018 Andrew Poelstra * |
|||
* Distributed under the MIT software license, see the accompanying * |
|||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|||
**********************************************************************/ |
|||
|
|||
#ifndef _SECP256K1_MODULE_MUSIG_TESTS_ |
|||
#define _SECP256K1_MODULE_MUSIG_TESTS_ |
|||
|
|||
#include "secp256k1_musig.h" |
|||
|
|||
void musig_api_tests(secp256k1_scratch_space *scratch) { |
|||
secp256k1_scratch_space *scratch_small; |
|||
secp256k1_musig_session session[2]; |
|||
secp256k1_musig_session verifier_session; |
|||
secp256k1_musig_session_signer_data signer0[2]; |
|||
secp256k1_musig_session_signer_data signer1[2]; |
|||
secp256k1_musig_session_signer_data verifier_signer_data[2]; |
|||
secp256k1_musig_partial_signature partial_sig[2]; |
|||
secp256k1_musig_partial_signature partial_sig_adapted[2]; |
|||
secp256k1_musig_partial_signature partial_sig_overflow; |
|||
secp256k1_schnorrsig final_sig; |
|||
secp256k1_schnorrsig final_sig_cmp; |
|||
|
|||
unsigned char buf[32]; |
|||
unsigned char sk[2][32]; |
|||
unsigned char ones[32]; |
|||
unsigned char session_id[2][32]; |
|||
unsigned char nonce_commitment[2][32]; |
|||
int nonce_is_negated; |
|||
const unsigned char *ncs[2]; |
|||
unsigned char msg[32]; |
|||
unsigned char msghash[32]; |
|||
secp256k1_pubkey combined_pk; |
|||
unsigned char pk_hash[32]; |
|||
secp256k1_pubkey pk[2]; |
|||
|
|||
unsigned char sec_adaptor[32]; |
|||
unsigned char sec_adaptor1[32]; |
|||
secp256k1_pubkey adaptor; |
|||
|
|||
/** setup **/ |
|||
secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); |
|||
secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); |
|||
secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY); |
|||
int ecount; |
|||
|
|||
secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); |
|||
|
|||
memset(ones, 0xff, 32); |
|||
|
|||
secp256k1_rand256(session_id[0]); |
|||
secp256k1_rand256(session_id[1]); |
|||
secp256k1_rand256(sk[0]); |
|||
secp256k1_rand256(sk[1]); |
|||
secp256k1_rand256(msg); |
|||
secp256k1_rand256(sec_adaptor); |
|||
|
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk[0]) == 1); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[1], sk[1]) == 1); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &adaptor, sec_adaptor) == 1); |
|||
|
|||
/** main test body **/ |
|||
|
|||
/* Key combination */ |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_pubkey_combine(none, scratch, &combined_pk, pk_hash, pk, 2) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_pubkey_combine(sign, scratch, &combined_pk, pk_hash, pk, 2) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, pk, 2) == 1); |
|||
CHECK(ecount == 2); |
|||
/* pubkey_combine does not require a scratch space */ |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, NULL, &combined_pk, pk_hash, pk, 2) == 1); |
|||
CHECK(ecount == 2); |
|||
/* If a scratch space is given it shouldn't be too small */ |
|||
scratch_small = secp256k1_scratch_space_create(ctx, 1); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch_small, &combined_pk, pk_hash, pk, 2) == 0); |
|||
secp256k1_scratch_space_destroy(scratch_small); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, NULL, pk_hash, pk, 2) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, NULL, pk, 2) == 1); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, NULL, 2) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, pk, 0) == 0); |
|||
CHECK(ecount == 5); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, NULL, 0) == 0); |
|||
CHECK(ecount == 6); |
|||
|
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, pk, 2) == 1); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, pk, 2) == 1); |
|||
CHECK(secp256k1_musig_pubkey_combine(vrfy, scratch, &combined_pk, pk_hash, pk, 2) == 1); |
|||
|
|||
/** Session creation **/ |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_session_initialize(none, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_session_initialize(vrfy, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_session_initialize(sign, NULL, signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], NULL, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, NULL, session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 5); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], NULL, msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 6); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], NULL, &combined_pk, pk_hash, 2, 0, sk[0]) == 1); |
|||
CHECK(ecount == 6); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, NULL, pk_hash, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 7); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, NULL, 2, 0, sk[0]) == 0); |
|||
CHECK(ecount == 8); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 0, 0, sk[0]) == 0); |
|||
CHECK(ecount == 8); |
|||
/* If more than UINT32_MAX fits in a size_t, test that session_initialize
|
|||
* rejects n_signers that high. */ |
|||
if (SIZE_MAX > UINT32_MAX) { |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, ((size_t) UINT32_MAX) + 2, 0, sk[0]) == 0); |
|||
} |
|||
CHECK(ecount == 8); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, NULL) == 0); |
|||
CHECK(ecount == 9); |
|||
/* secret key overflows */ |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, ones) == 0); |
|||
CHECK(ecount == 9); |
|||
|
|||
|
|||
{ |
|||
secp256k1_musig_session session_without_msg; |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session_without_msg, signer0, nonce_commitment[0], session_id[0], NULL, &combined_pk, pk_hash, 2, 0, sk[0]) == 1); |
|||
CHECK(secp256k1_musig_session_set_msg(none, &session_without_msg, msg) == 1); |
|||
CHECK(secp256k1_musig_session_set_msg(none, &session_without_msg, msg) == 0); |
|||
} |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 1); |
|||
CHECK(secp256k1_musig_session_initialize(sign, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, pk_hash, 2, 1, sk[1]) == 1); |
|||
ncs[0] = nonce_commitment[0]; |
|||
ncs[1] = nonce_commitment[1]; |
|||
|
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, pk_hash, ncs, 2) == 1); |
|||
CHECK(ecount == 0); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, NULL, verifier_signer_data, msg, &combined_pk, pk_hash, ncs, 2) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, NULL, &combined_pk, pk_hash, ncs, 2) == 1); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, NULL, pk_hash, ncs, 2) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, NULL, ncs, 2) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, pk_hash, NULL, 2) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, pk_hash, ncs, 0) == 0); |
|||
CHECK(ecount == 4); |
|||
if (SIZE_MAX > UINT32_MAX) { |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, pk_hash, ncs, ((size_t) UINT32_MAX) + 2) == 0); |
|||
} |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_musig_session_initialize_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, pk_hash, ncs, 2) == 1); |
|||
|
|||
CHECK(secp256k1_musig_compute_messagehash(none, msghash, &verifier_session) == 0); |
|||
CHECK(secp256k1_musig_compute_messagehash(none, msghash, &session[0]) == 0); |
|||
|
|||
/** Signing step 0 -- exchange nonce commitments */ |
|||
ecount = 0; |
|||
{ |
|||
secp256k1_pubkey nonce; |
|||
|
|||
/* Can obtain public nonce after commitments have been exchanged; still can't sign */ |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, &nonce, ncs, 2) == 1); |
|||
CHECK(secp256k1_musig_partial_sign(none, &session[0], &partial_sig[0]) == 0); |
|||
CHECK(ecount == 0); |
|||
} |
|||
|
|||
/** Signing step 1 -- exchange nonces */ |
|||
ecount = 0; |
|||
{ |
|||
secp256k1_pubkey public_nonce[3]; |
|||
|
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, &public_nonce[0], ncs, 2) == 1); |
|||
CHECK(ecount == 0); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, NULL, signer0, &public_nonce[0], ncs, 2) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], NULL, &public_nonce[0], ncs, 2) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, NULL, ncs, 2) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, &public_nonce[0], NULL, 2) == 0); |
|||
CHECK(ecount == 4); |
|||
/* Number of commitments and number of signers are different */ |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, &public_nonce[0], ncs, 1) == 0); |
|||
CHECK(ecount == 4); |
|||
|
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[0], signer0, &public_nonce[0], ncs, 2) == 1); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(none, &session[1], signer1, &public_nonce[1], ncs, 2) == 1); |
|||
|
|||
CHECK(secp256k1_musig_set_nonce(none, &signer0[0], &public_nonce[0]) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(none, &signer0[1], &public_nonce[0]) == 0); |
|||
CHECK(secp256k1_musig_set_nonce(none, &signer0[1], &public_nonce[1]) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(none, &signer0[1], &public_nonce[1]) == 1); |
|||
CHECK(ecount == 4); |
|||
|
|||
CHECK(secp256k1_musig_set_nonce(none, NULL, &public_nonce[0]) == 0); |
|||
CHECK(ecount == 5); |
|||
CHECK(secp256k1_musig_set_nonce(none, &signer1[0], NULL) == 0); |
|||
CHECK(ecount == 6); |
|||
|
|||
CHECK(secp256k1_musig_set_nonce(none, &signer1[0], &public_nonce[0]) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(none, &signer1[1], &public_nonce[1]) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(none, &verifier_signer_data[0], &public_nonce[0]) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(none, &verifier_signer_data[1], &public_nonce[1]) == 1); |
|||
|
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 2, &nonce_is_negated, &adaptor) == 1); |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, NULL, signer0, 2, &nonce_is_negated, &adaptor) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], NULL, 2, &nonce_is_negated, &adaptor) == 0); |
|||
CHECK(ecount == 2); |
|||
/* Number of signers differs from number during intialization */ |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 1, &nonce_is_negated, &adaptor) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 2, NULL, &adaptor) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 2, &nonce_is_negated, NULL) == 1); |
|||
|
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[0], signer0, 2, &nonce_is_negated, &adaptor) == 1); |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &session[1], signer0, 2, &nonce_is_negated, &adaptor) == 1); |
|||
CHECK(secp256k1_musig_session_combine_nonces(none, &verifier_session, verifier_signer_data, 2, &nonce_is_negated, &adaptor) == 1); |
|||
} |
|||
|
|||
/** Signing step 2 -- partial signatures */ |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_partial_sign(none, &session[0], &partial_sig[0]) == 1); |
|||
CHECK(ecount == 0); |
|||
CHECK(secp256k1_musig_partial_sign(none, NULL, &partial_sig[0]) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_partial_sign(none, &session[0], NULL) == 0); |
|||
CHECK(ecount == 2); |
|||
|
|||
CHECK(secp256k1_musig_partial_sign(none, &session[0], &partial_sig[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_sign(none, &session[1], &partial_sig[1]) == 1); |
|||
/* observer can't sign */ |
|||
CHECK(secp256k1_musig_partial_sign(none, &verifier_session, &partial_sig[2]) == 0); |
|||
CHECK(ecount == 2); |
|||
|
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_partial_signature_serialize(none, buf, &partial_sig[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_signature_serialize(none, NULL, &partial_sig[0]) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_partial_signature_serialize(none, buf, NULL) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_signature_parse(none, &partial_sig[0], buf) == 1); |
|||
CHECK(secp256k1_musig_partial_signature_parse(none, NULL, buf) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_partial_signature_parse(none, &partial_sig[0], NULL) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_musig_partial_signature_parse(none, &partial_sig_overflow, ones) == 1); |
|||
|
|||
/** Partial signature verification */ |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_partial_sig_verify(none, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(sign, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[1], &pk[0]) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, NULL, &signer0[0], &partial_sig[0], &pk[0]) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], NULL, &partial_sig[0], &pk[0]) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], NULL, &pk[0]) == 0); |
|||
CHECK(ecount == 5); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig_overflow, &pk[0]) == 0); |
|||
CHECK(ecount == 5); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], NULL) == 0); |
|||
CHECK(ecount == 6); |
|||
|
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[1], &signer1[0], &partial_sig[0], &pk[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[0], &signer0[1], &partial_sig[1], &pk[1]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &session[1], &signer1[1], &partial_sig[1], &pk[1]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &verifier_session, &verifier_signer_data[0], &partial_sig[0], &pk[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(vrfy, &verifier_session, &verifier_signer_data[1], &partial_sig[1], &pk[1]) == 1); |
|||
CHECK(ecount == 6); |
|||
|
|||
/** Adaptor signature verification */ |
|||
memcpy(&partial_sig_adapted[1], &partial_sig[1], sizeof(partial_sig_adapted[1])); |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], sec_adaptor, nonce_is_negated) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_adapt(none, NULL, &partial_sig[0], sec_adaptor, 0) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], NULL, sec_adaptor, 0) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig_overflow, sec_adaptor, nonce_is_negated) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], NULL, 0) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], ones, nonce_is_negated) == 0); |
|||
CHECK(ecount == 3); |
|||
|
|||
/** Signing combining and verification */ |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], &final_sig, partial_sig_adapted, 2) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], &final_sig_cmp, partial_sig_adapted, 2) == 1); |
|||
CHECK(memcmp(&final_sig, &final_sig_cmp, sizeof(final_sig)) == 0); |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], &final_sig_cmp, partial_sig_adapted, 2) == 1); |
|||
CHECK(memcmp(&final_sig, &final_sig_cmp, sizeof(final_sig)) == 0); |
|||
|
|||
CHECK(secp256k1_musig_partial_sig_combine(none, NULL, &final_sig, partial_sig_adapted, 2) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], NULL, partial_sig_adapted, 2) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], &final_sig, NULL, 2) == 0); |
|||
CHECK(ecount == 3); |
|||
{ |
|||
secp256k1_musig_partial_signature partial_sig_tmp[2]; |
|||
partial_sig_tmp[0] = partial_sig_adapted[0]; |
|||
partial_sig_tmp[1] = partial_sig_overflow; |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], &final_sig, partial_sig_tmp, 2) == 0); |
|||
} |
|||
CHECK(ecount == 3); |
|||
/* Wrong number of partial sigs */ |
|||
CHECK(secp256k1_musig_partial_sig_combine(none, &session[0], &final_sig, partial_sig_adapted, 1) == 0); |
|||
CHECK(ecount == 3); |
|||
|
|||
CHECK(secp256k1_schnorrsig_verify(vrfy, &final_sig, msg, &combined_pk) == 1); |
|||
|
|||
/** Secret adaptor can be extracted from signature */ |
|||
ecount = 0; |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, &final_sig, partial_sig, 2, nonce_is_negated) == 1); |
|||
CHECK(memcmp(sec_adaptor, sec_adaptor1, 32) == 0); |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, NULL, &final_sig, partial_sig, 2, 0) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, NULL, partial_sig, 2, 0) == 0); |
|||
CHECK(ecount == 2); |
|||
{ |
|||
secp256k1_schnorrsig final_sig_tmp = final_sig; |
|||
memcpy(&final_sig_tmp.data[32], ones, 32); |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, &final_sig_tmp, partial_sig, 2, nonce_is_negated) == 0); |
|||
} |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, &final_sig, NULL, 2, 0) == 0); |
|||
CHECK(ecount == 3); |
|||
{ |
|||
secp256k1_musig_partial_signature partial_sig_tmp[2]; |
|||
partial_sig_tmp[0] = partial_sig[0]; |
|||
partial_sig_tmp[1] = partial_sig_overflow; |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, &final_sig, partial_sig_tmp, 2, nonce_is_negated) == 0); |
|||
} |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, &final_sig, partial_sig, 0, 0) == 1); |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(none, sec_adaptor1, &final_sig, partial_sig, 2, 1) == 1); |
|||
|
|||
/** cleanup **/ |
|||
memset(&session, 0, sizeof(session)); |
|||
secp256k1_context_destroy(none); |
|||
secp256k1_context_destroy(sign); |
|||
secp256k1_context_destroy(vrfy); |
|||
} |
|||
|
|||
/* Initializes two sessions, one use the given parameters (session_id,
|
|||
* nonce_commitments, etc.) except that `session_tmp` uses new signers with different |
|||
* public keys. The point of this test is to call `musig_session_get_public_nonce` |
|||
* with signers from `session_tmp` who have different public keys than the correct |
|||
* ones and return the resulting messagehash. This should not result in a different |
|||
* messagehash because the public keys of the signers are only used during session |
|||
* initialization. */ |
|||
int musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, secp256k1_pubkey *pks, secp256k1_pubkey *combined_pk, unsigned char *pk_hash, const unsigned char * const *nonce_commitments, unsigned char *msg, secp256k1_pubkey *nonce_other, unsigned char *sk, unsigned char *session_id) { |
|||
secp256k1_musig_session session; |
|||
secp256k1_musig_session session_tmp; |
|||
unsigned char nonce_commitment[32]; |
|||
secp256k1_musig_session_signer_data signers[2]; |
|||
secp256k1_musig_session_signer_data signers_tmp[2]; |
|||
unsigned char sk_dummy[32]; |
|||
secp256k1_pubkey pks_tmp[2]; |
|||
secp256k1_pubkey combined_pk_tmp; |
|||
unsigned char pk_hash_tmp[32]; |
|||
secp256k1_pubkey nonce; |
|||
|
|||
/* Set up signers with different public keys */ |
|||
secp256k1_rand256(sk_dummy); |
|||
pks_tmp[0] = pks[0]; |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pks_tmp[1], sk_dummy) == 1); |
|||
CHECK(secp256k1_musig_pubkey_combine(ctx, NULL, &combined_pk_tmp, pk_hash_tmp, pks_tmp, 2) == 1); |
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session_tmp, signers_tmp, nonce_commitment, session_id, msg, &combined_pk_tmp, pk_hash_tmp, 2, 0, sk_dummy) == 1); |
|||
|
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pk_hash, 2, 0, sk) == 1); |
|||
CHECK(memcmp(nonce_commitment, nonce_commitments[1], 32) == 0); |
|||
/* Call get_public_nonce with different signers than the signers the session was
|
|||
* initialized with. */ |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session_tmp, signers, &nonce, nonce_commitments, 2) == 1); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers_tmp, &nonce, nonce_commitments, 2) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); |
|||
|
|||
return secp256k1_musig_compute_messagehash(ctx, msghash, &session); |
|||
} |
|||
|
|||
/* Creates a new session (with a different session id) and tries to use that session
|
|||
* to combine nonces with given signers_other. This should fail, because the nonce |
|||
* commitments of signers_other do not match the nonce commitments the new session |
|||
* was initialized with. If do_test is 0, the correct signers are being used and |
|||
* therefore the function should return 1. */ |
|||
int musig_state_machine_diff_signers_combine_nonce_test(secp256k1_pubkey *combined_pk, unsigned char *pk_hash, unsigned char *nonce_commitment_other, secp256k1_pubkey *nonce_other, unsigned char *msg, unsigned char *sk, secp256k1_musig_session_signer_data *signers_other, int do_test) { |
|||
secp256k1_musig_session session; |
|||
secp256k1_musig_session_signer_data signers[2]; |
|||
secp256k1_musig_session_signer_data *signers_to_use; |
|||
unsigned char nonce_commitment[32]; |
|||
unsigned char session_id[32]; |
|||
secp256k1_pubkey nonce; |
|||
const unsigned char *ncs[2]; |
|||
|
|||
/* Initialize new signers */ |
|||
secp256k1_rand256(session_id); |
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pk_hash, 2, 1, sk) == 1); |
|||
ncs[0] = nonce_commitment_other; |
|||
ncs[1] = nonce_commitment; |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, &nonce, ncs, 2) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); |
|||
secp256k1_musig_session_combine_nonces(ctx, &session, signers_other, 2, NULL, NULL); |
|||
if (do_test) { |
|||
signers_to_use = signers_other; |
|||
} else { |
|||
signers_to_use = signers; |
|||
} |
|||
return secp256k1_musig_session_combine_nonces(ctx, &session, signers_to_use, 2, NULL, NULL); |
|||
} |
|||
|
|||
/* Recreates a session with the given session_id, signers, pk, msg etc. parameters
|
|||
* and tries to sign and verify the other signers partial signature. Both should fail |
|||
* if msg is NULL. */ |
|||
int musig_state_machine_missing_msg_test(secp256k1_pubkey *pks, secp256k1_pubkey *combined_pk, unsigned char *pk_hash, unsigned char *nonce_commitment_other, secp256k1_pubkey *nonce_other, secp256k1_musig_partial_signature *partial_sig_other, unsigned char *sk, unsigned char *session_id, unsigned char *msg) { |
|||
secp256k1_musig_session session; |
|||
secp256k1_musig_session_signer_data signers[2]; |
|||
unsigned char nonce_commitment[32]; |
|||
const unsigned char *ncs[2]; |
|||
secp256k1_pubkey nonce; |
|||
secp256k1_musig_partial_signature partial_sig; |
|||
int partial_sign, partial_verify; |
|||
|
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pk_hash, 2, 0, sk) == 1); |
|||
ncs[0] = nonce_commitment_other; |
|||
ncs[1] = nonce_commitment; |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, &nonce, ncs, 2) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); |
|||
|
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); |
|||
partial_sign = secp256k1_musig_partial_sign(ctx, &session, &partial_sig); |
|||
partial_verify = secp256k1_musig_partial_sig_verify(ctx, &session, &signers[0], partial_sig_other, &pks[0]); |
|||
if (msg != NULL) { |
|||
/* Return 1 if both succeeded */ |
|||
return partial_sign && partial_verify; |
|||
} |
|||
/* Return 0 if both failed */ |
|||
return partial_sign || partial_verify; |
|||
} |
|||
|
|||
/* Recreates a session with the given session_id, signers, pk, msg etc. parameters
|
|||
* and tries to verify and combine partial sigs. If do_combine is 0, the |
|||
* combine_nonces step is left out. In that case verify and combine should fail and |
|||
* this function should return 0. */ |
|||
int musig_state_machine_missing_combine_test(secp256k1_pubkey *pks, secp256k1_pubkey *combined_pk, unsigned char *pk_hash, unsigned char *nonce_commitment_other, secp256k1_pubkey *nonce_other, secp256k1_musig_partial_signature *partial_sig_other, unsigned char *msg, unsigned char *sk, unsigned char *session_id, secp256k1_musig_partial_signature *partial_sig, int do_combine) { |
|||
secp256k1_musig_session session; |
|||
secp256k1_musig_session_signer_data signers[2]; |
|||
unsigned char nonce_commitment[32]; |
|||
const unsigned char *ncs[2]; |
|||
secp256k1_pubkey nonce; |
|||
secp256k1_musig_partial_signature partial_sigs[2]; |
|||
secp256k1_schnorrsig sig; |
|||
int partial_verify, sig_combine; |
|||
|
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pk_hash, 2, 0, sk) == 1); |
|||
ncs[0] = nonce_commitment_other; |
|||
ncs[1] = nonce_commitment; |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session, signers, &nonce, ncs, 2) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers[1], &nonce) == 1); |
|||
|
|||
partial_sigs[0] = *partial_sig_other; |
|||
partial_sigs[1] = *partial_sig; |
|||
if (do_combine != 0) { |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); |
|||
} |
|||
partial_verify = secp256k1_musig_partial_sig_verify(ctx, &session, signers, partial_sig_other, &pks[0]); |
|||
sig_combine = secp256k1_musig_partial_sig_combine(ctx, &session, &sig, partial_sigs, 2); |
|||
if (do_combine != 0) { |
|||
/* Return 1 if both succeeded */ |
|||
return partial_verify && sig_combine; |
|||
} |
|||
/* Return 0 if both failed */ |
|||
return partial_verify || sig_combine; |
|||
} |
|||
|
|||
void musig_state_machine_tests(secp256k1_scratch_space *scratch) { |
|||
size_t i; |
|||
secp256k1_musig_session session[2]; |
|||
secp256k1_musig_session_signer_data signers0[2]; |
|||
secp256k1_musig_session_signer_data signers1[2]; |
|||
unsigned char nonce_commitment[2][32]; |
|||
unsigned char session_id[2][32]; |
|||
unsigned char msg[32]; |
|||
unsigned char sk[2][32]; |
|||
secp256k1_pubkey pk[2]; |
|||
secp256k1_pubkey combined_pk; |
|||
unsigned char pk_hash[32]; |
|||
secp256k1_pubkey nonce[2]; |
|||
const unsigned char *ncs[2]; |
|||
secp256k1_musig_partial_signature partial_sig[2]; |
|||
unsigned char msghash1[32]; |
|||
unsigned char msghash2[32]; |
|||
|
|||
/* Run state machine with the same objects twice to test that it's allowed to
|
|||
* reinitialize session and session_signer_data. */ |
|||
for (i = 0; i < 2; i++) { |
|||
/* Setup */ |
|||
secp256k1_rand256(session_id[0]); |
|||
secp256k1_rand256(session_id[1]); |
|||
secp256k1_rand256(sk[0]); |
|||
secp256k1_rand256(sk[1]); |
|||
secp256k1_rand256(msg); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk[0]) == 1); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[1], sk[1]) == 1); |
|||
CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk, pk_hash, pk, 2) == 1); |
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, &combined_pk, pk_hash, 2, 0, sk[0]) == 1); |
|||
CHECK(secp256k1_musig_session_initialize(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, &combined_pk, pk_hash, 2, 1, sk[1]) == 1); |
|||
|
|||
/* Set nonce commitments */ |
|||
ncs[0] = nonce_commitment[0]; |
|||
ncs[1] = nonce_commitment[1]; |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signers0, &nonce[0], ncs, 2) == 1); |
|||
/* Changing a nonce commitment is not okay */ |
|||
ncs[1] = (unsigned char*) "this isn't a nonce commitment..."; |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signers0, &nonce[0], ncs, 2) == 0); |
|||
/* Repeating with the same nonce commitments is okay */ |
|||
ncs[1] = nonce_commitment[1]; |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[0], signers0, &nonce[0], ncs, 2) == 1); |
|||
|
|||
/* Get nonce for signer 1 */ |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &session[1], signers1, &nonce[1], ncs, 2) == 1); |
|||
|
|||
/* Set nonces */ |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers0[0], &nonce[0]) == 1); |
|||
/* Can't set nonce that doesn't match nonce commitment */ |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers0[1], &nonce[0]) == 0); |
|||
/* Set correct nonce */ |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers0[1], &nonce[1]) == 1); |
|||
|
|||
/* Combine nonces */ |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[0], signers0, 2, NULL, NULL) == 1); |
|||
/* Not everyone is present from signer 1's view */ |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 0); |
|||
/* Make everyone present */ |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers1[0], &nonce[0]) == 1); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &signers1[1], &nonce[1]) == 1); |
|||
|
|||
/* Can't combine nonces from signers of a different session */ |
|||
CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, pk_hash, nonce_commitment[0], &nonce[0], msg, sk[1], signers1, 1) == 0); |
|||
CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, pk_hash, nonce_commitment[0], &nonce[0], msg, sk[1], signers1, 0) == 1); |
|||
|
|||
/* Partially sign */ |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); |
|||
/* Can't verify or sign until nonce is combined */ |
|||
CHECK(secp256k1_musig_partial_sig_verify(ctx, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 0); |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 0); |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(ctx, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 1); |
|||
/* messagehash should be the same as a session whose get_public_nonce was called
|
|||
* with different signers (i.e. they diff in public keys). This is because the |
|||
* public keys of the signers is set in stone when initializing the session. */ |
|||
CHECK(secp256k1_musig_compute_messagehash(ctx, msghash1, &session[1]) == 1); |
|||
CHECK(musig_state_machine_diff_signer_msghash_test(msghash2, pk, &combined_pk, pk_hash, ncs, msg, &nonce[0], sk[1], session_id[1]) == 1); |
|||
CHECK(memcmp(msghash1, msghash2, 32) == 0); |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[1], &pk[1]) == 1); |
|||
/* Wrong signature */ |
|||
CHECK(secp256k1_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[0], &pk[1]) == 0); |
|||
/* Can't sign or verify until msg is set */ |
|||
CHECK(musig_state_machine_missing_msg_test(pk, &combined_pk, pk_hash, nonce_commitment[0], &nonce[0], &partial_sig[0], sk[1], session_id[1], NULL) == 0); |
|||
CHECK(musig_state_machine_missing_msg_test(pk, &combined_pk, pk_hash, nonce_commitment[0], &nonce[0], &partial_sig[0], sk[1], session_id[1], msg) == 1); |
|||
|
|||
/* Can't verify and combine partial sigs until nonces are combined */ |
|||
CHECK(musig_state_machine_missing_combine_test(pk, &combined_pk, pk_hash, nonce_commitment[0], &nonce[0], &partial_sig[0], msg, sk[1], session_id[1], &partial_sig[1], 0) == 0); |
|||
CHECK(musig_state_machine_missing_combine_test(pk, &combined_pk, pk_hash, nonce_commitment[0], &nonce[0], &partial_sig[0], msg, sk[1], session_id[1], &partial_sig[1], 1) == 1); |
|||
} |
|||
} |
|||
|
|||
void scriptless_atomic_swap(secp256k1_scratch_space *scratch) { |
|||
/* Throughout this test "a" and "b" refer to two hypothetical blockchains,
|
|||
* while the indices 0 and 1 refer to the two signers. Here signer 0 is |
|||
* sending a-coins to signer 1, while signer 1 is sending b-coins to signer |
|||
* 0. Signer 0 produces the adaptor signatures. */ |
|||
secp256k1_schnorrsig final_sig_a; |
|||
secp256k1_schnorrsig final_sig_b; |
|||
secp256k1_musig_partial_signature partial_sig_a[2]; |
|||
secp256k1_musig_partial_signature partial_sig_b_adapted[2]; |
|||
secp256k1_musig_partial_signature partial_sig_b[2]; |
|||
unsigned char sec_adaptor[32]; |
|||
unsigned char sec_adaptor_extracted[32]; |
|||
secp256k1_pubkey pub_adaptor; |
|||
|
|||
unsigned char seckey_a[2][32]; |
|||
unsigned char seckey_b[2][32]; |
|||
secp256k1_pubkey pk_a[2]; |
|||
secp256k1_pubkey pk_b[2]; |
|||
unsigned char pk_hash_a[32]; |
|||
unsigned char pk_hash_b[32]; |
|||
secp256k1_pubkey combined_pk_a; |
|||
secp256k1_pubkey combined_pk_b; |
|||
secp256k1_musig_session musig_session_a[2]; |
|||
secp256k1_musig_session musig_session_b[2]; |
|||
unsigned char noncommit_a[2][32]; |
|||
unsigned char noncommit_b[2][32]; |
|||
const unsigned char *noncommit_a_ptr[2]; |
|||
const unsigned char *noncommit_b_ptr[2]; |
|||
secp256k1_pubkey pubnon_a[2]; |
|||
secp256k1_pubkey pubnon_b[2]; |
|||
int nonce_is_negated_a; |
|||
int nonce_is_negated_b; |
|||
secp256k1_musig_session_signer_data data_a[2]; |
|||
secp256k1_musig_session_signer_data data_b[2]; |
|||
|
|||
const unsigned char seed[32] = "still tired of choosing seeds..."; |
|||
const unsigned char msg32_a[32] = "this is the message blockchain a"; |
|||
const unsigned char msg32_b[32] = "this is the message blockchain b"; |
|||
|
|||
/* Step 1: key setup */ |
|||
secp256k1_rand256(seckey_a[0]); |
|||
secp256k1_rand256(seckey_a[1]); |
|||
secp256k1_rand256(seckey_b[0]); |
|||
secp256k1_rand256(seckey_b[1]); |
|||
secp256k1_rand256(sec_adaptor); |
|||
|
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk_a[0], seckey_a[0])); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk_a[1], seckey_a[1])); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk_b[0], seckey_b[0])); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk_b[1], seckey_b[1])); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pub_adaptor, sec_adaptor)); |
|||
|
|||
CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk_a, pk_hash_a, pk_a, 2)); |
|||
CHECK(secp256k1_musig_pubkey_combine(ctx, scratch, &combined_pk_b, pk_hash_b, pk_b, 2)); |
|||
|
|||
CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_a[0], data_a, noncommit_a[0], seed, msg32_a, &combined_pk_a, pk_hash_a, 2, 0, seckey_a[0])); |
|||
CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_a[1], data_a, noncommit_a[1], seed, msg32_a, &combined_pk_a, pk_hash_a, 2, 1, seckey_a[1])); |
|||
noncommit_a_ptr[0] = noncommit_a[0]; |
|||
noncommit_a_ptr[1] = noncommit_a[1]; |
|||
|
|||
CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_b[0], data_b, noncommit_b[0], seed, msg32_b, &combined_pk_b, pk_hash_b, 2, 0, seckey_b[0])); |
|||
CHECK(secp256k1_musig_session_initialize(ctx, &musig_session_b[1], data_b, noncommit_b[1], seed, msg32_b, &combined_pk_b, pk_hash_b, 2, 1, seckey_b[1])); |
|||
noncommit_b_ptr[0] = noncommit_b[0]; |
|||
noncommit_b_ptr[1] = noncommit_b[1]; |
|||
|
|||
/* Step 2: Exchange nonces */ |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_a[0], data_a, &pubnon_a[0], noncommit_a_ptr, 2)); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_a[1], data_a, &pubnon_a[1], noncommit_a_ptr, 2)); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_b[0], data_b, &pubnon_b[0], noncommit_b_ptr, 2)); |
|||
CHECK(secp256k1_musig_session_get_public_nonce(ctx, &musig_session_b[1], data_b, &pubnon_b[1], noncommit_b_ptr, 2)); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &data_a[0], &pubnon_a[0])); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &data_a[1], &pubnon_a[1])); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &data_b[0], &pubnon_b[0])); |
|||
CHECK(secp256k1_musig_set_nonce(ctx, &data_b[1], &pubnon_b[1])); |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[0], data_a, 2, &nonce_is_negated_a, &pub_adaptor)); |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_a[1], data_a, 2, NULL, &pub_adaptor)); |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_b[0], data_b, 2, &nonce_is_negated_b, &pub_adaptor)); |
|||
CHECK(secp256k1_musig_session_combine_nonces(ctx, &musig_session_b[1], data_b, 2, NULL, &pub_adaptor)); |
|||
|
|||
/* Step 3: Signer 0 produces partial signatures for both chains. */ |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &musig_session_a[0], &partial_sig_a[0])); |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &musig_session_b[0], &partial_sig_b[0])); |
|||
|
|||
/* Step 4: Signer 1 receives partial signatures, verifies them and creates a
|
|||
* partial signature to send B-coins to signer 0. */ |
|||
CHECK(secp256k1_musig_partial_sig_verify(ctx, &musig_session_a[1], data_a, &partial_sig_a[0], &pk_a[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_sig_verify(ctx, &musig_session_b[1], data_b, &partial_sig_b[0], &pk_b[0]) == 1); |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &musig_session_b[1], &partial_sig_b[1])); |
|||
|
|||
/* Step 5: Signer 0 adapts its own partial signature and combines it with the
|
|||
* partial signature from signer 1. This results in a complete signature which |
|||
* is broadcasted by signer 0 to take B-coins. */ |
|||
CHECK(secp256k1_musig_partial_sig_adapt(ctx, &partial_sig_b_adapted[0], &partial_sig_b[0], sec_adaptor, nonce_is_negated_b)); |
|||
memcpy(&partial_sig_b_adapted[1], &partial_sig_b[1], sizeof(partial_sig_b_adapted[1])); |
|||
CHECK(secp256k1_musig_partial_sig_combine(ctx, &musig_session_b[0], &final_sig_b, partial_sig_b_adapted, 2) == 1); |
|||
CHECK(secp256k1_schnorrsig_verify(ctx, &final_sig_b, msg32_b, &combined_pk_b) == 1); |
|||
|
|||
/* Step 6: Signer 1 extracts adaptor from the published signature, applies it to
|
|||
* other partial signature, and takes A-coins. */ |
|||
CHECK(secp256k1_musig_extract_secret_adaptor(ctx, sec_adaptor_extracted, &final_sig_b, partial_sig_b, 2, nonce_is_negated_b) == 1); |
|||
CHECK(memcmp(sec_adaptor_extracted, sec_adaptor, sizeof(sec_adaptor)) == 0); /* in real life we couldn't check this, of course */ |
|||
CHECK(secp256k1_musig_partial_sig_adapt(ctx, &partial_sig_a[0], &partial_sig_a[0], sec_adaptor_extracted, nonce_is_negated_a)); |
|||
CHECK(secp256k1_musig_partial_sign(ctx, &musig_session_a[1], &partial_sig_a[1])); |
|||
CHECK(secp256k1_musig_partial_sig_combine(ctx, &musig_session_a[1], &final_sig_a, partial_sig_a, 2) == 1); |
|||
CHECK(secp256k1_schnorrsig_verify(ctx, &final_sig_a, msg32_a, &combined_pk_a) == 1); |
|||
} |
|||
|
|||
/* Checks that hash initialized by secp256k1_musig_sha256_init_tagged has the
|
|||
* expected state. */ |
|||
void sha256_tag_test(void) { |
|||
char tag[17] = "MuSig coefficient"; |
|||
secp256k1_sha256 sha; |
|||
secp256k1_sha256 sha_tagged; |
|||
unsigned char buf[32]; |
|||
unsigned char buf2[32]; |
|||
size_t i; |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_sha256_write(&sha, (unsigned char *) tag, 17); |
|||
secp256k1_sha256_finalize(&sha, buf); |
|||
/* buf = SHA256("MuSig coefficient") */ |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_sha256_write(&sha, buf, 32); |
|||
secp256k1_sha256_write(&sha, buf, 32); |
|||
/* Is buffer fully consumed? */ |
|||
CHECK((sha.bytes & 0x3F) == 0); |
|||
|
|||
/* Compare with tagged SHA */ |
|||
secp256k1_musig_sha256_init_tagged(&sha_tagged); |
|||
for (i = 0; i < 8; i++) { |
|||
CHECK(sha_tagged.s[i] == sha.s[i]); |
|||
} |
|||
secp256k1_sha256_write(&sha, buf, 32); |
|||
secp256k1_sha256_write(&sha_tagged, buf, 32); |
|||
secp256k1_sha256_finalize(&sha, buf); |
|||
secp256k1_sha256_finalize(&sha_tagged, buf2); |
|||
CHECK(memcmp(buf, buf2, 32) == 0); |
|||
} |
|||
|
|||
void run_musig_tests(void) { |
|||
int i; |
|||
secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024); |
|||
|
|||
musig_api_tests(scratch); |
|||
musig_state_machine_tests(scratch); |
|||
for (i = 0; i < count; i++) { |
|||
/* Run multiple times to ensure that the nonce is negated in some tests */ |
|||
scriptless_atomic_swap(scratch); |
|||
} |
|||
sha256_tag_test(); |
|||
|
|||
secp256k1_scratch_space_destroy(scratch); |
|||
} |
|||
|
|||
#endif |
|||
|
@ -0,0 +1,9 @@ |
|||
include_HEADERS += include/secp256k1_schnorrsig.h |
|||
noinst_HEADERS += src/modules/schnorrsig/main_impl.h |
|||
noinst_HEADERS += src/modules/schnorrsig/tests_impl.h |
|||
if USE_BENCHMARK |
|||
noinst_PROGRAMS += bench_schnorrsig |
|||
bench_schnorrsig_SOURCES = src/bench_schnorrsig.c |
|||
bench_schnorrsig_LDADD = libsecp256k1.la $(SECP_LIBS) $(COMMON_LIB) |
|||
endif |
|||
|
@ -0,0 +1,339 @@ |
|||
/**********************************************************************
|
|||
* Copyright (c) 2018 Andrew Poelstra * |
|||
* Distributed under the MIT software license, see the accompanying * |
|||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|||
**********************************************************************/ |
|||
|
|||
#ifndef _SECP256K1_MODULE_SCHNORRSIG_MAIN_ |
|||
#define _SECP256K1_MODULE_SCHNORRSIG_MAIN_ |
|||
|
|||
#include "include/secp256k1.h" |
|||
#include "include/secp256k1_schnorrsig.h" |
|||
#include "hash.h" |
|||
|
|||
int secp256k1_schnorrsig_serialize(const secp256k1_context* ctx, unsigned char *out64, const secp256k1_schnorrsig* sig) { |
|||
(void) ctx; |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(out64 != NULL); |
|||
ARG_CHECK(sig != NULL); |
|||
memcpy(out64, sig->data, 64); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_schnorrsig_parse(const secp256k1_context* ctx, secp256k1_schnorrsig* sig, const unsigned char *in64) { |
|||
(void) ctx; |
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(in64 != NULL); |
|||
memcpy(sig->data, in64, 64); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig *sig, int *nonce_is_negated, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, void *ndata) { |
|||
secp256k1_scalar x; |
|||
secp256k1_scalar e; |
|||
secp256k1_scalar k; |
|||
secp256k1_gej pkj; |
|||
secp256k1_gej rj; |
|||
secp256k1_ge pk; |
|||
secp256k1_ge r; |
|||
secp256k1_sha256 sha; |
|||
int overflow; |
|||
unsigned char buf[33]; |
|||
size_t buflen = sizeof(buf); |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(msg32 != NULL); |
|||
ARG_CHECK(seckey != NULL); |
|||
|
|||
if (noncefp == NULL) { |
|||
noncefp = secp256k1_nonce_function_bipschnorr; |
|||
} |
|||
secp256k1_scalar_set_b32(&x, seckey, &overflow); |
|||
/* Fail if the secret key is invalid. */ |
|||
if (overflow || secp256k1_scalar_is_zero(&x)) { |
|||
memset(sig, 0, sizeof(*sig)); |
|||
return 0; |
|||
} |
|||
|
|||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pkj, &x); |
|||
secp256k1_ge_set_gej(&pk, &pkj); |
|||
|
|||
if (!noncefp(buf, msg32, seckey, NULL, (void*)ndata, 0)) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_set_b32(&k, buf, NULL); |
|||
if (secp256k1_scalar_is_zero(&k)) { |
|||
return 0; |
|||
} |
|||
|
|||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); |
|||
secp256k1_ge_set_gej(&r, &rj); |
|||
|
|||
if (nonce_is_negated != NULL) { |
|||
*nonce_is_negated = 0; |
|||
} |
|||
if (!secp256k1_fe_is_quad_var(&r.y)) { |
|||
secp256k1_scalar_negate(&k, &k); |
|||
if (nonce_is_negated != NULL) { |
|||
*nonce_is_negated = 1; |
|||
} |
|||
} |
|||
secp256k1_fe_normalize(&r.x); |
|||
secp256k1_fe_get_b32(&sig->data[0], &r.x); |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_sha256_write(&sha, &sig->data[0], 32); |
|||
secp256k1_eckey_pubkey_serialize(&pk, buf, &buflen, 1); |
|||
secp256k1_sha256_write(&sha, buf, buflen); |
|||
secp256k1_sha256_write(&sha, msg32, 32); |
|||
secp256k1_sha256_finalize(&sha, buf); |
|||
|
|||
secp256k1_scalar_set_b32(&e, buf, NULL); |
|||
secp256k1_scalar_mul(&e, &e, &x); |
|||
secp256k1_scalar_add(&e, &e, &k); |
|||
|
|||
secp256k1_scalar_get_b32(&sig->data[32], &e); |
|||
secp256k1_scalar_clear(&k); |
|||
secp256k1_scalar_clear(&x); |
|||
|
|||
return 1; |
|||
} |
|||
|
|||
/* Helper function for verification and batch verification.
|
|||
* Computes R = sG - eP. */ |
|||
static int secp256k1_schnorrsig_real_verify(const secp256k1_context* ctx, secp256k1_gej *rj, const secp256k1_scalar *s, const secp256k1_scalar *e, const secp256k1_pubkey *pk) { |
|||
secp256k1_scalar nege; |
|||
secp256k1_ge pkp; |
|||
secp256k1_gej pkj; |
|||
|
|||
secp256k1_scalar_negate(&nege, e); |
|||
|
|||
if (!secp256k1_pubkey_load(ctx, &pkp, pk)) { |
|||
return 0; |
|||
} |
|||
secp256k1_gej_set_ge(&pkj, &pkp); |
|||
|
|||
/* rj = s*G + (-e)*pkj */ |
|||
secp256k1_ecmult(&ctx->ecmult_ctx, rj, &pkj, &nege, s); |
|||
return 1; |
|||
} |
|||
|
|||
int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *msg32, const secp256k1_pubkey *pk) { |
|||
secp256k1_scalar s; |
|||
secp256k1_scalar e; |
|||
secp256k1_gej rj; |
|||
secp256k1_fe rx; |
|||
secp256k1_sha256 sha; |
|||
unsigned char buf[33]; |
|||
size_t buflen = sizeof(buf); |
|||
int overflow; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(msg32 != NULL); |
|||
ARG_CHECK(pk != NULL); |
|||
|
|||
if (!secp256k1_fe_set_b32(&rx, &sig->data[0])) { |
|||
return 0; |
|||
} |
|||
|
|||
secp256k1_scalar_set_b32(&s, &sig->data[32], &overflow); |
|||
if (overflow) { |
|||
return 0; |
|||
} |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_sha256_write(&sha, &sig->data[0], 32); |
|||
secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk, SECP256K1_EC_COMPRESSED); |
|||
secp256k1_sha256_write(&sha, buf, buflen); |
|||
secp256k1_sha256_write(&sha, msg32, 32); |
|||
secp256k1_sha256_finalize(&sha, buf); |
|||
secp256k1_scalar_set_b32(&e, buf, NULL); |
|||
|
|||
if (!secp256k1_schnorrsig_real_verify(ctx, &rj, &s, &e, pk) |
|||
|| !secp256k1_gej_has_quad_y_var(&rj) /* fails if rj is infinity */ |
|||
|| !secp256k1_gej_eq_x_var(&rx, &rj)) { |
|||
return 0; |
|||
} |
|||
|
|||
return 1; |
|||
} |
|||
|
|||
/* Data that is used by the batch verification ecmult callback */ |
|||
typedef struct { |
|||
const secp256k1_context *ctx; |
|||
/* Seed for the random number generator */ |
|||
unsigned char chacha_seed[32]; |
|||
/* Caches randomizers generated by the PRNG which returns two randomizers per call. Caching
|
|||
* avoids having to call the PRNG twice as often. The very first randomizer will be set to 1 and |
|||
* the PRNG is called at every odd indexed schnorrsig to fill the cache. */ |
|||
secp256k1_scalar randomizer_cache[2]; |
|||
/* Signature, message, public key tuples to verify */ |
|||
const secp256k1_schnorrsig *const *sig; |
|||
const unsigned char *const *msg32; |
|||
const secp256k1_pubkey *const *pk; |
|||
size_t n_sigs; |
|||
} secp256k1_schnorrsig_verify_ecmult_context; |
|||
|
|||
/* Callback function which is called by ecmult_multi in order to convert the ecmult_context
|
|||
* consisting of signature, message and public key tuples into scalars and points. */ |
|||
static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) { |
|||
secp256k1_schnorrsig_verify_ecmult_context *ecmult_context = (secp256k1_schnorrsig_verify_ecmult_context *) data; |
|||
|
|||
if (idx % 4 == 2) { |
|||
/* Every idx corresponds to a (scalar,point)-tuple. So this callback is called with 4
|
|||
* consecutive tuples before we need to call the RNG for new randomizers: |
|||
* (-randomizer_cache[0], R1) |
|||
* (-randomizer_cache[0]*e1, P1) |
|||
* (-randomizer_cache[1], R2) |
|||
* (-randomizer_cache[1]*e2, P2) */ |
|||
secp256k1_scalar_chacha20(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4); |
|||
} |
|||
|
|||
/* R */ |
|||
if (idx % 2 == 0) { |
|||
secp256k1_fe rx; |
|||
*sc = ecmult_context->randomizer_cache[(idx / 2) % 2]; |
|||
if (!secp256k1_fe_set_b32(&rx, &ecmult_context->sig[idx / 2]->data[0])) { |
|||
return 0; |
|||
} |
|||
if (!secp256k1_ge_set_xquad(pt, &rx)) { |
|||
return 0; |
|||
} |
|||
/* eP */ |
|||
} else { |
|||
unsigned char buf[33]; |
|||
size_t buflen = sizeof(buf); |
|||
secp256k1_sha256 sha; |
|||
secp256k1_sha256_initialize(&sha); |
|||
secp256k1_sha256_write(&sha, &ecmult_context->sig[idx / 2]->data[0], 32); |
|||
secp256k1_ec_pubkey_serialize(ecmult_context->ctx, buf, &buflen, ecmult_context->pk[idx / 2], SECP256K1_EC_COMPRESSED); |
|||
secp256k1_sha256_write(&sha, buf, buflen); |
|||
secp256k1_sha256_write(&sha, ecmult_context->msg32[idx / 2], 32); |
|||
secp256k1_sha256_finalize(&sha, buf); |
|||
|
|||
secp256k1_scalar_set_b32(sc, buf, NULL); |
|||
secp256k1_scalar_mul(sc, sc, &ecmult_context->randomizer_cache[(idx / 2) % 2]); |
|||
|
|||
if (!secp256k1_pubkey_load(ecmult_context->ctx, pt, ecmult_context->pk[idx / 2])) { |
|||
return 0; |
|||
} |
|||
} |
|||
return 1; |
|||
} |
|||
|
|||
/** Helper function for batch verification. Hashes signature verification data into the
|
|||
* randomization seed and initializes ecmult_context. |
|||
* |
|||
* Returns 1 if the randomizer was successfully initialized. |
|||
* |
|||
* Args: ctx: a secp256k1 context object |
|||
* Out: ecmult_context: context for batch_ecmult_callback |
|||
* In/Out sha: an initialized sha256 object which hashes the schnorrsig input in order to get a |
|||
* seed for the randomizer PRNG |
|||
* In: sig: array of signatures, or NULL if there are no signatures |
|||
* msg32: array of messages, or NULL if there are no signatures |
|||
* pk: array of public keys, or NULL if there are no signatures |
|||
* n_sigs: number of signatures in above arrays (must be 0 if they are NULL) |
|||
*/ |
|||
int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_context *ctx, secp256k1_schnorrsig_verify_ecmult_context *ecmult_context, secp256k1_sha256 *sha, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) { |
|||
size_t i; |
|||
|
|||
if (n_sigs > 0) { |
|||
ARG_CHECK(sig != NULL); |
|||
ARG_CHECK(msg32 != NULL); |
|||
ARG_CHECK(pk != NULL); |
|||
} |
|||
|
|||
for (i = 0; i < n_sigs; i++) { |
|||
unsigned char buf[33]; |
|||
size_t buflen = sizeof(buf); |
|||
secp256k1_sha256_write(sha, sig[i]->data, 64); |
|||
secp256k1_sha256_write(sha, msg32[i], 32); |
|||
secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk[i], SECP256K1_EC_COMPRESSED); |
|||
secp256k1_sha256_write(sha, buf, 32); |
|||
} |
|||
ecmult_context->ctx = ctx; |
|||
ecmult_context->sig = sig; |
|||
ecmult_context->msg32 = msg32; |
|||
ecmult_context->pk = pk; |
|||
ecmult_context->n_sigs = n_sigs; |
|||
|
|||
return 1; |
|||
} |
|||
|
|||
/** Helper function for batch verification. Sums the s part of all signatures multiplied by their
|
|||
* randomizer. |
|||
* |
|||
* Returns 1 if s is successfully summed. |
|||
* |
|||
* In/Out: s: the s part of the input sigs is added to this s argument |
|||
* In: chacha_seed: PRNG seed for computing randomizers |
|||
* sig: array of signatures, or NULL if there are no signatures |
|||
* n_sigs: number of signatures in above array (must be 0 if they are NULL) |
|||
*/ |
|||
int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned char *chacha_seed, const secp256k1_schnorrsig *const *sig, size_t n_sigs) { |
|||
secp256k1_scalar randomizer_cache[2]; |
|||
size_t i; |
|||
|
|||
secp256k1_scalar_set_int(&randomizer_cache[0], 1); |
|||
for (i = 0; i < n_sigs; i++) { |
|||
int overflow; |
|||
secp256k1_scalar term; |
|||
if (i % 2 == 1) { |
|||
secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2); |
|||
} |
|||
|
|||
secp256k1_scalar_set_b32(&term, &sig[i]->data[32], &overflow); |
|||
if (overflow) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_mul(&term, &term, &randomizer_cache[i % 2]); |
|||
secp256k1_scalar_add(s, s, &term); |
|||
} |
|||
return 1; |
|||
} |
|||
|
|||
/* schnorrsig batch verification.
|
|||
* Seeds a random number generator with the inputs and derives a random number ai for every |
|||
* signature i. Fails if y-coordinate of any R is not a quadratic residue or if |
|||
* 0 != -(s1 + a2*s2 + ... + au*su)G + R1 + a2*R2 + ... + au*Ru + e1*P1 + (a2*e2)P2 + ... + (au*eu)Pu. */ |
|||
int secp256k1_schnorrsig_verify_batch(const secp256k1_context *ctx, secp256k1_scratch *scratch, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) { |
|||
secp256k1_schnorrsig_verify_ecmult_context ecmult_context; |
|||
secp256k1_sha256 sha; |
|||
secp256k1_scalar s; |
|||
secp256k1_gej rj; |
|||
|
|||
VERIFY_CHECK(ctx != NULL); |
|||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
|||
ARG_CHECK(scratch != NULL); |
|||
/* Check that n_sigs is less than half of the maximum size_t value. This is necessary because
|
|||
* the number of points given to ecmult_multi is 2*n_sigs. */ |
|||
ARG_CHECK(n_sigs <= SIZE_MAX / 2); |
|||
/* Check that n_sigs is less than 2^31 to ensure the same behavior of this function on 32-bit
|
|||
* and 64-bit platforms. */ |
|||
ARG_CHECK(n_sigs < (size_t)(1 << 31)); |
|||
|
|||
secp256k1_sha256_initialize(&sha); |
|||
if (!secp256k1_schnorrsig_verify_batch_init_randomizer(ctx, &ecmult_context, &sha, sig, msg32, pk, n_sigs)) { |
|||
return 0; |
|||
} |
|||
secp256k1_sha256_finalize(&sha, ecmult_context.chacha_seed); |
|||
secp256k1_scalar_set_int(&ecmult_context.randomizer_cache[0], 1); |
|||
|
|||
secp256k1_scalar_clear(&s); |
|||
if (!secp256k1_schnorrsig_verify_batch_sum_s(&s, ecmult_context.chacha_seed, sig, n_sigs)) { |
|||
return 0; |
|||
} |
|||
secp256k1_scalar_negate(&s, &s); |
|||
|
|||
return secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &rj, &s, secp256k1_schnorrsig_verify_batch_ecmult_callback, (void *) &ecmult_context, 2 * n_sigs) |
|||
&& secp256k1_gej_is_infinity(&rj); |
|||
} |
|||
|
|||
#endif |
|||
|
@ -0,0 +1,727 @@ |
|||
/**********************************************************************
|
|||
* Copyright (c) 2018 Andrew Poelstra * |
|||
* Distributed under the MIT software license, see the accompanying * |
|||
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
|
|||
**********************************************************************/ |
|||
|
|||
#ifndef _SECP256K1_MODULE_SCHNORRSIG_TESTS_ |
|||
#define _SECP256K1_MODULE_SCHNORRSIG_TESTS_ |
|||
|
|||
#include "secp256k1_schnorrsig.h" |
|||
|
|||
void test_schnorrsig_serialize(void) { |
|||
secp256k1_schnorrsig sig; |
|||
unsigned char in[64]; |
|||
unsigned char out[64]; |
|||
|
|||
memset(in, 0x12, 64); |
|||
CHECK(secp256k1_schnorrsig_parse(ctx, &sig, in)); |
|||
CHECK(secp256k1_schnorrsig_serialize(ctx, out, &sig)); |
|||
CHECK(memcmp(in, out, 64) == 0); |
|||
} |
|||
|
|||
void test_schnorrsig_api(secp256k1_scratch_space *scratch) { |
|||
unsigned char sk1[32]; |
|||
unsigned char sk2[32]; |
|||
unsigned char sk3[32]; |
|||
unsigned char msg[32]; |
|||
unsigned char sig64[64]; |
|||
secp256k1_pubkey pk[3]; |
|||
secp256k1_schnorrsig sig; |
|||
const secp256k1_schnorrsig *sigptr = &sig; |
|||
const unsigned char *msgptr = msg; |
|||
const secp256k1_pubkey *pkptr = &pk[0]; |
|||
int nonce_is_negated; |
|||
|
|||
/** setup **/ |
|||
secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); |
|||
secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); |
|||
secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY); |
|||
secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); |
|||
int ecount; |
|||
|
|||
secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); |
|||
secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); |
|||
|
|||
secp256k1_rand256(sk1); |
|||
secp256k1_rand256(sk2); |
|||
secp256k1_rand256(sk3); |
|||
secp256k1_rand256(msg); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk1) == 1); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[1], sk2) == 1); |
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk[2], sk3) == 1); |
|||
|
|||
/** main test body **/ |
|||
ecount = 0; |
|||
CHECK(secp256k1_schnorrsig_sign(none, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_schnorrsig_sign(vrfy, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_sign(sign, NULL, &nonce_is_negated, msg, sk1, NULL, NULL) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_schnorrsig_sign(sign, &sig, NULL, msg, sk1, NULL, NULL) == 1); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, NULL, sk1, NULL, NULL) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, msg, NULL, NULL, NULL) == 0); |
|||
CHECK(ecount == 5); |
|||
|
|||
ecount = 0; |
|||
CHECK(secp256k1_schnorrsig_serialize(none, sig64, &sig) == 1); |
|||
CHECK(ecount == 0); |
|||
CHECK(secp256k1_schnorrsig_serialize(none, NULL, &sig) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_schnorrsig_serialize(none, sig64, NULL) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_parse(none, &sig, sig64) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_parse(none, NULL, sig64) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_schnorrsig_parse(none, &sig, NULL) == 0); |
|||
CHECK(ecount == 4); |
|||
|
|||
ecount = 0; |
|||
CHECK(secp256k1_schnorrsig_verify(none, &sig, msg, &pk[0]) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_schnorrsig_verify(sign, &sig, msg, &pk[0]) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_verify(vrfy, &sig, msg, &pk[0]) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_schnorrsig_verify(vrfy, &sig, NULL, &pk[0]) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_schnorrsig_verify(vrfy, &sig, msg, NULL) == 0); |
|||
CHECK(ecount == 5); |
|||
|
|||
ecount = 0; |
|||
CHECK(secp256k1_schnorrsig_verify_batch(none, scratch, &sigptr, &msgptr, &pkptr, 1) == 0); |
|||
CHECK(ecount == 1); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(sign, scratch, &sigptr, &msgptr, &pkptr, 1) == 0); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, 1) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, NULL, NULL, NULL, 0) == 1); |
|||
CHECK(ecount == 2); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, NULL, &msgptr, &pkptr, 1) == 0); |
|||
CHECK(ecount == 3); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, NULL, &pkptr, 1) == 0); |
|||
CHECK(ecount == 4); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, NULL, 1) == 0); |
|||
CHECK(ecount == 5); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, (size_t)1 << (sizeof(size_t)*8-1)) == 0); |
|||
CHECK(ecount == 6); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, 1 << 31) == 0); |
|||
CHECK(ecount == 7); |
|||
|
|||
secp256k1_context_destroy(none); |
|||
secp256k1_context_destroy(sign); |
|||
secp256k1_context_destroy(vrfy); |
|||
secp256k1_context_destroy(both); |
|||
} |
|||
|
|||
/* Helper function for schnorrsig_bip_vectors
|
|||
* Signs the message and checks that it's the same as expected_sig. */ |
|||
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *msg, const unsigned char *expected_sig, const int expected_nonce_is_negated) { |
|||
secp256k1_schnorrsig sig; |
|||
unsigned char serialized_sig[64]; |
|||
secp256k1_pubkey pk; |
|||
int nonce_is_negated; |
|||
|
|||
CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &nonce_is_negated, msg, sk, NULL, NULL)); |
|||
CHECK(nonce_is_negated == expected_nonce_is_negated); |
|||
CHECK(secp256k1_schnorrsig_serialize(ctx, serialized_sig, &sig)); |
|||
CHECK(memcmp(serialized_sig, expected_sig, 64) == 0); |
|||
|
|||
CHECK(secp256k1_ec_pubkey_parse(ctx, &pk, pk_serialized, 33)); |
|||
CHECK(secp256k1_schnorrsig_verify(ctx, &sig, msg, &pk)); |
|||
} |
|||
|
|||
/* Helper function for schnorrsig_bip_vectors
|
|||
* Checks that both verify and verify_batch return the same value as expected. */ |
|||
void test_schnorrsig_bip_vectors_check_verify(secp256k1_scratch_space *scratch, const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig_serialized, int expected) { |
|||
const unsigned char *msg_arr[1]; |
|||
const secp256k1_schnorrsig *sig_arr[1]; |
|||
const secp256k1_pubkey *pk_arr[1]; |
|||
secp256k1_pubkey pk; |
|||
secp256k1_schnorrsig sig; |
|||
|
|||
CHECK(secp256k1_ec_pubkey_parse(ctx, &pk, pk_serialized, 33)); |
|||
CHECK(secp256k1_schnorrsig_parse(ctx, &sig, sig_serialized)); |
|||
|
|||
sig_arr[0] = &sig; |
|||
msg_arr[0] = msg32; |
|||
pk_arr[0] = &pk; |
|||
|
|||
CHECK(expected == secp256k1_schnorrsig_verify(ctx, &sig, msg32, &pk)); |
|||
CHECK(expected == secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 1)); |
|||
} |
|||
|
|||
/* Test vectors according to BIP-schnorr
|
|||
* (https://github.com/sipa/bips/blob/7f6a73e53c8bbcf2d008ea0546f76433e22094a8/bip-schnorr/test-vectors.csv).
|
|||
*/ |
|||
void test_schnorrsig_bip_vectors(secp256k1_scratch_space *scratch) { |
|||
{ |
|||
/* Test vector 1 */ |
|||
const unsigned char sk1[32] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 |
|||
}; |
|||
const unsigned char pk1[33] = { |
|||
0x02, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, |
|||
0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, |
|||
0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, |
|||
0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, |
|||
0x98 |
|||
}; |
|||
const unsigned char msg1[32] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 |
|||
}; |
|||
const unsigned char sig1[64] = { |
|||
0x78, 0x7A, 0x84, 0x8E, 0x71, 0x04, 0x3D, 0x28, |
|||
0x0C, 0x50, 0x47, 0x0E, 0x8E, 0x15, 0x32, 0xB2, |
|||
0xDD, 0x5D, 0x20, 0xEE, 0x91, 0x2A, 0x45, 0xDB, |
|||
0xDD, 0x2B, 0xD1, 0xDF, 0xBF, 0x18, 0x7E, 0xF6, |
|||
0x70, 0x31, 0xA9, 0x88, 0x31, 0x85, 0x9D, 0xC3, |
|||
0x4D, 0xFF, 0xEE, 0xDD, 0xA8, 0x68, 0x31, 0x84, |
|||
0x2C, 0xCD, 0x00, 0x79, 0xE1, 0xF9, 0x2A, 0xF1, |
|||
0x77, 0xF7, 0xF2, 0x2C, 0xC1, 0xDC, 0xED, 0x05 |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_signing(sk1, pk1, msg1, sig1, 1); |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk1, msg1, sig1, 1); |
|||
} |
|||
{ |
|||
/* Test vector 2 */ |
|||
const unsigned char sk2[32] = { |
|||
0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, |
|||
0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, |
|||
0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, |
|||
0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF |
|||
}; |
|||
const unsigned char pk2[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg2[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig2[64] = { |
|||
0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, |
|||
0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, |
|||
0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, |
|||
0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, |
|||
0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, |
|||
0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, |
|||
0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, |
|||
0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_signing(sk2, pk2, msg2, sig2, 0); |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk2, msg2, sig2, 1); |
|||
} |
|||
{ |
|||
/* Test vector 3 */ |
|||
const unsigned char sk3[32] = { |
|||
0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, |
|||
0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, |
|||
0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, |
|||
0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC7 |
|||
}; |
|||
const unsigned char pk3[33] = { |
|||
0x03, 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, |
|||
0x15, 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, |
|||
0x80, 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, |
|||
0x3C, 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, |
|||
0x4B |
|||
}; |
|||
const unsigned char msg3[32] = { |
|||
0x5E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A, |
|||
0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D, |
|||
0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33, |
|||
0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C |
|||
}; |
|||
const unsigned char sig3[64] = { |
|||
0x00, 0xDA, 0x9B, 0x08, 0x17, 0x2A, 0x9B, 0x6F, |
|||
0x04, 0x66, 0xA2, 0xDE, 0xFD, 0x81, 0x7F, 0x2D, |
|||
0x7A, 0xB4, 0x37, 0xE0, 0xD2, 0x53, 0xCB, 0x53, |
|||
0x95, 0xA9, 0x63, 0x86, 0x6B, 0x35, 0x74, 0xBE, |
|||
0x00, 0x88, 0x03, 0x71, 0xD0, 0x17, 0x66, 0x93, |
|||
0x5B, 0x92, 0xD2, 0xAB, 0x4C, 0xD5, 0xC8, 0xA2, |
|||
0xA5, 0x83, 0x7E, 0xC5, 0x7F, 0xED, 0x76, 0x60, |
|||
0x77, 0x3A, 0x05, 0xF0, 0xDE, 0x14, 0x23, 0x80 |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_signing(sk3, pk3, msg3, sig3, 0); |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk3, msg3, sig3, 1); |
|||
} |
|||
{ |
|||
/* Test vector 4 */ |
|||
const unsigned char pk4[33] = { |
|||
0x03, 0xDE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, |
|||
0x50, 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, |
|||
0x21, 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, |
|||
0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, |
|||
0x34 |
|||
}; |
|||
const unsigned char msg4[32] = { |
|||
0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2, |
|||
0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24, |
|||
0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B, |
|||
0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03 |
|||
}; |
|||
const unsigned char sig4[64] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F, |
|||
0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28, |
|||
0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63, |
|||
0x02, 0xA8, 0xDC, 0x32, 0xE6, 0x4E, 0x86, 0xA3, |
|||
0x33, 0xF2, 0x0E, 0xF5, 0x6E, 0xAC, 0x9B, 0xA3, |
|||
0x0B, 0x72, 0x46, 0xD6, 0xD2, 0x5E, 0x22, 0xAD, |
|||
0xB8, 0xC6, 0xBE, 0x1A, 0xEB, 0x08, 0xD4, 0x9D |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk4, msg4, sig4, 1); |
|||
} |
|||
{ |
|||
/* Test vector 5 */ |
|||
const unsigned char pk5[33] = { |
|||
0x03, 0x1B, 0x84, 0xC5, 0x56, 0x7B, 0x12, 0x64, |
|||
0x40, 0x99, 0x5D, 0x3E, 0xD5, 0xAA, 0xBA, 0x05, |
|||
0x65, 0xD7, 0x1E, 0x18, 0x34, 0x60, 0x48, 0x19, |
|||
0xFF, 0x9C, 0x17, 0xF5, 0xE9, 0xD5, 0xDD, 0x07, |
|||
0x8F |
|||
}; |
|||
const unsigned char msg5[32] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 |
|||
}; |
|||
const unsigned char sig5[64] = { |
|||
0x52, 0x81, 0x85, 0x79, 0xAC, 0xA5, 0x97, 0x67, |
|||
0xE3, 0x29, 0x1D, 0x91, 0xB7, 0x6B, 0x63, 0x7B, |
|||
0xEF, 0x06, 0x20, 0x83, 0x28, 0x49, 0x92, 0xF2, |
|||
0xD9, 0x5F, 0x56, 0x4C, 0xA6, 0xCB, 0x4E, 0x35, |
|||
0x30, 0xB1, 0xDA, 0x84, 0x9C, 0x8E, 0x83, 0x04, |
|||
0xAD, 0xC0, 0xCF, 0xE8, 0x70, 0x66, 0x03, 0x34, |
|||
0xB3, 0xCF, 0xC1, 0x8E, 0x82, 0x5E, 0xF1, 0xDB, |
|||
0x34, 0xCF, 0xAE, 0x3D, 0xFC, 0x5D, 0x81, 0x87 |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk5, msg5, sig5, 1); |
|||
} |
|||
{ |
|||
/* Test vector 6 */ |
|||
const unsigned char pk6[33] = { |
|||
0x03, 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, |
|||
0x15, 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, |
|||
0x80, 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, |
|||
0x3C, 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, |
|||
0x4B |
|||
}; |
|||
const unsigned char msg6[32] = { |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF |
|||
}; |
|||
const unsigned char sig6[64] = { |
|||
0x57, 0x0D, 0xD4, 0xCA, 0x83, 0xD4, 0xE6, 0x31, |
|||
0x7B, 0x8E, 0xE6, 0xBA, 0xE8, 0x34, 0x67, 0xA1, |
|||
0xBF, 0x41, 0x9D, 0x07, 0x67, 0x12, 0x2D, 0xE4, |
|||
0x09, 0x39, 0x44, 0x14, 0xB0, 0x50, 0x80, 0xDC, |
|||
0xE9, 0xEE, 0x5F, 0x23, 0x7C, 0xBD, 0x10, 0x8E, |
|||
0xAB, 0xAE, 0x1E, 0x37, 0x75, 0x9A, 0xE4, 0x7F, |
|||
0x8E, 0x42, 0x03, 0xDA, 0x35, 0x32, 0xEB, 0x28, |
|||
0xDB, 0x86, 0x0F, 0x33, 0xD6, 0x2D, 0x49, 0xBD |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk6, msg6, sig6, 1); |
|||
} |
|||
{ |
|||
/* Test vector 7 */ |
|||
const unsigned char pk7[33] = { |
|||
0x03, 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, |
|||
0x50, 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, |
|||
0x21, 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, |
|||
0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, |
|||
0x34 |
|||
}; |
|||
secp256k1_pubkey pk7_parsed; |
|||
/* No need to check the signature of the test vector as parsing the pubkey already fails */ |
|||
CHECK(!secp256k1_ec_pubkey_parse(ctx, &pk7_parsed, pk7, 33)); |
|||
} |
|||
{ |
|||
/* Test vector 8 */ |
|||
const unsigned char pk8[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg8[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig8[64] = { |
|||
0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, |
|||
0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, |
|||
0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, |
|||
0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, |
|||
0xFA, 0x16, 0xAE, 0xE0, 0x66, 0x09, 0x28, 0x0A, |
|||
0x19, 0xB6, 0x7A, 0x24, 0xE1, 0x97, 0x7E, 0x46, |
|||
0x97, 0x71, 0x2B, 0x5F, 0xD2, 0x94, 0x39, 0x14, |
|||
0xEC, 0xD5, 0xF7, 0x30, 0x90, 0x1B, 0x4A, 0xB7 |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk8, msg8, sig8, 0); |
|||
} |
|||
{ |
|||
/* Test vector 9 */ |
|||
const unsigned char pk9[33] = { |
|||
0x03, 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, |
|||
0x15, 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, |
|||
0x80, 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, |
|||
0x3C, 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, |
|||
0x4B |
|||
}; |
|||
const unsigned char msg9[32] = { |
|||
0x5E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A, |
|||
0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D, |
|||
0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33, |
|||
0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C |
|||
}; |
|||
const unsigned char sig9[64] = { |
|||
0x00, 0xDA, 0x9B, 0x08, 0x17, 0x2A, 0x9B, 0x6F, |
|||
0x04, 0x66, 0xA2, 0xDE, 0xFD, 0x81, 0x7F, 0x2D, |
|||
0x7A, 0xB4, 0x37, 0xE0, 0xD2, 0x53, 0xCB, 0x53, |
|||
0x95, 0xA9, 0x63, 0x86, 0x6B, 0x35, 0x74, 0xBE, |
|||
0xD0, 0x92, 0xF9, 0xD8, 0x60, 0xF1, 0x77, 0x6A, |
|||
0x1F, 0x74, 0x12, 0xAD, 0x8A, 0x1E, 0xB5, 0x0D, |
|||
0xAC, 0xCC, 0x22, 0x2B, 0xC8, 0xC0, 0xE2, 0x6B, |
|||
0x20, 0x56, 0xDF, 0x2F, 0x27, 0x3E, 0xFD, 0xEC |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk9, msg9, sig9, 0); |
|||
} |
|||
{ |
|||
/* Test vector 10 */ |
|||
const unsigned char pk10[33] = { |
|||
0x02, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, |
|||
0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, |
|||
0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, |
|||
0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, |
|||
0x98 |
|||
}; |
|||
const unsigned char msg10[32] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 |
|||
}; |
|||
const unsigned char sig10[64] = { |
|||
0x78, 0x7A, 0x84, 0x8E, 0x71, 0x04, 0x3D, 0x28, |
|||
0x0C, 0x50, 0x47, 0x0E, 0x8E, 0x15, 0x32, 0xB2, |
|||
0xDD, 0x5D, 0x20, 0xEE, 0x91, 0x2A, 0x45, 0xDB, |
|||
0xDD, 0x2B, 0xD1, 0xDF, 0xBF, 0x18, 0x7E, 0xF6, |
|||
0x8F, 0xCE, 0x56, 0x77, 0xCE, 0x7A, 0x62, 0x3C, |
|||
0xB2, 0x00, 0x11, 0x22, 0x57, 0x97, 0xCE, 0x7A, |
|||
0x8D, 0xE1, 0xDC, 0x6C, 0xCD, 0x4F, 0x75, 0x4A, |
|||
0x47, 0xDA, 0x6C, 0x60, 0x0E, 0x59, 0x54, 0x3C |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk10, msg10, sig10, 0); |
|||
} |
|||
{ |
|||
/* Test vector 11 */ |
|||
const unsigned char pk11[33] = { |
|||
0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg11[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig11[64] = { |
|||
0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, |
|||
0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, |
|||
0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, |
|||
0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, |
|||
0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, |
|||
0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, |
|||
0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, |
|||
0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk11, msg11, sig11, 0); |
|||
} |
|||
{ |
|||
/* Test vector 12 */ |
|||
const unsigned char pk12[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg12[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig12[64] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x9E, 0x9D, 0x01, 0xAF, 0x98, 0x8B, 0x5C, 0xED, |
|||
0xCE, 0x47, 0x22, 0x1B, 0xFA, 0x9B, 0x22, 0x27, |
|||
0x21, 0xF3, 0xFA, 0x40, 0x89, 0x15, 0x44, 0x4A, |
|||
0x4B, 0x48, 0x90, 0x21, 0xDB, 0x55, 0x77, 0x5F |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk12, msg12, sig12, 0); |
|||
} |
|||
{ |
|||
/* Test vector 13 */ |
|||
const unsigned char pk13[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg13[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig13[64] = { |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
|||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, |
|||
0xD3, 0x7D, 0xDF, 0x02, 0x54, 0x35, 0x18, 0x36, |
|||
0xD8, 0x4B, 0x1B, 0xD6, 0xA7, 0x95, 0xFD, 0x5D, |
|||
0x52, 0x30, 0x48, 0xF2, 0x98, 0xC4, 0x21, 0x4D, |
|||
0x18, 0x7F, 0xE4, 0x89, 0x29, 0x47, 0xF7, 0x28 |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk13, msg13, sig13, 0); |
|||
} |
|||
{ |
|||
/* Test vector 14 */ |
|||
const unsigned char pk14[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg14[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x14, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig14[64] = { |
|||
0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, |
|||
0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, |
|||
0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, |
|||
0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, |
|||
0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, |
|||
0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, |
|||
0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, |
|||
0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk14, msg14, sig14, 0); |
|||
} |
|||
{ |
|||
/* Test vector 15 */ |
|||
const unsigned char pk15[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg15[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig15[64] = { |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x2F, |
|||
0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, |
|||
0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, |
|||
0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, |
|||
0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk15, msg15, sig15, 0); |
|||
} |
|||
{ |
|||
/* Test vector 16 */ |
|||
const unsigned char pk16[33] = { |
|||
0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, |
|||
0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, |
|||
0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, |
|||
0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, |
|||
0x59 |
|||
}; |
|||
const unsigned char msg16[32] = { |
|||
0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, |
|||
0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, |
|||
0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, |
|||
0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 |
|||
}; |
|||
const unsigned char sig16[64] = { |
|||
0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, |
|||
0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, |
|||
0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, |
|||
0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, |
|||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, |
|||
0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, |
|||
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 |
|||
}; |
|||
test_schnorrsig_bip_vectors_check_verify(scratch, pk16, msg16, sig16, 0); |
|||
} |
|||
} |
|||
|
|||
/* Nonce function that returns constant 0 */ |
|||
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { |
|||
(void) msg32; |
|||
(void) key32; |
|||
(void) algo16; |
|||
(void) data; |
|||
(void) counter; |
|||
(void) nonce32; |
|||
return 0; |
|||
} |
|||
|
|||
/* Nonce function that sets nonce to 0 */ |
|||
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { |
|||
(void) msg32; |
|||
(void) key32; |
|||
(void) algo16; |
|||
(void) data; |
|||
(void) counter; |
|||
|
|||
memset(nonce32, 0, 32); |
|||
return 1; |
|||
} |
|||
|
|||
void test_schnorrsig_sign(void) { |
|||
unsigned char sk[32]; |
|||
const unsigned char msg[32] = "this is a msg for a schnorrsig.."; |
|||
secp256k1_schnorrsig sig; |
|||
|
|||
memset(sk, 23, sizeof(sk)); |
|||
CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL) == 1); |
|||
|
|||
/* Overflowing secret key */ |
|||
memset(sk, 0xFF, sizeof(sk)); |
|||
CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL) == 0); |
|||
memset(sk, 23, sizeof(sk)); |
|||
|
|||
CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, nonce_function_failing, NULL) == 0); |
|||
CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, nonce_function_0, NULL) == 0); |
|||
} |
|||
|
|||
#define N_SIGS 200 |
|||
/* Creates N_SIGS valid signatures and verifies them with verify and verify_batch. Then flips some
|
|||
* bits and checks that verification now fails. */ |
|||
void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) { |
|||
const unsigned char sk[32] = "shhhhhhhh! this key is a secret."; |
|||
unsigned char msg[N_SIGS][32]; |
|||
secp256k1_schnorrsig sig[N_SIGS]; |
|||
size_t i; |
|||
const secp256k1_schnorrsig *sig_arr[N_SIGS]; |
|||
const unsigned char *msg_arr[N_SIGS]; |
|||
const secp256k1_pubkey *pk_arr[N_SIGS]; |
|||
secp256k1_pubkey pk; |
|||
|
|||
CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk)); |
|||
|
|||
CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, NULL, NULL, NULL, 0)); |
|||
|
|||
for (i = 0; i < N_SIGS; i++) { |
|||
secp256k1_rand256(msg[i]); |
|||
CHECK(secp256k1_schnorrsig_sign(ctx, &sig[i], NULL, msg[i], sk, NULL, NULL)); |
|||
CHECK(secp256k1_schnorrsig_verify(ctx, &sig[i], msg[i], &pk)); |
|||
sig_arr[i] = &sig[i]; |
|||
msg_arr[i] = msg[i]; |
|||
pk_arr[i] = &pk; |
|||
} |
|||
|
|||
CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 1)); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 2)); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, N_SIGS)); |
|||
|
|||
{ |
|||
/* Flip a few bits in the signature and in the message and check that
|
|||
* verify and verify_batch fail */ |
|||
size_t sig_idx = secp256k1_rand_int(4); |
|||
size_t byte_idx = secp256k1_rand_int(32); |
|||
unsigned char xorbyte = secp256k1_rand_int(254)+1; |
|||
sig[sig_idx].data[byte_idx] ^= xorbyte; |
|||
CHECK(!secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); |
|||
CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); |
|||
sig[sig_idx].data[byte_idx] ^= xorbyte; |
|||
|
|||
byte_idx = secp256k1_rand_int(32); |
|||
sig[sig_idx].data[32+byte_idx] ^= xorbyte; |
|||
CHECK(!secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); |
|||
CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); |
|||
sig[sig_idx].data[32+byte_idx] ^= xorbyte; |
|||
|
|||
byte_idx = secp256k1_rand_int(32); |
|||
msg[sig_idx][byte_idx] ^= xorbyte; |
|||
CHECK(!secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); |
|||
CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); |
|||
msg[sig_idx][byte_idx] ^= xorbyte; |
|||
|
|||
/* Check that above bitflips have been reversed correctly */ |
|||
CHECK(secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); |
|||
CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); |
|||
} |
|||
} |
|||
#undef N_SIGS |
|||
|
|||
void run_schnorrsig_tests(void) { |
|||
secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024); |
|||
|
|||
test_schnorrsig_serialize(); |
|||
test_schnorrsig_api(scratch); |
|||
test_schnorrsig_bip_vectors(scratch); |
|||
test_schnorrsig_sign(); |
|||
test_schnorrsig_sign_verify(scratch); |
|||
|
|||
secp256k1_scratch_space_destroy(scratch); |
|||
} |
|||
|
|||
#endif |
|||
|
File diff suppressed because it is too large
Loading…
Reference in new issue