2022-03-11 19:00:33 -08:00
|
|
|
// Copyright 2013-2022 The btcsuite developers
|
2022-03-01 18:48:09 -08:00
|
|
|
|
|
|
|
|
package musig2
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/sha256"
|
|
|
|
|
"encoding/hex"
|
|
|
|
|
"fmt"
|
2022-03-11 19:00:33 -08:00
|
|
|
"sync"
|
2022-03-01 18:48:09 -08:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/btcsuite/btcd/btcec/v2"
|
|
|
|
|
"github.com/btcsuite/btcd/btcec/v2/schnorr"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TestMuSig2SgnTestVectors tests that this implementation of musig2 matches
|
|
|
|
|
// the secp256k1-zkp test vectors.
|
|
|
|
|
func TestMuSig2SignTestVectors(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
key1Bytes, _ = hex.DecodeString("F9308A019258C31049344F85F89D5229B53" +
|
|
|
|
|
"1C845836F99B08601F113BCE036F9")
|
|
|
|
|
key2Bytes, _ = hex.DecodeString("DFF1D77F2A671C5F36183726DB2341BE58F" +
|
|
|
|
|
"EAE1DA2DECED843240F7B502BA659")
|
|
|
|
|
key3Bytes, _ = hex.DecodeString("3590A94E768F8E1815C2F24B4D80A8E3149" +
|
|
|
|
|
"316C3518CE7B7AD338368D038CA66")
|
|
|
|
|
|
|
|
|
|
testKeys = [][]byte{key1Bytes, key2Bytes, key3Bytes}
|
|
|
|
|
|
|
|
|
|
keyCombo1, _ = hex.DecodeString("E5830140512195D74C8307E39637CBE5FB730EBEAB80EC514CF88A877CEEEE0B")
|
|
|
|
|
keyCombo2, _ = hex.DecodeString("D70CD69A2647F7390973DF48CBFA2CCC407B8B2D60B08C5F1641185C7998A290")
|
|
|
|
|
keyCombo3, _ = hex.DecodeString("81A8B093912C9E481408D09776CEFB48AEB8B65481B6BAAFB3C5810106717BEB")
|
|
|
|
|
keyCombo4, _ = hex.DecodeString("2EB18851887E7BDC5E830E89B19DDBC28078F1FA88AAD0AD01CA06FE4F80210B")
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TestMuSig2KeyAggTestVectors tests that this implementation of musig2 key
|
|
|
|
|
// aggregation lines up with the secp256k1-zkp test vectors.
|
|
|
|
|
func TestMuSig2KeyAggTestVectors(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
testCases := []struct {
|
|
|
|
|
keyOrder []int
|
|
|
|
|
expectedKey []byte
|
|
|
|
|
}{
|
|
|
|
|
// Keys in backwards lexicographical order.
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{0, 1, 2},
|
|
|
|
|
expectedKey: keyCombo1,
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Keys in sorted order.
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{2, 1, 0},
|
|
|
|
|
expectedKey: keyCombo2,
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Only the first key.
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{0, 0, 0},
|
|
|
|
|
expectedKey: keyCombo3,
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Duplicate the first key and second keys.
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{0, 0, 1, 1},
|
|
|
|
|
expectedKey: keyCombo4,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for i, testCase := range testCases {
|
|
|
|
|
testName := fmt.Sprintf("%v", testCase.keyOrder)
|
|
|
|
|
t.Run(testName, func(t *testing.T) {
|
|
|
|
|
var keys []*btcec.PublicKey
|
|
|
|
|
for _, keyIndex := range testCase.keyOrder {
|
|
|
|
|
keyBytes := testKeys[keyIndex]
|
|
|
|
|
pub, err := schnorr.ParsePubKey(keyBytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to parse pubkeys: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
keys = append(keys, pub)
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
uniqueKeyIndex := secondUniqueKeyIndex(keys, false)
|
2022-03-30 22:52:39 -05:00
|
|
|
combinedKey, _, _, _ := AggregateKeys(
|
2022-03-10 18:47:52 -08:00
|
|
|
keys, false, WithUniqueKeyIndex(uniqueKeyIndex),
|
|
|
|
|
)
|
2022-03-31 19:27:34 -05:00
|
|
|
combinedKeyBytes := schnorr.SerializePubKey(combinedKey.FinalKey)
|
2022-03-01 18:48:09 -08:00
|
|
|
if !bytes.Equal(combinedKeyBytes, testCase.expectedKey) {
|
|
|
|
|
t.Fatalf("case: #%v, invalid aggregation: "+
|
|
|
|
|
"expected %x, got %x", i, testCase.expectedKey,
|
|
|
|
|
combinedKeyBytes)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func mustParseHex(str string) []byte {
|
|
|
|
|
b, err := hex.DecodeString(str)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(fmt.Errorf("unable to parse hex: %v", err))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return b
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseKey(xHex string) *btcec.PublicKey {
|
|
|
|
|
xB, err := hex.DecodeString(xHex)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var x, y btcec.FieldVal
|
|
|
|
|
x.SetByteSlice(xB)
|
|
|
|
|
if !btcec.DecompressY(&x, false, &y) {
|
|
|
|
|
panic("x not on curve")
|
|
|
|
|
}
|
|
|
|
|
y.Normalize()
|
|
|
|
|
|
|
|
|
|
return btcec.NewPublicKey(&x, &y)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
signSetPrivKey, _ = btcec.PrivKeyFromBytes(
|
|
|
|
|
mustParseHex("7FB9E0E687ADA1EEBF7ECFE2F21E73EBDB51A7D450948DFE8D76D7F2D1007671"),
|
|
|
|
|
)
|
|
|
|
|
signSetPubKey, _ = schnorr.ParsePubKey(schnorr.SerializePubKey(signSetPrivKey.PubKey()))
|
|
|
|
|
|
|
|
|
|
signTestMsg = mustParseHex("F95466D086770E689964664219266FE5ED215C92AE20BAB5C9D79ADDDDF3C0CF")
|
|
|
|
|
|
|
|
|
|
signSetKey2, _ = schnorr.ParsePubKey(
|
|
|
|
|
mustParseHex("F9308A019258C31049344F85F89D5229B531C845836F99B086" +
|
|
|
|
|
"01F113BCE036F9"),
|
|
|
|
|
)
|
|
|
|
|
signSetKey3, _ = schnorr.ParsePubKey(
|
|
|
|
|
mustParseHex("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843" +
|
|
|
|
|
"240F7B502BA659"),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
signSetKeys = []*btcec.PublicKey{signSetPubKey, signSetKey2, signSetKey3}
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TestMuSig2SigningTestVectors tests that the musig2 implementation produces
|
|
|
|
|
// the same set of signatures.
|
|
|
|
|
func TestMuSig2SigningTestVectors(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
var aggregatedNonce [PubNonceSize]byte
|
|
|
|
|
copy(
|
|
|
|
|
aggregatedNonce[:],
|
|
|
|
|
mustParseHex("028465FCF0BBDBCF443AABCCE533D42B4B5A10966AC09A49655E8C42DAAB8FCD61"),
|
|
|
|
|
)
|
|
|
|
|
copy(
|
|
|
|
|
aggregatedNonce[33:],
|
|
|
|
|
mustParseHex("037496A3CC86926D452CAFCFD55D25972CA1675D549310DE296BFF42F72EEEA8C9"),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var secNonce [SecNonceSize]byte
|
|
|
|
|
copy(secNonce[:], mustParseHex("508B81A611F100A6B2B6B29656590898AF488BCF2E1F55CF22E5CFB84421FE61"))
|
|
|
|
|
copy(secNonce[32:], mustParseHex("FA27FD49B1D50085B481285E1CA205D55C82CC1B31FF5CD54A489829355901F7"))
|
|
|
|
|
|
|
|
|
|
testCases := []struct {
|
|
|
|
|
keyOrder []int
|
|
|
|
|
expectedPartialSig []byte
|
2022-03-30 22:52:39 -05:00
|
|
|
tweak *KeyTweakDesc
|
2022-03-01 18:48:09 -08:00
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{0, 1, 2},
|
|
|
|
|
expectedPartialSig: mustParseHex("68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B"),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{1, 0, 2},
|
|
|
|
|
expectedPartialSig: mustParseHex("2DF67BFFF18E3DE797E13C6475C963048138DAEC5CB20A357CECA7C8424295EA"),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{1, 2, 0},
|
|
|
|
|
expectedPartialSig: mustParseHex("0D5B651E6DE34A29A12DE7A8B4183B4AE6A7F7FBE15CDCAFA4A3D1BCAABC7517"),
|
|
|
|
|
},
|
2022-03-30 22:52:39 -05:00
|
|
|
{
|
|
|
|
|
keyOrder: []int{1, 2, 0},
|
|
|
|
|
expectedPartialSig: mustParseHex("5e24c7496b565debc3b9639e6f1304a21597f9603d3ab05b4913641775e1375b"),
|
|
|
|
|
tweak: &KeyTweakDesc{
|
|
|
|
|
Tweak: [32]byte{
|
|
|
|
|
0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF,
|
|
|
|
|
0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D,
|
|
|
|
|
0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79,
|
|
|
|
|
0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB,
|
|
|
|
|
},
|
|
|
|
|
IsXOnly: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
keyOrder: []int{1, 2, 0},
|
|
|
|
|
expectedPartialSig: mustParseHex("78408ddcab4813d1394c97d493ef1084195c1d4b52e63ecd7bc5991644e44ddd"),
|
|
|
|
|
tweak: &KeyTweakDesc{
|
|
|
|
|
Tweak: [32]byte{
|
|
|
|
|
0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF,
|
|
|
|
|
0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D,
|
|
|
|
|
0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79,
|
|
|
|
|
0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB,
|
|
|
|
|
},
|
|
|
|
|
IsXOnly: false,
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-03-01 18:48:09 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var msg [32]byte
|
|
|
|
|
copy(msg[:], signTestMsg)
|
|
|
|
|
|
|
|
|
|
for _, testCase := range testCases {
|
2022-03-30 22:52:39 -05:00
|
|
|
testName := fmt.Sprintf("%v/tweak=%v", testCase.keyOrder, testCase.tweak != nil)
|
|
|
|
|
if testCase.tweak != nil {
|
|
|
|
|
testName += fmt.Sprintf("/x_only=%v", testCase.tweak.IsXOnly)
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-01 18:48:09 -08:00
|
|
|
t.Run(testName, func(t *testing.T) {
|
|
|
|
|
keySet := make([]*btcec.PublicKey, 0, len(testCase.keyOrder))
|
|
|
|
|
for _, keyIndex := range testCase.keyOrder {
|
|
|
|
|
keySet = append(keySet, signSetKeys[keyIndex])
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-30 22:52:39 -05:00
|
|
|
var opts []SignOption
|
|
|
|
|
if testCase.tweak != nil {
|
|
|
|
|
opts = append(
|
|
|
|
|
opts, WithTweaks(*testCase.tweak),
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-01 18:48:09 -08:00
|
|
|
partialSig, err := Sign(
|
2022-03-11 19:00:33 -08:00
|
|
|
secNonce, signSetPrivKey, aggregatedNonce,
|
2022-03-30 22:52:39 -05:00
|
|
|
keySet, msg, opts...,
|
2022-03-01 18:48:09 -08:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to generate partial sig: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var partialSigBytes [32]byte
|
|
|
|
|
partialSig.S.PutBytesUnchecked(partialSigBytes[:])
|
|
|
|
|
|
|
|
|
|
if !bytes.Equal(partialSigBytes[:], testCase.expectedPartialSig) {
|
|
|
|
|
t.Fatalf("sigs don't match: expected %x, got %x",
|
|
|
|
|
testCase.expectedPartialSig, partialSigBytes,
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type signer struct {
|
|
|
|
|
privKey *btcec.PrivateKey
|
|
|
|
|
pubKey *btcec.PublicKey
|
|
|
|
|
|
|
|
|
|
nonces *Nonces
|
|
|
|
|
|
|
|
|
|
partialSig *PartialSignature
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type signerSet []signer
|
|
|
|
|
|
|
|
|
|
func (s signerSet) keys() []*btcec.PublicKey {
|
|
|
|
|
keys := make([]*btcec.PublicKey, len(s))
|
|
|
|
|
for i := 0; i < len(s); i++ {
|
|
|
|
|
keys[i] = s[i].pubKey
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return keys
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s signerSet) partialSigs() []*PartialSignature {
|
|
|
|
|
sigs := make([]*PartialSignature, len(s))
|
|
|
|
|
for i := 0; i < len(s); i++ {
|
|
|
|
|
sigs[i] = s[i].partialSig
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return sigs
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s signerSet) pubNonces() [][PubNonceSize]byte {
|
|
|
|
|
nonces := make([][PubNonceSize]byte, len(s))
|
|
|
|
|
for i := 0; i < len(s); i++ {
|
|
|
|
|
nonces[i] = s[i].nonces.PubNonce
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nonces
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s signerSet) combinedKey() *btcec.PublicKey {
|
2022-03-11 19:00:33 -08:00
|
|
|
uniqueKeyIndex := secondUniqueKeyIndex(s.keys(), false)
|
2022-03-30 22:52:39 -05:00
|
|
|
key, _, _, _ := AggregateKeys(
|
2022-03-10 18:47:52 -08:00
|
|
|
s.keys(), false, WithUniqueKeyIndex(uniqueKeyIndex),
|
|
|
|
|
)
|
2022-03-31 19:27:34 -05:00
|
|
|
return key.FinalKey
|
2022-03-01 18:48:09 -08:00
|
|
|
}
|
2022-03-01 18:49:05 -08:00
|
|
|
|
2022-03-30 22:52:39 -05:00
|
|
|
// testMultiPartySign executes a multi-party signing context w/ 100 signers.
|
2022-03-31 19:27:34 -05:00
|
|
|
func testMultiPartySign(t *testing.T, taprootTweak []byte,
|
|
|
|
|
tweaks ...KeyTweakDesc) {
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
const numSigners = 100
|
|
|
|
|
|
|
|
|
|
// First generate the set of signers along with their public keys.
|
|
|
|
|
signerKeys := make([]*btcec.PrivateKey, numSigners)
|
|
|
|
|
signSet := make([]*btcec.PublicKey, numSigners)
|
2022-03-01 18:49:05 -08:00
|
|
|
for i := 0; i < numSigners; i++ {
|
|
|
|
|
privKey, err := btcec.NewPrivateKey()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to gen priv key: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pubKey, err := schnorr.ParsePubKey(
|
|
|
|
|
schnorr.SerializePubKey(privKey.PubKey()),
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to gen key: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
signerKeys[i] = privKey
|
|
|
|
|
signSet[i] = pubKey
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var combinedKey *btcec.PublicKey
|
|
|
|
|
|
2022-03-30 22:52:39 -05:00
|
|
|
var ctxOpts []ContextOption
|
2022-03-31 19:27:34 -05:00
|
|
|
switch {
|
2022-04-01 12:35:25 -05:00
|
|
|
case len(taprootTweak) == 0:
|
|
|
|
|
ctxOpts = append(ctxOpts, WithBip86TweakCtx())
|
2022-03-31 19:27:34 -05:00
|
|
|
case taprootTweak != nil:
|
|
|
|
|
ctxOpts = append(ctxOpts, WithTaprootTweakCtx(taprootTweak))
|
|
|
|
|
case len(tweaks) != 0:
|
|
|
|
|
ctxOpts = append(ctxOpts, WithTweakedContext(tweaks...))
|
2022-03-30 22:52:39 -05:00
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
// Now that we have all the signers, we'll make a new context, then
|
|
|
|
|
// generate a new session for each of them(which handles nonce
|
|
|
|
|
// generation).
|
|
|
|
|
signers := make([]*Session, numSigners)
|
|
|
|
|
for i, signerKey := range signerKeys {
|
2022-03-30 22:52:39 -05:00
|
|
|
signCtx, err := NewContext(
|
|
|
|
|
signerKey, signSet, false, ctxOpts...,
|
|
|
|
|
)
|
2022-03-01 18:49:05 -08:00
|
|
|
if err != nil {
|
2022-03-11 19:00:33 -08:00
|
|
|
t.Fatalf("unable to generate context: %v", err)
|
2022-03-01 18:49:05 -08:00
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
if combinedKey == nil {
|
2022-03-31 19:27:34 -05:00
|
|
|
combinedKey = signCtx.CombinedKey()
|
2022-03-11 19:00:33 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
session, err := signCtx.NewSession()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to generate new session: %v", err)
|
|
|
|
|
}
|
|
|
|
|
signers[i] = session
|
2022-03-01 18:49:05 -08:00
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
// Next, in the pre-signing phase, we'll send all the nonces to each
|
|
|
|
|
// signer.
|
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
for i, signCtx := range signers {
|
|
|
|
|
signCtx := signCtx
|
2022-03-01 18:49:05 -08:00
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
wg.Add(1)
|
|
|
|
|
go func(idx int, signer *Session) {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
|
|
|
|
|
for j, otherCtx := range signers {
|
|
|
|
|
if idx == j {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nonce := otherCtx.PublicNonce()
|
|
|
|
|
haveAll, err := signer.RegisterPubNonce(nonce)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to add public nonce")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if j == len(signers)-1 && !haveAll {
|
|
|
|
|
t.Fatalf("all public nonces should have been detected")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}(i, signCtx)
|
2022-03-01 18:49:05 -08:00
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
wg.Wait()
|
|
|
|
|
|
|
|
|
|
msg := sha256.Sum256([]byte("let's get taprooty"))
|
2022-03-01 18:49:05 -08:00
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
// In the final step, we'll use the first signer as our combiner, and
|
|
|
|
|
// generate a signature for each signer, and then accumulate that with
|
|
|
|
|
// the combiner.
|
|
|
|
|
combiner := signers[0]
|
2022-03-01 18:49:05 -08:00
|
|
|
for i := range signers {
|
|
|
|
|
signer := signers[i]
|
2022-03-11 19:00:33 -08:00
|
|
|
partialSig, err := signer.Sign(msg)
|
2022-03-01 18:49:05 -08:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to generate partial sig: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
// We don't need to combine the signature for the very first
|
|
|
|
|
// signer, as it already has that partial signature.
|
|
|
|
|
if i != 0 {
|
|
|
|
|
haveAll, err := combiner.CombineSig(partialSig)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("unable to combine sigs: %v", err)
|
|
|
|
|
}
|
2022-03-01 18:49:05 -08:00
|
|
|
|
2022-03-11 19:00:33 -08:00
|
|
|
if i == len(signers)-1 && !haveAll {
|
|
|
|
|
t.Fatalf("final sig wasn't reconstructed")
|
|
|
|
|
}
|
2022-03-01 18:49:05 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Finally we'll combined all the nonces, and ensure that it validates
|
|
|
|
|
// as a single schnorr signature.
|
2022-03-11 19:00:33 -08:00
|
|
|
finalSig := combiner.FinalSig()
|
2022-03-01 18:49:05 -08:00
|
|
|
if !finalSig.Verify(msg[:], combinedKey) {
|
|
|
|
|
t.Fatalf("final sig is invalid!")
|
|
|
|
|
}
|
2022-03-11 19:00:33 -08:00
|
|
|
|
|
|
|
|
// Verify that if we try to sign again with any of the existing
|
|
|
|
|
// signers, then we'll get an error as the nonces have already been
|
|
|
|
|
// used.
|
|
|
|
|
for _, signer := range signers {
|
|
|
|
|
_, err := signer.Sign(msg)
|
|
|
|
|
if err != ErrSigningContextReuse {
|
|
|
|
|
t.Fatalf("expected to get signing context reuse")
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-03-01 18:49:05 -08:00
|
|
|
}
|
2022-03-30 22:52:39 -05:00
|
|
|
|
|
|
|
|
// TestMuSigMultiParty tests that for a given set of 100 signers, we're able to
|
|
|
|
|
// properly generate valid sub signatures, which ultimately can be combined
|
|
|
|
|
// into a single valid signature.
|
|
|
|
|
func TestMuSigMultiParty(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
testTweak := [32]byte{
|
|
|
|
|
0xE8, 0xF7, 0x91, 0xFF, 0x92, 0x25, 0xA2, 0xAF,
|
|
|
|
|
0x01, 0x02, 0xAF, 0xFF, 0x4A, 0x9A, 0x72, 0x3D,
|
|
|
|
|
0x96, 0x12, 0xA6, 0x82, 0xA2, 0x5E, 0xBE, 0x79,
|
|
|
|
|
0x80, 0x2B, 0x26, 0x3C, 0xDF, 0xCD, 0x83, 0xBB,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Run("no_tweak", func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
2022-03-31 19:27:34 -05:00
|
|
|
testMultiPartySign(t, nil)
|
2022-03-30 22:52:39 -05:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
t.Run("tweaked", func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
2022-03-31 19:27:34 -05:00
|
|
|
testMultiPartySign(t, nil, KeyTweakDesc{
|
2022-03-30 22:52:39 -05:00
|
|
|
Tweak: testTweak,
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
t.Run("tweaked_x_only", func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
2022-03-31 19:27:34 -05:00
|
|
|
testMultiPartySign(t, nil, KeyTweakDesc{
|
2022-03-30 22:52:39 -05:00
|
|
|
Tweak: testTweak,
|
|
|
|
|
IsXOnly: true,
|
|
|
|
|
})
|
|
|
|
|
})
|
2022-03-31 19:27:34 -05:00
|
|
|
|
|
|
|
|
t.Run("taproot_tweaked_x_only", func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
testMultiPartySign(t, testTweak[:])
|
|
|
|
|
})
|
2022-04-01 12:35:25 -05:00
|
|
|
|
|
|
|
|
t.Run("taproot_bip_86", func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
testMultiPartySign(t, []byte{})
|
|
|
|
|
})
|
2022-03-30 22:52:39 -05:00
|
|
|
}
|
