mleku/orly
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix failing musig build

Browse Source
This commit is contained in:
mleku
2025-08-07 21:21:11 +01:00
parent a4dd177eb5
commit c41bcb2652
18 changed files with 885 additions and 643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/crypto/ec/musig2/bench_test.go
View File

@@ -6,10 +6,11 @@ package musig2
import (
"fmt"
"testing"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/schnorr"
"orly.dev/pkg/encoders/hex"
"testing"
)
var (
@@ -190,7 +191,7 @@ func BenchmarkCombineSigs(b *testing.B) {
}
var msg [32]byte
copy(msg[:], testMsg[:])
var finalNonce *btcec.btcec
var finalNonce *btcec.PublicKey
for i := range signers {
signer := signers[i]
partialSig, err := Sign(
@@ -246,7 +247,7 @@ func BenchmarkAggregateNonces(b *testing.B) {
}
}
var testKey *btcec.btcec
var testKey *btcec.PublicKey
// BenchmarkAggregateKeys benchmarks how long it takes to aggregate public
// keys.

5
pkg/crypto/ec/musig2/context.go
View File

@@ -4,6 +4,7 @@ package musig2
import (
"fmt"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/schnorr"
"orly.dev/pkg/utils/chk"
@@ -63,7 +64,7 @@ type Context struct {
// signingKey is the key we'll use for signing.
signingKey *btcec.SecretKey
// pubKey is our even-y coordinate public key.
pubKey *btcec.btcec
pubKey *btcec.PublicKey
// combinedKey is the aggregated public key.
combinedKey *AggregateKey
// uniqueKeyIndex is the index of the second unique key in the keySet.
@@ -103,7 +104,7 @@ type contextOptions struct {
// h_tapTweak(internalKey) as there is no true script root.
bip86Tweak bool
// keySet is the complete set of signers for this context.
keySet []*btcec.btcec
keySet []*btcec.PublicKey
// numSigners is the total number of signers that will eventually be a
// part of the context.
numSigners int

65
pkg/crypto/ec/musig2/data/key_agg_vectors.json
View File

@@ -14,25 +14,45 @@
],
"valid_test_cases": [
{
"key_indices": [0, 1, 2],
"key_indices": [
0,
1,
2
],
"expected": "90539EEDE565F5D054F32CC0C220126889ED1E5D193BAF15AEF344FE59D4610C"
},
{
"key_indices": [2, 1, 0],
"key_indices": [
2,
1,
0
],
"expected": "6204DE8B083426DC6EAF9502D27024D53FC826BF7D2012148A0575435DF54B2B"
},
{
"key_indices": [0, 0, 0],
"key_indices": [
0,
0,
0
],
"expected": "B436E3BAD62B8CD409969A224731C193D051162D8C5AE8B109306127DA3AA935"
},
{
"key_indices": [0, 0, 1, 1],
"key_indices": [
0,
0,
1,
1
],
"expected": "69BC22BFA5D106306E48A20679DE1D7389386124D07571D0D872686028C26A3E"
}
],
"error_test_cases": [
{
"key_indices": [0, 3],
"key_indices": [
0,
3
],
"tweak_indices": [],
"is_xonly": [],
"error": {
@@ -43,7 +63,10 @@
"comment": "Invalid public key"
},
{
"key_indices": [0, 4],
"key_indices": [
0,
4
],
"tweak_indices": [],
"is_xonly": [],
"error": {
@@ -54,7 +77,10 @@
"comment": "Public key exceeds field size"
},
{
"key_indices": [5, 0],
"key_indices": [
5,
0
],
"tweak_indices": [],
"is_xonly": [],
"error": {
@@ -65,9 +91,16 @@
"comment": "First byte of public key is not 2 or 3"
},
{
"key_indices": [0, 1],
"tweak_indices": [0],
"is_xonly": [true],
"key_indices": [
0,
1
],
"tweak_indices": [
0
],
"is_xonly": [
true
],
"error": {
"type": "value",
"message": "The tweak must be less than n."
@@ -75,9 +108,15 @@
"comment": "Tweak is out of range"
},
{
"key_indices": [6],
"tweak_indices": [1],
"is_xonly": [false],
"key_indices": [
6
],
"tweak_indices": [
1
],
"is_xonly": [
false
],
"error": {
"type": "value",
"message": "The result of tweaking cannot be infinity."

25
pkg/crypto/ec/musig2/data/nonce_agg_vectors.json
View File

@@ -10,18 +10,27 @@
],
"valid_test_cases": [
{
"pnonce_indices": [0, 1],
"pnonce_indices": [
0,
1
],
"expected": "035FE1873B4F2967F52FEA4A06AD5A8ECCBE9D0FD73068012C894E2E87CCB5804B024725377345BDE0E9C33AF3C43C0A29A9249F2F2956FA8CFEB55C8573D0262DC8"
},
{
"pnonce_indices": [2, 3],
"pnonce_indices": [
2,
3
],
"expected": "035FE1873B4F2967F52FEA4A06AD5A8ECCBE9D0FD73068012C894E2E87CCB5804B000000000000000000000000000000000000000000000000000000000000000000",
"comment": "Sum of second points encoded in the nonces is point at infinity which is serialized as 33 zero bytes"
}
],
"error_test_cases": [
{
"pnonce_indices": [0, 4],
"pnonce_indices": [
0,
4
],
"error": {
"type": "invalid_contribution",
"signer": 1,
@@ -31,7 +40,10 @@
"btcec_err": "invalid public key: unsupported format: 4"
},
{
"pnonce_indices": [5, 1],
"pnonce_indices": [
5,
1
],
"error": {
"type": "invalid_contribution",
"signer": 0,
@@ -41,7 +53,10 @@
"btcec_err": "invalid public key: x coordinate 48c264cdd57d3c24d79990b0f865674eb62a0f9018277a95011b41bfc193b831 is not on the secp256k1 curve"
},
{
"pnonce_indices": [6, 1],
"pnonce_indices": [
6,
1
],
"error": {
"type": "invalid_contribution",
"signer": 0,

141
pkg/crypto/ec/musig2/data/sign_verify_vectors.json
View File

@@ -31,32 +31,62 @@
],
"valid_test_cases": [
{
"key_indices": [0, 1, 2],
"nonce_indices": [0, 1, 2],
"key_indices": [
0,
1,
2
],
"nonce_indices": [
0,
1,
2
],
"aggnonce_index": 0,
"msg_index": 0,
"signer_index": 0,
"expected": "012ABBCB52B3016AC03AD82395A1A415C48B93DEF78718E62A7A90052FE224FB"
},
{
"key_indices": [1, 0, 2],
"nonce_indices": [1, 0, 2],
"key_indices": [
1,
0,
2
],
"nonce_indices": [
1,
0,
2
],
"aggnonce_index": 0,
"msg_index": 0,
"signer_index": 1,
"expected": "9FF2F7AAA856150CC8819254218D3ADEEB0535269051897724F9DB3789513A52"
},
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"aggnonce_index": 0,
"msg_index": 0,
"signer_index": 2,
"expected": "FA23C359F6FAC4E7796BB93BC9F0532A95468C539BA20FF86D7C76ED92227900"
},
{
"key_indices": [0, 1],
"nonce_indices": [0, 3],
"key_indices": [
0,
1
],
"nonce_indices": [
0,
3
],
"aggnonce_index": 1,
"msg_index": 0,
"signer_index": 0,
@@ -66,7 +96,10 @@
],
"sign_error_test_cases": [
{
"key_indices": [1, 2],
"key_indices": [
1,
2
],
"aggnonce_index": 0,
"msg_index": 0,
"secnonce_index": 0,
@@ -77,7 +110,11 @@
"comment": "The signers pubkey is not in the list of pubkeys"
},
{
"key_indices": [1, 0, 3],
"key_indices": [
1,
0,
3
],
"aggnonce_index": 0,
"msg_index": 0,
"secnonce_index": 0,
@@ -89,7 +126,11 @@
"comment": "Signer 2 provided an invalid public key"
},
{
"key_indices": [1, 2, 0],
"key_indices": [
1,
2,
0
],
"aggnonce_index": 2,
"msg_index": 0,
"secnonce_index": 0,
@@ -101,7 +142,11 @@
"comment": "Aggregate nonce is invalid due wrong tag, 0x04, in the first half"
},
{
"key_indices": [1, 2, 0],
"key_indices": [
1,
2,
0
],
"aggnonce_index": 3,
"msg_index": 0,
"secnonce_index": 0,
@@ -113,7 +158,11 @@
"comment": "Aggregate nonce is invalid because the second half does not correspond to an X coordinate"
},
{
"key_indices": [1, 2, 0],
"key_indices": [
1,
2,
0
],
"aggnonce_index": 4,
"msg_index": 0,
"secnonce_index": 0,
@@ -125,7 +174,11 @@
"comment": "Aggregate nonce is invalid because second half exceeds field size"
},
{
"key_indices": [0, 1, 2],
"key_indices": [
0,
1,
2
],
"aggnonce_index": 0,
"msg_index": 0,
"signer_index": 0,
@@ -140,24 +193,48 @@
"verify_fail_test_cases": [
{
"sig": "97AC833ADCB1AFA42EBF9E0725616F3C9A0D5B614F6FE283CEAAA37A8FFAF406",
"key_indices": [0, 1, 2],
"nonce_indices": [0, 1, 2],
"key_indices": [
0,
1,
2
],
"nonce_indices": [
0,
1,
2
],
"msg_index": 0,
"signer_index": 0,
"comment": "Wrong signature (which is equal to the negation of valid signature)"
},
{
"sig": "68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B",
"key_indices": [0, 1, 2],
"nonce_indices": [0, 1, 2],
"key_indices": [
0,
1,
2
],
"nonce_indices": [
0,
1,
2
],
"msg_index": 0,
"signer_index": 1,
"comment": "Wrong signer"
},
{
"sig": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
"key_indices": [0, 1, 2],
"nonce_indices": [0, 1, 2],
"key_indices": [
0,
1,
2
],
"nonce_indices": [
0,
1,
2
],
"msg_index": 0,
"signer_index": 0,
"comment": "Signature exceeds group size"
@@ -166,8 +243,16 @@
"verify_error_test_cases": [
{
"sig": "68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B",
"key_indices": [0, 1, 2],
"nonce_indices": [4, 1, 2],
"key_indices": [
0,
1,
2
],
"nonce_indices": [
4,
1,
2
],
"msg_index": 0,
"signer_index": 0,
"error": {
@@ -179,8 +264,16 @@
},
{
"sig": "68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B",
"key_indices": [3, 1, 2],
"nonce_indices": [0, 1, 2],
"key_indices": [
3,
1,
2
],
"nonce_indices": [
0,
1,
2
],
"msg_index": 0,
"signer_index": 0,
"error": {

134
pkg/crypto/ec/musig2/data/tweak_vectors.json
View File

@@ -22,46 +22,120 @@
"msg": "F95466D086770E689964664219266FE5ED215C92AE20BAB5C9D79ADDDDF3C0CF",
"valid_test_cases": [
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"tweak_indices": [0],
"is_xonly": [true],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"tweak_indices": [
0
],
"is_xonly": [
true
],
"signer_index": 2,
"expected": "E28A5C66E61E178C2BA19DB77B6CF9F7E2F0F56C17918CD13135E60CC848FE91",
"comment": "A single x-only tweak"
},
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"tweak_indices": [0],
"is_xonly": [false],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"tweak_indices": [
0
],
"is_xonly": [
false
],
"signer_index": 2,
"expected": "38B0767798252F21BF5702C48028B095428320F73A4B14DB1E25DE58543D2D2D",
"comment": "A single plain tweak"
},
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"tweak_indices": [0, 1],
"is_xonly": [false, true],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"tweak_indices": [
0,
1
],
"is_xonly": [
false,
true
],
"signer_index": 2,
"expected": "408A0A21C4A0F5DACAF9646AD6EB6FECD7F7A11F03ED1F48DFFF2185BC2C2408",
"comment": "A plain tweak followed by an x-only tweak"
},
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"tweak_indices": [0, 1, 2, 3],
"is_xonly": [false, false, true, true],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"tweak_indices": [
0,
1,
2,
3
],
"is_xonly": [
false,
false,
true,
true
],
"signer_index": 2,
"expected": "45ABD206E61E3DF2EC9E264A6FEC8292141A633C28586388235541F9ADE75435",
"comment": "Four tweaks: plain, plain, x-only, x-only."
},
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"tweak_indices": [0, 1, 2, 3],
"is_xonly": [true, false, true, false],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"tweak_indices": [
0,
1,
2,
3
],
"is_xonly": [
true,
false,
true,
false
],
"signer_index": 2,
"expected": "B255FDCAC27B40C7CE7848E2D3B7BF5EA0ED756DA81565AC804CCCA3E1D5D239",
"comment": "Four tweaks: x-only, plain, x-only, plain. If an implementation prohibits applying plain tweaks after x-only tweaks, it can skip this test vector or return an error."
@@ -69,10 +143,22 @@
],
"error_test_cases": [
{
"key_indices": [1, 2, 0],
"nonce_indices": [1, 2, 0],
"tweak_indices": [4],
"is_xonly": [false],
"key_indices": [
1,
2,
0
],
"nonce_indices": [
1,
2,
0
],
"tweak_indices": [
4
],
"is_xonly": [
false
],
"signer_index": 2,
"error": {
"type": "value",

7
pkg/crypto/ec/musig2/keys.go
View File

@@ -5,11 +5,12 @@ package musig2
import (
"bytes"
"fmt"
"sort"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/chainhash"
"orly.dev/pkg/crypto/ec/schnorr"
"orly.dev/pkg/crypto/ec/secp256k1"
"sort"
)
var (
@@ -224,7 +225,7 @@ func defaultKeyAggOptions() *keyAggOption { return &keyAggOption{} }
// point has an even y coordinate.
//
// TODO(roasbeef): double check, can just check the y coord even not jacobian?
func hasEvenY(pJ btcec.btcec) bool {
func hasEvenY(pJ btcec.JacobianPoint) bool {
pJ.ToAffine()
p := btcec.NewPublicKey(&pJ.X, &pJ.Y)
keyBytes := p.SerializeCompressed()
@@ -237,7 +238,7 @@ func hasEvenY(pJ btcec.btcec) bool {
// by the parity factor. The xOnly bool specifies if this is to be an x-only
// tweak or not.
func tweakKey(
keyJ btcec.btcec, parityAcc btcec.ModNScalar,
keyJ btcec.JacobianPoint, parityAcc btcec.ModNScalar,
tweak [32]byte,
tweakAcc btcec.ModNScalar,
xOnly bool,

13
pkg/crypto/ec/musig2/keys_test.go
View File

@@ -5,15 +5,16 @@ package musig2
import (
"encoding/json"
"fmt"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/schnorr"
"orly.dev/pkg/crypto/ec/secp256k1"
"orly.dev/pkg/encoders/hex"
"os"
"path"
"strings"
"testing"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/schnorr"
"orly.dev/pkg/crypto/ec/secp256k1"
"orly.dev/pkg/encoders/hex"
"github.com/stretchr/testify/require"
)
@@ -39,9 +40,9 @@ func TestMusig2KeySort(t *testing.T) {
require.NoError(t, err)
var testCase keySortTestVector
require.NoError(t, json.Unmarshal(testVectorBytes, &testCase))
keys := make([]*btcec.btcec, len(testCase.PubKeys))
keys := make([]*btcec.PublicKey, len(testCase.PubKeys))
for i, keyStr := range testCase.PubKeys {
pubKey, err := btcec.btcec.ParsePubKey(mustParseHex(keyStr))
pubKey, err := btcec.ParsePubKey(mustParseHex(keyStr))
require.NoError(t, err)
keys[i] = pubKey
}

9
pkg/crypto/ec/musig2/musig2_test.go
View File

@@ -5,11 +5,12 @@ package musig2
import (
"errors"
"fmt"
"sync"
"testing"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/sha256"
"orly.dev/pkg/encoders/hex"
"sync"
"testing"
)
const (
@@ -26,14 +27,14 @@ func mustParseHex(str string) []byte {
type signer struct {
privKey *btcec.SecretKey
pubKey *btcec.btcec
pubKey *btcec.PublicKey
nonces *Nonces
partialSig *PartialSignature
}
type signerSet []signer
func (s signerSet) keys() []*btcec.btcec {
func (s signerSet) keys() []*btcec.PublicKey {
keys := make([]*btcec.PublicKey, len(s))
for i := 0; i < len(s); i++ {
keys[i] = s[i].pubKey

5
pkg/crypto/ec/musig2/nonces.go
View File

@@ -8,6 +8,7 @@ import (
"encoding/binary"
"errors"
"io"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/chainhash"
"orly.dev/pkg/crypto/ec/schnorr"
@@ -59,8 +60,8 @@ func secNonceToPubNonce(secNonce [SecNonceSize]byte) [PubNonceSize]byte {
var k1Mod, k2Mod btcec.ModNScalar
k1Mod.SetByteSlice(secNonce[:btcec.SecKeyBytesLen])
k2Mod.SetByteSlice(secNonce[btcec.SecKeyBytesLen:])
var r1, r2 btcec.btcec
btcec.btcec.ScalarBaseMultNonConst(&k1Mod, &r1)
var r1, r2 btcec.JacobianPoint
btcec.ScalarBaseMultNonConst(&k1Mod, &r1)
btcec.ScalarBaseMultNonConst(&k2Mod, &r2)
// Next, we'll convert the key in jacobian format to a normal public
// key expressed in affine coordinates.

3
pkg/crypto/ec/musig2/nonces_test.go
View File

@@ -6,11 +6,12 @@ import (
"bytes"
"encoding/json"
"fmt"
"orly.dev/pkg/encoders/hex"
"os"
"path"
"testing"
"orly.dev/pkg/encoders/hex"
"github.com/stretchr/testify/require"
)

5
pkg/crypto/ec/musig2/sign.go
View File

@@ -6,6 +6,7 @@ import (
"bytes"
"fmt"
"io"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/chainhash"
"orly.dev/pkg/crypto/ec/schnorr"
@@ -53,7 +54,7 @@ var (
)
// infinityPoint is the jacobian representation of the point at infinity.
var infinityPoint btcec.btcec
var infinityPoint btcec.JacobianPoint
// PartialSignature reprints a partial (s-only) musig2 multi-signature. This
// isn't a valid schnorr signature by itself, as it needs to be aggregated
@@ -205,7 +206,7 @@ func computeSigningNonce(
combinedNonce [PubNonceSize]byte,
combinedKey *btcec.PublicKey, msg [32]byte,
) (
*btcec.btcec, *btcec.ModNScalar, error,
*btcec.JacobianPoint, *btcec.ModNScalar, error,
) {
// Next we'll compute the value b, that blinds our second public

11
pkg/crypto/ec/musig2/sign_test.go
View File

@@ -6,14 +6,15 @@ import (
"bytes"
"encoding/json"
"fmt"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/secp256k1"
"orly.dev/pkg/encoders/hex"
"os"
"path"
"strings"
"testing"
"orly.dev/pkg/crypto/ec"
"orly.dev/pkg/crypto/ec/secp256k1"
"orly.dev/pkg/encoders/hex"
"github.com/stretchr/testify/require"
)
@@ -80,7 +81,7 @@ func TestMusig2SignVerify(t *testing.T) {
require.NoError(t, err)
var testCases signVerifyTestVectors
require.NoError(t, json.Unmarshal(testVectorBytes, &testCases))
privKey, _ := btcec.btcec.SecKeyFromBytes(mustParseHex(testCases.SecKey))
privKey, _ := btcec.SecKeyFromBytes(mustParseHex(testCases.SecKey))
for i, testCase := range testCases.ValidCases {
testCase := testCase
testName := fmt.Sprintf("valid_case_%v", i)
@@ -312,7 +313,7 @@ func TestMusig2SignCombine(t *testing.T) {
combinedNonce, combinedKey.FinalKey, msg,
)
finalNonceJ.ToAffine()
finalNonce := btcec.btcec.NewPublicKey(
finalNonce := btcec.NewPublicKey(
&finalNonceJ.X, &finalNonceJ.Y,
)
combinedSig := CombineSigs(

2
pkg/crypto/ec/schnorr/bench_test.go
View File

@@ -48,7 +48,7 @@ func hexToModNScalar(s string) *btcec.ModNScalar {
// if there is an error. This is only provided for the hard-coded constants, so
// errors in the source code can be detected. It will only (and must only) be
// called with hard-coded values.
func hexToFieldVal(s string) *btcec.btcec {
func hexToFieldVal(s string) *btcec.PublicKey {
b, err := hex.Dec(s)
if err != nil {
panic("invalid hex in source file: " + s)

2
pkg/crypto/ec/schnorr/signature_test.go
View File

@@ -207,7 +207,7 @@ func TestSchnorrSign(t *testing.T) {
continue
}
d := decodeHex(test.secretKey)
privKey, _ := btcec.btcec.SecKeyFromBytes(d)
privKey, _ := btcec.PublicKey.SecKeyFromBytes(d)
var auxBytes [32]byte
aux := decodeHex(test.auxRand)
copy(auxBytes[:], aux)