diff --git a/src/secp256k1/include/secp256k1_schnorr.h b/src/secp256k1/include/secp256k1_schnorr.h --- a/src/secp256k1/include/secp256k1_schnorr.h +++ b/src/secp256k1/include/secp256k1_schnorr.h @@ -50,6 +50,51 @@ const void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); +/** + * This function combines several keys into one. + * The combined public key looks like a regular public key, but generating + * a signature for it necessitates all the priavate keys corresponding to each + * combined public key. + * Args: ctx: pointer to a context object, initialized for signing + * (cannot be NULL) + * Out: C: pointer to a 32-byte buffer where a unique identifier + * of the key combination will be placed (cannot be NULL) + * combined_pubkey: pointer to a secp256k1_pubkey where the combined + * public key will be placed (cannot be NULL) + * In: pubkeys: pointer to an array of public keys (cannot be NULL) + * nkeys: how many public keys are to be combined + */ +SECP256K1_API int secp256k1_schnorr_combine_keys( + const secp256k1_context *ctx, + unsigned char *C, + secp256k1_pubkey *combined_pubkey, + const secp256k1_pubkey *pubkeys, + const size_t nkeys +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + +/** + * This function retrieve the partial private key corresponding to a share + * of a combined public key. + * This partial key can be used to create a partial signature. Partial + * signature can then be combined to form a schnorr signature. + * Args: ctx: pointer to a context object, initialized for signing + * (cannot be NULL) + * Out: partial_key: pointer to a 32-byte buffer where the partial + * private key will be placed (cannot be NULL) + * In: C: pointer to a 32-byte buffer containing the unique + * identifier provided by secp256k1_schnorr_combine_keys + * (cannot be NULL) + * seckey: pointer to a 32-byte secret key (cannot be NULL) + * pubkey: the public key to sign with (cannot be NULL) + */ +SECP256K1_API int secp256k1_schnorr_get_partial_key( + const secp256k1_context *ctx, + unsigned char *partial_key, + const unsigned char *C, + const unsigned char *seckey, + const secp256k1_pubkey *pubkey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); + # ifdef __cplusplus } # endif diff --git a/src/secp256k1/src/modules/schnorr/main_impl.h b/src/secp256k1/src/modules/schnorr/main_impl.h --- a/src/secp256k1/src/modules/schnorr/main_impl.h +++ b/src/secp256k1/src/modules/schnorr/main_impl.h @@ -60,4 +60,61 @@ return ret; } +int secp256k1_schnorr_combine_keys( + const secp256k1_context *ctx, + unsigned char *C, + secp256k1_pubkey *combined_pubkey, + const secp256k1_pubkey *pubkeys, + const size_t nkeys +) { + secp256k1_ge p; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); + VERIFY_CHECK(C != NULL); + ARG_CHECK(combined_pubkey != NULL); + ARG_CHECK(pubkeys != NULL); + /* We must have at least two key to combine them */ + ARG_CHECK(nkeys > 1); + /* But no more than 1 << 31 */ + ARG_CHECK(nkeys < (size_t)(1 << 31)); + + if (!secp256k1_schnorr_multisig_compute_c(ctx, C, pubkeys, nkeys)) { + return 0; + } + + if (!secp256k1_schnorr_multisig_combine_keys(ctx, &p, C, pubkeys, nkeys)) { + return 0; + } + + secp256k1_pubkey_save(combined_pubkey, &p); + return 1; +} + +int secp256k1_schnorr_get_partial_key( + const secp256k1_context *ctx, + unsigned char *partial_key, + const unsigned char *C, + const unsigned char *seckey, + const secp256k1_pubkey *pubkey +) { + secp256k1_scalar sec; + secp256k1_ge q; + int ret = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(partial_key != NULL); + ARG_CHECK(C != NULL); + ARG_CHECK(seckey != NULL); + ARG_CHECK(pubkey != NULL); + + secp256k1_pubkey_load(ctx, &q, pubkey); + secp256k1_scalar_set_b32(&sec, seckey, NULL); + ret = secp256k1_schnorr_multisig_compute_privkey(&sec, C, &sec, &q); + if (ret) { + secp256k1_scalar_get_b32(partial_key, &sec); + } + + secp256k1_scalar_clear(&sec); + return ret; +} + #endif diff --git a/src/secp256k1/src/modules/schnorr/schnorr.h b/src/secp256k1/src/modules/schnorr/schnorr.h --- a/src/secp256k1/src/modules/schnorr/schnorr.h +++ b/src/secp256k1/src/modules/schnorr/schnorr.h @@ -61,4 +61,32 @@ const void *ndata ); +static int secp256k1_schnorr_multisig_compute_c( + const secp256k1_context *ctx, + unsigned char C[32], + const secp256k1_pubkey *pubkeys, + const size_t nkeys +); + +static int secp256k1_schnorr_multisig_compute_pubkey( + secp256k1_ge *partial_pubkey, + const unsigned char *C, + secp256k1_ge *pubkey +); + +static int secp256k1_schnorr_multisig_compute_privkey( + secp256k1_scalar *partial_privkey, + const unsigned char *C, + const secp256k1_scalar *privkey, + secp256k1_ge *pubkey +); + +static int secp256k1_schnorr_multisig_combine_keys( + const secp256k1_context *ctx, + secp256k1_ge *combined_pubkey, + const unsigned char *C, + const secp256k1_pubkey *pubkeys, + const size_t nkeys +); + #endif diff --git a/src/secp256k1/src/modules/schnorr/schnorr_impl.h b/src/secp256k1/src/modules/schnorr/schnorr_impl.h --- a/src/secp256k1/src/modules/schnorr/schnorr_impl.h +++ b/src/secp256k1/src/modules/schnorr/schnorr_impl.h @@ -245,4 +245,148 @@ return ret; } +/** + * Schnorr signatures are linear and therefore lend themselves to aggregation. + * However, it is possible for one party to chose it key judiciously such as + * it cancels the key of another party. Consider the two parties: + * Alice: A = a * G + * Bob: B = b * G + * + * Bob could pretend that his public key is Q = B - A, and lead Alice to + * to believe that she did share a key with Bob, when in fact Bob has the + * sole control of the key. + * In order to solve this problem, we derive a new key for both Alice and Bob + * in such a way that it is not possible for either Alice or Bob to chose + * his or her key depending on the key of the other. + * + * The procedure goes as follow: + * C = H(A || B || ...) + * A' = H(C || A) * A + * B' = H(C || B) * B + * The combined key is P = A' + B' + ... + * + * Anyone can verify that the key are combined properly as it doesn't require + * any private info to do so. Each participant is also able to derive a new + * private key from the existing one as follow: + * Alice: a' = a * H(C || A) + * Bob: b' = b * H(C || B) + * + * Because only Alice knows her private key, only she can compute the partial + * private key required to interract with Bob, and vice versa. + */ +static int secp256k1_schnorr_multisig_compute_c( + const secp256k1_context *ctx, + unsigned char *C, + const secp256k1_pubkey *pubkeys, + const size_t nkeys +) { + size_t i, size; + secp256k1_sha256 sha; + secp256k1_ge q; + unsigned char buf[33]; + secp256k1_sha256_initialize(&sha); + + /* Hash all the keys */ + for (i = 0; i < nkeys; i++) { + /** + * We do so by hashing the serialization fo all the keys one by one. + * However, this is not ideal because it makes the construction + * dependent ont he ordering of the keys. It may be preferable to + * change this to use the multiset construction in the future. + */ + secp256k1_pubkey_load(ctx, &q, &pubkeys[i]); + secp256k1_eckey_pubkey_serialize(&q, buf, &size, 1); + VERIFY_CHECK(size == 33); + secp256k1_sha256_write(&sha, buf, 33); + } + + /* Compute C */ + secp256k1_sha256_finalize(&sha, C); + return 1; +} + +static int secp256k1_schnorr_multisig_compute_tweak( + secp256k1_scalar *tweak, + const unsigned char *C, + secp256k1_ge *pubkey +) { + int overflow = 0; + size_t size; + unsigned char buf[33]; + secp256k1_sha256 sha; + secp256k1_sha256_initialize(&sha); + secp256k1_sha256_write(&sha, C, 32); + + secp256k1_eckey_pubkey_serialize(pubkey, buf, &size, 1); + VERIFY_CHECK(size == 33); + secp256k1_sha256_write(&sha, buf, 33); + + secp256k1_sha256_finalize(&sha, buf); + secp256k1_scalar_set_b32(tweak, buf, &overflow); + return !overflow & !secp256k1_scalar_is_zero(tweak); +} + +static int secp256k1_schnorr_multisig_compute_pubkey( + secp256k1_ge *partial_pubkey, + const unsigned char *C, + secp256k1_ge *pubkey +) { + secp256k1_scalar tweak; + secp256k1_gej Qj; + + if (!secp256k1_schnorr_multisig_compute_tweak(&tweak, C, pubkey)) { + return 0; + } + + secp256k1_ecmult_const(&Qj, pubkey, &tweak); + secp256k1_ge_set_gej(partial_pubkey, &Qj); + return 1; +} + +static int secp256k1_schnorr_multisig_compute_privkey( + secp256k1_scalar *partial_privkey, + const unsigned char *C, + const secp256k1_scalar *privkey, + secp256k1_ge *pubkey +) { + secp256k1_scalar tweak; + if (!secp256k1_schnorr_multisig_compute_tweak(&tweak, C, pubkey)) { + return 0; + } + + secp256k1_scalar_mul(partial_privkey, privkey, &tweak); + return 1; +} + +static int secp256k1_schnorr_multisig_combine_keys( + const secp256k1_context *ctx, + secp256k1_ge *combined_pubkey, + const unsigned char *C, + const secp256k1_pubkey *pubkeys, + const size_t nkeys +) { + size_t i; + secp256k1_ge q; + secp256k1_gej Pj; + + /* Aggregate the keys */ + secp256k1_gej_set_infinity(&Pj); + for (i = 0; i < nkeys; i++) { + secp256k1_pubkey_load(ctx, &q, &pubkeys[i]); + if (!secp256k1_schnorr_multisig_compute_pubkey(&q, C, &q)) { + return 0; + } + + /** + * There are more effiscient ways to do this, but this + * is the simplest, and will do for now. + * TODO: Use more effiscient algorithm such as pippenger. + */ + secp256k1_gej_add_ge(&Pj, &Pj, &q); + } + + secp256k1_ge_set_gej(combined_pubkey, &Pj); + return 1; +} + #endif diff --git a/src/secp256k1/src/modules/schnorr/tests_impl.h b/src/secp256k1/src/modules/schnorr/tests_impl.h --- a/src/secp256k1/src/modules/schnorr/tests_impl.h +++ b/src/secp256k1/src/modules/schnorr/tests_impl.h @@ -78,7 +78,7 @@ #undef SIG_COUNT -void run_schnorr_compact_test(void) { +void run_schnorr_test_vectors(void) { { /* Test vector 1 */ static const unsigned char pkbuf[33] = { @@ -507,6 +507,229 @@ CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pkbuf, 33)); CHECK(secp256k1_schnorr_verify(ctx, sig, msg, &pubkey) == 0); } + + { + /* Combine 2 keys */ + static const unsigned char skbuf[2][32] = {{ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + }, { + 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, + 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, + 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, + 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF, + }}; + + static const unsigned char partial_skbuf[2][32] = {{ + 0x50, 0x15, 0x5e, 0x3f, 0x22, 0x43, 0x62, 0x01, + 0x62, 0x69, 0xb5, 0xeb, 0x59, 0x5b, 0xe6, 0x71, + 0x0d, 0xcb, 0x6c, 0xf7, 0x2f, 0x72, 0x01, 0x47, + 0x49, 0x5e, 0x5f, 0x5e, 0x57, 0xb5, 0xd9, 0xb3, + }, { + 0x06, 0xea, 0x81, 0xd7, 0xe3, 0xf3, 0x64, 0x98, + 0xca, 0x79, 0xfa, 0xff, 0x6d, 0x62, 0xad, 0x5b, + 0xbf, 0x6a, 0x69, 0x4a, 0x33, 0x9f, 0x6b, 0xe6, + 0x6b, 0xbb, 0x44, 0x0f, 0x2e, 0x9b, 0x1c, 0x7e, + }}; + + static const unsigned char pkbuf[2][33] = {{ + 0x02, + 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, + 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, 0x07, + 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, + 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, + }, { + 0x02, + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59, + }}; + + static const unsigned char combined_pkbuf[33] = { + 0x02, + 0x3f, 0x65, 0x73, 0xd0, 0xe6, 0x0c, 0x56, 0x97, + 0xc3, 0xf8, 0xe5, 0xce, 0xd7, 0xd5, 0x6e, 0xe1, + 0xcf, 0x3b, 0xb6, 0xc2, 0x7e, 0x9d, 0x22, 0x87, + 0xf8, 0xce, 0xaa, 0xb6, 0x47, 0x61, 0x90, 0x90, + }; + + int i; + unsigned char C[32], computed_pkbuf[33], computed_skbuf[2][32]; + size_t size = 33; + secp256k1_pubkey combined_pubkey; + + secp256k1_pubkey pks[2]; + for (i = 0; i < 2; i++) { + CHECK(secp256k1_ec_pubkey_parse(ctx, &pks[i], pkbuf[i], 33)); + } + + CHECK(secp256k1_schnorr_combine_keys(ctx, C, &combined_pubkey, pks, 2)); + CHECK(secp256k1_ec_pubkey_serialize(ctx, computed_pkbuf, &size, &combined_pubkey, SECP256K1_EC_COMPRESSED)); + CHECK(size == 33); + CHECK(memcmp(combined_pkbuf, computed_pkbuf, size) == 0); + + for (i = 0; i < 2; i++) { + CHECK(secp256k1_schnorr_get_partial_key(ctx, computed_skbuf[i], C, skbuf[i], &pks[i])); + CHECK(memcmp(partial_skbuf[i], computed_skbuf[i], 32) == 0); + } + } + + { + /* Combine 2 opposite keys */ + static const unsigned char skbuf[2][32] = {{ + 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, + 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, + 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, + 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF, + }, { + 0x48, 0x1e, 0xae, 0x9d, 0x75, 0x12, 0xd5, 0x95, + 0x40, 0x8e, 0xa7, 0x7f, 0x63, 0x0b, 0x0c, 0x37, + 0x57, 0xc7, 0xc6, 0xd7, 0x76, 0x93, 0xc5, 0xe5, + 0x18, 0x4d, 0x85, 0x88, 0x7e, 0xa5, 0x71, 0x52, + }}; + + static const unsigned char partial_skbuf[2][32] = {{ + 0xf4, 0xa3, 0x57, 0x59, 0xab, 0x54, 0x88, 0x05, + 0x78, 0x12, 0x25, 0xc0, 0x97, 0x6a, 0xb9, 0x13, + 0x1d, 0x7d, 0xc4, 0xac, 0x3a, 0xcd, 0x6f, 0xa7, + 0xc3, 0xda, 0x99, 0xa8, 0x2f, 0x25, 0x97, 0x58, + }, { + 0x1e, 0x35, 0x02, 0x6d, 0xd7, 0x03, 0x0e, 0x77, + 0xcc, 0x1e, 0x41, 0x7d, 0x9c, 0x32, 0xa2, 0x8d, + 0x17, 0x16, 0x12, 0xba, 0x9e, 0x7d, 0x35, 0xe1, + 0xa3, 0xd8, 0x1b, 0xdd, 0x4b, 0x22, 0x1d, 0x24, + }}; + + static const unsigned char pkbuf[2][33] = {{ + 0x02, + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59, + }, { + 0x03, + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59, + }}; + + static const unsigned char combined_pkbuf[33] = { + 0x02, + 0x41, 0xc3, 0x18, 0xc6, 0x50, 0x7f, 0xec, 0x98, + 0x9c, 0x0d, 0xfd, 0x42, 0x35, 0x3b, 0x67, 0x8b, + 0x93, 0xec, 0xb6, 0x17, 0x7a, 0xd8, 0x6b, 0x16, + 0x0d, 0xe8, 0xc9, 0x39, 0xdd, 0x07, 0x8b, 0xab, + }; + + int i; + unsigned char C[32], computed_pkbuf[33], computed_skbuf[2][32]; + size_t size = 33; + secp256k1_pubkey combined_pubkey; + + secp256k1_pubkey pks[2]; + for (i = 0; i < 2; i++) { + CHECK(secp256k1_ec_pubkey_parse(ctx, &pks[i], pkbuf[i], 33)); + } + + CHECK(secp256k1_schnorr_combine_keys(ctx, C, &combined_pubkey, pks, 2)); + CHECK(secp256k1_ec_pubkey_serialize(ctx, computed_pkbuf, &size, &combined_pubkey, SECP256K1_EC_COMPRESSED)); + CHECK(size == 33); + CHECK(memcmp(combined_pkbuf, computed_pkbuf, size) == 0); + + for (i = 0; i < 2; i++) { + CHECK(secp256k1_schnorr_get_partial_key(ctx, computed_skbuf[i], C, skbuf[i], &pks[i])); + CHECK(memcmp(partial_skbuf[i], computed_skbuf[i], 32) == 0); + } + } + + { + /* Combine 3 keys */ + static const unsigned char skbuf[3][32] = {{ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + }, { + 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, + 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, + 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, + 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF, + }, { + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC7, + }}; + + static const unsigned char partial_skbuf[3][32] = {{ + 0xff, 0x49, 0xbd, 0xf0, 0xff, 0x1e, 0x4d, 0x9c, + 0xa2, 0x32, 0x19, 0x9a, 0x56, 0x98, 0x7a, 0x16, + 0x77, 0xec, 0x95, 0x83, 0xfa, 0x84, 0xb2, 0xbe, + 0xa3, 0x2c, 0x4f, 0xcf, 0x2c, 0x23, 0x17, 0xea, + }, { + 0xca, 0x39, 0x96, 0x91, 0xa4, 0x9e, 0xa4, 0x47, + 0x5f, 0xdb, 0x3b, 0x1f, 0x2e, 0x34, 0xd1, 0xfa, + 0xfc, 0x33, 0xdf, 0x77, 0x55, 0xc3, 0xf3, 0x3e, + 0xf8, 0xfe, 0x18, 0x7d, 0x0f, 0xb7, 0x35, 0x1a, + }, { + 0xe8, 0x3e, 0xff, 0xbb, 0x13, 0x3f, 0xcd, 0x39, + 0xd1, 0x0d, 0xf1, 0x99, 0x93, 0xa0, 0xc1, 0x90, + 0x90, 0xd8, 0x3e, 0x6c, 0x94, 0x59, 0x35, 0xc4, + 0xb5, 0xc6, 0x59, 0x92, 0x61, 0x50, 0xd7, 0xb1, + }}; + + static const unsigned char pkbuf[3][33] = {{ + 0x02, + 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, + 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, 0x07, + 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, + 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, + }, { + 0x02, + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59, + }, { + 0x03, + 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, 0x15, + 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, 0x80, + 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, 0x3C, + 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, 0x4B, + }}; + + static const unsigned char combined_pkbuf[33] = { + 0x02, + 0x7c, 0xba, 0x0b, 0x6a, 0xd6, 0x63, 0xef, 0x22, + 0xa8, 0xa4, 0x22, 0x6e, 0xf5, 0x8b, 0x2b, 0x1a, + 0x57, 0x55, 0x00, 0xe2, 0x5e, 0xa0, 0x67, 0x88, + 0x09, 0xa7, 0x12, 0xac, 0x66, 0x26, 0x00, 0x23, + }; + + int i; + unsigned char C[32], computed_pkbuf[33], computed_skbuf[3][32]; + size_t size = 33; + secp256k1_pubkey combined_pubkey; + + secp256k1_pubkey pks[3]; + for (i = 0; i < 3; i++) { + CHECK(secp256k1_ec_pubkey_parse(ctx, &pks[i], pkbuf[i], 33)); + } + + CHECK(secp256k1_schnorr_combine_keys(ctx, C, &combined_pubkey, pks, 3)); + CHECK(secp256k1_ec_pubkey_serialize(ctx, computed_pkbuf, &size, &combined_pubkey, SECP256K1_EC_COMPRESSED)); + CHECK(size == 33); + CHECK(memcmp(combined_pkbuf, computed_pkbuf, size) == 0); + + for (i = 0; i < 3; i++) { + CHECK(secp256k1_schnorr_get_partial_key(ctx, computed_skbuf[i], C, skbuf[i], &pks[i])); + CHECK(memcmp(partial_skbuf[i], computed_skbuf[i], 32) == 0); + } + } } void run_schnorr_tests(void) { @@ -516,7 +739,7 @@ } test_schnorr_sign_verify(); - run_schnorr_compact_test(); + run_schnorr_test_vectors(); } #endif