btcec/schnorr/musig2: add infinity testvectors

This commit adds the testvectors from jonasnick/bips@20ba031
btcsuite · Jun 29, 2022 · fa58633 · fa58633
1 parent c3d7c35
commit fa58633
Showing 1 changed file with 40 additions and 9 deletions.
diff --git a/btcec/schnorr/musig2/musig2_test.go b/btcec/schnorr/musig2/musig2_test.go
@@ -285,6 +285,7 @@ var (
 	signExpected1 = mustParseHex("68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B")
 	signExpected2 = mustParseHex("2DF67BFFF18E3DE797E13C6475C963048138DAEC5CB20A357CECA7C8424295EA")
 	signExpected3 = mustParseHex("0D5B651E6DE34A29A12DE7A8B4183B4AE6A7F7FBE15CDCAFA4A3D1BCAABC7517")
+	signExpected4 = mustParseHex("8D5E0407FB4756EEBCD86264C32D792EE36EEB69E952BBB30B8E41BEBC4D22FA")
 
 	signSetKeys = [][]byte{signSetPubKey, signSetKey2, signSetKey3, invalidPk1}
 
@@ -296,6 +297,8 @@ var (
 		"0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798")
 	verifyPnonce3 = mustParsePubNonce("032DE2662628C90B03F5E720284EB52FF7D71F4284F627B68A853D78C78E1FFE93" +
 		"03E4C5524E83FFE1493B9077CF1CA6BEB2090C93D930321071AD40B2F44E599046")
+	verifyPnonce4 = mustParsePubNonce("0237C87821AFD50A8644D820A8F3E02E499C931865C2360FB43D0A0D20DAFE07EA" +
+		"0387BF891D2A6DEAEBADC909352AA9405D1428C15F4B75F04DAE642A95C2548480")
 
 	tweak1 = KeyTweakDesc{
 		Tweak: [32]byte{
@@ -413,15 +416,21 @@ func TestMuSig2SigningTestVectors(t *testing.T) {
 			aggNonce:           aggregatedNonce,
 			expectedPartialSig: signExpected3,
 		},
+		// Vector 4 Both halves of aggregate nonce correspond to point at infinity
+		{
+			keyOrder:           []int{0, 1},
+			aggNonce:           mustNonceAgg([][66]byte{verifyPnonce1, verifyPnonce4}),
+			expectedPartialSig: signExpected4,
+		},
 
-		// Vector 4: Signer 2 provided an invalid public key
+		// Vector 5: Signer 2 provided an invalid public key
 		{
 			keyOrder:      []int{1, 0, 3},
 			aggNonce:      aggregatedNonce,
 			expectedError: secp256k1.ErrPubKeyNotOnCurve,
 		},
 
-		// Vector 5: Aggregate nonce is invalid due wrong tag, 0x04,
+		// Vector 6: Aggregate nonce is invalid due wrong tag, 0x04,
 		// in the first half.
 		{
 
@@ -432,7 +441,7 @@ func TestMuSig2SigningTestVectors(t *testing.T) {
 			expectedError: secp256k1.ErrPubKeyInvalidFormat,
 		},
 
-		// Vector 6: Aggregate nonce is invalid because the second half
+		// Vector 7: Aggregate nonce is invalid because the second half
 		// does not correspond to an X coordinate.
 		{
 
@@ -443,7 +452,7 @@ func TestMuSig2SigningTestVectors(t *testing.T) {
 			expectedError: secp256k1.ErrPubKeyNotOnCurve,
 		},
 
-		// Vector 7: Aggregate nonce is invalid because the second half
+		// Vector 8: Aggregate nonce is invalid because the second half
 		// exceeds field size.
 		{
 
@@ -667,7 +676,7 @@ func TestMusig2PartialSigVerifyTestVectors(t *testing.T) {
 				genTweakParity(tweak4, false),
 			},
 		},
-		// Vector 8
+		// Vector 9
 		{
 
 			partialSig:    signExpected1,
@@ -679,7 +688,7 @@ func TestMusig2PartialSigVerifyTestVectors(t *testing.T) {
 				verifyPnonce3,
 			},
 		},
-		// Vector 9
+		// Vector 10
 		{
 
 			partialSig:    signExpected2,
@@ -691,7 +700,7 @@ func TestMusig2PartialSigVerifyTestVectors(t *testing.T) {
 				verifyPnonce3,
 			},
 		},
-		// Vector 10
+		// Vector 11
 		{
 
 			partialSig:    signExpected3,
@@ -703,7 +712,18 @@ func TestMusig2PartialSigVerifyTestVectors(t *testing.T) {
 				verifyPnonce1,
 			},
 		},
-		// Vector 11: Wrong signature (which is equal to the negation of valid signature expected[0])
+		// Vector 12: Both halves of aggregate nonce correspond to point at infinity
+		{
+
+			partialSig:    signExpected4,
+			pubnonceIndex: 0,
+			keyOrder:      []int{0, 1},
+			nonces: [][66]byte{
+				verifyPnonce1,
+				verifyPnonce4,
+			},
+		},
+		// Vector 13: Wrong signature (which is equal to the negation of valid signature expected[0])
 		{
 
 			partialSig:    mustParseHex("97AC833ADCB1AFA42EBF9E0725616F3C9A0D5B614F6FE283CEAAA37A8FFAF406"),
@@ -1373,7 +1393,7 @@ func TestMusig2AggregateNoncesTestVectors(t *testing.T) {
 				append(append([]byte{}, pNonce1[0:33]...), getGBytes()...),
 				append(append([]byte{}, pNonce2[0:33]...), getNegGBytes()...),
 			},
-			expectedNonce: append(append([]byte{}, expectedNonce[0:33]...), getGBytes()...),
+			expectedNonce: append(append([]byte{}, expectedNonce[0:33]...), getInfinityBytes()...),
 		},
 	}
 	for i, testCase := range testCases {
@@ -1665,6 +1685,13 @@ func aggNonceToPubkey(combinedNonce [66]byte, combinedKey *AggregateKey, msg [32
 	), nil
 
 }
+func mustNonceAgg(nonces [][66]byte) [66]byte {
+	aggNonce, err := AggregateNonces(nonces)
+	if err != nil {
+		panic("can't aggregate nonces")
+	}
+	return aggNonce
+}
 
 func memsetLoop(a []byte, v uint8) {
 	for i := range a {
@@ -1697,6 +1724,10 @@ func getNegGBytes() []byte {
 	return pk
 }
 
+func getInfinityBytes() []byte {
+	return make([]byte, 33)
+}
+
 func mustParseHex32(str string) [32]byte {
 	b, err := hex.DecodeString(str)
 	if err != nil {