From 2320184d0ea87279558a8e6cbb3bccf5ba1bb781 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Wed, 30 Jul 2025 16:34:36 -0700
Subject: [PATCH 01/17] descriptors: Fix meaning of any_key_parsed

Invert any_key_parsed so that the name matches the behavior.
---
 src/script/descriptor.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/script/descriptor.cpp b/src/script/descriptor.cpp
index bd819d365ae..83a561a7e78 100644
--- a/src/script/descriptor.cpp
+++ b/src/script/descriptor.cpp
@@ -1843,20 +1843,20 @@ std::vector<std::unique_ptr<PubkeyProvider>> ParsePubkey(uint32_t& key_exp_index
         bool any_ranged = false;
         bool all_bip32 = true;
         std::vector<std::vector<std::unique_ptr<PubkeyProvider>>> providers;
-        bool any_key_parsed = true;
+        bool any_key_parsed = false;
         size_t max_multipath_len = 0;
         while (expr.size()) {
-            if (!any_key_parsed && !Const(",", expr)) {
+            if (any_key_parsed && !Const(",", expr)) {
                 error = strprintf("musig(): expected ',', got '%c'", expr[0]);
                 return {};
             }
-            any_key_parsed = false;
             auto arg = Expr(expr);
             auto pk = ParsePubkey(key_exp_index, arg, ParseScriptContext::MUSIG, out, error);
             if (pk.empty()) {
                 error = strprintf("musig(): %s", error);
                 return {};
             }
+            any_key_parsed = true;
 
             any_ranged = any_ranged || pk.at(0)->IsRange();
             all_bip32 = all_bip32 &&  pk.at(0)->IsBIP32();
@@ -1866,7 +1866,7 @@ std::vector<std::unique_ptr<PubkeyProvider>> ParsePubkey(uint32_t& key_exp_index
             providers.emplace_back(std::move(pk));
             key_exp_index++;
         }
-        if (any_key_parsed) {
+        if (!any_key_parsed) {
             error = "musig(): Must contain key expressions";
             return {};
         }

From 39a63bf2e7e38dd3f30b5d1a8f6b2fff0e380d12 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Wed, 30 Jul 2025 16:36:12 -0700
Subject: [PATCH 02/17] descriptors: Add a doxygen comment for has_hardened
 output_parameter

---
 src/script/descriptor.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/script/descriptor.cpp b/src/script/descriptor.cpp
index 83a561a7e78..3a402702178 100644
--- a/src/script/descriptor.cpp
+++ b/src/script/descriptor.cpp
@@ -1647,6 +1647,7 @@ std::optional<uint32_t> ParseKeyPathNum(std::span<const char> elem, bool& apostr
  * @param[out] apostrophe only updated if hardened derivation is found
  * @param[out] error parsing error message
  * @param[in] allow_multipath Allows the parsed path to use the multipath specifier
+ * @param[out] has_hardened Records whether the path contains any hardened derivation
  * @returns false if parsing failed
  **/
 [[nodiscard]] bool ParseKeyPath(const std::vector<std::span<const char>>& split, std::vector<KeyPath>& out, bool& apostrophe, std::string& error, bool allow_multipath, bool& has_hardened)

From a4cfddda644f1fc9a815b2d16c997716cd63554a Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Wed, 30 Jul 2025 16:36:54 -0700
Subject: [PATCH 03/17] tests: Clarify why musig derivation adds a pubkey and
 xpub

---
 src/test/descriptor_tests.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/test/descriptor_tests.cpp b/src/test/descriptor_tests.cpp
index 4dc94134278..69ae51610eb 100644
--- a/src/test/descriptor_tests.cpp
+++ b/src/test/descriptor_tests.cpp
@@ -52,7 +52,7 @@ constexpr int XONLY_KEYS = 1 << 6; // X-only pubkeys are in use (and thus inferr
 constexpr int MISSING_PRIVKEYS = 1 << 7; // Not all private keys are available, so ToPrivateString will fail.
 constexpr int SIGNABLE_FAILS = 1 << 8; // We can sign with this descriptor, but actually trying to sign will fail
 constexpr int MUSIG = 1 << 9; // This is a MuSig so key counts will have an extra key
-constexpr int MUSIG_DERIVATION = 1 << 10; // MuSig with derivation from the aggregate key
+constexpr int MUSIG_DERIVATION = 1 << 10; // MuSig with BIP 328 derivation from the aggregate key
 constexpr int MIXED_MUSIG = 1 << 11; // Both MuSig and normal key expressions are present
 constexpr int UNIQUE_XPUBS = 1 << 12; // Whether the xpub count should be of unique xpubs
 
@@ -315,6 +315,7 @@ void DoCheck(std::string prv, std::string pub, const std::string& norm_pub, int
             size_t num_xpubs = CountXpubs(pub1);
             size_t num_unique_xpubs = CountUniqueXpubs(pub1);
             if (flags & MUSIG_DERIVATION) {
+                // Deriving from the aggregate will include the synthetic xpub of the aggregate in the caches and SigningProviders.
                 num_xpubs++;
                 num_unique_xpubs++;
             }

From fb8720f1e09f4e41802f07be53fb220d6f6c127f Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 5 Feb 2024 15:09:40 -0500
Subject: [PATCH 04/17] sign: Refactor Schnorr sighash computation out of
 CreateSchnorrSig

There will be other functions within MutableTransactionSignatureCreator
that need to compute the same sighash, so make it a separate member
function.
---
 src/script/sign.cpp | 26 ++++++++++++++++++--------
 src/script/sign.h   |  2 ++
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index 33cbc38be41..1e40d5328fc 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -59,17 +59,14 @@ bool MutableTransactionSignatureCreator::CreateSig(const SigningProvider& provid
     return true;
 }
 
-bool MutableTransactionSignatureCreator::CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const
+std::optional<uint256> MutableTransactionSignatureCreator::ComputeSchnorrSignatureHash(const uint256* leaf_hash, SigVersion sigversion) const
 {
     assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
 
-    CKey key;
-    if (!provider.GetKeyByXOnly(pubkey, key)) return false;
-
     // BIP341/BIP342 signing needs lots of precomputed transaction data. While some
     // (non-SIGHASH_DEFAULT) sighash modes exist that can work with just some subset
     // of data present, for now, only support signing when everything is provided.
-    if (!m_txdata || !m_txdata->m_bip341_taproot_ready || !m_txdata->m_spent_outputs_ready) return false;
+    if (!m_txdata || !m_txdata->m_bip341_taproot_ready || !m_txdata->m_spent_outputs_ready) return std::nullopt;
 
     ScriptExecutionData execdata;
     execdata.m_annex_init = true;
@@ -77,15 +74,28 @@ bool MutableTransactionSignatureCreator::CreateSchnorrSig(const SigningProvider&
     if (sigversion == SigVersion::TAPSCRIPT) {
         execdata.m_codeseparator_pos_init = true;
         execdata.m_codeseparator_pos = 0xFFFFFFFF; // Only support non-OP_CODESEPARATOR BIP342 signing for now.
-        if (!leaf_hash) return false; // BIP342 signing needs leaf hash.
+        if (!leaf_hash) return std::nullopt; // BIP342 signing needs leaf hash.
         execdata.m_tapleaf_hash_init = true;
         execdata.m_tapleaf_hash = *leaf_hash;
     }
     uint256 hash;
-    if (!SignatureHashSchnorr(hash, execdata, m_txto, nIn, nHashType, sigversion, *m_txdata, MissingDataBehavior::FAIL)) return false;
+    if (!SignatureHashSchnorr(hash, execdata, m_txto, nIn, nHashType, sigversion, *m_txdata, MissingDataBehavior::FAIL)) return std::nullopt;
+    return hash;
+}
+
+bool MutableTransactionSignatureCreator::CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const
+{
+    assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
+
+    CKey key;
+    if (!provider.GetKeyByXOnly(pubkey, key)) return false;
+
+    std::optional<uint256> hash = ComputeSchnorrSignatureHash(leaf_hash, sigversion);
+    if (!hash.has_value()) return false;
+
     sig.resize(64);
     // Use uint256{} as aux_rnd for now.
-    if (!key.SignSchnorr(hash, sig, merkle_root, {})) return false;
+    if (!key.SignSchnorr(*hash, sig, merkle_root, {})) return false;
     if (nHashType) sig.push_back(nHashType);
     return true;
 }
diff --git a/src/script/sign.h b/src/script/sign.h
index fe2c470bc64..5af6392b128 100644
--- a/src/script/sign.h
+++ b/src/script/sign.h
@@ -45,6 +45,8 @@ class MutableTransactionSignatureCreator : public BaseSignatureCreator
     const MutableTransactionSignatureChecker checker;
     const PrecomputedTransactionData* m_txdata;
 
+    std::optional<uint256> ComputeSchnorrSignatureHash(const uint256* leaf_hash, SigVersion sigversion) const;
+
 public:
     MutableTransactionSignatureCreator(const CMutableTransaction& tx LIFETIMEBOUND, unsigned int input_idx, const CAmount& amount, int hash_type);
     MutableTransactionSignatureCreator(const CMutableTransaction& tx LIFETIMEBOUND, unsigned int input_idx, const CAmount& amount, const PrecomputedTransactionData* txdata, int hash_type);

From f14876213aad0e67088b75cae24323db9f2576d8 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Tue, 16 Sep 2025 16:09:31 -0700
Subject: [PATCH 05/17] musig: Move synthetic xpub construction to its own
 function

---
 src/musig.cpp             | 11 +++++++++++
 src/musig.h               |  3 +++
 src/script/descriptor.cpp |  8 +-------
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/musig.cpp b/src/musig.cpp
index b3329543127..85074796cbf 100644
--- a/src/musig.cpp
+++ b/src/musig.cpp
@@ -51,3 +51,14 @@ std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkey
     }
     return GetCPubKeyFromMuSig2KeyAggCache(keyagg_cache);
 }
+
+CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey)
+{
+    CExtPubKey extpub;
+    extpub.nDepth = 0;
+    std::memset(extpub.vchFingerprint, 0, 4);
+    extpub.nChild = 0;
+    extpub.chaincode = MUSIG_CHAINCODE;
+    extpub.pubkey = pubkey;
+    return extpub;
+}
diff --git a/src/musig.h b/src/musig.h
index d46a67f65ec..0bc1f5ff6f1 100644
--- a/src/musig.h
+++ b/src/musig.h
@@ -23,4 +23,7 @@ std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_ca
 //! Compute the full aggregate pubkey from the given participant pubkeys in their current order
 std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys);
 
+//! Construct the BIP 328 synthetic xpub for a pubkey
+CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey);
+
 #endif // BITCOIN_MUSIG_H
diff --git a/src/script/descriptor.cpp b/src/script/descriptor.cpp
index 3a402702178..d0436702124 100644
--- a/src/script/descriptor.cpp
+++ b/src/script/descriptor.cpp
@@ -641,13 +641,7 @@ public:
             // Make our pubkey provider
             if (IsRangedDerivation() || !m_path.empty()) {
                 // Make the synthetic xpub and construct the BIP32PubkeyProvider
-                CExtPubKey extpub;
-                extpub.nDepth = 0;
-                std::memset(extpub.vchFingerprint, 0, 4);
-                extpub.nChild = 0;
-                extpub.chaincode = MUSIG_CHAINCODE;
-                extpub.pubkey = m_aggregate_pubkey.value();
-
+                CExtPubKey extpub = CreateMuSig2SyntheticXpub(m_aggregate_pubkey.value());
                 m_aggregate_provider = std::make_unique<BIP32PubkeyProvider>(m_expr_index, extpub, m_path, m_derive, /*apostrophe=*/false);
             } else {
                 m_aggregate_provider = std::make_unique<ConstPubkeyProvider>(m_expr_index, m_aggregate_pubkey.value(), /*xonly=*/false);

From 4b24bfeab9d6732aae3e69efd33105792ef1198f Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 4 Mar 2024 15:40:00 -0500
Subject: [PATCH 06/17] pubkey: Return tweaks from BIP32 derivation

MuSig2 needs the BIP32 derivation tweaks in order to sign with a key
derived from the aggregate pubkey.
---
 src/pubkey.cpp | 9 ++++++---
 src/pubkey.h   | 4 ++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/pubkey.cpp b/src/pubkey.cpp
index 6041c89e7f1..264f861bc7a 100644
--- a/src/pubkey.cpp
+++ b/src/pubkey.cpp
@@ -338,13 +338,16 @@ bool CPubKey::Decompress() {
     return true;
 }
 
-bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
+bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc, uint256* bip32_tweak_out) const {
     assert(IsValid());
     assert((nChild >> 31) == 0);
     assert(size() == COMPRESSED_SIZE);
     unsigned char out[64];
     BIP32Hash(cc, nChild, *begin(), begin()+1, out);
     memcpy(ccChild.begin(), out+32, 32);
+    if (bip32_tweak_out) {
+        memcpy(bip32_tweak_out->begin(), out, 32);
+    }
     secp256k1_pubkey pubkey;
     if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
         return false;
@@ -409,13 +412,13 @@ void CExtPubKey::DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VE
     Decode(&code[4]);
 }
 
-bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
+bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild, uint256* bip32_tweak_out) const {
     if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
     out.nDepth = nDepth + 1;
     CKeyID id = pubkey.GetID();
     memcpy(out.vchFingerprint, &id, 4);
     out.nChild = _nChild;
-    return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
+    return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode, bip32_tweak_out);
 }
 
 /* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
diff --git a/src/pubkey.h b/src/pubkey.h
index 442dc2d6431..5ae7f75dde9 100644
--- a/src/pubkey.h
+++ b/src/pubkey.h
@@ -224,7 +224,7 @@ public:
     bool Decompress();
 
     //! Derive BIP32 child pubkey.
-    [[nodiscard]] bool Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;
+    [[nodiscard]] bool Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc, uint256* bip32_tweak_out = nullptr) const;
 };
 
 class XOnlyPubKey
@@ -379,7 +379,7 @@ struct CExtPubKey {
     void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
     void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const;
     void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]);
-    [[nodiscard]] bool Derive(CExtPubKey& out, unsigned int nChild) const;
+    [[nodiscard]] bool Derive(CExtPubKey& out, unsigned int nChild, uint256* bip32_tweak_out = nullptr) const;
 };
 
 #endif // BITCOIN_PUBKEY_H

From 9baff05e494443cd82708490f384aa3034ad43bd Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 4 Mar 2024 17:53:37 -0500
Subject: [PATCH 07/17] sign: Include taproot output key's KeyOriginInfo in
 sigdata

---
 src/script/sign.cpp | 14 +++++++++++---
 src/script/sign.h   |  2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index 1e40d5328fc..8575c0b90da 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -355,11 +355,19 @@ static bool SignTaproot(const SigningProvider& provider, const BaseSignatureCrea
 
     // Try key path spending.
     {
-        KeyOriginInfo info;
-        if (provider.GetKeyOriginByXOnly(sigdata.tr_spenddata.internal_key, info)) {
+        KeyOriginInfo internal_key_info;
+        if (provider.GetKeyOriginByXOnly(sigdata.tr_spenddata.internal_key, internal_key_info)) {
             auto it = sigdata.taproot_misc_pubkeys.find(sigdata.tr_spenddata.internal_key);
             if (it == sigdata.taproot_misc_pubkeys.end()) {
-                sigdata.taproot_misc_pubkeys.emplace(sigdata.tr_spenddata.internal_key, std::make_pair(std::set<uint256>(), info));
+                sigdata.taproot_misc_pubkeys.emplace(sigdata.tr_spenddata.internal_key, std::make_pair(std::set<uint256>(), internal_key_info));
+            }
+        }
+
+        KeyOriginInfo output_key_info;
+        if (provider.GetKeyOriginByXOnly(output, output_key_info)) {
+            auto it = sigdata.taproot_misc_pubkeys.find(output);
+            if (it == sigdata.taproot_misc_pubkeys.end()) {
+                sigdata.taproot_misc_pubkeys.emplace(output, std::make_pair(std::set<uint256>(), output_key_info));
             }
         }
 
diff --git a/src/script/sign.h b/src/script/sign.h
index 5af6392b128..fea937108ba 100644
--- a/src/script/sign.h
+++ b/src/script/sign.h
@@ -80,7 +80,7 @@ struct SignatureData {
     std::map<CKeyID, std::pair<CPubKey, KeyOriginInfo>> misc_pubkeys;
     std::vector<unsigned char> taproot_key_path_sig; /// Schnorr signature for key path spending
     std::map<std::pair<XOnlyPubKey, uint256>, std::vector<unsigned char>> taproot_script_sigs; ///< (Partial) schnorr signatures, indexed by XOnlyPubKey and leaf_hash.
-    std::map<XOnlyPubKey, std::pair<std::set<uint256>, KeyOriginInfo>> taproot_misc_pubkeys; ///< Miscellaneous Taproot pubkeys involved in this input along with their leaf script hashes and key origin data. Also includes the Taproot internal key (may have no leaf script hashes).
+    std::map<XOnlyPubKey, std::pair<std::set<uint256>, KeyOriginInfo>> taproot_misc_pubkeys; ///< Miscellaneous Taproot pubkeys involved in this input along with their leaf script hashes and key origin data. Also includes the Taproot internal and output keys (may have no leaf script hashes).
     std::map<CKeyID, XOnlyPubKey> tap_pubkeys; ///< Misc Taproot pubkeys involved in this input, by hash. (Equivalent of misc_pubkeys but for Taproot.)
     std::vector<CKeyID> missing_pubkeys; ///< KeyIDs of pubkeys which could not be found
     std::vector<CKeyID> missing_sigs; ///< KeyIDs of pubkeys for signatures which could not be found

From c06a1dc86ff2347538e95041ab7b97af25342958 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 25 Mar 2024 16:13:58 -0400
Subject: [PATCH 08/17] Add MuSig2SecNonce class for secure allocation of musig
 nonces

---
 src/musig.cpp | 41 +++++++++++++++++++++++++++++++++++++++++
 src/musig.h   | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)

diff --git a/src/musig.cpp b/src/musig.cpp
index 85074796cbf..c361a7ea890 100644
--- a/src/musig.cpp
+++ b/src/musig.cpp
@@ -3,6 +3,7 @@
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 #include <musig.h>
+#include <support/allocators/secure.h>
 
 #include <secp256k1_musig.h>
 
@@ -62,3 +63,43 @@ CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey)
     extpub.pubkey = pubkey;
     return extpub;
 }
+
+class MuSig2SecNonceImpl
+{
+private:
+    //! The actual secnonce itself
+    secure_unique_ptr<secp256k1_musig_secnonce> m_nonce;
+
+public:
+    MuSig2SecNonceImpl() : m_nonce{make_secure_unique<secp256k1_musig_secnonce>()} {}
+
+    // Delete copy constructors
+    MuSig2SecNonceImpl(const MuSig2SecNonceImpl&) = delete;
+    MuSig2SecNonceImpl& operator=(const MuSig2SecNonceImpl&) = delete;
+
+    secp256k1_musig_secnonce* Get() const { return m_nonce.get(); }
+    void Invalidate() { m_nonce.reset(); }
+    bool IsValid() { return m_nonce != nullptr; }
+};
+
+MuSig2SecNonce::MuSig2SecNonce() : m_impl{std::make_unique<MuSig2SecNonceImpl>()} {}
+
+MuSig2SecNonce::MuSig2SecNonce(MuSig2SecNonce&&) noexcept = default;
+MuSig2SecNonce& MuSig2SecNonce::operator=(MuSig2SecNonce&&) noexcept = default;
+
+MuSig2SecNonce::~MuSig2SecNonce() = default;
+
+secp256k1_musig_secnonce* MuSig2SecNonce::Get() const
+{
+    return m_impl->Get();
+}
+
+void MuSig2SecNonce::Invalidate()
+{
+    return m_impl->Invalidate();
+}
+
+bool MuSig2SecNonce::IsValid()
+{
+    return m_impl->IsValid();
+}
diff --git a/src/musig.h b/src/musig.h
index 0bc1f5ff6f1..40da1f10b97 100644
--- a/src/musig.h
+++ b/src/musig.h
@@ -11,6 +11,8 @@
 #include <vector>
 
 struct secp256k1_musig_keyagg_cache;
+class MuSig2SecNonceImpl;
+struct secp256k1_musig_secnonce;
 
 //! MuSig2 chaincode as defined by BIP 328
 using namespace util::hex_literals;
@@ -26,4 +28,35 @@ std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkey
 //! Construct the BIP 328 synthetic xpub for a pubkey
 CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey);
 
+/**
+ * MuSig2SecNonce encapsulates a secret nonce in use in a MuSig2 signing session.
+ * Since this nonce persists outside of libsecp256k1 signing code, we must handle
+ * its construction and destruction ourselves.
+ * The secret nonce must be kept a secret, otherwise the private key may be leaked.
+ * As such, it needs to be treated in the same way that CKeys are treated.
+ * So this class handles the secure allocation of the secp256k1_musig_secnonce object
+ * that libsecp256k1 uses, and only gives out references to this object to avoid
+ * any possibility of copies being made. Furthermore, objects of this class are not
+ * copyable to avoid nonce reuse.
+*/
+class MuSig2SecNonce
+{
+private:
+    std::unique_ptr<MuSig2SecNonceImpl> m_impl;
+
+public:
+    MuSig2SecNonce();
+    MuSig2SecNonce(MuSig2SecNonce&&) noexcept;
+    MuSig2SecNonce& operator=(MuSig2SecNonce&&) noexcept;
+    ~MuSig2SecNonce();
+
+    // Delete copy constructors
+    MuSig2SecNonce(const MuSig2SecNonce&) = delete;
+    MuSig2SecNonce& operator=(const MuSig2SecNonce&) = delete;
+
+    secp256k1_musig_secnonce* Get() const;
+    void Invalidate();
+    bool IsValid();
+};
+
 #endif // BITCOIN_MUSIG_H

From 4d8b4f53363f013ed3972997f0b05b9c19e9db9d Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 5 Feb 2024 16:49:09 -0500
Subject: [PATCH 09/17] signingprovider: Add musig2 secnonces

Adds GetMuSig2SecNonces which returns secp256k1_musig_secnonce*, and
DeleteMuSig2Session which removes the MuSig2 secnonce from wherever it
was retrieved. FlatSigningProvider stores it as a pointer to a map of
session id to secnonce so that deletion will actually delete from the
object that actually owns the secnonces.

The session id is just a unique identifier for the caller to determine
what secnonces have been created.
---
 src/script/signingprovider.cpp | 37 ++++++++++++++++++++++++++++++++++
 src/script/signingprovider.h   | 14 +++++++++++++
 2 files changed, 51 insertions(+)

diff --git a/src/script/signingprovider.cpp b/src/script/signingprovider.cpp
index 792796b0f14..846f0c98da2 100644
--- a/src/script/signingprovider.cpp
+++ b/src/script/signingprovider.cpp
@@ -58,6 +58,21 @@ std::vector<CPubKey> HidingSigningProvider::GetMuSig2ParticipantPubkeys(const CP
     return m_provider->GetMuSig2ParticipantPubkeys(pubkey);
 }
 
+void HidingSigningProvider::SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const
+{
+    m_provider->SetMuSig2SecNonce(id, std::move(nonce));
+}
+
+std::optional<std::reference_wrapper<MuSig2SecNonce>> HidingSigningProvider::GetMuSig2SecNonce(const uint256& session_id) const
+{
+    return m_provider->GetMuSig2SecNonce(session_id);
+}
+
+void HidingSigningProvider::DeleteMuSig2Session(const uint256& session_id) const
+{
+    m_provider->DeleteMuSig2Session(session_id);
+}
+
 bool FlatSigningProvider::GetCScript(const CScriptID& scriptid, CScript& script) const { return LookupHelper(scripts, scriptid, script); }
 bool FlatSigningProvider::GetPubKey(const CKeyID& keyid, CPubKey& pubkey) const { return LookupHelper(pubkeys, keyid, pubkey); }
 bool FlatSigningProvider::GetKeyOrigin(const CKeyID& keyid, KeyOriginInfo& info) const
@@ -94,6 +109,26 @@ std::vector<CPubKey> FlatSigningProvider::GetMuSig2ParticipantPubkeys(const CPub
     return participant_pubkeys;
 }
 
+void FlatSigningProvider::SetMuSig2SecNonce(const uint256& session_id, MuSig2SecNonce&& nonce) const
+{
+    if (!Assume(musig2_secnonces)) return;
+    musig2_secnonces->emplace(session_id, std::move(nonce));
+}
+
+std::optional<std::reference_wrapper<MuSig2SecNonce>> FlatSigningProvider::GetMuSig2SecNonce(const uint256& session_id) const
+{
+    if (!Assume(musig2_secnonces)) return std::nullopt;
+    const auto& it = musig2_secnonces->find(session_id);
+    if (it == musig2_secnonces->end()) return std::nullopt;
+    return it->second;
+}
+
+void FlatSigningProvider::DeleteMuSig2Session(const uint256& session_id) const
+{
+    if (!Assume(musig2_secnonces)) return;
+    musig2_secnonces->erase(session_id);
+}
+
 FlatSigningProvider& FlatSigningProvider::Merge(FlatSigningProvider&& b)
 {
     scripts.merge(b.scripts);
@@ -102,6 +137,8 @@ FlatSigningProvider& FlatSigningProvider::Merge(FlatSigningProvider&& b)
     origins.merge(b.origins);
     tr_trees.merge(b.tr_trees);
     aggregate_pubkeys.merge(b.aggregate_pubkeys);
+    // We shouldn't be merging 2 different sessions, just overwrite with b's sessions.
+    if (!musig2_secnonces) musig2_secnonces = b.musig2_secnonces;
     return *this;
 }
 
diff --git a/src/script/signingprovider.h b/src/script/signingprovider.h
index 1da58bf6f92..cc917cc6c63 100644
--- a/src/script/signingprovider.h
+++ b/src/script/signingprovider.h
@@ -9,11 +9,15 @@
 #include <addresstype.h>
 #include <attributes.h>
 #include <key.h>
+#include <musig.h>
 #include <pubkey.h>
 #include <script/keyorigin.h>
 #include <script/script.h>
 #include <sync.h>
 
+#include <functional>
+#include <optional>
+
 struct ShortestVectorFirstComparator
 {
     bool operator()(const std::vector<unsigned char>& a, const std::vector<unsigned char>& b) const
@@ -162,6 +166,9 @@ public:
     virtual bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const { return false; }
     virtual bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const { return false; }
     virtual std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const { return {}; }
+    virtual void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const {}
+    virtual std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const { return std::nullopt; }
+    virtual void DeleteMuSig2Session(const uint256& session_id) const {}
 
     bool GetKeyByXOnly(const XOnlyPubKey& pubkey, CKey& key) const
     {
@@ -206,6 +213,9 @@ public:
     bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override;
     bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override;
     std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const override;
+    void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const override;
+    std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const override;
+    void DeleteMuSig2Session(const uint256& session_id) const override;
 };
 
 struct FlatSigningProvider final : public SigningProvider
@@ -216,6 +226,7 @@ struct FlatSigningProvider final : public SigningProvider
     std::map<CKeyID, CKey> keys;
     std::map<XOnlyPubKey, TaprootBuilder> tr_trees; /** Map from output key to Taproot tree (which can then make the TaprootSpendData */
     std::map<CPubKey, std::vector<CPubKey>> aggregate_pubkeys; /** MuSig2 aggregate pubkeys */
+    std::map<uint256, MuSig2SecNonce>* musig2_secnonces{nullptr};
 
     bool GetCScript(const CScriptID& scriptid, CScript& script) const override;
     bool GetPubKey(const CKeyID& keyid, CPubKey& pubkey) const override;
@@ -225,6 +236,9 @@ struct FlatSigningProvider final : public SigningProvider
     bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override;
     bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override;
     std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const override;
+    void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const override;
+    std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const override;
+    void DeleteMuSig2Session(const uint256& session_id) const override;
 
     FlatSigningProvider& Merge(FlatSigningProvider&& b) LIFETIMEBOUND;
 };

From d99a081679e16668458512aba2fd13a3e1bdb09f Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 19 Feb 2024 15:28:21 -0500
Subject: [PATCH 10/17] psbt: MuSig2 data in Fill/FromSignatureData

---
 src/psbt.cpp      | 24 ++++++++++++++++++++++++
 src/script/sign.h |  6 ++++++
 2 files changed, 30 insertions(+)

diff --git a/src/psbt.cpp b/src/psbt.cpp
index 28ccdcb1eaa..92ddcba6a59 100644
--- a/src/psbt.cpp
+++ b/src/psbt.cpp
@@ -149,6 +149,13 @@ void PSBTInput::FillSignatureData(SignatureData& sigdata) const
     for (const auto& [hash, preimage] : hash256_preimages) {
         sigdata.hash256_preimages.emplace(std::vector<unsigned char>(hash.begin(), hash.end()), preimage);
     }
+    sigdata.musig2_pubkeys.insert(m_musig2_participants.begin(), m_musig2_participants.end());
+    for (const auto& [agg_key_lh, pubnonces] : m_musig2_pubnonces) {
+        sigdata.musig2_pubnonces[agg_key_lh].insert(pubnonces.begin(), pubnonces.end());
+    }
+    for (const auto& [agg_key_lh, psigs] : m_musig2_partial_sigs) {
+        sigdata.musig2_partial_sigs[agg_key_lh].insert(psigs.begin(), psigs.end());
+    }
 }
 
 void PSBTInput::FromSignatureData(const SignatureData& sigdata)
@@ -196,6 +203,13 @@ void PSBTInput::FromSignatureData(const SignatureData& sigdata)
     for (const auto& [pubkey, leaf_origin] : sigdata.taproot_misc_pubkeys) {
         m_tap_bip32_paths.emplace(pubkey, leaf_origin);
     }
+    m_musig2_participants.insert(sigdata.musig2_pubkeys.begin(), sigdata.musig2_pubkeys.end());
+    for (const auto& [agg_key_lh, pubnonces] : sigdata.musig2_pubnonces) {
+        m_musig2_pubnonces[agg_key_lh].insert(pubnonces.begin(), pubnonces.end());
+    }
+    for (const auto& [agg_key_lh, psigs] : sigdata.musig2_partial_sigs) {
+        m_musig2_partial_sigs[agg_key_lh].insert(psigs.begin(), psigs.end());
+    }
 }
 
 void PSBTInput::Merge(const PSBTInput& input)
@@ -223,6 +237,13 @@ void PSBTInput::Merge(const PSBTInput& input)
     if (m_tap_key_sig.empty() && !input.m_tap_key_sig.empty()) m_tap_key_sig = input.m_tap_key_sig;
     if (m_tap_internal_key.IsNull() && !input.m_tap_internal_key.IsNull()) m_tap_internal_key = input.m_tap_internal_key;
     if (m_tap_merkle_root.IsNull() && !input.m_tap_merkle_root.IsNull()) m_tap_merkle_root = input.m_tap_merkle_root;
+    m_musig2_participants.insert(input.m_musig2_participants.begin(), input.m_musig2_participants.end());
+    for (const auto& [agg_key_lh, pubnonces] : input.m_musig2_pubnonces) {
+        m_musig2_pubnonces[agg_key_lh].insert(pubnonces.begin(), pubnonces.end());
+    }
+    for (const auto& [agg_key_lh, psigs] : input.m_musig2_partial_sigs) {
+        m_musig2_partial_sigs[agg_key_lh].insert(psigs.begin(), psigs.end());
+    }
 }
 
 void PSBTOutput::FillSignatureData(SignatureData& sigdata) const
@@ -252,6 +273,7 @@ void PSBTOutput::FillSignatureData(SignatureData& sigdata) const
         sigdata.taproot_misc_pubkeys.emplace(pubkey, leaf_origin);
         sigdata.tap_pubkeys.emplace(Hash160(pubkey), pubkey);
     }
+    sigdata.musig2_pubkeys.insert(m_musig2_participants.begin(), m_musig2_participants.end());
 }
 
 void PSBTOutput::FromSignatureData(const SignatureData& sigdata)
@@ -274,6 +296,7 @@ void PSBTOutput::FromSignatureData(const SignatureData& sigdata)
     for (const auto& [pubkey, leaf_origin] : sigdata.taproot_misc_pubkeys) {
         m_tap_bip32_paths.emplace(pubkey, leaf_origin);
     }
+    m_musig2_participants.insert(sigdata.musig2_pubkeys.begin(), sigdata.musig2_pubkeys.end());
 }
 
 bool PSBTOutput::IsNull() const
@@ -291,6 +314,7 @@ void PSBTOutput::Merge(const PSBTOutput& output)
     if (witness_script.empty() && !output.witness_script.empty()) witness_script = output.witness_script;
     if (m_tap_internal_key.IsNull() && !output.m_tap_internal_key.IsNull()) m_tap_internal_key = output.m_tap_internal_key;
     if (m_tap_tree.empty() && !output.m_tap_tree.empty()) m_tap_tree = output.m_tap_tree;
+    m_musig2_participants.insert(output.m_musig2_participants.begin(), output.m_musig2_participants.end());
 }
 
 bool PSBTInputSigned(const PSBTInput& input)
diff --git a/src/script/sign.h b/src/script/sign.h
index fea937108ba..2b4db20019c 100644
--- a/src/script/sign.h
+++ b/src/script/sign.h
@@ -90,6 +90,12 @@ struct SignatureData {
     std::map<std::vector<uint8_t>, std::vector<uint8_t>> hash256_preimages; ///< Mapping from a HASH256 hash to its preimage provided to solve a Script
     std::map<std::vector<uint8_t>, std::vector<uint8_t>> ripemd160_preimages; ///< Mapping from a RIPEMD160 hash to its preimage provided to solve a Script
     std::map<std::vector<uint8_t>, std::vector<uint8_t>> hash160_preimages; ///< Mapping from a HASH160 hash to its preimage provided to solve a Script
+    //! Map MuSig2 aggregate pubkeys to its participants
+    std::map<CPubKey, std::vector<CPubKey>> musig2_pubkeys;
+    //! Mapping from pair of MuSig2 aggregate pubkey, and tapleaf hash to map of MuSig2 participant pubkeys to MuSig2 public nonce
+    std::map<std::pair<CPubKey, uint256>, std::map<CPubKey, std::vector<uint8_t>>> musig2_pubnonces;
+    //! Mapping from pair of MuSig2 aggregate pubkey, and tapleaf hash to map of MuSig2 participant pubkeys to MuSig2 partial signature
+    std::map<std::pair<CPubKey, uint256>, std::map<CPubKey, uint256>> musig2_partial_sigs;
 
     SignatureData() = default;
     explicit SignatureData(const CScript& script) : scriptSig(script) {}

From 82ea67c607cde6187d7082429d27b927dc21c0c6 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Tue, 5 Aug 2025 12:38:29 -0700
Subject: [PATCH 11/17] musig: Add MuSig2AggregatePubkeys variant that
 validates the aggregate

A common pattern that MuSig2 functions will use is to aggregate the
pubkeys to get the keyagg_cache and then validate the aggregated pubkey
against a provided aggregate pubkey. A variant of MuSig2AggregatePubkeys
is added which does that.

The functionality of GetMuSig2KeyAggCache and GetCPubKeyFromMuSig2KeyAggCache
are included in MuSig2AggregatePubkeys (and used internally) so there is
no expectation that callers will need these so they are made static.
---
 src/musig.cpp | 18 +++++++++++++-----
 src/musig.h   |  9 ++++-----
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/musig.cpp b/src/musig.cpp
index c361a7ea890..7ebb8e55258 100644
--- a/src/musig.cpp
+++ b/src/musig.cpp
@@ -7,7 +7,7 @@
 
 #include <secp256k1_musig.h>
 
-bool GetMuSig2KeyAggCache(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache)
+static bool GetMuSig2KeyAggCache(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache)
 {
     // Parse the pubkeys
     std::vector<secp256k1_pubkey> secp_pubkeys;
@@ -29,7 +29,7 @@ bool GetMuSig2KeyAggCache(const std::vector<CPubKey>& pubkeys, secp256k1_musig_k
     return true;
 }
 
-std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache& keyagg_cache)
+static std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache& keyagg_cache)
 {
     // Get the plain aggregated pubkey
     secp256k1_pubkey agg_pubkey;
@@ -44,13 +44,21 @@ std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_ca
     return CPubKey(ser_agg_pubkey, ser_agg_pubkey + ser_agg_pubkey_len);
 }
 
-std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys)
+std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache, const std::optional<CPubKey>& expected_aggregate)
 {
-    secp256k1_musig_keyagg_cache keyagg_cache;
     if (!GetMuSig2KeyAggCache(pubkeys, keyagg_cache)) {
         return std::nullopt;
     }
-    return GetCPubKeyFromMuSig2KeyAggCache(keyagg_cache);
+    std::optional<CPubKey> agg_key = GetCPubKeyFromMuSig2KeyAggCache(keyagg_cache);
+    if (!agg_key.has_value()) return std::nullopt;
+    if (expected_aggregate.has_value() && expected_aggregate != agg_key) return std::nullopt;
+    return agg_key;
+}
+
+std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys)
+{
+    secp256k1_musig_keyagg_cache keyagg_cache;
+    return MuSig2AggregatePubkeys(pubkeys, keyagg_cache, std::nullopt);
 }
 
 CExtPubKey CreateMuSig2SyntheticXpub(const CPubKey& pubkey)
diff --git a/src/musig.h b/src/musig.h
index 40da1f10b97..bb469df4a9a 100644
--- a/src/musig.h
+++ b/src/musig.h
@@ -18,11 +18,10 @@ struct secp256k1_musig_secnonce;
 using namespace util::hex_literals;
 constexpr uint256 MUSIG_CHAINCODE{"868087ca02a6f974c4598924c36b57762d32cb45717167e300622c7167e38965"_hex_u8};
 
-//! Create a secp256k1_musig_keyagg_cache from the pubkeys in their current order. This is necessary for most MuSig2 operations
-bool GetMuSig2KeyAggCache(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache);
-//! Retrieve the full aggregate pubkey from the secp256k1_musig_keyagg_cache
-std::optional<CPubKey> GetCPubKeyFromMuSig2KeyAggCache(secp256k1_musig_keyagg_cache& cache);
-//! Compute the full aggregate pubkey from the given participant pubkeys in their current order
+//! Compute the full aggregate pubkey from the given participant pubkeys in their current order.
+//! Outputs the secp256k1_musig_keyagg_cache and validates that the computed aggregate pubkey matches an expected aggregate pubkey.
+//! This is necessary for most MuSig2 operations.
+std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys, secp256k1_musig_keyagg_cache& keyagg_cache, const std::optional<CPubKey>& expected_aggregate);
 std::optional<CPubKey> MuSig2AggregatePubkeys(const std::vector<CPubKey>& pubkeys);
 
 //! Construct the BIP 328 synthetic xpub for a pubkey

From 512b17fc56eac3a2e2b9ba489b5423d098cce0db Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 12 Feb 2024 15:31:16 -0500
Subject: [PATCH 12/17] sign: Add CreateMuSig2Nonce

---
 src/key.cpp         | 34 ++++++++++++++++++++++++++++++++++
 src/key.h           |  3 +++
 src/musig.cpp       |  7 +++++++
 src/musig.h         |  4 ++++
 src/psbt.h          |  2 +-
 src/script/sign.cpp | 36 ++++++++++++++++++++++++++++++++++++
 src/script/sign.h   |  3 +++
 7 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/src/key.cpp b/src/key.cpp
index 01fa3d270e3..023983326c0 100644
--- a/src/key.cpp
+++ b/src/key.cpp
@@ -13,6 +13,7 @@
 #include <secp256k1.h>
 #include <secp256k1_ellswift.h>
 #include <secp256k1_extrakeys.h>
+#include <secp256k1_musig.h>
 #include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
 
@@ -349,6 +350,39 @@ KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const
     return KeyPair(*this, merkle_root);
 }
 
+std::vector<uint8_t> CKey::CreateMuSig2Nonce(MuSig2SecNonce& secnonce, const uint256& sighash, const CPubKey& aggregate_pubkey, const std::vector<CPubKey>& pubkeys)
+{
+    // Get the keyagg cache and aggregate pubkey
+    secp256k1_musig_keyagg_cache keyagg_cache;
+    if (!MuSig2AggregatePubkeys(pubkeys, keyagg_cache, aggregate_pubkey)) return {};
+
+    // Parse participant pubkey
+    CPubKey our_pubkey = GetPubKey();
+    secp256k1_pubkey pubkey;
+    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, our_pubkey.data(), our_pubkey.size())) {
+        return {};
+    }
+
+    // Generate randomness for nonce
+    uint256 rand;
+    GetStrongRandBytes(rand);
+
+    // Generate nonce
+    secp256k1_musig_pubnonce pubnonce;
+    if (!secp256k1_musig_nonce_gen(secp256k1_context_sign, secnonce.Get(), &pubnonce, rand.data(), UCharCast(begin()), &pubkey, sighash.data(), &keyagg_cache, nullptr)) {
+        return {};
+    }
+
+    // Serialize pubnonce
+    std::vector<uint8_t> out;
+    out.resize(MUSIG2_PUBNONCE_SIZE);
+    if (!secp256k1_musig_pubnonce_serialize(secp256k1_context_static, out.data(), &pubnonce)) {
+        return {};
+    }
+
+    return out;
+}
+
 CKey GenerateRandomKey(bool compressed) noexcept
 {
     CKey key;
diff --git a/src/key.h b/src/key.h
index 22f96880b7b..97ed27ccfc0 100644
--- a/src/key.h
+++ b/src/key.h
@@ -7,6 +7,7 @@
 #ifndef BITCOIN_KEY_H
 #define BITCOIN_KEY_H
 
+#include <musig.h>
 #include <pubkey.h>
 #include <serialize.h>
 #include <support/allocators/secure.h>
@@ -220,6 +221,8 @@ public:
      *                               Merkle root of the script tree).
      */
     KeyPair ComputeKeyPair(const uint256* merkle_root) const;
+
+    std::vector<uint8_t> CreateMuSig2Nonce(MuSig2SecNonce& secnonce, const uint256& sighash, const CPubKey& aggregate_pubkey, const std::vector<CPubKey>& pubkeys);
 };
 
 CKey GenerateRandomKey(bool compressed = true) noexcept;
diff --git a/src/musig.cpp b/src/musig.cpp
index 7ebb8e55258..5cf638d50b7 100644
--- a/src/musig.cpp
+++ b/src/musig.cpp
@@ -111,3 +111,10 @@ bool MuSig2SecNonce::IsValid()
 {
     return m_impl->IsValid();
 }
+
+uint256 MuSig2SessionID(const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256& sighash)
+{
+    HashWriter hasher;
+    hasher << script_pubkey << part_pubkey << sighash;
+    return hasher.GetSHA256();
+}
diff --git a/src/musig.h b/src/musig.h
index bb469df4a9a..03324fc454a 100644
--- a/src/musig.h
+++ b/src/musig.h
@@ -18,6 +18,8 @@ struct secp256k1_musig_secnonce;
 using namespace util::hex_literals;
 constexpr uint256 MUSIG_CHAINCODE{"868087ca02a6f974c4598924c36b57762d32cb45717167e300622c7167e38965"_hex_u8};
 
+constexpr size_t MUSIG2_PUBNONCE_SIZE{66};
+
 //! Compute the full aggregate pubkey from the given participant pubkeys in their current order.
 //! Outputs the secp256k1_musig_keyagg_cache and validates that the computed aggregate pubkey matches an expected aggregate pubkey.
 //! This is necessary for most MuSig2 operations.
@@ -58,4 +60,6 @@ public:
     bool IsValid();
 };
 
+uint256 MuSig2SessionID(const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256& sighash);
+
 #endif // BITCOIN_MUSIG_H
diff --git a/src/psbt.h b/src/psbt.h
index f8098b04503..f0de079f7b4 100644
--- a/src/psbt.h
+++ b/src/psbt.h
@@ -794,7 +794,7 @@ struct PSBTInput
 
                     std::vector<uint8_t> pubnonce;
                     s >> pubnonce;
-                    if (pubnonce.size() != 66) {
+                    if (pubnonce.size() != MUSIG2_PUBNONCE_SIZE) {
                         throw std::ios_base::failure("Input musig2 pubnonce value is not 66 bytes");
                     }
 
diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index 8575c0b90da..5ca3f98814e 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -7,8 +7,10 @@
 
 #include <consensus/amount.h>
 #include <key.h>
+#include <musig.h>
 #include <policy/policy.h>
 #include <primitives/transaction.h>
+#include <random.h>
 #include <script/keyorigin.h>
 #include <script/miniscript.h>
 #include <script/script.h>
@@ -100,6 +102,34 @@ bool MutableTransactionSignatureCreator::CreateSchnorrSig(const SigningProvider&
     return true;
 }
 
+std::vector<uint8_t> MutableTransactionSignatureCreator::CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const
+{
+    assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
+
+    // Retrieve the private key
+    CKey key;
+    if (!provider.GetKey(part_pubkey.GetID(), key)) return {};
+
+    // Retrieve participant pubkeys
+    auto it = sigdata.musig2_pubkeys.find(aggregate_pubkey);
+    if (it == sigdata.musig2_pubkeys.end()) return {};
+    const std::vector<CPubKey>& pubkeys = it->second;
+    if (std::find(pubkeys.begin(), pubkeys.end(), part_pubkey) == pubkeys.end()) return {};
+
+    // Compute sighash
+    std::optional<uint256> sighash = ComputeSchnorrSignatureHash(leaf_hash, sigversion);
+    if (!sighash.has_value()) return {};
+
+    MuSig2SecNonce secnonce;
+    std::vector<uint8_t> out = key.CreateMuSig2Nonce(secnonce, *sighash, aggregate_pubkey, pubkeys);
+    if (out.empty()) return {};
+
+    // Store the secnonce in the SigningProvider
+    provider.SetMuSig2SecNonce(MuSig2SessionID(script_pubkey, part_pubkey, *sighash), std::move(secnonce));
+
+    return out;
+}
+
 static bool GetCScript(const SigningProvider& provider, const SignatureData& sigdata, const CScriptID& scriptid, CScript& script)
 {
     if (provider.GetCScript(scriptid, script)) {
@@ -755,6 +785,12 @@ public:
         sig.assign(64, '\000');
         return true;
     }
+    std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const override
+    {
+        std::vector<uint8_t> out;
+        out.assign(MUSIG2_PUBNONCE_SIZE, '\000');
+        return out;
+    }
 };
 
 }
diff --git a/src/script/sign.h b/src/script/sign.h
index 2b4db20019c..4a0782daa32 100644
--- a/src/script/sign.h
+++ b/src/script/sign.h
@@ -23,6 +23,7 @@ class SigningProvider;
 
 struct bilingual_str;
 struct CMutableTransaction;
+struct SignatureData;
 
 /** Interface for signature creators. */
 class BaseSignatureCreator {
@@ -33,6 +34,7 @@ public:
     /** Create a singular (non-script) signature. */
     virtual bool CreateSig(const SigningProvider& provider, std::vector<unsigned char>& vchSig, const CKeyID& keyid, const CScript& scriptCode, SigVersion sigversion) const =0;
     virtual bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const =0;
+    virtual std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const =0;
 };
 
 /** A signature creator for transactions. */
@@ -53,6 +55,7 @@ public:
     const BaseSignatureChecker& Checker() const override { return checker; }
     bool CreateSig(const SigningProvider& provider, std::vector<unsigned char>& vchSig, const CKeyID& keyid, const CScript& scriptCode, SigVersion sigversion) const override;
     bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const override;
+    std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const override;
 };
 
 /** A signature checker that accepts all signatures */

From bf69442b3f5004dc3df5a1b1d752114ba68fa5f4 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 5 Feb 2024 16:44:03 -0500
Subject: [PATCH 13/17] sign: Add CreateMuSig2PartialSig

---
 src/key.cpp         | 89 +++++++++++++++++++++++++++++++++++++++++++++
 src/key.h           |  1 +
 src/script/sign.cpp | 49 +++++++++++++++++++++++++
 src/script/sign.h   |  2 +
 4 files changed, 141 insertions(+)

diff --git a/src/key.cpp b/src/key.cpp
index 023983326c0..84e0b821f71 100644
--- a/src/key.cpp
+++ b/src/key.cpp
@@ -383,6 +383,95 @@ std::vector<uint8_t> CKey::CreateMuSig2Nonce(MuSig2SecNonce& secnonce, const uin
     return out;
 }
 
+std::optional<uint256> CKey::CreateMuSig2PartialSig(const uint256& sighash, const CPubKey& aggregate_pubkey, const std::vector<CPubKey>& pubkeys, const std::map<CPubKey, std::vector<uint8_t>>& pubnonces, MuSig2SecNonce& secnonce, const std::vector<std::pair<uint256, bool>>& tweaks)
+{
+    secp256k1_keypair keypair;
+    if (!secp256k1_keypair_create(secp256k1_context_sign, &keypair, UCharCast(begin()))) return std::nullopt;
+
+    // Get the keyagg cache and aggregate pubkey
+    secp256k1_musig_keyagg_cache keyagg_cache;
+    if (!MuSig2AggregatePubkeys(pubkeys, keyagg_cache, aggregate_pubkey)) return std::nullopt;
+
+    // Check that there are enough pubnonces
+    if (pubnonces.size() != pubkeys.size()) return std::nullopt;
+
+    // Parse the pubnonces
+    std::vector<std::pair<secp256k1_pubkey, secp256k1_musig_pubnonce>> signers_data;
+    std::vector<const secp256k1_musig_pubnonce*> pubnonce_ptrs;
+    std::optional<size_t> our_pubkey_idx;
+    CPubKey our_pubkey = GetPubKey();
+    for (const CPubKey& part_pk : pubkeys) {
+        const auto& pn_it = pubnonces.find(part_pk);
+        if (pn_it == pubnonces.end()) return std::nullopt;
+        const std::vector<uint8_t> pubnonce = pn_it->second;
+        if (pubnonce.size() != MUSIG2_PUBNONCE_SIZE) return std::nullopt;
+        if (part_pk == our_pubkey) {
+            our_pubkey_idx = signers_data.size();
+        }
+
+        auto& [secp_pk, secp_pn] = signers_data.emplace_back();
+
+        if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &secp_pk, part_pk.data(), part_pk.size())) {
+            return std::nullopt;
+        }
+
+        if (!secp256k1_musig_pubnonce_parse(secp256k1_context_static, &secp_pn, pubnonce.data())) {
+            return std::nullopt;
+        }
+    }
+    if (our_pubkey_idx == std::nullopt) {
+        return std::nullopt;
+    }
+    pubnonce_ptrs.reserve(signers_data.size());
+    for (auto& [_, pn] : signers_data) {
+        pubnonce_ptrs.push_back(&pn);
+    }
+
+    // Aggregate nonces
+    secp256k1_musig_aggnonce aggnonce;
+    if (!secp256k1_musig_nonce_agg(secp256k1_context_static, &aggnonce, pubnonce_ptrs.data(), pubnonce_ptrs.size())) {
+        return std::nullopt;
+    }
+
+    // Apply tweaks
+    for (const auto& [tweak, xonly] : tweaks) {
+        if (xonly) {
+            if (!secp256k1_musig_pubkey_xonly_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {
+                return std::nullopt;
+            }
+        } else if (!secp256k1_musig_pubkey_ec_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {
+            return std::nullopt;
+        }
+    }
+
+    // Create musig_session
+    secp256k1_musig_session session;
+    if (!secp256k1_musig_nonce_process(secp256k1_context_static, &session, &aggnonce, sighash.data(), &keyagg_cache)) {
+        return std::nullopt;
+    }
+
+    // Create partial signature
+    secp256k1_musig_partial_sig psig;
+    if (!secp256k1_musig_partial_sign(secp256k1_context_static, &psig, secnonce.Get(), &keypair, &keyagg_cache, &session)) {
+        return std::nullopt;
+    }
+    // The secnonce must be deleted after signing to prevent nonce reuse.
+    secnonce.Invalidate();
+
+    // Verify partial signature
+    if (!secp256k1_musig_partial_sig_verify(secp256k1_context_static, &psig, &(signers_data.at(*our_pubkey_idx).second), &(signers_data.at(*our_pubkey_idx).first), &keyagg_cache, &session)) {
+        return std::nullopt;
+    }
+
+    // Serialize
+    uint256 sig;
+    if (!secp256k1_musig_partial_sig_serialize(secp256k1_context_static, sig.data(), &psig)) {
+        return std::nullopt;
+    }
+
+    return sig;
+}
+
 CKey GenerateRandomKey(bool compressed) noexcept
 {
     CKey key;
diff --git a/src/key.h b/src/key.h
index 97ed27ccfc0..f35f3cc0156 100644
--- a/src/key.h
+++ b/src/key.h
@@ -223,6 +223,7 @@ public:
     KeyPair ComputeKeyPair(const uint256* merkle_root) const;
 
     std::vector<uint8_t> CreateMuSig2Nonce(MuSig2SecNonce& secnonce, const uint256& sighash, const CPubKey& aggregate_pubkey, const std::vector<CPubKey>& pubkeys);
+    std::optional<uint256> CreateMuSig2PartialSig(const uint256& hash, const CPubKey& aggregate_pubkey, const std::vector<CPubKey>& pubkeys, const std::map<CPubKey, std::vector<uint8_t>>& pubnonces, MuSig2SecNonce& secnonce, const std::vector<std::pair<uint256, bool>>& tweaks);
 };
 
 CKey GenerateRandomKey(bool compressed = true) noexcept;
diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index 5ca3f98814e..8abc82bcb3c 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -130,6 +130,50 @@ std::vector<uint8_t> MutableTransactionSignatureCreator::CreateMuSig2Nonce(const
     return out;
 }
 
+bool MutableTransactionSignatureCreator::CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const
+{
+    assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
+
+    // Retrieve private key
+    CKey key;
+    if (!provider.GetKey(part_pubkey.GetID(), key)) return false;
+
+    // Retrieve participant pubkeys
+    auto it = sigdata.musig2_pubkeys.find(aggregate_pubkey);
+    if (it == sigdata.musig2_pubkeys.end()) return false;
+    const std::vector<CPubKey>& pubkeys = it->second;
+    if (std::find(pubkeys.begin(), pubkeys.end(), part_pubkey) == pubkeys.end()) return {};
+
+    // Retrieve pubnonces
+    auto this_leaf_aggkey = std::make_pair(script_pubkey, leaf_hash ? *leaf_hash : uint256());
+    auto pubnonce_it = sigdata.musig2_pubnonces.find(this_leaf_aggkey);
+    if (pubnonce_it == sigdata.musig2_pubnonces.end()) return false;
+    const std::map<CPubKey, std::vector<uint8_t>>& pubnonces = pubnonce_it->second;
+
+    // Check if enough pubnonces
+    if (pubnonces.size() != pubkeys.size()) return false;
+
+    // Compute sighash
+    std::optional<uint256> sighash = ComputeSchnorrSignatureHash(leaf_hash, sigversion);
+    if (!sighash.has_value()) return false;
+
+    // Retrieve the secnonce
+    uint256 session_id = MuSig2SessionID(script_pubkey, part_pubkey, *sighash);
+    std::optional<std::reference_wrapper<MuSig2SecNonce>> secnonce = provider.GetMuSig2SecNonce(session_id);
+    if (!secnonce || !secnonce->get().IsValid()) return false;
+
+    // Compute the sig
+    std::optional<uint256> sig = key.CreateMuSig2PartialSig(*sighash, aggregate_pubkey, pubkeys, pubnonces, *secnonce, tweaks);
+    if (!sig) return false;
+    partial_sig = std::move(*sig);
+
+    // Delete the secnonce now that we're done with it
+    assert(!secnonce->get().IsValid());
+    provider.DeleteMuSig2Session(session_id);
+
+    return true;
+}
+
 static bool GetCScript(const SigningProvider& provider, const SignatureData& sigdata, const CScriptID& scriptid, CScript& script)
 {
     if (provider.GetCScript(scriptid, script)) {
@@ -791,6 +835,11 @@ public:
         out.assign(MUSIG2_PUBNONCE_SIZE, '\000');
         return out;
     }
+    bool CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override
+    {
+        partial_sig = uint256::ONE;
+        return true;
+    }
 };
 
 }
diff --git a/src/script/sign.h b/src/script/sign.h
index 4a0782daa32..0c9263df0b4 100644
--- a/src/script/sign.h
+++ b/src/script/sign.h
@@ -35,6 +35,7 @@ public:
     virtual bool CreateSig(const SigningProvider& provider, std::vector<unsigned char>& vchSig, const CKeyID& keyid, const CScript& scriptCode, SigVersion sigversion) const =0;
     virtual bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const =0;
     virtual std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const =0;
+    virtual bool CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const =0;
 };
 
 /** A signature creator for transactions. */
@@ -56,6 +57,7 @@ public:
     bool CreateSig(const SigningProvider& provider, std::vector<unsigned char>& vchSig, const CKeyID& keyid, const CScript& scriptCode, SigVersion sigversion) const override;
     bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const override;
     std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const override;
+    bool CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override;
 };
 
 /** A signature checker that accepts all signatures */

From 258db938899409c8ee1cef04e16ba1795ea0038d Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 29 Jan 2024 17:32:49 -0500
Subject: [PATCH 14/17] sign: Add CreateMuSig2AggregateSig

---
 src/musig.cpp       | 86 +++++++++++++++++++++++++++++++++++++++++++++
 src/musig.h         |  2 ++
 src/script/sign.cpp | 35 ++++++++++++++++++
 src/script/sign.h   |  2 ++
 4 files changed, 125 insertions(+)

diff --git a/src/musig.cpp b/src/musig.cpp
index 5cf638d50b7..686ec5e869a 100644
--- a/src/musig.cpp
+++ b/src/musig.cpp
@@ -118,3 +118,89 @@ uint256 MuSig2SessionID(const CPubKey& script_pubkey, const CPubKey& part_pubkey
     hasher << script_pubkey << part_pubkey << sighash;
     return hasher.GetSHA256();
 }
+
+std::optional<std::vector<uint8_t>> CreateMuSig2AggregateSig(const std::vector<CPubKey>& part_pubkeys, const CPubKey& aggregate_pubkey, const std::vector<std::pair<uint256, bool>>& tweaks, const uint256& sighash, const std::map<CPubKey, std::vector<uint8_t>>& pubnonces, const std::map<CPubKey, uint256>& partial_sigs)
+{
+    if (!part_pubkeys.size()) return std::nullopt;
+
+    // Get the keyagg cache and aggregate pubkey
+    secp256k1_musig_keyagg_cache keyagg_cache;
+    if (!MuSig2AggregatePubkeys(part_pubkeys, keyagg_cache, aggregate_pubkey)) return std::nullopt;
+
+    // Check if enough pubnonces and partial sigs
+    if (pubnonces.size() != part_pubkeys.size()) return std::nullopt;
+    if (partial_sigs.size() != part_pubkeys.size()) return std::nullopt;
+
+    // Parse the pubnonces and partial sigs
+    std::vector<std::tuple<secp256k1_pubkey, secp256k1_musig_pubnonce, secp256k1_musig_partial_sig>> signers_data;
+    std::vector<const secp256k1_musig_pubnonce*> pubnonce_ptrs;
+    std::vector<const secp256k1_musig_partial_sig*> partial_sig_ptrs;
+    for (const CPubKey& part_pk : part_pubkeys) {
+        const auto& pn_it = pubnonces.find(part_pk);
+        if (pn_it == pubnonces.end()) return std::nullopt;
+        const std::vector<uint8_t> pubnonce = pn_it->second;
+        if (pubnonce.size() != MUSIG2_PUBNONCE_SIZE) return std::nullopt;
+        const auto& it = partial_sigs.find(part_pk);
+        if (it == partial_sigs.end()) return std::nullopt;
+        const uint256& partial_sig = it->second;
+
+        auto& [secp_pk, secp_pn, secp_ps] = signers_data.emplace_back();
+
+        if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &secp_pk, part_pk.data(), part_pk.size())) {
+            return std::nullopt;
+        }
+
+        if (!secp256k1_musig_pubnonce_parse(secp256k1_context_static, &secp_pn, pubnonce.data())) {
+            return std::nullopt;
+        }
+
+        if (!secp256k1_musig_partial_sig_parse(secp256k1_context_static, &secp_ps, partial_sig.data())) {
+            return std::nullopt;
+        }
+    }
+    pubnonce_ptrs.reserve(signers_data.size());
+    partial_sig_ptrs.reserve(signers_data.size());
+    for (auto& [_, pn, ps] : signers_data) {
+        pubnonce_ptrs.push_back(&pn);
+        partial_sig_ptrs.push_back(&ps);
+    }
+
+    // Aggregate nonces
+    secp256k1_musig_aggnonce aggnonce;
+    if (!secp256k1_musig_nonce_agg(secp256k1_context_static, &aggnonce, pubnonce_ptrs.data(), pubnonce_ptrs.size())) {
+        return std::nullopt;
+    }
+
+    // Apply tweaks
+    for (const auto& [tweak, xonly] : tweaks) {
+        if (xonly) {
+            if (!secp256k1_musig_pubkey_xonly_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {
+                return std::nullopt;
+            }
+        } else if (!secp256k1_musig_pubkey_ec_tweak_add(secp256k1_context_static, nullptr, &keyagg_cache, tweak.data())) {
+            return std::nullopt;
+        }
+    }
+
+    // Create musig_session
+    secp256k1_musig_session session;
+    if (!secp256k1_musig_nonce_process(secp256k1_context_static, &session, &aggnonce, sighash.data(), &keyagg_cache)) {
+        return std::nullopt;
+    }
+
+    // Verify partial sigs
+    for (const auto& [pk, pb, ps] : signers_data) {
+        if (!secp256k1_musig_partial_sig_verify(secp256k1_context_static, &ps, &pb, &pk, &keyagg_cache, &session)) {
+            return std::nullopt;
+        }
+    }
+
+    // Aggregate partial sigs
+    std::vector<uint8_t> sig;
+    sig.resize(64);
+    if (!secp256k1_musig_partial_sig_agg(secp256k1_context_static, sig.data(), &session, partial_sig_ptrs.data(), partial_sig_ptrs.size())) {
+        return std::nullopt;
+    }
+
+    return sig;
+}
diff --git a/src/musig.h b/src/musig.h
index 03324fc454a..c81b53eddd4 100644
--- a/src/musig.h
+++ b/src/musig.h
@@ -62,4 +62,6 @@ public:
 
 uint256 MuSig2SessionID(const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256& sighash);
 
+std::optional<std::vector<uint8_t>> CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, const CPubKey& aggregate_pubkey, const std::vector<std::pair<uint256, bool>>& tweaks, const uint256& sighash, const std::map<CPubKey, std::vector<uint8_t>>& pubnonces, const std::map<CPubKey, uint256>& partial_sigs);
+
 #endif // BITCOIN_MUSIG_H
diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index 8abc82bcb3c..bc40c05a195 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -174,6 +174,36 @@ bool MutableTransactionSignatureCreator::CreateMuSig2PartialSig(const SigningPro
     return true;
 }
 
+bool MutableTransactionSignatureCreator::CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, std::vector<uint8_t>& sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const
+{
+    assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
+    if (!participants.size()) return false;
+
+    // Retrieve pubnonces and partial sigs
+    auto this_leaf_aggkey = std::make_pair(script_pubkey, leaf_hash ? *leaf_hash : uint256());
+    auto pubnonce_it = sigdata.musig2_pubnonces.find(this_leaf_aggkey);
+    if (pubnonce_it == sigdata.musig2_pubnonces.end()) return false;
+    const std::map<CPubKey, std::vector<uint8_t>>& pubnonces = pubnonce_it->second;
+    auto partial_sigs_it = sigdata.musig2_partial_sigs.find(this_leaf_aggkey);
+    if (partial_sigs_it == sigdata.musig2_partial_sigs.end()) return false;
+    const std::map<CPubKey, uint256>& partial_sigs = partial_sigs_it->second;
+
+    // Check if enough pubnonces and partial sigs
+    if (pubnonces.size() != participants.size()) return false;
+    if (partial_sigs.size() != participants.size()) return false;
+
+    // Compute sighash
+    std::optional<uint256> sighash = ComputeSchnorrSignatureHash(leaf_hash, sigversion);
+    if (!sighash.has_value()) return false;
+
+    std::optional<std::vector<uint8_t>> res = ::CreateMuSig2AggregateSig(participants, aggregate_pubkey, tweaks, *sighash, pubnonces, partial_sigs);
+    if (!res) return false;
+    sig = res.value();
+    if (nHashType) sig.push_back(nHashType);
+
+    return true;
+}
+
 static bool GetCScript(const SigningProvider& provider, const SignatureData& sigdata, const CScriptID& scriptid, CScript& script)
 {
     if (provider.GetCScript(scriptid, script)) {
@@ -840,6 +870,11 @@ public:
         partial_sig = uint256::ONE;
         return true;
     }
+    bool CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, std::vector<uint8_t>& sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override
+    {
+        sig.assign(64, '\000');
+        return true;
+    }
 };
 
 }
diff --git a/src/script/sign.h b/src/script/sign.h
index 0c9263df0b4..dd86a8066a2 100644
--- a/src/script/sign.h
+++ b/src/script/sign.h
@@ -36,6 +36,7 @@ public:
     virtual bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const =0;
     virtual std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const =0;
     virtual bool CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const =0;
+    virtual bool CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, std::vector<uint8_t>& sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const =0;
 };
 
 /** A signature creator for transactions. */
@@ -58,6 +59,7 @@ public:
     bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const override;
     std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const override;
     bool CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override;
+    bool CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, std::vector<uint8_t>& sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override;
 };
 
 /** A signature checker that accepts all signatures */

From 4a273edda0ec10f0c5ae5d94b9925fa334d1c6e6 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 5 Feb 2024 15:57:01 -0500
Subject: [PATCH 15/17] sign: Create MuSig2 signatures for known MuSig2
 aggregate keys

When creating Taproot signatures, if the key being signed for is known
to be a MuSig2 aggregate key, do the MuSig2 signing algorithms.

First try to create the aggregate signature. This will fail if there are
not enough partial signatures or public nonces. If it does fail, try to
create a partial signature with all participant keys. This will fail for
those keys that we do not have the private keys for, and if there are
not enough public nonces. Lastly, if the partial signatures could not be
created, add our own public nonces for the private keys that we know, if
they do not yet exist.
---
 src/script/sign.cpp            | 123 ++++++++++++++++++++++++++++++---
 src/script/signingprovider.cpp |  10 +++
 src/script/signingprovider.h   |   3 +
 3 files changed, 128 insertions(+), 8 deletions(-)

diff --git a/src/script/sign.cpp b/src/script/sign.cpp
index bc40c05a195..8103e318c51 100644
--- a/src/script/sign.cpp
+++ b/src/script/sign.cpp
@@ -265,6 +265,100 @@ static bool CreateSig(const BaseSignatureCreator& creator, SignatureData& sigdat
     return false;
 }
 
+static bool SignMuSig2(const BaseSignatureCreator& creator, SignatureData& sigdata, const SigningProvider& provider, std::vector<unsigned char>& sig_out, const XOnlyPubKey& script_pubkey, const uint256* merkle_root, const uint256* leaf_hash, SigVersion sigversion)
+{
+    Assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
+
+    // Lookup derivation paths for the script pubkey
+    KeyOriginInfo agg_info;
+    auto misc_pk_it = sigdata.taproot_misc_pubkeys.find(script_pubkey);
+    if (misc_pk_it != sigdata.taproot_misc_pubkeys.end()) {
+        agg_info = misc_pk_it->second.second;
+    }
+
+    for (const auto& [agg_pub, part_pks] : sigdata.musig2_pubkeys) {
+        if (part_pks.empty()) continue;
+
+        // Fill participant derivation path info
+        for (const auto& part_pk : part_pks) {
+            KeyOriginInfo part_info;
+            if (provider.GetKeyOrigin(part_pk.GetID(), part_info)) {
+                XOnlyPubKey xonly_part(part_pk);
+                auto it = sigdata.taproot_misc_pubkeys.find(xonly_part);
+                if (it == sigdata.taproot_misc_pubkeys.end()) {
+                    it = sigdata.taproot_misc_pubkeys.emplace(xonly_part, std::make_pair(std::set<uint256>(), part_info)).first;
+                }
+                if (leaf_hash) it->second.first.insert(*leaf_hash);
+            }
+        }
+
+        // The pubkey in the script may not be the actual aggregate of the participants, but derived from it.
+        // Check the derivation, and compute the BIP 32 derivation tweaks
+        std::vector<std::pair<uint256, bool>> tweaks;
+        CPubKey plain_pub = agg_pub;
+        if (XOnlyPubKey(agg_pub) != script_pubkey) {
+            if (agg_info.path.empty()) continue;
+            // Compute and compare fingerprint
+            CKeyID keyid = agg_pub.GetID();
+            if (!std::equal(agg_info.fingerprint, agg_info.fingerprint + sizeof(agg_info.fingerprint), keyid.data())) {
+                continue;
+            }
+            // Get the BIP32 derivation tweaks
+            CExtPubKey extpub = CreateMuSig2SyntheticXpub(agg_pub);
+            for (const int i : agg_info.path) {
+                auto& [t, xonly] = tweaks.emplace_back();
+                xonly = false;
+                if (!extpub.Derive(extpub, i, &t)) {
+                    return false;
+                }
+            }
+            Assert(XOnlyPubKey(extpub.pubkey) == script_pubkey);
+            plain_pub = extpub.pubkey;
+        }
+
+        // Add the merkle root tweak
+        if (sigversion == SigVersion::TAPROOT && merkle_root) {
+            tweaks.emplace_back(script_pubkey.ComputeTapTweakHash(merkle_root->IsNull() ? nullptr : merkle_root), true);
+            std::optional<std::pair<XOnlyPubKey, bool>> tweaked = script_pubkey.CreateTapTweak(merkle_root->IsNull() ? nullptr : merkle_root);
+            if (!Assume(tweaked)) return false;
+            plain_pub = tweaked->first.GetCPubKeys().at(tweaked->second ? 1 : 0);
+        }
+
+        // First try to aggregate
+        if (creator.CreateMuSig2AggregateSig(part_pks, sig_out, agg_pub, plain_pub, leaf_hash, tweaks, sigversion, sigdata)) {
+            if (sigversion == SigVersion::TAPROOT) {
+                sigdata.taproot_key_path_sig = sig_out;
+            } else {
+                auto lookup_key = std::make_pair(script_pubkey, leaf_hash ? *leaf_hash : uint256());
+                sigdata.taproot_script_sigs[lookup_key] = sig_out;
+            }
+            continue;
+        }
+        // Cannot aggregate, try making partial sigs for every participant
+        auto pub_key_leaf_hash = std::make_pair(plain_pub, leaf_hash ? *leaf_hash : uint256());
+        for (const CPubKey& part_pk : part_pks) {
+            uint256 partial_sig;
+            if (creator.CreateMuSig2PartialSig(provider, partial_sig, agg_pub, plain_pub, part_pk, leaf_hash, tweaks, sigversion, sigdata) && Assume(!partial_sig.IsNull())) {
+                sigdata.musig2_partial_sigs[pub_key_leaf_hash].emplace(part_pk, partial_sig);
+            }
+        }
+        // If there are any partial signatures, exit early
+        auto partial_sigs_it = sigdata.musig2_partial_sigs.find(pub_key_leaf_hash);
+        if (partial_sigs_it != sigdata.musig2_partial_sigs.end() && !partial_sigs_it->second.empty()) {
+            continue;
+        }
+        // No partial sigs, try to make pubnonces
+        std::map<CPubKey, std::vector<uint8_t>>& pubnonces = sigdata.musig2_pubnonces[pub_key_leaf_hash];
+        for (const CPubKey& part_pk : part_pks) {
+            if (pubnonces.contains(part_pk)) continue;
+            std::vector<uint8_t> pubnonce = creator.CreateMuSig2Nonce(provider, agg_pub, plain_pub, part_pk, leaf_hash, merkle_root, sigversion, sigdata);
+            if (pubnonce.empty()) continue;
+            pubnonces[part_pk] = std::move(pubnonce);
+        }
+    }
+    return true;
+}
+
 static bool CreateTaprootScriptSig(const BaseSignatureCreator& creator, SignatureData& sigdata, const SigningProvider& provider, std::vector<unsigned char>& sig_out, const XOnlyPubKey& pubkey, const uint256& leaf_hash, SigVersion sigversion)
 {
     KeyOriginInfo info;
@@ -283,11 +377,14 @@ static bool CreateTaprootScriptSig(const BaseSignatureCreator& creator, Signatur
         sig_out = it->second;
         return true;
     }
+
     if (creator.CreateSchnorrSig(provider, sig_out, pubkey, &leaf_hash, nullptr, sigversion)) {
         sigdata.taproot_script_sigs[lookup_key] = sig_out;
-        return true;
+    } else if (!SignMuSig2(creator, sigdata, provider, sig_out, pubkey, /*merkle_root=*/nullptr, &leaf_hash, sigversion)) {
+        return false;
     }
-    return false;
+
+    return sigdata.taproot_script_sigs.contains(lookup_key);
 }
 
 template<typename M, typename K, typename V>
@@ -456,6 +553,10 @@ static bool SignTaproot(const SigningProvider& provider, const BaseSignatureCrea
     if (provider.GetTaprootBuilder(output, builder)) {
         sigdata.tr_builder = builder;
     }
+    if (auto agg_keys = provider.GetAllMuSig2ParticipantPubkeys(); !agg_keys.empty()) {
+        sigdata.musig2_pubkeys.insert(agg_keys.begin(), agg_keys.end());
+    }
+
 
     // Try key path spending.
     {
@@ -475,16 +576,22 @@ static bool SignTaproot(const SigningProvider& provider, const BaseSignatureCrea
             }
         }
 
-        std::vector<unsigned char> sig;
-        if (sigdata.taproot_key_path_sig.size() == 0) {
-            if (creator.CreateSchnorrSig(provider, sig, sigdata.tr_spenddata.internal_key, nullptr, &sigdata.tr_spenddata.merkle_root, SigVersion::TAPROOT)) {
+        auto make_keypath_sig = [&](const XOnlyPubKey& pk, const uint256* merkle_root) {
+            std::vector<unsigned char> sig;
+            if (creator.CreateSchnorrSig(provider, sig, pk, nullptr, merkle_root, SigVersion::TAPROOT)) {
                 sigdata.taproot_key_path_sig = sig;
+            } else {
+                SignMuSig2(creator, sigdata, provider, sig, pk, merkle_root, /*leaf_hash=*/nullptr, SigVersion::TAPROOT);
             }
+        };
+
+        // First try signing with internal key
+        if (sigdata.taproot_key_path_sig.size() == 0) {
+            make_keypath_sig(sigdata.tr_spenddata.internal_key, &sigdata.tr_spenddata.merkle_root);
         }
+        // Try signing with output key if still no signature
         if (sigdata.taproot_key_path_sig.size() == 0) {
-            if (creator.CreateSchnorrSig(provider, sig, output, nullptr, nullptr, SigVersion::TAPROOT)) {
-                sigdata.taproot_key_path_sig = sig;
-            }
+            make_keypath_sig(output, nullptr);
         }
         if (sigdata.taproot_key_path_sig.size()) {
             result = Vector(sigdata.taproot_key_path_sig);
diff --git a/src/script/signingprovider.cpp b/src/script/signingprovider.cpp
index 846f0c98da2..8557eb772c8 100644
--- a/src/script/signingprovider.cpp
+++ b/src/script/signingprovider.cpp
@@ -58,6 +58,11 @@ std::vector<CPubKey> HidingSigningProvider::GetMuSig2ParticipantPubkeys(const CP
     return m_provider->GetMuSig2ParticipantPubkeys(pubkey);
 }
 
+std::map<CPubKey, std::vector<CPubKey>> HidingSigningProvider::GetAllMuSig2ParticipantPubkeys() const
+{
+    return m_provider->GetAllMuSig2ParticipantPubkeys();
+}
+
 void HidingSigningProvider::SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const
 {
     m_provider->SetMuSig2SecNonce(id, std::move(nonce));
@@ -109,6 +114,11 @@ std::vector<CPubKey> FlatSigningProvider::GetMuSig2ParticipantPubkeys(const CPub
     return participant_pubkeys;
 }
 
+std::map<CPubKey, std::vector<CPubKey>> FlatSigningProvider::GetAllMuSig2ParticipantPubkeys() const
+{
+    return aggregate_pubkeys;
+}
+
 void FlatSigningProvider::SetMuSig2SecNonce(const uint256& session_id, MuSig2SecNonce&& nonce) const
 {
     if (!Assume(musig2_secnonces)) return;
diff --git a/src/script/signingprovider.h b/src/script/signingprovider.h
index cc917cc6c63..31422bb4b6a 100644
--- a/src/script/signingprovider.h
+++ b/src/script/signingprovider.h
@@ -166,6 +166,7 @@ public:
     virtual bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const { return false; }
     virtual bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const { return false; }
     virtual std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const { return {}; }
+    virtual std::map<CPubKey, std::vector<CPubKey>> GetAllMuSig2ParticipantPubkeys() const {return {}; }
     virtual void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const {}
     virtual std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const { return std::nullopt; }
     virtual void DeleteMuSig2Session(const uint256& session_id) const {}
@@ -213,6 +214,7 @@ public:
     bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override;
     bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override;
     std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const override;
+    std::map<CPubKey, std::vector<CPubKey>> GetAllMuSig2ParticipantPubkeys() const override;
     void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const override;
     std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const override;
     void DeleteMuSig2Session(const uint256& session_id) const override;
@@ -236,6 +238,7 @@ struct FlatSigningProvider final : public SigningProvider
     bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override;
     bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override;
     std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const override;
+    std::map<CPubKey, std::vector<CPubKey>> GetAllMuSig2ParticipantPubkeys() const override;
     void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const override;
     std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const override;
     void DeleteMuSig2Session(const uint256& session_id) const override;

From 68ef954c4c59802a6810a462eaa8dd61728ba820 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 12 Feb 2024 17:33:44 -0500
Subject: [PATCH 16/17] wallet: Keep secnonces in DescriptorScriptPubKeyMan

---
 src/wallet/scriptpubkeyman.cpp |  4 ++++
 src/wallet/scriptpubkeyman.h   | 14 ++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/wallet/scriptpubkeyman.cpp b/src/wallet/scriptpubkeyman.cpp
index 730667dbdf4..ff18265d70b 100644
--- a/src/wallet/scriptpubkeyman.cpp
+++ b/src/wallet/scriptpubkeyman.cpp
@@ -1256,6 +1256,10 @@ std::unique_ptr<FlatSigningProvider> DescriptorScriptPubKeyMan::GetSigningProvid
         FlatSigningProvider master_provider;
         master_provider.keys = GetKeys();
         m_wallet_descriptor.descriptor->ExpandPrivate(index, master_provider, *out_keys);
+
+        // Always include musig_secnonces as this descriptor may have a participant private key
+        // but not a musig() descriptor
+        out_keys->musig2_secnonces = &m_musig2_secnonces;
     }
 
     return out_keys;
diff --git a/src/wallet/scriptpubkeyman.h b/src/wallet/scriptpubkeyman.h
index c6f6e37f2b9..ee2acdfbd8f 100644
--- a/src/wallet/scriptpubkeyman.h
+++ b/src/wallet/scriptpubkeyman.h
@@ -10,6 +10,7 @@
 #include <common/signmessage.h>
 #include <common/types.h>
 #include <logging.h>
+#include <musig.h>
 #include <node/types.h>
 #include <psbt.h>
 #include <script/descriptor.h>
@@ -295,6 +296,19 @@ private:
     //! Number of pre-generated keys/scripts (part of the look-ahead process, used to detect payments)
     int64_t m_keypool_size GUARDED_BY(cs_desc_man){DEFAULT_KEYPOOL_SIZE};
 
+    /** Map of a session id to MuSig2 secnonce
+     *
+     * Stores MuSig2 secnonces while the MuSig2 signing session is still ongoing.
+     * Note that these secnonces must not be reused. In order to avoid being tricked into
+     * reusing a nonce, this map is held only in memory and must not be written to disk.
+     * The side effect is that signing sessions cannot persist across restarts, but this
+     * must be done in order to prevent nonce reuse.
+     *
+     * The session id is an arbitrary value set by the signer in order for the signing logic
+     * to find ongoing signing sessions. It is the SHA256 of aggregate xonly key, + participant pubkey + sighash.
+     */
+    mutable std::map<uint256, MuSig2SecNonce> m_musig2_secnonces;
+
     bool AddDescriptorKeyWithDB(WalletBatch& batch, const CKey& key, const CPubKey &pubkey) EXCLUSIVE_LOCKS_REQUIRED(cs_desc_man);
 
     KeyMap GetKeys() const EXCLUSIVE_LOCKS_REQUIRED(cs_desc_man);

From ac599c4a9cb3b2d424932d3fd91f9eed17426827 Mon Sep 17 00:00:00 2001
From: Ava Chow <github@achow101.com>
Date: Mon, 4 Mar 2024 16:34:42 -0500
Subject: [PATCH 17/17] test: Test MuSig2 in the wallet

---
 test/functional/test_runner.py  |   1 +
 test/functional/wallet_musig.py | 242 ++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)
 create mode 100755 test/functional/wallet_musig.py

diff --git a/test/functional/test_runner.py b/test/functional/test_runner.py
index 7c8c15f391d..efa135ce225 100755
--- a/test/functional/test_runner.py
+++ b/test/functional/test_runner.py
@@ -342,6 +342,7 @@ BASE_SCRIPTS = [
     'mempool_datacarrier.py',
     'feature_coinstatsindex.py',
     'wallet_orphanedreward.py',
+    'wallet_musig.py',
     'wallet_timelock.py',
     'p2p_permissions.py',
     'feature_blocksdir.py',
diff --git a/test/functional/wallet_musig.py b/test/functional/wallet_musig.py
new file mode 100755
index 00000000000..277ca9276ed
--- /dev/null
+++ b/test/functional/wallet_musig.py
@@ -0,0 +1,242 @@
+#!/usr/bin/env python3
+# Copyright (c) 2024 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+import re
+
+from test_framework.descriptors import descsum_create
+from test_framework.key import H_POINT
+from test_framework.test_framework import BitcoinTestFramework
+from test_framework.util import (
+    assert_equal,
+    assert_greater_than,
+)
+
+PRIVKEY_RE = re.compile(r"^tr\((.+?)/.+\)#.{8}$")
+PUBKEY_RE = re.compile(r"^tr\((\[.+?\].+?)/.+\)#.{8}$")
+ORIGIN_PATH_RE = re.compile(r"^\[\w{8}(/.*)\].*$")
+MULTIPATH_TWO_RE = re.compile(r"<(\d+);(\d+)>")
+MUSIG_RE = re.compile(r"musig\((.*?)\)")
+PLACEHOLDER_RE = re.compile(r"\$\d")
+
+class WalletMuSigTest(BitcoinTestFramework):
+    WALLET_NUM = 0
+    def set_test_params(self):
+        self.num_nodes = 1
+
+    def skip_test_if_missing_module(self):
+        self.skip_if_no_wallet()
+
+    def do_test(self, comment, pattern, sighash_type=None, scriptpath=False, nosign_wallets=None, only_one_musig_wallet=False):
+        self.log.info(f"Testing {comment}")
+        has_internal = MULTIPATH_TWO_RE.search(pattern) is not None
+
+        wallets = []
+        keys = []
+
+        pat = pattern.replace("$H", H_POINT)
+
+        # Figure out how many wallets are needed and create them
+        expected_pubnonces = 0
+        expected_partial_sigs = 0
+        for musig in MUSIG_RE.findall(pat):
+            musig_partial_sigs = 0
+            for placeholder in PLACEHOLDER_RE.findall(musig):
+                wallet_index = int(placeholder[1:])
+                if nosign_wallets is None or wallet_index not in nosign_wallets:
+                    expected_pubnonces += 1
+                else:
+                    musig_partial_sigs = None
+                if musig_partial_sigs is not None:
+                    musig_partial_sigs += 1
+                if wallet_index < len(wallets):
+                    continue
+                wallet_name = f"musig_{self.WALLET_NUM}"
+                self.WALLET_NUM += 1
+                self.nodes[0].createwallet(wallet_name)
+                wallet = self.nodes[0].get_wallet_rpc(wallet_name)
+                wallets.append(wallet)
+
+                for priv_desc in wallet.listdescriptors(True)["descriptors"]:
+                    desc = priv_desc["desc"]
+                    if not desc.startswith("tr("):
+                        continue
+                    privkey = PRIVKEY_RE.search(desc).group(1)
+                    break
+                for pub_desc in wallet.listdescriptors()["descriptors"]:
+                    desc = pub_desc["desc"]
+                    if not desc.startswith("tr("):
+                        continue
+                    pubkey = PUBKEY_RE.search(desc).group(1)
+                    # Since the pubkey is derived from the private key that we have, we need
+                    # to extract and insert the origin path from the pubkey as well.
+                    privkey += ORIGIN_PATH_RE.search(pubkey).group(1)
+                    break
+                keys.append((privkey, pubkey))
+            if musig_partial_sigs is not None:
+                expected_partial_sigs += musig_partial_sigs
+
+        # Construct and import each wallet's musig descriptor that
+        # contains the private key from that wallet and pubkeys of the others
+        for i, wallet in enumerate(wallets):
+            if only_one_musig_wallet and i > 0:
+                continue
+            desc = pat
+            import_descs = []
+            for j, (priv, pub) in enumerate(keys):
+                if j == i:
+                    desc = desc.replace(f"${i}", priv)
+                else:
+                    desc = desc.replace(f"${j}", pub)
+
+            import_descs.append({
+                "desc": descsum_create(desc),
+                "active": True,
+                "timestamp": "now",
+            })
+
+            res = wallet.importdescriptors(import_descs)
+            for r in res:
+                assert_equal(r["success"], True)
+
+        # Check that the wallets agree on the same musig address
+        addr = None
+        change_addr = None
+        for i, wallet in enumerate(wallets):
+            if only_one_musig_wallet and i > 0:
+                continue
+            if addr is None:
+                addr = wallet.getnewaddress(address_type="bech32m")
+            else:
+                assert_equal(addr, wallet.getnewaddress(address_type="bech32m"))
+            if has_internal:
+                if change_addr is None:
+                    change_addr = wallet.getrawchangeaddress(address_type="bech32m")
+                else:
+                    assert_equal(change_addr, wallet.getrawchangeaddress(address_type="bech32m"))
+
+        # Fund that address
+        self.def_wallet.sendtoaddress(addr, 10)
+        self.generate(self.nodes[0], 1)
+
+        # Spend that UTXO
+        utxo = None
+        for i, wallet in enumerate(wallets):
+            if only_one_musig_wallet and i > 0:
+                continue
+            if utxo is None:
+                utxo = wallet.listunspent()[0]
+            else:
+                assert_equal(utxo, wallet.listunspent()[0])
+        psbt = wallets[0].walletcreatefundedpsbt(outputs=[{self.def_wallet.getnewaddress(): 5}], inputs=[utxo], change_type="bech32m", changePosition=1)["psbt"]
+
+        dec_psbt = self.nodes[0].decodepsbt(psbt)
+        assert_equal(len(dec_psbt["inputs"]), 1)
+        assert_equal(len(dec_psbt["inputs"][0]["musig2_participant_pubkeys"]), pattern.count("musig("))
+        if has_internal:
+            assert_equal(len(dec_psbt["outputs"][1]["musig2_participant_pubkeys"]), pattern.count("musig("))
+
+        # Check all participant pubkeys in the input and change output
+        psbt_maps = [dec_psbt["inputs"][0]]
+        if has_internal:
+            psbt_maps.append(dec_psbt["outputs"][1])
+        for psbt_map in psbt_maps:
+            part_pks = set()
+            for agg in psbt_map["musig2_participant_pubkeys"]:
+                for part_pub in agg["participant_pubkeys"]:
+                    part_pks.add(part_pub[2:])
+            # Check that there are as many participants as we expected
+            assert_equal(len(part_pks), len(keys))
+            # Check that each participant has a derivation path
+            for deriv_path in psbt_map["taproot_bip32_derivs"]:
+                if deriv_path["pubkey"] in part_pks:
+                    part_pks.remove(deriv_path["pubkey"])
+            assert_equal(len(part_pks), 0)
+
+        # Add pubnonces
+        nonce_psbts = []
+        for i, wallet in enumerate(wallets):
+            if nosign_wallets and i in nosign_wallets:
+                continue
+            proc = wallet.walletprocesspsbt(psbt=psbt, sighashtype=sighash_type)
+            assert_equal(proc["complete"], False)
+            nonce_psbts.append(proc["psbt"])
+
+        comb_nonce_psbt = self.nodes[0].combinepsbt(nonce_psbts)
+
+        dec_psbt = self.nodes[0].decodepsbt(comb_nonce_psbt)
+        assert_equal(len(dec_psbt["inputs"][0]["musig2_pubnonces"]), expected_pubnonces)
+        for pn in dec_psbt["inputs"][0]["musig2_pubnonces"]:
+            pubkey = pn["aggregate_pubkey"][2:]
+            if pubkey in dec_psbt["inputs"][0]["witness_utxo"]["scriptPubKey"]["hex"]:
+                continue
+            elif "taproot_scripts" in dec_psbt["inputs"][0]:
+                for leaf_scripts in dec_psbt["inputs"][0]["taproot_scripts"]:
+                    if pubkey in leaf_scripts["script"]:
+                        break
+                else:
+                    assert False, "Aggregate pubkey for pubnonce not seen as output key, or in any scripts"
+            else:
+                assert False, "Aggregate pubkey for pubnonce not seen as output key or internal key"
+
+        # Add partial sigs
+        psig_psbts = []
+        for i, wallet in enumerate(wallets):
+            if nosign_wallets and i in nosign_wallets:
+                continue
+            proc = wallet.walletprocesspsbt(psbt=comb_nonce_psbt, sighashtype=sighash_type)
+            assert_equal(proc["complete"], False)
+            psig_psbts.append(proc["psbt"])
+
+        comb_psig_psbt = self.nodes[0].combinepsbt(psig_psbts)
+
+        dec_psbt = self.nodes[0].decodepsbt(comb_psig_psbt)
+        assert_equal(len(dec_psbt["inputs"][0]["musig2_partial_sigs"]), expected_partial_sigs)
+        for ps in dec_psbt["inputs"][0]["musig2_partial_sigs"]:
+            pubkey = ps["aggregate_pubkey"][2:]
+            if pubkey in dec_psbt["inputs"][0]["witness_utxo"]["scriptPubKey"]["hex"]:
+                continue
+            elif "taproot_scripts" in dec_psbt["inputs"][0]:
+                for leaf_scripts in dec_psbt["inputs"][0]["taproot_scripts"]:
+                    if pubkey in leaf_scripts["script"]:
+                        break
+                else:
+                    assert False, "Aggregate pubkey for partial sig not seen as output key or in any scripts"
+            else:
+                assert False, "Aggregate pubkey for partial sig not seen as output key"
+
+        # Non-participant aggregates partial sigs and send
+        finalized = self.nodes[0].finalizepsbt(psbt=comb_psig_psbt, extract=False)
+        assert_equal(finalized["complete"], True)
+        witness = self.nodes[0].decodepsbt(finalized["psbt"])["inputs"][0]["final_scriptwitness"]
+        if scriptpath:
+            assert_greater_than(len(witness), 1)
+        else:
+            assert_equal(len(witness), 1)
+        finalized = self.nodes[0].finalizepsbt(comb_psig_psbt)
+        assert "hex" in finalized
+        self.nodes[0].sendrawtransaction(finalized["hex"])
+
+    def run_test(self):
+        self.def_wallet = self.nodes[0].get_wallet_rpc(self.default_wallet_name)
+
+        self.do_test("rawtr(musig(keys/*))", "rawtr(musig($0/<0;1>/*,$1/<1;2>/*,$2/<2;3>/*))")
+        self.do_test("rawtr(musig(keys/*)) with ALL|ANYONECANPAY", "rawtr(musig($0/<0;1>/*,$1/<1;2>/*,$2/<2;3>/*))", "ALL|ANYONECANPAY")
+        self.do_test("tr(musig(keys/*)) no multipath", "tr(musig($0/0/*,$1/1/*,$2/2/*))")
+        self.do_test("tr(musig(keys/*)) 2 index multipath", "tr(musig($0/<0;1>/*,$1/<1;2>/*,$2/<2;3>/*))")
+        self.do_test("tr(musig(keys/*)) 3 index multipath", "tr(musig($0/<0;1;2>/*,$1/<1;2;3>/*,$2/<2;3;4>/*))")
+        self.do_test("rawtr(musig/*)", "rawtr(musig($0,$1,$2)/<0;1>/*)")
+        self.do_test("tr(musig/*)", "tr(musig($0,$1,$2)/<0;1>/*)")
+        self.do_test("rawtr(musig(keys/*)) without all wallets importing", "rawtr(musig($0/<0;1>/*,$1/<0;1>/*,$2/<0;1>/*))", only_one_musig_wallet=True)
+        self.do_test("tr(musig(keys/*)) without all wallets importing", "tr(musig($0/<0;1>/*,$1/<0;1>/*,$2/<0;1>/*))", only_one_musig_wallet=True)
+        self.do_test("tr(H, pk(musig(keys/*)))", "tr($H,pk(musig($0/<0;1>/*,$1/<1;2>/*,$2/<2;3>/*)))", scriptpath=True)
+        self.do_test("tr(H,pk(musig/*))", "tr($H,pk(musig($0,$1,$2)/<0;1>/*))", scriptpath=True)
+        self.do_test("tr(H,{pk(musig/*), pk(musig/*)})", "tr($H,{pk(musig($0,$1,$2)/<0;1>/*),pk(musig($3,$4,$5)/0/*)})", scriptpath=True)
+        self.do_test("tr(H,{pk(musig/*), pk(same keys different musig/*)})", "tr($H,{pk(musig($0,$1,$2)/<0;1>/*),pk(musig($1,$2)/0/*)})", scriptpath=True)
+        self.do_test("tr(musig/*,{pk(partial keys diff musig-1/*),pk(partial keys diff musig-2/*)})}", "tr(musig($0,$1,$2)/<3;4>/*,{pk(musig($0,$1)/<5;6>/*),pk(musig($1,$2)/7/*)})")
+        self.do_test("tr(musig/*,{pk(partial keys diff musig-1/*),pk(partial keys diff musig-2/*)})} script-path", "tr(musig($0,$1,$2)/<3;4>/*,{pk(musig($0,$1)/<5;6>/*),pk(musig($1,$2)/7/*)})", scriptpath=True, nosign_wallets=[0])
+
+
+if __name__ == '__main__':
+    WalletMuSigTest(__file__).main()