From c235e5055f5d76e0cd39dcce3addb8cbd525e1bd Mon Sep 17 00:00:00 2001 From: Elliott Jin Date: Tue, 5 Apr 2022 18:18:18 -0400 Subject: [PATCH] musig-spec: Add naive Python reference implementation --- doc/musig-reference.py | 500 +++++++++++++++++++++++++++++++++++++++ doc/musig-spec.mediawiki | 4 +- 2 files changed, 502 insertions(+), 2 deletions(-) create mode 100644 doc/musig-reference.py diff --git a/doc/musig-reference.py b/doc/musig-reference.py new file mode 100644 index 000000000..f7702492d --- /dev/null +++ b/doc/musig-reference.py @@ -0,0 +1,500 @@ +from collections import namedtuple +from typing import Any, List, Optional, Tuple +import hashlib +import secrets +import time + +# WARNING: Implementers should be aware that some inputs could +# trigger assertion errors, and proceed with caution. For example, +# an assertion error raised in one of the functions below should not +# cause a server process to crash. + +# +# The following helper functions were copied from the BIP-340 reference implementation: +# https://github.com/bitcoin/bips/blob/master/bip-0340/reference.py +# + +p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F +n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 + +# Points are tuples of X and Y coordinates and the point at infinity is +# represented by the None keyword. +G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8) + +Point = Tuple[int, int] + +# This implementation can be sped up by storing the midstate after hashing +# tag_hash instead of rehashing it all the time. +def tagged_hash(tag: str, msg: bytes) -> bytes: + tag_hash = hashlib.sha256(tag.encode()).digest() + return hashlib.sha256(tag_hash + tag_hash + msg).digest() + +def is_infinite(P: Optional[Point]) -> bool: + return P is None + +def x(P: Point) -> int: + assert not is_infinite(P) + return P[0] + +def y(P: Point) -> int: + assert not is_infinite(P) + return P[1] + +def point_add(P1: Optional[Point], P2: Optional[Point]) -> Optional[Point]: + if P1 is None: + return P2 + if P2 is None: + return P1 + if (x(P1) == x(P2)) and (y(P1) != y(P2)): + return None + if P1 == P2: + lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p + else: + lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p + x3 = (lam * lam - x(P1) - x(P2)) % p + return (x3, (lam * (x(P1) - x3) - y(P1)) % p) + +def point_mul(P: Optional[Point], n: int) -> Optional[Point]: + R = None + for i in range(256): + if (n >> i) & 1: + R = point_add(R, P) + P = point_add(P, P) + return R + +def bytes_from_int(x: int) -> bytes: + return x.to_bytes(32, byteorder="big") + +def bytes_from_point(P: Point) -> bytes: + return bytes_from_int(x(P)) + +def lift_x(b: bytes) -> Optional[Point]: + x = int_from_bytes(b) + if x >= p: + return None + y_sq = (pow(x, 3, p) + 7) % p + y = pow(y_sq, (p + 1) // 4, p) + if pow(y, 2, p) != y_sq: + return None + return (x, y if y & 1 == 0 else p-y) + +def int_from_bytes(b: bytes) -> int: + return int.from_bytes(b, byteorder="big") + +def has_even_y(P: Point) -> bool: + assert not is_infinite(P) + return y(P) % 2 == 0 + +def schnorr_verify(msg: bytes, pubkey: bytes, sig: bytes) -> bool: + if len(msg) != 32: + raise ValueError('The message must be a 32-byte array.') + if len(pubkey) != 32: + raise ValueError('The public key must be a 32-byte array.') + if len(sig) != 64: + raise ValueError('The signature must be a 64-byte array.') + P = lift_x(pubkey) + r = int_from_bytes(sig[0:32]) + s = int_from_bytes(sig[32:64]) + if (P is None) or (r >= p) or (s >= n): + return False + e = int_from_bytes(tagged_hash("BIP0340/challenge", sig[0:32] + pubkey + msg)) % n + R = point_add(point_mul(G, s), point_mul(P, n - e)) + if (R is None) or (not has_even_y(R)) or (x(R) != r): + return False + return True + +# +# End of helper functions copied from BIP-340 reference implementation. +# + +infinity = None + +def cbytes(P: Point) -> bytes: + a = b'\x02' if has_even_y(P) else b'\x03' + return a + bytes_from_point(P) + +def point_negate(P: Optional[Point]) -> Optional[Point]: + if P is None: + return P + return (x(P), p - y(P)) + +def pointc(x: bytes) -> Point: + P = lift_x(x[1:33]) + if P is None: + raise ValueError('x is not a valid compressed point.') + if x[0] == 2: + return P + elif x[0] == 3: + P = point_negate(P) + assert P is not None + return P + else: + raise ValueError('x is not a valid compressed point.') + +def key_agg(pubkeys: List[bytes], tweaks: List[bytes], is_xonly: List[bool]) -> bytes: + Q, _, _ = key_agg_internal(pubkeys, tweaks, is_xonly) + return bytes_from_point(Q) + +def key_agg_internal(pubkeys: List[bytes], tweaks: List[bytes], is_xonly: List[bool]) -> Tuple[Point, int, int]: + pk2 = get_second_key(pubkeys) + u = len(pubkeys) + Q = infinity + for i in range(u): + P_i = lift_x(pubkeys[i]) + a_i = key_agg_coeff_internal(pubkeys, pubkeys[i], pk2) + Q = point_add(Q, point_mul(P_i, a_i)) + if Q is None: + raise ValueError('The aggregate public key cannot be infinity.') + gacc = 1 + tacc = 0 + v = len(tweaks) + for i in range(v): + Q, gacc, tacc = apply_tweak(Q, gacc, tacc, tweaks[i], is_xonly[i]) + return Q, gacc, tacc + +def hash_keys(pubkeys: List[bytes]) -> bytes: + return tagged_hash('KeyAgg list', b''.join(pubkeys)) + +def get_second_key(pubkeys: List[bytes]) -> bytes: + u = len(pubkeys) + for j in range(1, u): + if pubkeys[j] != pubkeys[0]: + return pubkeys[j] + return bytes_from_int(0) + +def key_agg_coeff(pubkeys: List[bytes], pk_: bytes) -> int: + pk2 = get_second_key(pubkeys) + return key_agg_coeff_internal(pubkeys, pk_, pk2) + +def key_agg_coeff_internal(pubkeys: List[bytes], pk_: bytes, pk2: bytes) -> int: + L = hash_keys(pubkeys) + if pk_ == pk2: + return 1 + return int_from_bytes(tagged_hash('KeyAgg coefficient', L + pk_)) % n + +def apply_tweak(Q: Point, gacc: int, tacc: int, tweak_i: bytes, is_xonly_i: bool) -> Tuple[Point, int, int]: + if len(tweak_i) != 32: + raise ValueError('The tweak must be a 32-byte array.') + if is_xonly_i and not has_even_y(Q): + g = n - 1 + else: + g = 1 + t_i = int_from_bytes(tweak_i) + if t_i >= n: + raise ValueError('The tweak must be less than n.') + Q_i = point_add(point_mul(Q, g), point_mul(G, t_i)) + if Q_i is None: + raise ValueError('The result of tweaking cannot be infinity.') + gacc_i = g * gacc % n + tacc_i = (t_i + g * tacc) % n + return Q_i, gacc_i, tacc_i + +def bytes_xor(a: bytes, b: bytes) -> bytes: + return bytes(x ^ y for x, y in zip(a, b)) + +def nonce_hash(rand: bytes, aggpk: bytes, i: int, msg: bytes, extra_in: bytes) -> int: + buf = b'' + buf += rand + buf += len(aggpk).to_bytes(1, 'big') + buf += aggpk + buf += i.to_bytes(1, 'big') + buf += len(msg).to_bytes(1, 'big') + buf += msg + buf += len(extra_in).to_bytes(4, 'big') + buf += extra_in + return int_from_bytes(tagged_hash('MuSig/nonce', buf)) + +def nonce_gen(sk: bytes, aggpk: bytes, msg: bytes, extra_in: bytes) -> Tuple[bytes, bytes]: + if len(sk) not in (0, 32): + raise ValueError('The optional byte array sk must have length 0 or 32.') + if len(aggpk) not in (0, 32): + raise ValueError('The optional byte array aggpk must have length 0 or 32.') + if len(msg) not in (0, 32): + raise ValueError('The optional byte array msg must have length 0 or 32.') + rand_ = secrets.token_bytes(32) + if len(sk) > 0: + rand = bytes_xor(sk, tagged_hash('MuSig/aux', rand_)) + else: + rand = rand_ + k_1 = nonce_hash(rand, aggpk, 1, msg, extra_in) + k_2 = nonce_hash(rand, aggpk, 2, msg, extra_in) + # k_1 == 0 or k_2 == 0 cannot occur except with negligible probability. + assert k_1 != 0 + assert k_2 != 0 + R_1_ = point_mul(G, k_1) + R_2_ = point_mul(G, k_2) + assert R_1_ is not None + assert R_2_ is not None + pubnonce = cbytes(R_1_) + cbytes(R_2_) + secnonce = bytes_from_int(k_1) + bytes_from_int(k_2) + return secnonce, pubnonce + +def nonce_agg(pubnonces: List[bytes]) -> bytes: + u = len(pubnonces) + aggnonce = b'' + for i in (1, 2): + R_i_ = infinity + for j in range(u): + R_i_ = point_add(R_i_, pointc(pubnonces[j][(i-1)*33:i*33])) + R_i = R_i_ if not is_infinite(R_i_) else G + assert R_i is not None + aggnonce += cbytes(R_i) + return aggnonce + +SessionContext = namedtuple('SessionContext', ['aggnonce', 'pubkeys', 'tweaks', 'is_xonly', 'msg']) + +def get_session_values(session_ctx: SessionContext) -> tuple[Point, int, int, int, Point, int]: + (aggnonce, pubkeys, tweaks, is_xonly, msg) = session_ctx + Q, gacc_v, tacc_v = key_agg_internal(pubkeys, tweaks, is_xonly) + b = int_from_bytes(tagged_hash('MuSig/noncecoef', aggnonce + bytes_from_point(Q) + msg)) % n + R_1 = pointc(aggnonce[0:33]) + R_2 = pointc(aggnonce[33:66]) + R = point_add(R_1, point_mul(R_2, b)) + # The aggregate public nonce cannot be infinity except with negligible probability. + assert R is not None + e = int_from_bytes(tagged_hash('BIP0340/challenge', bytes_from_point(R) + bytes_from_point(Q) + msg)) % n + return (Q, gacc_v, tacc_v, b, R, e) + +def get_session_key_agg_coeff(session_ctx: SessionContext, P: Point) -> int: + (_, pubkeys, _, _, _) = session_ctx + return key_agg_coeff(pubkeys, bytes_from_point(P)) + +# Callers should overwrite secnonce with zeros after calling sign. +def sign(secnonce: bytes, sk: bytes, session_ctx: SessionContext) -> bytes: + (Q, gacc_v, _, b, R, e) = get_session_values(session_ctx) + k_1_ = int_from_bytes(secnonce[0:32]) + k_2_ = int_from_bytes(secnonce[32:64]) + if not 0 < k_1_ < n: + raise ValueError('first secnonce value is out of range.') + if not 0 < k_2_ < n: + raise ValueError('second secnonce value is out of range.') + k_1 = k_1_ if has_even_y(R) else n - k_1_ + k_2 = k_2_ if has_even_y(R) else n - k_2_ + d_ = int_from_bytes(sk) + if not 0 < d_ < n: + raise ValueError('secret key value is out of range.') + P = point_mul(G, d_) + assert P is not None + a = get_session_key_agg_coeff(session_ctx, P) + gp = 1 if has_even_y(P) else n - 1 + g_v = 1 if has_even_y(Q) else n - 1 + d = g_v * gacc_v * gp * d_ % n + s = (k_1 + b * k_2 + e * a * d) % n + psig = bytes_from_int(s) + R_1_ = point_mul(G, k_1_) + R_2_ = point_mul(G, k_2_) + assert R_1_ is not None + assert R_2_ is not None + pubnonce = cbytes(R_1_) + cbytes(R_2_) + # Optional correctness check. The result of signing should pass signature verification. + assert partial_sig_verify_internal(psig, pubnonce, bytes_from_point(P), session_ctx) + return psig + +def partial_sig_verify(psig: bytes, pubnonces: List[bytes], pubkeys: List[bytes], tweaks: List[bytes], is_xonly: List[bool], msg: bytes, i: int) -> bool: + aggnonce = nonce_agg(pubnonces) + session_ctx = SessionContext(aggnonce, pubkeys, tweaks, is_xonly, msg) + return partial_sig_verify_internal(psig, pubnonces[i], pubkeys[i], session_ctx) + +def partial_sig_verify_internal(psig: bytes, pubnonce: bytes, pk_: bytes, session_ctx: SessionContext) -> bool: + (Q, gacc_v, _, b, R, e) = get_session_values(session_ctx) + s = int_from_bytes(psig) + if s >= n: + return False + R_1_ = pointc(pubnonce[0:33]) + R_2_ = pointc(pubnonce[33:66]) + R__ = point_add(R_1_, point_mul(R_2_, b)) + R_ = R__ if has_even_y(R) else point_negate(R__) + g_v = 1 if has_even_y(Q) else n - 1 + g_ = g_v * gacc_v % n + P = point_mul(lift_x(pk_), g_) + if P is None: + return False + a = get_session_key_agg_coeff(session_ctx, P) + return point_mul(G, s) == point_add(R_, point_mul(P, e * a % n)) + +def partial_sig_agg(psigs: List[bytes], session_ctx: SessionContext) -> Optional[bytes]: + (Q, _, tacc_v, _, R, e) = get_session_values(session_ctx) + s = 0 + u = len(psigs) + for i in range(u): + s_i = int_from_bytes(psigs[i]) + if s_i >= n: + return None + s = (s + s_i) % n + g_v = 1 if has_even_y(Q) else n - 1 + s = (s + e * g_v * tacc_v) % n + return bytes_from_point(R) + bytes_from_int(s) +# +# The following code is only used for testing. +# Test vectors were copied from libsecp256k1-zkp's MuSig test file. +# See `musig_test_vectors_keyagg` and `musig_test_vectors_sign` in +# https://github.com/ElementsProject/secp256k1-zkp/blob/master/src/modules/musig/tests_impl.h +# +def fromhex_all(l): + return [bytes.fromhex(l_i) for l_i in l] + +def test_key_agg_vectors(): + X = fromhex_all([ + 'F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9', + 'DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659', + '3590A94E768F8E1815C2F24B4D80A8E3149316C3518CE7B7AD338368D038CA66', + ]) + + expected = fromhex_all([ + 'E5830140512195D74C8307E39637CBE5FB730EBEAB80EC514CF88A877CEEEE0B', + 'D70CD69A2647F7390973DF48CBFA2CCC407B8B2D60B08C5F1641185C7998A290', + '81A8B093912C9E481408D09776CEFB48AEB8B65481B6BAAFB3C5810106717BEB', + '2EB18851887E7BDC5E830E89B19DDBC28078F1FA88AAD0AD01CA06FE4F80210B', + ]) + + assert key_agg([X[0], X[1], X[2]], [], []) == expected[0] + assert key_agg([X[2], X[1], X[0]], [], []) == expected[1] + assert key_agg([X[0], X[0], X[0]], [], []) == expected[2] + assert key_agg([X[0], X[0], X[1], X[1]], [], []) == expected[3] + +def test_sign_vectors(): + X = fromhex_all([ + 'F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9', + 'DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659', + ]) + + secnonce = bytes.fromhex( + '508B81A611F100A6B2B6B29656590898AF488BCF2E1F55CF22E5CFB84421FE61' + + 'FA27FD49B1D50085B481285E1CA205D55C82CC1B31FF5CD54A489829355901F7') + + aggnonce = bytes.fromhex( + '028465FCF0BBDBCF443AABCCE533D42B4B5A10966AC09A49655E8C42DAAB8FCD61' + + '037496A3CC86926D452CAFCFD55D25972CA1675D549310DE296BFF42F72EEEA8C9') + + sk = bytes.fromhex('7FB9E0E687ADA1EEBF7ECFE2F21E73EBDB51A7D450948DFE8D76D7F2D1007671') + msg = bytes.fromhex('F95466D086770E689964664219266FE5ED215C92AE20BAB5C9D79ADDDDF3C0CF') + + expected = fromhex_all([ + '68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B', + '2DF67BFFF18E3DE797E13C6475C963048138DAEC5CB20A357CECA7C8424295EA', + '0D5B651E6DE34A29A12DE7A8B4183B4AE6A7F7FBE15CDCAFA4A3D1BCAABC7517', + ]) + + pk = bytes_from_point(point_mul(G, int_from_bytes(sk))) + + session_ctx = SessionContext(aggnonce, [pk, X[0], X[1]], [], [], msg) + assert sign(secnonce, sk, session_ctx) == expected[0] + # WARNING: An actual implementation should clear the secnonce after use, + # e.g. by setting secnonce = bytes(64) after usage. Reusing the secnonce, as + # we do here for testing purposes, can leak the secret key. + + session_ctx = SessionContext(aggnonce, [X[0], pk, X[1]], [], [], msg) + assert sign(secnonce, sk, session_ctx) == expected[1] + + session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], [], [], msg) + assert sign(secnonce, sk, session_ctx) == expected[2] + +def test_tweak_vectors(): + X = fromhex_all([ + 'F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9', + 'DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659', + ]) + + secnonce = bytes.fromhex( + '508B81A611F100A6B2B6B29656590898AF488BCF2E1F55CF22E5CFB84421FE61' + + 'FA27FD49B1D50085B481285E1CA205D55C82CC1B31FF5CD54A489829355901F7') + + aggnonce = bytes.fromhex( + '028465FCF0BBDBCF443AABCCE533D42B4B5A10966AC09A49655E8C42DAAB8FCD61' + + '037496A3CC86926D452CAFCFD55D25972CA1675D549310DE296BFF42F72EEEA8C9') + + sk = bytes.fromhex('7FB9E0E687ADA1EEBF7ECFE2F21E73EBDB51A7D450948DFE8D76D7F2D1007671') + msg = bytes.fromhex('F95466D086770E689964664219266FE5ED215C92AE20BAB5C9D79ADDDDF3C0CF') + + tweaks = fromhex_all([ + 'E8F791FF9225A2AF0102AFFF4A9A723D9612A682A25EBE79802B263CDFCD83BB', + 'AE2EA797CC0FE72AC5B97B97F3C6957D7E4199A167A58EB08BCAFFDA70AC0455', + 'F52ECBC565B3D8BEA2DFD5B75A4F457E54369809322E4120831626F290FA87E0', + '1969AD73CC177FA0B4FCED6DF1F7BF9907E665FDE9BA196A74FED0A3CF5AEF9D', + ]) + + expected = fromhex_all([ + '5E24C7496B565DEBC3B9639E6F1304A21597F9603D3AB05B4913641775E1375B', + '78408DDCAB4813D1394C97D493EF1084195C1D4B52E63ECD7BC5991644E44DDD', + 'C3A829A81480E36EC3AB052964509A94EBF34210403D16B226A6F16EC85B7357', + '8C4473C6A382BD3C4AD7BE59818DA5ED7CF8CEC4BC21996CFDA08BB4316B8BC7', + ]) + + pk = bytes_from_point(point_mul(G, int_from_bytes(sk))) + + # A single x-only tweak + session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], tweaks[:1], [True], msg) + assert sign(secnonce, sk, session_ctx) == expected[0] + # WARNING: An actual implementation should clear the secnonce after use, + # e.g. by setting secnonce = bytes(64) after usage. Reusing the secnonce, as + # we do here for testing purposes, can leak the secret key. + + # A single ordinary tweak + session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], tweaks[:1], [False], msg) + assert sign(secnonce, sk, session_ctx) == expected[1] + + # An ordinary tweak followed by an x-only tweak + session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], tweaks[:2], [False, True], msg) + assert sign(secnonce, sk, session_ctx) == expected[2] + + # Four tweaks: x-only, ordinary, x-only, ordinary + session_ctx = SessionContext(aggnonce, [X[0], X[1], pk], tweaks[:4], [True, False, True, False], msg) + assert sign(secnonce, sk, session_ctx) == expected[3] + +def test_sign_and_verify_random(iters): + for i in range(iters): + sk_1 = secrets.token_bytes(32) + sk_2 = secrets.token_bytes(32) + pk_1 = bytes_from_point(point_mul(G, int_from_bytes(sk_1))) + pk_2 = bytes_from_point(point_mul(G, int_from_bytes(sk_2))) + pubkeys = [pk_1, pk_2] + + # In this example, the message and aggregate pubkey are known + # before nonce generation, so they can be passed into the nonce + # generation function as a defense-in-depth measure to protect + # against nonce reuse. + # + # If these values are not known when nonce_gen is called, empty + # byte arrays can be passed in for the corresponding arguments + # instead. + msg = secrets.token_bytes(32) + v = secrets.randbelow(4) + tweaks = [secrets.token_bytes(32) for _ in range(v)] + is_xonly = [secrets.choice([False, True]) for _ in range(v)] + aggpk = key_agg(pubkeys, tweaks, is_xonly) + + # Use a non-repeating counter for extra_in + secnonce_1, pubnonce_1 = nonce_gen(sk_1, aggpk, msg, i.to_bytes(4, 'big')) + + # Use a clock for extra_in + t = time.clock_gettime_ns(time.CLOCK_MONOTONIC) + secnonce_2, pubnonce_2 = nonce_gen(sk_2, aggpk, msg, t.to_bytes(8, 'big')) + + pubnonces = [pubnonce_1, pubnonce_2] + aggnonce = nonce_agg(pubnonces) + + session_ctx = SessionContext(aggnonce, pubkeys, tweaks, is_xonly, msg) + psig_1 = sign(secnonce_1, sk_1, session_ctx) + # Clear the secnonce after use + secnonce_1 = bytes(64) + assert partial_sig_verify(psig_1, pubnonces, pubkeys, tweaks, is_xonly, msg, 0) + + # Wrong signer index + assert not partial_sig_verify(psig_1, pubnonces, pubkeys, tweaks, is_xonly, msg, 1) + + # Wrong message + assert not partial_sig_verify(psig_1, pubnonces, pubkeys, tweaks, is_xonly, secrets.token_bytes(32), 0) + + psig_2 = sign(secnonce_2, sk_2, session_ctx) + # Clear the secnonce after use + secnonce_2 = bytes(64) + assert partial_sig_verify(psig_2, pubnonces, pubkeys, tweaks, is_xonly, msg, 1) + + sig = partial_sig_agg([psig_1, psig_2], session_ctx) + assert schnorr_verify(msg, aggpk, sig) + +if __name__ == '__main__': + test_key_agg_vectors() + test_sign_vectors() + test_tweak_vectors() + test_sign_and_verify_random(4) diff --git a/doc/musig-spec.mediawiki b/doc/musig-spec.mediawiki index 24ce37fe0..7ce736e9e 100644 --- a/doc/musig-spec.mediawiki +++ b/doc/musig-spec.mediawiki @@ -405,8 +405,8 @@ Input: === Test Vectors and Reference Code === -There are some vectors in libsecp256k1's [https://github.com/ElementsProject/secp256k1-zkp/blob/master/src/modules/musig/tests_impl.h MuSig test file]. -Search for the ''musig_test_vectors_keyagg'' and ''musig_test_vectors_sign'' functions. +We provide a naive, highly inefficient, and non-constant time [[musig-reference.py|pure Python 3 reference implementation of the key aggregation, partial signing, and partial signature verification algorithms, together with some test vectors]]. +The reference implementation is for demonstration purposes only and not to be used in production environments. == Remarks on Security and Correctness ==