Add a helper method to verify partial musig2 signatures

Author: sstone

build.gradle.kts

@@ -13,7 +13,7 @@ plugins {
 val currentOs = org.gradle.internal.os.OperatingSystem.current()
 
 group = "fr.acinq.bitcoin"
-version = "0.22.2"
+version = "0.22.3-SNAPSHOT"
 
 repositories {
     google()

src/commonMain/kotlin/fr/acinq/bitcoin/crypto/musig2/Musig2.kt

@@ -3,6 +3,7 @@ package fr.acinq.bitcoin.crypto.musig2
 import fr.acinq.bitcoin.*
 import fr.acinq.bitcoin.utils.Either
 import fr.acinq.bitcoin.utils.flatMap
+import fr.acinq.bitcoin.utils.getOrElse
 import fr.acinq.secp256k1.Hex
 import fr.acinq.secp256k1.Secp256k1
 import kotlin.jvm.JvmOverloads
@@ -279,6 +280,36 @@ public object Musig2 {
         return taprootSession(tx, inputIndex, inputs, publicKeys, publicNonces, scriptTree).map { it.sign(secretNonce, privateKey) }
     }
 
+    /**
+     * Verify a partial musig2 signature.
+
+     * @param partialSig partial musig2 signature.
+     * @param nonce public nonce matching the secret nonce used to generate the signature.
+     * @param publicKey public key for the private key used to generate the signature.
+     * @param tx transaction spending the target taproot input.
+     * @param inputIndex index of the taproot input to spend.
+     * @param inputs all inputs of the spending transaction.
+     * @param publicKeys public keys of all participants of the musig2 session: callers must verify that all public keys are valid.
+     * @param publicNonces public nonces of all participants of the musig2 session.
+     * @param scriptTree tapscript tree of the taproot input, if it has script paths.
+     * @return true if the partial signature is valid.
+     */
+    @JvmStatic
+    public fun verifyTaprootSignature(
+        partialSig: ByteVector32,
+        nonce: IndividualNonce,
+        publicKey: PublicKey,
+        tx: Transaction,
+        inputIndex: Int,
+        inputs: List<TxOut>,
+        publicKeys: List<PublicKey>,
+        publicNonces: List<IndividualNonce>,
+        scriptTree: ScriptTree?
+    ): Boolean {
+        val session = taprootSession(tx, inputIndex, inputs, publicKeys, publicNonces, scriptTree)
+        return session.map { it.verify(partialSig, nonce, publicKey) }.getOrElse { false }
+    }
+
     /**
      * Aggregate partial musig2 signatures into a valid schnorr signature for the given taproot input key path.
      *

src/commonTest/kotlin/fr/acinq/bitcoin/crypto/musig2/Musig2TestsCommon.kt

@@ -298,10 +298,14 @@ class Musig2TestsCommon {
 
         // Once they have each other's public nonce, they can produce partial signatures.
         val publicNonces = listOf(aliceNonce.second, bobNonce.second)
+
         val aliceSig = Musig2.signTaprootInput(alicePrivKey, spendingTx, 0, listOf(tx.txOut[0]), listOf(alicePubKey, bobPubKey), aliceNonce.first, publicNonces, scriptTree = null).right
         assertNotNull(aliceSig)
+        assertTrue(Musig2.verifyTaprootSignature(aliceSig, aliceNonce.second, alicePubKey, spendingTx, 0, listOf(tx.txOut[0]), listOf(alicePubKey, bobPubKey), publicNonces, scriptTree = null))
+
         val bobSig = Musig2.signTaprootInput(bobPrivKey, spendingTx, 0, listOf(tx.txOut[0]), listOf(alicePubKey, bobPubKey), bobNonce.first, publicNonces, scriptTree = null).right
         assertNotNull(bobSig)
+        assertTrue(Musig2.verifyTaprootSignature(bobSig, bobNonce.second, bobPubKey, spendingTx, 0, listOf(tx.txOut[0]), listOf(alicePubKey, bobPubKey), publicNonces, scriptTree = null))
 
         // Once they have each other's partial signature, they can aggregate them into a valid signature.
         val aggregateSig = Musig2.aggregateTaprootSignatures(listOf(aliceSig, bobSig), spendingTx, 0, listOf(tx.txOut[0]), listOf(alicePubKey, bobPubKey), publicNonces, scriptTree = null).right
@@ -355,8 +359,11 @@ class Musig2TestsCommon {
             val publicNonces = listOf(userNonce.second, serverNonce.second)
             val userSig = Musig2.signTaprootInput(userPrivateKey, tx, 0, swapInTx.txOut, listOf(userPublicKey, serverPublicKey), userNonce.first, publicNonces, scriptTree).right
             assertNotNull(userSig)
+            assertTrue(Musig2.verifyTaprootSignature(userSig, userNonce.second, userPublicKey, tx, 0, swapInTx.txOut, listOf(userPublicKey, serverPublicKey), publicNonces, scriptTree))
+
             val serverSig = Musig2.signTaprootInput(serverPrivateKey, tx, 0, swapInTx.txOut, listOf(userPublicKey, serverPublicKey), serverNonce.first, publicNonces, scriptTree).right
             assertNotNull(serverSig)
+            assertTrue(Musig2.verifyTaprootSignature(serverSig, serverNonce.second, serverPublicKey, tx, 0, swapInTx.txOut, listOf(userPublicKey, serverPublicKey), publicNonces, scriptTree))
 
             // Once they have each other's partial signature, they can aggregate them into a valid signature.
             val aggregateSig = Musig2.aggregateTaprootSignatures(listOf(userSig, serverSig), tx, 0, swapInTx.txOut, listOf(userPublicKey, serverPublicKey), publicNonces, scriptTree).right