Bitcoin ABC 0.30.5
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "secp256k1_schnorrsig.h"
11
12/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13 * bytes) changes the hash function
14 */
15void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16 unsigned char nonces[2][32];
17 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18 secp256k1_testrand_flip(args[n_flip], n_bytes);
19 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21}
22
23/* Tests for the equality of two sha256 structs. This function only produces a
24 * correct result if an integer multiple of 64 many bytes have been written
25 * into the hash functions. */
26void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27 /* Is buffer fully consumed? */
28 CHECK((sha1->bytes & 0x3F) == 0);
29
30 CHECK(sha1->bytes == sha2->bytes);
31 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32}
33
34void run_nonce_function_bip340_tests(void) {
35 unsigned char tag[13] = "BIP0340/nonce";
36 unsigned char aux_tag[11] = "BIP0340/aux";
37 unsigned char algo[13] = "BIP0340/nonce";
38 size_t algolen = sizeof(algo);
39 secp256k1_sha256 sha;
40 secp256k1_sha256 sha_optimized;
41 unsigned char nonce[32];
42 unsigned char msg[32];
43 size_t msglen = sizeof(msg);
44 unsigned char key[32];
45 unsigned char pk[32];
46 unsigned char aux_rand[32];
47 unsigned char *args[5];
48 int i;
49
50 /* Check that hash initialized by
51 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52 * state. */
53 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
54 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
55 test_sha256_eq(&sha, &sha_optimized);
56
57 /* Check that hash initialized by
58 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59 * state. */
60 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
61 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
62 test_sha256_eq(&sha, &sha_optimized);
63
64 secp256k1_testrand256(msg);
65 secp256k1_testrand256(key);
66 secp256k1_testrand256(pk);
67 secp256k1_testrand256(aux_rand);
68
69 /* Check that a bitflip in an argument results in different nonces. */
70 args[0] = msg;
71 args[1] = key;
72 args[2] = pk;
73 args[3] = algo;
74 args[4] = aux_rand;
75 for (i = 0; i < count; i++) {
76 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79 /* Flip algo special case "BIP0340/nonce" */
80 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81 /* Flip algo again */
82 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84 }
85
86 /* NULL algo is disallowed */
87 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89 /* Other algo is fine */
90 secp256k1_rfc6979_hmac_sha256_generate(&secp256k1_test_rng, algo, algolen);
91 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92
93 for (i = 0; i < count; i++) {
94 unsigned char nonce2[32];
95 uint32_t offset = secp256k1_testrand_int(msglen - 1);
96 size_t msglen_tmp = (msglen + offset) % msglen;
97 size_t algolen_tmp;
98
99 /* Different msglen gives different nonce */
100 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102
103 /* Different algolen gives different nonce */
104 offset = secp256k1_testrand_int(algolen - 1);
105 algolen_tmp = (algolen + offset) % algolen;
106 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108 }
109
110 /* NULL aux_rand argument is allowed. */
111 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
112}
113
114void test_schnorrsig_api(void) {
115 unsigned char sk1[32];
116 unsigned char sk2[32];
117 unsigned char sk3[32];
118 unsigned char msg[32];
119 secp256k1_keypair keypairs[3];
120 secp256k1_keypair invalid_keypair = { 0 };
121 secp256k1_xonly_pubkey pk[3];
122 secp256k1_xonly_pubkey zero_pk;
123 unsigned char sig[64];
124 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
125 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
126
128 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
129 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
130 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
131 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
132 int ecount;
133
134 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
135 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
136 secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
137 secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
138 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
139 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
140 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
141 secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
142
143 secp256k1_testrand256(sk1);
144 secp256k1_testrand256(sk2);
145 secp256k1_testrand256(sk3);
146 secp256k1_testrand256(msg);
147 CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
148 CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
149 CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
150 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
151 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
152 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
153 memset(&zero_pk, 0, sizeof(zero_pk));
154
156 ecount = 0;
157 CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL) == 0);
158 CHECK(ecount == 1);
159 CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL) == 0);
160 CHECK(ecount == 2);
161 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
162 CHECK(ecount == 2);
163 CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL) == 0);
164 CHECK(ecount == 3);
165 CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL) == 0);
166 CHECK(ecount == 4);
167 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL) == 0);
168 CHECK(ecount == 5);
169 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL) == 0);
170 CHECK(ecount == 6);
171
172 ecount = 0;
173 CHECK(secp256k1_schnorrsig_sign_custom(none, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
174 CHECK(ecount == 1);
175 CHECK(secp256k1_schnorrsig_sign_custom(vrfy, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
176 CHECK(ecount == 2);
177 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
178 CHECK(ecount == 2);
179 CHECK(secp256k1_schnorrsig_sign_custom(sign, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
180 CHECK(ecount == 3);
181 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
182 CHECK(ecount == 4);
183 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
184 CHECK(ecount == 4);
185 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
186 CHECK(ecount == 5);
187 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
188 CHECK(ecount == 6);
189 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
190 CHECK(ecount == 6);
191 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
192 CHECK(ecount == 7);
193
194 ecount = 0;
195 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
196 CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 0);
197 CHECK(ecount == 1);
198 CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 0);
199 CHECK(ecount == 2);
200 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &pk[0]) == 1);
201 CHECK(ecount == 2);
202 CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, sizeof(msg), &pk[0]) == 0);
203 CHECK(ecount == 3);
204 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, sizeof(msg), &pk[0]) == 0);
205 CHECK(ecount == 4);
206 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, 0, &pk[0]) == 0);
207 CHECK(ecount == 4);
208 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), NULL) == 0);
209 CHECK(ecount == 5);
210 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &zero_pk) == 0);
211 CHECK(ecount == 6);
212
213 secp256k1_context_destroy(none);
214 secp256k1_context_destroy(sign);
215 secp256k1_context_destroy(vrfy);
216 secp256k1_context_destroy(both);
217}
218
219/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
220 * expected state. */
221void test_schnorrsig_sha256_tagged(void) {
222 unsigned char tag[17] = "BIP0340/challenge";
223 secp256k1_sha256 sha;
224 secp256k1_sha256 sha_optimized;
225
226 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
227 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
228 test_sha256_eq(&sha, &sha_optimized);
229}
230
231/* Helper function for schnorrsig_bip_vectors
232 * Signs the message and checks that it's the same as expected_sig. */
233void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
234 unsigned char sig[64];
235 secp256k1_keypair keypair;
236 secp256k1_xonly_pubkey pk, pk_expected;
237
238 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
239 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg32, &keypair, aux_rand));
240 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
241
242 CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
243 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
244 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
245 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
246}
247
248/* Helper function for schnorrsig_bip_vectors
249 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
250void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
251 secp256k1_xonly_pubkey pk;
252
253 CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
254 CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
255}
256
257/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
258 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
259void test_schnorrsig_bip_vectors(void) {
260 {
261 /* Test vector 0 */
262 const unsigned char sk[32] = {
263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
267 };
268 const unsigned char pk[32] = {
269 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
270 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
271 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
272 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
273 };
274 unsigned char aux_rand[32] = {
275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
279 };
280 const unsigned char msg[32] = {
281 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
282 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
285 };
286 const unsigned char sig[64] = {
287 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
288 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
289 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
290 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
291 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
292 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
293 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
294 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
295 };
296 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
297 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
298 }
299 {
300 /* Test vector 1 */
301 const unsigned char sk[32] = {
302 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
303 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
304 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
305 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
306 };
307 const unsigned char pk[32] = {
308 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
309 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
310 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
311 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
312 };
313 unsigned char aux_rand[32] = {
314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
317 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
318 };
319 const unsigned char msg[32] = {
320 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
321 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
322 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
323 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
324 };
325 const unsigned char sig[64] = {
326 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
327 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
328 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
329 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
330 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
331 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
332 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
333 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
334 };
335 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
336 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
337 }
338 {
339 /* Test vector 2 */
340 const unsigned char sk[32] = {
341 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
342 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
343 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
344 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
345 };
346 const unsigned char pk[32] = {
347 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
348 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
349 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
350 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
351 };
352 unsigned char aux_rand[32] = {
353 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
354 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
355 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
356 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
357 };
358 const unsigned char msg[32] = {
359 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
360 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
361 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
362 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
363 };
364 const unsigned char sig[64] = {
365 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
366 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
367 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
368 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
369 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
370 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
371 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
372 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
373 };
374 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
375 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
376 }
377 {
378 /* Test vector 3 */
379 const unsigned char sk[32] = {
380 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
381 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
382 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
383 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
384 };
385 const unsigned char pk[32] = {
386 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
387 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
388 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
389 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
390 };
391 unsigned char aux_rand[32] = {
392 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
393 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
394 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
395 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
396 };
397 const unsigned char msg[32] = {
398 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
399 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
400 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
401 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
402 };
403 const unsigned char sig[64] = {
404 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
405 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
406 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
407 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
408 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
409 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
410 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
411 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
412 };
413 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
414 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
415 }
416 {
417 /* Test vector 4 */
418 const unsigned char pk[32] = {
419 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
420 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
421 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
422 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
423 };
424 const unsigned char msg[32] = {
425 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
426 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
427 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
428 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
429 };
430 const unsigned char sig[64] = {
431 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
432 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
433 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
434 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
435 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
436 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
437 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
438 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
439 };
440 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
441 }
442 {
443 /* Test vector 5 */
444 const unsigned char pk[32] = {
445 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
446 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
447 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
448 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
449 };
450 secp256k1_xonly_pubkey pk_parsed;
451 /* No need to check the signature of the test vector as parsing the pubkey already fails */
452 CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
453 }
454 {
455 /* Test vector 6 */
456 const unsigned char pk[32] = {
457 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
458 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
459 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
460 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
461 };
462 const unsigned char msg[32] = {
463 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
464 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
465 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
466 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
467 };
468 const unsigned char sig[64] = {
469 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
470 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
471 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
472 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
473 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
474 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
475 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
476 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
477 };
478 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
479 }
480 {
481 /* Test vector 7 */
482 const unsigned char pk[32] = {
483 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
484 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
485 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
486 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
487 };
488 const unsigned char msg[32] = {
489 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
490 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
491 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
492 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
493 };
494 const unsigned char sig[64] = {
495 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
496 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
497 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
498 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
499 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
500 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
501 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
502 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
503 };
504 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
505 }
506 {
507 /* Test vector 8 */
508 const unsigned char pk[32] = {
509 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
510 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
511 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
512 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
513 };
514 const unsigned char msg[32] = {
515 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
516 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
517 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
518 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
519 };
520 const unsigned char sig[64] = {
521 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
522 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
523 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
524 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
525 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
526 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
527 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
528 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
529 };
530 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
531 }
532 {
533 /* Test vector 9 */
534 const unsigned char pk[32] = {
535 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
536 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
537 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
538 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
539 };
540 const unsigned char msg[32] = {
541 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
542 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
543 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
544 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
545 };
546 const unsigned char sig[64] = {
547 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
550 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
551 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
552 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
553 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
554 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
555 };
556 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
557 }
558 {
559 /* Test vector 10 */
560 const unsigned char pk[32] = {
561 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
562 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
563 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
564 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
565 };
566 const unsigned char msg[32] = {
567 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
568 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
569 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
570 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
571 };
572 const unsigned char sig[64] = {
573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
574 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
577 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
578 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
579 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
580 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
581 };
582 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
583 }
584 {
585 /* Test vector 11 */
586 const unsigned char pk[32] = {
587 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
588 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
589 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
590 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
591 };
592 const unsigned char msg[32] = {
593 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
594 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
595 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
596 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
597 };
598 const unsigned char sig[64] = {
599 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
600 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
601 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
602 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
603 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
604 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
605 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
606 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
607 };
608 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
609 }
610 {
611 /* Test vector 12 */
612 const unsigned char pk[32] = {
613 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
614 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
615 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
616 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
617 };
618 const unsigned char msg[32] = {
619 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
620 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
621 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
622 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
623 };
624 const unsigned char sig[64] = {
625 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
626 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
627 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
628 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
629 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
630 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
631 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
632 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
633 };
634 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
635 }
636 {
637 /* Test vector 13 */
638 const unsigned char pk[32] = {
639 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
640 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
641 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
642 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
643 };
644 const unsigned char msg[32] = {
645 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
646 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
647 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
648 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
649 };
650 const unsigned char sig[64] = {
651 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
652 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
653 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
654 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
655 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
656 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
657 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
658 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
659 };
660 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
661 }
662 {
663 /* Test vector 14 */
664 const unsigned char pk[32] = {
665 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
666 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
667 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
668 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
669 };
670 secp256k1_xonly_pubkey pk_parsed;
671 /* No need to check the signature of the test vector as parsing the pubkey already fails */
672 CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
673 }
674}
675
676/* Nonce function that returns constant 0 */
677static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
678 (void) msg;
679 (void) msglen;
680 (void) key32;
681 (void) xonly_pk32;
682 (void) algo;
683 (void) algolen;
684 (void) data;
685 (void) nonce32;
686 return 0;
687}
688
689/* Nonce function that sets nonce to 0 */
690static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
691 (void) msg;
692 (void) msglen;
693 (void) key32;
694 (void) xonly_pk32;
695 (void) algo;
696 (void) algolen;
697 (void) data;
698
699 memset(nonce32, 0, 32);
700 return 1;
701}
702
703/* Nonce function that sets nonce to 0xFF...0xFF */
704static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
705 (void) msg;
706 (void) msglen;
707 (void) key32;
708 (void) xonly_pk32;
709 (void) algo;
710 (void) algolen;
711 (void) data;
712
713 memset(nonce32, 0xFF, 32);
714 return 1;
715}
716
717void test_schnorrsig_sign(void) {
718 unsigned char sk[32];
719 secp256k1_xonly_pubkey pk;
720 secp256k1_keypair keypair;
721 const unsigned char msg[32] = "this is a msg for a schnorrsig..";
722 unsigned char sig[64];
723 unsigned char sig2[64];
724 unsigned char zeros64[64] = { 0 };
725 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
726 unsigned char aux_rand[32];
727
728 secp256k1_testrand256(sk);
729 secp256k1_testrand256(aux_rand);
730 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
731 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
732 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
733 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
734
735 /* Test different nonce functions */
736 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
737 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
738 memset(sig, 1, sizeof(sig));
739 extraparams.noncefp = nonce_function_failing;
740 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
741 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
742 memset(&sig, 1, sizeof(sig));
743 extraparams.noncefp = nonce_function_0;
744 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
745 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
746 memset(&sig, 1, sizeof(sig));
747 extraparams.noncefp = nonce_function_overflowing;
748 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
749 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
750
751 /* When using the default nonce function, schnorrsig_sign_custom produces
752 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
753 extraparams.noncefp = NULL;
754 extraparams.ndata = aux_rand;
755 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
756 CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
757 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
758}
759
760#define N_SIGS 3
761/* Creates N_SIGS valid signatures and verifies them with verify and
762 * verify_batch (TODO). Then flips some bits and checks that verification now
763 * fails. */
764void test_schnorrsig_sign_verify(void) {
765 unsigned char sk[32];
766 unsigned char msg[N_SIGS][32];
767 unsigned char sig[N_SIGS][64];
768 size_t i;
769 secp256k1_keypair keypair;
770 secp256k1_xonly_pubkey pk;
771 secp256k1_scalar s;
772
773 secp256k1_testrand256(sk);
774 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
775 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
776
777 for (i = 0; i < N_SIGS; i++) {
778 secp256k1_testrand256(msg[i]);
779 CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL));
780 CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
781 }
782
783 {
784 /* Flip a few bits in the signature and in the message and check that
785 * verify and verify_batch (TODO) fail */
786 size_t sig_idx = secp256k1_testrand_int(N_SIGS);
787 size_t byte_idx = secp256k1_testrand_int(32);
788 unsigned char xorbyte = secp256k1_testrand_int(254)+1;
789 sig[sig_idx][byte_idx] ^= xorbyte;
790 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
791 sig[sig_idx][byte_idx] ^= xorbyte;
792
793 byte_idx = secp256k1_testrand_int(32);
794 sig[sig_idx][32+byte_idx] ^= xorbyte;
795 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
796 sig[sig_idx][32+byte_idx] ^= xorbyte;
797
798 byte_idx = secp256k1_testrand_int(32);
799 msg[sig_idx][byte_idx] ^= xorbyte;
800 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
801 msg[sig_idx][byte_idx] ^= xorbyte;
802
803 /* Check that above bitflips have been reversed correctly */
804 CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
805 }
806
807 /* Test overflowing s */
808 CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
809 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
810 memset(&sig[0][32], 0xFF, 32);
811 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
812
813 /* Test negative s */
814 CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
815 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
816 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
817 secp256k1_scalar_negate(&s, &s);
818 secp256k1_scalar_get_b32(&sig[0][32], &s);
819 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
820
821 /* The empty message can be signed & verified */
822 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
823 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
824
825 {
826 /* Test varying message lengths */
827 unsigned char msg_large[32 * 8];
828 uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
829 for (i = 0; i < sizeof(msg_large); i += 32) {
830 secp256k1_testrand256(&msg_large[i]);
831 }
832 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
833 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
834 /* Verification for a random wrong message length fails */
835 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
836 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
837 }
838}
839#undef N_SIGS
840
841void test_schnorrsig_taproot(void) {
842 unsigned char sk[32];
843 secp256k1_keypair keypair;
844 secp256k1_xonly_pubkey internal_pk;
845 unsigned char internal_pk_bytes[32];
846 secp256k1_xonly_pubkey output_pk;
847 unsigned char output_pk_bytes[32];
848 unsigned char tweak[32];
849 int pk_parity;
850 unsigned char msg[32];
851 unsigned char sig[64];
852
853 /* Create output key */
854 secp256k1_testrand256(sk);
855 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
856 CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
857 /* In actual taproot the tweak would be hash of internal_pk */
858 CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
859 CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
860 CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
861 CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
862
863 /* Key spend */
864 secp256k1_testrand256(msg);
865 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
866 /* Verify key spend */
867 CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
868 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
869
870 /* Script spend */
871 CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
872 /* Verify script spend */
873 CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
874 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
875}
876
877void run_schnorrsig_tests(void) {
878 int i;
879 run_nonce_function_bip340_tests();
880
881 test_schnorrsig_api();
882 test_schnorrsig_sha256_tagged();
883 test_schnorrsig_bip_vectors();
884 for (i = 0; i < count; i++) {
885 test_schnorrsig_sign();
886 test_schnorrsig_sign_verify();
887 }
888 test_schnorrsig_taproot();
889}
890
891#endif
ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:14
sig
SchnorrSig sig
Definition: processor.cpp:498
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:96
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:259
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:717
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:704
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:250
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:841
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:690
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:233
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:764
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:877
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
N_SIGS
#define N_SIGS
Definition: tests_impl.h:760
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:221
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:677
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:114
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
CHECK
#define CHECK(cond)
Definition: util.h:53
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:174
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:176
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:173
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:197
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:256
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:235
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_schnorrsig.h
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:188
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:192
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:207
secp256k1_context_struct
Definition: secp256k1.c:69
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
size_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_test_rng
static secp256k1_rfc6979_hmac_sha256 secp256k1_test_rng
Definition: testrand_impl.h:17
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
count
static int count
Definition: tests.c:31
Generated on Wed Nov 20 2024 17:55:59 for Bitcoin ABC by doxygen 1.9.4