Bitcoin ABC 0.33.5
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "../../../include/secp256k1_schnorrsig.h"
11
12/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13 * bytes) changes the hash function
14 */
15static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16 unsigned char nonces[2][32];
17 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18 secp256k1_testrand_flip(args[n_flip], n_bytes);
19 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21}
22
23static void run_nonce_function_bip340_tests(void) {
24 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
25 unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'};
26 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
27 size_t algolen = sizeof(algo);
28 secp256k1_sha256 sha;
29 secp256k1_sha256 sha_optimized;
30 unsigned char nonce[32], nonce_z[32];
31 unsigned char msg[32];
32 size_t msglen = sizeof(msg);
33 unsigned char key[32];
34 unsigned char pk[32];
35 unsigned char aux_rand[32];
36 unsigned char *args[5];
37 int i;
38
39 /* Check that hash initialized by
40 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
41 * state. */
42 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
43 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
44 test_sha256_eq(&sha, &sha_optimized);
45
46 /* Check that hash initialized by
47 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
48 * state. */
49 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
50 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
51 test_sha256_eq(&sha, &sha_optimized);
52
53 secp256k1_testrand256(msg);
54 secp256k1_testrand256(key);
55 secp256k1_testrand256(pk);
56 secp256k1_testrand256(aux_rand);
57
58 /* Check that a bitflip in an argument results in different nonces. */
59 args[0] = msg;
60 args[1] = key;
61 args[2] = pk;
62 args[3] = algo;
63 args[4] = aux_rand;
64 for (i = 0; i < COUNT; i++) {
65 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
66 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
67 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
68 /* Flip algo special case "BIP0340/nonce" */
69 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
70 /* Flip algo again */
71 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
72 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
73 }
74
75 /* NULL algo is disallowed */
76 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
77 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
78 /* Other algo is fine */
79 secp256k1_testrand_bytes_test(algo, algolen);
80 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
81
82 for (i = 0; i < COUNT; i++) {
83 unsigned char nonce2[32];
84 uint32_t offset = secp256k1_testrand_int(msglen - 1);
85 size_t msglen_tmp = (msglen + offset) % msglen;
86 size_t algolen_tmp;
87
88 /* Different msglen gives different nonce */
89 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
90 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
91
92 /* Different algolen gives different nonce */
93 offset = secp256k1_testrand_int(algolen - 1);
94 algolen_tmp = (algolen + offset) % algolen;
95 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
96 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
97 }
98
99 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
100 memset(aux_rand, 0, 32);
101 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
102 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
103 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
104}
105
106static void test_schnorrsig_api(void) {
107 unsigned char sk1[32];
108 unsigned char sk2[32];
109 unsigned char sk3[32];
110 unsigned char msg[32];
111 secp256k1_keypair keypairs[3];
112 secp256k1_keypair invalid_keypair = {{ 0 }};
113 secp256k1_xonly_pubkey pk[3];
114 secp256k1_xonly_pubkey zero_pk;
115 unsigned char sig[64];
116 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
117 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
118
120 int ecount = 0;
121
122 secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
123 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
124 secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
125 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
126
127 secp256k1_testrand256(sk1);
128 secp256k1_testrand256(sk2);
129 secp256k1_testrand256(sk3);
130 secp256k1_testrand256(msg);
131 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
132 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
133 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
134 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
135 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
136 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
137 memset(&zero_pk, 0, sizeof(zero_pk));
138
140 ecount = 0;
141 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
142 CHECK(ecount == 0);
143 CHECK(secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL) == 0);
144 CHECK(ecount == 1);
145 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL) == 0);
146 CHECK(ecount == 2);
147 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL) == 0);
148 CHECK(ecount == 3);
149 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL) == 0);
150 CHECK(ecount == 4);
151 CHECK(secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL) == 0);
152 CHECK(ecount == 5);
153
154 ecount = 0;
155 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
156 CHECK(ecount == 0);
157 CHECK(secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
158 CHECK(ecount == 1);
159 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
160 CHECK(ecount == 2);
161 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
162 CHECK(ecount == 2);
163 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
164 CHECK(ecount == 3);
165 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
166 CHECK(ecount == 4);
167 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
168 CHECK(ecount == 4);
169 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
170 CHECK(ecount == 5);
171 CHECK(secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
172 CHECK(ecount == 6);
173
174 ecount = 0;
175 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
176 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
177 CHECK(ecount == 0);
178 CHECK(secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]) == 0);
179 CHECK(ecount == 1);
180 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]) == 0);
181 CHECK(ecount == 2);
182 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
183 CHECK(ecount == 2);
184 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL) == 0);
185 CHECK(ecount == 3);
186 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk) == 0);
187 CHECK(ecount == 4);
188
189 secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
190 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
191}
192
193/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
194 * expected state. */
195static void test_schnorrsig_sha256_tagged(void) {
196 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'};
197 secp256k1_sha256 sha;
198 secp256k1_sha256 sha_optimized;
199
200 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
201 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
202 test_sha256_eq(&sha, &sha_optimized);
203}
204
205/* Helper function for schnorrsig_bip_vectors
206 * Signs the message and checks that it's the same as expected_sig. */
207static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
208 unsigned char sig[64];
209 secp256k1_keypair keypair;
210 secp256k1_xonly_pubkey pk, pk_expected;
211
212 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
213 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg32, &keypair, aux_rand));
214 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
215
216 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
217 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
218 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
219 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk));
220}
221
222/* Helper function for schnorrsig_bip_vectors
223 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
224static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
225 secp256k1_xonly_pubkey pk;
226
227 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
228 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk));
229}
230
231/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
232 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
233static void test_schnorrsig_bip_vectors(void) {
234 {
235 /* Test vector 0 */
236 const unsigned char sk[32] = {
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
241 };
242 const unsigned char pk[32] = {
243 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
244 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
245 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
246 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
247 };
248 unsigned char aux_rand[32] = {
249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
252 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
253 };
254 const unsigned char msg[32] = {
255 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
256 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
258 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
259 };
260 const unsigned char sig[64] = {
261 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
262 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
263 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
264 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
265 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
266 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
267 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
268 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
269 };
270 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
271 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
272 }
273 {
274 /* Test vector 1 */
275 const unsigned char sk[32] = {
276 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
277 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
278 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
279 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
280 };
281 const unsigned char pk[32] = {
282 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
283 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
284 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
285 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
286 };
287 unsigned char aux_rand[32] = {
288 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
289 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
292 };
293 const unsigned char msg[32] = {
294 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
295 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
296 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
297 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
298 };
299 const unsigned char sig[64] = {
300 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
301 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
302 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
303 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
304 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
305 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
306 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
307 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
308 };
309 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
310 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
311 }
312 {
313 /* Test vector 2 */
314 const unsigned char sk[32] = {
315 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
316 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
317 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
318 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
319 };
320 const unsigned char pk[32] = {
321 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
322 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
323 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
324 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
325 };
326 unsigned char aux_rand[32] = {
327 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
328 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
329 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
330 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
331 };
332 const unsigned char msg[32] = {
333 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
334 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
335 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
336 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
337 };
338 const unsigned char sig[64] = {
339 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
340 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
341 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
342 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
343 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
344 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
345 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
346 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
347 };
348 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
349 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
350 }
351 {
352 /* Test vector 3 */
353 const unsigned char sk[32] = {
354 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
355 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
356 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
357 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
358 };
359 const unsigned char pk[32] = {
360 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
361 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
362 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
363 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
364 };
365 unsigned char aux_rand[32] = {
366 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
367 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
368 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
369 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
370 };
371 const unsigned char msg[32] = {
372 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
373 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
374 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
375 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
376 };
377 const unsigned char sig[64] = {
378 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
379 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
380 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
381 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
382 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
383 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
384 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
385 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
386 };
387 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
388 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
389 }
390 {
391 /* Test vector 4 */
392 const unsigned char pk[32] = {
393 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
394 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
395 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
396 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
397 };
398 const unsigned char msg[32] = {
399 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
400 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
401 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
402 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
403 };
404 const unsigned char sig[64] = {
405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
406 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
407 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
408 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
409 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
410 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
411 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
412 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
413 };
414 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
415 }
416 {
417 /* Test vector 5 */
418 const unsigned char pk[32] = {
419 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
420 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
421 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
422 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
423 };
424 secp256k1_xonly_pubkey pk_parsed;
425 /* No need to check the signature of the test vector as parsing the pubkey already fails */
426 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
427 }
428 {
429 /* Test vector 6 */
430 const unsigned char pk[32] = {
431 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
432 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
433 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
434 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
435 };
436 const unsigned char msg[32] = {
437 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
438 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
439 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
440 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
441 };
442 const unsigned char sig[64] = {
443 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
444 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
445 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
446 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
447 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
448 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
449 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
450 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
451 };
452 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
453 }
454 {
455 /* Test vector 7 */
456 const unsigned char pk[32] = {
457 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
458 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
459 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
460 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
461 };
462 const unsigned char msg[32] = {
463 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
464 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
465 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
466 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
467 };
468 const unsigned char sig[64] = {
469 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
470 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
471 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
472 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
473 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
474 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
475 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
476 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
477 };
478 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
479 }
480 {
481 /* Test vector 8 */
482 const unsigned char pk[32] = {
483 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
484 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
485 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
486 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
487 };
488 const unsigned char msg[32] = {
489 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
490 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
491 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
492 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
493 };
494 const unsigned char sig[64] = {
495 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
496 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
497 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
498 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
499 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
500 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
501 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
502 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
503 };
504 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
505 }
506 {
507 /* Test vector 9 */
508 const unsigned char pk[32] = {
509 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
510 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
511 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
512 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
513 };
514 const unsigned char msg[32] = {
515 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
516 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
517 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
518 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
519 };
520 const unsigned char sig[64] = {
521 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
525 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
526 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
527 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
528 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
529 };
530 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
531 }
532 {
533 /* Test vector 10 */
534 const unsigned char pk[32] = {
535 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
536 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
537 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
538 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
539 };
540 const unsigned char msg[32] = {
541 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
542 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
543 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
544 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
545 };
546 const unsigned char sig[64] = {
547 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
550 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
551 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
552 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
553 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
554 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
555 };
556 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
557 }
558 {
559 /* Test vector 11 */
560 const unsigned char pk[32] = {
561 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
562 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
563 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
564 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
565 };
566 const unsigned char msg[32] = {
567 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
568 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
569 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
570 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
571 };
572 const unsigned char sig[64] = {
573 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
574 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
575 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
576 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
577 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
578 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
579 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
580 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
581 };
582 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
583 }
584 {
585 /* Test vector 12 */
586 const unsigned char pk[32] = {
587 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
588 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
589 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
590 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
591 };
592 const unsigned char msg[32] = {
593 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
594 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
595 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
596 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
597 };
598 const unsigned char sig[64] = {
599 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
600 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
601 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
602 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
603 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
604 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
605 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
606 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
607 };
608 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
609 }
610 {
611 /* Test vector 13 */
612 const unsigned char pk[32] = {
613 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
614 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
615 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
616 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
617 };
618 const unsigned char msg[32] = {
619 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
620 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
621 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
622 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
623 };
624 const unsigned char sig[64] = {
625 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
626 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
627 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
628 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
629 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
630 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
631 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
632 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
633 };
634 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
635 }
636 {
637 /* Test vector 14 */
638 const unsigned char pk[32] = {
639 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
640 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
641 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
642 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
643 };
644 secp256k1_xonly_pubkey pk_parsed;
645 /* No need to check the signature of the test vector as parsing the pubkey already fails */
646 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
647 }
648}
649
650/* Nonce function that returns constant 0 */
651static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
652 (void) msg;
653 (void) msglen;
654 (void) key32;
655 (void) xonly_pk32;
656 (void) algo;
657 (void) algolen;
658 (void) data;
659 (void) nonce32;
660 return 0;
661}
662
663/* Nonce function that sets nonce to 0 */
664static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
665 (void) msg;
666 (void) msglen;
667 (void) key32;
668 (void) xonly_pk32;
669 (void) algo;
670 (void) algolen;
671 (void) data;
672
673 memset(nonce32, 0, 32);
674 return 1;
675}
676
677/* Nonce function that sets nonce to 0xFF...0xFF */
678static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
679 (void) msg;
680 (void) msglen;
681 (void) key32;
682 (void) xonly_pk32;
683 (void) algo;
684 (void) algolen;
685 (void) data;
686
687 memset(nonce32, 0xFF, 32);
688 return 1;
689}
690
691static void test_schnorrsig_sign(void) {
692 unsigned char sk[32];
693 secp256k1_xonly_pubkey pk;
694 secp256k1_keypair keypair;
695 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'};
696 unsigned char sig[64];
697 unsigned char sig2[64];
698 unsigned char zeros64[64] = { 0 };
699 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
700 unsigned char aux_rand[32];
701
702 secp256k1_testrand256(sk);
703 secp256k1_testrand256(aux_rand);
704 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
705 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
706 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
707 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
708 /* Check that deprecated alias gives the same result */
709 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
710 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
711
712 /* Test different nonce functions */
713 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
714 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
715 memset(sig, 1, sizeof(sig));
716 extraparams.noncefp = nonce_function_failing;
717 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
718 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
719 memset(&sig, 1, sizeof(sig));
720 extraparams.noncefp = nonce_function_0;
721 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
722 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
723 memset(&sig, 1, sizeof(sig));
724 extraparams.noncefp = nonce_function_overflowing;
725 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
726 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
727
728 /* When using the default nonce function, schnorrsig_sign_custom produces
729 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
730 extraparams.noncefp = NULL;
731 extraparams.ndata = aux_rand;
732 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
733 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
734 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
735}
736
737#define N_SIGS 3
738/* Creates N_SIGS valid signatures and verifies them with verify and
739 * verify_batch (TODO). Then flips some bits and checks that verification now
740 * fails. */
741static void test_schnorrsig_sign_verify(void) {
742 unsigned char sk[32];
743 unsigned char msg[N_SIGS][32];
744 unsigned char sig[N_SIGS][64];
745 size_t i;
746 secp256k1_keypair keypair;
747 secp256k1_xonly_pubkey pk;
748 secp256k1_scalar s;
749
750 secp256k1_testrand256(sk);
751 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
752 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
753
754 for (i = 0; i < N_SIGS; i++) {
755 secp256k1_testrand256(msg[i]);
756 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
757 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
758 }
759
760 {
761 /* Flip a few bits in the signature and in the message and check that
762 * verify and verify_batch (TODO) fail */
763 size_t sig_idx = secp256k1_testrand_int(N_SIGS);
764 size_t byte_idx = secp256k1_testrand_bits(5);
765 unsigned char xorbyte = secp256k1_testrand_int(254)+1;
766 sig[sig_idx][byte_idx] ^= xorbyte;
767 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
768 sig[sig_idx][byte_idx] ^= xorbyte;
769
770 byte_idx = secp256k1_testrand_bits(5);
771 sig[sig_idx][32+byte_idx] ^= xorbyte;
772 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
773 sig[sig_idx][32+byte_idx] ^= xorbyte;
774
775 byte_idx = secp256k1_testrand_bits(5);
776 msg[sig_idx][byte_idx] ^= xorbyte;
777 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
778 msg[sig_idx][byte_idx] ^= xorbyte;
779
780 /* Check that above bitflips have been reversed correctly */
781 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
782 }
783
784 /* Test overflowing s */
785 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
786 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
787 memset(&sig[0][32], 0xFF, 32);
788 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
789
790 /* Test negative s */
791 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
792 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
793 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
794 secp256k1_scalar_negate(&s, &s);
795 secp256k1_scalar_get_b32(&sig[0][32], &s);
796 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
797
798 /* The empty message can be signed & verified */
799 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
800 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
801
802 {
803 /* Test varying message lengths */
804 unsigned char msg_large[32 * 8];
805 uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
806 for (i = 0; i < sizeof(msg_large); i += 32) {
807 secp256k1_testrand256(&msg_large[i]);
808 }
809 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
810 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
811 /* Verification for a random wrong message length fails */
812 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
813 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
814 }
815}
816#undef N_SIGS
817
818static void test_schnorrsig_taproot(void) {
819 unsigned char sk[32];
820 secp256k1_keypair keypair;
821 secp256k1_xonly_pubkey internal_pk;
822 unsigned char internal_pk_bytes[32];
823 secp256k1_xonly_pubkey output_pk;
824 unsigned char output_pk_bytes[32];
825 unsigned char tweak[32];
826 int pk_parity;
827 unsigned char msg[32];
828 unsigned char sig[64];
829
830 /* Create output key */
831 secp256k1_testrand256(sk);
832 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
833 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
834 /* In actual taproot the tweak would be hash of internal_pk */
835 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
836 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
837 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
838 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
839
840 /* Key spend */
841 secp256k1_testrand256(msg);
842 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
843 /* Verify key spend */
844 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
845 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
846
847 /* Script spend */
848 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
849 /* Verify script spend */
850 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
851 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
852}
853
854static void run_schnorrsig_tests(void) {
855 int i;
856 run_nonce_function_bip340_tests();
857
858 test_schnorrsig_api();
859 test_schnorrsig_sha256_tagged();
860 test_schnorrsig_bip_vectors();
861 for (i = 0; i < COUNT; i++) {
862 test_schnorrsig_sign();
863 test_schnorrsig_sign_verify();
864 }
865 test_schnorrsig_taproot();
866}
867
868#endif
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
sig
SchnorrSig sig
Definition: processor.cpp:537
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
test_schnorrsig_sign_verify
static void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:741
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:23
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:678
test_schnorrsig_sign
static void test_schnorrsig_sign(void)
Definition: tests_impl.h:691
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:106
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:664
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:818
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:233
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:224
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:207
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:854
N_SIGS
#define N_SIGS
Definition: tests_impl.h:737
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:651
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:195
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:225
CHECK
#define CHECK(cond)
Definition: util.h:128
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:196
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:200
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:204
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:219
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
COUNT
static int COUNT
Definition: tests.c:39
CTX
static secp256k1_context * CTX
Definition: tests.c:40
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:74
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:733
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:41
Generated on Fri May 29 2026 21:48:36 for Bitcoin ABC by doxygen 1.9.4