Bitcoin ABC  0.26.3
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], args[1], args[2], args[3], args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], args[1], args[2], args[3], args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 /* Tests for the equality of two sha256 structs. This function only produces a
24  * correct result if an integer multiple of 64 many bytes have been written
25  * into the hash functions. */
26 void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27  /* Is buffer fully consumed? */
28  CHECK((sha1->bytes & 0x3F) == 0);
29 
30  CHECK(sha1->bytes == sha2->bytes);
31  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32 }
33 
34 void run_nonce_function_bip340_tests(void) {
35  unsigned char tag[13] = "BIP0340/nonce";
36  unsigned char aux_tag[11] = "BIP0340/aux";
37  unsigned char algo16[16] = "BIP0340/nonce\0\0\0";
38  secp256k1_sha256 sha;
39  secp256k1_sha256 sha_optimized;
40  unsigned char nonce[32];
41  unsigned char msg[32];
42  unsigned char key[32];
43  unsigned char pk[32];
44  unsigned char aux_rand[32];
45  unsigned char *args[5];
46  int i;
47 
48  /* Check that hash initialized by
49  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
50  * state. */
51  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
52  secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
53  test_sha256_eq(&sha, &sha_optimized);
54 
55  /* Check that hash initialized by
56  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
57  * state. */
58  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
59  secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
60  test_sha256_eq(&sha, &sha_optimized);
61 
62  secp256k1_testrand256(msg);
63  secp256k1_testrand256(key);
64  secp256k1_testrand256(pk);
65  secp256k1_testrand256(aux_rand);
66 
67  /* Check that a bitflip in an argument results in different nonces. */
68  args[0] = msg;
69  args[1] = key;
70  args[2] = pk;
71  args[3] = algo16;
72  args[4] = aux_rand;
73  for (i = 0; i < count; i++) {
74  nonce_function_bip340_bitflip(args, 0, 32);
75  nonce_function_bip340_bitflip(args, 1, 32);
76  nonce_function_bip340_bitflip(args, 2, 32);
77  /* Flip algo16 special case "BIP0340/nonce" */
78  nonce_function_bip340_bitflip(args, 3, 16);
79  /* Flip algo16 again */
80  nonce_function_bip340_bitflip(args, 3, 16);
81  nonce_function_bip340_bitflip(args, 4, 32);
82  }
83 
84  /* NULL algo16 is disallowed */
85  CHECK(nonce_function_bip340(nonce, msg, key, pk, NULL, NULL) == 0);
86  /* Empty algo16 is fine */
87  memset(algo16, 0x00, 16);
88  CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
89  /* algo16 with terminating null bytes is fine */
90  algo16[1] = 65;
91  CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
92  /* Other algo16 is fine */
93  memset(algo16, 0xFF, 16);
94  CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
95 
96  /* NULL aux_rand argument is allowed. */
97  CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
98 }
99 
100 void test_schnorrsig_api(void) {
101  unsigned char sk1[32];
102  unsigned char sk2[32];
103  unsigned char sk3[32];
104  unsigned char msg[32];
105  secp256k1_keypair keypairs[3];
106  secp256k1_keypair invalid_keypair = { 0 };
107  secp256k1_xonly_pubkey pk[3];
108  secp256k1_xonly_pubkey zero_pk;
109  unsigned char sig[64];
110 
112  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
113  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
114  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
115  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
116  int ecount;
117 
118  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
119  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
120  secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
121  secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
122  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
123  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
124  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
125  secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
126 
127  secp256k1_testrand256(sk1);
128  secp256k1_testrand256(sk2);
129  secp256k1_testrand256(sk3);
130  secp256k1_testrand256(msg);
131  CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
132  CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
133  CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
134  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
135  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
136  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
137  memset(&zero_pk, 0, sizeof(zero_pk));
138 
140  ecount = 0;
141  CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL, NULL) == 0);
142  CHECK(ecount == 1);
143  CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL, NULL) == 0);
144  CHECK(ecount == 2);
145  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1);
146  CHECK(ecount == 2);
147  CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL, NULL) == 0);
148  CHECK(ecount == 3);
149  CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL, NULL) == 0);
150  CHECK(ecount == 4);
151  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL, NULL) == 0);
152  CHECK(ecount == 5);
153  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL, NULL) == 0);
154  CHECK(ecount == 6);
155 
156  ecount = 0;
157  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1);
158  CHECK(secp256k1_schnorrsig_verify(none, sig, msg, &pk[0]) == 0);
159  CHECK(ecount == 1);
160  CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, &pk[0]) == 0);
161  CHECK(ecount == 2);
162  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &pk[0]) == 1);
163  CHECK(ecount == 2);
164  CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0);
165  CHECK(ecount == 3);
166  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, &pk[0]) == 0);
167  CHECK(ecount == 4);
168  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, NULL) == 0);
169  CHECK(ecount == 5);
170  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &zero_pk) == 0);
171  CHECK(ecount == 6);
172 
173  secp256k1_context_destroy(none);
174  secp256k1_context_destroy(sign);
175  secp256k1_context_destroy(vrfy);
176  secp256k1_context_destroy(both);
177 }
178 
179 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
180  * expected state. */
181 void test_schnorrsig_sha256_tagged(void) {
182  char tag[17] = "BIP0340/challenge";
183  secp256k1_sha256 sha;
184  secp256k1_sha256 sha_optimized;
185 
186  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
187  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
188  test_sha256_eq(&sha, &sha_optimized);
189 }
190 
191 /* Helper function for schnorrsig_bip_vectors
192  * Signs the message and checks that it's the same as expected_sig. */
193 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg, const unsigned char *expected_sig) {
194  unsigned char sig[64];
195  secp256k1_keypair keypair;
196  secp256k1_xonly_pubkey pk, pk_expected;
197 
198  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
199  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, aux_rand));
200  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
201 
202  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
203  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
204  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
205  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, &pk));
206 }
207 
208 /* Helper function for schnorrsig_bip_vectors
209  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
210 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
211  secp256k1_xonly_pubkey pk;
212 
213  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
214  CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, &pk));
215 }
216 
217 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
218  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
219 void test_schnorrsig_bip_vectors(void) {
220  {
221  /* Test vector 0 */
222  const unsigned char sk[32] = {
223  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
226  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
227  };
228  const unsigned char pk[32] = {
229  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
230  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
231  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
232  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
233  };
234  unsigned char aux_rand[32] = {
235  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
239  };
240  const unsigned char msg[32] = {
241  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
245  };
246  const unsigned char sig[64] = {
247  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
248  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
249  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
250  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
251  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
252  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
253  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
254  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
255  };
256  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
257  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
258  }
259  {
260  /* Test vector 1 */
261  const unsigned char sk[32] = {
262  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
263  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
264  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
265  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
266  };
267  const unsigned char pk[32] = {
268  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
269  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
270  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
271  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
272  };
273  unsigned char aux_rand[32] = {
274  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
275  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
278  };
279  const unsigned char msg[32] = {
280  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
281  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
282  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
283  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
284  };
285  const unsigned char sig[64] = {
286  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
287  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
288  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
289  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
290  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
291  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
292  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
293  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
294  };
295  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
296  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
297  }
298  {
299  /* Test vector 2 */
300  const unsigned char sk[32] = {
301  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
302  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
303  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
304  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
305  };
306  const unsigned char pk[32] = {
307  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
308  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
309  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
310  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
311  };
312  unsigned char aux_rand[32] = {
313  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
314  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
315  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
316  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
317  };
318  const unsigned char msg[32] = {
319  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
320  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
321  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
322  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
323  };
324  const unsigned char sig[64] = {
325  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
326  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
327  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
328  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
329  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
330  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
331  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
332  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
333  };
334  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
335  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
336  }
337  {
338  /* Test vector 3 */
339  const unsigned char sk[32] = {
340  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
341  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
342  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
343  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
344  };
345  const unsigned char pk[32] = {
346  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
347  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
348  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
349  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
350  };
351  unsigned char aux_rand[32] = {
352  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
353  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
354  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
355  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
356  };
357  const unsigned char msg[32] = {
358  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
359  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
360  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
361  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
362  };
363  const unsigned char sig[64] = {
364  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
365  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
366  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
367  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
368  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
369  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
370  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
371  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
372  };
373  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
374  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
375  }
376  {
377  /* Test vector 4 */
378  const unsigned char pk[32] = {
379  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
380  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
381  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
382  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
383  };
384  const unsigned char msg[32] = {
385  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
386  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
387  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
388  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
389  };
390  const unsigned char sig[64] = {
391  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
392  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
393  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
394  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
395  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
396  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
397  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
398  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
399  };
400  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
401  }
402  {
403  /* Test vector 5 */
404  const unsigned char pk[32] = {
405  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
406  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
407  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
408  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
409  };
410  secp256k1_xonly_pubkey pk_parsed;
411  /* No need to check the signature of the test vector as parsing the pubkey already fails */
412  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
413  }
414  {
415  /* Test vector 6 */
416  const unsigned char pk[32] = {
417  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
418  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
419  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
420  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
421  };
422  const unsigned char msg[32] = {
423  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
424  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
425  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
426  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
427  };
428  const unsigned char sig[64] = {
429  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
430  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
431  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
432  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
433  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
434  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
435  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
436  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
437  };
438  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
439  }
440  {
441  /* Test vector 7 */
442  const unsigned char pk[32] = {
443  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
444  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
445  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
446  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
447  };
448  const unsigned char msg[32] = {
449  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
450  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
451  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
452  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
453  };
454  const unsigned char sig[64] = {
455  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
456  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
457  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
458  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
459  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
460  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
461  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
462  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
463  };
464  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
465  }
466  {
467  /* Test vector 8 */
468  const unsigned char pk[32] = {
469  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
470  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
471  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
472  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
473  };
474  const unsigned char msg[32] = {
475  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
476  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
477  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
478  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
479  };
480  const unsigned char sig[64] = {
481  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
482  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
483  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
484  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
485  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
486  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
487  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
488  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
489  };
490  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
491  }
492  {
493  /* Test vector 9 */
494  const unsigned char pk[32] = {
495  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
496  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
497  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
498  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
499  };
500  const unsigned char msg[32] = {
501  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
502  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
503  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
504  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
505  };
506  const unsigned char sig[64] = {
507  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
508  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
509  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
510  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
511  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
512  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
513  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
514  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
515  };
516  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
517  }
518  {
519  /* Test vector 10 */
520  const unsigned char pk[32] = {
521  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
522  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
523  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
524  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
525  };
526  const unsigned char msg[32] = {
527  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
528  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
529  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
530  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
531  };
532  const unsigned char sig[64] = {
533  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
534  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
535  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
536  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
537  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
538  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
539  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
540  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
541  };
542  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
543  }
544  {
545  /* Test vector 11 */
546  const unsigned char pk[32] = {
547  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
548  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
549  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
550  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
551  };
552  const unsigned char msg[32] = {
553  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
554  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
555  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
556  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
557  };
558  const unsigned char sig[64] = {
559  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
560  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
561  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
562  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
563  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
564  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
565  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
566  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
567  };
568  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
569  }
570  {
571  /* Test vector 12 */
572  const unsigned char pk[32] = {
573  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
574  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
575  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
576  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
577  };
578  const unsigned char msg[32] = {
579  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
580  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
581  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
582  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
583  };
584  const unsigned char sig[64] = {
585  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
586  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
587  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
588  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
589  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
590  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
591  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
592  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
593  };
594  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
595  }
596  {
597  /* Test vector 13 */
598  const unsigned char pk[32] = {
599  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
600  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
601  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
602  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
603  };
604  const unsigned char msg[32] = {
605  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
606  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
607  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
608  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
609  };
610  const unsigned char sig[64] = {
611  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
612  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
613  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
614  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
615  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
616  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
617  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
618  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
619  };
620  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
621  }
622  {
623  /* Test vector 14 */
624  const unsigned char pk[32] = {
625  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
626  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
627  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
628  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
629  };
630  secp256k1_xonly_pubkey pk_parsed;
631  /* No need to check the signature of the test vector as parsing the pubkey already fails */
632  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
633  }
634 }
635 
636 /* Nonce function that returns constant 0 */
637 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
638  (void) msg32;
639  (void) key32;
640  (void) xonly_pk32;
641  (void) algo16;
642  (void) data;
643  (void) nonce32;
644  return 0;
645 }
646 
647 /* Nonce function that sets nonce to 0 */
648 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
649  (void) msg32;
650  (void) key32;
651  (void) xonly_pk32;
652  (void) algo16;
653  (void) data;
654 
655  memset(nonce32, 0, 32);
656  return 1;
657 }
658 
659 /* Nonce function that sets nonce to 0xFF...0xFF */
660 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
661  (void) msg32;
662  (void) key32;
663  (void) xonly_pk32;
664  (void) algo16;
665  (void) data;
666 
667  memset(nonce32, 0xFF, 32);
668  return 1;
669 }
670 
671 void test_schnorrsig_sign(void) {
672  unsigned char sk[32];
673  secp256k1_keypair keypair;
674  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
675  unsigned char sig[64];
676  unsigned char zeros64[64] = { 0 };
677 
678  secp256k1_testrand256(sk);
679  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
680  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1);
681 
682  /* Test different nonce functions */
683  memset(sig, 1, sizeof(sig));
684  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_failing, NULL) == 0);
685  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
686  memset(&sig, 1, sizeof(sig));
687  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_0, NULL) == 0);
688  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
689  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_overflowing, NULL) == 1);
690  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) != 0);
691 }
692 
693 #define N_SIGS 3
694 /* Creates N_SIGS valid signatures and verifies them with verify and
695  * verify_batch (TODO). Then flips some bits and checks that verification now
696  * fails. */
697 void test_schnorrsig_sign_verify(void) {
698  unsigned char sk[32];
699  unsigned char msg[N_SIGS][32];
700  unsigned char sig[N_SIGS][64];
701  size_t i;
702  secp256k1_keypair keypair;
703  secp256k1_xonly_pubkey pk;
704  secp256k1_scalar s;
705 
706  secp256k1_testrand256(sk);
707  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
708  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
709 
710  for (i = 0; i < N_SIGS; i++) {
711  secp256k1_testrand256(msg[i]);
712  CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL, NULL));
713  CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], &pk));
714  }
715 
716  {
717  /* Flip a few bits in the signature and in the message and check that
718  * verify and verify_batch (TODO) fail */
719  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
720  size_t byte_idx = secp256k1_testrand_int(32);
721  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
722  sig[sig_idx][byte_idx] ^= xorbyte;
723  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
724  sig[sig_idx][byte_idx] ^= xorbyte;
725 
726  byte_idx = secp256k1_testrand_int(32);
727  sig[sig_idx][32+byte_idx] ^= xorbyte;
728  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
729  sig[sig_idx][32+byte_idx] ^= xorbyte;
730 
731  byte_idx = secp256k1_testrand_int(32);
732  msg[sig_idx][byte_idx] ^= xorbyte;
733  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
734  msg[sig_idx][byte_idx] ^= xorbyte;
735 
736  /* Check that above bitflips have been reversed correctly */
737  CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
738  }
739 
740  /* Test overflowing s */
741  CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL));
742  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
743  memset(&sig[0][32], 0xFF, 32);
744  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
745 
746  /* Test negative s */
747  CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL));
748  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
749  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
750  secp256k1_scalar_negate(&s, &s);
751  secp256k1_scalar_get_b32(&sig[0][32], &s);
752  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
753 }
754 #undef N_SIGS
755 
756 void test_schnorrsig_taproot(void) {
757  unsigned char sk[32];
758  secp256k1_keypair keypair;
759  secp256k1_xonly_pubkey internal_pk;
760  unsigned char internal_pk_bytes[32];
761  secp256k1_xonly_pubkey output_pk;
762  unsigned char output_pk_bytes[32];
763  unsigned char tweak[32];
764  int pk_parity;
765  unsigned char msg[32];
766  unsigned char sig[64];
767 
768  /* Create output key */
769  secp256k1_testrand256(sk);
770  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
771  CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
772  /* In actual taproot the tweak would be hash of internal_pk */
773  CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
774  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
775  CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
776  CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
777 
778  /* Key spend */
779  secp256k1_testrand256(msg);
780  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1);
781  /* Verify key spend */
782  CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
783  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, &output_pk) == 1);
784 
785  /* Script spend */
786  CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
787  /* Verify script spend */
788  CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
789  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
790 }
791 
792 void run_schnorrsig_tests(void) {
793  int i;
794  run_nonce_function_bip340_tests();
795 
796  test_schnorrsig_api();
797  test_schnorrsig_sha256_tagged();
798  test_schnorrsig_bip_vectors();
799  for (i = 0; i < count; i++) {
800  test_schnorrsig_sign();
801  test_schnorrsig_sign_verify();
802  }
803  test_schnorrsig_taproot();
804 }
805 
806 #endif
ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:14
sig
SchnorrSig sig
Definition: processor.cpp:491
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:98
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data)
Definition: main_impl.h:50
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:219
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:671
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data)
Definition: tests_impl.h:648
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:210
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:756
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data)
Definition: tests_impl.h:660
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data)
Definition: tests_impl.h:637
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg, const unsigned char *expected_sig)
Definition: tests_impl.h:193
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:697
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:792
N_SIGS
#define N_SIGS
Definition: tests_impl.h:693
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:181
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes)
Definition: tests_impl.h:15
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:100
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
CHECK
#define CHECK(cond)
Definition: util.h:53
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:171
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:173
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:170
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:109
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:171
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:230
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:209
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_schnorrsig.h
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:127
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify a Schnorr signature.
Definition: main_impl.h:190
secp256k1_context_struct
Definition: secp256k1.c:69
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
size_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
count
static int count
Definition: tests.c:31
Generated on Thu Apr 25 2024 02:36:35 for Bitcoin ABC by doxygen 1.9.1