Bitcoin Core  26.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 static void run_nonce_function_bip340_tests(void) {
24  unsigned char tag[13] = "BIP0340/nonce";
25  unsigned char aux_tag[11] = "BIP0340/aux";
26  unsigned char algo[13] = "BIP0340/nonce";
27  size_t algolen = sizeof(algo);
28  secp256k1_sha256 sha;
29  secp256k1_sha256 sha_optimized;
30  unsigned char nonce[32], nonce_z[32];
31  unsigned char msg[32];
32  size_t msglen = sizeof(msg);
33  unsigned char key[32];
34  unsigned char pk[32];
35  unsigned char aux_rand[32];
36  unsigned char *args[5];
37  int i;
38 
39  /* Check that hash initialized by
40  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
41  * state. */
42  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
43  secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
44  test_sha256_eq(&sha, &sha_optimized);
45 
46  /* Check that hash initialized by
47  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
48  * state. */
49  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
50  secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
51  test_sha256_eq(&sha, &sha_optimized);
52 
53  secp256k1_testrand256(msg);
54  secp256k1_testrand256(key);
55  secp256k1_testrand256(pk);
56  secp256k1_testrand256(aux_rand);
57 
58  /* Check that a bitflip in an argument results in different nonces. */
59  args[0] = msg;
60  args[1] = key;
61  args[2] = pk;
62  args[3] = algo;
63  args[4] = aux_rand;
64  for (i = 0; i < COUNT; i++) {
65  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
66  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
67  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
68  /* Flip algo special case "BIP0340/nonce" */
69  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
70  /* Flip algo again */
71  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
72  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
73  }
74 
75  /* NULL algo is disallowed */
76  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
77  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
78  /* Other algo is fine */
79  secp256k1_testrand_bytes_test(algo, algolen);
80  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
81 
82  for (i = 0; i < COUNT; i++) {
83  unsigned char nonce2[32];
84  uint32_t offset = secp256k1_testrand_int(msglen - 1);
85  size_t msglen_tmp = (msglen + offset) % msglen;
86  size_t algolen_tmp;
87 
88  /* Different msglen gives different nonce */
89  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
90  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
91 
92  /* Different algolen gives different nonce */
93  offset = secp256k1_testrand_int(algolen - 1);
94  algolen_tmp = (algolen + offset) % algolen;
95  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
96  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
97  }
98 
99  /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
100  memset(aux_rand, 0, 32);
101  CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
102  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
103  CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
104 }
105 
106 static void test_schnorrsig_api(void) {
107  unsigned char sk1[32];
108  unsigned char sk2[32];
109  unsigned char sk3[32];
110  unsigned char msg[32];
111  secp256k1_keypair keypairs[3];
112  secp256k1_keypair invalid_keypair = {{ 0 }};
113  secp256k1_xonly_pubkey pk[3];
114  secp256k1_xonly_pubkey zero_pk;
115  unsigned char sig[64];
116  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
117  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
118 
120  int ecount = 0;
121 
122  secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
123  secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
124  secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
125  secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
126 
127  secp256k1_testrand256(sk1);
128  secp256k1_testrand256(sk2);
129  secp256k1_testrand256(sk3);
130  secp256k1_testrand256(msg);
131  CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
132  CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
133  CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
134  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
135  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
136  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
137  memset(&zero_pk, 0, sizeof(zero_pk));
138 
140  ecount = 0;
141  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
142  CHECK(ecount == 0);
143  CHECK(secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL) == 0);
144  CHECK(ecount == 1);
145  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL) == 0);
146  CHECK(ecount == 2);
147  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL) == 0);
148  CHECK(ecount == 3);
149  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL) == 0);
150  CHECK(ecount == 4);
151  CHECK(secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL) == 0);
152  CHECK(ecount == 5);
153 
154  ecount = 0;
155  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
156  CHECK(ecount == 0);
157  CHECK(secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
158  CHECK(ecount == 1);
159  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
160  CHECK(ecount == 2);
161  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
162  CHECK(ecount == 2);
163  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
164  CHECK(ecount == 3);
165  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
166  CHECK(ecount == 4);
167  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
168  CHECK(ecount == 4);
169  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
170  CHECK(ecount == 5);
171  CHECK(secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
172  CHECK(ecount == 6);
173 
174  ecount = 0;
175  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
176  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
177  CHECK(ecount == 0);
178  CHECK(secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]) == 0);
179  CHECK(ecount == 1);
180  CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]) == 0);
181  CHECK(ecount == 2);
182  CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
183  CHECK(ecount == 2);
184  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL) == 0);
185  CHECK(ecount == 3);
186  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk) == 0);
187  CHECK(ecount == 4);
188 
189  secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
190  secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
191 }
192 
193 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
194  * expected state. */
195 static void test_schnorrsig_sha256_tagged(void) {
196  unsigned char tag[17] = "BIP0340/challenge";
197  secp256k1_sha256 sha;
198  secp256k1_sha256 sha_optimized;
199 
200  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
201  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
202  test_sha256_eq(&sha, &sha_optimized);
203 }
204 
205 /* Helper function for schnorrsig_bip_vectors
206  * Signs the message and checks that it's the same as expected_sig. */
207 static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) {
208  unsigned char sig[64];
209  secp256k1_keypair keypair;
210  secp256k1_xonly_pubkey pk, pk_expected;
211 
212  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
213  extraparams.ndata = (unsigned char*)aux_rand;
214 
215  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
216  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams));
217  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
218  if (msglen == 32) {
219  memset(sig, 0, 64);
220  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand));
221  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
222  }
223 
224  CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
225  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
226  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
227  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
228 }
229 
230 /* Helper function for schnorrsig_bip_vectors
231  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
232 static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) {
233  secp256k1_xonly_pubkey pk;
234 
235  CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
236  CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
237 }
238 
239 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
240  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
241 static void test_schnorrsig_bip_vectors(void) {
242  {
243  /* Test vector 0 */
244  const unsigned char sk[32] = {
245  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
246  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
247  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
248  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
249  };
250  const unsigned char pk[32] = {
251  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
252  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
253  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
254  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
255  };
256  const unsigned char aux_rand[32] = {
257  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
258  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
259  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
260  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
261  };
262  const unsigned char msg[32] = {
263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
267  };
268  const unsigned char sig[64] = {
269  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
270  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
271  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
272  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
273  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
274  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
275  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
276  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
277  };
278  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
279  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
280  }
281  {
282  /* Test vector 1 */
283  const unsigned char sk[32] = {
284  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
285  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
286  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
287  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
288  };
289  const unsigned char pk[32] = {
290  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
291  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
292  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
293  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
294  };
295  const unsigned char aux_rand[32] = {
296  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
297  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
298  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
299  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
300  };
301  const unsigned char msg[32] = {
302  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
303  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
304  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
305  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
306  };
307  const unsigned char sig[64] = {
308  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
309  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
310  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
311  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
312  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
313  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
314  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
315  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
316  };
317  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
318  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
319  }
320  {
321  /* Test vector 2 */
322  const unsigned char sk[32] = {
323  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
324  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
325  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
326  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
327  };
328  const unsigned char pk[32] = {
329  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
330  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
331  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
332  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
333  };
334  const unsigned char aux_rand[32] = {
335  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
336  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
337  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
338  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
339  };
340  const unsigned char msg[32] = {
341  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
342  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
343  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
344  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
345  };
346  const unsigned char sig[64] = {
347  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
348  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
349  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
350  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
351  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
352  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
353  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
354  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
355  };
356  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
357  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
358  }
359  {
360  /* Test vector 3 */
361  const unsigned char sk[32] = {
362  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
363  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
364  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
365  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
366  };
367  const unsigned char pk[32] = {
368  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
369  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
370  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
371  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
372  };
373  const unsigned char aux_rand[32] = {
374  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
375  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
376  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
377  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
378  };
379  const unsigned char msg[32] = {
380  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
381  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
382  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
383  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
384  };
385  const unsigned char sig[64] = {
386  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
387  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
388  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
389  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
390  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
391  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
392  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
393  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
394  };
395  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
396  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
397  }
398  {
399  /* Test vector 4 */
400  const unsigned char pk[32] = {
401  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
402  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
403  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
404  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
405  };
406  const unsigned char msg[32] = {
407  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
408  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
409  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
410  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
411  };
412  const unsigned char sig[64] = {
413  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
414  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
415  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
416  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
417  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
418  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
419  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
420  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
421  };
422  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
423  }
424  {
425  /* Test vector 5 */
426  const unsigned char pk[32] = {
427  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
428  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
429  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
430  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
431  };
432  secp256k1_xonly_pubkey pk_parsed;
433  /* No need to check the signature of the test vector as parsing the pubkey already fails */
434  CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
435  }
436  {
437  /* Test vector 6 */
438  const unsigned char pk[32] = {
439  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
440  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
441  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
442  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
443  };
444  const unsigned char msg[32] = {
445  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
446  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
447  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
448  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
449  };
450  const unsigned char sig[64] = {
451  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
452  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
453  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
454  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
455  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
456  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
457  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
458  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
459  };
460  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
461  }
462  {
463  /* Test vector 7 */
464  const unsigned char pk[32] = {
465  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
466  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
467  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
468  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
469  };
470  const unsigned char msg[32] = {
471  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
472  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
473  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
474  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
475  };
476  const unsigned char sig[64] = {
477  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
478  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
479  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
480  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
481  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
482  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
483  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
484  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
485  };
486  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
487  }
488  {
489  /* Test vector 8 */
490  const unsigned char pk[32] = {
491  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
492  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
493  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
494  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
495  };
496  const unsigned char msg[32] = {
497  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
498  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
499  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
500  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
501  };
502  const unsigned char sig[64] = {
503  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
504  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
505  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
506  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
507  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
508  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
509  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
510  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
511  };
512  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
513  }
514  {
515  /* Test vector 9 */
516  const unsigned char pk[32] = {
517  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
518  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
519  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
520  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
521  };
522  const unsigned char msg[32] = {
523  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
524  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
525  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
526  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
527  };
528  const unsigned char sig[64] = {
529  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
530  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
531  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
532  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
533  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
534  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
535  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
536  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
537  };
538  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
539  }
540  {
541  /* Test vector 10 */
542  const unsigned char pk[32] = {
543  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
544  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
545  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
546  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
547  };
548  const unsigned char msg[32] = {
549  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
550  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
551  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
552  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
553  };
554  const unsigned char sig[64] = {
555  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
556  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
557  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
559  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
560  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
561  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
562  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
563  };
564  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
565  }
566  {
567  /* Test vector 11 */
568  const unsigned char pk[32] = {
569  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
570  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
571  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
572  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
573  };
574  const unsigned char msg[32] = {
575  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
576  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
577  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
578  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
579  };
580  const unsigned char sig[64] = {
581  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
582  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
583  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
584  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
585  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
586  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
587  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
588  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
589  };
590  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
591  }
592  {
593  /* Test vector 12 */
594  const unsigned char pk[32] = {
595  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
596  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
597  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
598  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
599  };
600  const unsigned char msg[32] = {
601  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
602  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
603  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
604  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
605  };
606  const unsigned char sig[64] = {
607  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
608  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
609  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
610  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
611  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
612  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
613  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
614  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
615  };
616  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
617  }
618  {
619  /* Test vector 13 */
620  const unsigned char pk[32] = {
621  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
622  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
623  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
624  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
625  };
626  const unsigned char msg[32] = {
627  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
628  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
629  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
630  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
631  };
632  const unsigned char sig[64] = {
633  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
634  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
635  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
636  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
637  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
638  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
639  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
640  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
641  };
642  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
643  }
644  {
645  /* Test vector 14 */
646  const unsigned char pk[32] = {
647  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
648  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
649  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
650  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
651  };
652  secp256k1_xonly_pubkey pk_parsed;
653  /* No need to check the signature of the test vector as parsing the pubkey already fails */
654  CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
655  }
656  {
657  /* Test vector 15 */
658  const unsigned char sk[32] = {
659  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
660  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
661  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
662  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
663  };
664  const unsigned char pk[32] = {
665  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
666  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
667  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
668  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
669  };
670  const unsigned char aux_rand[32] = {
671  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
672  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
673  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
674  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
675  };
676  /* const unsigned char msg[0] = {}; */
677  const unsigned char sig[64] = {
678  0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB,
679  0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18,
680  0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC,
681  0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF,
682  0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62,
683  0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64,
684  0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27,
685  0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63,
686  };
687  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig);
688  test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1);
689  }
690  {
691  /* Test vector 16 */
692  const unsigned char sk[32] = {
693  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
694  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
695  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
696  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
697  };
698  const unsigned char pk[32] = {
699  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
700  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
701  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
702  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
703  };
704  const unsigned char aux_rand[32] = {
705  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709  };
710  const unsigned char msg[] = { 0x11 };
711  const unsigned char sig[64] = {
712  0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24,
713  0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A,
714  0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35,
715  0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03,
716  0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD,
717  0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96,
718  0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33,
719  0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF,
720  };
721  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
722  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
723  }
724  {
725  /* Test vector 17 */
726  const unsigned char sk[32] = {
727  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
728  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
729  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
730  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
731  };
732  const unsigned char pk[32] = {
733  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
734  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
735  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
736  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
737  };
738  const unsigned char aux_rand[32] = {
739  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
740  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
741  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
742  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
743  };
744  const unsigned char msg[] = {
745  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
746  0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
747  0x11,
748  };
749  const unsigned char sig[64] = {
750  0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B,
751  0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B,
752  0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52,
753  0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70,
754  0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8,
755  0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC,
756  0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51,
757  0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5,
758  };
759  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
760  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
761  }
762  {
763  /* Test vector 18 */
764  const unsigned char sk[32] = {
765  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
766  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
767  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
768  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
769  };
770  const unsigned char pk[32] = {
771  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
772  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
773  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
774  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
775  };
776  const unsigned char aux_rand[32] = {
777  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
778  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
779  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
780  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
781  };
782  const unsigned char sig[64] = {
783  0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34,
784  0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63,
785  0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F,
786  0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8,
787  0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7,
788  0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23,
789  0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0,
790  0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67,
791  };
792  unsigned char msg[100];
793  memset(msg, 0x99, sizeof(msg));
794  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
795  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
796  }
797 }
798 
799 /* Nonce function that returns constant 0 */
800 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
801  (void) msg;
802  (void) msglen;
803  (void) key32;
804  (void) xonly_pk32;
805  (void) algo;
806  (void) algolen;
807  (void) data;
808  (void) nonce32;
809  return 0;
810 }
811 
812 /* Nonce function that sets nonce to 0 */
813 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
814  (void) msg;
815  (void) msglen;
816  (void) key32;
817  (void) xonly_pk32;
818  (void) algo;
819  (void) algolen;
820  (void) data;
821 
822  memset(nonce32, 0, 32);
823  return 1;
824 }
825 
826 /* Nonce function that sets nonce to 0xFF...0xFF */
827 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
828  (void) msg;
829  (void) msglen;
830  (void) key32;
831  (void) xonly_pk32;
832  (void) algo;
833  (void) algolen;
834  (void) data;
835 
836  memset(nonce32, 0xFF, 32);
837  return 1;
838 }
839 
840 static void test_schnorrsig_sign(void) {
841  unsigned char sk[32];
842  secp256k1_xonly_pubkey pk;
843  secp256k1_keypair keypair;
844  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
845  unsigned char sig[64];
846  unsigned char sig2[64];
847  unsigned char zeros64[64] = { 0 };
848  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
849  unsigned char aux_rand[32];
850 
851  secp256k1_testrand256(sk);
852  secp256k1_testrand256(aux_rand);
853  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
854  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
855  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
856  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
857  /* Check that deprecated alias gives the same result */
858  CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
859  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
860 
861  /* Test different nonce functions */
862  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
863  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
864  memset(sig, 1, sizeof(sig));
865  extraparams.noncefp = nonce_function_failing;
866  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
867  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
868  memset(&sig, 1, sizeof(sig));
869  extraparams.noncefp = nonce_function_0;
870  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
871  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
872  memset(&sig, 1, sizeof(sig));
873  extraparams.noncefp = nonce_function_overflowing;
874  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
875  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
876 
877  /* When using the default nonce function, schnorrsig_sign_custom produces
878  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
879  extraparams.noncefp = NULL;
880  extraparams.ndata = aux_rand;
881  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
882  CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
883  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
884 }
885 
886 #define N_SIGS 3
887 /* Creates N_SIGS valid signatures and verifies them with verify and
888  * verify_batch (TODO). Then flips some bits and checks that verification now
889  * fails. */
890 static void test_schnorrsig_sign_verify(void) {
891  unsigned char sk[32];
892  unsigned char msg[N_SIGS][32];
893  unsigned char sig[N_SIGS][64];
894  size_t i;
895  secp256k1_keypair keypair;
896  secp256k1_xonly_pubkey pk;
897  secp256k1_scalar s;
898 
899  secp256k1_testrand256(sk);
900  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
901  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
902 
903  for (i = 0; i < N_SIGS; i++) {
904  secp256k1_testrand256(msg[i]);
905  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
906  CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
907  }
908 
909  {
910  /* Flip a few bits in the signature and in the message and check that
911  * verify and verify_batch (TODO) fail */
912  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
913  size_t byte_idx = secp256k1_testrand_bits(5);
914  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
915  sig[sig_idx][byte_idx] ^= xorbyte;
916  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
917  sig[sig_idx][byte_idx] ^= xorbyte;
918 
919  byte_idx = secp256k1_testrand_bits(5);
920  sig[sig_idx][32+byte_idx] ^= xorbyte;
921  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
922  sig[sig_idx][32+byte_idx] ^= xorbyte;
923 
924  byte_idx = secp256k1_testrand_bits(5);
925  msg[sig_idx][byte_idx] ^= xorbyte;
926  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
927  msg[sig_idx][byte_idx] ^= xorbyte;
928 
929  /* Check that above bitflips have been reversed correctly */
930  CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
931  }
932 
933  /* Test overflowing s */
934  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
935  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
936  memset(&sig[0][32], 0xFF, 32);
937  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
938 
939  /* Test negative s */
940  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
941  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
942  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
943  secp256k1_scalar_negate(&s, &s);
944  secp256k1_scalar_get_b32(&sig[0][32], &s);
945  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
946 
947  /* The empty message can be signed & verified */
948  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
949  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
950 
951  {
952  /* Test varying message lengths */
953  unsigned char msg_large[32 * 8];
954  uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
955  for (i = 0; i < sizeof(msg_large); i += 32) {
956  secp256k1_testrand256(&msg_large[i]);
957  }
958  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
959  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
960  /* Verification for a random wrong message length fails */
961  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
962  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
963  }
964 }
965 #undef N_SIGS
966 
967 static void test_schnorrsig_taproot(void) {
968  unsigned char sk[32];
969  secp256k1_keypair keypair;
970  secp256k1_xonly_pubkey internal_pk;
971  unsigned char internal_pk_bytes[32];
972  secp256k1_xonly_pubkey output_pk;
973  unsigned char output_pk_bytes[32];
974  unsigned char tweak[32];
975  int pk_parity;
976  unsigned char msg[32];
977  unsigned char sig[64];
978 
979  /* Create output key */
980  secp256k1_testrand256(sk);
981  CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
982  CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
983  /* In actual taproot the tweak would be hash of internal_pk */
984  CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
985  CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
986  CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
987  CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
988 
989  /* Key spend */
990  secp256k1_testrand256(msg);
991  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
992  /* Verify key spend */
993  CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
994  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
995 
996  /* Script spend */
997  CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
998  /* Verify script spend */
999  CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
1000  CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
1001 }
1002 
1003 static void run_schnorrsig_tests(void) {
1004  int i;
1005  run_nonce_function_bip340_tests();
1006 
1007  test_schnorrsig_api();
1008  test_schnorrsig_sha256_tagged();
1009  test_schnorrsig_bip_vectors();
1010  for (i = 0; i < COUNT; i++) {
1011  test_schnorrsig_sign();
1012  test_schnorrsig_sign_verify();
1013  }
1014  test_schnorrsig_taproot();
1015 }
1016 
1017 #endif
args
ArgsManager & args
Definition: bitcoind.cpp:269
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
nonce
unsigned int nonce
Definition: miner_tests.cpp:72
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
test_schnorrsig_sign_verify
static void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:890
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:23
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:827
test_schnorrsig_sign
static void test_schnorrsig_sign(void)
Definition: tests_impl.h:840
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig)
Definition: tests_impl.h:207
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected)
Definition: tests_impl.h:232
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:106
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:813
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:967
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:241
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:1003
N_SIGS
#define N_SIGS
Definition: tests_impl.h:886
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:800
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:195
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:217
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:196
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:200
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:204
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:219
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
COUNT
static int COUNT
Definition: tests.c:39
CTX
static secp256k1_context * CTX
Definition: tests.c:40
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:74
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:757
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:41
Generated on Mon Dec 11 2023 02:43:20 for Bitcoin Core by doxygen 1.9.1