Bitcoin Core  24.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 /* Tests for the equality of two sha256 structs. This function only produces a
24  * correct result if an integer multiple of 64 many bytes have been written
25  * into the hash functions. */
26 void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27  /* Is buffer fully consumed? */
28  CHECK((sha1->bytes & 0x3F) == 0);
29 
30  CHECK(sha1->bytes == sha2->bytes);
31  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32 }
33 
34 void run_nonce_function_bip340_tests(void) {
35  unsigned char tag[13] = "BIP0340/nonce";
36  unsigned char aux_tag[11] = "BIP0340/aux";
37  unsigned char algo[13] = "BIP0340/nonce";
38  size_t algolen = sizeof(algo);
39  secp256k1_sha256 sha;
40  secp256k1_sha256 sha_optimized;
41  unsigned char nonce[32], nonce_z[32];
42  unsigned char msg[32];
43  size_t msglen = sizeof(msg);
44  unsigned char key[32];
45  unsigned char pk[32];
46  unsigned char aux_rand[32];
47  unsigned char *args[5];
48  int i;
49 
50  /* Check that hash initialized by
51  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52  * state. */
53  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
54  secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
55  test_sha256_eq(&sha, &sha_optimized);
56 
57  /* Check that hash initialized by
58  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59  * state. */
60  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
61  secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
62  test_sha256_eq(&sha, &sha_optimized);
63 
64  secp256k1_testrand256(msg);
65  secp256k1_testrand256(key);
66  secp256k1_testrand256(pk);
67  secp256k1_testrand256(aux_rand);
68 
69  /* Check that a bitflip in an argument results in different nonces. */
70  args[0] = msg;
71  args[1] = key;
72  args[2] = pk;
73  args[3] = algo;
74  args[4] = aux_rand;
75  for (i = 0; i < count; i++) {
76  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79  /* Flip algo special case "BIP0340/nonce" */
80  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81  /* Flip algo again */
82  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84  }
85 
86  /* NULL algo is disallowed */
87  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89  /* Other algo is fine */
90  secp256k1_testrand_bytes_test(algo, algolen);
91  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92 
93  for (i = 0; i < count; i++) {
94  unsigned char nonce2[32];
95  uint32_t offset = secp256k1_testrand_int(msglen - 1);
96  size_t msglen_tmp = (msglen + offset) % msglen;
97  size_t algolen_tmp;
98 
99  /* Different msglen gives different nonce */
100  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102 
103  /* Different algolen gives different nonce */
104  offset = secp256k1_testrand_int(algolen - 1);
105  algolen_tmp = (algolen + offset) % algolen;
106  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108  }
109 
110  /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
111  memset(aux_rand, 0, 32);
112  CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
113  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
114  CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
115 }
116 
117 void test_schnorrsig_api(void) {
118  unsigned char sk1[32];
119  unsigned char sk2[32];
120  unsigned char sk3[32];
121  unsigned char msg[32];
122  secp256k1_keypair keypairs[3];
123  secp256k1_keypair invalid_keypair = {{ 0 }};
124  secp256k1_xonly_pubkey pk[3];
125  secp256k1_xonly_pubkey zero_pk;
126  unsigned char sig[64];
127  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
128  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
129 
131  secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
132  int ecount;
133 
134  secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
135  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
136  secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
137  secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
138 
139  secp256k1_testrand256(sk1);
140  secp256k1_testrand256(sk2);
141  secp256k1_testrand256(sk3);
142  secp256k1_testrand256(msg);
143  CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
144  CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
145  CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
146  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
147  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
148  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
149  memset(&zero_pk, 0, sizeof(zero_pk));
150 
152  ecount = 0;
153  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypairs[0], NULL) == 1);
154  CHECK(ecount == 0);
155  CHECK(secp256k1_schnorrsig_sign32(ctx, NULL, msg, &keypairs[0], NULL) == 0);
156  CHECK(ecount == 1);
157  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, NULL, &keypairs[0], NULL) == 0);
158  CHECK(ecount == 2);
159  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, NULL, NULL) == 0);
160  CHECK(ecount == 3);
161  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &invalid_keypair, NULL) == 0);
162  CHECK(ecount == 4);
163  CHECK(secp256k1_schnorrsig_sign32(sttc, sig, msg, &keypairs[0], NULL) == 0);
164  CHECK(ecount == 5);
165 
166  ecount = 0;
167  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
168  CHECK(ecount == 0);
169  CHECK(secp256k1_schnorrsig_sign_custom(ctx, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
170  CHECK(ecount == 1);
171  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
172  CHECK(ecount == 2);
173  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
174  CHECK(ecount == 2);
175  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
176  CHECK(ecount == 3);
177  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
178  CHECK(ecount == 4);
179  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
180  CHECK(ecount == 4);
181  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
182  CHECK(ecount == 5);
183  CHECK(secp256k1_schnorrsig_sign_custom(sttc, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
184  CHECK(ecount == 6);
185 
186  ecount = 0;
187  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypairs[0], NULL) == 1);
188  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk[0]) == 1);
189  CHECK(ecount == 0);
190  CHECK(secp256k1_schnorrsig_verify(ctx, NULL, msg, sizeof(msg), &pk[0]) == 0);
191  CHECK(ecount == 1);
192  CHECK(secp256k1_schnorrsig_verify(ctx, sig, NULL, sizeof(msg), &pk[0]) == 0);
193  CHECK(ecount == 2);
194  CHECK(secp256k1_schnorrsig_verify(ctx, sig, NULL, 0, &pk[0]) == 0);
195  CHECK(ecount == 2);
196  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), NULL) == 0);
197  CHECK(ecount == 3);
198  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &zero_pk) == 0);
199  CHECK(ecount == 4);
200 
201  secp256k1_context_destroy(sttc);
202 }
203 
204 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
205  * expected state. */
206 void test_schnorrsig_sha256_tagged(void) {
207  unsigned char tag[17] = "BIP0340/challenge";
208  secp256k1_sha256 sha;
209  secp256k1_sha256 sha_optimized;
210 
211  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
212  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
213  test_sha256_eq(&sha, &sha_optimized);
214 }
215 
216 /* Helper function for schnorrsig_bip_vectors
217  * Signs the message and checks that it's the same as expected_sig. */
218 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
219  unsigned char sig[64];
220  secp256k1_keypair keypair;
221  secp256k1_xonly_pubkey pk, pk_expected;
222 
223  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
224  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg32, &keypair, aux_rand));
225  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
226 
227  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
228  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
229  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
230  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
231 }
232 
233 /* Helper function for schnorrsig_bip_vectors
234  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
235 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
236  secp256k1_xonly_pubkey pk;
237 
238  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
239  CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
240 }
241 
242 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
243  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
244 void test_schnorrsig_bip_vectors(void) {
245  {
246  /* Test vector 0 */
247  const unsigned char sk[32] = {
248  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
249  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
250  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
251  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
252  };
253  const unsigned char pk[32] = {
254  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
255  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
256  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
257  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
258  };
259  unsigned char aux_rand[32] = {
260  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
261  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
262  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
264  };
265  const unsigned char msg[32] = {
266  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
267  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
268  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
270  };
271  const unsigned char sig[64] = {
272  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
273  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
274  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
275  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
276  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
277  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
278  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
279  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
280  };
281  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
282  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
283  }
284  {
285  /* Test vector 1 */
286  const unsigned char sk[32] = {
287  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
288  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
289  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
290  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
291  };
292  const unsigned char pk[32] = {
293  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
294  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
295  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
296  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
297  };
298  unsigned char aux_rand[32] = {
299  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
300  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
301  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
302  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
303  };
304  const unsigned char msg[32] = {
305  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
306  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
307  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
308  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
309  };
310  const unsigned char sig[64] = {
311  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
312  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
313  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
314  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
315  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
316  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
317  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
318  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
319  };
320  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
321  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
322  }
323  {
324  /* Test vector 2 */
325  const unsigned char sk[32] = {
326  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
327  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
328  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
329  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
330  };
331  const unsigned char pk[32] = {
332  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
333  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
334  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
335  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
336  };
337  unsigned char aux_rand[32] = {
338  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
339  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
340  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
341  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
342  };
343  const unsigned char msg[32] = {
344  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
345  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
346  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
347  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
348  };
349  const unsigned char sig[64] = {
350  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
351  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
352  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
353  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
354  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
355  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
356  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
357  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
358  };
359  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
360  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
361  }
362  {
363  /* Test vector 3 */
364  const unsigned char sk[32] = {
365  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
366  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
367  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
368  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
369  };
370  const unsigned char pk[32] = {
371  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
372  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
373  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
374  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
375  };
376  unsigned char aux_rand[32] = {
377  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
378  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
379  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
380  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
381  };
382  const unsigned char msg[32] = {
383  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
384  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
385  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
386  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
387  };
388  const unsigned char sig[64] = {
389  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
390  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
391  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
392  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
393  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
394  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
395  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
396  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
397  };
398  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
399  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
400  }
401  {
402  /* Test vector 4 */
403  const unsigned char pk[32] = {
404  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
405  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
406  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
407  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
408  };
409  const unsigned char msg[32] = {
410  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
411  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
412  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
413  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
414  };
415  const unsigned char sig[64] = {
416  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
417  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
418  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
419  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
420  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
421  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
422  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
423  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
424  };
425  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
426  }
427  {
428  /* Test vector 5 */
429  const unsigned char pk[32] = {
430  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
431  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
432  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
433  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
434  };
435  secp256k1_xonly_pubkey pk_parsed;
436  /* No need to check the signature of the test vector as parsing the pubkey already fails */
437  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
438  }
439  {
440  /* Test vector 6 */
441  const unsigned char pk[32] = {
442  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
443  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
444  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
445  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
446  };
447  const unsigned char msg[32] = {
448  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
449  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
450  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
451  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
452  };
453  const unsigned char sig[64] = {
454  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
455  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
456  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
457  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
458  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
459  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
460  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
461  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
462  };
463  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
464  }
465  {
466  /* Test vector 7 */
467  const unsigned char pk[32] = {
468  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
469  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
470  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
471  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
472  };
473  const unsigned char msg[32] = {
474  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
475  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
476  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
477  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
478  };
479  const unsigned char sig[64] = {
480  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
481  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
482  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
483  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
484  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
485  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
486  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
487  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
488  };
489  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
490  }
491  {
492  /* Test vector 8 */
493  const unsigned char pk[32] = {
494  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
495  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
496  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
497  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
498  };
499  const unsigned char msg[32] = {
500  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
501  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
502  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
503  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
504  };
505  const unsigned char sig[64] = {
506  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
507  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
508  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
509  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
510  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
511  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
512  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
513  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
514  };
515  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
516  }
517  {
518  /* Test vector 9 */
519  const unsigned char pk[32] = {
520  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
521  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
522  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
523  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
524  };
525  const unsigned char msg[32] = {
526  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
527  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
528  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
529  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
530  };
531  const unsigned char sig[64] = {
532  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
533  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
534  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
535  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
536  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
537  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
538  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
539  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
540  };
541  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
542  }
543  {
544  /* Test vector 10 */
545  const unsigned char pk[32] = {
546  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
547  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
548  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
549  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
550  };
551  const unsigned char msg[32] = {
552  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
553  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
554  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
555  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
556  };
557  const unsigned char sig[64] = {
558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
562  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
563  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
564  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
565  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
566  };
567  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
568  }
569  {
570  /* Test vector 11 */
571  const unsigned char pk[32] = {
572  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
573  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
574  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
575  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
576  };
577  const unsigned char msg[32] = {
578  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
579  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
580  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
581  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
582  };
583  const unsigned char sig[64] = {
584  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
585  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
586  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
587  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
588  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
589  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
590  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
591  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
592  };
593  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
594  }
595  {
596  /* Test vector 12 */
597  const unsigned char pk[32] = {
598  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
599  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
600  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
601  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
602  };
603  const unsigned char msg[32] = {
604  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
605  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
606  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
607  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
608  };
609  const unsigned char sig[64] = {
610  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
611  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
612  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
613  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
614  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
615  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
616  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
617  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
618  };
619  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
620  }
621  {
622  /* Test vector 13 */
623  const unsigned char pk[32] = {
624  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
625  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
626  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
627  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
628  };
629  const unsigned char msg[32] = {
630  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
631  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
632  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
633  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
634  };
635  const unsigned char sig[64] = {
636  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
637  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
638  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
639  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
640  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
641  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
642  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
643  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
644  };
645  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
646  }
647  {
648  /* Test vector 14 */
649  const unsigned char pk[32] = {
650  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
651  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
652  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
653  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
654  };
655  secp256k1_xonly_pubkey pk_parsed;
656  /* No need to check the signature of the test vector as parsing the pubkey already fails */
657  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
658  }
659 }
660 
661 /* Nonce function that returns constant 0 */
662 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
663  (void) msg;
664  (void) msglen;
665  (void) key32;
666  (void) xonly_pk32;
667  (void) algo;
668  (void) algolen;
669  (void) data;
670  (void) nonce32;
671  return 0;
672 }
673 
674 /* Nonce function that sets nonce to 0 */
675 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
676  (void) msg;
677  (void) msglen;
678  (void) key32;
679  (void) xonly_pk32;
680  (void) algo;
681  (void) algolen;
682  (void) data;
683 
684  memset(nonce32, 0, 32);
685  return 1;
686 }
687 
688 /* Nonce function that sets nonce to 0xFF...0xFF */
689 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
690  (void) msg;
691  (void) msglen;
692  (void) key32;
693  (void) xonly_pk32;
694  (void) algo;
695  (void) algolen;
696  (void) data;
697 
698  memset(nonce32, 0xFF, 32);
699  return 1;
700 }
701 
702 void test_schnorrsig_sign(void) {
703  unsigned char sk[32];
704  secp256k1_xonly_pubkey pk;
705  secp256k1_keypair keypair;
706  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
707  unsigned char sig[64];
708  unsigned char sig2[64];
709  unsigned char zeros64[64] = { 0 };
710  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
711  unsigned char aux_rand[32];
712 
713  secp256k1_testrand256(sk);
714  secp256k1_testrand256(aux_rand);
715  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
716  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
717  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
718  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
719  /* Check that deprecated alias gives the same result */
720  CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL) == 1);
721  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
722 
723  /* Test different nonce functions */
724  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
725  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
726  memset(sig, 1, sizeof(sig));
727  extraparams.noncefp = nonce_function_failing;
728  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
729  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
730  memset(&sig, 1, sizeof(sig));
731  extraparams.noncefp = nonce_function_0;
732  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
733  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
734  memset(&sig, 1, sizeof(sig));
735  extraparams.noncefp = nonce_function_overflowing;
736  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
737  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
738 
739  /* When using the default nonce function, schnorrsig_sign_custom produces
740  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
741  extraparams.noncefp = NULL;
742  extraparams.ndata = aux_rand;
743  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
744  CHECK(secp256k1_schnorrsig_sign32(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
745  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
746 }
747 
748 #define N_SIGS 3
749 /* Creates N_SIGS valid signatures and verifies them with verify and
750  * verify_batch (TODO). Then flips some bits and checks that verification now
751  * fails. */
752 void test_schnorrsig_sign_verify(void) {
753  unsigned char sk[32];
754  unsigned char msg[N_SIGS][32];
755  unsigned char sig[N_SIGS][64];
756  size_t i;
757  secp256k1_keypair keypair;
758  secp256k1_xonly_pubkey pk;
759  secp256k1_scalar s;
760 
761  secp256k1_testrand256(sk);
762  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
763  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
764 
765  for (i = 0; i < N_SIGS; i++) {
766  secp256k1_testrand256(msg[i]);
767  CHECK(secp256k1_schnorrsig_sign32(ctx, sig[i], msg[i], &keypair, NULL));
768  CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
769  }
770 
771  {
772  /* Flip a few bits in the signature and in the message and check that
773  * verify and verify_batch (TODO) fail */
774  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
775  size_t byte_idx = secp256k1_testrand_bits(5);
776  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
777  sig[sig_idx][byte_idx] ^= xorbyte;
778  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
779  sig[sig_idx][byte_idx] ^= xorbyte;
780 
781  byte_idx = secp256k1_testrand_bits(5);
782  sig[sig_idx][32+byte_idx] ^= xorbyte;
783  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
784  sig[sig_idx][32+byte_idx] ^= xorbyte;
785 
786  byte_idx = secp256k1_testrand_bits(5);
787  msg[sig_idx][byte_idx] ^= xorbyte;
788  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
789  msg[sig_idx][byte_idx] ^= xorbyte;
790 
791  /* Check that above bitflips have been reversed correctly */
792  CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
793  }
794 
795  /* Test overflowing s */
796  CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
797  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
798  memset(&sig[0][32], 0xFF, 32);
799  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
800 
801  /* Test negative s */
802  CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
803  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
804  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
805  secp256k1_scalar_negate(&s, &s);
806  secp256k1_scalar_get_b32(&sig[0][32], &s);
807  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
808 
809  /* The empty message can be signed & verified */
810  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
811  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
812 
813  {
814  /* Test varying message lengths */
815  unsigned char msg_large[32 * 8];
816  uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
817  for (i = 0; i < sizeof(msg_large); i += 32) {
818  secp256k1_testrand256(&msg_large[i]);
819  }
820  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
821  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
822  /* Verification for a random wrong message length fails */
823  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
824  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
825  }
826 }
827 #undef N_SIGS
828 
829 void test_schnorrsig_taproot(void) {
830  unsigned char sk[32];
831  secp256k1_keypair keypair;
832  secp256k1_xonly_pubkey internal_pk;
833  unsigned char internal_pk_bytes[32];
834  secp256k1_xonly_pubkey output_pk;
835  unsigned char output_pk_bytes[32];
836  unsigned char tweak[32];
837  int pk_parity;
838  unsigned char msg[32];
839  unsigned char sig[64];
840 
841  /* Create output key */
842  secp256k1_testrand256(sk);
843  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
844  CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
845  /* In actual taproot the tweak would be hash of internal_pk */
846  CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
847  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
848  CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
849  CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
850 
851  /* Key spend */
852  secp256k1_testrand256(msg);
853  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
854  /* Verify key spend */
855  CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
856  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
857 
858  /* Script spend */
859  CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
860  /* Verify script spend */
861  CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
862  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
863 }
864 
865 void run_schnorrsig_tests(void) {
866  int i;
867  run_nonce_function_bip340_tests();
868 
869  test_schnorrsig_api();
870  test_schnorrsig_sha256_tagged();
871  test_schnorrsig_bip_vectors();
872  for (i = 0; i < count; i++) {
873  test_schnorrsig_sign();
874  test_schnorrsig_sign_verify();
875  }
876  test_schnorrsig_taproot();
877 }
878 
879 #endif
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
nonce
unsigned int nonce
Definition: miner_tests.cpp:69
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:16
args
ArgsManager args
Definition: notifications.cpp:36
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:244
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:702
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:689
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:218
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:235
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:829
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:675
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:752
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:865
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
N_SIGS
#define N_SIGS
Definition: tests_impl.h:748
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:206
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:662
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:117
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:201
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:166
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:182
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:173
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:148
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.c:75
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:134
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:195
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:254
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:233
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:200
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:204
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:219
secp256k1_context_struct
Definition: secp256k1.c:62
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
ctx
static secp256k1_context * ctx
Definition: tests.c:35
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:37
count
static int count
Definition: tests.c:34
Generated on Tue Jan 31 2023 02:46:12 for Bitcoin Core by doxygen 1.9.1