Bitcoin Core  27.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 static void run_nonce_function_bip340_tests(void) {
24  unsigned char tag[13] = "BIP0340/nonce";
25  unsigned char aux_tag[11] = "BIP0340/aux";
26  unsigned char algo[13] = "BIP0340/nonce";
27  size_t algolen = sizeof(algo);
28  secp256k1_sha256 sha;
29  secp256k1_sha256 sha_optimized;
30  unsigned char nonce[32], nonce_z[32];
31  unsigned char msg[32];
32  size_t msglen = sizeof(msg);
33  unsigned char key[32];
34  unsigned char pk[32];
35  unsigned char aux_rand[32];
36  unsigned char *args[5];
37  int i;
38 
39  /* Check that hash initialized by
40  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
41  * state. */
42  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
43  secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
44  test_sha256_eq(&sha, &sha_optimized);
45 
46  /* Check that hash initialized by
47  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
48  * state. */
49  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
50  secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
51  test_sha256_eq(&sha, &sha_optimized);
52 
53  secp256k1_testrand256(msg);
54  secp256k1_testrand256(key);
55  secp256k1_testrand256(pk);
56  secp256k1_testrand256(aux_rand);
57 
58  /* Check that a bitflip in an argument results in different nonces. */
59  args[0] = msg;
60  args[1] = key;
61  args[2] = pk;
62  args[3] = algo;
63  args[4] = aux_rand;
64  for (i = 0; i < COUNT; i++) {
65  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
66  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
67  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
68  /* Flip algo special case "BIP0340/nonce" */
69  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
70  /* Flip algo again */
71  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
72  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
73  }
74 
75  /* NULL algo is disallowed */
76  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
77  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
78  /* Other algo is fine */
79  secp256k1_testrand_bytes_test(algo, algolen);
80  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
81 
82  for (i = 0; i < COUNT; i++) {
83  unsigned char nonce2[32];
84  uint32_t offset = secp256k1_testrand_int(msglen - 1);
85  size_t msglen_tmp = (msglen + offset) % msglen;
86  size_t algolen_tmp;
87 
88  /* Different msglen gives different nonce */
89  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
90  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
91 
92  /* Different algolen gives different nonce */
93  offset = secp256k1_testrand_int(algolen - 1);
94  algolen_tmp = (algolen + offset) % algolen;
95  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
96  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
97  }
98 
99  /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
100  memset(aux_rand, 0, 32);
101  CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
102  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
103  CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
104 }
105 
106 static void test_schnorrsig_api(void) {
107  unsigned char sk1[32];
108  unsigned char sk2[32];
109  unsigned char sk3[32];
110  unsigned char msg[32];
111  secp256k1_keypair keypairs[3];
112  secp256k1_keypair invalid_keypair = {{ 0 }};
113  secp256k1_xonly_pubkey pk[3];
114  secp256k1_xonly_pubkey zero_pk;
115  unsigned char sig[64];
116  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
117  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
118 
119  secp256k1_testrand256(sk1);
120  secp256k1_testrand256(sk2);
121  secp256k1_testrand256(sk3);
122  secp256k1_testrand256(msg);
123  CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
124  CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
125  CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
126  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
127  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
128  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
129  memset(&zero_pk, 0, sizeof(zero_pk));
130 
132  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
133  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL));
134  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL));
135  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL));
136  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL));
137  CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL));
138 
139  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
140  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams));
141  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams));
142  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
143  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams));
144  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams));
145  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
146  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams));
147  CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams));
148 
149  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
150  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
151  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]));
152  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]));
153  CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
154  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL));
155  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk));
156 }
157 
158 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
159  * expected state. */
160 static void test_schnorrsig_sha256_tagged(void) {
161  unsigned char tag[17] = "BIP0340/challenge";
162  secp256k1_sha256 sha;
163  secp256k1_sha256 sha_optimized;
164 
165  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
166  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
167  test_sha256_eq(&sha, &sha_optimized);
168 }
169 
170 /* Helper function for schnorrsig_bip_vectors
171  * Signs the message and checks that it's the same as expected_sig. */
172 static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) {
173  unsigned char sig[64];
174  secp256k1_keypair keypair;
175  secp256k1_xonly_pubkey pk, pk_expected;
176 
177  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
178  extraparams.ndata = (unsigned char*)aux_rand;
179 
180  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
181  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams));
182  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
183  if (msglen == 32) {
184  memset(sig, 0, 64);
185  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand));
186  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
187  }
188 
189  CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
190  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
191  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
192  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
193 }
194 
195 /* Helper function for schnorrsig_bip_vectors
196  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
197 static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) {
198  secp256k1_xonly_pubkey pk;
199 
200  CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
201  CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
202 }
203 
204 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
205  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
206 static void test_schnorrsig_bip_vectors(void) {
207  {
208  /* Test vector 0 */
209  const unsigned char sk[32] = {
210  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
213  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
214  };
215  const unsigned char pk[32] = {
216  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
217  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
218  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
219  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
220  };
221  const unsigned char aux_rand[32] = {
222  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
223  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
226  };
227  const unsigned char msg[32] = {
228  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
229  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
231  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
232  };
233  const unsigned char sig[64] = {
234  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
235  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
236  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
237  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
238  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
239  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
240  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
241  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
242  };
243  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
244  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
245  }
246  {
247  /* Test vector 1 */
248  const unsigned char sk[32] = {
249  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
250  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
251  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
252  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
253  };
254  const unsigned char pk[32] = {
255  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
256  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
257  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
258  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
259  };
260  const unsigned char aux_rand[32] = {
261  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
262  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
265  };
266  const unsigned char msg[32] = {
267  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
268  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
269  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
270  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
271  };
272  const unsigned char sig[64] = {
273  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
274  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
275  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
276  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
277  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
278  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
279  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
280  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
281  };
282  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
283  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
284  }
285  {
286  /* Test vector 2 */
287  const unsigned char sk[32] = {
288  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
289  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
290  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
291  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
292  };
293  const unsigned char pk[32] = {
294  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
295  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
296  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
297  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
298  };
299  const unsigned char aux_rand[32] = {
300  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
301  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
302  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
303  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
304  };
305  const unsigned char msg[32] = {
306  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
307  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
308  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
309  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
310  };
311  const unsigned char sig[64] = {
312  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
313  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
314  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
315  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
316  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
317  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
318  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
319  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
320  };
321  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
322  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
323  }
324  {
325  /* Test vector 3 */
326  const unsigned char sk[32] = {
327  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
328  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
329  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
330  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
331  };
332  const unsigned char pk[32] = {
333  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
334  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
335  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
336  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
337  };
338  const unsigned char aux_rand[32] = {
339  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
340  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
341  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
342  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
343  };
344  const unsigned char msg[32] = {
345  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
346  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
347  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
348  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
349  };
350  const unsigned char sig[64] = {
351  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
352  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
353  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
354  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
355  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
356  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
357  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
358  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
359  };
360  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
361  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
362  }
363  {
364  /* Test vector 4 */
365  const unsigned char pk[32] = {
366  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
367  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
368  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
369  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
370  };
371  const unsigned char msg[32] = {
372  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
373  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
374  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
375  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
376  };
377  const unsigned char sig[64] = {
378  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
379  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
380  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
381  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
382  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
383  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
384  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
385  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
386  };
387  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
388  }
389  {
390  /* Test vector 5 */
391  const unsigned char pk[32] = {
392  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
393  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
394  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
395  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
396  };
397  secp256k1_xonly_pubkey pk_parsed;
398  /* No need to check the signature of the test vector as parsing the pubkey already fails */
399  CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
400  }
401  {
402  /* Test vector 6 */
403  const unsigned char pk[32] = {
404  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
405  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
406  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
407  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
408  };
409  const unsigned char msg[32] = {
410  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
411  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
412  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
413  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
414  };
415  const unsigned char sig[64] = {
416  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
417  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
418  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
419  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
420  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
421  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
422  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
423  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
424  };
425  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
426  }
427  {
428  /* Test vector 7 */
429  const unsigned char pk[32] = {
430  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
431  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
432  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
433  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
434  };
435  const unsigned char msg[32] = {
436  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
437  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
438  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
439  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
440  };
441  const unsigned char sig[64] = {
442  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
443  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
444  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
445  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
446  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
447  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
448  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
449  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
450  };
451  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
452  }
453  {
454  /* Test vector 8 */
455  const unsigned char pk[32] = {
456  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
457  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
458  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
459  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
460  };
461  const unsigned char msg[32] = {
462  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
463  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
464  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
465  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
466  };
467  const unsigned char sig[64] = {
468  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
469  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
470  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
471  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
472  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
473  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
474  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
475  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
476  };
477  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
478  }
479  {
480  /* Test vector 9 */
481  const unsigned char pk[32] = {
482  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
483  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
484  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
485  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
486  };
487  const unsigned char msg[32] = {
488  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
489  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
490  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
491  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
492  };
493  const unsigned char sig[64] = {
494  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
495  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
496  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
497  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
499  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
500  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
501  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
502  };
503  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
504  }
505  {
506  /* Test vector 10 */
507  const unsigned char pk[32] = {
508  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
509  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
510  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
511  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
512  };
513  const unsigned char msg[32] = {
514  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
515  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
516  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
517  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
518  };
519  const unsigned char sig[64] = {
520  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
521  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
522  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
523  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
524  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
525  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
526  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
527  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
528  };
529  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
530  }
531  {
532  /* Test vector 11 */
533  const unsigned char pk[32] = {
534  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
535  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
536  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
537  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
538  };
539  const unsigned char msg[32] = {
540  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
541  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
542  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
543  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
544  };
545  const unsigned char sig[64] = {
546  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
547  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
548  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
549  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
550  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
551  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
552  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
553  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
554  };
555  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
556  }
557  {
558  /* Test vector 12 */
559  const unsigned char pk[32] = {
560  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
561  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
562  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
563  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
564  };
565  const unsigned char msg[32] = {
566  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
567  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
568  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
569  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
570  };
571  const unsigned char sig[64] = {
572  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
573  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
574  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
575  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
576  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
577  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
578  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
579  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
580  };
581  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
582  }
583  {
584  /* Test vector 13 */
585  const unsigned char pk[32] = {
586  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
587  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
588  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
589  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
590  };
591  const unsigned char msg[32] = {
592  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
593  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
594  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
595  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
596  };
597  const unsigned char sig[64] = {
598  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
599  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
600  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
601  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
602  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
603  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
604  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
605  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
606  };
607  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
608  }
609  {
610  /* Test vector 14 */
611  const unsigned char pk[32] = {
612  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
613  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
614  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
615  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
616  };
617  secp256k1_xonly_pubkey pk_parsed;
618  /* No need to check the signature of the test vector as parsing the pubkey already fails */
619  CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
620  }
621  {
622  /* Test vector 15 */
623  const unsigned char sk[32] = {
624  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
625  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
626  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
627  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
628  };
629  const unsigned char pk[32] = {
630  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
631  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
632  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
633  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
634  };
635  const unsigned char aux_rand[32] = {
636  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
637  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
638  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
639  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640  };
641  /* const unsigned char msg[0] = {}; */
642  const unsigned char sig[64] = {
643  0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB,
644  0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18,
645  0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC,
646  0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF,
647  0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62,
648  0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64,
649  0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27,
650  0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63,
651  };
652  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig);
653  test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1);
654  }
655  {
656  /* Test vector 16 */
657  const unsigned char sk[32] = {
658  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
659  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
660  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
661  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
662  };
663  const unsigned char pk[32] = {
664  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
665  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
666  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
667  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
668  };
669  const unsigned char aux_rand[32] = {
670  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
671  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
672  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
673  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
674  };
675  const unsigned char msg[] = { 0x11 };
676  const unsigned char sig[64] = {
677  0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24,
678  0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A,
679  0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35,
680  0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03,
681  0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD,
682  0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96,
683  0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33,
684  0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF,
685  };
686  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
687  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
688  }
689  {
690  /* Test vector 17 */
691  const unsigned char sk[32] = {
692  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
693  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
694  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
695  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
696  };
697  const unsigned char pk[32] = {
698  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
699  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
700  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
701  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
702  };
703  const unsigned char aux_rand[32] = {
704  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
705  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708  };
709  const unsigned char msg[] = {
710  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
711  0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
712  0x11,
713  };
714  const unsigned char sig[64] = {
715  0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B,
716  0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B,
717  0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52,
718  0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70,
719  0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8,
720  0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC,
721  0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51,
722  0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5,
723  };
724  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
725  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
726  }
727  {
728  /* Test vector 18 */
729  const unsigned char sk[32] = {
730  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
731  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
732  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
733  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
734  };
735  const unsigned char pk[32] = {
736  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
737  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
738  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
739  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
740  };
741  const unsigned char aux_rand[32] = {
742  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
743  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
744  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
745  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
746  };
747  const unsigned char sig[64] = {
748  0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34,
749  0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63,
750  0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F,
751  0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8,
752  0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7,
753  0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23,
754  0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0,
755  0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67,
756  };
757  unsigned char msg[100];
758  memset(msg, 0x99, sizeof(msg));
759  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
760  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
761  }
762 }
763 
764 /* Nonce function that returns constant 0 */
765 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
766  (void) msg;
767  (void) msglen;
768  (void) key32;
769  (void) xonly_pk32;
770  (void) algo;
771  (void) algolen;
772  (void) data;
773  (void) nonce32;
774  return 0;
775 }
776 
777 /* Nonce function that sets nonce to 0 */
778 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
779  (void) msg;
780  (void) msglen;
781  (void) key32;
782  (void) xonly_pk32;
783  (void) algo;
784  (void) algolen;
785  (void) data;
786 
787  memset(nonce32, 0, 32);
788  return 1;
789 }
790 
791 /* Nonce function that sets nonce to 0xFF...0xFF */
792 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
793  (void) msg;
794  (void) msglen;
795  (void) key32;
796  (void) xonly_pk32;
797  (void) algo;
798  (void) algolen;
799  (void) data;
800 
801  memset(nonce32, 0xFF, 32);
802  return 1;
803 }
804 
805 static void test_schnorrsig_sign(void) {
806  unsigned char sk[32];
807  secp256k1_xonly_pubkey pk;
808  secp256k1_keypair keypair;
809  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
810  unsigned char sig[64];
811  unsigned char sig2[64];
812  unsigned char zeros64[64] = { 0 };
813  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
814  unsigned char aux_rand[32];
815 
816  secp256k1_testrand256(sk);
817  secp256k1_testrand256(aux_rand);
818  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
819  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
820  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
821  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
822  /* Check that deprecated alias gives the same result */
823  CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
824  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
825 
826  /* Test different nonce functions */
827  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
828  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
829  memset(sig, 1, sizeof(sig));
830  extraparams.noncefp = nonce_function_failing;
831  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
832  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
833  memset(&sig, 1, sizeof(sig));
834  extraparams.noncefp = nonce_function_0;
835  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
836  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
837  memset(&sig, 1, sizeof(sig));
838  extraparams.noncefp = nonce_function_overflowing;
839  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
840  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
841 
842  /* When using the default nonce function, schnorrsig_sign_custom produces
843  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
844  extraparams.noncefp = NULL;
845  extraparams.ndata = aux_rand;
846  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
847  CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
848  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
849 }
850 
851 #define N_SIGS 3
852 /* Creates N_SIGS valid signatures and verifies them with verify and
853  * verify_batch (TODO). Then flips some bits and checks that verification now
854  * fails. */
855 static void test_schnorrsig_sign_verify(void) {
856  unsigned char sk[32];
857  unsigned char msg[N_SIGS][32];
858  unsigned char sig[N_SIGS][64];
859  size_t i;
860  secp256k1_keypair keypair;
861  secp256k1_xonly_pubkey pk;
862  secp256k1_scalar s;
863 
864  secp256k1_testrand256(sk);
865  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
866  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
867 
868  for (i = 0; i < N_SIGS; i++) {
869  secp256k1_testrand256(msg[i]);
870  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
871  CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
872  }
873 
874  {
875  /* Flip a few bits in the signature and in the message and check that
876  * verify and verify_batch (TODO) fail */
877  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
878  size_t byte_idx = secp256k1_testrand_bits(5);
879  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
880  sig[sig_idx][byte_idx] ^= xorbyte;
881  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
882  sig[sig_idx][byte_idx] ^= xorbyte;
883 
884  byte_idx = secp256k1_testrand_bits(5);
885  sig[sig_idx][32+byte_idx] ^= xorbyte;
886  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
887  sig[sig_idx][32+byte_idx] ^= xorbyte;
888 
889  byte_idx = secp256k1_testrand_bits(5);
890  msg[sig_idx][byte_idx] ^= xorbyte;
891  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
892  msg[sig_idx][byte_idx] ^= xorbyte;
893 
894  /* Check that above bitflips have been reversed correctly */
895  CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
896  }
897 
898  /* Test overflowing s */
899  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
900  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
901  memset(&sig[0][32], 0xFF, 32);
902  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
903 
904  /* Test negative s */
905  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
906  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
907  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
908  secp256k1_scalar_negate(&s, &s);
909  secp256k1_scalar_get_b32(&sig[0][32], &s);
910  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
911 
912  /* The empty message can be signed & verified */
913  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
914  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
915 
916  {
917  /* Test varying message lengths */
918  unsigned char msg_large[32 * 8];
919  uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
920  for (i = 0; i < sizeof(msg_large); i += 32) {
921  secp256k1_testrand256(&msg_large[i]);
922  }
923  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
924  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
925  /* Verification for a random wrong message length fails */
926  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
927  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
928  }
929 }
930 #undef N_SIGS
931 
932 static void test_schnorrsig_taproot(void) {
933  unsigned char sk[32];
934  secp256k1_keypair keypair;
935  secp256k1_xonly_pubkey internal_pk;
936  unsigned char internal_pk_bytes[32];
937  secp256k1_xonly_pubkey output_pk;
938  unsigned char output_pk_bytes[32];
939  unsigned char tweak[32];
940  int pk_parity;
941  unsigned char msg[32];
942  unsigned char sig[64];
943 
944  /* Create output key */
945  secp256k1_testrand256(sk);
946  CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
947  CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
948  /* In actual taproot the tweak would be hash of internal_pk */
949  CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
950  CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
951  CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
952  CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
953 
954  /* Key spend */
955  secp256k1_testrand256(msg);
956  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
957  /* Verify key spend */
958  CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
959  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
960 
961  /* Script spend */
962  CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
963  /* Verify script spend */
964  CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
965  CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
966 }
967 
968 static void run_schnorrsig_tests(void) {
969  int i;
970  run_nonce_function_bip340_tests();
971 
972  test_schnorrsig_api();
973  test_schnorrsig_sha256_tagged();
974  test_schnorrsig_bip_vectors();
975  for (i = 0; i < COUNT; i++) {
976  test_schnorrsig_sign();
977  test_schnorrsig_sign_verify();
978  }
979  test_schnorrsig_taproot();
980 }
981 
982 #endif
args
ArgsManager & args
Definition: bitcoind.cpp:268
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
nonce
unsigned int nonce
Definition: miner_tests.cpp:71
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
test_schnorrsig_sign_verify
static void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:855
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:23
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:792
test_schnorrsig_sign
static void test_schnorrsig_sign(void)
Definition: tests_impl.h:805
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig)
Definition: tests_impl.h:172
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected)
Definition: tests_impl.h:197
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:106
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:778
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:932
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:206
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:968
N_SIGS
#define N_SIGS
Definition: tests_impl.h:851
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:765
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:160
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:226
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:196
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:200
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:204
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:219
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
COUNT
static int COUNT
Definition: tests.c:40
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
CTX
static secp256k1_context * CTX
Definition: tests.c:41
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:729
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
Generated on Tue Apr 23 2024 05:36:00 for Bitcoin Core by doxygen 1.9.1