Wire Sysio Wire Sysion 1.0.0
Loading...
Searching...
No Matches
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "../../../include/secp256k1_schnorrsig.h"
11
12/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13 * bytes) changes the hash function
14 */
15void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16 unsigned char nonces[2][32];
17 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18 secp256k1_testrand_flip(args[n_flip], n_bytes);
19 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21}
22
23/* Tests for the equality of two sha256 structs. This function only produces a
24 * correct result if an integer multiple of 64 many bytes have been written
25 * into the hash functions. */
26void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27 /* Is buffer fully consumed? */
28 CHECK((sha1->bytes & 0x3F) == 0);
29
30 CHECK(sha1->bytes == sha2->bytes);
31 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32}
33
34void run_nonce_function_bip340_tests(void) {
35 unsigned char tag[13] = "BIP0340/nonce";
36 unsigned char aux_tag[11] = "BIP0340/aux";
37 unsigned char algo[13] = "BIP0340/nonce";
38 size_t algolen = sizeof(algo);
39 secp256k1_sha256 sha;
40 secp256k1_sha256 sha_optimized;
41 unsigned char nonce[32], nonce_z[32];
42 unsigned char msg[32];
43 size_t msglen = sizeof(msg);
44 unsigned char key[32];
45 unsigned char pk[32];
46 unsigned char aux_rand[32];
47 unsigned char *args[5];
48 int i;
49
50 /* Check that hash initialized by
51 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52 * state. */
53 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
54 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
55 test_sha256_eq(&sha, &sha_optimized);
56
57 /* Check that hash initialized by
58 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59 * state. */
60 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
61 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
62 test_sha256_eq(&sha, &sha_optimized);
63
64 secp256k1_testrand256(msg);
65 secp256k1_testrand256(key);
66 secp256k1_testrand256(pk);
67 secp256k1_testrand256(aux_rand);
68
69 /* Check that a bitflip in an argument results in different nonces. */
70 args[0] = msg;
71 args[1] = key;
72 args[2] = pk;
73 args[3] = algo;
74 args[4] = aux_rand;
75 for (i = 0; i < count; i++) {
76 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79 /* Flip algo special case "BIP0340/nonce" */
80 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81 /* Flip algo again */
82 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84 }
85
86 /* NULL algo is disallowed */
87 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89 /* Other algo is fine */
90 secp256k1_testrand_bytes_test(algo, algolen);
91 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92
93 for (i = 0; i < count; i++) {
94 unsigned char nonce2[32];
95 uint32_t offset = secp256k1_testrand_int(msglen - 1);
96 size_t msglen_tmp = (msglen + offset) % msglen;
97 size_t algolen_tmp;
98
99 /* Different msglen gives different nonce */
100 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102
103 /* Different algolen gives different nonce */
104 offset = secp256k1_testrand_int(algolen - 1);
105 algolen_tmp = (algolen + offset) % algolen;
106 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108 }
109
110 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
111 memset(aux_rand, 0, 32);
112 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
113 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
114 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
115}
116
117void test_schnorrsig_api(void) {
118 unsigned char sk1[32];
119 unsigned char sk2[32];
120 unsigned char sk3[32];
121 unsigned char msg[32];
122 secp256k1_keypair keypairs[3];
123 secp256k1_keypair invalid_keypair = {{ 0 }};
124 secp256k1_xonly_pubkey pk[3];
125 secp256k1_xonly_pubkey zero_pk;
126 unsigned char sig[64];
127 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
128 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
129
131 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
132 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
133 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
134 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
135 secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
136 int ecount;
137
138 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
139 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
140 secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
141 secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
142 secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
143 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
144 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
145 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
146 secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
147 secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
148
149 secp256k1_testrand256(sk1);
150 secp256k1_testrand256(sk2);
151 secp256k1_testrand256(sk3);
152 secp256k1_testrand256(msg);
153 CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
154 CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
155 CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
156 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
157 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
158 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
159 memset(&zero_pk, 0, sizeof(zero_pk));
160
162 ecount = 0;
163 CHECK(secp256k1_schnorrsig_sign32(none, sig, msg, &keypairs[0], NULL) == 1);
164 CHECK(ecount == 0);
165 CHECK(secp256k1_schnorrsig_sign32(vrfy, sig, msg, &keypairs[0], NULL) == 1);
166 CHECK(ecount == 0);
167 CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &keypairs[0], NULL) == 1);
168 CHECK(ecount == 0);
169 CHECK(secp256k1_schnorrsig_sign32(sign, NULL, msg, &keypairs[0], NULL) == 0);
170 CHECK(ecount == 1);
171 CHECK(secp256k1_schnorrsig_sign32(sign, sig, NULL, &keypairs[0], NULL) == 0);
172 CHECK(ecount == 2);
173 CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, NULL, NULL) == 0);
174 CHECK(ecount == 3);
175 CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &invalid_keypair, NULL) == 0);
176 CHECK(ecount == 4);
177 CHECK(secp256k1_schnorrsig_sign32(sttc, sig, msg, &keypairs[0], NULL) == 0);
178 CHECK(ecount == 5);
179
180 ecount = 0;
181 CHECK(secp256k1_schnorrsig_sign_custom(none, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
182 CHECK(ecount == 0);
183 CHECK(secp256k1_schnorrsig_sign_custom(vrfy, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
184 CHECK(ecount == 0);
185 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
186 CHECK(ecount == 0);
187 CHECK(secp256k1_schnorrsig_sign_custom(sign, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
188 CHECK(ecount == 1);
189 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
190 CHECK(ecount == 2);
191 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
192 CHECK(ecount == 2);
193 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
194 CHECK(ecount == 3);
195 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
196 CHECK(ecount == 4);
197 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
198 CHECK(ecount == 4);
199 CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
200 CHECK(ecount == 5);
201 CHECK(secp256k1_schnorrsig_sign_custom(sttc, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
202 CHECK(ecount == 6);
203
204 ecount = 0;
205 CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &keypairs[0], NULL) == 1);
206 CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 1);
207 CHECK(ecount == 0);
208 CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 1);
209 CHECK(ecount == 0);
210 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &pk[0]) == 1);
211 CHECK(ecount == 0);
212 CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, sizeof(msg), &pk[0]) == 0);
213 CHECK(ecount == 1);
214 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, sizeof(msg), &pk[0]) == 0);
215 CHECK(ecount == 2);
216 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, 0, &pk[0]) == 0);
217 CHECK(ecount == 2);
218 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), NULL) == 0);
219 CHECK(ecount == 3);
220 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &zero_pk) == 0);
221 CHECK(ecount == 4);
222
223 secp256k1_context_destroy(none);
224 secp256k1_context_destroy(sign);
225 secp256k1_context_destroy(vrfy);
226 secp256k1_context_destroy(both);
227 secp256k1_context_destroy(sttc);
228}
229
230/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
231 * expected state. */
232void test_schnorrsig_sha256_tagged(void) {
233 unsigned char tag[17] = "BIP0340/challenge";
234 secp256k1_sha256 sha;
235 secp256k1_sha256 sha_optimized;
236
237 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
238 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
239 test_sha256_eq(&sha, &sha_optimized);
240}
241
242/* Helper function for schnorrsig_bip_vectors
243 * Signs the message and checks that it's the same as expected_sig. */
244void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
245 unsigned char sig[64];
246 secp256k1_keypair keypair;
247 secp256k1_xonly_pubkey pk, pk_expected;
248
249 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
250 CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg32, &keypair, aux_rand));
251 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
252
253 CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
254 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
255 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
256 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
257}
258
259/* Helper function for schnorrsig_bip_vectors
260 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
261void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
262 secp256k1_xonly_pubkey pk;
263
264 CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
265 CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
266}
267
268/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
269 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
270void test_schnorrsig_bip_vectors(void) {
271 {
272 /* Test vector 0 */
273 const unsigned char sk[32] = {
274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
278 };
279 const unsigned char pk[32] = {
280 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
281 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
282 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
283 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
284 };
285 unsigned char aux_rand[32] = {
286 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
287 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
288 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
289 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
290 };
291 const unsigned char msg[32] = {
292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
295 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
296 };
297 const unsigned char sig[64] = {
298 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
299 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
300 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
301 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
302 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
303 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
304 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
305 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
306 };
307 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
308 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
309 }
310 {
311 /* Test vector 1 */
312 const unsigned char sk[32] = {
313 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
314 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
315 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
316 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
317 };
318 const unsigned char pk[32] = {
319 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
320 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
321 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
322 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
323 };
324 unsigned char aux_rand[32] = {
325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
327 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
329 };
330 const unsigned char msg[32] = {
331 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
332 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
333 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
334 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
335 };
336 const unsigned char sig[64] = {
337 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
338 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
339 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
340 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
341 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
342 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
343 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
344 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
345 };
346 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
347 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
348 }
349 {
350 /* Test vector 2 */
351 const unsigned char sk[32] = {
352 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
353 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
354 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
355 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
356 };
357 const unsigned char pk[32] = {
358 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
359 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
360 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
361 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
362 };
363 unsigned char aux_rand[32] = {
364 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
365 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
366 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
367 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
368 };
369 const unsigned char msg[32] = {
370 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
371 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
372 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
373 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
374 };
375 const unsigned char sig[64] = {
376 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
377 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
378 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
379 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
380 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
381 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
382 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
383 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
384 };
385 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
386 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
387 }
388 {
389 /* Test vector 3 */
390 const unsigned char sk[32] = {
391 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
392 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
393 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
394 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
395 };
396 const unsigned char pk[32] = {
397 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
398 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
399 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
400 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
401 };
402 unsigned char aux_rand[32] = {
403 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
404 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
405 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
406 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
407 };
408 const unsigned char msg[32] = {
409 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
410 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
411 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
412 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
413 };
414 const unsigned char sig[64] = {
415 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
416 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
417 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
418 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
419 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
420 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
421 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
422 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
423 };
424 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
425 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
426 }
427 {
428 /* Test vector 4 */
429 const unsigned char pk[32] = {
430 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
431 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
432 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
433 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
434 };
435 const unsigned char msg[32] = {
436 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
437 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
438 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
439 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
440 };
441 const unsigned char sig[64] = {
442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
443 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
444 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
445 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
446 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
447 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
448 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
449 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
450 };
451 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
452 }
453 {
454 /* Test vector 5 */
455 const unsigned char pk[32] = {
456 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
457 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
458 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
459 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
460 };
461 secp256k1_xonly_pubkey pk_parsed;
462 /* No need to check the signature of the test vector as parsing the pubkey already fails */
463 CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
464 }
465 {
466 /* Test vector 6 */
467 const unsigned char pk[32] = {
468 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
469 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
470 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
471 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
472 };
473 const unsigned char msg[32] = {
474 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
475 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
476 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
477 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
478 };
479 const unsigned char sig[64] = {
480 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
481 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
482 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
483 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
484 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
485 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
486 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
487 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
488 };
489 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
490 }
491 {
492 /* Test vector 7 */
493 const unsigned char pk[32] = {
494 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
495 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
496 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
497 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
498 };
499 const unsigned char msg[32] = {
500 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
501 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
502 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
503 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
504 };
505 const unsigned char sig[64] = {
506 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
507 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
508 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
509 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
510 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
511 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
512 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
513 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
514 };
515 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
516 }
517 {
518 /* Test vector 8 */
519 const unsigned char pk[32] = {
520 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
521 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
522 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
523 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
524 };
525 const unsigned char msg[32] = {
526 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
527 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
528 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
529 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
530 };
531 const unsigned char sig[64] = {
532 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
533 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
534 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
535 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
536 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
537 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
538 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
539 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
540 };
541 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
542 }
543 {
544 /* Test vector 9 */
545 const unsigned char pk[32] = {
546 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
547 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
548 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
549 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
550 };
551 const unsigned char msg[32] = {
552 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
553 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
554 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
555 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
556 };
557 const unsigned char sig[64] = {
558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
562 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
563 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
564 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
565 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
566 };
567 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
568 }
569 {
570 /* Test vector 10 */
571 const unsigned char pk[32] = {
572 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
573 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
574 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
575 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
576 };
577 const unsigned char msg[32] = {
578 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
579 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
580 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
581 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
582 };
583 const unsigned char sig[64] = {
584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
587 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
588 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
589 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
590 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
591 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
592 };
593 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
594 }
595 {
596 /* Test vector 11 */
597 const unsigned char pk[32] = {
598 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
599 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
600 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
601 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
602 };
603 const unsigned char msg[32] = {
604 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
605 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
606 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
607 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
608 };
609 const unsigned char sig[64] = {
610 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
611 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
612 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
613 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
614 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
615 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
616 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
617 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
618 };
619 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
620 }
621 {
622 /* Test vector 12 */
623 const unsigned char pk[32] = {
624 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
625 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
626 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
627 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
628 };
629 const unsigned char msg[32] = {
630 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
631 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
632 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
633 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
634 };
635 const unsigned char sig[64] = {
636 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
637 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
638 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
639 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
640 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
641 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
642 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
643 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
644 };
645 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
646 }
647 {
648 /* Test vector 13 */
649 const unsigned char pk[32] = {
650 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
651 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
652 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
653 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
654 };
655 const unsigned char msg[32] = {
656 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
657 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
658 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
659 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
660 };
661 const unsigned char sig[64] = {
662 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
663 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
664 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
665 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
666 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
667 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
668 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
669 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
670 };
671 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
672 }
673 {
674 /* Test vector 14 */
675 const unsigned char pk[32] = {
676 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
677 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
678 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
679 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
680 };
681 secp256k1_xonly_pubkey pk_parsed;
682 /* No need to check the signature of the test vector as parsing the pubkey already fails */
683 CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
684 }
685}
686
687/* Nonce function that returns constant 0 */
688static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
689 (void) msg;
690 (void) msglen;
691 (void) key32;
692 (void) xonly_pk32;
693 (void) algo;
694 (void) algolen;
695 (void) data;
696 (void) nonce32;
697 return 0;
698}
699
700/* Nonce function that sets nonce to 0 */
701static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
702 (void) msg;
703 (void) msglen;
704 (void) key32;
705 (void) xonly_pk32;
706 (void) algo;
707 (void) algolen;
708 (void) data;
709
710 memset(nonce32, 0, 32);
711 return 1;
712}
713
714/* Nonce function that sets nonce to 0xFF...0xFF */
715static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
716 (void) msg;
717 (void) msglen;
718 (void) key32;
719 (void) xonly_pk32;
720 (void) algo;
721 (void) algolen;
722 (void) data;
723
724 memset(nonce32, 0xFF, 32);
725 return 1;
726}
727
728void test_schnorrsig_sign(void) {
729 unsigned char sk[32];
730 secp256k1_xonly_pubkey pk;
731 secp256k1_keypair keypair;
732 const unsigned char msg[32] = "this is a msg for a schnorrsig..";
733 unsigned char sig[64];
734 unsigned char sig2[64];
735 unsigned char zeros64[64] = { 0 };
736 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
737 unsigned char aux_rand[32];
738
739 secp256k1_testrand256(sk);
740 secp256k1_testrand256(aux_rand);
741 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
742 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
743 CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
744 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
745 /* Check that deprecated alias gives the same result */
746 CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL) == 1);
747 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
748
749 /* Test different nonce functions */
750 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
751 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
752 memset(sig, 1, sizeof(sig));
753 extraparams.noncefp = nonce_function_failing;
754 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
755 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
756 memset(&sig, 1, sizeof(sig));
757 extraparams.noncefp = nonce_function_0;
758 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
759 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
760 memset(&sig, 1, sizeof(sig));
761 extraparams.noncefp = nonce_function_overflowing;
762 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
763 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
764
765 /* When using the default nonce function, schnorrsig_sign_custom produces
766 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
767 extraparams.noncefp = NULL;
768 extraparams.ndata = aux_rand;
769 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
770 CHECK(secp256k1_schnorrsig_sign32(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
771 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
772}
773
774#define N_SIGS 3
775/* Creates N_SIGS valid signatures and verifies them with verify and
776 * verify_batch (TODO). Then flips some bits and checks that verification now
777 * fails. */
778void test_schnorrsig_sign_verify(void) {
779 unsigned char sk[32];
780 unsigned char msg[N_SIGS][32];
781 unsigned char sig[N_SIGS][64];
782 size_t i;
783 secp256k1_keypair keypair;
784 secp256k1_xonly_pubkey pk;
785 secp256k1_scalar s;
786
787 secp256k1_testrand256(sk);
788 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
789 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
790
791 for (i = 0; i < N_SIGS; i++) {
792 secp256k1_testrand256(msg[i]);
793 CHECK(secp256k1_schnorrsig_sign32(ctx, sig[i], msg[i], &keypair, NULL));
794 CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
795 }
796
797 {
798 /* Flip a few bits in the signature and in the message and check that
799 * verify and verify_batch (TODO) fail */
800 size_t sig_idx = secp256k1_testrand_int(N_SIGS);
801 size_t byte_idx = secp256k1_testrand_bits(5);
802 unsigned char xorbyte = secp256k1_testrand_int(254)+1;
803 sig[sig_idx][byte_idx] ^= xorbyte;
804 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
805 sig[sig_idx][byte_idx] ^= xorbyte;
806
807 byte_idx = secp256k1_testrand_bits(5);
808 sig[sig_idx][32+byte_idx] ^= xorbyte;
809 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
810 sig[sig_idx][32+byte_idx] ^= xorbyte;
811
812 byte_idx = secp256k1_testrand_bits(5);
813 msg[sig_idx][byte_idx] ^= xorbyte;
814 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
815 msg[sig_idx][byte_idx] ^= xorbyte;
816
817 /* Check that above bitflips have been reversed correctly */
818 CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
819 }
820
821 /* Test overflowing s */
822 CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
823 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
824 memset(&sig[0][32], 0xFF, 32);
825 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
826
827 /* Test negative s */
828 CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
829 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
830 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
831 secp256k1_scalar_negate(&s, &s);
832 secp256k1_scalar_get_b32(&sig[0][32], &s);
833 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
834
835 /* The empty message can be signed & verified */
836 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
837 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
838
839 {
840 /* Test varying message lengths */
841 unsigned char msg_large[32 * 8];
842 uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
843 for (i = 0; i < sizeof(msg_large); i += 32) {
844 secp256k1_testrand256(&msg_large[i]);
845 }
846 CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
847 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
848 /* Verification for a random wrong message length fails */
849 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
850 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
851 }
852}
853#undef N_SIGS
854
855void test_schnorrsig_taproot(void) {
856 unsigned char sk[32];
857 secp256k1_keypair keypair;
858 secp256k1_xonly_pubkey internal_pk;
859 unsigned char internal_pk_bytes[32];
860 secp256k1_xonly_pubkey output_pk;
861 unsigned char output_pk_bytes[32];
862 unsigned char tweak[32];
863 int pk_parity;
864 unsigned char msg[32];
865 unsigned char sig[64];
866
867 /* Create output key */
868 secp256k1_testrand256(sk);
869 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
870 CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
871 /* In actual taproot the tweak would be hash of internal_pk */
872 CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
873 CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
874 CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
875 CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
876
877 /* Key spend */
878 secp256k1_testrand256(msg);
879 CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
880 /* Verify key spend */
881 CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
882 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
883
884 /* Script spend */
885 CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
886 /* Verify script spend */
887 CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
888 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
889}
890
904
905#endif
CHECK
#define CHECK(cond)
Definition util.h:80
count
int * count
Definition gmock_stress_test.cc:177
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition tests_impl.h:270
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition tests_impl.h:728
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition tests_impl.h:34
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition tests_impl.h:244
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition tests_impl.h:261
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition tests_impl.h:855
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition tests_impl.h:26
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition tests_impl.h:778
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition tests_impl.h:891
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition tests_impl.h:15
N_SIGS
#define N_SIGS
Definition tests_impl.h:774
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition tests_impl.h:232
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition tests_impl.h:117
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Definition secp256k1.c:146
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition secp256k1.h:196
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
Definition secp256k1.c:60
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Definition secp256k1.c:162
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Definition secp256k1.c:107
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Definition secp256k1.c:153
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition secp256k1.h:198
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Definition secp256k1.c:128
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Definition secp256k1.h:195
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition main_impl.h:43
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Definition main_impl.h:134
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition main_impl.h:195
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition main_impl.h:254
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Definition main_impl.h:233
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition main_impl.h:21
secp256k1_schnorrsig.h
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition main_impl.h:195
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Definition main_impl.h:200
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Definition main_impl.h:204
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Definition main_impl.h:219
uint32_t
unsigned int uint32_t
Definition stdint.h:126
secp256k1_context_struct
Definition secp256k1.c:47
secp256k1_keypair
Definition secp256k1_extrakeys.h:33
secp256k1_scalar
Definition scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Definition secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition hash.h:13
secp256k1_sha256::bytes
uint64_t bytes
Definition hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition hash.h:14
secp256k1_xonly_pubkey
Definition secp256k1_extrakeys.h:22
key
uint8_t key[16]
Definition yubico_otp.c:41
s
char * s
Definition yubihsm_pkcs11.c:524
memset
memset(pInfo->slotDescription, ' ', 64)