github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/modules/schnorrsig/tests_impl.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H 8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H 9 10 #include "../../../include/secp256k1_schnorrsig.h" 11 12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many 13 * bytes) changes the hash function 14 */ 15 static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) { 16 unsigned char nonces[2][32]; 17 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1); 18 testrand_flip(args[n_flip], n_bytes); 19 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1); 20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0); 21 } 22 23 static void run_nonce_function_bip340_tests(void) { 24 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'}; 25 unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'}; 26 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'}; 27 size_t algolen = sizeof(algo); 28 secp256k1_sha256 sha; 29 secp256k1_sha256 sha_optimized; 30 unsigned char nonce[32], nonce_z[32]; 31 unsigned char msg[32]; 32 size_t msglen = sizeof(msg); 33 unsigned char key[32]; 34 unsigned char pk[32]; 35 unsigned char aux_rand[32]; 36 unsigned char *args[5]; 37 int i; 38 39 /* Check that hash initialized by 40 * secp256k1_nonce_function_bip340_sha256_tagged has the expected 41 * state. */ 42 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag)); 43 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized); 44 test_sha256_eq(&sha, &sha_optimized); 45 46 /* Check that hash initialized by 47 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected 48 * state. */ 49 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag)); 50 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized); 51 test_sha256_eq(&sha, &sha_optimized); 52 53 testrand256(msg); 54 testrand256(key); 55 testrand256(pk); 56 testrand256(aux_rand); 57 58 /* Check that a bitflip in an argument results in different nonces. */ 59 args[0] = msg; 60 args[1] = key; 61 args[2] = pk; 62 args[3] = algo; 63 args[4] = aux_rand; 64 for (i = 0; i < COUNT; i++) { 65 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen); 66 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen); 67 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen); 68 /* Flip algo special case "BIP0340/nonce" */ 69 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen); 70 /* Flip algo again */ 71 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen); 72 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen); 73 } 74 75 /* NULL algo is disallowed */ 76 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0); 77 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); 78 /* Other algo is fine */ 79 testrand_bytes_test(algo, algolen); 80 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); 81 82 for (i = 0; i < COUNT; i++) { 83 unsigned char nonce2[32]; 84 uint32_t offset = testrand_int(msglen - 1); 85 size_t msglen_tmp = (msglen + offset) % msglen; 86 size_t algolen_tmp; 87 88 /* Different msglen gives different nonce */ 89 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1); 90 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); 91 92 /* Different algolen gives different nonce */ 93 offset = testrand_int(algolen - 1); 94 algolen_tmp = (algolen + offset) % algolen; 95 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1); 96 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); 97 } 98 99 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */ 100 memset(aux_rand, 0, 32); 101 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1); 102 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); 103 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0); 104 } 105 106 static void test_schnorrsig_api(void) { 107 unsigned char sk1[32]; 108 unsigned char sk2[32]; 109 unsigned char sk3[32]; 110 unsigned char msg[32]; 111 secp256k1_keypair keypairs[3]; 112 secp256k1_keypair invalid_keypair = {{ 0 }}; 113 secp256k1_xonly_pubkey pk[3]; 114 secp256k1_xonly_pubkey zero_pk; 115 unsigned char sig[64]; 116 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; 117 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL}; 118 119 testrand256(sk1); 120 testrand256(sk2); 121 testrand256(sk3); 122 testrand256(msg); 123 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1); 124 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1); 125 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1); 126 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1); 127 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1); 128 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1); 129 memset(&zero_pk, 0, sizeof(zero_pk)); 130 131 /** main test body **/ 132 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1); 133 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL)); 134 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL)); 135 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL)); 136 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL)); 137 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL)); 138 139 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1); 140 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams)); 141 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams)); 142 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1); 143 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams)); 144 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams)); 145 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1); 146 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams)); 147 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams)); 148 149 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1); 150 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1); 151 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0])); 152 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0])); 153 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0); 154 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL)); 155 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk)); 156 } 157 158 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the 159 * expected state. */ 160 static void test_schnorrsig_sha256_tagged(void) { 161 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'}; 162 secp256k1_sha256 sha; 163 secp256k1_sha256 sha_optimized; 164 165 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag)); 166 secp256k1_schnorrsig_sha256_tagged(&sha_optimized); 167 test_sha256_eq(&sha, &sha_optimized); 168 } 169 170 /* Helper function for schnorrsig_bip_vectors 171 * Signs the message and checks that it's the same as expected_sig. */ 172 static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) { 173 unsigned char sig[64]; 174 secp256k1_keypair keypair; 175 secp256k1_xonly_pubkey pk, pk_expected; 176 177 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; 178 extraparams.ndata = (unsigned char*)aux_rand; 179 180 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 181 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams)); 182 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0); 183 if (msglen == 32) { 184 memset(sig, 0, 64); 185 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand)); 186 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0); 187 } 188 189 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized)); 190 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); 191 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0); 192 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk)); 193 } 194 195 /* Helper function for schnorrsig_bip_vectors 196 * Checks that both verify and verify_batch (TODO) return the same value as expected. */ 197 static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) { 198 secp256k1_xonly_pubkey pk; 199 200 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized)); 201 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk)); 202 } 203 204 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See 205 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */ 206 static void test_schnorrsig_bip_vectors(void) { 207 { 208 /* Test vector 0 */ 209 const unsigned char sk[32] = { 210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 214 }; 215 const unsigned char pk[32] = { 216 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 217 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 218 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0, 219 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 220 }; 221 const unsigned char aux_rand[32] = { 222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 226 }; 227 const unsigned char msg[32] = { 228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 232 }; 233 const unsigned char sig[64] = { 234 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10, 235 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36, 236 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08, 237 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15, 238 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71, 239 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5, 240 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47, 241 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0 242 }; 243 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 244 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 245 } 246 { 247 /* Test vector 1 */ 248 const unsigned char sk[32] = { 249 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, 250 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, 251 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, 252 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF 253 }; 254 const unsigned char pk[32] = { 255 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 256 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 257 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 258 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 259 }; 260 const unsigned char aux_rand[32] = { 261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 265 }; 266 const unsigned char msg[32] = { 267 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 268 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 269 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 270 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 271 }; 272 const unsigned char sig[64] = { 273 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D, 274 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07, 275 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17, 276 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41, 277 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC, 278 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA, 279 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C, 280 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A 281 }; 282 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 283 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 284 } 285 { 286 /* Test vector 2 */ 287 const unsigned char sk[32] = { 288 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 289 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 290 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 291 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9 292 }; 293 const unsigned char pk[32] = { 294 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 295 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 296 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9, 297 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 298 }; 299 const unsigned char aux_rand[32] = { 300 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE, 301 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC, 302 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C, 303 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06 304 }; 305 const unsigned char msg[32] = { 306 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A, 307 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D, 308 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33, 309 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C 310 }; 311 const unsigned char sig[64] = { 312 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7, 313 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94, 314 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B, 315 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B, 316 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A, 317 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C, 318 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E, 319 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7 320 }; 321 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 322 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 323 } 324 { 325 /* Test vector 3 */ 326 const unsigned char sk[32] = { 327 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81, 328 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0, 329 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54, 330 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10 331 }; 332 const unsigned char pk[32] = { 333 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25, 334 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD, 335 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A, 336 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17 337 }; 338 const unsigned char aux_rand[32] = { 339 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 340 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 341 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 342 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 343 }; 344 const unsigned char msg[32] = { 345 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 346 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 347 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 348 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 349 }; 350 const unsigned char sig[64] = { 351 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1, 352 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9, 353 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6, 354 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC, 355 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93, 356 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A, 357 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27, 358 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3 359 }; 360 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 361 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 362 } 363 { 364 /* Test vector 4 */ 365 const unsigned char pk[32] = { 366 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12, 367 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83, 368 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA, 369 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9 370 }; 371 const unsigned char msg[32] = { 372 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2, 373 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24, 374 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B, 375 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03 376 }; 377 const unsigned char sig[64] = { 378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 379 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F, 380 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28, 381 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63, 382 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3, 383 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10, 384 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93, 385 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4 386 }; 387 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 388 } 389 { 390 /* Test vector 5 */ 391 const unsigned char pk[32] = { 392 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50, 393 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21, 394 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87, 395 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34 396 }; 397 secp256k1_xonly_pubkey pk_parsed; 398 /* No need to check the signature of the test vector as parsing the pubkey already fails */ 399 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); 400 } 401 { 402 /* Test vector 6 */ 403 const unsigned char pk[32] = { 404 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 405 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 406 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 407 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 408 }; 409 const unsigned char msg[32] = { 410 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 411 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 412 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 413 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 414 }; 415 const unsigned char sig[64] = { 416 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4, 417 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3, 418 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B, 419 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56, 420 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07, 421 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF, 422 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E, 423 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2 424 }; 425 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 426 } 427 { 428 /* Test vector 7 */ 429 const unsigned char pk[32] = { 430 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 431 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 432 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 433 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 434 }; 435 const unsigned char msg[32] = { 436 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 437 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 438 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 439 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 440 }; 441 const unsigned char sig[64] = { 442 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C, 443 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7, 444 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4, 445 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F, 446 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89, 447 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8, 448 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35, 449 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD 450 }; 451 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 452 } 453 { 454 /* Test vector 8 */ 455 const unsigned char pk[32] = { 456 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 457 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 458 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 459 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 460 }; 461 const unsigned char msg[32] = { 462 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 463 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 464 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 465 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 466 }; 467 const unsigned char sig[64] = { 468 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA, 469 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F, 470 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96, 471 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69, 472 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC, 473 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26, 474 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C, 475 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6 476 }; 477 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 478 } 479 { 480 /* Test vector 9 */ 481 const unsigned char pk[32] = { 482 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 483 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 484 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 485 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 486 }; 487 const unsigned char msg[32] = { 488 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 489 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 490 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 491 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 492 }; 493 const unsigned char sig[64] = { 494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 498 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23, 499 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA, 500 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC, 501 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51 502 }; 503 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 504 } 505 { 506 /* Test vector 10 */ 507 const unsigned char pk[32] = { 508 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 509 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 510 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 511 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 512 }; 513 const unsigned char msg[32] = { 514 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 515 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 516 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 517 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 518 }; 519 const unsigned char sig[64] = { 520 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 521 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 524 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64, 525 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4, 526 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9, 527 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97 528 }; 529 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 530 } 531 { 532 /* Test vector 11 */ 533 const unsigned char pk[32] = { 534 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 535 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 536 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 537 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 538 }; 539 const unsigned char msg[32] = { 540 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 541 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 542 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 543 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 544 }; 545 const unsigned char sig[64] = { 546 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, 547 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, 548 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, 549 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, 550 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03, 551 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7, 552 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F, 553 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B 554 }; 555 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 556 } 557 { 558 /* Test vector 12 */ 559 const unsigned char pk[32] = { 560 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 561 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 562 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 563 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 564 }; 565 const unsigned char msg[32] = { 566 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 567 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 568 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 569 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 570 }; 571 const unsigned char sig[64] = { 572 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 573 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 574 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 575 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, 576 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03, 577 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7, 578 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F, 579 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B 580 }; 581 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 582 } 583 { 584 /* Test vector 13 */ 585 const unsigned char pk[32] = { 586 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 587 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 588 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 589 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 590 }; 591 const unsigned char msg[32] = { 592 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 593 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 594 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 595 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 596 }; 597 const unsigned char sig[64] = { 598 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA, 599 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F, 600 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96, 601 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69, 602 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 603 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 604 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 605 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 606 }; 607 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 608 } 609 { 610 /* Test vector 14 */ 611 const unsigned char pk[32] = { 612 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 613 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 614 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 615 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30 616 }; 617 secp256k1_xonly_pubkey pk_parsed; 618 /* No need to check the signature of the test vector as parsing the pubkey already fails */ 619 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); 620 } 621 { 622 /* Test vector 15 */ 623 const unsigned char sk[32] = { 624 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 625 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 626 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 627 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 628 }; 629 const unsigned char pk[32] = { 630 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 631 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 632 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 633 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 634 }; 635 const unsigned char aux_rand[32] = { 636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 640 }; 641 /* const unsigned char msg[0] = {}; */ 642 const unsigned char sig[64] = { 643 0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB, 644 0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18, 645 0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC, 646 0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF, 647 0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62, 648 0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64, 649 0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27, 650 0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63, 651 }; 652 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig); 653 test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1); 654 } 655 { 656 /* Test vector 16 */ 657 const unsigned char sk[32] = { 658 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 659 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 660 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 661 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 662 }; 663 const unsigned char pk[32] = { 664 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 665 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 666 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 667 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 668 }; 669 const unsigned char aux_rand[32] = { 670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 672 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 673 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 674 }; 675 const unsigned char msg[] = { 0x11 }; 676 const unsigned char sig[64] = { 677 0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24, 678 0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A, 679 0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35, 680 0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03, 681 0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD, 682 0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96, 683 0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33, 684 0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF, 685 }; 686 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 687 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 688 } 689 { 690 /* Test vector 17 */ 691 const unsigned char sk[32] = { 692 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 693 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 694 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 695 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 696 }; 697 const unsigned char pk[32] = { 698 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 699 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 700 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 701 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 702 }; 703 const unsigned char aux_rand[32] = { 704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 708 }; 709 const unsigned char msg[] = { 710 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 711 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 712 0x11, 713 }; 714 const unsigned char sig[64] = { 715 0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B, 716 0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B, 717 0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52, 718 0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70, 719 0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8, 720 0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC, 721 0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51, 722 0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5, 723 }; 724 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 725 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 726 } 727 { 728 /* Test vector 18 */ 729 const unsigned char sk[32] = { 730 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 731 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 732 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 733 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 734 }; 735 const unsigned char pk[32] = { 736 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 737 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 738 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 739 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 740 }; 741 const unsigned char aux_rand[32] = { 742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 746 }; 747 const unsigned char sig[64] = { 748 0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34, 749 0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63, 750 0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F, 751 0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8, 752 0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7, 753 0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23, 754 0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0, 755 0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67, 756 }; 757 unsigned char msg[100]; 758 memset(msg, 0x99, sizeof(msg)); 759 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 760 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 761 } 762 } 763 764 /* Nonce function that returns constant 0 */ 765 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { 766 (void) msg; 767 (void) msglen; 768 (void) key32; 769 (void) xonly_pk32; 770 (void) algo; 771 (void) algolen; 772 (void) data; 773 (void) nonce32; 774 return 0; 775 } 776 777 /* Nonce function that sets nonce to 0 */ 778 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { 779 (void) msg; 780 (void) msglen; 781 (void) key32; 782 (void) xonly_pk32; 783 (void) algo; 784 (void) algolen; 785 (void) data; 786 787 memset(nonce32, 0, 32); 788 return 1; 789 } 790 791 /* Nonce function that sets nonce to 0xFF...0xFF */ 792 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { 793 (void) msg; 794 (void) msglen; 795 (void) key32; 796 (void) xonly_pk32; 797 (void) algo; 798 (void) algolen; 799 (void) data; 800 801 memset(nonce32, 0xFF, 32); 802 return 1; 803 } 804 805 static void test_schnorrsig_sign(void) { 806 unsigned char sk[32]; 807 secp256k1_xonly_pubkey pk; 808 secp256k1_keypair keypair; 809 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'}; 810 unsigned char sig[64]; 811 unsigned char sig2[64]; 812 unsigned char zeros64[64] = { 0 }; 813 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; 814 unsigned char aux_rand[32]; 815 816 testrand256(sk); 817 testrand256(aux_rand); 818 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 819 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); 820 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1); 821 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); 822 /* Check that deprecated alias gives the same result */ 823 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1); 824 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0); 825 826 /* Test different nonce functions */ 827 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); 828 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); 829 memset(sig, 1, sizeof(sig)); 830 extraparams.noncefp = nonce_function_failing; 831 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); 832 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0); 833 memset(&sig, 1, sizeof(sig)); 834 extraparams.noncefp = nonce_function_0; 835 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); 836 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0); 837 memset(&sig, 1, sizeof(sig)); 838 extraparams.noncefp = nonce_function_overflowing; 839 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); 840 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); 841 842 /* When using the default nonce function, schnorrsig_sign_custom produces 843 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */ 844 extraparams.noncefp = NULL; 845 extraparams.ndata = aux_rand; 846 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); 847 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1); 848 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0); 849 } 850 851 #define N_SIGS 3 852 /* Creates N_SIGS valid signatures and verifies them with verify and 853 * verify_batch (TODO). Then flips some bits and checks that verification now 854 * fails. */ 855 static void test_schnorrsig_sign_verify(void) { 856 unsigned char sk[32]; 857 unsigned char msg[N_SIGS][32]; 858 unsigned char sig[N_SIGS][64]; 859 size_t i; 860 secp256k1_keypair keypair; 861 secp256k1_xonly_pubkey pk; 862 secp256k1_scalar s; 863 864 testrand256(sk); 865 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 866 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); 867 868 for (i = 0; i < N_SIGS; i++) { 869 testrand256(msg[i]); 870 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL)); 871 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk)); 872 } 873 874 { 875 /* Flip a few bits in the signature and in the message and check that 876 * verify and verify_batch (TODO) fail */ 877 size_t sig_idx = testrand_int(N_SIGS); 878 size_t byte_idx = testrand_bits(5); 879 unsigned char xorbyte = testrand_int(254)+1; 880 sig[sig_idx][byte_idx] ^= xorbyte; 881 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 882 sig[sig_idx][byte_idx] ^= xorbyte; 883 884 byte_idx = testrand_bits(5); 885 sig[sig_idx][32+byte_idx] ^= xorbyte; 886 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 887 sig[sig_idx][32+byte_idx] ^= xorbyte; 888 889 byte_idx = testrand_bits(5); 890 msg[sig_idx][byte_idx] ^= xorbyte; 891 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 892 msg[sig_idx][byte_idx] ^= xorbyte; 893 894 /* Check that above bitflips have been reversed correctly */ 895 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 896 } 897 898 /* Test overflowing s */ 899 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL)); 900 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 901 memset(&sig[0][32], 0xFF, 32); 902 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 903 904 /* Test negative s */ 905 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL)); 906 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 907 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL); 908 secp256k1_scalar_negate(&s, &s); 909 secp256k1_scalar_get_b32(&sig[0][32], &s); 910 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 911 912 /* The empty message can be signed & verified */ 913 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1); 914 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1); 915 916 { 917 /* Test varying message lengths */ 918 unsigned char msg_large[32 * 8]; 919 uint32_t msglen = testrand_int(sizeof(msg_large)); 920 for (i = 0; i < sizeof(msg_large); i += 32) { 921 testrand256(&msg_large[i]); 922 } 923 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1); 924 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1); 925 /* Verification for a random wrong message length fails */ 926 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large); 927 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0); 928 } 929 } 930 #undef N_SIGS 931 932 static void test_schnorrsig_taproot(void) { 933 unsigned char sk[32]; 934 secp256k1_keypair keypair; 935 secp256k1_xonly_pubkey internal_pk; 936 unsigned char internal_pk_bytes[32]; 937 secp256k1_xonly_pubkey output_pk; 938 unsigned char output_pk_bytes[32]; 939 unsigned char tweak[32]; 940 int pk_parity; 941 unsigned char msg[32]; 942 unsigned char sig[64]; 943 944 /* Create output key */ 945 testrand256(sk); 946 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); 947 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1); 948 /* In actual taproot the tweak would be hash of internal_pk */ 949 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1); 950 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); 951 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1); 952 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1); 953 954 /* Key spend */ 955 testrand256(msg); 956 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1); 957 /* Verify key spend */ 958 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1); 959 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1); 960 961 /* Script spend */ 962 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1); 963 /* Verify script spend */ 964 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1); 965 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1); 966 } 967 968 static void run_schnorrsig_tests(void) { 969 int i; 970 run_nonce_function_bip340_tests(); 971 972 test_schnorrsig_api(); 973 test_schnorrsig_sha256_tagged(); 974 test_schnorrsig_bip_vectors(); 975 for (i = 0; i < COUNT; i++) { 976 test_schnorrsig_sign(); 977 test_schnorrsig_sign_verify(); 978 } 979 test_schnorrsig_taproot(); 980 } 981 982 #endif