tests_impl.h
1 /*********************************************************************** 2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H 8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H 9 10 #include "../../../include/secp256k1_schnorrsig.h" 11 #include "../../unit_test.h" 12 13 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many 14 * bytes) changes the hash function 15 */ 16 static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) { 17 unsigned char nonces[2][32]; 18 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1); 19 testrand_flip(args[n_flip], n_bytes); 20 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1); 21 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0); 22 } 23 24 static void run_nonce_function_bip340_tests(void) { 25 /* "BIP0340/nonce" */ 26 static const unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'}; 27 /* "BIP0340/aux" */ 28 static const unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'}; 29 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'}; 30 size_t algolen = sizeof(algo); 31 secp256k1_sha256 sha_optimized; 32 unsigned char nonce[32], nonce_z[32]; 33 unsigned char msg[32]; 34 size_t msglen = sizeof(msg); 35 unsigned char key[32]; 36 unsigned char pk[32]; 37 unsigned char aux_rand[32]; 38 unsigned char *args[5]; 39 int i; 40 41 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 42 43 /* Check that hash initialized by 44 * secp256k1_nonce_function_bip340_sha256_tagged has the expected 45 * state. */ 46 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized); 47 test_sha256_tag_midstate(hash_ctx, &sha_optimized, tag, sizeof(tag)); 48 49 50 /* Check that hash initialized by 51 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected 52 * state. */ 53 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized); 54 test_sha256_tag_midstate(hash_ctx, &sha_optimized, aux_tag, sizeof(aux_tag)); 55 56 testrand256(msg); 57 testrand256(key); 58 testrand256(pk); 59 testrand256(aux_rand); 60 61 /* Check that a bitflip in an argument results in different nonces. */ 62 args[0] = msg; 63 args[1] = key; 64 args[2] = pk; 65 args[3] = algo; 66 args[4] = aux_rand; 67 for (i = 0; i < COUNT; i++) { 68 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen); 69 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen); 70 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen); 71 /* Flip algo special case "BIP0340/nonce" */ 72 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen); 73 /* Flip algo again */ 74 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen); 75 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen); 76 } 77 78 /* NULL algo is disallowed */ 79 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0); 80 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); 81 /* Other algo is fine */ 82 testrand_bytes_test(algo, algolen); 83 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); 84 85 for (i = 0; i < COUNT; i++) { 86 unsigned char nonce2[32]; 87 uint32_t offset = testrand_int(msglen - 1); 88 size_t msglen_tmp = (msglen + offset) % msglen; 89 size_t algolen_tmp; 90 91 /* Different msglen gives different nonce */ 92 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1); 93 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); 94 95 /* Different algolen gives different nonce */ 96 offset = testrand_int(algolen - 1); 97 algolen_tmp = (algolen + offset) % algolen; 98 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1); 99 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); 100 } 101 102 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */ 103 memset(aux_rand, 0, 32); 104 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1); 105 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); 106 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0); 107 } 108 109 static void test_schnorrsig_api(void) { 110 unsigned char sk1[32]; 111 unsigned char sk2[32]; 112 unsigned char sk3[32]; 113 unsigned char msg[32]; 114 secp256k1_keypair keypairs[3]; 115 secp256k1_keypair invalid_keypair = {{ 0 }}; 116 secp256k1_xonly_pubkey pk[3]; 117 secp256k1_xonly_pubkey zero_pk; 118 unsigned char sig[64]; 119 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; 120 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL}; 121 122 testrand256(sk1); 123 testrand256(sk2); 124 testrand256(sk3); 125 testrand256(msg); 126 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1); 127 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1); 128 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1); 129 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1); 130 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1); 131 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1); 132 memset(&zero_pk, 0, sizeof(zero_pk)); 133 134 /** main test body **/ 135 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1); 136 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL)); 137 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL)); 138 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL)); 139 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL)); 140 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL)); 141 142 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1); 143 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams)); 144 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams)); 145 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1); 146 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams)); 147 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams)); 148 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1); 149 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams)); 150 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams)); 151 152 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1); 153 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1); 154 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0])); 155 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0])); 156 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0); 157 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL)); 158 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk)); 159 } 160 161 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the 162 * expected state. */ 163 static void test_schnorrsig_sha256_tagged(void) { 164 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'}; 165 secp256k1_sha256 sha; 166 secp256k1_sha256 sha_optimized; 167 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX); 168 169 secp256k1_sha256_initialize_tagged(hash_ctx, &sha, (unsigned char *) tag, sizeof(tag)); 170 secp256k1_schnorrsig_sha256_tagged(&sha_optimized); 171 test_sha256_eq(&sha, &sha_optimized); 172 } 173 174 /* Helper function for schnorrsig_bip_vectors 175 * Signs the message and checks that it's the same as expected_sig. */ 176 static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) { 177 unsigned char sig[64]; 178 secp256k1_keypair keypair; 179 secp256k1_xonly_pubkey pk, pk_expected; 180 181 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; 182 extraparams.ndata = (unsigned char*)aux_rand; 183 184 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 185 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams)); 186 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0); 187 if (msglen == 32) { 188 memset(sig, 0, 64); 189 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand)); 190 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0); 191 } 192 193 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized)); 194 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); 195 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0); 196 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk)); 197 } 198 199 /* Helper function for schnorrsig_bip_vectors 200 * Checks that both verify and verify_batch (TODO) return the same value as expected. */ 201 static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) { 202 secp256k1_xonly_pubkey pk; 203 204 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized)); 205 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk)); 206 } 207 208 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See 209 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */ 210 static void test_schnorrsig_bip_vectors(void) { 211 { 212 /* Test vector 0 */ 213 const unsigned char sk[32] = { 214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 218 }; 219 const unsigned char pk[32] = { 220 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 221 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 222 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0, 223 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 224 }; 225 const unsigned char aux_rand[32] = { 226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 230 }; 231 const unsigned char msg[32] = { 232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 236 }; 237 const unsigned char sig[64] = { 238 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10, 239 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36, 240 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08, 241 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15, 242 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71, 243 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5, 244 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47, 245 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0 246 }; 247 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 248 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 249 } 250 { 251 /* Test vector 1 */ 252 const unsigned char sk[32] = { 253 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, 254 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, 255 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, 256 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF 257 }; 258 const unsigned char pk[32] = { 259 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 260 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 261 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 262 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 263 }; 264 const unsigned char aux_rand[32] = { 265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 269 }; 270 const unsigned char msg[32] = { 271 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 272 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 273 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 274 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 275 }; 276 const unsigned char sig[64] = { 277 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D, 278 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07, 279 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17, 280 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41, 281 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC, 282 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA, 283 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C, 284 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A 285 }; 286 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 287 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 288 } 289 { 290 /* Test vector 2 */ 291 const unsigned char sk[32] = { 292 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 293 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 294 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 295 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9 296 }; 297 const unsigned char pk[32] = { 298 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 299 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 300 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9, 301 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 302 }; 303 const unsigned char aux_rand[32] = { 304 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE, 305 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC, 306 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C, 307 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06 308 }; 309 const unsigned char msg[32] = { 310 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A, 311 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D, 312 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33, 313 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C 314 }; 315 const unsigned char sig[64] = { 316 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7, 317 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94, 318 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B, 319 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B, 320 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A, 321 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C, 322 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E, 323 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7 324 }; 325 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 326 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 327 } 328 { 329 /* Test vector 3 */ 330 const unsigned char sk[32] = { 331 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81, 332 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0, 333 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54, 334 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10 335 }; 336 const unsigned char pk[32] = { 337 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25, 338 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD, 339 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A, 340 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17 341 }; 342 const unsigned char aux_rand[32] = { 343 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 344 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 345 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 346 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 347 }; 348 const unsigned char msg[32] = { 349 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 350 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 351 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 352 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 353 }; 354 const unsigned char sig[64] = { 355 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1, 356 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9, 357 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6, 358 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC, 359 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93, 360 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A, 361 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27, 362 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3 363 }; 364 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 365 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 366 } 367 { 368 /* Test vector 4 */ 369 const unsigned char pk[32] = { 370 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12, 371 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83, 372 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA, 373 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9 374 }; 375 const unsigned char msg[32] = { 376 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2, 377 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24, 378 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B, 379 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03 380 }; 381 const unsigned char sig[64] = { 382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 383 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F, 384 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28, 385 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63, 386 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3, 387 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10, 388 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93, 389 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4 390 }; 391 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 392 } 393 { 394 /* Test vector 5 */ 395 const unsigned char pk[32] = { 396 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50, 397 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21, 398 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87, 399 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34 400 }; 401 secp256k1_xonly_pubkey pk_parsed; 402 /* No need to check the signature of the test vector as parsing the pubkey already fails */ 403 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); 404 } 405 { 406 /* Test vector 6 */ 407 const unsigned char pk[32] = { 408 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 409 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 410 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 411 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 412 }; 413 const unsigned char msg[32] = { 414 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 415 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 416 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 417 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 418 }; 419 const unsigned char sig[64] = { 420 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4, 421 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3, 422 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B, 423 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56, 424 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07, 425 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF, 426 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E, 427 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2 428 }; 429 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 430 } 431 { 432 /* Test vector 7 */ 433 const unsigned char pk[32] = { 434 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 435 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 436 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 437 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 438 }; 439 const unsigned char msg[32] = { 440 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 441 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 442 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 443 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 444 }; 445 const unsigned char sig[64] = { 446 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C, 447 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7, 448 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4, 449 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F, 450 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89, 451 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8, 452 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35, 453 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD 454 }; 455 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 456 } 457 { 458 /* Test vector 8 */ 459 const unsigned char pk[32] = { 460 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 461 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 462 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 463 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 464 }; 465 const unsigned char msg[32] = { 466 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 467 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 468 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 469 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 470 }; 471 const unsigned char sig[64] = { 472 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA, 473 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F, 474 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96, 475 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69, 476 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC, 477 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26, 478 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C, 479 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6 480 }; 481 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 482 } 483 { 484 /* Test vector 9 */ 485 const unsigned char pk[32] = { 486 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 487 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 488 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 489 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 490 }; 491 const unsigned char msg[32] = { 492 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 493 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 494 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 495 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 496 }; 497 const unsigned char sig[64] = { 498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 502 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23, 503 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA, 504 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC, 505 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51 506 }; 507 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 508 } 509 { 510 /* Test vector 10 */ 511 const unsigned char pk[32] = { 512 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 513 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 514 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 515 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 516 }; 517 const unsigned char msg[32] = { 518 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 519 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 520 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 521 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 522 }; 523 const unsigned char sig[64] = { 524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 526 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 527 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 528 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64, 529 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4, 530 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9, 531 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97 532 }; 533 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 534 } 535 { 536 /* Test vector 11 */ 537 const unsigned char pk[32] = { 538 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 539 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 540 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 541 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 542 }; 543 const unsigned char msg[32] = { 544 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 545 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 546 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 547 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 548 }; 549 const unsigned char sig[64] = { 550 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, 551 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, 552 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, 553 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, 554 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03, 555 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7, 556 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F, 557 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B 558 }; 559 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 560 } 561 { 562 /* Test vector 12 */ 563 const unsigned char pk[32] = { 564 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 565 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 566 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 567 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 568 }; 569 const unsigned char msg[32] = { 570 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 571 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 572 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 573 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 574 }; 575 const unsigned char sig[64] = { 576 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 577 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 578 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 579 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, 580 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03, 581 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7, 582 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F, 583 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B 584 }; 585 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 586 } 587 { 588 /* Test vector 13 */ 589 const unsigned char pk[32] = { 590 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 591 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 592 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, 593 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 594 }; 595 const unsigned char msg[32] = { 596 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 597 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, 598 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, 599 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 600 }; 601 const unsigned char sig[64] = { 602 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA, 603 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F, 604 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96, 605 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69, 606 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 607 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 608 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 609 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 610 }; 611 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0); 612 } 613 { 614 /* Test vector 14 */ 615 const unsigned char pk[32] = { 616 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 617 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 618 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 619 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30 620 }; 621 secp256k1_xonly_pubkey pk_parsed; 622 /* No need to check the signature of the test vector as parsing the pubkey already fails */ 623 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); 624 } 625 { 626 /* Test vector 15 */ 627 const unsigned char sk[32] = { 628 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 629 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 630 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 631 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 632 }; 633 const unsigned char pk[32] = { 634 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 635 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 636 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 637 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 638 }; 639 const unsigned char aux_rand[32] = { 640 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 641 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 644 }; 645 /* const unsigned char msg[0] = {}; */ 646 const unsigned char sig[64] = { 647 0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB, 648 0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18, 649 0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC, 650 0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF, 651 0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62, 652 0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64, 653 0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27, 654 0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63, 655 }; 656 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig); 657 test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1); 658 } 659 { 660 /* Test vector 16 */ 661 const unsigned char sk[32] = { 662 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 663 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 664 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 665 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 666 }; 667 const unsigned char pk[32] = { 668 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 669 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 670 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 671 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 672 }; 673 const unsigned char aux_rand[32] = { 674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 675 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 677 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 678 }; 679 const unsigned char msg[] = { 0x11 }; 680 const unsigned char sig[64] = { 681 0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24, 682 0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A, 683 0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35, 684 0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03, 685 0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD, 686 0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96, 687 0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33, 688 0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF, 689 }; 690 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 691 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 692 } 693 { 694 /* Test vector 17 */ 695 const unsigned char sk[32] = { 696 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 697 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 698 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 699 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 700 }; 701 const unsigned char pk[32] = { 702 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 703 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 704 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 705 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 706 }; 707 const unsigned char aux_rand[32] = { 708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 712 }; 713 const unsigned char msg[] = { 714 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 715 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 716 0x11, 717 }; 718 const unsigned char sig[64] = { 719 0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B, 720 0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B, 721 0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52, 722 0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70, 723 0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8, 724 0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC, 725 0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51, 726 0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5, 727 }; 728 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 729 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 730 } 731 { 732 /* Test vector 18 */ 733 const unsigned char sk[32] = { 734 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 735 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 736 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 737 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 738 }; 739 const unsigned char pk[32] = { 740 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4, 741 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22, 742 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23, 743 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17, 744 }; 745 const unsigned char aux_rand[32] = { 746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 750 }; 751 const unsigned char sig[64] = { 752 0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34, 753 0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63, 754 0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F, 755 0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8, 756 0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7, 757 0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23, 758 0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0, 759 0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67, 760 }; 761 unsigned char msg[100]; 762 memset(msg, 0x99, sizeof(msg)); 763 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig); 764 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1); 765 } 766 } 767 768 /* Nonce function that returns constant 0 */ 769 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { 770 (void) msg; 771 (void) msglen; 772 (void) key32; 773 (void) xonly_pk32; 774 (void) algo; 775 (void) algolen; 776 (void) data; 777 (void) nonce32; 778 return 0; 779 } 780 781 /* Nonce function that sets nonce to 0 */ 782 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { 783 (void) msg; 784 (void) msglen; 785 (void) key32; 786 (void) xonly_pk32; 787 (void) algo; 788 (void) algolen; 789 (void) data; 790 791 memset(nonce32, 0, 32); 792 return 1; 793 } 794 795 /* Nonce function that sets nonce to 0xFF...0xFF */ 796 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { 797 (void) msg; 798 (void) msglen; 799 (void) key32; 800 (void) xonly_pk32; 801 (void) algo; 802 (void) algolen; 803 (void) data; 804 805 memset(nonce32, 0xFF, 32); 806 return 1; 807 } 808 809 static void test_schnorrsig_sign_internal(void) { 810 unsigned char sk[32]; 811 secp256k1_xonly_pubkey pk; 812 secp256k1_keypair keypair; 813 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'}; 814 unsigned char sig[64]; 815 unsigned char sig2[64]; 816 unsigned char zeros64[64] = { 0 }; 817 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT; 818 unsigned char aux_rand[32]; 819 820 testrand256(sk); 821 testrand256(aux_rand); 822 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 823 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); 824 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1); 825 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); 826 /* Check that deprecated alias gives the same result */ 827 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1); 828 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0); 829 830 /* Test different nonce functions */ 831 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); 832 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); 833 memset(sig, 1, sizeof(sig)); 834 extraparams.noncefp = nonce_function_failing; 835 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); 836 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0); 837 memset(&sig, 1, sizeof(sig)); 838 extraparams.noncefp = nonce_function_0; 839 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); 840 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0); 841 memset(&sig, 1, sizeof(sig)); 842 extraparams.noncefp = nonce_function_overflowing; 843 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); 844 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); 845 846 /* When using the default nonce function, schnorrsig_sign_custom produces 847 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */ 848 extraparams.noncefp = NULL; 849 extraparams.ndata = aux_rand; 850 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); 851 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1); 852 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0); 853 } 854 855 DEFINE_SHA256_TRANSFORM_PROBE(sha256_schnorrsig) 856 static void test_schnorrsig_ctx_sha256(void) { 857 /* Check ctx-provided SHA256 compression override takes effect */ 858 secp256k1_context *ctx = secp256k1_context_clone(CTX); 859 unsigned char out_default[64], out_custom[64]; 860 unsigned char sk[32] = {1}, msg32[32] = {1}; 861 secp256k1_keypair keypair; 862 CHECK(secp256k1_keypair_create(ctx, &keypair, sk)); 863 864 /* Default behavior. No ctx-provided SHA256 compression */ 865 CHECK(secp256k1_schnorrsig_sign32(ctx, out_default, msg32, &keypair, NULL)); 866 CHECK(!sha256_schnorrsig_called); 867 868 /* Override SHA256 compression directly, bypassing the ctx setter sanity checks */ 869 ctx->hash_ctx.fn_sha256_compression = sha256_schnorrsig; 870 CHECK(secp256k1_schnorrsig_sign32(ctx, out_custom, msg32, &keypair, NULL)); 871 CHECK(sha256_schnorrsig_called); 872 /* Outputs must differ if custom compression was used */ 873 CHECK(secp256k1_memcmp_var(out_default, out_custom, 64) != 0); 874 875 secp256k1_context_destroy(ctx); 876 } 877 878 #define N_SIGS 3 879 /* Creates N_SIGS valid signatures and verifies them with verify and 880 * verify_batch (TODO). Then flips some bits and checks that verification now 881 * fails. */ 882 static void test_schnorrsig_sign_verify_internal(void) { 883 unsigned char sk[32]; 884 unsigned char msg[N_SIGS][32]; 885 unsigned char sig[N_SIGS][64]; 886 size_t i; 887 secp256k1_keypair keypair; 888 secp256k1_xonly_pubkey pk; 889 secp256k1_scalar s; 890 891 testrand256(sk); 892 CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); 893 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); 894 895 for (i = 0; i < N_SIGS; i++) { 896 testrand256(msg[i]); 897 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL)); 898 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk)); 899 } 900 901 { 902 /* Flip a few bits in the signature and in the message and check that 903 * verify and verify_batch (TODO) fail */ 904 size_t sig_idx = testrand_int(N_SIGS); 905 size_t byte_idx = testrand_bits(5); 906 unsigned char xorbyte = testrand_int(254)+1; 907 sig[sig_idx][byte_idx] ^= xorbyte; 908 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 909 sig[sig_idx][byte_idx] ^= xorbyte; 910 911 byte_idx = testrand_bits(5); 912 sig[sig_idx][32+byte_idx] ^= xorbyte; 913 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 914 sig[sig_idx][32+byte_idx] ^= xorbyte; 915 916 byte_idx = testrand_bits(5); 917 msg[sig_idx][byte_idx] ^= xorbyte; 918 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 919 msg[sig_idx][byte_idx] ^= xorbyte; 920 921 /* Check that above bitflips have been reversed correctly */ 922 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); 923 } 924 925 /* Test overflowing s */ 926 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL)); 927 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 928 memset(&sig[0][32], 0xFF, 32); 929 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 930 931 /* Test negative s */ 932 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL)); 933 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 934 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL); 935 secp256k1_scalar_negate(&s, &s); 936 secp256k1_scalar_get_b32(&sig[0][32], &s); 937 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); 938 939 /* The empty message can be signed & verified */ 940 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1); 941 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1); 942 943 { 944 /* Test varying message lengths */ 945 unsigned char msg_large[32 * 8]; 946 uint32_t msglen = testrand_int(sizeof(msg_large)); 947 for (i = 0; i < sizeof(msg_large); i += 32) { 948 testrand256(&msg_large[i]); 949 } 950 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1); 951 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1); 952 /* Verification for a random wrong message length fails */ 953 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large); 954 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0); 955 } 956 } 957 #undef N_SIGS 958 959 static void test_schnorrsig_taproot(void) { 960 unsigned char sk[32]; 961 secp256k1_keypair keypair; 962 secp256k1_xonly_pubkey internal_pk; 963 unsigned char internal_pk_bytes[32]; 964 secp256k1_xonly_pubkey output_pk; 965 unsigned char output_pk_bytes[32]; 966 unsigned char tweak[32]; 967 int pk_parity; 968 unsigned char msg[32]; 969 unsigned char sig[64]; 970 971 /* Create output key */ 972 testrand256(sk); 973 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); 974 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1); 975 /* In actual taproot the tweak would be hash of internal_pk */ 976 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1); 977 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); 978 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1); 979 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1); 980 981 /* Key spend */ 982 testrand256(msg); 983 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1); 984 /* Verify key spend */ 985 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1); 986 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1); 987 988 /* Script spend */ 989 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1); 990 /* Verify script spend */ 991 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1); 992 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1); 993 } 994 995 /* --- Test registry --- */ 996 REPEAT_TEST(test_schnorrsig_sign) 997 REPEAT_TEST(test_schnorrsig_sign_verify) 998 999 static const struct tf_test_entry tests_schnorrsig[] = { 1000 CASE(nonce_function_bip340_tests), 1001 CASE1(test_schnorrsig_api), 1002 CASE1(test_schnorrsig_sha256_tagged), 1003 CASE1(test_schnorrsig_bip_vectors), 1004 CASE1(test_schnorrsig_sign), 1005 CASE1(test_schnorrsig_sign_verify), 1006 CASE1(test_schnorrsig_taproot), 1007 CASE1(test_schnorrsig_ctx_sha256), 1008 }; 1009 1010 #endif