Bitcoin ABC 0.32.11
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "../../../include/secp256k1_schnorrsig.h"
11
12/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13 * bytes) changes the hash function
14 */
15void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16 unsigned char nonces[2][32];
17 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18 secp256k1_testrand_flip(args[n_flip], n_bytes);
19 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21}
22
23/* Tests for the equality of two sha256 structs. This function only produces a
24 * correct result if an integer multiple of 64 many bytes have been written
25 * into the hash functions. */
26void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27 /* Is buffer fully consumed? */
28 CHECK((sha1->bytes & 0x3F) == 0);
29
30 CHECK(sha1->bytes == sha2->bytes);
31 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32}
33
34void run_nonce_function_bip340_tests(void) {
35 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
36 unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'};
37 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
38 size_t algolen = sizeof(algo);
39 secp256k1_sha256 sha;
40 secp256k1_sha256 sha_optimized;
41 unsigned char nonce[32], nonce_z[32];
42 unsigned char msg[32];
43 size_t msglen = sizeof(msg);
44 unsigned char key[32];
45 unsigned char pk[32];
46 unsigned char aux_rand[32];
47 unsigned char *args[5];
48 int i;
49
50 /* Check that hash initialized by
51 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52 * state. */
53 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
54 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
55 test_sha256_eq(&sha, &sha_optimized);
56
57 /* Check that hash initialized by
58 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59 * state. */
60 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
61 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
62 test_sha256_eq(&sha, &sha_optimized);
63
64 secp256k1_testrand256(msg);
65 secp256k1_testrand256(key);
66 secp256k1_testrand256(pk);
67 secp256k1_testrand256(aux_rand);
68
69 /* Check that a bitflip in an argument results in different nonces. */
70 args[0] = msg;
71 args[1] = key;
72 args[2] = pk;
73 args[3] = algo;
74 args[4] = aux_rand;
75 for (i = 0; i < COUNT; i++) {
76 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79 /* Flip algo special case "BIP0340/nonce" */
80 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81 /* Flip algo again */
82 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84 }
85
86 /* NULL algo is disallowed */
87 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89 /* Other algo is fine */
90 secp256k1_testrand_bytes_test(algo, algolen);
91 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92
93 for (i = 0; i < COUNT; i++) {
94 unsigned char nonce2[32];
95 uint32_t offset = secp256k1_testrand_int(msglen - 1);
96 size_t msglen_tmp = (msglen + offset) % msglen;
97 size_t algolen_tmp;
98
99 /* Different msglen gives different nonce */
100 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102
103 /* Different algolen gives different nonce */
104 offset = secp256k1_testrand_int(algolen - 1);
105 algolen_tmp = (algolen + offset) % algolen;
106 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108 }
109
110 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
111 memset(aux_rand, 0, 32);
112 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
113 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
114 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
115}
116
117void test_schnorrsig_api(void) {
118 unsigned char sk1[32];
119 unsigned char sk2[32];
120 unsigned char sk3[32];
121 unsigned char msg[32];
122 secp256k1_keypair keypairs[3];
123 secp256k1_keypair invalid_keypair = {{ 0 }};
124 secp256k1_xonly_pubkey pk[3];
125 secp256k1_xonly_pubkey zero_pk;
126 unsigned char sig[64];
127 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
128 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
129
131 int ecount = 0;
132
133 secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
134 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
135 secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
136 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
137
138 secp256k1_testrand256(sk1);
139 secp256k1_testrand256(sk2);
140 secp256k1_testrand256(sk3);
141 secp256k1_testrand256(msg);
142 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
143 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
144 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
145 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
146 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
147 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
148 memset(&zero_pk, 0, sizeof(zero_pk));
149
151 ecount = 0;
152 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
153 CHECK(ecount == 0);
154 CHECK(secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL) == 0);
155 CHECK(ecount == 1);
156 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL) == 0);
157 CHECK(ecount == 2);
158 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL) == 0);
159 CHECK(ecount == 3);
160 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL) == 0);
161 CHECK(ecount == 4);
162 CHECK(secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL) == 0);
163 CHECK(ecount == 5);
164
165 ecount = 0;
166 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
167 CHECK(ecount == 0);
168 CHECK(secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
169 CHECK(ecount == 1);
170 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
171 CHECK(ecount == 2);
172 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
173 CHECK(ecount == 2);
174 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
175 CHECK(ecount == 3);
176 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
177 CHECK(ecount == 4);
178 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
179 CHECK(ecount == 4);
180 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
181 CHECK(ecount == 5);
182 CHECK(secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
183 CHECK(ecount == 6);
184
185 ecount = 0;
186 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
187 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
188 CHECK(ecount == 0);
189 CHECK(secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]) == 0);
190 CHECK(ecount == 1);
191 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]) == 0);
192 CHECK(ecount == 2);
193 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
194 CHECK(ecount == 2);
195 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL) == 0);
196 CHECK(ecount == 3);
197 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk) == 0);
198 CHECK(ecount == 4);
199
200 secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
201 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
202}
203
204/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
205 * expected state. */
206void test_schnorrsig_sha256_tagged(void) {
207 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'};
208 secp256k1_sha256 sha;
209 secp256k1_sha256 sha_optimized;
210
211 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
212 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
213 test_sha256_eq(&sha, &sha_optimized);
214}
215
216/* Helper function for schnorrsig_bip_vectors
217 * Signs the message and checks that it's the same as expected_sig. */
218void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
219 unsigned char sig[64];
220 secp256k1_keypair keypair;
221 secp256k1_xonly_pubkey pk, pk_expected;
222
223 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
224 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg32, &keypair, aux_rand));
225 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
226
227 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
228 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
229 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
230 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk));
231}
232
233/* Helper function for schnorrsig_bip_vectors
234 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
235void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
236 secp256k1_xonly_pubkey pk;
237
238 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
239 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk));
240}
241
242/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
243 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
244void test_schnorrsig_bip_vectors(void) {
245 {
246 /* Test vector 0 */
247 const unsigned char sk[32] = {
248 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
252 };
253 const unsigned char pk[32] = {
254 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
255 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
256 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
257 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
258 };
259 unsigned char aux_rand[32] = {
260 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
264 };
265 const unsigned char msg[32] = {
266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
270 };
271 const unsigned char sig[64] = {
272 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
273 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
274 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
275 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
276 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
277 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
278 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
279 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
280 };
281 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
282 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
283 }
284 {
285 /* Test vector 1 */
286 const unsigned char sk[32] = {
287 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
288 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
289 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
290 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
291 };
292 const unsigned char pk[32] = {
293 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
294 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
295 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
296 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
297 };
298 unsigned char aux_rand[32] = {
299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
300 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
303 };
304 const unsigned char msg[32] = {
305 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
306 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
307 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
308 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
309 };
310 const unsigned char sig[64] = {
311 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
312 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
313 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
314 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
315 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
316 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
317 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
318 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
319 };
320 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
321 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
322 }
323 {
324 /* Test vector 2 */
325 const unsigned char sk[32] = {
326 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
327 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
328 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
329 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
330 };
331 const unsigned char pk[32] = {
332 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
333 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
334 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
335 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
336 };
337 unsigned char aux_rand[32] = {
338 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
339 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
340 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
341 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
342 };
343 const unsigned char msg[32] = {
344 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
345 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
346 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
347 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
348 };
349 const unsigned char sig[64] = {
350 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
351 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
352 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
353 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
354 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
355 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
356 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
357 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
358 };
359 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
360 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
361 }
362 {
363 /* Test vector 3 */
364 const unsigned char sk[32] = {
365 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
366 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
367 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
368 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
369 };
370 const unsigned char pk[32] = {
371 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
372 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
373 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
374 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
375 };
376 unsigned char aux_rand[32] = {
377 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
378 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
379 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
380 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
381 };
382 const unsigned char msg[32] = {
383 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
384 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
385 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
386 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
387 };
388 const unsigned char sig[64] = {
389 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
390 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
391 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
392 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
393 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
394 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
395 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
396 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
397 };
398 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
399 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
400 }
401 {
402 /* Test vector 4 */
403 const unsigned char pk[32] = {
404 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
405 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
406 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
407 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
408 };
409 const unsigned char msg[32] = {
410 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
411 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
412 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
413 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
414 };
415 const unsigned char sig[64] = {
416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
417 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
418 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
419 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
420 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
421 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
422 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
423 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
424 };
425 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
426 }
427 {
428 /* Test vector 5 */
429 const unsigned char pk[32] = {
430 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
431 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
432 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
433 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
434 };
435 secp256k1_xonly_pubkey pk_parsed;
436 /* No need to check the signature of the test vector as parsing the pubkey already fails */
437 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
438 }
439 {
440 /* Test vector 6 */
441 const unsigned char pk[32] = {
442 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
443 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
444 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
445 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
446 };
447 const unsigned char msg[32] = {
448 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
449 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
450 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
451 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
452 };
453 const unsigned char sig[64] = {
454 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
455 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
456 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
457 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
458 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
459 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
460 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
461 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
462 };
463 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
464 }
465 {
466 /* Test vector 7 */
467 const unsigned char pk[32] = {
468 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
469 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
470 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
471 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
472 };
473 const unsigned char msg[32] = {
474 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
475 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
476 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
477 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
478 };
479 const unsigned char sig[64] = {
480 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
481 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
482 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
483 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
484 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
485 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
486 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
487 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
488 };
489 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
490 }
491 {
492 /* Test vector 8 */
493 const unsigned char pk[32] = {
494 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
495 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
496 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
497 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
498 };
499 const unsigned char msg[32] = {
500 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
501 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
502 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
503 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
504 };
505 const unsigned char sig[64] = {
506 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
507 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
508 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
509 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
510 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
511 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
512 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
513 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
514 };
515 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
516 }
517 {
518 /* Test vector 9 */
519 const unsigned char pk[32] = {
520 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
521 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
522 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
523 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
524 };
525 const unsigned char msg[32] = {
526 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
527 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
528 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
529 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
530 };
531 const unsigned char sig[64] = {
532 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
534 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
536 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
537 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
538 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
539 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
540 };
541 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
542 }
543 {
544 /* Test vector 10 */
545 const unsigned char pk[32] = {
546 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
547 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
548 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
549 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
550 };
551 const unsigned char msg[32] = {
552 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
553 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
554 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
555 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
556 };
557 const unsigned char sig[64] = {
558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
562 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
563 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
564 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
565 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
566 };
567 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
568 }
569 {
570 /* Test vector 11 */
571 const unsigned char pk[32] = {
572 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
573 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
574 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
575 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
576 };
577 const unsigned char msg[32] = {
578 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
579 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
580 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
581 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
582 };
583 const unsigned char sig[64] = {
584 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
585 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
586 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
587 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
588 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
589 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
590 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
591 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
592 };
593 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
594 }
595 {
596 /* Test vector 12 */
597 const unsigned char pk[32] = {
598 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
599 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
600 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
601 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
602 };
603 const unsigned char msg[32] = {
604 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
605 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
606 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
607 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
608 };
609 const unsigned char sig[64] = {
610 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
611 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
612 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
613 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
614 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
615 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
616 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
617 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
618 };
619 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
620 }
621 {
622 /* Test vector 13 */
623 const unsigned char pk[32] = {
624 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
625 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
626 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
627 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
628 };
629 const unsigned char msg[32] = {
630 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
631 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
632 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
633 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
634 };
635 const unsigned char sig[64] = {
636 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
637 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
638 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
639 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
640 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
641 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
642 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
643 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
644 };
645 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
646 }
647 {
648 /* Test vector 14 */
649 const unsigned char pk[32] = {
650 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
651 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
652 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
653 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
654 };
655 secp256k1_xonly_pubkey pk_parsed;
656 /* No need to check the signature of the test vector as parsing the pubkey already fails */
657 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
658 }
659}
660
661/* Nonce function that returns constant 0 */
662static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
663 (void) msg;
664 (void) msglen;
665 (void) key32;
666 (void) xonly_pk32;
667 (void) algo;
668 (void) algolen;
669 (void) data;
670 (void) nonce32;
671 return 0;
672}
673
674/* Nonce function that sets nonce to 0 */
675static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
676 (void) msg;
677 (void) msglen;
678 (void) key32;
679 (void) xonly_pk32;
680 (void) algo;
681 (void) algolen;
682 (void) data;
683
684 memset(nonce32, 0, 32);
685 return 1;
686}
687
688/* Nonce function that sets nonce to 0xFF...0xFF */
689static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
690 (void) msg;
691 (void) msglen;
692 (void) key32;
693 (void) xonly_pk32;
694 (void) algo;
695 (void) algolen;
696 (void) data;
697
698 memset(nonce32, 0xFF, 32);
699 return 1;
700}
701
702void test_schnorrsig_sign(void) {
703 unsigned char sk[32];
704 secp256k1_xonly_pubkey pk;
705 secp256k1_keypair keypair;
706 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'};
707 unsigned char sig[64];
708 unsigned char sig2[64];
709 unsigned char zeros64[64] = { 0 };
710 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
711 unsigned char aux_rand[32];
712
713 secp256k1_testrand256(sk);
714 secp256k1_testrand256(aux_rand);
715 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
716 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
717 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
718 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
719 /* Check that deprecated alias gives the same result */
720 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
721 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
722
723 /* Test different nonce functions */
724 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
725 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
726 memset(sig, 1, sizeof(sig));
727 extraparams.noncefp = nonce_function_failing;
728 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
729 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
730 memset(&sig, 1, sizeof(sig));
731 extraparams.noncefp = nonce_function_0;
732 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
733 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
734 memset(&sig, 1, sizeof(sig));
735 extraparams.noncefp = nonce_function_overflowing;
736 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
737 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
738
739 /* When using the default nonce function, schnorrsig_sign_custom produces
740 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
741 extraparams.noncefp = NULL;
742 extraparams.ndata = aux_rand;
743 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
744 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
745 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
746}
747
748#define N_SIGS 3
749/* Creates N_SIGS valid signatures and verifies them with verify and
750 * verify_batch (TODO). Then flips some bits and checks that verification now
751 * fails. */
752void test_schnorrsig_sign_verify(void) {
753 unsigned char sk[32];
754 unsigned char msg[N_SIGS][32];
755 unsigned char sig[N_SIGS][64];
756 size_t i;
757 secp256k1_keypair keypair;
758 secp256k1_xonly_pubkey pk;
759 secp256k1_scalar s;
760
761 secp256k1_testrand256(sk);
762 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
763 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
764
765 for (i = 0; i < N_SIGS; i++) {
766 secp256k1_testrand256(msg[i]);
767 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
768 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
769 }
770
771 {
772 /* Flip a few bits in the signature and in the message and check that
773 * verify and verify_batch (TODO) fail */
774 size_t sig_idx = secp256k1_testrand_int(N_SIGS);
775 size_t byte_idx = secp256k1_testrand_bits(5);
776 unsigned char xorbyte = secp256k1_testrand_int(254)+1;
777 sig[sig_idx][byte_idx] ^= xorbyte;
778 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
779 sig[sig_idx][byte_idx] ^= xorbyte;
780
781 byte_idx = secp256k1_testrand_bits(5);
782 sig[sig_idx][32+byte_idx] ^= xorbyte;
783 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
784 sig[sig_idx][32+byte_idx] ^= xorbyte;
785
786 byte_idx = secp256k1_testrand_bits(5);
787 msg[sig_idx][byte_idx] ^= xorbyte;
788 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
789 msg[sig_idx][byte_idx] ^= xorbyte;
790
791 /* Check that above bitflips have been reversed correctly */
792 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
793 }
794
795 /* Test overflowing s */
796 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
797 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
798 memset(&sig[0][32], 0xFF, 32);
799 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
800
801 /* Test negative s */
802 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
803 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
804 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
805 secp256k1_scalar_negate(&s, &s);
806 secp256k1_scalar_get_b32(&sig[0][32], &s);
807 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
808
809 /* The empty message can be signed & verified */
810 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
811 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
812
813 {
814 /* Test varying message lengths */
815 unsigned char msg_large[32 * 8];
816 uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
817 for (i = 0; i < sizeof(msg_large); i += 32) {
818 secp256k1_testrand256(&msg_large[i]);
819 }
820 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
821 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
822 /* Verification for a random wrong message length fails */
823 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
824 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
825 }
826}
827#undef N_SIGS
828
829void test_schnorrsig_taproot(void) {
830 unsigned char sk[32];
831 secp256k1_keypair keypair;
832 secp256k1_xonly_pubkey internal_pk;
833 unsigned char internal_pk_bytes[32];
834 secp256k1_xonly_pubkey output_pk;
835 unsigned char output_pk_bytes[32];
836 unsigned char tweak[32];
837 int pk_parity;
838 unsigned char msg[32];
839 unsigned char sig[64];
840
841 /* Create output key */
842 secp256k1_testrand256(sk);
843 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
844 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
845 /* In actual taproot the tweak would be hash of internal_pk */
846 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
847 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
848 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
849 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
850
851 /* Key spend */
852 secp256k1_testrand256(msg);
853 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
854 /* Verify key spend */
855 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
856 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
857
858 /* Script spend */
859 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
860 /* Verify script spend */
861 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
862 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
863}
864
865void run_schnorrsig_tests(void) {
866 int i;
867 run_nonce_function_bip340_tests();
868
869 test_schnorrsig_api();
870 test_schnorrsig_sha256_tagged();
871 test_schnorrsig_bip_vectors();
872 for (i = 0; i < COUNT; i++) {
873 test_schnorrsig_sign();
874 test_schnorrsig_sign_verify();
875 }
876 test_schnorrsig_taproot();
877}
878
879#endif
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:14
sig
SchnorrSig sig
Definition: processor.cpp:523
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:244
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:702
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:689
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:218
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:235
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:829
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:675
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:752
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:865
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
N_SIGS
#define N_SIGS
Definition: tests_impl.h:748
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:206
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:662
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:117
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:197
CHECK
#define CHECK(cond)
Definition: util.h:81
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:195
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:183
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:134
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:195
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:254
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:233
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:200
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:204
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:219
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
COUNT
static int COUNT
Definition: tests.c:30
CTX
static secp256k1_context * CTX
Definition: tests.c:31
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:32
Generated on Thu Mar 19 2026 20:37:15 for Bitcoin ABC by doxygen 1.9.4