Bitcoin Core 30.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "../../../include/secp256k1_schnorrsig.h"
11#include "../../unit_test.h"
12
13/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
14 * bytes) changes the hash function
15 */
16static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
17 unsigned char nonces[2][32];
18 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
19 testrand_flip(args[n_flip], n_bytes);
20 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
21 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
22}
23
24static void run_nonce_function_bip340_tests(void) {
25 /* "BIP0340/nonce" */
26 static const unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
27 /* "BIP0340/aux" */
28 static const unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'};
29 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
30 size_t algolen = sizeof(algo);
31 secp256k1_sha256 sha_optimized;
32 unsigned char nonce[32], nonce_z[32];
33 unsigned char msg[32];
34 size_t msglen = sizeof(msg);
35 unsigned char key[32];
36 unsigned char pk[32];
37 unsigned char aux_rand[32];
38 unsigned char *args[5];
39 int i;
40
41 /* Check that hash initialized by
42 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
43 * state. */
44 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
45 test_sha256_tag_midstate(&sha_optimized, tag, sizeof(tag));
46
47
48 /* Check that hash initialized by
49 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
50 * state. */
51 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
52 test_sha256_tag_midstate(&sha_optimized, aux_tag, sizeof(aux_tag));
53
54 testrand256(msg);
55 testrand256(key);
56 testrand256(pk);
57 testrand256(aux_rand);
58
59 /* Check that a bitflip in an argument results in different nonces. */
60 args[0] = msg;
61 args[1] = key;
62 args[2] = pk;
63 args[3] = algo;
64 args[4] = aux_rand;
65 for (i = 0; i < COUNT; i++) {
66 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
67 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
68 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
69 /* Flip algo special case "BIP0340/nonce" */
70 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
71 /* Flip algo again */
72 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
73 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
74 }
75
76 /* NULL algo is disallowed */
77 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
78 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
79 /* Other algo is fine */
80 testrand_bytes_test(algo, algolen);
81 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
82
83 for (i = 0; i < COUNT; i++) {
84 unsigned char nonce2[32];
85 uint32_t offset = testrand_int(msglen - 1);
86 size_t msglen_tmp = (msglen + offset) % msglen;
87 size_t algolen_tmp;
88
89 /* Different msglen gives different nonce */
90 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
91 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
92
93 /* Different algolen gives different nonce */
94 offset = testrand_int(algolen - 1);
95 algolen_tmp = (algolen + offset) % algolen;
96 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
97 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
98 }
99
100 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
101 memset(aux_rand, 0, 32);
102 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
103 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
104 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
105}
106
107static void test_schnorrsig_api(void) {
108 unsigned char sk1[32];
109 unsigned char sk2[32];
110 unsigned char sk3[32];
111 unsigned char msg[32];
112 secp256k1_keypair keypairs[3];
113 secp256k1_keypair invalid_keypair = {{ 0 }};
114 secp256k1_xonly_pubkey pk[3];
115 secp256k1_xonly_pubkey zero_pk;
116 unsigned char sig[64];
117 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
118 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
119
120 testrand256(sk1);
121 testrand256(sk2);
122 testrand256(sk3);
123 testrand256(msg);
124 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
125 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
126 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
127 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
128 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
129 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
130 memset(&zero_pk, 0, sizeof(zero_pk));
131
133 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
134 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL));
135 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL));
136 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL));
137 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL));
138 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL));
139
140 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
141 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams));
142 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams));
143 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
144 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams));
145 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams));
146 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
147 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams));
148 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams));
149
150 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
151 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
152 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]));
153 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]));
154 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
155 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL));
156 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk));
157}
158
159/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
160 * expected state. */
161static void test_schnorrsig_sha256_tagged(void) {
162 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'};
163 secp256k1_sha256 sha;
164 secp256k1_sha256 sha_optimized;
165
166 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
167 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
168 test_sha256_eq(&sha, &sha_optimized);
169}
170
171/* Helper function for schnorrsig_bip_vectors
172 * Signs the message and checks that it's the same as expected_sig. */
173static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) {
174 unsigned char sig[64];
175 secp256k1_keypair keypair;
176 secp256k1_xonly_pubkey pk, pk_expected;
177
178 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
179 extraparams.ndata = (unsigned char*)aux_rand;
180
181 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
182 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams));
183 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
184 if (msglen == 32) {
185 memset(sig, 0, 64);
186 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand));
187 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
188 }
189
190 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
191 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
192 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
193 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
194}
195
196/* Helper function for schnorrsig_bip_vectors
197 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
198static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) {
199 secp256k1_xonly_pubkey pk;
200
201 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
202 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
203}
204
205/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
206 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
207static void test_schnorrsig_bip_vectors(void) {
208 {
209 /* Test vector 0 */
210 const unsigned char sk[32] = {
211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
215 };
216 const unsigned char pk[32] = {
217 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
218 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
219 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
220 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
221 };
222 const unsigned char aux_rand[32] = {
223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
227 };
228 const unsigned char msg[32] = {
229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
233 };
234 const unsigned char sig[64] = {
235 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
236 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
237 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
238 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
239 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
240 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
241 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
242 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
243 };
244 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
245 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
246 }
247 {
248 /* Test vector 1 */
249 const unsigned char sk[32] = {
250 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
251 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
252 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
253 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
254 };
255 const unsigned char pk[32] = {
256 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
257 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
258 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
259 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
260 };
261 const unsigned char aux_rand[32] = {
262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
266 };
267 const unsigned char msg[32] = {
268 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
269 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
270 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
271 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
272 };
273 const unsigned char sig[64] = {
274 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
275 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
276 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
277 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
278 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
279 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
280 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
281 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
282 };
283 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
284 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
285 }
286 {
287 /* Test vector 2 */
288 const unsigned char sk[32] = {
289 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
290 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
291 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
292 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
293 };
294 const unsigned char pk[32] = {
295 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
296 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
297 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
298 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
299 };
300 const unsigned char aux_rand[32] = {
301 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
302 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
303 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
304 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
305 };
306 const unsigned char msg[32] = {
307 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
308 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
309 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
310 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
311 };
312 const unsigned char sig[64] = {
313 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
314 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
315 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
316 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
317 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
318 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
319 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
320 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
321 };
322 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
323 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
324 }
325 {
326 /* Test vector 3 */
327 const unsigned char sk[32] = {
328 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
329 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
330 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
331 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
332 };
333 const unsigned char pk[32] = {
334 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
335 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
336 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
337 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
338 };
339 const unsigned char aux_rand[32] = {
340 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
341 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
342 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
343 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
344 };
345 const unsigned char msg[32] = {
346 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
347 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
348 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
349 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
350 };
351 const unsigned char sig[64] = {
352 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
353 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
354 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
355 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
356 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
357 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
358 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
359 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
360 };
361 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
362 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
363 }
364 {
365 /* Test vector 4 */
366 const unsigned char pk[32] = {
367 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
368 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
369 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
370 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
371 };
372 const unsigned char msg[32] = {
373 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
374 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
375 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
376 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
377 };
378 const unsigned char sig[64] = {
379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
380 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
381 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
382 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
383 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
384 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
385 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
386 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
387 };
388 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
389 }
390 {
391 /* Test vector 5 */
392 const unsigned char pk[32] = {
393 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
394 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
395 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
396 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
397 };
398 secp256k1_xonly_pubkey pk_parsed;
399 /* No need to check the signature of the test vector as parsing the pubkey already fails */
400 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
401 }
402 {
403 /* Test vector 6 */
404 const unsigned char pk[32] = {
405 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
406 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
407 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
408 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
409 };
410 const unsigned char msg[32] = {
411 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
412 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
413 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
414 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
415 };
416 const unsigned char sig[64] = {
417 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
418 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
419 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
420 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
421 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
422 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
423 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
424 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
425 };
426 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
427 }
428 {
429 /* Test vector 7 */
430 const unsigned char pk[32] = {
431 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
432 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
433 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
434 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
435 };
436 const unsigned char msg[32] = {
437 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
438 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
439 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
440 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
441 };
442 const unsigned char sig[64] = {
443 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
444 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
445 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
446 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
447 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
448 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
449 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
450 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
451 };
452 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
453 }
454 {
455 /* Test vector 8 */
456 const unsigned char pk[32] = {
457 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
458 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
459 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
460 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
461 };
462 const unsigned char msg[32] = {
463 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
464 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
465 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
466 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
467 };
468 const unsigned char sig[64] = {
469 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
470 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
471 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
472 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
473 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
474 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
475 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
476 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
477 };
478 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
479 }
480 {
481 /* Test vector 9 */
482 const unsigned char pk[32] = {
483 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
484 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
485 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
486 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
487 };
488 const unsigned char msg[32] = {
489 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
490 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
491 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
492 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
493 };
494 const unsigned char sig[64] = {
495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
499 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
500 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
501 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
502 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
503 };
504 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
505 }
506 {
507 /* Test vector 10 */
508 const unsigned char pk[32] = {
509 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
510 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
511 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
512 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
513 };
514 const unsigned char msg[32] = {
515 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
516 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
517 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
518 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
519 };
520 const unsigned char sig[64] = {
521 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
525 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
526 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
527 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
528 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
529 };
530 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
531 }
532 {
533 /* Test vector 11 */
534 const unsigned char pk[32] = {
535 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
536 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
537 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
538 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
539 };
540 const unsigned char msg[32] = {
541 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
542 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
543 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
544 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
545 };
546 const unsigned char sig[64] = {
547 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
548 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
549 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
550 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
551 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
552 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
553 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
554 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
555 };
556 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
557 }
558 {
559 /* Test vector 12 */
560 const unsigned char pk[32] = {
561 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
562 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
563 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
564 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
565 };
566 const unsigned char msg[32] = {
567 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
568 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
569 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
570 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
571 };
572 const unsigned char sig[64] = {
573 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
574 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
575 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
576 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
577 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
578 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
579 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
580 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
581 };
582 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
583 }
584 {
585 /* Test vector 13 */
586 const unsigned char pk[32] = {
587 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
588 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
589 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
590 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
591 };
592 const unsigned char msg[32] = {
593 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
594 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
595 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
596 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
597 };
598 const unsigned char sig[64] = {
599 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
600 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
601 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
602 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
603 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
604 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
605 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
606 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
607 };
608 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
609 }
610 {
611 /* Test vector 14 */
612 const unsigned char pk[32] = {
613 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
614 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
615 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
616 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
617 };
618 secp256k1_xonly_pubkey pk_parsed;
619 /* No need to check the signature of the test vector as parsing the pubkey already fails */
620 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
621 }
622 {
623 /* Test vector 15 */
624 const unsigned char sk[32] = {
625 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
626 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
627 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
628 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
629 };
630 const unsigned char pk[32] = {
631 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
632 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
633 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
634 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
635 };
636 const unsigned char aux_rand[32] = {
637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
641 };
642 /* const unsigned char msg[0] = {}; */
643 const unsigned char sig[64] = {
644 0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB,
645 0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18,
646 0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC,
647 0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF,
648 0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62,
649 0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64,
650 0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27,
651 0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63,
652 };
653 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig);
654 test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1);
655 }
656 {
657 /* Test vector 16 */
658 const unsigned char sk[32] = {
659 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
660 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
661 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
662 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
663 };
664 const unsigned char pk[32] = {
665 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
666 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
667 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
668 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
669 };
670 const unsigned char aux_rand[32] = {
671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
672 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
673 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
675 };
676 const unsigned char msg[] = { 0x11 };
677 const unsigned char sig[64] = {
678 0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24,
679 0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A,
680 0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35,
681 0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03,
682 0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD,
683 0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96,
684 0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33,
685 0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF,
686 };
687 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
688 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
689 }
690 {
691 /* Test vector 17 */
692 const unsigned char sk[32] = {
693 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
694 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
695 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
696 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
697 };
698 const unsigned char pk[32] = {
699 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
700 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
701 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
702 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
703 };
704 const unsigned char aux_rand[32] = {
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709 };
710 const unsigned char msg[] = {
711 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
712 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
713 0x11,
714 };
715 const unsigned char sig[64] = {
716 0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B,
717 0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B,
718 0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52,
719 0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70,
720 0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8,
721 0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC,
722 0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51,
723 0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5,
724 };
725 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
726 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
727 }
728 {
729 /* Test vector 18 */
730 const unsigned char sk[32] = {
731 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
732 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
733 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
734 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
735 };
736 const unsigned char pk[32] = {
737 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
738 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
739 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
740 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
741 };
742 const unsigned char aux_rand[32] = {
743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
747 };
748 const unsigned char sig[64] = {
749 0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34,
750 0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63,
751 0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F,
752 0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8,
753 0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7,
754 0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23,
755 0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0,
756 0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67,
757 };
758 unsigned char msg[100];
759 memset(msg, 0x99, sizeof(msg));
760 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
761 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
762 }
763}
764
765/* Nonce function that returns constant 0 */
766static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
767 (void) msg;
768 (void) msglen;
769 (void) key32;
770 (void) xonly_pk32;
771 (void) algo;
772 (void) algolen;
773 (void) data;
774 (void) nonce32;
775 return 0;
776}
777
778/* Nonce function that sets nonce to 0 */
779static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
780 (void) msg;
781 (void) msglen;
782 (void) key32;
783 (void) xonly_pk32;
784 (void) algo;
785 (void) algolen;
786 (void) data;
787
788 memset(nonce32, 0, 32);
789 return 1;
790}
791
792/* Nonce function that sets nonce to 0xFF...0xFF */
793static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
794 (void) msg;
795 (void) msglen;
796 (void) key32;
797 (void) xonly_pk32;
798 (void) algo;
799 (void) algolen;
800 (void) data;
801
802 memset(nonce32, 0xFF, 32);
803 return 1;
804}
805
806static void test_schnorrsig_sign_internal(void) {
807 unsigned char sk[32];
808 secp256k1_xonly_pubkey pk;
809 secp256k1_keypair keypair;
810 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'};
811 unsigned char sig[64];
812 unsigned char sig2[64];
813 unsigned char zeros64[64] = { 0 };
814 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
815 unsigned char aux_rand[32];
816
817 testrand256(sk);
818 testrand256(aux_rand);
819 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
820 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
821 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
822 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
823 /* Check that deprecated alias gives the same result */
824 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
825 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
826
827 /* Test different nonce functions */
828 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
829 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
830 memset(sig, 1, sizeof(sig));
831 extraparams.noncefp = nonce_function_failing;
832 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
833 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
834 memset(&sig, 1, sizeof(sig));
835 extraparams.noncefp = nonce_function_0;
836 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
837 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
838 memset(&sig, 1, sizeof(sig));
839 extraparams.noncefp = nonce_function_overflowing;
840 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
841 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
842
843 /* When using the default nonce function, schnorrsig_sign_custom produces
844 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
845 extraparams.noncefp = NULL;
846 extraparams.ndata = aux_rand;
847 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
848 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
849 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
850}
851
852#define N_SIGS 3
853/* Creates N_SIGS valid signatures and verifies them with verify and
854 * verify_batch (TODO). Then flips some bits and checks that verification now
855 * fails. */
856static void test_schnorrsig_sign_verify_internal(void) {
857 unsigned char sk[32];
858 unsigned char msg[N_SIGS][32];
859 unsigned char sig[N_SIGS][64];
860 size_t i;
861 secp256k1_keypair keypair;
862 secp256k1_xonly_pubkey pk;
863 secp256k1_scalar s;
864
865 testrand256(sk);
866 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
867 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
868
869 for (i = 0; i < N_SIGS; i++) {
870 testrand256(msg[i]);
871 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
872 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
873 }
874
875 {
876 /* Flip a few bits in the signature and in the message and check that
877 * verify and verify_batch (TODO) fail */
878 size_t sig_idx = testrand_int(N_SIGS);
879 size_t byte_idx = testrand_bits(5);
880 unsigned char xorbyte = testrand_int(254)+1;
881 sig[sig_idx][byte_idx] ^= xorbyte;
882 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
883 sig[sig_idx][byte_idx] ^= xorbyte;
884
885 byte_idx = testrand_bits(5);
886 sig[sig_idx][32+byte_idx] ^= xorbyte;
887 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
888 sig[sig_idx][32+byte_idx] ^= xorbyte;
889
890 byte_idx = testrand_bits(5);
891 msg[sig_idx][byte_idx] ^= xorbyte;
892 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
893 msg[sig_idx][byte_idx] ^= xorbyte;
894
895 /* Check that above bitflips have been reversed correctly */
896 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
897 }
898
899 /* Test overflowing s */
900 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
901 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
902 memset(&sig[0][32], 0xFF, 32);
903 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
904
905 /* Test negative s */
906 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
907 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
908 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
909 secp256k1_scalar_negate(&s, &s);
910 secp256k1_scalar_get_b32(&sig[0][32], &s);
911 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
912
913 /* The empty message can be signed & verified */
914 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
915 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
916
917 {
918 /* Test varying message lengths */
919 unsigned char msg_large[32 * 8];
920 uint32_t msglen = testrand_int(sizeof(msg_large));
921 for (i = 0; i < sizeof(msg_large); i += 32) {
922 testrand256(&msg_large[i]);
923 }
924 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
925 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
926 /* Verification for a random wrong message length fails */
927 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
928 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
929 }
930}
931#undef N_SIGS
932
933static void test_schnorrsig_taproot(void) {
934 unsigned char sk[32];
935 secp256k1_keypair keypair;
936 secp256k1_xonly_pubkey internal_pk;
937 unsigned char internal_pk_bytes[32];
938 secp256k1_xonly_pubkey output_pk;
939 unsigned char output_pk_bytes[32];
940 unsigned char tweak[32];
941 int pk_parity;
942 unsigned char msg[32];
943 unsigned char sig[64];
944
945 /* Create output key */
946 testrand256(sk);
947 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
948 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
949 /* In actual taproot the tweak would be hash of internal_pk */
950 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
951 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
952 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
953 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
954
955 /* Key spend */
956 testrand256(msg);
957 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
958 /* Verify key spend */
959 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
960 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
961
962 /* Script spend */
963 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
964 /* Verify script spend */
965 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
966 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
967}
968
969/* --- Test registry --- */
970REPEAT_TEST(test_schnorrsig_sign)
971REPEAT_TEST(test_schnorrsig_sign_verify)
972
973static const struct tf_test_entry tests_schnorrsig[] = {
974 CASE(nonce_function_bip340_tests),
975 CASE1(test_schnorrsig_api),
976 CASE1(test_schnorrsig_sha256_tagged),
977 CASE1(test_schnorrsig_bip_vectors),
978 CASE1(test_schnorrsig_sign),
979 CASE1(test_schnorrsig_sign_verify),
980 CASE1(test_schnorrsig_taproot),
981};
982
983#endif
args
ArgsManager & args
Definition: bitcoind.cpp:277
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
nonce
unsigned int nonce
Definition: miner_tests.cpp:76
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:106
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:24
test_schnorrsig_sign_internal
static void test_schnorrsig_sign_internal(void)
Definition: tests_impl.h:806
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:793
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig)
Definition: tests_impl.h:173
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected)
Definition: tests_impl.h:198
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:107
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:779
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:933
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:207
tests_schnorrsig
static const struct tf_test_entry tests_schnorrsig[]
Definition: tests_impl.h:973
N_SIGS
#define N_SIGS
Definition: tests_impl.h:852
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:766
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:161
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:16
test_schnorrsig_sign_verify_internal
static void test_schnorrsig_sign_verify_internal(void)
Definition: tests_impl.h:856
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:268
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_keypair_xonly_pub
SECP256K1_API int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:200
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:205
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:209
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:224
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
tf_test_entry
Definition: unit_test.h:51
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_int
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
CTX
static secp256k1_context * CTX
Definition: tests.c:42
test_sha256_tag_midstate
static void test_sha256_tag_midstate(secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:627
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:618
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
COUNT
int COUNT
Definition: unit_test.c:23
CASE1
#define CASE1(name)
Definition: unit_test.h:25
REPEAT_TEST
#define REPEAT_TEST(fn)
Definition: unit_test.h:34
CASE
#define CASE(name)
Definition: unit_test.h:24
Generated on Wed Oct 29 2025 20:00:30 for Bitcoin Core by doxygen 1.9.4