Bitcoin Core 31.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "../../../include/secp256k1_schnorrsig.h"
11#include "../../unit_test.h"
12
13/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
14 * bytes) changes the hash function
15 */
16static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
17 unsigned char nonces[2][32];
18 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
19 testrand_flip(args[n_flip], n_bytes);
20 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
21 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
22}
23
24static void run_nonce_function_bip340_tests(void) {
25 /* "BIP0340/nonce" */
26 static const unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
27 /* "BIP0340/aux" */
28 static const unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'};
29 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
30 size_t algolen = sizeof(algo);
31 secp256k1_sha256 sha_optimized;
32 unsigned char nonce[32], nonce_z[32];
33 unsigned char msg[32];
34 size_t msglen = sizeof(msg);
35 unsigned char key[32];
36 unsigned char pk[32];
37 unsigned char aux_rand[32];
38 unsigned char *args[5];
39 int i;
40
41 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
42
43 /* Check that hash initialized by
44 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
45 * state. */
46 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
47 test_sha256_tag_midstate(hash_ctx, &sha_optimized, tag, sizeof(tag));
48
49
50 /* Check that hash initialized by
51 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
52 * state. */
53 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
54 test_sha256_tag_midstate(hash_ctx, &sha_optimized, aux_tag, sizeof(aux_tag));
55
56 testrand256(msg);
57 testrand256(key);
58 testrand256(pk);
59 testrand256(aux_rand);
60
61 /* Check that a bitflip in an argument results in different nonces. */
62 args[0] = msg;
63 args[1] = key;
64 args[2] = pk;
65 args[3] = algo;
66 args[4] = aux_rand;
67 for (i = 0; i < COUNT; i++) {
68 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
69 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
70 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
71 /* Flip algo special case "BIP0340/nonce" */
72 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
73 /* Flip algo again */
74 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
75 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
76 }
77
78 /* NULL algo is disallowed */
79 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
80 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
81 /* Other algo is fine */
82 testrand_bytes_test(algo, algolen);
83 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
84
85 for (i = 0; i < COUNT; i++) {
86 unsigned char nonce2[32];
87 uint32_t offset = testrand_int(msglen - 1);
88 size_t msglen_tmp = (msglen + offset) % msglen;
89 size_t algolen_tmp;
90
91 /* Different msglen gives different nonce */
92 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
93 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
94
95 /* Different algolen gives different nonce */
96 offset = testrand_int(algolen - 1);
97 algolen_tmp = (algolen + offset) % algolen;
98 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
99 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
100 }
101
102 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
103 memset(aux_rand, 0, 32);
104 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
105 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
106 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
107}
108
109static void test_schnorrsig_api(void) {
110 unsigned char sk1[32];
111 unsigned char sk2[32];
112 unsigned char sk3[32];
113 unsigned char msg[32];
114 secp256k1_keypair keypairs[3];
115 secp256k1_keypair invalid_keypair = {{ 0 }};
116 secp256k1_xonly_pubkey pk[3];
117 secp256k1_xonly_pubkey zero_pk;
118 unsigned char sig[64];
119 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
120 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
121
122 testrand256(sk1);
123 testrand256(sk2);
124 testrand256(sk3);
125 testrand256(msg);
126 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
127 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
128 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
129 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
130 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
131 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
132 memset(&zero_pk, 0, sizeof(zero_pk));
133
135 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
136 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL));
137 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL));
138 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL));
139 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL));
140 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL));
141
142 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
143 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams));
144 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams));
145 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
146 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams));
147 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams));
148 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
149 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams));
150 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams));
151
152 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
153 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
154 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]));
155 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]));
156 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
157 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL));
158 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk));
159}
160
161/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
162 * expected state. */
163static void test_schnorrsig_sha256_tagged(void) {
164 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'};
165 secp256k1_sha256 sha;
166 secp256k1_sha256 sha_optimized;
167 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
168
169 secp256k1_sha256_initialize_tagged(hash_ctx, &sha, (unsigned char *) tag, sizeof(tag));
170 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
171 test_sha256_eq(&sha, &sha_optimized);
172}
173
174/* Helper function for schnorrsig_bip_vectors
175 * Signs the message and checks that it's the same as expected_sig. */
176static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) {
177 unsigned char sig[64];
178 secp256k1_keypair keypair;
179 secp256k1_xonly_pubkey pk, pk_expected;
180
181 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
182 extraparams.ndata = (unsigned char*)aux_rand;
183
184 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
185 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams));
186 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
187 if (msglen == 32) {
188 memset(sig, 0, 64);
189 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand));
190 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
191 }
192
193 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
194 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
195 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
196 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
197}
198
199/* Helper function for schnorrsig_bip_vectors
200 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
201static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) {
202 secp256k1_xonly_pubkey pk;
203
204 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
205 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
206}
207
208/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
209 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
210static void test_schnorrsig_bip_vectors(void) {
211 {
212 /* Test vector 0 */
213 const unsigned char sk[32] = {
214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
218 };
219 const unsigned char pk[32] = {
220 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
221 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
222 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
223 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
224 };
225 const unsigned char aux_rand[32] = {
226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
230 };
231 const unsigned char msg[32] = {
232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
236 };
237 const unsigned char sig[64] = {
238 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
239 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
240 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
241 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
242 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
243 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
244 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
245 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
246 };
247 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
248 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
249 }
250 {
251 /* Test vector 1 */
252 const unsigned char sk[32] = {
253 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
254 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
255 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
256 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
257 };
258 const unsigned char pk[32] = {
259 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
260 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
261 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
262 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
263 };
264 const unsigned char aux_rand[32] = {
265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
269 };
270 const unsigned char msg[32] = {
271 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
272 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
273 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
274 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
275 };
276 const unsigned char sig[64] = {
277 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
278 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
279 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
280 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
281 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
282 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
283 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
284 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
285 };
286 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
287 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
288 }
289 {
290 /* Test vector 2 */
291 const unsigned char sk[32] = {
292 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
293 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
294 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
295 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
296 };
297 const unsigned char pk[32] = {
298 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
299 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
300 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
301 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
302 };
303 const unsigned char aux_rand[32] = {
304 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
305 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
306 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
307 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
308 };
309 const unsigned char msg[32] = {
310 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
311 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
312 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
313 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
314 };
315 const unsigned char sig[64] = {
316 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
317 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
318 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
319 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
320 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
321 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
322 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
323 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
324 };
325 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
326 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
327 }
328 {
329 /* Test vector 3 */
330 const unsigned char sk[32] = {
331 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
332 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
333 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
334 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
335 };
336 const unsigned char pk[32] = {
337 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
338 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
339 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
340 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
341 };
342 const unsigned char aux_rand[32] = {
343 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
344 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
345 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
346 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
347 };
348 const unsigned char msg[32] = {
349 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
350 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
351 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
352 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
353 };
354 const unsigned char sig[64] = {
355 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
356 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
357 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
358 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
359 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
360 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
361 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
362 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
363 };
364 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
365 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
366 }
367 {
368 /* Test vector 4 */
369 const unsigned char pk[32] = {
370 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
371 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
372 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
373 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
374 };
375 const unsigned char msg[32] = {
376 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
377 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
378 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
379 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
380 };
381 const unsigned char sig[64] = {
382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
383 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
384 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
385 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
386 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
387 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
388 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
389 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
390 };
391 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
392 }
393 {
394 /* Test vector 5 */
395 const unsigned char pk[32] = {
396 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
397 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
398 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
399 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
400 };
401 secp256k1_xonly_pubkey pk_parsed;
402 /* No need to check the signature of the test vector as parsing the pubkey already fails */
403 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
404 }
405 {
406 /* Test vector 6 */
407 const unsigned char pk[32] = {
408 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
409 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
410 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
411 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
412 };
413 const unsigned char msg[32] = {
414 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
415 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
416 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
417 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
418 };
419 const unsigned char sig[64] = {
420 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
421 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
422 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
423 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
424 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
425 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
426 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
427 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
428 };
429 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
430 }
431 {
432 /* Test vector 7 */
433 const unsigned char pk[32] = {
434 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
435 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
436 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
437 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
438 };
439 const unsigned char msg[32] = {
440 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
441 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
442 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
443 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
444 };
445 const unsigned char sig[64] = {
446 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
447 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
448 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
449 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
450 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
451 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
452 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
453 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
454 };
455 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
456 }
457 {
458 /* Test vector 8 */
459 const unsigned char pk[32] = {
460 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
461 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
462 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
463 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
464 };
465 const unsigned char msg[32] = {
466 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
467 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
468 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
469 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
470 };
471 const unsigned char sig[64] = {
472 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
473 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
474 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
475 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
476 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
477 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
478 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
479 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
480 };
481 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
482 }
483 {
484 /* Test vector 9 */
485 const unsigned char pk[32] = {
486 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
487 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
488 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
489 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
490 };
491 const unsigned char msg[32] = {
492 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
493 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
494 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
495 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
496 };
497 const unsigned char sig[64] = {
498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
502 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
503 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
504 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
505 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
506 };
507 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
508 }
509 {
510 /* Test vector 10 */
511 const unsigned char pk[32] = {
512 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
513 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
514 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
515 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
516 };
517 const unsigned char msg[32] = {
518 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
519 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
520 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
521 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
522 };
523 const unsigned char sig[64] = {
524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
526 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
527 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
528 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
529 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
530 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
531 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
532 };
533 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
534 }
535 {
536 /* Test vector 11 */
537 const unsigned char pk[32] = {
538 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
539 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
540 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
541 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
542 };
543 const unsigned char msg[32] = {
544 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
545 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
546 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
547 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
548 };
549 const unsigned char sig[64] = {
550 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
551 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
552 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
553 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
554 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
555 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
556 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
557 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
558 };
559 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
560 }
561 {
562 /* Test vector 12 */
563 const unsigned char pk[32] = {
564 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
565 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
566 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
567 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
568 };
569 const unsigned char msg[32] = {
570 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
571 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
572 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
573 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
574 };
575 const unsigned char sig[64] = {
576 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
577 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
578 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
579 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
580 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
581 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
582 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
583 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
584 };
585 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
586 }
587 {
588 /* Test vector 13 */
589 const unsigned char pk[32] = {
590 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
591 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
592 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
593 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
594 };
595 const unsigned char msg[32] = {
596 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
597 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
598 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
599 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
600 };
601 const unsigned char sig[64] = {
602 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
603 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
604 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
605 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
606 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
607 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
608 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
609 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
610 };
611 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
612 }
613 {
614 /* Test vector 14 */
615 const unsigned char pk[32] = {
616 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
617 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
618 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
619 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
620 };
621 secp256k1_xonly_pubkey pk_parsed;
622 /* No need to check the signature of the test vector as parsing the pubkey already fails */
623 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
624 }
625 {
626 /* Test vector 15 */
627 const unsigned char sk[32] = {
628 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
629 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
630 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
631 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
632 };
633 const unsigned char pk[32] = {
634 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
635 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
636 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
637 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
638 };
639 const unsigned char aux_rand[32] = {
640 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
641 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
644 };
645 /* const unsigned char msg[0] = {}; */
646 const unsigned char sig[64] = {
647 0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB,
648 0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18,
649 0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC,
650 0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF,
651 0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62,
652 0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64,
653 0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27,
654 0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63,
655 };
656 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig);
657 test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1);
658 }
659 {
660 /* Test vector 16 */
661 const unsigned char sk[32] = {
662 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
663 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
664 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
665 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
666 };
667 const unsigned char pk[32] = {
668 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
669 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
670 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
671 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
672 };
673 const unsigned char aux_rand[32] = {
674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
675 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
677 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
678 };
679 const unsigned char msg[] = { 0x11 };
680 const unsigned char sig[64] = {
681 0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24,
682 0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A,
683 0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35,
684 0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03,
685 0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD,
686 0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96,
687 0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33,
688 0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF,
689 };
690 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
691 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
692 }
693 {
694 /* Test vector 17 */
695 const unsigned char sk[32] = {
696 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
697 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
698 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
699 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
700 };
701 const unsigned char pk[32] = {
702 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
703 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
704 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
705 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
706 };
707 const unsigned char aux_rand[32] = {
708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
712 };
713 const unsigned char msg[] = {
714 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
715 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
716 0x11,
717 };
718 const unsigned char sig[64] = {
719 0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B,
720 0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B,
721 0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52,
722 0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70,
723 0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8,
724 0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC,
725 0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51,
726 0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5,
727 };
728 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
729 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
730 }
731 {
732 /* Test vector 18 */
733 const unsigned char sk[32] = {
734 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
735 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
736 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
737 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
738 };
739 const unsigned char pk[32] = {
740 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
741 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
742 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
743 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
744 };
745 const unsigned char aux_rand[32] = {
746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
750 };
751 const unsigned char sig[64] = {
752 0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34,
753 0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63,
754 0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F,
755 0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8,
756 0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7,
757 0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23,
758 0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0,
759 0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67,
760 };
761 unsigned char msg[100];
762 memset(msg, 0x99, sizeof(msg));
763 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
764 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
765 }
766}
767
768/* Nonce function that returns constant 0 */
769static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
770 (void) msg;
771 (void) msglen;
772 (void) key32;
773 (void) xonly_pk32;
774 (void) algo;
775 (void) algolen;
776 (void) data;
777 (void) nonce32;
778 return 0;
779}
780
781/* Nonce function that sets nonce to 0 */
782static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
783 (void) msg;
784 (void) msglen;
785 (void) key32;
786 (void) xonly_pk32;
787 (void) algo;
788 (void) algolen;
789 (void) data;
790
791 memset(nonce32, 0, 32);
792 return 1;
793}
794
795/* Nonce function that sets nonce to 0xFF...0xFF */
796static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
797 (void) msg;
798 (void) msglen;
799 (void) key32;
800 (void) xonly_pk32;
801 (void) algo;
802 (void) algolen;
803 (void) data;
804
805 memset(nonce32, 0xFF, 32);
806 return 1;
807}
808
809static void test_schnorrsig_sign_internal(void) {
810 unsigned char sk[32];
811 secp256k1_xonly_pubkey pk;
812 secp256k1_keypair keypair;
813 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'};
814 unsigned char sig[64];
815 unsigned char sig2[64];
816 unsigned char zeros64[64] = { 0 };
817 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
818 unsigned char aux_rand[32];
819
820 testrand256(sk);
821 testrand256(aux_rand);
822 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
823 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
824 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
825 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
826 /* Check that deprecated alias gives the same result */
827 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
828 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
829
830 /* Test different nonce functions */
831 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
832 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
833 memset(sig, 1, sizeof(sig));
834 extraparams.noncefp = nonce_function_failing;
835 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
836 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
837 memset(&sig, 1, sizeof(sig));
838 extraparams.noncefp = nonce_function_0;
839 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
840 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
841 memset(&sig, 1, sizeof(sig));
842 extraparams.noncefp = nonce_function_overflowing;
843 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
844 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
845
846 /* When using the default nonce function, schnorrsig_sign_custom produces
847 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
848 extraparams.noncefp = NULL;
849 extraparams.ndata = aux_rand;
850 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
851 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
852 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
853}
854
855DEFINE_SHA256_TRANSFORM_PROBE(sha256_schnorrsig)
856static void test_schnorrsig_ctx_sha256(void) {
857 /* Check ctx-provided SHA256 compression override takes effect */
858 secp256k1_context *ctx = secp256k1_context_clone(CTX);
859 unsigned char out_default[64], out_custom[64];
860 unsigned char sk[32] = {1}, msg32[32] = {1};
861 secp256k1_keypair keypair;
862 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
863
864 /* Default behavior. No ctx-provided SHA256 compression */
865 CHECK(secp256k1_schnorrsig_sign32(ctx, out_default, msg32, &keypair, NULL));
866 CHECK(!sha256_schnorrsig_called);
867
868 /* Override SHA256 compression directly, bypassing the ctx setter sanity checks */
869 ctx->hash_ctx.fn_sha256_compression = sha256_schnorrsig;
870 CHECK(secp256k1_schnorrsig_sign32(ctx, out_custom, msg32, &keypair, NULL));
871 CHECK(sha256_schnorrsig_called);
872 /* Outputs must differ if custom compression was used */
873 CHECK(secp256k1_memcmp_var(out_default, out_custom, 64) != 0);
874
875 secp256k1_context_destroy(ctx);
876}
877
878#define N_SIGS 3
879/* Creates N_SIGS valid signatures and verifies them with verify and
880 * verify_batch (TODO). Then flips some bits and checks that verification now
881 * fails. */
882static void test_schnorrsig_sign_verify_internal(void) {
883 unsigned char sk[32];
884 unsigned char msg[N_SIGS][32];
885 unsigned char sig[N_SIGS][64];
886 size_t i;
887 secp256k1_keypair keypair;
888 secp256k1_xonly_pubkey pk;
889 secp256k1_scalar s;
890
891 testrand256(sk);
892 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
893 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
894
895 for (i = 0; i < N_SIGS; i++) {
896 testrand256(msg[i]);
897 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
898 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
899 }
900
901 {
902 /* Flip a few bits in the signature and in the message and check that
903 * verify and verify_batch (TODO) fail */
904 size_t sig_idx = testrand_int(N_SIGS);
905 size_t byte_idx = testrand_bits(5);
906 unsigned char xorbyte = testrand_int(254)+1;
907 sig[sig_idx][byte_idx] ^= xorbyte;
908 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
909 sig[sig_idx][byte_idx] ^= xorbyte;
910
911 byte_idx = testrand_bits(5);
912 sig[sig_idx][32+byte_idx] ^= xorbyte;
913 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
914 sig[sig_idx][32+byte_idx] ^= xorbyte;
915
916 byte_idx = testrand_bits(5);
917 msg[sig_idx][byte_idx] ^= xorbyte;
918 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
919 msg[sig_idx][byte_idx] ^= xorbyte;
920
921 /* Check that above bitflips have been reversed correctly */
922 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
923 }
924
925 /* Test overflowing s */
926 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
927 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
928 memset(&sig[0][32], 0xFF, 32);
929 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
930
931 /* Test negative s */
932 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
933 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
934 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
935 secp256k1_scalar_negate(&s, &s);
936 secp256k1_scalar_get_b32(&sig[0][32], &s);
937 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
938
939 /* The empty message can be signed & verified */
940 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
941 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
942
943 {
944 /* Test varying message lengths */
945 unsigned char msg_large[32 * 8];
946 uint32_t msglen = testrand_int(sizeof(msg_large));
947 for (i = 0; i < sizeof(msg_large); i += 32) {
948 testrand256(&msg_large[i]);
949 }
950 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
951 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
952 /* Verification for a random wrong message length fails */
953 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
954 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
955 }
956}
957#undef N_SIGS
958
959static void test_schnorrsig_taproot(void) {
960 unsigned char sk[32];
961 secp256k1_keypair keypair;
962 secp256k1_xonly_pubkey internal_pk;
963 unsigned char internal_pk_bytes[32];
964 secp256k1_xonly_pubkey output_pk;
965 unsigned char output_pk_bytes[32];
966 unsigned char tweak[32];
967 int pk_parity;
968 unsigned char msg[32];
969 unsigned char sig[64];
970
971 /* Create output key */
972 testrand256(sk);
973 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
974 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
975 /* In actual taproot the tweak would be hash of internal_pk */
976 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
977 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
978 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
979 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
980
981 /* Key spend */
982 testrand256(msg);
983 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
984 /* Verify key spend */
985 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
986 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
987
988 /* Script spend */
989 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
990 /* Verify script spend */
991 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
992 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
993}
994
995/* --- Test registry --- */
996REPEAT_TEST(test_schnorrsig_sign)
997REPEAT_TEST(test_schnorrsig_sign_verify)
998
999static const struct tf_test_entry tests_schnorrsig[] = {
1000 CASE(nonce_function_bip340_tests),
1001 CASE1(test_schnorrsig_api),
1002 CASE1(test_schnorrsig_sha256_tagged),
1003 CASE1(test_schnorrsig_bip_vectors),
1004 CASE1(test_schnorrsig_sign),
1005 CASE1(test_schnorrsig_sign_verify),
1006 CASE1(test_schnorrsig_taproot),
1007 CASE1(test_schnorrsig_ctx_sha256),
1008};
1009
1010#endif
args
ArgsManager & args
Definition: bitcoind.cpp:278
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:196
nonce
unsigned int nonce
Definition: miner_tests.cpp:82
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:90
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:26
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:98
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:24
test_schnorrsig_sign_internal
static void test_schnorrsig_sign_internal(void)
Definition: tests_impl.h:809
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:796
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig)
Definition: tests_impl.h:176
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected)
Definition: tests_impl.h:201
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:109
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:782
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:959
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:210
tests_schnorrsig
static const struct tf_test_entry tests_schnorrsig[]
Definition: tests_impl.h:999
N_SIGS
#define N_SIGS
Definition: tests_impl.h:878
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:769
test_schnorrsig_ctx_sha256
static void test_schnorrsig_ctx_sha256(void)
Definition: tests_impl.h:856
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:163
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:16
test_schnorrsig_sign_verify_internal
static void test_schnorrsig_sign_verify_internal(void)
Definition: tests_impl.h:882
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:271
secp256k1_get_hash_context
static SECP256K1_INLINE const secp256k1_hash_ctx * secp256k1_get_hash_context(const secp256k1_context *ctx)
Definition: secp256k1.c:238
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:190
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:166
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_keypair_xonly_pub
SECP256K1_API int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:191
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:196
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:200
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:215
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_context_struct::hash_ctx
secp256k1_hash_ctx hash_ctx
Definition: secp256k1.c:63
secp256k1_hash_ctx
Definition: hash.h:13
secp256k1_hash_ctx::fn_sha256_compression
secp256k1_sha256_compression_function fn_sha256_compression
Definition: hash.h:14
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:19
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
tf_test_entry
Definition: unit_test.h:53
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_int
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
test_sha256_tag_midstate
static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:770
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
CTX
static secp256k1_context * CTX
Definition: tests.c:42
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:761
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
DEFINE_SHA256_TRANSFORM_PROBE
#define DEFINE_SHA256_TRANSFORM_PROBE(name)
Definition: testutil.h:15
COUNT
int COUNT
Definition: unit_test.c:23
CASE1
#define CASE1(name)
Definition: unit_test.h:27
REPEAT_TEST
#define REPEAT_TEST(fn)
Definition: unit_test.h:36
CASE
#define CASE(name)
Definition: unit_test.h:26
Generated on Wed Apr 22 2026 20:00:29 for Bitcoin Core by doxygen 1.9.4