Bitcoin Core 28.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8#define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9
10#include "../../../include/secp256k1_schnorrsig.h"
11
12/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13 * bytes) changes the hash function
14 */
15static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16 unsigned char nonces[2][32];
17 CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18 testrand_flip(args[n_flip], n_bytes);
19 CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21}
22
23static void run_nonce_function_bip340_tests(void) {
24 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
25 unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'};
26 unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
27 size_t algolen = sizeof(algo);
28 secp256k1_sha256 sha;
29 secp256k1_sha256 sha_optimized;
30 unsigned char nonce[32], nonce_z[32];
31 unsigned char msg[32];
32 size_t msglen = sizeof(msg);
33 unsigned char key[32];
34 unsigned char pk[32];
35 unsigned char aux_rand[32];
36 unsigned char *args[5];
37 int i;
38
39 /* Check that hash initialized by
40 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
41 * state. */
42 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
43 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
44 test_sha256_eq(&sha, &sha_optimized);
45
46 /* Check that hash initialized by
47 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
48 * state. */
49 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
50 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
51 test_sha256_eq(&sha, &sha_optimized);
52
53 testrand256(msg);
54 testrand256(key);
55 testrand256(pk);
56 testrand256(aux_rand);
57
58 /* Check that a bitflip in an argument results in different nonces. */
59 args[0] = msg;
60 args[1] = key;
61 args[2] = pk;
62 args[3] = algo;
63 args[4] = aux_rand;
64 for (i = 0; i < COUNT; i++) {
65 nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
66 nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
67 nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
68 /* Flip algo special case "BIP0340/nonce" */
69 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
70 /* Flip algo again */
71 nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
72 nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
73 }
74
75 /* NULL algo is disallowed */
76 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
77 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
78 /* Other algo is fine */
79 testrand_bytes_test(algo, algolen);
80 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
81
82 for (i = 0; i < COUNT; i++) {
83 unsigned char nonce2[32];
84 uint32_t offset = testrand_int(msglen - 1);
85 size_t msglen_tmp = (msglen + offset) % msglen;
86 size_t algolen_tmp;
87
88 /* Different msglen gives different nonce */
89 CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
90 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
91
92 /* Different algolen gives different nonce */
93 offset = testrand_int(algolen - 1);
94 algolen_tmp = (algolen + offset) % algolen;
95 CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
96 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
97 }
98
99 /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
100 memset(aux_rand, 0, 32);
101 CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
102 CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
103 CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
104}
105
106static void test_schnorrsig_api(void) {
107 unsigned char sk1[32];
108 unsigned char sk2[32];
109 unsigned char sk3[32];
110 unsigned char msg[32];
111 secp256k1_keypair keypairs[3];
112 secp256k1_keypair invalid_keypair = {{ 0 }};
113 secp256k1_xonly_pubkey pk[3];
114 secp256k1_xonly_pubkey zero_pk;
115 unsigned char sig[64];
116 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
117 secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
118
119 testrand256(sk1);
120 testrand256(sk2);
121 testrand256(sk3);
122 testrand256(msg);
123 CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
124 CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
125 CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
126 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
127 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
128 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
129 memset(&zero_pk, 0, sizeof(zero_pk));
130
132 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
133 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL));
134 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL));
135 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL));
136 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL));
137 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL));
138
139 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
140 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams));
141 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams));
142 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
143 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams));
144 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams));
145 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
146 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams));
147 CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams));
148
149 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
150 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
151 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]));
152 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]));
153 CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
154 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL));
155 CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk));
156}
157
158/* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
159 * expected state. */
160static void test_schnorrsig_sha256_tagged(void) {
161 unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'};
162 secp256k1_sha256 sha;
163 secp256k1_sha256 sha_optimized;
164
165 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
166 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
167 test_sha256_eq(&sha, &sha_optimized);
168}
169
170/* Helper function for schnorrsig_bip_vectors
171 * Signs the message and checks that it's the same as expected_sig. */
172static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) {
173 unsigned char sig[64];
174 secp256k1_keypair keypair;
175 secp256k1_xonly_pubkey pk, pk_expected;
176
177 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
178 extraparams.ndata = (unsigned char*)aux_rand;
179
180 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
181 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams));
182 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
183 if (msglen == 32) {
184 memset(sig, 0, 64);
185 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand));
186 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
187 }
188
189 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
190 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
191 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
192 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
193}
194
195/* Helper function for schnorrsig_bip_vectors
196 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
197static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) {
198 secp256k1_xonly_pubkey pk;
199
200 CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
201 CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
202}
203
204/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
205 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
206static void test_schnorrsig_bip_vectors(void) {
207 {
208 /* Test vector 0 */
209 const unsigned char sk[32] = {
210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
214 };
215 const unsigned char pk[32] = {
216 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
217 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
218 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
219 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
220 };
221 const unsigned char aux_rand[32] = {
222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
226 };
227 const unsigned char msg[32] = {
228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
232 };
233 const unsigned char sig[64] = {
234 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
235 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
236 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
237 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
238 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
239 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
240 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
241 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
242 };
243 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
244 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
245 }
246 {
247 /* Test vector 1 */
248 const unsigned char sk[32] = {
249 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
250 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
251 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
252 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
253 };
254 const unsigned char pk[32] = {
255 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
256 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
257 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
258 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
259 };
260 const unsigned char aux_rand[32] = {
261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
265 };
266 const unsigned char msg[32] = {
267 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
268 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
269 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
270 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
271 };
272 const unsigned char sig[64] = {
273 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
274 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
275 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
276 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
277 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
278 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
279 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
280 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
281 };
282 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
283 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
284 }
285 {
286 /* Test vector 2 */
287 const unsigned char sk[32] = {
288 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
289 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
290 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
291 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
292 };
293 const unsigned char pk[32] = {
294 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
295 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
296 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
297 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
298 };
299 const unsigned char aux_rand[32] = {
300 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
301 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
302 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
303 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
304 };
305 const unsigned char msg[32] = {
306 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
307 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
308 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
309 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
310 };
311 const unsigned char sig[64] = {
312 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
313 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
314 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
315 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
316 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
317 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
318 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
319 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
320 };
321 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
322 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
323 }
324 {
325 /* Test vector 3 */
326 const unsigned char sk[32] = {
327 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
328 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
329 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
330 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
331 };
332 const unsigned char pk[32] = {
333 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
334 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
335 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
336 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
337 };
338 const unsigned char aux_rand[32] = {
339 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
340 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
341 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
342 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
343 };
344 const unsigned char msg[32] = {
345 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
346 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
347 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
348 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
349 };
350 const unsigned char sig[64] = {
351 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
352 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
353 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
354 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
355 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
356 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
357 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
358 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
359 };
360 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
361 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
362 }
363 {
364 /* Test vector 4 */
365 const unsigned char pk[32] = {
366 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
367 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
368 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
369 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
370 };
371 const unsigned char msg[32] = {
372 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
373 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
374 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
375 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
376 };
377 const unsigned char sig[64] = {
378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
379 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
380 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
381 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
382 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
383 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
384 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
385 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
386 };
387 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
388 }
389 {
390 /* Test vector 5 */
391 const unsigned char pk[32] = {
392 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
393 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
394 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
395 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
396 };
397 secp256k1_xonly_pubkey pk_parsed;
398 /* No need to check the signature of the test vector as parsing the pubkey already fails */
399 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
400 }
401 {
402 /* Test vector 6 */
403 const unsigned char pk[32] = {
404 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
405 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
406 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
407 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
408 };
409 const unsigned char msg[32] = {
410 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
411 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
412 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
413 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
414 };
415 const unsigned char sig[64] = {
416 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
417 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
418 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
419 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
420 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
421 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
422 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
423 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
424 };
425 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
426 }
427 {
428 /* Test vector 7 */
429 const unsigned char pk[32] = {
430 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
431 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
432 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
433 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
434 };
435 const unsigned char msg[32] = {
436 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
437 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
438 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
439 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
440 };
441 const unsigned char sig[64] = {
442 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
443 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
444 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
445 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
446 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
447 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
448 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
449 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
450 };
451 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
452 }
453 {
454 /* Test vector 8 */
455 const unsigned char pk[32] = {
456 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
457 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
458 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
459 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
460 };
461 const unsigned char msg[32] = {
462 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
463 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
464 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
465 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
466 };
467 const unsigned char sig[64] = {
468 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
469 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
470 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
471 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
472 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
473 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
474 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
475 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
476 };
477 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
478 }
479 {
480 /* Test vector 9 */
481 const unsigned char pk[32] = {
482 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
483 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
484 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
485 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
486 };
487 const unsigned char msg[32] = {
488 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
489 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
490 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
491 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
492 };
493 const unsigned char sig[64] = {
494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
499 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
500 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
501 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
502 };
503 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
504 }
505 {
506 /* Test vector 10 */
507 const unsigned char pk[32] = {
508 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
509 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
510 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
511 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
512 };
513 const unsigned char msg[32] = {
514 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
515 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
516 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
517 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
518 };
519 const unsigned char sig[64] = {
520 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
521 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
524 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
525 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
526 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
527 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
528 };
529 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
530 }
531 {
532 /* Test vector 11 */
533 const unsigned char pk[32] = {
534 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
535 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
536 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
537 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
538 };
539 const unsigned char msg[32] = {
540 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
541 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
542 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
543 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
544 };
545 const unsigned char sig[64] = {
546 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
547 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
548 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
549 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
550 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
551 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
552 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
553 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
554 };
555 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
556 }
557 {
558 /* Test vector 12 */
559 const unsigned char pk[32] = {
560 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
561 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
562 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
563 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
564 };
565 const unsigned char msg[32] = {
566 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
567 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
568 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
569 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
570 };
571 const unsigned char sig[64] = {
572 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
573 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
574 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
575 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
576 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
577 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
578 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
579 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
580 };
581 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
582 }
583 {
584 /* Test vector 13 */
585 const unsigned char pk[32] = {
586 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
587 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
588 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
589 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
590 };
591 const unsigned char msg[32] = {
592 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
593 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
594 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
595 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
596 };
597 const unsigned char sig[64] = {
598 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
599 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
600 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
601 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
602 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
603 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
604 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
605 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
606 };
607 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
608 }
609 {
610 /* Test vector 14 */
611 const unsigned char pk[32] = {
612 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
613 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
614 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
615 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
616 };
617 secp256k1_xonly_pubkey pk_parsed;
618 /* No need to check the signature of the test vector as parsing the pubkey already fails */
619 CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
620 }
621 {
622 /* Test vector 15 */
623 const unsigned char sk[32] = {
624 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
625 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
626 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
627 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
628 };
629 const unsigned char pk[32] = {
630 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
631 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
632 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
633 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
634 };
635 const unsigned char aux_rand[32] = {
636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640 };
641 /* const unsigned char msg[0] = {}; */
642 const unsigned char sig[64] = {
643 0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB,
644 0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18,
645 0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC,
646 0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF,
647 0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62,
648 0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64,
649 0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27,
650 0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63,
651 };
652 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig);
653 test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1);
654 }
655 {
656 /* Test vector 16 */
657 const unsigned char sk[32] = {
658 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
659 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
660 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
661 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
662 };
663 const unsigned char pk[32] = {
664 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
665 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
666 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
667 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
668 };
669 const unsigned char aux_rand[32] = {
670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
672 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
673 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
674 };
675 const unsigned char msg[] = { 0x11 };
676 const unsigned char sig[64] = {
677 0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24,
678 0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A,
679 0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35,
680 0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03,
681 0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD,
682 0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96,
683 0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33,
684 0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF,
685 };
686 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
687 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
688 }
689 {
690 /* Test vector 17 */
691 const unsigned char sk[32] = {
692 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
693 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
694 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
695 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
696 };
697 const unsigned char pk[32] = {
698 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
699 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
700 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
701 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
702 };
703 const unsigned char aux_rand[32] = {
704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708 };
709 const unsigned char msg[] = {
710 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
711 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
712 0x11,
713 };
714 const unsigned char sig[64] = {
715 0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B,
716 0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B,
717 0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52,
718 0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70,
719 0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8,
720 0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC,
721 0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51,
722 0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5,
723 };
724 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
725 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
726 }
727 {
728 /* Test vector 18 */
729 const unsigned char sk[32] = {
730 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
731 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
732 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
733 0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
734 };
735 const unsigned char pk[32] = {
736 0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
737 0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
738 0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
739 0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
740 };
741 const unsigned char aux_rand[32] = {
742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
746 };
747 const unsigned char sig[64] = {
748 0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34,
749 0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63,
750 0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F,
751 0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8,
752 0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7,
753 0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23,
754 0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0,
755 0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67,
756 };
757 unsigned char msg[100];
758 memset(msg, 0x99, sizeof(msg));
759 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
760 test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
761 }
762}
763
764/* Nonce function that returns constant 0 */
765static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
766 (void) msg;
767 (void) msglen;
768 (void) key32;
769 (void) xonly_pk32;
770 (void) algo;
771 (void) algolen;
772 (void) data;
773 (void) nonce32;
774 return 0;
775}
776
777/* Nonce function that sets nonce to 0 */
778static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
779 (void) msg;
780 (void) msglen;
781 (void) key32;
782 (void) xonly_pk32;
783 (void) algo;
784 (void) algolen;
785 (void) data;
786
787 memset(nonce32, 0, 32);
788 return 1;
789}
790
791/* Nonce function that sets nonce to 0xFF...0xFF */
792static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
793 (void) msg;
794 (void) msglen;
795 (void) key32;
796 (void) xonly_pk32;
797 (void) algo;
798 (void) algolen;
799 (void) data;
800
801 memset(nonce32, 0xFF, 32);
802 return 1;
803}
804
805static void test_schnorrsig_sign(void) {
806 unsigned char sk[32];
807 secp256k1_xonly_pubkey pk;
808 secp256k1_keypair keypair;
809 const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'};
810 unsigned char sig[64];
811 unsigned char sig2[64];
812 unsigned char zeros64[64] = { 0 };
813 secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
814 unsigned char aux_rand[32];
815
816 testrand256(sk);
817 testrand256(aux_rand);
818 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
819 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
820 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
821 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
822 /* Check that deprecated alias gives the same result */
823 CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
824 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
825
826 /* Test different nonce functions */
827 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
828 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
829 memset(sig, 1, sizeof(sig));
830 extraparams.noncefp = nonce_function_failing;
831 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
832 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
833 memset(&sig, 1, sizeof(sig));
834 extraparams.noncefp = nonce_function_0;
835 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
836 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
837 memset(&sig, 1, sizeof(sig));
838 extraparams.noncefp = nonce_function_overflowing;
839 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
840 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
841
842 /* When using the default nonce function, schnorrsig_sign_custom produces
843 * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
844 extraparams.noncefp = NULL;
845 extraparams.ndata = aux_rand;
846 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
847 CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
848 CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
849}
850
851#define N_SIGS 3
852/* Creates N_SIGS valid signatures and verifies them with verify and
853 * verify_batch (TODO). Then flips some bits and checks that verification now
854 * fails. */
855static void test_schnorrsig_sign_verify(void) {
856 unsigned char sk[32];
857 unsigned char msg[N_SIGS][32];
858 unsigned char sig[N_SIGS][64];
859 size_t i;
860 secp256k1_keypair keypair;
861 secp256k1_xonly_pubkey pk;
862 secp256k1_scalar s;
863
864 testrand256(sk);
865 CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
866 CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
867
868 for (i = 0; i < N_SIGS; i++) {
869 testrand256(msg[i]);
870 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
871 CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
872 }
873
874 {
875 /* Flip a few bits in the signature and in the message and check that
876 * verify and verify_batch (TODO) fail */
877 size_t sig_idx = testrand_int(N_SIGS);
878 size_t byte_idx = testrand_bits(5);
879 unsigned char xorbyte = testrand_int(254)+1;
880 sig[sig_idx][byte_idx] ^= xorbyte;
881 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
882 sig[sig_idx][byte_idx] ^= xorbyte;
883
884 byte_idx = testrand_bits(5);
885 sig[sig_idx][32+byte_idx] ^= xorbyte;
886 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
887 sig[sig_idx][32+byte_idx] ^= xorbyte;
888
889 byte_idx = testrand_bits(5);
890 msg[sig_idx][byte_idx] ^= xorbyte;
891 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
892 msg[sig_idx][byte_idx] ^= xorbyte;
893
894 /* Check that above bitflips have been reversed correctly */
895 CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
896 }
897
898 /* Test overflowing s */
899 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
900 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
901 memset(&sig[0][32], 0xFF, 32);
902 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
903
904 /* Test negative s */
905 CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
906 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
907 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
908 secp256k1_scalar_negate(&s, &s);
909 secp256k1_scalar_get_b32(&sig[0][32], &s);
910 CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
911
912 /* The empty message can be signed & verified */
913 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
914 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
915
916 {
917 /* Test varying message lengths */
918 unsigned char msg_large[32 * 8];
919 uint32_t msglen = testrand_int(sizeof(msg_large));
920 for (i = 0; i < sizeof(msg_large); i += 32) {
921 testrand256(&msg_large[i]);
922 }
923 CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
924 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
925 /* Verification for a random wrong message length fails */
926 msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
927 CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
928 }
929}
930#undef N_SIGS
931
932static void test_schnorrsig_taproot(void) {
933 unsigned char sk[32];
934 secp256k1_keypair keypair;
935 secp256k1_xonly_pubkey internal_pk;
936 unsigned char internal_pk_bytes[32];
937 secp256k1_xonly_pubkey output_pk;
938 unsigned char output_pk_bytes[32];
939 unsigned char tweak[32];
940 int pk_parity;
941 unsigned char msg[32];
942 unsigned char sig[64];
943
944 /* Create output key */
945 testrand256(sk);
946 CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
947 CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
948 /* In actual taproot the tweak would be hash of internal_pk */
949 CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
950 CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
951 CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
952 CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
953
954 /* Key spend */
955 testrand256(msg);
956 CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
957 /* Verify key spend */
958 CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
959 CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
960
961 /* Script spend */
962 CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
963 /* Verify script spend */
964 CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
965 CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
966}
967
968static void run_schnorrsig_tests(void) {
969 int i;
970 run_nonce_function_bip340_tests();
971
972 test_schnorrsig_api();
973 test_schnorrsig_sha256_tagged();
974 test_schnorrsig_bip_vectors();
975 for (i = 0; i < COUNT; i++) {
976 test_schnorrsig_sign();
977 test_schnorrsig_sign_verify();
978 }
979 test_schnorrsig_taproot();
980}
981
982#endif
args
ArgsManager & args
Definition: bitcoind.cpp:277
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
nonce
unsigned int nonce
Definition: miner_tests.cpp:74
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:63
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:104
test_schnorrsig_sign_verify
static void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:855
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:23
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:792
test_schnorrsig_sign
static void test_schnorrsig_sign(void)
Definition: tests_impl.h:805
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig)
Definition: tests_impl.h:172
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected)
Definition: tests_impl.h:197
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:106
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:778
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:932
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:206
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:968
N_SIGS
#define N_SIGS
Definition: tests_impl.h:851
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:765
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:160
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:255
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:197
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:202
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:206
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:221
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_sha256
Definition: hash.h:13
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_int
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
COUNT
static int COUNT
Definition: tests.c:40
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
CTX
static secp256k1_context * CTX
Definition: tests.c:41
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:614
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
Generated on Wed Dec 18 2024 20:00:11 for Bitcoin Core by doxygen 1.9.4