Bitcoin Core  22.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 /* Tests for the equality of two sha256 structs. This function only produces a
24  * correct result if an integer multiple of 64 many bytes have been written
25  * into the hash functions. */
27  /* Is buffer fully consumed? */
28  CHECK((sha1->bytes & 0x3F) == 0);
29 
30  CHECK(sha1->bytes == sha2->bytes);
31  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32 }
33 
35  unsigned char tag[13] = "BIP0340/nonce";
36  unsigned char aux_tag[11] = "BIP0340/aux";
37  unsigned char algo[13] = "BIP0340/nonce";
38  size_t algolen = sizeof(algo);
39  secp256k1_sha256 sha;
40  secp256k1_sha256 sha_optimized;
41  unsigned char nonce[32];
42  unsigned char msg[32];
43  size_t msglen = sizeof(msg);
44  unsigned char key[32];
45  unsigned char pk[32];
46  unsigned char aux_rand[32];
47  unsigned char *args[5];
48  int i;
49 
50  /* Check that hash initialized by
51  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52  * state. */
53  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
55  test_sha256_eq(&sha, &sha_optimized);
56 
57  /* Check that hash initialized by
58  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59  * state. */
60  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
62  test_sha256_eq(&sha, &sha_optimized);
63 
67  secp256k1_testrand256(aux_rand);
68 
69  /* Check that a bitflip in an argument results in different nonces. */
70  args[0] = msg;
71  args[1] = key;
72  args[2] = pk;
73  args[3] = algo;
74  args[4] = aux_rand;
75  for (i = 0; i < count; i++) {
76  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79  /* Flip algo special case "BIP0340/nonce" */
80  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81  /* Flip algo again */
82  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84  }
85 
86  /* NULL algo is disallowed */
87  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89  /* Other algo is fine */
91  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92 
93  for (i = 0; i < count; i++) {
94  unsigned char nonce2[32];
95  uint32_t offset = secp256k1_testrand_int(msglen - 1);
96  size_t msglen_tmp = (msglen + offset) % msglen;
97  size_t algolen_tmp;
98 
99  /* Different msglen gives different nonce */
100  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102 
103  /* Different algolen gives different nonce */
104  offset = secp256k1_testrand_int(algolen - 1);
105  algolen_tmp = (algolen + offset) % algolen;
106  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108  }
109 
110  /* NULL aux_rand argument is allowed. */
111  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
112 }
113 
115  unsigned char sk1[32];
116  unsigned char sk2[32];
117  unsigned char sk3[32];
118  unsigned char msg[32];
119  secp256k1_keypair keypairs[3];
120  secp256k1_keypair invalid_keypair = {{ 0 }};
122  secp256k1_xonly_pubkey zero_pk;
123  unsigned char sig[64];
125  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
126 
132  int ecount;
133 
142 
147  CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
148  CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
149  CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
150  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
151  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
152  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
153  memset(&zero_pk, 0, sizeof(zero_pk));
154 
156  ecount = 0;
157  CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL) == 0);
158  CHECK(ecount == 1);
159  CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL) == 0);
160  CHECK(ecount == 2);
161  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
162  CHECK(ecount == 2);
163  CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL) == 0);
164  CHECK(ecount == 3);
165  CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL) == 0);
166  CHECK(ecount == 4);
167  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL) == 0);
168  CHECK(ecount == 5);
169  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL) == 0);
170  CHECK(ecount == 6);
171 
172  ecount = 0;
173  CHECK(secp256k1_schnorrsig_sign_custom(none, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
174  CHECK(ecount == 1);
175  CHECK(secp256k1_schnorrsig_sign_custom(vrfy, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
176  CHECK(ecount == 2);
177  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
178  CHECK(ecount == 2);
179  CHECK(secp256k1_schnorrsig_sign_custom(sign, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
180  CHECK(ecount == 3);
181  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
182  CHECK(ecount == 4);
183  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
184  CHECK(ecount == 4);
185  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
186  CHECK(ecount == 5);
187  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
188  CHECK(ecount == 6);
189  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
190  CHECK(ecount == 6);
191  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
192  CHECK(ecount == 7);
193 
194  ecount = 0;
195  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
196  CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 0);
197  CHECK(ecount == 1);
198  CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 0);
199  CHECK(ecount == 2);
200  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &pk[0]) == 1);
201  CHECK(ecount == 2);
202  CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, sizeof(msg), &pk[0]) == 0);
203  CHECK(ecount == 3);
204  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, sizeof(msg), &pk[0]) == 0);
205  CHECK(ecount == 4);
206  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, 0, &pk[0]) == 0);
207  CHECK(ecount == 4);
208  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), NULL) == 0);
209  CHECK(ecount == 5);
210  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &zero_pk) == 0);
211  CHECK(ecount == 6);
212 
217 }
218 
219 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
220  * expected state. */
222  unsigned char tag[17] = "BIP0340/challenge";
223  secp256k1_sha256 sha;
224  secp256k1_sha256 sha_optimized;
225 
226  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
227  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
228  test_sha256_eq(&sha, &sha_optimized);
229 }
230 
231 /* Helper function for schnorrsig_bip_vectors
232  * Signs the message and checks that it's the same as expected_sig. */
233 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
234  unsigned char sig[64];
235  secp256k1_keypair keypair;
236  secp256k1_xonly_pubkey pk, pk_expected;
237 
238  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
239  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg32, &keypair, aux_rand));
240  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
241 
242  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
243  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
244  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
245  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
246 }
247 
248 /* Helper function for schnorrsig_bip_vectors
249  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
250 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
252 
253  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
254  CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
255 }
256 
257 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
258  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
260  {
261  /* Test vector 0 */
262  const unsigned char sk[32] = {
263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
267  };
268  const unsigned char pk[32] = {
269  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
270  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
271  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
272  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
273  };
274  unsigned char aux_rand[32] = {
275  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
279  };
280  const unsigned char msg[32] = {
281  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
282  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
283  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
285  };
286  const unsigned char sig[64] = {
287  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
288  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
289  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
290  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
291  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
292  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
293  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
294  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
295  };
296  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
298  }
299  {
300  /* Test vector 1 */
301  const unsigned char sk[32] = {
302  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
303  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
304  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
305  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
306  };
307  const unsigned char pk[32] = {
308  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
309  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
310  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
311  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
312  };
313  unsigned char aux_rand[32] = {
314  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
315  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
316  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
317  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
318  };
319  const unsigned char msg[32] = {
320  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
321  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
322  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
323  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
324  };
325  const unsigned char sig[64] = {
326  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
327  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
328  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
329  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
330  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
331  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
332  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
333  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
334  };
335  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
337  }
338  {
339  /* Test vector 2 */
340  const unsigned char sk[32] = {
341  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
342  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
343  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
344  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
345  };
346  const unsigned char pk[32] = {
347  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
348  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
349  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
350  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
351  };
352  unsigned char aux_rand[32] = {
353  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
354  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
355  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
356  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
357  };
358  const unsigned char msg[32] = {
359  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
360  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
361  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
362  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
363  };
364  const unsigned char sig[64] = {
365  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
366  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
367  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
368  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
369  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
370  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
371  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
372  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
373  };
374  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
376  }
377  {
378  /* Test vector 3 */
379  const unsigned char sk[32] = {
380  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
381  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
382  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
383  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
384  };
385  const unsigned char pk[32] = {
386  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
387  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
388  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
389  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
390  };
391  unsigned char aux_rand[32] = {
392  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
393  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
394  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
395  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
396  };
397  const unsigned char msg[32] = {
398  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
399  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
400  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
401  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
402  };
403  const unsigned char sig[64] = {
404  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
405  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
406  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
407  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
408  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
409  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
410  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
411  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
412  };
413  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
415  }
416  {
417  /* Test vector 4 */
418  const unsigned char pk[32] = {
419  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
420  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
421  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
422  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
423  };
424  const unsigned char msg[32] = {
425  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
426  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
427  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
428  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
429  };
430  const unsigned char sig[64] = {
431  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
432  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
433  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
434  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
435  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
436  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
437  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
438  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
439  };
441  }
442  {
443  /* Test vector 5 */
444  const unsigned char pk[32] = {
445  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
446  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
447  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
448  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
449  };
450  secp256k1_xonly_pubkey pk_parsed;
451  /* No need to check the signature of the test vector as parsing the pubkey already fails */
452  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
453  }
454  {
455  /* Test vector 6 */
456  const unsigned char pk[32] = {
457  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
458  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
459  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
460  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
461  };
462  const unsigned char msg[32] = {
463  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
464  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
465  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
466  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
467  };
468  const unsigned char sig[64] = {
469  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
470  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
471  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
472  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
473  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
474  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
475  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
476  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
477  };
479  }
480  {
481  /* Test vector 7 */
482  const unsigned char pk[32] = {
483  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
484  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
485  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
486  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
487  };
488  const unsigned char msg[32] = {
489  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
490  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
491  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
492  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
493  };
494  const unsigned char sig[64] = {
495  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
496  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
497  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
498  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
499  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
500  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
501  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
502  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
503  };
505  }
506  {
507  /* Test vector 8 */
508  const unsigned char pk[32] = {
509  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
510  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
511  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
512  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
513  };
514  const unsigned char msg[32] = {
515  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
516  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
517  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
518  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
519  };
520  const unsigned char sig[64] = {
521  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
522  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
523  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
524  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
525  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
526  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
527  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
528  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
529  };
531  }
532  {
533  /* Test vector 9 */
534  const unsigned char pk[32] = {
535  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
536  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
537  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
538  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
539  };
540  const unsigned char msg[32] = {
541  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
542  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
543  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
544  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
545  };
546  const unsigned char sig[64] = {
547  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
548  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
549  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
550  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
551  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
552  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
553  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
554  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
555  };
557  }
558  {
559  /* Test vector 10 */
560  const unsigned char pk[32] = {
561  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
562  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
563  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
564  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
565  };
566  const unsigned char msg[32] = {
567  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
568  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
569  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
570  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
571  };
572  const unsigned char sig[64] = {
573  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
574  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
575  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
576  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
577  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
578  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
579  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
580  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
581  };
583  }
584  {
585  /* Test vector 11 */
586  const unsigned char pk[32] = {
587  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
588  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
589  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
590  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
591  };
592  const unsigned char msg[32] = {
593  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
594  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
595  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
596  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
597  };
598  const unsigned char sig[64] = {
599  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
600  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
601  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
602  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
603  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
604  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
605  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
606  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
607  };
609  }
610  {
611  /* Test vector 12 */
612  const unsigned char pk[32] = {
613  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
614  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
615  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
616  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
617  };
618  const unsigned char msg[32] = {
619  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
620  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
621  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
622  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
623  };
624  const unsigned char sig[64] = {
625  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
626  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
627  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
628  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
629  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
630  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
631  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
632  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
633  };
635  }
636  {
637  /* Test vector 13 */
638  const unsigned char pk[32] = {
639  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
640  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
641  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
642  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
643  };
644  const unsigned char msg[32] = {
645  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
646  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
647  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
648  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
649  };
650  const unsigned char sig[64] = {
651  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
652  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
653  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
654  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
655  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
656  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
657  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
658  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
659  };
661  }
662  {
663  /* Test vector 14 */
664  const unsigned char pk[32] = {
665  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
666  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
667  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
668  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
669  };
670  secp256k1_xonly_pubkey pk_parsed;
671  /* No need to check the signature of the test vector as parsing the pubkey already fails */
672  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
673  }
674 }
675 
676 /* Nonce function that returns constant 0 */
677 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
678  (void) msg;
679  (void) msglen;
680  (void) key32;
681  (void) xonly_pk32;
682  (void) algo;
683  (void) algolen;
684  (void) data;
685  (void) nonce32;
686  return 0;
687 }
688 
689 /* Nonce function that sets nonce to 0 */
690 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
691  (void) msg;
692  (void) msglen;
693  (void) key32;
694  (void) xonly_pk32;
695  (void) algo;
696  (void) algolen;
697  (void) data;
698 
699  memset(nonce32, 0, 32);
700  return 1;
701 }
702 
703 /* Nonce function that sets nonce to 0xFF...0xFF */
704 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
705  (void) msg;
706  (void) msglen;
707  (void) key32;
708  (void) xonly_pk32;
709  (void) algo;
710  (void) algolen;
711  (void) data;
712 
713  memset(nonce32, 0xFF, 32);
714  return 1;
715 }
716 
718  unsigned char sk[32];
720  secp256k1_keypair keypair;
721  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
722  unsigned char sig[64];
723  unsigned char sig2[64];
724  unsigned char zeros64[64] = { 0 };
726  unsigned char aux_rand[32];
727 
729  secp256k1_testrand256(aux_rand);
730  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
731  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
732  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
733  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
734 
735  /* Test different nonce functions */
736  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
737  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
738  memset(sig, 1, sizeof(sig));
739  extraparams.noncefp = nonce_function_failing;
740  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
741  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
742  memset(&sig, 1, sizeof(sig));
743  extraparams.noncefp = nonce_function_0;
744  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
745  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
746  memset(&sig, 1, sizeof(sig));
747  extraparams.noncefp = nonce_function_overflowing;
748  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
749  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
750 
751  /* When using the default nonce function, schnorrsig_sign_custom produces
752  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
753  extraparams.noncefp = NULL;
754  extraparams.ndata = aux_rand;
755  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
756  CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
757  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
758 }
759 
760 #define N_SIGS 3
761 /* Creates N_SIGS valid signatures and verifies them with verify and
762  * verify_batch (TODO). Then flips some bits and checks that verification now
763  * fails. */
765  unsigned char sk[32];
766  unsigned char msg[N_SIGS][32];
767  unsigned char sig[N_SIGS][64];
768  size_t i;
769  secp256k1_keypair keypair;
772 
774  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
775  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
776 
777  for (i = 0; i < N_SIGS; i++) {
778  secp256k1_testrand256(msg[i]);
779  CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL));
780  CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
781  }
782 
783  {
784  /* Flip a few bits in the signature and in the message and check that
785  * verify and verify_batch (TODO) fail */
786  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
787  size_t byte_idx = secp256k1_testrand_int(32);
788  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
789  sig[sig_idx][byte_idx] ^= xorbyte;
790  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
791  sig[sig_idx][byte_idx] ^= xorbyte;
792 
793  byte_idx = secp256k1_testrand_int(32);
794  sig[sig_idx][32+byte_idx] ^= xorbyte;
795  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
796  sig[sig_idx][32+byte_idx] ^= xorbyte;
797 
798  byte_idx = secp256k1_testrand_int(32);
799  msg[sig_idx][byte_idx] ^= xorbyte;
800  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
801  msg[sig_idx][byte_idx] ^= xorbyte;
802 
803  /* Check that above bitflips have been reversed correctly */
804  CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
805  }
806 
807  /* Test overflowing s */
808  CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
809  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
810  memset(&sig[0][32], 0xFF, 32);
811  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
812 
813  /* Test negative s */
814  CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
815  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
816  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
817  secp256k1_scalar_negate(&s, &s);
818  secp256k1_scalar_get_b32(&sig[0][32], &s);
819  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
820 
821  /* The empty message can be signed & verified */
822  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
823  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
824 
825  {
826  /* Test varying message lengths */
827  unsigned char msg_large[32 * 8];
828  uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
829  for (i = 0; i < sizeof(msg_large); i += 32) {
830  secp256k1_testrand256(&msg_large[i]);
831  }
832  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
833  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
834  /* Verification for a random wrong message length fails */
835  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
836  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
837  }
838 }
839 #undef N_SIGS
840 
842  unsigned char sk[32];
843  secp256k1_keypair keypair;
844  secp256k1_xonly_pubkey internal_pk;
845  unsigned char internal_pk_bytes[32];
846  secp256k1_xonly_pubkey output_pk;
847  unsigned char output_pk_bytes[32];
848  unsigned char tweak[32];
849  int pk_parity;
850  unsigned char msg[32];
851  unsigned char sig[64];
852 
853  /* Create output key */
855  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
856  CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
857  /* In actual taproot the tweak would be hash of internal_pk */
858  CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
859  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
860  CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
861  CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
862 
863  /* Key spend */
865  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
866  /* Verify key spend */
867  CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
868  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
869 
870  /* Script spend */
871  CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
872  /* Verify script spend */
873  CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
874  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
875 }
876 
878  int i;
880 
884  for (i = 0; i < count; i++) {
887  }
889 }
890 
891 #endif
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:218
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:18
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
count
static int count
Definition: tests.c:41
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:184
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:114
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:185
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:841
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_context_struct
Definition: secp256k1.c:75
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:192
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:235
secp256k1_sha256
Definition: hash.h:13
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:209
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:221
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:202
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:188
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:250
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:158
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:207
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:44
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:259
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:197
secp256k1_test_rng
static secp256k1_rfc6979_hmac_sha256 secp256k1_test_rng
Definition: testrand_impl.h:17
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:690
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:677
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:717
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:96
N_SIGS
#define N_SIGS
Definition: tests_impl.h:760
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:187
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:764
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:704
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:15
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:256
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:877
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
CHECK
#define CHECK(cond)
Definition: util.h:53
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
nonce
unsigned int nonce
Definition: miner_tests.cpp:54
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:233
ctx
static secp256k1_context * ctx
Definition: tests.c:42
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_sha256::bytes
size_t bytes
Definition: hash.h:20
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82