Bitcoin Core  22.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 /* Tests for the equality of two sha256 structs. This function only produces a
24  * correct result if an integer multiple of 64 many bytes have been written
25  * into the hash functions. */
27  /* Is buffer fully consumed? */
28  CHECK((sha1->bytes & 0x3F) == 0);
29 
30  CHECK(sha1->bytes == sha2->bytes);
31  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32 }
33 
35  unsigned char tag[13] = "BIP0340/nonce";
36  unsigned char aux_tag[11] = "BIP0340/aux";
37  unsigned char algo[13] = "BIP0340/nonce";
38  size_t algolen = sizeof(algo);
39  secp256k1_sha256 sha;
40  secp256k1_sha256 sha_optimized;
41  unsigned char nonce[32], nonce_z[32];
42  unsigned char msg[32];
43  size_t msglen = sizeof(msg);
44  unsigned char key[32];
45  unsigned char pk[32];
46  unsigned char aux_rand[32];
47  unsigned char *args[5];
48  int i;
49 
50  /* Check that hash initialized by
51  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52  * state. */
53  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
55  test_sha256_eq(&sha, &sha_optimized);
56 
57  /* Check that hash initialized by
58  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59  * state. */
60  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
62  test_sha256_eq(&sha, &sha_optimized);
63 
67  secp256k1_testrand256(aux_rand);
68 
69  /* Check that a bitflip in an argument results in different nonces. */
70  args[0] = msg;
71  args[1] = key;
72  args[2] = pk;
73  args[3] = algo;
74  args[4] = aux_rand;
75  for (i = 0; i < count; i++) {
76  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79  /* Flip algo special case "BIP0340/nonce" */
80  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81  /* Flip algo again */
82  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84  }
85 
86  /* NULL algo is disallowed */
87  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89  /* Other algo is fine */
91  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92 
93  for (i = 0; i < count; i++) {
94  unsigned char nonce2[32];
95  uint32_t offset = secp256k1_testrand_int(msglen - 1);
96  size_t msglen_tmp = (msglen + offset) % msglen;
97  size_t algolen_tmp;
98 
99  /* Different msglen gives different nonce */
100  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102 
103  /* Different algolen gives different nonce */
104  offset = secp256k1_testrand_int(algolen - 1);
105  algolen_tmp = (algolen + offset) % algolen;
106  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108  }
109 
110  /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
111  memset(aux_rand, 0, 32);
112  CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
113  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
114  CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
115 }
116 
118  unsigned char sk1[32];
119  unsigned char sk2[32];
120  unsigned char sk3[32];
121  unsigned char msg[32];
122  secp256k1_keypair keypairs[3];
123  secp256k1_keypair invalid_keypair = {{ 0 }};
125  secp256k1_xonly_pubkey zero_pk;
126  unsigned char sig[64];
128  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
129 
136  int ecount;
137 
148 
153  CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
154  CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
155  CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
156  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
157  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
158  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
159  memset(&zero_pk, 0, sizeof(zero_pk));
160 
162  ecount = 0;
163  CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL) == 1);
164  CHECK(ecount == 0);
165  CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL) == 1);
166  CHECK(ecount == 0);
167  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
168  CHECK(ecount == 0);
169  CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL) == 0);
170  CHECK(ecount == 1);
171  CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL) == 0);
172  CHECK(ecount == 2);
173  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL) == 0);
174  CHECK(ecount == 3);
175  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL) == 0);
176  CHECK(ecount == 4);
177  CHECK(secp256k1_schnorrsig_sign(sttc, sig, msg, &keypairs[0], NULL) == 0);
178  CHECK(ecount == 5);
179 
180  ecount = 0;
181  CHECK(secp256k1_schnorrsig_sign_custom(none, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
182  CHECK(ecount == 0);
183  CHECK(secp256k1_schnorrsig_sign_custom(vrfy, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
184  CHECK(ecount == 0);
185  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
186  CHECK(ecount == 0);
187  CHECK(secp256k1_schnorrsig_sign_custom(sign, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
188  CHECK(ecount == 1);
189  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
190  CHECK(ecount == 2);
191  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
192  CHECK(ecount == 2);
193  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
194  CHECK(ecount == 3);
195  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
196  CHECK(ecount == 4);
197  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
198  CHECK(ecount == 4);
199  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
200  CHECK(ecount == 5);
201  CHECK(secp256k1_schnorrsig_sign_custom(sttc, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
202  CHECK(ecount == 6);
203 
204  ecount = 0;
205  CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
206  CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 1);
207  CHECK(ecount == 0);
208  CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 1);
209  CHECK(ecount == 0);
210  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &pk[0]) == 1);
211  CHECK(ecount == 0);
212  CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, sizeof(msg), &pk[0]) == 0);
213  CHECK(ecount == 1);
214  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, sizeof(msg), &pk[0]) == 0);
215  CHECK(ecount == 2);
216  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, 0, &pk[0]) == 0);
217  CHECK(ecount == 2);
218  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), NULL) == 0);
219  CHECK(ecount == 3);
220  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &zero_pk) == 0);
221  CHECK(ecount == 4);
222 
228 }
229 
230 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
231  * expected state. */
233  unsigned char tag[17] = "BIP0340/challenge";
234  secp256k1_sha256 sha;
235  secp256k1_sha256 sha_optimized;
236 
237  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
238  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
239  test_sha256_eq(&sha, &sha_optimized);
240 }
241 
242 /* Helper function for schnorrsig_bip_vectors
243  * Signs the message and checks that it's the same as expected_sig. */
244 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
245  unsigned char sig[64];
246  secp256k1_keypair keypair;
247  secp256k1_xonly_pubkey pk, pk_expected;
248 
249  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
250  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg32, &keypair, aux_rand));
251  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
252 
253  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
254  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
255  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
256  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
257 }
258 
259 /* Helper function for schnorrsig_bip_vectors
260  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
261 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
263 
264  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
265  CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
266 }
267 
268 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
269  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
271  {
272  /* Test vector 0 */
273  const unsigned char sk[32] = {
274  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
275  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
278  };
279  const unsigned char pk[32] = {
280  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
281  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
282  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
283  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
284  };
285  unsigned char aux_rand[32] = {
286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
287  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
288  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
289  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
290  };
291  const unsigned char msg[32] = {
292  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
294  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
295  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
296  };
297  const unsigned char sig[64] = {
298  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
299  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
300  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
301  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
302  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
303  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
304  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
305  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
306  };
307  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
309  }
310  {
311  /* Test vector 1 */
312  const unsigned char sk[32] = {
313  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
314  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
315  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
316  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
317  };
318  const unsigned char pk[32] = {
319  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
320  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
321  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
322  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
323  };
324  unsigned char aux_rand[32] = {
325  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
326  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
327  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
328  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
329  };
330  const unsigned char msg[32] = {
331  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
332  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
333  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
334  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
335  };
336  const unsigned char sig[64] = {
337  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
338  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
339  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
340  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
341  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
342  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
343  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
344  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
345  };
346  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
348  }
349  {
350  /* Test vector 2 */
351  const unsigned char sk[32] = {
352  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
353  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
354  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
355  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
356  };
357  const unsigned char pk[32] = {
358  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
359  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
360  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
361  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
362  };
363  unsigned char aux_rand[32] = {
364  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
365  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
366  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
367  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
368  };
369  const unsigned char msg[32] = {
370  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
371  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
372  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
373  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
374  };
375  const unsigned char sig[64] = {
376  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
377  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
378  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
379  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
380  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
381  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
382  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
383  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
384  };
385  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
387  }
388  {
389  /* Test vector 3 */
390  const unsigned char sk[32] = {
391  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
392  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
393  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
394  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
395  };
396  const unsigned char pk[32] = {
397  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
398  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
399  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
400  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
401  };
402  unsigned char aux_rand[32] = {
403  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
404  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
405  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
406  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
407  };
408  const unsigned char msg[32] = {
409  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
410  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
411  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
412  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
413  };
414  const unsigned char sig[64] = {
415  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
416  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
417  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
418  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
419  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
420  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
421  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
422  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
423  };
424  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
426  }
427  {
428  /* Test vector 4 */
429  const unsigned char pk[32] = {
430  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
431  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
432  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
433  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
434  };
435  const unsigned char msg[32] = {
436  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
437  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
438  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
439  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
440  };
441  const unsigned char sig[64] = {
442  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
443  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
444  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
445  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
446  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
447  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
448  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
449  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
450  };
452  }
453  {
454  /* Test vector 5 */
455  const unsigned char pk[32] = {
456  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
457  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
458  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
459  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
460  };
461  secp256k1_xonly_pubkey pk_parsed;
462  /* No need to check the signature of the test vector as parsing the pubkey already fails */
463  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
464  }
465  {
466  /* Test vector 6 */
467  const unsigned char pk[32] = {
468  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
469  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
470  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
471  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
472  };
473  const unsigned char msg[32] = {
474  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
475  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
476  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
477  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
478  };
479  const unsigned char sig[64] = {
480  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
481  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
482  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
483  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
484  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
485  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
486  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
487  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
488  };
490  }
491  {
492  /* Test vector 7 */
493  const unsigned char pk[32] = {
494  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
495  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
496  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
497  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
498  };
499  const unsigned char msg[32] = {
500  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
501  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
502  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
503  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
504  };
505  const unsigned char sig[64] = {
506  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
507  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
508  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
509  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
510  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
511  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
512  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
513  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
514  };
516  }
517  {
518  /* Test vector 8 */
519  const unsigned char pk[32] = {
520  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
521  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
522  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
523  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
524  };
525  const unsigned char msg[32] = {
526  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
527  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
528  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
529  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
530  };
531  const unsigned char sig[64] = {
532  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
533  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
534  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
535  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
536  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
537  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
538  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
539  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
540  };
542  }
543  {
544  /* Test vector 9 */
545  const unsigned char pk[32] = {
546  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
547  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
548  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
549  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
550  };
551  const unsigned char msg[32] = {
552  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
553  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
554  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
555  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
556  };
557  const unsigned char sig[64] = {
558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
562  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
563  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
564  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
565  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
566  };
568  }
569  {
570  /* Test vector 10 */
571  const unsigned char pk[32] = {
572  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
573  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
574  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
575  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
576  };
577  const unsigned char msg[32] = {
578  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
579  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
580  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
581  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
582  };
583  const unsigned char sig[64] = {
584  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
587  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
588  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
589  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
590  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
591  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
592  };
594  }
595  {
596  /* Test vector 11 */
597  const unsigned char pk[32] = {
598  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
599  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
600  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
601  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
602  };
603  const unsigned char msg[32] = {
604  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
605  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
606  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
607  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
608  };
609  const unsigned char sig[64] = {
610  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
611  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
612  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
613  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
614  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
615  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
616  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
617  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
618  };
620  }
621  {
622  /* Test vector 12 */
623  const unsigned char pk[32] = {
624  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
625  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
626  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
627  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
628  };
629  const unsigned char msg[32] = {
630  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
631  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
632  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
633  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
634  };
635  const unsigned char sig[64] = {
636  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
637  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
638  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
639  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
640  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
641  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
642  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
643  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
644  };
646  }
647  {
648  /* Test vector 13 */
649  const unsigned char pk[32] = {
650  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
651  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
652  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
653  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
654  };
655  const unsigned char msg[32] = {
656  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
657  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
658  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
659  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
660  };
661  const unsigned char sig[64] = {
662  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
663  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
664  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
665  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
666  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
667  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
668  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
669  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
670  };
672  }
673  {
674  /* Test vector 14 */
675  const unsigned char pk[32] = {
676  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
677  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
678  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
679  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
680  };
681  secp256k1_xonly_pubkey pk_parsed;
682  /* No need to check the signature of the test vector as parsing the pubkey already fails */
683  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
684  }
685 }
686 
687 /* Nonce function that returns constant 0 */
688 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
689  (void) msg;
690  (void) msglen;
691  (void) key32;
692  (void) xonly_pk32;
693  (void) algo;
694  (void) algolen;
695  (void) data;
696  (void) nonce32;
697  return 0;
698 }
699 
700 /* Nonce function that sets nonce to 0 */
701 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
702  (void) msg;
703  (void) msglen;
704  (void) key32;
705  (void) xonly_pk32;
706  (void) algo;
707  (void) algolen;
708  (void) data;
709 
710  memset(nonce32, 0, 32);
711  return 1;
712 }
713 
714 /* Nonce function that sets nonce to 0xFF...0xFF */
715 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
716  (void) msg;
717  (void) msglen;
718  (void) key32;
719  (void) xonly_pk32;
720  (void) algo;
721  (void) algolen;
722  (void) data;
723 
724  memset(nonce32, 0xFF, 32);
725  return 1;
726 }
727 
729  unsigned char sk[32];
731  secp256k1_keypair keypair;
732  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
733  unsigned char sig[64];
734  unsigned char sig2[64];
735  unsigned char zeros64[64] = { 0 };
737  unsigned char aux_rand[32];
738 
740  secp256k1_testrand256(aux_rand);
741  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
742  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
743  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
744  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
745 
746  /* Test different nonce functions */
747  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
748  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
749  memset(sig, 1, sizeof(sig));
750  extraparams.noncefp = nonce_function_failing;
751  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
752  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
753  memset(&sig, 1, sizeof(sig));
754  extraparams.noncefp = nonce_function_0;
755  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
756  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
757  memset(&sig, 1, sizeof(sig));
758  extraparams.noncefp = nonce_function_overflowing;
759  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
760  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
761 
762  /* When using the default nonce function, schnorrsig_sign_custom produces
763  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
764  extraparams.noncefp = NULL;
765  extraparams.ndata = aux_rand;
766  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
767  CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
768  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
769 }
770 
771 #define N_SIGS 3
772 /* Creates N_SIGS valid signatures and verifies them with verify and
773  * verify_batch (TODO). Then flips some bits and checks that verification now
774  * fails. */
776  unsigned char sk[32];
777  unsigned char msg[N_SIGS][32];
778  unsigned char sig[N_SIGS][64];
779  size_t i;
780  secp256k1_keypair keypair;
783 
785  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
786  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
787 
788  for (i = 0; i < N_SIGS; i++) {
789  secp256k1_testrand256(msg[i]);
790  CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL));
791  CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
792  }
793 
794  {
795  /* Flip a few bits in the signature and in the message and check that
796  * verify and verify_batch (TODO) fail */
797  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
798  size_t byte_idx = secp256k1_testrand_int(32);
799  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
800  sig[sig_idx][byte_idx] ^= xorbyte;
801  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
802  sig[sig_idx][byte_idx] ^= xorbyte;
803 
804  byte_idx = secp256k1_testrand_int(32);
805  sig[sig_idx][32+byte_idx] ^= xorbyte;
806  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
807  sig[sig_idx][32+byte_idx] ^= xorbyte;
808 
809  byte_idx = secp256k1_testrand_int(32);
810  msg[sig_idx][byte_idx] ^= xorbyte;
811  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
812  msg[sig_idx][byte_idx] ^= xorbyte;
813 
814  /* Check that above bitflips have been reversed correctly */
815  CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
816  }
817 
818  /* Test overflowing s */
819  CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
820  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
821  memset(&sig[0][32], 0xFF, 32);
822  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
823 
824  /* Test negative s */
825  CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
826  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
827  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
828  secp256k1_scalar_negate(&s, &s);
829  secp256k1_scalar_get_b32(&sig[0][32], &s);
830  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
831 
832  /* The empty message can be signed & verified */
833  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
834  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
835 
836  {
837  /* Test varying message lengths */
838  unsigned char msg_large[32 * 8];
839  uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
840  for (i = 0; i < sizeof(msg_large); i += 32) {
841  secp256k1_testrand256(&msg_large[i]);
842  }
843  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
844  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
845  /* Verification for a random wrong message length fails */
846  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
847  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
848  }
849 }
850 #undef N_SIGS
851 
853  unsigned char sk[32];
854  secp256k1_keypair keypair;
855  secp256k1_xonly_pubkey internal_pk;
856  unsigned char internal_pk_bytes[32];
857  secp256k1_xonly_pubkey output_pk;
858  unsigned char output_pk_bytes[32];
859  unsigned char tweak[32];
860  int pk_parity;
861  unsigned char msg[32];
862  unsigned char sig[64];
863 
864  /* Create output key */
866  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
867  CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
868  /* In actual taproot the tweak would be hash of internal_pk */
869  CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
870  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
871  CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
872  CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
873 
874  /* Key spend */
876  CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
877  /* Verify key spend */
878  CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
879  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
880 
881  /* Script spend */
882  CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
883  /* Verify script spend */
884  CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
885  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
886 }
887 
889  int i;
891 
895  for (i = 0; i < count; i++) {
898  }
900 }
901 
902 #endif
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:18
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:244
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
count
static int count
Definition: tests.c:31
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:184
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:117
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:185
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:852
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_context_struct
Definition: secp256k1.c:47
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:200
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:221
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:233
secp256k1_sha256
Definition: hash.h:13
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:153
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:232
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:261
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:215
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:270
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:195
secp256k1_test_rng
static secp256k1_rfc6979_hmac_sha256 secp256k1_test_rng
Definition: testrand_impl.h:17
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:701
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:688
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:728
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:134
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
N_SIGS
#define N_SIGS
Definition: tests_impl.h:771
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:187
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:775
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:715
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:15
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:254
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:888
secp256k1_context_no_precomp
const SECP256K1_API secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:169
nonce
unsigned int nonce
Definition: miner_tests.cpp:57
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
ctx
static secp256k1_context * ctx
Definition: tests.c:32
args
ArgsManager args
Definition: notifications.cpp:36
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_sha256::bytes
size_t bytes
Definition: hash.h:20
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82