Bitcoin Core  31.0.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 #include "../../unit_test.h"
12 
13 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
14  * bytes) changes the hash function
15  */
16 static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
17  unsigned char nonces[2][32];
18  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
19  testrand_flip(args[n_flip], n_bytes);
20  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
21  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
22 }
23 
24 static void run_nonce_function_bip340_tests(void) {
25  /* "BIP0340/nonce" */
26  static const unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
27  /* "BIP0340/aux" */
28  static const unsigned char aux_tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'a', 'u', 'x'};
29  unsigned char algo[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'n', 'o', 'n', 'c', 'e'};
30  size_t algolen = sizeof(algo);
31  secp256k1_sha256 sha_optimized;
32  unsigned char nonce[32], nonce_z[32];
33  unsigned char msg[32];
34  size_t msglen = sizeof(msg);
35  unsigned char key[32];
36  unsigned char pk[32];
37  unsigned char aux_rand[32];
38  unsigned char *args[5];
39  int i;
40 
41  /* Check that hash initialized by
42  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
43  * state. */
44  secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
45  test_sha256_tag_midstate(&sha_optimized, tag, sizeof(tag));
46 
47 
48  /* Check that hash initialized by
49  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
50  * state. */
51  secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
52  test_sha256_tag_midstate(&sha_optimized, aux_tag, sizeof(aux_tag));
53 
54  testrand256(msg);
55  testrand256(key);
56  testrand256(pk);
57  testrand256(aux_rand);
58 
59  /* Check that a bitflip in an argument results in different nonces. */
60  args[0] = msg;
61  args[1] = key;
62  args[2] = pk;
63  args[3] = algo;
64  args[4] = aux_rand;
65  for (i = 0; i < COUNT; i++) {
66  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
67  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
68  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
69  /* Flip algo special case "BIP0340/nonce" */
70  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
71  /* Flip algo again */
72  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
73  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
74  }
75 
76  /* NULL algo is disallowed */
77  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
78  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
79  /* Other algo is fine */
80  testrand_bytes_test(algo, algolen);
81  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
82 
83  for (i = 0; i < COUNT; i++) {
84  unsigned char nonce2[32];
85  uint32_t offset = testrand_int(msglen - 1);
86  size_t msglen_tmp = (msglen + offset) % msglen;
87  size_t algolen_tmp;
88 
89  /* Different msglen gives different nonce */
90  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
91  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
92 
93  /* Different algolen gives different nonce */
94  offset = testrand_int(algolen - 1);
95  algolen_tmp = (algolen + offset) % algolen;
96  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
97  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
98  }
99 
100  /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
101  memset(aux_rand, 0, 32);
102  CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
103  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
104  CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
105 }
106 
107 static void test_schnorrsig_api(void) {
108  unsigned char sk1[32];
109  unsigned char sk2[32];
110  unsigned char sk3[32];
111  unsigned char msg[32];
112  secp256k1_keypair keypairs[3];
113  secp256k1_keypair invalid_keypair = {{ 0 }};
114  secp256k1_xonly_pubkey pk[3];
115  secp256k1_xonly_pubkey zero_pk;
116  unsigned char sig[64];
117  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
118  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
119 
120  testrand256(sk1);
121  testrand256(sk2);
122  testrand256(sk3);
123  testrand256(msg);
124  CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
125  CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
126  CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
127  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
128  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
129  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
130  memset(&zero_pk, 0, sizeof(zero_pk));
131 
133  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
134  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL));
135  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL));
136  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL));
137  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL));
138  CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL));
139 
140  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
141  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams));
142  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams));
143  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
144  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams));
145  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams));
146  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
147  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams));
148  CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams));
149 
150  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
151  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
152  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]));
153  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]));
154  CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
155  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL));
156  CHECK_ILLEGAL(CTX, secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk));
157 }
158 
159 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
160  * expected state. */
161 static void test_schnorrsig_sha256_tagged(void) {
162  unsigned char tag[] = {'B', 'I', 'P', '0', '3', '4', '0', '/', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'};
163  secp256k1_sha256 sha;
164  secp256k1_sha256 sha_optimized;
165 
166  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
167  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
168  test_sha256_eq(&sha, &sha_optimized);
169 }
170 
171 /* Helper function for schnorrsig_bip_vectors
172  * Signs the message and checks that it's the same as expected_sig. */
173 static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig) {
174  unsigned char sig[64];
175  secp256k1_keypair keypair;
176  secp256k1_xonly_pubkey pk, pk_expected;
177 
178  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
179  extraparams.ndata = (unsigned char*)aux_rand;
180 
181  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
182  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, msglen, &keypair, &extraparams));
183  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
184  if (msglen == 32) {
185  memset(sig, 0, 64);
186  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, aux_rand));
187  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
188  }
189 
190  CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
191  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
192  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
193  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
194 }
195 
196 /* Helper function for schnorrsig_bip_vectors
197  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
198 static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected) {
199  secp256k1_xonly_pubkey pk;
200 
201  CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
202  CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg, msglen, &pk));
203 }
204 
205 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
206  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
207 static void test_schnorrsig_bip_vectors(void) {
208  {
209  /* Test vector 0 */
210  const unsigned char sk[32] = {
211  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
213  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
214  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
215  };
216  const unsigned char pk[32] = {
217  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
218  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
219  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
220  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
221  };
222  const unsigned char aux_rand[32] = {
223  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
226  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
227  };
228  const unsigned char msg[32] = {
229  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
231  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
233  };
234  const unsigned char sig[64] = {
235  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
236  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
237  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
238  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
239  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
240  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
241  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
242  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
243  };
244  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
245  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
246  }
247  {
248  /* Test vector 1 */
249  const unsigned char sk[32] = {
250  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
251  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
252  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
253  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
254  };
255  const unsigned char pk[32] = {
256  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
257  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
258  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
259  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
260  };
261  const unsigned char aux_rand[32] = {
262  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
266  };
267  const unsigned char msg[32] = {
268  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
269  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
270  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
271  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
272  };
273  const unsigned char sig[64] = {
274  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
275  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
276  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
277  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
278  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
279  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
280  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
281  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
282  };
283  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
284  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
285  }
286  {
287  /* Test vector 2 */
288  const unsigned char sk[32] = {
289  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
290  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
291  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
292  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
293  };
294  const unsigned char pk[32] = {
295  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
296  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
297  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
298  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
299  };
300  const unsigned char aux_rand[32] = {
301  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
302  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
303  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
304  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
305  };
306  const unsigned char msg[32] = {
307  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
308  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
309  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
310  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
311  };
312  const unsigned char sig[64] = {
313  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
314  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
315  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
316  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
317  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
318  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
319  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
320  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
321  };
322  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
323  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
324  }
325  {
326  /* Test vector 3 */
327  const unsigned char sk[32] = {
328  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
329  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
330  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
331  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
332  };
333  const unsigned char pk[32] = {
334  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
335  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
336  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
337  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
338  };
339  const unsigned char aux_rand[32] = {
340  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
341  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
342  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
343  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
344  };
345  const unsigned char msg[32] = {
346  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
347  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
348  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
349  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
350  };
351  const unsigned char sig[64] = {
352  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
353  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
354  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
355  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
356  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
357  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
358  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
359  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
360  };
361  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
362  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
363  }
364  {
365  /* Test vector 4 */
366  const unsigned char pk[32] = {
367  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
368  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
369  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
370  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
371  };
372  const unsigned char msg[32] = {
373  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
374  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
375  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
376  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
377  };
378  const unsigned char sig[64] = {
379  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
380  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
381  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
382  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
383  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
384  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
385  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
386  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
387  };
388  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
389  }
390  {
391  /* Test vector 5 */
392  const unsigned char pk[32] = {
393  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
394  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
395  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
396  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
397  };
398  secp256k1_xonly_pubkey pk_parsed;
399  /* No need to check the signature of the test vector as parsing the pubkey already fails */
400  CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
401  }
402  {
403  /* Test vector 6 */
404  const unsigned char pk[32] = {
405  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
406  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
407  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
408  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
409  };
410  const unsigned char msg[32] = {
411  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
412  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
413  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
414  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
415  };
416  const unsigned char sig[64] = {
417  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
418  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
419  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
420  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
421  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
422  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
423  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
424  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
425  };
426  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
427  }
428  {
429  /* Test vector 7 */
430  const unsigned char pk[32] = {
431  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
432  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
433  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
434  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
435  };
436  const unsigned char msg[32] = {
437  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
438  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
439  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
440  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
441  };
442  const unsigned char sig[64] = {
443  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
444  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
445  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
446  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
447  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
448  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
449  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
450  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
451  };
452  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
453  }
454  {
455  /* Test vector 8 */
456  const unsigned char pk[32] = {
457  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
458  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
459  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
460  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
461  };
462  const unsigned char msg[32] = {
463  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
464  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
465  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
466  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
467  };
468  const unsigned char sig[64] = {
469  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
470  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
471  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
472  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
473  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
474  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
475  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
476  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
477  };
478  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
479  }
480  {
481  /* Test vector 9 */
482  const unsigned char pk[32] = {
483  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
484  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
485  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
486  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
487  };
488  const unsigned char msg[32] = {
489  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
490  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
491  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
492  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
493  };
494  const unsigned char sig[64] = {
495  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
496  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
497  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
498  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
499  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
500  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
501  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
502  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
503  };
504  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
505  }
506  {
507  /* Test vector 10 */
508  const unsigned char pk[32] = {
509  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
510  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
511  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
512  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
513  };
514  const unsigned char msg[32] = {
515  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
516  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
517  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
518  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
519  };
520  const unsigned char sig[64] = {
521  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
522  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
523  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
524  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
525  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
526  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
527  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
528  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
529  };
530  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
531  }
532  {
533  /* Test vector 11 */
534  const unsigned char pk[32] = {
535  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
536  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
537  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
538  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
539  };
540  const unsigned char msg[32] = {
541  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
542  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
543  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
544  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
545  };
546  const unsigned char sig[64] = {
547  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
548  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
549  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
550  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
551  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
552  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
553  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
554  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
555  };
556  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
557  }
558  {
559  /* Test vector 12 */
560  const unsigned char pk[32] = {
561  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
562  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
563  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
564  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
565  };
566  const unsigned char msg[32] = {
567  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
568  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
569  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
570  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
571  };
572  const unsigned char sig[64] = {
573  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
574  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
575  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
576  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
577  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
578  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
579  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
580  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
581  };
582  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
583  }
584  {
585  /* Test vector 13 */
586  const unsigned char pk[32] = {
587  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
588  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
589  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
590  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
591  };
592  const unsigned char msg[32] = {
593  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
594  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
595  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
596  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
597  };
598  const unsigned char sig[64] = {
599  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
600  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
601  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
602  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
603  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
604  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
605  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
606  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
607  };
608  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 0);
609  }
610  {
611  /* Test vector 14 */
612  const unsigned char pk[32] = {
613  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
614  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
615  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
616  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
617  };
618  secp256k1_xonly_pubkey pk_parsed;
619  /* No need to check the signature of the test vector as parsing the pubkey already fails */
620  CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
621  }
622  {
623  /* Test vector 15 */
624  const unsigned char sk[32] = {
625  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
626  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
627  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
628  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
629  };
630  const unsigned char pk[32] = {
631  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
632  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
633  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
634  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
635  };
636  const unsigned char aux_rand[32] = {
637  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
638  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
639  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
641  };
642  /* const unsigned char msg[0] = {}; */
643  const unsigned char sig[64] = {
644  0x71, 0x53, 0x5D, 0xB1, 0x65, 0xEC, 0xD9, 0xFB,
645  0xBC, 0x04, 0x6E, 0x5F, 0xFA, 0xEA, 0x61, 0x18,
646  0x6B, 0xB6, 0xAD, 0x43, 0x67, 0x32, 0xFC, 0xCC,
647  0x25, 0x29, 0x1A, 0x55, 0x89, 0x54, 0x64, 0xCF,
648  0x60, 0x69, 0xCE, 0x26, 0xBF, 0x03, 0x46, 0x62,
649  0x28, 0xF1, 0x9A, 0x3A, 0x62, 0xDB, 0x8A, 0x64,
650  0x9F, 0x2D, 0x56, 0x0F, 0xAC, 0x65, 0x28, 0x27,
651  0xD1, 0xAF, 0x05, 0x74, 0xE4, 0x27, 0xAB, 0x63,
652  };
653  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, NULL, 0, sig);
654  test_schnorrsig_bip_vectors_check_verify(pk, NULL, 0, sig, 1);
655  }
656  {
657  /* Test vector 16 */
658  const unsigned char sk[32] = {
659  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
660  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
661  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
662  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
663  };
664  const unsigned char pk[32] = {
665  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
666  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
667  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
668  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
669  };
670  const unsigned char aux_rand[32] = {
671  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
672  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
673  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
674  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
675  };
676  const unsigned char msg[] = { 0x11 };
677  const unsigned char sig[64] = {
678  0x08, 0xA2, 0x0A, 0x0A, 0xFE, 0xF6, 0x41, 0x24,
679  0x64, 0x92, 0x32, 0xE0, 0x69, 0x3C, 0x58, 0x3A,
680  0xB1, 0xB9, 0x93, 0x4A, 0xE6, 0x3B, 0x4C, 0x35,
681  0x11, 0xF3, 0xAE, 0x11, 0x34, 0xC6, 0xA3, 0x03,
682  0xEA, 0x31, 0x73, 0xBF, 0xEA, 0x66, 0x83, 0xBD,
683  0x10, 0x1F, 0xA5, 0xAA, 0x5D, 0xBC, 0x19, 0x96,
684  0xFE, 0x7C, 0xAC, 0xFC, 0x5A, 0x57, 0x7D, 0x33,
685  0xEC, 0x14, 0x56, 0x4C, 0xEC, 0x2B, 0xAC, 0xBF,
686  };
687  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
688  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
689  }
690  {
691  /* Test vector 17 */
692  const unsigned char sk[32] = {
693  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
694  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
695  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
696  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
697  };
698  const unsigned char pk[32] = {
699  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
700  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
701  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
702  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
703  };
704  const unsigned char aux_rand[32] = {
705  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
708  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709  };
710  const unsigned char msg[] = {
711  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
712  0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
713  0x11,
714  };
715  const unsigned char sig[64] = {
716  0x51, 0x30, 0xF3, 0x9A, 0x40, 0x59, 0xB4, 0x3B,
717  0xC7, 0xCA, 0xC0, 0x9A, 0x19, 0xEC, 0xE5, 0x2B,
718  0x5D, 0x86, 0x99, 0xD1, 0xA7, 0x1E, 0x3C, 0x52,
719  0xDA, 0x9A, 0xFD, 0xB6, 0xB5, 0x0A, 0xC3, 0x70,
720  0xC4, 0xA4, 0x82, 0xB7, 0x7B, 0xF9, 0x60, 0xF8,
721  0x68, 0x15, 0x40, 0xE2, 0x5B, 0x67, 0x71, 0xEC,
722  0xE1, 0xE5, 0xA3, 0x7F, 0xD8, 0x0E, 0x5A, 0x51,
723  0x89, 0x7C, 0x55, 0x66, 0xA9, 0x7E, 0xA5, 0xA5,
724  };
725  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
726  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
727  }
728  {
729  /* Test vector 18 */
730  const unsigned char sk[32] = {
731  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
732  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
733  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
734  0x03, 0x40, 0x03, 0x40, 0x03, 0x40, 0x03, 0x40,
735  };
736  const unsigned char pk[32] = {
737  0x77, 0x8C, 0xAA, 0x53, 0xB4, 0x39, 0x3A, 0xC4,
738  0x67, 0x77, 0x4D, 0x09, 0x49, 0x7A, 0x87, 0x22,
739  0x4B, 0xF9, 0xFA, 0xB6, 0xF6, 0xE6, 0x8B, 0x23,
740  0x08, 0x64, 0x97, 0x32, 0x4D, 0x6F, 0xD1, 0x17,
741  };
742  const unsigned char aux_rand[32] = {
743  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
744  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
745  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
746  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
747  };
748  const unsigned char sig[64] = {
749  0x40, 0x3B, 0x12, 0xB0, 0xD8, 0x55, 0x5A, 0x34,
750  0x41, 0x75, 0xEA, 0x7E, 0xC7, 0x46, 0x56, 0x63,
751  0x03, 0x32, 0x1E, 0x5D, 0xBF, 0xA8, 0xBE, 0x6F,
752  0x09, 0x16, 0x35, 0x16, 0x3E, 0xCA, 0x79, 0xA8,
753  0x58, 0x5E, 0xD3, 0xE3, 0x17, 0x08, 0x07, 0xE7,
754  0xC0, 0x3B, 0x72, 0x0F, 0xC5, 0x4C, 0x7B, 0x23,
755  0x89, 0x7F, 0xCB, 0xA0, 0xE9, 0xD0, 0xB4, 0xA0,
756  0x68, 0x94, 0xCF, 0xD2, 0x49, 0xF2, 0x23, 0x67,
757  };
758  unsigned char msg[100];
759  memset(msg, 0x99, sizeof(msg));
760  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sizeof(msg), sig);
761  test_schnorrsig_bip_vectors_check_verify(pk, msg, sizeof(msg), sig, 1);
762  }
763 }
764 
765 /* Nonce function that returns constant 0 */
766 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
767  (void) msg;
768  (void) msglen;
769  (void) key32;
770  (void) xonly_pk32;
771  (void) algo;
772  (void) algolen;
773  (void) data;
774  (void) nonce32;
775  return 0;
776 }
777 
778 /* Nonce function that sets nonce to 0 */
779 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
780  (void) msg;
781  (void) msglen;
782  (void) key32;
783  (void) xonly_pk32;
784  (void) algo;
785  (void) algolen;
786  (void) data;
787 
788  memset(nonce32, 0, 32);
789  return 1;
790 }
791 
792 /* Nonce function that sets nonce to 0xFF...0xFF */
793 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
794  (void) msg;
795  (void) msglen;
796  (void) key32;
797  (void) xonly_pk32;
798  (void) algo;
799  (void) algolen;
800  (void) data;
801 
802  memset(nonce32, 0xFF, 32);
803  return 1;
804 }
805 
806 static void test_schnorrsig_sign_internal(void) {
807  unsigned char sk[32];
808  secp256k1_xonly_pubkey pk;
809  secp256k1_keypair keypair;
810  const unsigned char msg[] = {'t', 'h', 'i', 's', ' ', 'i', 's', ' ', 'a', ' ', 'm', 's', 'g', ' ', 'f', 'o', 'r', ' ', 'a', ' ', 's', 'c', 'h', 'n', 'o', 'r', 'r', 's', 'i', 'g', '.', '.'};
811  unsigned char sig[64];
812  unsigned char sig2[64];
813  unsigned char zeros64[64] = { 0 };
814  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
815  unsigned char aux_rand[32];
816 
817  testrand256(sk);
818  testrand256(aux_rand);
819  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
820  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
821  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
822  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
823  /* Check that deprecated alias gives the same result */
824  CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
825  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
826 
827  /* Test different nonce functions */
828  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
829  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
830  memset(sig, 1, sizeof(sig));
831  extraparams.noncefp = nonce_function_failing;
832  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
833  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
834  memset(&sig, 1, sizeof(sig));
835  extraparams.noncefp = nonce_function_0;
836  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
837  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
838  memset(&sig, 1, sizeof(sig));
839  extraparams.noncefp = nonce_function_overflowing;
840  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
841  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
842 
843  /* When using the default nonce function, schnorrsig_sign_custom produces
844  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
845  extraparams.noncefp = NULL;
846  extraparams.ndata = aux_rand;
847  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
848  CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
849  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
850 }
851 
852 #define N_SIGS 3
853 /* Creates N_SIGS valid signatures and verifies them with verify and
854  * verify_batch (TODO). Then flips some bits and checks that verification now
855  * fails. */
856 static void test_schnorrsig_sign_verify_internal(void) {
857  unsigned char sk[32];
858  unsigned char msg[N_SIGS][32];
859  unsigned char sig[N_SIGS][64];
860  size_t i;
861  secp256k1_keypair keypair;
862  secp256k1_xonly_pubkey pk;
863  secp256k1_scalar s;
864 
865  testrand256(sk);
866  CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
867  CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
868 
869  for (i = 0; i < N_SIGS; i++) {
870  testrand256(msg[i]);
871  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
872  CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
873  }
874 
875  {
876  /* Flip a few bits in the signature and in the message and check that
877  * verify and verify_batch (TODO) fail */
878  size_t sig_idx = testrand_int(N_SIGS);
879  size_t byte_idx = testrand_bits(5);
880  unsigned char xorbyte = testrand_int(254)+1;
881  sig[sig_idx][byte_idx] ^= xorbyte;
882  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
883  sig[sig_idx][byte_idx] ^= xorbyte;
884 
885  byte_idx = testrand_bits(5);
886  sig[sig_idx][32+byte_idx] ^= xorbyte;
887  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
888  sig[sig_idx][32+byte_idx] ^= xorbyte;
889 
890  byte_idx = testrand_bits(5);
891  msg[sig_idx][byte_idx] ^= xorbyte;
892  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
893  msg[sig_idx][byte_idx] ^= xorbyte;
894 
895  /* Check that above bitflips have been reversed correctly */
896  CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
897  }
898 
899  /* Test overflowing s */
900  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
901  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
902  memset(&sig[0][32], 0xFF, 32);
903  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
904 
905  /* Test negative s */
906  CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
907  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
908  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
909  secp256k1_scalar_negate(&s, &s);
910  secp256k1_scalar_get_b32(&sig[0][32], &s);
911  CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
912 
913  /* The empty message can be signed & verified */
914  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
915  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
916 
917  {
918  /* Test varying message lengths */
919  unsigned char msg_large[32 * 8];
920  uint32_t msglen = testrand_int(sizeof(msg_large));
921  for (i = 0; i < sizeof(msg_large); i += 32) {
922  testrand256(&msg_large[i]);
923  }
924  CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
925  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
926  /* Verification for a random wrong message length fails */
927  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
928  CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
929  }
930 }
931 #undef N_SIGS
932 
933 static void test_schnorrsig_taproot(void) {
934  unsigned char sk[32];
935  secp256k1_keypair keypair;
936  secp256k1_xonly_pubkey internal_pk;
937  unsigned char internal_pk_bytes[32];
938  secp256k1_xonly_pubkey output_pk;
939  unsigned char output_pk_bytes[32];
940  unsigned char tweak[32];
941  int pk_parity;
942  unsigned char msg[32];
943  unsigned char sig[64];
944 
945  /* Create output key */
946  testrand256(sk);
947  CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
948  CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
949  /* In actual taproot the tweak would be hash of internal_pk */
950  CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
951  CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
952  CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
953  CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
954 
955  /* Key spend */
956  testrand256(msg);
957  CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
958  /* Verify key spend */
959  CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
960  CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
961 
962  /* Script spend */
963  CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
964  /* Verify script spend */
965  CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
966  CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
967 }
968 
969 /* --- Test registry --- */
970 REPEAT_TEST(test_schnorrsig_sign)
971 REPEAT_TEST(test_schnorrsig_sign_verify)
972 
973 static const struct tf_test_entry tests_schnorrsig[] = {
974  CASE(nonce_function_bip340_tests),
975  CASE1(test_schnorrsig_api),
976  CASE1(test_schnorrsig_sha256_tagged),
977  CASE1(test_schnorrsig_bip_vectors),
978  CASE1(test_schnorrsig_sign),
979  CASE1(test_schnorrsig_sign_verify),
980  CASE1(test_schnorrsig_taproot),
981 };
982 
983 #endif
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
CASE1
#define CASE1(name)
Definition: unit_test.h:25
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:766
nonce
unsigned int nonce
Definition: miner_tests.cpp:82
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:793
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a valid secret key.
Definition: main_impl.h:196
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:205
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_sha256
Definition: hash.h:13
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:255
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:618
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
tests_schnorrsig
static const struct tf_test_entry tests_schnorrsig[]
Definition: tests_impl.h:973
test_schnorrsig_bip_vectors
static void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:207
tweak
static int tweak(const secp256k1_context *ctx, secp256k1_xonly_pubkey *agg_pk, secp256k1_musig_keyagg_cache *cache)
Definition: musig.c:64
test_schnorrsig_sha256_tagged
static void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:161
test_schnorrsig_sign_verify_internal
static void test_schnorrsig_sign_verify_internal(void)
Definition: tests_impl.h:856
testrand_flip
static void testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
N_SIGS
#define N_SIGS
Definition: tests_impl.h:852
test_schnorrsig_bip_vectors_check_verify
static void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg, size_t msglen, const unsigned char *sig, int expected)
Definition: tests_impl.h:198
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
REPEAT_TEST
#define REPEAT_TEST(fn)
Definition: unit_test.h:34
test_schnorrsig_api
static void test_schnorrsig_api(void)
Definition: tests_impl.h:107
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
args
ArgsManager & args
Definition: bitcoind.cpp:277
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
CASE
#define CASE(name)
Definition: unit_test.h:24
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:22
musig_sig_agg_case::expected
unsigned char expected[64]
Definition: vectors.h:298
tf_test_entry
Definition: unit_test.h:51
CTX
static secp256k1_context * CTX
Definition: tests.c:42
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:200
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
test_schnorrsig_bip_vectors_check_signing
static void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg, size_t msglen, const unsigned char *expected_sig)
Definition: tests_impl.h:173
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:209
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
nonce_function_bip340_bitflip
static void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:16
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
testrand_int
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
test_schnorrsig_taproot
static void test_schnorrsig_taproot(void)
Definition: tests_impl.h:933
test_sha256_tag_midstate
static void test_sha256_tag_midstate(secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:627
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:269
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:44
run_nonce_function_bip340_tests
static void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:24
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
secp256k1_keypair_xonly_pub
SECP256K1_API int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:234
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:224
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:779
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
test_schnorrsig_sign_internal
static void test_schnorrsig_sign_internal(void)
Definition: tests_impl.h:806
COUNT
int COUNT
Definition: unit_test.c:23
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:106
Generated on Thu Apr 16 2026 12:00:00 for Bitcoin Core by   doxygen 1.8.14