1 /***********************************************************************
2 * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7 #ifndef _SECP256K1_MODULE_SCHNORRSIG_TESTS_
8 #define _SECP256K1_MODULE_SCHNORRSIG_TESTS_
9
10 #include "secp256k1_schnorrsig.h"
11
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13 * bytes) changes the hash function
14 */
nonce_function_bip340_bitflip(unsigned char ** args,size_t n_flip,size_t n_bytes)15 void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
16 unsigned char nonces[2][32];
17 CHECK(nonce_function_bip340(nonces[0], args[0], args[1], args[2], args[3], args[4]) == 1);
18 secp256k1_testrand_flip(args[n_flip], n_bytes);
19 CHECK(nonce_function_bip340(nonces[1], args[0], args[1], args[2], args[3], args[4]) == 1);
20 CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22
23 /* Tests for the equality of two sha256 structs. This function only produces a
24 * correct result if an integer multiple of 64 many bytes have been written
25 * into the hash functions. */
test_sha256_eq(const secp256k1_sha256 * sha1,const secp256k1_sha256 * sha2)26 void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27 /* Is buffer fully consumed? */
28 CHECK((sha1->bytes & 0x3F) == 0);
29
30 CHECK(sha1->bytes == sha2->bytes);
31 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32 }
33
run_nonce_function_bip340_tests(void)34 void run_nonce_function_bip340_tests(void) {
35 unsigned char tag[13] = "BIP0340/nonce";
36 unsigned char aux_tag[11] = "BIP0340/aux";
37 unsigned char algo16[16] = "BIP0340/nonce\0\0\0";
38 secp256k1_sha256 sha;
39 secp256k1_sha256 sha_optimized;
40 unsigned char nonce[32];
41 unsigned char msg[32];
42 unsigned char key[32];
43 unsigned char pk[32];
44 unsigned char aux_rand[32];
45 unsigned char *args[5];
46 int i;
47
48 /* Check that hash initialized by
49 * secp256k1_nonce_function_bip340_sha256_tagged has the expected
50 * state. */
51 secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
52 secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
53 test_sha256_eq(&sha, &sha_optimized);
54
55 /* Check that hash initialized by
56 * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
57 * state. */
58 secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
59 secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
60 test_sha256_eq(&sha, &sha_optimized);
61
62 secp256k1_testrand256(msg);
63 secp256k1_testrand256(key);
64 secp256k1_testrand256(pk);
65 secp256k1_testrand256(aux_rand);
66
67 /* Check that a bitflip in an argument results in different nonces. */
68 args[0] = msg;
69 args[1] = key;
70 args[2] = pk;
71 args[3] = algo16;
72 args[4] = aux_rand;
73 for (i = 0; i < count; i++) {
74 nonce_function_bip340_bitflip(args, 0, 32);
75 nonce_function_bip340_bitflip(args, 1, 32);
76 nonce_function_bip340_bitflip(args, 2, 32);
77 /* Flip algo16 special case "BIP0340/nonce" */
78 nonce_function_bip340_bitflip(args, 3, 16);
79 /* Flip algo16 again */
80 nonce_function_bip340_bitflip(args, 3, 16);
81 nonce_function_bip340_bitflip(args, 4, 32);
82 }
83
84 /* NULL algo16 is disallowed */
85 CHECK(nonce_function_bip340(nonce, msg, key, pk, NULL, NULL) == 0);
86 /* Empty algo16 is fine */
87 memset(algo16, 0x00, 16);
88 CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
89 /* algo16 with terminating null bytes is fine */
90 algo16[1] = 65;
91 CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
92 /* Other algo16 is fine */
93 memset(algo16, 0xFF, 16);
94 CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
95
96 /* NULL aux_rand argument is allowed. */
97 CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
98 }
99
test_schnorrsig_api(void)100 void test_schnorrsig_api(void) {
101 unsigned char sk1[32];
102 unsigned char sk2[32];
103 unsigned char sk3[32];
104 unsigned char msg[32];
105 secp256k1_keypair keypairs[3];
106 secp256k1_keypair invalid_keypair = { 0 };
107 secp256k1_xonly_pubkey pk[3];
108 secp256k1_xonly_pubkey zero_pk;
109 unsigned char sig[64];
110
111 /** setup **/
112 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
113 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
114 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
115 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
116 int ecount;
117
118 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
119 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
120 secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
121 secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
122 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
123 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
124 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
125 secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
126
127 secp256k1_testrand256(sk1);
128 secp256k1_testrand256(sk2);
129 secp256k1_testrand256(sk3);
130 secp256k1_testrand256(msg);
131 CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
132 CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
133 CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
134 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
135 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
136 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
137 memset(&zero_pk, 0, sizeof(zero_pk));
138
139 /** main test body **/
140 ecount = 0;
141 CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL, NULL) == 0);
142 CHECK(ecount == 1);
143 CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL, NULL) == 0);
144 CHECK(ecount == 2);
145 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1);
146 CHECK(ecount == 2);
147 CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL, NULL) == 0);
148 CHECK(ecount == 3);
149 CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL, NULL) == 0);
150 CHECK(ecount == 4);
151 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL, NULL) == 0);
152 CHECK(ecount == 5);
153 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL, NULL) == 0);
154 CHECK(ecount == 6);
155
156 ecount = 0;
157 CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1);
158 CHECK(secp256k1_schnorrsig_verify(none, sig, msg, &pk[0]) == 0);
159 CHECK(ecount == 1);
160 CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, &pk[0]) == 0);
161 CHECK(ecount == 2);
162 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &pk[0]) == 1);
163 CHECK(ecount == 2);
164 CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0);
165 CHECK(ecount == 3);
166 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, &pk[0]) == 0);
167 CHECK(ecount == 4);
168 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, NULL) == 0);
169 CHECK(ecount == 5);
170 CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &zero_pk) == 0);
171 CHECK(ecount == 6);
172
173 secp256k1_context_destroy(none);
174 secp256k1_context_destroy(sign);
175 secp256k1_context_destroy(vrfy);
176 secp256k1_context_destroy(both);
177 }
178
179 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
180 * expected state. */
test_schnorrsig_sha256_tagged(void)181 void test_schnorrsig_sha256_tagged(void) {
182 char tag[17] = "BIP0340/challenge";
183 secp256k1_sha256 sha;
184 secp256k1_sha256 sha_optimized;
185
186 secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
187 secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
188 test_sha256_eq(&sha, &sha_optimized);
189 }
190
191 /* Helper function for schnorrsig_bip_vectors
192 * Signs the message and checks that it's the same as expected_sig. */
test_schnorrsig_bip_vectors_check_signing(const unsigned char * sk,const unsigned char * pk_serialized,unsigned char * aux_rand,const unsigned char * msg,const unsigned char * expected_sig)193 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg, const unsigned char *expected_sig) {
194 unsigned char sig[64];
195 secp256k1_keypair keypair;
196 secp256k1_xonly_pubkey pk, pk_expected;
197
198 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
199 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, aux_rand));
200 CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
201
202 CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
203 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
204 CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
205 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, &pk));
206 }
207
208 /* Helper function for schnorrsig_bip_vectors
209 * Checks that both verify and verify_batch (TODO) return the same value as expected. */
test_schnorrsig_bip_vectors_check_verify(const unsigned char * pk_serialized,const unsigned char * msg32,const unsigned char * sig,int expected)210 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
211 secp256k1_xonly_pubkey pk;
212
213 CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
214 CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, &pk));
215 }
216
217 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
218 * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
test_schnorrsig_bip_vectors(void)219 void test_schnorrsig_bip_vectors(void) {
220 {
221 /* Test vector 0 */
222 const unsigned char sk[32] = {
223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
227 };
228 const unsigned char pk[32] = {
229 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
230 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
231 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
232 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
233 };
234 unsigned char aux_rand[32] = {
235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
239 };
240 const unsigned char msg[32] = {
241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
245 };
246 const unsigned char sig[64] = {
247 0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
248 0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
249 0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
250 0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
251 0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
252 0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
253 0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
254 0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
255 };
256 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
257 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
258 }
259 {
260 /* Test vector 1 */
261 const unsigned char sk[32] = {
262 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
263 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
264 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
265 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
266 };
267 const unsigned char pk[32] = {
268 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
269 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
270 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
271 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
272 };
273 unsigned char aux_rand[32] = {
274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
278 };
279 const unsigned char msg[32] = {
280 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
281 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
282 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
283 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
284 };
285 const unsigned char sig[64] = {
286 0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
287 0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
288 0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
289 0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
290 0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
291 0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
292 0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
293 0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
294 };
295 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
296 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
297 }
298 {
299 /* Test vector 2 */
300 const unsigned char sk[32] = {
301 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
302 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
303 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
304 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
305 };
306 const unsigned char pk[32] = {
307 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
308 0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
309 0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
310 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
311 };
312 unsigned char aux_rand[32] = {
313 0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
314 0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
315 0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
316 0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
317 };
318 const unsigned char msg[32] = {
319 0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
320 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
321 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
322 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
323 };
324 const unsigned char sig[64] = {
325 0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
326 0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
327 0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
328 0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
329 0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
330 0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
331 0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
332 0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
333 };
334 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
335 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
336 }
337 {
338 /* Test vector 3 */
339 const unsigned char sk[32] = {
340 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
341 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
342 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
343 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
344 };
345 const unsigned char pk[32] = {
346 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
347 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
348 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
349 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
350 };
351 unsigned char aux_rand[32] = {
352 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
353 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
354 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
355 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
356 };
357 const unsigned char msg[32] = {
358 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
359 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
360 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
361 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
362 };
363 const unsigned char sig[64] = {
364 0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
365 0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
366 0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
367 0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
368 0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
369 0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
370 0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
371 0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
372 };
373 test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
374 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
375 }
376 {
377 /* Test vector 4 */
378 const unsigned char pk[32] = {
379 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
380 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
381 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
382 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
383 };
384 const unsigned char msg[32] = {
385 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
386 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
387 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
388 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
389 };
390 const unsigned char sig[64] = {
391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
392 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
393 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
394 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
395 0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
396 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
397 0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
398 0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
399 };
400 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
401 }
402 {
403 /* Test vector 5 */
404 const unsigned char pk[32] = {
405 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
406 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
407 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
408 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
409 };
410 secp256k1_xonly_pubkey pk_parsed;
411 /* No need to check the signature of the test vector as parsing the pubkey already fails */
412 CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
413 }
414 {
415 /* Test vector 6 */
416 const unsigned char pk[32] = {
417 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
418 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
419 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
420 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
421 };
422 const unsigned char msg[32] = {
423 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
424 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
425 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
426 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
427 };
428 const unsigned char sig[64] = {
429 0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
430 0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
431 0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
432 0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
433 0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
434 0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
435 0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
436 0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
437 };
438 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
439 }
440 {
441 /* Test vector 7 */
442 const unsigned char pk[32] = {
443 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
444 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
445 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
446 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
447 };
448 const unsigned char msg[32] = {
449 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
450 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
451 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
452 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
453 };
454 const unsigned char sig[64] = {
455 0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
456 0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
457 0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
458 0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
459 0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
460 0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
461 0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
462 0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
463 };
464 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
465 }
466 {
467 /* Test vector 8 */
468 const unsigned char pk[32] = {
469 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
470 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
471 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
472 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
473 };
474 const unsigned char msg[32] = {
475 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
476 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
477 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
478 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
479 };
480 const unsigned char sig[64] = {
481 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
482 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
483 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
484 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
485 0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
486 0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
487 0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
488 0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
489 };
490 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
491 }
492 {
493 /* Test vector 9 */
494 const unsigned char pk[32] = {
495 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
496 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
497 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
498 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
499 };
500 const unsigned char msg[32] = {
501 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
502 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
503 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
504 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
505 };
506 const unsigned char sig[64] = {
507 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
508 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
510 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
511 0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
512 0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
513 0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
514 0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
515 };
516 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
517 }
518 {
519 /* Test vector 10 */
520 const unsigned char pk[32] = {
521 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
522 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
523 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
524 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
525 };
526 const unsigned char msg[32] = {
527 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
528 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
529 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
530 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
531 };
532 const unsigned char sig[64] = {
533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
534 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
537 0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
538 0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
539 0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
540 0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
541 };
542 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
543 }
544 {
545 /* Test vector 11 */
546 const unsigned char pk[32] = {
547 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
548 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
549 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
550 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
551 };
552 const unsigned char msg[32] = {
553 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
554 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
555 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
556 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
557 };
558 const unsigned char sig[64] = {
559 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
560 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
561 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
562 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
563 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
564 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
565 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
566 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
567 };
568 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
569 }
570 {
571 /* Test vector 12 */
572 const unsigned char pk[32] = {
573 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
574 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
575 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
576 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
577 };
578 const unsigned char msg[32] = {
579 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
580 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
581 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
582 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
583 };
584 const unsigned char sig[64] = {
585 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
586 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
587 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
588 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
589 0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
590 0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
591 0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
592 0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
593 };
594 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
595 }
596 {
597 /* Test vector 13 */
598 const unsigned char pk[32] = {
599 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
600 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
601 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
602 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
603 };
604 const unsigned char msg[32] = {
605 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
606 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
607 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
608 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
609 };
610 const unsigned char sig[64] = {
611 0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
612 0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
613 0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
614 0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
615 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
616 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
617 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
618 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
619 };
620 test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
621 }
622 {
623 /* Test vector 14 */
624 const unsigned char pk[32] = {
625 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
626 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
627 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
628 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
629 };
630 secp256k1_xonly_pubkey pk_parsed;
631 /* No need to check the signature of the test vector as parsing the pubkey already fails */
632 CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
633 }
634 }
635
636 /* Nonce function that returns constant 0 */
nonce_function_failing(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * xonly_pk32,const unsigned char * algo16,void * data)637 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
638 (void) msg32;
639 (void) key32;
640 (void) xonly_pk32;
641 (void) algo16;
642 (void) data;
643 (void) nonce32;
644 return 0;
645 }
646
647 /* Nonce function that sets nonce to 0 */
nonce_function_0(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * xonly_pk32,const unsigned char * algo16,void * data)648 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
649 (void) msg32;
650 (void) key32;
651 (void) xonly_pk32;
652 (void) algo16;
653 (void) data;
654
655 memset(nonce32, 0, 32);
656 return 1;
657 }
658
659 /* Nonce function that sets nonce to 0xFF...0xFF */
nonce_function_overflowing(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * xonly_pk32,const unsigned char * algo16,void * data)660 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
661 (void) msg32;
662 (void) key32;
663 (void) xonly_pk32;
664 (void) algo16;
665 (void) data;
666
667 memset(nonce32, 0xFF, 32);
668 return 1;
669 }
670
test_schnorrsig_sign(void)671 void test_schnorrsig_sign(void) {
672 unsigned char sk[32];
673 secp256k1_keypair keypair;
674 const unsigned char msg[32] = "this is a msg for a schnorrsig..";
675 unsigned char sig[64];
676 unsigned char zeros64[64] = { 0 };
677
678 secp256k1_testrand256(sk);
679 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
680 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1);
681
682 /* Test different nonce functions */
683 memset(sig, 1, sizeof(sig));
684 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_failing, NULL) == 0);
685 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
686 memset(&sig, 1, sizeof(sig));
687 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_0, NULL) == 0);
688 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
689 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_overflowing, NULL) == 1);
690 CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) != 0);
691 }
692
693 #define N_SIGS 3
694 /* Creates N_SIGS valid signatures and verifies them with verify and
695 * verify_batch (TODO). Then flips some bits and checks that verification now
696 * fails. */
test_schnorrsig_sign_verify(void)697 void test_schnorrsig_sign_verify(void) {
698 unsigned char sk[32];
699 unsigned char msg[N_SIGS][32];
700 unsigned char sig[N_SIGS][64];
701 size_t i;
702 secp256k1_keypair keypair;
703 secp256k1_xonly_pubkey pk;
704 secp256k1_scalar s;
705
706 secp256k1_testrand256(sk);
707 CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
708 CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
709
710 for (i = 0; i < N_SIGS; i++) {
711 secp256k1_testrand256(msg[i]);
712 CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL, NULL));
713 CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], &pk));
714 }
715
716 {
717 /* Flip a few bits in the signature and in the message and check that
718 * verify and verify_batch (TODO) fail */
719 size_t sig_idx = secp256k1_testrand_int(N_SIGS);
720 size_t byte_idx = secp256k1_testrand_int(32);
721 unsigned char xorbyte = secp256k1_testrand_int(254)+1;
722 sig[sig_idx][byte_idx] ^= xorbyte;
723 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
724 sig[sig_idx][byte_idx] ^= xorbyte;
725
726 byte_idx = secp256k1_testrand_int(32);
727 sig[sig_idx][32+byte_idx] ^= xorbyte;
728 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
729 sig[sig_idx][32+byte_idx] ^= xorbyte;
730
731 byte_idx = secp256k1_testrand_int(32);
732 msg[sig_idx][byte_idx] ^= xorbyte;
733 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
734 msg[sig_idx][byte_idx] ^= xorbyte;
735
736 /* Check that above bitflips have been reversed correctly */
737 CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
738 }
739
740 /* Test overflowing s */
741 CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL));
742 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
743 memset(&sig[0][32], 0xFF, 32);
744 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
745
746 /* Test negative s */
747 CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL));
748 CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
749 secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
750 secp256k1_scalar_negate(&s, &s);
751 secp256k1_scalar_get_b32(&sig[0][32], &s);
752 CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
753 }
754 #undef N_SIGS
755
test_schnorrsig_taproot(void)756 void test_schnorrsig_taproot(void) {
757 unsigned char sk[32];
758 secp256k1_keypair keypair;
759 secp256k1_xonly_pubkey internal_pk;
760 unsigned char internal_pk_bytes[32];
761 secp256k1_xonly_pubkey output_pk;
762 unsigned char output_pk_bytes[32];
763 unsigned char tweak[32];
764 int pk_parity;
765 unsigned char msg[32];
766 unsigned char sig[64];
767
768 /* Create output key */
769 secp256k1_testrand256(sk);
770 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
771 CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
772 /* In actual taproot the tweak would be hash of internal_pk */
773 CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
774 CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
775 CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
776 CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
777
778 /* Key spend */
779 secp256k1_testrand256(msg);
780 CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1);
781 /* Verify key spend */
782 CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
783 CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, &output_pk) == 1);
784
785 /* Script spend */
786 CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
787 /* Verify script spend */
788 CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
789 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
790 }
791
run_schnorrsig_tests(void)792 void run_schnorrsig_tests(void) {
793 int i;
794 run_nonce_function_bip340_tests();
795
796 test_schnorrsig_api();
797 test_schnorrsig_sha256_tagged();
798 test_schnorrsig_bip_vectors();
799 for (i = 0; i < count; i++) {
800 test_schnorrsig_sign();
801 test_schnorrsig_sign_verify();
802 }
803 test_schnorrsig_taproot();
804 }
805
806 #endif
807