Bitcoin Core  24.1.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H
8 #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H
9 
10 #include "../../../include/secp256k1_schnorrsig.h"
11 
12 /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
13  * bytes) changes the hash function
14  */
15 void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
16  unsigned char nonces[2][32];
17  CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
18  secp256k1_testrand_flip(args[n_flip], n_bytes);
19  CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
20  CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
21 }
22 
23 /* Tests for the equality of two sha256 structs. This function only produces a
24  * correct result if an integer multiple of 64 many bytes have been written
25  * into the hash functions. */
26 void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
27  /* Is buffer fully consumed? */
28  CHECK((sha1->bytes & 0x3F) == 0);
29 
30  CHECK(sha1->bytes == sha2->bytes);
31  CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
32 }
33 
34 void run_nonce_function_bip340_tests(void) {
35  unsigned char tag[13] = "BIP0340/nonce";
36  unsigned char aux_tag[11] = "BIP0340/aux";
37  unsigned char algo[13] = "BIP0340/nonce";
38  size_t algolen = sizeof(algo);
39  secp256k1_sha256 sha;
40  secp256k1_sha256 sha_optimized;
41  unsigned char nonce[32], nonce_z[32];
42  unsigned char msg[32];
43  size_t msglen = sizeof(msg);
44  unsigned char key[32];
45  unsigned char pk[32];
46  unsigned char aux_rand[32];
47  unsigned char *args[5];
48  int i;
49 
50  /* Check that hash initialized by
51  * secp256k1_nonce_function_bip340_sha256_tagged has the expected
52  * state. */
53  secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag));
54  secp256k1_nonce_function_bip340_sha256_tagged(&sha_optimized);
55  test_sha256_eq(&sha, &sha_optimized);
56 
57  /* Check that hash initialized by
58  * secp256k1_nonce_function_bip340_sha256_tagged_aux has the expected
59  * state. */
60  secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag));
61  secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha_optimized);
62  test_sha256_eq(&sha, &sha_optimized);
63 
64  secp256k1_testrand256(msg);
65  secp256k1_testrand256(key);
66  secp256k1_testrand256(pk);
67  secp256k1_testrand256(aux_rand);
68 
69  /* Check that a bitflip in an argument results in different nonces. */
70  args[0] = msg;
71  args[1] = key;
72  args[2] = pk;
73  args[3] = algo;
74  args[4] = aux_rand;
75  for (i = 0; i < count; i++) {
76  nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
77  nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
78  nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
79  /* Flip algo special case "BIP0340/nonce" */
80  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
81  /* Flip algo again */
82  nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
83  nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
84  }
85 
86  /* NULL algo is disallowed */
87  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
88  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
89  /* Other algo is fine */
90  secp256k1_testrand_bytes_test(algo, algolen);
91  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
92 
93  for (i = 0; i < count; i++) {
94  unsigned char nonce2[32];
95  uint32_t offset = secp256k1_testrand_int(msglen - 1);
96  size_t msglen_tmp = (msglen + offset) % msglen;
97  size_t algolen_tmp;
98 
99  /* Different msglen gives different nonce */
100  CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
101  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
102 
103  /* Different algolen gives different nonce */
104  offset = secp256k1_testrand_int(algolen - 1);
105  algolen_tmp = (algolen + offset) % algolen;
106  CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
107  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
108  }
109 
110  /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */
111  memset(aux_rand, 0, 32);
112  CHECK(nonce_function_bip340(nonce_z, msg, msglen, key, pk, algo, algolen, &aux_rand) == 1);
113  CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
114  CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0);
115 }
116 
117 void test_schnorrsig_api(void) {
118  unsigned char sk1[32];
119  unsigned char sk2[32];
120  unsigned char sk3[32];
121  unsigned char msg[32];
122  secp256k1_keypair keypairs[3];
123  secp256k1_keypair invalid_keypair = {{ 0 }};
124  secp256k1_xonly_pubkey pk[3];
125  secp256k1_xonly_pubkey zero_pk;
126  unsigned char sig[64];
127  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
128  secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
129 
131  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
132  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
133  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
134  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
135  secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
136  int ecount;
137 
138  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
139  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
140  secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
141  secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
142  secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
143  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
144  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
145  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
146  secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
147  secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
148 
149  secp256k1_testrand256(sk1);
150  secp256k1_testrand256(sk2);
151  secp256k1_testrand256(sk3);
152  secp256k1_testrand256(msg);
153  CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
154  CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
155  CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
156  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
157  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
158  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
159  memset(&zero_pk, 0, sizeof(zero_pk));
160 
162  ecount = 0;
163  CHECK(secp256k1_schnorrsig_sign32(none, sig, msg, &keypairs[0], NULL) == 1);
164  CHECK(ecount == 0);
165  CHECK(secp256k1_schnorrsig_sign32(vrfy, sig, msg, &keypairs[0], NULL) == 1);
166  CHECK(ecount == 0);
167  CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &keypairs[0], NULL) == 1);
168  CHECK(ecount == 0);
169  CHECK(secp256k1_schnorrsig_sign32(sign, NULL, msg, &keypairs[0], NULL) == 0);
170  CHECK(ecount == 1);
171  CHECK(secp256k1_schnorrsig_sign32(sign, sig, NULL, &keypairs[0], NULL) == 0);
172  CHECK(ecount == 2);
173  CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, NULL, NULL) == 0);
174  CHECK(ecount == 3);
175  CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &invalid_keypair, NULL) == 0);
176  CHECK(ecount == 4);
177  CHECK(secp256k1_schnorrsig_sign32(sttc, sig, msg, &keypairs[0], NULL) == 0);
178  CHECK(ecount == 5);
179 
180  ecount = 0;
181  CHECK(secp256k1_schnorrsig_sign_custom(none, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
182  CHECK(ecount == 0);
183  CHECK(secp256k1_schnorrsig_sign_custom(vrfy, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
184  CHECK(ecount == 0);
185  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
186  CHECK(ecount == 0);
187  CHECK(secp256k1_schnorrsig_sign_custom(sign, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
188  CHECK(ecount == 1);
189  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
190  CHECK(ecount == 2);
191  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
192  CHECK(ecount == 2);
193  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
194  CHECK(ecount == 3);
195  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
196  CHECK(ecount == 4);
197  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
198  CHECK(ecount == 4);
199  CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
200  CHECK(ecount == 5);
201  CHECK(secp256k1_schnorrsig_sign_custom(sttc, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
202  CHECK(ecount == 6);
203 
204  ecount = 0;
205  CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &keypairs[0], NULL) == 1);
206  CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 1);
207  CHECK(ecount == 0);
208  CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 1);
209  CHECK(ecount == 0);
210  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &pk[0]) == 1);
211  CHECK(ecount == 0);
212  CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, sizeof(msg), &pk[0]) == 0);
213  CHECK(ecount == 1);
214  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, sizeof(msg), &pk[0]) == 0);
215  CHECK(ecount == 2);
216  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, 0, &pk[0]) == 0);
217  CHECK(ecount == 2);
218  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), NULL) == 0);
219  CHECK(ecount == 3);
220  CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &zero_pk) == 0);
221  CHECK(ecount == 4);
222 
223  secp256k1_context_destroy(none);
224  secp256k1_context_destroy(sign);
225  secp256k1_context_destroy(vrfy);
226  secp256k1_context_destroy(both);
227  secp256k1_context_destroy(sttc);
228 }
229 
230 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
231  * expected state. */
232 void test_schnorrsig_sha256_tagged(void) {
233  unsigned char tag[17] = "BIP0340/challenge";
234  secp256k1_sha256 sha;
235  secp256k1_sha256 sha_optimized;
236 
237  secp256k1_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag));
238  secp256k1_schnorrsig_sha256_tagged(&sha_optimized);
239  test_sha256_eq(&sha, &sha_optimized);
240 }
241 
242 /* Helper function for schnorrsig_bip_vectors
243  * Signs the message and checks that it's the same as expected_sig. */
244 void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
245  unsigned char sig[64];
246  secp256k1_keypair keypair;
247  secp256k1_xonly_pubkey pk, pk_expected;
248 
249  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
250  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg32, &keypair, aux_rand));
251  CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
252 
253  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
254  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
255  CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
256  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
257 }
258 
259 /* Helper function for schnorrsig_bip_vectors
260  * Checks that both verify and verify_batch (TODO) return the same value as expected. */
261 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
262  secp256k1_xonly_pubkey pk;
263 
264  CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
265  CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
266 }
267 
268 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
269  * https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv. */
270 void test_schnorrsig_bip_vectors(void) {
271  {
272  /* Test vector 0 */
273  const unsigned char sk[32] = {
274  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
275  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
278  };
279  const unsigned char pk[32] = {
280  0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10,
281  0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29,
282  0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0,
283  0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9
284  };
285  unsigned char aux_rand[32] = {
286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
287  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
288  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
289  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
290  };
291  const unsigned char msg[32] = {
292  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
294  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
295  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
296  };
297  const unsigned char sig[64] = {
298  0xE9, 0x07, 0x83, 0x1F, 0x80, 0x84, 0x8D, 0x10,
299  0x69, 0xA5, 0x37, 0x1B, 0x40, 0x24, 0x10, 0x36,
300  0x4B, 0xDF, 0x1C, 0x5F, 0x83, 0x07, 0xB0, 0x08,
301  0x4C, 0x55, 0xF1, 0xCE, 0x2D, 0xCA, 0x82, 0x15,
302  0x25, 0xF6, 0x6A, 0x4A, 0x85, 0xEA, 0x8B, 0x71,
303  0xE4, 0x82, 0xA7, 0x4F, 0x38, 0x2D, 0x2C, 0xE5,
304  0xEB, 0xEE, 0xE8, 0xFD, 0xB2, 0x17, 0x2F, 0x47,
305  0x7D, 0xF4, 0x90, 0x0D, 0x31, 0x05, 0x36, 0xC0
306  };
307  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
308  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
309  }
310  {
311  /* Test vector 1 */
312  const unsigned char sk[32] = {
313  0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A,
314  0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7,
315  0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56,
316  0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF
317  };
318  const unsigned char pk[32] = {
319  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
320  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
321  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
322  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
323  };
324  unsigned char aux_rand[32] = {
325  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
326  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
327  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
328  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
329  };
330  const unsigned char msg[32] = {
331  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
332  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
333  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
334  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
335  };
336  const unsigned char sig[64] = {
337  0x68, 0x96, 0xBD, 0x60, 0xEE, 0xAE, 0x29, 0x6D,
338  0xB4, 0x8A, 0x22, 0x9F, 0xF7, 0x1D, 0xFE, 0x07,
339  0x1B, 0xDE, 0x41, 0x3E, 0x6D, 0x43, 0xF9, 0x17,
340  0xDC, 0x8D, 0xCF, 0x8C, 0x78, 0xDE, 0x33, 0x41,
341  0x89, 0x06, 0xD1, 0x1A, 0xC9, 0x76, 0xAB, 0xCC,
342  0xB2, 0x0B, 0x09, 0x12, 0x92, 0xBF, 0xF4, 0xEA,
343  0x89, 0x7E, 0xFC, 0xB6, 0x39, 0xEA, 0x87, 0x1C,
344  0xFA, 0x95, 0xF6, 0xDE, 0x33, 0x9E, 0x4B, 0x0A
345  };
346  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
347  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
348  }
349  {
350  /* Test vector 2 */
351  const unsigned char sk[32] = {
352  0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
353  0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
354  0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
355  0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC9
356  };
357  const unsigned char pk[32] = {
358  0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13,
359  0x12, 0x1F, 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC,
360  0x01, 0x39, 0x71, 0x53, 0x09, 0xB0, 0x86, 0xC9,
361  0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8
362  };
363  unsigned char aux_rand[32] = {
364  0xC8, 0x7A, 0xA5, 0x38, 0x24, 0xB4, 0xD7, 0xAE,
365  0x2E, 0xB0, 0x35, 0xA2, 0xB5, 0xBB, 0xBC, 0xCC,
366  0x08, 0x0E, 0x76, 0xCD, 0xC6, 0xD1, 0x69, 0x2C,
367  0x4B, 0x0B, 0x62, 0xD7, 0x98, 0xE6, 0xD9, 0x06
368  };
369  const unsigned char msg[32] = {
370  0x7E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A,
371  0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D,
372  0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33,
373  0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C
374  };
375  const unsigned char sig[64] = {
376  0x58, 0x31, 0xAA, 0xEE, 0xD7, 0xB4, 0x4B, 0xB7,
377  0x4E, 0x5E, 0xAB, 0x94, 0xBA, 0x9D, 0x42, 0x94,
378  0xC4, 0x9B, 0xCF, 0x2A, 0x60, 0x72, 0x8D, 0x8B,
379  0x4C, 0x20, 0x0F, 0x50, 0xDD, 0x31, 0x3C, 0x1B,
380  0xAB, 0x74, 0x58, 0x79, 0xA5, 0xAD, 0x95, 0x4A,
381  0x72, 0xC4, 0x5A, 0x91, 0xC3, 0xA5, 0x1D, 0x3C,
382  0x7A, 0xDE, 0xA9, 0x8D, 0x82, 0xF8, 0x48, 0x1E,
383  0x0E, 0x1E, 0x03, 0x67, 0x4A, 0x6F, 0x3F, 0xB7
384  };
385  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
386  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
387  }
388  {
389  /* Test vector 3 */
390  const unsigned char sk[32] = {
391  0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81,
392  0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0,
393  0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54,
394  0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10
395  };
396  const unsigned char pk[32] = {
397  0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25,
398  0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD,
399  0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A,
400  0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17
401  };
402  unsigned char aux_rand[32] = {
403  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
404  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
405  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
406  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
407  };
408  const unsigned char msg[32] = {
409  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
410  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
411  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
412  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
413  };
414  const unsigned char sig[64] = {
415  0x7E, 0xB0, 0x50, 0x97, 0x57, 0xE2, 0x46, 0xF1,
416  0x94, 0x49, 0x88, 0x56, 0x51, 0x61, 0x1C, 0xB9,
417  0x65, 0xEC, 0xC1, 0xA1, 0x87, 0xDD, 0x51, 0xB6,
418  0x4F, 0xDA, 0x1E, 0xDC, 0x96, 0x37, 0xD5, 0xEC,
419  0x97, 0x58, 0x2B, 0x9C, 0xB1, 0x3D, 0xB3, 0x93,
420  0x37, 0x05, 0xB3, 0x2B, 0xA9, 0x82, 0xAF, 0x5A,
421  0xF2, 0x5F, 0xD7, 0x88, 0x81, 0xEB, 0xB3, 0x27,
422  0x71, 0xFC, 0x59, 0x22, 0xEF, 0xC6, 0x6E, 0xA3
423  };
424  test_schnorrsig_bip_vectors_check_signing(sk, pk, aux_rand, msg, sig);
425  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
426  }
427  {
428  /* Test vector 4 */
429  const unsigned char pk[32] = {
430  0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12,
431  0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83,
432  0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA,
433  0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9
434  };
435  const unsigned char msg[32] = {
436  0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2,
437  0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24,
438  0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B,
439  0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03
440  };
441  const unsigned char sig[64] = {
442  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
443  0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F,
444  0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28,
445  0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63,
446  0x76, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, 0xB3,
447  0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, 0x10,
448  0x60, 0xCB, 0x71, 0xC0, 0x4E, 0x80, 0xF5, 0x93,
449  0x06, 0x0B, 0x07, 0xD2, 0x83, 0x08, 0xD7, 0xF4
450  };
451  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 1);
452  }
453  {
454  /* Test vector 5 */
455  const unsigned char pk[32] = {
456  0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50,
457  0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21,
458  0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87,
459  0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34
460  };
461  secp256k1_xonly_pubkey pk_parsed;
462  /* No need to check the signature of the test vector as parsing the pubkey already fails */
463  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
464  }
465  {
466  /* Test vector 6 */
467  const unsigned char pk[32] = {
468  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
469  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
470  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
471  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
472  };
473  const unsigned char msg[32] = {
474  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
475  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
476  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
477  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
478  };
479  const unsigned char sig[64] = {
480  0xFF, 0xF9, 0x7B, 0xD5, 0x75, 0x5E, 0xEE, 0xA4,
481  0x20, 0x45, 0x3A, 0x14, 0x35, 0x52, 0x35, 0xD3,
482  0x82, 0xF6, 0x47, 0x2F, 0x85, 0x68, 0xA1, 0x8B,
483  0x2F, 0x05, 0x7A, 0x14, 0x60, 0x29, 0x75, 0x56,
484  0x3C, 0xC2, 0x79, 0x44, 0x64, 0x0A, 0xC6, 0x07,
485  0xCD, 0x10, 0x7A, 0xE1, 0x09, 0x23, 0xD9, 0xEF,
486  0x7A, 0x73, 0xC6, 0x43, 0xE1, 0x66, 0xBE, 0x5E,
487  0xBE, 0xAF, 0xA3, 0x4B, 0x1A, 0xC5, 0x53, 0xE2
488  };
489  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
490  }
491  {
492  /* Test vector 7 */
493  const unsigned char pk[32] = {
494  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
495  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
496  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
497  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
498  };
499  const unsigned char msg[32] = {
500  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
501  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
502  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
503  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
504  };
505  const unsigned char sig[64] = {
506  0x1F, 0xA6, 0x2E, 0x33, 0x1E, 0xDB, 0xC2, 0x1C,
507  0x39, 0x47, 0x92, 0xD2, 0xAB, 0x11, 0x00, 0xA7,
508  0xB4, 0x32, 0xB0, 0x13, 0xDF, 0x3F, 0x6F, 0xF4,
509  0xF9, 0x9F, 0xCB, 0x33, 0xE0, 0xE1, 0x51, 0x5F,
510  0x28, 0x89, 0x0B, 0x3E, 0xDB, 0x6E, 0x71, 0x89,
511  0xB6, 0x30, 0x44, 0x8B, 0x51, 0x5C, 0xE4, 0xF8,
512  0x62, 0x2A, 0x95, 0x4C, 0xFE, 0x54, 0x57, 0x35,
513  0xAA, 0xEA, 0x51, 0x34, 0xFC, 0xCD, 0xB2, 0xBD
514  };
515  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
516  }
517  {
518  /* Test vector 8 */
519  const unsigned char pk[32] = {
520  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
521  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
522  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
523  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
524  };
525  const unsigned char msg[32] = {
526  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
527  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
528  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
529  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
530  };
531  const unsigned char sig[64] = {
532  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
533  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
534  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
535  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
536  0x96, 0x17, 0x64, 0xB3, 0xAA, 0x9B, 0x2F, 0xFC,
537  0xB6, 0xEF, 0x94, 0x7B, 0x68, 0x87, 0xA2, 0x26,
538  0xE8, 0xD7, 0xC9, 0x3E, 0x00, 0xC5, 0xED, 0x0C,
539  0x18, 0x34, 0xFF, 0x0D, 0x0C, 0x2E, 0x6D, 0xA6
540  };
541  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
542  }
543  {
544  /* Test vector 9 */
545  const unsigned char pk[32] = {
546  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
547  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
548  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
549  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
550  };
551  const unsigned char msg[32] = {
552  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
553  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
554  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
555  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
556  };
557  const unsigned char sig[64] = {
558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
560  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
561  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
562  0x12, 0x3D, 0xDA, 0x83, 0x28, 0xAF, 0x9C, 0x23,
563  0xA9, 0x4C, 0x1F, 0xEE, 0xCF, 0xD1, 0x23, 0xBA,
564  0x4F, 0xB7, 0x34, 0x76, 0xF0, 0xD5, 0x94, 0xDC,
565  0xB6, 0x5C, 0x64, 0x25, 0xBD, 0x18, 0x60, 0x51
566  };
567  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
568  }
569  {
570  /* Test vector 10 */
571  const unsigned char pk[32] = {
572  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
573  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
574  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
575  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
576  };
577  const unsigned char msg[32] = {
578  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
579  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
580  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
581  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
582  };
583  const unsigned char sig[64] = {
584  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
587  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
588  0x76, 0x15, 0xFB, 0xAF, 0x5A, 0xE2, 0x88, 0x64,
589  0x01, 0x3C, 0x09, 0x97, 0x42, 0xDE, 0xAD, 0xB4,
590  0xDB, 0xA8, 0x7F, 0x11, 0xAC, 0x67, 0x54, 0xF9,
591  0x37, 0x80, 0xD5, 0xA1, 0x83, 0x7C, 0xF1, 0x97
592  };
593  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
594  }
595  {
596  /* Test vector 11 */
597  const unsigned char pk[32] = {
598  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
599  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
600  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
601  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
602  };
603  const unsigned char msg[32] = {
604  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
605  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
606  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
607  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
608  };
609  const unsigned char sig[64] = {
610  0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A,
611  0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB,
612  0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7,
613  0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D,
614  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
615  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
616  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
617  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
618  };
619  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
620  }
621  {
622  /* Test vector 12 */
623  const unsigned char pk[32] = {
624  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
625  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
626  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
627  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
628  };
629  const unsigned char msg[32] = {
630  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
631  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
632  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
633  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
634  };
635  const unsigned char sig[64] = {
636  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
637  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
638  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
639  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
640  0x69, 0xE8, 0x9B, 0x4C, 0x55, 0x64, 0xD0, 0x03,
641  0x49, 0x10, 0x6B, 0x84, 0x97, 0x78, 0x5D, 0xD7,
642  0xD1, 0xD7, 0x13, 0xA8, 0xAE, 0x82, 0xB3, 0x2F,
643  0xA7, 0x9D, 0x5F, 0x7F, 0xC4, 0x07, 0xD3, 0x9B
644  };
645  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
646  }
647  {
648  /* Test vector 13 */
649  const unsigned char pk[32] = {
650  0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F,
651  0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE,
652  0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8,
653  0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59
654  };
655  const unsigned char msg[32] = {
656  0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3,
657  0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44,
658  0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0,
659  0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89
660  };
661  const unsigned char sig[64] = {
662  0x6C, 0xFF, 0x5C, 0x3B, 0xA8, 0x6C, 0x69, 0xEA,
663  0x4B, 0x73, 0x76, 0xF3, 0x1A, 0x9B, 0xCB, 0x4F,
664  0x74, 0xC1, 0x97, 0x60, 0x89, 0xB2, 0xD9, 0x96,
665  0x3D, 0xA2, 0xE5, 0x54, 0x3E, 0x17, 0x77, 0x69,
666  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
667  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
668  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
669  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
670  };
671  test_schnorrsig_bip_vectors_check_verify(pk, msg, sig, 0);
672  }
673  {
674  /* Test vector 14 */
675  const unsigned char pk[32] = {
676  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
677  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
678  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
679  0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
680  };
681  secp256k1_xonly_pubkey pk_parsed;
682  /* No need to check the signature of the test vector as parsing the pubkey already fails */
683  CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
684  }
685 }
686 
687 /* Nonce function that returns constant 0 */
688 static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
689  (void) msg;
690  (void) msglen;
691  (void) key32;
692  (void) xonly_pk32;
693  (void) algo;
694  (void) algolen;
695  (void) data;
696  (void) nonce32;
697  return 0;
698 }
699 
700 /* Nonce function that sets nonce to 0 */
701 static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
702  (void) msg;
703  (void) msglen;
704  (void) key32;
705  (void) xonly_pk32;
706  (void) algo;
707  (void) algolen;
708  (void) data;
709 
710  memset(nonce32, 0, 32);
711  return 1;
712 }
713 
714 /* Nonce function that sets nonce to 0xFF...0xFF */
715 static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
716  (void) msg;
717  (void) msglen;
718  (void) key32;
719  (void) xonly_pk32;
720  (void) algo;
721  (void) algolen;
722  (void) data;
723 
724  memset(nonce32, 0xFF, 32);
725  return 1;
726 }
727 
728 void test_schnorrsig_sign(void) {
729  unsigned char sk[32];
730  secp256k1_xonly_pubkey pk;
731  secp256k1_keypair keypair;
732  const unsigned char msg[32] = "this is a msg for a schnorrsig..";
733  unsigned char sig[64];
734  unsigned char sig2[64];
735  unsigned char zeros64[64] = { 0 };
736  secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
737  unsigned char aux_rand[32];
738 
739  secp256k1_testrand256(sk);
740  secp256k1_testrand256(aux_rand);
741  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
742  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
743  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
744  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
745  /* Check that deprecated alias gives the same result */
746  CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL) == 1);
747  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
748 
749  /* Test different nonce functions */
750  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
751  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
752  memset(sig, 1, sizeof(sig));
753  extraparams.noncefp = nonce_function_failing;
754  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
755  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
756  memset(&sig, 1, sizeof(sig));
757  extraparams.noncefp = nonce_function_0;
758  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
759  CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
760  memset(&sig, 1, sizeof(sig));
761  extraparams.noncefp = nonce_function_overflowing;
762  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
763  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
764 
765  /* When using the default nonce function, schnorrsig_sign_custom produces
766  * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
767  extraparams.noncefp = NULL;
768  extraparams.ndata = aux_rand;
769  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
770  CHECK(secp256k1_schnorrsig_sign32(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
771  CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
772 }
773 
774 #define N_SIGS 3
775 /* Creates N_SIGS valid signatures and verifies them with verify and
776  * verify_batch (TODO). Then flips some bits and checks that verification now
777  * fails. */
778 void test_schnorrsig_sign_verify(void) {
779  unsigned char sk[32];
780  unsigned char msg[N_SIGS][32];
781  unsigned char sig[N_SIGS][64];
782  size_t i;
783  secp256k1_keypair keypair;
784  secp256k1_xonly_pubkey pk;
785  secp256k1_scalar s;
786 
787  secp256k1_testrand256(sk);
788  CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
789  CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
790 
791  for (i = 0; i < N_SIGS; i++) {
792  secp256k1_testrand256(msg[i]);
793  CHECK(secp256k1_schnorrsig_sign32(ctx, sig[i], msg[i], &keypair, NULL));
794  CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
795  }
796 
797  {
798  /* Flip a few bits in the signature and in the message and check that
799  * verify and verify_batch (TODO) fail */
800  size_t sig_idx = secp256k1_testrand_int(N_SIGS);
801  size_t byte_idx = secp256k1_testrand_bits(5);
802  unsigned char xorbyte = secp256k1_testrand_int(254)+1;
803  sig[sig_idx][byte_idx] ^= xorbyte;
804  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
805  sig[sig_idx][byte_idx] ^= xorbyte;
806 
807  byte_idx = secp256k1_testrand_bits(5);
808  sig[sig_idx][32+byte_idx] ^= xorbyte;
809  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
810  sig[sig_idx][32+byte_idx] ^= xorbyte;
811 
812  byte_idx = secp256k1_testrand_bits(5);
813  msg[sig_idx][byte_idx] ^= xorbyte;
814  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
815  msg[sig_idx][byte_idx] ^= xorbyte;
816 
817  /* Check that above bitflips have been reversed correctly */
818  CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
819  }
820 
821  /* Test overflowing s */
822  CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
823  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
824  memset(&sig[0][32], 0xFF, 32);
825  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
826 
827  /* Test negative s */
828  CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
829  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
830  secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
831  secp256k1_scalar_negate(&s, &s);
832  secp256k1_scalar_get_b32(&sig[0][32], &s);
833  CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
834 
835  /* The empty message can be signed & verified */
836  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
837  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
838 
839  {
840  /* Test varying message lengths */
841  unsigned char msg_large[32 * 8];
842  uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
843  for (i = 0; i < sizeof(msg_large); i += 32) {
844  secp256k1_testrand256(&msg_large[i]);
845  }
846  CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
847  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
848  /* Verification for a random wrong message length fails */
849  msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
850  CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
851  }
852 }
853 #undef N_SIGS
854 
855 void test_schnorrsig_taproot(void) {
856  unsigned char sk[32];
857  secp256k1_keypair keypair;
858  secp256k1_xonly_pubkey internal_pk;
859  unsigned char internal_pk_bytes[32];
860  secp256k1_xonly_pubkey output_pk;
861  unsigned char output_pk_bytes[32];
862  unsigned char tweak[32];
863  int pk_parity;
864  unsigned char msg[32];
865  unsigned char sig[64];
866 
867  /* Create output key */
868  secp256k1_testrand256(sk);
869  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
870  CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
871  /* In actual taproot the tweak would be hash of internal_pk */
872  CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
873  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
874  CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
875  CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
876 
877  /* Key spend */
878  secp256k1_testrand256(msg);
879  CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
880  /* Verify key spend */
881  CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
882  CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
883 
884  /* Script spend */
885  CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
886  /* Verify script spend */
887  CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
888  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
889 }
890 
891 void run_schnorrsig_tests(void) {
892  int i;
893  run_nonce_function_bip340_tests();
894 
895  test_schnorrsig_api();
896  test_schnorrsig_sha256_tagged();
897  test_schnorrsig_bip_vectors();
898  for (i = 0; i < count; i++) {
899  test_schnorrsig_sign();
900  test_schnorrsig_sign_verify();
901  }
902  test_schnorrsig_taproot();
903 }
904 
905 #endif
secp256k1_nonce_function_bip340_sha256_tagged
static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:16
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:153
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:15
nonce_function_failing
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:688
nonce
unsigned int nonce
Definition: miner_tests.cpp:60
nonce_function_overflowing
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:715
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:195
secp256k1_testrand_flip
static void secp256k1_testrand_flip(unsigned char *b, size_t len)
Flip a single random bit in a byte array.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_schnorrsig_sign
SECP256K1_API int secp256k1_schnorrsig_sign(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_DEPRECATED("Use secp256k1_schnorrsig_sign32 instead")
Same as secp256k1_schnorrsig_sign32, but DEPRECATED.
Definition: main_impl.h:200
nonce_function_bip340_bitflip
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen)
Definition: tests_impl.h:15
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:202
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_sha256
Definition: hash.h:13
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:254
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_context_struct
Definition: secp256k1.c:47
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:200
test_schnorrsig_sign_verify
void test_schnorrsig_sign_verify(void)
Definition: tests_impl.h:778
args
ArgsManager args
Definition: notifications.cpp:36
N_SIGS
#define N_SIGS
Definition: tests_impl.h:774
secp256k1_schnorrsig_extraparams
Data structure that contains additional arguments for schnorrsig_sign_custom.
Definition: secp256k1_schnorrsig.h:82
test_schnorrsig_taproot
void test_schnorrsig_taproot(void)
Definition: tests_impl.h:855
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
ctx
static secp256k1_context * ctx
Definition: tests.c:34
test_schnorrsig_api
void test_schnorrsig_api(void)
Definition: tests_impl.h:117
secp256k1_schnorrsig_sign32
SECP256K1_API int secp256k1_schnorrsig_sign32(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, const unsigned char *aux_rand32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a Schnorr signature.
Definition: main_impl.h:195
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:134
run_nonce_function_bip340_tests
void run_nonce_function_bip340_tests(void)
Definition: tests_impl.h:34
test_sha256_eq
void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests_impl.h:26
secp256k1_schnorrsig_sign_custom
SECP256K1_API int secp256k1_schnorrsig_sign_custom(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Create a Schnorr signature with a more flexible API.
Definition: main_impl.h:204
nonce_function_bip340
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: main_impl.h:52
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:233
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
test_schnorrsig_sha256_tagged
void test_schnorrsig_sha256_tagged(void)
Definition: tests_impl.h:232
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
test_schnorrsig_bip_vectors
void test_schnorrsig_bip_vectors(void)
Definition: tests_impl.h:270
secp256k1_nonce_function_bip340_sha256_tagged_aux
static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha)
Definition: main_impl.h:32
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:163
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:199
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
test_schnorrsig_bip_vectors_check_verify
void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected)
Definition: tests_impl.h:261
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:196
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
count
static int count
Definition: tests.c:33
secp256k1_schnorrsig_extraparams::noncefp
secp256k1_nonce_function_hardened noncefp
Definition: secp256k1_schnorrsig.h:84
test_schnorrsig_sign
void test_schnorrsig_sign(void)
Definition: tests_impl.h:728
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:36
SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
#define SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT
Definition: secp256k1_schnorrsig.h:89
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:219
nonce_function_0
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data)
Definition: tests_impl.h:701
test_schnorrsig_bip_vectors_check_signing
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig)
Definition: tests_impl.h:244
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:891
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_schnorrsig_extraparams::ndata
void * ndata
Definition: secp256k1_schnorrsig.h:85
secp256k1_schnorrsig_sha256_tagged
static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha)
Definition: main_impl.h:103
Generated on Tue May 16 2023 12:00:00 for Bitcoin Core by   doxygen 1.8.14