diff --git a/.gitignore b/.gitignore index 085bd54d0..b95250fcf 100644 --- a/.gitignore +++ b/.gitignore @@ -3,7 +3,6 @@ bench_ecdh bench_ecmult bench_generator bench_rangeproof -bench_schnorrsig bench_sign bench_verify bench_recover diff --git a/Makefile.am b/Makefile.am index 27a16bb70..99c010358 100644 --- a/Makefile.am +++ b/Makefile.am @@ -151,10 +151,6 @@ if ENABLE_MODULE_ECDH include src/modules/ecdh/Makefile.am.include endif -if ENABLE_MODULE_SCHNORRSIG -include src/modules/schnorrsig/Makefile.am.include -endif - #if ENABLE_MODULE_MUSIG #include src/modules/musig/Makefile.am.include #endif diff --git a/configure.ac b/configure.ac index 1107fb20c..6121cc165 100644 --- a/configure.ac +++ b/configure.ac @@ -131,11 +131,6 @@ AC_ARG_ENABLE(module_ecdh, [enable_module_ecdh=$enableval], [enable_module_ecdh=no]) -AC_ARG_ENABLE(module_schnorrsig, - AS_HELP_STRING([--enable-module-schnorrsig],[enable schnorrsig module (experimental)]), - [enable_module_schnorrsig=$enableval], - [enable_module_schnorrsig=no]) - #AC_ARG_ENABLE(module_musig, # AS_HELP_STRING([--enable-module-musig],[enable MuSig module (experimental)]), # [enable_module_musig=$enableval], @@ -464,10 +459,6 @@ if test x"$enable_module_ecdh" = x"yes"; then AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module]) fi -if test x"$enable_module_schnorrsig" = x"yes"; then - AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module]) -fi - #if test x"$enable_module_musig" = x"yes"; then # AC_DEFINE(ENABLE_MODULE_MUSIG, 1, [Define this symbol to enable the MuSig module]) #fi @@ -513,7 +504,6 @@ if test x"$enable_experimental" = x"yes"; then AC_MSG_NOTICE([Building range proof module: $enable_module_rangeproof]) AC_MSG_NOTICE([Building key whitelisting module: $enable_module_whitelist]) AC_MSG_NOTICE([Building surjection proof module: $enable_module_surjectionproof]) - AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig]) # AC_MSG_NOTICE([Building MuSig module: $enable_module_musig]) AC_MSG_NOTICE([******]) @@ -542,9 +532,6 @@ else if test x"$enable_module_ecdh" = x"yes"; then AC_MSG_ERROR([ECDH module is experimental. Use --enable-experimental to allow.]) fi - if test x"$enable_module_schnorrsig" = x"yes"; then - AC_MSG_ERROR([schnorrsig module is experimental. Use --enable-experimental to allow.]) - fi # if test x"$enable_module_musig" = x"yes"; then # AC_MSG_ERROR([MuSig module is experimental. Use --enable-experimental to allow.]) # fi @@ -577,7 +564,6 @@ AM_CONDITIONAL([USE_EXHAUSTIVE_TESTS], [test x"$use_exhaustive_tests" != x"no"]) AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"]) AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"]) -AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"]) #AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_GENERATOR], [test x"$enable_module_generator" = x"yes"]) @@ -604,7 +590,6 @@ echo " with benchmarks = $use_benchmark" echo " with coverage = $enable_coverage" echo " module ecdh = $enable_module_ecdh" echo " module recovery = $enable_module_recovery" -echo " module schnorrsig = $enable_module_schnorrsig" echo echo " asm = $set_asm" echo " bignum = $set_bignum" diff --git a/contrib/travis.sh b/contrib/travis.sh index 251248223..833536d94 100755 --- a/contrib/travis.sh +++ b/contrib/travis.sh @@ -18,7 +18,6 @@ fi --enable-ecmult-static-precomputation="$STATICPRECOMPUTATION" --with-ecmult-gen-precision="$ECMULTGENPRECISION" \ --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \ --enable-module-rangeproof="$RANGEPROOF" --enable-module-whitelist="$WHITELIST" --enable-module-generator="$GENERATOR" \ - --enable-module-schnorrsig="$SCHNORRSIG" \ --host="$HOST" $EXTRAFLAGS if [ -n "$BUILD" ] diff --git a/include/secp256k1.h b/include/secp256k1.h index 8413a4019..2178c8e2d 100644 --- a/include/secp256k1.h +++ b/include/secp256k1.h @@ -525,12 +525,6 @@ SECP256K1_API int secp256k1_ecdsa_signature_normalize( */ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979; -/** An implementation of the nonce generation function as defined in BIP-schnorr. - * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of - * extra entropy. - */ -SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_bipschnorr; - /** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_default; diff --git a/include/secp256k1_schnorrsig.h b/include/secp256k1_schnorrsig.h deleted file mode 100644 index 4c0f263dc..000000000 --- a/include/secp256k1_schnorrsig.h +++ /dev/null @@ -1,129 +0,0 @@ -#ifndef SECP256K1_SCHNORRSIG_H -#define SECP256K1_SCHNORRSIG_H - -#include "secp256k1.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** This module implements a variant of Schnorr signatures compliant with - * BIP-schnorr - * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki). - */ - -/** Opaque data structure that holds a parsed Schnorr signature. - * - * The exact representation of data inside is implementation defined and not - * guaranteed to be portable between different platforms or versions. It is - * however guaranteed to be 64 bytes in size, and can be safely copied/moved. - * If you need to convert to a format suitable for storage, transmission, or - * comparison, use the `secp256k1_schnorrsig_serialize` and - * `secp256k1_schnorrsig_parse` functions. - */ -typedef struct { - unsigned char data[64]; -} secp256k1_schnorrsig; - -/** Serialize a Schnorr signature. - * - * Returns: 1 - * Args: ctx: a secp256k1 context object - * Out: out64: pointer to a 64-byte array to store the serialized signature - * In: sig: pointer to the signature - * - * See secp256k1_schnorrsig_parse for details about the encoding. - */ -SECP256K1_API int secp256k1_schnorrsig_serialize( - const secp256k1_context* ctx, - unsigned char *out64, - const secp256k1_schnorrsig* sig -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); - -/** Parse a Schnorr signature. - * - * Returns: 1 when the signature could be parsed, 0 otherwise. - * Args: ctx: a secp256k1 context object - * Out: sig: pointer to a signature object - * In: in64: pointer to the 64-byte signature to be parsed - * - * The signature is serialized in the form R||s, where R is a 32-byte public - * key (x-coordinate only; the y-coordinate is considered to be the unique - * y-coordinate satisfying the curve equation that is a quadratic residue) - * and s is a 32-byte big-endian scalar. - * - * After the call, sig will always be initialized. If parsing failed or the - * encoded numbers are out of range, signature validation with it is - * guaranteed to fail for every message and public key. - */ -SECP256K1_API int secp256k1_schnorrsig_parse( - const secp256k1_context* ctx, - secp256k1_schnorrsig* sig, - const unsigned char *in64 -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); - -/** Create a Schnorr signature. - * - * Returns 1 on success, 0 on failure. - * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) - * Out: sig: pointer to the returned signature (cannot be NULL) - * nonce_is_negated: a pointer to an integer indicates if signing algorithm negated the - * nonce (can be NULL) - * In: msg32: the 32-byte message hash being signed (cannot be NULL) - * seckey: pointer to a 32-byte secret key (cannot be NULL) - * noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bipschnorr is used - * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) - */ -SECP256K1_API int secp256k1_schnorrsig_sign( - const secp256k1_context* ctx, - secp256k1_schnorrsig *sig, - int *nonce_is_negated, - const unsigned char *msg32, - const unsigned char *seckey, - secp256k1_nonce_function noncefp, - void *ndata -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); - -/** Verify a Schnorr signature. - * - * Returns: 1: correct signature - * 0: incorrect or unparseable signature - * Args: ctx: a secp256k1 context object, initialized for verification. - * In: sig: the signature being verified (cannot be NULL) - * msg32: the 32-byte message hash being verified (cannot be NULL) - * pubkey: pointer to a public key to verify with (cannot be NULL) - */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify( - const secp256k1_context* ctx, - const secp256k1_schnorrsig *sig, - const unsigned char *msg32, - const secp256k1_pubkey *pubkey -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); - -/** Verifies a set of Schnorr signatures. - * - * Returns 1 if all succeeded, 0 otherwise. In particular, returns 1 if n_sigs is 0. - * - * Args: ctx: a secp256k1 context object, initialized for verification. - * scratch: scratch space used for the multiexponentiation - * In: sig: array of signatures, or NULL if there are no signatures - * msg32: array of messages, or NULL if there are no signatures - * pk: array of public keys, or NULL if there are no signatures - * n_sigs: number of signatures in above arrays. Must be smaller than - * 2^31 and smaller than half the maximum size_t value. Must be 0 - * if above arrays are NULL. - */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch( - const secp256k1_context* ctx, - secp256k1_scratch_space *scratch, - const secp256k1_schnorrsig *const *sig, - const unsigned char *const *msg32, - const secp256k1_pubkey *const *pk, - size_t n_sigs -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); - -#ifdef __cplusplus -} -#endif - -#endif /* SECP256K1_SCHNORRSIG_H */ diff --git a/src/bench_schnorrsig.c b/src/bench_schnorrsig.c deleted file mode 100644 index a22e34968..000000000 --- a/src/bench_schnorrsig.c +++ /dev/null @@ -1,129 +0,0 @@ -/********************************************************************** - * Copyright (c) 2018 Andrew Poelstra * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or http://www.opensource.org/licenses/mit-license.php.* - **********************************************************************/ - -#include -#include - -#include "include/secp256k1.h" -#include "include/secp256k1_schnorrsig.h" -#include "util.h" -#include "bench.h" - -typedef struct { - secp256k1_context *ctx; - secp256k1_scratch_space *scratch; - int n; - const unsigned char **pk; - const secp256k1_schnorrsig **sigs; - const unsigned char **msgs; -} bench_schnorrsig_data; - -void bench_schnorrsig_sign(void* arg, int iters) { - bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg; - int i; - unsigned char sk[32] = "benchmarkexample secrettemplate"; - unsigned char msg[32] = "benchmarkexamplemessagetemplate"; - secp256k1_schnorrsig sig; - - for (i = 0; i < iters; i++) { - msg[0] = i; - msg[1] = i >> 8; - sk[0] = i; - sk[1] = i >> 8; - CHECK(secp256k1_schnorrsig_sign(data->ctx, &sig, NULL, msg, sk, NULL, NULL)); - } -} - -void bench_schnorrsig_verify(void* arg, int iters) { - bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg; - int i; - - for (i = 0; i < iters; i++) { - secp256k1_pubkey pk; - CHECK(secp256k1_ec_pubkey_parse(data->ctx, &pk, data->pk[i], 33) == 1); - CHECK(secp256k1_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], &pk)); - } -} - -void bench_schnorrsig_verify_n(void* arg, int iters) { - bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg; - int i, j; - const secp256k1_pubkey **pk = (const secp256k1_pubkey **)malloc(data->n * sizeof(*pk)); - - CHECK(pk != NULL); - for (j = 0; j < iters/data->n; j++) { - for (i = 0; i < data->n; i++) { - secp256k1_pubkey *pk_nonconst = (secp256k1_pubkey *)malloc(sizeof(*pk_nonconst)); - CHECK(secp256k1_ec_pubkey_parse(data->ctx, pk_nonconst, data->pk[i], 33) == 1); - pk[i] = pk_nonconst; - } - CHECK(secp256k1_schnorrsig_verify_batch(data->ctx, data->scratch, data->sigs, data->msgs, pk, data->n)); - for (i = 0; i < data->n; i++) { - free((void *)pk[i]); - } - } - free(pk); -} - -int main(void) { - int i; - bench_schnorrsig_data data; - int iters = get_iters(1000); - - data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN); - data.scratch = secp256k1_scratch_space_create(data.ctx, 1024 * 1024 * 1024); - data.pk = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); - data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); - data.sigs = (const secp256k1_schnorrsig **)malloc(iters * sizeof(secp256k1_schnorrsig *)); - - for (i = 0; i < iters; i++) { - unsigned char sk[32]; - unsigned char *msg = (unsigned char *)malloc(32); - secp256k1_schnorrsig *sig = (secp256k1_schnorrsig *)malloc(sizeof(*sig)); - unsigned char *pk_char = (unsigned char *)malloc(33); - secp256k1_pubkey pk; - size_t pk_len = 33; - msg[0] = sk[0] = i; - msg[1] = sk[1] = i >> 8; - msg[2] = sk[2] = i >> 16; - msg[3] = sk[3] = i >> 24; - memset(&msg[4], 'm', 28); - memset(&sk[4], 's', 28); - - data.pk[i] = pk_char; - data.msgs[i] = msg; - data.sigs[i] = sig; - - CHECK(secp256k1_ec_pubkey_create(data.ctx, &pk, sk)); - CHECK(secp256k1_ec_pubkey_serialize(data.ctx, pk_char, &pk_len, &pk, SECP256K1_EC_COMPRESSED) == 1); - CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, NULL, msg, sk, NULL, NULL)); - } - - run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, iters); - run_benchmark("schnorrsig_verify", bench_schnorrsig_verify, NULL, NULL, (void *) &data, 10, iters); - for (i = 1; i <= iters; i *= 2) { - char name[64]; - int divisible_iters; - sprintf(name, "schnorrsig_batch_verify_%d", (int) i); - - data.n = i; - divisible_iters = iters - (iters % data.n); - run_benchmark(name, bench_schnorrsig_verify_n, NULL, NULL, (void *) &data, 3, divisible_iters); - } - - for (i = 0; i < iters; i++) { - free((void *)data.pk[i]); - free((void *)data.msgs[i]); - free((void *)data.sigs[i]); - } - free(data.pk); - free(data.msgs); - free(data.sigs); - - secp256k1_scratch_space_destroy(data.ctx, data.scratch); - secp256k1_context_destroy(data.ctx); - return 0; -} diff --git a/src/modules/schnorrsig/Makefile.am.include b/src/modules/schnorrsig/Makefile.am.include deleted file mode 100644 index a82bafe43..000000000 --- a/src/modules/schnorrsig/Makefile.am.include +++ /dev/null @@ -1,8 +0,0 @@ -include_HEADERS += include/secp256k1_schnorrsig.h -noinst_HEADERS += src/modules/schnorrsig/main_impl.h -noinst_HEADERS += src/modules/schnorrsig/tests_impl.h -if USE_BENCHMARK -noinst_PROGRAMS += bench_schnorrsig -bench_schnorrsig_SOURCES = src/bench_schnorrsig.c -bench_schnorrsig_LDADD = libsecp256k1.la $(SECP_LIBS) $(COMMON_LIB) -endif diff --git a/src/modules/schnorrsig/main_impl.h b/src/modules/schnorrsig/main_impl.h deleted file mode 100644 index b0310ab9e..000000000 --- a/src/modules/schnorrsig/main_impl.h +++ /dev/null @@ -1,338 +0,0 @@ -/********************************************************************** - * Copyright (c) 2018 Andrew Poelstra * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or http://www.opensource.org/licenses/mit-license.php.* - **********************************************************************/ - -#ifndef _SECP256K1_MODULE_SCHNORRSIG_MAIN_ -#define _SECP256K1_MODULE_SCHNORRSIG_MAIN_ - -#include "include/secp256k1.h" -#include "include/secp256k1_schnorrsig.h" -#include "hash.h" - -int secp256k1_schnorrsig_serialize(const secp256k1_context* ctx, unsigned char *out64, const secp256k1_schnorrsig* sig) { - (void) ctx; - VERIFY_CHECK(ctx != NULL); - ARG_CHECK(out64 != NULL); - ARG_CHECK(sig != NULL); - memcpy(out64, sig->data, 64); - return 1; -} - -int secp256k1_schnorrsig_parse(const secp256k1_context* ctx, secp256k1_schnorrsig* sig, const unsigned char *in64) { - (void) ctx; - VERIFY_CHECK(ctx != NULL); - ARG_CHECK(sig != NULL); - ARG_CHECK(in64 != NULL); - memcpy(sig->data, in64, 64); - return 1; -} - -int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig *sig, int *nonce_is_negated, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, void *ndata) { - secp256k1_scalar x; - secp256k1_scalar e; - secp256k1_scalar k; - secp256k1_gej pkj; - secp256k1_gej rj; - secp256k1_ge pk; - secp256k1_ge r; - secp256k1_sha256 sha; - int overflow; - unsigned char buf[33]; - size_t buflen = sizeof(buf); - - VERIFY_CHECK(ctx != NULL); - ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); - ARG_CHECK(sig != NULL); - ARG_CHECK(msg32 != NULL); - ARG_CHECK(seckey != NULL); - - if (noncefp == NULL) { - noncefp = secp256k1_nonce_function_bipschnorr; - } - secp256k1_scalar_set_b32(&x, seckey, &overflow); - /* Fail if the secret key is invalid. */ - if (overflow || secp256k1_scalar_is_zero(&x)) { - memset(sig, 0, sizeof(*sig)); - return 0; - } - - secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pkj, &x); - secp256k1_ge_set_gej(&pk, &pkj); - - if (!noncefp(buf, msg32, seckey, NULL, (void*)ndata, 0)) { - return 0; - } - secp256k1_scalar_set_b32(&k, buf, NULL); - if (secp256k1_scalar_is_zero(&k)) { - return 0; - } - - secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); - secp256k1_ge_set_gej(&r, &rj); - - if (nonce_is_negated != NULL) { - *nonce_is_negated = 0; - } - if (!secp256k1_fe_is_quad_var(&r.y)) { - secp256k1_scalar_negate(&k, &k); - if (nonce_is_negated != NULL) { - *nonce_is_negated = 1; - } - } - secp256k1_fe_normalize(&r.x); - secp256k1_fe_get_b32(&sig->data[0], &r.x); - - secp256k1_sha256_initialize(&sha); - secp256k1_sha256_write(&sha, &sig->data[0], 32); - secp256k1_eckey_pubkey_serialize(&pk, buf, &buflen, 1); - secp256k1_sha256_write(&sha, buf, buflen); - secp256k1_sha256_write(&sha, msg32, 32); - secp256k1_sha256_finalize(&sha, buf); - - secp256k1_scalar_set_b32(&e, buf, NULL); - secp256k1_scalar_mul(&e, &e, &x); - secp256k1_scalar_add(&e, &e, &k); - - secp256k1_scalar_get_b32(&sig->data[32], &e); - secp256k1_scalar_clear(&k); - secp256k1_scalar_clear(&x); - - return 1; -} - -/* Helper function for verification and batch verification. - * Computes R = sG - eP. */ -static int secp256k1_schnorrsig_real_verify(const secp256k1_context* ctx, secp256k1_gej *rj, const secp256k1_scalar *s, const secp256k1_scalar *e, const secp256k1_pubkey *pk) { - secp256k1_scalar nege; - secp256k1_ge pkp; - secp256k1_gej pkj; - - secp256k1_scalar_negate(&nege, e); - - if (!secp256k1_pubkey_load(ctx, &pkp, pk)) { - return 0; - } - secp256k1_gej_set_ge(&pkj, &pkp); - - /* rj = s*G + (-e)*pkj */ - secp256k1_ecmult(&ctx->ecmult_ctx, rj, &pkj, &nege, s); - return 1; -} - -int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *msg32, const secp256k1_pubkey *pk) { - secp256k1_scalar s; - secp256k1_scalar e; - secp256k1_gej rj; - secp256k1_fe rx; - secp256k1_sha256 sha; - unsigned char buf[33]; - size_t buflen = sizeof(buf); - int overflow; - - VERIFY_CHECK(ctx != NULL); - ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); - ARG_CHECK(sig != NULL); - ARG_CHECK(msg32 != NULL); - ARG_CHECK(pk != NULL); - - if (!secp256k1_fe_set_b32(&rx, &sig->data[0])) { - return 0; - } - - secp256k1_scalar_set_b32(&s, &sig->data[32], &overflow); - if (overflow) { - return 0; - } - - secp256k1_sha256_initialize(&sha); - secp256k1_sha256_write(&sha, &sig->data[0], 32); - secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk, SECP256K1_EC_COMPRESSED); - secp256k1_sha256_write(&sha, buf, buflen); - secp256k1_sha256_write(&sha, msg32, 32); - secp256k1_sha256_finalize(&sha, buf); - secp256k1_scalar_set_b32(&e, buf, NULL); - - if (!secp256k1_schnorrsig_real_verify(ctx, &rj, &s, &e, pk) - || !secp256k1_gej_has_quad_y_var(&rj) /* fails if rj is infinity */ - || !secp256k1_gej_eq_x_var(&rx, &rj)) { - return 0; - } - - return 1; -} - -/* Data that is used by the batch verification ecmult callback */ -typedef struct { - const secp256k1_context *ctx; - /* Seed for the random number generator */ - unsigned char chacha_seed[32]; - /* Caches randomizers generated by the PRNG which returns two randomizers per call. Caching - * avoids having to call the PRNG twice as often. The very first randomizer will be set to 1 and - * the PRNG is called at every odd indexed schnorrsig to fill the cache. */ - secp256k1_scalar randomizer_cache[2]; - /* Signature, message, public key tuples to verify */ - const secp256k1_schnorrsig *const *sig; - const unsigned char *const *msg32; - const secp256k1_pubkey *const *pk; - size_t n_sigs; -} secp256k1_schnorrsig_verify_ecmult_context; - -/* Callback function which is called by ecmult_multi in order to convert the ecmult_context - * consisting of signature, message and public key tuples into scalars and points. */ -static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) { - secp256k1_schnorrsig_verify_ecmult_context *ecmult_context = (secp256k1_schnorrsig_verify_ecmult_context *) data; - - if (idx % 4 == 2) { - /* Every idx corresponds to a (scalar,point)-tuple. So this callback is called with 4 - * consecutive tuples before we need to call the RNG for new randomizers: - * (-randomizer_cache[0], R1) - * (-randomizer_cache[0]*e1, P1) - * (-randomizer_cache[1], R2) - * (-randomizer_cache[1]*e2, P2) */ - secp256k1_scalar_chacha20(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4); - } - - /* R */ - if (idx % 2 == 0) { - secp256k1_fe rx; - *sc = ecmult_context->randomizer_cache[(idx / 2) % 2]; - if (!secp256k1_fe_set_b32(&rx, &ecmult_context->sig[idx / 2]->data[0])) { - return 0; - } - if (!secp256k1_ge_set_xquad(pt, &rx)) { - return 0; - } - /* eP */ - } else { - unsigned char buf[33]; - size_t buflen = sizeof(buf); - secp256k1_sha256 sha; - secp256k1_sha256_initialize(&sha); - secp256k1_sha256_write(&sha, &ecmult_context->sig[idx / 2]->data[0], 32); - secp256k1_ec_pubkey_serialize(ecmult_context->ctx, buf, &buflen, ecmult_context->pk[idx / 2], SECP256K1_EC_COMPRESSED); - secp256k1_sha256_write(&sha, buf, buflen); - secp256k1_sha256_write(&sha, ecmult_context->msg32[idx / 2], 32); - secp256k1_sha256_finalize(&sha, buf); - - secp256k1_scalar_set_b32(sc, buf, NULL); - secp256k1_scalar_mul(sc, sc, &ecmult_context->randomizer_cache[(idx / 2) % 2]); - - if (!secp256k1_pubkey_load(ecmult_context->ctx, pt, ecmult_context->pk[idx / 2])) { - return 0; - } - } - return 1; -} - -/** Helper function for batch verification. Hashes signature verification data into the - * randomization seed and initializes ecmult_context. - * - * Returns 1 if the randomizer was successfully initialized. - * - * Args: ctx: a secp256k1 context object - * Out: ecmult_context: context for batch_ecmult_callback - * In/Out sha: an initialized sha256 object which hashes the schnorrsig input in order to get a - * seed for the randomizer PRNG - * In: sig: array of signatures, or NULL if there are no signatures - * msg32: array of messages, or NULL if there are no signatures - * pk: array of public keys, or NULL if there are no signatures - * n_sigs: number of signatures in above arrays (must be 0 if they are NULL) - */ -static int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_context *ctx, secp256k1_schnorrsig_verify_ecmult_context *ecmult_context, secp256k1_sha256 *sha, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) { - size_t i; - - if (n_sigs > 0) { - ARG_CHECK(sig != NULL); - ARG_CHECK(msg32 != NULL); - ARG_CHECK(pk != NULL); - } - - for (i = 0; i < n_sigs; i++) { - unsigned char buf[33]; - size_t buflen = sizeof(buf); - secp256k1_sha256_write(sha, sig[i]->data, 64); - secp256k1_sha256_write(sha, msg32[i], 32); - secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk[i], SECP256K1_EC_COMPRESSED); - secp256k1_sha256_write(sha, buf, buflen); - } - ecmult_context->ctx = ctx; - ecmult_context->sig = sig; - ecmult_context->msg32 = msg32; - ecmult_context->pk = pk; - ecmult_context->n_sigs = n_sigs; - - return 1; -} - -/** Helper function for batch verification. Sums the s part of all signatures multiplied by their - * randomizer. - * - * Returns 1 if s is successfully summed. - * - * In/Out: s: the s part of the input sigs is added to this s argument - * In: chacha_seed: PRNG seed for computing randomizers - * sig: array of signatures, or NULL if there are no signatures - * n_sigs: number of signatures in above array (must be 0 if they are NULL) - */ -static int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned char *chacha_seed, const secp256k1_schnorrsig *const *sig, size_t n_sigs) { - secp256k1_scalar randomizer_cache[2]; - size_t i; - - secp256k1_scalar_set_int(&randomizer_cache[0], 1); - for (i = 0; i < n_sigs; i++) { - int overflow; - secp256k1_scalar term; - if (i % 2 == 1) { - secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2); - } - - secp256k1_scalar_set_b32(&term, &sig[i]->data[32], &overflow); - if (overflow) { - return 0; - } - secp256k1_scalar_mul(&term, &term, &randomizer_cache[i % 2]); - secp256k1_scalar_add(s, s, &term); - } - return 1; -} - -/* schnorrsig batch verification. - * Seeds a random number generator with the inputs and derives a random number ai for every - * signature i. Fails if y-coordinate of any R is not a quadratic residue or if - * 0 != -(s1 + a2*s2 + ... + au*su)G + R1 + a2*R2 + ... + au*Ru + e1*P1 + (a2*e2)P2 + ... + (au*eu)Pu. */ -int secp256k1_schnorrsig_verify_batch(const secp256k1_context *ctx, secp256k1_scratch *scratch, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) { - secp256k1_schnorrsig_verify_ecmult_context ecmult_context; - secp256k1_sha256 sha; - secp256k1_scalar s; - secp256k1_gej rj; - - VERIFY_CHECK(ctx != NULL); - ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); - ARG_CHECK(scratch != NULL); - /* Check that n_sigs is less than half of the maximum size_t value. This is necessary because - * the number of points given to ecmult_multi is 2*n_sigs. */ - ARG_CHECK(n_sigs <= SIZE_MAX / 2); - /* Check that n_sigs is less than 2^31 to ensure the same behavior of this function on 32-bit - * and 64-bit platforms. */ - ARG_CHECK(n_sigs < ((uint32_t)1 << 31)); - - secp256k1_sha256_initialize(&sha); - if (!secp256k1_schnorrsig_verify_batch_init_randomizer(ctx, &ecmult_context, &sha, sig, msg32, pk, n_sigs)) { - return 0; - } - secp256k1_sha256_finalize(&sha, ecmult_context.chacha_seed); - secp256k1_scalar_set_int(&ecmult_context.randomizer_cache[0], 1); - - secp256k1_scalar_clear(&s); - if (!secp256k1_schnorrsig_verify_batch_sum_s(&s, ecmult_context.chacha_seed, sig, n_sigs)) { - return 0; - } - secp256k1_scalar_negate(&s, &s); - - return secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &rj, &s, secp256k1_schnorrsig_verify_batch_ecmult_callback, (void *) &ecmult_context, 2 * n_sigs) - && secp256k1_gej_is_infinity(&rj); -} - -#endif diff --git a/src/modules/schnorrsig/tests_impl.h b/src/modules/schnorrsig/tests_impl.h deleted file mode 100644 index 670b2d1ad..000000000 --- a/src/modules/schnorrsig/tests_impl.h +++ /dev/null @@ -1,726 +0,0 @@ -/********************************************************************** - * Copyright (c) 2018 Andrew Poelstra * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or http://www.opensource.org/licenses/mit-license.php.* - **********************************************************************/ - -#ifndef _SECP256K1_MODULE_SCHNORRSIG_TESTS_ -#define _SECP256K1_MODULE_SCHNORRSIG_TESTS_ - -#include "secp256k1_schnorrsig.h" - -void test_schnorrsig_serialize(void) { - secp256k1_schnorrsig sig; - unsigned char in[64]; - unsigned char out[64]; - - memset(in, 0x12, 64); - CHECK(secp256k1_schnorrsig_parse(ctx, &sig, in)); - CHECK(secp256k1_schnorrsig_serialize(ctx, out, &sig)); - CHECK(memcmp(in, out, 64) == 0); -} - -void test_schnorrsig_api(secp256k1_scratch_space *scratch) { - unsigned char sk1[32]; - unsigned char sk2[32]; - unsigned char sk3[32]; - unsigned char msg[32]; - unsigned char sig64[64]; - secp256k1_pubkey pk[3]; - secp256k1_schnorrsig sig; - const secp256k1_schnorrsig *sigptr = &sig; - const unsigned char *msgptr = msg; - const secp256k1_pubkey *pkptr = &pk[0]; - int nonce_is_negated; - - /** setup **/ - secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); - secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); - secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY); - secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - int ecount; - - secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); - - secp256k1_rand256(sk1); - secp256k1_rand256(sk2); - secp256k1_rand256(sk3); - secp256k1_rand256(msg); - CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk1) == 1); - CHECK(secp256k1_ec_pubkey_create(ctx, &pk[1], sk2) == 1); - CHECK(secp256k1_ec_pubkey_create(ctx, &pk[2], sk3) == 1); - - /** main test body **/ - ecount = 0; - CHECK(secp256k1_schnorrsig_sign(none, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 0); - CHECK(ecount == 1); - CHECK(secp256k1_schnorrsig_sign(vrfy, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 0); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, msg, sk1, NULL, NULL) == 1); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_sign(sign, NULL, &nonce_is_negated, msg, sk1, NULL, NULL) == 0); - CHECK(ecount == 3); - CHECK(secp256k1_schnorrsig_sign(sign, &sig, NULL, msg, sk1, NULL, NULL) == 1); - CHECK(ecount == 3); - CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, NULL, sk1, NULL, NULL) == 0); - CHECK(ecount == 4); - CHECK(secp256k1_schnorrsig_sign(sign, &sig, &nonce_is_negated, msg, NULL, NULL, NULL) == 0); - CHECK(ecount == 5); - - ecount = 0; - CHECK(secp256k1_schnorrsig_serialize(none, sig64, &sig) == 1); - CHECK(ecount == 0); - CHECK(secp256k1_schnorrsig_serialize(none, NULL, &sig) == 0); - CHECK(ecount == 1); - CHECK(secp256k1_schnorrsig_serialize(none, sig64, NULL) == 0); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_parse(none, &sig, sig64) == 1); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_parse(none, NULL, sig64) == 0); - CHECK(ecount == 3); - CHECK(secp256k1_schnorrsig_parse(none, &sig, NULL) == 0); - CHECK(ecount == 4); - - ecount = 0; - CHECK(secp256k1_schnorrsig_verify(none, &sig, msg, &pk[0]) == 0); - CHECK(ecount == 1); - CHECK(secp256k1_schnorrsig_verify(sign, &sig, msg, &pk[0]) == 0); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_verify(vrfy, &sig, msg, &pk[0]) == 1); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0); - CHECK(ecount == 3); - CHECK(secp256k1_schnorrsig_verify(vrfy, &sig, NULL, &pk[0]) == 0); - CHECK(ecount == 4); - CHECK(secp256k1_schnorrsig_verify(vrfy, &sig, msg, NULL) == 0); - CHECK(ecount == 5); - - ecount = 0; - CHECK(secp256k1_schnorrsig_verify_batch(none, scratch, &sigptr, &msgptr, &pkptr, 1) == 0); - CHECK(ecount == 1); - CHECK(secp256k1_schnorrsig_verify_batch(sign, scratch, &sigptr, &msgptr, &pkptr, 1) == 0); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, 1) == 1); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, NULL, NULL, NULL, 0) == 1); - CHECK(ecount == 2); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, NULL, &msgptr, &pkptr, 1) == 0); - CHECK(ecount == 3); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, NULL, &pkptr, 1) == 0); - CHECK(ecount == 4); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, NULL, 1) == 0); - CHECK(ecount == 5); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, (size_t)1 << (sizeof(size_t)*8-1)) == 0); - CHECK(ecount == 6); - CHECK(secp256k1_schnorrsig_verify_batch(vrfy, scratch, &sigptr, &msgptr, &pkptr, (uint32_t)1 << 31) == 0); - CHECK(ecount == 7); - - secp256k1_context_destroy(none); - secp256k1_context_destroy(sign); - secp256k1_context_destroy(vrfy); - secp256k1_context_destroy(both); -} - -/* Helper function for schnorrsig_bip_vectors - * Signs the message and checks that it's the same as expected_sig. */ -void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *msg, const unsigned char *expected_sig, const int expected_nonce_is_negated) { - secp256k1_schnorrsig sig; - unsigned char serialized_sig[64]; - secp256k1_pubkey pk; - int nonce_is_negated; - - CHECK(secp256k1_schnorrsig_sign(ctx, &sig, &nonce_is_negated, msg, sk, NULL, NULL)); - CHECK(nonce_is_negated == expected_nonce_is_negated); - CHECK(secp256k1_schnorrsig_serialize(ctx, serialized_sig, &sig)); - CHECK(memcmp(serialized_sig, expected_sig, 64) == 0); - - CHECK(secp256k1_ec_pubkey_parse(ctx, &pk, pk_serialized, 33)); - CHECK(secp256k1_schnorrsig_verify(ctx, &sig, msg, &pk)); -} - -/* Helper function for schnorrsig_bip_vectors - * Checks that both verify and verify_batch return the same value as expected. */ -void test_schnorrsig_bip_vectors_check_verify(secp256k1_scratch_space *scratch, const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig_serialized, int expected) { - const unsigned char *msg_arr[1]; - const secp256k1_schnorrsig *sig_arr[1]; - const secp256k1_pubkey *pk_arr[1]; - secp256k1_pubkey pk; - secp256k1_schnorrsig sig; - - CHECK(secp256k1_ec_pubkey_parse(ctx, &pk, pk_serialized, 33)); - CHECK(secp256k1_schnorrsig_parse(ctx, &sig, sig_serialized)); - - sig_arr[0] = &sig; - msg_arr[0] = msg32; - pk_arr[0] = &pk; - - CHECK(expected == secp256k1_schnorrsig_verify(ctx, &sig, msg32, &pk)); - CHECK(expected == secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 1)); -} - -/* Test vectors according to BIP-schnorr - * (https://github.com/sipa/bips/blob/7f6a73e53c8bbcf2d008ea0546f76433e22094a8/bip-schnorr/test-vectors.csv). - */ -void test_schnorrsig_bip_vectors(secp256k1_scratch_space *scratch) { - { - /* Test vector 1 */ - const unsigned char sk1[32] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 - }; - const unsigned char pk1[33] = { - 0x02, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, - 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, - 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, - 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, - 0x98 - }; - const unsigned char msg1[32] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - const unsigned char sig1[64] = { - 0x78, 0x7A, 0x84, 0x8E, 0x71, 0x04, 0x3D, 0x28, - 0x0C, 0x50, 0x47, 0x0E, 0x8E, 0x15, 0x32, 0xB2, - 0xDD, 0x5D, 0x20, 0xEE, 0x91, 0x2A, 0x45, 0xDB, - 0xDD, 0x2B, 0xD1, 0xDF, 0xBF, 0x18, 0x7E, 0xF6, - 0x70, 0x31, 0xA9, 0x88, 0x31, 0x85, 0x9D, 0xC3, - 0x4D, 0xFF, 0xEE, 0xDD, 0xA8, 0x68, 0x31, 0x84, - 0x2C, 0xCD, 0x00, 0x79, 0xE1, 0xF9, 0x2A, 0xF1, - 0x77, 0xF7, 0xF2, 0x2C, 0xC1, 0xDC, 0xED, 0x05 - }; - test_schnorrsig_bip_vectors_check_signing(sk1, pk1, msg1, sig1, 1); - test_schnorrsig_bip_vectors_check_verify(scratch, pk1, msg1, sig1, 1); - } - { - /* Test vector 2 */ - const unsigned char sk2[32] = { - 0xB7, 0xE1, 0x51, 0x62, 0x8A, 0xED, 0x2A, 0x6A, - 0xBF, 0x71, 0x58, 0x80, 0x9C, 0xF4, 0xF3, 0xC7, - 0x62, 0xE7, 0x16, 0x0F, 0x38, 0xB4, 0xDA, 0x56, - 0xA7, 0x84, 0xD9, 0x04, 0x51, 0x90, 0xCF, 0xEF - }; - const unsigned char pk2[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg2[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig2[64] = { - 0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, - 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, - 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, - 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, - 0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, - 0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, - 0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, - 0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD - }; - test_schnorrsig_bip_vectors_check_signing(sk2, pk2, msg2, sig2, 0); - test_schnorrsig_bip_vectors_check_verify(scratch, pk2, msg2, sig2, 1); - } - { - /* Test vector 3 */ - const unsigned char sk3[32] = { - 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, - 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, - 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x14, 0xE5, 0xC7 - }; - const unsigned char pk3[33] = { - 0x03, 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, - 0x15, 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, - 0x80, 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, - 0x3C, 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, - 0x4B - }; - const unsigned char msg3[32] = { - 0x5E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A, - 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D, - 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33, - 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C - }; - const unsigned char sig3[64] = { - 0x00, 0xDA, 0x9B, 0x08, 0x17, 0x2A, 0x9B, 0x6F, - 0x04, 0x66, 0xA2, 0xDE, 0xFD, 0x81, 0x7F, 0x2D, - 0x7A, 0xB4, 0x37, 0xE0, 0xD2, 0x53, 0xCB, 0x53, - 0x95, 0xA9, 0x63, 0x86, 0x6B, 0x35, 0x74, 0xBE, - 0x00, 0x88, 0x03, 0x71, 0xD0, 0x17, 0x66, 0x93, - 0x5B, 0x92, 0xD2, 0xAB, 0x4C, 0xD5, 0xC8, 0xA2, - 0xA5, 0x83, 0x7E, 0xC5, 0x7F, 0xED, 0x76, 0x60, - 0x77, 0x3A, 0x05, 0xF0, 0xDE, 0x14, 0x23, 0x80 - }; - test_schnorrsig_bip_vectors_check_signing(sk3, pk3, msg3, sig3, 0); - test_schnorrsig_bip_vectors_check_verify(scratch, pk3, msg3, sig3, 1); - } - { - /* Test vector 4 */ - const unsigned char pk4[33] = { - 0x03, 0xDE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, - 0x50, 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, - 0x21, 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, - 0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, - 0x34 - }; - const unsigned char msg4[32] = { - 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2, - 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24, - 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B, - 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03 - }; - const unsigned char sig4[64] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, 0x3F, - 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, 0x28, - 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, 0x63, - 0x02, 0xA8, 0xDC, 0x32, 0xE6, 0x4E, 0x86, 0xA3, - 0x33, 0xF2, 0x0E, 0xF5, 0x6E, 0xAC, 0x9B, 0xA3, - 0x0B, 0x72, 0x46, 0xD6, 0xD2, 0x5E, 0x22, 0xAD, - 0xB8, 0xC6, 0xBE, 0x1A, 0xEB, 0x08, 0xD4, 0x9D - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk4, msg4, sig4, 1); - } - { - /* Test vector 5 */ - const unsigned char pk5[33] = { - 0x03, 0x1B, 0x84, 0xC5, 0x56, 0x7B, 0x12, 0x64, - 0x40, 0x99, 0x5D, 0x3E, 0xD5, 0xAA, 0xBA, 0x05, - 0x65, 0xD7, 0x1E, 0x18, 0x34, 0x60, 0x48, 0x19, - 0xFF, 0x9C, 0x17, 0xF5, 0xE9, 0xD5, 0xDD, 0x07, - 0x8F - }; - const unsigned char msg5[32] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - const unsigned char sig5[64] = { - 0x52, 0x81, 0x85, 0x79, 0xAC, 0xA5, 0x97, 0x67, - 0xE3, 0x29, 0x1D, 0x91, 0xB7, 0x6B, 0x63, 0x7B, - 0xEF, 0x06, 0x20, 0x83, 0x28, 0x49, 0x92, 0xF2, - 0xD9, 0x5F, 0x56, 0x4C, 0xA6, 0xCB, 0x4E, 0x35, - 0x30, 0xB1, 0xDA, 0x84, 0x9C, 0x8E, 0x83, 0x04, - 0xAD, 0xC0, 0xCF, 0xE8, 0x70, 0x66, 0x03, 0x34, - 0xB3, 0xCF, 0xC1, 0x8E, 0x82, 0x5E, 0xF1, 0xDB, - 0x34, 0xCF, 0xAE, 0x3D, 0xFC, 0x5D, 0x81, 0x87 - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk5, msg5, sig5, 1); - } - { - /* Test vector 6 */ - const unsigned char pk6[33] = { - 0x03, 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, - 0x15, 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, - 0x80, 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, - 0x3C, 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, - 0x4B - }; - const unsigned char msg6[32] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF - }; - const unsigned char sig6[64] = { - 0x57, 0x0D, 0xD4, 0xCA, 0x83, 0xD4, 0xE6, 0x31, - 0x7B, 0x8E, 0xE6, 0xBA, 0xE8, 0x34, 0x67, 0xA1, - 0xBF, 0x41, 0x9D, 0x07, 0x67, 0x12, 0x2D, 0xE4, - 0x09, 0x39, 0x44, 0x14, 0xB0, 0x50, 0x80, 0xDC, - 0xE9, 0xEE, 0x5F, 0x23, 0x7C, 0xBD, 0x10, 0x8E, - 0xAB, 0xAE, 0x1E, 0x37, 0x75, 0x9A, 0xE4, 0x7F, - 0x8E, 0x42, 0x03, 0xDA, 0x35, 0x32, 0xEB, 0x28, - 0xDB, 0x86, 0x0F, 0x33, 0xD6, 0x2D, 0x49, 0xBD - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk6, msg6, sig6, 1); - } - { - /* Test vector 7 */ - const unsigned char pk7[33] = { - 0x03, 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, - 0x50, 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, - 0x21, 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, - 0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, - 0x34 - }; - secp256k1_pubkey pk7_parsed; - /* No need to check the signature of the test vector as parsing the pubkey already fails */ - CHECK(!secp256k1_ec_pubkey_parse(ctx, &pk7_parsed, pk7, 33)); - } - { - /* Test vector 8 */ - const unsigned char pk8[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg8[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig8[64] = { - 0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, - 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, - 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, - 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, - 0xFA, 0x16, 0xAE, 0xE0, 0x66, 0x09, 0x28, 0x0A, - 0x19, 0xB6, 0x7A, 0x24, 0xE1, 0x97, 0x7E, 0x46, - 0x97, 0x71, 0x2B, 0x5F, 0xD2, 0x94, 0x39, 0x14, - 0xEC, 0xD5, 0xF7, 0x30, 0x90, 0x1B, 0x4A, 0xB7 - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk8, msg8, sig8, 0); - } - { - /* Test vector 9 */ - const unsigned char pk9[33] = { - 0x03, 0xFA, 0xC2, 0x11, 0x4C, 0x2F, 0xBB, 0x09, - 0x15, 0x27, 0xEB, 0x7C, 0x64, 0xEC, 0xB1, 0x1F, - 0x80, 0x21, 0xCB, 0x45, 0xE8, 0xE7, 0x80, 0x9D, - 0x3C, 0x09, 0x38, 0xE4, 0xB8, 0xC0, 0xE5, 0xF8, - 0x4B - }; - const unsigned char msg9[32] = { - 0x5E, 0x2D, 0x58, 0xD8, 0xB3, 0xBC, 0xDF, 0x1A, - 0xBA, 0xDE, 0xC7, 0x82, 0x90, 0x54, 0xF9, 0x0D, - 0xDA, 0x98, 0x05, 0xAA, 0xB5, 0x6C, 0x77, 0x33, - 0x30, 0x24, 0xB9, 0xD0, 0xA5, 0x08, 0xB7, 0x5C - }; - const unsigned char sig9[64] = { - 0x00, 0xDA, 0x9B, 0x08, 0x17, 0x2A, 0x9B, 0x6F, - 0x04, 0x66, 0xA2, 0xDE, 0xFD, 0x81, 0x7F, 0x2D, - 0x7A, 0xB4, 0x37, 0xE0, 0xD2, 0x53, 0xCB, 0x53, - 0x95, 0xA9, 0x63, 0x86, 0x6B, 0x35, 0x74, 0xBE, - 0xD0, 0x92, 0xF9, 0xD8, 0x60, 0xF1, 0x77, 0x6A, - 0x1F, 0x74, 0x12, 0xAD, 0x8A, 0x1E, 0xB5, 0x0D, - 0xAC, 0xCC, 0x22, 0x2B, 0xC8, 0xC0, 0xE2, 0x6B, - 0x20, 0x56, 0xDF, 0x2F, 0x27, 0x3E, 0xFD, 0xEC - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk9, msg9, sig9, 0); - } - { - /* Test vector 10 */ - const unsigned char pk10[33] = { - 0x02, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, - 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, - 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, - 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, - 0x98 - }; - const unsigned char msg10[32] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - const unsigned char sig10[64] = { - 0x78, 0x7A, 0x84, 0x8E, 0x71, 0x04, 0x3D, 0x28, - 0x0C, 0x50, 0x47, 0x0E, 0x8E, 0x15, 0x32, 0xB2, - 0xDD, 0x5D, 0x20, 0xEE, 0x91, 0x2A, 0x45, 0xDB, - 0xDD, 0x2B, 0xD1, 0xDF, 0xBF, 0x18, 0x7E, 0xF6, - 0x8F, 0xCE, 0x56, 0x77, 0xCE, 0x7A, 0x62, 0x3C, - 0xB2, 0x00, 0x11, 0x22, 0x57, 0x97, 0xCE, 0x7A, - 0x8D, 0xE1, 0xDC, 0x6C, 0xCD, 0x4F, 0x75, 0x4A, - 0x47, 0xDA, 0x6C, 0x60, 0x0E, 0x59, 0x54, 0x3C - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk10, msg10, sig10, 0); - } - { - /* Test vector 11 */ - const unsigned char pk11[33] = { - 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg11[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig11[64] = { - 0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, - 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, - 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, - 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, - 0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, - 0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, - 0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, - 0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk11, msg11, sig11, 0); - } - { - /* Test vector 12 */ - const unsigned char pk12[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg12[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig12[64] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x9E, 0x9D, 0x01, 0xAF, 0x98, 0x8B, 0x5C, 0xED, - 0xCE, 0x47, 0x22, 0x1B, 0xFA, 0x9B, 0x22, 0x27, - 0x21, 0xF3, 0xFA, 0x40, 0x89, 0x15, 0x44, 0x4A, - 0x4B, 0x48, 0x90, 0x21, 0xDB, 0x55, 0x77, 0x5F - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk12, msg12, sig12, 0); - } - { - /* Test vector 13 */ - const unsigned char pk13[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg13[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig13[64] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0xD3, 0x7D, 0xDF, 0x02, 0x54, 0x35, 0x18, 0x36, - 0xD8, 0x4B, 0x1B, 0xD6, 0xA7, 0x95, 0xFD, 0x5D, - 0x52, 0x30, 0x48, 0xF2, 0x98, 0xC4, 0x21, 0x4D, - 0x18, 0x7F, 0xE4, 0x89, 0x29, 0x47, 0xF7, 0x28 - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk13, msg13, sig13, 0); - } - { - /* Test vector 14 */ - const unsigned char pk14[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg14[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x14, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig14[64] = { - 0x4A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, - 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, - 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, - 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, - 0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, - 0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, - 0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, - 0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk14, msg14, sig14, 0); - } - { - /* Test vector 15 */ - const unsigned char pk15[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg15[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig15[64] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x2F, - 0x1E, 0x51, 0xA2, 0x2C, 0xCE, 0xC3, 0x55, 0x99, - 0xB8, 0xF2, 0x66, 0x91, 0x22, 0x81, 0xF8, 0x36, - 0x5F, 0xFC, 0x2D, 0x03, 0x5A, 0x23, 0x04, 0x34, - 0xA1, 0xA6, 0x4D, 0xC5, 0x9F, 0x70, 0x13, 0xFD - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk15, msg15, sig15, 0); - } - { - /* Test vector 16 */ - const unsigned char pk16[33] = { - 0x02, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, - 0x5F, 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, - 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, - 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, - 0x59 - }; - const unsigned char msg16[32] = { - 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, - 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, - 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, - 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 - }; - const unsigned char sig16[64] = { - 0x2A, 0x29, 0x8D, 0xAC, 0xAE, 0x57, 0x39, 0x5A, - 0x15, 0xD0, 0x79, 0x5D, 0xDB, 0xFD, 0x1D, 0xCB, - 0x56, 0x4D, 0xA8, 0x2B, 0x0F, 0x26, 0x9B, 0xC7, - 0x0A, 0x74, 0xF8, 0x22, 0x04, 0x29, 0xBA, 0x1D, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, - 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, - 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 - }; - test_schnorrsig_bip_vectors_check_verify(scratch, pk16, msg16, sig16, 0); - } -} - -/* Nonce function that returns constant 0 */ -static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { - (void) msg32; - (void) key32; - (void) algo16; - (void) data; - (void) counter; - (void) nonce32; - return 0; -} - -/* Nonce function that sets nonce to 0 */ -static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { - (void) msg32; - (void) key32; - (void) algo16; - (void) data; - (void) counter; - - memset(nonce32, 0, 32); - return 1; -} - -void test_schnorrsig_sign(void) { - unsigned char sk[32]; - const unsigned char msg[32] = "this is a msg for a schnorrsig.."; - secp256k1_schnorrsig sig; - - memset(sk, 23, sizeof(sk)); - CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL) == 1); - - /* Overflowing secret key */ - memset(sk, 0xFF, sizeof(sk)); - CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, NULL, NULL) == 0); - memset(sk, 23, sizeof(sk)); - - CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, nonce_function_failing, NULL) == 0); - CHECK(secp256k1_schnorrsig_sign(ctx, &sig, NULL, msg, sk, nonce_function_0, NULL) == 0); -} - -#define N_SIGS 200 -/* Creates N_SIGS valid signatures and verifies them with verify and verify_batch. Then flips some - * bits and checks that verification now fails. */ -void test_schnorrsig_sign_verify(secp256k1_scratch_space *scratch) { - const unsigned char sk[32] = "shhhhhhhh! this key is a secret."; - unsigned char msg[N_SIGS][32]; - secp256k1_schnorrsig sig[N_SIGS]; - size_t i; - const secp256k1_schnorrsig *sig_arr[N_SIGS]; - const unsigned char *msg_arr[N_SIGS]; - const secp256k1_pubkey *pk_arr[N_SIGS]; - secp256k1_pubkey pk; - - CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk)); - - CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, NULL, NULL, NULL, 0)); - - for (i = 0; i < N_SIGS; i++) { - secp256k1_rand256(msg[i]); - CHECK(secp256k1_schnorrsig_sign(ctx, &sig[i], NULL, msg[i], sk, NULL, NULL)); - CHECK(secp256k1_schnorrsig_verify(ctx, &sig[i], msg[i], &pk)); - sig_arr[i] = &sig[i]; - msg_arr[i] = msg[i]; - pk_arr[i] = &pk; - } - - CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 1)); - CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 2)); - CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); - CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, N_SIGS)); - - { - /* Flip a few bits in the signature and in the message and check that - * verify and verify_batch fail */ - size_t sig_idx = secp256k1_rand_int(4); - size_t byte_idx = secp256k1_rand_int(32); - unsigned char xorbyte = secp256k1_rand_int(254)+1; - sig[sig_idx].data[byte_idx] ^= xorbyte; - CHECK(!secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); - CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); - sig[sig_idx].data[byte_idx] ^= xorbyte; - - byte_idx = secp256k1_rand_int(32); - sig[sig_idx].data[32+byte_idx] ^= xorbyte; - CHECK(!secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); - CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); - sig[sig_idx].data[32+byte_idx] ^= xorbyte; - - byte_idx = secp256k1_rand_int(32); - msg[sig_idx][byte_idx] ^= xorbyte; - CHECK(!secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); - CHECK(!secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); - msg[sig_idx][byte_idx] ^= xorbyte; - - /* Check that above bitflips have been reversed correctly */ - CHECK(secp256k1_schnorrsig_verify(ctx, &sig[sig_idx], msg[sig_idx], &pk)); - CHECK(secp256k1_schnorrsig_verify_batch(ctx, scratch, sig_arr, msg_arr, pk_arr, 4)); - } -} -#undef N_SIGS - -void run_schnorrsig_tests(void) { - secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 1024 * 1024); - - test_schnorrsig_serialize(); - test_schnorrsig_api(scratch); - test_schnorrsig_bip_vectors(scratch); - test_schnorrsig_sign(); - test_schnorrsig_sign_verify(scratch); - - secp256k1_scratch_space_destroy(ctx, scratch); -} - -#endif diff --git a/src/secp256k1.c b/src/secp256k1.c index 0c3a09e3f..7258d8c89 100644 --- a/src/secp256k1.c +++ b/src/secp256k1.c @@ -449,29 +449,6 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off *offset += len; } -/* This nonce function is described in BIP-schnorr - * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) */ -static int nonce_function_bipschnorr(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { - secp256k1_sha256 sha; - (void) counter; - VERIFY_CHECK(counter == 0); - - /* Hash x||msg as per the spec */ - secp256k1_sha256_initialize(&sha); - secp256k1_sha256_write(&sha, key32, 32); - secp256k1_sha256_write(&sha, msg32, 32); - /* Hash in algorithm, which is not in the spec, but may be critical to - * users depending on it to avoid nonce reuse across algorithms. */ - if (algo16 != NULL) { - secp256k1_sha256_write(&sha, algo16, 16); - } - if (data != NULL) { - secp256k1_sha256_write(&sha, data, 32); - } - secp256k1_sha256_finalize(&sha, nonce32); - return 1; -} - static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { unsigned char keydata[112]; unsigned int offset = 0; @@ -502,7 +479,6 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m return 1; } -const secp256k1_nonce_function secp256k1_nonce_function_bipschnorr = nonce_function_bipschnorr; const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; @@ -777,10 +753,6 @@ int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey * # include "modules/ecdh/main_impl.h" #endif -#ifdef ENABLE_MODULE_SCHNORRSIG -# include "modules/schnorrsig/main_impl.h" -#endif - #ifdef ENABLE_MODULE_MUSIG # include "modules/musig/main_impl.h" #endif diff --git a/src/tests.c b/src/tests.c index c594dee94..274d26ccb 100644 --- a/src/tests.c +++ b/src/tests.c @@ -5504,10 +5504,6 @@ void run_ecdsa_openssl(void) { # include "modules/ecdh/tests_impl.h" #endif -#ifdef ENABLE_MODULE_SCHNORRSIG -# include "modules/schnorrsig/tests_impl.h" -#endif - #ifdef ENABLE_MODULE_MUSIG # include "modules/musig/tests_impl.h" #endif @@ -5824,11 +5820,6 @@ int main(int argc, char **argv) { run_ecdh_tests(); #endif -#ifdef ENABLE_MODULE_SCHNORRSIG - /* Schnorrsig tests */ - run_schnorrsig_tests(); -#endif - #ifdef ENABLE_MODULE_MUSIG run_musig_tests(); #endif