Merge #844: schnorrsig API overhaul
5f6ceafcfaschnorrsig: allow setting MSGLEN != 32 in benchmark (Jonas Nick)fdd06b7967schnorrsig: add tests for sign_custom and varlen msg verification (Jonas Nick)d8d806aaf3schnorrsig: add extra parameter struct for sign_custom (Jonas Nick)a0c3fc177fschnorrsig: allow signing and verification of variable length msgs (Jonas Nick)5a8e4991adAdd secp256k1_tagged_sha256 as defined in BIP-340 (Jonas Nick)b6c0b72fb0schnorrsig: remove noncefp args from sign; add sign_custom function (Jonas Nick)442cee5bafschnorrsig: add algolen argument to nonce_function_hardened (Jonas Nick)df3bfa12c3schnorrsig: clarify result of calling nonce_function_bip340 without data (Jonas Nick)99e8614812README: mention schnorrsig module (Jonas Nick) Pull request description: This is a work in progress because I wanted to put this up for discussion before writing tests. It addresses the TODOs that didn't make it in the schnorrsig PR and changes the APIs of `schnorrsig_sign`, `schnorrsig_verify` and `hardened_nonce_function`. - Ideally, the new `aux_rand32` argument for `sign` would be const, but didn't find a solution I was happy with. - Support for variable length message signing and verification supports the [suggested BIP amendment](https://github.com/sipa/bips/issues/207#issuecomment-673681901) for such messages. - ~~`sign_custom` with its opaque config object allows adding more arguments later without having to change the API again. Perhaps there are other sensible customization options, but I'm thinking of [sign-to-contract/covert-channel](https://github.com/bitcoin-core/secp256k1/pull/590) in particular. It would require adding the fields `unsigned char *s2c_data32` and `secp256k1_s2c_opening *s2c_opening` to the config struct. The former is the data to commit to and the latter is written to by `sign_custom`.~~ (EDIT: see below) ACKs for top commit: ariard: utACK5f6ceafLLFourn: utACK5f6ceafcfaTree-SHA512: cf1716dddf4f29bcacf542ed22622a817d0ec9c20d0592333cb7e6105902c77d819952e776b9407fae1333cbd03d63fded492d3a5df7769dcc5b450d91bb4761
This commit is contained in:
Tim Ruffing
@@ -13,6 +13,8 @@
|
||||
#include "util.h"
|
||||
#include "bench.h"
|
||||
|
||||
#define MSGLEN 32
|
||||
|
||||
typedef struct {
|
||||
secp256k1_context *ctx;
|
||||
int n;
|
||||
@@ -26,13 +28,13 @@ typedef struct {
|
||||
void bench_schnorrsig_sign(void* arg, int iters) {
|
||||
bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg;
|
||||
int i;
|
||||
unsigned char msg[32] = "benchmarkexamplemessagetemplate";
|
||||
unsigned char msg[MSGLEN] = {0};
|
||||
unsigned char sig[64];
|
||||
|
||||
for (i = 0; i < iters; i++) {
|
||||
msg[0] = i;
|
||||
msg[1] = i >> 8;
|
||||
CHECK(secp256k1_schnorrsig_sign(data->ctx, sig, msg, data->keypairs[i], NULL, NULL));
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(data->ctx, sig, msg, MSGLEN, data->keypairs[i], NULL));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -43,7 +45,7 @@ void bench_schnorrsig_verify(void* arg, int iters) {
|
||||
for (i = 0; i < iters; i++) {
|
||||
secp256k1_xonly_pubkey pk;
|
||||
CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pk[i]) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], &pk));
|
||||
CHECK(secp256k1_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], MSGLEN, &pk));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -58,9 +60,10 @@ int main(void) {
|
||||
data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
|
||||
data.sigs = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
|
||||
|
||||
CHECK(MSGLEN >= 4);
|
||||
for (i = 0; i < iters; i++) {
|
||||
unsigned char sk[32];
|
||||
unsigned char *msg = (unsigned char *)malloc(32);
|
||||
unsigned char *msg = (unsigned char *)malloc(MSGLEN);
|
||||
unsigned char *sig = (unsigned char *)malloc(64);
|
||||
secp256k1_keypair *keypair = (secp256k1_keypair *)malloc(sizeof(*keypair));
|
||||
unsigned char *pk_char = (unsigned char *)malloc(32);
|
||||
@@ -69,7 +72,7 @@ int main(void) {
|
||||
msg[1] = sk[1] = i >> 8;
|
||||
msg[2] = sk[2] = i >> 16;
|
||||
msg[3] = sk[3] = i >> 24;
|
||||
memset(&msg[4], 'm', 28);
|
||||
memset(&msg[4], 'm', MSGLEN - 4);
|
||||
memset(&sk[4], 's', 28);
|
||||
|
||||
data.keypairs[i] = keypair;
|
||||
@@ -78,7 +81,7 @@ int main(void) {
|
||||
data.sigs[i] = sig;
|
||||
|
||||
CHECK(secp256k1_keypair_create(data.ctx, keypair, sk));
|
||||
CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, msg, keypair, NULL, NULL));
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(data.ctx, sig, msg, MSGLEN, keypair, NULL));
|
||||
CHECK(secp256k1_keypair_xonly_pub(data.ctx, &pk, NULL, keypair));
|
||||
CHECK(secp256k1_xonly_pubkey_serialize(data.ctx, pk_char, &pk) == 1);
|
||||
}
|
||||
|
||||
@@ -43,16 +43,16 @@ static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *
|
||||
sha->bytes = 64;
|
||||
}
|
||||
|
||||
/* algo16 argument for nonce_function_bip340 to derive the nonce exactly as stated in BIP-340
|
||||
/* algo argument for nonce_function_bip340 to derive the nonce exactly as stated in BIP-340
|
||||
* by using the correct tagged hash function. */
|
||||
static const unsigned char bip340_algo16[16] = "BIP0340/nonce\0\0\0";
|
||||
static const unsigned char bip340_algo[13] = "BIP0340/nonce";
|
||||
|
||||
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
|
||||
static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
|
||||
secp256k1_sha256 sha;
|
||||
unsigned char masked_key[32];
|
||||
int i;
|
||||
|
||||
if (algo16 == NULL) {
|
||||
if (algo == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -65,18 +65,14 @@ static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *ms
|
||||
}
|
||||
}
|
||||
|
||||
/* Tag the hash with algo16 which is important to avoid nonce reuse across
|
||||
/* Tag the hash with algo which is important to avoid nonce reuse across
|
||||
* algorithms. If this nonce function is used in BIP-340 signing as defined
|
||||
* in the spec, an optimized tagging implementation is used. */
|
||||
if (secp256k1_memcmp_var(algo16, bip340_algo16, 16) == 0) {
|
||||
if (algolen == sizeof(bip340_algo)
|
||||
&& secp256k1_memcmp_var(algo, bip340_algo, algolen) == 0) {
|
||||
secp256k1_nonce_function_bip340_sha256_tagged(&sha);
|
||||
} else {
|
||||
int algo16_len = 16;
|
||||
/* Remove terminating null bytes */
|
||||
while (algo16_len > 0 && !algo16[algo16_len - 1]) {
|
||||
algo16_len--;
|
||||
}
|
||||
secp256k1_sha256_initialize_tagged(&sha, algo16, algo16_len);
|
||||
secp256k1_sha256_initialize_tagged(&sha, algo, algolen);
|
||||
}
|
||||
|
||||
/* Hash (masked-)key||pk||msg using the tagged hash as per the spec */
|
||||
@@ -86,7 +82,7 @@ static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *ms
|
||||
secp256k1_sha256_write(&sha, key32, 32);
|
||||
}
|
||||
secp256k1_sha256_write(&sha, xonly_pk32, 32);
|
||||
secp256k1_sha256_write(&sha, msg32, 32);
|
||||
secp256k1_sha256_write(&sha, msg, msglen);
|
||||
secp256k1_sha256_finalize(&sha, nonce32);
|
||||
return 1;
|
||||
}
|
||||
@@ -108,23 +104,23 @@ static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha) {
|
||||
sha->bytes = 64;
|
||||
}
|
||||
|
||||
static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg32, const unsigned char *pubkey32)
|
||||
static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg, size_t msglen, const unsigned char *pubkey32)
|
||||
{
|
||||
unsigned char buf[32];
|
||||
secp256k1_sha256 sha;
|
||||
|
||||
/* tagged hash(r.x, pk.x, msg32) */
|
||||
/* tagged hash(r.x, pk.x, msg) */
|
||||
secp256k1_schnorrsig_sha256_tagged(&sha);
|
||||
secp256k1_sha256_write(&sha, r32, 32);
|
||||
secp256k1_sha256_write(&sha, pubkey32, 32);
|
||||
secp256k1_sha256_write(&sha, msg32, 32);
|
||||
secp256k1_sha256_write(&sha, msg, msglen);
|
||||
secp256k1_sha256_finalize(&sha, buf);
|
||||
/* Set scalar e to the challenge hash modulo the curve order as per
|
||||
* BIP340. */
|
||||
secp256k1_scalar_set_b32(e, buf, NULL);
|
||||
}
|
||||
|
||||
int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) {
|
||||
int secp256k1_schnorrsig_sign_internal(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) {
|
||||
secp256k1_scalar sk;
|
||||
secp256k1_scalar e;
|
||||
secp256k1_scalar k;
|
||||
@@ -139,7 +135,7 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64
|
||||
VERIFY_CHECK(ctx != NULL);
|
||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
|
||||
ARG_CHECK(sig64 != NULL);
|
||||
ARG_CHECK(msg32 != NULL);
|
||||
ARG_CHECK(msg != NULL || msglen == 0);
|
||||
ARG_CHECK(keypair != NULL);
|
||||
|
||||
if (noncefp == NULL) {
|
||||
@@ -156,7 +152,7 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64
|
||||
|
||||
secp256k1_scalar_get_b32(seckey, &sk);
|
||||
secp256k1_fe_get_b32(pk_buf, &pk.x);
|
||||
ret &= !!noncefp(buf, msg32, seckey, pk_buf, bip340_algo16, ndata);
|
||||
ret &= !!noncefp(buf, msg, msglen, seckey, pk_buf, bip340_algo, sizeof(bip340_algo), ndata);
|
||||
secp256k1_scalar_set_b32(&k, buf, NULL);
|
||||
ret &= !secp256k1_scalar_is_zero(&k);
|
||||
secp256k1_scalar_cmov(&k, &secp256k1_scalar_one, !ret);
|
||||
@@ -174,7 +170,7 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64
|
||||
secp256k1_fe_normalize_var(&r.x);
|
||||
secp256k1_fe_get_b32(&sig64[0], &r.x);
|
||||
|
||||
secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, pk_buf);
|
||||
secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, pk_buf);
|
||||
secp256k1_scalar_mul(&e, &e, &sk);
|
||||
secp256k1_scalar_add(&e, &e, &k);
|
||||
secp256k1_scalar_get_b32(&sig64[32], &e);
|
||||
@@ -187,7 +183,26 @@ int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64
|
||||
return ret;
|
||||
}
|
||||
|
||||
int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) {
|
||||
int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, unsigned char *aux_rand32) {
|
||||
return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg32, 32, keypair, secp256k1_nonce_function_bip340, aux_rand32);
|
||||
}
|
||||
|
||||
int secp256k1_schnorrsig_sign_custom(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_keypair *keypair, secp256k1_schnorrsig_extraparams *extraparams) {
|
||||
secp256k1_nonce_function_hardened noncefp = NULL;
|
||||
void *ndata = NULL;
|
||||
VERIFY_CHECK(ctx != NULL);
|
||||
|
||||
if (extraparams != NULL) {
|
||||
ARG_CHECK(secp256k1_memcmp_var(extraparams->magic,
|
||||
SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC,
|
||||
sizeof(extraparams->magic)) == 0);
|
||||
noncefp = extraparams->noncefp;
|
||||
ndata = extraparams->ndata;
|
||||
}
|
||||
return secp256k1_schnorrsig_sign_internal(ctx, sig64, msg, msglen, keypair, noncefp, ndata);
|
||||
}
|
||||
|
||||
int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) {
|
||||
secp256k1_scalar s;
|
||||
secp256k1_scalar e;
|
||||
secp256k1_gej rj;
|
||||
@@ -201,7 +216,7 @@ int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned cha
|
||||
VERIFY_CHECK(ctx != NULL);
|
||||
ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
|
||||
ARG_CHECK(sig64 != NULL);
|
||||
ARG_CHECK(msg32 != NULL);
|
||||
ARG_CHECK(msg != NULL || msglen == 0);
|
||||
ARG_CHECK(pubkey != NULL);
|
||||
|
||||
if (!secp256k1_fe_set_b32(&rx, &sig64[0])) {
|
||||
@@ -219,7 +234,7 @@ int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned cha
|
||||
|
||||
/* Compute e. */
|
||||
secp256k1_fe_get_b32(buf, &pk.x);
|
||||
secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, buf);
|
||||
secp256k1_schnorrsig_challenge(&e, &sig64[0], msg, msglen, buf);
|
||||
|
||||
/* Compute rj = s*G + (-e)*pkj */
|
||||
secp256k1_scalar_negate(&e, &e);
|
||||
|
||||
@@ -58,15 +58,19 @@ static const unsigned char invalid_pubkey_bytes[][32] = {
|
||||
|
||||
#define NUM_INVALID_KEYS (sizeof(invalid_pubkey_bytes) / sizeof(invalid_pubkey_bytes[0]))
|
||||
|
||||
static int secp256k1_hardened_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32,
|
||||
static int secp256k1_hardened_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg,
|
||||
size_t msglen,
|
||||
const unsigned char *key32, const unsigned char *xonly_pk32,
|
||||
const unsigned char *algo16, void* data) {
|
||||
const unsigned char *algo, size_t algolen,
|
||||
void* data) {
|
||||
secp256k1_scalar s;
|
||||
int *idata = data;
|
||||
(void)msg32;
|
||||
(void)msg;
|
||||
(void)msglen;
|
||||
(void)key32;
|
||||
(void)xonly_pk32;
|
||||
(void)algo16;
|
||||
(void)algo;
|
||||
(void)algolen;
|
||||
secp256k1_scalar_set_int(&s, *idata);
|
||||
secp256k1_scalar_get_b32(nonce32, &s);
|
||||
return 1;
|
||||
@@ -101,7 +105,7 @@ static void test_exhaustive_schnorrsig_verify(const secp256k1_context *ctx, cons
|
||||
secp256k1_scalar e;
|
||||
unsigned char msg32[32];
|
||||
secp256k1_testrand256(msg32);
|
||||
secp256k1_schnorrsig_challenge(&e, sig64, msg32, pk32);
|
||||
secp256k1_schnorrsig_challenge(&e, sig64, msg32, sizeof(msg32), pk32);
|
||||
/* Only do work if we hit a challenge we haven't tried before. */
|
||||
if (!e_done[e]) {
|
||||
/* Iterate over the possible valid last 32 bytes in the signature.
|
||||
@@ -119,7 +123,7 @@ static void test_exhaustive_schnorrsig_verify(const secp256k1_context *ctx, cons
|
||||
secp256k1_testrand256(sig64 + 32);
|
||||
expect_valid = 0;
|
||||
}
|
||||
valid = secp256k1_schnorrsig_verify(ctx, sig64, msg32, &pubkeys[d - 1]);
|
||||
valid = secp256k1_schnorrsig_verify(ctx, sig64, msg32, sizeof(msg32), &pubkeys[d - 1]);
|
||||
CHECK(valid == expect_valid);
|
||||
count_valid += valid;
|
||||
}
|
||||
@@ -137,6 +141,8 @@ static void test_exhaustive_schnorrsig_verify(const secp256k1_context *ctx, cons
|
||||
static void test_exhaustive_schnorrsig_sign(const secp256k1_context *ctx, unsigned char (*xonly_pubkey_bytes)[32], const secp256k1_keypair* keypairs, const int* parities) {
|
||||
int d, k;
|
||||
uint64_t iter = 0;
|
||||
secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
|
||||
|
||||
/* Loop over keys. */
|
||||
for (d = 1; d < EXHAUSTIVE_TEST_ORDER; ++d) {
|
||||
int actual_d = d;
|
||||
@@ -149,19 +155,21 @@ static void test_exhaustive_schnorrsig_sign(const secp256k1_context *ctx, unsign
|
||||
unsigned char sig64[64];
|
||||
int actual_k = k;
|
||||
if (skip_section(&iter)) continue;
|
||||
extraparams.noncefp = secp256k1_hardened_nonce_function_smallint;
|
||||
extraparams.ndata = &k;
|
||||
if (parities[k - 1]) actual_k = EXHAUSTIVE_TEST_ORDER - k;
|
||||
/* Generate random messages until all challenges have been tried. */
|
||||
while (e_count_done < EXHAUSTIVE_TEST_ORDER) {
|
||||
secp256k1_scalar e;
|
||||
secp256k1_testrand256(msg32);
|
||||
secp256k1_schnorrsig_challenge(&e, xonly_pubkey_bytes[k - 1], msg32, xonly_pubkey_bytes[d - 1]);
|
||||
secp256k1_schnorrsig_challenge(&e, xonly_pubkey_bytes[k - 1], msg32, sizeof(msg32), xonly_pubkey_bytes[d - 1]);
|
||||
/* Only do work if we hit a challenge we haven't tried before. */
|
||||
if (!e_done[e]) {
|
||||
secp256k1_scalar expected_s = (actual_k + e * actual_d) % EXHAUSTIVE_TEST_ORDER;
|
||||
unsigned char expected_s_bytes[32];
|
||||
secp256k1_scalar_get_b32(expected_s_bytes, &expected_s);
|
||||
/* Invoke the real function to construct a signature. */
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig64, msg32, &keypairs[d - 1], secp256k1_hardened_nonce_function_smallint, &k));
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig64, msg32, sizeof(msg32), &keypairs[d - 1], &extraparams));
|
||||
/* The first 32 bytes must match the xonly pubkey for the specified k. */
|
||||
CHECK(secp256k1_memcmp_var(sig64, xonly_pubkey_bytes[k - 1], 32) == 0);
|
||||
/* The last 32 bytes must match the expected s value. */
|
||||
|
||||
@@ -12,11 +12,11 @@
|
||||
/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
|
||||
* bytes) changes the hash function
|
||||
*/
|
||||
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
|
||||
void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t msglen, size_t algolen) {
|
||||
unsigned char nonces[2][32];
|
||||
CHECK(nonce_function_bip340(nonces[0], args[0], args[1], args[2], args[3], args[4]) == 1);
|
||||
CHECK(nonce_function_bip340(nonces[0], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
|
||||
secp256k1_testrand_flip(args[n_flip], n_bytes);
|
||||
CHECK(nonce_function_bip340(nonces[1], args[0], args[1], args[2], args[3], args[4]) == 1);
|
||||
CHECK(nonce_function_bip340(nonces[1], args[0], msglen, args[1], args[2], args[3], algolen, args[4]) == 1);
|
||||
CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0);
|
||||
}
|
||||
|
||||
@@ -34,11 +34,13 @@ void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
|
||||
void run_nonce_function_bip340_tests(void) {
|
||||
unsigned char tag[13] = "BIP0340/nonce";
|
||||
unsigned char aux_tag[11] = "BIP0340/aux";
|
||||
unsigned char algo16[16] = "BIP0340/nonce\0\0\0";
|
||||
unsigned char algo[13] = "BIP0340/nonce";
|
||||
size_t algolen = sizeof(algo);
|
||||
secp256k1_sha256 sha;
|
||||
secp256k1_sha256 sha_optimized;
|
||||
unsigned char nonce[32];
|
||||
unsigned char msg[32];
|
||||
size_t msglen = sizeof(msg);
|
||||
unsigned char key[32];
|
||||
unsigned char pk[32];
|
||||
unsigned char aux_rand[32];
|
||||
@@ -68,33 +70,45 @@ void run_nonce_function_bip340_tests(void) {
|
||||
args[0] = msg;
|
||||
args[1] = key;
|
||||
args[2] = pk;
|
||||
args[3] = algo16;
|
||||
args[3] = algo;
|
||||
args[4] = aux_rand;
|
||||
for (i = 0; i < count; i++) {
|
||||
nonce_function_bip340_bitflip(args, 0, 32);
|
||||
nonce_function_bip340_bitflip(args, 1, 32);
|
||||
nonce_function_bip340_bitflip(args, 2, 32);
|
||||
/* Flip algo16 special case "BIP0340/nonce" */
|
||||
nonce_function_bip340_bitflip(args, 3, 16);
|
||||
/* Flip algo16 again */
|
||||
nonce_function_bip340_bitflip(args, 3, 16);
|
||||
nonce_function_bip340_bitflip(args, 4, 32);
|
||||
nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
|
||||
nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
|
||||
nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
|
||||
/* Flip algo special case "BIP0340/nonce" */
|
||||
nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
|
||||
/* Flip algo again */
|
||||
nonce_function_bip340_bitflip(args, 3, algolen, msglen, algolen);
|
||||
nonce_function_bip340_bitflip(args, 4, 32, msglen, algolen);
|
||||
}
|
||||
|
||||
/* NULL algo16 is disallowed */
|
||||
CHECK(nonce_function_bip340(nonce, msg, key, pk, NULL, NULL) == 0);
|
||||
/* Empty algo16 is fine */
|
||||
memset(algo16, 0x00, 16);
|
||||
CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
|
||||
/* algo16 with terminating null bytes is fine */
|
||||
algo16[1] = 65;
|
||||
CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
|
||||
/* Other algo16 is fine */
|
||||
memset(algo16, 0xFF, 16);
|
||||
CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
|
||||
/* NULL algo is disallowed */
|
||||
CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
|
||||
CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
|
||||
/* Other algo is fine */
|
||||
secp256k1_rfc6979_hmac_sha256_generate(&secp256k1_test_rng, algo, algolen);
|
||||
CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
|
||||
|
||||
for (i = 0; i < count; i++) {
|
||||
unsigned char nonce2[32];
|
||||
uint32_t offset = secp256k1_testrand_int(msglen - 1);
|
||||
size_t msglen_tmp = (msglen + offset) % msglen;
|
||||
size_t algolen_tmp;
|
||||
|
||||
/* Different msglen gives different nonce */
|
||||
CHECK(nonce_function_bip340(nonce2, msg, msglen_tmp, key, pk, algo, algolen, NULL) == 1);
|
||||
CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
|
||||
|
||||
/* Different algolen gives different nonce */
|
||||
offset = secp256k1_testrand_int(algolen - 1);
|
||||
algolen_tmp = (algolen + offset) % algolen;
|
||||
CHECK(nonce_function_bip340(nonce2, msg, msglen, key, pk, algo, algolen_tmp, NULL) == 1);
|
||||
CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
|
||||
}
|
||||
|
||||
/* NULL aux_rand argument is allowed. */
|
||||
CHECK(nonce_function_bip340(nonce, msg, key, pk, algo16, NULL) == 1);
|
||||
CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
|
||||
}
|
||||
|
||||
void test_schnorrsig_api(void) {
|
||||
@@ -107,6 +121,8 @@ void test_schnorrsig_api(void) {
|
||||
secp256k1_xonly_pubkey pk[3];
|
||||
secp256k1_xonly_pubkey zero_pk;
|
||||
unsigned char sig[64];
|
||||
secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
|
||||
secp256k1_schnorrsig_extraparams invalid_extraparams = { 0 };
|
||||
|
||||
/** setup **/
|
||||
secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
|
||||
@@ -138,36 +154,60 @@ void test_schnorrsig_api(void) {
|
||||
|
||||
/** main test body **/
|
||||
ecount = 0;
|
||||
CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL) == 0);
|
||||
CHECK(ecount == 1);
|
||||
CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL) == 0);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL) == 0);
|
||||
CHECK(ecount == 3);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL) == 0);
|
||||
CHECK(ecount == 4);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL) == 0);
|
||||
CHECK(ecount == 5);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL) == 0);
|
||||
CHECK(ecount == 6);
|
||||
|
||||
ecount = 0;
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(none, sig, msg, &pk[0]) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(none, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
|
||||
CHECK(ecount == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, &pk[0]) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(vrfy, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &pk[0]) == 1);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
|
||||
CHECK(ecount == 3);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, &pk[0]) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
|
||||
CHECK(ecount == 4);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, NULL) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
|
||||
CHECK(ecount == 4);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
|
||||
CHECK(ecount == 5);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, &zero_pk) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
|
||||
CHECK(ecount == 6);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
|
||||
CHECK(ecount == 6);
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(sign, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
|
||||
CHECK(ecount == 7);
|
||||
|
||||
ecount = 0;
|
||||
CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 0);
|
||||
CHECK(ecount == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 0);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &pk[0]) == 1);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, NULL, msg, sizeof(msg), &pk[0]) == 0);
|
||||
CHECK(ecount == 3);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, sizeof(msg), &pk[0]) == 0);
|
||||
CHECK(ecount == 4);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, NULL, 0, &pk[0]) == 0);
|
||||
CHECK(ecount == 4);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), NULL) == 0);
|
||||
CHECK(ecount == 5);
|
||||
CHECK(secp256k1_schnorrsig_verify(vrfy, sig, msg, sizeof(msg), &zero_pk) == 0);
|
||||
CHECK(ecount == 6);
|
||||
|
||||
secp256k1_context_destroy(none);
|
||||
@@ -190,19 +230,19 @@ void test_schnorrsig_sha256_tagged(void) {
|
||||
|
||||
/* Helper function for schnorrsig_bip_vectors
|
||||
* Signs the message and checks that it's the same as expected_sig. */
|
||||
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg, const unsigned char *expected_sig) {
|
||||
void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *expected_sig) {
|
||||
unsigned char sig[64];
|
||||
secp256k1_keypair keypair;
|
||||
secp256k1_xonly_pubkey pk, pk_expected;
|
||||
|
||||
CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, aux_rand));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg32, &keypair, aux_rand));
|
||||
CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
|
||||
|
||||
CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
|
||||
CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
|
||||
CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, &pk));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
|
||||
}
|
||||
|
||||
/* Helper function for schnorrsig_bip_vectors
|
||||
@@ -211,7 +251,7 @@ void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized
|
||||
secp256k1_xonly_pubkey pk;
|
||||
|
||||
CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
|
||||
CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, &pk));
|
||||
CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
|
||||
}
|
||||
|
||||
/* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
|
||||
@@ -634,22 +674,26 @@ void test_schnorrsig_bip_vectors(void) {
|
||||
}
|
||||
|
||||
/* Nonce function that returns constant 0 */
|
||||
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
|
||||
(void) msg32;
|
||||
static int nonce_function_failing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
|
||||
(void) msg;
|
||||
(void) msglen;
|
||||
(void) key32;
|
||||
(void) xonly_pk32;
|
||||
(void) algo16;
|
||||
(void) algo;
|
||||
(void) algolen;
|
||||
(void) data;
|
||||
(void) nonce32;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Nonce function that sets nonce to 0 */
|
||||
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
|
||||
(void) msg32;
|
||||
static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
|
||||
(void) msg;
|
||||
(void) msglen;
|
||||
(void) key32;
|
||||
(void) xonly_pk32;
|
||||
(void) algo16;
|
||||
(void) algo;
|
||||
(void) algolen;
|
||||
(void) data;
|
||||
|
||||
memset(nonce32, 0, 32);
|
||||
@@ -657,11 +701,13 @@ static int nonce_function_0(unsigned char *nonce32, const unsigned char *msg32,
|
||||
}
|
||||
|
||||
/* Nonce function that sets nonce to 0xFF...0xFF */
|
||||
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
|
||||
(void) msg32;
|
||||
static int nonce_function_overflowing(unsigned char *nonce32, const unsigned char *msg, size_t msglen, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) {
|
||||
(void) msg;
|
||||
(void) msglen;
|
||||
(void) key32;
|
||||
(void) xonly_pk32;
|
||||
(void) algo16;
|
||||
(void) algo;
|
||||
(void) algolen;
|
||||
(void) data;
|
||||
|
||||
memset(nonce32, 0xFF, 32);
|
||||
@@ -670,24 +716,45 @@ static int nonce_function_overflowing(unsigned char *nonce32, const unsigned cha
|
||||
|
||||
void test_schnorrsig_sign(void) {
|
||||
unsigned char sk[32];
|
||||
secp256k1_xonly_pubkey pk;
|
||||
secp256k1_keypair keypair;
|
||||
const unsigned char msg[32] = "this is a msg for a schnorrsig..";
|
||||
unsigned char sig[64];
|
||||
unsigned char sig2[64];
|
||||
unsigned char zeros64[64] = { 0 };
|
||||
secp256k1_schnorrsig_extraparams extraparams = SECP256K1_SCHNORRSIG_EXTRAPARAMS_INIT;
|
||||
unsigned char aux_rand[32];
|
||||
|
||||
secp256k1_testrand256(sk);
|
||||
secp256k1_testrand256(aux_rand);
|
||||
CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1);
|
||||
CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
|
||||
|
||||
/* Test different nonce functions */
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
|
||||
memset(sig, 1, sizeof(sig));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_failing, NULL) == 0);
|
||||
extraparams.noncefp = nonce_function_failing;
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
|
||||
CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
|
||||
memset(&sig, 1, sizeof(sig));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_0, NULL) == 0);
|
||||
extraparams.noncefp = nonce_function_0;
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
|
||||
CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_overflowing, NULL) == 1);
|
||||
CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) != 0);
|
||||
memset(&sig, 1, sizeof(sig));
|
||||
extraparams.noncefp = nonce_function_overflowing;
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
|
||||
|
||||
/* When using the default nonce function, schnorrsig_sign_custom produces
|
||||
* the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
|
||||
extraparams.noncefp = NULL;
|
||||
extraparams.ndata = aux_rand;
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
|
||||
CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
|
||||
}
|
||||
|
||||
#define N_SIGS 3
|
||||
@@ -709,8 +776,8 @@ void test_schnorrsig_sign_verify(void) {
|
||||
|
||||
for (i = 0; i < N_SIGS; i++) {
|
||||
secp256k1_testrand256(msg[i]);
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL, NULL));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], &pk));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
|
||||
}
|
||||
|
||||
{
|
||||
@@ -720,36 +787,54 @@ void test_schnorrsig_sign_verify(void) {
|
||||
size_t byte_idx = secp256k1_testrand_int(32);
|
||||
unsigned char xorbyte = secp256k1_testrand_int(254)+1;
|
||||
sig[sig_idx][byte_idx] ^= xorbyte;
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
|
||||
sig[sig_idx][byte_idx] ^= xorbyte;
|
||||
|
||||
byte_idx = secp256k1_testrand_int(32);
|
||||
sig[sig_idx][32+byte_idx] ^= xorbyte;
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
|
||||
sig[sig_idx][32+byte_idx] ^= xorbyte;
|
||||
|
||||
byte_idx = secp256k1_testrand_int(32);
|
||||
msg[sig_idx][byte_idx] ^= xorbyte;
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
|
||||
msg[sig_idx][byte_idx] ^= xorbyte;
|
||||
|
||||
/* Check that above bitflips have been reversed correctly */
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
|
||||
}
|
||||
|
||||
/* Test overflowing s */
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
|
||||
memset(&sig[0][32], 0xFF, 32);
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
|
||||
|
||||
/* Test negative s */
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
|
||||
secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
|
||||
secp256k1_scalar_negate(&s, &s);
|
||||
secp256k1_scalar_get_b32(&sig[0][32], &s);
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], &pk));
|
||||
CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
|
||||
|
||||
/* The empty message can be signed & verified */
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
|
||||
|
||||
{
|
||||
/* Test varying message lengths */
|
||||
unsigned char msg_large[32 * 8];
|
||||
uint32_t msglen = secp256k1_testrand_int(sizeof(msg_large));
|
||||
for (i = 0; i < sizeof(msg_large); i += 32) {
|
||||
secp256k1_testrand256(&msg_large[i]);
|
||||
}
|
||||
CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
|
||||
/* Verification for a random wrong message length fails */
|
||||
msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
|
||||
}
|
||||
}
|
||||
#undef N_SIGS
|
||||
|
||||
@@ -777,10 +862,10 @@ void test_schnorrsig_taproot(void) {
|
||||
|
||||
/* Key spend */
|
||||
secp256k1_testrand256(msg);
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1);
|
||||
CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
|
||||
/* Verify key spend */
|
||||
CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, &output_pk) == 1);
|
||||
CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
|
||||
|
||||
/* Script spend */
|
||||
CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
|
||||
|
||||
@@ -790,6 +790,19 @@ int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *
|
||||
return 1;
|
||||
}
|
||||
|
||||
int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
|
||||
secp256k1_sha256 sha;
|
||||
VERIFY_CHECK(ctx != NULL);
|
||||
ARG_CHECK(hash32 != NULL);
|
||||
ARG_CHECK(tag != NULL);
|
||||
ARG_CHECK(msg != NULL);
|
||||
|
||||
secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
|
||||
secp256k1_sha256_write(&sha, msg, msglen);
|
||||
secp256k1_sha256_finalize(&sha, hash32);
|
||||
return 1;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_MODULE_ECDH
|
||||
# include "modules/ecdh/main_impl.h"
|
||||
#endif
|
||||
|
||||
33
src/tests.c
33
src/tests.c
@@ -564,6 +564,38 @@ void run_rfc6979_hmac_sha256_tests(void) {
|
||||
secp256k1_rfc6979_hmac_sha256_finalize(&rng);
|
||||
}
|
||||
|
||||
void run_tagged_sha256_tests(void) {
|
||||
int ecount = 0;
|
||||
secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
|
||||
unsigned char tag[32] = { 0 };
|
||||
unsigned char msg[32] = { 0 };
|
||||
unsigned char hash32[32];
|
||||
unsigned char hash_expected[32] = {
|
||||
0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
|
||||
0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
|
||||
0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
|
||||
0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
|
||||
};
|
||||
|
||||
secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
|
||||
|
||||
/* API test */
|
||||
CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
|
||||
CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
|
||||
CHECK(ecount == 1);
|
||||
CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
|
||||
CHECK(ecount == 2);
|
||||
CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
|
||||
CHECK(ecount == 3);
|
||||
|
||||
/* Static test vector */
|
||||
memcpy(tag, "tag", 3);
|
||||
memcpy(msg, "msg", 3);
|
||||
CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
|
||||
CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
|
||||
secp256k1_context_destroy(none);
|
||||
}
|
||||
|
||||
/***** RANDOM TESTS *****/
|
||||
|
||||
void test_rand_bits(int rand32, int bits) {
|
||||
@@ -6569,6 +6601,7 @@ int main(int argc, char **argv) {
|
||||
run_sha256_tests();
|
||||
run_hmac_sha256_tests();
|
||||
run_rfc6979_hmac_sha256_tests();
|
||||
run_tagged_sha256_tests();
|
||||
|
||||
/* scalar tests */
|
||||
run_scalar_tests();
|
||||
|
||||
@@ -166,7 +166,7 @@ void run_tests(secp256k1_context *ctx, unsigned char *key) {
|
||||
ret = secp256k1_keypair_create(ctx, &keypair, key);
|
||||
VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
|
||||
CHECK(ret == 1);
|
||||
ret = secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL);
|
||||
ret = secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL);
|
||||
VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
|
||||
CHECK(ret == 1);
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user