From ce849f94d73eb51b5ec14b39457dca5c680ad43b Mon Sep 17 00:00:00 2001 From: siv2r Date: Wed, 23 Oct 2024 18:52:45 +0530 Subject: [PATCH 1/5] schnorr_adaptor: initialize project This commit adds the foundational configuration, building scripts, and an initial structure for the project. --- CMakeLists.txt | 10 +++ Makefile.am | 4 ++ README.md | 1 + configure.ac | 17 +++++ include/secp256k1_schnorr_adaptor.h | 71 +++++++++++++++++++ src/CMakeLists.txt | 3 + .../schnorr_adaptor/Makefile.am.include | 2 + src/modules/schnorr_adaptor/main_impl.h | 13 ++++ src/secp256k1.c | 4 ++ 9 files changed, 125 insertions(+) create mode 100644 include/secp256k1_schnorr_adaptor.h create mode 100644 src/modules/schnorr_adaptor/Makefile.am.include create mode 100644 src/modules/schnorr_adaptor/main_impl.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 2d9d9d2c9..e82decf84 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -69,9 +69,18 @@ option(SECP256K1_ENABLE_MODULE_MUSIG "Enable MuSig module." ON) option(SECP256K1_ENABLE_MODULE_ECDSA_ADAPTOR "Enable ecdsa adaptor signatures module." ON) option(SECP256K1_ENABLE_MODULE_ECDSA_S2C "Enable ECDSA sign-to-contract module." ON) option(SECP256K1_ENABLE_MODULE_BPPP "Enable Bulletproofs++ module." ON) +option(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR "Enable schnorr adaptor signatures module." ON) # Processing must be done in a topological sorting of the dependency graph # (dependent module first). +if(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR) + if(DEFINED SECP256K1_ENABLE_MODULE_SCHNORRSIG AND NOT SECP256K1_ENABLE_MODULE_SCHNORRSIG) + message(FATAL_ERROR "Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the schnorr adaptor signatures module.") + endif() + set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON) + add_compile_definitions(ENABLE_MODULE_SCHNORR_ADAPTOR=1) +endif() + if(SECP256K1_ENABLE_MODULE_BPPP) if(DEFINED SECP256K1_ENABLE_MODULE_GENERATOR AND NOT SECP256K1_ENABLE_MODULE_GENERATOR) message(FATAL_ERROR "Module dependency error: You have disabled the generator module explicitly, but it is required by the bppp module.") @@ -362,6 +371,7 @@ message(" musig ............................... ${SECP256K1_ENABLE_MODULE_MUSIG message(" ecdsa-s2c ........................... ${SECP256K1_ENABLE_MODULE_ECDSA_S2C}") message(" ecdsa-adaptor ....................... ${SECP256K1_ENABLE_MODULE_ECDSA_ADAPTOR}") message(" bppp ................................ ${SECP256K1_ENABLE_MODULE_BPPP}") +message(" schnorr-adaptor ..................... ${SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR}") message("Parameters:") message(" ecmult window size .................. ${SECP256K1_ECMULT_WINDOW_SIZE}") message(" ecmult gen precision bits ........... ${SECP256K1_ECMULT_GEN_PREC_BITS}") diff --git a/Makefile.am b/Makefile.am index 329f86ca8..9761eb2c1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -320,3 +320,7 @@ endif if ENABLE_MODULE_ECDSA_ADAPTOR include src/modules/ecdsa_adaptor/Makefile.am.include endif + +if ENABLE_MODULE_SCHNORR_ADAPTOR +include src/modules/schnorr_adaptor/Makefile.am.include +endif \ No newline at end of file diff --git a/README.md b/README.md index 88bdb2ba4..d0267e3cd 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ Added features: * Experimental module for Confidential Assets (Pedersen commitments, range proofs, and [surjection proofs](src/modules/surjection/surjection.md)). * Experimental module for Bulletproofs++ range proofs. * Experimental module for [address whitelisting](src/modules/whitelist/whitelist.md). +* Experimental module for Schnorr adaptor signatures. Experimental features are made available for testing and review by the community. The APIs of these features should not be considered stable. diff --git a/configure.ac b/configure.ac index 4d2a6e67e..260f5076d 100644 --- a/configure.ac +++ b/configure.ac @@ -188,6 +188,10 @@ AC_ARG_ENABLE(module_schnorrsig_halfagg, AS_HELP_STRING([--enable-module-schnorrsig-halfagg],[enable schnorrsig half-aggregation module (experimental) [default=no]]), [], [SECP_SET_DEFAULT([enable_module_schnorrsig_halfagg], [no], [yes])]) +AC_ARG_ENABLE(module_schnorr_adaptor, + AS_HELP_STRING([--enable-module-schnorr-adaptor],[enable Schnorr adaptor module [default=no]]), [], + [SECP_SET_DEFAULT([enable_module_schnorr_adaptor], [no], [yes])]) + AC_ARG_ENABLE(module_ellswift, AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [], [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])]) @@ -454,6 +458,14 @@ if test x"$enable_module_schnorrsig_halfagg" = x"yes"; then enable_module_schnorrsig=yes fi +if test x"$enable_module_schnorr_adaptor" = x"yes"; then + if test x"$enable_module_schnorrsig" = x"no"; then + AC_MSG_ERROR([Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the schnorr adaptor module.]) + fi + SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SCHNORR_ADAPTOR=1" + enable_module_schnorrsig=yes +fi + if test x"$enable_module_bppp" = x"yes"; then if test x"$enable_module_generator" = x"no"; then AC_MSG_ERROR([Module dependency error: You have disabled the generator module explicitly, but it is required by the bppp module.]) @@ -555,6 +567,9 @@ else if test x"$enable_module_schnorrsig_halfagg" = x"yes"; then AC_MSG_ERROR([Schnorrsig Half-Aggregation module is experimental. Use --enable-experimental to allow.]) fi + if test x"$enable_module_schnorr_adaptor" = x"yes"; then + AC_MSG_ERROR([Schnorr adaptor signatures module is experimental. Use --enable-experimental to allow.]) + fi if test x"$enable_module_bppp" = x"yes"; then AC_MSG_ERROR([Bulletproofs++ module is experimental. Use --enable-experimental to allow.]) fi @@ -611,6 +626,7 @@ AM_CONDITIONAL([ENABLE_MODULE_ECDSA_S2C], [test x"$enable_module_ecdsa_s2c" = x" AM_CONDITIONAL([ENABLE_MODULE_ECDSA_ADAPTOR], [test x"$enable_module_ecdsa_adaptor" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_BPPP], [test x"$enable_module_bppp" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG_HALFAGG], [test x"$enable_module_schnorrsig_halfagg" = x"yes"]) +AM_CONDITIONAL([ENABLE_MODULE_SCHNORR_ADAPTOR], [test x"$enable_module_schnorr_adaptor" = x"yes"]) AM_CONDITIONAL([USE_REDUCED_SURJECTION_PROOF_SIZE], [test x"$use_reduced_surjection_proof_size" = x"yes"]) AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"]) AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"]) @@ -651,6 +667,7 @@ echo " module ecdsa-s2c = $enable_module_ecdsa_s2c" echo " module ecdsa-adaptor = $enable_module_ecdsa_adaptor" echo " module bppp = $enable_module_bppp" echo " module schnorrsig-halfagg = $enable_module_schnorrsig_halfagg" +echo " module schnorr-adaptor = $enable_module_schnorr_adaptor" echo echo " asm = $set_asm" echo " ecmult window size = $set_ecmult_window" diff --git a/include/secp256k1_schnorr_adaptor.h b/include/secp256k1_schnorr_adaptor.h new file mode 100644 index 000000000..a89567c68 --- /dev/null +++ b/include/secp256k1_schnorr_adaptor.h @@ -0,0 +1,71 @@ +#ifndef SECP256K1_SCHNORR_ADAPTOR_H +#define SECP256K1_SCHNORR_ADAPTOR_H + +#include "secp256k1.h" +#include "secp256k1_extrakeys.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** This module provides an experimental implementation of a Schnorr adaptor + * signature protocol variant. + * + * The test vectors have been generated and cross-verified using a Python + * implementation of this adaptor signature variant available at [0]. + * + * The protocol involves two parties, Alice and Bob. The general sequence of + * their interaction is as follows: + * 1. Alice calls the `schnorr_adaptor_presign` function for an adaptor point T + * and sends the pre-signature to Bob. + * 2. Bob extracts the adaptor point T from the pre-signature using + * `schnorr_adaptor_extract`. + * 3. Bob provides the pre-signature and the discrete logarithm of T to + * `schnorr_adaptor_adapt` which outputs a valid BIP 340 Schnorr signature. + * 4. Alice extracts the discrete logarithm of T from the pre-signature and the + * BIP 340 signature using `schnorr_adaptor_extract_sec`. + * + * In contrast to common descriptions of adaptor signature protocols, this + * module does not provide a verification algorithm for pre-signatures. + * Instead, `schnorr_adaptor_extract` returns the adaptor point encoded by a + * pre-signature, reducing communication cost. If a verification function for + * pre-signatures is needed, it can be easily simulated with + * `schnorr_adaptor_extract`. + * + * Assuming that BIP 340 Schnorr signatures satisfy strong unforgeability under + * chosen message attack, the Schnorr adaptor signature scheme fulfills the + * following properties as formalized by [1]. + * + * - Witness extractability: + * If Alice + * 1. creates a pre-signature with `schnorr_adaptor_presign` for message m + * and adaptor point T and + * 2. receives a Schnorr signature for message m that she hasn't created + * herself, + * then Alice is able to obtain the discrete logarithm of T with + * `schnorr_adaptor_extract_sec`. + * + * - Pre-signature adaptability: + * If Bob + * 1. receives a pre-signature and extracts an adaptor point T using + * `schnorr_adaptor_extract`, and + * 2. obtains the discrete logarithm of the adaptor point T + * Then then Bob is able to adapt the received pre-signature to a valid BIP + * 340 Schnorr signature using `schnorr_adaptor_adapt`. + * + * - Existential Unforgeability: + * Bob is not able to create a BIP 340 signature from a pre-signature for + * adaptor T without knowing the discrete logarithm of T. + * + * - Pre-signature existiential unforgeability: + * Only Alice can create a pre-signature for her public key. + * + * [0] https://github.com/ZhePang/Python_Specification_for_Schnorr_Adaptor + * [1] https://eprint.iacr.org/2020/476.pdf + */ + +#ifdef __cplusplus +} +#endif + +#endif /* SECP256K1_SCHNORR_ADAPTOR_H */ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 27e902045..a65d05c16 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -120,6 +120,9 @@ if(SECP256K1_INSTALL) "${PROJECT_SOURCE_DIR}/include/secp256k1.h" "${PROJECT_SOURCE_DIR}/include/secp256k1_preallocated.h" ) + if(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR) + list(APPEND ${PROJECT_NAME}_headers "${PROJECT_SOURCE_DIR}/include/secp256k1_schnorr_adaptor.h") + endif() if(SECP256K1_ENABLE_MODULE_BPPP) list(APPEND ${PROJECT_NAME}_headers "${PROJECT_SOURCE_DIR}/include/secp256k1_bppp.h") endif() diff --git a/src/modules/schnorr_adaptor/Makefile.am.include b/src/modules/schnorr_adaptor/Makefile.am.include new file mode 100644 index 000000000..a1d1faa37 --- /dev/null +++ b/src/modules/schnorr_adaptor/Makefile.am.include @@ -0,0 +1,2 @@ +include_HEADERS += include/secp256k1_schnorr_adaptor.h +noinst_HEADERS += src/modules/schnorr_adaptor/main_impl.h diff --git a/src/modules/schnorr_adaptor/main_impl.h b/src/modules/schnorr_adaptor/main_impl.h new file mode 100644 index 000000000..010d815d2 --- /dev/null +++ b/src/modules/schnorr_adaptor/main_impl.h @@ -0,0 +1,13 @@ +/********************************************************************** + * Copyright (c) 2023-2024 Zhe Pang and Sivaram Dhakshinamoorthy * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or http://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_MODULE_SCHNORR_ADAPTOR_MAIN_H +#define SECP256K1_MODULE_SCHNORR_ADAPTOR_MAIN_H + +#include "../../../include/secp256k1.h" +#include "../../../include/secp256k1_schnorr_adaptor.h" + +#endif diff --git a/src/secp256k1.c b/src/secp256k1.c index 4c5782693..d0aa51137 100644 --- a/src/secp256k1.c +++ b/src/secp256k1.c @@ -877,6 +877,10 @@ static int secp256k1_ge_parse_ext(secp256k1_ge* ge, const unsigned char *in33) { # include "modules/schnorrsig_halfagg/main_impl.h" #endif +#ifdef ENABLE_MODULE_SCHNORR_ADAPTOR +# include "modules/schnorr_adaptor/main_impl.h" +#endif + #ifdef ENABLE_MODULE_ELLSWIFT # include "modules/ellswift/main_impl.h" #endif From 6d51696f067af1be4de4755c6829b9f3ad9280ca Mon Sep 17 00:00:00 2001 From: siv2r Date: Wed, 23 Oct 2024 19:17:26 +0530 Subject: [PATCH 2/5] schnorr_adaptor: add nonce function and tags This commit adds a nonce function that will be used by default for Schnorr adaptor signatures. This nonce function is similar to secp256k1_nonce_function_hardened with an extra argument for a compressed 33-byte adaptor point. --- include/secp256k1_schnorr_adaptor.h | 41 ++++++++++++ src/modules/schnorr_adaptor/main_impl.h | 89 +++++++++++++++++++++++++ 2 files changed, 130 insertions(+) diff --git a/include/secp256k1_schnorr_adaptor.h b/include/secp256k1_schnorr_adaptor.h index a89567c68..4e272475e 100644 --- a/include/secp256k1_schnorr_adaptor.h +++ b/include/secp256k1_schnorr_adaptor.h @@ -64,6 +64,47 @@ extern "C" { * [1] https://eprint.iacr.org/2020/476.pdf */ +/** A pointer to a function to deterministically generate a nonce. + * + * In addition to the features of secp256k1_nonce_function_hardened, + * this function introduces an extra argument for a compressed 33-byte + * adaptor point. + * + * Returns: 1 if a nonce was successfully generated. 0 will cause signing to + * return an error. + * Out: nonce32: pointer to a 32-byte array to be filled by the function + * In: msg32: the 32-byte message being verified (will not be NULL) + * key32: pointer to a 32-byte secret key (will not be NULL) +* adaptor33: the 33-byte serialized adaptor point (will not be NULL) + * xonly_pk32: the 32-byte serialized xonly pubkey corresponding to key32 + * (will not be NULL) + * algo: pointer to an array describing the signature + * algorithm (will not be NULL) + * algolen: the length of the algo array + * data: arbitrary data pointer that is passed through + * + * Except for test cases, this function should compute some cryptographic hash of + * the message, the key, the adaptor point, the pubkey, the algorithm description, and data. + */ +typedef int (*secp256k1_nonce_function_hardened_schnorr_adaptor)( + unsigned char *nonce32, + const unsigned char *msg32, + const unsigned char *key32, + const unsigned char *adaptor33, + const unsigned char *xonly_pk32, + const unsigned char *algo, + size_t algolen, + void *data +); + +/** A modified BIP-340 nonce generation function. If a data pointer is passed, it is + * assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340. + * If the data pointer is NULL, the nonce derivation procedure uses a zeroed 32-byte + * auxiliary random data. The hash will be tagged with algo after removing all + * terminating null bytes. + */ +SECP256K1_API const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor; + #ifdef __cplusplus } #endif diff --git a/src/modules/schnorr_adaptor/main_impl.h b/src/modules/schnorr_adaptor/main_impl.h index 010d815d2..be035f287 100644 --- a/src/modules/schnorr_adaptor/main_impl.h +++ b/src/modules/schnorr_adaptor/main_impl.h @@ -10,4 +10,93 @@ #include "../../../include/secp256k1.h" #include "../../../include/secp256k1_schnorr_adaptor.h" +#include "../../hash.h" +#include "../../scalar.h" + +/* Initializes SHA256 with fixed midstate. This midstate was computed by applying + * SHA256 to SHA256("SchnorrAdaptor/nonce")||SHA256("SchnorrAdaptor/nonce"). */ +static void secp256k1_nonce_function_schnorr_adaptor_sha256_tagged(secp256k1_sha256 *sha) { + secp256k1_sha256_initialize(sha); + sha->s[0] = 0xe268ac2aul; + sha->s[1] = 0x3a221b84ul; + sha->s[2] = 0x69612afdul; + sha->s[3] = 0x92ce3040ul; + sha->s[4] = 0xc83ca35ful; + sha->s[5] = 0xec2ee152ul; + sha->s[6] = 0xba136ab7ul; + sha->s[7] = 0x3bf6ec7ful; + + sha->bytes = 64; +} + +/* Initializes SHA256 with fixed midstate. This midstate was computed by applying + * SHA256 to SHA256("SchnorrAdaptor/aux")||SHA256("SchnorrAdaptor/aux"). */ +static void secp256k1_nonce_function_schnorr_adaptor_sha256_tagged_aux(secp256k1_sha256 *sha) { + secp256k1_sha256_initialize(sha); + sha->s[0] = 0x50685e98ul; + sha->s[1] = 0x6313905eul; + sha->s[2] = 0x6db24fa0ul; + sha->s[3] = 0xc8b15c48ul; + sha->s[4] = 0x6b318921ul; + sha->s[5] = 0x441d8ff3ul; + sha->s[6] = 0xa7033a66ul; + sha->s[7] = 0xc3545cddul; + + sha->bytes = 64; +} + +/* algo argument for `nonce_function_schnorr_adaptor` to derive the nonce using a tagged hash function. */ +static const unsigned char schnorr_adaptor_algo[20] = "SchnorrAdaptor/nonce"; + +/* Modified BIP-340 nonce function */ +static int nonce_function_schnorr_adaptor(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *adaptor33, const unsigned char *xonly_pk32, const unsigned char *algo, size_t algolen, void *data) { + secp256k1_sha256 sha; + unsigned char masked_key[32]; + int i; + + if (algo == NULL) { + return 0; + } + + if (data != NULL) { + secp256k1_nonce_function_schnorr_adaptor_sha256_tagged_aux(&sha); + secp256k1_sha256_write(&sha, data, 32); + secp256k1_sha256_finalize(&sha, masked_key); + for (i = 0; i < 32; i++) { + masked_key[i] ^= key32[i]; + } + } else { + /* Precomputed TaggedHash("SchnorrAdaptor/aux", 0x0000...00); */ + static const unsigned char ZERO_MASK[32] = { + 65, 206, 231, 5, 44, 99, 30, 162, + 119, 101, 143, 108, 176, 134, 217, 23, + 54, 150, 157, 221, 198, 161, 164, 85, + 235, 82, 28, 56, 164, 220, 113, 53 + }; + for (i = 0; i < 32; i++) { + masked_key[i] = key32[i] ^ ZERO_MASK[i]; + } + } + + /* Tag the hash with algo which is important to avoid nonce reuse across + * algorithms. An optimized tagging implementation is used if the default + * tag is provided. */ + if (algolen == sizeof(schnorr_adaptor_algo) + && secp256k1_memcmp_var(algo, schnorr_adaptor_algo, algolen) == 0) { + secp256k1_nonce_function_schnorr_adaptor_sha256_tagged(&sha); + } else { + secp256k1_sha256_initialize_tagged(&sha, algo, algolen); + } + + /* Hash masked-key||adaptor33||pk||msg using the tagged hash */ + secp256k1_sha256_write(&sha, masked_key, 32); + secp256k1_sha256_write(&sha, adaptor33, 33); + secp256k1_sha256_write(&sha, xonly_pk32, 32); + secp256k1_sha256_write(&sha, msg32, 32); + secp256k1_sha256_finalize(&sha, nonce32); + return 1; +} + +const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor = nonce_function_schnorr_adaptor; + #endif From 808dc8ac7dfaeaed8bf93ab45d4642f495e78264 Mon Sep 17 00:00:00 2001 From: siv2r Date: Wed, 23 Oct 2024 19:38:13 +0530 Subject: [PATCH 3/5] schnorr_adaptor: add adaptor signature APIs This commit adds the Schnorr adaptor signature APIs: - adaptor_presign Creates a pre-signature for a given message and adaptor point. - adaptor_extract Extracts the adaptor point from a pre-signature. - adaptor_adapt Adapts the pre-signature to produce a BIP-340 Schnorr signature. - adaptor_extract_sec Extracts the secret adaptor (discrete logarithm of adaptor point) from a pre-signature and the corresponding BIP-340 signature. --- include/secp256k1_schnorr_adaptor.h | 103 +++++++++ src/modules/schnorr_adaptor/main_impl.h | 268 ++++++++++++++++++++++++ 2 files changed, 371 insertions(+) diff --git a/include/secp256k1_schnorr_adaptor.h b/include/secp256k1_schnorr_adaptor.h index 4e272475e..94d98c9e1 100644 --- a/include/secp256k1_schnorr_adaptor.h +++ b/include/secp256k1_schnorr_adaptor.h @@ -105,6 +105,109 @@ typedef int (*secp256k1_nonce_function_hardened_schnorr_adaptor)( */ SECP256K1_API const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor; +/** Creates a pre-signature for a given message and adaptor point. + * + * The pre-signature can be converted into a valid BIP-340 Schnorr signature + * (using `schnorr_adaptor_adapt`) by combining it with the discrete logarithm + * of the adaptor point. + * + * This function only signs 32-byte messages. If you have messages of a + * different size (or the same size but without a context-specific tag + * prefix), it is recommended to create a 32-byte message hash with + * secp256k1_tagged_sha256 and then sign the hash. Tagged hashing allows + * providing an context-specific tag for domain separation. This prevents + * signatures from being valid in multiple contexts by accident. + * + * Returns 1 on success, 0 on failure. + * Args: ctx: pointer to a context object (not secp256k1_context_static). + * Out: pre_sig65: pointer to a 65-byte array to store the pre-signature. + * In: msg32: the 32-byte message being signed. + * keypair: pointer to an initialized keypair. + * adaptor: pointer to an adaptor point encoded as a public key. + * aux_rand32: pointer to arbitrary data used by the nonce generation + * function (can be NULL). If it is non-NULL and + * secp256k1_nonce_function_schnorr_adaptor is used, then + * aux_rand32 must be a pointer to 32-byte auxiliary randomness + * as per BIP-340. + */ +SECP256K1_API int secp256k1_schnorr_adaptor_presign( + const secp256k1_context *ctx, + unsigned char *pre_sig65, + const unsigned char *msg32, + const secp256k1_keypair *keypair, + const secp256k1_pubkey *adaptor, + const unsigned char *aux_rand32 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); + +/** Extracts the adaptor point from a pre-signature. + * + * This function assumes that pre_sig65 was created using the corresponding + * msg32, pubkey, and a valid adaptor point, which it will extract. If these + * inputs are not related (e.g., if pre_sig65 was generated with a different + * key or message), the extracted adaptor point will be incorrect. However, + * the function will still return 1 to indicate a successful extraction. + * + * Returns 1 on success, 0 on failure. + * Args: ctx: pointer to a context object. + * Out: adaptor: pointer to store the adaptor point. + * In: pre_sig65: pointer to a 65-byte pre-signature. + * msg32: the 32-byte message associated with presig_65 + * pubkey: pointer to the x-only public key associated with pre_sig65 + */ +SECP256K1_API int secp256k1_schnorr_adaptor_extract( + const secp256k1_context *ctx, + secp256k1_pubkey *adaptor, + const unsigned char *pre_sig65, + const unsigned char *msg32, + const secp256k1_xonly_pubkey *pubkey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); + +/** Adapts the pre-signature to produce a BIP-340 Schnorr signature. + * + * The output BIP-340 signature is not verified by this function. + * To verify it, use `secp256k1_schnorrsig_verify`. + * + * If the pre_sig65 and sec_adaptor32 values are not related, the + * output signature will be invalid. In this case, the function will + * still return 1 to indicate successful execution. + * + * Returns 1 on success, 0 on failure. + * Args: ctx: pointer to a context object. + * Out: sig64: pointer to a 64-byte array to store the adapted + * pre-signature. This pointer may point to the same + * memory area as `pre_sig65`. + * In: pre_sig65: pointer to a 65-byte pre-signature. + * sec_adaptor32: pointer to a 32-byte secret adaptor associated with pre_sig65 + */ +SECP256K1_API int secp256k1_schnorr_adaptor_adapt( + const secp256k1_context *ctx, + unsigned char *sig64, + const unsigned char *pre_sig65, + const unsigned char *sec_adaptor32 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + +/** Extracts the secret adaptor (discrete logarithm of the adaptor point) + * from a pre-signature and the corresponding BIP-340 signature. + * + * This function assumes that the sig64 was created by adapting pre_sig65. + * If these inputs are not related, the extracted secret adaptor will be + * incorrect. However, the function will still return 1 to indicate successful + * extraction. + * + * Returns 1 on success, 0 on failure. + * Args: ctx: pointer to a context object. + * Out: sec_adaptor32: pointer to a 32-byte array to store the secret adaptor. + * In: pre_sig65: pointer to a 65-byte pre-signature. + * sig64: pointer to a valid 64-byte BIP-340 Schnorr signature + * associated with pre_sig65. + */ +SECP256K1_API int secp256k1_schnorr_adaptor_extract_sec( + const secp256k1_context *ctx, + unsigned char *sec_adaptor32, + const unsigned char *pre_sig65, + const unsigned char *sig64 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + #ifdef __cplusplus } #endif diff --git a/src/modules/schnorr_adaptor/main_impl.h b/src/modules/schnorr_adaptor/main_impl.h index be035f287..38cc80541 100644 --- a/src/modules/schnorr_adaptor/main_impl.h +++ b/src/modules/schnorr_adaptor/main_impl.h @@ -99,4 +99,272 @@ static int nonce_function_schnorr_adaptor(unsigned char *nonce32, const unsigned const secp256k1_nonce_function_hardened_schnorr_adaptor secp256k1_nonce_function_schnorr_adaptor = nonce_function_schnorr_adaptor; +static int secp256k1_schnorr_adaptor_presign_internal(const secp256k1_context *ctx, unsigned char *pre_sig65, const unsigned char *msg32, const secp256k1_keypair *keypair, const secp256k1_pubkey *adaptor, secp256k1_nonce_function_hardened_schnorr_adaptor noncefp, void *ndata) { + secp256k1_scalar sk; + secp256k1_scalar e; + secp256k1_scalar k; + secp256k1_gej rj, rpj; + secp256k1_ge r, rp; + secp256k1_ge pk; + secp256k1_ge adaptor_ge; + unsigned char nonce32[32] = { 0 }; + unsigned char pk_buf[32]; + unsigned char seckey[32]; + unsigned char adaptor_buff[33]; + size_t cmprssd_len = 33; /* for serializing `adaptor_ge` and `pre_sig65` */ + int serialize_ret = 0; + int ret = 1; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(pre_sig65 != NULL); + ARG_CHECK(msg32 != NULL); + ARG_CHECK(keypair != NULL); + ARG_CHECK(adaptor != NULL); + + if (noncefp == NULL) { + noncefp = secp256k1_nonce_function_schnorr_adaptor; + } + + /* T := adaptor_ge */ + if(!secp256k1_pubkey_load(ctx, &adaptor_ge, adaptor)){ + return 0; + } + + ret &= secp256k1_keypair_load(ctx, &sk, &pk, keypair); + /* Because we are signing for a x-only pubkey, the secret key is negated + * before signing if the point corresponding to the secret key does not + * have an even Y. */ + if (secp256k1_fe_is_odd(&pk.y)) { + secp256k1_scalar_negate(&sk, &sk); + } + + /* Generate the nonce k */ + secp256k1_scalar_get_b32(seckey, &sk); + secp256k1_fe_get_b32(pk_buf, &pk.x); + serialize_ret = secp256k1_eckey_pubkey_serialize(&adaptor_ge, adaptor_buff, &cmprssd_len, 1); + VERIFY_CHECK(serialize_ret); + ret &= !!noncefp(nonce32, msg32, seckey, adaptor_buff, pk_buf, schnorr_adaptor_algo, sizeof(schnorr_adaptor_algo), ndata); + secp256k1_scalar_set_b32(&k, nonce32, NULL); + ret &= !secp256k1_scalar_is_zero(&k); + secp256k1_scalar_cmov(&k, &secp256k1_scalar_one, !ret); + + /* R = k*G */ + secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); + secp256k1_ge_set_gej(&r, &rj); + + /* We declassify the non-secret values R and T to allow using them + * as branch points. */ + secp256k1_declassify(ctx, &rj, sizeof(rj)); + secp256k1_declassify(ctx, &adaptor_ge, sizeof(adaptor_ge)); + /* R' = R + T */ + secp256k1_gej_add_ge_var(&rpj, &rj, &adaptor_ge, NULL); + secp256k1_ge_set_gej(&rp, &rpj); + + /* We declassify R' (non-secret value) to branch on it */ + secp256k1_declassify(ctx, &rp, sizeof(rp)); + secp256k1_fe_normalize_var(&rp.y); + + /* Determine if the secret nonce should be negated. + * + * pre_sig65[0:33] contains the compressed 33-byte encoding of the public + * nonce R' = k*G + T, where k is the secret nonce and T is the adaptor point. + * + * Since a BIP340 signature requires an x-only public nonce, in the case where + * R' = k*G + T has odd Y-coordinate, the x-only public nonce corresponding to + * the signature is actually -k*G - T. Therefore, we negate k to ensure that the + * adapted pre-signature will result in a valid BIP340 signature, with an even R'.y + * + * pre_sig65[33:65] = k + e * d if R'.y is even + * = -k + e * d if R'.y is odd + */ + if (secp256k1_fe_is_odd(&rp.y)) { + secp256k1_scalar_negate(&k, &k); + } + serialize_ret = secp256k1_eckey_pubkey_serialize(&rp, pre_sig65, &cmprssd_len, 1); + /* R' is not the point at infinity with overwhelming probability */ + VERIFY_CHECK(serialize_ret); + (void) serialize_ret; + + secp256k1_schnorrsig_challenge(&e, &pre_sig65[1], msg32, 32, pk_buf); + secp256k1_scalar_mul(&e, &e, &sk); + secp256k1_scalar_add(&e, &e, &k); + secp256k1_scalar_get_b32(&pre_sig65[33], &e); + + secp256k1_memczero(pre_sig65, 65, !ret); + secp256k1_scalar_clear(&k); + secp256k1_scalar_clear(&sk); + memset(seckey, 0, sizeof(seckey)); + + return ret; +} + +int secp256k1_schnorr_adaptor_presign(const secp256k1_context *ctx, unsigned char *pre_sig65, const unsigned char *msg32, const secp256k1_keypair *keypair, const secp256k1_pubkey *adaptor, const unsigned char *aux_rand32) { + /* We cast away const from the passed aux_rand32 argument since we know the default nonce function does not modify it. */ + return secp256k1_schnorr_adaptor_presign_internal(ctx, pre_sig65, msg32, keypair, adaptor, secp256k1_nonce_function_schnorr_adaptor, (unsigned char*)aux_rand32); +} + + +int secp256k1_schnorr_adaptor_extract(const secp256k1_context *ctx, secp256k1_pubkey *adaptor, const unsigned char *pre_sig65, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) { + secp256k1_scalar s; + secp256k1_scalar e; + secp256k1_ge pk; + secp256k1_gej pkj; + secp256k1_ge adaptor_ge; + secp256k1_gej adaptor_gej; + secp256k1_gej rj; + secp256k1_ge rp; + unsigned char buf[32]; + int overflow; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(adaptor != NULL); + ARG_CHECK(pre_sig65 != NULL); + ARG_CHECK(msg32 != NULL); + ARG_CHECK(pubkey != NULL); + + /* R' := pre_sig65[0:33] */ + if (!secp256k1_eckey_pubkey_parse(&rp, &pre_sig65[0], 33)) { + return 0; + } + /* s := pre_sig65[33:65] */ + secp256k1_scalar_set_b32(&s, &pre_sig65[33], &overflow); + if (overflow) { + return 0; + } + + if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) { + return 0; + } + + /* Compute e */ + secp256k1_fe_get_b32(buf, &pk.x); + secp256k1_schnorrsig_challenge(&e, &pre_sig65[1], msg32, 32, buf); + + /* Compute R = s*G + (-e)*P */ + secp256k1_scalar_negate(&e, &e); + secp256k1_gej_set_ge(&pkj, &pk); + secp256k1_ecmult(&rj, &pkj, &e, &s); + if (secp256k1_gej_is_infinity(&rj)) { + return 0; + } + + /* Determine if R needs to be negated + * + * `adaptor_presign` negates the secret nonce k when R’.y is odd, during + * the computation of the s value (i.e., presig[33:65]). Therefore, we need + * to negate R = k*G (if R'.y is odd) before subtracting it from R' = R + T. + * + * T = R' - R if R'.y is even + * = R' + R if R'.y is odd + */ + secp256k1_fe_normalize_var(&rp.y); + if (!secp256k1_fe_is_odd(&rp.y)) { + secp256k1_gej_neg(&rj, &rj); + } + secp256k1_gej_add_ge_var(&adaptor_gej, &rj, &rp, NULL); + secp256k1_ge_set_gej(&adaptor_ge, &adaptor_gej); + if (secp256k1_ge_is_infinity(&adaptor_ge)) { + return 0; + } + secp256k1_pubkey_save(adaptor, &adaptor_ge); + + return 1; +} + +int secp256k1_schnorr_adaptor_adapt(const secp256k1_context *ctx, unsigned char *sig64, const unsigned char *pre_sig65, const unsigned char *sec_adaptor32) { + secp256k1_scalar s; + secp256k1_scalar t; + int overflow; + int ret = 1; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(sig64 != NULL); + ARG_CHECK(pre_sig65 != NULL); + ARG_CHECK(sec_adaptor32 != NULL); + + if (pre_sig65[0] != SECP256K1_TAG_PUBKEY_EVEN && pre_sig65[0] != SECP256K1_TAG_PUBKEY_ODD) { + return 0; + } + secp256k1_scalar_set_b32(&s, &pre_sig65[33], &overflow); + if (overflow) { + return 0; + } + secp256k1_scalar_set_b32(&t, sec_adaptor32, &overflow); + ret &= !overflow; + + /* Determine if the secret adaptor should be negated. + * + * pre_sig65[0:33] contains the compressed 33-byte encoding of the public + * nonce R' = (k + t)*G, where r is the secret nonce generated by + * `adaptor_presign` and t is the secret adaptor. + * + * Since a BIP340 signature requires an x-only public nonce, in the case where + * (k + t)*G has odd Y-coordinate, the x-only public nonce corresponding to the + * signature is actually (-k - t)*G. Thus adapting a pre-signature requires + * negating t in this case. + * + * sig64[32:64] = s + t if R'.y is even + * = s - t if R'.y is odd + */ + if (pre_sig65[0] == SECP256K1_TAG_PUBKEY_ODD) { + secp256k1_scalar_negate(&t, &t); + } + secp256k1_scalar_add(&s, &s, &t); + secp256k1_scalar_get_b32(&sig64[32], &s); + memmove(sig64, &pre_sig65[1], 32); + + secp256k1_memczero(sig64, 64, !ret); + secp256k1_scalar_clear(&t); + return ret; +} + +int secp256k1_schnorr_adaptor_extract_sec(const secp256k1_context *ctx, unsigned char *sec_adaptor32, const unsigned char *pre_sig65, const unsigned char *sig64) { + secp256k1_scalar t; + secp256k1_scalar s; + int overflow; + int ret = 1; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(sec_adaptor32 != NULL); + ARG_CHECK(pre_sig65 != NULL); + ARG_CHECK(sig64 != NULL); + + if (pre_sig65[0] != SECP256K1_TAG_PUBKEY_EVEN && pre_sig65[0] != SECP256K1_TAG_PUBKEY_ODD) { + return 0; + } + secp256k1_scalar_set_b32(&s, &pre_sig65[33], &overflow); + if (overflow) { + return 0; + } + secp256k1_scalar_set_b32(&t, &sig64[32], &overflow); + ret &= !overflow; + + /*TODO: should we parse presig[0:33] & sig[0:32], to make sure the presig & + * has valid public nonce point? + * + * But we don't care about their validity here right? Then why do we ARG_CHECK + * presig[0] parity byte? + * + * Here, the inputs are invalid but the output is valid :/ */ + + secp256k1_scalar_negate(&s, &s); + secp256k1_scalar_add(&t, &t, &s); + /* `adaptor_adapt` negates the secret adaptor t when R’.y is odd, during + * the computation of the BIP340 signature. Therefore, we need negate + * (sig[32:64] - pre_sig65[33:65]) in this case. + * + * t = (sig[32:64] - pre_sig65[33:65]) if R'.y is even + * = -(sig[32:64] - pre_sig65[33:65]) if R'.y is odd + */ + if (pre_sig65[0] == SECP256K1_TAG_PUBKEY_ODD) { + secp256k1_scalar_negate(&t, &t); + } + secp256k1_scalar_get_b32(sec_adaptor32, &t); + + secp256k1_memczero(sec_adaptor32, 32, !ret); + secp256k1_scalar_clear(&t); + return ret; +} + #endif From 060dad2ef89f79542d6e3349af04ca0cbeb164c0 Mon Sep 17 00:00:00 2001 From: siv2r Date: Wed, 23 Oct 2024 19:52:26 +0530 Subject: [PATCH 4/5] schnorr_adaptor: add tests This commit adds test coverage, modifying the ci.yml file, Valgrind constant time tests for secret data, API tests, nonce function tests, and test vectors from the spec. --- .github/workflows/ci.yml | 33 +- ci/ci.sh | 5 +- src/ctime_tests.c | 45 + src/modules/ecdsa_adaptor/tests_impl.h | 4 - .../schnorr_adaptor/Makefile.am.include | 1 + src/modules/schnorr_adaptor/tests_impl.h | 1264 +++++++++++++++++ src/tests.c | 8 + src/testutil.h | 4 + 8 files changed, 1347 insertions(+), 17 deletions(-) create mode 100644 src/modules/schnorr_adaptor/tests_impl.h diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 36293f136..7c988a1ba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,6 +41,7 @@ env: ECDSAADAPTOR: 'no' BPPP: 'no' SCHNORRSIG_HALFAGG: 'no' + SCHNORRADAPTOR: 'no' ### test options SECP256K1_TEST_ITERS: BENCH: 'yes' @@ -79,14 +80,14 @@ jobs: matrix: configuration: - env_vars: { WIDEMUL: 'int64', RECOVERY: 'yes' } - - env_vars: { WIDEMUL: 'int64', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes'} + - env_vars: { WIDEMUL: 'int64', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes'} - env_vars: { WIDEMUL: 'int128' } - env_vars: { WIDEMUL: 'int128_struct', ELLSWIFT: 'yes' } - env_vars: { WIDEMUL: 'int128', RECOVERY: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' } - - env_vars: { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes'} + - env_vars: { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes'} - env_vars: { WIDEMUL: 'int128', ASM: 'x86_64', ELLSWIFT: 'yes' } - - env_vars: { RECOVERY: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes'} - - env_vars: { CTIMETESTS: 'no', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CPPFLAGS: '-DVERIFY' } + - env_vars: { RECOVERY: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes'} + - env_vars: { CTIMETESTS: 'no', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes', CPPFLAGS: '-DVERIFY' } - env_vars: { BUILD: 'distcheck', WITH_VALGRIND: 'no', CTIMETESTS: 'no', BENCH: 'no' } - env_vars: { CPPFLAGS: '-DDETERMINISTIC' } - env_vars: { CFLAGS: '-O0', CTIMETESTS: 'no' } @@ -158,6 +159,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CC: ${{ matrix.cc }} steps: @@ -211,6 +213,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' steps: @@ -271,6 +274,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' steps: @@ -325,6 +329,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' strategy: @@ -389,6 +394,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' steps: @@ -450,6 +456,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' SECP256K1_TEST_ITERS: 2 @@ -510,6 +517,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' CFLAGS: '-fsanitize=undefined,address -g' UBSAN_OPTIONS: 'print_stacktrace=1:halt_on_error=1' @@ -576,6 +584,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'yes' CC: 'clang' SECP256K1_TEST_ITERS: 32 @@ -632,6 +641,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' CTIMETESTS: 'no' strategy: @@ -688,15 +698,15 @@ jobs: fail-fast: false matrix: env_vars: - - { WIDEMUL: 'int64', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes' } + - { WIDEMUL: 'int64', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes' } - { WIDEMUL: 'int128_struct', ECMULTGENPRECISION: 2, ECMULTWINDOW: 4 } - - { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes' } + - { WIDEMUL: 'int128', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes' } - { WIDEMUL: 'int128', RECOVERY: 'yes' } - - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes' } - - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CC: 'gcc' } - - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 } - - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CC: 'gcc', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 } - - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', CPPFLAGS: '-DVERIFY', CTIMETESTS: 'no' } + - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes' } + - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes', CC: 'gcc' } + - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 } + - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes', CC: 'gcc', WRAPPER_CMD: 'valgrind --error-exitcode=42', SECP256K1_TEST_ITERS: 2 } + - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes', EXPERIMENTAL: 'yes', ECDSA_S2C: 'yes', RANGEPROOF: 'yes', WHITELIST: 'yes', GENERATOR: 'yes', MUSIG: 'yes', ECDSAADAPTOR: 'yes', BPPP: 'yes', SCHNORRSIG_HALFAGG: 'yes', SCHNORRADAPTOR: 'yes', CPPFLAGS: '-DVERIFY', CTIMETESTS: 'no' } - BUILD: 'distcheck' steps: @@ -816,6 +826,7 @@ jobs: ECDSAADAPTOR: 'yes' BPPP: 'yes' SCHNORRSIG_HALFAGG: 'yes' + SCHNORRADAPTOR: 'yes' steps: - name: Checkout diff --git a/ci/ci.sh b/ci/ci.sh index 47c4ae67c..c7101554e 100755 --- a/ci/ci.sh +++ b/ci/ci.sh @@ -13,8 +13,8 @@ print_environment() { # does not rely on bash. for var in WERROR_CFLAGS MAKEFLAGS BUILD \ ECMULTWINDOW ECMULTGENPRECISION ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \ - EXPERIMENTAL ECDH RECOVERY SCHNORRSIG SCHNORRSIG_HALFAGG ELLSWIFT \ - ECDSA_S2C GENERATOR RANGEPROOF WHITELIST MUSIG ECDSAADAPTOR BPPP \ + EXPERIMENTAL ECDH RECOVERY SCHNORRSIG SCHNORRSIG_HALFAGG SCHNORRADAPTOR \ + ELLSWIFT ECDSA_S2C GENERATOR RANGEPROOF WHITELIST MUSIG ECDSAADAPTOR BPPP \ SECP256K1_TEST_ITERS BENCH SECP256K1_BENCH_ITERS CTIMETESTS\ EXAMPLES \ HOST WRAPPER_CMD \ @@ -83,6 +83,7 @@ esac --enable-module-schnorrsig="$SCHNORRSIG" --enable-module-musig="$MUSIG" --enable-module-ecdsa-adaptor="$ECDSAADAPTOR" \ --enable-module-schnorrsig="$SCHNORRSIG" \ --enable-module-schnorrsig-halfagg="$SCHNORRSIG_HALFAGG" \ + --enable-module-schnorr-adaptor="$SCHNORRADAPTOR" \ --enable-examples="$EXAMPLES" \ --enable-ctime-tests="$CTIMETESTS" \ --with-valgrind="$WITH_VALGRIND" \ diff --git a/src/ctime_tests.c b/src/ctime_tests.c index 407d2cc6a..a742ff147 100644 --- a/src/ctime_tests.c +++ b/src/ctime_tests.c @@ -31,6 +31,10 @@ #include "../include/secp256k1_schnorrsig.h" #endif +#ifdef ENABLE_MODULE_SCHNORR_ADAPTOR +#include "../include/secp256k1_schnorr_adaptor.h" +#endif + #ifdef ENABLE_MODULE_ELLSWIFT #include "../include/secp256k1_ellswift.h" #endif @@ -193,6 +197,47 @@ static void run_tests(secp256k1_context *ctx, unsigned char *key) { CHECK(ret == 1); #endif +#ifdef ENABLE_MODULE_SCHNORR_ADAPTOR + { + unsigned char pre_sig[65]; + unsigned char bip340_sig[64]; + unsigned char sec_adaptor[32]; + unsigned char extracted_sec_adaptor[32]; + secp256k1_pubkey adaptor_pk; + + for (i = 0; i < 32; i++) { + sec_adaptor[i] = i + 2; + } + ret = secp256k1_ec_pubkey_create(ctx, &adaptor_pk, sec_adaptor); + CHECK(ret == 1); + + SECP256K1_CHECKMEM_UNDEFINE(key, 32); + ret = secp256k1_keypair_create(ctx, &keypair, key); + SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret)); + CHECK(ret == 1); + ret = secp256k1_schnorr_adaptor_presign(ctx, pre_sig, msg, &keypair, &adaptor_pk, NULL); + SECP256K1_CHECKMEM_DEFINE(pre_sig, sizeof(pre_sig)); + SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret)); + CHECK(ret == 1); + + SECP256K1_CHECKMEM_UNDEFINE(sec_adaptor, sizeof(sec_adaptor)); + ret = secp256k1_schnorr_adaptor_adapt(ctx, bip340_sig, pre_sig, sec_adaptor); + SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret)); + CHECK(ret == 1); + + SECP256K1_CHECKMEM_UNDEFINE(bip340_sig, sizeof(bip340_sig)); + ret = secp256k1_schnorr_adaptor_extract_sec(ctx, extracted_sec_adaptor, pre_sig, bip340_sig); + SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret)); + CHECK(ret == 1); + + SECP256K1_CHECKMEM_DEFINE(sec_adaptor, sizeof(sec_adaptor)); + SECP256K1_CHECKMEM_DEFINE(extracted_sec_adaptor, sizeof(extracted_sec_adaptor)); + ret = secp256k1_memcmp_var(sec_adaptor, extracted_sec_adaptor, sizeof(sec_adaptor)); + SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret)); + CHECK(ret == 0); + } +#endif + #ifdef ENABLE_MODULE_ELLSWIFT SECP256K1_CHECKMEM_UNDEFINE(key, 32); ret = secp256k1_ellswift_create(ctx, ellswift, key, NULL); diff --git a/src/modules/ecdsa_adaptor/tests_impl.h b/src/modules/ecdsa_adaptor/tests_impl.h index c3b3d43d7..9cd7157b3 100644 --- a/src/modules/ecdsa_adaptor/tests_impl.h +++ b/src/modules/ecdsa_adaptor/tests_impl.h @@ -100,10 +100,6 @@ static void dleq_tests(void) { CHECK(secp256k1_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, NULL, NULL) == 1); } -static void rand_flip_bit(unsigned char *array, size_t n) { - array[secp256k1_testrand_int(n)] ^= 1 << secp256k1_testrand_int(8); -} - /* Helper function for test_ecdsa_adaptor_spec_vectors * Checks that the adaptor signature is valid for the public and encryption keys. */ static void test_ecdsa_adaptor_spec_vectors_check_verify(const unsigned char *adaptor_sig162, const unsigned char *msg32, const unsigned char *pubkey33, const unsigned char *encryption_key33, int expected) { diff --git a/src/modules/schnorr_adaptor/Makefile.am.include b/src/modules/schnorr_adaptor/Makefile.am.include index a1d1faa37..7ef16361e 100644 --- a/src/modules/schnorr_adaptor/Makefile.am.include +++ b/src/modules/schnorr_adaptor/Makefile.am.include @@ -1,2 +1,3 @@ include_HEADERS += include/secp256k1_schnorr_adaptor.h noinst_HEADERS += src/modules/schnorr_adaptor/main_impl.h +noinst_HEADERS += src/modules/schnorr_adaptor/tests_impl.h \ No newline at end of file diff --git a/src/modules/schnorr_adaptor/tests_impl.h b/src/modules/schnorr_adaptor/tests_impl.h new file mode 100644 index 000000000..3f9017b52 --- /dev/null +++ b/src/modules/schnorr_adaptor/tests_impl.h @@ -0,0 +1,1264 @@ +/********************************************************************** + * Copyright (c) 2023-2024 Zhe Pang and Sivaram Dhakshinamoorthy * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or http://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_MODULE_SCHNORR_ADAPTOR_TESTS_H +#define SECP256K1_MODULE_SCHNORR_ADAPTOR_TESTS_H + +#include "../../../include/secp256k1_schnorrsig.h" +#include "../../../include/secp256k1_schnorr_adaptor.h" + +/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many + * bytes) changes the hash function + */ +static void nonce_function_schnorr_adaptor_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t algolen) { + unsigned char nonces[2][32]; + CHECK(nonce_function_schnorr_adaptor(nonces[0], args[0], args[1], args[2], args[3], args[4], algolen, args[5]) == 1); + secp256k1_testrand_flip(args[n_flip], n_bytes); + CHECK(nonce_function_schnorr_adaptor(nonces[1], args[0], args[1], args[2], args[3], args[4], algolen, args[5]) == 1); + CHECK(secp256k1_memcmp_var(nonces[0], nonces[1], 32) != 0); +} + +static void run_nonce_function_schnorr_adaptor_tests(void) { + unsigned char tag[20] = "SchnorrAdaptor/nonce"; + unsigned char aux_tag[18] = "SchnorrAdaptor/aux"; + unsigned char algo[20] = "SchnorrAdaptor/nonce"; + size_t algolen = sizeof(algo); + secp256k1_sha256 sha; + secp256k1_sha256 sha_optimized; + unsigned char nonce[32], nonce_z[32]; + unsigned char msg[32]; + unsigned char key[32]; + unsigned char adaptor[33]; + unsigned char pk[32]; + unsigned char aux_rand[32]; + unsigned char *args[6]; + int i; + + /* Check that hash initialized by + * secp256k1_nonce_function_schnorr_adaptor_sha256_tagged has the expected + * state. */ + secp256k1_sha256_initialize_tagged(&sha, tag, sizeof(tag)); + secp256k1_nonce_function_schnorr_adaptor_sha256_tagged(&sha_optimized); + test_sha256_eq(&sha, &sha_optimized); + + /* Check that hash initialized by + * secp256k1_nonce_function_schnorr_adaptor_sha256_tagged_aux has the expected + * state. */ + secp256k1_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag)); + secp256k1_nonce_function_schnorr_adaptor_sha256_tagged_aux(&sha_optimized); + test_sha256_eq(&sha, &sha_optimized); + + secp256k1_testrand256(msg); + secp256k1_testrand256(key); + /* The random function below may generate an invalid (serialized) adaptor + * point, but for testing the nonce function, this invalid argument + * is acceptable. */ + secp256k1_testrand_bytes_test(adaptor, sizeof(adaptor)); + secp256k1_testrand256(pk); + secp256k1_testrand256(aux_rand); + + /* Check that a bitflip in an argument results in different nonces. */ + args[0] = msg; + args[1] = key; + args[2] = adaptor; + args[3] = pk; + args[4] = algo; + args[5] = aux_rand; + for (i = 0; i < COUNT; i++) { + nonce_function_schnorr_adaptor_bitflip(args, 0, 32, algolen); + nonce_function_schnorr_adaptor_bitflip(args, 1, 32, algolen); + nonce_function_schnorr_adaptor_bitflip(args, 2, 33, algolen); + nonce_function_schnorr_adaptor_bitflip(args, 3, 32, algolen); + /* Flip algo special case "SchnorrAdaptor/nonce" */ + nonce_function_schnorr_adaptor_bitflip(args, 4, algolen, algolen); + /* Flip algo again */ + nonce_function_schnorr_adaptor_bitflip(args, 4, algolen, algolen); + nonce_function_schnorr_adaptor_bitflip(args, 5, 32, algolen); + } + + /* NULL algo is disallowed */ + CHECK(nonce_function_schnorr_adaptor(nonce, msg, key, adaptor, pk, NULL, 0, NULL) == 0); + CHECK(nonce_function_schnorr_adaptor(nonce, msg, key, adaptor, pk, algo, algolen, NULL) == 1); + /* Other algo is fine */ + secp256k1_testrand_bytes_test(algo, algolen); + CHECK(nonce_function_schnorr_adaptor(nonce, msg, key, adaptor, pk, algo, algolen, NULL) == 1); + + /* Different algolen gives different nonce */ + for (i = 0; i < COUNT; i++) { + unsigned char nonce2[32]; + uint32_t offset = secp256k1_testrand_int(algolen - 1); + size_t algolen_tmp = (algolen + offset) % algolen; + + CHECK(nonce_function_schnorr_adaptor(nonce2, msg, key, adaptor, pk, algo, algolen_tmp, NULL) == 1); + CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); + } + + /* NULL aux_rand argument is allowed, and identical to passing all zero aux_rand. */ + memset(aux_rand, 0, 32); + CHECK(nonce_function_schnorr_adaptor(nonce_z, msg, key, adaptor, pk, algo, algolen, &aux_rand) == 1); + CHECK(nonce_function_schnorr_adaptor(nonce, msg, key, adaptor, pk, algo, algolen, NULL) == 1); + CHECK(secp256k1_memcmp_var(nonce_z, nonce, 32) == 0); +} + +static void test_schnorr_adaptor_api(void) { + unsigned char sk[32]; + unsigned char msg[32]; + secp256k1_keypair keypair; + secp256k1_keypair invalid_keypair = {{ 0 }}; + secp256k1_xonly_pubkey pk; + secp256k1_xonly_pubkey zero_pk; + unsigned char pre_sig[65]; + unsigned char invalid_pre_sig[65] = { 0 }; + unsigned char sig[64]; + unsigned char sec_adaptor[32]; + secp256k1_pubkey adaptor; + secp256k1_pubkey invalid_adaptor = {{ 0 }}; + unsigned char extracted_sec_adaptor[32]; + secp256k1_pubkey extracted_adaptor; + + /* setup */ + secp256k1_testrand256(sk); + secp256k1_testrand256(msg); + secp256k1_testrand256(sec_adaptor); + + CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); + CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair) == 1); + memset(&zero_pk, 0, sizeof(zero_pk)); + CHECK(secp256k1_ec_pubkey_create(CTX, &adaptor, sec_adaptor) == 1); + + /* main test body */ + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &adaptor, NULL) == 1); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_presign(CTX, NULL, msg, &keypair, &adaptor, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_presign(CTX, pre_sig, NULL, &keypair, &adaptor, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, NULL, &adaptor, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, NULL, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &invalid_keypair, &adaptor, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &invalid_adaptor, NULL)); + CHECK_ILLEGAL(STATIC_CTX, secp256k1_schnorr_adaptor_presign(STATIC_CTX, pre_sig, msg, &keypair, &adaptor, NULL)); + + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &adaptor, NULL) == 1); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, pre_sig, msg, &pk) == 1); + CHECK(secp256k1_memcmp_var(&extracted_adaptor, &adaptor, sizeof(adaptor)) == 0); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract(CTX, NULL, pre_sig, msg, &pk)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, NULL, msg, &pk)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, pre_sig, NULL, &pk)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, pre_sig, msg, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, pre_sig, msg, &zero_pk)); + + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, sec_adaptor) == 1); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_adapt(CTX, NULL, pre_sig, sec_adaptor)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_adapt(CTX, sig, NULL, sec_adaptor)); + /* invalid pre_sig[0] byte */ + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, invalid_pre_sig, sec_adaptor) == 0); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, NULL)); + + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, sec_adaptor) == 1); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor, pre_sig, sig) == 1); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract_sec(CTX, NULL, pre_sig, sig)); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor, NULL, sig)); + /* invalid pre_sig[0] byte */ + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor, invalid_pre_sig, sig) == 0); + CHECK_ILLEGAL(CTX, secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor, pre_sig, NULL)); +} + +/* Helper function for schnorr_adaptor_vectors + * Signs the message and checks that it's the same as expected_presig. */ +static void test_schnorr_adaptor_spec_vectors_check_presigning(const unsigned char *sk, const unsigned char *pk_serialized, const unsigned char *aux_rand, const unsigned char *msg32, const unsigned char *adaptor_serialized, const unsigned char *expected_presig) { + unsigned char pre_sig[65]; + secp256k1_keypair keypair; + secp256k1_xonly_pubkey pk, pk_expected; + secp256k1_pubkey adaptor, adaptor_extracted; + CHECK(secp256k1_ec_pubkey_parse(CTX, &adaptor, adaptor_serialized, 33)); + + CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg32, &keypair, &adaptor, aux_rand)); + CHECK(secp256k1_memcmp_var(pre_sig, expected_presig, 65) == 0); + + CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized)); + CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); + CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &adaptor_extracted, pre_sig, msg32, &pk)); + CHECK(secp256k1_ec_pubkey_cmp(CTX, &adaptor_extracted, &adaptor) == 0); +} + +/* Helper function for schnorr_adaptor_vectors + * Extracts the adaptor point and checks if it returns the same value as expected. */ +static void test_schnorr_adaptor_spec_vectors_check_extract(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *adaptor_serialized, const unsigned char *pre_sig, int extract_success, int extracted_val_correct) { + secp256k1_xonly_pubkey pk; + secp256k1_pubkey adaptor, adaptor_extracted; + CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized)); + CHECK(secp256k1_ec_pubkey_parse(CTX, &adaptor, adaptor_serialized, 33)); + CHECK(extract_success == secp256k1_schnorr_adaptor_extract(CTX, &adaptor_extracted, pre_sig, msg32, &pk)); + if (extract_success) { + CHECK(extracted_val_correct == (secp256k1_ec_pubkey_cmp(CTX, &adaptor_extracted, &adaptor) == 0)); + } + } + +/* Helper function for schnorr_adaptor_vectors + * Adapts a Schnorr pre-signature in a BIP340 signature + * and checks if it is [1] same as expected_sig64, and + * [2] valid BIP340 signature. */ +static void test_schnorr_adaptor_spec_vectors_check_adapt(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *pre_sig, const unsigned char *secadaptor, const unsigned char *expected_sig, int expected) { + unsigned char sig[64]; + secp256k1_xonly_pubkey pk; + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, secadaptor)); + CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0); + + CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized)); + CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk)); +} + +/* Helper function for schnorr_adaptor_vectors + * Extracts the secret adaptor from a pre-signature and a BIP340 + * signature and checks if it is the same as expected_secadaptor. */ +static void test_schnorr_adaptor_spec_vectors_check_extract_sec(const unsigned char *pre_sig, const unsigned char *sig, const unsigned char *expected_secadaptor, int expected) { + unsigned char sec_adaptor[32]; + + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, sec_adaptor, pre_sig, sig)); + CHECK(expected == (secp256k1_memcmp_var(sec_adaptor, expected_secadaptor, 32) == 0)); +} + +/* Test vectors according to Schnorr adaptor signature spec. + * See https://github.com/ZhePang/Python_Specification_for_Schnorr_Adaptor */ +static void test_schnorr_adaptor_spec_vectors(void) { + { + /* Presig: Test vector 0 */ + const unsigned char sk[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 + }; + const unsigned char pk[32] = { + 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, + 0x49, 0x34, 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, + 0xB5, 0x31, 0xC8, 0x45, 0x83, 0x6F, 0x99, 0xB0, + 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 + }; + unsigned char aux_rand[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + const unsigned char msg[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + const unsigned char adaptor[33] = { + 0x02, 0xC6, 0x04, 0x7F, 0x94, 0x41, 0xED, 0x7D, + 0x6D, 0x30, 0x45, 0x40, 0x6E, 0x95, 0xC0, 0x7C, + 0xD8, 0x5C, 0x77, 0x8E, 0x4B, 0x8C, 0xEF, 0x3C, + 0xA7, 0xAB, 0xAC, 0x09, 0xB9, 0x5C, 0x70, 0x9E, + 0xE5 + }; + const unsigned char pre_sig[65] = { + 0x03, 0x61, 0x79, 0xDB, 0xF3, 0xE1, 0x32, 0x07, + 0x85, 0x3F, 0x88, 0x0C, 0x7A, 0x7A, 0x85, 0xEC, + 0x67, 0x8B, 0xAD, 0x64, 0xB8, 0x97, 0xF1, 0x08, + 0xD4, 0x76, 0x43, 0x8A, 0xC4, 0xA9, 0x32, 0xEE, + 0x94, 0x97, 0xCC, 0x73, 0xB8, 0xC3, 0x51, 0xF1, + 0x89, 0xB9, 0xD4, 0xFD, 0xE8, 0x93, 0xE3, 0x82, + 0x0D, 0x4B, 0xFF, 0x7F, 0x49, 0xD4, 0xBE, 0x1F, + 0x8B, 0x02, 0xCB, 0x80, 0x8C, 0xD3, 0x19, 0x23, + 0xA0 + }; + test_schnorr_adaptor_spec_vectors_check_presigning(sk, pk, aux_rand, msg, adaptor, pre_sig); + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 1, 1); + }; + { + /* Presig: Test vector 1 */ + const unsigned char sk[32] = { + 0x0B, 0x43, 0x2B, 0x26, 0x77, 0x93, 0x73, 0x81, + 0xAE, 0xF0, 0x5B, 0xB0, 0x2A, 0x66, 0xEC, 0xD0, + 0x12, 0x77, 0x30, 0x62, 0xCF, 0x3F, 0xA2, 0x54, + 0x9E, 0x44, 0xF5, 0x8E, 0xD2, 0x40, 0x17, 0x10 + }; + const unsigned char pk[32] = { + 0x25, 0xD1, 0xDF, 0xF9, 0x51, 0x05, 0xF5, 0x25, + 0x3C, 0x40, 0x22, 0xF6, 0x28, 0xA9, 0x96, 0xAD, + 0x3A, 0x0D, 0x95, 0xFB, 0xF2, 0x1D, 0x46, 0x8A, + 0x1B, 0x33, 0xF8, 0xC1, 0x60, 0xD8, 0xF5, 0x17 + }; + const unsigned char aux_rand[32] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF + }; + const unsigned char msg[32] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF + }; + const unsigned char adaptor[33] = { + 0x03, 0x97, 0x72, 0x0B, 0x39, 0x10, 0x29, 0xF5, + 0x79, 0xF1, 0xF5, 0x71, 0x73, 0x35, 0x0B, 0x76, + 0xE4, 0xA7, 0xC3, 0xF4, 0x71, 0x53, 0xA5, 0x0E, + 0x46, 0xFA, 0x3A, 0x5F, 0x08, 0xBE, 0x66, 0xB1, + 0x4A + }; + const unsigned char pre_sig[65] = { + 0x02, 0xC9, 0x74, 0xF5, 0x2A, 0xEC, 0xE9, 0x7C, + 0x75, 0xE4, 0x40, 0xA8, 0xD8, 0x67, 0x7F, 0xC5, + 0x10, 0x5D, 0x85, 0x12, 0x28, 0x7B, 0x9C, 0x03, + 0x04, 0xFA, 0x8D, 0x51, 0xF0, 0xBF, 0x48, 0x60, + 0xBA, 0xA5, 0x30, 0x46, 0xD2, 0x22, 0x1B, 0xB1, + 0x23, 0xBA, 0x04, 0x5F, 0xF5, 0xE5, 0xBD, 0x26, + 0xD8, 0x8D, 0x0B, 0xF0, 0xD6, 0x3B, 0x80, 0xE6, + 0x40, 0x59, 0x99, 0xC1, 0xD2, 0xB6, 0xFF, 0x00, + 0x71 + }; + test_schnorr_adaptor_spec_vectors_check_presigning(sk, pk, aux_rand, msg, adaptor, pre_sig); + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 1, 1); + }; + { + /* Presig: Test vector 2 */ + const unsigned char pk[32] = { + 0xD6, 0x9C, 0x35, 0x09, 0xBB, 0x99, 0xE4, 0x12, + 0xE6, 0x8B, 0x0F, 0xE8, 0x54, 0x4E, 0x72, 0x83, + 0x7D, 0xFA, 0x30, 0x74, 0x6D, 0x8B, 0xE2, 0xAA, + 0x65, 0x97, 0x5F, 0x29, 0xD2, 0x2D, 0xC7, 0xB9 + }; + const unsigned char msg[32] = { + 0x4D, 0xF3, 0xC3, 0xF6, 0x8F, 0xCC, 0x83, 0xB2, + 0x7E, 0x9D, 0x42, 0xC9, 0x04, 0x31, 0xA7, 0x24, + 0x99, 0xF1, 0x78, 0x75, 0xC8, 0x1A, 0x59, 0x9B, + 0x56, 0x6C, 0x98, 0x89, 0xB9, 0x69, 0x67, 0x03 + }; + const unsigned char adaptor[33] = { + 0x02, 0xA6, 0xB5, 0x94, 0xB3, 0x8F, 0xB3, 0xE7, + 0x7C, 0x6E, 0xDF, 0x78, 0x16, 0x1F, 0xAD, 0xE2, + 0x04, 0x1F, 0x4E, 0x09, 0xFD, 0x84, 0x97, 0xDB, + 0x77, 0x6E, 0x54, 0x6C, 0x41, 0x56, 0x7F, 0xEB, + 0x3C + }; + const unsigned char pre_sig[65] = { + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x3B, 0x78, 0xCE, 0x56, + 0x3F, 0x89, 0xA0, 0xED, 0x94, 0x14, 0xF5, 0xAA, + 0x28, 0xAD, 0x0D, 0x96, 0xD6, 0x79, 0x5F, 0x9C, + 0x63, 0xB6, 0xAF, 0xB1, 0x54, 0x8A, 0xF6, 0x03, + 0xB3, 0xEB, 0x45, 0xC9, 0xF8, 0x20, 0x7D, 0xEE, + 0x10, 0x0F, 0x77, 0x28, 0xF9, 0xFA, 0x53, 0x1D, + 0xA1, 0xF5, 0xFF, 0x9F, 0x75, 0xB7, 0x16, 0x68, + 0x44 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 1, 1); + }; + { + /* Presig: Test vector 3 */ + const unsigned char pk[32] = { + 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, 0x50, + 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, 0x21, + 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87, + 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34 + }; + secp256k1_xonly_pubkey pk_parsed; + /* No need to check adaptor_extract as parsing the pubkey already fails */ + CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); + }; + { + /* Presig: Test vector 4 */ + const unsigned char pk[32] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F + }; + secp256k1_xonly_pubkey pk_parsed; + /* No need to check adaptor_extract as parsing the pubkey already fails */ + CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); + }; + { + /* Presig: Test vector 5 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x03, 0xEE, 0xFD, 0xEA, 0x4C, 0xDB, 0x67, 0x77, + 0x50, 0xA4, 0x20, 0xFE, 0xE8, 0x07, 0xEA, 0xCF, + 0x21, 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, + 0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, + 0x34, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 0, 0); + }; + { + /* Presig: Test vector 6 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, + 0x2F, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 0, 0); + }; + { + /* Presig: Test vector 7 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x04, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 0, 0); + }; + { + /* Presig: Test vector 8 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x02, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 1, 0); + }; + { + /* Presig: Test vector 9 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x03, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, + 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, + 0x41 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 0, 0); + }; + { + /* Presig: Test vector 10 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x02, 0x70, 0x7A, 0x89, 0x22, 0xA7, 0xF9, 0x26, + 0x1A, 0x22, 0xA7, 0x05, 0x9E, 0x60, 0x35, 0x70, + 0x57, 0x2A, 0x71, 0x2A, 0x47, 0x53, 0xE3, 0x06, + 0xEE, 0xA5, 0xA6, 0x8B, 0x83, 0xC6, 0xC2, 0x48, + 0xA8, 0x8F, 0x77, 0x9F, 0xA0, 0x55, 0x99, 0x8A, + 0x02, 0x93, 0x8B, 0x38, 0x25, 0x5E, 0x37, 0x61, + 0x90, 0x17, 0x06, 0xFD, 0xDB, 0xF4, 0x77, 0x70, + 0x63, 0x87, 0xC0, 0x46, 0x0B, 0x6C, 0xFB, 0x89, + 0x2D + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 1, 0); + }; + { + /* Presig: Test vector 11 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x03, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x86, 0x87, 0xC5, 0x33, 0x55, 0xF1, 0x9D, + 0xF9, 0xEF, 0x9E, 0x62, 0x4B, 0xB4, 0xF3, 0x2B, + 0x00, 0xB0, 0x66, 0xFC, 0x82, 0xEC, 0x78, 0x03, + 0x18, 0xCD, 0xBE, 0x8E, 0x9C, 0x7A, 0xDA, 0xE3, + 0xF1 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 1, 0); + }; + { + /* Presig: Test vector 12 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char adaptor[33] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83 + }; + const unsigned char pre_sig[65] = { + 0x02, 0x67, 0x8F, 0x02, 0xC8, 0x63, 0xB8, 0x2C, + 0xB7, 0xB6, 0xF0, 0xE5, 0x21, 0x60, 0x6A, 0xD8, + 0xDC, 0x75, 0xC1, 0xAC, 0x71, 0xD9, 0x74, 0x53, + 0xDB, 0x1A, 0x15, 0x61, 0x0E, 0x15, 0xA1, 0x2C, + 0x83, 0x92, 0x62, 0xEC, 0xE4, 0xF1, 0x76, 0xC3, + 0xDE, 0x64, 0x2D, 0xDD, 0x09, 0xE8, 0xF5, 0xBF, + 0xB1, 0xB0, 0x84, 0xFA, 0x17, 0x78, 0x76, 0x41, + 0xB1, 0xD8, 0x76, 0x1E, 0x3C, 0xE9, 0x7E, 0xE0, + 0xA2 + }; + test_schnorr_adaptor_spec_vectors_check_extract(pk, msg, adaptor, pre_sig, 0, 0); + }; + { + /* Presig: Test vector 13 & 14 */ + const unsigned char adaptor[33] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00 + }; + secp256k1_pubkey adaptor_parsed; + /* No need to check adaptor_extract as parsing the adaptor point already fails */ + CHECK(!secp256k1_ec_pubkey_parse(CTX, &adaptor_parsed, adaptor, sizeof(adaptor))); + }; + { + /* Adapt: Test vector 0 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char sec_adaptor[32] = { + 0x84, 0x8B, 0xC8, 0x7F, 0x32, 0xC6, 0xF7, 0x1D, + 0x3A, 0x93, 0xA5, 0x94, 0x24, 0x58, 0x45, 0x62, + 0x04, 0x6F, 0x31, 0x69, 0x37, 0x16, 0xFF, 0x73, + 0xA8, 0x97, 0xCC, 0xC1, 0x65, 0x9C, 0x5F, 0x5D + }; + const unsigned char pre_sig[65] = { + 0x02, 0x70, 0x7A, 0x89, 0x22, 0xA7, 0xF9, 0x26, + 0x1A, 0x22, 0xA7, 0x05, 0x9E, 0x60, 0x35, 0x70, + 0x57, 0x2A, 0x71, 0x2A, 0x47, 0x53, 0xE3, 0x06, + 0xEE, 0xA5, 0xA6, 0x8B, 0x83, 0xC6, 0xC2, 0x48, + 0xA8, 0x8F, 0x77, 0x9F, 0xA0, 0x55, 0x99, 0x8A, + 0x02, 0x93, 0x8B, 0x38, 0x25, 0x5E, 0x37, 0x61, + 0x90, 0x17, 0x06, 0xFD, 0xDB, 0xF4, 0x77, 0x70, + 0x63, 0x87, 0xC0, 0x46, 0x0B, 0x6C, 0xFB, 0x89, + 0x2D + }; + const unsigned char sig[64] = { + 0x70, 0x7A, 0x89, 0x22, 0xA7, 0xF9, 0x26, 0x1A, + 0x22, 0xA7, 0x05, 0x9E, 0x60, 0x35, 0x70, 0x57, + 0x2A, 0x71, 0x2A, 0x47, 0x53, 0xE3, 0x06, 0xEE, + 0xA5, 0xA6, 0x8B, 0x83, 0xC6, 0xC2, 0x48, 0xA8, + 0x14, 0x03, 0x68, 0x1F, 0x88, 0x60, 0x81, 0x1F, + 0xCE, 0x1E, 0xDD, 0xB9, 0x82, 0x8F, 0xA6, 0xF3, + 0x60, 0xC7, 0x52, 0x5E, 0x7C, 0x45, 0xCF, 0x9B, + 0x70, 0x85, 0xB4, 0x40, 0x02, 0x61, 0xA7, 0x49 + }; + test_schnorr_adaptor_spec_vectors_check_adapt(pk, msg, pre_sig, sec_adaptor, sig, 0); + }; + { + /* Adapt: Test vector 1 */ + const unsigned char pk[32] = { + 0xA1, 0x8D, 0xBC, 0x8D, 0xBF, 0x16, 0x3C, 0x60, + 0xDF, 0xA2, 0xEC, 0x7C, 0x87, 0xAC, 0x11, 0x3C, + 0xA4, 0x82, 0xFA, 0x2E, 0x1F, 0xDD, 0xD3, 0xEC, + 0x84, 0x21, 0xBF, 0x9B, 0xFA, 0x2E, 0xF1, 0xF2 + }; + const unsigned char msg[32] = { + 0x38, 0x95, 0x75, 0xB9, 0x2B, 0x58, 0x6B, 0xE2, + 0x73, 0x0A, 0x99, 0x82, 0x41, 0xE5, 0xCF, 0x65, + 0x1D, 0x6C, 0x19, 0x1F, 0xA6, 0x4E, 0xEA, 0x3D, + 0x00, 0x25, 0x6A, 0xFF, 0x7D, 0x18, 0x48, 0x4F + }; + const unsigned char sec_adaptor[32] = { + 0xE5, 0xE6, 0x8D, 0x0E, 0x63, 0x7D, 0xA4, 0x82, + 0x27, 0x32, 0xE2, 0x0F, 0x3E, 0xEB, 0xE1, 0x82, + 0x68, 0x92, 0xE8, 0x1C, 0x2C, 0xFE, 0xC6, 0xBE, + 0xC6, 0x00, 0xCD, 0xA3, 0xF6, 0x6A, 0x53, 0xF1 + }; + const unsigned char pre_sig[65] = { + 0x03, 0x73, 0xDB, 0x6D, 0x58, 0x03, 0xED, 0xD6, + 0x50, 0x2D, 0xE3, 0xD0, 0x95, 0x6B, 0xA3, 0xBD, + 0x3F, 0xAB, 0xA9, 0x88, 0x41, 0xC9, 0xAB, 0x07, + 0x4C, 0x79, 0x5E, 0x3A, 0x90, 0x12, 0xC4, 0x29, + 0x8A, 0x4B, 0x6C, 0x99, 0xEE, 0x31, 0xDB, 0x1C, + 0x15, 0x81, 0x30, 0x28, 0x26, 0x2E, 0xC2, 0x5E, + 0x0E, 0x04, 0xC9, 0xD3, 0x04, 0x15, 0x55, 0x85, + 0xF8, 0x5E, 0xC0, 0x02, 0x42, 0x2D, 0x20, 0x5D, + 0x6E + }; + const unsigned char sig[64] = { + 0x73, 0xDB, 0x6D, 0x58, 0x03, 0xED, 0xD6, 0x50, + 0x2D, 0xE3, 0xD0, 0x95, 0x6B, 0xA3, 0xBD, 0x3F, + 0xAB, 0xA9, 0x88, 0x41, 0xC9, 0xAB, 0x07, 0x4C, + 0x79, 0x5E, 0x3A, 0x90, 0x12, 0xC4, 0x29, 0x8A, + 0x65, 0x86, 0x0C, 0xDF, 0xCE, 0x5D, 0x77, 0x93, + 0x59, 0xFD, 0x46, 0x16, 0xEF, 0xD6, 0x7C, 0x8A, + 0x56, 0xE5, 0xC7, 0xCE, 0x97, 0x9F, 0x5F, 0x75, + 0x58, 0x91, 0x93, 0x2B, 0x06, 0xEC, 0x4A, 0xBE + }; + test_schnorr_adaptor_spec_vectors_check_adapt(pk, msg, pre_sig, sec_adaptor, sig, 1); + }; + { + /* Adapt: Test vector 2 */ + const unsigned char pk[32] = { + 0x15, 0xBF, 0x35, 0x43, 0x75, 0xCF, 0xBE, 0xDB, + 0x43, 0xDA, 0xC7, 0xD6, 0x6B, 0xCA, 0x46, 0xF5, + 0xCF, 0x0A, 0x42, 0xFF, 0xF0, 0x60, 0xEC, 0x0C, + 0xCC, 0x59, 0xA3, 0x96, 0xB2, 0x25, 0x43, 0x85 + }; + const unsigned char msg[32] = { + 0x2F, 0x4E, 0x50, 0x5E, 0x2C, 0x70, 0xE8, 0x1B, + 0x94, 0x43, 0x18, 0x00, 0xF8, 0x10, 0xEC, 0xB0, + 0x4F, 0xD0, 0xAA, 0xEE, 0xB0, 0xC7, 0x03, 0xF8, + 0xDC, 0xE4, 0x4E, 0xED, 0xFA, 0x0A, 0xB8, 0xC2 + }; + const unsigned char sec_adaptor[32] = { + 0x53, 0x92, 0x12, 0xA1, 0xB9, 0xFC, 0x42, 0xF4, + 0x4A, 0xD1, 0xA5, 0x77, 0x20, 0xC7, 0x44, 0x40, + 0x84, 0x03, 0xFF, 0xFF, 0x80, 0x58, 0x48, 0x66, + 0x40, 0x27, 0xFC, 0x9C, 0x74, 0xB3, 0x87, 0x6A + }; + const unsigned char pre_sig[65] = { + 0x02, 0xE4, 0xC4, 0x16, 0x13, 0x45, 0xD8, 0xC9, + 0xD8, 0x4A, 0x50, 0xD5, 0x76, 0x25, 0x76, 0xBE, + 0x7B, 0xCF, 0x1E, 0xA3, 0x13, 0x21, 0xBA, 0x6A, + 0x6F, 0x3C, 0x64, 0x18, 0x53, 0x6D, 0xB4, 0x3D, + 0xB4, 0x96, 0x72, 0x85, 0x58, 0xD7, 0x79, 0x65, + 0xA6, 0x42, 0x6D, 0x5C, 0x6A, 0x25, 0xB3, 0xF0, + 0xB0, 0x2E, 0xCE, 0xC4, 0x9F, 0xBB, 0xC7, 0xC9, + 0x66, 0xB9, 0xE3, 0x87, 0x6C, 0x33, 0x70, 0x4C, + 0xB5 + }; + const unsigned char sig[64] = { + 0xE4, 0xC4, 0x16, 0x13, 0x45, 0xD8, 0xC9, 0xD8, + 0x4A, 0x50, 0xD5, 0x76, 0x25, 0x76, 0xBE, 0x7B, + 0xCF, 0x1E, 0xA3, 0x13, 0x21, 0xBA, 0x6A, 0x6F, + 0x3C, 0x64, 0x18, 0x53, 0x6D, 0xB4, 0x3D, 0xB4, + 0xEA, 0x04, 0x97, 0xFA, 0x91, 0x75, 0xA8, 0x9A, + 0x8D, 0x3F, 0x01, 0xE1, 0x46, 0x7B, 0x34, 0xF0, + 0xB2, 0xD2, 0xC4, 0x9F, 0x3C, 0x20, 0x11, 0xCC, + 0xFA, 0x0B, 0x84, 0x08, 0xA8, 0x23, 0xD4, 0x1F + }; + test_schnorr_adaptor_spec_vectors_check_adapt(pk, msg, pre_sig, sec_adaptor, sig, 1); + }; + { + /* Adapt: Test vector 3 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char sec_adaptor[32] = { + 0x84, 0x8B, 0xC8, 0x7F, 0x32, 0xC6, 0xF7, 0x1D, + 0x3A, 0x93, 0xA5, 0x94, 0x24, 0x58, 0x45, 0x62, + 0x04, 0x6F, 0x31, 0x69, 0x37, 0x16, 0xFF, 0x73, + 0xA8, 0x97, 0xCC, 0xC1, 0x65, 0x9C, 0x5F, 0x5D + }; + const unsigned char pre_sig[65] = { + 0x03, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x86, 0x87, 0xC5, 0x33, 0x55, 0xF1, 0x9D, + 0xF9, 0xEF, 0x9E, 0x62, 0x4B, 0xB4, 0xF3, 0x2B, + 0x00, 0xB0, 0x66, 0xFC, 0x82, 0xEC, 0x78, 0x03, + 0x18, 0xCD, 0xBE, 0x8E, 0x9C, 0x7A, 0xDA, 0xE3, + 0xF1 + }; + const unsigned char sig[64] = { + 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, 0x80, + 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, 0xD4, + 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, 0xA9, + 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, 0x13, + 0x01, 0xFB, 0xFC, 0xB4, 0x23, 0x2A, 0xA6, 0xDC, + 0xB5, 0x0A, 0xBC, 0xB7, 0x90, 0x9A, 0xE5, 0x9E, + 0xAB, 0xF7, 0xCB, 0x19, 0xB5, 0x61, 0x03, 0xA5, + 0x25, 0x26, 0xC1, 0xDB, 0x15, 0x3E, 0x84, 0x94 + }; + test_schnorr_adaptor_spec_vectors_check_adapt(pk, msg, pre_sig, sec_adaptor, sig, 0); + }; + { + /* Adapt: Test vector 4 */ + const unsigned char pk[32] = { + 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, + 0x36, 0x18, 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, + 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 0xDE, 0xCE, 0xD8, + 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 + }; + const unsigned char msg[32] = { + 0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, + 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44, + 0xA4, 0x09, 0x38, 0x22, 0x29, 0x9F, 0x31, 0xD0, + 0x08, 0x2E, 0xFA, 0x98, 0xEC, 0x4E, 0x6C, 0x89 + }; + const unsigned char sec_adaptor[32] = { + 0x84, 0x8B, 0xC8, 0x7F, 0x32, 0xC6, 0xF7, 0x1D, + 0x3A, 0x93, 0xA5, 0x94, 0x24, 0x58, 0x45, 0x62, + 0x04, 0x6F, 0x31, 0x69, 0x37, 0x16, 0xFF, 0x73, + 0xA8, 0x97, 0xCC, 0xC1, 0x65, 0x9C, 0x5F, 0x5D + }; + const unsigned char pre_sig[65] = { + 0x02, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + const unsigned char sig[64] = { + 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, 0x80, + 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, 0xD4, + 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, 0xA9, + 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, 0x13, + 0xFE, 0x04, 0x03, 0x4B, 0xDC, 0xD5, 0x59, 0x23, + 0x4A, 0xF5, 0x43, 0x48, 0x6F, 0x65, 0x1A, 0x60, + 0x0E, 0xB7, 0x11, 0xCC, 0xF9, 0xE7, 0x9C, 0x96, + 0x9A, 0xAB, 0x9C, 0xB1, 0xBA, 0xF7, 0xBC, 0xAD + }; + test_schnorr_adaptor_spec_vectors_check_adapt(pk, msg, pre_sig, sec_adaptor, sig, 0); + }; + { + /* Secadapt: Test vector 0 */ + const unsigned char pre_sig[65] = { + 0x03, 0x73, 0xDB, 0x6D, 0x58, 0x03, 0xED, 0xD6, + 0x50, 0x2D, 0xE3, 0xD0, 0x95, 0x6B, 0xA3, 0xBD, + 0x3F, 0xAB, 0xA9, 0x88, 0x41, 0xC9, 0xAB, 0x07, + 0x4C, 0x79, 0x5E, 0x3A, 0x90, 0x12, 0xC4, 0x29, + 0x8A, 0x4B, 0x6C, 0x99, 0xEE, 0x31, 0xDB, 0x1C, + 0x15, 0x81, 0x30, 0x28, 0x26, 0x2E, 0xC2, 0x5E, + 0x0E, 0x04, 0xC9, 0xD3, 0x04, 0x15, 0x55, 0x85, + 0xF8, 0x5E, 0xC0, 0x02, 0x42, 0x2D, 0x20, 0x5D, + 0x6E + }; + const unsigned char sig[64] = { + 0x73, 0xDB, 0x6D, 0x58, 0x03, 0xED, 0xD6, 0x50, + 0x2D, 0xE3, 0xD0, 0x95, 0x6B, 0xA3, 0xBD, 0x3F, + 0xAB, 0xA9, 0x88, 0x41, 0xC9, 0xAB, 0x07, 0x4C, + 0x79, 0x5E, 0x3A, 0x90, 0x12, 0xC4, 0x29, 0x8A, + 0x65, 0x86, 0x0C, 0xDF, 0xCE, 0x5D, 0x77, 0x93, + 0x59, 0xFD, 0x46, 0x16, 0xEF, 0xD6, 0x7C, 0x8A, + 0x56, 0xE5, 0xC7, 0xCE, 0x97, 0x9F, 0x5F, 0x75, + 0x58, 0x91, 0x93, 0x2B, 0x06, 0xEC, 0x4A, 0xBE + }; + const unsigned char sec_adaptor[32] = { + 0xE5, 0xE6, 0x8D, 0x0E, 0x63, 0x7D, 0xA4, 0x82, + 0x27, 0x32, 0xE2, 0x0F, 0x3E, 0xEB, 0xE1, 0x82, + 0x68, 0x92, 0xE8, 0x1C, 0x2C, 0xFE, 0xC6, 0xBE, + 0xC6, 0x00, 0xCD, 0xA3, 0xF6, 0x6A, 0x53, 0xF1 + }; + test_schnorr_adaptor_spec_vectors_check_extract_sec(pre_sig, sig, sec_adaptor, 1); + }; + { + /* Secadapt: Test vector 1 */ + const unsigned char pre_sig[65] = { + 0x02, 0xE4, 0xC4, 0x16, 0x13, 0x45, 0xD8, 0xC9, + 0xD8, 0x4A, 0x50, 0xD5, 0x76, 0x25, 0x76, 0xBE, + 0x7B, 0xCF, 0x1E, 0xA3, 0x13, 0x21, 0xBA, 0x6A, + 0x6F, 0x3C, 0x64, 0x18, 0x53, 0x6D, 0xB4, 0x3D, + 0xB4, 0x96, 0x72, 0x85, 0x58, 0xD7, 0x79, 0x65, + 0xA6, 0x42, 0x6D, 0x5C, 0x6A, 0x25, 0xB3, 0xF0, + 0xB0, 0x2E, 0xCE, 0xC4, 0x9F, 0xBB, 0xC7, 0xC9, + 0x66, 0xB9, 0xE3, 0x87, 0x6C, 0x33, 0x70, 0x4C, + 0xB5 + }; + const unsigned char sig[64] = { + 0xE4, 0xC4, 0x16, 0x13, 0x45, 0xD8, 0xC9, 0xD8, + 0x4A, 0x50, 0xD5, 0x76, 0x25, 0x76, 0xBE, 0x7B, + 0xCF, 0x1E, 0xA3, 0x13, 0x21, 0xBA, 0x6A, 0x6F, + 0x3C, 0x64, 0x18, 0x53, 0x6D, 0xB4, 0x3D, 0xB4, + 0xEA, 0x04, 0x97, 0xFA, 0x91, 0x75, 0xA8, 0x9A, + 0x8D, 0x3F, 0x01, 0xE1, 0x46, 0x7B, 0x34, 0xF0, + 0xB2, 0xD2, 0xC4, 0x9F, 0x3C, 0x20, 0x11, 0xCC, + 0xFA, 0x0B, 0x84, 0x08, 0xA8, 0x23, 0xD4, 0x1F + }; + const unsigned char sec_adaptor[32] = { + 0x53, 0x92, 0x12, 0xA1, 0xB9, 0xFC, 0x42, 0xF4, + 0x4A, 0xD1, 0xA5, 0x77, 0x20, 0xC7, 0x44, 0x40, + 0x84, 0x03, 0xFF, 0xFF, 0x80, 0x58, 0x48, 0x66, + 0x40, 0x27, 0xFC, 0x9C, 0x74, 0xB3, 0x87, 0x6A + }; + test_schnorr_adaptor_spec_vectors_check_extract_sec(pre_sig, sig, sec_adaptor, 1); + }; + { + /* Secadapt: Test vector 2 */ + const unsigned char pre_sig[65] = { + 0x03, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + const unsigned char sig[64] = { + 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, 0x80, + 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, 0xD4, + 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, 0xA9, + 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, 0x13, + 0x01, 0xFB, 0xFC, 0xB4, 0x23, 0x2A, 0xA6, 0xDC, + 0xB5, 0x0A, 0xBC, 0xB7, 0x90, 0x9A, 0xE5, 0x9E, + 0xAB, 0xF7, 0xCB, 0x19, 0xB5, 0x61, 0x03, 0xA5, + 0x25, 0x26, 0xC1, 0xDB, 0x15, 0x3E, 0x84, 0x94 + }; + const unsigned char sec_adaptor[32] = { + 0x84, 0x8B, 0xC8, 0x7F, 0x32, 0xC6, 0xF7, 0x1D, + 0x3A, 0x93, 0xA5, 0x94, 0x24, 0x58, 0x45, 0x62, + 0x04, 0x6F, 0x31, 0x69, 0x37, 0x16, 0xFF, 0x73, + 0xA8, 0x97, 0xCC, 0xC1, 0x65, 0x9C, 0x5F, 0x5D + }; + test_schnorr_adaptor_spec_vectors_check_extract_sec(pre_sig, sig, sec_adaptor, 0); + }; + { + /* Secadapt: Test vector 3 */ + const unsigned char pre_sig[65] = { + 0x03, 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, + 0x80, 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, + 0xD4, 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, + 0xA9, 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, + 0x13, 0x79, 0x78, 0x3A, 0xCC, 0xAA, 0x0E, 0x62, + 0x06, 0x10, 0x61, 0x9D, 0xB4, 0x4B, 0x0C, 0xD4, + 0xFE, 0x0A, 0x47, 0xE0, 0x63, 0xC2, 0xD0, 0x9D, + 0x22, 0xF2, 0x13, 0xCF, 0xF0, 0x55, 0x5B, 0x5D, + 0x50 + }; + const unsigned char sig[64] = { + 0xB8, 0x61, 0x3C, 0xCA, 0x78, 0xF4, 0xFA, 0x80, + 0xEA, 0x58, 0xEE, 0xD0, 0xC2, 0x6B, 0x4A, 0xD4, + 0x91, 0xEF, 0xFC, 0x44, 0x50, 0x3C, 0x8D, 0xA9, + 0x0D, 0x15, 0xA9, 0xC1, 0x7E, 0xD2, 0x60, 0x13, + 0xFE, 0x04, 0x03, 0x4B, 0xDC, 0xD5, 0x59, 0x23, + 0x4A, 0xF5, 0x43, 0x48, 0x6F, 0x65, 0x1A, 0x60, + 0x0E, 0xB7, 0x11, 0xCC, 0xF9, 0xE7, 0x9C, 0x96, + 0x9A, 0xAB, 0x9C, 0xB1, 0xBA, 0xF7, 0xBC, 0xAD + }; + const unsigned char sec_adaptor[32] = { + 0x84, 0x8B, 0xC8, 0x7F, 0x32, 0xC6, 0xF7, 0x1D, + 0x3A, 0x93, 0xA5, 0x94, 0x24, 0x58, 0x45, 0x62, + 0x04, 0x6F, 0x31, 0x69, 0x37, 0x16, 0xFF, 0x73, + 0xA8, 0x97, 0xCC, 0xC1, 0x65, 0x9C, 0x5F, 0x5D + }; + test_schnorr_adaptor_spec_vectors_check_extract_sec(pre_sig, sig, sec_adaptor, 0); + }; +} + +static void test_schnorr_adaptor_edge_cases(void) { + unsigned char sk[32]; + secp256k1_xonly_pubkey pk; + secp256k1_keypair keypair; + const unsigned char msg[32] = "this is a schnorr adaptor msg..."; + unsigned char sec_adaptor[32]; + unsigned char extracted_sec_adaptor[32]; + secp256k1_pubkey adaptor; + secp256k1_pubkey extracted_adaptor; + unsigned char aux_rand[32]; + unsigned char pre_sig[65]; + unsigned char sig[64]; + + secp256k1_testrand256(sk); + secp256k1_testrand256(sec_adaptor); + secp256k1_testrand256(aux_rand); + CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); + CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); + CHECK(secp256k1_ec_pubkey_create(CTX, &adaptor, sec_adaptor)); + + /* Test schnorr_adaptor_presign */ + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &adaptor, aux_rand) == 1); + + /* TODO: test with different nonce functions after `schnorr_adaptor_presign_custom` + * gets implemented */ + + /* Test schnorr_adaptor_extract */ + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &adaptor, aux_rand) == 1); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, pre_sig, msg, &pk) == 1); + CHECK(secp256k1_ec_pubkey_cmp(CTX, &extracted_adaptor, &adaptor) == 0); + { + /* invalid R' (= pre_sig[0:33]) */ + unsigned char pre_sig_tmp[65]; + secp256k1_pubkey extracted_adaptor_tmp; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + memset(pre_sig_tmp, 0xFF, 33); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor_tmp, pre_sig_tmp, msg, &pk) == 0); + } + { + /* overflowing s */ + unsigned char pre_sig_tmp[65]; + secp256k1_pubkey extracted_adaptor_tmp; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + memset(&pre_sig_tmp[33], 0xFF, 32); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor_tmp, pre_sig_tmp, msg, &pk) == 0); + } + { + /* negated s */ + unsigned char pre_sig_tmp[65]; + secp256k1_scalar s; + secp256k1_pubkey extracted_adaptor_tmp; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + secp256k1_scalar_set_b32(&s, &pre_sig_tmp[33], NULL); + secp256k1_scalar_negate(&s, &s); + secp256k1_scalar_get_b32(&pre_sig_tmp[33], &s); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor_tmp, pre_sig_tmp, msg, &pk) == 1); + CHECK(secp256k1_ec_pubkey_cmp(CTX, &extracted_adaptor_tmp, &adaptor) != 0); + } + { + /* any flipped bit in the pre-signature will extract + * an invalid adaptor point */ + unsigned char pre_sig_tmp[65]; + secp256k1_pubkey extracted_adaptor_tmp; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + rand_flip_bit(&pre_sig_tmp[1], sizeof(pre_sig_tmp) - 1); + /* depending on which bit was flipped adaptor_extract can either + * return 0 (parsing pre-signature failed) or 1 (parsing + * pre-signature success) */ + if(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor_tmp, pre_sig_tmp, msg, &pk)) { + CHECK(secp256k1_ec_pubkey_cmp(CTX, &extracted_adaptor_tmp, &adaptor) != 0); + } + } + { + /* any flipped bit in the message will extract an invalid + * adaptor point */ + unsigned char msg_tmp[32]; + secp256k1_pubkey extracted_adaptor_tmp; + memcpy(msg_tmp, msg, sizeof(msg_tmp)); + rand_flip_bit(msg_tmp, sizeof(msg_tmp)); + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor_tmp, pre_sig, msg_tmp, &pk) == 1); + CHECK(secp256k1_ec_pubkey_cmp(CTX, &extracted_adaptor_tmp, &adaptor) != 0); + } + /* Note: presig test vectors 12, 13, 14 will cover the case where + * adaptor_extract returns 0 when [1] R = infinity, or [2] T = infinity. + * So, we don't need to test those scenarios here */ + + /* Test schnorr_adaptor_adapt */ + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &adaptor, aux_rand) == 1); + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, sec_adaptor) == 1); + CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk) == 1); + { + /* overflowing sec_adaptor */ + unsigned char sig_tmp[64]; + unsigned char sec_adaptor_tmp[32]; + memset(sec_adaptor_tmp, 0xFF, 32); + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig_tmp, pre_sig, sec_adaptor_tmp) == 0); + } + { + /* overflowing s */ + unsigned char sig_tmp[64]; + unsigned char pre_sig_tmp[65]; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + memset(&pre_sig_tmp[33], 0xFF, 32); + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig_tmp, pre_sig_tmp, sec_adaptor) == 0); + } + { + /* negated s */ + unsigned char sig_tmp[64]; + unsigned char pre_sig_tmp[65]; + secp256k1_scalar s; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + secp256k1_scalar_set_b32(&s, &pre_sig_tmp[33], NULL); + secp256k1_scalar_negate(&s, &s); + secp256k1_scalar_get_b32(&pre_sig_tmp[33], &s); + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig_tmp, pre_sig_tmp, sec_adaptor) == 1); + CHECK(secp256k1_schnorrsig_verify(CTX, sig_tmp, msg, sizeof(msg), &pk) == 0); + } + { + /* any flipped bit in the pre-signature will result in + * an invalid signature */ + unsigned char sig_tmp[64]; + unsigned char pre_sig_tmp[65]; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + rand_flip_bit(&pre_sig_tmp[1], sizeof(pre_sig_tmp) - 1); + /* depending on which bit was flipped adaptor_adapt can either + * return 0 (parsing pre_sig_tmp[33:65] failed) or 1 (parsing + * success but invalid sig will be generated) */ + if (secp256k1_schnorr_adaptor_adapt(CTX, sig_tmp, pre_sig_tmp, sec_adaptor)) { + CHECK(secp256k1_schnorrsig_verify(CTX, sig_tmp, msg, sizeof(msg), &pk) == 0); + } + } + { + /* any flipped bit in the sec_adaptor will result in an + * invalid signature */ + unsigned char sig_tmp[64]; + unsigned char sec_adaptor_tmp[32]; + memcpy(sec_adaptor_tmp, sec_adaptor, sizeof(sec_adaptor_tmp)); + rand_flip_bit(sec_adaptor_tmp, sizeof(sec_adaptor_tmp)); + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig_tmp, pre_sig, sec_adaptor_tmp) == 1); + CHECK(secp256k1_schnorrsig_verify(CTX, sig_tmp, msg, sizeof(msg), &pk) == 0); + } + + /* Test schnorr_adaptor_extract_sec */ + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &keypair, &adaptor, aux_rand) == 1); + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, sec_adaptor) == 1); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor, pre_sig, sig) == 1); + CHECK(secp256k1_memcmp_var(extracted_sec_adaptor, sec_adaptor, sizeof(extracted_sec_adaptor)) == 0); + { + /* overflowing pre_sig[33:65] */ + unsigned char extracted_sec_adaptor_tmp[32]; + unsigned char pre_sig_tmp[65]; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + memset(&pre_sig_tmp[33], 0xFF, 32); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig_tmp, sig) == 0); + } + { + /* overflowing sig[32:64] */ + unsigned char extracted_sec_adaptor_tmp[32]; + unsigned char sig_tmp[64]; + memcpy(sig_tmp, sig, sizeof(sig_tmp)); + memset(&sig_tmp[32], 0xFF, 32); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig, sig_tmp) == 0); + } + { + /* any flipped bit in pre_sig[33:65] will extract + * an invalid secret adaptor */ + unsigned char extracted_sec_adaptor_tmp[32]; + unsigned char pre_sig_tmp[65]; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + rand_flip_bit(&pre_sig_tmp[33], sizeof(pre_sig_tmp) - 33); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig_tmp, sig) == 1); + CHECK(secp256k1_memcmp_var(extracted_sec_adaptor_tmp, sec_adaptor, sizeof(extracted_sec_adaptor_tmp)) != 0); + } + { + /* any flipped bit in sig[32:64] will extract + * an invalid secret adaptor */ + unsigned char extracted_sec_adaptor_tmp[32]; + unsigned char sig_tmp[64]; + memcpy(sig_tmp, sig, sizeof(sig_tmp)); + rand_flip_bit(&sig_tmp[32], sizeof(sig_tmp) - 32); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig, sig_tmp) == 1); + CHECK(secp256k1_memcmp_var(extracted_sec_adaptor_tmp, sec_adaptor, sizeof(extracted_sec_adaptor_tmp)) != 0); + } + { + /* invalid presig[0:33] or sig[0:32] does not + * neccessarily result in an invalid output */ + unsigned char extracted_sec_adaptor_tmp[32]; + unsigned char pre_sig_tmp[65]; + unsigned char sig_tmp[64]; + memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp)); + memcpy(sig_tmp, sig, sizeof(sig_tmp)); + memset(&pre_sig_tmp[1], 0xFF, 32); + memset(sig_tmp, 0xFF, 32); + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig_tmp, sig_tmp) == 1); + CHECK(secp256k1_memcmp_var(extracted_sec_adaptor_tmp, sec_adaptor, sizeof(extracted_sec_adaptor_tmp)) == 0); + } +} + +static void test_schnorr_adaptor_correctness(void) { + unsigned char alice_sk[32]; + secp256k1_keypair alice_keypair; + secp256k1_xonly_pubkey alice_pk; + unsigned char sec_adaptor[32]; + secp256k1_pubkey adaptor; + unsigned char extracted_sec_adaptor[32]; + secp256k1_pubkey extracted_adaptor; + unsigned char msg[32]; + unsigned char pre_sig[65]; + unsigned char sig[64]; + + /* Alice setup */ + secp256k1_testrand256(alice_sk); + CHECK(secp256k1_keypair_create(CTX, &alice_keypair, alice_sk) == 1); + CHECK(secp256k1_keypair_xonly_pub(CTX, &alice_pk, NULL, &alice_keypair) == 1); + + /* t := sec_adaptor + * There exists an adaptor T = t*G, where t is unknown to Bob */ + secp256k1_testrand256(sec_adaptor); + CHECK(secp256k1_ec_pubkey_create(CTX, &adaptor, sec_adaptor)); + + /* Alice creates a pre-siganture for the adaptor point T, + * and sends it to Bob. */ + secp256k1_testrand256(msg); + CHECK(secp256k1_schnorr_adaptor_presign(CTX, pre_sig, msg, &alice_keypair, &adaptor, NULL) == 1); + + /* Bob extracts the adaptor point from the pre-signature, + * and verifies if it is equal to T */ + CHECK(secp256k1_schnorr_adaptor_extract(CTX, &extracted_adaptor, pre_sig, msg, &alice_pk) == 1); + CHECK(secp256k1_ec_pubkey_cmp(CTX, &extracted_adaptor, &adaptor) == 0); + + /* Bob learns t (the discrete logarithm of T). For example, Bob can + * pay a Lightning invoice that reveals t, assuming Lightning uses + * PTLC (Point Time Locked Contracts). */ + + /* Bob adapts the pre-signature with the discrete logarithm of T to + * create a valid BIP 340 Schnorr signature. */ + CHECK(secp256k1_schnorr_adaptor_adapt(CTX, sig, pre_sig, sec_adaptor) == 1); + CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &alice_pk) == 1); + + /* Alice learns the BIP340 signature after Bob publishes it on the blockchain. */ + + /* Alice extracts the discrete logarithm of T from the pre-signature and the + * BIP 340 signature. */ + CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor, pre_sig, sig) == 1); + CHECK(secp256k1_memcmp_var(extracted_sec_adaptor, sec_adaptor, sizeof(extracted_sec_adaptor)) == 0); +} + +static void run_schnorr_adaptor_tests(void) { + int i; + run_nonce_function_schnorr_adaptor_tests(); + + test_schnorr_adaptor_api(); + test_schnorr_adaptor_spec_vectors(); + for (i = 0; i < COUNT; i++) { + test_schnorr_adaptor_edge_cases(); + } + test_schnorr_adaptor_correctness(); +} + +#endif diff --git a/src/tests.c b/src/tests.c index 7c2f30e35..ade38101d 100644 --- a/src/tests.c +++ b/src/tests.c @@ -7490,6 +7490,10 @@ static void run_ecdsa_wycheproof(void) { # include "modules/schnorrsig/tests_impl.h" #endif +#ifdef ENABLE_MODULE_SCHNORR_ADAPTOR +# include "modules/schnorr_adaptor/tests_impl.h" +#endif + #ifdef ENABLE_MODULE_ELLSWIFT # include "modules/ellswift/tests_impl.h" #endif @@ -7879,6 +7883,10 @@ int main(int argc, char **argv) { run_schnorrsig_tests(); #endif +#ifdef ENABLE_MODULE_SCHNORR_ADAPTOR + run_schnorr_adaptor_tests(); +#endif + #ifdef ENABLE_MODULE_ELLSWIFT run_ellswift_tests(); #endif diff --git a/src/testutil.h b/src/testutil.h index 4e2cb7d5b..25d6a915b 100644 --- a/src/testutil.h +++ b/src/testutil.h @@ -26,4 +26,8 @@ static void random_fe_non_zero(secp256k1_fe *nz) { } while (secp256k1_fe_is_zero(nz)); } +static void rand_flip_bit(unsigned char *array, size_t n) { + array[secp256k1_testrand_int(n)] ^= 1 << secp256k1_testrand_int(8); +} + #endif /* SECP256K1_TESTUTIL_H */ From c2f270985d2344c47d2922ff36648cfa1f83545e Mon Sep 17 00:00:00 2001 From: siv2r Date: Wed, 23 Oct 2024 20:03:16 +0530 Subject: [PATCH 5/5] schnorr_adaptor: add example This commit adds an example that implements the Multi-hop Locks protocol using the Schnorr adaptor signature APIs --- .gitignore | 1 + Makefile.am | 11 +++ README.md | 1 + examples/CMakeLists.txt | 4 + examples/schnorr_adaptor.c | 184 +++++++++++++++++++++++++++++++++++++ 5 files changed, 201 insertions(+) create mode 100644 examples/schnorr_adaptor.c diff --git a/.gitignore b/.gitignore index b3ae618d4..32edfb2b3 100644 --- a/.gitignore +++ b/.gitignore @@ -66,6 +66,7 @@ libsecp256k1.pc contrib/gh-pr-create.sh musig_example +schnorr_adaptor_example ### CMake /CMakeUserPresets.json diff --git a/Makefile.am b/Makefile.am index 9761eb2c1..0b3e2f2e3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -195,6 +195,17 @@ musig_example_LDFLAGS += -lbcrypt endif TESTS += musig_example endif +if ENABLE_MODULE_SCHNORR_ADAPTOR +noinst_PROGRAMS += schnorr_adaptor_example +schnorr_adaptor_example_SOURCES = examples/schnorr_adaptor.c +schnorr_adaptor_example_CPPFLAGS = -I$(top_srcdir)/include -DSECP256K1_STATIC +schnorr_adaptor_example_LDADD = libsecp256k1.la +schnorr_adaptor_example_LDFLAGS = -static +if BUILD_WINDOWS +schnorr_adaptor_example_LDFLAGS += -lbcrypt +endif +TESTS += schnorr_adaptor_example +endif endif ### Precomputed tables diff --git a/README.md b/README.md index d0267e3cd..80d2b0ee3 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,7 @@ Usage examples Usage examples can be found in the [examples](examples) directory. To compile them you need to configure with `--enable-examples`. * [ECDSA example](examples/ecdsa.c) * [Schnorr signatures example](examples/schnorr.c) + * [Schnorr adaptor signatures example](examples/schnorr_adaptor.c) * [Deriving a shared secret (ECDH) example](examples/ecdh.c) * [MuSig example](examples/musig.c) diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index 607bb6777..699d9e47e 100644 --- a/examples/CMakeLists.txt +++ b/examples/CMakeLists.txt @@ -28,3 +28,7 @@ endif() if(SECP256K1_ENABLE_MODULE_SCHNORRSIG) add_example(schnorr) endif() + +if(SECP256K1_ENABLE_MODULE_SCHNORR_ADAPTOR) + add_example(schnorr_adaptor) +endif() diff --git a/examples/schnorr_adaptor.c b/examples/schnorr_adaptor.c new file mode 100644 index 000000000..98fca8c48 --- /dev/null +++ b/examples/schnorr_adaptor.c @@ -0,0 +1,184 @@ +/************************************************************************* + * Written in 2024 by Sivaram Dhakshinamoorthy * + * To the extent possible under law, the author(s) have dedicated all * + * copyright and related and neighboring rights to the software in this * + * file to the public domain worldwide. This software is distributed * + * without any warranty. For the CC0 Public Domain Dedication, see * + * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 * + *************************************************************************/ + +#include +#include +#include + +#include +#include +#include + +#include "examples_util.h" + +/** This example implements the Multi-hop Locks protocol described in + * https://github.com/BlockstreamResearch/scriptless-scripts/blob/master/md/multi-hop-locks.md, + * using the Schnorr adaptor module. + * + * In this example, Alice (sender) sends a payment to Carol (recipient) + * via Bob (intermediate hop). The protocol ensures that Alice exchanges + * her coins for a proof of payment from Carol, and Bob securely forwards + * the payment without being able to access its details. + * + * Carol provides Alice with a point (z*G), which acts as the proof of + * payment. Alice sets up cryptographic locks with Bob, and Bob forwards + * the payment to Carol. When Carol reveals the secret z to claim the + * payment, Alice learns the proof of payment. + */ + +static int create_keypair(const secp256k1_context *ctx, secp256k1_keypair *keypair, secp256k1_xonly_pubkey *pubkey) { + unsigned char seckey[32]; + while (1) { + if (!fill_random(seckey, sizeof(seckey))) { + printf("Failed to generate randomness\n"); + return 0; + } + if (secp256k1_keypair_create(ctx, keypair, seckey)) { + break; + } + } + if(!secp256k1_keypair_xonly_pub(ctx, pubkey, NULL, keypair)){ + return 0; + } + return 1; +} + +/* Creates the locks required for multi-hop payments */ +static int create_hop_locks(const secp256k1_context *ctx, secp256k1_pubkey *left_lock, secp256k1_pubkey *right_lock, secp256k1_pubkey *adaptor_pop, unsigned char *tweak_sum, unsigned char *tweak1, unsigned char *tweak2) { + while (1) { + if (!fill_random(tweak1, 32)) { + printf("Failed to generate randomness\n"); + return 0; + } + if (!fill_random(tweak2, 32)) { + printf("Failed to generate randomness\n"); + return 0; + } + if (secp256k1_ec_seckey_verify(ctx, tweak1) && secp256k1_ec_seckey_verify(ctx, tweak2)) { + break; + } + } + /* Create left lock = (z + tweak1)*G */ + memcpy(left_lock, adaptor_pop, sizeof(secp256k1_pubkey)); + if(!secp256k1_ec_pubkey_tweak_add(ctx, left_lock, tweak1)) { + return 0; + } + + /* Create right lock = (z + tweak1 + tweak2)*G */ + memcpy(tweak_sum, tweak1, 32); + if(!secp256k1_ec_seckey_tweak_add(ctx, tweak_sum, tweak2)) { + return 0; + } + memcpy(right_lock, adaptor_pop, sizeof(secp256k1_pubkey)); + if(!secp256k1_ec_pubkey_tweak_add(ctx, right_lock, tweak_sum)) { + return 0; + } + + return 1; +} + +int main(void) { + unsigned char tx_ab[32] = "alice sends a payment to bob...."; + unsigned char tx_bc[32] = "bob sends a payment to carol...."; + unsigned char presig_ab[65]; + unsigned char presig_bc[65]; + unsigned char sig_ab[64]; + unsigned char sig_bc[64]; + unsigned char tmp[32]; + unsigned char tweak1[32]; + unsigned char tweak2[32]; + unsigned char tweak_sum[32]; + unsigned char secret_pop[32]; /* Carol's secret proof of payment */ + secp256k1_pubkey adaptor_pop; + secp256k1_pubkey left_lock; + secp256k1_pubkey right_lock; + secp256k1_pubkey tmp_pubkey; + secp256k1_xonly_pubkey pubkey_a, pubkey_b; + secp256k1_keypair keypair_a, keypair_b; + int ret; + + secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); + + /* Generate keypairs for Alice and Bob */ + ret = create_keypair(ctx, &keypair_a, &pubkey_a); + assert(ret); + ret = create_keypair(ctx, &keypair_b, &pubkey_b); + assert(ret); + + /* Carol setup: creates a proof of payment (z*G) */ + if (!fill_random(secret_pop, sizeof(secret_pop))) { + printf("Failed to generate randomness\n"); + return 1; + } + ret = secp256k1_ec_pubkey_create(ctx, &adaptor_pop, secret_pop); + assert(ret); + + /* Alice's setup: Generates tweak1, tweak2, left lock, and right lock + * for the payment. She shares the following: + * + * 1. With Bob: tweak2, left lock, right lock + * 2. With Carol: tweak1 + tweak2, right lock + */ + if (!create_hop_locks(ctx, &left_lock, &right_lock, &adaptor_pop, tweak_sum, tweak1, tweak2)) { + return 1; + } + /* Alice sends a pre-signature to Bob */ + ret = secp256k1_schnorr_adaptor_presign(ctx, presig_ab, tx_ab, &keypair_a, &left_lock, NULL); + assert(ret); + + /* Bob setup: extracts the left lock from Alice's pre-signature and verifies it */ + ret = secp256k1_schnorr_adaptor_extract(ctx, &tmp_pubkey, presig_ab, tx_ab, &pubkey_a); + assert(ret); + assert(memcmp(&tmp_pubkey, &left_lock, sizeof(left_lock)) == 0); + /* Bob creates a pre-signature that forwards the payment to Carol */ + ret = secp256k1_schnorr_adaptor_presign(ctx, presig_bc, tx_bc, &keypair_b, &right_lock, NULL); + assert(ret); + + /* Carol extracts the right lock from Bob's pre-signature and verifies it */ + ret = secp256k1_schnorr_adaptor_extract(ctx, &tmp_pubkey, presig_bc, tx_bc, &pubkey_b); + assert(ret); + assert(memcmp(&tmp_pubkey, &right_lock, sizeof(right_lock)) == 0); + /* Carol claims her payment by adapting Bob's pre-signature with the + * secret = z + tweak1 + tweak2, to produce a valid BIP340 Schnorr + * signature. */ + memcpy(tmp, secret_pop, sizeof(secret_pop)); + ret = secp256k1_ec_seckey_tweak_add(ctx, tmp, tweak_sum); + assert(ret); + ret = secp256k1_schnorr_adaptor_adapt(ctx, sig_bc, presig_bc, tmp); + assert(ret); + assert(secp256k1_schnorrsig_verify(ctx, sig_bc, tx_bc, sizeof(tx_bc), &pubkey_b)); + + /* Bob extracts the secret = z + tweak1 + tweak2 from his pre-signature + * and the BIP340 signature created by Carol. */ + ret = secp256k1_schnorr_adaptor_extract_sec(ctx, tmp, presig_bc, sig_bc); + assert(ret); + /* Bob claims his payment by adapting Alice's pre-signature with the + * secret = z + tweak1, to produce a valid BIP340 Schnorr signature. */ + ret = secp256k1_ec_seckey_negate(ctx, tweak2); + assert(ret); + ret = secp256k1_ec_seckey_tweak_add(ctx, tmp, tweak2); + assert(ret); + ret = secp256k1_schnorr_adaptor_adapt(ctx, sig_ab, presig_ab, tmp); + assert(ret); + assert(secp256k1_schnorrsig_verify(ctx, sig_ab, tx_ab, sizeof(tx_ab), &pubkey_a)); + + /* Alice extracts the proof of payment = z from her pre-signature + * and the BIP340 signature created by Bob. */ + ret = secp256k1_schnorr_adaptor_extract_sec(ctx, tmp, presig_ab, sig_ab); + assert(ret); + ret = secp256k1_ec_seckey_negate(ctx, tweak1); + assert(ret); + ret = secp256k1_ec_seckey_tweak_add(ctx, tmp, tweak1); + assert(ret); + assert(memcmp(tmp, secret_pop, sizeof(secret_pop)) == 0); + + printf("Multi-hop locks protocol successfully executed!!!\n"); + secp256k1_context_destroy(ctx); + return 0; +}