bitcoin-bips/bip-schnorr/test-vectors.py

import sys
from reference import *

def vector0():
    seckey = bytes_from_int(1)
    msg = bytes_from_int(0)
    sig = schnorr_sign(msg, seckey)
    pubkey = pubkey_gen(seckey)

    # The point reconstructed from the public key has an even Y coordinate.
    pubkey_point = point_from_bytes(pubkey)
    assert(pubkey_point[1] & 1 == 0)

    return (seckey, pubkey, msg, sig, "TRUE", None)

def vector1():
    seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF)
    msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)
    sig = schnorr_sign(msg, seckey)
    pubkey = pubkey_gen(seckey)

    # The point reconstructed from the public key has an odd Y coordinate.
    pubkey_point = point_from_bytes(pubkey)
    assert(pubkey_point[1] & 1 == 1)

    return (seckey, pubkey, msg, sig, "TRUE", None)

def vector2():
    seckey = bytes_from_int(0xC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9)
    msg = bytes_from_int(0x5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C)
    sig = schnorr_sign(msg, seckey)

    # This signature vector would not verify if the implementer checked the
    # squareness of the X coordinate of R instead of the Y coordinate.
    R = point_from_bytes(sig[0:32])
    assert(not is_square(R[0]))

    return (seckey, pubkey_gen(seckey), msg, sig, "TRUE", None)

def vector3():
    seckey = bytes_from_int(0x0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710)
    msg = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
    sig = schnorr_sign(msg, seckey)
    return (seckey, pubkey_gen(seckey), msg, sig, "TRUE", "test fails if msg is reduced modulo p or n")

# Signs with a given nonce. Results in an invalid signature if y(kG) is not a square
def schnorr_sign_fixed_nonce(msg, seckey0, k):
    if len(msg) != 32:
        raise ValueError('The message must be a 32-byte array.')
    seckey0 = int_from_bytes(seckey0)
    if not (1 <= seckey0 <= n - 1):
        raise ValueError('The secret key must be an integer in the range 1..n-1.')
    P = point_mul(G, seckey0)
    seckey = seckey0 if has_square_y(P) else n - seckey0
    R = point_mul(G, k)
    e = int_from_bytes(tagged_hash("BIPSchnorr", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
    return bytes_from_point(R) + bytes_from_int((k + e * seckey) % n)

# Creates a singature with a small x(R) by using k = 1/2
def vector4():
    one_half = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
    seckey = bytes_from_int(0x763758E5CBEEDEE4F7D3FC86F531C36578933228998226672F13C4F0EBE855EB)
    msg = bytes_from_int(0x4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703)
    sig = schnorr_sign_fixed_nonce(msg, seckey, one_half)
    return (None, pubkey_gen(seckey), msg, sig, "TRUE", None)

default_seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF)
default_msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)

def vector5():
    seckey = default_seckey
    msg = default_msg
    sig = schnorr_sign(msg, seckey)

    # Public key is not on the curve
    pubkey = bytes_from_int(0xEEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34)
    assert(point_from_bytes(pubkey) is None)

    return (None, pubkey, msg, sig, "FALSE", "public key not on the curve")

def vector6():
    seckey = default_seckey
    msg = default_msg
    k = 3
    sig = schnorr_sign_fixed_nonce(msg, seckey, k)

    # Y coordinate of R is not a square
    R = point_mul(G, k)
    assert(not has_square_y(R))

    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "has_square_y(R) is false")

def vector7():
    seckey = default_seckey
    msg = int_from_bytes(default_msg)
    neg_msg = bytes_from_int(n - msg)
    sig = schnorr_sign(neg_msg, seckey)
    return (None, pubkey_gen(seckey), bytes_from_int(msg), sig, "FALSE", "negated message")

def vector8():
    seckey = default_seckey
    msg = default_msg
    sig = schnorr_sign(msg, seckey)
    sig = sig[0:32] + bytes_from_int(n - int_from_bytes(sig[32:64]))
    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "negated s value")

def bytes_from_point_inf0(P):
    if P == None:
        return bytes_from_int(0)
    return bytes_from_int(P[0])

def vector9():
    seckey = default_seckey
    msg = default_msg

    # Override bytes_from_point in schnorr_sign to allow creating a signature
    # with k = 0.
    k = 0
    bytes_from_point_tmp = bytes_from_point.__code__
    bytes_from_point.__code__ = bytes_from_point_inf0.__code__
    sig = schnorr_sign_fixed_nonce(msg, seckey, k)
    bytes_from_point.__code__ = bytes_from_point_tmp

    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 0")

def bytes_from_point_inf1(P):
    if P == None:
        return bytes_from_int(1)
    return bytes_from_int(P[0])

def vector10():
    seckey = default_seckey
    msg = default_msg

    # Override bytes_from_point in schnorr_sign to allow creating a signature
    # with k = 0.
    k = 0
    bytes_from_point_tmp = bytes_from_point.__code__
    bytes_from_point.__code__ = bytes_from_point_inf1.__code__
    sig = schnorr_sign_fixed_nonce(msg, seckey, k)
    bytes_from_point.__code__ = bytes_from_point_tmp

    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 1")

# It's cryptographically impossible to create a test vector that fails if run
# in an implementation which merely misses the check that sig[0:32] is an X
# coordinate on the curve. This test vector just increases test coverage.
def vector11():
    seckey = default_seckey
    msg = default_msg
    sig = schnorr_sign(msg, seckey)

    # Replace R's X coordinate with an X coordinate that's not on the curve
    x_not_on_curve = bytes_from_int(0x4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D)
    assert(point_from_bytes(x_not_on_curve) is None)
    sig = x_not_on_curve + sig[32:64]

    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is not an X coordinate on the curve")

# It's cryptographically impossible to create a test vector that fails if run
# in an implementation which merely misses the check that sig[0:32] is smaller
# than the field size. This test vector just increases test coverage.
def vector12():
    seckey = default_seckey
    msg = default_msg
    sig = schnorr_sign(msg, seckey)

    # Replace R's X coordinate with an X coordinate that's equal to field size
    sig = bytes_from_int(p) + sig[32:64]

    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is equal to field size")

# It's cryptographically impossible to create a test vector that fails if run
# in an implementation which merely misses the check that sig[32:64] is smaller
# than the curve order. This test vector just increases test coverage.
def vector13():
    seckey = default_seckey
    msg = default_msg
    sig = schnorr_sign(msg, seckey)

    # Replace s with a number that's equal to the curve order
    sig = sig[0:32] + bytes_from_int(n)

    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[32:64] is equal to curve order")

vectors = [
        vector0(),
        vector1(),
        vector2(),
        vector3(),
        vector4(),
        vector5(),
        vector6(),
        vector7(),
        vector8(),
        vector9(),
        vector10(),
        vector11(),
        vector12(),
        vector13(),
    ]

# Converts the byte strings of a test vector into hex strings
def bytes_to_hex(seckey, pubkey, msg, sig, result, comment):
    return (seckey.hex().upper() if seckey is not None else None, pubkey.hex().upper(), msg.hex().upper(), sig.hex().upper(), result, comment)

vectors = list(map(lambda vector: bytes_to_hex(vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]), vectors))

def print_csv(vectors):
    writer = csv.writer(sys.stdout)
    writer.writerow(("index", "secret key", "public key", "message", "signature", "verification result", "comment"))
    for (i,v) in enumerate(vectors):
        writer.writerow((i,)+v)

print_csv(vectors)
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`import sys`
			`from reference import *`

			`def vector0():`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`seckey = bytes_from_int(1)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`msg = bytes_from_int(0)`
			`sig = schnorr_sign(msg, seckey)`
			`pubkey = pubkey_gen(seckey)`

			`# The point reconstructed from the public key has an even Y coordinate.`
			`pubkey_point = point_from_bytes(pubkey)`
			`assert(pubkey_point[1] & 1 == 0)`

Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`return (seckey, pubkey, msg, sig, "TRUE", None)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
			`def vector1():`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)`
			`sig = schnorr_sign(msg, seckey)`
			`pubkey = pubkey_gen(seckey)`

			`# The point reconstructed from the public key has an odd Y coordinate.`
			`pubkey_point = point_from_bytes(pubkey)`
			`assert(pubkey_point[1] & 1 == 1)`

Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`return (seckey, pubkey, msg, sig, "TRUE", None)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
			`def vector2():`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`seckey = bytes_from_int(0xC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`msg = bytes_from_int(0x5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C)`
			`sig = schnorr_sign(msg, seckey)`

Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`# This signature vector would not verify if the implementer checked the`
			`# squareness of the X coordinate of R instead of the Y coordinate.`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`R = point_from_bytes(sig[0:32])`
Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`assert(not is_square(R[0]))`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`return (seckey, pubkey_gen(seckey), msg, sig, "TRUE", None)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
			`def vector3():`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`seckey = bytes_from_int(0x0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`msg = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)`
			`sig = schnorr_sign(msg, seckey)`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`return (seckey, pubkey_gen(seckey), msg, sig, "TRUE", "test fails if msg is reduced modulo p or n")`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`# Signs with a given nonce. Results in an invalid signature if y(kG) is not a square`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`def schnorr_sign_fixed_nonce(msg, seckey0, k):`
			`if len(msg) != 32:`
			`raise ValueError('The message must be a 32-byte array.')`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`seckey0 = int_from_bytes(seckey0)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`if not (1 <= seckey0 <= n - 1):`
			`raise ValueError('The secret key must be an integer in the range 1..n-1.')`
			`P = point_mul(G, seckey0)`
Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`seckey = seckey0 if has_square_y(P) else n - seckey0`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`R = point_mul(G, k)`
Tag signature hashes, improve rationale and update test vectors 2019-08-26 22:46:08 +02:00			`e = int_from_bytes(tagged_hash("BIPSchnorr", bytes_from_point(R) + bytes_from_point(P) + msg)) % n`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`return bytes_from_point(R) + bytes_from_int((k + e * seckey) % n)`

			`# Creates a singature with a small x(R) by using k = 1/2`
			`def vector4():`
			`one_half = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0`
Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`seckey = bytes_from_int(0x763758E5CBEEDEE4F7D3FC86F531C36578933228998226672F13C4F0EBE855EB)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`msg = bytes_from_int(0x4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703)`
			`sig = schnorr_sign_fixed_nonce(msg, seckey, one_half)`
			`return (None, pubkey_gen(seckey), msg, sig, "TRUE", None)`

Fix test vector generation code after changing schnorrsig_sign api 2019-11-01 15:44:02 +01:00			`default_seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF)`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`default_msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)`

			`def vector5():`
			`seckey = default_seckey`
			`msg = default_msg`
			`sig = schnorr_sign(msg, seckey)`

			`# Public key is not on the curve`
			`pubkey = bytes_from_int(0xEEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34)`
			`assert(point_from_bytes(pubkey) is None)`

			`return (None, pubkey, msg, sig, "FALSE", "public key not on the curve")`

			`def vector6():`
			`seckey = default_seckey`
			`msg = default_msg`
			`k = 3`
			`sig = schnorr_sign_fixed_nonce(msg, seckey, k)`

Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`# Y coordinate of R is not a square`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00			`R = point_mul(G, k)`
Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`assert(not has_square_y(R))`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
Adjust test vector generation code to latest terminology 2019-11-01 15:50:26 +01:00			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "has_square_y(R) is false")`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
			`def vector7():`
			`seckey = default_seckey`
			`msg = int_from_bytes(default_msg)`
			`neg_msg = bytes_from_int(n - msg)`
			`sig = schnorr_sign(neg_msg, seckey)`
			`return (None, pubkey_gen(seckey), bytes_from_int(msg), sig, "FALSE", "negated message")`

			`def vector8():`
			`seckey = default_seckey`
			`msg = default_msg`
			`sig = schnorr_sign(msg, seckey)`
			`sig = sig[0:32] + bytes_from_int(n - int_from_bytes(sig[32:64]))`
			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "negated s value")`

			`def bytes_from_point_inf0(P):`
			`if P == None:`
			`return bytes_from_int(0)`
			`return bytes_from_int(P[0])`

			`def vector9():`
			`seckey = default_seckey`
			`msg = default_msg`

			`# Override bytes_from_point in schnorr_sign to allow creating a signature`
			`# with k = 0.`
			`k = 0`
			`bytes_from_point_tmp = bytes_from_point.__code__`
			`bytes_from_point.__code__ = bytes_from_point_inf0.__code__`
			`sig = schnorr_sign_fixed_nonce(msg, seckey, k)`
			`bytes_from_point.__code__ = bytes_from_point_tmp`

Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 0")`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
			`def bytes_from_point_inf1(P):`
			`if P == None:`
			`return bytes_from_int(1)`
			`return bytes_from_int(P[0])`

			`def vector10():`
			`seckey = default_seckey`
			`msg = default_msg`

			`# Override bytes_from_point in schnorr_sign to allow creating a signature`
			`# with k = 0.`
			`k = 0`
			`bytes_from_point_tmp = bytes_from_point.__code__`
			`bytes_from_point.__code__ = bytes_from_point_inf1.__code__`
			`sig = schnorr_sign_fixed_nonce(msg, seckey, k)`
			`bytes_from_point.__code__ = bytes_from_point_tmp`

Settle on notation: is_square(y), has_square_y(P) 2019-11-04 20:56:48 +01:00			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 1")`
Switch to 32 byte public keys in bip-schnorr 2019-07-06 18:32:41 +02:00
			`# It's cryptographically impossible to create a test vector that fails if run`
			`# in an implementation which merely misses the check that sig[0:32] is an X`
			`# coordinate on the curve. This test vector just increases test coverage.`
			`def vector11():`
			`seckey = default_seckey`
			`msg = default_msg`
			`sig = schnorr_sign(msg, seckey)`

			`# Replace R's X coordinate with an X coordinate that's not on the curve`
			`x_not_on_curve = bytes_from_int(0x4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D)`
			`assert(point_from_bytes(x_not_on_curve) is None)`
			`sig = x_not_on_curve + sig[32:64]`

			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is not an X coordinate on the curve")`

			`# It's cryptographically impossible to create a test vector that fails if run`
			`# in an implementation which merely misses the check that sig[0:32] is smaller`
			`# than the field size. This test vector just increases test coverage.`
			`def vector12():`
			`seckey = default_seckey`
			`msg = default_msg`
			`sig = schnorr_sign(msg, seckey)`

			`# Replace R's X coordinate with an X coordinate that's equal to field size`
			`sig = bytes_from_int(p) + sig[32:64]`

			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is equal to field size")`

			`# It's cryptographically impossible to create a test vector that fails if run`
			`# in an implementation which merely misses the check that sig[32:64] is smaller`
			`# than the curve order. This test vector just increases test coverage.`
			`def vector13():`
			`seckey = default_seckey`
			`msg = default_msg`
			`sig = schnorr_sign(msg, seckey)`

			`# Replace s with a number that's equal to the curve order`
			`sig = sig[0:32] + bytes_from_int(n)`

			`return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[32:64] is equal to curve order")`

			`vectors = [`
			`vector0(),`
			`vector1(),`
			`vector2(),`
			`vector3(),`
			`vector4(),`
			`vector5(),`
			`vector6(),`
			`vector7(),`
			`vector8(),`
			`vector9(),`
			`vector10(),`
			`vector11(),`
			`vector12(),`
			`vector13(),`
			`]`

			`# Converts the byte strings of a test vector into hex strings`
			`def bytes_to_hex(seckey, pubkey, msg, sig, result, comment):`
			`return (seckey.hex().upper() if seckey is not None else None, pubkey.hex().upper(), msg.hex().upper(), sig.hex().upper(), result, comment)`

			`vectors = list(map(lambda vector: bytes_to_hex(vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]), vectors))`

			`def print_csv(vectors):`
			`writer = csv.writer(sys.stdout)`
			`writer.writerow(("index", "secret key", "public key", "message", "signature", "verification result", "comment"))`
			`for (i,v) in enumerate(vectors):`
			`writer.writerow((i,)+v)`

			`print_csv(vectors)`