signature_test.go raw
1 // Copyright (c) 2013-2017 The btcsuite developers
2 // Copyright (c) 2015-2021 The Decred developers
3 // Use of this source code is governed by an ISC
4 // license that can be found in the LICENSE file.
5
6 package schnorr
7
8 import (
9 "errors"
10 "strings"
11 "testing"
12 "testing/quick"
13
14 "next.orly.dev/pkg/nostr/crypto/ec"
15 "next.orly.dev/pkg/nostr/crypto/ec/secp256k1"
16 "next.orly.dev/pkg/nostr/encoders/hex"
17 "next.orly.dev/pkg/lol/chk"
18
19 "github.com/davecgh/go-spew/spew"
20 )
21
22 type bip340Test struct {
23 secretKey string
24 publicKey string
25 auxRand string
26 message string
27 signature string
28 verifyResult bool
29 validPubKey bool
30 expectErr error
31 rfc6979 bool
32 }
33
34 var bip340TestVectors = []bip340Test{
35 {
36 secretKey: "0000000000000000000000000000000000000000000000000000000000000003",
37 publicKey: "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9",
38 auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
39 message: "0000000000000000000000000000000000000000000000000000000000000000",
40 signature: "04E7F9037658A92AFEB4F25BAE5339E3DDCA81A353493827D26F16D92308E49E2A25E92208678A2DF86970DA91B03A8AF8815A8A60498B358DAF560B347AA557",
41 verifyResult: true,
42 validPubKey: true,
43 rfc6979: true,
44 },
45 {
46 secretKey: "0000000000000000000000000000000000000000000000000000000000000003",
47 publicKey: "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9",
48 auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
49 message: "0000000000000000000000000000000000000000000000000000000000000000",
50 signature: "E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0",
51 verifyResult: true,
52 validPubKey: true,
53 },
54 {
55 secretKey: "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF",
56 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
57 auxRand: "0000000000000000000000000000000000000000000000000000000000000001",
58 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
59 signature: "6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A",
60 verifyResult: true,
61 validPubKey: true,
62 },
63 {
64 secretKey: "C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9",
65 publicKey: "DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8",
66 auxRand: "C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906",
67 message: "7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
68 signature: "5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7",
69 verifyResult: true,
70 validPubKey: true,
71 },
72 {
73 secretKey: "0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710",
74 publicKey: "25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517",
75 auxRand: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
76 message: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
77 signature: "7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3",
78 verifyResult: true,
79 validPubKey: true,
80 },
81 {
82 publicKey: "D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9",
83 message: "4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703",
84 signature: "00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4",
85 verifyResult: true,
86 validPubKey: true,
87 },
88 {
89 publicKey: "EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34",
90 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
91 signature: "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
92 verifyResult: false,
93 validPubKey: false,
94 expectErr: secp256k1.ErrPubKeyNotOnCurve,
95 },
96 {
97 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
98 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
99 signature: "FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2",
100 verifyResult: false,
101 validPubKey: true,
102 expectErr: ErrSigRYIsOdd,
103 },
104 {
105 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
106 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
107 signature: "1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD",
108 verifyResult: false,
109 validPubKey: true,
110 expectErr: ErrSigRYIsOdd,
111 },
112 {
113 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
114 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
115 signature: "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6",
116 verifyResult: false,
117 validPubKey: true,
118 expectErr: ErrUnequalRValues,
119 },
120 {
121 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
122 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
123 signature: "0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051",
124 verifyResult: false,
125 validPubKey: true,
126 expectErr: ErrSigRNotOnCurve,
127 },
128 {
129 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
130 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
131 signature: "00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197",
132 verifyResult: false,
133 validPubKey: true,
134 expectErr: ErrSigRNotOnCurve,
135 },
136 {
137 publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
138 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
139 signature: "4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
140 verifyResult: false,
141 validPubKey: true,
142 expectErr: ErrUnequalRValues,
143 },
144 {
145 publicKey: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30",
146 message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
147 signature: "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
148 verifyResult: false,
149 validPubKey: false,
150 expectErr: secp256k1.ErrPubKeyXTooBig,
151 },
152 {
153 secretKey: "0340034003400340034003400340034003400340034003400340034003400340",
154 publicKey: "778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117",
155 auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
156 message: "",
157 signature: "71535DB165ECD9FBBC046E5FFAEA61186BB6AD436732FCCC25291A55895464CF6069CE26BF03466228F19A3A62DB8A649F2D560FAC652827D1AF0574E427AB63",
158 verifyResult: true,
159 validPubKey: true,
160 },
161 {
162 secretKey: "0340034003400340034003400340034003400340034003400340034003400340",
163 publicKey: "778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117",
164 auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
165 message: "11",
166 signature: "08A20A0AFEF64124649232E0693C583AB1B9934AE63B4C3511F3AE1134C6A303EA3173BFEA6683BD101FA5AA5DBC1996FE7CACFC5A577D33EC14564CEC2BACBF",
167 verifyResult: true,
168 validPubKey: true,
169 },
170 {
171 secretKey: "0340034003400340034003400340034003400340034003400340034003400340",
172 publicKey: "778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117",
173 auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
174 message: "0102030405060708090A0B0C0D0E0F1011",
175 signature: "5130F39A4059B43BC7CAC09A19ECE52B5D8699D1A71E3C52DA9AFDB6B50AC370C4A482B77BF960F8681540E25B6771ECE1E5A37FD80E5A51897C5566A97EA5A5",
176 verifyResult: true,
177 validPubKey: true,
178 },
179 {
180 secretKey: "0340034003400340034003400340034003400340034003400340034003400340",
181 publicKey: "778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117",
182 auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
183 message: "99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999",
184 signature: "403B12B0D8555A344175EA7EC746566303321E5DBFA8BE6F091635163ECA79A8585ED3E3170807E7C03B720FC54C7B23897FCBA0E9D0B4A06894CFD249F22367",
185 verifyResult: true,
186 validPubKey: true,
187 },
188 }
189
190 // decodeHex decodes the passed hex string and returns the resulting bytes. It
191 // panics if an error occurs. This is only used in the tests as a helper since
192 // the only way it can fail is if there is an error in the test source code.
193 func decodeHex(hexStr string) []byte {
194 b, err := hex.Dec(hexStr)
195 if err != nil {
196 panic(
197 "invalid hex string in test source: err " + err.Error() +
198 ", hex: " + hexStr,
199 )
200 }
201 return b
202 }
203
204 func TestSchnorrSign(t *testing.T) {
205 // t.Parallel()
206 for i, test := range bip340TestVectors {
207 if len(test.secretKey) == 0 {
208 continue
209 }
210 d := decodeHex(test.secretKey)
211 privKey, _ := btcec.SecKeyFromBytes(d)
212 var auxBytes [32]byte
213 aux := decodeHex(test.auxRand)
214 copy(auxBytes[:], aux)
215 msg := decodeHex(test.message)
216 var signOpts []SignOption
217 if !test.rfc6979 {
218 signOpts = []SignOption{CustomNonce(auxBytes)}
219 }
220 sig, err := Sign(privKey, msg, signOpts...)
221 if err != nil {
222 t.Fatalf("test #%v: sig generation failed: %v", i+1, err)
223 }
224 if strings.ToUpper(hex.Enc(sig.Serialize())) != test.signature {
225 t.Fatalf(
226 "test #%v: got signature %x : "+
227 "want %s", i+1, sig.Serialize(), test.signature,
228 )
229 }
230 pubKeyBytes := decodeHex(test.publicKey)
231 err = schnorrVerify(sig, msg, pubKeyBytes)
232 if err != nil {
233 t.Fail()
234 }
235 verify := err == nil
236 if test.verifyResult != verify {
237 t.Fatalf(
238 "test #%v: verification mismatch: "+
239 "expected %v, got %v", i+1, test.verifyResult, verify,
240 )
241 }
242 }
243 }
244
245 func TestSchnorrVerify(t *testing.T) {
246 t.Parallel()
247 for i, test := range bip340TestVectors {
248 pubKeyBytes := decodeHex(test.publicKey)
249 _, err := ParsePubKey(pubKeyBytes)
250 switch {
251 case !test.validPubKey && err != nil:
252 if !errors.Is(err, test.expectErr) {
253 t.Fatalf(
254 "test #%v: pubkey validation should "+
255 "have failed, expected %v, got %v", i,
256 test.expectErr, err,
257 )
258 }
259 continue
260 case err != nil:
261 t.Fatalf("test #%v: unable to parse pubkey: %v", i, err)
262 }
263 msg := decodeHex(test.message)
264 sig, err := ParseSignature(decodeHex(test.signature))
265 if err != nil {
266 t.Fatalf("unable to parse sig: %v", err)
267 }
268 err = schnorrVerify(sig, msg, pubKeyBytes)
269 if err != nil && test.verifyResult {
270 t.Fatalf(
271 "test #%v: verification shouldn't have failed: %v", i+1,
272 err,
273 )
274 }
275 verify := err == nil
276 if test.verifyResult != verify {
277 t.Fatalf(
278 "test #%v: verificaiton mismatch: expected "+
279 "%v, got %v", i, test.verifyResult, verify,
280 )
281 }
282 if !test.verifyResult && test.expectErr != nil {
283 if !errors.Is(err, test.expectErr) {
284 t.Fatalf(
285 "test #%v: expect error %v : got %v", i,
286 test.expectErr, err,
287 )
288 }
289 }
290 }
291 }
292
293 // TestSchnorrSignNoMutate tests that generating a schnorr signature doesn't
294 // modify/mutate the underlying secret key.
295 func TestSchnorrSignNoMutate(t *testing.T) {
296 t.Parallel()
297 // Assert that given a random secret key and message, we can generate
298 // a signature from that w/o modifying the underlying secret key.
299 f := func(privBytes, msg [32]byte) bool {
300 privBytesCopy := privBytes
301 privKey, _ := btcec.SecKeyFromBytes(privBytesCopy[:])
302 // Generate a signature for secret key with our message.
303 _, err := Sign(privKey, msg[:])
304 if err != nil {
305 t.Logf("unable to gen sig: %v", err)
306 return false
307 }
308 // We should be able to re-derive the secret key from raw
309 // bytes and have that match up again.
310 privKeyCopy, _ := btcec.SecKeyFromBytes(privBytes[:])
311 if *privKey != *privKeyCopy {
312 t.Logf(
313 "secret doesn't match: expected %v, got %v",
314 spew.Sdump(privKeyCopy), spew.Sdump(privKey),
315 )
316 return false
317 }
318 return true
319 }
320 if err := quick.Check(f, nil); chk.T(err) {
321 t.Fatalf("secret key modified: %v", err)
322 }
323 }
324