Switch to 32 byte public keys in bip-schnorr

author: Jonas Nick <jonasd.nick@gmail.com> 2019-07-06 16:32:41 +0000
committer: Pieter Wuille <pieter.wuille@gmail.com> 2020-01-19 14:47:33 -0800
commit: e084aafb8b6ebacbce559cc55151a392ef653788 (patch)
tree: e027bf66e71b5b3691caaf1cfc2bcc4bc39169ac /bip-schnorr/test-vectors.py
parent: 1a4b08ab72690caedae8b5398dde0fedd0a48856 (diff)
download: bips-e084aafb8b6ebacbce559cc55151a392ef653788.tar.xz
1 files changed, 215 insertions, 0 deletions
diff --git a/bip-schnorr/test-vectors.py b/bip-schnorr/test-vectors.py
new file mode 100644
index 0000000..5088400
--- /dev/null
+++ b/bip-schnorr/test-vectors.py
@@ -0,0 +1,215 @@
+import sys
+from reference import *
+
+def vector0():
+    seckey = 1
+    msg = bytes_from_int(0)
+    sig = schnorr_sign(msg, seckey)
+    pubkey = pubkey_gen(seckey)
+
+    # The point reconstructed from the public key has an even Y coordinate.
+    pubkey_point = point_from_bytes(pubkey)
+    assert(pubkey_point[1] & 1 == 0)
+
+    return (bytes_from_int(seckey), pubkey, msg, sig, "TRUE", None)
+
+def vector1():
+    seckey = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF
+    msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)
+    sig = schnorr_sign(msg, seckey)
+    pubkey = pubkey_gen(seckey)
+
+    # The point reconstructed from the public key has an odd Y coordinate.
+    pubkey_point = point_from_bytes(pubkey)
+    assert(pubkey_point[1] & 1 == 1)
+
+    return (bytes_from_int(seckey), pubkey, msg, sig, "TRUE", None)
+
+def vector2():
+    seckey = 0xC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C7
+    msg = bytes_from_int(0x5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C)
+    sig = schnorr_sign(msg, seckey)
+
+    # This signature does not verify vector if the implementer would check the
+    # jacobi symbol of the X coordinate of R instead of the Y coordinate.
+    R = point_from_bytes(sig[0:32])
+    assert(jacobi(R[0]) != 1)
+
+    return (bytes_from_int(seckey), pubkey_gen(seckey), msg, sig, "TRUE", None)
+
+def vector3():
+    seckey = 0x0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710
+    msg = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
+    sig = schnorr_sign(msg, seckey)
+    return (bytes_from_int(seckey), pubkey_gen(seckey), msg, sig, "TRUE", "test fails if msg is reduced modulo p or n")
+
+# Signs with a given nonce. Results in an invalid signature if y(kG) is not a
+# quadratic residue.
+def schnorr_sign_fixed_nonce(msg, seckey0, k):
+    if len(msg) != 32:
+        raise ValueError('The message must be a 32-byte array.')
+    if not (1 <= seckey0 <= n - 1):
+        raise ValueError('The secret key must be an integer in the range 1..n-1.')
+    P = point_mul(G, seckey0)
+    seckey = seckey0 if (jacobi(P[1]) == 1) else n - seckey0
+    R = point_mul(G, k)
+    e = int_from_bytes(hash_sha256(bytes_from_point(R) + bytes_from_point(P) + msg)) % n
+    return bytes_from_point(R) + bytes_from_int((k + e * seckey) % n)
+
+# Creates a singature with a small x(R) by using k = 1/2
+def vector4():
+    one_half = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
+    seckey = 0x763758E5CBEEDEE4F7D3FC86F531C36578933228998226672F13C4F0EBE855EB
+    msg = bytes_from_int(0x4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703)
+    sig = schnorr_sign_fixed_nonce(msg, seckey, one_half)
+    return (None, pubkey_gen(seckey), msg, sig, "TRUE", None)
+
+default_seckey = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF
+default_msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)
+
+def vector5():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey)
+
+    # Public key is not on the curve
+    pubkey = bytes_from_int(0xEEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34)
+    assert(point_from_bytes(pubkey) is None)
+
+    return (None, pubkey, msg, sig, "FALSE", "public key not on the curve")
+
+def vector6():
+    seckey = default_seckey
+    msg = default_msg
+    k = 3
+    sig = schnorr_sign_fixed_nonce(msg, seckey, k)
+
+    # Y coordinate of R is not a quadratic residue
+    R = point_mul(G, k)
+    assert(jacobi(R[1]) != 1)
+
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "incorrect R residuosity")
+
+def vector7():
+    seckey = default_seckey
+    msg = int_from_bytes(default_msg)
+    neg_msg = bytes_from_int(n - msg)
+    sig = schnorr_sign(neg_msg, seckey)
+    return (None, pubkey_gen(seckey), bytes_from_int(msg), sig, "FALSE", "negated message")
+
+def vector8():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey)
+    sig = sig[0:32] + bytes_from_int(n - int_from_bytes(sig[32:64]))
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "negated s value")
+
+def bytes_from_point_inf0(P):
+    if P == None:
+        return bytes_from_int(0)
+    return bytes_from_int(P[0])
+
+def vector9():
+    seckey = default_seckey
+    msg = default_msg
+
+    # Override bytes_from_point in schnorr_sign to allow creating a signature
+    # with k = 0.
+    k = 0
+    bytes_from_point_tmp = bytes_from_point.__code__
+    bytes_from_point.__code__ = bytes_from_point_inf0.__code__
+    sig = schnorr_sign_fixed_nonce(msg, seckey, k)
+    bytes_from_point.__code__ = bytes_from_point_tmp
+
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if jacobi(y(inf)) is defined as 1 and x(inf) as 0")
+
+def bytes_from_point_inf1(P):
+    if P == None:
+        return bytes_from_int(1)
+    return bytes_from_int(P[0])
+
+def vector10():
+    seckey = default_seckey
+    msg = default_msg
+
+    # Override bytes_from_point in schnorr_sign to allow creating a signature
+    # with k = 0.
+    k = 0
+    bytes_from_point_tmp = bytes_from_point.__code__
+    bytes_from_point.__code__ = bytes_from_point_inf1.__code__
+    sig = schnorr_sign_fixed_nonce(msg, seckey, k)
+    bytes_from_point.__code__ = bytes_from_point_tmp
+
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if jacobi(y(inf)) is defined as 1 and x(inf) as 1")
+
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which merely misses the check that sig[0:32] is an X
+# coordinate on the curve. This test vector just increases test coverage.
+def vector11():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey)
+
+    # Replace R's X coordinate with an X coordinate that's not on the curve
+    x_not_on_curve = bytes_from_int(0x4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D)
+    assert(point_from_bytes(x_not_on_curve) is None)
+    sig = x_not_on_curve + sig[32:64]
+
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is not an X coordinate on the curve")
+
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which merely misses the check that sig[0:32] is smaller
+# than the field size. This test vector just increases test coverage.
+def vector12():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey)
+
+    # Replace R's X coordinate with an X coordinate that's equal to field size
+    sig = bytes_from_int(p) + sig[32:64]
+
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is equal to field size")
+
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which merely misses the check that sig[32:64] is smaller
+# than the curve order. This test vector just increases test coverage.
+def vector13():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey)
+
+    # Replace s with a number that's equal to the curve order
+    sig = sig[0:32] + bytes_from_int(n)
+
+    return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[32:64] is equal to curve order")
+
+vectors = [
+        vector0(),
+        vector1(),
+        vector2(),
+        vector3(),
+        vector4(),
+        vector5(),
+        vector6(),
+        vector7(),
+        vector8(),
+        vector9(),
+        vector10(),
+        vector11(),
+        vector12(),
+        vector13(),
+    ]
+
+# Converts the byte strings of a test vector into hex strings
+def bytes_to_hex(seckey, pubkey, msg, sig, result, comment):
+    return (seckey.hex().upper() if seckey is not None else None, pubkey.hex().upper(), msg.hex().upper(), sig.hex().upper(), result, comment)
+
+vectors = list(map(lambda vector: bytes_to_hex(vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]), vectors))
+
+def print_csv(vectors):
+    writer = csv.writer(sys.stdout)
+    writer.writerow(("index", "secret key", "public key", "message", "signature", "verification result", "comment"))
+    for (i,v) in enumerate(vectors):
+        writer.writerow((i,)+v)
+
+print_csv(vectors)
author	Jonas Nick <jonasd.nick@gmail.com>	2019-07-06 16:32:41 +0000
committer	Pieter Wuille <pieter.wuille@gmail.com>	2020-01-19 14:47:33 -0800
commit	e084aafb8b6ebacbce559cc55151a392ef653788 (patch)
tree	e027bf66e71b5b3691caaf1cfc2bcc4bc39169ac /bip-schnorr/test-vectors.py
parent	1a4b08ab72690caedae8b5398dde0fedd0a48856 (diff)
download	bips-e084aafb8b6ebacbce559cc55151a392ef653788.tar.xz