3 files changed, 541 insertions, 0 deletions
diff --git a/bip-0340/reference.py b/bip-0340/reference.py
new file mode 100644
index 0000000..b327e0a
--- /dev/null
+++ b/bip-0340/reference.py
@@ -0,0 +1,221 @@
+from typing import Tuple, Optional, Any
+import hashlib
+import binascii
+
+# Set DEBUG to True to get a detailed debug output including
+# intermediate values during key generation, signing, and
+# verification. This is implemented via calls to the
+# debug_print_vars() function.
+#
+# If you want to print values on an individual basis, use
+# the pretty() function, e.g., print(pretty(foo)).
+DEBUG = False
+
+p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
+n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
+
+# Points are tuples of X and Y coordinates and the point at infinity is
+# represented by the None keyword.
+G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
+
+Point = Tuple[int, int]
+
+# This implementation can be sped up by storing the midstate after hashing
+# tag_hash instead of rehashing it all the time.
+def tagged_hash(tag: str, msg: bytes) -> bytes:
+    tag_hash = hashlib.sha256(tag.encode()).digest()
+    return hashlib.sha256(tag_hash + tag_hash + msg).digest()
+
+def is_infinite(P: Optional[Point]) -> bool:
+    return P is None
+
+def x(P: Point) -> int:
+    assert not is_infinite(P)
+    return P[0]
+
+def y(P: Point) -> int:
+    assert not is_infinite(P)
+    return P[1]
+
+def point_add(P1: Optional[Point], P2: Optional[Point]) -> Optional[Point]:
+    if P1 is None:
+        return P2
+    if P2 is None:
+        return P1
+    if (x(P1) == x(P2)) and (y(P1) != y(P2)):
+        return None
+    if P1 == P2:
+        lam = (3 * x(P1) * x(P1) * pow(2 * y(P1), p - 2, p)) % p
+    else:
+        lam = ((y(P2) - y(P1)) * pow(x(P2) - x(P1), p - 2, p)) % p
+    x3 = (lam * lam - x(P1) - x(P2)) % p
+    return (x3, (lam * (x(P1) - x3) - y(P1)) % p)
+
+def point_mul(P: Optional[Point], n: int) -> Optional[Point]:
+    R = None
+    for i in range(256):
+        if (n >> i) & 1:
+            R = point_add(R, P)
+        P = point_add(P, P)
+    return R
+
+def bytes_from_int(x: int) -> bytes:
+    return x.to_bytes(32, byteorder="big")
+
+def bytes_from_point(P: Point) -> bytes:
+    return bytes_from_int(x(P))
+
+def xor_bytes(b0: bytes, b1: bytes) -> bytes:
+    return bytes(x ^ y for (x, y) in zip(b0, b1))
+
+def lift_x(x: int) -> Optional[Point]:
+    if x >= p:
+        return None
+    y_sq = (pow(x, 3, p) + 7) % p
+    y = pow(y_sq, (p + 1) // 4, p)
+    if pow(y, 2, p) != y_sq:
+        return None
+    return (x, y if y & 1 == 0 else p-y)
+
+def int_from_bytes(b: bytes) -> int:
+    return int.from_bytes(b, byteorder="big")
+
+def hash_sha256(b: bytes) -> bytes:
+    return hashlib.sha256(b).digest()
+
+def has_even_y(P: Point) -> bool:
+    assert not is_infinite(P)
+    return y(P) % 2 == 0
+
+def pubkey_gen(seckey: bytes) -> bytes:
+    d0 = int_from_bytes(seckey)
+    if not (1 <= d0 <= n - 1):
+        raise ValueError('The secret key must be an integer in the range 1..n-1.')
+    P = point_mul(G, d0)
+    assert P is not None
+    return bytes_from_point(P)
+
+def schnorr_sign(msg: bytes, seckey: bytes, aux_rand: bytes) -> bytes:
+    d0 = int_from_bytes(seckey)
+    if not (1 <= d0 <= n - 1):
+        raise ValueError('The secret key must be an integer in the range 1..n-1.')
+    if len(aux_rand) != 32:
+        raise ValueError('aux_rand must be 32 bytes instead of %i.' % len(aux_rand))
+    P = point_mul(G, d0)
+    assert P is not None
+    d = d0 if has_even_y(P) else n - d0
+    t = xor_bytes(bytes_from_int(d), tagged_hash("BIP0340/aux", aux_rand))
+    k0 = int_from_bytes(tagged_hash("BIP0340/nonce", t + bytes_from_point(P) + msg)) % n
+    if k0 == 0:
+        raise RuntimeError('Failure. This happens only with negligible probability.')
+    R = point_mul(G, k0)
+    assert R is not None
+    k = n - k0 if not has_even_y(R) else k0
+    e = int_from_bytes(tagged_hash("BIP0340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
+    sig = bytes_from_point(R) + bytes_from_int((k + e * d) % n)
+    debug_print_vars()
+    if not schnorr_verify(msg, bytes_from_point(P), sig):
+        raise RuntimeError('The created signature does not pass verification.')
+    return sig
+
+def schnorr_verify(msg: bytes, pubkey: bytes, sig: bytes) -> bool:
+    if len(pubkey) != 32:
+        raise ValueError('The public key must be a 32-byte array.')
+    if len(sig) != 64:
+        raise ValueError('The signature must be a 64-byte array.')
+    P = lift_x(int_from_bytes(pubkey))
+    r = int_from_bytes(sig[0:32])
+    s = int_from_bytes(sig[32:64])
+    if (P is None) or (r >= p) or (s >= n):
+        debug_print_vars()
+        return False
+    e = int_from_bytes(tagged_hash("BIP0340/challenge", sig[0:32] + pubkey + msg)) % n
+    R = point_add(point_mul(G, s), point_mul(P, n - e))
+    if (R is None) or (not has_even_y(R)) or (x(R) != r):
+        debug_print_vars()
+        return False
+    debug_print_vars()
+    return True
+
+#
+# The following code is only used to verify the test vectors.
+#
+import csv
+import os
+import sys
+
+def test_vectors() -> bool:
+    all_passed = True
+    with open(os.path.join(sys.path[0], 'test-vectors.csv'), newline='') as csvfile:
+        reader = csv.reader(csvfile)
+        reader.__next__()
+        for row in reader:
+            (index, seckey_hex, pubkey_hex, aux_rand_hex, msg_hex, sig_hex, result_str, comment) = row
+            pubkey = bytes.fromhex(pubkey_hex)
+            msg = bytes.fromhex(msg_hex)
+            sig = bytes.fromhex(sig_hex)
+            result = result_str == 'TRUE'
+            print('\nTest vector', ('#' + index).rjust(3, ' ') + ':')
+            if seckey_hex != '':
+                seckey = bytes.fromhex(seckey_hex)
+                pubkey_actual = pubkey_gen(seckey)
+                if pubkey != pubkey_actual:
+                    print(' * Failed key generation.')
+                    print('   Expected key:', pubkey.hex().upper())
+                    print('     Actual key:', pubkey_actual.hex().upper())
+                aux_rand = bytes.fromhex(aux_rand_hex)
+                try:
+                    sig_actual = schnorr_sign(msg, seckey, aux_rand)
+                    if sig == sig_actual:
+                        print(' * Passed signing test.')
+                    else:
+                        print(' * Failed signing test.')
+                        print('   Expected signature:', sig.hex().upper())
+                        print('     Actual signature:', sig_actual.hex().upper())
+                        all_passed = False
+                except RuntimeError as e:
+                    print(' * Signing test raised exception:', e)
+                    all_passed = False
+            result_actual = schnorr_verify(msg, pubkey, sig)
+            if result == result_actual:
+                print(' * Passed verification test.')
+            else:
+                print(' * Failed verification test.')
+                print('   Expected verification result:', result)
+                print('     Actual verification result:', result_actual)
+                if comment:
+                    print('   Comment:', comment)
+                all_passed = False
+    print()
+    if all_passed:
+        print('All test vectors passed.')
+    else:
+        print('Some test vectors failed.')
+    return all_passed
+
+#
+# The following code is only used for debugging
+#
+import inspect
+
+def pretty(v: Any) -> Any:
+    if isinstance(v, bytes):
+        return '0x' + v.hex()
+    if isinstance(v, int):
+        return pretty(bytes_from_int(v))
+    if isinstance(v, tuple):
+        return tuple(map(pretty, v))
+    return v
+
+def debug_print_vars() -> None:
+    if DEBUG:
+        current_frame = inspect.currentframe()
+        assert current_frame is not None
+        frame = current_frame.f_back
+        assert frame is not None
+        print('   Variables in function ', frame.f_code.co_name, ' at line ', frame.f_lineno, ':', sep='')
+        for var_name, var_val in frame.f_locals.items():
+            print('   ' + var_name.rjust(11, ' '), '==', pretty(var_val))
+
+if __name__ == '__main__':
+    test_vectors()
diff --git a/bip-0340/test-vectors.csv b/bip-0340/test-vectors.csv
new file mode 100644
index 0000000..6723391
--- /dev/null
+++ b/bip-0340/test-vectors.csv
@@ -0,0 +1,20 @@
+index,secret key,public key,aux_rand,message,signature,verification result,comment
+0,0000000000000000000000000000000000000000000000000000000000000003,F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9,0000000000000000000000000000000000000000000000000000000000000000,0000000000000000000000000000000000000000000000000000000000000000,E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0,TRUE,
+1,B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,0000000000000000000000000000000000000000000000000000000000000001,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A,TRUE,
+2,C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9,DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8,C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906,7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C,5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7,TRUE,
+3,0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710,25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3,TRUE,test fails if msg is reduced modulo p or n
+4,,D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9,,4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703,00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4,TRUE,
+5,,EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B,FALSE,public key not on the curve
+6,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2,FALSE,has_even_y(R) is false
+7,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD,FALSE,negated message
+8,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6,FALSE,negated s value
+9,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051,FALSE,sG - eP is infinite. Test fails in single verification if has_even_y(inf) is defined as true and x(inf) as 0
+10,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197,FALSE,sG - eP is infinite. Test fails in single verification if has_even_y(inf) is defined as true and x(inf) as 1
+11,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B,FALSE,sig[0:32] is not an X coordinate on the curve
+12,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B,FALSE,sig[0:32] is equal to field size
+13,,DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,FALSE,sig[32:64] is equal to curve order
+14,,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30,,243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89,6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B,FALSE,public key is not a valid X coordinate because it exceeds the field size
+15,0340034003400340034003400340034003400340034003400340034003400340,778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117,0000000000000000000000000000000000000000000000000000000000000000,,71535DB165ECD9FBBC046E5FFAEA61186BB6AD436732FCCC25291A55895464CF6069CE26BF03466228F19A3A62DB8A649F2D560FAC652827D1AF0574E427AB63,TRUE,message of size 0 (added 2022-12)
+16,0340034003400340034003400340034003400340034003400340034003400340,778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117,0000000000000000000000000000000000000000000000000000000000000000,11,08A20A0AFEF64124649232E0693C583AB1B9934AE63B4C3511F3AE1134C6A303EA3173BFEA6683BD101FA5AA5DBC1996FE7CACFC5A577D33EC14564CEC2BACBF,TRUE,message of size 1 (added 2022-12)
+17,0340034003400340034003400340034003400340034003400340034003400340,778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117,0000000000000000000000000000000000000000000000000000000000000000,0102030405060708090A0B0C0D0E0F1011,5130F39A4059B43BC7CAC09A19ECE52B5D8699D1A71E3C52DA9AFDB6B50AC370C4A482B77BF960F8681540E25B6771ECE1E5A37FD80E5A51897C5566A97EA5A5,TRUE,message of size 17 (added 2022-12)
+18,0340034003400340034003400340034003400340034003400340034003400340,778CAA53B4393AC467774D09497A87224BF9FAB6F6E68B23086497324D6FD117,0000000000000000000000000000000000000000000000000000000000000000,99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999,403B12B0D8555A344175EA7EC746566303321E5DBFA8BE6F091635163ECA79A8585ED3E3170807E7C03B720FC54C7B23897FCBA0E9D0B4A06894CFD249F22367,TRUE,message of size 100 (added 2022-12)
diff --git a/bip-0340/test-vectors.py b/bip-0340/test-vectors.py
new file mode 100644
index 0000000..317f2ec
--- /dev/null
+++ b/bip-0340/test-vectors.py
@@ -0,0 +1,300 @@
+import sys
+from reference import *
+
+def is_square(x):
+    return int(pow(x, (p - 1) // 2, p)) == 1
+
+def has_square_y(P):
+    """Determine if P has a square Y coordinate. Used in an earlier draft of BIP340."""
+    assert not is_infinite(P)
+    return is_square(P[1])
+
+def vector0():
+    seckey = bytes_from_int(3)
+    msg = bytes_from_int(0)
+    aux_rand = bytes_from_int(0)
+    sig = schnorr_sign(msg, seckey, aux_rand)
+    pubkey = pubkey_gen(seckey)
+
+    # We should have at least one test vector where the seckey needs to be
+    # negated and one where it doesn't. In this one the seckey doesn't need to
+    # be negated.
+    x = int_from_bytes(seckey)
+    P = point_mul(G, x)
+    assert(y(P) % 2 == 0)
+
+    # For historical reasons (pubkey tiebreaker was squareness and not evenness)
+    # we should have at least one test vector where the the point reconstructed
+    # from the public key has a square and one where it has a non-square Y
+    # coordinate. In this one Y is non-square.
+    pubkey_point = lift_x(pubkey)
+    assert(not has_square_y(pubkey_point))
+
+    # For historical reasons (R tiebreaker was squareness and not evenness)
+    # we should have at least one test vector where the the point reconstructed
+    # from the R.x coordinate has a square and one where it has a non-square Y
+    # coordinate. In this one Y is non-square.
+    R = lift_x(sig[0:32])
+    assert(not has_square_y(R))
+
+    return (seckey, pubkey, aux_rand, msg, sig, "TRUE", None)
+
+def vector1():
+    seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF)
+    msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)
+    aux_rand = bytes_from_int(1)
+
+    sig = schnorr_sign(msg, seckey, aux_rand)
+
+    # The point reconstructed from the R.x coordinate has a square Y coordinate.
+    R = lift_x(sig[0:32])
+    assert(has_square_y(R))
+
+    return (seckey, pubkey_gen(seckey), aux_rand, msg, sig, "TRUE", None)
+
+def vector2():
+    seckey = bytes_from_int(0xC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9)
+    msg = bytes_from_int(0x7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C)
+    aux_rand = bytes_from_int(0xC87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906)
+    sig = schnorr_sign(msg, seckey, aux_rand)
+
+    # The point reconstructed from the public key has a square Y coordinate.
+    pubkey = pubkey_gen(seckey)
+    pubkey_point = lift_x(pubkey)
+    assert(has_square_y(pubkey_point))
+
+    # This signature vector would not verify if the implementer checked the
+    # evenness of the X coordinate of R instead of the Y coordinate.
+    R = lift_x(sig[0:32])
+    assert(R[0] % 2 == 1)
+
+    return (seckey, pubkey, aux_rand, msg, sig, "TRUE", None)
+
+def vector3():
+    seckey = bytes_from_int(0x0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710)
+
+    # Need to negate this seckey before signing
+    x = int_from_bytes(seckey)
+    P = point_mul(G, x)
+    assert(y(P) % 2 != 0)
+
+    msg = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
+    aux_rand = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
+
+    sig = schnorr_sign(msg, seckey, aux_rand)
+    return (seckey, pubkey_gen(seckey), aux_rand, msg, sig, "TRUE", "test fails if msg is reduced modulo p or n")
+
+# Signs with a given nonce. This can be INSECURE and is only INTENDED FOR
+# GENERATING TEST VECTORS. Results in an invalid signature if y(kG) is not
+# even.
+def insecure_schnorr_sign_fixed_nonce(msg, seckey0, k):
+    if len(msg) != 32:
+        raise ValueError('The message must be a 32-byte array.')
+    seckey0 = int_from_bytes(seckey0)
+    if not (1 <= seckey0 <= n - 1):
+        raise ValueError('The secret key must be an integer in the range 1..n-1.')
+    P = point_mul(G, seckey0)
+    seckey = seckey0 if has_even_y(P) else n - seckey0
+    R = point_mul(G, k)
+    e = int_from_bytes(tagged_hash("BIP0340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
+    return bytes_from_point(R) + bytes_from_int((k + e * seckey) % n)
+
+# Creates a singature with a small x(R) by using k = -1/2
+def vector4():
+    one_half = n - 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
+    seckey = bytes_from_int(0x763758E5CBEEDEE4F7D3FC86F531C36578933228998226672F13C4F0EBE855EB)
+    msg = bytes_from_int(0x4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703)
+    sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, one_half)
+    return (None, pubkey_gen(seckey), None, msg, sig, "TRUE", None)
+
+default_seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF)
+default_msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89)
+default_aux_rand = bytes_from_int(0xC87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906)
+
+# Public key is not on the curve
+def vector5():
+    # This creates a dummy signature that doesn't have anything to do with the
+    # public key.
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey, default_aux_rand)
+
+    pubkey = bytes_from_int(0xEEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34)
+    assert(lift_x(pubkey) is None)
+
+    return (None, pubkey, None, msg, sig, "FALSE", "public key not on the curve")
+
+def vector6():
+    seckey = default_seckey
+    msg = default_msg
+    k = 6
+    sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, k)
+
+    # Y coordinate of R is not even
+    R = point_mul(G, k)
+    assert(not has_even_y(R))
+
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "has_even_y(R) is false")
+
+def vector7():
+    seckey = default_seckey
+    msg = int_from_bytes(default_msg)
+    neg_msg = bytes_from_int(n - msg)
+    sig = schnorr_sign(neg_msg, seckey, default_aux_rand)
+    return (None, pubkey_gen(seckey), None, bytes_from_int(msg), sig, "FALSE", "negated message")
+
+def vector8():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey, default_aux_rand)
+    sig = sig[0:32] + bytes_from_int(n - int_from_bytes(sig[32:64]))
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "negated s value")
+
+def bytes_from_point_inf0(P):
+    if P == None:
+        return bytes_from_int(0)
+    return bytes_from_int(P[0])
+
+def vector9():
+    seckey = default_seckey
+    msg = default_msg
+
+    # Override bytes_from_point in schnorr_sign to allow creating a signature
+    # with k = 0.
+    k = 0
+    bytes_from_point_tmp = bytes_from_point.__code__
+    bytes_from_point.__code__ = bytes_from_point_inf0.__code__
+    sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, k)
+    bytes_from_point.__code__ = bytes_from_point_tmp
+
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_even_y(inf) is defined as true and x(inf) as 0")
+
+def bytes_from_point_inf1(P):
+    if P == None:
+        return bytes_from_int(1)
+    return bytes_from_int(P[0])
+
+def vector10():
+    seckey = default_seckey
+    msg = default_msg
+
+    # Override bytes_from_point in schnorr_sign to allow creating a signature
+    # with k = 0.
+    k = 0
+    bytes_from_point_tmp = bytes_from_point.__code__
+    bytes_from_point.__code__ = bytes_from_point_inf1.__code__
+    sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, k)
+    bytes_from_point.__code__ = bytes_from_point_tmp
+
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_even_y(inf) is defined as true and x(inf) as 1")
+
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which merely misses the check that sig[0:32] is an X
+# coordinate on the curve. This test vector just increases test coverage.
+def vector11():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey, default_aux_rand)
+
+    # Replace R's X coordinate with an X coordinate that's not on the curve
+    x_not_on_curve = bytes_from_int(0x4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D)
+    assert(lift_x(x_not_on_curve) is None)
+    sig = x_not_on_curve + sig[32:64]
+
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "sig[0:32] is not an X coordinate on the curve")
+
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which merely misses the check that sig[0:32] is smaller
+# than the field size. This test vector just increases test coverage.
+def vector12():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey, default_aux_rand)
+
+    # Replace R's X coordinate with an X coordinate that's equal to field size
+    sig = bytes_from_int(p) + sig[32:64]
+
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "sig[0:32] is equal to field size")
+
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which merely misses the check that sig[32:64] is smaller
+# than the curve order. This test vector just increases test coverage.
+def vector13():
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey, default_aux_rand)
+
+    # Replace s with a number that's equal to the curve order
+    sig = sig[0:32] + bytes_from_int(n)
+
+    return (None, pubkey_gen(seckey), None, msg, sig, "FALSE", "sig[32:64] is equal to curve order")
+
+# Test out of range pubkey
+# It's cryptographically impossible to create a test vector that fails if run
+# in an implementation which accepts out of range pubkeys because we can't find
+# a secret key for such a public key and therefore can not create a signature.
+# This test vector just increases test coverage.
+def vector14():
+    # This creates a dummy signature that doesn't have anything to do with the
+    # public key.
+    seckey = default_seckey
+    msg = default_msg
+    sig = schnorr_sign(msg, seckey, default_aux_rand)
+    pubkey_int = p + 1
+    pubkey = bytes_from_int(pubkey_int)
+    assert(lift_x(pubkey) is None)
+    # If an implementation would reduce a given public key modulo p then the
+    # pubkey would be valid
+    assert(lift_x(bytes_from_int(pubkey_int % p)) is not None)
+
+    return (None, pubkey, None, msg, sig, "FALSE", "public key is not a valid X coordinate because it exceeds the field size")
+
+def varlen_vector(msg_int):
+    seckey = bytes_from_int(int(16 * "0340", 16))
+    pubkey = pubkey_gen(seckey)
+    aux_rand = bytes_from_int(0)
+    msg = msg_int.to_bytes((msg_int.bit_length() + 7) // 8, "big")
+    sig = schnorr_sign(msg, seckey, aux_rand)
+    comment = "message of size %d (added 2022-12)"
+    return (seckey, pubkey, aux_rand, msg, sig, "TRUE", comment % len(msg))
+
+vector15 = lambda : varlen_vector(0)
+vector16 = lambda : varlen_vector(0x11)
+vector17 = lambda : varlen_vector(0x0102030405060708090A0B0C0D0E0F1011)
+vector18 = lambda : varlen_vector(int(100 * "99", 16))
+
+vectors = [
+        vector0(),
+        vector1(),
+        vector2(),
+        vector3(),
+        vector4(),
+        vector5(),
+        vector6(),
+        vector7(),
+        vector8(),
+        vector9(),
+        vector10(),
+        vector11(),
+        vector12(),
+        vector13(),
+        vector14(),
+        vector15(),
+        vector16(),
+        vector17(),
+        vector18(),
+    ]
+
+# Converts the byte strings of a test vector into hex strings
+def bytes_to_hex(seckey, pubkey, aux_rand, msg, sig, result, comment):
+    return (seckey.hex().upper() if seckey is not None else None, pubkey.hex().upper(), aux_rand.hex().upper() if aux_rand is not None else None, msg.hex().upper(), sig.hex().upper(), result, comment)
+
+vectors = list(map(lambda vector: bytes_to_hex(vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6]), vectors))
+
+def print_csv(vectors):
+    writer = csv.writer(sys.stdout)
+    writer.writerow(("index", "secret key", "public key", "aux_rand", "message", "signature", "verification result", "comment"))
+    for (i,v) in enumerate(vectors):
+        writer.writerow((i,)+v)
+
+print_csv(vectors)