diff options
Diffstat (limited to 'bip-schnorr/test-vectors.py')
-rw-r--r-- | bip-schnorr/test-vectors.py | 241 |
1 files changed, 0 insertions, 241 deletions
diff --git a/bip-schnorr/test-vectors.py b/bip-schnorr/test-vectors.py deleted file mode 100644 index 195b61b..0000000 --- a/bip-schnorr/test-vectors.py +++ /dev/null @@ -1,241 +0,0 @@ -import sys -from reference import * - -def vector0(): - seckey = bytes_from_int(1) - msg = bytes_from_int(0) - sig = schnorr_sign(msg, seckey) - pubkey = pubkey_gen(seckey) - - # The point reconstructed from the public key has an even Y coordinate. - pubkey_point = point_from_bytes(pubkey) - assert(pubkey_point[1] & 1 == 0) - - return (seckey, pubkey, msg, sig, "TRUE", None) - -def vector1(): - seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF) - msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89) - sig = schnorr_sign(msg, seckey) - pubkey = pubkey_gen(seckey) - - # The point reconstructed from the public key has an odd Y coordinate. - pubkey_point = point_from_bytes(pubkey) - assert(pubkey_point[1] & 1 == 1) - - return (seckey, pubkey, msg, sig, "TRUE", None) - -def vector2(): - seckey = bytes_from_int(0xC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9) - msg = bytes_from_int(0x5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C) - sig = schnorr_sign(msg, seckey) - - # This signature vector would not verify if the implementer checked the - # squareness of the X coordinate of R instead of the Y coordinate. - R = point_from_bytes(sig[0:32]) - assert(not is_square(R[0])) - - return (seckey, pubkey_gen(seckey), msg, sig, "TRUE", None) - -def vector3(): - seckey = bytes_from_int(0x0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710) - msg = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF) - sig = schnorr_sign(msg, seckey) - return (seckey, pubkey_gen(seckey), msg, sig, "TRUE", "test fails if msg is reduced modulo p or n") - -# Signs with a given nonce. This can be INSECURE and is only INTENDED FOR -# GENERATING TEST VECTORS. Results in an invalid signature if y(kG) is not -# square. -def insecure_schnorr_sign_fixed_nonce(msg, seckey0, k): - if len(msg) != 32: - raise ValueError('The message must be a 32-byte array.') - seckey0 = int_from_bytes(seckey0) - if not (1 <= seckey0 <= n - 1): - raise ValueError('The secret key must be an integer in the range 1..n-1.') - P = point_mul(G, seckey0) - seckey = seckey0 if has_square_y(P) else n - seckey0 - R = point_mul(G, k) - e = int_from_bytes(tagged_hash("BIPSchnorr", bytes_from_point(R) + bytes_from_point(P) + msg)) % n - return bytes_from_point(R) + bytes_from_int((k + e * seckey) % n) - -# Creates a singature with a small x(R) by using k = 1/2 -def vector4(): - one_half = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0 - seckey = bytes_from_int(0x763758E5CBEEDEE4F7D3FC86F531C36578933228998226672F13C4F0EBE855EB) - msg = bytes_from_int(0x4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703) - sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, one_half) - return (None, pubkey_gen(seckey), msg, sig, "TRUE", None) - -default_seckey = bytes_from_int(0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF) -default_msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89) - -# Public key is not on the curve -def vector5(): - # This creates a dummy signature that doesn't have anything to do with the - # public key. - seckey = default_seckey - msg = default_msg - sig = schnorr_sign(msg, seckey) - - pubkey = bytes_from_int(0xEEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34) - assert(point_from_bytes(pubkey) is None) - - return (None, pubkey, msg, sig, "FALSE", "public key not on the curve") - -def vector6(): - seckey = default_seckey - msg = default_msg - k = 3 - sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, k) - - # Y coordinate of R is not a square - R = point_mul(G, k) - assert(not has_square_y(R)) - - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "has_square_y(R) is false") - -def vector7(): - seckey = default_seckey - msg = int_from_bytes(default_msg) - neg_msg = bytes_from_int(n - msg) - sig = schnorr_sign(neg_msg, seckey) - return (None, pubkey_gen(seckey), bytes_from_int(msg), sig, "FALSE", "negated message") - -def vector8(): - seckey = default_seckey - msg = default_msg - sig = schnorr_sign(msg, seckey) - sig = sig[0:32] + bytes_from_int(n - int_from_bytes(sig[32:64])) - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "negated s value") - -def bytes_from_point_inf0(P): - if P == None: - return bytes_from_int(0) - return bytes_from_int(P[0]) - -def vector9(): - seckey = default_seckey - msg = default_msg - - # Override bytes_from_point in schnorr_sign to allow creating a signature - # with k = 0. - k = 0 - bytes_from_point_tmp = bytes_from_point.__code__ - bytes_from_point.__code__ = bytes_from_point_inf0.__code__ - sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, k) - bytes_from_point.__code__ = bytes_from_point_tmp - - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 0") - -def bytes_from_point_inf1(P): - if P == None: - return bytes_from_int(1) - return bytes_from_int(P[0]) - -def vector10(): - seckey = default_seckey - msg = default_msg - - # Override bytes_from_point in schnorr_sign to allow creating a signature - # with k = 0. - k = 0 - bytes_from_point_tmp = bytes_from_point.__code__ - bytes_from_point.__code__ = bytes_from_point_inf1.__code__ - sig = insecure_schnorr_sign_fixed_nonce(msg, seckey, k) - bytes_from_point.__code__ = bytes_from_point_tmp - - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 1") - -# It's cryptographically impossible to create a test vector that fails if run -# in an implementation which merely misses the check that sig[0:32] is an X -# coordinate on the curve. This test vector just increases test coverage. -def vector11(): - seckey = default_seckey - msg = default_msg - sig = schnorr_sign(msg, seckey) - - # Replace R's X coordinate with an X coordinate that's not on the curve - x_not_on_curve = bytes_from_int(0x4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D) - assert(point_from_bytes(x_not_on_curve) is None) - sig = x_not_on_curve + sig[32:64] - - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is not an X coordinate on the curve") - -# It's cryptographically impossible to create a test vector that fails if run -# in an implementation which merely misses the check that sig[0:32] is smaller -# than the field size. This test vector just increases test coverage. -def vector12(): - seckey = default_seckey - msg = default_msg - sig = schnorr_sign(msg, seckey) - - # Replace R's X coordinate with an X coordinate that's equal to field size - sig = bytes_from_int(p) + sig[32:64] - - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is equal to field size") - -# It's cryptographically impossible to create a test vector that fails if run -# in an implementation which merely misses the check that sig[32:64] is smaller -# than the curve order. This test vector just increases test coverage. -def vector13(): - seckey = default_seckey - msg = default_msg - sig = schnorr_sign(msg, seckey) - - # Replace s with a number that's equal to the curve order - sig = sig[0:32] + bytes_from_int(n) - - return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[32:64] is equal to curve order") - -# Test out of range pubkey -# It's cryptographically impossible to create a test vector that fails if run -# in an implementation which accepts out of range pubkeys because we can't find -# a secret key for such a public key and therefore can not create a signature. -# This test vector just increases test coverage. -def vector14(): - # This creates a dummy signature that doesn't have anything to do with the - # public key. - seckey = default_seckey - msg = default_msg - sig = schnorr_sign(msg, seckey) - - pubkey_int = p + 1 - pubkey = bytes_from_int(pubkey_int) - assert(point_from_bytes(pubkey) is None) - # If an implementation would reduce a given public key modulo p then the - # pubkey would be valid - assert(point_from_bytes(bytes_from_int(pubkey_int % p)) is not None) - - return (None, pubkey, msg, sig, "FALSE", "public key is not a valid X coordinate because it exceeds the field size") - -vectors = [ - vector0(), - vector1(), - vector2(), - vector3(), - vector4(), - vector5(), - vector6(), - vector7(), - vector8(), - vector9(), - vector10(), - vector11(), - vector12(), - vector13(), - vector14() - ] - -# Converts the byte strings of a test vector into hex strings -def bytes_to_hex(seckey, pubkey, msg, sig, result, comment): - return (seckey.hex().upper() if seckey is not None else None, pubkey.hex().upper(), msg.hex().upper(), sig.hex().upper(), result, comment) - -vectors = list(map(lambda vector: bytes_to_hex(vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]), vectors)) - -def print_csv(vectors): - writer = csv.writer(sys.stdout) - writer.writerow(("index", "secret key", "public key", "message", "signature", "verification result", "comment")) - for (i,v) in enumerate(vectors): - writer.writerow((i,)+v) - -print_csv(vectors) |