import sys from reference import * def vector0(): seckey = 1 msg = bytes_from_int(0) sig = schnorr_sign(msg, seckey) pubkey = pubkey_gen(seckey) # The point reconstructed from the public key has an even Y coordinate. pubkey_point = point_from_bytes(pubkey) assert(pubkey_point[1] & 1 == 0) return (bytes_from_int(seckey), pubkey, msg, sig, "TRUE", None) def vector1(): seckey = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89) sig = schnorr_sign(msg, seckey) pubkey = pubkey_gen(seckey) # The point reconstructed from the public key has an odd Y coordinate. pubkey_point = point_from_bytes(pubkey) assert(pubkey_point[1] & 1 == 1) return (bytes_from_int(seckey), pubkey, msg, sig, "TRUE", None) def vector2(): seckey = 0xC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9 msg = bytes_from_int(0x5E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C) sig = schnorr_sign(msg, seckey) # This signature vector would not verify if the implementer checked the # squareness of the X coordinate of R instead of the Y coordinate. R = point_from_bytes(sig[0:32]) assert(not is_square(R[0])) return (bytes_from_int(seckey), pubkey_gen(seckey), msg, sig, "TRUE", None) def vector3(): seckey = 0x0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710 msg = bytes_from_int(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF) sig = schnorr_sign(msg, seckey) return (bytes_from_int(seckey), pubkey_gen(seckey), msg, sig, "TRUE", "test fails if msg is reduced modulo p or n") # Signs with a given nonce. Results in an invalid signature if y(kG) is not a square def schnorr_sign_fixed_nonce(msg, seckey0, k): if len(msg) != 32: raise ValueError('The message must be a 32-byte array.') if not (1 <= seckey0 <= n - 1): raise ValueError('The secret key must be an integer in the range 1..n-1.') P = point_mul(G, seckey0) seckey = seckey0 if has_square_y(P) else n - seckey0 R = point_mul(G, k) e = int_from_bytes(tagged_hash("BIPSchnorr", bytes_from_point(R) + bytes_from_point(P) + msg)) % n return bytes_from_point(R) + bytes_from_int((k + e * seckey) % n) # Creates a singature with a small x(R) by using k = 1/2 def vector4(): one_half = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0 seckey = 0x763758E5CBEEDEE4F7D3FC86F531C36578933228998226672F13C4F0EBE855EB msg = bytes_from_int(0x4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703) sig = schnorr_sign_fixed_nonce(msg, seckey, one_half) return (None, pubkey_gen(seckey), msg, sig, "TRUE", None) default_seckey = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF default_msg = bytes_from_int(0x243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89) def vector5(): seckey = default_seckey msg = default_msg sig = schnorr_sign(msg, seckey) # Public key is not on the curve pubkey = bytes_from_int(0xEEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34) assert(point_from_bytes(pubkey) is None) return (None, pubkey, msg, sig, "FALSE", "public key not on the curve") def vector6(): seckey = default_seckey msg = default_msg k = 3 sig = schnorr_sign_fixed_nonce(msg, seckey, k) # Y coordinate of R is not a square R = point_mul(G, k) assert(not has_square_y(R)) return (None, pubkey_gen(seckey), msg, sig, "FALSE", "incorrect R residuosity") def vector7(): seckey = default_seckey msg = int_from_bytes(default_msg) neg_msg = bytes_from_int(n - msg) sig = schnorr_sign(neg_msg, seckey) return (None, pubkey_gen(seckey), bytes_from_int(msg), sig, "FALSE", "negated message") def vector8(): seckey = default_seckey msg = default_msg sig = schnorr_sign(msg, seckey) sig = sig[0:32] + bytes_from_int(n - int_from_bytes(sig[32:64])) return (None, pubkey_gen(seckey), msg, sig, "FALSE", "negated s value") def bytes_from_point_inf0(P): if P == None: return bytes_from_int(0) return bytes_from_int(P[0]) def vector9(): seckey = default_seckey msg = default_msg # Override bytes_from_point in schnorr_sign to allow creating a signature # with k = 0. k = 0 bytes_from_point_tmp = bytes_from_point.__code__ bytes_from_point.__code__ = bytes_from_point_inf0.__code__ sig = schnorr_sign_fixed_nonce(msg, seckey, k) bytes_from_point.__code__ = bytes_from_point_tmp return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 0") def bytes_from_point_inf1(P): if P == None: return bytes_from_int(1) return bytes_from_int(P[0]) def vector10(): seckey = default_seckey msg = default_msg # Override bytes_from_point in schnorr_sign to allow creating a signature # with k = 0. k = 0 bytes_from_point_tmp = bytes_from_point.__code__ bytes_from_point.__code__ = bytes_from_point_inf1.__code__ sig = schnorr_sign_fixed_nonce(msg, seckey, k) bytes_from_point.__code__ = bytes_from_point_tmp return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sG - eP is infinite. Test fails in single verification if has_square_y(inf) is defined as true and x(inf) as 1") # It's cryptographically impossible to create a test vector that fails if run # in an implementation which merely misses the check that sig[0:32] is an X # coordinate on the curve. This test vector just increases test coverage. def vector11(): seckey = default_seckey msg = default_msg sig = schnorr_sign(msg, seckey) # Replace R's X coordinate with an X coordinate that's not on the curve x_not_on_curve = bytes_from_int(0x4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D) assert(point_from_bytes(x_not_on_curve) is None) sig = x_not_on_curve + sig[32:64] return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is not an X coordinate on the curve") # It's cryptographically impossible to create a test vector that fails if run # in an implementation which merely misses the check that sig[0:32] is smaller # than the field size. This test vector just increases test coverage. def vector12(): seckey = default_seckey msg = default_msg sig = schnorr_sign(msg, seckey) # Replace R's X coordinate with an X coordinate that's equal to field size sig = bytes_from_int(p) + sig[32:64] return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[0:32] is equal to field size") # It's cryptographically impossible to create a test vector that fails if run # in an implementation which merely misses the check that sig[32:64] is smaller # than the curve order. This test vector just increases test coverage. def vector13(): seckey = default_seckey msg = default_msg sig = schnorr_sign(msg, seckey) # Replace s with a number that's equal to the curve order sig = sig[0:32] + bytes_from_int(n) return (None, pubkey_gen(seckey), msg, sig, "FALSE", "sig[32:64] is equal to curve order") vectors = [ vector0(), vector1(), vector2(), vector3(), vector4(), vector5(), vector6(), vector7(), vector8(), vector9(), vector10(), vector11(), vector12(), vector13(), ] # Converts the byte strings of a test vector into hex strings def bytes_to_hex(seckey, pubkey, msg, sig, result, comment): return (seckey.hex().upper() if seckey is not None else None, pubkey.hex().upper(), msg.hex().upper(), sig.hex().upper(), result, comment) vectors = list(map(lambda vector: bytes_to_hex(vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]), vectors)) def print_csv(vectors): writer = csv.writer(sys.stdout) writer.writerow(("index", "secret key", "public key", "message", "signature", "verification result", "comment")) for (i,v) in enumerate(vectors): writer.writerow((i,)+v) print_csv(vectors)