def test_sign_schnorr(self):
pk = PrivateKey(randint(1, N))
msg = int_to_big_endian(randint(1, N), 32)
sig = pk.sign_schnorr(msg, aux=b"\x00" * 32)
self.assertTrue(pk.point.verify_schnorr(msg, sig))
# tweak
tweak = randint(1, N)
tweak_point = pk.tweaked(tweak).point
k = randint(1, N)
r = k * G
if r.parity:
k = N - k
r = k * G
message = r.bip340() + tweak_point.bip340() + msg
challenge = big_endian_to_int(hash_challenge(message)) % N
if pk.point.parity == tweak_point.parity:
secret = pk.secret
else:
secret = -pk.secret
s = (k + challenge * secret) % N
if tweak_point.parity:
s = (s - challenge * tweak) % N
else:
s = (s + challenge * tweak) % N
sig = SchnorrSignature.parse(r.bip340() + int_to_big_endian(s, 32))
self.assertTrue(tweak_point.verify_schnorr(msg, sig))
def test_signing(self):
tests = [
(
"0",
"0000000000000000000000000000000000000000000000000000000000000003",
"F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9",
"0000000000000000000000000000000000000000000000000000000000000000",
"0000000000000000000000000000000000000000000000000000000000000000",
"E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0",
"",
),
(
"1",
"B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF",
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"0000000000000000000000000000000000000000000000000000000000000001",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A",
"",
),
(
"2",
"C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9",
"DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8",
"C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906",
"7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
"5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7",
"",
),
(
"3",
"0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710",
"25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517",
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
"7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3",
"test fails if msg is reduced modulo p or n",
),
]
for (
index,
secret,
bip340_pk,
aux_rand,
message,
signature,
comment,
) in tests:
private_key = PrivateKey(secret=int(secret, 16))
public_key = S256Point.parse(bytes.fromhex(bip340_pk))
aux = bytes.fromhex(aux_rand)
msg = bytes.fromhex(message)
want_sig = SchnorrSignature.parse(bytes.fromhex(signature))
self.assertTrue(public_key.verify_schnorr(msg, want_sig))
sig = private_key.sign_schnorr(msg, aux)
self.assertEqual(sig, want_sig)
def finalize_p2tr_multisig(self, input_index, sigs):
tx_in = self.tx_ins[input_index]
if len(tx_in.witness.items) < 2 or tx_in.tap_script is None:
raise RuntimeError("initialize single leaf multisig first")
for point in tx_in.tap_script.points:
for sig in sigs:
if len(sig) == 0:
continue
elif len(sig) == 64:
hash_type = SIGHASH_DEFAULT
schnorr = SchnorrSignature.parse(sig)
elif len(sig) == 65:
hash_type = sig[-1]
schnorr = SchnorrSignature.parse(sig[:-1])
else:
raise RuntimeError("invalid signature length")
msg = self.sig_hash(input_index, hash_type=hash_type)
if point.verify_schnorr(msg, schnorr):
tx_in.witness.items.insert(0, sig)
break
else:
tx_in.witness.items.insert(0, b"")
return self.verify_input(input_index)
def get_signature(self, s_sum, r, sig_hash, tweak=0):
tweak_point = self.get_tweak_point(tweak)
if tweak:
msg = r.bip340() + tweak_point.bip340() + sig_hash
challenge = big_endian_to_int(hash_challenge(msg)) % N
if tweak_point.parity:
s = (-s_sum - challenge * tweak) % N
else:
s = (s_sum + challenge * tweak) % N
else:
s = s_sum % N
s_raw = int_to_big_endian(s, 32)
sig = r.bip340() + s_raw
schnorrsig = SchnorrSignature.parse(sig)
if not tweak_point.verify_schnorr(sig_hash, schnorrsig):
raise ValueError("Invalid signature")
return schnorrsig
def test_verify(self):
tests = [
(
"D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9",
"4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703",
"00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4",
),
(
"d0fa46cb883e940ac3dc5421f05b03859972639f51ed2eccbf3dc5a62e2e1b15",
"11864b0142c248fdb090d08893745e0b36a78f988a8334d2056814ad5f541596",
"23b1d4ff27b16af4b0fcb9672df671701a1a7f5a6bb7352b051f461edbc614aa6068b3e5313a174f90f3d95dc4e06f69bebd9cf5a3098fde034b01e69e8e7889",
),
]
for bip340_pk, message, signature in tests:
public_key = S256Point.parse(bytes.fromhex(bip340_pk))
msg = bytes.fromhex(message)
sig = SchnorrSignature.parse(bytes.fromhex(signature))
self.assertTrue(public_key.verify_schnorr(msg, sig))
def op_checksig_schnorr(stack, tx_obj, input_index):
# check to see if there's at least 2 elements
if len(stack) < 2:
return False
pubkey = stack.pop()
signature = stack.pop()
point = S256Point.parse_bip340(pubkey)
if len(signature) == 65:
hash_type = signature[-1]
signature = signature[:-1]
elif len(signature) == 0:
stack.append(encode_num(0))
return True
else:
hash_type = 0
sig = SchnorrSignature.parse(signature)
msg = tx_obj.sig_hash(input_index, hash_type)
if point.verify_schnorr(msg, sig):
stack.append(encode_num(1))
else:
stack.append(encode_num(0))
return True
def test_errors(self):
tests = [
(
"EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
ValueError,
"public key not on the curve",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2",
AssertionError,
"has_even_y(R) is false",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD",
AssertionError,
"negated message",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6",
AssertionError,
"negated s value",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051",
AssertionError,
"sG - eP is infinite. Test fails in single verification if has_even_y(inf) is defined as true and x(inf) as 0",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197",
AssertionError,
"sG - eP is infinite. Test fails in single verification if has_even_y(inf) is defined as true and x(inf) as 1",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
ValueError,
"sig[0:32] is not an X coordinate on the curve",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
ValueError,
"sig[0:32] is equal to field size",
),
(
"DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
ValueError,
"sig[32:64] is equal to curve order",
),
(
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30",
"243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
ValueError,
"public key is not a valid X coordinate because it exceeds the field size",
),
]
for bip340_pk, message, signature, error, comment in tests:
with self.assertRaises(error):
print(comment)
public_key = S256Point.parse(bytes.fromhex(bip340_pk))
msg = bytes.fromhex(message)
sig = SchnorrSignature.parse(bytes.fromhex(signature))
assert public_key.verify_schnorr(msg, sig)