//! # schnorrsig //! Support for Schnorr signatures. //! #[cfg(any(test, feature = "rand-std"))] use rand::thread_rng; #[cfg(any(test, feature = "rand"))] use rand::{CryptoRng, Rng}; use super::{from_hex, Error}; use core::{fmt, ptr, str}; use ffi::{self, CPtr}; use {constants, Secp256k1}; use {Message, Signing, KeyPair, XOnlyPublicKey}; /// Represents a Schnorr signature. pub struct Signature([u8; constants::SCHNORRSIG_SIGNATURE_SIZE]); impl_array_newtype!(Signature, u8, constants::SCHNORRSIG_SIGNATURE_SIZE); impl_pretty_debug!(Signature); #[cfg(feature = "serde")] impl ::serde::Serialize for Signature { fn serialize(&self, s: S) -> Result { if s.is_human_readable() { s.collect_str(self) } else { s.serialize_bytes(&self[..]) } } } #[cfg(feature = "serde")] impl<'de> ::serde::Deserialize<'de> for Signature { fn deserialize>(d: D) -> Result { if d.is_human_readable() { d.deserialize_str(super::serde_util::FromStrVisitor::new( "a hex string representing 64 byte schnorr signature" )) } else { d.deserialize_bytes(super::serde_util::BytesVisitor::new( "raw 64 bytes schnorr signature", Signature::from_slice )) } } } impl fmt::LowerHex for Signature { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { for ch in &self.0[..] { write!(f, "{:02x}", ch)?; } Ok(()) } } impl fmt::Display for Signature { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fmt::LowerHex::fmt(self, f) } } impl str::FromStr for Signature { type Err = Error; fn from_str(s: &str) -> Result { let mut res = [0u8; constants::SCHNORRSIG_SIGNATURE_SIZE]; match from_hex(s, &mut res) { Ok(constants::SCHNORRSIG_SIGNATURE_SIZE) => { Signature::from_slice(&res[0..constants::SCHNORRSIG_SIGNATURE_SIZE]) } _ => Err(Error::InvalidSignature), } } } impl Signature { /// Creates a Signature directly from a slice #[inline] pub fn from_slice(data: &[u8]) -> Result { match data.len() { constants::SCHNORRSIG_SIGNATURE_SIZE => { let mut ret = [0u8; constants::SCHNORRSIG_SIGNATURE_SIZE]; ret[..].copy_from_slice(data); Ok(Signature(ret)) } _ => Err(Error::InvalidSignature), } } } impl Secp256k1 { fn schnorrsig_sign_helper( &self, msg: &Message, keypair: &KeyPair, nonce_data: *const ffi::types::c_void, ) -> Signature { unsafe { let mut sig = [0u8; constants::SCHNORRSIG_SIGNATURE_SIZE]; assert_eq!( 1, ffi::secp256k1_schnorrsig_sign( self.ctx, sig.as_mut_c_ptr(), msg.as_c_ptr(), keypair.as_ptr(), ffi::secp256k1_nonce_function_bip340, nonce_data ) ); Signature(sig) } } /// Create a schnorr signature internally using the ThreadRng random number /// generator to generate the auxiliary random data. /// Requires compilation with "rand-std" feature. #[cfg(any(test, feature = "rand-std"))] #[deprecated(since = "0.21.0", note = "Use sign_schnorr instead.")] pub fn schnorrsig_sign(&self, msg: &Message, keypair: &KeyPair) -> Signature { self.sign_schnorr(msg, keypair) } /// Create a schnorr signature internally using the ThreadRng random number /// generator to generate the auxiliary random data. /// Requires compilation with "rand-std" feature. #[cfg(any(test, feature = "rand-std"))] pub fn sign_schnorr(&self, msg: &Message, keypair: &KeyPair) -> Signature { let mut rng = thread_rng(); self.sign_schnorr_with_rng(msg, keypair, &mut rng) } /// Create a schnorr signature without using any auxiliary random data. #[deprecated(since = "0.21.0", note = "Use sign_schnorr_no_aux_rand instead.")] pub fn schnorrsig_sign_no_aux_rand( &self, msg: &Message, keypair: &KeyPair, ) -> Signature { self.sign_schnorr_no_aux_rand(msg, keypair) } /// Create a schnorr signature without using any auxiliary random data. pub fn sign_schnorr_no_aux_rand( &self, msg: &Message, keypair: &KeyPair, ) -> Signature { self.schnorrsig_sign_helper(msg, keypair, ptr::null()) } /// Create a Schnorr signature using the given auxiliary random data. #[deprecated(since = "0.21.0", note = "Use sign_schnorr_with_aux_rand instead.")] pub fn schnorrsig_sign_with_aux_rand( &self, msg: &Message, keypair: &KeyPair, aux_rand: &[u8; 32], ) -> Signature { self.sign_schnorr_with_aux_rand(msg, keypair, aux_rand) } /// Create a Schnorr signature using the given auxiliary random data. pub fn sign_schnorr_with_aux_rand( &self, msg: &Message, keypair: &KeyPair, aux_rand: &[u8; 32], ) -> Signature { self.schnorrsig_sign_helper( msg, keypair, aux_rand.as_c_ptr() as *const ffi::types::c_void, ) } /// Create a schnorr signature using the given random number generator to /// generate the auxiliary random data. Requires compilation with "rand" /// feature. #[cfg(any(test, feature = "rand"))] #[deprecated(since = "0.21.0", note = "Use sign_schnorr_with_rng instead.")] pub fn schnorrsig_sign_with_rng( &self, msg: &Message, keypair: &KeyPair, rng: &mut R, ) -> Signature { self.sign_schnorr_with_rng(msg, keypair, rng) } /// Create a schnorr signature using the given random number generator to /// generate the auxiliary random data. Requires compilation with "rand" /// feature. #[cfg(any(test, feature = "rand"))] pub fn sign_schnorr_with_rng( &self, msg: &Message, keypair: &KeyPair, rng: &mut R, ) -> Signature { let mut aux = [0u8; 32]; rng.fill_bytes(&mut aux); self.schnorrsig_sign_helper(msg, keypair, aux.as_c_ptr() as *const ffi::types::c_void) } /// Verify a Schnorr signature. #[deprecated(since = "0.21.0", note = "Use verify_schnorr instead.")] pub fn schnorrsig_verify( &self, sig: &Signature, msg: &Message, pubkey: &XOnlyPublicKey, ) -> Result<(), Error> { self.verify_schnorr(sig, msg, pubkey) } /// Verify a Schnorr signature. pub fn verify_schnorr( &self, sig: &Signature, msg: &Message, pubkey: &XOnlyPublicKey, ) -> Result<(), Error> { unsafe { let ret = ffi::secp256k1_schnorrsig_verify( self.ctx, sig.as_c_ptr(), msg.as_c_ptr(), pubkey.as_c_ptr(), ); if ret == 1 { Ok(()) } else { Err(Error::InvalidSignature) } } } /// Generates a random Schnorr KeyPair and its associated Schnorr PublicKey. /// Convenience function for `schnorrsig::KeyPair::new` and /// `schnorrsig::PublicKey::from_keypair`; call those functions directly for /// batch key generation. Requires a signing-capable context. Requires compilation /// with the "rand" feature. #[inline] #[cfg(any(test, feature = "rand"))] pub fn generate_schnorrsig_keypair( &self, rng: &mut R, ) -> (KeyPair, XOnlyPublicKey) { let sk = KeyPair::new(self, rng); let pubkey = XOnlyPublicKey::from_keypair(self, &sk); (sk, pubkey) } } #[cfg(test)] mod tests { use super::super::Error::InvalidPublicKey; use super::super::{constants, from_hex, All, Message, Secp256k1}; use super::{KeyPair, XOnlyPublicKey, Signature}; use rand::{rngs::ThreadRng, thread_rng, Error, ErrorKind, RngCore}; use rand_core::impls; use std::iter; use std::str::FromStr; #[cfg(target_arch = "wasm32")] use wasm_bindgen_test::wasm_bindgen_test as test; use SecretKey; macro_rules! hex_32 { ($hex:expr) => {{ let mut result = [0u8; 32]; from_hex($hex, &mut result).expect("valid hex string"); result }}; } fn test_schnorrsig_sign_helper( sign: fn(&Secp256k1, &Message, &KeyPair, &mut ThreadRng) -> Signature, ) { let secp = Secp256k1::new(); let mut rng = thread_rng(); let (seckey, pubkey) = secp.generate_schnorrsig_keypair(&mut rng); let mut msg = [0u8; 32]; for _ in 0..100 { rng.fill_bytes(&mut msg); let msg = Message::from_slice(&msg).unwrap(); let sig = sign(&secp, &msg, &seckey, &mut rng); assert!(secp.verify_schnorr(&sig, &msg, &pubkey).is_ok()); } } #[test] fn test_schnorrsig_sign_with_aux_rand_verify() { test_schnorrsig_sign_helper(|secp, msg, seckey, rng| { let mut aux_rand = [0u8; 32]; rng.fill_bytes(&mut aux_rand); secp.sign_schnorr_with_aux_rand(msg, seckey, &aux_rand) }) } #[test] fn test_schnorrsig_sign_with_rng_verify() { test_schnorrsig_sign_helper(|secp, msg, seckey, mut rng| { secp.sign_schnorr_with_rng(msg, seckey, &mut rng) }) } #[test] fn test_schnorrsig_sign_verify() { test_schnorrsig_sign_helper(|secp, msg, seckey, _| { secp.sign_schnorr(msg, seckey) }) } #[test] fn test_schnorrsig_sign_no_aux_rand_verify() { test_schnorrsig_sign_helper(|secp, msg, seckey, _| { secp.sign_schnorr_no_aux_rand(msg, seckey) }) } #[test] #[cfg(not(fuzzing))] // fixed sig vectors can't work with fuzz-sigs fn test_schnorrsig_sign() { let secp = Secp256k1::new(); let hex_msg = hex_32!("E48441762FB75010B2AA31A512B62B4148AA3FB08EB0765D76B252559064A614"); let msg = Message::from_slice(&hex_msg).unwrap(); let sk = KeyPair::from_seckey_str( &secp, "688C77BC2D5AAFF5491CF309D4753B732135470D05B7B2CD21ADD0744FE97BEF", ) .unwrap(); let aux_rand: [u8; 32] = hex_32!("02CCE08E913F22A36C5648D6405A2C7C50106E7AA2F1649E381C7F09D16B80AB"); let expected_sig = Signature::from_str("6470FD1303DDA4FDA717B9837153C24A6EAB377183FC438F939E0ED2B620E9EE5077C4A8B8DCA28963D772A94F5F0DDF598E1C47C137F91933274C7C3EDADCE8").unwrap(); let sig = secp .sign_schnorr_with_aux_rand(&msg, &sk, &aux_rand); assert_eq!(expected_sig, sig); } #[test] #[cfg(not(fuzzing))] // fixed sig vectors can't work with fuzz-sigs fn test_schnorrsig_verify() { let secp = Secp256k1::new(); let hex_msg = hex_32!("E48441762FB75010B2AA31A512B62B4148AA3FB08EB0765D76B252559064A614"); let msg = Message::from_slice(&hex_msg).unwrap(); let sig = Signature::from_str("6470FD1303DDA4FDA717B9837153C24A6EAB377183FC438F939E0ED2B620E9EE5077C4A8B8DCA28963D772A94F5F0DDF598E1C47C137F91933274C7C3EDADCE8").unwrap(); let pubkey = XOnlyPublicKey::from_str("B33CC9EDC096D0A83416964BD3C6247B8FECD256E4EFA7870D2C854BDEB33390") .unwrap(); assert!(secp.verify_schnorr(&sig, &msg, &pubkey).is_ok()); } #[test] fn test_pubkey_from_slice() { assert_eq!(XOnlyPublicKey::from_slice(&[]), Err(InvalidPublicKey)); assert_eq!(XOnlyPublicKey::from_slice(&[1, 2, 3]), Err(InvalidPublicKey)); let pk = XOnlyPublicKey::from_slice(&[ 0xB3, 0x3C, 0xC9, 0xED, 0xC0, 0x96, 0xD0, 0xA8, 0x34, 0x16, 0x96, 0x4B, 0xD3, 0xC6, 0x24, 0x7B, 0x8F, 0xEC, 0xD2, 0x56, 0xE4, 0xEF, 0xA7, 0x87, 0x0D, 0x2C, 0x85, 0x4B, 0xDE, 0xB3, 0x33, 0x90, ]); assert!(pk.is_ok()); } #[test] fn test_pubkey_serialize_roundtrip() { let secp = Secp256k1::new(); let (_, pubkey) = secp.generate_schnorrsig_keypair(&mut thread_rng()); let ser = pubkey.serialize(); let pubkey2 = XOnlyPublicKey::from_slice(&ser).unwrap(); assert_eq!(pubkey, pubkey2); } #[test] fn test_xonly_key_extraction() { let secp = Secp256k1::new(); let sk_str = "688C77BC2D5AAFF5491CF309D4753B732135470D05B7B2CD21ADD0744FE97BEF"; let keypair = KeyPair::from_seckey_str(&secp, sk_str).unwrap(); let sk = SecretKey::from_keypair(&keypair); assert_eq!(SecretKey::from_str(sk_str).unwrap(), sk); let pk = ::key::PublicKey::from_keypair(&keypair); assert_eq!(::key::PublicKey::from_secret_key(&secp, &sk), pk); let xpk = XOnlyPublicKey::from_keypair(&secp, &keypair); assert_eq!(XOnlyPublicKey::from(pk), xpk); } #[test] fn test_pubkey_from_bad_slice() { // Bad sizes assert_eq!( XOnlyPublicKey::from_slice(&[0; constants::SCHNORRSIG_PUBLIC_KEY_SIZE - 1]), Err(InvalidPublicKey) ); assert_eq!( XOnlyPublicKey::from_slice(&[0; constants::SCHNORRSIG_PUBLIC_KEY_SIZE + 1]), Err(InvalidPublicKey) ); // Bad parse assert_eq!( XOnlyPublicKey::from_slice(&[0xff; constants::SCHNORRSIG_PUBLIC_KEY_SIZE]), Err(InvalidPublicKey) ); // In fuzzing mode restrictions on public key validity are much more // relaxed, thus the invalid check below is expected to fail. #[cfg(not(fuzzing))] assert_eq!( XOnlyPublicKey::from_slice(&[0x55; constants::SCHNORRSIG_PUBLIC_KEY_SIZE]), Err(InvalidPublicKey) ); assert_eq!(XOnlyPublicKey::from_slice(&[]), Err(InvalidPublicKey)); } #[test] fn test_pubkey_display_output() { let secp = Secp256k1::new(); static SK_BYTES: [u8; 32] = [ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, ]; let s = Secp256k1::signing_only(); let sk = KeyPair::from_seckey_slice(&secp, &SK_BYTES).expect("sk"); // In fuzzing mode secret->public key derivation is different, so // hard-code the epected result. #[cfg(not(fuzzing))] let pk = XOnlyPublicKey::from_keypair(&s, &sk); #[cfg(fuzzing)] let pk = XOnlyPublicKey::from_slice(&[0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f, 0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d, 0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54, 0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66]).expect("pk"); assert_eq!( pk.to_string(), "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166" ); assert_eq!( XOnlyPublicKey::from_str("18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166") .unwrap(), pk ); assert!(XOnlyPublicKey::from_str( "00000000000000000000000000000000000000000000000000000000000000000" ) .is_err()); assert!(XOnlyPublicKey::from_str( "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd16601" ) .is_err()); assert!(XOnlyPublicKey::from_str( "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd16" ) .is_err()); assert!(XOnlyPublicKey::from_str( "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd1" ) .is_err()); assert!(XOnlyPublicKey::from_str( "xx18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd1" ) .is_err()); let long_str: String = iter::repeat('a').take(1024 * 1024).collect(); assert!(XOnlyPublicKey::from_str(&long_str).is_err()); } #[test] // In fuzzing mode secret->public key derivation is different, so // this test will never correctly derive the static pubkey. #[cfg(not(fuzzing))] fn test_pubkey_serialize() { struct DumbRng(u32); impl RngCore for DumbRng { fn next_u32(&mut self) -> u32 { self.0 = self.0.wrapping_add(1); self.0 } fn next_u64(&mut self) -> u64 { self.next_u32() as u64 } fn try_fill_bytes(&mut self, _dest: &mut [u8]) -> Result<(), Error> { Err(Error::new(ErrorKind::Unavailable, "not implemented")) } fn fill_bytes(&mut self, dest: &mut [u8]) { impls::fill_bytes_via_next(self, dest); } } let s = Secp256k1::new(); let (_, pubkey) = s.generate_schnorrsig_keypair(&mut DumbRng(0)); assert_eq!( &pubkey.serialize()[..], &[ 124, 121, 49, 14, 253, 63, 197, 50, 39, 194, 107, 17, 193, 219, 108, 154, 126, 9, 181, 248, 2, 12, 149, 233, 198, 71, 149, 134, 250, 184, 154, 229 ][..] ); } #[cfg(feature = "serde")] #[cfg(not(fuzzing))] // fixed sig vectors can't work with fuzz-sigs #[test] fn test_serde() { use serde_test::{assert_tokens, Configure, Token}; let s = Secp256k1::new(); let msg = Message::from_slice(&[1; 32]).unwrap(); let keypair = KeyPair::from_seckey_slice(&s, &[2; 32]).unwrap(); let aux = [3u8; 32]; let sig = s .sign_schnorr_with_aux_rand(&msg, &keypair, &aux); static SIG_BYTES: [u8; constants::SCHNORRSIG_SIGNATURE_SIZE] = [ 0x14, 0xd0, 0xbf, 0x1a, 0x89, 0x53, 0x50, 0x6f, 0xb4, 0x60, 0xf5, 0x8b, 0xe1, 0x41, 0xaf, 0x76, 0x7f, 0xd1, 0x12, 0x53, 0x5f, 0xb3, 0x92, 0x2e, 0xf2, 0x17, 0x30, 0x8e, 0x2c, 0x26, 0x70, 0x6f, 0x1e, 0xeb, 0x43, 0x2b, 0x3d, 0xba, 0x9a, 0x01, 0x08, 0x2f, 0x9e, 0x4d, 0x4e, 0xf5, 0x67, 0x8a, 0xd0, 0xd9, 0xd5, 0x32, 0xc0, 0xdf, 0xa9, 0x07, 0xb5, 0x68, 0x72, 0x2d, 0x0b, 0x01, 0x19, 0xba, ]; static SIG_STR: &'static str = "\ 14d0bf1a8953506fb460f58be141af767fd112535fb3922ef217308e2c26706f1eeb432b3dba9a01082f9e4d4ef5678ad0d9d532c0dfa907b568722d0b0119ba\ "; static PK_BYTES: [u8; 32] = [ 24, 132, 87, 129, 246, 49, 196, 143, 28, 151, 9, 226, 48, 146, 6, 125, 6, 131, 127, 48, 170, 12, 208, 84, 74, 200, 135, 254, 145, 221, 209, 102 ]; static PK_STR: &'static str = "\ 18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166\ "; let pk = XOnlyPublicKey::from_slice(&PK_BYTES).unwrap(); assert_tokens(&sig.compact(), &[Token::BorrowedBytes(&SIG_BYTES[..])]); assert_tokens(&sig.compact(), &[Token::Bytes(&SIG_BYTES[..])]); assert_tokens(&sig.compact(), &[Token::ByteBuf(&SIG_BYTES[..])]); assert_tokens(&sig.readable(), &[Token::BorrowedStr(SIG_STR)]); assert_tokens(&sig.readable(), &[Token::Str(SIG_STR)]); assert_tokens(&sig.readable(), &[Token::String(SIG_STR)]); assert_tokens(&pk.compact(), &[Token::BorrowedBytes(&PK_BYTES[..])]); assert_tokens(&pk.compact(), &[Token::Bytes(&PK_BYTES[..])]); assert_tokens(&pk.compact(), &[Token::ByteBuf(&PK_BYTES[..])]); assert_tokens(&pk.readable(), &[Token::BorrowedStr(PK_STR)]); assert_tokens(&pk.readable(), &[Token::Str(PK_STR)]); assert_tokens(&pk.readable(), &[Token::String(PK_STR)]); } #[test] fn test_addition() { let s = Secp256k1::new(); for _ in 0..10 { let mut tweak = [0u8; 32]; thread_rng().fill_bytes(&mut tweak); let (mut kp, mut pk) = s.generate_schnorrsig_keypair(&mut thread_rng()); let orig_pk = pk; kp.tweak_add_assign(&s, &tweak).expect("Tweak error"); let parity = pk.tweak_add_assign(&s, &tweak).expect("Tweak error"); assert_eq!(XOnlyPublicKey::from_keypair(&s, &kp), pk); assert!(orig_pk.tweak_add_check(&s, &pk, parity, tweak)); } } #[test] fn test_from_key_pubkey() { let kpk1 = ::key::PublicKey::from_str( "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443", ) .unwrap(); let kpk2 = ::key::PublicKey::from_str( "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07", ) .unwrap(); let pk1 = XOnlyPublicKey::from(kpk1); let pk2 = XOnlyPublicKey::from(kpk2); assert_eq!(pk1.serialize()[..], kpk1.serialize()[1..]); assert_eq!(pk2.serialize()[..], kpk2.serialize()[1..]); } }