Update schnorr_fun to latest BIP340 implementation

- Use new csv test file
- Use new hex module from secp25kfun

Author: LLFourn

schnorr_fun/Cargo.toml

@@ -21,10 +21,10 @@ serde = { version = "1.0", default-features = false, optional = true, features =
 
 [dev-dependencies]
 rand = { version = "0.7", features = ["wasm-bindgen"] }
-hex-literal = "0.2"
 lazy_static = "1.4"
 bincode = "1.0"
 sha2 = "0.9"
+secp256kfun = { path = "../secp256kfun", version = "^0.2.5-alpha.0", features = ["alloc"] }
 
 
 [target.'cfg(not(target_arch = "wasm32"))'.dev-dependencies]

schnorr_fun/src/adaptor/encrypted_signature.rs

@@ -11,7 +11,7 @@ use secp256kfun::{marker::*, Point, Scalar};
 )]
 pub struct EncryptedSignature<S = Public> {
     /// The `R` point in the signature
-    pub R: Point<SquareY, Public>,
+    pub R: Point<EvenY, Public>,
     /// The _one-time encrypted_ `s` value of the signature.
     pub s_hat: Scalar<S, Zero>,
     /// Whether the decryptor should negate their decryption key prior to decryption.

schnorr_fun/src/adaptor/mod.rs

@@ -105,7 +105,7 @@ where
             .mark::<NonZero>()
             .expect("computationally unreachable");
 
-        let (R, needs_negation) = R.into_point_with_y_choice::<SquareY>();
+        let (R, needs_negation) = R.into_point_with_even_y();
         // We correct r here but we can't correct the decryption key (y) so we
         // store in "needs_negation" whether the decryptor needs to negate their
         // key before decrypting it

schnorr_fun/src/schnorr.rs

@@ -105,7 +105,7 @@ where
             challenge_hash: CH::default(),
             nonce_gen,
         }
-        .add_protocol_tag("BIP340");
+        .add_protocol_tag("BIP0340");
 
         if let MessageKind::Plain { tag } = msgkind {
             nonce_challenge_bundle = nonce_challenge_bundle.add_application_tag(tag);
@@ -149,7 +149,7 @@ where
             public => [X, message]
         );
 
-        let R = XOnly::<SquareY>::from_scalar_mul(&self.G, &mut r);
+        let R = XOnly::from_scalar_mul(&self.G, &mut r);
         let c = self.challenge(&R, X, message);
         let s = s!(r + c * x).mark::<Public>();
 
@@ -205,18 +205,13 @@ impl<NG, CH: Digest<OutputSize = U32> + Clone, GT> Schnorr<CH, NG, GT> {
     /// let message = b"we rolled our own sign!".as_ref().mark::<Public>();
     /// let keypair = schnorr.new_keypair(Scalar::random(&mut rand::thread_rng()));
     /// let mut r = Scalar::random(&mut rand::thread_rng());
-    /// let R = XOnly::<SquareY>::from_scalar_mul(schnorr.G(), &mut r);
+    /// let R = XOnly::from_scalar_mul(schnorr.G(), &mut r);
     /// let challenge = schnorr.challenge(&R, keypair.public_key(), message);
     /// let s = s!(r + challenge * { keypair.secret_key() });
     /// let signature = Signature { R, s };
     /// assert!(schnorr.verify(&keypair.verification_key(), message, &signature));
     /// ```
-    pub fn challenge<S: Secrecy>(
-        &self,
-        R: &XOnly,
-        X: &XOnly,
-        m: Slice<'_, S>,
-    ) -> Scalar<S, Zero> {
+    pub fn challenge<S: Secrecy>(&self, R: &XOnly, X: &XOnly, m: Slice<'_, S>) -> Scalar<S, Zero> {
         let hash = self.nonce_challenge_bundle.challenge_hash.clone();
         let challenge = Scalar::from_hash(hash.add(R).add(X).add(&m));
         challenge
@@ -243,7 +238,8 @@ impl<NG, CH: Digest<OutputSize = U32> + Clone, GT> Schnorr<CH, NG, GT> {
         let X = public_key;
         let (R, s) = signature.as_tuple();
         let c = self.challenge(R, &X.to_xonly(), message);
-        g!(s * self.G - c * X) == *R
+        let R_tmp = g!(s * self.G - c * X).mark::<Normal>();
+        R_tmp == *R
     }
 
     /// _Anticipates_ a Schnorr signature given the nonce `R` that will be used ahead of time.
@@ -252,7 +248,7 @@ impl<NG, CH: Digest<OutputSize = U32> + Clone, GT> Schnorr<CH, NG, GT> {
     pub fn anticipate_signature(
         &self,
         X: &Point<EvenY, impl Secrecy>,
-        R: &Point<SquareY, impl Secrecy>,
+        R: &Point<EvenY, impl Secrecy>,
         m: Slice<'_, impl Secrecy>,
     ) -> Point<Jacobian, Public, Zero> {
         let c = self.challenge(&R.to_xonly(), &X.to_xonly(), m);

schnorr_fun/src/signature.rs

@@ -84,7 +84,7 @@ impl Signature<Public> {
     /// let random_signature = Signature::random(&mut rand::thread_rng());
     pub fn random<R: RngCore + CryptoRng>(rng: &mut R) -> Self {
         Signature {
-            R: XOnly::<SquareY>::random(rng),
+            R: XOnly::random(rng),
             s: Scalar::random(rng).mark::<(Zero, Public)>(),
         }
     }

schnorr_fun/tests/bip340.rs

@@ -1,6 +1,6 @@
-use hex_literal::hex;
 use schnorr_fun::{
     fun::{
+        hex,
         marker::*,
         nonce::{NonceRng, Synthetic},
         rand_core, Scalar, XOnly,
@@ -9,9 +9,11 @@ use schnorr_fun::{
 };
 use sha2::Sha256;
 
-struct AuxRng([u8; 32]);
+static BIP340_CSV: &'static str = include_str!("./test-vectors.csv");
 
-impl rand_core::RngCore for AuxRng {
+struct AuxRng<'a>(&'a [u8]);
+
+impl<'a> rand_core::RngCore for AuxRng<'a> {
     fn next_u32(&mut self) -> u32 {
         rand_core::impls::next_u32_via_fill(self)
     }
@@ -26,200 +28,76 @@ impl rand_core::RngCore for AuxRng {
     }
 }
 
-impl rand_core::CryptoRng for AuxRng {}
+impl<'a> rand_core::CryptoRng for AuxRng<'a> {}
 
-impl NonceRng for AuxRng {
+impl<'a> NonceRng for AuxRng<'a> {
     fn fill_bytes(&self, bytes: &mut [u8]) {
         bytes.copy_from_slice(&self.0[..])
     }
 }
 
-fn signing_test_vector(
-    secret_key: [u8; 32],
-    public_key: [u8; 32],
-    aux_rand: [u8; 32],
-    message: [u8; 32],
-    target_sig: [u8; 64],
-) {
-    let nonce_gen = Synthetic::<Sha256, _>::new(AuxRng(aux_rand));
-    let bip340 = Schnorr::<Sha256, _>::new(nonce_gen, MessageKind::Prehashed);
-    let secret_key = Scalar::from_bytes_mod_order(secret_key)
-        .mark::<NonZero>()
-        .unwrap();
-    let keypair = bip340.new_keypair(secret_key);
-    let message = message.as_ref().mark::<Public>();
-
-    assert_eq!(keypair.public_key().as_bytes(), &public_key);
-    let signature = bip340.sign(&keypair, message);
-    assert_eq!(signature.to_bytes().as_ref(), target_sig.as_ref());
-    assert!(bip340.verify(&keypair.verification_key(), message, &signature));
-}
-
-enum Outcome {
-    /// The signature was valid
-    Success,
-    /// The signature was invalid
-    Failure,
-    /// The public key was not on the curve
-    BadPublicKey,
-    /// The signature nonce was not on the curve
-    BadSignatureFormat,
+#[test]
+fn signing_test_vectors() {
+    use core::str::FromStr;
+
+    let lines: Vec<&str> = BIP340_CSV.split("\n").collect();
+
+    for line in &lines[1..5] {
+        let line: Vec<&str> = line.split(',').collect();
+        let aux_bytes = hex::decode(line[3]).unwrap();
+        let fake_rng = AuxRng(&aux_bytes[..]);
+        let bip340 = Schnorr::<Sha256, _, _>::new(
+            Synthetic::<Sha256, _>::new(fake_rng),
+            MessageKind::Prehashed,
+        );
+        let secret_key = Scalar::<Secret, NonZero>::from_str(line[1]).unwrap();
+        let expected_public_key = XOnly::from_str(line[2]).unwrap();
+        let keypair = bip340.new_keypair(secret_key);
+        assert_eq!(keypair.public_key(), &expected_public_key);
+        let message = hex::decode(line[4]).unwrap();
+        let signature = bip340.sign(&keypair, message.as_slice().mark::<Public>());
+        let expected_signature = Signature::<Public>::from_str(line[5]).unwrap();
+        assert_eq!(signature, expected_signature);
+    }
 }
 
-fn verification_test_vector(
-    public_key: [u8; 32],
-    message: [u8; 32],
-    sig: [u8; 64],
-    expected_outcome: Outcome,
-) {
+#[test]
+fn verification_test_vectors() {
+    use core::str::FromStr;
     let bip340 = Schnorr::<Sha256>::verify_only(MessageKind::Prehashed);
-    let message = message.as_ref().mark::<Public>();
-    use Outcome::*;
-    let public_key = {
-        let public_key = XOnly::from_bytes(public_key);
-        match expected_outcome {
-            BadPublicKey => return assert!(public_key.is_none()),
-            _ => public_key.unwrap(),
-        }
-    };
-
-    let signature = {
-        let signature = Signature::from_bytes(sig);
-        match expected_outcome {
-            BadSignatureFormat => return assert!(signature.is_none()),
-            _ => signature.unwrap(),
-        }
-    };
-
-    assert_eq!(
-        bip340.verify(&public_key.into(), message, &signature),
-        match expected_outcome {
-            Success => true,
-            Failure => false,
-            _ => unreachable!(),
-        },
-    )
-}
-
-secp256kfun::test_plus_wasm! {
-
-fn bip340_signing_vectors() {
-    signing_test_vector(
-        hex!("0000000000000000000000000000000000000000000000000000000000000003"),
-        hex!("F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9"),
-        hex!("0000000000000000000000000000000000000000000000000000000000000000"),
-        hex!("0000000000000000000000000000000000000000000000000000000000000000"),
-        hex!("067E337AD551B2276EC705E43F0920926A9CE08AC68159F9D258C9BBA412781C9F059FCDF4824F13B3D7C1305316F956704BB3FEA2C26142E18ACD90A90C947E")
-    );
-
-    signing_test_vector(
-        hex!("B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF"),
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("0000000000000000000000000000000000000000000000000000000000000001"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("0E12B8C520948A776753A96F21ABD7FDC2D7D0C0DDC90851BE17B04E75EF86A47EF0DA46C4DC4D0D1BCB8668C2CE16C54C7C23A6716EDE303AF86774917CF928")
-    );
-
-    signing_test_vector(
-        hex!("C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9"),
-        hex!("DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8"),
-        hex!("C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906"),
-        hex!("7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C"),
-        hex!("FC012F9FB8FE00A358F51EF93DCE0DC0C895F6E9A87C6C4905BC820B0C3677616B8737D14E703AF8E16E22E5B8F26227D41E5128F82D86F747244CC289C74D1D")
-    );
-
-    signing_test_vector(
-        hex!("0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710"),
-        hex!("25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517"),
-        hex!("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
-        hex!("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
-        hex!("FC132D4E426DFF535AEC0FA7083AC5118BC1D5FFFD848ABD8290C23F271CA0DD11AEDCEA3F55DA9BD677FE29C9DDA0CF878BCE43FDE0E313D69D1AF7A5AE8369")
-    );
-}
-
-fn bip340_verification_vectors() {
-    verification_test_vector(
-        hex!("D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9"),
-        hex!("4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703"),
-        hex!("00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C630EC50E5363E227ACAC6F542CE1C0B186657E0E0D1A6FFE283A33438DE4738419"),
-        Outcome::Success,
-    );
-
-    verification_test_vector(
-        hex!("EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("7036D6BFE1837AE919631039A2CF652A295DFAC9A8BBB0806014B2F48DD7C807941607B563ABBA414287F374A332BA3636DE009EE1EF551A17796B72B68B8A24"),
-        Outcome::BadPublicKey,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F995A579DA959FA739FCE39E8BD16FECB5CDCF97060B2C73CDE60E87ABCA1AA5D9"),
-        Outcome::Failure,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("F8704654F4687B7365ED32E796DE92761390A3BCC495179BFE073817B7ED32824E76B987F7C1F9A751EF5C343F7645D3CFFC7D570B9A7192EBF1898E1344E3BF"),
-        Outcome::Failure
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("7036D6BFE1837AE919631039A2CF652A295DFAC9A8BBB0806014B2F48DD7C8076BE9F84A9C5445BEBD780C8B5CCD45C883D0DC47CD594B21A858F31A19AAB71D"),
-        Outcome::Failure,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("74556372D3369E8C53E6B84B5D7EE9AE0220EB37A6EA5501EF828FBFBA90A864F6D108D88692535AEEE74170428F4C126A5B6E80D3D965007FF159F46E34B63F"),
-        Outcome::Failure,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("00000000000000000000000000000000000000000000000000000000000000009915EE59F07F9DBBAEDC31BFCC9B34AD49DE669CD24773BCED77DDA36D073EC8"),
-        Outcome::BadSignatureFormat,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("0000000000000000000000000000000000000000000000000000000000000001C7EC918B2B9CF34071BB54BED7EB4BB6BAB148E9A7E36E6B228F95DFA08B43EC"),
-        Outcome::Failure,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D941607B563ABBA414287F374A332BA3636DE009EE1EF551A17796B72B68B8A24"),
-        Outcome::BadSignatureFormat,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F941607B563ABBA414287F374A332BA3636DE009EE1EF551A17796B72B68B8A24"),
-        Outcome::BadSignatureFormat,
-    );
-
-    verification_test_vector(
-        hex!("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("7036D6BFE1837AE919631039A2CF652A295DFAC9A8BBB0806014B2F48DD7C807FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"),
-        Outcome::BadSignatureFormat,
-    );
-
-    verification_test_vector(
-        hex!("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30"),
-        hex!("243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89"),
-        hex!("74556372D3369E8C53E6B84B5D7EE9AE0220EB37A6EA5501EF828FBFBA90A864092EF727796DACA51118BE8FBD70B3EC50536E65DB6F3B3B3FE1049862018B02"),
-        Outcome::BadPublicKey,
-    )
-}
+    let lines: Vec<&str> = BIP340_CSV.split("\n").collect();
+    for line in &lines[5..16] {
+        let line: Vec<&str> = line.split(',').collect();
+
+        let public_key = match XOnly::from_str(line[2]) {
+            Ok(public_key) => public_key,
+            Err(e) => {
+                if line[6] == "TRUE" {
+                    panic!("{:?}", e);
+                } else {
+                    continue;
+                }
+            }
+        };
+        let message = hex::decode(line[4]).unwrap();
+        let signature = match Signature::<Public>::from_str(line[5]) {
+            Ok(signature) => signature,
+            Err(e) => {
+                if line[6] == "TRUE" {
+                    panic!("{:?}", e)
+                } else {
+                    continue;
+                }
+            }
+        };
+
+        println!("{:?}", line);
+        assert!(
+            bip340.verify(
+                &public_key.to_point(),
+                message.as_slice().mark::<Public>(),
+                &signature
+            ) == (line[6] == "TRUE")
+        );
+    }
 }