This fills in the remaining TODO sections in BIP-376

Author: lucia-w

bip-0376.mediawiki

@@ -146,11 +146,29 @@ These are new fields added to the existing PSBT format. Because PSBT is designed
 
 == Reference implementation ==
 
-'''''TODO'''''
+A Python reference implementation is provided in [[bip-0376/reference.py|<code>bip-0376/reference.py</code>]].
+
+It demonstrates the Signer behavior specified in this BIP:
+
+* Key derivation using ''d = (b<sub>spend</sub> + tweak) mod n''.
+* Key negation when ''d·G'' has odd y-coordinate.
+* Verification that the resulting x-only public key matches the output key ''P''.
+* BIP 340 signing with the derived key.
 
 === Test vectors ===
 
-'''''TODO'''''
+Machine-readable test vectors are provided in [[bip-0376/test-vectors.json|<code>bip-0376/test-vectors.json</code>]].
+
+The vector set includes:
+
+* Valid cases with and without key negation.
+* Invalid cases for output-key mismatch, zero tweaked key, and out-of-range spend key.
+
+The reference implementation can be run against the vectors with:
+
+<pre>
+./bip-0376/reference.py bip-0376/test-vectors.json
+</pre>
 
 == Appendix ==
 

bip-0376/reference.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+"""BIP-0376 reference implementation and test vector runner.
+
+Run:
+    ./bip-0376/reference.py bip-0376/test-vectors.json
+"""
+
+import json
+import sys
+import hashlib
+from pathlib import Path
+from typing import Optional, Tuple
+
+p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
+n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
+G = (
+    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
+    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
+)
+
+Point = Tuple[int, int]
+
+
+def tagged_hash(tag: str, msg: bytes) -> bytes:
+    tag_hash = hashlib.sha256(tag.encode("utf-8")).digest()
+    return hashlib.sha256(tag_hash + tag_hash + msg).digest()
+
+
+def int_from_bytes(data: bytes) -> int:
+    return int.from_bytes(data, byteorder="big")
+
+
+def bytes_from_int(x: int) -> bytes:
+    return x.to_bytes(32, byteorder="big")
+
+
+def has_even_y(P: Point) -> bool:
+    return (P[1] % 2) == 0
+
+
+def bytes_from_point(P: Point) -> bytes:
+    return bytes_from_int(P[0])
+
+
+def xor_bytes(a: bytes, b: bytes) -> bytes:
+    return bytes(x ^ y for (x, y) in zip(a, b))
+
+
+def lift_x(x_coord: int) -> Optional[Point]:
+    if x_coord >= p:
+        return None
+    y_sq = (pow(x_coord, 3, p) + 7) % p
+    y_coord = pow(y_sq, (p + 1) // 4, p)
+    if pow(y_coord, 2, p) != y_sq:
+        return None
+    return (x_coord, y_coord if (y_coord % 2) == 0 else p - y_coord)
+
+
+def point_add(P1: Optional[Point], P2: Optional[Point]) -> Optional[Point]:
+    if P1 is None:
+        return P2
+    if P2 is None:
+        return P1
+    if (P1[0] == P2[0]) and (P1[1] != P2[1]):
+        return None
+    if P1 == P2:
+        lam = (3 * P1[0] * P1[0] * pow(2 * P1[1], p - 2, p)) % p
+    else:
+        lam = ((P2[1] - P1[1]) * pow(P2[0] - P1[0], p - 2, p)) % p
+    x3 = (lam * lam - P1[0] - P2[0]) % p
+    y3 = (lam * (P1[0] - x3) - P1[1]) % p
+    return (x3, y3)
+
+
+def point_mul(P: Optional[Point], scalar: int) -> Optional[Point]:
+    R = None
+    for i in range(256):
+        if (scalar >> i) & 1:
+            R = point_add(R, P)
+        P = point_add(P, P)
+    return R
+
+
+def schnorr_verify(msg: bytes, pubkey: bytes, sig: bytes) -> bool:
+    if len(pubkey) != 32 or len(sig) != 64:
+        return False
+    P = lift_x(int_from_bytes(pubkey))
+    r = int_from_bytes(sig[0:32])
+    s = int_from_bytes(sig[32:64])
+    if P is None or r >= p or s >= n:
+        return False
+    e = int_from_bytes(tagged_hash("BIP0340/challenge", sig[0:32] + pubkey + msg)) % n
+    R = point_add(point_mul(G, s), point_mul(P, n - e))
+    if R is None:
+        return False
+    return has_even_y(R) and (R[0] == r)
+
+
+def schnorr_sign(msg: bytes, seckey: bytes, aux_rand: bytes) -> bytes:
+    d0 = int_from_bytes(seckey)
+    if not (1 <= d0 <= n - 1):
+        raise ValueError("The secret key must be in the range 1..n-1.")
+    if len(aux_rand) != 32:
+        raise ValueError("aux_rand must be 32 bytes.")
+    P = point_mul(G, d0)
+    assert P is not None
+    d = d0 if has_even_y(P) else n - d0
+    t = xor_bytes(bytes_from_int(d), tagged_hash("BIP0340/aux", aux_rand))
+    k0 = int_from_bytes(tagged_hash("BIP0340/nonce", t + bytes_from_point(P) + msg)) % n
+    if k0 == 0:
+        raise RuntimeError("Failure. This happens only with negligible probability.")
+    R = point_mul(G, k0)
+    assert R is not None
+    k = k0 if has_even_y(R) else n - k0
+    e = int_from_bytes(tagged_hash("BIP0340/challenge", bytes_from_point(R) + bytes_from_point(P) + msg)) % n
+    sig = bytes_from_point(R) + bytes_from_int((k + e * d) % n)
+    if not schnorr_verify(msg, bytes_from_point(P), sig):
+        raise RuntimeError("The created signature does not pass verification.")
+    return sig
+
+
+def parse_hex(data: str, expected_len: int, field_name: str) -> bytes:
+    raw = bytes.fromhex(data)
+    if len(raw) != expected_len:
+        raise ValueError(f"{field_name} must be {expected_len} bytes.")
+    return raw
+
+
+def derive_signing_key(spend_seckey: bytes, tweak: bytes, output_pubkey: bytes) -> Tuple[int, int, bool]:
+    b_spend = int_from_bytes(spend_seckey)
+    if not (1 <= b_spend <= n - 1):
+        raise ValueError("spend key out of range")
+
+    tweak_int = int_from_bytes(tweak)
+    d_raw = (b_spend + tweak_int) % n
+    if d_raw == 0:
+        raise ValueError("tweaked private key is zero")
+
+    Q = point_mul(G, d_raw)
+    assert Q is not None
+    negated = not has_even_y(Q)
+    d = d_raw if not negated else n - d_raw
+
+    Q_even = point_mul(G, d)
+    assert Q_even is not None
+    if bytes_from_point(Q_even) != output_pubkey:
+        raise ValueError("tweaked key does not match output key")
+
+    return d_raw, d, negated
+
+
+def run_test_vectors(path: Path) -> bool:
+    vectors = json.loads(path.read_text(encoding="utf-8"))
+    all_passed = True
+
+    valid_vectors = vectors.get("valid", [])
+    invalid_vectors = vectors.get("invalid", [])
+
+    print(f"Running {len(valid_vectors)} valid vectors")
+    for index, vector in enumerate(valid_vectors):
+        description = vector["description"]
+        given = vector["given"]
+        expected = vector["expected"]
+        print(f"- valid[{index}] {description}")
+        try:
+            spend_seckey = parse_hex(given["spend_seckey"], 32, "spend_seckey")
+            tweak = parse_hex(given["tweak"], 32, "tweak")
+            output_pubkey = parse_hex(given["output_pubkey"], 32, "output_pubkey")
+            message = parse_hex(given["message"], 32, "message")
+            aux_rand = parse_hex(given["aux_rand"], 32, "aux_rand")
+
+            d_raw, d, negated = derive_signing_key(spend_seckey, tweak, output_pubkey)
+            signature = schnorr_sign(message, bytes_from_int(d), aux_rand)
+
+            assert bytes_from_int(d_raw).hex() == expected["raw_tweaked_seckey"]
+            assert negated == expected["negated"]
+            assert bytes_from_int(d).hex() == expected["final_seckey"]
+            assert signature.hex() == expected["signature"]
+        except Exception as exc:
+            all_passed = False
+            print(f"  FAILED: {exc}")
+
+    print(f"Running {len(invalid_vectors)} invalid vectors")
+    for index, vector in enumerate(invalid_vectors):
+        description = vector["description"]
+        given = vector["given"]
+        error_substr = vector["error_substr"]
+        print(f"- invalid[{index}] {description}")
+        try:
+            spend_seckey = parse_hex(given["spend_seckey"], 32, "spend_seckey")
+            tweak = parse_hex(given["tweak"], 32, "tweak")
+            output_pubkey = parse_hex(given["output_pubkey"], 32, "output_pubkey")
+            derive_signing_key(spend_seckey, tweak, output_pubkey)
+            all_passed = False
+            print("  FAILED: expected an exception")
+        except Exception as exc:
+            if error_substr not in str(exc):
+                all_passed = False
+                print(f"  FAILED: wrong error, got: {exc}")
+
+    print("All test vectors passed." if all_passed else "Some test vectors failed.")
+    return all_passed
+
+
+def main() -> int:
+    if len(sys.argv) > 2:
+        print(f"Usage: {sys.argv[0]} [test-vectors.json]")
+        return 1
+
+    if len(sys.argv) == 2:
+        vector_path = Path(sys.argv[1])
+    else:
+        vector_path = Path(__file__).with_name("test-vectors.json")
+
+    if not vector_path.is_file():
+        print(f"Vector file not found: {vector_path}")
+        return 1
+
+    return 0 if run_test_vectors(vector_path) else 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

bip-0376/test-vectors.json

@@ -0,0 +1,65 @@
+{
+  "valid": [
+    {
+      "description": "No negation required; tweaked key directly matches output key",
+      "given": {
+        "spend_seckey": "26c6ca8d553ebf5633cad2f5becd608acb99bfade1005254aa59bc4fc372985a",
+        "tweak": "ac7b0d0420f0d4a567d9abcb8a52e02cfae21690fd8d2d5934370dcc5aaee221",
+        "output_pubkey": "528b75296fa646acecf3fcb7c7697f92f7645ea0e41e6ee8a66554739d2da028",
+        "message": "289e5175e02c788c2d442cfe81d6be0533d8c13e253ef763fda45d37accfe4d4",
+        "aux_rand": "a617dfb275f834e26a6f0c94052dd88982c86297dba990fd96645026e7c69e10"
+      },
+      "expected": {
+        "raw_tweaked_seckey": "d341d791762f93fb9ba47ec1492040b7c67bd63ede8d7fadde90ca1c1e217a7b",
+        "negated": false,
+        "final_seckey": "d341d791762f93fb9ba47ec1492040b7c67bd63ede8d7fadde90ca1c1e217a7b",
+        "signature": "d0c4f5ee3768c03a8d8e1204b8e52c6a4ded1f456d0f1707e7841928945c5a45bc1c0bc671d79612ef1c67a54bd50d653ce3d33c1fd966ce9a91e053f9417778"
+      }
+    },
+    {
+      "description": "Negation required because (b_spend + tweak)G has odd Y",
+      "given": {
+        "spend_seckey": "26c6ca8d553ebf5633cad2f5becd608acb99bfade1005254aa59bc4fc372985a",
+        "tweak": "58e2385eb96d1c906bbd807eafd1fddb80fb2f43026a16386a400e6832644cbc",
+        "output_pubkey": "db0edc417c73c567add118de8d138b2d0b64083f0a1bd8e876936415de7edc46",
+        "message": "a78521e49048b6e0d368d3fba417fc20c7546272dafa78a8a173fcca6c81233b",
+        "aux_rand": "6b31977a8ac73ede3f3653ea0d96bc3656242461e31d771985a0b17084d3cf91"
+      },
+      "expected": {
+        "raw_tweaked_seckey": "7fa902ec0eabdbe69f8853746e9f5e664c94eef0e36a688d1499cab7f5d6e516",
+        "negated": true,
+        "final_seckey": "8056fd13f15424196077ac8b9160a1986e19edf5cbde37aeab3893d4da5f5c2b",
+        "signature": "3df67213afd895a833bc046e9455c77a7e40165638ad489669a5c498d4d71ab565a9c54abda2e23e931f7a0f78a9f151bba07b8400b7b96d24f857c8ba65c022"
+      }
+    }
+  ],
+  "invalid": [
+    {
+      "description": "Tweaked key does not match output key",
+      "given": {
+        "spend_seckey": "26c6ca8d553ebf5633cad2f5becd608acb99bfade1005254aa59bc4fc372985a",
+        "tweak": "ac7b0d0420f0d4a567d9abcb8a52e02cfae21690fd8d2d5934370dcc5aaee221",
+        "output_pubkey": "528b75296fa646acecf3fcb7c7697f92f7645ea0e41e6ee8a66554739d2da029"
+      },
+      "error_substr": "tweaked key does not match output key"
+    },
+    {
+      "description": "Tweaked private key is zero",
+      "given": {
+        "spend_seckey": "26c6ca8d553ebf5633cad2f5becd608acb99bfade1005254aa59bc4fc372985a",
+        "tweak": "d9393572aac140a9cc352d0a41329f73ef151d38ce484de71578a23d0cc3a8e7",
+        "output_pubkey": "528b75296fa646acecf3fcb7c7697f92f7645ea0e41e6ee8a66554739d2da028"
+      },
+      "error_substr": "tweaked private key is zero"
+    },
+    {
+      "description": "Spend key out of range",
+      "given": {
+        "spend_seckey": "0000000000000000000000000000000000000000000000000000000000000000",
+        "tweak": "ac7b0d0420f0d4a567d9abcb8a52e02cfae21690fd8d2d5934370dcc5aaee221",
+        "output_pubkey": "528b75296fa646acecf3fcb7c7697f92f7645ea0e41e6ee8a66554739d2da028"
+      },
+      "error_substr": "spend key out of range"
+    }
+  ]
+}