From 1473e4d4951e5f46e25cad1891c0734e2cb5a836 Mon Sep 17 00:00:00 2001
From: Philip Glazman <8378656+philipglazman@users.noreply.github.com>
Date: Tue, 17 Nov 2020 17:39:30 -0800
Subject: [PATCH 1/4] schnorr default signing and verify

---
 btcec/schnorr.go      | 279 ++++++++++++++++++++++++++++++++++++++++++
 btcec/schnorr_test.go | 177 +++++++++++++++++++++++++++
 btcec/signature.go    |  11 ++
 3 files changed, 467 insertions(+)
 create mode 100644 btcec/schnorr.go
 create mode 100644 btcec/schnorr_test.go

diff --git a/btcec/schnorr.go b/btcec/schnorr.go
new file mode 100644
index 0000000000..8f08e46dc9
--- /dev/null
+++ b/btcec/schnorr.go
@@ -0,0 +1,279 @@
+package btcec
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+
+	"math/big"
+)
+
+const (
+	schnorrPublicKeyLen = 32
+	schnorrMessageLen = 32
+	schnorrSignatureLen = 64
+	schnorrAuxLen = 32
+
+	// sha256("BIP0340/challenge")
+	BIP340Challenge = "7bb52d7a9fef58323eb1bf7a407db382d2f3f2d81bb1224f49fe518f6d48d37ctag"
+
+	// sha256("BIP0340/aux")
+	BIP340Aux = "f1ef4e5ec063cada6d94cafa9d987ea069265839ecc11f972d77a52ed8c1cc90tag"
+
+	// sha256("BIP0340/nonce")
+	BIP340Nonce = "07497734a79bcb355b9b8c7d034f121cf434d73ef72dda19870061fb52bfeb2ftag"
+)
+
+
+// SchnorrSign signs a message using the schnorr signature algorithm scheme outlined in BIP340.
+// Message must be 32 bytes.
+// An optional auxiliary random data byte slice can be provided that must be 32 bytes.
+func (p *PrivateKey) SchnorrSign(message, aux []byte) ([64]byte, error) {
+	return schnorrSign(p.D.Bytes(), message, aux)
+}
+
+// SchnorrVerify verifies a schnorr signature.
+// Message, public key, and signature must be 32 bytes.
+func SchnorrVerify(msg, publicKey, signature []byte) (bool, error){
+	return schnorrVerify(msg, publicKey, signature)
+}
+
+// hasEvenY checks that the Point P's y-coordinate is even.
+func hasEvenY(Py *big.Int) bool {
+	// P cannot be infinite.
+	if Py.Cmp(big.NewInt(0)) == 0 {
+		return false
+	}
+
+	// y(P) mod 2 == 0
+	return new(big.Int).Mod(Py, two).Cmp(zero) == 0
+}
+
+// schnorrSign implements BIP340's default signing algorithm.
+func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error){
+	// Message must be 32 bytes.
+	if l := len(msg); l != schnorrMessageLen {
+		return sig, fmt.Errorf("message is not 32 bytes : got %d, want %d", l, schnorrMessageLen)
+	}
+
+	// Auxiliary data must either be 32 bytes or 0.
+	if l := len(a); l != schnorrAuxLen && l != 0 {
+		return sig, fmt.Errorf("auxillary data is not 32 bytes : got %d, want %d", l, schnorrMessageLen)
+	}
+
+	curve := S256()
+
+	// n is the curve order.
+	n := curve.N
+
+	e := new(big.Int)
+
+	// Nonce k.
+	k := new(big.Int)
+
+	s := new(big.Int)
+
+	// d is the private key integer.
+	d := new(big.Int).SetBytes(privKey)
+
+	// d cannot be zero or greater than the curve order.
+	if d.Cmp(one) < 0 || d.Cmp(new(big.Int).Sub(n, one)) > 0 {
+		return sig, errors.New("private key must be an integer in the range 1..n-1")
+	}
+
+	// P = d*G
+	Px, Py := curve.ScalarBaseMult(d.Bytes())
+
+	// If y(p) is not even, then negate d.
+	if !hasEvenY(Py) {
+		// d = n - d
+		d = d.Sub(n, d)
+	}
+
+	// t is the byte-wise xor of d and the taggedHash(BIP0340/aux | a)
+	t0 := new(big.Int).SetBytes(taggedHash(BIP340Aux, a))
+	t := t0.Xor(d, t0)
+
+	// Get a deterministic nonce k.
+	{
+		m := make([]byte, 96)
+		copy(m[:32], t.Bytes())
+		copy(m[32:64], Px.Bytes())
+		copy(m[64:], msg)
+
+		// rand = sha256(BIP0340/nonce || (t || P || m))
+		k.SetBytes(taggedHash(BIP340Nonce, m))
+
+		// k = rand mod n
+		k.Mod(k, n)
+
+		// k cannot be zero.
+		if k.Cmp(zero) == 0 {
+			return sig, errors.New("k is 0")
+		}
+	}
+
+	// R = k*G
+	Rx, Ry := curve.ScalarBaseMult(k.Bytes())
+
+	// Negate k if y(R) is odd.
+	if !hasEvenY(Ry) {
+		k.Sub(n, k)
+	}
+
+	// e = int(hashBIP0340/challenge(R || P || m)) mod n
+	{
+		m := make([]byte, 96)
+		copy(m[:32], Rx.Bytes())
+		copy(m[32:64], Px.Bytes())
+		copy(m[64:], msg)
+		e.SetBytes(taggedHash(BIP340Challenge,m))
+		e.Mod(e,n)
+	}
+
+	// (k + ed) mod n
+	s.Mul(e, d)
+	s.Add(k, s)
+	s.Mod(s, n)
+
+	// Signature is (x(R), s).
+	copy(sig[:32], Rx.Bytes())
+	copy(sig[32:], s.Bytes())
+
+	// Verify signature before returning.
+	if verify, err := schnorrVerify(msg, Px.Bytes(), sig[:]); !verify || err != nil {
+		return sig, errors.New("cannot create signature")
+	}
+
+	return sig, nil
+}
+
+func liftX(key []byte) (*big.Int, *big.Int, error) {
+	x := new(big.Int).SetBytes(key)
+
+	// p is field size.
+	p := S256().P
+
+	if x.Cmp(p) >= 0 {
+		return nil, nil, errors.New("inf")
+	}
+
+	// c = x^3 + 7 mod P.
+	c := new(big.Int)
+	c.Exp(x,three, p)
+	c.Add(c, seven)
+	c.Mod(c,p)
+
+	// y = c^((p+1)/4) mod P.
+	y := new(big.Int)
+	y.Add(p, one)
+	y.Div(y, four)
+	y.Exp(c, y, p)
+
+	if new(big.Int).And(y, one).Cmp(zero) != 0 {
+		y.Sub(p, y)
+	}
+
+	return x, y, nil
+}
+
+func schnorrVerify(msg, publicKey, signature []byte) (bool, error){
+	if l := len(msg); l != schnorrMessageLen {
+		return false, fmt.Errorf("message is not 32 bytes : got %d, want %d", l, schnorrMessageLen)
+	}
+
+	if l := len(publicKey); l != schnorrPublicKeyLen {
+		return false, fmt.Errorf("public key is not 32 bytes : got %d, want %d", l, schnorrPublicKeyLen)
+	}
+
+	if l := len(signature); l != schnorrSignatureLen {
+		return false, fmt.Errorf("signature is not 32 bytes : got %d, want %d", l, schnorrSignatureLen)
+	}
+
+	curve := S256()
+
+	// n is the curve order.
+	n := curve.N
+
+	p := curve.P
+
+	r := new(big.Int)
+	s := new(big.Int)
+
+	e := new(big.Int)
+
+	// Get Point P from the x-coordinate.
+	Px, Py, err := liftX(publicKey[:])
+	if err != nil {
+		return false, err
+	}
+
+	// Check that P is on the curve.
+	if !curve.IsOnCurve(Px, Py) {
+		return false, errors.New("public key is not on the curve")
+	}
+
+	r.SetBytes(signature[:32])
+	s.SetBytes(signature[32:])
+
+	// Fail if s >= n
+	if s.Cmp(n) >= 0  {
+		return false, nil
+	}
+
+	// Fail if r >= p
+	if r.Cmp(p) >= 0 {
+		return false, nil
+	}
+
+	// e = sha256(hashBIP0340/challenge || r || P || m) mod n.
+	{
+		m := make([]byte, 96)
+		copy(m[:32], signature[:32])
+		copy(m[32:64], publicKey)
+		copy(m[64:], msg)
+		e.SetBytes(taggedHash(BIP340Challenge, m))
+		e.Mod(e, n)
+	}
+
+	// s*G
+	sGx, sGy := curve.ScalarBaseMult(s.Bytes())
+
+	// (n - e)*P
+	ePx, ePy := curve.ScalarMult(Px, Py, new(big.Int).Sub(n, e).Bytes())
+
+	// R = s*G + (N-e)*P
+	Rx, Ry := curve.Add(sGx, sGy, ePx, ePy)
+
+	// Fail if R is at infinity.
+	if Rx.Cmp(zero) == 0 || Ry.Cmp(zero) == 0 {
+		return false, nil
+	}
+
+	// Fail if y(R) is not even
+	if !hasEvenY(Ry) {
+		return false, nil
+	}
+
+	// Fail if x(R) != r
+	if Rx.Cmp(r) != 0 {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func taggedHash(tag string, msg []byte)  []byte {
+	tagHash, _ := hex.DecodeString(tag)
+
+	tagLen := len(tagHash)
+	msgLen := len(msg)
+
+	m := make([]byte, tagLen*2 + msgLen)
+	copy(m[:tagLen], tagHash)
+	copy(m[tagLen:tagLen*2], tagHash)
+	copy(m[tagLen*2:], msg)
+	h := sha256.Sum256(m)
+	return h[:]
+}
\ No newline at end of file
diff --git a/btcec/schnorr_test.go b/btcec/schnorr_test.go
new file mode 100644
index 0000000000..726c1abe05
--- /dev/null
+++ b/btcec/schnorr_test.go
@@ -0,0 +1,177 @@
+package btcec
+
+import (
+	"encoding/hex"
+	"strings"
+	"testing"
+)
+
+type bip340Test struct {
+	secretKey string
+	publicKey string
+	auxRand string
+	message string
+	signature string
+	verifyResult bool
+}
+
+var bip340TestVectors = []bip340Test{
+	{
+		secretKey: "0000000000000000000000000000000000000000000000000000000000000003",
+		publicKey: "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9",
+		auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
+		message: "0000000000000000000000000000000000000000000000000000000000000000",
+		signature: "E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0",
+		verifyResult: true,
+	},
+	{
+		secretKey: "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF",
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		auxRand: "0000000000000000000000000000000000000000000000000000000000000001",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature: "6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A",
+		verifyResult: true,
+	},
+	{
+		secretKey: "C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9",
+		publicKey: "DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8",
+		auxRand: "C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906",
+		message: "7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
+		signature: "5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7",
+		verifyResult: true,
+	},
+	{
+		secretKey: "0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710",
+		publicKey: "25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517",
+		auxRand: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+		message: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+		signature: "7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3",
+		verifyResult: true,
+	},
+}
+
+type bip340VerifyTest struct {
+	publicKey string
+	message string
+	signature string
+	verifyResult bool
+}
+
+var bip340VerifyTestVectors = []bip340VerifyTest{
+	{
+		publicKey: "D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9",
+		message: "4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703",
+		signature:"00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4",
+		verifyResult: true,
+	},
+	{
+		publicKey: "EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		verifyResult: false,
+	},
+	{
+		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
+		verifyResult: false,
+	},
+	{
+		publicKey: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30",
+		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		verifyResult: false,
+	},
+}
+
+
+func TestSchnorrSign(t *testing.T) {
+	for _, test := range bip340TestVectors {
+		d := decodeHex(test.secretKey)
+		privKey, _ := PrivKeyFromBytes(S256(), d)
+
+		aux := decodeHex(test.auxRand)
+		msg := decodeHex(test.message)
+
+		sig, err := privKey.SchnorrSign(msg, aux)
+		if err != nil {
+			t.Fail()
+		}
+
+		if strings.ToUpper(hex.EncodeToString(sig[:])) != test.signature {
+			t.Fail()
+		}
+
+		pubKey := decodeHex(test.publicKey)
+
+		verify, err := schnorrVerify(msg, pubKey, sig[:])
+		if err != nil {
+			t.Fail()
+		}
+
+		if test.verifyResult != verify {
+			t.Fail()
+		}
+	}
+}
+
+func TestSchnorrVerify(t *testing.T) {
+	for _, test := range bip340VerifyTestVectors {
+		pubKey := decodeHex(test.publicKey)
+
+		msg := decodeHex(test.message)
+
+		sig := decodeHex(test.signature)
+
+		verify, err := SchnorrVerify(msg, pubKey[:], sig[:])
+		if err != nil && test.verifyResult {
+			t.Fail()
+		}
+
+		if test.verifyResult != verify {
+			t.Fail()
+		}
+	}
+}
diff --git a/btcec/signature.go b/btcec/signature.go
index deedd172d8..1fc2ecf9ab 100644
--- a/btcec/signature.go
+++ b/btcec/signature.go
@@ -29,9 +29,20 @@ type Signature struct {
 }
 
 var (
+
+	zero = big.NewInt(0)
+
 	// Used in RFC6979 implementation when testing the nonce for correctness
 	one = big.NewInt(1)
 
+	two = big.NewInt(2)
+
+	three = big.NewInt(3)
+
+	four = big.NewInt(4)
+
+	seven = big.NewInt(7)
+
 	// oneInitializer is used to fill a byte slice with byte 0x01.  It is provided
 	// here to avoid the need to create it multiple times.
 	oneInitializer = []byte{0x01}

From 6c0f5255f6349e475ee3769f6d47d61c3401897e Mon Sep 17 00:00:00 2001
From: Philip Glazman <8378656+philipglazman@users.noreply.github.com>
Date: Wed, 18 Nov 2020 21:57:21 -0800
Subject: [PATCH 2/4] schnorr public key type and conversion. allow compressed
 public keys to be converted to schnorr

---
 btcec/privkey.go      |   6 ++
 btcec/schnorr.go      |  80 +++++++++++----
 btcec/schnorr_test.go | 220 +++++++++++++++++++++++++-----------------
 btcec/signature.go    |   1 -
 4 files changed, 201 insertions(+), 106 deletions(-)

diff --git a/btcec/privkey.go b/btcec/privkey.go
index 676a8c3fb0..dddcd31214 100644
--- a/btcec/privkey.go
+++ b/btcec/privkey.go
@@ -49,6 +49,12 @@ func (p *PrivateKey) PubKey() *PublicKey {
 	return (*PublicKey)(&p.PublicKey)
 }
 
+// SchnorrPubKey returns the PublicKey corresponding to this private key.
+// Unlike the ecdsa.PublicKey, the schnorr public key has a different 32 byte format.
+func (p *PrivateKey) SchnorrPubKey() *SchnorrPublicKey {
+	return &SchnorrPublicKey{x: p.X}
+}
+
 // ToECDSA returns the private key as a *ecdsa.PrivateKey.
 func (p *PrivateKey) ToECDSA() *ecdsa.PrivateKey {
 	return (*ecdsa.PrivateKey)(p)
diff --git a/btcec/schnorr.go b/btcec/schnorr.go
index 8f08e46dc9..b51fc3b6f1 100644
--- a/btcec/schnorr.go
+++ b/btcec/schnorr.go
@@ -5,26 +5,72 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-
 	"math/big"
 )
 
 const (
 	schnorrPublicKeyLen = 32
-	schnorrMessageLen = 32
+	schnorrMessageLen   = 32
 	schnorrSignatureLen = 64
-	schnorrAuxLen = 32
+	schnorrAuxLen       = 32
 
-	// sha256("BIP0340/challenge")
+	// BIP340Challenge is sha256("BIP0340/challenge")
 	BIP340Challenge = "7bb52d7a9fef58323eb1bf7a407db382d2f3f2d81bb1224f49fe518f6d48d37ctag"
 
-	// sha256("BIP0340/aux")
+	// BIP340Aux is sha256("BIP0340/aux")
 	BIP340Aux = "f1ef4e5ec063cada6d94cafa9d987ea069265839ecc11f972d77a52ed8c1cc90tag"
 
-	// sha256("BIP0340/nonce")
+	// BIP340Nonce is sha256("BIP0340/nonce")
 	BIP340Nonce = "07497734a79bcb355b9b8c7d034f121cf434d73ef72dda19870061fb52bfeb2ftag"
 )
 
+// SchnorrPublicKey is the x-coordinate of a public key that can be used with schnorr.
+type SchnorrPublicKey struct{ x *big.Int }
+
+// Serialize returns x(P) in a 32 byte slice.
+func (p *SchnorrPublicKey) Serialize() []byte {
+	return p.x.Bytes()
+}
+
+// ParseSchnorrPubKey parses a public key, verifies it is valid, and returns the schnorr key.
+func ParseSchnorrPubKey(pubKeyStr []byte) (*SchnorrPublicKey, error) {
+	if len(pubKeyStr) == 0 {
+		return nil, errors.New("pubkey string is empty")
+	}
+
+	switch len(pubKeyStr) {
+	// If key is 33 bytes, check if it using the compressed encoding.
+	// If so, then it is safe to drop the first byte.
+	case PubKeyBytesLenCompressed:
+		format := pubKeyStr[0]
+		format &= ^byte(0x1)
+
+		if format != pubkeyCompressed {
+			return nil, fmt.Errorf("invalid magic in compressed "+
+				"pubkey string: %d", pubKeyStr[0])
+		}
+
+		// Drop first byte.
+		pubKeyStr = pubKeyStr[1:]
+	case schnorrPublicKeyLen:
+	default:
+		return nil, fmt.Errorf("pubkey length invalid : got %d want %d", len(pubKeyStr), schnorrPublicKeyLen)
+	}
+
+	x := new(big.Int)
+	x.SetBytes(pubKeyStr)
+
+	Px, Py, err := liftX(pubKeyStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid pubkey")
+	}
+
+	if !S256().IsOnCurve(Px, Py) {
+		return nil, fmt.Errorf("pubkey is not on curve")
+	}
+
+	return &SchnorrPublicKey{x: x}, nil
+}
 
 // SchnorrSign signs a message using the schnorr signature algorithm scheme outlined in BIP340.
 // Message must be 32 bytes.
@@ -35,7 +81,7 @@ func (p *PrivateKey) SchnorrSign(message, aux []byte) ([64]byte, error) {
 
 // SchnorrVerify verifies a schnorr signature.
 // Message, public key, and signature must be 32 bytes.
-func SchnorrVerify(msg, publicKey, signature []byte) (bool, error){
+func SchnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 	return schnorrVerify(msg, publicKey, signature)
 }
 
@@ -51,7 +97,7 @@ func hasEvenY(Py *big.Int) bool {
 }
 
 // schnorrSign implements BIP340's default signing algorithm.
-func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error){
+func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 	// Message must be 32 bytes.
 	if l := len(msg); l != schnorrMessageLen {
 		return sig, fmt.Errorf("message is not 32 bytes : got %d, want %d", l, schnorrMessageLen)
@@ -128,8 +174,8 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error){
 		copy(m[:32], Rx.Bytes())
 		copy(m[32:64], Px.Bytes())
 		copy(m[64:], msg)
-		e.SetBytes(taggedHash(BIP340Challenge,m))
-		e.Mod(e,n)
+		e.SetBytes(taggedHash(BIP340Challenge, m))
+		e.Mod(e, n)
 	}
 
 	// (k + ed) mod n
@@ -161,9 +207,9 @@ func liftX(key []byte) (*big.Int, *big.Int, error) {
 
 	// c = x^3 + 7 mod P.
 	c := new(big.Int)
-	c.Exp(x,three, p)
+	c.Exp(x, three, p)
 	c.Add(c, seven)
-	c.Mod(c,p)
+	c.Mod(c, p)
 
 	// y = c^((p+1)/4) mod P.
 	y := new(big.Int)
@@ -178,7 +224,7 @@ func liftX(key []byte) (*big.Int, *big.Int, error) {
 	return x, y, nil
 }
 
-func schnorrVerify(msg, publicKey, signature []byte) (bool, error){
+func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 	if l := len(msg); l != schnorrMessageLen {
 		return false, fmt.Errorf("message is not 32 bytes : got %d, want %d", l, schnorrMessageLen)
 	}
@@ -218,7 +264,7 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error){
 	s.SetBytes(signature[32:])
 
 	// Fail if s >= n
-	if s.Cmp(n) >= 0  {
+	if s.Cmp(n) >= 0 {
 		return false, nil
 	}
 
@@ -264,16 +310,16 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error){
 	return true, nil
 }
 
-func taggedHash(tag string, msg []byte)  []byte {
+func taggedHash(tag string, msg []byte) []byte {
 	tagHash, _ := hex.DecodeString(tag)
 
 	tagLen := len(tagHash)
 	msgLen := len(msg)
 
-	m := make([]byte, tagLen*2 + msgLen)
+	m := make([]byte, tagLen*2+msgLen)
 	copy(m[:tagLen], tagHash)
 	copy(m[tagLen:tagLen*2], tagHash)
 	copy(m[tagLen*2:], msg)
 	h := sha256.Sum256(m)
 	return h[:]
-}
\ No newline at end of file
+}
diff --git a/btcec/schnorr_test.go b/btcec/schnorr_test.go
index 726c1abe05..e3ab454fbe 100644
--- a/btcec/schnorr_test.go
+++ b/btcec/schnorr_test.go
@@ -1,164 +1,172 @@
 package btcec
 
 import (
+	"bytes"
 	"encoding/hex"
 	"strings"
 	"testing"
 )
 
 type bip340Test struct {
-	secretKey string
-	publicKey string
-	auxRand string
-	message string
-	signature string
+	secretKey    string
+	publicKey    string
+	auxRand      string
+	message      string
+	signature    string
 	verifyResult bool
+	validPubKey  bool
 }
 
 var bip340TestVectors = []bip340Test{
 	{
-		secretKey: "0000000000000000000000000000000000000000000000000000000000000003",
-		publicKey: "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9",
-		auxRand: "0000000000000000000000000000000000000000000000000000000000000000",
-		message: "0000000000000000000000000000000000000000000000000000000000000000",
-		signature: "E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0",
+		secretKey:    "0000000000000000000000000000000000000000000000000000000000000003",
+		publicKey:    "F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9",
+		auxRand:      "0000000000000000000000000000000000000000000000000000000000000000",
+		message:      "0000000000000000000000000000000000000000000000000000000000000000",
+		signature:    "E907831F80848D1069A5371B402410364BDF1C5F8307B0084C55F1CE2DCA821525F66A4A85EA8B71E482A74F382D2CE5EBEEE8FDB2172F477DF4900D310536C0",
 		verifyResult: true,
+		validPubKey:  true,
 	},
 	{
-		secretKey: "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF",
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		auxRand: "0000000000000000000000000000000000000000000000000000000000000001",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature: "6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A",
+		secretKey:    "B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		auxRand:      "0000000000000000000000000000000000000000000000000000000000000001",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "6896BD60EEAE296DB48A229FF71DFE071BDE413E6D43F917DC8DCF8C78DE33418906D11AC976ABCCB20B091292BFF4EA897EFCB639EA871CFA95F6DE339E4B0A",
 		verifyResult: true,
+		validPubKey:  true,
 	},
 	{
-		secretKey: "C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9",
-		publicKey: "DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8",
-		auxRand: "C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906",
-		message: "7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
-		signature: "5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7",
+		secretKey:    "C90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B14E5C9",
+		publicKey:    "DD308AFEC5777E13121FA72B9CC1B7CC0139715309B086C960E18FD969774EB8",
+		auxRand:      "C87AA53824B4D7AE2EB035A2B5BBBCCC080E76CDC6D1692C4B0B62D798E6D906",
+		message:      "7E2D58D8B3BCDF1ABADEC7829054F90DDA9805AAB56C77333024B9D0A508B75C",
+		signature:    "5831AAEED7B44BB74E5EAB94BA9D4294C49BCF2A60728D8B4C200F50DD313C1BAB745879A5AD954A72C45A91C3A51D3C7ADEA98D82F8481E0E1E03674A6F3FB7",
 		verifyResult: true,
+		validPubKey:  true,
 	},
 	{
-		secretKey: "0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710",
-		publicKey: "25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517",
-		auxRand: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
-		message: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
-		signature: "7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3",
+		secretKey:    "0B432B2677937381AEF05BB02A66ECD012773062CF3FA2549E44F58ED2401710",
+		publicKey:    "25D1DFF95105F5253C4022F628A996AD3A0D95FBF21D468A1B33F8C160D8F517",
+		auxRand:      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+		message:      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+		signature:    "7EB0509757E246F19449885651611CB965ECC1A187DD51B64FDA1EDC9637D5EC97582B9CB13DB3933705B32BA982AF5AF25FD78881EBB32771FC5922EFC66EA3",
 		verifyResult: true,
+		validPubKey:  true,
 	},
-}
-
-type bip340VerifyTest struct {
-	publicKey string
-	message string
-	signature string
-	verifyResult bool
-}
-
-var bip340VerifyTestVectors = []bip340VerifyTest{
 	{
-		publicKey: "D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9",
-		message: "4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703",
-		signature:"00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4",
+		publicKey:    "D69C3509BB99E412E68B0FE8544E72837DFA30746D8BE2AA65975F29D22DC7B9",
+		message:      "4DF3C3F68FCC83B27E9D42C90431A72499F17875C81A599B566C9889B9696703",
+		signature:    "00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C6376AFB1548AF603B3EB45C9F8207DEE1060CB71C04E80F593060B07D28308D7F4",
 		verifyResult: true,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		publicKey:    "EEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
+		validPubKey:  false,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
+		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
 		verifyResult: false,
+		validPubKey:  true,
 	},
 	{
-		publicKey: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30",
-		message: "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
-		signature:"6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
+		publicKey:    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30",
+		message:      "243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89",
+		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
+		validPubKey:  false,
 	},
 }
 
-
 func TestSchnorrSign(t *testing.T) {
 	for _, test := range bip340TestVectors {
-		d := decodeHex(test.secretKey)
-		privKey, _ := PrivKeyFromBytes(S256(), d)
+		if len(test.secretKey) != 0 {
+			d := decodeHex(test.secretKey)
+			privKey, _ := PrivKeyFromBytes(S256(), d)
 
-		aux := decodeHex(test.auxRand)
-		msg := decodeHex(test.message)
+			aux := decodeHex(test.auxRand)
+			msg := decodeHex(test.message)
 
-		sig, err := privKey.SchnorrSign(msg, aux)
-		if err != nil {
-			t.Fail()
-		}
+			sig, err := privKey.SchnorrSign(msg, aux)
+			if err != nil {
+				t.Fail()
+			}
 
-		if strings.ToUpper(hex.EncodeToString(sig[:])) != test.signature {
-			t.Fail()
-		}
+			if strings.ToUpper(hex.EncodeToString(sig[:])) != test.signature {
+				t.Fail()
+			}
 
-		pubKey := decodeHex(test.publicKey)
+			pubKey := decodeHex(test.publicKey)
 
-		verify, err := schnorrVerify(msg, pubKey, sig[:])
-		if err != nil {
-			t.Fail()
-		}
+			verify, err := schnorrVerify(msg, pubKey, sig[:])
+			if err != nil {
+				t.Fail()
+			}
 
-		if test.verifyResult != verify {
-			t.Fail()
+			if test.verifyResult != verify {
+				t.Fail()
+			}
 		}
 	}
 }
 
 func TestSchnorrVerify(t *testing.T) {
-	for _, test := range bip340VerifyTestVectors {
+	for _, test := range bip340TestVectors {
 		pubKey := decodeHex(test.publicKey)
 
 		msg := decodeHex(test.message)
@@ -175,3 +183,39 @@ func TestSchnorrVerify(t *testing.T) {
 		}
 	}
 }
+
+func TestParseSchnorrPubKey(t *testing.T) {
+	// Test parsing the test vector public keys.
+	for _, test := range bip340TestVectors {
+		_, err := ParseSchnorrPubKey(decodeHex(test.publicKey))
+		if err != nil && test.validPubKey {
+			t.Fail()
+		}
+
+		// If the test has a private key, then test the serialization of the public key.
+		if len(test.secretKey) != 0 {
+			privKey, _ := PrivKeyFromBytes(S256(), decodeHex(test.secretKey))
+			pubKey := privKey.SchnorrPubKey()
+
+			if !bytes.Equal(decodeHex(test.publicKey), pubKey.Serialize()) {
+				t.Fail()
+			}
+		}
+	}
+
+	// Test conversion of a compressed public key to a schnorr public key.
+	{
+		for _, test := range pubKeyTests {
+			key, err := ParseSchnorrPubKey(test.key)
+			if err != nil && test.format == pubkeyCompressed {
+				t.Fail()
+			}
+
+			if key != nil {
+				if len(key.Serialize()) != 32 {
+					t.Fail()
+				}
+			}
+		}
+	}
+}
diff --git a/btcec/signature.go b/btcec/signature.go
index 1fc2ecf9ab..730c16d7fd 100644
--- a/btcec/signature.go
+++ b/btcec/signature.go
@@ -29,7 +29,6 @@ type Signature struct {
 }
 
 var (
-
 	zero = big.NewInt(0)
 
 	// Used in RFC6979 implementation when testing the nonce for correctness

From dc5a02658c066fe2ec5029d30ebae66c1b587d58 Mon Sep 17 00:00:00 2001
From: Philip Glazman <8378656+philipglazman@users.noreply.github.com>
Date: Fri, 18 Dec 2020 10:40:00 -0800
Subject: [PATCH 3/4] Pad coordinates coordinates to 32 bytes. Return better
 errors from schnorrVerify.

---
 btcec/schnorr.go | 42 +++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/btcec/schnorr.go b/btcec/schnorr.go
index b51fc3b6f1..f8e11aedb0 100644
--- a/btcec/schnorr.go
+++ b/btcec/schnorr.go
@@ -144,9 +144,9 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 	// Get a deterministic nonce k.
 	{
 		m := make([]byte, 96)
-		copy(m[:32], t.Bytes())
-		copy(m[32:64], Px.Bytes())
-		copy(m[64:], msg)
+		copy(m[:32], intToBytes(32, t))
+		copy(m[32:64], intToBytes(32, Px))
+		copy(m[64:96], msg)
 
 		// rand = sha256(BIP0340/nonce || (t || P || m))
 		k.SetBytes(taggedHash(BIP340Nonce, m))
@@ -171,9 +171,9 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 	// e = int(hashBIP0340/challenge(R || P || m)) mod n
 	{
 		m := make([]byte, 96)
-		copy(m[:32], Rx.Bytes())
-		copy(m[32:64], Px.Bytes())
-		copy(m[64:], msg)
+		copy(m[:32], intToBytes(32, Rx))
+		copy(m[32:64], intToBytes(32, Px))
+		copy(m[64:96], msg)
 		e.SetBytes(taggedHash(BIP340Challenge, m))
 		e.Mod(e, n)
 	}
@@ -184,12 +184,12 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 	s.Mod(s, n)
 
 	// Signature is (x(R), s).
-	copy(sig[:32], Rx.Bytes())
-	copy(sig[32:], s.Bytes())
+	copy(sig[:32], intToBytes(32, Rx))
+	copy(sig[32:], intToBytes(32, s))
 
 	// Verify signature before returning.
-	if verify, err := schnorrVerify(msg, Px.Bytes(), sig[:]); !verify || err != nil {
-		return sig, errors.New("cannot create signature")
+	if verify, err := schnorrVerify(msg, intToBytes(32, Px), sig[:]); !verify || err != nil {
+		return sig, fmt.Errorf("cannot create signature: %w", err)
 	}
 
 	return sig, nil
@@ -257,7 +257,7 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Check that P is on the curve.
 	if !curve.IsOnCurve(Px, Py) {
-		return false, errors.New("public key is not on the curve")
+		return false, errors.New("point P is not on the curve")
 	}
 
 	r.SetBytes(signature[:32])
@@ -265,19 +265,19 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Fail if s >= n
 	if s.Cmp(n) >= 0 {
-		return false, nil
+		return false, errors.New("s is greater than curve order")
 	}
 
 	// Fail if r >= p
 	if r.Cmp(p) >= 0 {
-		return false, nil
+		return false, errors.New("r is greater than p")
 	}
 
 	// e = sha256(hashBIP0340/challenge || r || P || m) mod n.
 	{
 		m := make([]byte, 96)
 		copy(m[:32], signature[:32])
-		copy(m[32:64], publicKey)
+		copy(m[32:64], publicKey[:])
 		copy(m[64:], msg)
 		e.SetBytes(taggedHash(BIP340Challenge, m))
 		e.Mod(e, n)
@@ -294,17 +294,17 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Fail if R is at infinity.
 	if Rx.Cmp(zero) == 0 || Ry.Cmp(zero) == 0 {
-		return false, nil
+		return false, errors.New("point R is at infinity")
 	}
 
 	// Fail if y(R) is not even
 	if !hasEvenY(Ry) {
-		return false, nil
+		return false, errors.New("coordinate R(y) is not even")
 	}
 
 	// Fail if x(R) != r
 	if Rx.Cmp(r) != 0 {
-		return false, nil
+		return false, errors.New("coordinate R(x) != r")
 	}
 
 	return true, nil
@@ -323,3 +323,11 @@ func taggedHash(tag string, msg []byte) []byte {
 	h := sha256.Sum256(m)
 	return h[:]
 }
+
+// intToBytes accepts an integer and converts it to a byte slice.
+// Zeros are prepended to the byte slice to have a slice len of a given size.
+func intToBytes(size int, src *big.Int) []byte {
+	ret := make([]byte, size)
+	copy(ret[size-len(src.Bytes()):], src.Bytes())
+	return ret
+}

From c56255f97470bedcf93bcfa1cdaa0143c8659136 Mon Sep 17 00:00:00 2001
From: Philip Glazman <8378656+philipglazman@users.noreply.github.com>
Date: Sun, 31 Jan 2021 22:27:56 -0800
Subject: [PATCH 4/4] Use error constants and check for correct error response
 in tests.

---
 btcec/schnorr.go      | 24 +++++++++++++++++-------
 btcec/schnorr_test.go | 19 ++++++++++++++++++-
 2 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/btcec/schnorr.go b/btcec/schnorr.go
index f8e11aedb0..0a77d0eef7 100644
--- a/btcec/schnorr.go
+++ b/btcec/schnorr.go
@@ -24,6 +24,15 @@ const (
 	BIP340Nonce = "07497734a79bcb355b9b8c7d034f121cf434d73ef72dda19870061fb52bfeb2ftag"
 )
 
+var (
+	errCurveOrder       = errors.New("greater than or equal to curve order")
+	errFieldOrder       = errors.New("greater than or equal to field order")
+	errPubKeyNotOnCurve = errors.New("public key is not on the curve")
+	errRyNotEven        = errors.New("coordinate R(y) is not even")
+	errCoordinateAtInf  = errors.New("coordinate at infinity")
+	errRxNotEqual       = errors.New("coordinate R(x) != r")
+)
+
 // SchnorrPublicKey is the x-coordinate of a public key that can be used with schnorr.
 type SchnorrPublicKey struct{ x *big.Int }
 
@@ -202,7 +211,7 @@ func liftX(key []byte) (*big.Int, *big.Int, error) {
 	p := S256().P
 
 	if x.Cmp(p) >= 0 {
-		return nil, nil, errors.New("inf")
+		return nil, nil, errCoordinateAtInf
 	}
 
 	// c = x^3 + 7 mod P.
@@ -242,6 +251,7 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 	// n is the curve order.
 	n := curve.N
 
+	// p is the field order.
 	p := curve.P
 
 	r := new(big.Int)
@@ -257,7 +267,7 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Check that P is on the curve.
 	if !curve.IsOnCurve(Px, Py) {
-		return false, errors.New("point P is not on the curve")
+		return false, errPubKeyNotOnCurve
 	}
 
 	r.SetBytes(signature[:32])
@@ -265,12 +275,12 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Fail if s >= n
 	if s.Cmp(n) >= 0 {
-		return false, errors.New("s is greater than curve order")
+		return false, errCurveOrder
 	}
 
 	// Fail if r >= p
 	if r.Cmp(p) >= 0 {
-		return false, errors.New("r is greater than p")
+		return false, errFieldOrder
 	}
 
 	// e = sha256(hashBIP0340/challenge || r || P || m) mod n.
@@ -294,17 +304,17 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Fail if R is at infinity.
 	if Rx.Cmp(zero) == 0 || Ry.Cmp(zero) == 0 {
-		return false, errors.New("point R is at infinity")
+		return false, errCoordinateAtInf
 	}
 
 	// Fail if y(R) is not even
 	if !hasEvenY(Ry) {
-		return false, errors.New("coordinate R(y) is not even")
+		return false, errRyNotEven
 	}
 
 	// Fail if x(R) != r
 	if Rx.Cmp(r) != 0 {
-		return false, errors.New("coordinate R(x) != r")
+		return false, errRxNotEqual
 	}
 
 	return true, nil
diff --git a/btcec/schnorr_test.go b/btcec/schnorr_test.go
index e3ab454fbe..b5c8aa4d62 100644
--- a/btcec/schnorr_test.go
+++ b/btcec/schnorr_test.go
@@ -15,6 +15,7 @@ type bip340Test struct {
 	signature    string
 	verifyResult bool
 	validPubKey  bool
+	expectErr    error
 }
 
 var bip340TestVectors = []bip340Test{
@@ -67,6 +68,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
 		validPubKey:  false,
+		expectErr:    errPubKeyNotOnCurve,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -74,6 +76,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A14602975563CC27944640AC607CD107AE10923D9EF7A73C643E166BE5EBEAFA34B1AC553E2",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errRyNotEven,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -81,6 +84,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "1FA62E331EDBC21C394792D2AB1100A7B432B013DF3F6FF4F99FCB33E0E1515F28890B3EDB6E7189B630448B515CE4F8622A954CFE545735AAEA5134FCCDB2BD",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errRyNotEven,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -88,6 +92,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769961764B3AA9B2FFCB6EF947B6887A226E8D7C93E00C5ED0C1834FF0D0C2E6DA6",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errRxNotEqual,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -95,6 +100,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "0000000000000000000000000000000000000000000000000000000000000000123DDA8328AF9C23A94C1FEECFD123BA4FB73476F0D594DCB65C6425BD186051",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errCoordinateAtInf,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -102,6 +108,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "00000000000000000000000000000000000000000000000000000000000000017615FBAF5AE28864013C099742DEADB4DBA87F11AC6754F93780D5A1837CF197",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errCoordinateAtInf,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -109,6 +116,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "4A298DACAE57395A15D0795DDBFD1DCB564DA82B0F269BC70A74F8220429BA1D69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errRxNotEqual,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -116,6 +124,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F69E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errFieldOrder,
 	},
 	{
 		publicKey:    "DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659",
@@ -123,6 +132,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E177769FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
 		verifyResult: false,
 		validPubKey:  true,
+		expectErr:    errCurveOrder,
 	},
 	{
 		publicKey:    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC30",
@@ -130,6 +140,7 @@ var bip340TestVectors = []bip340Test{
 		signature:    "6CFF5C3BA86C69EA4B7376F31A9BCB4F74C1976089B2D9963DA2E5543E17776969E89B4C5564D00349106B8497785DD7D1D713A8AE82B32FA79D5F7FC407D39B",
 		verifyResult: false,
 		validPubKey:  false,
+		expectErr:    errCoordinateAtInf,
 	},
 }
 
@@ -148,7 +159,7 @@ func TestSchnorrSign(t *testing.T) {
 			}
 
 			if strings.ToUpper(hex.EncodeToString(sig[:])) != test.signature {
-				t.Fail()
+				t.Fatalf("got signature %x : want %s", sig[:], test.signature)
 			}
 
 			pubKey := decodeHex(test.publicKey)
@@ -181,6 +192,12 @@ func TestSchnorrVerify(t *testing.T) {
 		if test.verifyResult != verify {
 			t.Fail()
 		}
+
+		if !test.verifyResult && test.expectErr != nil {
+			if err != test.expectErr {
+				t.Fatalf("expect error %v : got %v", test.expectErr, err)
+			}
+		}
 	}
 }