kallewoof/test_vectors.md

## test_vectors.md

      
    Raw
  

              test_vectors.md
            
          
    Schnorr signature test vectors

Test vector overview


Hash function H(m) = SHA256(m)

Basics


For a private key x, the public key is xG.
A signature on the message m with private key x is (R, s) where R=kG, s=k+H(R,X,m)x.
Verifying a signature is testing whether sG = R+H(R,X,m)X.

Gotchas


When doing the point operations, the modulo operation uses p, but the Schnorr operations use n  (https://en.bitcoin.it/wiki/Secp256k1); this applies only to the creation of s in the signature part (which uses n).

Test vector 1

The hash function here is single SHA256, aka SHA256(m).
Given (as big endian (hash style) 256 bit numbers):

x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6, a private key
k = 6dfb9c259dc3b79f03470418af01cb1e064692dacc353f0f656cad0bfec583a7, an ephemeral random value (supposed to change for every signature)
m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a, the message being signed, aka the sighash

Signature part

Input: m (message), x (privkey)
Output: (R, s) (signature)

pubkey X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69) = (serialized) = 037f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3
ephemeral random nonce k = 6dfb9c259dc3b79f03470418af01cb1e064692dacc353f0f656cad0bfec583a7
R (point) = kG = (83b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc , ef1f1211e51938e79f9c0b6929f1da6feba68f2dd48db68adc4539f39d9fa52e)
R (serialized) = 0283b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc
`H(R,X,m) = 64821fe9a06c9daa280f7ac4182e82e18b6e0fba1eefb8620a434289aaee9560
s = k + H(R,X,m)*x = 154f020e7841eab3507bf3bb1b0b2cdc4e0ee413c380098096128171c26c2ee0
(R, s) = ((83b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc , ef1f1211e51938e79f9c0b6929f1da6feba68f2dd48db68adc4539f39d9fa52e), 154f020e7841eab3507bf3bb1b0b2cdc4e0ee413c380098096128171c26c2ee0)

Verification part

Input: m (message), (R, s) (signature), X (pubkey)
Output: true or false

sG = 03cc83cf2ae222fb66ece196534d6608fba8ee0faef867e0f94ab7ecb225b44e4f
R (point) + H(R (serialized),X,m)X = 03cc83cf2ae222fb66ece196534d6608fba8ee0faef867e0f94ab7ecb225b44e4f
Equality check sG = R + H(R,X,m)X: true