Skip to content

Instantly share code, notes, and snippets.

Last active April 18, 2022 14:51
Show Gist options
  • Save kallewoof/5d623445802a84f17cc7ff5572109074 to your computer and use it in GitHub Desktop.
Save kallewoof/5d623445802a84f17cc7ff5572109074 to your computer and use it in GitHub Desktop.
Test vectors, Schnorr signatures

Schnorr signature test vectors

Test vector overview

  1. Hash function H(m) = SHA256(m)


  • For a private key x, the public key is xG.
  • A signature on the message m with private key x is (R, s) where R=kG, s=k+H(R,X,m)x.
  • Verifying a signature is testing whether sG = R+H(R,X,m)X.


  • When doing the point operations, the modulo operation uses p, but the Schnorr operations use n (; this applies only to the creation of s in the signature part (which uses n).

Test vector 1

The hash function here is single SHA256, aka SHA256(m).

Given (as big endian (hash style) 256 bit numbers):

  • x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6, a private key
  • k = 6dfb9c259dc3b79f03470418af01cb1e064692dacc353f0f656cad0bfec583a7, an ephemeral random value (supposed to change for every signature)
  • m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a, the message being signed, aka the sighash

Signature part

Input: m (message), x (privkey)

Output: (R, s) (signature)

  • pubkey X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69) = (serialized) = 037f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3
  • ephemeral random nonce k = 6dfb9c259dc3b79f03470418af01cb1e064692dacc353f0f656cad0bfec583a7
  • R (point) = kG = (83b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc , ef1f1211e51938e79f9c0b6929f1da6feba68f2dd48db68adc4539f39d9fa52e)
  • R (serialized) = 0283b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc
  • `H(R,X,m) = 64821fe9a06c9daa280f7ac4182e82e18b6e0fba1eefb8620a434289aaee9560
  • s = k + H(R,X,m)*x = 154f020e7841eab3507bf3bb1b0b2cdc4e0ee413c380098096128171c26c2ee0
  • (R, s) = ((83b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc , ef1f1211e51938e79f9c0b6929f1da6feba68f2dd48db68adc4539f39d9fa52e), 154f020e7841eab3507bf3bb1b0b2cdc4e0ee413c380098096128171c26c2ee0)

Verification part

Input: m (message), (R, s) (signature), X (pubkey)

Output: true or false

  • sG = 03cc83cf2ae222fb66ece196534d6608fba8ee0faef867e0f94ab7ecb225b44e4f
  • R (point) + H(R (serialized),X,m)X = 03cc83cf2ae222fb66ece196534d6608fba8ee0faef867e0f94ab7ecb225b44e4f
  • Equality check sG = R + H(R,X,m)X: true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment