@tnakagawa
Forked from kallewoof/test_vectors.md
Created March 6, 2018 00:06
Test vectors, Schnorr signatures

Schnorr signature test vectors

Test vector overview

  1. Hash function H(m) = SHA256(SHA256(m))
  2. Hash function H(m) = SHA256(m)

Basics

  • For a private key x, the public key is xG.
  • A signature on the message m with private key x is (R, s) where R=kG, s=k+H(R,X,m)x.
  • Verifying a signature is testing whether sG = R+H(R,X,m)X.

Gotchas

  • Point operations (arithmetic on point coordinates) are done modulo the field prime p, but the Schnorr scalar arithmetic is done modulo the group order n (https://en.bitcoin.it/wiki/Secp256k1). In these vectors this matters only when computing s in the signature part, which is reduced modulo n.

Test vector 1

The hash function here is double SHA256, aka SHA256(SHA256(m)).

Given (as big endian (hash style) 256 bit numbers):

  • x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6, a private key
  • k = 2b919415ad9383f4ab49c708c164efe3e1be09e639e2e296710f767644529ccb, an ephemeral random value (supposed to change for every signature)
  • m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a, the message being signed, aka the sighash

Signature part

Input: m (message), x (privkey)

Output: (R, s) (signature)

  • pubkey X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69) = (serialized) = 03d378a4e807b0b4d5cf059cb1cc6b3c4d4a7c6511cd441dc54db8de201e2a037f
  • ephemeral random nonce k = 2b919415ad9383f4ab49c708c164efe3e1be09e639e2e296710f767644529ccb
  • R (point) = kG = (8d8cc637f2394ebe4cfd7aaaa736f305c28ce939139bced9b9ba25acda75bd6d , 23212f4d2754bba6df5cdfea3c9fb4188de69f06de30f35c5676b58429aebba8)
  • R (serialized) = 026dbd75daac25bab9d9ce9b1339e98cc205f336a7aa7afd4cbe4e39f237c68c8d
  • H(R,X,m) = bf3b6fa52e65462a97ba91f0e83c9d411f0c7974b24afa58bc7dff39bda47f59
  • s = k + H(R,X,m)*x = 79754f88c825acf9d49255aa006b84395d2778c4a39107336f6434d95049046b (NOTE: modulo n here)
  • (R, s) = ((8d8cc637f2394ebe4cfd7aaaa736f305c28ce939139bced9b9ba25acda75bd6d , 23212f4d2754bba6df5cdfea3c9fb4188de69f06de30f35c5676b58429aebba8), 79754f88c825acf9d49255aa006b84395d2778c4a39107336f6434d95049046b)

Verification part

Input: m (message), (R, s) (signature), X (pubkey)

Output: true or false

  • sG = (5b73b516eb93548aeb77a12d7569f86323e088d44525caa0c5f5d60982b54b7b , 83c9712a1b84c2a21be6e32082f154b10947f1d83fba1174272fb33708569307)
  • R (point) + H(R (serialized),X,m)X = (5b73b516eb93548aeb77a12d7569f86323e088d44525caa0c5f5d60982b54b7b , 83c9712a1b84c2a21be6e32082f154b10947f1d83fba1174272fb33708569307)
  • Equality check sG = R + H(R,X,m)X: true

Test vector 2

The hash function here is single SHA256, aka SHA256(m).

Given (as big endian (hash style) 256 bit numbers):

  • x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6, a private key
  • k = a053d85c799ff2763d50d67400e362398ec56f5ce94d801ff85c5f0dcc82a8a2, an ephemeral random value (supposed to change for every signature)
  • m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a, the message being signed, aka the sighash

Signature part

Input: m (message), x (privkey)

Output: (R, s) (signature)

  • pubkey X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69) = (serialized) = 03d378a4e807b0b4d5cf059cb1cc6b3c4d4a7c6511cd441dc54db8de201e2a037f
  • ephemeral random nonce k = 8a4290fe60d9632e8ef618086b7745266249c2ae26ba84330f1becbeac055b55
  • R (point) = kG = (ca814e114e1b5b6cdcfd36fe6ddc3b3340a897be8f1a32c01edcd3bd6d97c82d , a501451ddc052e8c15700630069c26ddf68f56958b2464283c17f8fca1388a89)
  • R (serialized) = 032dc8976dbdd3dc1ec0321a8fbe97a840333bdc6dfe36fddc6c5b1b4e114e81ca
  • H(R,X,m) = 8a4290fe60d9632e8ef618086b7745266249c2ae26ba84330f1becbeac055b55
  • s = k + H(R,X,m)*x = 51809959afd7371a892905c9d5b67bd4435ca06b59e0a48bfc42184cf9727668 (NOTE: modulo n here)
  • (R, s) = ((ca814e114e1b5b6cdcfd36fe6ddc3b3340a897be8f1a32c01edcd3bd6d97c82d , a501451ddc052e8c15700630069c26ddf68f56958b2464283c17f8fca1388a89), 51809959afd7371a892905c9d5b67bd4435ca06b59e0a48bfc42184cf9727668)

Verification part

Input: m (message), (R, s) (signature), X (pubkey)

Output: true or false

  • sG = (1187131d9b8cff93825a92ce2b965db8594ab7d330389b2ebd68ceab84215efd , e887884c35aedbb775f474a1d1d245f82a3343ffa268677ef1d4564a37296098)
  • R (point) + H(R (serialized),X,m)X = (1187131d9b8cff93825a92ce2b965db8594ab7d330389b2ebd68ceab84215efd , e887884c35aedbb775f474a1d1d245f82a3343ffa268677ef1d4564a37296098)
  • Equality check sG = R + H(R,X,m)X: true