- Hash function
H(m) = SHA256(SHA256(m))
- Hash function
H(m) = SHA256(m)
- For a private key
x
, the public key isxG
. - A signature on the message
m
with private keyx
is(R, s)
whereR=kG
,s=k+H(R,X,m)x
. - Verifying a signature is testing whether
sG
=R+H(R,X,m)X
.
- When doing the point operations, the modulo operation uses
p
, but the Schnorr operations usen
(https://en.bitcoin.it/wiki/Secp256k1); this applies only to the creation ofs
in the signature part (which usesn
).
The hash function here is double SHA256, aka SHA256(SHA256(m))
.
Given (as big endian (hash style) 256 bit numbers):
x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6
, a private keyk = 2b919415ad9383f4ab49c708c164efe3e1be09e639e2e296710f767644529ccb
, an ephemeral random value (supposed to change for every signature)m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a
, the message being signed, aka the sighash
Input: m
(message), x
(privkey)
Output: (R, s)
(signature)
- pubkey
X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69)
= (serialized) =03d378a4e807b0b4d5cf059cb1cc6b3c4d4a7c6511cd441dc54db8de201e2a037f
- ephemeral random nonce
k = 2b919415ad9383f4ab49c708c164efe3e1be09e639e2e296710f767644529ccb
R
(point) =kG
=(8d8cc637f2394ebe4cfd7aaaa736f305c28ce939139bced9b9ba25acda75bd6d , 23212f4d2754bba6df5cdfea3c9fb4188de69f06de30f35c5676b58429aebba8)
R
(serialized) =026dbd75daac25bab9d9ce9b1339e98cc205f336a7aa7afd4cbe4e39f237c68c8d
H(R,X,m) = bf3b6fa52e65462a97ba91f0e83c9d411f0c7974b24afa58bc7dff39bda47f59
s = k + H(R,X,m)*x = 79754f88c825acf9d49255aa006b84395d2778c4a39107336f6434d95049046b
(NOTE: modulon
here)(R, s) = ((8d8cc637f2394ebe4cfd7aaaa736f305c28ce939139bced9b9ba25acda75bd6d , 23212f4d2754bba6df5cdfea3c9fb4188de69f06de30f35c5676b58429aebba8), 79754f88c825acf9d49255aa006b84395d2778c4a39107336f6434d95049046b)
Input: m
(message), (R, s)
(signature), X
(pubkey)
Output: true
or false
sG = (5b73b516eb93548aeb77a12d7569f86323e088d44525caa0c5f5d60982b54b7b , 83c9712a1b84c2a21be6e32082f154b10947f1d83fba1174272fb33708569307)
R
(point)+ H(R
(serialized),X,m)X = (5b73b516eb93548aeb77a12d7569f86323e088d44525caa0c5f5d60982b54b7b , 83c9712a1b84c2a21be6e32082f154b10947f1d83fba1174272fb33708569307)
- Equality check
sG = R + H(R,X,m)X
:true
The hash function here is single SHA256, aka SHA256(m)
.
Given (as big endian (hash style) 256 bit numbers):
x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6
, a private keyk = a053d85c799ff2763d50d67400e362398ec56f5ce94d801ff85c5f0dcc82a8a2
, an ephemeral random value (supposed to change for every signature)m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a
, the message being signed, aka the sighash
Input: m
(message), x
(privkey)
Output: (R, s)
(signature)
- pubkey
X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69)
= (serialized) =03d378a4e807b0b4d5cf059cb1cc6b3c4d4a7c6511cd441dc54db8de201e2a037f
- ephemeral random nonce
k = 8a4290fe60d9632e8ef618086b7745266249c2ae26ba84330f1becbeac055b55
R
(point) =kG
=(ca814e114e1b5b6cdcfd36fe6ddc3b3340a897be8f1a32c01edcd3bd6d97c82d , a501451ddc052e8c15700630069c26ddf68f56958b2464283c17f8fca1388a89)
R
(serialized) =032dc8976dbdd3dc1ec0321a8fbe97a840333bdc6dfe36fddc6c5b1b4e114e81ca
H(R,X,m) = 8a4290fe60d9632e8ef618086b7745266249c2ae26ba84330f1becbeac055b55
s = k + H(R,X,m)*x = 51809959afd7371a892905c9d5b67bd4435ca06b59e0a48bfc42184cf9727668
(NOTE: modulon
here)(R, s) = ((ca814e114e1b5b6cdcfd36fe6ddc3b3340a897be8f1a32c01edcd3bd6d97c82d , a501451ddc052e8c15700630069c26ddf68f56958b2464283c17f8fca1388a89), 51809959afd7371a892905c9d5b67bd4435ca06b59e0a48bfc42184cf9727668)
Input: m
(message), (R, s)
(signature), X
(pubkey)
Output: true
or false
sG = (1187131d9b8cff93825a92ce2b965db8594ab7d330389b2ebd68ceab84215efd , e887884c35aedbb775f474a1d1d245f82a3343ffa268677ef1d4564a37296098)
R
(point)+ H(R
(serialized),X,m)X = (1187131d9b8cff93825a92ce2b965db8594ab7d330389b2ebd68ceab84215efd , e887884c35aedbb775f474a1d1d245f82a3343ffa268677ef1d4564a37296098)
- Equality check
sG = R + H(R,X,m)X
:true