Test vectors, Schnorr signatures

test_vectors.md

Schnorr signature test vectors

Test vector overview

1. Hash function H(m) = SHA256(m)

Basics

• For a private key x, the public key is xG.
• A signature on the message m with private key x is (R, s) where R=kG, s=k+H(R,X,m)x.
• Verifying a signature is testing whether sG = R+H(R,X,m)X.

Gotchas

• When doing the point operations, the modulo operation uses p, but the Schnorr operations use n (https://en.bitcoin.it/wiki/Secp256k1); this applies only to the creation of s in the signature part (which uses n).

Test vector 1

The hash function here is single SHA256, aka SHA256(m).

Given (as big endian (hash style) 256 bit numbers):

• x = bed123a21c0e50b003d302e83e755a444cbd436dfc4ea6635696c49499e47da6, a private key
• k = 6dfb9c259dc3b79f03470418af01cb1e064692dacc353f0f656cad0bfec583a7, an ephemeral random value (supposed to change for every signature)
• m = 21fbd20b359eee7bfea88e837108be44a1a421e33a05a45bc832d3e1a7aa713a, the message being signed, aka the sighash

Signature part

Input: m (message), x (privkey)

Output: (R, s) (signature)

• pubkey X = (7f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3 , 56e3dcb493aa83b590954d6c33cdfd20ef4b083d33b051efda091486035a4a69) = (serialized) = 037f032a1e20deb84dc51d44cd11657c4a4d3c6bccb19c05cfd5b4b007e8a478d3
• ephemeral random nonce k = 6dfb9c259dc3b79f03470418af01cb1e064692dacc353f0f656cad0bfec583a7
• R (point) = kG = (83b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc , ef1f1211e51938e79f9c0b6929f1da6feba68f2dd48db68adc4539f39d9fa52e)
• R (serialized) = 0283b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc
• `H(R,X,m) = 64821fe9a06c9daa280f7ac4182e82e18b6e0fba1eefb8620a434289aaee9560
• s = k + H(R,X,m)*x = 154f020e7841eab3507bf3bb1b0b2cdc4e0ee413c380098096128171c26c2ee0
• (R, s) = ((83b62cb5324d37f5ad971ce99fda0d8e2a922407df6fa9b73dea4835b7fdb1dc , ef1f1211e51938e79f9c0b6929f1da6feba68f2dd48db68adc4539f39d9fa52e), 154f020e7841eab3507bf3bb1b0b2cdc4e0ee413c380098096128171c26c2ee0)

Verification part

Input: m (message), (R, s) (signature), X (pubkey)

Output: true or false

• sG = 03cc83cf2ae222fb66ece196534d6608fba8ee0faef867e0f94ab7ecb225b44e4f
• R (point) + H(R (serialized),X,m)X = 03cc83cf2ae222fb66ece196534d6608fba8ee0faef867e0f94ab7ecb225b44e4f
• Equality check sG = R + H(R,X,m)X: true