Draft reply (to be continued)

These bip340_test_vectors are used in two places: the unit tests (src/test/key_tests.cpp) and the functional tests (test/functional/test_framework/key.py).

There are 15 test cases in total but only 4 distinct secret keys, 7 distinct public keys (3 of them don't have secret keys) but 15 distinct signatures.

The public key DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659 is reused 9 times, for example, but the distinct signatures are generated using different messages, auxiliary randomness, etc.

The first 5 test cases have valid signatures (a verification result of TRUE), although the fourth test case (index = 3) has a comment of "test fails if msg is reduced modulo p or n" (I am unsure what this means).

That leaves the remaining test cases that fail the signature verification:

Index 5 has a public key that's not on the secp256k1 curve y^2 = x^3 + 7 (mod P), where P = 2^256 - 2^32 - 977, that Bitcoin uses. This elliptic curve is the same for Schnorr as it is for ECDSA. The public key is calculated by multiplying the private key by the generator point and so it must be on the elliptic curve. If it isn't, it is not possible to generate a valid signature. Indeed, the secret key is not provided for this public key as there is no secret key that can be multiplied with the generator point to get the public key.

Index 6 is referring to the BIP 340 design choice to implicitly choose the Y coordinate that is even (each valid X coordinate has two possible Y coordinates, one that is odd and one that is even). If the Y coordinate is odd then it is not following the BIP 340 specification and the signature verification should fail.

Index 7 has a negated message (Schnorr signature algorithm can't sign a negated message?)

Index 8 has a negated s value (negative signature?)

Index 14 has a public key with an x coordinate that exceeds the field size (P = 2^256 - 2^32 - 977). This is not possible under mod P so no valid signature is possible here.
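The public-key checks behind indices 5, 6 and 14, as an added example that is not part of the original post and is not Bitcoin Core's code. `lift_x` follows the BIP 340 definition; `classify`, `first_off_curve_x` and `both_ys` are hypothetical helpers, and every input other than the public key quoted above is constructed.

```python
# Added illustration, not Bitcoin Core's code; lift_x follows the BIP 340 definition.
P = 2**256 - 2**32 - 977  # secp256k1 field size, as given in the post

# Public key quoted in the post (an x-only key: just the X coordinate).
PAGE_PUBKEY = int("DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659", 16)

def lift_x(x):
    """Return (x, y) with even y, or None if x is not a valid x-only public key."""
    if x >= P:                   # index 14: X coordinate exceeds the field size
        return None
    c = (pow(x, 3, P) + 7) % P   # right-hand side of y^2 = x^3 + 7 (mod P)
    y = pow(c, (P + 1) // 4, P)  # square-root candidate, valid because P % 4 == 3
    if pow(y, 2, P) != c:        # index 5: c has no square root, x is off the curve
        return None
    return (x, y if y % 2 == 0 else P - y)  # index 6: keep the even Y

def classify(x):
    """Name the reason an x-only key is rejected (hypothetical helper)."""
    if x >= P:
        return "exceeds field size"
    return "valid" if lift_x(x) is not None else "not on curve"

def first_off_curve_x():
    """Smallest x with no matching y; a constructed sample, not a test vector."""
    x = 0
    while lift_x(x) is not None:
        x += 1
    return x

def both_ys(x):
    """The two Y candidates for a valid x: (even, odd)."""
    _, y = lift_x(x)
    return y, P - y

if __name__ == "__main__":
    for label, x in [("key from the post", PAGE_PUBKEY),
                     ("constructed off-curve x", first_off_curve_x()),
                     ("constructed x = P + 1", P + 1),
                     ("P + 1 reduced mod P", (P + 1) % P)]:
        print(f"{label}: {classify(x)}")
    even_y, odd_y = both_ys(PAGE_PUBKEY)
    print("even Y:", hex(even_y), "odd Y:", hex(odd_y))
```

The constructed value P + 1 reduces to 1 mod P, which is a valid X coordinate, so it is the explicit `x >= P` range check that rejects it rather than the curve equation.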
