bitcoin core development – I am digging further into the open Taproot PR. Can you explain the BIP340 test vectors?



These bip340_test_vectors are used in two places: the unit tests (src/test/key_tests.cpp) and the functional tests (test/functional/test_framework/key.py).

The Python code for testing the bip340_test_vectors is here.

There are 15 test cases in total but only 4 distinct secret keys, 7 distinct public keys (3 of them don't have secret keys) and 15 distinct signatures.

The public key DFF1D77F2A671C5F36183726DB2341BE58FEAE1DA2DECED843240F7B502BA659 is reused 9 times for example but the distinct signatures are generated using different messages, auxiliary randomness etc.

The first 5 test cases have valid signatures (a verification result of TRUE) although the fourth test case (index = 3) has a comment of "test fails if msg is reduced modulo p or n" (I'm not sure what this means).

That leaves the remaining test cases that fail the signature verification:

(image: bip340_test_vectors table)
The elliptic curve that BIP 340 signatures are defined upon is secp256k1 (the same curve that we use for ECDSA) which is:

y^2 = x^3 + 7 (mod p)

where the field size p = 2^256 – 2^32 – 977 or

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F in hex and is prime.

The generator point G (on the curve) that we use is (Gx, Gy) where

Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798

Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

The curve order of secp256k1 is:

n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

(The curve order n is such that nG = point at infinity. Every n times we cycle back to the point at infinity. The point at infinity is defined here. It isn't on the curve and is defined by (x,y) + (x,-y) = infinity.)

The public key P (point) associated with a secret (private) key is calculated using:

P = d (mod n).G

where d is the private key (scalar) and G is the generator point (point).

A BIP 340 Schnorr signature is a 64 byte array (Rx, s).

The first 32 bytes is the X coordinate of R.

R = k'⋅G

R is a point (Rx, Ry)

k' is randomness (mod n) as specified by BIP 340

G is the generator point defined earlier

The second 32 bytes is the s that satisfies:

s⋅G = R + H(r | pk | m)⋅P (mod n)

This can be written as s.G = R + e.P where e = H(r | pk | m)

Or alternatively s = k' + e.d where d is the private key (scalar).

G is the generator point defined earlier (point)

R is calculated earlier (point)

H is the hash function (function)

r is the X coordinate of R, Rx (scalar)

pk is the X coordinate of the public key P, Px (scalar)

m is the message (scalar). The message in Bitcoin's case is the part of the Bitcoin transaction that needs to be signed according to the SIGHASH flag.

P is the public key (point)

Index 5 has a public key that is not on the secp256k1 curve that Bitcoin uses. The public key is calculated by multiplying the private key (scalar) by the generator point and so it must be on the elliptic curve. If it isn't, it isn't possible to generate a valid signature. Indeed the secret key is not provided for this public key as there is no secret key that can multiply with the generator point to get the public key.

Index 6 is referring to the BIP 340 design choice to implicitly choose the Y coordinate that is even (every valid X coordinate has two possible Y coordinates, one that is odd and one that is even). If the Y coordinate is odd then it isn't following the BIP 340 specification and the signature verification should fail.

Index 7 uses a negated message to verify a signature of an original message. Negated means taking the complement with the group order n. The signature won't be valid if you verify it using the negated message rather than the actual message used in the signature.

-m = n-m (mod n)

Obviously there are no actual "negative" numbers in the ring of integers (mod n).

Index 8 has a negated s value. See Index 7 for the definition of negated. If you validate with a negated s rather than the initial s the signature validation will fail.

Index 9 states R = sG - eP is infinite and that the test fails if has_even_y(inf) is TRUE and x(inf)=0. The point at infinity is not on the curve and has no coordinates at all, but implementations need a representation of it. If an implementation uses (0,0) as the point at infinity then this test will fail if has_even_y returns TRUE (which it shouldn't) and x(inf) returns 0.

Index 10 states R = sG - eP is infinite.

Index 11 states sig[0:32] is not an X coordinate on the curve. If the first 32 bytes of the BIP 340 Schnorr signature is not an X coordinate on the elliptic curve then this is not a valid signature.

Index 12 also refers to the first 32 bytes of the signature. But this time the 32 bytes are equal to the field size of the curve p. This is not possible under mod p (all values must be between 0 and p-1) so no valid signature is possible here.

Index 13 refers to the second 32 bytes of the 64 byte signature. s can't be equal to the curve order n because it is defined mod n which means it can only take a value between 0 and n-1.

Index 14 has a public key with an X coordinate that exceeds the field size (p = 2^256 – 2^32 – 977). This is not possible under mod p (all values must be between 0 and p-1) so no valid signature is possible here.

(Jimmy Song's Chapter 3 on Elliptic Curve Cryptography of his book Programming Bitcoin is helpful for explaining the secp256k1 curve. It was published before BIP 340 was finalized and so only covers ECDSA signatures, not Schnorr signatures. For an introduction to Schnorr signatures see Elichai Turkel's presentation at Chaincode Labs or this London BitDevs Socratic Seminar on BIP 340.)

Thanks to Pieter Wuille and Jonas Nick for suggested edits on the initial post.
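The following is an added example, not code from the answer above or from Bitcoin Core's test framework: a minimal BIP 340 verifier over secp256k1 (with the constants quoted in the answer) whose early returns are labelled with the failing test-vector classes the answer walks through. It signs a constructed key and message (the seed 1234567, the message bytes and the zero aux randomness are all made up for illustration) and then exercises the failure modes: negated message (index 7), negated s (index 8), r equal to p (index 12), s equal to n (index 13), a public key X coordinate at or above p (index 14), an X coordinate that is not on the curve (indexes 5 and 11), and the has_even_y(infinity) pitfall from index 9. The helper names (lift_x, tagged_hash, has_even_y) follow the BIP 340 pseudocode but the implementation is my own.

```python
import hashlib

# secp256k1 constants as quoted in the answer.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# The point at infinity is represented as None: it has no coordinates, so
# x(inf) is undefined and has_even_y(inf) is False (the index 9/10 pitfall).
def point_add(P1, P2):
    if P1 is None: return P2
    if P2 is None: return P1
    if P1[0] == P2[0] and P1[1] != P2[1]:
        return None                                   # (x, y) + (x, -y) = inf
    if P1 == P2:
        lam = 3 * P1[0] * P1[0] * pow(2 * P1[1], p - 2, p) % p
    else:
        lam = (P2[1] - P1[1]) * pow(P2[0] - P1[0], p - 2, p) % p
    x3 = (lam * lam - P1[0] - P2[0]) % p
    return (x3, (lam * (P1[0] - x3) - P1[1]) % p)

def point_mul(P, k):
    """Double-and-add scalar multiplication k*P (k < 2^256)."""
    R = None
    for i in range(256):
        if (k >> i) & 1:
            R = point_add(R, P)
        P = point_add(P, P)
    return R

def has_even_y(P):
    return P is not None and P[1] % 2 == 0

def lift_x(x):
    """Point with X coordinate x and even Y, or None if x >= p or off-curve."""
    if x >= p: return None
    y_sq = (pow(x, 3, p) + 7) % p
    y = pow(y_sq, (p + 1) // 4, p)                    # square root, as p % 4 == 3
    if y * y % p != y_sq: return None                 # x^3 + 7 is not a square
    return (x, y if y % 2 == 0 else p - y)

def tagged_hash(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def b32(i):
    return i.to_bytes(32, 'big')

def negate_mod_n(x):
    """The answer's 'negated' value: -x = n - x (mod n)."""
    return (n - x) % n

def schnorr_sign(seckey, msg, aux):
    """BIP 340 signing: (Rx, s) with s = k' + e*d (mod n)."""
    d = int.from_bytes(seckey, 'big')
    P = point_mul(G, d)
    if not has_even_y(P): d = n - d                   # secret for the even-Y key
    t = b32(d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), 'big'))
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + b32(P[0]) + msg), 'big') % n
    R = point_mul(G, k)
    if not has_even_y(R): k = n - k                   # nonce for the even-Y R
    e = int.from_bytes(tagged_hash("BIP0340/challenge", b32(R[0]) + b32(P[0]) + msg), 'big') % n
    return b32(R[0]) + b32((k + e * d) % n)

def schnorr_verify(pubkey, msg, sig):
    """BIP 340 verification; each early return maps to a failing vector class."""
    if len(pubkey) != 32 or len(sig) != 64: return False
    P = lift_x(int.from_bytes(pubkey, 'big'))         # index 5 (off-curve), 14 (x >= p)
    r = int.from_bytes(sig[:32], 'big')
    s = int.from_bytes(sig[32:], 'big')
    if P is None or r >= p or s >= n: return False    # index 12 (r == p), 13 (s == n)
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), 'big') % n
    R = point_add(point_mul(G, s), point_mul(P, n - e))   # R = sG - eP
    # index 9/10 (R infinite), index 6 (odd Y) and index 11 (r != x(R)) fail here
    return R is not None and has_even_y(R) and R[0] == r

def run_checks():
    """Constructed key and message (not BIP 340 vectors); returns verify results."""
    seckey = b32(1234567)                             # constructed, illustrative
    msg = hashlib.sha256(b"constructed message").digest()
    pubkey = b32(point_mul(G, 1234567)[0])            # x-only public key
    sig = schnorr_sign(seckey, msg, bytes(32))
    r, s = sig[:32], int.from_bytes(sig[32:], 'big')
    off_curve_x = next(x for x in range(1, 1000) if lift_x(x) is None)
    return {
        "valid": schnorr_verify(pubkey, msg, sig),
        "negated_msg": schnorr_verify(pubkey, b32(negate_mod_n(int.from_bytes(msg, 'big'))), sig),
        "negated_s": schnorr_verify(pubkey, msg, r + b32(negate_mod_n(s))),
        "r_equals_p": schnorr_verify(pubkey, msg, b32(p) + sig[32:]),
        "s_equals_n": schnorr_verify(pubkey, msg, r + b32(n)),
        "pubkey_x_ge_p": schnorr_verify(b32(p), msg, sig),
        "pubkey_off_curve": schnorr_verify(b32(off_curve_x), msg, sig),
        "r_off_curve": schnorr_verify(pubkey, msg, b32(off_curve_x) + sig[32:]),
        "infinity_has_even_y": has_even_y(None),
    }
```

Running run_checks() returns True only for "valid"; every other entry is False. Representing infinity as None rather than (0,0) is what keeps the index 9 case honest: x(inf) cannot be read at all and has_even_y(inf) is False by construction, so a signature whose R = sG - eP lands on infinity can never be accepted.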
