1# Test vectors for short (zero-padded) values of s.
2
3# S is the maximum length.
4Curve = P-256
5Digest = SHA256
6Msg = ""
7Q = 0430345fd47ea21a11129be651b0884bfac698377611acc9f689458e13b9ed7d4b9d7599a68dcf125e7f31055ccb374cd04f6d6fd2b217438a63f6f667d50ef2f0
8Sig = 341f6779b75e98bb42e01095dd48356cbf9002dc704ac8bd2a8240b88d3796c6555843b1b4e264fe6ffe6e2b705a376c05c09404303ffe5d2711f3e3b3a010a1
9Result = P (0 )
10
11# S is one byte shorter than the maximum length.
12Curve = P-256
13Digest = SHA256
14Msg = ""
15Q = 0430345fd47ea21a11129be651b0884bfac698377611acc9f689458e13b9ed7d4b9d7599a68dcf125e7f31055ccb374cd04f6d6fd2b217438a63f6f667d50ef2f0
16Sig = 31ed574e9688aed7016e985c0e742fb788be73d9ad0a895e6182c77751817ed000d98eb6d480d64d1729c680693cb13bd6bf0c7b651007e459e667683ff65b92
17Result = P (0 )
18
19# S is 2 bytes shorter than the maximum length.
20Curve = P-256
21Digest = SHA256
22Msg = ""
23Q = 0430345fd47ea21a11129be651b0884bfac698377611acc9f689458e13b9ed7d4b9d7599a68dcf125e7f31055ccb374cd04f6d6fd2b217438a63f6f667d50ef2f0
24Sig = f59cf66594cc837415f16494fb52c02f2a6264bf6ce7dccbf2f78c090cdcefb000005a8c8a04ba7825f3f8e56517056daa1a51129cd91382a24589ed05d0c13d
25Result = P (0 )
26
27# S is the maximum length.
28Curve = P-384
29Digest = SHA384
30Msg = ""
31Q = 045c5e788a805c77d34128b8401cb59b2373b8b468336c9318252bf39fd31d2507557987a5180a9435f9fb8eb971c426f1c485170dcb18fb688a257f89387a09fc4c5b8bd4b320616b54a0a7b1d1d7c6a0c59f6dff78c78ad4e3d6fca9c9a17b96
32Sig = 85ac708d4b0126bac1f5eeebdf911409070a286fdde5649582611b60046de353761660dd03903f58b44148f25142eef8183475ec1f1392f3d6838abc0c01724709c446888bed7f2ce4642c6839dc18044a2a6ab9ddc960bfac79f6988e62d452
33Result = P (0 )
34
35# S is one byte shorter than the maximum length.
36Curve = P-384
37Digest = SHA384
38Msg = ""
39Q = 045c5e788a805c77d34128b8401cb59b2373b8b468336c9318252bf39fd31d2507557987a5180a9435f9fb8eb971c426f1c485170dcb18fb688a257f89387a09fc4c5b8bd4b320616b54a0a7b1d1d7c6a0c59f6dff78c78ad4e3d6fca9c9a17b96
40Sig = 4dec97b54c4150ebaffc2dbfc2bc17c302be47cfc4b541ada34108b1080f2482a3e7f5f2b16f730210bd8c29b6681e0b000575984f37064bfbbdda76836f5ef2d632f006c338a9585c8b9108c46ea812ce066110156de9806ae5711153e2ef0b
41Result = P (0 )
42
43# S is 2 bytes shorter than the maximum length.
44Curve = P-384
45Digest = SHA384
46Msg = ""
47Q = 045c5e788a805c77d34128b8401cb59b2373b8b468336c9318252bf39fd31d2507557987a5180a9435f9fb8eb971c426f1c485170dcb18fb688a257f89387a09fc4c5b8bd4b320616b54a0a7b1d1d7c6a0c59f6dff78c78ad4e3d6fca9c9a17b96
48Sig = ad8e51ec23d5b8130a5e0636a2f0d1740e8b5404c368b7dab5ae82d307d653c6ef70dcee70b112bf678801f87fb8f5a90000806d69e0c2834c27666996d55655cf9358b201aa85d3b08891abcc68c854cac6c67c53b3bf92df9a677d11aba13d
49Result = P (0 )
50
51
52# Generated Test vectors.
53#
54# TODO: Test the range of `r` in addition to the range of `s`.
55# TODO: Test what happens when the message digests to zero.
56# TODO: Additional test coverage. libsecp256k1 is a good example.
57
58
59# Test vectors for Gregory Maxwell's trick.
60#
61# In all cases, the `s` component of the signature was selected
62# arbitrarily as 4 and then the `r` component was chosen to be the
63# smallest value where the public key recovery from the signature
64# works.
65
66# The signature has r < q - n. This is the control case for the next
67# test case; this signature is the same but the public key is
68# different. Notice that both public keys work for the same signature!
69# This signature will validate even if the implementation doesn't
70# reduce the X coordinate of the multiplication result (mod n).
71Curve = P-256
72Digest = SHA256
73Msg = ""
74Q = 041548fc88953e06cd34d4b300804c5322cb48c24aaaa4d07a541b0f0ccfeedeb0ae4991b90519ea405588bdf699f5e6d0c6b2d5217a5c16e8371062737aa1dae1
75Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000004
76Result = P (0 )
77
78# The signature has r < q - n. s Since r < q - n, r + n < q. Notice
79# that this signature is the same as the signature in the preceding
80# test case, but the public key is different. That the signature
81# validates for this case too is what's special about the case where
82# r < q - n. If this test case fails it is likely that the
83# implementation doesn't reduce the X coordinate of the multiplication
84# result (mod n), or it is missing the second step of Gregory
85# Maxwell's trick.
86Curve = P-256
87Digest = SHA256
88Msg = ""
89Q = 04ad8f60e4ec1ebdb6a260b559cb55b1e9d2c5ddd43a41a2d11b0741ef2567d84e166737664104ebbc337af3d861d3524cfbc761c12edae974a0759750c8324f9a
90Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000004
91Result = P (0 )
92
93# The signature has r > q - n. The signature is for the public key
94# recovered from r. r + n > q since r > q - n. This is the control
95# for the next test case; this signature is the same as the signature
96# in the following test case but the public key is different.
97Curve = P-256
98Digest = SHA256
99Msg = ""
100Q = 0445bd879143a64af5746e2e82aa65fd2ea07bba4e35594095a981b59984dacb219d59697387ac721b1f1eccf4b11f43ddc39e8367147abab3084142ed3ea170e4
101Sig = 000000000000000000000000000000004319055358e8617b0c46353d039cdaae0000000000000000000000000000000000000000000000000000000000000004
102Result = P (0 )
103
104# The signature has r > q - n. The signature is for the public key
105# recovered from r + n (mod q). r + n > q since r > q - n, and so
106# r + n (mod q) < r because r + n (mod n) != r + n (mod q). Notice
107# that this signature is the same as the signature in the preceding
108# test case but the public key is different. Also, notice that the
109# signature fails to validate in this case, unlike other related test
110# cases. If this test case fails (the signature validates), it is
111# likely that the implementation didn't guard the second case of
112# Gregory Maxwell's trick on the condition r < q - n.
113Curve = P-256
114Digest = SHA256
115Msg = ""
116Q = 040feb5df4cc78b35ec9c180cc0de5842f75f088b48456978ffa98e716d94883e1e6500b2a1f6c1d9d493428d7ae7d9a8a560fff30a3d14aa160be0c5e7edcd887
117Sig = 000000000000000000000000000000004319055358e8617b0c46353d039cdaae0000000000000000000000000000000000000000000000000000000000000004
118Result = F
119
120# The signature has r < q - n. This is the control case for the next
121# test case; this signature is the same but the public key is
122# different. Notice that both public keys work for the same signature!
123# This signature will validate even if the implementation doesn't
124# reduce the X coordinate of the multiplication result (mod n).
125Curve = P-384
126Digest = SHA384
127Msg = ""
128Q = 0425b890b9597155baf7e7ffb48d8123184cbb76ea3f7b10d8f1702136f969e915188cff306c67950437f816ce6ecb739204cc069edac95929dfbd719313552797962789e2210a0bf270c2f0ffc109a70e40da6303a2599bdd702c19070dd51f42
129Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004
130Result = P (0 )
131
132# The signature has r < q - n. s Since r < q - n, r + n < q. Notice
133# that this signature is the same as the signature in the preceding
134# test case, but the public key is different. That the signature
135# validates for this case too is what's special about the case where
136# r < q - n. If this test case fails it is likely that the
137# implementation doesn't reduce the X coordinate of the multiplication
138# result (mod n), or it is missing the second step of Gregory
139# Maxwell's trick.
140Curve = P-384
141Digest = SHA384
142Msg = ""
143Q = 045a3c576f0c2a615063c6e8ec40f5bf0dd67e549e9f13f8f881703ec40a8d6d8ecbb0d8e5b20f3aa0f2e581b594cea3e654a450cabcf24bd908cc47da98eba648a0440332ee19fb53da96dddaec521f718f7b52a161b67134d6e0d6e81dc45502
144Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004
145Result = P (0 )
146
147# The signature has r > q - n. The signature is for the public key
148# recovered from r. r + n > q since r > q - n. This is the control
149# for the next test case; this signature is the same as the signature
150# in the following test case but the public key is different.
151Curve = P-384
152Digest = SHA384
153Msg = ""
154Q = 04a93588bffb32417bd2b0fa03a6a30d2cf90034e6070b9333d4e7a42fe88bce5a03e8be7f2a84fbc25ec84dc34915c53fd975cfd0db77ec2b5c548994dc9f62756e018882a31d883471b0bbbd8588d9a2acab1aeaaa1eb217f8e528e7114162df
155Sig = 000000000000000000000000000000000000000000000000389cb27e0bc8d21fa7e5f24cb74f58851313e696333ad68e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004
156Result = P (0 )
157
158# The signature has r > q - n. The signature is for the public key
159# recovered from r + n (mod q). r + n > q since r > q - n, and so
160# r + n (mod q) < r because r + n (mod n) != r + n (mod q). Notice
161# that this signature is the same as the signature in the preceding
162# test case but the public key is different. Also, notice that the
163# signature fails to validate in this case, unlike other related test
164# cases. If this test case fails (the signature validates), it is
165# likely that the implementation didn't guard the second case of
166# Gregory Maxwell's trick on the condition r < q - n.
167Curve = P-384
168Digest = SHA384
169Msg = ""
170Q = 04576270f9571c9e99b9c71be1a1a705e5155e46b8c6dd920c14e2aaf0f9f96ed30754e2c8f8464d015a9bc779495ea568ac39c555c3b03de021e8167a27425588d6a82b68cf7a0f6ae389a202d8663ed32b5e1782c0377a8f0dc309ae28143961
171Sig = 000000000000000000000000000000000000000000000000389cb27e0bc8d21fa7e5f24cb74f58851313e696333ad68e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004
172Result = F
173
174
175# Generated Test vectors edge cases of signature (r, s) values.
176
177# s == 0 (out of range)
178Curve = P-256
179Digest = SHA256
180Msg = ""
181Q = 0471db746fd153cf5c5a7c7210f9008c0e99c3a936ef0e720b202b304771431a230af53931e70cbe279ca47ce819616ed1db6604490f70abbcef3036732426eb6d
182Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000000
183Result = F
184
185# s == 1 (minimum allowed)
186Curve = P-256
187Digest = SHA256
188Msg = ""
189Q = 046e3f95fae7606c1cdfab1f1560de160ed806bbc2a85dc5a2d002aa1c0ac3e1fb5bcd5f7a325415824365cc584f08c144118318ce4d0f5df82b7753b291c4fe96
190Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000001
191Result = P (0 )
192
193# s == n (out of range)
194Curve = P-256
195Digest = SHA256
196Msg = ""
197Q = 0471db746fd153cf5c5a7c7210f9008c0e99c3a936ef0e720b202b304771431a230af53931e70cbe279ca47ce819616ed1db6604490f70abbcef3036732426eb6d
198Sig = 0000000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
199Result = F
200
201# s == n - 1 (maximum allowed)
202Curve = P-256
203Digest = SHA256
204Msg = ""
205Q = 04d78f14b53bf825c9f7146193f775458ef5ee46500cd44b18488cb4115c3f00f04b11fc7c6aa1045dc83e4f3e8a14d4a017db8415b5fe3f1a32afba4b8c707ab4
206Sig = 0000000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
207Result = P (0 )
208
209# s == n - 1 (maximum allowed), missing first zero byte.
210Curve = P-256
211Digest = SHA256
212Msg = ""
213Q = 04d78f14b53bf825c9f7146193f775458ef5ee46500cd44b18488cb4115c3f00f04b11fc7c6aa1045dc83e4f3e8a14d4a017db8415b5fe3f1a32afba4b8c707ab4
214Sig = 00000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550
215Result = F
216
217# s == n - 1 (maximum allowed), missing last nonzero byte.
218Curve = P-256
219Digest = SHA256
220Msg = ""
221Q = 04d78f14b53bf825c9f7146193f775458ef5ee46500cd44b18488cb4115c3f00f04b11fc7c6aa1045dc83e4f3e8a14d4a017db8415b5fe3f1a32afba4b8c707ab4
222Sig = 0000000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325
223Result = F
224
225# s == 0 (out of range)
226Curve = P-384
227Digest = SHA384
228Msg = ""
229Q = 04aad95ed7839057e221d46bb203f8b6c977588966fffccf815542429477dc45e61ed6b86fec0a2f3dfb453ea56ac0a6c06933416550a7158ed3f06aca1822c9b83102b40e5ada71651ec153a919a32755ee0292f6a5530d5889c1dc6cb020351f
230Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
231Result = F
232
233# s == 1 (minimum allowed)
234Curve = P-384
235Digest = SHA384
236Msg = ""
237Q = 042aadde5424928b888e20ecef2525f99d646519aa994c075a4081aa852ec309a6ac63006421ff756c6c0924d611d1bda82df99267266ba603b07ba85c678f4ae69daf4634a5e597d77d0b0338f343d8090b2d4420a29302ab47ef04ad45e1461f
238Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
239Result = P (0 )
240
241# s == n (out of range)
242Curve = P-384
243Digest = SHA384
244Msg = ""
245Q = 04aad95ed7839057e221d46bb203f8b6c977588966fffccf815542429477dc45e61ed6b86fec0a2f3dfb453ea56ac0a6c06933416550a7158ed3f06aca1822c9b83102b40e5ada71651ec153a919a32755ee0292f6a5530d5889c1dc6cb020351f
246Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
247Result = F
248
249# s == n - 1 (maximum allowed)
250Curve = P-384
251Digest = SHA384
252Msg = ""
253Q = 04a1d58e8df7f27c4483be9369f8d73d3ea968fce26ff5374d822c5cb4286c00f6fef54d525f4c8b180065dcc1f95f7a0c291171ca5894ba3f4d52ae091ec36c81ee2f34a384c59183284d85dddc3b196c6d7deaab1626d662bc628136126eef6b
254Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
255Result = P (0 )
256
257# s == n - 1 (maximum allowed), missing first zero byte.
258Curve = P-384
259Digest = SHA384
260Msg = ""
261Q = 04a1d58e8df7f27c4483be9369f8d73d3ea968fce26ff5374d822c5cb4286c00f6fef54d525f4c8b180065dcc1f95f7a0c291171ca5894ba3f4d52ae091ec36c81ee2f34a384c59183284d85dddc3b196c6d7deaab1626d662bc628136126eef6b
262Sig = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972
263Result = F
264
265# s == n - 1 (maximum allowed), missing last nonzero byte.
266Curve = P-384
267Digest = SHA384
268Msg = ""
269Q = 04a1d58e8df7f27c4483be9369f8d73d3ea968fce26ff5374d822c5cb4286c00f6fef54d525f4c8b180065dcc1f95f7a0c291171ca5894ba3f4d52ae091ec36c81ee2f34a384c59183284d85dddc3b196c6d7deaab1626d662bc628136126eef6b
270Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529
271Result = F
272