1# Test vectors for short (zero-padded) values of s. 2 3# S is the maximum length. 4Curve = P-256 5Digest = SHA256 6Msg = "" 7Q = 0430345fd47ea21a11129be651b0884bfac698377611acc9f689458e13b9ed7d4b9d7599a68dcf125e7f31055ccb374cd04f6d6fd2b217438a63f6f667d50ef2f0 8Sig = 341f6779b75e98bb42e01095dd48356cbf9002dc704ac8bd2a8240b88d3796c6555843b1b4e264fe6ffe6e2b705a376c05c09404303ffe5d2711f3e3b3a010a1 9Result = P (0 ) 10 11# S is one byte shorter than the maximum length. 12Curve = P-256 13Digest = SHA256 14Msg = "" 15Q = 0430345fd47ea21a11129be651b0884bfac698377611acc9f689458e13b9ed7d4b9d7599a68dcf125e7f31055ccb374cd04f6d6fd2b217438a63f6f667d50ef2f0 16Sig = 31ed574e9688aed7016e985c0e742fb788be73d9ad0a895e6182c77751817ed000d98eb6d480d64d1729c680693cb13bd6bf0c7b651007e459e667683ff65b92 17Result = P (0 ) 18 19# S is 2 bytes shorter than the maximum length. 20Curve = P-256 21Digest = SHA256 22Msg = "" 23Q = 0430345fd47ea21a11129be651b0884bfac698377611acc9f689458e13b9ed7d4b9d7599a68dcf125e7f31055ccb374cd04f6d6fd2b217438a63f6f667d50ef2f0 24Sig = f59cf66594cc837415f16494fb52c02f2a6264bf6ce7dccbf2f78c090cdcefb000005a8c8a04ba7825f3f8e56517056daa1a51129cd91382a24589ed05d0c13d 25Result = P (0 ) 26 27# S is the maximum length. 28Curve = P-384 29Digest = SHA384 30Msg = "" 31Q = 045c5e788a805c77d34128b8401cb59b2373b8b468336c9318252bf39fd31d2507557987a5180a9435f9fb8eb971c426f1c485170dcb18fb688a257f89387a09fc4c5b8bd4b320616b54a0a7b1d1d7c6a0c59f6dff78c78ad4e3d6fca9c9a17b96 32Sig = 85ac708d4b0126bac1f5eeebdf911409070a286fdde5649582611b60046de353761660dd03903f58b44148f25142eef8183475ec1f1392f3d6838abc0c01724709c446888bed7f2ce4642c6839dc18044a2a6ab9ddc960bfac79f6988e62d452 33Result = P (0 ) 34 35# S is one byte shorter than the maximum length. 
36Curve = P-384 37Digest = SHA384 38Msg = "" 39Q = 045c5e788a805c77d34128b8401cb59b2373b8b468336c9318252bf39fd31d2507557987a5180a9435f9fb8eb971c426f1c485170dcb18fb688a257f89387a09fc4c5b8bd4b320616b54a0a7b1d1d7c6a0c59f6dff78c78ad4e3d6fca9c9a17b96 40Sig = 4dec97b54c4150ebaffc2dbfc2bc17c302be47cfc4b541ada34108b1080f2482a3e7f5f2b16f730210bd8c29b6681e0b000575984f37064bfbbdda76836f5ef2d632f006c338a9585c8b9108c46ea812ce066110156de9806ae5711153e2ef0b 41Result = P (0 ) 42 43# S is 2 bytes shorter than the maximum length. 44Curve = P-384 45Digest = SHA384 46Msg = "" 47Q = 045c5e788a805c77d34128b8401cb59b2373b8b468336c9318252bf39fd31d2507557987a5180a9435f9fb8eb971c426f1c485170dcb18fb688a257f89387a09fc4c5b8bd4b320616b54a0a7b1d1d7c6a0c59f6dff78c78ad4e3d6fca9c9a17b96 48Sig = ad8e51ec23d5b8130a5e0636a2f0d1740e8b5404c368b7dab5ae82d307d653c6ef70dcee70b112bf678801f87fb8f5a90000806d69e0c2834c27666996d55655cf9358b201aa85d3b08891abcc68c854cac6c67c53b3bf92df9a677d11aba13d 49Result = P (0 ) 50 51 52# Generated Test vectors. 53# 54# TODO: Test the range of `r` in addition to the range of `s`. 55# TODO: Test what happens when the message digests to zero. 56# TODO: Additional test coverage. libsecp256k1 is a good example. 57 58 59# Test vectors for Gregory Maxwell's trick. 60# 61# In all cases, the `s` component of the signature was selected 62# arbitrarily as 4 and then the `r` component was chosen to be the 63# smallest value where the public key recovery from the signature 64# works. 65 66# The signature has r < q - n. This is the control case for the next 67# test case; this signature is the same but the public key is 68# different. Notice that both public keys work for the same signature! 69# This signature will validate even if the implementation doesn't 70# reduce the X coordinate of the multiplication result (mod n). 
71Curve = P-256 72Digest = SHA256 73Msg = "" 74Q = 041548fc88953e06cd34d4b300804c5322cb48c24aaaa4d07a541b0f0ccfeedeb0ae4991b90519ea405588bdf699f5e6d0c6b2d5217a5c16e8371062737aa1dae1 75Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000004 76Result = P (0 ) 77 78# The signature has r < q - n. Since r < q - n, r + n < q. Notice 79# that this signature is the same as the signature in the preceding 80# test case, but the public key is different. That the signature 81# validates for this case too is what's special about the case where 82# r < q - n. If this test case fails it is likely that the 83# implementation doesn't reduce the X coordinate of the multiplication 84# result (mod n), or it is missing the second step of Gregory 85# Maxwell's trick. 86Curve = P-256 87Digest = SHA256 88Msg = "" 89Q = 04ad8f60e4ec1ebdb6a260b559cb55b1e9d2c5ddd43a41a2d11b0741ef2567d84e166737664104ebbc337af3d861d3524cfbc761c12edae974a0759750c8324f9a 90Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000004 91Result = P (0 ) 92 93# The signature has r > q - n. The signature is for the public key 94# recovered from r. r + n > q since r > q - n. This is the control 95# for the next test case; this signature is the same as the signature 96# in the following test case but the public key is different. 97Curve = P-256 98Digest = SHA256 99Msg = "" 100Q = 0445bd879143a64af5746e2e82aa65fd2ea07bba4e35594095a981b59984dacb219d59697387ac721b1f1eccf4b11f43ddc39e8367147abab3084142ed3ea170e4 101Sig = 000000000000000000000000000000004319055358e8617b0c46353d039cdaae0000000000000000000000000000000000000000000000000000000000000004 102Result = P (0 ) 103 104# The signature has r > q - n. The signature is for the public key 105# recovered from r + n (mod q). r + n > q since r > q - n, and so 106# r + n (mod q) < r because r + n (mod n) != r + n (mod q). 
Notice 107# that this signature is the same as the signature in the preceding 108# test case but the public key is different. Also, notice that the 109# signature fails to validate in this case, unlike other related test 110# cases. If this test case fails (the signature validates), it is 111# likely that the implementation didn't guard the second case of 112# Gregory Maxwell's trick on the condition r < q - n. 113Curve = P-256 114Digest = SHA256 115Msg = "" 116Q = 040feb5df4cc78b35ec9c180cc0de5842f75f088b48456978ffa98e716d94883e1e6500b2a1f6c1d9d493428d7ae7d9a8a560fff30a3d14aa160be0c5e7edcd887 117Sig = 000000000000000000000000000000004319055358e8617b0c46353d039cdaae0000000000000000000000000000000000000000000000000000000000000004 118Result = F 119 120# The signature has r < q - n. This is the control case for the next 121# test case; this signature is the same but the public key is 122# different. Notice that both public keys work for the same signature! 123# This signature will validate even if the implementation doesn't 124# reduce the X coordinate of the multiplication result (mod n). 125Curve = P-384 126Digest = SHA384 127Msg = "" 128Q = 0425b890b9597155baf7e7ffb48d8123184cbb76ea3f7b10d8f1702136f969e915188cff306c67950437f816ce6ecb739204cc069edac95929dfbd719313552797962789e2210a0bf270c2f0ffc109a70e40da6303a2599bdd702c19070dd51f42 129Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004 130Result = P (0 ) 131 132# The signature has r < q - n. Since r < q - n, r + n < q. Notice 133# that this signature is the same as the signature in the preceding 134# test case, but the public key is different. That the signature 135# validates for this case too is what's special about the case where 136# r < q - n. 
If this test case fails it is likely that the 137# implementation doesn't reduce the X coordinate of the multiplication 138# result (mod n), or it is missing the second step of Gregory 139# Maxwell's trick. 140Curve = P-384 141Digest = SHA384 142Msg = "" 143Q = 045a3c576f0c2a615063c6e8ec40f5bf0dd67e549e9f13f8f881703ec40a8d6d8ecbb0d8e5b20f3aa0f2e581b594cea3e654a450cabcf24bd908cc47da98eba648a0440332ee19fb53da96dddaec521f718f7b52a161b67134d6e0d6e81dc45502 144Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004 145Result = P (0 ) 146 147# The signature has r > q - n. The signature is for the public key 148# recovered from r. r + n > q since r > q - n. This is the control 149# for the next test case; this signature is the same as the signature 150# in the following test case but the public key is different. 151Curve = P-384 152Digest = SHA384 153Msg = "" 154Q = 04a93588bffb32417bd2b0fa03a6a30d2cf90034e6070b9333d4e7a42fe88bce5a03e8be7f2a84fbc25ec84dc34915c53fd975cfd0db77ec2b5c548994dc9f62756e018882a31d883471b0bbbd8588d9a2acab1aeaaa1eb217f8e528e7114162df 155Sig = 000000000000000000000000000000000000000000000000389cb27e0bc8d21fa7e5f24cb74f58851313e696333ad68e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004 156Result = P (0 ) 157 158# The signature has r > q - n. The signature is for the public key 159# recovered from r + n (mod q). r + n > q since r > q - n, and so 160# r + n (mod q) < r because r + n (mod n) != r + n (mod q). Notice 161# that this signature is the same as the signature in the preceding 162# test case but the public key is different. Also, notice that the 163# signature fails to validate in this case, unlike other related test 164# cases. 
If this test case fails (the signature validates), it is 165# likely that the implementation didn't guard the second case of 166# Gregory Maxwell's trick on the condition r < q - n. 167Curve = P-384 168Digest = SHA384 169Msg = "" 170Q = 04576270f9571c9e99b9c71be1a1a705e5155e46b8c6dd920c14e2aaf0f9f96ed30754e2c8f8464d015a9bc779495ea568ac39c555c3b03de021e8167a27425588d6a82b68cf7a0f6ae389a202d8663ed32b5e1782c0377a8f0dc309ae28143961 171Sig = 000000000000000000000000000000000000000000000000389cb27e0bc8d21fa7e5f24cb74f58851313e696333ad68e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004 172Result = F 173 174 175# Generated test vectors for edge cases of signature (r, s) values. 176 177# s == 0 (out of range) 178Curve = P-256 179Digest = SHA256 180Msg = "" 181Q = 0471db746fd153cf5c5a7c7210f9008c0e99c3a936ef0e720b202b304771431a230af53931e70cbe279ca47ce819616ed1db6604490f70abbcef3036732426eb6d 182Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000000 183Result = F 184 185# s == 1 (minimum allowed) 186Curve = P-256 187Digest = SHA256 188Msg = "" 189Q = 046e3f95fae7606c1cdfab1f1560de160ed806bbc2a85dc5a2d002aa1c0ac3e1fb5bcd5f7a325415824365cc584f08c144118318ce4d0f5df82b7753b291c4fe96 190Sig = 00000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000001 191Result = P (0 ) 192 193# s == n (out of range) 194Curve = P-256 195Digest = SHA256 196Msg = "" 197Q = 0471db746fd153cf5c5a7c7210f9008c0e99c3a936ef0e720b202b304771431a230af53931e70cbe279ca47ce819616ed1db6604490f70abbcef3036732426eb6d 198Sig = 0000000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551 199Result = F 200 201# s == n - 1 (maximum allowed) 202Curve = P-256 203Digest = SHA256 204Msg = "" 205Q = 
04d78f14b53bf825c9f7146193f775458ef5ee46500cd44b18488cb4115c3f00f04b11fc7c6aa1045dc83e4f3e8a14d4a017db8415b5fe3f1a32afba4b8c707ab4 206Sig = 0000000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550 207Result = P (0 ) 208 209# s == n - 1 (maximum allowed), missing first zero byte. 210Curve = P-256 211Digest = SHA256 212Msg = "" 213Q = 04d78f14b53bf825c9f7146193f775458ef5ee46500cd44b18488cb4115c3f00f04b11fc7c6aa1045dc83e4f3e8a14d4a017db8415b5fe3f1a32afba4b8c707ab4 214Sig = 00000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550 215Result = F 216 217# s == n - 1 (maximum allowed), missing last nonzero byte. 218Curve = P-256 219Digest = SHA256 220Msg = "" 221Q = 04d78f14b53bf825c9f7146193f775458ef5ee46500cd44b18488cb4115c3f00f04b11fc7c6aa1045dc83e4f3e8a14d4a017db8415b5fe3f1a32afba4b8c707ab4 222Sig = 0000000000000000000000000000000000000000000000000000000000000006ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325 223Result = F 224 225# s == 0 (out of range) 226Curve = P-384 227Digest = SHA384 228Msg = "" 229Q = 04aad95ed7839057e221d46bb203f8b6c977588966fffccf815542429477dc45e61ed6b86fec0a2f3dfb453ea56ac0a6c06933416550a7158ed3f06aca1822c9b83102b40e5ada71651ec153a919a32755ee0292f6a5530d5889c1dc6cb020351f 230Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 231Result = F 232 233# s == 1 (minimum allowed) 234Curve = P-384 235Digest = SHA384 236Msg = "" 237Q = 042aadde5424928b888e20ecef2525f99d646519aa994c075a4081aa852ec309a6ac63006421ff756c6c0924d611d1bda82df99267266ba603b07ba85c678f4ae69daf4634a5e597d77d0b0338f343d8090b2d4420a29302ab47ef04ad45e1461f 238Sig = 
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 239Result = P (0 ) 240 241# s == n (out of range) 242Curve = P-384 243Digest = SHA384 244Msg = "" 245Q = 04aad95ed7839057e221d46bb203f8b6c977588966fffccf815542429477dc45e61ed6b86fec0a2f3dfb453ea56ac0a6c06933416550a7158ed3f06aca1822c9b83102b40e5ada71651ec153a919a32755ee0292f6a5530d5889c1dc6cb020351f 246Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973 247Result = F 248 249# s == n - 1 (maximum allowed) 250Curve = P-384 251Digest = SHA384 252Msg = "" 253Q = 04a1d58e8df7f27c4483be9369f8d73d3ea968fce26ff5374d822c5cb4286c00f6fef54d525f4c8b180065dcc1f95f7a0c291171ca5894ba3f4d52ae091ec36c81ee2f34a384c59183284d85dddc3b196c6d7deaab1626d662bc628136126eef6b 254Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972 255Result = P (0 ) 256 257# s == n - 1 (maximum allowed), missing first zero byte. 258Curve = P-384 259Digest = SHA384 260Msg = "" 261Q = 04a1d58e8df7f27c4483be9369f8d73d3ea968fce26ff5374d822c5cb4286c00f6fef54d525f4c8b180065dcc1f95f7a0c291171ca5894ba3f4d52ae091ec36c81ee2f34a384c59183284d85dddc3b196c6d7deaab1626d662bc628136126eef6b 262Sig = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972 263Result = F 264 265# s == n - 1 (maximum allowed), missing last nonzero byte. 
266Curve = P-384 267Digest = SHA384 268Msg = "" 269Q = 04a1d58e8df7f27c4483be9369f8d73d3ea968fce26ff5374d822c5cb4286c00f6fef54d525f4c8b180065dcc1f95f7a0c291171ca5894ba3f4d52ae091ec36c81ee2f34a384c59183284d85dddc3b196c6d7deaab1626d662bc628136126eef6b 270Sig = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc529 271Result = F 272