Deterministic Usage of DSA and ECDSA Digital Signature Algorithms (RFC 6979)

[fpgaminer]

I've seen this RFC mentioned once or twice on this forum, but could not find any extensive dialog about it.  I would like to implement this as part of my hardware wallet, but am hesitant to do so without seeing what others have to think about the approach.

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)


Summary of RFC 6979
ECDSA signature generation uses a number k, which must be randomly and uniformly chosen each time a signature is created.  Under deterministic ECDSA, as proposed by RFC 6979, k is chosen deterministically.

We start by creating an instance of HMAC-DRBG, with the private key as the source of entropy, and the hash of the message as the nonce.  k is generated from the output of this HMAC-DRBG instance.  This makes k deterministic, given the message and the private key, but still uniformly distributed and ~impossible for an attacker to guess/calculate.

Most importantly, signatures generated this way are compatible with existing ECDSA signature verification implementations.


Why make ECDSA deterministic?
There are two major reasons to use a deterministic algorithm here.  In regular ECDSA, if two signatures are created (different messages) with the same k value, the private key can be calculated.  This means that ECDSA immediately fails if k is not chosen randomly.  The recent Android mishap led to such a problem.  Using deterministic ECDSA avoids this.

Secondly, it allows easy verification of ECDSA implementations, using fixed test vectors.  Regular ECDSA implementations cannot use signature test vectors, because the signatures are random by design.


Thoughts?

[1715015116]

1715015116

[1715015116]

1715015116

[1715015116]

1715015116

[gmaxwell]

Here are my thoughts: http://permalink.gmane.org/gmane.comp.bitcoin.devel/2734

[fpgaminer]

Here are my thoughts: http://permalink.gmane.org/gmane.comp.bitcoin.devel/2734

Yup, that seems to resonate well with my conclusions.  Thank you for the link.

I just finished coding an HMAC_DRBG implementation in Python and threw it up on github, as a nice reference.  I'll follow that up with an implementation of RFC 6979 in Python, to play around with.

Personally, I'm leaning towards an implementation of RFC 6979, with an extra switch in the API to enable the usage of additional entropy.  The switch could default on, thus avoiding concerns over leaking information about the private key.  During unit or continuous tests, though, it could be switched off to verify conformance to RFC 6979, and switched back on to verify non-conformance (and thus confirm that entropy is being added).

[gmaxwell]

I was leaning towards recommending using HMAC-SHA512 since its already required for  BIP32.

I'd generally recommend against non-deterministic signatures. If the signatures are non-deterministic it is impossible for someone to verify that the implementation is not using the R value as a side channel to leak the private keys.

In open source pure software implementations it easy to be relatively confident that an implementation isn't cryptographically encoding the private key in the choice of R value (via, e.g. incrementing K until an R that leaks a non-deterministic part of the master private key), but in a hardware wallet implementation this is impossible, and it is trivial to construct a malicious implementation that leaks the private key via the R value in just a few signatures.

I actually have two implementations of example malicious signers:  One produces non-deterministic signatures and leaks a 256 bit private key, to the holder of a specific public key and no one else, in ~33 signatures with very high probability (failure rate of 1 in 1000 for 33 signatures, around 1 in a million for 34). The other produces a seemingly RFC 6979 like deterministic signatures and with a single signature leaks the current private key, and with 16 signatures leaks an additional 256 bit secret (e.g. a master private key, with a failure rate of around 1:1000 for 16 signatures, ~1:1e6 for 17 signatures).

Both work by performing an extra point multiply to gain an ECDH shared secret between the attacker and the user's key.

In the first case it then searches for a K value where H(secret||R)'s least significant bits match the data being leaked.  The leaked data is selected based using the data being signed to drive a fountain code over the private data.

In the second, the ECDH shared secret replaces the secret key in the RFC6979 K value selection (this is especially diabolical because the implementation with openssl looks fairly benign as its just point multiplying the secret by a constant), and appeneding 16 bits of (again) message digest selected secret data (which just looks like more 'salt') this time just a index into 65535 16 bit words from a 16 bit RS code expansion of the private key.  The attacker computes the shared secret and then searches for the 16 bit value that gives him the same R. He then knows K and can recover the current key and has learned 16 bits of secret data. The RS code can be precomputed and passed off as just storage redundancy for the master key.

Because tractability in hardware devices is already weak, it would sure be better if the device could be put in a mode which would make its behavior completely reproducible externally. If the security assumptions underlying the SHA2 based derandomized DSA do not hold, then it is almost certain that SHA2 using ECDSA will also not hold.  Whatever version you implement, I hope there will be a way for someone with the device to verify that it's doing what its supposted to be doing.

[fpgaminer]

Wonderful and insightful comments, gmaxwell; thank you.

but in a hardware wallet implementation this is impossible

If the hardware is known, and it is running open source firmware, what concerns would there be?

Also, malicious firmware doesn't need to leak information through signatures to enable an attack vector.  It could be using a DRBG to select the private keys, seeded from a secret known to the attacker and a device specific id.  This would enable the attacker to calculate potential private keys and search the blockchain.  To an outside observer, the private keys would look random as usual.  (This is the same worry people have about the RdRand instruction)

it would sure be better if the device could be put in a mode which would make its behavior completely reproducible externally

Perhaps deterministic signatures could be a user configurable option, allowing expert users to "pick their poison".

[gmaxwell]

but in a hardware wallet implementation this is impossible

If the hardware is known, and it is running open source firmware, what concerns would there be?
Also, malicious firmware doesn't need to leak information through signatures to enable an attack vector.

How do you actually know that it is running the open source firmware and not a modified version installed by the manufacturer or replaced in transit?

Generally if your computing device is compromised you're kind of doomed, but in this case not so much... because the behavior of the device is sufficiently narrow and all communication mediated via the host, it should be possible to be a little more confident here.

Also, malicious firmware doesn't need to leak information through signatures to enable an attack vector.  It could be using a DRBG to select the private keys, seeded from a secret known to the attacker and a device specific id.  This would enable the attacker to calculate potential private keys and search the blockchain.  To an outside observer, the private keys would look random as usual.  (This is the same worry people have about the RdRand instruction)

My expectation is that you'd make your master key  some H(device randomness || user or initial host randomness).  You need a way to export the master key data for backup purposes, so with an addition that also lets the user obtain the contributing randomness after obtaining the device master key.  Effectively this means the the device cannot undetectable cheat in the way you suggest.

(now, any particular user may fail to detect it— but it changes the risk model for someone substituting the firmware, since after already committing itself to some behavior and signing transactions on behalf of the user the user could then demand it provide the device randomness and they could fully repeat the output)

it would sure be better if the device could be put in a mode which would make its behavior completely reproducible externally

Perhaps deterministic signatures could be a user configurable option, allowing expert users to "pick their poison".
[/quote]I prefer fewer options to more... but indeed.

[stick]

Last news about DRBG: http://en.wikipedia.org/wiki/Dual_EC_DRBG#Controversy 

Btw, slush and I are trying to implement RFC6979 into python-ecdsa/microecdsa. Hopefully we'll publish the results soon (or watch https://github.com/trezor/python-ecdsa and https://github.com/trezor/microecdsa repos).

[gmaxwell]

Last news about DRBG: http://en.wikipedia.org/wiki/Dual_EC_DRBG#Controversy 

Old news and fpgaminer is not talking about Dual_EC_DRBG. He's implemented the DRBG based on SHA256.

[natb]

Wow, thanks for posting your 'microecdsa' code - now I get to see how what I came up with stacks up to your version

Couple questions:

Is the algo you created resistant to side-channel attacks (constant time for doing the scalar multiply)?
Can you give me any insights/references into your 'PRECOMPUTED_CP/IV' technique?

Last news about DRBG: http://en.wikipedia.org/wiki/Dual_EC_DRBG#Controversy 

Btw, slush and I are trying to implement RFC6979 into python-ecdsa/microecdsa. Hopefully we'll publish the results soon (or watch https://github.com/trezor/python-ecdsa and https://github.com/trezor/microecdsa repos).

[Crowex]

What would be the disadvantage of deterministically generating k each time and then multiplying by a PRNG generated number and reducing mod n and use this to sign?
Wouldn't you get protection against the failure of either method this way?

[natb]

This is all well and good - yes it works just fine. However as I understand it, it spoils the benefits of having a 3rd party entity be able to *exactly* reproduce your signatures to verify that your HW device is not doing anything dumb when generating said signatures. This gives them confidence that your HW wallet is not leaking information about private keys through sub-par 'random' number generation.

What would be the disadvantage of deterministically generating k each time and then multiplying by a PRNG generated number and reducing mod n and use this to sign?
Wouldn't you get protection against the failure of either method this way?

[fpgaminer]

How do you actually know that it is running the open source firmware and not a modified version installed by the manufacturer or replaced in transit?

Two stages, depending on user paranoia:

1) Update the device before using it, with known good firmware (cryptographically signed + deterministic compilation). [Does not rule out rootkit]
2) Open the device, visually verify hardware, and use JTAG/SWD to manually wipe and flash. [Rules out rootkit, FPGA masquerade, etc]

This will mitigate all reasonable attacks.  The only one left would a malicious custom ASIC pretending to be the MCU.  But if your attacker is willing to spend millions of dollars ... hell, you must be doing something right in your life.

Generally if your computing device is compromised you're kind of doomed, but in this case not so much... because the behavior of the device is sufficiently narrow and all communication mediated via the host, it should be possible to be a little more confident here.

Yes, there are a million and one ways to attack a user when a malicious party can manipulate the hardware.  But, you make a great point regardless; better safer than sorry.

My expectation is that you'd make your master key  some H(device randomness || user or initial host randomness).  You need a way to export the master key data for backup purposes, so with an addition that also lets the user obtain the contributing randomness after obtaining the device master key.  Effectively this means the the device cannot undetectable cheat in the way you suggest.

Rather than that, and assuming you have a trusted computer on which to do all this (since it will have access to your master key), just build the backup manually using your own entropy and restore it to the device.  Then query the device for a few public keys to verify it's using your backup.  I specifically left this option open on my platform, so that advanced users could choose their own means of creating the master key.  For example, choosing it like a brainwallet.

As usual, gmaxwell, your comments are wonderfully insightful and helpful.  Thank you for taking the time to bat around these ideas with me (and the rest of the community).

[fpgaminer]

I reached out to Colin Percival (who wrote scrypt, for example) for his thoughts/comments on RFC 6979.  Here's what he had to say (with his permission):

I don't see any concrete problems with this proposal, but using the private key
as part of the hashed input does make me a bit nervous.

Personally, I'd prefer to feed these into an HMAC-DRBG to be used for entropy
*in addition to* normal seeding of entropy from the operating system -- unless
you really need deterministic signatures.

This seems to be in agreement with pretty much everyone else's opinion on RFC 6979, which is good to see.  Many thanks to Colin Percival for taking the time to respond to my inquiry!

Wow, thanks for posting your 'microecdsa' code - now I get to see how what I came up with stacks up to your version Smiley

Shameless self-promotion: https://github.com/fpgaminer/strong-arm

Can you give me any insights/references into your 'PRECOMPUTED_CP/IV' technique?

Looks to me like the LUT implementation of EC scalar multiplication.  You have 256 pre-computed values, each of the form 2^i * G so you can just add them together depending on the bits of the scalar.  I can go into a more detailed explanation if you would like.

I chose not to implement that optimization in strong-arm, since it really wasn't much of a bottleneck, and I personally prefer transparent code over optimized code.  Easier to audit and avoid bugs.

What would be the disadvantage of deterministically generating k each time and then multiplying by a PRNG generated number and reducing mod n and use this to sign?

You can do that in pseudo-RFC 6979 by just reseeding the DRBG with any extra entropy you'd like.  Though, as natb pointed out, gmaxwell and others believe it best to leave things fully deterministic.  I'm ... still on the fence, but leaning more towards deterministic after reading gmaxwell's arguments.

[stick]

I chose not to implement that optimization in strong-arm, since it really wasn't much of a bottleneck, and I personally prefer transparent code over optimized code.  Easier to audit and avoid bugs.

This optimization makes code 5x faster on x86. Even more on ARM devices. That's a significant improvement. Unfortunately, it makes also code 3x-4x bigger, that's why there are macros to turn it on/off.

[slush]

Pull request adding RFC 6979 into python-ecdsa: https://github.com/warner/python-ecdsa/pull/10

[fpgaminer]

Pull request adding RFC 6979 into python-ecdsa: https://github.com/warner/python-ecdsa/pull/10

Round of applause.  Very awesome to see!  Thank you for sharing, and pushing to warner's repo.

Personally, I'd like to see it use a separate HMAC-DRBG module, to help code separation, unit testing, and code reuse (https://github.com/fpgaminer/python-hmac-drbg is public domain).  Also, the possibility to swap out HMAC-DRBG for a different function, so it can be used as a test-bed for using plain HMAC.

[gmaxwell]

I reached out to Colin Percival (who wrote scrypt, for example) for his thoughts/comments on RFC 6979.  Here's what he had to say (with his permission):

::sigh::  If adding the secret to the input were problematic the entire signing function would very likely be insecure: Computing a collision is easier than recovering an unknown pre-image, doubly so because the next thing you do is multiply K by G to get R, which both reduces the space of the output, and makes K unrecoverable from unless you can solve a discrete log problem.

The cost of this is that you produce a device whos correct behavior is not measurable. It could have backdoors inserted in several forms which would be very difficult to discover, or it could have flawed operation.

e.g. if it gets hot there are random bitflips in the multiply used to derive R from K, because the twist of secp256k1 is a smooth field where solving the DLP is relatively easy a single bit-flip in the multiply can result in a R value from which K can be recovered in about 2^51 work.

[Edit: Actually this is incorrect secp256k1 is twist secure, the error there resulted from an apparently transcription error copying down the order of the twist for factoring.  Of course the potential for backdoors in DSA nonce generation are universal and apply to all curves, and to edDSA as well]

Essentially I view this as increasing weakness to these specific but "kind of boring" threats which I can articulate and even show you demonstrations of (e.g. the backdoored signers) in favor or speculatively increasing security against vague cryptographic boogymen, which— if they exist at all— will probably kill us all regardless (by allowing collisions on the data being signed, and thus allowing signature rebinding).

Two stages, depending on user paranoia:

1) Update the device before using it, with known good firmware (cryptographically signed + deterministic compilation). [Does not rule out rootkit]
2) Open the device, visually verify hardware, and use JTAG/SWD to manually wipe and flash. [Rules out rootkit, FPGA masquerade, etc]

This will mitigate all reasonable attacks.  The only one left would a malicious custom ASIC pretending to be the MCU.  But if your attacker is willing to spend millions of dollars ... hell, you must be doing something right in your life.

So this doesn't really quite reflect the "defense model" I'm going for. Realistically— whos going to go and do those things?  Even of those people with a million dollars to protect?  Very few.

But not zero, a few geeks are reasonably likely to go splunking around— and I'd think that really any one attempting to be a vendor in this space should even set aside some budget to pay for third party auditing to make _sure_ some external eyes dig in deep.

What I think what would be beneficial for the Bitcoin-using economy is if these few rare instances of crazy, curious, or otherwise motivated adventure seekers somehow protected all of us from badness.   This is what happens with open code: When I review code thoroughly, I'm not just protecting myself: I'm protecting everyone I can communicate with.

The problem with (2) there is that I can't tell if the device was unfaithful to begin with. So if I'm the guy who doesn't trust my device the result is that I get a safe device, but I don't get the ability to sound an alarm to warn anyone else.  In particular, if the device is deterministic, someone who goes in with the logic analyzers can certify the device and document the behavior, then other people can randomly check that their devices measure the documented behavior with far less work.

A compromise in the middle if the device has a display: when signing, show the extra "bonus" randomness on the display. The behavior could still then be completely deterministic (assuming you capture the bonus randomness).. but since the protocol should still be secure against anything by cryptographic boogymen even if the "bonus randomness" is just a constant it should be harmless to display it, you could even send it over USB to the host.  Unless you're worried about boogmen who can invert sha256 and own a camcorder (or, in the latter, and who've hacked your computer).

I hope you don't think I'm ranting at you too much. My replies here are all in the spirit of talking through building the best and most practically secure systems possible— a goal I think we all share.

[iddo]

I reached out to Colin Percival (who wrote scrypt, for example) for his thoughts/comments on RFC 6979.  Here's what he had to say (with his permission):

I don't see any concrete problems with this proposal, but using the private key
as part of the hashed input does make me a bit nervous.

Personally, I'd prefer to feed these into an HMAC-DRBG to be used for entropy
*in addition to* normal seeding of entropy from the operating system -- unless
you really need deterministic signatures.

This seems to be in agreement with pretty much everyone else's opinion on RFC 6979, which is good to see.

::sigh::  If adding the secret to the input were problematic the entire signing function would very likely be insecure: Computing a collision is easier than recovering an unknown pre-image, doubly so because the next thing you do is multiply K by G to get R, which both reduces the space of the output, and makes K unrecoverable from unless you can solve a discrete log problem.

The cost of this is that you produce a device whos correct behavior is not measurable. It could have backdoors inserted in several forms which would be very difficult to discover, or it could have flawed operation.

e.g. if it gets hot there are random bitflips in the multiply used to derive R from K, because the twist of secp256k1 is a smooth field where solving the DLP is relatively easy a single bit-flip in the multiply can result in a R value from which K can be recovered in about 2^51 work.

I'm probably missing something here, but it seems to me that the argument that you're giving is similar to what Colin Percival had in mind, though you're interpreting it in the opposite way than he, and I don't exactly understand your argument yet.

I think that the concern is that there might be side-channel attacks on the hash function (heat as in your example, acoustic noise, timing, etc.) that may recover the input that it's invoked with. On the other hand, while it is true that the privkey and K are also used in the next calculations that finally derive the signature, those calculations can be masked in order to protect from such side-channel attacks (like multiplying k by a fresh random value before calculating k^{-1} and then unmasking). For the hash function, there's no way to do these masking tricks, hence the concern?

I suppose that it's a good idea that deterministic signatures would be a user configurable option, but the important question still remains regarding whether the default behavior should be deterministic or random.

Other than this supposed protection from side-channel attacks, does anyone know if there are any other advantages or practical use cases for random signatures (as is obviously the case with random encryption so that it'd be semantically secure) ?

[Crowex]

This is all well and good - yes it works just fine. However as I understand it, it spoils the benefits of having a 3rd party entity be able to *exactly* reproduce your signatures to verify that your HW device is not doing anything dumb when generating said signatures. This gives them confidence that your HW wallet is not leaking information about private keys through sub-par 'random' number generation.

What would be the disadvantage of deterministically generating k each time and then multiplying by a PRNG generated number and reducing mod n and use this to sign?
Wouldn't you get protection against the failure of either method this way?

Ok. I was seeing it as insurance against faulty PRNGs. Hardware wallets are always going to have a problem in ensuring the private keys are generated ok anyway.
 But if you did want to check the signing nonce would it be possible to pre-generate a file of random numbers, store them on the wallet and give them to the purchaser of the wallet in a file or online, then deterministically generate the number and add the next number from the random number file and reduce mod n and sign with this?

[gmaxwell]

I'm probably missing something here, but it seems to me that the argument that you're giving is similar to what Colin Percival had in mind, though you're interpreting it in the opposite way than he, and I don't exactly understand your argument yet.

Colin Percival is the author of the only recent notable hash-function with significant data-dependent-timing attack problems, so perhaps thats why it's on his brain.

If you have non-memory access related power or timing side channels (e.g. like adders leaking data, which is what would be required for HMAC-SHA512 to leak) then there is going to be no way to avoid the ECDSA point math leaking like crazy. Using non-deterministic DSA does not save you from side channels. Maybe deterministic makes a really side-channel heavy implementation more vulnerable, but people have already demonstrated recovery on devices with randomized DSA, so I am a little skeptical that it matters. Some masking behavior would be fine, but it wouldn't require making the output non-deterministic.

Being hard against an attacker with physical access is very hard, as I mentioned a simple bit error in our the multiply will put you on the twist and the largest prime factor of the order of SECP256k1's twist is only around 2^50.

[natb]

Ok. I was seeing it as insurance against faulty PRNGs. Hardware wallets are always going to have a problem in ensuring the private keys are generated ok anyway.
 But if you did want to check the signing nonce would it be possible to pre-generate a file of random numbers, store them on the wallet and give them to the purchaser of the wallet in a file or online, then deterministically generate the number and add the next number from the random number file and reduce mod n and sign with this?

Sure, I suppose you could do this. However, its probably easier to do the following if your wallet is conforming to BIP 32 and using RFC 6979 for signing:

1. User generates their own master seed
2. User, with software running on their own computer, generates N keys using BIP 32 and the seed from step 1 and signs a bunch of test transactions using these keys.
3. User loads your HW wallet with the master seed from step 1
4. User asks your wallet to sign the same test transactions they did in step 2.
5. User compares his local signatures with the ones generated by you, if they match - your wallet is working as expected without any code review needed.

Now, the normal user will generate a master seed based on input from the user plus randomness from your device. This seed is displayed only on your devices screen so it never leaves the device. The user could then, if they so chose, repeat steps 2,4,5 on a secure computer to again verify your wallet was 100% doing as they expected.

This is what I plan on doing for my device. I think its pretty solid. And I don't buy the argument that you need 'insurance' by adding randomness to RFC 6979 - if you think you need to do that aren't you saying you don't trust that SHA-256 is truly a 1-way trapdoor function with no fast way to brute force it? If you believe that then there are alot more problems in the Bitcoin protocol itself which relies on SHA-2 for alot of things.

I'm happy to be proven wrong if anyone finds something bad about my logic above

[iddo]

If you have non-memory access related power or timing side channels (e.g. like adders leaking data, which is what would be required for HMAC-SHA512 to leak) then there is going to be no way to avoid the ECDSA point math leaking like crazy. Using non-deterministic DSA does not save you from side channels. Maybe deterministic makes a really side-channel heavy implementation more vulnerable, but people have already demonstrated recovery on devices with randomized DSA, so I am a little skeptical that it matters. Some masking behavior would be fine, but it wouldn't require making the output non-deterministic.

I'm not sure that in general it's completely true that a side-channel attack on a hash function like SHA512 involves only non-memory access, because the input to the hash function probably resides in memory, so there might be side-channel attacks that involve cache misses etc., though I suspect that in this case you're right because the input is short (privkey + hash of the message), and even if there was a possible danger here then there are probably side-channel resistance techniques to mitigate the risk.

More importantly, in the specific case of ECDSA it's enough to recover the output of k=hash(privkey, msg) rather than the input (privkey, msg) because if k leaks then the privkey also leaks. Therefore, it doesn't really matter if we use deterministic signatures via k=hash(privkey, msg) or random signatures via e.g. k=hash(privkey xor random, msg) because carrying out a side-channel attack that recovers the output of the hash function should be much easier than carrying out a side-channel attack that recovers the input to the hash function.

And more generally, side-channels attacks against symmetric crypto primitives like AES and SHA2 are a lot more difficult than side-channel attacks on public-key/asymmetric crypto primitives, so the risk of possible side-channel attacks on either the input or the output of SHA512 are probably not so significant.

Maybe there should be a parameter (on by default as in OpenSSL ?) to toggle the protection from side-channels attacks, and if the user wishes to have the best possible protection then he could specify via this parameter that the input to the hash function should be masked with randomness, which would imply random signatures because it cannot be unmasked.

I'm not sure if we're missing anything interesting here, so it'd be a good idea to consult with experts on side-channel attacks before having deterministic signatures as the default.

[gmaxwell]

I'm not sure that in general it's completely true that a side-channel attack on a hash function like SHA512 involves only non-memory access, because the input to the hash function probably resides in memory, so there might be side-channel attacks that involve cache misses etc.,

In SHA512 none of the memory accesses are data dependent, every execution reads from the same locations. I believe this is true of all relatively modern hash functions (SCRYPT is the notable exception, though it's normally used in a way that probably makes them harmless).

(just a minor comment— I agree with everything you're writing)

[Crowex]

Ok. I was seeing it as insurance against faulty PRNGs. Hardware wallets are always going to have a problem in ensuring the private keys are generated ok anyway.
 But if you did want to check the signing nonce would it be possible to pre-generate a file of random numbers, store them on the wallet and give them to the purchaser of the wallet in a file or online, then deterministically generate the number and add the next number from the random number file and reduce mod n and sign with this?

Sure, I suppose you could do this. However, its probably easier to do the following if your wallet is conforming to BIP 32 and using RFC 6979 for signing:

1. User generates their own master seed
2. User, with software running on their own computer, generates N keys using BIP 32 and the seed from step 1 and signs a bunch of test transactions using these keys.
3. User loads your HW wallet with the master seed from step 1
4. User asks your wallet to sign the same test transactions they did in step 2.
5. User compares his local signatures with the ones generated by you, if they match - your wallet is working as expected without any code review needed.

Now, the normal user will generate a master seed based on input from the user plus randomness from your device. This seed is displayed only on your devices screen so it never leaves the device. The user could then, if they so chose, repeat steps 2,4,5 on a secure computer to again verify your wallet was 100% doing as they expected.

This is what I plan on doing for my device. I think its pretty solid. And I don't buy the argument that you need 'insurance' by adding randomness to RFC 6979 - if you think you need to do that aren't you saying you don't trust that SHA-256 is truly a 1-way trapdoor function with no fast way to brute force it? If you believe that then there are alot more problems in the Bitcoin protocol itself which relies on SHA-2 for alot of things.

I'm happy to be proven wrong if anyone finds something bad about my logic above

I'm not making any arguments as to the security of SHA-256. To the question as to whether it was better to use deterministic RFC6976 signing nonces in preference to prng generated numbers I just suggested using both methods as a belt and braces option.
 When you pointed out that my method didn't allow checking by a third party I gave an option that did and uses both methods so that if someone did have doubts about RFC6976 then they could be secure in knowing that there was a random element in the signing nonce.
 I just thought it was an interesting idea to use pre-generated random numbers but I can't see a problem with it. Maybe there is?
 As to generating private keys and BIP32,  that's a completely different question.
 

[stick]

JFYI: Latest commit adds RFC 6979 to microecdsa code as well: https://github.com/trezor/microecdsa

[fpgaminer]

Using my own implementation of RFC 6979 on top of warner's ECDSA code, I generated a few test vectors.  slush's patch matches up perfectly!

For future reference, here are the test vectors:

Code:

# Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256
# (private key, message, expected k, expected signature)
test_vectors = [
	(0x1, "Satoshi Nakamoto", 0x8F8A276C19F4149656B280621E358CCE24F5F52542772691EE69063B74F15D15, "934b1ea10a4b3c1757e2b0c017d0b6143ce3c9a7e6a4a49860d7a6ab210ee3d8dbbd3162d46e9f9bef7feb87c16dc13b4f6568a87f4e83f728e2443ba586675c"),
	(0x1, "All those moments will be lost in time, like tears in rain. Time to die...", 0x38AA22D72376B4DBC472E06C3BA403EE0A394DA63FC58D88686C611ABA98D6B3, "8600dbd41e348fe5c9465ab92d23e3db8b98b873beecd930736488696438cb6bab8019bbd8b6924cc4099fe625340ffb1eaac34bf4477daa39d0835429094520"),
	(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140, "Satoshi Nakamoto", 0x33A19B60E25FB6F4435AF53A3D42D493644827367E6453928554F43E49AA6F90, "fd567d121db66e382991534ada77a6bd3106f0a1098c231e47993447cd6af2d094c632f14e4379fc1ea610a3df5a375152549736425ee17cebe10abbc2a2826c"),
	(0xf8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181, "Alan Turing", 0x525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1, "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15ca72033e1ff5ca1ea8d0c99001cb45f0272d3be7525d3049c0d9e98dc7582b857")
]

[chriswilmer]

Cool. I am a fan of this deterministic ECDSA idea. Allowing others to exactly reproduce your output is one of those things I under appreciated in my youth...

[slush]

Today the new version of python-ecdsa has been released. Version 0.9 contains implementation of RFC 6979 as well as secp256k1 curve, used in bitcoin.

[BurtW]

Today the new version of python-ecdsa has been released. Version 0.9 contains implementation of RFC 6979 as well as secp256k1 curve, used in bitcoin.

Thanks for all the hard work on this.

[plaprade]

Code:

# Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256
# (private key, message, expected k, expected signature)
(0xf8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181, "Alan Turing", 0x525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1, "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15ca72033e1ff5ca1ea8d0c99001cb45f0272d3be7525d3049c0d9e98dc7582b857")

Thanks for the test vectors! They are really useful as none are provided for our curve in the RFC.

I had an issue with your last test vector. After some investigation, I noticed that the problem came from the parity of 'S'. The 'S' component is odd in your last test vector. I think that going forward, new code should produce fully valid and canonical signatures, which includes making the 'S' component even. Let me know if that is a reasonable statement or not.

For reference, here is my results for this test vector:

Code:

# Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256
# (private key, message, expected k, expected signature)
(0xf8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181, "Alan Turing", 0x525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1, "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15c58dfcc1e00a35e1572f366ffe34ba0fc47db1e7189759b9fb233c5b05ab388ea")

[stick]

I noticed that the problem came from the parity of 'S'. The 'S' component is odd in your last test vector.

Why should S be even? Any citation?

[gmaxwell]

Why should S be even? Any citation?

To prevent third parties from changing your txids out from under you and invalidating transactions spending your unconfirmed transactions by replacing S with the alternative value which also allows the signature to pass.  This malleability can be used to create enormous nuisances for Bitcoin users, causing stuck transactions and making innocent people look like malicious double-spenders, as well as can be abused to extort people in some escrow protocols.

See the second half of: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02721.html

There are multiple ways to remove this 1-bit of freedom. One way is to make S even. Another way, now used by bitcoin-qt git, is to make s < order/2. The advantage of this way of removing the vs others freedom is that it also reduces the average signature size slightly.  I now prefer the s < order/2 version of this just because it produces smaller signatures and the flip is even easier to implement than the even/odd version.

[plaprade]

I noticed that the problem came from the parity of 'S'. The 'S' component is odd in your last test vector.

Why should S be even? Any citation?

From the bitcoind reference implementation:

https://github.com/bitcoin/bitcoin/blob/master/src/script.cpp (line 295)

Code:

    if (flags & SCRIPT_VERIFY_EVEN_S) {
        if (S[nLenS-1] & 1)
            return error("Non-canonical signature: S value odd");
    }

However there's a flag to activate this check. Most of the unit tests in the reference implementation do not take even 'S' into account yet.

[gmaxwell]

However there's a flag to activate this check. Most of the unit tests in the reference implementation do not take even 'S' into account yet.

This will be changed to the alternative I described.

[plaprade]

This will be changed to the alternative I described.

Thanks! I'll update my code accordingly.

[stick]

I now prefer the s < order/2 version of this just because it produces smaller signatures and the flip is even easier to implement than the even/odd version.

So how exactly K needs to be changed/processed to have S < order/2 ?
Or we keep K as it is and just postprocess S ?

[Mike Hearn]

if you look at the current code in git master, it just subtracts order/2 when s > order/2 - pretty simple.

[stick]

There are multiple ways to remove this 1-bit of freedom. One way is to make S even. Another way, now used by bitcoin-qt git, is to make s < order/2. The advantage of this way of removing the vs others freedom is that it also reduces the average signature size slightly.  I now prefer the s < order/2 version of this just because it produces smaller signatures and the flip is even easier to implement than the even/odd version.

if you look at the current code in git master, it just subtracts order/2 when s > order/2 - pretty simple.

Flip is already being done when you deal with compressed public keys. All software that can process compressed public keys already knows how to do the flip (val = prime - val). It would be nice to be consistent here IMO.

FWIW when I used this method on S (if S is odd: S = prime -S) - the code produced signatures that are considered invalid by both my code (microecdsa) and OpenSSL. *puzzled* When I used the other way (if S > prime/2 : S -= prime/2) I ended up with the same result (invalid signatures). Any hints on what is going on?

[johoe]

FWIW when I used this method on S (if S is odd: S = prime -S) - the code produced signatures that are considered invalid by both my code (microecdsa) and OpenSSL. *puzzled* When I used the other way (if S > prime/2 : S -= prime/2) I ended up with the same result (invalid signatures). Any hints on what is going on?

The theory behind this is: if you negate K you get the same R and the negated S.  Hence you need to negate S as a post-processing step, i.e., S' = prime - S in both cases.  Did you use the right prime?  It should be the order of the elliptic curve not the size of the prime field.

[stick]

The theory behind this is: if you negate K you get the same R and the negated S. Hence you need to negate S as a post-processing step, i.e., S' = prime - S in both cases.

Thanks. That's what I thought but wanted to confirm.

Did you use the right prime?  It should be the order of the elliptic curve not the size of the prime field.

Tried both with the same result (invalid sigs).

[fpgaminer]

Tried both with the same result (invalid sigs).

This works for me:

Code:

	if sig.s > (q / 2):
		sig.s = q - sig.s

Where q is the order of the curve.  Note that no modulus is needed for the subtraction.  It would only ever result in an invalid value if s were 0, but s can never be 0 (forbidden by ECDSA).

Here are my test vectors, updated with this rule:

Code:

# Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256
# (private key, message, expected k, expected signature)
test_vectors = [
	(0x1, "Satoshi Nakamoto", 0x8F8A276C19F4149656B280621E358CCE24F5F52542772691EE69063B74F15D15, "934b1ea10a4b3c1757e2b0c017d0b6143ce3c9a7e6a4a49860d7a6ab210ee3d82442ce9d2b916064108014783e923ec36b49743e2ffa1c4496f01a512aafd9e5"),
	(0x1, "All those moments will be lost in time, like tears in rain. Time to die...", 0x38AA22D72376B4DBC472E06C3BA403EE0A394DA63FC58D88686C611ABA98D6B3, "8600dbd41e348fe5c9465ab92d23e3db8b98b873beecd930736488696438cb6b547fe64427496db33bf66019dacbf0039c04199abb0122918601db38a72cfc21"),
	(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140, "Satoshi Nakamoto", 0x33A19B60E25FB6F4435AF53A3D42D493644827367E6453928554F43E49AA6F90, "fd567d121db66e382991534ada77a6bd3106f0a1098c231e47993447cd6af2d06b39cd0eb1bc8603e159ef5c20a5c8ad685a45b06ce9bebed3f153d10d93bed5"),
	(0xf8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181, "Alan Turing", 0x525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1, "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15c58dfcc1e00a35e1572f366ffe34ba0fc47db1e7189759b9fb233c5b05ab388ea"),
	(0xe91671c46231f833a6406ccbea0e3e392c76c167bac1cb013f6f1013980455c2, "There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!", 0x1F4B84C23A86A221D233F2521BE018D9318639D5B8BBD6374A8A59232D16AD3D, "b552edd27580141f3b2a5463048cb7cd3e047b97c9f98076c32dbdf85a68718b279fa72dd19bfae05577e06c7c0c1900c371fcd5893f7e1d56a37d30174671f6")
]

Note that I added one more vector, since all of the existing ones resulted in s being larger than order/2.


And here is the code I've been using to play around:

Code:

import sys
import ecdsa
import hashlib
from types import MethodType
from ecdsa.util import number_to_string
from hmac_drbg import HMAC_DRBG


def sign_number_rfc6979 (self, number, entropy=None):
	q = self.curve.order
	x = self.privkey.secret_multiplier

	assert (q.bit_length () % 8) == 0

	# k = HMAC_DRBG (private_key || SHA256 (message))
	entropy = number_to_string (x, q) + number_to_string (number, q)
	drbg = HMAC_DRBG (entropy=entropy)
	k = drbg.generate (q.bit_length () / 8)
	k = int (k.encode ('hex'), 16)

	# In strict RFC 6979, we should loop until a suitable k was found.
	# However, such a condition occuring is ~impossible, and so we simply
	# throw an error if it happens.
	assert 1 <= k < q

	print "Chosen k: %X" % k

	sig = self.privkey.sign (number, k)

	if sig.s > (q / 2):
		sig.s = q - sig.s
		assert sig.s <= (q / 2)
		print "moop"
	return sig.r, sig.s


sk = ecdsa.SigningKey.generate (curve=ecdsa.curves.SECP256k1, hashfunc=hashlib.sha256)
sk.sign_number = MethodType (sign_number_rfc6979, sk, ecdsa.SigningKey)
open ('sk.pem', 'w').write (sk.to_pem ())

message = open ("data", "rb").read ()
sig = sk.sign (message, hashfunc=hashlib.sha256, sigencode=ecdsa.util.sigencode_der)

open ("data.sig", 'wb').write (sig)



# Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256
# (private key, message, expected k, expected signature)
test_vectors = [
	(0x1, "Satoshi Nakamoto", 0x8F8A276C19F4149656B280621E358CCE24F5F52542772691EE69063B74F15D15, "934b1ea10a4b3c1757e2b0c017d0b6143ce3c9a7e6a4a49860d7a6ab210ee3d82442ce9d2b916064108014783e923ec36b49743e2ffa1c4496f01a512aafd9e5"),
	(0x1, "All those moments will be lost in time, like tears in rain. Time to die...", 0x38AA22D72376B4DBC472E06C3BA403EE0A394DA63FC58D88686C611ABA98D6B3, "8600dbd41e348fe5c9465ab92d23e3db8b98b873beecd930736488696438cb6b547fe64427496db33bf66019dacbf0039c04199abb0122918601db38a72cfc21"),
	(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140, "Satoshi Nakamoto", 0x33A19B60E25FB6F4435AF53A3D42D493644827367E6453928554F43E49AA6F90, "fd567d121db66e382991534ada77a6bd3106f0a1098c231e47993447cd6af2d06b39cd0eb1bc8603e159ef5c20a5c8ad685a45b06ce9bebed3f153d10d93bed5"),
	(0xf8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181, "Alan Turing", 0x525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1, "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15c58dfcc1e00a35e1572f366ffe34ba0fc47db1e7189759b9fb233c5b05ab388ea"),
	(0xe91671c46231f833a6406ccbea0e3e392c76c167bac1cb013f6f1013980455c2, "There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!", 0x1F4B84C23A86A221D233F2521BE018D9318639D5B8BBD6374A8A59232D16AD3D, "b552edd27580141f3b2a5463048cb7cd3e047b97c9f98076c32dbdf85a68718b279fa72dd19bfae05577e06c7c0c1900c371fcd5893f7e1d56a37d30174671f6")
]

print ""

for vector in test_vectors:
	priv = ecdsa.SigningKey.from_secret_exponent (vector[0], ecdsa.curves.SECP256k1, hashfunc=hashlib.sha256)
	priv.sign_number = MethodType (sign_number_rfc6979, priv, ecdsa.SigningKey)
	print vector[1]
	sig = priv.sign (vector[1], hashfunc=hashlib.sha256).encode ('hex')
	print sig
	assert str (sig) == vector[3]
	print ""

The first part of it generates a random private key, writes that to sk.pem, signs the data read from the "data" file, and writes the signature to "data.sig".  So the results can be tested against openssl:

Code:

openssl dgst -sha256 -prverify sk.pem -signature data.sig data

[fpgaminer]

if you look at the current code in git master, it just subtracts order/2 when s > order/2 - pretty simple.

Satoshi client git?  Mmmm...

https://github.com/bitcoin/bitcoin/blob/master/src/key.cpp#L209

Code:

        if (BN_cmp(sig->s, halforder) > 0) {
            // enforce low S values, by negating the value (modulo the order) if above order/2.
            BN_sub(sig->s, order, sig->s);
        }

It doesn't subtract order/2.  It's s = order - s.

Another way, now used by bitcoin-qt git, is to make s < order/2.

You mean s <= order/2, right?  I'm a bit pedantic about this stuff...

[stick]

Ah, I found a bug in my code (used substract function that performs mod prime at the same time, now we use curve order not prime). Now it works. Thanks fpgaminer for kicking me into the right direction (also for new test vector).

[Mike Hearn]

Yeah, sorry, that was sloppy of me (I was going from memory but wrote things too confidently). You're right about what the code does.

[Peter Todd]

if you look at the current code in git master, it just subtracts order/2 when s > order/2 - pretty simple.

Satoshi client git?  Mmmm...

https://github.com/bitcoin/bitcoin/blob/master/src/key.cpp#L209

Code:

        if (BN_cmp(sig->s, halforder) > 0) {
            // enforce low S values, by negating the value (modulo the order) if above order/2.
            BN_sub(sig->s, order, sig->s);
        }

It doesn't subtract order/2.  It's s = order - s.

Another way, now used by bitcoin-qt git, is to make s < order/2.

You mean s <= order/2, right?  I'm a bit pedantic about this stuff...

You're both right in a way.

The code changed recently: https://github.com/bitcoin/bitcoin/pull/3016

[plaprade]

I'd like to contribute some test vectors of my own.

The test vectors are fully canonical signatures with S components <= order/2. They contain both vectors were the S component had to be flipped and not flipped.

Code:

"Haskoin test vectors for RFC 6979 ECDSA (secp256k1, SHA-256)"
"(PrvKey HEX, PrvKey WIF, message, R || S as HEX, sig as DER)"
( "0000000000000000000000000000000000000000000000000000000000000001"
, "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn"
, "Everything should be made as simple as possible, but not simpler."
, "33a69cd2065432a30f3d1ce4eb0d59b8ab58c74f27c41a7fdb5696ad4e6108c96f807982866f785d3f6418d24163ddae117b7db4d5fdf0071de069fa54342262"
, "3044022033a69cd2065432a30f3d1ce4eb0d59b8ab58c74f27c41a7fdb5696ad4e6108c902206f807982866f785d3f6418d24163ddae117b7db4d5fdf0071de069fa54342262"
)
( "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140"
, "L5oLkpV3aqBjhki6LmvChTCV6odsp4SXM6FfU2Gppt5kFLaHLuZ9"
, "Equations are more important to me, because politics is for the present, but an equation is something for eternity."
, "54c4a33c6423d689378f160a7ff8b61330444abb58fb470f96ea16d99d4a2fed07082304410efa6b2943111b6a4e0aaa7b7db55a07e9861d1fb3cb1f421044a5"
, "3044022054c4a33c6423d689378f160a7ff8b61330444abb58fb470f96ea16d99d4a2fed022007082304410efa6b2943111b6a4e0aaa7b7db55a07e9861d1fb3cb1f421044a5"
)
( "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140"
, "L5oLkpV3aqBjhki6LmvChTCV6odsp4SXM6FfU2Gppt5kFLaHLuZ9"
, "Not only is the Universe stranger than we think, it is stranger than we can think."
, "ff466a9f1b7b273e2f4c3ffe032eb2e814121ed18ef84665d0f515360dab3dd06fc95f5132e5ecfdc8e5e6e616cc77151455d46ed48f5589b7db7771a332b283"
, "3045022100ff466a9f1b7b273e2f4c3ffe032eb2e814121ed18ef84665d0f515360dab3dd002206fc95f5132e5ecfdc8e5e6e616cc77151455d46ed48f5589b7db7771a332b283"
)
( "0000000000000000000000000000000000000000000000000000000000000001"
, "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn"
, "How wonderful that we have met with a paradox. Now we have some hope of making progress."
, "c0dafec8251f1d5010289d210232220b03202cba34ec11fec58b3e93a85b91d375afdc06b7d6322a590955bf264e7aaa155847f614d80078a90292fe205064d3"
, "3045022100c0dafec8251f1d5010289d210232220b03202cba34ec11fec58b3e93a85b91d3022075afdc06b7d6322a590955bf264e7aaa155847f614d80078a90292fe205064d3"
)
( "69ec59eaa1f4f2e36b639716b7c30ca86d9a5375c7b38d8918bd9c0ebc80ba64"
, "KzmcSTRmg8Gtoq8jbBCwsrvgiTKRrewQXniAHHTf7hsten8MZmBB"
, "Computer science is no more about computers than astronomy is about telescopes."
, "7186363571d65e084e7f02b0b77c3ec44fb1b257dee26274c38c928986fea45d0de0b38e06807e46bda1f1e293f4f6323e854c86d58abdd00c46c16441085df6"
, "304402207186363571d65e084e7f02b0b77c3ec44fb1b257dee26274c38c928986fea45d02200de0b38e06807e46bda1f1e293f4f6323e854c86d58abdd00c46c16441085df6"
)
( "00000000000000000000000000007246174ab1e92e9149c6e446fe194d072637"
, "KwDiBf89QgGbjEhKnhXJwe1E2mCa8asowBrSKuCaBV6EsPYEAFZ8"
, "...if you aren't, at any given time, scandalized by code you wrote five or even three years ago, you're not learning anywhere near enough"
, "fbfe5076a15860ba8ed00e75e9bd22e05d230f02a936b653eb55b61c99dda4870e68880ebb0050fe4312b1b1eb0899e1b82da89baa5b895f612619edf34cbd37"
, "3045022100fbfe5076a15860ba8ed00e75e9bd22e05d230f02a936b653eb55b61c99dda48702200e68880ebb0050fe4312b1b1eb0899e1b82da89baa5b895f612619edf34cbd37"
)
( "000000000000000000000000000000000000000000056916d0f9b31dc9b637f3"
, "KwDiBf89QgGbjEhKnhXJuH7LrciVrZiib5S9h4knkymNojPUVsWN"
, "The question of whether computers can think is like the question of whether submarines can swim."
, "cde1302d83f8dd835d89aef803c74a119f561fbaef3eb9129e45f30de86abbf906ce643f5049ee1f27890467b77a6a8e11ec4661cc38cd8badf90115fbd03cef"
, "3045022100cde1302d83f8dd835d89aef803c74a119f561fbaef3eb9129e45f30de86abbf9022006ce643f5049ee1f27890467b77a6a8e11ec4661cc38cd8badf90115fbd03cef"
)

The test vectors were generated with haskoin:

http://github.com/plaprade/haskoin-crypto/blob/master/src/Haskoin/Crypto/ECDSA.hs

The project is still experimental and I haven't announced it publicly yet, but the cryptography part should be relatively stable by now.

I hope it can help!

[fpgaminer]

I'd like to contribute some test vectors of my own.

The test vectors are fully canonical signatures with S components <= order/2. They contain both vectors were the S component had to be flipped and not flipped.

Awesome!  I just double checked them against my code, and they all look good.

[natb]

Thanks for the additional vectors

I'd like to contribute some test vectors of my own.

The test vectors are fully canonical signatures with S components <= order/2. They contain both vectors were the S component had to be flipped and not flipped.

Code:

"Haskoin test vectors for RFC 6979 ECDSA (secp256k1, SHA-256)"
"(PrvKey HEX, PrvKey WIF, message, R || S as HEX, sig as DER)"
( "0000000000000000000000000000000000000000000000000000000000000001"
, "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn"
, "Everything should be made as simple as possible, but not simpler."
, "33a69cd2065432a30f3d1ce4eb0d59b8ab58c74f27c41a7fdb5696ad4e6108c96f807982866f785d3f6418d24163ddae117b7db4d5fdf0071de069fa54342262"
, "3044022033a69cd2065432a30f3d1ce4eb0d59b8ab58c74f27c41a7fdb5696ad4e6108c902206f807982866f785d3f6418d24163ddae117b7db4d5fdf0071de069fa54342262"
)
( "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140"
, "L5oLkpV3aqBjhki6LmvChTCV6odsp4SXM6FfU2Gppt5kFLaHLuZ9"
, "Equations are more important to me, because politics is for the present, but an equation is something for eternity."
, "54c4a33c6423d689378f160a7ff8b61330444abb58fb470f96ea16d99d4a2fed07082304410efa6b2943111b6a4e0aaa7b7db55a07e9861d1fb3cb1f421044a5"
, "3044022054c4a33c6423d689378f160a7ff8b61330444abb58fb470f96ea16d99d4a2fed022007082304410efa6b2943111b6a4e0aaa7b7db55a07e9861d1fb3cb1f421044a5"
)
( "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140"
, "L5oLkpV3aqBjhki6LmvChTCV6odsp4SXM6FfU2Gppt5kFLaHLuZ9"
, "Not only is the Universe stranger than we think, it is stranger than we can think."
, "ff466a9f1b7b273e2f4c3ffe032eb2e814121ed18ef84665d0f515360dab3dd06fc95f5132e5ecfdc8e5e6e616cc77151455d46ed48f5589b7db7771a332b283"
, "3045022100ff466a9f1b7b273e2f4c3ffe032eb2e814121ed18ef84665d0f515360dab3dd002206fc95f5132e5ecfdc8e5e6e616cc77151455d46ed48f5589b7db7771a332b283"
)
( "0000000000000000000000000000000000000000000000000000000000000001"
, "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn"
, "How wonderful that we have met with a paradox. Now we have some hope of making progress."
, "c0dafec8251f1d5010289d210232220b03202cba34ec11fec58b3e93a85b91d375afdc06b7d6322a590955bf264e7aaa155847f614d80078a90292fe205064d3"
, "3045022100c0dafec8251f1d5010289d210232220b03202cba34ec11fec58b3e93a85b91d3022075afdc06b7d6322a590955bf264e7aaa155847f614d80078a90292fe205064d3"
)
( "69ec59eaa1f4f2e36b639716b7c30ca86d9a5375c7b38d8918bd9c0ebc80ba64"
, "KzmcSTRmg8Gtoq8jbBCwsrvgiTKRrewQXniAHHTf7hsten8MZmBB"
, "Computer science is no more about computers than astronomy is about telescopes."
, "7186363571d65e084e7f02b0b77c3ec44fb1b257dee26274c38c928986fea45d0de0b38e06807e46bda1f1e293f4f6323e854c86d58abdd00c46c16441085df6"
, "304402207186363571d65e084e7f02b0b77c3ec44fb1b257dee26274c38c928986fea45d02200de0b38e06807e46bda1f1e293f4f6323e854c86d58abdd00c46c16441085df6"
)
( "00000000000000000000000000007246174ab1e92e9149c6e446fe194d072637"
, "KwDiBf89QgGbjEhKnhXJwe1E2mCa8asowBrSKuCaBV6EsPYEAFZ8"
, "...if you aren't, at any given time, scandalized by code you wrote five or even three years ago, you're not learning anywhere near enough"
, "fbfe5076a15860ba8ed00e75e9bd22e05d230f02a936b653eb55b61c99dda4870e68880ebb0050fe4312b1b1eb0899e1b82da89baa5b895f612619edf34cbd37"
, "3045022100fbfe5076a15860ba8ed00e75e9bd22e05d230f02a936b653eb55b61c99dda48702200e68880ebb0050fe4312b1b1eb0899e1b82da89baa5b895f612619edf34cbd37"
)
( "000000000000000000000000000000000000000000056916d0f9b31dc9b637f3"
, "KwDiBf89QgGbjEhKnhXJuH7LrciVrZiib5S9h4knkymNojPUVsWN"
, "The question of whether computers can think is like the question of whether submarines can swim."
, "cde1302d83f8dd835d89aef803c74a119f561fbaef3eb9129e45f30de86abbf906ce643f5049ee1f27890467b77a6a8e11ec4661cc38cd8badf90115fbd03cef"
, "3045022100cde1302d83f8dd835d89aef803c74a119f561fbaef3eb9129e45f30de86abbf9022006ce643f5049ee1f27890467b77a6a8e11ec4661cc38cd8badf90115fbd03cef"
)

The test vectors were generated with haskoin:

http://github.com/plaprade/haskoin-crypto/blob/master/src/Haskoin/Crypto/ECDSA.hs

The project is still experimental and I haven't announced it publicly yet, but the cryptography part should be relatively stable by now.

I hope it can help!

[Jus12]

Test vectors for deterministic k generation for SECP256K1 (using rfc6979)
Format: (PrvKey (Int), String, DER Signature)

SET 1 (small private keys, from 1 to 100)

Code:

(1,Absence makes the heart grow fonder.,3045022100AFFF580595971B8C1700E77069D73602AEF4C2A760DBD697881423DFFF845DE80220579ADB6A1AC03ACDE461B5821A049EBD39A8A8EBF2506B841B15C27342D2E342)
(2,Actions speak louder than words.,304502210085F28BBC90975B1907A51CBFE7BF0DC1AC74ADE49318EE97498DBBDE3894A31C0220241D24DA8D263E7AF7FF49BCA6A7A850F0E087FAF6FEF44F85851B0283C3F026)
(3,All for one and one for all.,30440220502C6AC38E1C68CE68F044F5AB680F2880A6C1CD34E70F2B4F945C6FD30ABD03022018EF5C6C3392B9D67AD5109C85476A0E159425D7F6ACE2CEBEAA65F02F210BBB)
(4,All's fair in love and war.,30440220452D4AB234891CF6E5432CD5472BDCA1CFC6FB28563333885F068DA02EE216D8022056C368D16A64D29CFF92F17203D926E113064527AF0480D3BCC1D3FADFDE9364)
(5,All work and no play makes Jack a dull boy.,3045022100995025B4880EEB1ECEDBA945FE8C9B2DDF2B07DBC293C2586C079D7B663EF38A022022FB54AB95014616D014277E05C97A7ED9E22596A0420BBD2D749CA9A2F876FE)
(6,All's well that ends well.,3045022100A9C1593FA6459777B2EBA6D7E2A206E3BB119E85B2163973CF28FFAF24EC381C02202F166F13230B3853B928EFB649D30375EC6A4B1A64A8D56FBCC0A9D86A0943E9)
(7,An apple a day keeps the doctor away.,304402202FC9C8B749621241C33FD51B57FC5140C1D7FC1594F91B073953E79DA2F5E8F60220345E4EA7693B5069C0251771EA476CBE236586ED24B90AEEEA7B7C2814EDF477)
(8,An apple never falls far from the tree.,3044022052B6E2C49A6F6ADBE52FB6BBE744CAA3F49364085DB118EAB8670BC766BE160302207D96A42866637CA3D4CAF36E597A460EB305ADAC0220B027410C821A7191A1C4)
(9,An ounce of prevention is worth a pound of cure.,3045022100BE53E7C00788E4417083D7511800F18C7C6F5F259DE39BC6F8B1BEBCD5056BD002201F389E13CFE7D1DBD8D2D1BFF18138219F57DE166673762009686A28FBC44DF6)
(10,Appearances can be deceiving.,304402202F2413A1673F642C30EA2E23FCAE45776BC77A94F96920AEA3C14303B1469428022053AC3E8EA0A488E9159D56E429A51F207BF04E462F8D4BA2C69B1B1635F30217)
(11,April showers bring May flowers.,3045022100C3E88134E4874D353FBFB530499DC5F8C09043A5DBDF8E24633A642E034165D302201C3D899A34306E3EB80133B5E3B52AFD75C14A33ACA295AEC3BCC284B7EE0865)
(12,Bad news travels fast.,3045022100EA6EE01C2A458C31585530542B2A04A59DE73D8B034655A4E612D50E73BA40F102204D4731AE87D9DA3BC5E5392F161F3B6574A7C892149CACA07FAF7BDB6FE061BA)
(13,Beauty is in the eye of the beholder.,30440220634BC82C780F63CE74AE4765D3E72008976AB9CCF3132416EB9C5CEACE6676E5022006FCD9562BA6367DBB309093973A9752DC8A6FCF82F296631024A0503260B658)
(14,Beauty is only skin deep.,304402204A7A5C29F2E9EB7F6D87192C520BDCDF037EB1F62D96ECC3373D31327C9409500220127351E4BABE4EF05E63B2968E1D112E231E3E892C92112F4D6F512FF5F92FCC)
(15,Beggars can't be choosers.,30440220533284E9661C816521195FEF08DF6973D5F631FB11699EA24AC7042A24B5EF22022020C61601F9B942A6DFC7491DC6C44AA81D8FBA3C6D883861C1C0B43E4A6A1973)
(16,Behind every good man is a good woman.,3045022100ABC4CBE82E86735A04B9A675233C388A99308C08FF7223C922DCA8E8589669050220651047B119D0AD3A58BC908BD18A7A0C3164C99D21AC82928C44D7A17A6EA935)
(17,The best defense is a good offense.,304402206AE468482A5B2B9720465FF3F02D1CAACECB3164C05EC020A0DE829B6A160321022010398FC5896B4E4D1B96E26AF57D0F48D9D63852B5D1611E179FEAEC2032C086)
(18,The best laid plans of mice and men (often go astray).,304402206377CE959BC9A5558ADD3AB39D4AB8FB8D2C0347D5968A80E51D46C2DC8CDEE302204E45F909710F6F36E0019F14D436AC02FD7457E438D38DD5E8F134493741AA79)
(19,Better late than never.,3045022100A01CAE6AFB387D5764CEB8322CE98602B15A0A1D494A9B5B1C78C8BD7C7306600220787371FAA1EC673FEB087564D3A3A8A8ECB8D82A3EC6D1FDA6CA1D4EC0581745)
(20,Better safe than sorry.,3045022100C86DCBF806AF15DFFF66237E84B4CB30FFBCEF762925FA712C8C8627586601EF022043A99CAD99B4C16623FBB72336C9C656416DE9AE70163427BA15899B5174CAF5)
(21,Better to have loved and lost than never to have loved at all.,3044022022E73BA4F1F9C2A7350ACB6610F849C7AAE7D86E5B8B896E9B08A5B16719382702200AAF418CC5478F1A130D77B6F4ACD91491FA0945BA6034322279A69043173EEC)
(22,Beware of Greeks bearing gifts.,30440220516959CBF03BA144E67F7C334EE60EFF136618E32C39A78E7CEEAB1701D6AB0D02202A3B2DD5E65A2396800259FA565739A89FFDD47E16BF457FF94DE92C5EDFFBE3)
(23,The bigger thet are the harder they fall.,3044022056AC2695E91832A091FFBB4DBBB4115F3D3BF5458F82D779179701EDFE68EE1902202782826E6B9B4898EA0FEB079B354C7AA1B442850BFA28CE161ADE7A9D63B10E)
(24,A bird in the hand is worth two in the bush.,3044022051F82DEF40226C38BAF9C2271E796DEEEEF1533428D2107247C74A10581BF23D02201207C780F67909AEBB09DF6A6003454F6E5DB065487F24EF0164F46FE5CF5B74)
(25,Birds of a feather flock together.,304402203801BB7A593DB2D03D2881418ED9FBFC01C91E95E7A4ADF1D434A7C3BFE95786022012A6495E70FE790CC4DD6DCDE100C131E0BAE0F3BB34F4C0E611608BC1E55446)
(26,Blood is thicker than water.,3045022100811F3533E8F3F2CFEECB79A48D8B3034BF62E0C144C1BCB86DF2FF96895A7B710220658AB1632CC863E401B8F3301351434A3BB3ACEC757698F72C8EA1BA81E70494)
(27,Boys will be boys.,30440220785F0946BABD23A98157C08CE0CC1CFD528901203B866F3ED9347F4CBB5A12E00220038E772B978D63668E453D4547BCCC2C6CA87FE5FD3D1D494053F55D6B76BBA6)
(28,Caught between a rock and a hard place.,3045022100D364C3FC66E4C2DF234809F8887FC0FA996C819F7C53A8DB3E5A25677B492C9502201BDCECF0B8C362929626164E734739F74430AAB3EA16A62FFF87BBC4B08D3EBE)
(29,A chain is only a strong as its weakest link.,30440220730ABF083CECEF16D11B5147C9C45AB2D7C30791F6DFDFD7E1EFFC358F98536B02206E1CC0709178909764BBA8DE8F2F899C0AD98444DCDE57353269706477ED8E00)
(30,Charity begins at home.,30450221009EED6808C0BBEEF2D2A220BD88D157B8C91ABCD1B6698B27019F83312107A1860220405FB4ECB22E7D1D178B516BC36273987C521842EF679DE5F077902DB76243F5)
(31,The chickens have come home to roost.,304402205605A1CC0456AE4D25317E0B936CDDB16281611F3BCE9749E2EEB1CBB9C84F1A0220344BC57E6D959E7F9B03A137BD1700145E90E67D6F40229489E8A1E5C630C9CE)
(32,Cleanliness is next to godliness.,304502210094DDC950C2A19FA9E9B17836C145CCD51AEA790646BF75534CF1CD496A51D34D02207E9CCC5F9776BEC888C1997BF50ADB17833D9986D24F9D96347764FEF6EA3FCF)
(33,Close, but no cigar.,3045022100AD2E8F66D4C2C8A92611F310BC5AE5DDB2A16429916D38170DD30881D9DA31B902206EDF64F9DFDD16CA36AF486462355EFA7FEEB842C14AA68ED165953618895D85)
(34,Cold hands, warm heart.,3045022100A8BD308BD19FA6391080FF0B7343128805A2F1218251E19EB6368EECF36C0EB8022071F26D38E1DB7B862BE90A65800D0370B6E6BCFA2EC391AB044887922B0CA774)
(35,The cure is worse than the disease.,30450221009D17CA1FD0E9ABFF1E3FCB7FC37612C58EDE7A344FBC13A32D8AFBE304E8F19102202869C16789B1A25B143603C3F2E121C9E9710D868134C1E5F472C514ECA4F9D5)
(36,Curiosity killed the cat.,30440220304BD8C9FB4C40CE58F7C9B6C5C089E6A7A6774D9C53B4A25875B36660B9F29C022005AE349F0A892C78957C16EF5CE33E3217954578811F7125ADE23DE0AF8FDAE0)
(37,The customer is always right.,3044022066F7E73DE832C4B2BC1FA7AC6728B69A2F5F62D8309E0AFBC6787F81ED59D456022027CA1E32F399BA4F49BC282C031E272A76A15B5C68E6609872BECED45587B5EB)
(38,Damned if you do, damned if you don't.,3045022100B82965EC6A5F31B498D00EB5572E6F6F15D86511FC1C8EB91B89D55FAC61570802204BB80A76337ABEA1D93BFBBAC79D23ADBFEF66A9302A6B3B25D8A8F1F3FF94E0)
(39,Discretion is the better part of valor.,3044022042C2FD8863DDFAD9ACAE314417863BE490820B5CD9A5EB94F7DCC01BC037140802204FE030E9446253D3EEB914E16C50C7F182FC126F1B92C63E0899E88FE52ED96F)
(40,Do unto others as you would have them do unto you.,3045022100E9BED0AF3A3A7898AF813B009CAD55D07520D8680E937EC4C3199D61E60BC9D102206748ACD43611B747EFCE312B2C0369F32B1CE357D437EAF4CE10924394D0310F)
(41,A dog is a man's best friend.,304402207095DC6D860F932161572E5614BEBCDA51924477A0515A3A494A2CDB443F41CA022046F1CFE2AAB0ED8AFA3D339D7908DEB5225701B55E80CE4FA67226CF4DA50132)
(42,Don't bite off more than you can chew.,3045022100C925031C1514AF5FC7B26902219ADFAE5D6ACEB98D46BD6EB46B246107FC0B5402204DD1F1DBA6424489DA3AF8F172C5C7D4EC5EF3DB804AEC60D56F96FC0E7A8998)
(43,Don't bite the hand that feeds you.,304402204D346547B1C16746FD12E84EAF293EF811E4D2A74E69C672E3C3C53540CB571C0220439212BEB52751D79B39354FA6F8A4702040F188F6C4A67C08FC2719DC70A491)
(44,Don't change horses in midstream.,3045022100CB54CFE6425A7C03C125740C14A04A491D7F3FC447D2209EE5149D2E0C9F616C02206C27718262A485051817F7A0D1E1006B637FD08FBD9309CE31DD1A26CFA01417)
(45,Don't count your chickens before they hatch.,304502210083ACA5E20379E4CFE2D18402BA8FB51A3E5029234049784E48A3AE37B453D3A40220504BBF9F2CF58072CE91845E5117A144F72C91BA2596C226554F9D08A8931F9E)
(46,Don't cry over spilt milk.,304402203914E751AE9E280D17851D688DD993A2F32D1E5E1ABDBEC952F5368D5FF0B2DF0220120FFBE3965FE46C4EF108291400EB7AA95C7D26583FF8A609CDC2D00C3922E8)
(47,Don't cut off your nose to spite your face.,304402201EE7EDD44AC5085EE72995D5340F467EDE8279BE296E971A16CBFD3EBB758D860220703BBE3EA9B62952A214F57775D1DF964EA879FBE49E33EBD51B0AE490456D7B)
(48,Don't judge a book by its cover.,304402201B2B96390C875850DD77A8D13F7542F013A51EE3C16AD20E0B9F793001B9E62D02206B1F680BC574D7B8910991DC12B5EE1C608DFAC4F9BF631DB454E0891B843328)
(49,Don't lock the stable door after the horse is gone.,304402205CE80619F16B8FEAC8F05DAD4C7C2962A72B905083C50B579902289C5DE82E8302207BB010AC724C9E3127513BA7F75894F02E55BC6E307324BDBC6CF0D266EF63D4)
(50,Don't look a gift horse in the mouth.,3045022100D2137C6BAB1D17F46435C82516C7CB88B3A4FC7F9AE54A0CCE303557A97BC31A02207237C90282E373B18DE95AB404E4890205901DB1AA3A9866AFAC1F685BB69B18)
(51,Don't make a mountain out of a mole-hill.,30450221009D70E5D33006A7C779DE4456B595AFDF936E600F8E5F54A1FFE1424CD7FA451702207678B11EDD7D892170B05614A2E615A4E3B3424BB387DF6BF6E3B9269C86B45C)
(52,Don't put all your eggs in one basket.,3045022100F76A8312192B1D8C25519074C5E598468A0CEE7C4EA0D3F3242E4BCC732425F902206CE89B69EA3A88FAFFF83B45D92450D41078940DAC161C14BD2DC2D74EFCCCCF)
(53,Don't put the cart before the horse.,304402206D782AB08EA72D771E97717A24A83E12D947C70F14B5FA24B87F97A244ABC34002205099119D253171A0A77B7BF2C458FFBAB27CAA2ACF1085A8F12E3C05B544C960)
(54,Don't rock the boat.,3044022011B8C9E88B1C330150F10BCF8DAD5B4DA8E2726183C7F4D75520329643CB4D240220463651B276FB01068D37281773C18C9784B58AFF85FF688E4A50C28D209D3D88)
(55,Don't throw the baby out with the bathwater.,3044022016B9E67EA2D764CFDE9539CD36F26DE84B6D0B9D6D439E17797B3E3333F12B7F0220202E115B461759DF098569CC27197531A8CEF430CE794688AE40B448A26D6FF5)
(56,Don't upset the apple cart.,3044022049A49249343BEA4EAF0FD363D3A32C224425BE95C60E7DD8925F65A135C6E92702201B508055CE95B3E9300652C4AEDB469EE73DE614437C907DCA8BBCAAFC5AD4FD)
(57,Early to bed and early to rise makes a man healthy, wealthy, and wise.,304402207E9A9CBEE1528B90DE54D5AE2062A7345BA64240DAB11A8181381219C59D8829022026E01564186C154BF91BCDB8311737BA31DF55CA1E3B907C2B3166A30BE6C5AF)
(58,The early bird catches the worm.,3044022032CF67ED5625BAAFE11EAA22FD61E1F43331EA44EA2EF13D8F847E79245C04BC02201025072788066A25167F75F6B5AF2A27C141ED2E7141A6C7FFABA4F1B3A08D42)
(59,Easy come, easy go.,304502210093B0C08826C981D265316D8D3F5A2A54A4E91B3B3D20339A454F708CCCD3930702204E054D2DDF4490E5EA03163E81D693202B7DD1BBF2B7D198F0754D3D6F95EE03)
(60,Easy does it.,3045022100E3E305E7E7871A493EAC6147B737D77FEB690577757C71FC3FDE2C63510F1D330220569B46912230B239378623103A4A5B743B4D37209E39B9597529ED3CD1620807)
(61,The end justifies the means.,3045022100D0DD7C22C7C81B956D5737C5AA04C4C9817F5EA660078ADD719791547CD0C7F002202E90B0499601CF381B175847E4B0732D44CAE5E0E39D253E486E8CD82B26A8A8)
(62,Every cloud has a silver lining.,3045022100F7CF4A731AEBE7C86E7D47D1547B8AD8E20B5C46C2A1879397E6A7C133B7111B02207625766EED54736F2B24AFB058F089EBB4C679293A7046F590371BC68E60B969)
(63,Every dog has its day.,3045022100FE5D8AF7AD58EB4E8BC8A3311B28E478042A4696DF563BF7F32E84CD411E19A9022040787C645F066B338500F4EF851A90044F23EA67DEC9FBFC7810C1A7C8B7F3C0)
(64,Every man pays his price.,304502210094E4C74BEBF42251C82CAB8FF1F19D1AD42B0823BD4E4FBD8E5889CBF627378102203C4AD0C2119DBE2F8A6A81F7C6E96557984354A949B7A4709C096EC2DD979504)
(65,The exception that proves the rule.,304402201BF2B6DCF4B997804D4E3706AD535E2BAB90A2654349056D2012320960E19D6302200627AEB25A467FAC80DC6E1DC7B801CC5BC7B8C9994D862ED48212932927F501)
(66,Experience is the best teacher.,3045022100BDB69C973C330EE3FF42DDB1440D3A0519A26E1E8DE372F200E783BA67C63FE802207F809F900B59724D8171AD1EABB8F22F686918854B12B8B65413A6528AD14718)
(67,Feed a cold, starve a fever.,3044022011952B82467FD224A2AF227DFAB334FC7593BD59C0911F927C456055F8FD957C022041C4B0FF6EB7CD03390E11ACFCCF74B910954ED00CE714E3D7D9245D17D6B6D1)
(68,Finders keepers, losers weepers.,3045022100830669BDB8581DC218AB4A572CC2BB1A0D636DCE3BE52652ECBEA734C5FB28BB02203C492233F5B3E3766DA448184A4BC719784BF956C31C0FD9C7C952ECDC907413)
(69,First things first.,3045022100AB7F22AFF7142616A6978742961CC625625F44208DAABE23CB8C57E24145B248022045879B2DD302405E4C05DFE340B63367420FA5CC8614454ABF662AC771A3B38B)
(70,Fish, or cut bait.,3045022100C77ABB9498961A1F6597B016D8CAADB300CBBD56D2FDACD721A4C317A622B8B402205EEC0D3F337E8CF276C1262E352418140AD57B1B4234F9B438D1D814867554F4)
(71,A fool and his money are soon parted.,304402207A6516D826B815CA214E9159F695E1A5C7CA4C70B1A6D0B62FE897855369BD0D02202BCBED448C9796EDC4193B001249B790278606DB5A9A81B24E947246A3D4C753)
(72,A friend in need is a friend indeed.,3045022100D53F0D73FF61CCD1E4F412E8D1F6C19464DF7296DEC51F01E2AB3783C15F1535022037B7851E82AF7DF42BC74297A35ACD8454FC6FA91FE6B14C3206E5EE182FD4ED)
(73,Give the devil his due.,30440220083B9EAE03BB859B33FCCF4603EAD577A7097CD3EBDE3546582455AA9EBA9B5602202858EBC20C15DE5C52E0B60CB1420B9948420221A0F5ED59DC2E85DCC6D53708)
(74,God helps those who help themselves.,304402205E4D9C227E84A6E8732C8B960FE2ECB7572AAFB1B69E14D77A27D1F79D7E1DC4022026457CF3A5C61928781025C9C5E83DFCCD4304251F51FDFA0808286892294C9F)
(75,Going to hell in a handbasket.,304402207C65C9E9F77F8A6A0232D1C8FE6CC76063965B84E231C342C37D687A4DA36FD3022034D36E1110CB1AA7B83414AC19A689FFCBFD8684213CEDD1B340234FEC4514F6)
(76,Good fences make good neighbors.,3045022100F3622BDCA3372CC5289CA72482E36B087C05D32030AB3039564E7ED7C24F72BD022048458652ACD27C99A4B22DDFAA5080E2D8DDA6AA23E0A9F06DC4727CBC4EB115)
(77,Good men are hard to find.,3045022100D65600CCD204F49E2796FFA2EB661FFD7582B8893DAE13048C3B8A17DC9B18B5022033395B99376A18E70184BF770ED8040F519B1ABB43D51C2D003137ADAA868014)
(78,Great minds think alike.,3044022076C6512EDF68772E8EDD9B1B37215E0839C3646D7D2200BC112072BF6DB602AF02205F7404B3C0B0ADC165959A7A1BC2DA5ADB641B98D262B4F1A7366721C3AEDEFA)
(79,Good things come in small packages.,3045022100F3A2A4F029B160F9B7C7CA54160A24A63724D998226AD93FC0DF93DE951274060220752A9D4439E024FDBF624045FDE8E24AADB6DC4131696C4933B8CF1473126BC7)
(80,Good things come to he who waits.,30440220780D0E6C12791C2AEB094CC1FA51DA2FB25E4578DBABC18A69CD83365ECCB84D022043A9866EE92634BC9F25775CD1D33D920ED282D2C9178E9CC8E0B7554D6525F1)
(81,The grass is always greener (on the other side of the fence).,304402200733B0E68EEB117495094813D12FEA643D74A68DFD1E67EFC7DC4AD578BB32310220352B974F01045D5FB99908A8FABC0958DA7D823FD671CA4D5160D9CEBCFE55D1)
(82,Great oaks from little acorns grow.,3045022100F51C9240DA42CF139582D569738A7DB2F66542EF4E603E9909726D3C4500413502203CA7183F5538BFCE7F4195163EBC031388D16CD84F26F880D268D6C9BFB6033A)
(83,Half a loaf is better than none.,3044022058E5255C876E18ADC4EA93985D3F939BE23653FEEC06008694997A0915D35D20022031E75849C91F092AE3423685F7A10670EEDC82FE1AC3F7B9E7C2B1ED388BB680)
(84,Haste makes waste.,3045022100DF67647EDAE205720A70769572DD3E73282D2DBA4FD1B7BC6551E383B60CD79102200D68A41CBC0296306DE54AB5297449DAFC33E3AC69C53A28846A087CD94B9103)
(85,Here today, gone tomorrow,304402201820AC5CD79257C0AB800216FE6A04D054CF98CE06D3C1E6AC27C25F8543F7E802205B4AE080727BFE0D7824538321E294F0228F65CAC2401F033272790356184A8D)
(86,He who hesitates is lost.,3044022019C9120B0FEA5B9C9176950D315992AE931F2A5D0666095D3EC89D7D6D1EDF6D0220250884CF958B2F35A818FE89CA91CB1D8402FBFCB60253D5DEB40546F854C2B1)
(87,He who laughs last, laughs best. (or 'longest'),304402203311A7E6C0CFFF65DC18B2404C48C0C8AE9EBB4445041B57A8A7A4036B2858ED022003BC887284ED62B8782B2BB980A4FD159EC8AF7B93B3CC2950A824913A7C5593)
(88,He who lives by the sword, dies by the sword.,3044022034727C4933FC6F3A696D11300450025CA8BA259A22D74EA4DDA9761A1D56A8DD02205CED946D22E225DBF8F02DCD4EF11F5BEDD3D75CF49B1432A9AFB2ED80111B06)
(89,Hindsight is 20-20.,304402201B8D1A7C94D4A659BADEA97CCEFE17A659E55B471AF423175AF4492675C2EC36022011D73AF0C8A543F209C105C9C8AE5953347DAC7702387A4F4409A36726FC8C7F)
(90,His bark is worse than his bite.,3044022016F80D29A2D2277539142766C928865ED59D7DC473CFEEB4BC4922F7C385A1C402207800D15C02864CD0BD822E3C422BA675141DA8AE719C0297260341F5A521ADDF)
(91,Honesty is the best policy.,30440220444DDA207C77E57C16361712CB9217F6CB69D9E2FA931B89CE7F0A61A2D2845D022022543F223DBAECB8D78E078F06F350559C6950BD75B89B68F145E363966D7EA3)
(92,Honey catches more flies than vinegar.,3045022100BBAC6B8AD9AA0F3D373EA1ADBF19ED945205A3447C6AF5C8FF07F6C97DE8729F022033A43C3699189E17BF5FAFFA9FDDD6899630F4573CD6C71D8211166866DF1586)
(93,A house is not a home.,3044022029782A53F11CF0C08EBCFC502BF90025A2BA9C1D95B47DB9E45A76CE6A1C177102205B05FC2CFF9A5CBEF7D6359CD02F628D14D85EB029A55DDF0BB5473AB78EAA03)
(94,Idle minds are the devil's workshop.,30440220293D28091EDDE182C419FA6C9CA93AA17D3001FE5587E7846B3D47BC63B96DBF022017F263C1921D38B5A785CE48F2192E6EE436EA38029E6B888F87F39CC6B7C803)
(95,If at first you don't succeed, try, try again.,304502210088F7B2AB2F44330D33BCFEEA113FF3BC74DD5617FB476FD615519777FE7B00B402206CC0191ADB53BABDBA1D9287805B3670D5A65A6146511B8A53D1974C2704D027)
(96,If God had meant us to fly he'd have given us wings.,30440220579575747DD27ACB060CD1DA207A9E87E9B31EDBF30CA26F0B08526356FFAAAF02202DC4619BE00EB22C3A7DF57F124D389765C9619ACF18F0557A799D659F0907CC)
(97,If it ain't broke, don't fix it.,30450221008AF54551188EE3B25A9BAD860397E6DD970CA6F28B6AB9437B7CA25AE10027DD022025E11F17C48E7F0C3022F767A54279C45E08043395EE35E9754B12EF3C937BEB)
(98,If it's not one thing, it's another.,304402204B6FD537E74EC5189357A2F7BA09787A438064724032F544DE3CAC9761839627022075908D76F0F0A2B88B22D9BCC07268E5B82D0C8241242384E3BEAF28DDDE7AD5)
(99,If the shoe fits, wear it.,304402207349B33EAACCED064C152E066D948D4B7739F3AF5D2269498318FD949FBB9FF8022045C188EAF5324A6FEFACB0C8A5D0380122D676BEBD7D2A9126A306704C9F2A20)
(100,If wishes were horses then beggars would ride.,304502210087C24C73A0501B07A34C2196798A657E56089C609810651994ED312CBD2DBB7B02201F4413F7FBB68589B85156C76017DD5244182E1FFAF7A3170EDAD87A20D9E37A)

[Jus12]

SET 2: Large private keys. (large key is Sha256(small key))

Again, format is: (PrvKey (Int), String, DER Signature)

Code:

(34356466678672179216206944866734405838331831190171667647615530531663699592602,Absence makes the heart grow fonder.,3045022100996D79FBA54B24E9394FC5FAB6BF94D173F3752645075DE6E32574FE08625F770220345E638B373DCB0CE0C09E5799695EF64FFC5E01DD8367B9A205CE25F28870F6)
(99398763056634537812744552006896172984671876672520535998211840060697129507206,Actions speak louder than words.,304502210088164430985A4437471417C2386FAA536E1FE8EC91BD0F1F642BC22A776891530220090DC83D6E3B54A1A54DC2E79C693144179A512D9C9E686A6C25E7641A2101A8)
(3759719655879806965811134282268177329967523491661175987246621825209053686213,All for one and one for all.,30450221009F1073C9C09B664498D4B216983330B01C29A0FB55DD61AA145B4EBD0579905502204592FB6626F672D4F3AD4BB2D0A1ED6C2A161CC35C6BB77E6F0FD3B63FEAB36F)
(103660229287485550546857170818258546832194359524010586713457827121778385264241,All's fair in love and war.,304502210080EABF24117B492635043886E7229B9705B970CBB6828C4E03A39DAE7AC34BDA022070E8A32CA1DF82ADD53FACBD58B4F2D3984D0A17B6B13C44460238D9FF74E41F)
(104702657257102633579772822622124422673143939576486771274630765314225900831707,All work and no play makes Jack a dull boy.,3045022100A43FF5EDEA7EA0B9716D4359574E990A6859CDAEB9D7D6B4964AFD40BE11BD35022067F9D82E22FC447A122997335525F117F37B141C3EFA9F8C6D77B586753F962F)
(46744469262201639974910661553202053327388301297897803474665777634455660653814,All's well that ends well.,3044022053CE16251F4FAE7EB87E2AB040A6F334E08687FB445566256CD217ECE389E0440220576506A168CBC9EE0DD485D6C418961E7A0861B0F05D22A93401812978D0B215)
(91461772442478604154082755547318472082410323943823420797096392355159818037369,An apple a day keeps the doctor away.,3045022100DF8744CC06A304B041E88149ACFD84A68D8F4A2A4047056644E1EC8357E11EBE02204BA2D5499A26D072C797A86C7851533F287CEB8B818CAE2C5D4483C37C62750C)
(86354370597268376573642079301756246922349732255591245149271869674095200273050,An apple never falls far from the tree.,3045022100878372D211ED0DBDE1273AE3DD85AEC577C08A06A55960F2E274F97CC9F2F38F02203F992CAA66F472A64F6CCDD8076C0A12202C674155A6A61B8CD23C1DED08AAB7)
(19584093032798730129230525910686445865718710074652466673872143043325364812985,An ounce of prevention is worth a pound of cure.,3045022100D5CB4E148C0A29CE37F1542BE416E8EF575DA522666B19B541960D726C99662B022045C951C1CA938C90DAD6C3EEDE7C5DF67FCF0D14F90FAF201E8D215F215C5C18)
(781437121688497986836158713061237152541328908182646473971063062031575438443,Appearances can be deceiving.,304402203E2F0118062306E2239C873828A7275DD35545A143797E224148C5BBBD59DD08022073A8C9E17BE75C66362913B5E05D81FD619B434EDDA766FAE6C352E86987809D)
(104850492813721710139991317702163600547455850521784745263548374318180841866150,April showers bring May flowers.,3045022100A0B6F84EBE95B579CB43BD37B90D8109B92B5EC927AD6E641ABF1006D5AD68640220292CCD58343F8F37BE9A9592491D11525FEC3169D5E889C1BA91F7291FEEE751)
(108294895624446446854494029508230251498772737340287805651138023631639695116663,Bad news travels fast.,30440220379DC5CC74F2C49E6801A129047E7AA16E051FFCB81C7F48B84E20056E9427F102203F842FE9CB4677A5F4D9BEE2457E11C2C78DB6AD9017DA89CDA5E3D7BB2A2FEE)
(71066220492785796115493323581994430418788261467619766175488093873426581002692,Beauty is in the eye of the beholder.,30440220306A8EE0C28BF4ACFBFEA5D63A61762DEC700F5D32DD0D8DEF4FE862B6D3B476022030EA9F381465614C5D4EBCEBD4A2B57E9F8F913BF1532571F3026BC55282987E)
(35045846102319018084060210757321307814085153616757073976816227693320402177863,Beauty is only skin deep.,304402206A3D33C2A9B9CB6E1F568D695C41022200A61AE711415BC5CB370F6DB2C4E05902205FF611C51A1C60BF8FCF04A0AB22F7547DB5BE384159AE656B7E9616E87E5706)
(99534640684826698821425281314607391133871552380931284835129111207337931017400,Beggars can't be choosers.,3044022050DFC92497123F7B331622528C324AE272915F4C1838D45F100626B3CAE735DF022075C7FF8C5B498D85EC20B8E5E9447A3D2A202A56FB326EFE9F62BBEB384ADC92)
(89257433042642737077388553319869424410599423587810843672556525580102751784675,Behind every good man is a good woman.,3045022100CA4A18C113D53239C819E58C578BECBA0729EF84CC07E70ACCF9846E773795110220555A20257C1E80B977B5AB5E77CB2D2079C60445A1877DB448B416E400607D6E)
(33648946896879551350753991616036334622602839139780100591470253765180571691018,The best defense is a good offense.,304402201DB6D76B325B6FB3D14A329A4566C0DD39A72400ECB723BD33C3B105318D2286022060A51B6954D7D704AA72CB7938416F9E5F5C05946DCB6BCAA12F58E988A7639D)
(109730872847609188478309451572148122150330802072000585050763249942403213063436,The best laid plans of mice and men (often go astray).,30450221008CFB828C3433A6AE49EF126BF821BD7E52547D026657DC2555139B2D5A5694CC0220730FBEF0896952F9D88D94FE8A72658DCFCA316FFC7BB69032E97F104A4418E8)
(77588436797891139544418814766534468803014273060081371807081646554441205834466,Better late than never.,3044022071CDE862E982296C38D88B500670265E73612B3FCAA4034A543E583E6B99C608022037B3EE21D826DD98B318E7E39DFFA8709A05B736F3CD9184E346A054EE74FA20)
(59495244811310200848851895665864074436920957692190392920402856263689962707065,Better safe than sorry.,3044022038CBEC03CDDF534EFB6A32594434491612E6AAAFE92650674FF0A2BAE89F45DE02204929E77BD80C60154AD607765E199855FC6BDF3FC1147948ABAB471579DFAD59)
(21286655325461074170433854936958520153527866913129257091162428017511033570824,Better to have loved and lost than never to have loved at all.,3045022100C2776796AC0EBD5A3D3153A3CE1DCEDD8FD21D51634162613C8BF3F52F558CCF022063A87A635B95687262FE7BEE38E8F7D2540F7E15B055D1801E7E5483C9734B20)
(56411481257257407311361431638085419514194654231027488196123425356268835453370,Beware of Greeks bearing gifts.,3045022100ABFAEAE5B23A3528CCE8A0BEDDFE7CE95C857406A7ECED518CEA4E8DEDD71C9C02205054505FB2A75E62C9B00ECC9DD844F65A19979EBB944CDB6D11749CDB6110E1)
(64711990979782633764235335182907867215764819413400737737290858442391000674356,The bigger thet are the harder they fall.,3045022100CFEA93684039027659136AA8BF170F194DFC75CEFC5D258D4D769AFB75F5AB2302204EB9D12558D2C30656BBC72A9A4CA988C90CE7777B6362102B14DC17E24C34B7)
(31286678140563250429092325029588884449111616215545514642646378702995208845135,A bird in the hand is worth two in the bush.,30440220623B9E6E3B81039B9CED6725B5B5BEF29738BBDA95789469BA5B1336E1EF716B022056F68BB529E17FBC6C5A25AD26B6D472234D07445C21E1570BC54B17F39D2E9E)
(47341218998370181272201734249467598282837551308605752382922318982742813172692,Birds of a feather flock together.,304502210090A79808886CA7E5D3921AE1E02DAFD683067EFFAC51C63F2F0BFC202B7D16A80220609EC23BBF8DA031DE6FD85139B907C9D6579314BC429BB62C0E9A9107548183)
(40241159843464965789709657159621889568362300375338787238278532119942155301709,Blood is thicker than water.,3045022100EE176B8FA1D03FC90C1121C900934E90E875A823EA339AC8B53976BA7A34AC46022021CAC658E808B4F6DC7B3602D0649C0CAD055052210C6FC713A71B9EFC88DA69)
(54132636781002613258080006730528971631263185867153178192870305586617722495485,Boys will be boys.,3045022100B50ACBD7CA9F66C16A45BF460BC327E5609F105E33623B03A62FFC5E7915DC2902206CE6B865EB12FE6C06B7EE2E113DE4BA6AEA2F40AD182A9C520129BDA3650394)
(85628063178531417137250289274482681265391882398581258629769500564440252022808,Caught between a rock and a hard place.,30440220385211BCA964463F1A5D64A0B6F6735DC7F98E9EA76CEDFA157CCB14D738A09702204E7D6A07FB87171B7FF3A30B504BBAC72342A1851AC2F911764E34F2B45672FF)
(14065581788267869624605598613765187681849512226188411479909592996934654088141,A chain is only a strong as its weakest link.,304402206DC992211ADCE5ABF9D0FC59141E6FEC8BDEFA58BF7381EDA1F1BBF60110A0F202205413C6C62A12D87D571BBA382A6E3378DAD1D7FF5DD2D691BD452A0FACB0EF79)
(67992425569311590821219226297886711523289820287188838554909174573759534955130,Charity begins at home.,304402204A0DF633FDBF89BEE9CDEA22A93726E4EF765187C3482C675B52B6A4FA265A5F02203FEBA847D4D32AAFDF7F6E417D4D78AC2E037C25C016FB43B40FA2FAF55D3D1B)
(115746991380257615166156612555702087421192056499897692302605912764706677979678,The chickens have come home to roost.,3045022100E82FC279B5EE92E94BBE712F39347657F407974F25F6A9C5519A77EFE32F1BEB022065287788D2F5D218F7ECEA42F88EBDC50A9E87EEECDC296FA880085F2AF95195)
(24725091799402603688614593151141908335745916334489781770578761787218146381928,Cleanliness is next to godliness.,304402204B2A389F747FC73FE9D9012B7D331A3E101F2D3A83DDAA664C80A7531F861FB302207C47E8F819C6605637C2306303960F2C8BEE39E562B9C57F90A40DD41B7FB5AB)
(84783983549258160669137366770885509408211009960610860350324922232842582506338,Close, but no cigar.,304402200E295F27E8C29D1ACA46911AECA3C61E23B919630C6096A1DD78D46CD3E2E23D02205CA708852AEE1590F29F50D38EF2F374691416994EF628494518A5875FBE1136)
(62509502241407872498268968770315331569487373848001874947313984388082535116807,Cold hands, warm heart.,3045022100CB21A601CDF35532E37E772D175977AF49D39269BCAB39660B90045F36677702022034A23E87A8F4F46FA9C5D5C481367AC90EBCB05B8D1963A93C8427C80BB7C1CF)
(23186953275680943042435571704743471307745800717744010637583379876856721308811,The cure is worse than the disease.,30440220038E888A2B9E35D9ECEFC92E72720CD858029EA25384D7D531441D72D95699390220346EE5D7DA5B4ED5A836208681E89753F65BDFBB65D7F07FEDA16E21B111CB07)
(4517096579965900103028972556780794479849945358541907836842574175128857601355,Curiosity killed the cat.,3045022100940F68559DE86221CA1FFC30AE129CA6F70161781D1A0A2722B330DF2E20A030022039335EECD291E93500B193BBB5D6D3429C45A42BDFE681A4648ADF26636EC549)
(85013510616695718054333606117315353499657231642870673775083743533942269196524,The customer is always right.,3045022100D605C0E902B259702889FB134E793382466B8A5BEFA6DB6DE6CF1BBD3319FD42022034DD34A271D26F4CA7CAB19E358AB86AF5F2C040AB35D8F3E444A33C9550444E)
(67447280901095607265937018907395160069575820429680866331492777838375721247544,Damned if you do, damned if you don't.,3045022100C8701ED5FAD2C45F42FFBB21637762359605B5D41DC4BBE1348FFE3BD6309DE6022022DBF38382D27BDEECC366F47CE8696EF1A9EFA9E191E67BCF9DE33AEB38C0A3)
(17357243935295171259629857915784378506509129892947602750891058009584163116297,Discretion is the better part of valor.,3045022100D3E0AFFE152DC860821A5972619B9CE63F00191078E32D957B0C90422D46C33D02201E209962EB19BFB5975DBB0EBC2B96ED6F75762A717F406B2B9D8D8A70EABD65)
(23032077730135882228543230081183836307549943491994194742179759411831149072841,Do unto others as you would have them do unto you.,3045022100A652F02524828CE89ED0650DA6DFFCEDD492DAA69185ED3D2F7A231F1762ECE702205A287B05B566E811B7A553084ED40B0A0FB8BA015DA025DCD63689F64C0048CB)
(84297633887250415666262488757073481315675723762879744432952432869863198097902,A dog is a man's best friend.,3045022100D77D14F1A232937C45FBB459930BB2A23D629A126FB02CD9AD3F8DEDD276D85302200761833D37E04C076715BC43474050DFF6BBC9175C74200886157DBD55E0DA20)
(47168693079958078218931202593856790437935975962911552787191921557083156729793,Don't bite off more than you can chew.,3045022100C720EF0A04331929464AE3C258358D88B82DBB0161F111ED20A8886AAD5EBC5902200E1DAE96ED53629C66C4D5594E2408C67F10CC1350441431F59D3B6642617D57)
(73770739369183464215593484912469126642265335419742487579442389609834997640507,Don't bite the hand that feeds you.,3045022100979AAA044E0A16A7756C53B1B7BB15E2D1EA8F6248C38CE316AEF6380E4E4E0C022055EBD6F1538EB1C5CB0F710F74F822D2A4B5803F013E1BD129A7F5B11950EFCF)
(94174734493866934921280270524671607451130593072446049850696049995770919334887,Don't change horses in midstream.,304402205E266B5F89B90E7C4EDE60D500ED397F0A05B3738CE6BB11C01341036ED4229F0220778D7E0C71F0085A4808C402D9B4EA0A35101B10229491A5269C117BDBC924F9)
(25986566714073951856161164015496770788121160783318935748340120786046011003154,Don't count your chickens before they hatch.,304502210081542BD7F81BC40897619BF6F52BD109C49397B97B091583455D218EF4D75732022063F9E7C90E0818B19C6EE2B1DC7F8DB329E3B480CDA1171022AF2DF898DC62B5)
(93043810203864614199387609231593002638727392641579193254981137958693909313960,Don't cry over spilt milk.,304402202EBD9309C3CE9C4C882484E0BE957E8B7C75EA3FB5651C2880AC96442F44E8F4022048723E0CA6A7301C0434E01A6D8519D86187D0E3991E5C2AFB2406306D054FE0)
(62586766121885419244084944967690336208153045345391999957960483785940517429489,Don't cut off your nose to spite your face.,30450221008987F43057B6264FE5A266DC4EE0762F915758C9A08F0BBC53FADDBFBB90EB4D02205DC95B01F1C3DE57DD2564A8DAF6BA20D9615C212D1838179E05935289FC2709)
(43388321209941149759420236104888244958223766953174235657296806338137402595305,Don't judge a book by its cover.,3044022079A1236C44EE847BD9B6908CD74C238FD5C237B2B6EA8F953178443CBBCF501C022037BBB20742F4217561056A522161A098D9AFA14221EF874EA009C37E6F376728)
(48635463943209834798109814161294753926839975257569795305637098542720658922315,Don't lock the stable door after the horse is gone.,3045022100AA4BE1AC7920DA0E7D92DDE3C729F7EFD033A0EF840C757322524FB966879A0002204D661D5B9229E7D28EB4D0982955AB83BA417B91C29058AD094C5AFBAE449768)
(96094161643976066833367867971426158458230048495430276217795328666133331159861,Don't look a gift horse in the mouth.,304402205D3C551742F34D6335A5D42896B967F5A4D70CF1D55BC209388D0D4F9CF3852D02207B5AE2EE2A3E457FAA19750D4CA2ADB37E7D606FE68A718A337209F1718E2C4C)
(35293215426786447154857697798367884701614677727176325092965345248689205321678,Don't make a mountain out of a mole-hill.,3044022073DF38B0C3303F39B9BBF26829400ABAF23F30EFDD37E390083238C73CC5A020022010FED902DC606F9BC7BB7C25BE482E83B15959DC04184B70C33A50E772B59BAD)
(33984360982413536682390860969296307922929415152052354251133793603654468157322,Don't put all your eggs in one basket.,30440220745A77730A6C67E84A701E832B5D419CDBAC0D912E664E0478173E2F6237147902203788273C21BAD214446C19838E95A03FA8BD482F036BF711AA0FEF6E24A3C418)
(108182406554699997314868250957730053259073589402365819770572592736584172823453,Don't put the cart before the horse.,3045022100B87288FAA730A5B91569832A7BE15D1041B57086102F4799E482E9956E5B5185022006169CC7B7FF9EFE6D7D2E5CD34D1D4901FFFB411A62DA6D07540CC70F02A59D)
(104920238006865337205013407090248200170018306865343388364051008767965015414403,Don't rock the boat.,30450221009DD11E64C7DC4939D8D87FCEBC170554755CE83B448FE650FD1747AC6FB1DBDE022041779CE1183CEAE4461AA4997152C732AE7909F06EC3DFB173E4D607C1C116FA)
(54734117258892461880478870895348100103198302433611928089023761078319507514449,Don't throw the baby out with the bathwater.,304402201A3425C00BC86E916F698FE4B6E8CFD47D0DC66658F0249B58BC659D4C66FDE1022008251C787C38CE54E36604C831BED2A75CDF366E3F03FD30A0433503ECF4336E)
(20075373234943686845167158285967784892467090849631486320124245130906619831459,Don't upset the apple cart.,30440220055D2D4A97DE7C9A6501234F953F2E7AF7620E274C10C26D181DD10BEFB163550220143D2ACD1A332ABF25E3AE6C180B9B1D19E4AE4EEB1044F90FA39D3701B1CA9B)
(11463511883541201508393500803711559652562721115888819482889049505863143503287,Early to bed and early to rise makes a man healthy, wealthy, and wise.,304402203267090B761ACBEB84F2CD02CD4E0930D20B6B49D45099D1C4057B0735C3146302200BD0FB1CB3872EB645C2DA771CB50B3AC68D652054C9F52C1D759CC804E33777)
(104788217653533993529500207339169988426238520411097126462217698131804705208935,The early bird catches the worm.,304402205F404525F54E3AF3253EFD758EC58B5201E38258683ABC2B19A5686F5B7DCCD202200D64A40877C729547AE0742B3BD1073D3EABB9C5040D62D7C81967DBEC206CA1)
(29725475848117909387987199084733829234796841806308573833449480309880370012644,Easy come, easy go.,3044022074BE1B8EFAE324EDD6804D6F71D89AA4E486CA0D876FB4839A6489368B7A734B02204F654BEF89786E2B37175DE113F3CC5BE02EC7E3B181576B4D05ED1AC603833F)
(98938542274961973227532227547365287026005317478843446182666410829170768588402,Easy does it.,304402200F5921434AB61D40CCA2EB3B86E141360FCB0BA05ECA0249D46790AD6A56614E022052D232679C07D938FDCE0BBE39E5F985DE01A0548958504C3B5ADE58C5028658)
(25345591781188178775667434134095314792298629566501986531420139124561633292739,The end justifies the means.,30450221008A44F438CC83563144DCEB4EBD467AF2BB7A30BD2F9C157853583A4994C53E8702204D1621A1F5375AB170FCFC34E21FE00BD83722707165C34ACC4804D0AC25B90C)
(44649095793737933446832577458612460225436951291425724632909742739318562533921,Every cloud has a silver lining.,3045022100BC0FA8303875B02FE1AF55925202560BF98EF409FCC474A01474F3BAB24E729602201D0ECF80A88909B630DACD745029AE14AB069FEFBF9C08262E5233FB5B296964)
(62669900711904216563486095771954079702918192672165292201911236683364964051169,Every dog has its day.,3045022100F933F94650BA5A3A082FF131C6CB4452B80572F8489FC4DE1137C7FEDAA1D3BD02202B31B089D154A3643E3A87B6BD0A7F5A169EABDE3AF486AB1D0CCE82D70BA3DA)
(88377907727274431936127109178550888646018052965691818831345698981874107586990,Every man pays his price.,304402201D165740B55717DB763D4240A0A60B8D48656E6324DD00DBC9E2BBBF0254CF48022050BDE7BBD984ABF40B3E862FE82A4E8324BC5C48063A14A10F7098C4102A7274)
(38720307207599648528211736436817930416103789439318178660273974026535871438845,The exception that proves the rule.,30440220493360B0A585DEDDAB3E4FD6AD5C6060C0F20B6F6366F1FC2D284DF4DD8110F802200A04FF9476893DD867C8E8456573EF0AC05C1245105FF81C56FCC71BCDC85BF3)
(101089167133868482642301738280228084727114034694682239136375376240207457290844,Experience is the best teacher.,3045022100916196758EB4A6BC5C3ACFEBD4F197BCFDCE58B1ACA66CA40C45B8D0A279BF1E022010A7B4E9C7153A6F73C233CF433674BCBD708E34C9E94CB3858EE1C899B330B8)
(48460645349073159255392546928735832743630670255455966114641223049275890963469,Feed a cold, starve a fever.,3045022100CFBAB57AE1D7AEA6B7006DB40E050D0C4652DAE9F769DFDC8299733BFF77942B0220190FB51C7643750E4C91DF594E8FA399326D32C4B534C94EF148F4030AE8E3A8)
(28597895080276602050146347684670005088124896791372568093956852821741316365635,Finders keepers, losers weepers.,3045022100CBD3693C1A662E215B567FFEEA8E43FD81A8A8DB74C4BB84F6B475316F0A459802206C0E87606C3A28088A6BD0FF8F8DB2928AC4705C593EA114FFE32F2BFFFC580E)
(76873896647976970905635061314080969806679817137860970410812190421278837173336,First things first.,3044022014AB99B3821D4C32D91263847970DBC722075BB6019B87B26D534D4E549336C9022054439454C0E730B3C43050B6807BB3A3E5AF1F8CE3033CD0E9B1F4A051DF703E)
(111485737994509659498044467867576034197262524114183546611539441564110959814825,Fish, or cut bait.,30450221008C9E7FA2BFA14A8A0229815392C95B98FEA3B5640AA6120E6F33B6B219BC81870220412FB66930AC09E068C9CF12E09846E4DEEEFB9F5718483A9352D2095884819D)
(23177569626185109979099152276592650253336606370393688582308013769166849937827,A fool and his money are soon parted.,3045022100C6E4F7765348E049913E11E7D2793EC71A93DFD39419837D3EC49101DD2F2523022043DE86DCF42B4898600A150794297AF795E4F103F3E9ED000B4B20E54CB3025A)
(31092056014356393906785039968662863653100463781144139110217300916574271085601,A friend in need is a friend indeed.,304402204F80A301B3609D4C445CB6969C4A24D79B04AFE5E9DF19C08B756FCA23B7DF9A022040499B779E9CCE1598A667D9F68B2D46C4BD2C513B2C7C450F99E16BB5A286B6)
(76097777316228717378801657339713059277348630502596052814782254801954869906540,Give the devil his due.,3045022100E17C7CEBEF64B93078A549A9DC055475D932E42BD0C2FEED14E5924BACEC175A02200370C55057F11852B635C21953406CE775593B263ACA0E6EB3074C82E6DFF274)
(49592274615550774149788999072529213810569403405125804891481588145119932782005,God helps those who help themselves.,3045022100C7D790ABFD35D7EEDB65D18C8163712DD0827BF7CFBCAF7A718A4770E8EE268002207EBDCDE74B96B8B3AAA733C6DA8D83AB81539EFFEED02402A06173147598EAB0)
(60946687825443903268951144757956503669286317289045114237985014846031267737975,Going to hell in a handbasket.,3045022100C7E337F29138BFEF33B8FDA694884004F1E6930A8560A12543339644DB56BBD1022024827723E881E315726D3A2E2F471F41921F519416AA657CE3F63DE6AC4FAE91)
(51959105061069906967788357770173388915187597923772762569168288018267661951738,Good fences make good neighbors.,30440220662C081F588E8F308491DD86C9B7E8FFB663B5A8D8F59DBAED2F0042A76FFC86022044A626E026EFD87B497C9EA36214D9F94EE1A269BC267AD087A7BF33C367C1FA)
(4046863355387123130204462347062573430393022542838002397178812848050724434929,Good men are hard to find.,3045022100CCE497A49047339C31039AD0EF38664525BA8702A88B60220701961C8C18C22E02207E8E58436A87C458B2ADAB4DADD489ADFE1C8E528FB44C74759EFFB4057C4D06)
(63734441787813158815963844338605708673149670312566499169923257784981476877419,Great minds think alike.,304402202CFA3158CE842B107E078918D065FBAF6A2BBBF7EF20BA1F106B333F579429AD02203E42D274F4F676932C645FBF91502A79F880F36C6404D58BBE61629019383D69)
(88839383757809732027294628355181124362766043099157447794153980098371674745484,Good things come in small packages.,304502210095D96836BA89B09EAEE5377D4AFA76EA21F3F5144F1611B614C3B9DC4723F927022053B5AC9F8E3FF46D77DAC311EE842F154A3B973902E0EBA595D7DF082E6BCC24)
(41787483001839321897217417372545050114009480237083633772420308371683519833810,Good things come to he who waits.,304402206584A78B7AD401A24A62AFC7E8EBA70759471B4AB0E638CEF520905DF1C7B8C3022033407494236995CB21769080DF7D047C702B8BB9BD02221FDCFC6BE8B5D33826)
(33881207349617746184107317224608716430628250000829238886266783800488219587168,The grass is always greener (on the other side of the fence).,3045022100BB67A4C74A9DD56FB8BB1B6A531CB5FEC4F73404059E6EA1C2036EE271F413F70220766781263616B193E7C951ECBBE778754E0283FA83BD0C887220639CE2042B15)
(63389976442554136337772899922086777626536502367003206636548827552911843082668,Great oaks from little acorns grow.,304402203B3BB415F2BAE50B4671F9528EC29B538DDF0692693E64B4EC4256C2A8B2C5E2022023A25B5CE65F68BBFE346B9E1D3A40253443BFB027422E9C25FB6C1922D0BE42)
(64173126102878266825973548857623937542199493221847288896856545601982722397763,Half a loaf is better than none.,3045022100C814FB14439AD99F90986D299D300E94E04476A2B19517CB4CFAC68C35CC4EC20220568C48E47F4151228BA0EB3018625999C867D177952E11F798CFC40F2B42748F)
(104121560799199505662314404680230714687088204542840346521462647167686731131347,Haste makes waste.,3044022053CA6B0583DF2AD282D203422018B453A3D836B7F18CAC44732FE79302A90C1402205CF5F5151B20F886AFA4D4E662C4809AB7535EFD7024B646678533588AADA932)
(73424999992896822310519991820076556424305791564430106078467790309720552646631,Here today, gone tomorrow,30440220101387D3F2E25F7AD5529D17D2CD4D12065402A82590095507EDA59079D504680220347FA5D12CCB4143FD68F79A0C8B80C11552ADF6D8E39818C7DC53E69D165EFF)
(100573237952189172174826312895169688110774060550025431039972439755031087993036,He who hesitates is lost.,304402201E7ABA8A5D2D40FE2A8DB42BAF3D9C384C179574C1595748268D6DB5036377BE022001AD4081379F4619E18F08D55618A975B333E27FEA834DC6552F9945D14DF839)
(114304321564597036133304250140814301377287107280188595123870160279490966779636,He who laughs last, laughs best. (or 'longest'),3045022100C7803D7C9EBA9FB22F20FF578507BACC4FF029B9AC1B94E4F69A7D9E0FD93013022046E4D2F5947BD2DC1B74B661C15F0E6BB3EC5DA56B4D3C83AF5933A6A4CA67DE)
(34108397454446258992765888429068894539509886489338754337414944113991988510741,He who lives by the sword, dies by the sword.,3045022100BDEC0028F071573FD0F0768477E4F87B68069210E0D79D2CE0E8AC61003D952F022008B1B1F863EEACDD9FF178BF8F5D3209DD862911CF1579463C842725F29A72D5)
(11288774479925517110699312673577653720420640208452718047236389802202654446930,Hindsight is 20-20.,3045022100A188C9345467D6CDA2E7826B94B0CBC09DF55E58F7AD7B4617645B60C064E93502201D7FC6D400A738115C434FA6E775A7320A828A40B48B47605DE9CA3158F98A9F)
(85004320372792095998710787662581837616766068228894278544271024385475719049091,His bark is worse than his bite.,30440220753FDB6CFA298CA7B97E27081A4E5F56A3344E2E84F7E78EF0D5F10ACBB0F11A022042FBE3765A4099D544DCEA65BD0F61D5D8B0B09D7D63019B1FC4C8E2D159F428)
(16439212143089022638599819885124041729771020965445519805260476878657759184913,Honesty is the best policy.,304402205D174541F11E24CB5B8668016F56D76414526087781F90283BAECE98ACF3FDBA022058A0568ACD20123FF636159D2249B7C863CACCC0FA7E63D8217637808644F524)
(76506671159185839068671489248564301899420248994104855395900353458050452129643,Honey catches more flies than vinegar.,304402200FEE7AD8C618BED0EB9BDD09E399E2CAC0BF1FBA6057779931842955615B98FC02204CCF3D3723B53438B5471067C83BA2AF730CEA78DC9E07AE08026F66B358D2F6)
(93936282555750696919250673713970033213184365389367180572261018410200430428159,A house is not a home.,3045022100A02ACCB5D0C7889110166F9B177D129A93837B2ED62B2051A6F603DD78FA0B9B02205228D0D4AD00441A0AB7A2E08F6B4E5DEA2FEE8E004411900B744A868D93F743)
(52831591293937841751723035646938014137093860741985773100546736527643434950091,Idle minds are the devil's workshop.,3045022100F1F66E93A182F36E82EE5762EBEE874284C168D76E6065966AE6E8CF0C11D63C0220160F09BA1DBA41FDA1B7938B984FEAB61F7822240AACF330AE2602B5A90E3970)
(95386206302823656863047626088556007240214938571824801484732646305460110397406,If at first you don't succeed, try, try again.,304402202FC44C80F8470BB887EB57DF1BB2F44F058DE0157084FB596872196D7B4AA7F60220115942C7D90F88F04625B76D9FDB73D72BDB4F989A5E81C4E8573BE24C245E51)
(63867912658364381249959996456776407656548961237284539765555655210050097451987,If God had meant us to fly he'd have given us wings.,30440220421D3FFA3EE46BF5B4DBC53E34560F073D88D8A86C9D2AB99ACCD4CFA88D4A19022017D0A8CEACF30D6D2F02121CA4E7787B15CB1BE53DB6F5985DC8DECF82DE91ED)
(91634880152443617534842621287039938041581081254914058002978601050179556493499,If it ain't broke, don't fix it.,3045022100B0A5A462D5DC9723367A6624CB697AF16FB4527A4A3A65867050310182C83EFF022030A1F6F1B1CEF4AF1EE93BB486CCED7885B488FFD16FFC61A383D9601D7B18BB)
(28106838057724633541991236405213533498809717615002287594759165789551252471965,If it's not one thing, it's another.,304402200DE1EA3582FDBBDBD0E4D3FC2586C967D932CDA6FA52B5596AE816194DB768F602200D245525A84E7E8C0F1482E43C3F9712AA678CF32BDA45F3C8EE535152D49AA4)
(21027550693477535543327579570081618952892630736730429980018215117041635618758,If the shoe fits, wear it.,3045022100922027AE8B8EBDBEDEED8B29DF0B12F7ECDE217EA147FCA9422901326863176602202E2D5D0F81B66B91DE74DF2E106DE73598284B7211ED19961C6D28665970AC9C)
(11159837076962333191061022530120819165602563890003519397264714176721379981540,If wishes were horses then beggars would ride.,304402207175C8DC964F3F58F3F7F300FC3B08A78ED612EDC748628C6D8F69098860C82B02205E81019FF0ABFE11BB6164389A7763B528C2F30B196CD0B4A4C66ADEA3CE814F)

BTW sorry for reviving an old thread. I could not find good test vectors and the only ones I found were here, so adding to it.

[BrittneyHarkins]

you can subtracts order/2 when s > order/2