Reading the "Simple Schnorr Multi-Signatures with Applications to Bitcoin" by Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille
.pdf link. I have some questions about some notations. I am generating a signature but the verification doesn't pass which leads me to believe I am misunderstanding some stuff here.
in
ai = Hagg(L,Xi) what do we hash? Is it the all public keys (L) "concatenated" together then public key i "concatenated" at the end?
Don't think this makes a difference if consistency is kept but are pub keys in compressed form or uncompressed?
For example with 2 keys is it calculated like this (so hash of a 99 byte long array: 3*(1+32
compressed))?:
a1=Hash(pub1 || pub2 || pub1)a2=Hash(pub1 || pub2 || pub2)Similarly for calculation of 'c' is it again concatenation of bytes, also are the points (X
~ and R) in their compressed form or uncompressed (again I don't think it makes a difference but want to make sure)?
c = Hsig(X~ ,R,m)Also I am assuming H
sig, H
agg,.. are all the same hash function like SHA256.
And finally in verification step shouldn't it be
R + X~ in the following equation since they are both points, multiplication doesn't make any sense?