bitcoin core – In the Taproot implementation of Schnorr signatures, is “e” the hash of R or r?


BIP340 describes the Schnorr signature scheme that will be implemented with Taproot.

The signature scheme involves computing an integer, e, during both signing and verification.

Under Default Signing, e is defined as

Let e = int(hash_{BIP0340/challenge}(bytes(R) || bytes(P) || m)) mod n.

Under Verification, it is defined as

Let e = int(hash_{BIP0340/challenge}(bytes(r) || bytes(P) || m)) mod n.

It seems to me that the signature is valid only if e has an unambiguous definition.

Does it use the curve point, R, or its x-coordinate, r?

Link to the BIP340-documentation:

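An added illustration, not part of the original question and not Bitcoin Core's code: BIP340's notation defines bytes(P) for a point P as bytes(x(P)), so the signer's bytes(R) and the verifier's bytes(r) are the same 32 bytes and both sides compute the same e. The sketch assumes a fixed, constructed nonce k0 in place of BIP340's nonce derivation, and all helper names are hypothetical.

```python
import hashlib

# secp256k1 field prime, group order and generator (public curve constants)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    # Affine point addition; None stands for the point at infinity.
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1] % p, -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def b32(x): return x.to_bytes(32, "big")
def challenge(rx, px, m):
    # Tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data), reduced mod n.
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    return int.from_bytes(hashlib.sha256(tag + tag + rx + px + m).digest(), "big") % n

def sign(d0, k0, m):
    # k0 is a constructed demo nonce; BIP340 derives the nonce, never reuse one.
    P = mul(d0, G); d = d0 if P[1] % 2 == 0 else n - d0
    R = mul(k0, G); k = k0 if R[1] % 2 == 0 else n - k0
    e = challenge(b32(R[0]), b32(P[0]), m)      # signer: bytes(R) = bytes(x(R))
    return b32(P[0]), b32(R[0]) + b32((k + e * d) % n), e

def verify(pk, m, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    x = int.from_bytes(pk, "big"); c = (pow(x, 3, p) + 7) % p
    y = pow(c, (p + 1) // 4, p)                 # candidate square root, p = 3 mod 4
    if x >= p or y * y % p != c or r >= p or s >= n: return False, None
    P = (x, y if y % 2 == 0 else p - y)         # lift_x: choose the even y
    e = challenge(b32(r), pk, m)                # verifier: bytes(r), the same 32 bytes
    Rv = add(mul(s, G), mul(n - e, P))          # s*G - e*P
    return (Rv is not None and Rv[1] % 2 == 0 and Rv[0] == r), e
```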