Wasn't able to find any problems with my tagged hashes, @kallewoof are you sure yours are correct?

@benthecarman Will investigate. I assume your tagged hashes / BIP 340 stuff passes the test vectors in https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv ?

@benthecarman Will investigate. I assume your tagged hashes / BIP 340 stuff passes the test vectors in https://github.com/bitcoin/bips/blob/master/bip-0340/test-vectors.csv ?

Yes

I realize the message serialization into the hasher is a little ambiguous. That's probably where the difference is happening.

Edit: this is how it is done in Core:

/**
 * string
 */
template<typename Stream, typename C>
void Serialize(Stream& os, const std::basic_string<C>& str)
{
    WriteCompactSize(os, str.size());
    if (!str.empty())
        os.write((char*)str.data(), str.size() * sizeof(C));
}

So for the empty string case, it would result in 0x00 (the length 0), and for the string "Hello World" it would be 0x0B + "Hello World", i.e. it prefixes the compact size of the string.

Updated BIP to clarify that the message serialization is done without length prefix and without null terminator.

I mistakenly thought the signatures were the same but looking closer they aren't. So, hashes are now identical but the signatures are different (and only mine pass the verifymessage call).

I added a clarification to the to_sign transaction that version must be 0 for SIMPLE (signature only) format.

If the spent destination turns out to have locktimes and/or such, they need to use FULL format. (Half-hearted ping @apoelstra who's probably too busy to look at this.)

Since it's all guess-work for SIMPLE format, I've changed the spec to require version, locktime, and sequence to all be 0 for the to_sign transaction. Will convert this to a non-draft if no one objects.

Self-ACK f52e047

Ping @luke-jr -- I will merge this soon unless you have reservations; I don't think there's anything controversial in here, but better safe than sorry.

ack f52e047