fix(core): Fix proof of ownership sighash computation.

core/.changelog.d/2034.fixed

@@ -0,0 +1 @@
+Fix sighash computation in proofs of ownership.

core/src/apps/bitcoin/ownership.py

@@ -1,12 +1,19 @@
 from typing import TYPE_CHECKING
 
 from trezor import utils, wire
-from trezor.crypto import bip32, hashlib, hmac
+from trezor.crypto import bip32, hmac
+from trezor.crypto.hashlib import sha256
 from trezor.enums import InputScriptType
+from trezor.utils import HashWriter
 
+from apps.bitcoin.writers import (
+    write_bitcoin_varint,
+    write_bytes_fixed,
+    write_bytes_prefixed,
+    write_uint8,
+)
 from apps.common.keychain import Keychain
 from apps.common.readers import read_bitcoin_varint
-from apps.common.writers import write_bitcoin_varint, write_bytes_fixed, write_uint8
 
 from . import common
 from .scripts import read_bip322_signature_proof, write_bip322_signature_proof
@@ -48,18 +55,18 @@ def generate_proof(
     for ownership_id in ownership_ids:
         write_bytes_fixed(proof, ownership_id, _OWNERSHIP_ID_LEN)
 
-    sighash = hashlib.sha256(proof)
+    sighash = HashWriter(sha256(proof))
-    sighash.update(script_pubkey)
+    write_bytes_prefixed(sighash, script_pubkey)
-    sighash.update(commitment_data)
+    write_bytes_prefixed(sighash, commitment_data)
     if script_type in (
         InputScriptType.SPENDADDRESS,
         InputScriptType.SPENDMULTISIG,
         InputScriptType.SPENDWITNESS,
         InputScriptType.SPENDP2SHWITNESS,
     ):
-        signature = common.ecdsa_sign(node, sighash.digest())
+        signature = common.ecdsa_sign(node, sighash.get_digest())
     elif script_type == InputScriptType.SPENDTAPROOT:
-        signature = common.bip340_sign(node, sighash.digest())
+        signature = common.bip340_sign(node, sighash.get_digest())
     else:
         raise wire.DataError("Unsupported script type.")
     public_key = node.public_key()
@@ -97,17 +104,19 @@ def verify_nonownership(
         # Verify the BIP-322 SignatureProof.
 
         proof_body = memoryview(proof)[: r.offset]
-        sighash = hashlib.sha256(proof_body)
+        if commitment_data is None:
-        sighash.update(script_pubkey)
+            commitment_data = bytes()
-        if commitment_data:
+
-            sighash.update(commitment_data)
+        sighash = HashWriter(sha256(proof_body))
+        write_bytes_prefixed(sighash, script_pubkey)
+        write_bytes_prefixed(sighash, commitment_data)
         script_sig, witness = read_bip322_signature_proof(r)
 
         # We don't call verifier.ensure_hash_type() to avoid possible compatibility
         # issues between implementations, because the hash type doesn't influence
         # the digest and the value to use is not defined in BIP-322.
         verifier = SignatureVerifier(script_pubkey, script_sig, witness, coin)
-        verifier.verify(sighash.digest())
+        verifier.verify(sighash.get_digest())
     except (ValueError, EOFError):
         raise wire.DataError("Invalid proof of ownership")
 

core/tests/test_apps.bitcoin.ownership_proof.py

@@ -15,6 +15,7 @@ from apps.bitcoin.multisig import multisig_get_pubkeys
 class TestOwnershipProof(unittest.TestCase):
 
     def test_p2wpkh_gen_proof(self):
+        # SLIP-0019 test vector 1
         coin = coins.by_name('Bitcoin')
         seed = bip39.seed(' '.join(['all'] * 12), '')
         keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
@@ -36,11 +37,12 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("3045022100e5eaf2cb0a473b4545115c7b85323809e75cb106175ace38129fd62323d73df30220363dbc7acb7afcda022b1f8d97acb8f47c42043cfe0595583aa26e30bc8b3bb5"))
+        self.assertEqual(signature, unhexlify("3045022100c0dc28bb563fc5fea76cacff75dba9cb4122412faae01937cdebccfb065f9a7002202e980bfbd8a434a7fc4cd2ca49da476ce98ca097437f8159b1a386b41fcdfac5"))
-        self.assertEqual(proof, unhexlify("534c00190001a122407efc198211c81af4450f40b235d54775efd934d16b9e31c6ce9bad57070002483045022100e5eaf2cb0a473b4545115c7b85323809e75cb106175ace38129fd62323d73df30220363dbc7acb7afcda022b1f8d97acb8f47c42043cfe0595583aa26e30bc8b3bb50121032ef68318c8f6aaa0adec0199c69901f0db7d3485eb38d9ad235221dc3d61154b"))
+        self.assertEqual(proof, unhexlify("534c00190001a122407efc198211c81af4450f40b235d54775efd934d16b9e31c6ce9bad57070002483045022100c0dc28bb563fc5fea76cacff75dba9cb4122412faae01937cdebccfb065f9a7002202e980bfbd8a434a7fc4cd2ca49da476ce98ca097437f8159b1a386b41fcdfac50121032ef68318c8f6aaa0adec0199c69901f0db7d3485eb38d9ad235221dc3d61154b"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2wpkh_in_p2sh_gen_proof(self):
+        # SLIP-0019 test vector 2
         coin = coins.by_name('Bitcoin')
         seed = bip39.seed(' '.join(['all'] * 12), '')
         keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
@@ -63,11 +65,12 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("3045022100a37330dca699725db613dd1b30059843d1248340642162a0adef114509c9849402201126c9044b998065d40b44fd2399b52c409794bbc3bfdd358cd5fb450c94316d"))
+        self.assertEqual(signature, unhexlify("30440220484072ca317663dd685d372115a9d2ff43d9afc6d352c10445a94e555e12154602202d3ffee5f780dbc74e67fcc4bcbc75a9816ed00df1142d571014724af9959355"))
-        self.assertEqual(proof, unhexlify("534c0019000192caf0b8daf78f1d388dbbceaec34bd2dabc31b217e32343663667f6694a3f4617160014e0cffbee1925a411844f44c3b8d81365ab51d03602483045022100a37330dca699725db613dd1b30059843d1248340642162a0adef114509c9849402201126c9044b998065d40b44fd2399b52c409794bbc3bfdd358cd5fb450c94316d012103a961687895a78da9aef98eed8e1f2a3e91cfb69d2f3cf11cbd0bb1773d951928"))
+        self.assertEqual(proof, unhexlify("534c0019000192caf0b8daf78f1d388dbbceaec34bd2dabc31b217e32343663667f6694a3f4617160014e0cffbee1925a411844f44c3b8d81365ab51d036024730440220484072ca317663dd685d372115a9d2ff43d9afc6d352c10445a94e555e12154602202d3ffee5f780dbc74e67fcc4bcbc75a9816ed00df1142d571014724af9959355012103a961687895a78da9aef98eed8e1f2a3e91cfb69d2f3cf11cbd0bb1773d951928"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2tr_gen_proof(self):
+        # SLIP-0019 test vector 5
         coin = coins.by_name('Bitcoin')
         seed = bip39.seed(' '.join(['all'] * 12), '')
         keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
@@ -89,11 +92,12 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("6cd08474ea019c9ab4b9b7b76ec03c4dd4db76abc3a460434a91cfc1b190174949eb7111c8e762407730a215421a0da0b5e01f48de62d7ccea0abea046e2a496"))
+        self.assertEqual(signature, unhexlify("1b553e5b9cc787b531bbc78417aea901272b4ea905136a2babc4d6ca471549743b5e0e39ddc14e620b254e42faa7f6d5bd953e97aa231d764d21bc5a58e8b7d9"))
-        self.assertEqual(proof, unhexlify("534c00190001dc18066224b9e30e306303436dc18ab881c7266c13790350a3fe415e438135ec0001406cd08474ea019c9ab4b9b7b76ec03c4dd4db76abc3a460434a91cfc1b190174949eb7111c8e762407730a215421a0da0b5e01f48de62d7ccea0abea046e2a496"))
+        self.assertEqual(proof, unhexlify("534c00190001dc18066224b9e30e306303436dc18ab881c7266c13790350a3fe415e438135ec0001401b553e5b9cc787b531bbc78417aea901272b4ea905136a2babc4d6ca471549743b5e0e39ddc14e620b254e42faa7f6d5bd953e97aa231d764d21bc5a58e8b7d9"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2pkh_gen_proof(self):
+        # SLIP-0019 test vector 3
         coin = coins.by_name('Bitcoin')
         seed = bip39.seed(' '.join(['all'] * 12), 'TREZOR')
         keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
@@ -115,11 +119,12 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("304402206682f40a12f3609a308acb872888470a07760f2f4790ee4ff62665a39c02a5fc022026f3f38a7c2b2668c2eff9cc1e712c7f254926a482bae411ad18947eba9fd21c"))
+        self.assertEqual(signature, unhexlify("3045022100e818002d0a85438a7f2140503a6aa0a6af6002fa956d0101fd3db24e776e546f0220430fd59dc1498bc96ab6e71a4829b60224828cf1fc35edc98e0973db203ca3f0"))
-        self.assertEqual(proof, unhexlify("534c00190001ccc49ac5fede0efc80725fbda8b763d4e62a221c51cc5425076cffa7722c0bda6a47304402206682f40a12f3609a308acb872888470a07760f2f4790ee4ff62665a39c02a5fc022026f3f38a7c2b2668c2eff9cc1e712c7f254926a482bae411ad18947eba9fd21c012102f63159e21fbcb54221ec993def967ad2183a9c243c8bff6e7d60f4d5ed3b386500"))
+        self.assertEqual(proof, unhexlify("534c00190001ccc49ac5fede0efc80725fbda8b763d4e62a221c51cc5425076cffa7722c0bda6b483045022100e818002d0a85438a7f2140503a6aa0a6af6002fa956d0101fd3db24e776e546f0220430fd59dc1498bc96ab6e71a4829b60224828cf1fc35edc98e0973db203ca3f0012102f63159e21fbcb54221ec993def967ad2183a9c243c8bff6e7d60f4d5ed3b386500"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2wpkh_verify_proof(self):
+        # SLIP-0019 test vector 1
         coin = coins.by_name('Bitcoin')
         seed = bip39.seed(' '.join(['all'] * 12), 'TREZOR')
         keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
@@ -127,10 +132,11 @@ class TestOwnershipProof(unittest.TestCase):
 
         # Proof for "all all ... all" seed without passphrase.
         script_pubkey = unhexlify("0014b2f771c370ccf219cd3059cda92bdf7f00cf2103")
-        proof = unhexlify("534c00190001a122407efc198211c81af4450f40b235d54775efd934d16b9e31c6ce9bad57070002483045022100e5eaf2cb0a473b4545115c7b85323809e75cb106175ace38129fd62323d73df30220363dbc7acb7afcda022b1f8d97acb8f47c42043cfe0595583aa26e30bc8b3bb50121032ef68318c8f6aaa0adec0199c69901f0db7d3485eb38d9ad235221dc3d61154b")
+        proof = unhexlify("534c00190001a122407efc198211c81af4450f40b235d54775efd934d16b9e31c6ce9bad57070002483045022100c0dc28bb563fc5fea76cacff75dba9cb4122412faae01937cdebccfb065f9a7002202e980bfbd8a434a7fc4cd2ca49da476ce98ca097437f8159b1a386b41fcdfac50121032ef68318c8f6aaa0adec0199c69901f0db7d3485eb38d9ad235221dc3d61154b")
         self.assertTrue(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2tr_verify_proof(self):
+        # SLIP-0019 test vector 5
         coin = coins.by_name('Bitcoin')
         seed = bip39.seed(' '.join(['all'] * 12), 'TREZOR')
         keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
@@ -138,18 +144,23 @@ class TestOwnershipProof(unittest.TestCase):
 
         # Proof for "all all ... all" seed without passphrase.
         script_pubkey = unhexlify("51204102897557de0cafea0a8401ea5b59668eccb753e4b100aebe6a19609f3cc79f")
-        proof = unhexlify("534c00190001dc18066224b9e30e306303436dc18ab881c7266c13790350a3fe415e438135ec0001406cd08474ea019c9ab4b9b7b76ec03c4dd4db76abc3a460434a91cfc1b190174949eb7111c8e762407730a215421a0da0b5e01f48de62d7ccea0abea046e2a496")
+        proof = unhexlify("534c00190001dc18066224b9e30e306303436dc18ab881c7266c13790350a3fe415e438135ec0001401b553e5b9cc787b531bbc78417aea901272b4ea905136a2babc4d6ca471549743b5e0e39ddc14e620b254e42faa7f6d5bd953e97aa231d764d21bc5a58e8b7d9")
         self.assertTrue(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2wsh_gen_proof(self):
+        # SLIP-0019 test vector 4
         coin = coins.by_name('Bitcoin')
-        seed = bip39.seed(' '.join(['all'] * 12), '')
+        seed1 = bip39.seed(' '.join(['all'] * 12), '')
-        keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
+        seed2 = bip39.seed('abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about', '')
+        seed3 = bip39.seed('zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong', '')
         commitment_data = b"TREZOR"
 
         nodes = []
-        for index in range(1, 4):
+        keychains = []
-            node = keychain.derive([84 | HARDENED, 0 | HARDENED, index | HARDENED])
+        for seed in [seed1, seed2, seed3]:
+            keychain = Keychain(seed, coin.curve_name, [AlwaysMatchingSchema], slip21_namespaces=[[b"SLIP-0019"]])
+            keychains.append(keychain)
+            node = keychain.derive([84 | HARDENED, 0 | HARDENED, 0 | HARDENED])
             nodes.append(HDNodeType(
                 depth=node.depth(),
                 child_num=node.child_num(),
@@ -160,7 +171,7 @@ class TestOwnershipProof(unittest.TestCase):
 
         multisig = MultisigRedeemScriptType(
             nodes=nodes,
-            address_n=[0, 1],
+            address_n=[1, 0],
             signatures=[b"", b"", b""],
             m=2,
         )
@@ -168,13 +179,14 @@ class TestOwnershipProof(unittest.TestCase):
         pubkeys = multisig_get_pubkeys(multisig)
         address = address_multisig_p2wsh(pubkeys, multisig.m, coin.bech32_prefix)
         script_pubkey = scripts.output_derive_script(address, coin)
-        ownership_id = ownership.get_identifier(script_pubkey, keychain)
+        ownership_ids = [ownership.get_identifier(script_pubkey, keychain) for keychain in keychains]
-        ownership_ids = [b'\x00' * 32, ownership_id, b'\x01' * 32]
+        self.assertEqual(ownership_ids[0], unhexlify("309c4ffec5c228cc836b51d572c0a730dbabd39df9f01862502ac9eabcdeb94a"))
-        self.assertEqual(ownership_id, unhexlify("9c27411da79a23811856f897da890452ab9e17086038c4a3e70e9efa875cb3ef"))
+        self.assertEqual(ownership_ids[1], unhexlify("46307177b959c48bf2eb516e0463bb651aad388c7f8f597320df7854212fa344"))
+        self.assertEqual(ownership_ids[2], unhexlify("3892f9573e08cedff9160b243759520733a980fed45b131a8bba171317ae5d94"))
 
         # Sign with the first key.
         _, signature = ownership.generate_proof(
-            node=keychain.derive([84 | HARDENED, 0 | HARDENED, 1 | HARDENED, 0, 1]),
+            node=keychains[0].derive([84 | HARDENED, 0 | HARDENED, 0 | HARDENED, 1, 0]),
             script_type=InputScriptType.SPENDWITNESS,
             multisig=multisig,
             coin=coin,
@@ -183,12 +195,12 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("304402207568cf003ff548c52ce8e3a46a1c1e681462ca8f1651b0c82f688d41280753b4022024f977fa96fd23cf71e35d4d3c5087c375fcf1b6eed6d11ab00d552817d39ba4"))
+        self.assertEqual(signature, unhexlify("30450221009d8cd2d792633732b3a406ea86072e94c72c0d1ffb5ddde466993ee2142eeef502206fa9c6273ab35400ebf689028ebcf8d2031edb3326106339e92d499652dc4303"))
         multisig.signatures[0] = signature
 
         # Sign with the third key.
         proof, signature = ownership.generate_proof(
-            node=keychain.derive([84 | HARDENED, 0 | HARDENED, 3 | HARDENED, 0, 1]),
+            node=keychain.derive([84 | HARDENED, 0 | HARDENED, 0 | HARDENED, 1, 0]),
             script_type=InputScriptType.SPENDWITNESS,
             multisig=multisig,
             coin=coin,
@@ -197,8 +209,8 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("304402203c4fedba34aebd213aba5b5af1ae26240a10a05cfc1c5b75c629275aa21560bb02203b90b4079c20f792f4ec533c72af31435b1e5f648ca8302730c309690133a710"))
+        self.assertEqual(signature, unhexlify("304402205fae1218bc4600ad6c28b6093e8f3757603681b024e60f1d92fca579bfce210b022011d6f1c6ef1c7f7601f635ed237dafc774386dd9f4be0aef85e3af3f095d8a92"))
-        self.assertEqual(proof, unhexlify("534c0019000300000000000000000000000000000000000000000000000000000000000000009c27411da79a23811856f897da890452ab9e17086038c4a3e70e9efa875cb3ef010101010101010101010101010101010101010101010101010101010101010100040047304402207568cf003ff548c52ce8e3a46a1c1e681462ca8f1651b0c82f688d41280753b4022024f977fa96fd23cf71e35d4d3c5087c375fcf1b6eed6d11ab00d552817d39ba40147304402203c4fedba34aebd213aba5b5af1ae26240a10a05cfc1c5b75c629275aa21560bb02203b90b4079c20f792f4ec533c72af31435b1e5f648ca8302730c309690133a71001695221022aff3e39acd2d510c661e097a9657962ad6bf75a977c2c905152d2eb2cd58c7b210241ec073f3bb3f701a87b78fbc5f7b4daec140b87da38303173eddd0860ac55e321030205585a3eb01cbebbbb7b9138f7796117cca8e30eba5cd143ff4e3e617d221553ae"))
+        self.assertEqual(proof, unhexlify("534c00190003309c4ffec5c228cc836b51d572c0a730dbabd39df9f01862502ac9eabcdeb94a46307177b959c48bf2eb516e0463bb651aad388c7f8f597320df7854212fa3443892f9573e08cedff9160b243759520733a980fed45b131a8bba171317ae5d940004004830450221009d8cd2d792633732b3a406ea86072e94c72c0d1ffb5ddde466993ee2142eeef502206fa9c6273ab35400ebf689028ebcf8d2031edb3326106339e92d499652dc43030147304402205fae1218bc4600ad6c28b6093e8f3757603681b024e60f1d92fca579bfce210b022011d6f1c6ef1c7f7601f635ed237dafc774386dd9f4be0aef85e3af3f095d8a9201695221032ef68318c8f6aaa0adec0199c69901f0db7d3485eb38d9ad235221dc3d61154b2103025324888e429ab8e3dbaf1f7802648b9cd01e9b418485c5fa4c1b9b5700e1a621033057150eb57e2b21d69866747f3d377e928f864fa88ecc5ddb1c0e501cce3f8153ae"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2wsh_in_p2sh_gen_proof(self):
@@ -243,7 +255,7 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("3045022100deccf7735da7a8236efd59d5759c4cbe9fa32d567bcd57d8d718cc689bc6972402202ce7fe49b0f0caea049be69c91bca9c9397d693d79388f1cfb65d51deadfb3d8"))
+        self.assertEqual(signature, unhexlify("30450221008c2c61ac2b50fd5f644baf5e8815b41caaf41d3b085d6e79c1ab38ab9ff4ef0702206742f837eddd4484ebf642e0bcb9621fe39165d3c9d62706bb01b2a8d854fb39"))
         multisig.signatures[1] = signature
 
         # Sign with the fourth key.
@@ -257,7 +269,7 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("304402206e8219a013e94de493c4ff50b44d31f443d37a2c4dbcba6af1ac825b28cc631202200741a72035acd122a6f4fdb994c15ab19aa20cecdfdb19aa37490e7bb011a617"))
+        self.assertEqual(signature, unhexlify("304402200f5ec86b369f6a980a237944a1a06e6615afb147c6d84baf28cd1b8a58faf52702205614240e1582adeaa84685398a24d3678d0781371678b402b290ae3de3e058ee"))
         multisig.signatures[3] = signature
 
         # Sign with the fifth key.
@@ -271,8 +283,8 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("304402202f6066733abf4671b74f1f883dd3c8d4810aa71b7b7b5f6196b1ceff83d5370e022053aad3bde0fe6ce6c4553dd72ddf07e7f06447a7bd35edf6f0b4e9690ee7ce79"))
+        self.assertEqual(signature, unhexlify("304402201ce53fcd797b6f5ceefa839817d6285551ff420457503ae2dab3f90ca1f6f2330220522f030423c22d5582c4f8fe243839031f584642ba5c085af712145d1e8146b7"))
-        self.assertEqual(proof, unhexlify("534c0019000400000000000000000000000000000000000000000000000000000000000000000101010101010101010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202020202020202020266f99db388dfa7ae137f7bdb5f0004b4d6968014921cfaff1fec042e3bb83ae0232200208c256ed80a97a421656daa1468f6d4d43f475cb52ed79532d8bcb315518298120500483045022100deccf7735da7a8236efd59d5759c4cbe9fa32d567bcd57d8d718cc689bc6972402202ce7fe49b0f0caea049be69c91bca9c9397d693d79388f1cfb65d51deadfb3d80147304402206e8219a013e94de493c4ff50b44d31f443d37a2c4dbcba6af1ac825b28cc631202200741a72035acd122a6f4fdb994c15ab19aa20cecdfdb19aa37490e7bb011a6170147304402202f6066733abf4671b74f1f883dd3c8d4810aa71b7b7b5f6196b1ceff83d5370e022053aad3bde0fe6ce6c4553dd72ddf07e7f06447a7bd35edf6f0b4e9690ee7ce7901ad5321032922ce9b0b71ae2d2d8a7f239610ae8226e0fb8c0f445ec4c88cf9aa4787f44b21028373a1cdb9a1afbc67e57f75eeea1f53e7210ae8ec4b3441a5f2bc4a250b663c21028ab4c06e3ad19053b370eff097697d4cb6d3738712ebcdcdc27c58a5639ac3aa2103e3247fab300aeba459257e4605245f85378ecbfe092ca3bc55ec1259baa456f521023b0d8d97398d97c4dba10f788344abd4bd1058ad3959724d32079ad04bdbde8a55ae"))
+        self.assertEqual(proof, unhexlify("534c0019000400000000000000000000000000000000000000000000000000000000000000000101010101010101010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202020202020202020266f99db388dfa7ae137f7bdb5f0004b4d6968014921cfaff1fec042e3bb83ae0232200208c256ed80a97a421656daa1468f6d4d43f475cb52ed79532d8bcb3155182981205004830450221008c2c61ac2b50fd5f644baf5e8815b41caaf41d3b085d6e79c1ab38ab9ff4ef0702206742f837eddd4484ebf642e0bcb9621fe39165d3c9d62706bb01b2a8d854fb390147304402200f5ec86b369f6a980a237944a1a06e6615afb147c6d84baf28cd1b8a58faf52702205614240e1582adeaa84685398a24d3678d0781371678b402b290ae3de3e058ee0147304402201ce53fcd797b6f5ceefa839817d6285551ff420457503ae2dab3f90ca1f6f2330220522f030423c22d5582c4f8fe243839031f584642ba5c085af712145d1e8146b701ad5321032922ce9b0b71ae2d2d8a7f239610ae8226e0fb8c0f445ec4c88cf9aa4787f44b21028373a1cdb9a1afbc67e57f75eeea1f53e7210ae8ec4b3441a5f2bc4a250b663c21028ab4c06e3ad19053b370eff097697d4cb6d3738712ebcdcdc27c58a5639ac3aa2103e3247fab300aeba459257e4605245f85378ecbfe092ca3bc55ec1259baa456f521023b0d8d97398d97c4dba10f788344abd4bd1058ad3959724d32079ad04bdbde8a55ae"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))
 
     def test_p2sh_gen_proof(self):
@@ -317,7 +329,7 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("3045022100bc63486f167b911dc8ef2414c4bca6dcfac999797b67159957802a9c49c2179402201cec0d53fee78fcfde496e30be35bd855d93a5be89604c55dcfdbdc515fbb41a"))
+        self.assertEqual(signature, unhexlify("3044022058091b367ab67281963029435046abcb51057d143077a36737780a7cbcd6c1af02202f54147645b970c60b5b631b233ed93c15304294a4214b2c44b57db84815ca14"))
         multisig.signatures[0] = signature
 
         # Sign with the third key.
@@ -331,8 +343,8 @@ class TestOwnershipProof(unittest.TestCase):
             script_pubkey=script_pubkey,
             commitment_data=commitment_data,
         )
-        self.assertEqual(signature, unhexlify("3045022100d9d5966eb7858cc1a600a9c05be252c1df11d662f319a107d04e219a27c1386c02200674523e50e89164d6d5683dfbe9a50594b08011e11c18813b56cf855755afde"))
+        self.assertEqual(signature, unhexlify("304402200d8f270ea9a80678f266b3fbe6e4aa59aab46b440d8066dcf46fb46a4beaf58202201198d73e355158ebf532ca6527e28ea97b79594e016a65c7a0c68813c26271ff"))
-        self.assertEqual(proof, unhexlify("534c001900020000000000000000000000000000000000000000000000000000000000000000ce4ee8298ad105c3495a1d2b620343133521ab34de2450deeb32eec39475fef4db00483045022100bc63486f167b911dc8ef2414c4bca6dcfac999797b67159957802a9c49c2179402201cec0d53fee78fcfde496e30be35bd855d93a5be89604c55dcfdbdc515fbb41a01483045022100d9d5966eb7858cc1a600a9c05be252c1df11d662f319a107d04e219a27c1386c02200674523e50e89164d6d5683dfbe9a50594b08011e11c18813b56cf855755afde014752210203ed6187880ae932660086e55d4561a57952dd200aa3ed2aa66b73e5723a0ce7210360e7f32fd3c8dee27a166f6614c598929699ee66acdcbda5fb24571bf2ae1ca052ae00"))
+        self.assertEqual(proof, unhexlify("534c001900020000000000000000000000000000000000000000000000000000000000000000ce4ee8298ad105c3495a1d2b620343133521ab34de2450deeb32eec39475fef4d900473044022058091b367ab67281963029435046abcb51057d143077a36737780a7cbcd6c1af02202f54147645b970c60b5b631b233ed93c15304294a4214b2c44b57db84815ca140147304402200d8f270ea9a80678f266b3fbe6e4aa59aab46b440d8066dcf46fb46a4beaf58202201198d73e355158ebf532ca6527e28ea97b79594e016a65c7a0c68813c26271ff014752210203ed6187880ae932660086e55d4561a57952dd200aa3ed2aa66b73e5723a0ce7210360e7f32fd3c8dee27a166f6614c598929699ee66acdcbda5fb24571bf2ae1ca052ae00"))
         self.assertFalse(ownership.verify_nonownership(proof, script_pubkey, commitment_data, keychain, coin))