Within the e-book Programming Bitcoin (2019) by Jimmy Music (pg’s 61-72) the ECDSA signing/verification process for message hash z, personal/public key pair (e, P), generator level G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8), elliptic curve cyclic group order
N = |
-
Signature (r, s) created as follows :
r = x coordinate of the purpose R = kG (so r is within the vary [0, p – 1]),
s = (z + re) / ok mod N (so s is in vary [0, N – 1]) -
Signature (r, s) is validated as follows :
Calculate the purpose Q = (z/s)G + (r/s)P.
(r, s) is legitimate if x coordinate of Q equals r
That is carried out within the e-book code at :
https://github.com/jimmysong/programmingbitcoin/blob/grasp/code-ch13/ecc.py
within the strategies PrivateKey.signal and S256Point.confirm.
Nonetheless in different sources, eg :
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
https://andrea.corbellini.title/2015/05/30/elliptic-curve-cryptography-ecdh-and-ecdsa/
https://www.secg.org/sec1-v2.pdf
the algorithm is barely completely different :
-
r is taken to be mod N (so r is within the vary [0, N – 1]),
-
(r, s) is taken into account legitimate if (x coordinate of Q mod N) equals r
My query is which method does Bitcoin itself undertake ?
If Bitcoin adopts the latter method then if we signal as in Jimmy’s e-book, and if the x coordinate of R is within the vary [N, p – 1], which is feasible as N < p, then our r worth is within the vary [N, p – 1]. Nonetheless then, on validation utilizing the second method we compute (x coordinate of Q mod N), which should lie within the vary [0, N – 1] and thus it could actually by no means equal r, and the validation fails.
The chance of acquiring the x coord of R within the vary [N, p – 1] may be very small as N is proportionately very near p, nevertheless is it good apply in Bitcoin programming to imagine this could by no means occur ?
Within the e-book Programming Bitcoin (2019) by Jimmy Music (pg’s 61-72) the ECDSA signing/verification process for message hash z, personal/public key pair (e, P), generator level G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8), elliptic curve cyclic group order
N = |
-
Signature (r, s) created as follows :
r = x coordinate of the purpose R = kG (so r is within the vary [0, p – 1]),
s = (z + re) / ok mod N (so s is in vary [0, N – 1]) -
Signature (r, s) is validated as follows :
Calculate the purpose Q = (z/s)G + (r/s)P.
(r, s) is legitimate if x coordinate of Q equals r
That is carried out within the e-book code at :
https://github.com/jimmysong/programmingbitcoin/blob/grasp/code-ch13/ecc.py
within the strategies PrivateKey.signal and S256Point.confirm.
Nonetheless in different sources, eg :
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
https://andrea.corbellini.title/2015/05/30/elliptic-curve-cryptography-ecdh-and-ecdsa/
https://www.secg.org/sec1-v2.pdf
the algorithm is barely completely different :
-
r is taken to be mod N (so r is within the vary [0, N – 1]),
-
(r, s) is taken into account legitimate if (x coordinate of Q mod N) equals r
My query is which method does Bitcoin itself undertake ?
If Bitcoin adopts the latter method then if we signal as in Jimmy’s e-book, and if the x coordinate of R is within the vary [N, p – 1], which is feasible as N < p, then our r worth is within the vary [N, p – 1]. Nonetheless then, on validation utilizing the second method we compute (x coordinate of Q mod N), which should lie within the vary [0, N – 1] and thus it could actually by no means equal r, and the validation fails.
The chance of acquiring the x coord of R within the vary [N, p – 1] may be very small as N is proportionately very near p, nevertheless is it good apply in Bitcoin programming to imagine this could by no means occur ?
