Format of ECDSA signature | Bitcointalksearch.org

jackjack

legendary

Activity: 1176

Merit: 1280

May Bitcoin be touched by his Noodly Appendage

Quote from: Shevek on May 24, 2013, 04:23:36 PM

Quote from: jackjack on May 24, 2013, 02:03:34 PM

Beware: r and s are unsigned, so if first byte of r is > 7f: r='\x00'+r

I don't see the logic behind this null addition. Unsigned is unsigned, so you can occupy the highest bit without permission....

It's a concatenation

Quote from: Shevek on May 24, 2013, 04:23:36 PM

Quote from: jackjack on May 24, 2013, 02:03:34 PM

Same for s
r and s are 32 bytes numbers, so, as it can one additional byte because of above, you have size(r)=0x20 or 0x21

So, I guess 0x1F, 0x1E, 0x1D... are allowed.

Thanks a lot! Cheesy

I never thought about that, but now you mention it I think so

scintill

sr. member

Activity: 448

Merit: 254

Quote from: Shevek on May 24, 2013, 04:23:36 PM

I don't see the logic behind this null addition. Unsigned is unsigned, so you can occupy the highest bit without permission....

I think he means they are unsigned, but the encoding specifies signed if the most significant bit is 1. So you have to make sure the MSB is never 1 and pad with a zero if it would be.

It might be worth a look at https://github.com/bitcoin/bitcoin/blob/ef9acc5124459b111d8643323a71d8198d0eaae8/src/script.cpp#L245 (which includes making sure the most significant bit is never 1) to make sure you are passing these checks. My understanding is that they would otherwise be valid DER encodings but are considered non-standard and may eventually be invalid.

Shevek

sr. member

Activity: 252

Merit: 250

Quote from: jackjack on May 24, 2013, 02:03:34 PM

Sorry, I was on my mobile phone
It's 30 + len(z) + 02 + len(r) + r + 02 + len(s) + s, z being what follows its size, ie 02+len(r)+r+02+len(s)+s

Wow, it make sense now.

Quote from: jackjack on May 24, 2013, 02:03:34 PM

Beware: r and s are unsigned, so if first byte of r is > 7f: r='\x00'+r

I don't see the logic behind this null addition. Unsigned is unsigned, so you can occupy the highest bit without permission....

Quote from: jackjack on May 24, 2013, 02:03:34 PM

Same for s
r and s are 32 bytes numbers, so, as it can one additional byte because of above, you have size(r)=0x20 or 0x21

So, I guess 0x1F, 0x1E, 0x1D... are allowed.

Thanks a lot! Cheesy

jackjack

legendary

Activity: 1176

Merit: 1280

May Bitcoin be touched by his Noodly Appendage

Sorry, I was on my mobile phone
It's 30 + len(z) + 02 + len(r) + r + 02 + len(s) + s, z being what follows its size, ie 02+len(r)+r+02+len(s)+s

Beware: r and s are unsigned, so if first byte of r is > 7f: r='\x00'+r
Same for s
r and s are 32 bytes numbers, so, as it can one additional byte because of above, you have size(r)=0x20 or 0x21

Shevek

sr. member

Activity: 252

Merit: 250

Quote from: jackjack on May 24, 2013, 10:49:14 AM

Look for DER format

Well, I've found the following: http://bitcoin.stackexchange.com/questions/2376/ecdsa-r-s-encoding-as-a-signature

which gives an orientation of how this matter works.

Thanks!

jackjack

legendary

Activity: 1176

Merit: 1280

May Bitcoin be touched by his Noodly Appendage

Look for DER format

Shevek

sr. member

Activity: 252

Merit: 250

The only information about how bitcoin handles ECDSA-signatures, I've found here: https://en.bitcoin.it/wiki/ECDSA

If your read the link, It is said that Signatures are are either 73, 72, or 71 bytes long, But it does not make sense: signatures are pair of numbers (r,s), each of 32 bytes; so, 64 byte total. Plus an eventual id. prefix, 65 bytes maximum. If you want to add extra CRC-like stuff, then 65+4=69 bytes (and length fixed, because all leading '0's in the binary chain of (r,s) should be counted up).

So where the numbres "73,72,71" come from!?

TIA

Topic: Format of ECDSA signature (Read 3507 times)