The other way is to perform what is known as a public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2).
True. Learnt something new today.
Actions: Find public key Q as follows.
1. For j from 0 to h do the following.
1.1. Let x = r + jn.
1.2. Convert the integer x to an octet string X of length mlen using the conversion routine specified in Section 2.3.7, where mlen = (log₂ p)/8 or mlen = m/8.
1.3. Convert the octet string X to an elliptic curve point R using the conversion routine specified in Section 2.3.4. If this conversion routine outputs “invalid”, then do another iteration of Step 1.
1.4. If nR ≠ O, then do another iteration of Step 1.
1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
1.6. For k from 1 to 2 do the following.
1.6.1. Compute a candidate public key as:
Q = r⁻¹(sR − eG).
1.6.2. Verify that Q is the authentic public key. (For example, verify the signature of a certification authority in a certificate which has been truncated by the omission of Q from the certificate.) If Q is authenticated, stop and output Q.
1.6.3. Change R to −R.
I'd be thankful if you represented the implementation of this as I don't understand what's R. Here's a pair of R, S, Z:
20206c79208eeb03c8ecab3c17a3e9efae5953460c71dff6306ecda4a12533c8, 3604945cde5ea4f3d3f3d4eb007a589b6763c25d5f765bbbadbd554f70abd8ad, 836d795b585d8014d3f015791d183da57e7caf6a678135c345af78b2bfa9317a
I googled and found a stackexchange post, but I can't seem to get this:
First, you find the two points R, R′ which have the value r as the x-coordinate r.
Is R = r * G?
Also, if you can derive the public key from R, S, Z why do we have to provide it in the scriptSig? It only takes space and hence, makes the transaction fee greater.