In the source code, what does this line mean that recovers the key from the signature?

1

I understand that the public key (Q) can be extracted from a signature (r,s), but I'm having trouble understanding this line:

if (!key.Recover(hash, &vchSig[1], (vchSig[0] - 27) & ~4))

The third variable is called "rec" and must be 0 through 3.

  • What is the purpose of this parameter (3rd one)?

  • Why is the signature starting at byte [1] and not [0]? Perhaps I'm not properly understanding "where" r and s are located in the Bitcoin signature.

By any chance is the signature format encapsulated in any standard? PKCS..? etc.

goodguys_activate

Posted 2013-11-02T17:44:01.190

Reputation: 11 898

Answers

2

It's a custom format that encodes both a signature, and a parameter that allows the public key to be reconstructed from it.

Given a signature (an (r,s) pair), and the message it signs, there can be up to 4 different public keys for which it is valid. To know which one, the number is encoded along with the signature.

The first byte is this recovery parameter plus 27. If the corresponding public key is to be a compressed one, 4 is added. The next 32 bytes encode r. The last 32 bytes encode s.

Note that this format is only used for message signatures. The scheme used for transaction signatures is older, doesn't support recovery, and uses DER encoding.

Pieter Wuille

Posted 2013-11-02T17:44:01.190

Reputation: 54 032
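
The 65-byte layout described in the answer above, as an added example that is not part of the original answer or of the Bitcoin source: a parser that splits the header byte into the recovery parameter and the compression flag, then copies out r and s. The names CompactSig, ParseCompactSig and MakeSample are hypothetical, the sample bytes are constructed, and the elliptic-curve recovery itself is not shown.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <vector>

// Hypothetical struct; fields follow the layout given in the answer.
struct CompactSig {
    int recid;                    // 0..3: which candidate public key to recover
    bool compressed;              // true when 4 was added to the header byte
    std::array<uint8_t, 32> r;    // bytes 1..32
    std::array<uint8_t, 32> s;    // bytes 33..64
};

// Parse [header][r: 32 bytes][s: 32 bytes]; returns false on malformed input.
bool ParseCompactSig(const std::vector<uint8_t>& sig, CompactSig& out) {
    if (sig.size() != 65) return false;   // reject truncated or padded input
    int v = sig[0] - 27;                  // header = 27 + recid (+ 4 if compressed)
    if (v < 0 || v > 7) return false;     // so valid headers are 27..34
    out.recid = v & ~4;                   // clear the compression bit, leaving 0..3
    out.compressed = (v & 4) != 0;        // the bit that "& ~4" masks off
    std::copy(sig.begin() + 1, sig.begin() + 33, out.r.begin());
    std::copy(sig.begin() + 33, sig.end(), out.s.begin());
    return true;
}

// Constructed sample: chosen header, r filled with 0x11, s filled with 0x22.
std::vector<uint8_t> MakeSample(uint8_t header) {
    std::vector<uint8_t> sig(65, 0x22);
    sig[0] = header;
    std::fill(sig.begin() + 1, sig.begin() + 33, 0x11);
    return sig;
}

int main() {
    CompactSig p;
    // Header 32 = 27 + recid 1 + 4 (compressed key).
    bool ok = ParseCompactSig(MakeSample(32), p);
    return (ok && p.recid == 1 && p.compressed) ? 0 : 1;
}
```

The length and header-range checks come first so that the index arithmetic on r and s never reads outside the buffer.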