OpenSSL (from ssl in Mac OS X Version 10.11.6) and Secp256k1 (from the bitcoin-core repository) seem to differ in their implementations of ECDSA. I'm having issues with these differences and want to make sure they actually exist, and if they do, how to reconcile the differences.
For example, using OpenSSL, the recoverable signatures I get can end in any byte. However, from this line in Secp256k1, it seems that the 65th byte (i.e. the last byte) is required to be between 0 and 4 inclusively.
If this is the case, then why does OpenSSL allow the last byte, which seems to be referred to as rec_id, to be of any value?
Where should I be looking? Is secp256k1_schnorr.h the header I actually need to use? – Cisplatin – 2016-11-21T20:25:36.980
No, that's for Schnorr signatures (another experimental signature type). You need to use secp256k1_ecdsa_parse_der to load a signature, and secp256k1_ecdsa_verify to verify. The 'recoverable' things are for message signing. – Pieter Wuille – 2016-11-21T20:51:41.247
Thanks for the help! One last question - why is it that the signatures coming out of secp256k1 are 64 bytes instead of 65? And how would I generate the 65th byte? – Cisplatin – 2016-11-22T14:58:45.273
Read the documentation in the .h files. – Pieter Wuille – 2016-11-22T17:05:59.923
I have checked and can't find anything except for a lower-S format (64 bytes) and a serialized format (70 bytes). There doesn't seem to be anything with 65 bytes. – Cisplatin – 2016-11-22T17:25:19.403
Recoverable signatures, as used by message signing, are 65 bytes. See secp256k1_ecdsa_recoverable_signature_serialize_compact to construct those. For Bitcoin's normal signatures, use secp256k1_ecdsa_signature_der. – Pieter Wuille – 2016-11-22T17:31:26.643
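The size mismatch discussed in the comments (64-byte versus roughly 70-byte signatures) comes down to encoding: the same (r, s) pair can be written as a DER SEQUENCE or as a fixed 64-byte r || s. The following is an added example, not code from this thread, OpenSSL or libsecp256k1; the function names are hypothetical and the sample values are constructed. It strictly parses a DER signature, re-encodes it, and produces the 64-byte low-S form. A 65-byte recoverable signature additionally carries a recovery id, which neither encoding here contains.

```python
# Added example: signature encodings only (no keys, no curve arithmetic).
# N is the public order of the secp256k1 group.
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141

# Constructed sample values (not a real signature): r has its top bit set, s is "high".
R_SAMPLE = 2**255 + 12345
S_SAMPLE = N - 7

def _read_int(buf, pos):
    """Read one DER INTEGER starting at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or length > 33 or len(body) != length:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER padding")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_der(sig):
    """Strictly parse SEQUENCE { INTEGER r, INTEGER s } and return (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = _read_int(sig, 2)
    s, pos = _read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes")
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s out of range")
    return r, s

def to_der(r, s):
    """Encode (r, s) as DER; a 0x00 is prepended when the top bit is set."""
    def enc(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

def to_compact(r, s):
    """Return 64 bytes r || s, with s moved to the lower half (low-S form)."""
    if s > N // 2:
        s = N - s
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")
```
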