Recovering ECDSA public key from the signature

0

2

How to recover ECDSA public key from the signature?

I know that all is need is a hash of the unsigned message and signature.

But may be there is some detailed method for to calculate ECDSA public key?

D L

Posted 2017-10-20T07:09:19.390

Reputation: 478

do want to sign a message, or do you want to extract pubkey from an already signed tx?pebwindkraft 2017-10-20T07:57:47.050

i interested about extraction publickey from already signed txD L 2017-10-20T08:02:20.540

@HughMarstonHefner Are you asking about transactions, or you are looking for a general way of deriving an ECDSA public key from a given signature and message?sr-gi 2017-10-20T15:22:43.490

@sr-gi i pointed out very clearlyD L 2017-10-20T22:52:51.643

@sr-gi Actually, it is not possible to uniquely recover the public key from an ECDSA signature from this linkD L 2017-10-20T22:56:45.590

Read a little bit further, "However, with the signature and the message that was signed, and the knowledge of the curve, it is possible to generate two public keys; one of which will be the public key corresponding to the private key used"sr-gi 2017-10-20T23:01:45.363

Answers

3

when looking at a signed (P2PKH) tx, the signature looks like this:

483045022100A428348FF55B2B59BC55DDACB1A00F4ECDABE282707BA5185D39FE9CDF05D7F0022074232DAE76965B6311CEA2D9E5708A0F137F4EA2B0E36D0818450C67C9BA259D0121025F95E8A33556E9D7311FA748E9434B333A4ECFB590C773480A196DEAB0DEDEE1

This can be further split into two parts:

signature: 483045022100A428348FF55B2B59BC55DDACB1A00F4ECDABE282707BA5185D39FE9CDF05D7F0022074232DAE76965B6311CEA2D9E5708A0F137F4EA2B0E36D0818450C67C9BA259D01

pubkey: 21025F95E8A33556E9D7311FA748E9434B333A4ECFB590C773480A196DEAB0DEDEE1

and further looks like this in detail (with address for pubkey at the end):

  ##################################################################
    48: OP_DATA_0x48:     push hex 48 (decimal 72) bytes as data
    30: OP_SEQUENCE_0x30: type tag indicating SEQUENCE, begin sigscript
    45: OP_LENGTH_0x45:   length of R + S
    02: OP_INT_0x02:      type tag indicating INTEGER
    21: OP_LENGTH_0x21:   this is SIG R
        00A428348FF55B2B:59BC55DDACB1A00F
        4ECDABE282707BA5:185D39FE9CDF05D7
        F0
    02: OP_INT_0x02:      type tag indicating INTEGER
    20: OP_LENGTH_0x20:   this is SIG S
        74232DAE76965B63:11CEA2D9E5708A0F
        137F4EA2B0E36D08:18450C67C9BA259D
    01: OP_SIGHASHALL:    this terminates the ECDSA signature (ASN1-DER structure)
    #########################################################
    21: OP_DATA_0x21:     type tag indicating LENGTH
    02: OP_INT_0x02:      type tag indicating INTEGER
        5F95E8A33556E9D7:311FA748E9434B33
        3A4ECFB590C77348:0A196DEAB0DEDEE1

    * This terminates the Public Key (X9.63 COMPRESSED form)
    * corresponding bitcoin address is:
   1HTNtayFkoBV28wqDygMbW33qSnRjxAuNR

pebwindkraft

Posted 2017-10-20T07:09:19.390

Reputation: 4 568

please tell where is the hash which is need for signature verification with corresponding public key?D L 2017-10-20T08:10:38.737

hmmm, I think I don't get it.... the hash is constructed before signing, or can be reconstructed, as described here https://bitcoin.stackexchange.com/questions/60051/how-transaction-becomes-confirmed-by-miners-if-inputscript-has-only-the-sig - achow explained it with another link. So the hash is not included in the tx itself.

pebwindkraft 2017-10-20T08:17:13.663

Hmm I don't get the answer. The question is about key recovery while the answer talks about signatures without key recovery.Jus12 2017-12-27T05:20:40.257

maybe I need some help then... the first line in the question says: "How to recover ECDSA public key from the signature?", I thought I'd show how to get to the pubkey from the signature... There it is in X9.63 (compressed) format. Is op looking for a different format, like the p,r,s and z format?pebwindkraft 2017-12-27T07:41:06.653

late, but anyhow: based on the comment from @Jus12, I reviewed some other posts on ECDSA, and found this link, which is also referenced in some other threads: https://bitcointalk.org/index.php?topic=6430.0 - it shows tht pubkey is included in signature itself, but not implemented in Bitcoin, due to more CPU cycles - and it would probably require a hardfork.

pebwindkraft 2018-03-02T22:58:02.107