2
I do realize that in bitcoin when we return the signature result for signing a message the first byte includes information for recovering the public key required for verification using a formula like this:
27 + (4 if comp. 0 if not) + (0<=num<=3)
What I am struggling with is how do we determine that num number?
According to section 4.1.6 of SEC:1 for recovering public keys:
x = r + jn- Calculate
Qbased onRif invalid move to next - Calculate
Qbased on-R
Since j (cofactor of secp256k1) is 0 and 1 and there are two values for R. So there should be 4 possible public keys. Is num the number of public keys that we rejected before reaching the correct one? Because that is the only explanation that I can come up with based on comparisons I have made between signatures generated using Electrum and public key recovery I have done myself using SEC1.
Bonus question: Why was 27 chosen?
1
I'm not sure what
– arubi – 2018-12-19T12:34:22.983nummeans there either, but I wrote this a while ago which might interest you. It explains exactly how to encode and decode the recid byte : https://github.com/fivepiece/sign-verify-message/blob/master/signverifymessage.md#encoding-of-a-recoverable-signature@arubi Thanks for the reply. Based on your comment and another answer I've received on bitcointalk, I believe the main cause of my confusion is that I was thinking you find that
numafter signing and findingr,s. But it seems like you must find it during using the y coordinate ofrwhich is discarded and doesn't come out of sign function. Now I am trying to figure out the details... – Coding Enthusiast – 2018-12-19T13:03:30.717Dupe https://bitcoin.stackexchange.com/a/38909
– dave_thompson_085 – 2018-12-19T22:58:26.230