1
In the answer to this question, it is stated that:
Rearranging this equation you get rP = sR - mG, or P = (s/r)R - (m/r)G. Thus, it seems we can just compute the public key from the message and the signature. Unfortunately, there can be up to 4 different points R for which R.x mod n = r (in practice, the number is almost always 2).
How is it possible that there could be up to 4 different points for R? And why would it most often be 2 different points?
Then, is the reason that R.x + 2n, R.x + 3n, etc. are not possible X coordinates because of a size constraint (I'm guessing they would be larger than 256 bits)? Perhaps this is also the reason for why R.x < p-n? – Shaun – 2019-07-11T03:14:07.897
Yes, p and n are both very close to 2^256, but n is slightly smaller. – Pieter Wuille – 2019-07-11T03:49:29.967