4

OpenSSL (from ssl in Mac OS X Version 10.11.6) and Secp256k1 (from the bitcoin-core repository) seem to differ in their implementations of ECDSA. I'm having issues with these differences and want to make sure they actually exist, and if they do, how to reconcile the differences.

For example, using OpenSSL, the recoverable signatures I get can end in any byte. However, from this line in Secp256k1, it seems that the 65th byte (i.e. the last byte) is required to be between 0 and 4 inclusively.

If this is the case, then why does OpenSSL allow the last byte, which seems to be referred to as rec_id, to be of any value?

Cisplatin

1 Answer

4

The code you are referring to in libsecp256k1 is not for ECDSA.

It implements the custom compact signatures that Bitcoin Core uses for message signing and verification.

The normal ECDSA code in libsecp256k1 should be identical in acceptance to the one in OpenSSL (apart from the fact that by default, it only accepts and produces low-s signatures, as a way to reduce malleability potential).

Pieter Wuille
  • Where should I be looking? Is `secp256k1_schnorr.h` the header I actually need to use? – Cisplatin Nov 21 '16 at 20:25
  • 1
    No, that's for Schnorr signatures (another experimental signature type). You need to use `secp256k1_ecdsa_parse_der` to load a signature, and `secp256k1_ecdsa_verify` to verify. The 'recoverable' things are for message signing. – Pieter Wuille Nov 21 '16 at 20:51
  • Thanks for the help! One last question - why is it that the signatures coming out of secp256k1 are 64 bytes instead of 65? And how would I generate the 65th byte? – Cisplatin Nov 22 '16 at 14:58
  • Read the documentation in the .h files. – Pieter Wuille Nov 22 '16 at 17:05
  • I have checked and can't find anything except for a lower-S format (64 bytes) and a serialized format (70 bytes). There doesn't seem to be anything with 65 bytes. – Cisplatin Nov 22 '16 at 17:25
  • Recoverable signatures, as used by message signing, are 65 bytes. See `secp256k1_ecdsa_recoverable_signature_serialize_compact` to construct those. For Bitcoin's normal signatures, use `secp256k1_ecdsa_signature_der`. – Pieter Wuille Nov 22 '16 at 17:31