Bitcoin Stack Exchange
Bitcoin Stack Exchange

Questions tagged [ecdsa]

The Elliptic Curve Digital Signature Algorithm

The Elliptic Curve Digital Signature Algorithm is one of the core algorithms used by Bitcoin.

229 questions
80
votes
1 answer

If someone wanted to pretend to be Satoshi by posting a fake signature to defraud people how could they?

If a random fraudster wanted to post a bunch of mysterious ECDSA signatures that the public would believe came from Bitcoin's creator, in order to disrupt the Bitcoin market, extract money from people, or otherwise convince people to listen to them.…
G. Maxwell
  • 7,676
  • 2
  • 19
  • 46
50
votes
5 answers

How do you get a Bitcoin Public Key from a Private Key

How do I, in extreme specificity, convert a given private bitcoin key into a public bitcoin key (Talk to me like I'm 5 and I have to do this step by step or the evil witch will cook me alive in her oven). NOT where can I find a program that will do…
Mine
  • 1,416
  • 2
  • 16
  • 27
48
votes
4 answers

ECDSA: (v, r, s), what is v?

Deterministically signing a Tx with RFC6979 returns v, r, s, where r and s are the 2 values used in standard ECDSA signatures. v = 27 + (y % 2), so 27 + the parity of r, as pybitcointools indicates. So for even r, we get v = 27, odd r we get v =…
Wizard Of Ozzie
  • 5,268
  • 4
  • 30
  • 63
25
votes
1 answer

Why the signature is always 65 (1+32+32) bytes long?

A signature created by the Bitcoin-Qt client can always be decoded (base64) to a 65-byte array. This array seems (according to https://github.com/bitcoin/bitcoin/blob/master/src/key.cpp#L217) to contain a header byte, a 32-byte R part, and a 32-byte…
Ning
  • 2,741
  • 3
  • 18
  • 16
20
votes
3 answers

Recovering private key when someone uses the same k twice in ECDSA signatures

In this blog: https://web.archive.org/web/20160308014317/http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html the author showed a case that using same k twice will leak private key. Many people know this method. But I find…
jiedo
  • 315
  • 1
  • 3
  • 9
18
votes
2 answers

ECDSA r, s encoding as a signature

An ECDSA algorithm when signing a given messages produces a pair of outputs, r and s. How, given a sigStr from a Tx can one extract r and s? Are they just concatenated byte arrays of a specific length, or is there more to it?
ThePiachu
  • 42,931
  • 25
  • 138
  • 347
17
votes
3 answers

How do you derive the private key from two signatures that share the same k value?

I wrote my own ECDSA signature algorithm just for the purpose of creating unit tests. With it I created two signatures which went into transaction 56ec7ca7df..., sending from 1GXFXm3es.... These signatures used the same k values, although k values…
Thorkil Værge
  • 1,047
  • 8
  • 24
17
votes
1 answer

Why use DER encoding for signatures?

A signature in secp256k1 is two 32 byte numbers. DER encoding a signature adds about 6-7 bytes. It also needlessly complicates things (is DER encoding used anywhere else?). In a transaction format that seems to try to squeeze every byte out, this…
user3243135
  • 295
  • 1
  • 7
15
votes
1 answer

How many bitcoin transactions can be verified per second on commodity hardware in 2020?

I am trying to figure out how many Bitcoin transactions could be verified per second. Am I correct that signature verification is more expensive than computing Merkletrees and hashes and therefore constitutes the bottleneck of the verification…
Rene Pickhardt
  • 11,670
  • 8
  • 35
15
votes
1 answer

What is the origin of insecure 64-bit nonces in signatures in the Bitcoin chain?

In Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies Joachim Breitner and Nadia Heninger use a lattice based algorithm to recover private keys from signatures in the Bitcoin chain that were produced by insecure…
G. Maxwell
  • 7,676
  • 2
  • 19
  • 46
15
votes
1 answer

What are the advantages of Schnorr vs ECDSA?

I understand that Schnorr signatures provide an improvement on ECDSA in that they are a fixed 64 bytes instead of the longer ECDSA sig format, however, I don't see how this is an advantage over ECDSA in any situation except multisig. With ECDSA,…
Lev Knoblock
  • 253
  • 2
  • 6
14
votes
1 answer

What are the potential attacks against ECDSA that would be possible if we used raw public keys as addresses?

According to this answer about why addresses are hashes rather than public keys there are potential attacks that are possible if you have the public key rather than the address, what are these attacks? If one was writing a cryptocurrency would you…
Leah Cornelius
  • 362
  • 2
  • 7
11
votes
1 answer

Problems with deterministic ECDSA based on RFC6979 in Bitcoin

Generating random number k in elliptic curve is crucial and in any transactions signature in Bitcoin, random number k is required to compute a point k*G. If this k is chosen not randomly, it instantly leaks the private key. Therefore, they came up…
abeikverdi
  • 854
  • 8
  • 21
11
votes
2 answers

How does the ECDSA verification algorithm work during transaction?

I understand the basic concept ECDSA where if Bob wants to sign a message it generates a random number n, multiply it with the secp256k1, r = the x value , s = (H(x)dr)*n^-1 mod q. Also the verification is done by P=u1(G)+u2(P), where G is the…
Kuriz
  • 113
  • 1
  • 4
10
votes
1 answer

Why was the Oct 2015 Transaction Malleability event possible in spite of BIP62/66?

The recent re-emergence of transaction malleability has been responsible for a large number of Txs which are being double spent (October 2015). /r/Bitcoin has posted some C++ code which @amaclin has taken responsibility for. I understand that,…
Wizard Of Ozzie
  • 5,268
  • 4
  • 30
  • 63
1
2 3
15 16