Problem
Let's say I receive a signature $(r,s)$, the corresponding public key and the message that was signed. I don't have access to the private key. I need to know what the recid
(Recovery ID) is that corresponds to the public key. One thing I can do is recover the public key from the signature using a multitude of libraries and trying all the possible recid
values (0 or 1, very rarely 2 or 3). But I was wondering, why would I try multiple options instead of just calculating it directly?
Now according to this article...
http://coders-errand.com/ecrecover-signature-verification-ethereum/
... I can simply reverse the formula and fill in all the constants of the secpk256k1
curve:
https://en.bitcoin.it/wiki/Secp256k1
So I tried to think about how this would be implemented. The difference between the article and my situation is that I already have the public key $Q$. I'm interested in the $y$-parity of the Point $[k]G$ ($X$ in the article). I can calculate $X$ because I have $Q$, $R$, $S$ and all the constant values given in the wiki. But then I would have to calculate two points again:
\begin{align}
X &= \frac{(eG + rQ)}{s} \bmod n\\
-X &= \frac{(eG + rQ)}{-s} \bmod n\\
\end{align}
but it's the parity precisely which I am interested in, the -
. However, now I would have two points, where 1 is invalid because it would belong to a different Q
, and I wouldn't know how to verify which one is correct. Furthermore, I am now again checking two points, which is what I wanted to prevent in the first place.
Question
My question is, is the only way to simply recover the public key for multiple recid
values and narrow it down to the recid
for your own public key? Or is it possible to come up with a formula, where recid
is on one side and the other terms on the other side, something like $recid$ $=$ $Q$... $G$... $r$ $s$... $e$