Join Log in
Score:1
nuhhtyy avatar Crypto

Recovering the curve-point R from a signature ECDSA

er flag
nuhhtyy

When recovering the public key from ECDSA signature (r, s), the first step is recovering the point R.

You do this by plugging in (r + xn) into the curve equation where n is the order of the basepoint and x is some integer

my question is how do you find this x value, say for secp256k1 but also the general case

I have a vauge notion that this may be related to the cofactor of the curve (usually working with secp256k1 this shouldnt be important). But im failing to find more info on it.

71
1 + 0
Score:1
poncho avatar Crypto
my flag
poncho

my question is how do you find this x value, say for secp256k1 but also the general case

Well, in the case of secp256k1, we have $n \approx p$, and so (with extremely high probability) $r + n > p$, and so we have $x = 0$.

Now, for curves with non-1 cofactors, we have $n \approx p/h$ (where $h$ is the cofactor), and so there may be several possible $x$ values for which $r + xn < p$, and so in the general case, this needs to be considered.

+ 4
fgrieu avatar
ng flag
fgrieu
Uh, I have trouble recognizing the question's _"plugging in $(r + xn)$ into the curve equation where $n$ is the order of the basepoint"_ in the [ECDSA signature verification](https://www.secg.org/sec1-v2.pdf#subsubsection.4.1.4) steps. Where exactly would that be ?
0
Reply
poncho avatar
my flag
poncho
@fgrieu: actually, he's referring to the 'Public key recovery' section of the ECDSA wikipage https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
1
Reply
nuhhtyy avatar
er flag
nuhhtyy
@poncho thank you for the response and sorry for my late one... I guess I was just confused about if all of the possible r' values (r' = (r + xn)) correspond to actual curve points (not true), and the nature of the points when x > h. is there a chance this is a field element?
0
Reply
nuhhtyy avatar
er flag
nuhhtyy
@poncho and last question can two points that satisfy (x) mod n = r both be in the same subgroup, ie both multiples of G ?
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.