Score:1

Recovering the curve-point R from a signature ECDSA

er flag

When recovering the public key from ECDSA signature (r, s), the first step is recovering the point R.

You do this by plugging in (r + xn) into the curve equation where n is the order of the basepoint and x is some integer

my question is how do you find this x value, say for secp256k1 but also the general case

I have a vauge notion that this may be related to the cofactor of the curve (usually working with secp256k1 this shouldnt be important). But im failing to find more info on it.

Score:1
my flag

my question is how do you find this x value, say for secp256k1 but also the general case

Well, in the case of secp256k1, we have $n \approx p$, and so (with extremely high probability) $r + n > p$, and so we have $x = 0$.

Now, for curves with non-1 cofactors, we have $n \approx p/h$ (where $h$ is the cofactor), and so there may be several possible $x$ values for which $r + xn < p$, and so in the general case, this needs to be considered.

fgrieu avatar
ng flag
Uh, I have trouble recognizing the question's _"plugging in $(r + xn)$ into the curve equation where $n$ is the order of the basepoint"_ in the [ECDSA signature verification](https://www.secg.org/sec1-v2.pdf#subsubsection.4.1.4) steps. Where exactly would that be ?
poncho avatar
my flag
@fgrieu: actually, he's referring to the 'Public key recovery' section of the ECDSA wikipage https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
nuhhtyy avatar
er flag
@poncho thank you for the response and sorry for my late one... I guess I was just confused about if all of the possible r' values (r' = (r + xn)) correspond to actual curve points (not true), and the nature of the points when x > h. is there a chance this is a field element?
nuhhtyy avatar
er flag
@poncho and last question can two points that satisfy (x) mod n = r both be in the same subgroup, ie both multiples of G ?
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.