2

How to recover ECDSA public key from the signature?

I know that all is need is a hash of the unsigned message and signature.

But may be there is some detailed method for to calculate ECDSA public key?

Denis Leonov
  • 915
  • 12
  • 26
  • do want to sign a message, or do you want to extract pubkey from an already signed tx? – pebwindkraft Oct 20 '17 at 07:57
  • i interested about extraction publickey from already signed tx – Denis Leonov Oct 20 '17 at 08:02
  • @HughMarstonHefner Are you asking about transactions, or you are looking for a general way of deriving an ECDSA public key from a given signature and message? – sr_gi Oct 20 '17 at 15:22
  • @sr-gi i pointed out very clearly – Denis Leonov Oct 20 '17 at 22:52
  • That may be the way then: https://crypto.stackexchange.com/questions/18105/how-does-recovering-the-public-key-from-an-ecdsa-signature-work – sr_gi Oct 20 '17 at 22:55
  • @sr-gi `Actually, it is not possible to uniquely recover the public key from an ECDSA signature` from this link – Denis Leonov Oct 20 '17 at 22:56
  • Read a little bit further, "However, with the signature and the message that was signed, and the knowledge of the curve, it is possible to generate two public keys; one of which will be the public key corresponding to the private key used" – sr_gi Oct 20 '17 at 23:01

1 Answers1

5

when looking at a signed (P2PKH) tx, the signature looks like this:

483045022100A428348FF55B2B59BC55DDACB1A00F4ECDABE282707BA5185D39FE9CDF05D7F0022074232DAE76965B6311CEA2D9E5708A0F137F4EA2B0E36D0818450C67C9BA259D0121025F95E8A33556E9D7311FA748E9434B333A4ECFB590C773480A196DEAB0DEDEE1

This can be further split into two parts:

signature: 483045022100A428348FF55B2B59BC55DDACB1A00F4ECDABE282707BA5185D39FE9CDF05D7F0022074232DAE76965B6311CEA2D9E5708A0F137F4EA2B0E36D0818450C67C9BA259D01

pubkey: 21025F95E8A33556E9D7311FA748E9434B333A4ECFB590C773480A196DEAB0DEDEE1

and further looks like this in detail (with address for pubkey at the end):

  ##################################################################
    48: OP_DATA_0x48:     push hex 48 (decimal 72) bytes as data
    30: OP_SEQUENCE_0x30: type tag indicating SEQUENCE, begin sigscript
    45: OP_LENGTH_0x45:   length of R + S
    02: OP_INT_0x02:      type tag indicating INTEGER
    21: OP_LENGTH_0x21:   this is SIG R
        00A428348FF55B2B:59BC55DDACB1A00F
        4ECDABE282707BA5:185D39FE9CDF05D7
        F0
    02: OP_INT_0x02:      type tag indicating INTEGER
    20: OP_LENGTH_0x20:   this is SIG S
        74232DAE76965B63:11CEA2D9E5708A0F
        137F4EA2B0E36D08:18450C67C9BA259D
    01: OP_SIGHASHALL:    this terminates the ECDSA signature (ASN1-DER structure)
    #########################################################
    21: OP_DATA_0x21:     type tag indicating LENGTH
    02: OP_INT_0x02:      type tag indicating INTEGER
        5F95E8A33556E9D7:311FA748E9434B33
        3A4ECFB590C77348:0A196DEAB0DEDEE1

    * This terminates the Public Key (X9.63 COMPRESSED form)
    * corresponding bitcoin address is:
   1HTNtayFkoBV28wqDygMbW33qSnRjxAuNR
pebwindkraft
  • 5,086
  • 2
  • 13
  • 34
  • please tell where is the hash which is need for signature verification with corresponding public key? – Denis Leonov Oct 20 '17 at 08:10
  • hmmm, I think I don't get it.... the hash is constructed before signing, or can be reconstructed, as described here https://bitcoin.stackexchange.com/questions/60051/how-transaction-becomes-confirmed-by-miners-if-inputscript-has-only-the-sig - achow explained it with another link. So the hash is not included in the tx itself. – pebwindkraft Oct 20 '17 at 08:17
  • 2
    Hmm I don't get the answer. The question is about key recovery while the answer talks about signatures without key recovery. – Jus12 Dec 27 '17 at 05:20
  • maybe I need some help then... the first line in the question says: "How to recover ECDSA public key from the signature?", I thought I'd show how to get to the pubkey from the signature... There it is in X9.63 (compressed) format. Is op looking for a different format, like the p,r,s and z format? – pebwindkraft Dec 27 '17 at 07:41
  • late, but anyhow: based on the comment from @Jus12, I reviewed some other posts on ECDSA, and found this link, which is also referenced in some other threads: https://bitcointalk.org/index.php?topic=6430.0 - it shows tht pubkey is included in signature itself, but not implemented in Bitcoin, due to more CPU cycles - and it would probably require a hardfork. – pebwindkraft Mar 02 '18 at 22:58