What are the problems related in using the "normal" ( bigger than N/2) value of the s number in transaction signature and why we use the lower one? Is it about the math behind the ecdsa?
Asked
Active
Viewed 1,056 times
1 Answers
2
Details are in BIP 146:
We require that the S value inside ECDSA signatures is at most the curve order divided by 2...
...
A high S value in signature could be trivially replaced by S' = 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 - S.
Signatures encode two important values for verification r and S. If (r, S) is a valid signature, then so is (r, -S), which is equivalent to (r, curver_order -S).
-
Maybe I've understood. Before BIP 146, a relay node could invalidate my trx using the higher s value, which is mathematically equals, but it would have result in a completely different trx hash. So low-s value is a care for the trx malleability? – dc_Bita98 Apr 09 '19 at 14:26
-
1Yes, both transactions would be valid, but with different signatures and TX hash. Yes, it's against TX (and TXID) malleability @dc_Bita98 – MCCCS Apr 09 '19 at 15:59