Closed hea9549 closed 4 months ago
The recovery bit is important for proper recovery. That’s the whole point of it. You need to store it somewhere after the signature is done if you want to restore it. That’s what Ethereum does.
@paulmillr then, you mean that it is theoretically correct to verify a single signature with two public keys?
Correct, it's called "Exclusive Ownership", and ECDSA does not have this property.
verif 0 02260e3fa4c347cccdcc12e86e2f1a543f679648a31d0b26484da39f75b16b0be0 true
verif 1 03761c025b761d7a7c6d4bfd8d944975915e3d4879a2fead6e4417bdfe5de0ac36 true
EdDSA (ed25519) does not suffer from that problem, when implemented properly.
I tried to recover the public key from a P256 signature. With 2 recovery ids (0, 1), the signature yields 2 public keys. I then tried to verify the signature with each public key, and verification succeeded for both keys.
Isn’t it correct that only one of the two should succeed? Or is there some cryptographic knowledge I don't know about? Is it correct that both public keys succeed? I attach the data I used below.
original public key
Signature
Recovered Public Key
and both keys succeed in verifying the above signature (3046022100cf4f4....).
In order to extract the correct public key from the signature, I obtained the public keys corresponding to all recovery IDs (0 to 3, a total of 4) and verified the signature with each of them to find the one that succeeds. However, both public keys successfully verified the signature. I'm curious about this.
Below is the code where I experimented with this process.
Thank you for your interest in my problem.
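The behaviour discussed in this thread, as an added example that is not part of the original issue and is not the library's own code: a plain BigInt implementation of P-256 ECDSA showing that recovery ids 0 and 1 give two different public keys and that both verify the same signature, because verification compares only the x-coordinate that R and -R share. The private key, nonce and message hash are constructed values, the nonce is fixed only for reproducibility, and recovery ids 2 and 3 are left out.

```javascript
// P-256 domain parameters (public constants). Demo-only math: not constant-time.
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n;
const A = P - 3n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;
const G = { x: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
            y: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n };
const mod = (a, m) => ((a % m) + m) % m;
function powMod(b, e, m) {
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}
const inv = (a, m) => powMod(a, m - 2n, m); // Fermat inverse, m is prime
const neg = (pt) => pt && { x: pt.x, y: mod(-pt.y, P) };
function add(p, q) { // affine addition, null = point at infinity
  if (!p || !q) return p || q;
  if (p.x === q.x && mod(p.y + q.y, P) === 0n) return null;
  const l = p.x === q.x ? (3n * p.x * p.x + A) * inv(2n * p.y, P)
                        : (q.y - p.y) * inv(q.x - p.x, P);
  const x = mod(l * l - p.x - q.x, P);
  return { x, y: mod(l * (p.x - x) - p.y, P) };
}
function mul(k, pt) { // double-and-add scalar multiplication
  let r = null;
  for (k = mod(k, N); k > 0n; k >>= 1n, pt = add(pt, pt)) if (k & 1n) r = add(r, pt);
  return r;
}
function sign(z, d, k) { // k is fixed by the caller only to make the demo reproducible
  const r = mod(mul(k, G).x, N);
  return { r, s: mod(inv(k, N) * (z + r * d), N) };
}
function verify(z, { r, s }, Q) { // compares only the x-coordinate of u1*G + u2*Q
  const w = inv(s, N), X = add(mul(z * w, G), mul(r * w, Q));
  return X !== null && mod(X.x, N) === r;
}
function recover(z, { r, s }, recId) { // recId 0/1 = parity of R.y; assumes R.x == r
  let y = powMod(r * r * r + A * r + B, (P + 1n) / 4n, P); // sqrt, valid since P % 4 == 3
  if ((y & 1n) !== BigInt(recId)) y = P - y;
  return mul(inv(r, N), add(mul(s, { x: r, y }), neg(mul(z, G)))); // r^-1 * (s*R - z*G)
}
function demo() { // constructed private key d, nonce k and message hash z
  const d = 0x1f2e3d4c5b6a79881f2e3d4c5b6a79881f2e3d4c5b6a79881f2e3d4c5b6a7988n;
  const k = 0x0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9n;
  const z = 0x9c56cc51b374c3ba189210d5b6d4bf57790d351c96c47c02190ecf1e430635abn;
  const Q = mul(d, G), sig = sign(z, d, k), cands = [0, 1].map((id) => recover(z, sig, id));
  const valid = cands.map((c) => verify(z, sig, c)); // both entries are true
  return { z, sig, cands, valid, signerId: cands.findIndex((c) => c.x === Q.x && c.y === Q.y) };
}
```

Only `signerId`, the stored recovery bit, tells the signer's key apart from the other candidate; trial verification cannot.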