recovery bit and compact signature

[wighawag]

Hey, I got a question about the api for signatures

When I get a signature from calling secp256k1.sign(msgHash, priv); I get a signature object

Then if I call sig.toCompactHex(); or sig.toDERHex(); and try to recover the signature object from the resulting string with secp256k1.Signature.fromCompact( or secp256k1.Signature.fromDER the signature object is missing the recovery id

Does this means I should also save it along the result of sig.toCompactHex and add it back with addRecoveryBit ? or am I using the api wrong somehow ?

[paulmillr]

1. Recovery bit is only used for recovering public key from a signature
2. It is not used in verification
3. We don't know how to serialize it, and there is no standard. Any custom format will break compatibility with other libraries.

If you want to recover keys while passing it along hexed, you can invent your own format, for example, just prepend it to compact hex.

[nflatrea]

It depends on the signature format, usually in ECC the signature is represented as a ScalarPoint in the curve, x and y. Some tools serialize is in base64. For public keys, you have something called SEC1 format. The latter is like this :

04 for uncompressed key + X coord bytes + X coord bytes 02 for compressed key with even Y coord + X coord bytes 03 for compressed key with odd Y coord + X coord bytes

This format can be very convenient for compressing and deflating keys, keeping it at 33 bytes

You could typically find some format close to this based on a prefix with your recovery bits and signature. But be aware that the recovery bit is never used in the signature-verification process. I don't know if the signature can be compressed, the only requirement is that the point is on the curve.

Good luck.