Computing recovery id for ECDSA signature

taurushq-io / multi-party-sig

Implementation of protocols for threshold signatures

Apache License 2.0

308 stars 117 forks source link

Computing recovery id for ECDSA signature #82

Open tmpfs opened 1 year ago

tmpfs commented 1 year ago

The type ecdsa.Signature included R and S but no recovery id (or v) value which would be required for ethereum-style recoverable signatures.

If memory serves correctly v is just whether the y co-ordinate for the point is negative but looking at the Point type I can't see any way to compute this easily.

Any advice on how we could compute the recovery id for ecdsa.Signature please?

tmpfs commented 1 year ago

My bad, I just saw HasEvenY on Secp256k1Point: https://github.com/taurusgroup/multi-party-sig/blob/v0.6.0-alpha-2021-09-21/pkg/math/curve/secp256k1.go#L260

valli0x commented 1 year ago

@tmpfs I was able to get the value of v and send tx- signature := signResult.(*ecdsa.Signature)

r, _ := signature.R.MarshalBinary()
s, _ := signature.S.MarshalBinary()
rs := make([]byte, 0)

rs = append(rs, r...)
rs = append(rs, s...)

v := rs[0] - 2
copy(rs, rs[1:])
rs[64] = v

but I got another error - Invalid Signature: s-values greater than secp256k1n/2 are considered invalid https://eips.ethereum.org/EIPS/eip-2 - paragraph 2 https://ethereum.stackexchange.com/questions/55245/why-is-s-in-transaction-signature-limited-to-n-21

valli0x commented 1 year ago

the value of v has been changed in the MarshalBinary function: https://github.com/taurusgroup/multi-party-sig/blob/d44e9838043a4bd8ecaf9b7471b80ee8a952a81d/pkg/math/curve/secp256k1.go#L199-L210