Elliptic Curve Signatures

Let's dig into when, where, and how Bitcoin uses elliptic curve signatures in transactions. This chapter covers the importance of signatures to transactions, the three purposes these signatures serve, and how they are applied.

Digital Signatures (ECDSA)

How Digital Signatures Work

A digital signature is a mathematical scheme that consists of two parts. The first part is an algorithm for creating a signature from a message (the transaction) using a private key (the signing key). The second part is an algorithm that allows anyone to verify the signature, given the message and a public key.

 

Creating a digital signature 

In bitcoin's implementation of the ECDSA algorithm, the "message" being signed is the transaction, or more accurately a hash of a specific subset of the data in the transaction. The signing key is the user's private key. The result is the signature:

Sig = F_{sig}(F_{hash}(m), d_A)

where:

  • d_A is the signing private key
  • m is the transaction (or parts of it)
  • F_{hash} is the hashing function
  • F_{sig} is the signing algorithm
  • Sig is the resulting signature

More details on the mathematics of ECDSA can be found in ECDSA Math.

The function Fsig produces a signature Sig that is composed of two values, commonly referred to as R and S:

Sig = (R, S)

Now that the two values R and S have been calculated, they are serialized into a byte-stream using an international standard encoding scheme called the Distinguished Encoding Rules, or DER.

 

Serialization of signatures (DER)

Let's look at the transaction Alice created again. In the transaction input there is an unlocking script that contains the following DER-encoded signature from Alice's wallet:

3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e381301

That signature is a serialized byte-stream of the R and S values produced by Alice's wallet to prove she owns the private key authorized to spend that output. The serialization format consists of nine elements as follows:

  • 0x30 – indicating the start of a DER sequence
  • 0x45 – the length of the sequence (69 bytes)
  • 0x02 – an integer value follows
  • 0x21 – the length of the integer (33 bytes)
  • R – 00884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb
  • 0x02 – another integer follows
  • 0x20 – the length of the integer (32 bytes)
  • S – 4b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813
  • A suffix (0x01) indicating the type of hash used (SIGHASH_ALL)

See if you can decode Alice's serialized (DER-encoded) signature using this list. The important numbers are R and S; the rest of the data is part of the DER encoding scheme.
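
One way to work through the decoding exercise above in code (an added example, not from the original chapter): a small Python parser for the nine-element layout, run on Alice's signature as printed on this page. The function names and the strictness checks (exact lengths, no negative or over-padded integers, no trailing bytes) are this example's own choices.

```python
# Added example (not from the original chapter): parser for the DER layout above.
# Function names and the strictness checks are choices made for this example.
ALICE_SIG_HEX = (  # Alice's signature exactly as printed on this page
    "3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb"
    "02204b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e381301"
)

SIGHASH_ALL = 0x01


def _read_der_integer(buf: bytes, pos: int) -> tuple[int, int]:
    """Read one DER INTEGER at buf[pos:]; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected 0x02 integer marker")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or length > 0x7F or len(body) != length:
        raise ValueError("bad integer length")
    if body[0] & 0x80:
        raise ValueError("negative integer (missing 0x00 padding)")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal integer (unneeded 0x00 padding)")
    return int.from_bytes(body, "big"), pos + 2 + length


def parse_signature(sig_hex: str) -> dict:
    """Split a serialized signature into R, S and the trailing hash-type byte."""
    raw = bytes.fromhex(sig_hex)
    if len(raw) < 9:
        raise ValueError("too short to hold two integers and a hash type")
    der, sighash = raw[:-1], raw[-1]  # the suffix byte is not part of the DER
    if der[0] != 0x30:
        raise ValueError("expected 0x30 sequence marker")
    if der[1] != len(der) - 2:
        raise ValueError("sequence length does not match the data")
    r, pos = _read_der_integer(der, 2)
    s, pos = _read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after S")
    return {"seq_len": der[1], "r": r, "s": s, "sighash": sighash}


if __name__ == "__main__":
    sig = parse_signature(ALICE_SIG_HEX)
    print(f"sequence length: {sig['seq_len']} bytes")
    print(f"R = {sig['r']:064x}")
    print(f"S = {sig['s']:064x}")
    print(f"hash type = 0x{sig['sighash']:02x}")
```

The leading 0x00 byte of R disappears when the value is read as an integer: it is there only because the first byte of R (0x88) has its high bit set, and DER would otherwise treat the number as negative.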