Segwit Bitcoin Transaction Signing

Question

As I could understand, we can recover the R and the S values from any transaction following the ScriptSig where we have DER serialization.

Segwit transactions, where the signature will be in the witness section, recovering R and S follow the same steps?
If I use the compressed public key (starting with 0x02 or 0x03) how can I verify the signature, since I don't have the Y coordinate of the public key?
For multi-sig transactions using P2SH as I understand we need to sign with the first key, then get the output transaction with the first signature and sign it with the other key, but using the signature math we use the hash of the message which is the txId, but on segwit the txid will not change after signing since the witness is not counting as part of the hash for txid?

Any other thing that I should look when signing a transaction?

score 1 · Answer 1 · answered Feb 19 '20 at 17:45

Yes
Most of crypto-libraries have the verify method. You can pass the compressed public key as an input. BTW, it is possible to recover Y part from compressed public key
No. For multisig P2SH (and any other type) we (a)calculate the digest, (b)sign this digest with private keys and (c)create the final transaction from all parts. We do not need to use any signatures on step (b) as a source for calculations

Any other thing that I should look when signing a transaction?

On 2. I am not using any libraries, how can I recover the Y part using just the compressed key? On 3, what would be this digest? — Allan Romanato, Feb 19 '20 at 17:48

Coding Enthusiast · Accepted Answer · 2020-02-19T18:07:47.910

1

In any transaction you'll have the signature inside scriptsig using a push OP to indicate its length and in a SegWit tx you'll have it as a witness item with a CompactInt to indicate its length. After extracting the signature it is only a matter of decoding DER.
To get the full (x,y) coordinates you have to use the elliptic curve equation (y^2 = x^3 + ax + b) to compute y by only having x. ECDSA x,y coordinate validity verification doesn't seem to work
To sign a transaction, a modified serialization is always used as the data to be hashed and then signed not the original transaction (in other words the resulting hash will be different from txid). This is true for all standard scripts such as P2PK, P2PKH, P2SH, P2WPKH, P2WSH,... The only difference is the modification and serialization. In legacy ones (the first 3) the procedure is described in OP_CheckSig on bitcoin wiki and the SegWit ones are defined in BIP-143.

edited Feb 19 '20 at 18:07

answered Feb 19 '20 at 17:49

Coding Enthusiast

Using this equation is just simple math like y = sqrt(xˆ3+0+7)? – Allan Romanato Feb 19 '20 at 17:51
1

Not exactly. sqrt is modular square root not a normal square root. A fast way to compute it for bitcoin curve is to find the result of ModPow(a, (p+1)/4, p) – Coding Enthusiast Feb 19 '20 at 17:53
So it is a normal square root that I have to use right? – Allan Romanato Feb 19 '20 at 17:57
What is the meaning of this equation ModPow(a, (p+1)/4, p) – Allan Romanato Feb 19 '20 at 17:59
1

It means find the result of (a ^ ((p+1)/4)) % p where a is the result of the right side of the equation (y_squared) or xˆ3+7. Usually BigInteger classes in different languages have ModPow methods, in .Net it is BigInteger.ModPow, in python it is pow(val, val, val) that takes 3 values. – Coding Enthusiast Feb 19 '20 at 18:03

2 Answers2