[ad_1]

The verification equation for ECDSA is

```
X coordinate of ((z/s)G + (r/s)Q) mod n = r
```

The place the divisions occur modulo the order of the curve (*n*), and *z* is the message hash (taken modulo *n* once more). Additionally, whereas the X coordinate that comes out is a quantity within the area *GF(p)* (not *GF(n)*), it’s interpreted as an integer, after which taken modulo *n* earlier than comparability with *r*.

If it so occurs that you’ve got a pair *(r, s)* that satisfies this equation, then substituting *-s* (which equals *n-s* modulo *n*) offers:

```
( (z/(-s))G + (r/(-s))Q)
```

As a result of the truth that in elliptic curve multiplication it holds that `(-a)P = -(aP)`

(the place the primary `-`

is an integer negation modulo `n`

, and the second `-`

is elliptic curve level negation), it follows that:

```
= (-(z/ s) G + -(r/ s )Q)
= -( (z/ s) G + (r/ s )Q)
```

In different phrases, the result’s the (level) negation of the `((z/s)G + (r/s)Q)`

that seems within the regular formulation. Negating an elliptic curve level solely modifications its Y coordinate, not its X coordinate, so the consequence may have the identical X coordinate, `r`

, and thus the verification equation will even succeed for the signature with negated `s`

.

Word that in Bitcoin there’s a coverage rule that each `s`

must be between `0`

and `n/2`

, disallowing one of many two variants.

[ad_2]