I want to verify the validity of a transaction
Signing a tx
In order to sign a tx, I need:
- <privKey>, Random Number = RN and the hash of tx = txHash
To sign the tx I must publish the <pubKey> = <privKey> * G = (X, Y)
where G is the Generator point
and I also must publish a signature = <sig> = (r,s)
where s is a random number:
generate a random number RN, and compute s = RNx like this:
RN * G = (RNx, RNy)
and r is a signature factor built with txHash, RNx, <privKey> and RN
then the signature script <sigScript> = <sig> + <PubKey> = (r,s) + (X,Y)
Verify a tx
If I have all the information r, s = RNx, RNy, X, Y, I can sign a tx and verify its validity with my script
BUT in a Bitcoin transaction sometimes X and Y are given: 04 X Y
and sometimes only X is given: 02 X or 03 X
also only s = RNx is given and not RNy.
So in order to verify a tx, I need to compute Y and RNy
Question 1) Is there a way to do it without Y and/or RNy?
Question 2) There is a simplified algorithm to find Y when
computing square roots mod p when p = 3 (mod 4).
I checked that this condition is satisfied with the p used in Bitcoin.
Am I correct? Can I use this algorithm?
If p = 3 (mod 4), the solution of y^2 = x^3 + 4 = a (mod p)
has the form y = a^(k+1)
Proof: if p = 4k+3, set y = a^(k+1) mod p; then
y^2 = a^(2k+2) = a^(2k+1) a = a^((p-1)/2) a = a (mod p)
by Euler's Criterion. So y = a^(k+1) is a solution.
Question 3) Is there a risk of collision when finding Y or RNy?
In a simple example (http://www.royalforkblog.com/2014/09/04/ecc/)
p = 29 and privKey = 7 => 7 * G = (17,9)
If I only have X = 17 I have 2 choices for Y: (17,9) or (17,20)
Thanks
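
The square-root shortcut asked about in Question 2 and the two-candidate choice in Question 3, as an added example that is not part of the original post: it recovers Y from a 02/03-prefixed key on secp256k1, whose equation is y^2 = x^3 + 7 (mod p), and uses the prefix parity to pick between y and p - y. The function names are hypothetical, and the only sample input is the standard generator point G.

```python
# Added example: recover Y from a compressed secp256k1 public key (02/03 || X).
P = 2**256 - 2**32 - 977   # secp256k1 field prime, P = 4k + 3
B = 7                      # curve equation: y^2 = x^3 + 7 (mod P)
# Standard generator point G, used here as sample input.
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def sqrt_mod_p(a):
    """Return y with y^2 = a (mod P) via y = a^(k+1), where k + 1 = (P + 1) / 4."""
    if P % 4 != 3:
        raise ValueError("shortcut only valid when P = 3 (mod 4)")
    y = pow(a, (P + 1) // 4, P)
    # Euler's criterion only holds for quadratic residues, so verify the result.
    if y * y % P != a % P:
        raise ValueError("x is not the abscissa of any curve point")
    return y


def decompress(pubkey: bytes):
    """Parse 04||X||Y or 02/03||X and return the affine point (x, y)."""
    if len(pubkey) == 65 and pubkey[0] == 0x04:
        x = int.from_bytes(pubkey[1:33], "big")
        y = int.from_bytes(pubkey[33:], "big")
    elif len(pubkey) == 33 and pubkey[0] in (0x02, 0x03):
        x = int.from_bytes(pubkey[1:], "big")
        if x >= P:
            raise ValueError("X out of range")
        y = sqrt_mod_p((pow(x, 3, P) + B) % P)
        # Prefix 02 means Y is even, 03 means Y is odd. P is odd, so y and
        # P - y always differ in parity and exactly one of them matches.
        if (y & 1) != (pubkey[0] & 1):
            y = P - y
    else:
        raise ValueError("unknown public key encoding")
    # Reject coordinates that do not satisfy the curve equation.
    if x >= P or y >= P or (y * y - pow(x, 3, P) - B) % P != 0:
        raise ValueError("point is not on the curve")
    return x, y


if __name__ == "__main__":
    compressed_g = b"\x02" + GX.to_bytes(32, "big")
    print(decompress(compressed_g) == (GX, GY))
```
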