Public key recovery is not something that we really need to perform. All transactions include the public key so there is no need to recover it. The only time such functions are called is for message signature verification, and such an operation is only performed once so it doesn't matter if it takes 1 millisecond or 10!

You're right. There is almost *no* difference between the time spent checking 4 or 16 variants. In any case, I wonder **why** such a helpful function as recovering the public key from a signature is *not* used in Bitcoin transactions?

I suggest introducing a new **OP_RECOVER-PUBKEY-FROM-SIG** instruction which will extract the public key (that is, the X and Y coordinates of the point lying on the **secp256k1** elliptic curve) from an ECDSA signature using the recovery flag and will replace the top stack item.

Thus, the "**scriptPubKey**" output script for P2PK will have the following format:

OP_RECOVER-PUBKEY-FROM-SIG OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

By the way, the first three instructions can be combined into one *OP_P2PK-USING-RECOVERY-FLAG*.

Accordingly, the "**scriptSig**" input script used to redeem coins will look like this:

<sig> <recoveryFlag>

Obviously, the size of the <**recoveryFlag**> component is one byte, so its value is much *smaller* than the size of the <**pubKey**> component. Hence, the size of transactions will be significantly reduced, and as a result, the total number of transactions included in one Bitcoin block can be increased.