Bitcoin Forum
Author Topic: Help:How convert the high S signature value to the low S signature value?  (Read 257 times)
carter2006 (OP)
April 13, 2020, 10:35:11 AM
Merited by Last of the V8s (1)
 #1

When I used Brainwallet to create offline Bitcoin transactions, I generated the raw transaction, and when I submitted it to https://blockchain.info/pushtx for broadcasting, I received an error message: "Code: -26, Error: non-mandatory-script-verify-flag (Non-canonical signature: S value is unnecessarily high) (code 64)". I searched the Internet for a solution, and it says I only need to convert the high S value of the signature into a low S value. So how do I convert from high S to low S?
cryptomaniac_xxx
April 13, 2020, 01:08:22 PM
 #2

I don't know if this old thread can help you out, Bitcoin pushTx fail - Non-canonical signature.
akhjob
April 13, 2020, 03:35:35 PM
 #3

I think you can find the answer in this thread - https://bitcointalk.org/index.php?topic=5226185.0 and I believe this answers your query

Quote
Ok I'm back!

The problem is
Code:
openssl dgst -sha256 -hex -sign chiave_priv_3.pem a.txt
In that way I do another SHA256! I did SHA256 3 times!

To resolve this issue, I can do something like
Code:
$ openssl pkeyutl -inkey chiave_priv_3.pem -sign -in a.txt -pkeyopt digest:sha256 | xxd -p -c 256
or I can do single SHA256 and apply another SHA256 with openssl
Code:
$ printf 0200000001e2a8148889a8ec60fd9d28564ed8996bf7ffd6b11388ed9c044d2c250088d83b000000001976a914d2bb7890f3f6356d89673367b44e9a7d0265009188acffffffff01c0e4022a010000001976a914824441111b374bec1952a5b3fa9dd4e3ed679b3888ac0000000001000000 | xxd -r -p | sha256sum -b | xxd -r -p > a.txt
$ openssl dgst -sha256 -hex -sign chiave_priv_3.pem a.txt

I prefer the first solution!

About "mandatory-script-verify-flag-failed (Non-canonical signature: S value is unnecessarily high) (code 16)" it's more complicated than that.
I converted the S (DER signature) to base 10. (It's another signature, not the same as in the thread, sorry, but I have my notes.)
For example:
Code:
$ s=`echo "ibase=16; $(printf 00f00e64e164ce4fee984165ba8205a8544ece37458006687cdaa53d4e6e1859bc  | tr '[:lower:]' '[:upper:]')" | bc |  tr -d '\n' | tr -d '\' | awk '{print $1}'`
$ echo $s
108580515770129610852831425129233053758690240817412348750872366071983533218236

Then convert N to base 10, and get N/2
Code:
$ N=`echo "ibase=16;FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141" | bc  |  tr -d '\n' | tr -d '\' | awk '{print $1}'`
$ echo $N
108580515770129610852831425129233053758690240817412348750872366071983533218236

$ N2=`echo "$N/2" | bc |  tr -d '\n' | tr -d '\' | awk '{print $1}'`
$ echo $N2
57896044618658097711785492504343953926418782139537452191302581570759080747168

You can find very cool stuff if you search 108580515770129610852831425129233053758690240817412348750872366071983533218236 or 57896044618658097711785492504343953926418782139537452191302581570759080747168 on Google.

Now I check whether s is greater than N/2; if it is, I need to subtract it (N - s).
Code:
$ s=`echo "$N - $s" | bc |  tr -d '\n' | tr -d '\' | awk '{print $1}'`  
$ echo $s
7211573467186584570739559879454854094147323461662555631732797069534628276101

Convert the result to base16
Code:
$ s=`echo "obase=16;$s" | bc`
$ echo $s
E2412F237BCDCA1AD1AD7DA1075D8C0AD258A07066D695F99DEA0AAEC7034A4

Sometimes you can get odd bytes, in that case I have 63 hex.
Code:
$ printf FF19B1E9B31B01167BE9A457DFA57AA6BE0A5A12F4237BEE52D213E621DE785 | wc -c
  63
It's very similar when you get seed phrase, if you don't have a block of 11 bits, you need to add some "padding", then I add 0 at the beginning.

Code:
s=0FF19B1E9B31B01167BE9A457DFA57AA6BE0A5A12F4237BEE52D213E621DE785

Now I can make a "new" DER signature, replace the old s with the new one, calculate the length of it and the length of signature!
And it works!
I hope to help someone!
Thanks to Andrew Chow and BrewMaster for your time guys
(English is not my mother tongue; please excuse any errors on my part)
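
The procedure in the post above (compare s with N/2, replace it with N - s, then rebuild the DER signature and its length bytes), written out as an added Python example that is not part of the original thread. It assumes the input is only the DER part of the signature, without the trailing sighash-type byte Bitcoin appends in a script; the function names are illustrative. Working on whole bytes avoids the odd-length hex problem mentioned in the post.

```python
from __future__ import annotations

# secp256k1 group order N (the hex constant used in the post above)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = N // 2


def read_int(buf: bytes, pos: int) -> tuple[int, int]:
    """Read one DER INTEGER (tag 0x02) at pos; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER tag 0x02")
    length = buf[pos + 1]
    end = pos + 2 + length
    if not 1 <= length <= 33 or end > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[pos + 2:end], "big"), end


def der_int(value: int) -> bytes:
    """Encode a positive integer as a minimal DER INTEGER."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # top bit set: prefix 0x00 so it stays positive
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw


def encode_der(r: int, s: int) -> bytes:
    """Build 0x30 <total length> INTEGER r INTEGER s."""
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def parse_der(sig: bytes) -> tuple[int, int]:
    """Return (r, s), rejecting wrong lengths, trailing bytes and bad ranges."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE with a matching length byte")
    r, pos = read_int(sig, 2)
    s, pos = read_int(sig, pos)
    if pos != len(sig) or not (0 < r < N and 0 < s < N):
        raise ValueError("trailing bytes, or r/s outside 1..N-1")
    return r, s


def to_low_s(sig_hex: str) -> str:
    """Return the signature with s replaced by N - s when s > N/2."""
    r, s = parse_der(bytes.fromhex(sig_hex))
    if s > HALF_N:
        s = N - s
    return encode_der(r, s).hex()
```

A signature whose s is already at most N/2 comes back unchanged, so the function can be applied to any DER signature before broadcasting.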



pooya87
April 14, 2020, 06:43:52 AM
 #4

the solution is that you use a wallet or library that is designed for bitcoin and is popular enough to be reviewed and have no bugs (popular wallets such as bitcoin core and electrum are some examples) then you will never face such problems.

if you just want to learn here is how things work:
if `s` value is bigger than curve's N/2 then you have to simply replace `s` with `-s`. but in modular arithmetic, by contract, we only report positive numbers that are already reduced to be in range so instead of `-s` we use the congruence `n-s`. this is done to solve one of the cases that can cause malleability.

imagine n is 7 and s is 6:
since 6 > 7/2 we use -6
and since -6 ≡ 1 (mod 7) we use 1 instead.

that's how modular arithmetic works:
... -13 ≡ -6 ≡ 1 ≡ 8 ≡ 15 ≡ 22 ≡ 29 ... (mod 7)

carter2006 (OP)
April 14, 2020, 12:15:38 PM
 #5

I really appreciate everybody's help, but I don't know much about technology, so I was wondering if there is a simple conversion script or tool or something that can do this?
Chikito
April 14, 2020, 12:50:54 PM
 #6

Quote
so I was wondering if there is a simple conversion script or tool or something that can do this?
Better to try that suggestion, learning it all step by step. Using third-party tools whose source you don't know is dangerous.

akhjob
April 14, 2020, 02:22:08 PM
 #7

Quote
the solution is that you use a wallet or library that is designed for bitcoin and is popular enough to be reviewed and have no bugs (popular wallets such as bitcoin core and electrum are some examples) then you will never face such problems.
Trying to educate myself here.
Are you claiming that usage of Brainwallet to create the offline transaction was a wrong idea instead of using Electrum or Bitcoin Core?
Or the usage of blockchain.info to broadcast the raw transaction, a wrong idea? If this is the case, will the issue be resolved if he broadcast the raw transaction using Electrum or Bitcoin Core?
pooya87
April 15, 2020, 04:27:47 AM
Merited by akhjob (1)
 #8

Quote
the solution is that you use a wallet or library that is designed for bitcoin and is popular enough to be reviewed and have no bugs (popular wallets such as bitcoin core and electrum are some examples) then you will never face such problems.
Trying to educate myself here.
Are you claiming that usage of Brainwallet to create the offline transaction was a wrong idea instead of using Electrum or Bitcoin Core?
yes, tools such as "Brainwallet" are never supposed to be used for anything security critical such as signing a transaction. they may even leak your private key without you knowing it (eg. reusing k). and OP's example is good evidence that it obviously has bugs.

Quote
Or the usage of blockchain.info to broadcast the raw transaction, a wrong idea? If this is the case, will the issue be resolved if he broadcast the raw transaction using Electrum or Bitcoin Core?
no, that part doesn't make any difference. when the transaction is already signed then it doesn't matter (security-wise) how you broadcast it to the network. when using blockchain.com you are connecting to a bitcoin node through a web interface.
