TX signature verification (derive z value with TX having mutiple inputs)

[akaki]

Hello,

I would like to verify a signature for a given input of a transaction having multiple inputs and 1 output.
My calculations work in case of 1 input and 1 output.

My question is close to the one in this topic: https://bitcointalk.org/index.php?topic=5327054.0/ However, I still need help to know where I make errors.


For example, let's consider this TX=3c457f53a327aec79a851b19679bd9a2825d848f3bf11c2f9785375c9818b201
I tried to check the signature (s) for the first input.

From the raw transaction, I was able to fill the fields that make the message (m):

version                                                     01000000

Inputs count (=2*UTXO)                            02
1st UTXO
     previous TX hash                                  2cce4dc9e7a2de90bacf13073c1b256c714c73f5f42f8d28d291ae40c58b0f21
     index of UTXO in previous TX                 00000000
     scriptSig (with prev. TX scriptPubKey)    19+76a914+e3e67d92d6334b0274beb908067eddd09d37900d+88ac+ffffffff
2nd UTXO
     previous TX hash                                 1e4f4d473a0488f3afccecf7e4facb09f1ef67975c6901af001663c79823437c
     index of UTXO in previous TX                00000000
     scriptSig (empty)                                 01+00+ffffffff

Output count                                            01
Value of 1st UTXO (=14791 Satoshis)         C739000000000000
Output script                                            19+76a914+232fc87e0fb5171b82bace360eed8e35ae59f056+88ac
lock time + hash code type                        00000000+01000000

I'm not sure about the fields, nor about their contents, so I need confirmation or correction ! Assuming it's OK, than we concatenate all:

m=01000000022cce4dc9e7a2de90bacf13073c1b256c714c73f5f42f8d28d291ae40c58b0f21000000001976a914e3e67d92d6334b0274beb908067eddd09d37900d88acffffffff1e4f4d473a0488f3afccecf7e4facb09f1ef67975c6901af001663c79823437c000000000100ffffffff01C7390000000000001976a914232fc87e0fb5171b82bace360eed8e35ae59f05688ac0000000001000000

z=double_sha256(m)
 =b83840d74ed30ec294a62cb3606fb860630b1a675f73d8b31375c5bb2d97dd9a

and we know:
r=2b269ced03190b5933d84e3147b215ebb96e353aca78814af507633e6c0a06d8
s=731cf71abcd0f50640ba94751da00e4a101d22d2fa4ab4dc65821edacc99864401
Public key (calculated from compressed form)   X=5d88794d2312098c661a6d12d1cd423bc2e2f6cc309ebcd3d710270d50e30d7f
                                                                     Y=1d247221f5b6f08b1a7158def26407db1d766bba0b8a54c82c7941e043925cc1


r_calc= (h * s_inv) * G + (r * s_inv) * pubKey
         =106765858465750765076100522084960429065592682877327173698145890404372588967248 ≠r (NOK  )

I'm sure about the implementation of last formula using ecdsa bceause it works with a single input transaction. Thus, the probleme is in the fields and/or their filling.

Regards,

Akaki

[bitcoinbeto]

I made a little debugging with bitcoin-java library, with the help of blockstream api, to obtain the full hex of the transaction, and obtained the following:

m=01000000022cce4dc9e7a2de90bacf13073c1b256c714c73f5f42f8d28d291ae40c58b0f21000000001976a914e3e67d92d6334b0274beb908067eddd09d37900d88acffffffff1e4f4d473a0488f3afccecf7e4facb09f1ef67975c6901af001663c79823437c0000000000ffffffff01d0390000000000001976a914232fc87e0fb5171b82bace360eed8e35ae59f05688ac0000000001000000

z=b7855748a719df6a358a6d4d83b47d6848403830481273eb81a1cde1a32343f8

So, if my m is correct, the mistake is in the 2nd input scriptSig field and the value.

[pooya87]

I'm not sure about the fields, nor about their contents, so I need confirmation or correction !

Then you should start at the beginning and first learn what each of those fields mean and how they are encoded.
https://developer.bitcoin.org/devguide/transactions.html
https://developer.bitcoin.org/reference/transactions.html#raw-transaction-format

     scriptSig (empty)                                 01+00+ffffffff

Value of 1st UTXO (=14791 Satoshis)         C739000000000000

You have 2 mistakes.
1. Your signature script is not empty, it is OP_0. You should set it to empty.
That is why I said you should start at the beginning. Each script has a length (yours is 0x01 byte) followed by the script as bytes (your script is 0x00). To set it to empty you have to set the length to 0 and not have any extra bytes.

2. You changed the amount from 14800 to 14791.

[akaki]

Thanks pooya87 and bitcoinbeto. It solved it.