Pubkey recovery from ECDSA signature (getting owner's public key from its tx)

[anubisthecracker]

Hi,

following the next topic: https://bitcointalk.org/index.php?topic=6430.0 and I have several newbie questions...

I would like to recover the public key from an address. I think the only way to do it is to check if there is any transaction done, but if a tx is done, then which pubkey is exposed, from the one that sends the money or the one who receives it?

And which is the difference between tx input and tx output. Input is who receives the money and output who emits it?

Also, I had check the bitcoin wiki, and I saw that there is a OP_CHECKSIG opcode: https://en.bitcoin.it/wiki/OP_CHECKSIG which states: "OP_CHECKSIG expects two values to be on the stack. These are, in order of stack depth, the public key and the signature of the script."

I think that the owner's pubkey is not exposed there, so, which pubkey does it refers to?

But I saw that with an ECDSA signature you can recover the original public key.

In that case, the ECDSA signature is from the person who emits the money?

[1715300947]

1715300947

[1715300947]

1715300947

[1715300947]

1715300947

[1715300947]

1715300947

[1715300947]

1715300947

[pooya87]

You can recover possible candidate public keys by having ECDSA signature and the message [hash]. But in bitcoin transactions you don't need to because the public key is already included in any transaction that has a OP_CHECK(MULTI)SIG(VERIFY) op code.
When spending a P2PKH output, the public key is the top stack element when reaching OP_CHECKSIG.
When spending a P2WPKH output, the public key is the second witness item.
When spending a P2PK output, the public key is in the output.
When spending a P2TR output, the public key is a tweaked pubkey in the output (the witness program).
When spending other scripts such as P2SH when you reach any of the above op codes it should be the top stack element or in case of multi signatures there are multiple pubkeys.

then which pubkey is exposed, from the one that sends the money or the one who receives it?

It depends. P2PK outputs are not used anymore but P2TR outputs are new and are used and in both the receiver's public key is revealed (tweaked pubkey in taproot). In most other output scripts only the hash of the receiver's pubkey is used.
But in all cases, one way or another, you will know sender's public key.

And which is the difference between tx input and tx output. Input is who receives the money and output who emits it?

Inputs are the coins being spent and outputs are the new coins being created.
So inputs belong to the sender and outputs belong to receiver.

[anubisthecracker]

Thanks for your quick response!

I have another question, then I cannot know any pubkey from any unspent address, if I understood it correctly it's called utxo?

So, utxo which means unspent transaction output, now I can understand, but correct me if I'm wrong:

So if utxo belongs to output then it means there is a receiver, but if it's unspent it's because there isn't any sender.

But then, the following question assaults me, how is a utxo created, so if I only have a receiver who sent the money? You can create an address from real money? Or what is going on here?

[pooya87]

I have another question, then I cannot know any pubkey from any unspent address, if I understood it correctly it's called utxo?

As I mentioned above it depends on that output's script:
- Most of them (P2PKH, P2SH, P2MS, P2WPKH and P2WSH) only contain a hash and since hashes are not reversible you can't know the message that was hashed (pubkey or script in case of P2SH and P2WSH) without the owner spending from that address.
- But if it is one of the scripts that already contains the public key like P2PK you can easily see the pubkey in the output script. Taproot (P2TR) is slightly different as it contains a tweaked pubkey.

So, utxo which means unspent transaction output, now I can understand, but correct me if I'm wrong:

So if utxo belongs to output then it means there is a receiver, but if it's unspent it's because there isn't any sender.

But then, the following question assaults me, how is a utxo created, so if I only have a receiver who sent the money? You can create an address from real money? Or what is going on here?

Basically each bitcoin transaction contains 2 arrays: txins aka inputs and txouts aka outputs. If the output is not yet spent we call it a UTXO.
The inputs of a transaction and UTXOs from other previous transactions.
You can read more about raw transaction format here: https://developer.bitcoin.org/reference/transactions.html#raw-transaction-format

[anubisthecracker]

Thanks again!

I read the following: "UTXOs are created through the consumption of existing UTXOs. Every Bitcoin transaction is composed of inputs and outputs. Inputs consume an existing UTXO, while outputs create a new UTXO."

And also, there is something called coinbase which is where all root outputs come from.

I have more questions, can an address have spent outputs with a positive balance?

For example, this account has 17 BTC (balance), it has received 20 BTC and sent 3 BTC, then it is pubkey exposed? (I'm unsure if it works like this)

https://www.blockchain.com/btc/address/18yGdLieoWDBrkfFcU6mSJJzNMMfRztDUg

[o_e_l_e_o]

And also, there is something called coinbase which is where all root outputs come from.

The coinbase transaction is the first transaction in each block in which the miner who found that block sends the block reward of (currently) 6.25 BTC brand new bitcoin to themselves, along with the transaction fees collected from all the transactions within that block they just found.

I have more questions, can an address have spent outputs with a positive balance?

Absolutely. If I send two outputs of 1 BTC each to an address, and then spend one of those bitcoin, the address will have used up an output and will still have a balance of 1 BTC.

For example, this account has 17 BTC (balance), it has received 20 BTC and sent 3 BTC, then it is pubkey exposed? (I'm unsure if it works like this)

Yes. To make any transaction the pubkey is exposed. The remaining balance on the address (or lack thereof) is irrelevant.

For the address you have linked, the public key is in uncompressed format and is as follows:

Code:

044188e7b878d0d88872ba579b8bbdb05161d985f4063d520e751340a6ec50d9f62544911e4b2ff1de589e452b7cfd0f786fd58fcdf5ecf80b6405304db173bba5

[anubisthecracker]

The coinbase transaction is the first transaction in each block in which the miner who found that block sends the block reward of (currently) 6.25 BTC brand new bitcoin to themselves, along with the transaction fees collected from all the transactions within that block they just found.

So, if every 2,016 blocks the difficulty increases (I think it doubles), there are 21,000,000/2,016=972.2222 (bits?) of difficulty.
And each difficulty has 12,600 BTC. Interesting.

Also, you mentioned: "along with the transaction fees collected from all the transactions within that block they just found".

Then, you mean that all future tx done by anyone within that block their fees are returned back to the miner that found that block?

Absolutely. If I send two outputs of 1 BTC each to an address, and then spend one of those bitcoin, the address will have used up an output and will still have a balance of 1 BTC.

Yes, I see two world icons on the blockchain page. The one in red is the 3BTC tx that was spent so the balance is taken from the full one (20-3=17BTC).

Yes. To make any transaction the pubkey is exposed. The remaining balance on the address (or lack thereof) is irrelevant.

Why do you say it's irrelevant, I didn't understand, sorry.

For the address you have linked, the public key is in uncompressed format and is as follows:

Code:

044188e7b878d0d88872ba579b8bbdb05161d985f4063d520e751340a6ec50d9f62544911e4b2ff1de589e452b7cfd0f786fd58fcdf5ecf80b6405304db173bba5

And how did you recovered it? I'd like to learn this.

[pooya87]

So, if every 2,016 blocks the difficulty increases (I think it doubles), there are 21,000,000/2,016=972.2222 (bits?) of difficulty.
And each difficulty has 12,600 BTC. Interesting.

Every 2016 blocks the difficulty adjusts so that it takes 2 weeks to mine 2016 blocks. It may go down or up based on how long it took to mine previous 2016 blocks.
The reward for blocks remains the same for 210,000 blocks (about 4 years) and after each 210,000 block the reward is reduces by 50% (cut in half).

Then, you mean that all future tx done by anyone within that block their fees are returned back to the miner that found that block?

Not exactly returned back. When the miner wants to start the work they first construct the block. The steps is including as many transactions in that block as they can until its weight reaches 4000000 units. Then they update the block header (merkle root hash) and the first transaction in that block known as coinbase transaction by updating its output amount to be block reward + sum of fees of all transactions in that block.
Then they start mining it and if they find the correct hash they publish the whole block for the rest of the network to sync.

Why do you say it's irrelevant, I didn't understand, sorry.

Bitcoin is not using a balance-based ledger, it is using an output based ledger. Meaning you only have UTXOs at protocol level and only the wallet or block explorers show "balance" for convenience.

And how did you recovered it? I'd like to learn this.

You simply take any of the outgoing transactions and decode them to get the public key which is located in signature script or inside the witness depending on the output type they are spending.
I think blockchain.com has an API for it too where you entered the address and it gave you the public key if it could but I can't find it anymore.

[stanner.austin]

Hello
api  blockchain.info/q/pubkeyaddr/18yGdLieoWDBrkfFcU6mSJJzNMMfRztDUg
Also you can extract public x,y from R,S,Z if its made output transaction.
Math is "Y = (R*s-G*m)/r"

[anubisthecracker]

Bitcoin is not using a balance-based ledger, it is using an output based ledger. Meaning you only have UTXOs at protocol level and only the wallet or block explorers show "balance" for convenience.

So you mean that explorer shows everything but real balance are the utxo. Then we can assume that this address I share it has 17BTC?

Hello
api  blockchain.info/q/pubkeyaddr/18yGdLieoWDBrkfFcU6mSJJzNMMfRztDUg
Also you can extract public x,y from R,S,Z method is "Y = (R*s-G*m)/r"

Thanks for the API, but to clarify I want to implement it by myself, so I cannot abuse an API for this task. Anything guidance here is welcome!

[BlackHatCoiner]

Note that recovering a public key from an ECDSA signature, alone, is impossible. To compute the public key (without knowing it from the transaction data) you need to know the values r, s and z, where (r, s) represents the signature and z the hash of the message you want to sign.

Also note that recovering a public key from r, s and z is a different (more computationally expensive) procedure than to recover it from the transaction data. When you sign a transaction, you include your signature with your public key.

[o_e_l_e_o]

So you mean that explorer shows everything but real balance are the utxo. Then we can assume that this address I share it has 17BTC?

Correct. The balance of addresses really only exists to make things easier for us to interpret. The protocol deals with individual UTXOs.

Thanks for the API, but to clarify I want to implement it by myself, so I cannot abuse an API for this task. Anything guidance here is welcome!

So let's take the address you linked to, and then look at the transaction where it spends coins: https://mempool.space/tx/4d5cfc3a5d8d81e64235d527ad0521fd92fdaa7e8bf65d73421d5bc999f9b30c

Hit the button titled "Details", and then let's look at the scriptsig (in hex) for any of the inputs (the scriptsig is the same for all three inputs since all three inputs come from the same address):

Code:

47304402207965f47d583936d18267c1a207f5b7884c9dff5ab6b2cda644d078a9692aecd702204f08a3cb3529189e1967bdbdec88cc07a8baf19f0aee777224a37d39c39d0eff0141044188e7b878d0d88872ba579b8bbdb05161d985f4063d520e751340a6ec50d9f62544911e4b2ff1de589e452b7cfd0f786fd58fcdf5ecf80b6405304db173bba5

So let's break this down and see what it is telling us.

47	Push 71 bytes
30	Header byte indicating signature
44	Length of what follows (68 bytes)
02	Header byte for R
20	Length of R (32 bytes)
7965.....ecd7	R
02	Header byte for S
20	Length of S (32 bytes)
4f08.....0eff	S
01	Hashtype byte (SIGHASH_ALL)
------------------------------------	------------------------------------
41	Push 65 bytes
0441....bba5	Pubkey

However, this is just one example for a legacy P2PKH UTXO. Even other P2PKH UTXOs could be a little different as the length of every element is not necessarily fixed, and if the UTXO is of a different format, such as segwit or taproot, then it will be completely different altogether.

[anubisthecracker]

Note that recovering a public key from an ECDSA signature, alone, is impossible. To compute the public key (without knowing it from the transaction data) you need to know the values r, s and z, where (r, s) represents the signature and z the hash of the message you want to sign.

Also note that recovering a public key from r, s and z is a different (more computationally expensive) procedure than to recover it from the transaction data. When you sign a transaction, you include your signature with your public key.

Thanks. I think that by the moment I'm not interested in doing I have Kangaroo implementation of Jean-Luc Pons.

So you mean that explorer shows everything but real balance are the utxo. Then we can assume that this address I share it has 17BTC?

Correct. The balance of addresses really only exists to make things easier for us to interpret. The protocol deals with individual UTXOs.

Thanks for the API, but to clarify I want to implement it by myself, so I cannot abuse an API for this task. Anything guidance here is welcome!

So let's take the address you linked to, and then look at the transaction where it spends coins: https://mempool.space/tx/4d5cfc3a5d8d81e64235d527ad0521fd92fdaa7e8bf65d73421d5bc999f9b30c

Hit the button titled "Details", and then let's look at the scriptsig (in hex) for any of the inputs (the scriptsig is the same for all three inputs since all three inputs come from the same address):

Code:

47304402207965f47d583936d18267c1a207f5b7884c9dff5ab6b2cda644d078a9692aecd702204f08a3cb3529189e1967bdbdec88cc07a8baf19f0aee777224a37d39c39d0eff0141044188e7b878d0d88872ba579b8bbdb05161d985f4063d520e751340a6ec50d9f62544911e4b2ff1de589e452b7cfd0f786fd58fcdf5ecf80b6405304db173bba5

So let's break this down and see what it is telling us.

47	Push 71 bytes
30	Header byte indicating signature
44	Length of what follows (68 bytes)
02	Header byte for R
20	Length of R (32 bytes)
7965.....ecd7	R
02	Header byte for S
20	Length of S (32 bytes)
4f08.....0eff	S
01	Hashtype byte (SIGHASH_ALL)
------------------------------------	------------------------------------
41	Push 65 bytes
0441....bba5	Pubkey

However, this is just one example for a legacy P2PKH UTXO. Even other P2PKH UTXOs could be a little different as the length of every element is not necessarily fixed, and if the UTXO is of a different format, such as segwit or taproot, then it will be completely different altogether.

Thanks for your guidance! Now I have a little bit clearer approach.

Then: https://github.com/graymauser/btcposbal2csv this is correct, I need first utxo that are have the addresses with outputs (so that money can still be spent).

But also, inherent to the extracted addresses we can look if it has spent outputs (it has sent money) and then look for its public key depending on the address type.

But then, this program has something I don't trust on, can two utxo point to the same address? Maybe I'll need to search for duplicates.

And also, I'm feeling like if missing something, like addresses that aren't pointing to any real address, but maybre I'm wrong. I'll like to extract as much as addresses with spendable money as I can and I onoy have like 31M.

But blocksci is powerful, but unmaintained and complex to understand so, Idk what to do more.

Also, this page: http://alladdresses.loyce.club/ gives me a clue that there are more addresses, but every address that existed doesn't mean that has it can be spent or even have balance.

[pooya87]

Thanks. I think that by the moment I'm not interested in doing I have Kangaroo implementation of Jean-Luc Pons.

That's not how you recover public keys from signature and message [hash]!
It's actually a simple process of computing Q = r⁻¹(sR − eG) for R and -R.

So is the Kangroo project the reason why you are looking for public keys? Are you trying to recover "private" key of other people by having their public key?!!

[o_e_l_e_o]

But then, this program has something I don't trust on, can two utxo point to the same address?

Of course. There is no limit to how many UTXOs can be sent to a single address.

And also, I'm feeling like if missing something, like addresses that aren't pointing to any real address

You'll need to clarify what you are asking here since this doesn't make sense.

Are you trying to recover "private" key of other people by having their public key?!!

Certainly looks like that. And here I just thought it was an interested newbie trying to learn.

[anubisthecracker]

That's not how you recover public keys from signature and message [hash]!
It's actually a simple process of computing Q = r⁻¹(sR − eG) for R and -R.

So is the Kangroo project the reason why you are looking for public keys? Are you trying to recover "private" key of other people by having their public key?!!

Yes, I know that's not the way to recover public keys. But I would like to ask, recovering the pubkey from its signature it's really expensive process or not?

Of course. There is no limit to how many UTXOs can be sent to a single address.

Then, I'll need to find duplicates.
EDIT: No, this py program I shared already does that, so isn't neccesary.

You'll need to clarify what you are asking here since this doesn't make sense.

I mean that the only addresses that have money are utxos with a positive balance, everything else isn't worth it.

Certainly looks like that. And here I just thought it was an interested newbie trying to learn.

Well, I'm just a newbie trying to learn. Implementing this thing will require much more knowledge, so you can be relaxed!

Anyways, thanks to both, because nnow I understand blockchain clearly.

[BlackHatCoiner]

But I would like to ask, recovering the pubkey from its signature it's really expensive process or not?

It's considered expensive, but it's not going to take lots of computational effort. See: [Questions] Public key cost comparison.

Then, I¡ll need to find duplicates.

What do you mean duplicates? Addresses that have spent once and still have a balance?

Well, I'm just a newbie trying to learn. Implementing this thing will require much more knowledge, so you can be relaxed!

Perhaps you're using Google Translate as this neither makes sense.

[anubisthecracker]

What do you mean duplicates? Addresses that have spent once and still have a balance?

Addresses that are duplicated on the list. But I edited my last post, all the addresses I crawled are not duped because the program was storing all addrs in a map.

Perhaps you're using Google Translate as this neither makes sense.

No, I don't.

[o_e_l_e_o]

But I would like to ask, recovering the pubkey from its signature it's really expensive process or not?

Not hugely for a handful of addresses. You need to hash the message if you don’t already have the hash, calculate the multiplicative inverse of r, and some elliptic curve multiplication, but the rest is pretty trivial. Different if you want to do it for millions of messages/signatures. You would only need to do this to recover the public key from a signed message which was not a transaction though, since with transactions the public key is revealed anyway.

I mean that the only addresses that have money are utxos with a positive balance, everything else isn't worth it.

The only addresses which have money are addresses which contain unspent UTXOs. You can't deduct part of a balance from a UTXO like you can with an address. You either spend the entire UTXO or you spend none of it.

[anubisthecracker]

Thanks for your response,

I have done some research, this repositories has interesting methods:

- https://github.com/bitcoin-core/btcdeb/blob/master/doc/btcdeb.md
- https://github.com/yogh-io/bitcoin-transaction-explorer (in Java)

But the one that I think is the best, is this: https://github.com/Bit-Wasp/bitcoin-p2p-php/issues/29 (the problem is that the code has changed a lot since 2015, so I'll be researching on this).

It can run on top of the bitcoind, so I can be interesting because I don't need to stop it.