The Signature Prefix Value (v) and Public Key Recovery

As mentioned in The Structure of a Transaction, the transaction message doesn’t include a “from” field. That’s because the originator’s public key can be computed directly from the ECDSA signature. Once you have the public key, you can compute the address easily. The process of recovering the signer’s public key is called public key recovery.

Given the values r and s that were computed in ECDSA Math, we can compute two possible public keys.

First, we compute two elliptic curve points, R and R**’, from the x coordinate r value that is in the signature. There are two points because the elliptic curve is symmetric across the x-axis, so that for any value x there are two possible values that fit the curve, one on each side of the x-axis.

From r we also calculate r-1, which is the multiplicative inverse of r.

Finally, we calculate z, which is the n lowest bits of the message hash, where n is the order of the elliptic curve.

The two possible public keys are then:

  • K1 = r–1 (sRzG)

and:

  • K2 = r–1 (sR‘ – zG)

where:

  • K1 and K2 are the two possibilities for the signer’s public key.

  • r-1 is the multiplicative inverse of the signature’s r value.

  • s is the signature’s s value.

  • R and R‘ are the two possibilities for the ephemeral public key Q.

  • z is the n-lowest bits of the message hash.

  • G is the elliptic curve generator point.

To make things more efficient, the transaction signature includes a prefix value v, which tells us which of the two possible R values is the ephemeral public key. If v is even, then R is the correct value. If v is odd, then it is R‘. That way, we need to calculate only one value for R and only one value for K.