A bitcoin address is the hash of the encoded representation of an elliptic curve point (the public key). Bitcoin addresses are ambiguous in several ways:
- First: this point can be encoded in two ways, 'full' (uncompressed) or 'compressed'.
- Then, some points can be represented in two ways, because the group order is not exactly 2^256 but a little less.
- Another issue: during signature checking, the sign of the verification equation is ignored, leading to further ambiguity.
A bitcoin transaction is considered valid when the output script accepts the input script:
--- input script
<signature>
<pubkey>
--- output script
DUP
HASH160
<addrhash>
EQUALVERIFY
CHECKSIG
The input is considered valid when:
HASH160(<pubkey>) == <addrhash>
and
CHECKSIG(<signature>, <pubkey>) == true
With signature (r, s), public key Y = (x, y) and message m, verification checks that:
xcoord[ G*(m/s) + Y*(r/s) ] == r
Since only the x coordinate is compared, and a point and its negation share the same x coordinate, the equation also holds for the negated point:
xcoord[ G*(-m/s) + Y*(-r/s) ] == r
This is the same check with s replaced by -s, so the signature (r, -s) verifies as well.
- An address hash can be either the hash of the full public key or the hash of the compressed public key.
- For some public keys (those with a small 'x' value) there are two representations, (x, y) and (x+grouporder, y); the same holds for 'y'.