diff --git a/Paper.tex b/Paper.tex index f6092bb0..3b4987df 100644 --- a/Paper.tex +++ b/Paper.tex @@ -1404,7 +1404,7 @@ \section{Signing Transactions}\label{app:signing} \mathtt{\small ECDSARECOVER}(e \in \mathbb{B}_{32}, v \in \mathbb{B}_{1}, r \in \mathbb{B}_{32}, s \in \mathbb{B}_{32}) & \equiv & p_u \in \mathbb{B}_{64} \end{eqnarray} -Where $p_u$ is the public key, assumed to be a byte array of size 64 (formed from the concatenation of two positive integers each $< 2^{256}$) and $p_r$ is the private key, a byte array of size 32 (or a single positive integer in the aforementioned range). It is assumed that $v$ is the `recovery id', a 1 byte value specifying the sign and finiteness of the curve point; this value is in the range of $[27, 30]$, however we declare the upper two possibilities, representing infinite values, invalid. +Where $p_u$ is the public key, assumed to be a byte array of size 64 (formed from the concatenation of two positive integers each $< 2^{256}$) and $p_r$ is the private key, a byte array of size 32 (or a single positive integer in the aforementioned range). It is assumed that $v$ is either the `recovery identifier' or `chain identifier doubled plus 35 or 36'. The recovery identifier is a 1 byte value specifying the sign and finiteness of the curve point; this value is in the range of $[27, 30]$, however we declare the upper two possibilities, representing infinite values, invalid. The chain identifier $\mathtt{\tiny chain\_id}$ is a constant natural number. \newcommand{\slimit}{\ensuremath{\text{s-limit}}} @@ -1412,7 +1412,7 @@ \section{Signing Transactions}\label{app:signing} \begin{align} 0 < r &< \mathtt{\tiny secp256k1n} \\ 0 < s &< \mathtt{\tiny secp256k1n} \div 2 + 1 \\ -v &\in \{27,28\} +v &\in \{27,28,\mathtt{\tiny chain\_id} \times 2 + 35, \mathtt{\tiny chain\_id} \times 2 + 36\} \end{align} where: \begin{align} @@ -1425,11 +1425,16 @@ \section{Signing Transactions}\label{app:signing} A(p_r) = \mathcal{B}_{96..255}\big(\mathtt{\tiny KEC}\big( \mathtt{\small ECDSAPUBKEY}(p_r) \big) \big) \end{equation} -The message hash, $h(T)$, to be signed is the Keccak hash of the transaction without the latter three signature components, formally described as $T_r$, $T_s$ and $T_w$: +The message hash, $h(T)$, to be signed is the Keccak hash of the transaction. Two different flavors of signing schemes are available. One operates without the latter three signature components, formally described as $T_r$, $T_s$ and $T_w$. The other operates on nine elements: \begin{eqnarray} L_S(T) & \equiv & \begin{cases} -(T_n, T_p, T_g, T_t, T_v, T_\mathbf{i}) & \text{if} \; T_t = 0\\ -(T_n, T_p, T_g, T_t, T_v, T_\mathbf{d}) & \text{otherwise} +(T_n, T_p, T_g, T_t, T_v, \mathbf{p}) & \text{if} \; v \in \{27, 28\} \\ +(T_n, T_p, T_g, T_t, T_v, \mathbf{p}, \mathtt{\tiny chain\_id}, (), ()) & \text{otherwise} \\ +\end{cases} \\ +\nonumber \text{where} \\ +\nonumber \mathbf{p} & \equiv & \begin{cases} +T_{\mathbf{i}} & \text{if}\ T_t = 0 \\ +T_{\mathbf{d}} & \text{otherwise} \end{cases} \\ h(T) & \equiv & \mathtt{\small KEC}( L_S(T) ) \end{eqnarray} @@ -1441,9 +1446,13 @@ \section{Signing Transactions}\label{app:signing} \end{eqnarray} We may then define the sender function $S$ of the transaction as: -\begin{equation} -S(T) \equiv \mathcal{B}_{96..255}\big(\mathtt{\tiny KEC}\big( \mathtt{\small ECDSARECOVER}(h(T), T_w, T_r, T_s) \big) \big) -\end{equation} +\begin{eqnarray} +S(T) &\equiv& \mathcal{B}_{96..255}\big(\mathtt{\tiny KEC}\big( \mathtt{\small ECDSARECOVER}(h(T), v_0, T_r, T_s) \big) \big) \\ +v_0 &\equiv& \begin{cases} +T_w &\text{if}\ T_w\in\{27, 28\} \\ +28 - (T_w \bmod 2) &\text{otherwise} +\end{cases} +\end{eqnarray} The assertion that the sender of a signed transaction equals the address of the signer should be self-evident: \begin{equation}