Skip to content

Add VerifyLowS helper function to ECDSA signature #2463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MPins wants to merge 2 commits into
base: master
Choose a base branch
from
+56 −7
Open

Add VerifyLowS helper function to ECDSA signature #2463

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
538fc9f
go.mod, go.sum: updated secp256k1 to v4.4.0
MPins Nov 18, 2025
f8dfe21
ecdsa: add VerifyLowS helper and tests
MPins Nov 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion btcec/ecdsa/signature.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ import (
var (
errNegativeValue = errors.New("value may be interpreted as negative")
errExcessivelyPaddedValue = errors.New("value is excessively padded")
errHighS = errors.New("signature is not canonical due to unnecessarily high S value")
errNoHeaderMagic = errors.New("malformed signature: no header magic")
)

// Signature is a type representing an ecdsa signature.
Expand Down Expand Up @@ -90,7 +92,7 @@ func parseSig(sigStr []byte, der bool) (*Signature, error) {
// 0x30
index := 0
if sigStr[index] != 0x30 {
return nil, errors.New("malformed signature: no header magic")
return nil, errNoHeaderMagic
}
index++
// length of remaining message
Expand Down Expand Up @@ -254,3 +256,20 @@ func RecoverCompact(signature, hash []byte) (*btcec.PublicKey, bool, error) {
func Sign(key *btcec.PrivateKey, hash []byte) *Signature {
return secp_ecdsa.Sign(key, hash)
}

// VerifyLowS verifies that the given ECDSA signature is strictly DER-encoded
// and uses a canonical low-S value. It returns nil if the signature is valid;
// otherwise it returns the encountered error.
func VerifyLowS(sigStr []byte) error {
sig, err := parseSig(sigStr, true)
if err != nil {
return err
}
sValue := sig.S()
if sValue.IsOverHalfOrder() {
// High-S, s > N/2.
return errHighS
}
// Low-S, s <= N/2.
return nil
}
30 changes: 30 additions & 0 deletions btcec/ecdsa/signature_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import (
"testing"

"github.com/btcsuite/btcd/btcec/v2"
"github.com/stretchr/testify/require"
)

type signatureTest struct {
Expand Down Expand Up @@ -800,3 +801,32 @@ func TestPrivKeys(t *testing.T) {
}
}
}

func TestVerifyLowS(t *testing.T) {
signatureTests := []struct {
name string
sig []byte
wantErr error
}{
{
name: "Low S value",
sig: hexToBytes("3045022100af340daf02cc15c8d5d08d7735dfe6b98a474ed373bdb5fbecf7571be52b384202205009fb27f37034a9b24b707b7c6b79ca23ddef9e25f7282e8a797efe53a8f124"),
wantErr: nil,
},
{
name: "High S value",
sig: hexToBytes("304502200d309104bc47fecb3e23fadbabb26d3495ae1b48c1b14e8886b3f4f1c8ab122f02210085d04c97c30f69063b820a139cf17473d8e89ed587f7fa669e78175f798431fc"),
wantErr: errHighS,
},
{
name: "Invalid signature format",
sig: hexToBytes("404502200d309104bc47fecb3e23fadbabb26d3495ae1b48c1b14e8886b3f4f1c8ab122f02210085d04c97c30f69063b820a139cf17473d8e89ed587f7fa669e78175f798431fc"),
wantErr: errNoHeaderMagic,
},
}

for _, test := range signatureTests {
err := VerifyLowS(test.sig)
require.ErrorIs(t, err, test.wantErr)
}
}
4 changes: 2 additions & 2 deletions btcec/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,12 @@ go 1.22
require (
github.com/btcsuite/btcd/chaincfg/chainhash v1.0.1
github.com/davecgh/go-spew v1.1.1
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0
github.com/stretchr/testify v1.8.0
)

require (
github.com/decred/dcrd/crypto/blake256 v1.0.0 // indirect
github.com/decred/dcrd/crypto/blake256 v1.1.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
8 changes: 4 additions & 4 deletions btcec/go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ github.com/btcsuite/btcd/chaincfg/chainhash v1.0.1/go.mod h1:7SFka0XMvUgj3hfZtyd
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/crypto/blake256 v1.0.0 h1:/8DMNYp9SGi5f0w7uCm6d6M4OU2rGFK09Y2A4Xv7EE0=
github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
github.com/decred/dcrd/crypto/blake256 v1.1.0 h1:zPMNGQCm0g4QTY27fOCorQW7EryeQ/U0x++OzVrdms8=
github.com/decred/dcrd/crypto/blake256 v1.1.0/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
Expand Down
Loading