Why does a same transaction signed separately have different witness values?

3

1

I signed a bitcoin testnet transaction using nbitcoin library and got an output:

 02000000000101853b6bcbc78cf4cd621abb7edca78383ce15a34b6617347258d72d13ecb8fcbc000000001716001487463af228c128aad9371c3df1236d0518c32f44ffffffff01604898000000000017a9141b16cfd66b7f084bf95baf36d14df67f03ef230487024730440220376c73ba8bacbc791fc45ed596c8f973fe79ef0c1bb37a16fb2043dc0998ea62022027c7135359a103f243d865d89eb913e180ea751669b7a2f910b08eb3edcc76f5012102739a2f893507714c7e1b37510dede5aad15862b018f6ad9e9402e0b7290a133300000000

then I signed the same transaction with bitcoin-core and it returned an output :

  02000000000101853b6bcbc78cf4cd621abb7edca78383ce15a34b6617347258d72d13ecb8fcbc000000001716001487463af228c128aad9371c3df1236d0518c32f44ffffffff01604898000000000017a9141b16cfd66b7f084bf95baf36d14df67f03ef23048702473044022015499aee1e03fc9dd853abf3a9307ebd19dfd9e4f5209a7810be48dfed1c698002205d6c0da0a26918ca38d5aaf9629f7dd71119334e168aafd9f3363f05cb06c967012102739a2f893507714c7e1b37510dede5aad15862b018f6ad9e9402e0b7290a133300000000

On comparing the outputs, the txwitness stack value differs.

bitcoin-core witness data

"txinwitness": [
                "3044022015499aee1e03fc9dd853abf3a9307ebd19dfd9e4f5209a7810be48dfed1c698002205d6c0da0a26918ca38d5aaf9629f7dd71119334e168aafd9f3363f05cb06c96701",
                "02739a2f893507714c7e1b37510dede5aad15862b018f6ad9e9402e0b7290a1333"
            ]

nBitcoin witness data

 "txinwitness": [
                "30440220376c73ba8bacbc791fc45ed596c8f973fe79ef0c1bb37a16fb2043dc0998ea62022027c7135359a103f243d865d89eb913e180ea751669b7a2f910b08eb3edcc76f501",
                "02739a2f893507714c7e1b37510dede5aad15862b018f6ad9e9402e0b7290a1333"
            ]

But still, I'm able to send the transaction signed by nBitcoin.

So my questions are:

1) what are the values in witness stack?

2) why the same transaction have different txwitness value?

Akshay Dev

Posted 2019-12-18T07:42:17.553

Reputation: 65

Answers

4

Bitcoin signatures have two components: s and R. To sign a Bitcoin transaction with private key k, the signing algorithm generates an ephemeral private key r. The R component of the signature is the x-coordinate of that ephemeral public key. The s component of the signature is calculated in the following way: s = r-1 (Hash(m) + k * R) mod p; where Hash(m) is the hash of the transaction data m.

Since, s changes with r, as shown in the equation above, the signature component will be completely different when you compare two transactions signed if their ephemeral key generation algorithm differs.

Most softwares uses RFC 6979 to deterministically but securely generate the ephemeral key used to sign transactions. So for two identical transactions, the ephemeral key should be the same and that is the reason you are seeing the same signatures on different Bitcoin Core software. However, RFC 6979 algorithm also allows the usage of other additional optional data while generating the ephemeral key. This additional optional data might be different for different softwares and as a result you are seeing different (s,R) signature from Bitcoin-Core and nBitcoin.

Ugam Kamat

Posted 2019-12-18T07:42:17.553

Reputation: 6 378

What is P in this equation s = r-1 (Hash(m) + k * R) mod p ? – Akshay Dev – 2019-12-18T11:10:51.823

If S changes with R, why bitcoin core, even on different machines produce the same signature? – Akshay Dev – 2019-12-18T11:12:47.777

1@AkshayDev I have updated my answer to make it more clear. The mod p (modulo prime number p) indicates that the Bitcoin curve (secp256k1) is over a finite field of prime order p. – Ugam Kamat – 2019-12-18T12:54:09.280