Overview
Recoverable signatures are 65 bytes (64-byte compact ECDSA signature + 1-byte recovery ID). They are produced by secp256k1_ecdsa_sign_recoverable and allow the signing public key to be recovered via secp256k1_ecdsa_recover given only the signature and the message hash. See Vendor/secp256k1/include/secp256k1_recovery.h for the upstream API reference.
Bitcoin’s BIP-137 and BIP-322 “signed message” formats rely on this primitive for address-from-signature recovery. Recoverability trades one byte of signature size for the ability to skip transmitting the public key — a win whenever the signer and verifier share only a message and want to establish identity without a pre-exchanged key. The deterministic-nonce convention follows RFC 6979, as with all ECDSA signing in this library.
Important
A recoverable signature that successfully passes secp256k1_ecdsa_recover is not guaranteed to pass secp256k1_ecdsa_verify after conversion, because the converted signature may not be in lower-S normalized form. Call secp256k1_ecdsa_signature_normalize after the normalize conversion if you need a signature that passes standard ECDSA verification.
Warning
Recovery is not verification. A successfully recovered key is merely a candidate public key: the key under which this exact signature would be valid for the given message. To confirm the candidate is the expected signer, compare it to the known-authentic public key via constant-time equality (e.g. safeCompare). Never treat a recovered key as authenticated without that comparison step.
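The two callouts above, as an added illustration (not code from this library or from libsecp256k1): a from-scratch Python model of recoverable ECDSA over secp256k1 showing that recovery returns a key for an altered message and for a high-S signature alike. Assumptions: the nonce is passed in by the caller instead of being derived per RFC 6979, the arithmetic is not constant time, and every function name and sample value is constructed for this example.

```python
import hashlib, hmac
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
h = lambda m: int.from_bytes(hashlib.sha256(m).digest(), "big")  # hash as int

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; NOT constant time, illustration only
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def sign(d, z, k):  # low-S (r, s, recid); k is a caller-supplied nonce
    R = mul(k, G)
    r, s = R[0] % N, pow(k, -1, N) * (z + R[0] * d) % N
    return (r, N - s, (R[1] & 1) ^ 1) if s > N // 2 else (r, s, R[1] & 1)

def recover(r, s, recid, z):  # candidate Q = r^-1 (sR - zG); assumes R.x < N
    y = pow(r**3 + 7, (P + 1) // 4, P)  # square root, valid since P % 4 == 3
    if y * y % P != (r**3 + 7) % P:
        return None  # r is not the x-coordinate of a curve point
    R = (r, y if y & 1 == recid else P - y)
    return add(mul(s * pow(r, -1, N) % N, R), mul(-z * pow(r, -1, N) % N, G))

def same_key(a, b):  # constant-time comparison of fixed-width encodings
    ser = lambda q: b"".join(c.to_bytes(32, "big") for c in q) if q else b""
    return hmac.compare_digest(ser(a), ser(b))

def demo():  # key, nonce and messages are constructed sample values
    z, d, k = h(b"pay bob 1"), h(b"sample key") % N, h(b"sample nonce") % N
    alice, (r, s, v) = mul(d, G), sign(d, z, k)
    good = recover(r, s, v, z)                   # matches the signer
    forged = recover(r, s, v, h(b"pay eve 9"))   # altered message: some other key
    high = recover(r, N - s, v ^ 1, z)           # high-S twin of the same signature
    return (same_key(good, alice), forged is not None, same_key(forged, alice),
            same_key(high, alice), N - s > N // 2)
```

`demo()` returns, in order: the honest recovery matches the signer, the altered message still yields a key, that key is not the signer's, the high-S twin recovers the signer's key, and its S value is above N/2, so a strict low-S verifier would reject it until it is normalized.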
Topics
Key Types
Signature Types
Structures