I would like to understand exactly which signatures are used in the Ethereum. Here https://bitcoin.stackexchange.com/questions/12554/why-the-signature-is-always-65-13232-bytes-long it says that there are DER encoded and custom encoded (also called recoverable) signatures in bitcoin. Can I use both types of these signatures in Ethereum? Are there any types besides these two? Is it possible to convert one type to another?
signature – Understanding Ethereum Signatures
cryptographysignature
Related Solutions
I think this is actually just a notational issue. In the original paper the groups are written multiplicatively, while the groups in the Ethereum docs are written additively.
In particular,
e(g1, σ) = e(g1, x1*h1+x2*h2+...) = x1*e(g1,h1) + x2*e(g1,h2)+...+xn*e(g1,hn)
Then you can do the check simply by using the n-ary pairing check
e(-g1, σ, v1, h1, v2, h2, ..., vn, hn)
The recid value (v) is only a way to speed up verification and address recovery, as explained here.
So your actual v value is defined in {0, 1, 2, 3}.
In the Ethereum network the recid value (v) is computed that way since EIP-155 which was included in the Spurious Dragon fork from EIP-607 (to protect against tx replay attack with Ethereum classic) :
{0,1} + CHAIN_ID * 2 + 35
Meaning that the possible outcomes for the Ethereum mainnet with CHAIN_ID 1 are : 37 and 38 (while 39 and 40 are still possible as per my understanding but extremely unlikely, don't take my word for it though).
The previous computation scheme (not encoding chain_id, r=0, s=0) was defined as : {0,1} + 27
giving the most probable outcomes 27 and 28. (Again, I think that 29 and 30 are possible but highly unlikely)
So my question is very simple: why is the value of v nearly never neither 27 nor 28 although all the documentation out there says it's always either 27 or 28?
Because your documentation is outdated, and doesn't take EIP-155 into consideration.
Additionally, EIP-155 states that :
The currently existing signature scheme using v = 27 and v = 28 remains valid and continues to operate under the same rules as it did previously.
I haven't found anything invalidating that previous signature scheme (certainly kept for backward compatibility) so it might very well still be valid, but its usage is discouraged. This is why you mostly see 37 and 38 on mainnet as people switched to the new computation scheme.
Best Answer
Ethereum uses RLP encoding of signatures and Bitcoin uses DER encoding. You cannot use DER encoded signatures in Ethereum, only RLP encoded signatures. The underlying numbers (R and S) are the same in that they are derived from the same elliptic curve (called secp256k1).
An Ethereum signature contains three values: v, R, S. A Bitcoin signature contains only two numbers: R and S. The extra value that Ethereum uses makes it possible to recover the public key from the signature which means that an Ethereum transaction does not include the public key. Bitcoin does not use this trick, thus a signed Bitcoin transaction is larger than a signed Ethereum transaction, because it also includes the public key.
It is possible to convert an RLP signature to a DER encoded signature but not the other way around since the DER signature does not contain the v value. The v value can for practical purposes only have two values (representing the parity of a number).