The (r, s) Components

An ECDSA signature is composed of two 256-bit numbers: r and s. Understanding these numbers is key to understanding how Bitcoin prevents forgery and ensures the "Uniqueness" of every signature.

1. What is 'r'? (The Commitment)

The value r is derived from a temporary, secret number called a Nonce ($k$).

1. The wallet picks a random $k$.

2. It calculates a temporary point $R = k \times G$.

3. r is simply the X-coordinate of that point $R$.

4. By publishing r, you are "Committing" to a specific point on the curve without revealing the $k$ that generated it.

2. What is 's'? (The Proof)

The value s is the result of the actual signature math: $$s = k^{-1}(z + r \times d) \pmod n$$

• $z$: The transaction hash.

• $r$: The commitment from step 1.

• $d$: Your private key.

• $k$: The nonce.

This equation "mixes" the secret key and the transaction data into a single number.

3. The 512-bit Signature

Since both $r$ and $s$ are 256-bit integers, the "Raw" signature is 512 bits (64 bytes). However, as we will see in the next section, Bitcoin adds extra formatting (DER) which makes the final signature slightly larger.

4. The Critical Importance of 'k'

If you ever use the same k (nonce) to sign two different transactions, a hacker can perform simple subtraction to find your Private Key.

• The Disaster: Reusing a nonce results in the same $r$ value. If a hacker sees two transactions with the same $r$, they can steal your Bitcoin instantly.

• The Fix: Modern wallets use Deterministic RFC6979, where the $k$ is derived from a hash of the private key and the message, ensuring it is always unique for every transaction.

Component	Mathematical Definition	Purpose
r	$x$-coordinate of $k \times G$	Commit to a temporary point
s	$k^{-1}(z + r \times d)$	Prove knowledge of the key

In the next section, we will look at the DER Encoding Standard.