I am looking at how Bitcoin signs transactions in the src/key.cpp file, in particular the RAII wrapper around the OpenSSL implementation of ECDSA.
In the function
bool CECKey::Sign(const uint256 &hash, std::vector& vchSig)
I see the regular call to ECDA which returns the signature in
sigECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
However, after that there are some additional manipulations of the signature
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
const EC_GROUP *group = EC_KEY_get0_group(pkey);
BIGNUM *order = BN_CTX_get(ctx);
BIGNUM *halforder = BN_CTX_get(ctx);
EC_GROUP_get_order(group, order, ctx);
BN_rshift1(halforder, order);
if (BN_cmp(sig->s, halforder) > 0) {
// enforce low S values, by negating the value (modulo the order) if above order/2.
BN_sub(sig->s, order, sig->s);
}
BN_CTX_end(ctx);
BN_CTX_free(ctx);
What purpose do these manipulations serve? If one were to remove that code snippet, would that invalidate the signature? Or would that leak information about the private key?