As described in this reply to What’s the most dimension of a DER encoded ECDSA signature? the DER encoded signature for a given ECDSA signature (r, s) has format:
0x30 = 1 byte constructed sequence kind
L = 1 byte size of the next bytes (excluding SIGHASH byte)
0x02 = 1 byte primitive integer kind
LR = 1 byte size of integer r
R = integer r in large endian
0x02 = 1 byte primitive integer kind
LS = 1 byte size of integer s
S = integer s in large endian
SIGHASH = 1 byte
the place r is prepended with a byte 0x00 within the case the place it has a highest little bit of 1, and likewise with s.
Nevertheless how is the case the place r has a byte size lower than 32 dealt with?
Suppose for instance we had :
r = 0x83e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
which is 30 bytes.
Will we
(1) prepend this with 0x00 due to the very best bit (ie. bit 239) being 1, so we put :
0x0083e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
within the R subject above, or :
(2) write it in full 32 byte format :
0x000083e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
and due to this fact don’t prepend it with 0x00 as a result of the very best bit (ie. bit 255) is zero, so we put :
0x000083e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
within the R subject above?
Can anybody level to any instance blockchain transactions illustrating how these shorter r, s values are dealt with?
Is there any risk of malleability right here, ie. each choices (1) and (2) are accepted by Bitcoin Core, assuming (r, s) is a sound signature?
Or are main zero bytes all the time stripped away from r and s earlier than contemplating whether or not their highest bit is 1? (If r or s was truly zero, we’d then have to go away one zero byte in).