EIP-2 Signature malleability: Why low s instead of dropping v?

From EIP-2:

Allowing transactions with any s value with 0 < s < secp256k1n, as is currently the case, opens a transaction malleability concern, as one can take any transaction, flip the s value from s to secp256k1n - s, flip the v value (27 -> 28, 28 -> 27), and the resulting signature would still be valid.

Malleability was addressed by enforcing “low s”:

All transaction signatures whose s-value is greater than secp256k1n/2 are now considered invalid.

It seems that another way to fix this could have been to enforce v = 27. Then Ethereum signatures could be specified with 64 bytes (r,s) instead of 65 (v,r,s). Why didn’t we do that?

A similar solution was proposed for ERC-2098: Compact Signature Representation. I think the approach I describe here is better because it is backward compatible with ecrecover.

Bitcoin made the same low s decision in BIP 146. Seems they also have a degree of freedom for r.

I made an ERC for low-v.