I am curious why equations for signing/validating with ECDSA have forms they have. Is it possible to use simpler equation that have same properties.
For example, this is an equation I found in the book on Bitcoin:
$$ s = (z + re)/k $$ where,
$r = x\_coordinate\_of(k \cdot G)$,
$e$ - private key,
$z$ - message hash,
$k$ - random number,
$(s, r)$ - signature
What is interesting is that original paper for ECDSA uses a little bit different formula:
$$ s = k / (z + re) $$
Question
But is it possible to use something even simpler? For example:
$$ s = k/ze $$
And then we can check on validation that next equation holds:
$$ s \cdot z \cdot P = r, $$ where $P = e \cdot G$ is public key.
Why do we need to incorporate $r$ in the formula? And why it should be incorporated via addition, but not multiplication, for example?
Sorry, but I have mistakenly asked this question on different forum... Here is the link to the answer.
First, there is a cryptography stack exchange.
Second
Unfortunately, the short answer is "because that makes things work out". I'll briefly describe what "makes things work out" means.
Modern cryptography is all about building secure systems. Unfortunately, it very rarely can prove the systems are secure unconditionally. Instead, it does it via "reduction to a hard problem". What this means is the system is built such that, anyone who can break its security, can also break the (assumed) hard problem.
This has been an incredibly successful design paradigm, but means that many internal details of algorithms are "rigid". If you start making random changes (even if they are small!), the aforementioned reductions may no longer hold. Sometimes, the reductions not holding is not thought to be a problem (there are many examples here, although they are technical). People often point to these things (oddities in constructions that are included to make reductions work) as "proof artifacts", with the idea that they are not a fundamental part of the construction, and instead a limitation of the current proof. Concretely, the thought is that they could be removed while preserving security, although how to formally prove security without the proof artifact may not be known (or may be harder, or lead to worse bounds, etc).
Sometimes, reductions failing are indicative of a deeper issue. A reduction can be interpreted as saying "The problem of breaking this construction is no easier than (the assumed hard problem)". If the reduction no longer holds, it may be because breaking the construction is drastically easier than before. This is a very real problem in cryptography --- often innocuous changes/issues can lead to total breaks of systems.
This is to say that, for questions like yours, there are really only two possible answers.
Because it makes the reduction work, and also clearly prevents a known attack (and perhaps one can describe the attack), and
Because it makes the reduction work, but is plausibly not needed, i.e. is a proof artifact.
In general though, a prerequisite to understanding either of those is being able to formally study the underlying reduction. If you are at this level, i.e. you've read the ECDSA reduction and are curious where this term is needed, I encourage you to clarify that, but as your question doesn't contain the healthy fear of "minor" changes to protocols that many cryptographers have, I have assumed that you are not at this level.