diff --git a/ecdsa.c b/ecdsa.c
index 44c4b8be54..9e16447fcd 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -296,28 +296,28 @@ int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t
 
 // msg is a data to be signed
 // msg_len is the message length
-int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig)
+int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint8_t *pby)
 {
 	uint8_t hash[32];
 	sha256_Raw(msg, msg_len, hash);
-	return ecdsa_sign_digest(priv_key, hash, sig);
+	return ecdsa_sign_digest(priv_key, hash, sig, pby);
 }
 
 // msg is a data to be signed
 // msg_len is the message length
-int ecdsa_sign_double(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig)
+int ecdsa_sign_double(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint8_t *pby)
 {
 	uint8_t hash[32];
 	sha256_Raw(msg, msg_len, hash);
 	sha256_Raw(hash, 32, hash);
-	return ecdsa_sign_digest(priv_key, hash, sig);
+	return ecdsa_sign_digest(priv_key, hash, sig, pby);
 }
 
 // uses secp256k1 curve
 // priv_key is a 32 byte big endian stored number
 // sig is 64 bytes long array for the signature
 // digest is 32 bytes of digest
-int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *sig)
+int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *sig, uint8_t *pby)
 {
 	uint32_t i;
 	curve_point R;
@@ -340,6 +340,9 @@ int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *s
 
 	// compute k*G
 	scalar_multiply(&k, &R);
+	if (pby) {
+		*pby = R.y.val[0] & 1;
+	}
 	// r = (rx mod n)
 	bn_mod(&R.x, &order256k1);
 	// if r is zero, we fail
diff --git a/ecdsa.h b/ecdsa.h
index 0596d90319..292aeaf589 100644
--- a/ecdsa.h
+++ b/ecdsa.h
@@ -39,9 +39,9 @@ int point_is_negative_of(const curve_point *p, const curve_point *q);
 void scalar_multiply(const bignum256 *k, curve_point *res);
 void uncompress_coords(uint8_t odd, const bignum256 *x, bignum256 *y);
 
-int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig);
-int ecdsa_sign_double(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig);
-int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *sig);
+int ecdsa_sign(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint8_t *pby);
+int ecdsa_sign_double(const uint8_t *priv_key, const uint8_t *msg, uint32_t msg_len, uint8_t *sig, uint8_t *pby);
+int ecdsa_sign_digest(const uint8_t *priv_key, const uint8_t *digest, uint8_t *sig, uint8_t *pby);
 void ecdsa_get_public_key33(const uint8_t *priv_key, uint8_t *pub_key);
 void ecdsa_get_public_key65(const uint8_t *priv_key, uint8_t *pub_key);
 void ecdsa_get_pubkeyhash(const uint8_t *pub_key, uint8_t *pubkeyhash);
diff --git a/test-openssl.c b/test-openssl.c
index caf3b9a11b..ccef802ce5 100644
--- a/test-openssl.c
+++ b/test-openssl.c
@@ -82,7 +82,7 @@ int main(int argc, char *argv[])
 		}
 
 		// use our ECDSA signer to sign the message with the key
-		if (ecdsa_sign(priv_key, msg, msg_len, sig) != 0) {
+		if (ecdsa_sign(priv_key, msg, msg_len, sig, 0) != 0) {
 			printf("trezor-crypto signing failed\n");
 			break;
 		}
diff --git a/tests.c b/tests.c
index dc72b373d1..91115ea1df 100644
--- a/tests.c
+++ b/tests.c
@@ -386,13 +386,13 @@ START_TEST(test_sign_speed)
 
 	memcpy(priv_key, fromhex("c55ece858b0ddd5263f96810fe14437cd3b5e1fbd7c6a2ec1e031f05e86d8bd5"), 32);
 	for (i = 0 ; i < 250; i++) {
-		res = ecdsa_sign(priv_key, msg, sizeof(msg), sig);
+		res = ecdsa_sign(priv_key, msg, sizeof(msg), sig, 0);
 		ck_assert_int_eq(res, 0);
 	}
 
 	memcpy(priv_key, fromhex("509a0382ff5da48e402967a671bdcde70046d07f0df52cff12e8e3883b426a0a"), 32);
 	for (i = 0 ; i < 250; i++) {
-		res = ecdsa_sign(priv_key, msg, sizeof(msg), sig);
+		res = ecdsa_sign(priv_key, msg, sizeof(msg), sig, 0);
 		ck_assert_int_eq(res, 0);
 	}