-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
k256 Schnorr / BIP340 doesn't handle the y odd case #1070
Comments
It did in my original implementation. It must've regressed at some point: https://github.com/RustCrypto/elliptic-curves/pull/482/files#diff-7ee5e04f685838d30d3bb56a9c532ffc01948c79f1c7a7faecc989186d803ee1R94-R98 |
@randombit on the Are you encountering a codepath where this isn't happening, or do you want a lazy inversion instead of an eager one? There are definitely test vectors in our suite which break if I remove that logic.
I guess that should be modified to try decompressing both odd and even |
@randombit can you provide a reproduction of where you think it's being mishandled? |
I think the main thing that caught me up here is that |
It could be changed to auto-invert |
For both signature generation and verification,
k256
doesn't seem to handle the case where they
coordinate of the public key is odd. I guess it is implicitly assuming that the user handles this, but this doesn't match how BIP340 describes the operation.When signing BIP340 specifies that the secret key is negated, if the
y
coordinate ofG*sk
would otherwise be odd.k256
doesn't do this, leading it to produce incorrect signatures for half of all secret keys.BIP340 defines verification as taking
pk
the 32-byte encoding of just thex
coordinate. It then verifies on the assumption that they
coordinate is the even one. Howeverk256
seems to assume/require that the public key is a point with bothx
andy
coordinates, andy
is even; thenk256::schnorr::VerifyingKey::try_from
rejects points with odd y. My understanding is that in such a case, the verification key does exist/is well formed; it just is the negation of the input point.Both issues can be worked around by checking in advance if an odd
y
would occur and inverting the private or public key before use.The text was updated successfully, but these errors were encountered: