I'm currently trying to understand electrum's approach to decompress compressed public keys. However, I'm struggling with two things:
- What is the meaning of the offset? Why is it needed? Other implementations seem to be fine without it.
What are the mathematical foundations? Why does x + offset still result in the same y (or does it?)? - When calculating y^2, why is the coefficent a multiplied by x^2 instead of just x, like in the basic elliptic curve equation?
Could this be a bug, that has not yet been discovered, because a is 0 in secp256k1?
This is the function in question (in
lib/bitcoin.py):
def ECC_YfromX(x,curved=curve_secp256k1, odd=True):
_p = curved.p()
_a = curved.a()
_b = curved.b()
for offset in range(128):
Mx = x + offset
My2 = pow(Mx, 3, _p) + _a * pow(Mx, 2, _p) + _b % _p
My = pow(My2, (_p+1)//4, _p )
if curved.contains_point(Mx,My):
if odd == bool(My&1):
return [My,offset]
return [_p-My,offset]
raise Exception('ECC_YfromX: No Y found')
I'm glad for any help or pointers in the right direction...