but both the "My" and offset are returned to the calling function and sent to Point() in the end
To me it looks like only the My is sent to Point() (there is a [0] after the call, easy to miss):
return Point( curve, Mx, ECC_YfromX(Mx, curve, Aser[0] == 0x03)[0], _r )
Did not notice that.
Re-reading the code, my opinion is now that the offset must always be "0", otherwise it would return the y-coordinate of a wrong point!!!!!!
I can see no reason why the for loop won't go through with the first try with offset 0. That is, if the x is a valid x point on the curve. If x is not valid, then that function returns y from a wrong point!
Now I understand the sqrt. Thanks for explaining that. Btw, there is another bug in there. It should be (_p+1)/4 and not (_p+1)//4, shouldn't it?
I was wondering how it is possible to omit the remainder of dividing by 4. But by luck in this case (p+1) does divide by 4 nicely. So there is no remainder and it works with the bitcoin curve.
Edit: Just realized that "/" and "//" both work the same here, because both would omit the remainder here...
Also, if the ECC_YfromX() function assumes that p%4=3 (and p+1 is divisible by 4) when taking the sqrt, it definitely cannot handle changing the curve that bitcoin uses. So the whole "_a * pow(Mx, 2, _p) + _b % _p" part is pointless and could be changed to simply be "+7" (or + _b).
Quite worrying to see that kind of code in my favorite wallet program.
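Added example, not part of the thread and not the wallet's own code: the offset behaviour discussed above next to a strict decompression that rejects an x that is not on the curve. The function names are hypothetical, and `y_from_x_lenient` is only a sketch of the offset loop as the posts describe it; the constants are the public secp256k1 parameters.

```python
# secp256k1 field prime and constant b (public parameters): y^2 = x^3 + 7 mod P
P = 2**256 - 2**32 - 977
B = 7
# Generator point, used here only as a known-good (x, y) pair.
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def sqrt_mod_p(n):
    """Return a square root of n mod P, or None if n has no square root.

    r = n^((P+1)/4) is a root only because P % 4 == 3. The exponent has to be
    an integer, so floor division is used; it is exact since 4 divides P + 1.
    """
    assert P % 4 == 3
    r = pow(n, (P + 1) // 4, P)
    return r if r * r % P == n % P else None


def pick_parity(y, odd):
    """Of the two roots y and P - y, return the one with the requested parity."""
    return y if bool(y & 1) == bool(odd) else P - y


def y_from_x_lenient(x, odd, max_tries=128):
    """Sketch of the discussed loop: try x, x+1, ... until a root exists.

    Returns (y, offset). A non-zero offset means y belongs to x + offset,
    not to the x that was passed in.
    """
    for offset in range(max_tries):
        y = sqrt_mod_p(pow(x + offset, 3, P) + B)
        if y is not None:
            return pick_parity(y, odd), offset
    raise ValueError("no curve point found within max_tries")


def y_from_x_strict(x, odd):
    """Decompress only when x itself is the x-coordinate of a curve point."""
    if not 0 <= x < P:
        raise ValueError("x out of range")
    y = sqrt_mod_p(pow(x, 3, P) + B)
    if y is None:
        raise ValueError("x is not on the curve")
    return pick_parity(y, odd)
```

A caller that uses only the first return value of the lenient version never sees the offset, which is the case the posts worry about; the strict version raises instead.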
