I'm currently trying to understand electrum's approach to decompress compressed public keys. However, I'm struggling with two things:
- What is the meaning of the offset? Why is it needed? Other implementations seem to be fine without it.
What are the mathematical foundations? Why does x + offset still result in the same y (or does it?)? - When calculating y^2, why is the coefficent a multiplied by x^2 instead of just x, like in the basic elliptic curve equation?
Could this be a bug, that has not yet been discovered, because a is 0 in secp256k1?
Did you ever forward your find to the Electrum team so that they can take a look at it and fix it?
It is indeed strange that they have the "offset" variable, which could only ever return false results if it is not 0
On the other hand. When does Electrum use that function? I suppose it is used very rarely, and that is why that bug has not been found before.
No, I didn't forward. I had the hope that they would notice it here. If you are more active on github than me, feel free to report it.
I think I stumbled over it, when I tried to understand the signature verification part. If I remember correctly, the python ecdsa module can only take uncompressed public keys and that's where it's used.