BIP352: ECDSA verify compare x(R) modulo n to r #1959

1. 
   radik878 commented at 7:18 am on September 8, 2025: contributor

   The signer computes r = x(R) mod n, but the verifier compared the affine x-coordinate directly to r. This could incorrectly reject valid signatures when x(R) ≥ n (rare but possible). Update ECPubKey.verify_ecdsa to check (x(R) % n) == r, aligning verification with ECDSA as defined in SEC1/FIPS 186 and matching our signer’s behavior.
2. BIP352: ECDSA verify compare x(R) modulo n to r ab1ba2b464
3. jonatack assigned RubenSomsen on Sep 10, 2025
4. jonatack added the label Proposed BIP modification on Sep 10, 2025
5. jonatack added the label Pending acceptance on Sep 10, 2025
6. 
   murchandamus commented at 3:35 pm on November 10, 2025: member

   Ping authors, @RubenSomsen, @josibake
7. 
   murchandamus commented at 0:15 am on February 28, 2026: member

   cc: @theStack
8. 
   theStack commented at 4:21 pm on March 2, 2026: contributor

   ECDSA signature verification is not relevant to BIP-352 (neither in the reference implementation nor in test vector generation/execution), and secp256k1.py is planned to be replaced with secp256k1lab anyway (see #2087), which currently doesn’t even have ECDSA support.

   I was going to suggest the possibility of submitting this upstream to Bitcoin Core (since this code appears to be based on its test framework), but it looks like the modulo logic is already there: https://github.com/bitcoin/bitcoin/blob/6b0a980de94bc5b64703151be708991f954161ea/test/functional/test_framework/key.py#L109

   This PR can be closed.

9. murchandamus closed this on Mar 2, 2026

   ---

10. murchandamus removed the label Pending acceptance on Mar 2, 2026

Contributors
radik878 murchandamus theStack

Labels
Proposed BIP modification