Fix infinity loop in secp256k1_schnorr_sign #416

pull fanatid wants to merge 1 commits into bitcoin-core:master from fanatid:fix/schnorr-sign changing 1 files +12 −10
  1. fanatid commented at 2:54 PM on September 13, 2016: contributor

    secp256k1_schnorr_sign stop the loop only if secp256k1_schnorr_sig_sign return non-zero. But if secret key is zero secp256k1_schnorr_sig_sign will always return zero and secp256k1_schnorr_sign never stops.

  2. apoelstra commented at 3:20 PM on September 13, 2016: contributor

    utACK. Note this also catches the case when the user passes the field order as secret key (which will also be interpreted as zero). I think this is a reasonably likely footgun to run into, especially because in many cases applications can accept secret keys from untrusted sources and not worry that anything will break.

    Also note that secp256k1_ecdsa_sign has the same behaviour as this fix.

  3. fanatid commented at 7:53 PM on September 13, 2016: contributor

    @apoelstra I don't sure, but shouldn't we also check that secret key is less than field order?

  4. fanatid force-pushed on Sep 14, 2016
  5. fanatid commented at 8:58 AM on September 14, 2016: contributor

    Updated. I also changed conditions order for nonce, because with overflow first makes check faster (overflow already exists, while for zero we should call function)

  6. fanatid cross-referenced this on Sep 14, 2016 from issue (WIP) Schnorr signatures by fanatid
  7. fanatid commented at 8:34 AM on October 23, 2016: contributor

    ping :)

  8. sipa commented at 9:32 PM on October 26, 2016: contributor

    Needs rebase. Note that I plan to remove the Schnorr code in this repository, as it shouldn't be used for production use in its current form (and both API and signature compatibility will break before it's brough back).

  9. Fix infinity loop in secp256k1_schnorr_sign 8b5003269a
  10. fanatid force-pushed on Oct 27, 2016
  11. fanatid commented at 6:56 AM on October 27, 2016: contributor

    Rebased. @sipa does it means that secp256k1 bindings (like secp256k1-node) should not use Schnorr right now?

  12. sipa commented at 3:47 PM on October 27, 2016: contributor

    Nobody should use Schnorr as implemented now. It is an experiment, and subject to change at any time (as the configure script will warn you about if you try to enable it). The reason I want to remove it from the codebase is because I keep hearing about people who want to use it for production, so this is apparently not clear.

  13. fanatid commented at 3:48 PM on October 27, 2016: contributor

    Thank you for explanation.

  14. fanatid cross-referenced this on Oct 27, 2016 from issue Schnorr signatures by chjj
  15. sipa commented at 8:34 PM on November 25, 2016: contributor

    No longer needed.

  16. sipa closed this on Nov 25, 2016
  17. fanatid deleted the branch on Jan 7, 2017
Contributors
fanatidapoelstrasipa
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 18:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me