It is/(looks like) an unnecessary test for an overflow flag which is always 0 #697

issue dr-orlovsky opened this issue on November 28, 2019
  2. dr-orlovsky renamed this:
    (looks like) unnecessary test for an overflow flag wich is always 0
    It is/(looks like) an unnecessary test for an overflow flag which is always 0
    on Nov 28, 2019
  3. sipa commented at 11:15 PM on November 28, 2019: contributor

    You're looking at a mock implementation of scalar*, for exhaustive testing purposes. Real 256-bit scalar implementations do set the flag.

  4. dr-orlovsky commented at 11:28 PM on November 28, 2019: none

    Right, sorry, I found it. But why the overflow is important for the key tweaking? If we add the point to itself n times (where n is the field order) we will get the same original point. Is the overflow flag tells about this? If yes, why it prevents from doing the tweak?

    For instance, knowing the original public key, and knowing the curve parameters, I can compose a tweaking factor that is equal to n so the tweak procedure always results the same original public key. However, I would not be able to compose a message, that results in the digest equial to n, so at least for commitment procedures this should be not a problem.

    On the other hand, coming back to the issue https://github.com/sipa/bips/issues/152 it seems that usage of SHA256 instead of HMAC can allow the attacker (very theoretically) to compose a message which hash will result in n, opening possibility for instance to claim that any public key is committed for the equivalent message, which bytecode can be re-interpreted under different protocols opening a way for a hack.

  5. dr-orlovsky cross-referenced this on Nov 28, 2019 from issue bip-taproot: Publick key tweak resulting in point-at-infinity by dr-orlovsky
  6. real-or-random commented at 7:49 AM on November 29, 2019: contributor

    Right, sorry, I found it. But why the overflow is important for the key tweaking?

    Scalars are numbers in Z_p, which are typically represented by the integers 0..p-1 (where p is the group order of the elliptic curve group secp256k1, not the field order). An overflow is basically a number s >= p.

    Now there are two ways to look at it:

    • You can say that integers s >= p are simply invalid representations, and we don't want invalid scalars.
    • You can interpret a 256-bit s >= p by taking it mod p. Then the resulting integer is in range again but then there are a few scalars now which have two 256-bit representations instead of just one. That means that taking an uniform 256-bit integer is not equivalent to taking an uniform scalar in Z_p. We don't want that either.

    However, overflow happens with negligible probability for a random tweak, so it's not an issue that the function fails here.

  7. dr-orlovsky commented at 2:12 PM on November 29, 2019: none

    Thank you for the explanation, I think we can close the issue.

  8. dr-orlovsky closed this on Nov 29, 2019
Contributors
dr-orlovskysipareal-or-random
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-23 01:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me