Severity: Informational; clarity / future-defense.
Source: TOB May 2026 revision, Appendix D — "Malformed scalar and point edge cases" (pp. 63-64).
Problem
libsecp256k1's seckey_* helpers reject zero by design (because
zero is not a valid ECDSA secret key), but the CMPT protocol has
mathematical scalars that can legitimately be zero (amounts,
balances, response scalars in negligible-probability cases) and
mathematical points that can legitimately be the identity
(homomorphic differences, MSM intermediates). Mixing the two
conventions has caused several historical bugs in this codebase
(#37/#38, #39, #41, #51).
Each API boundary should make an explicit, documented choice
between three options:
1. Reject as malformed input (what the seckey_* helpers do).
2. Accept as a valid result — produce identity / zero output.
3. Use an out-of-band representation (e.g., the 33-zero-bytes BP transcript convention from fix: handle zero amount in clawback Fiat-Shamir transcript #59).
Recommended change
For every API that can be reached with zero scalar input or identity point output, document the decision in the doxygen, add
tests that cover both the "zero is valid" and "zero is rejected"
cases, and ensure internal helpers don't silently fail when
encountering it.
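To make the two conventions concrete, here is an added C example, not code from this repository or from libsecp256k1. It classifies a 32-byte big-endian scalar against the secp256k1 group order and exposes the result through both conventions: a seckey_*-style check that rejects zero, and a scalar-style loader that accepts zero and reports it to the caller, so the identity-point path is taken deliberately rather than discovered when a helper fails. The function names, the enum and the test vectors are constructed for this example; only the group order n is a real constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* secp256k1 group order n, big-endian. A property of the curve, not a value from the issue. */
static const unsigned char SECP256K1_ORDER_N[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
};

/* Constructed classification for this example. */
typedef enum {
    SCALAR_ZERO,     /* x == 0: a valid group scalar but not a valid secret key */
    SCALAR_NONZERO,  /* 0 < x < n: valid under both conventions */
    SCALAR_OVERFLOW  /* x >= n: malformed encoding under both conventions */
} scalar_class_t;

/* 1 if a < b as 32-byte big-endian integers; no data-dependent branches. */
static int ct_lt_be32(const unsigned char a[32], const unsigned char b[32]) {
    uint32_t lt = 0, eq = 1;
    for (int i = 0; i < 32; i++) {
        uint32_t ai = a[i], bi = b[i];
        lt |= eq & ((ai - bi) >> 31);           /* ai - bi sets bit 31 exactly when ai < bi */
        eq &= (((ai ^ bi) + 0xFFu) >> 8) ^ 1u;  /* stays 1 only while all higher bytes match */
    }
    return (int)lt;
}

static scalar_class_t classify_scalar(const unsigned char b32[32]) {
    uint32_t acc = 0;
    for (int i = 0; i < 32; i++) acc |= b32[i];
    uint32_t is_zero = (acc - 1u) >> 31;  /* 1 iff every byte was 0x00 */
    if (!ct_lt_be32(b32, SECP256K1_ORDER_N)) return SCALAR_OVERFLOW;
    return is_zero ? SCALAR_ZERO : SCALAR_NONZERO;
}

/* Convention A, the one libsecp256k1's seckey_* helpers implement: a secret key must satisfy
 * 0 < x < n. Zero is REJECTED (returns 0) because it is not a usable ECDSA secret key. */
static int seckey_style_verify(const unsigned char b32[32]) {
    return classify_scalar(b32) == SCALAR_NONZERO;
}

/* Convention B, for protocol scalars that are legitimately zero (amounts, balances, response
 * scalars): 0 <= x < n. Only overflow fails. Zero is ACCEPTED and reported via *is_zero so the
 * caller can take the identity-point path on purpose instead of having a helper fail silently. */
static int scalar_style_load(const unsigned char b32[32], int *is_zero) {
    scalar_class_t c = classify_scalar(b32);
    if (c == SCALAR_OVERFLOW) return 0;
    *is_zero = (c == SCALAR_ZERO);
    return 1;
}

/* Constructed test vectors: 0, 1, n-1 and 2^256-1 (n itself is SECP256K1_ORDER_N). */
static const unsigned char VEC_ZERO[32] = { 0 };
static const unsigned char VEC_ONE[32] = { [31] = 0x01 };
static const unsigned char VEC_N_MINUS_1[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x40
};
static const unsigned char VEC_ALL_FF[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};

/* Runs both conventions over the vectors; returns the number of mismatches (0 = behaves as documented). */
static int run_checks(void) {
    int bad = 0, z = -1;
    bad += classify_scalar(VEC_ZERO) != SCALAR_ZERO;
    bad += classify_scalar(VEC_ONE) != SCALAR_NONZERO;
    bad += classify_scalar(VEC_N_MINUS_1) != SCALAR_NONZERO;
    bad += classify_scalar(SECP256K1_ORDER_N) != SCALAR_OVERFLOW;
    bad += classify_scalar(VEC_ALL_FF) != SCALAR_OVERFLOW;
    bad += seckey_style_verify(VEC_ZERO) != 0;      /* seckey convention: zero rejected */
    bad += scalar_style_load(VEC_ZERO, &z) != 1;    /* scalar convention: zero accepted... */
    bad += z != 1;                                  /* ...and reported to the caller */
    bad += scalar_style_load(VEC_ALL_FF, &z) != 0;  /* overflow rejected by both */
    return bad;
}

int main(void) {
    int bad = run_checks();
    printf("%s (%d mismatches)\n", bad ? "FAIL" : "OK", bad);
    return bad != 0;
}
```

The point of the split is that an API boundary picks one of the two loaders and says so in its doxygen; a test that feeds VEC_ZERO through that boundary then pins the decision, which is exactly the coverage this issue asks for.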
TOB-specific call sites to cover (per Appendix D, pp. 63-64):
- compute_sigma_response (mpt_internal.h:L116-L117) — routes zero witnesses through scalar_* helpers, not seckey_*. Done via [Bug] compute_sigma_response fails when secret witness is zero (amount=0 or balance=0) #37 / #38 (PR fix: make compute_sigma_response infallible on zero witness #58).
- compute_amount_point — documents that amount=0 cannot be encoded as a non-identity pubkey. Done via [Bug] compute_amount_point returns 0 for amount=0, breaking clawback proofs #39 (PR fix: handle zero amount in clawback Fiat-Shamir transcript #59).
- The four compact-proof verifiers reject zero proof scalars via secp256k1_ec_seckey_verify: secp256k1_mpt_pok_sk_verify, secp256k1_compact_standard_verify, secp256k1_compact_convertback_verify, secp256k1_compact_clawback_verify. Document the choice explicitly in each doxygen (current code does it implicitly).
- Secret scalar inputs are rejected when zero in secp256k1_mpt_pedersen_commit, secp256k1_bulletproof_create_commitment, and the compact convertback prover. Decide whether zero is invalid input or a valid mathematical edge case for each API.
- Homomorphic / commitment-difference paths can produce the point at infinity: secp256k1_elgamal_add (RIPCTXR-5, tracked in [Bug] secp256k1_elgamal_add fails on identity point — enables MergeInbox griefing #102), secp256k1_elgamal_subtract, mpt_compute_convert_back_remainder, mpt_verify_send_range_proof. Each path should document whether infinity is a malformed input, an expected zero result, or a separate sentinel case.
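The identity point has no SEC1 compressed encoding, which is what forces a sentinel at transcript boundaries such as the clawback Fiat-Shamir transcript. The following is an added C example, not this project's code: it models a group element in compressed form, writes the identity as 33 zero bytes (my reading of the 33-zero-bytes transcript convention referenced above), and shows that a decoder can accept exactly that one string as the identity while still rejecting malformed inputs, because 0x00 is never a valid SEC1 prefix. The point_t struct and the function names are constructed for this example, and x is not checked for curve membership.

```c
#include <stdio.h>
#include <string.h>

#define POINT_ENC_LEN 33

/* Stand-in for a group element in compressed form, constructed for this example; the real
 * code would use secp256k1_ge and derive y_is_odd from the y coordinate. */
typedef struct {
    int infinity;           /* 1 = point at infinity (identity); x and y_is_odd are unused */
    int y_is_odd;           /* selects the SEC1 prefix: 0x02 for even y, 0x03 for odd y */
    unsigned char x[32];    /* big-endian x coordinate */
} point_t;

/* Transcript encoding. Non-identity points use SEC1 compressed form (0x02|0x03 || x). The
 * identity has no SEC1 encoding, so it is written as 33 zero bytes. The sentinel cannot collide
 * with a real point because 0x00 is never a valid SEC1 prefix, and the output is always exactly
 * 33 bytes, so the transcript layout stays fixed-width whether or not a commitment difference
 * happened to vanish. */
static void point_encode_transcript(const point_t *p, unsigned char out[POINT_ENC_LEN]) {
    if (p->infinity) {
        memset(out, 0, POINT_ENC_LEN);
        return;
    }
    out[0] = p->y_is_odd ? 0x03 : 0x02;
    memcpy(out + 1, p->x, 32);
}

/* Inverse of the above. Returns 1 on success, 0 on a malformed encoding. Exactly one 33-byte
 * string decodes to the identity. A 0x00 prefix with a nonzero payload is malformed, not
 * "almost identity", and uncompressed (0x04) or hybrid prefixes are rejected outright.
 * Curve membership of x is not checked here; a real decoder must do that as well. */
static int point_decode_transcript(const unsigned char in[POINT_ENC_LEN], point_t *p) {
    unsigned char acc = 0;
    for (int i = 0; i < POINT_ENC_LEN; i++) acc |= in[i];
    if (acc == 0) {
        memset(p, 0, sizeof *p);
        p->infinity = 1;
        return 1;
    }
    if (in[0] != 0x02 && in[0] != 0x03) return 0;
    p->infinity = 0;
    p->y_is_odd = (in[0] == 0x03);
    memcpy(p->x, in + 1, 32);
    return 1;
}

/* Exercises the four cases a boundary must get right; returns the number of failures (0 = all pass). */
static int run_checks(void) {
    int bad = 0;
    unsigned char enc[POINT_ENC_LEN], zeros[POINT_ENC_LEN] = { 0 };
    point_t inf = { .infinity = 1 }, back;

    /* 1. the identity round-trips through the 33-zero-byte sentinel */
    point_encode_transcript(&inf, enc);
    bad += memcmp(enc, zeros, POINT_ENC_LEN) != 0;
    bad += point_decode_transcript(enc, &back) != 1 || back.infinity != 1;

    /* 2. a non-identity point whose x is all zero is still distinguishable from the sentinel */
    point_t x0 = { .infinity = 0, .y_is_odd = 1 };  /* x left zero-initialized on purpose */
    point_encode_transcript(&x0, enc);
    bad += enc[0] != 0x03 || memcmp(enc, zeros, POINT_ENC_LEN) == 0;
    bad += point_decode_transcript(enc, &back) != 1 || back.infinity != 0 || back.y_is_odd != 1;

    /* 3. a 0x00 prefix with a nonzero payload is malformed, not the identity */
    memset(enc, 0, POINT_ENC_LEN);
    enc[32] = 0x01;
    bad += point_decode_transcript(enc, &back) != 0;

    /* 4. an uncompressed prefix is rejected */
    memset(enc, 0x11, POINT_ENC_LEN);
    enc[0] = 0x04;
    bad += point_decode_transcript(enc, &back) != 0;
    return bad;
}

int main(void) {
    int bad = run_checks();
    printf("%s (%d failures)\n", bad ? "FAIL" : "OK", bad);
    return bad != 0;
}
```

Case 2 is the one worth a dedicated test in the real code: it proves the sentinel is out-of-band rather than a value a legitimate point could also produce, which is the property that lets a path document "infinity is a separate sentinel case" without ambiguity.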
Acceptance
- Every API boundary listed above has a doxygen sentence stating the zero / identity handling decision.
- Each has at least one test case exercising the zero / identity input or output explicitly.
- The current code's behavior is preserved; this is a documentation + test-coverage issue, not a behavior change (except for any specific bugs found during the sweep).