I was surprised to see that this may be violated in secp256k1_eckey_pubkey_parse (secp256k1/src/eckey_impl.h, lines 26 to 31 at cc55757):

```c
    /* excerpt: tail of secp256k1_eckey_pubkey_parse */
    secp256k1_ge_set_xy(elem, &x, &y);
    if ((pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD) &&
        secp256k1_fe_is_odd(&y) != (pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) {
        return 0;
    }
    return secp256k1_ge_is_valid_var(elem);
```
I claim
- ge(j) objects should always represent valid points on the curve.
- This invariant should be checked in VERIFY mode, in secp256k1_ge(j)_verify or at least in secp256k1_ge_set_xy.
- There should be a separate function secp256k1_ge_try_set_xy which checks if (x,y) is on the curve, and only if yes, returns 1 and outputs a ge. That function can be used to implement secp256k1_eckey_pubkey_parse.
- secp256k1_ge_is_valid_var should be removed (or repurposed to secp256k1_ge_verify_on_curve_var without return value, as mentioned above).
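The shape of the proposal above, written out as an added example in Python (this is not code from libsecp256k1 or from the issue author; `ge_try_set_xy`, `ge_verify` and `pubkey_parse` are names assumed here to mirror the proposed API, with field elements modelled as plain Python ints). The point is that an off-curve (x, y) never becomes a point object: the on-curve check happens in the constructor, and the hybrid-tag parity check and the `x >= p` check are done before it, so the parse path cannot hand out an invalid ge.

```python
# Added example, not libsecp256k1 code: models the proposed
# secp256k1_ge_try_set_xy invariant with Python ints as field elements.

P = 2**256 - 2**32 - 977   # secp256k1 field modulus; P % 4 == 3
B = 7                      # curve equation: y^2 = x^3 + 7

# Prefix bytes accepted by secp256k1_eckey_pubkey_parse
TAG_EVEN, TAG_ODD, TAG_UNCOMPRESSED, TAG_HYBRID_EVEN, TAG_HYBRID_ODD = 2, 3, 4, 6, 7

# Generator coordinates, used as a known on-curve point for the checks below
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def ge_is_on_curve(x: int, y: int) -> bool:
    """True iff x, y are reduced field elements with y^2 == x^3 + 7 (mod P)."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + B)) % P == 0


def ge_try_set_xy(x: int, y: int):
    """Model of the proposed secp256k1_ge_try_set_xy (hypothetical name):
    return a point only if (x, y) is on the curve, otherwise None.
    A point object therefore always satisfies ge_verify()."""
    if not ge_is_on_curve(x, y):
        return None
    return (x, y)


def ge_verify(point) -> None:
    """VERIFY-mode style invariant: every point object is on the curve."""
    assert point is not None and ge_is_on_curve(*point)


def pubkey_parse(pub: bytes):
    """Parse a 33-byte compressed or 65-byte uncompressed/hybrid pubkey.
    Returns (x, y) or None; never returns an off-curve point."""
    if len(pub) == 33 and pub[0] in (TAG_EVEN, TAG_ODD):
        x = int.from_bytes(pub[1:], "big")
        if x >= P:
            return None                      # not a reduced field element
        rhs = (pow(x, 3, P) + B) % P
        y = pow(rhs, (P + 1) // 4, P)        # square root since P % 4 == 3
        if (y * y) % P != rhs:
            return None                      # x^3 + 7 is a non-residue: no point with this x
        if bool(y & 1) != (pub[0] == TAG_ODD):
            y = P - y                        # pick the root with the requested parity
        return ge_try_set_xy(x, y)
    if len(pub) == 65 and pub[0] in (TAG_UNCOMPRESSED, TAG_HYBRID_EVEN, TAG_HYBRID_ODD):
        x = int.from_bytes(pub[1:33], "big")
        y = int.from_bytes(pub[33:], "big")
        if x >= P or y >= P:
            return None
        if pub[0] in (TAG_HYBRID_EVEN, TAG_HYBRID_ODD) and bool(y & 1) != (pub[0] == TAG_HYBRID_ODD):
            return None                      # hybrid tag contradicts the parity of y
        return ge_try_set_xy(x, y)           # on-curve check happens here, not after
    return None


if __name__ == "__main__":
    g_bytes = GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    ge_verify(pubkey_parse(b"\x04" + g_bytes))
    assert pubkey_parse(b"\x04" + GX.to_bytes(32, "big") + (GY + 1).to_bytes(32, "big")) is None
    print("off-curve input rejected before a point object exists")
```

Because `GY` is even, the compressed encoding of G carries tag 0x02 and the negated point (x, P - y) carries tag 0x03; a hybrid 0x07 prefix on G is rejected by the parity check, and (GX, GY + 1) is rejected by the constructor rather than by a separate validity call afterwards.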