group: ge(j) should have as invariant that the curve equation holds #1376
Comments
|
secp256k1_ge(j) are also used to represent points on effective affine isomorphic curves. Does that mean that in VERIFY mode we need to store the isomorphism factor inside ge(j). |
Oh right, that's a valid point. [1]
Perhaps it makes sense to have a separate type for effective affine computations. This will also make the code more self-documenting and thus enhance readability. [1] Absolutely no pun intended. |
|
When doing the exhaustive tests we also use off-curve points (though we stick to a single group, so we use a fixed isomoprhism class). So we would need to be able to configure or disable this check. I was going to say that there's also some really awful abuse of ge_storage in ecmult_impl.h, which I introduced in #557, but sadly(?) all that got deleted in #956 when we deleted ecmult_context.
I think this is a good idea, independently of this. |
I was surprised to see that this may be violated in
secp256k1_eckey_pubkey_parse:secp256k1/src/eckey_impl.h
Lines 26 to 31 in cc55757
I claim
ge(j)objects should always represent valid points on the curve.secp256k1_ge(j)_verifyor at least insecp256k1_ge_set_xysecp256k1_ge_try_set_xywhich checks if (x,y) is on the curve, and only if yes, returns 1 and outputs age. That function can be used to implementsecp256k1_eckey_pubkey_parse.secp256k1_ge_is_valid_varshould be removed (or repurposed tosecp256k1_ge_verify_on_curve_varwithout return value, as mentioned above).The text was updated successfully, but these errors were encountered: