
Rare case when Schnorr's signature can't be verified #56

Description

@StackOverflowExcept1on

this case occurs with probability $\approx \frac{1}{ 2^{128} }$
ecrecover(e, v, r, s) accepts any e, 27/28 for v and r, s in [1, Secp256k1.N), where N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Suppose the public key has `pubKey.x >= N`; in that case `ecrecover` will return `address(0)`, so the protocol can't verify the signature, which means you lose control of the smart contract.

```solidity
// Set r = Pₓ
uint r = pubKey.x;
```

r, s range:

fix: `if (!(pubKey.isOnCurve() && pubKey.x < LibSecp256k1.Q())) {`

Do we also need to reject `pubKey.x >= Secp256k1.N` for the group public key on the backend and in the constructor?

```solidity
if (!pubKey.isOnCurve()) {
    return false;
}
```
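An added example, not code from the issue or the project, that mirrors the proposed fix in Python: a group key is accepted only if it is on secp256k1 and has `x < N`, and a curve point with `x` in `[N, p)` is constructed at runtime to show why the on-curve check alone lets through a key whose `r = Pₓ` falls outside ecrecover's `[1, N)` range. The constant and function names are my own.

```python
from typing import Tuple

# Constructed example (not the issue's or the project's code). secp256k1 parameters:
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def is_on_curve(x: int, y: int) -> bool:
    """y^2 == x^3 + 7 (mod p), with both coordinates inside the field."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - x * x * x - 7) % P == 0


def is_valid_group_pubkey(x: int, y: int) -> bool:
    """The fix proposed in the issue: on the curve AND x < N."""
    return is_on_curve(x, y) and x < N


def ecrecover_accepts_r(r: int) -> bool:
    """Only the r-range rule of the ecrecover precompile: r must lie in [1, N)."""
    return 1 <= r < N


def point_with_x_at_or_above_order() -> Tuple[int, int]:
    """Construct a curve point whose x lies in [N, p); there are about 2^128 such x.
    Because p % 4 == 3, y = (x^3 + 7)^((p+1)/4) is a square root whenever x^3 + 7
    is a quadratic residue, so we scan x upward from N until that holds."""
    x = N
    while True:
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if (y * y) % P == rhs:
            return x, y
        x += 1


if __name__ == "__main__":
    bad_x, bad_y = point_with_x_at_or_above_order()
    print("generator accepted:", is_valid_group_pubkey(GX, GY))
    print("on curve but x >= N:", is_on_curve(bad_x, bad_y),
          "accepted:", is_valid_group_pubkey(bad_x, bad_y))
    print("ecrecover would accept r = P.x:", ecrecover_accepts_r(bad_x))
```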
