fastecdsa: Bug: multiplication of Point by negative const produces wrong results
from fastecdsa.curve import P256
from fastecdsa.point import Point
xs = 0xde2444bebc8d36e682edd27e0f271508617519b3221a8fa0b77cab3989da97c9
ys = 0xc093ae7ff36e5380fc01a5aad1e66659702de80f53cec576b6350b243042a256
S = Point(xs, ys, curve=P256)
print(S)
# X: 0xde2444bebc8d36e682edd27e0f271508617519b3221a8fa0b77cab3989da97c9
# Y: 0xc093ae7ff36e5380fc01a5aad1e66659702de80f53cec576b6350b243042a256
# (On curve <P256>)
print((-1)*S)
# X: 0xde2444bebc8d36e682edd27e0f271508617519b3221a8fa0b77cab3989da97c9
# Y: 0xc093ae7ff36e5380fc01a5aad1e66659702de80f53cec576b6350b243042a256
# (On curve <P256>)
print(-S)
# X: 0xde2444bebc8d36e682edd27e0f271508617519b3221a8fa0b77cab3989da97c9
# Y: 0x3f6c517f0c91ac8003fe5a552e1999a68fd217f1ac313a8949caf4dbcfbd5da9
# (On curve <P256>)
print((-1-P256.q)*S)
# X: 0x2754ffb5ff6ff19af1bb2fe0ef25a22d3a28731031d319afa9bf707c3595d58d
# Y: 0x3832af93a61dc91177c094f3c1723e5a3f4e29cc9fbc862da05be393b54a9a9e
# (On curve <P256>)
version 2.1.5
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 15 (14 by maintainers)
Revisiting this issue - given that the fallback code is needed anyway I’m in favor of keeping things as they are and not introducing an additional cofactor field. If anyone has objections we can discuss here.
Just to be clear: you cannot always calculate the cofactor like I give in the pointer. So in the end, you need the fallback code anyway – i.e. no scalar reduction, and sign considerations – which is what you’ve merged already.
For curves already built into fastecdsa, this doesn’t matter because
his a precomputed constant. It’s only a question of custom curves instantiated with theCurveclass.I am agreed with you,
scalar %= self.curve.qmust be included… I guess it was removed by accident, those commits are concerning on the special case when the output point is degenerated (in short Weierstrass, the point at infinity does not have affine representation).