Title: ECDSA points with x-values between n and p
Post by: vjudeu on January 22, 2023, 10:29:19 PM

This point seems to be valid, and on secp256k1, as far as I know:

Code:
04 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 98F66641CB0AE1776B463EBDEE3D77FE2658F021DB48E2C8AC7AB4C92F83621E

Code:
04 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364143 C94E559D14883E68CFDA34341568BF1127153254788DD974C6AF9BB9CD962A5C

Title: Re: ECDSA points with x-values between n and p
Post by: ymgve2 on January 23, 2023, 02:06:46 AM

Nevermind, I misunderstood. I think technically it might be a malleability, but since I assume you don't know the actual private keys behind any of the public keys, it's more a theoretical issue than practical.

Title: Re: ECDSA points with x-values between n and p
Post by: pooya87 on January 23, 2023, 04:35:53 AM

You can derive more than one possible public key from a valid ECDSA signature and message but that is not related to malleability since the public key is always locked in the script that is being spent one way or another (it is unchangeable).

For example in a P2PKH script the hash of the public key is already locked in the scriptpub and if you use a different public key the transaction will be rejected on OP_EQUALVERIFY before it even reaches the signature verification step.

P.S. All 3 public keys you posted are valid since they are on secp256k1 curve.

Title: Re: ECDSA points with x-values between n and p
Post by: witcher_sense on January 23, 2023, 11:26:07 AM

Quote:
This point seems to be valid, and on secp256k1, as far as I know:

According to BIP62 (https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#user-content-Low_S_values_in_signatures), when the value of s is more than half of n (the total number of points), we simply take s = n - s. In other words, given this rule, any signature where the value of s is too high is considered invalid. As for public keys, there can theoretically be 4 different public keys for the same message and private key if the value of r is lower than n-p. In this case, you will have two x-coordinates (x=r and x=r+n) and two y-coordinates for each x (even and odd).

Code:
04 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 98F66641CB0AE1776B463EBDEE3D77FE2658F021DB48E2C8AC7AB4C92F83621E

Code:
04 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364143 C94E559D14883E68CFDA34341568BF1127153254788DD974C6AF9BB9CD962A5C

Title: Re: ECDSA points with x-values between n and p
Post by: NotATether on January 23, 2023, 10:03:31 PM

It is purely an academic discussion, as the probability of hitting any x mod n is already so low that dividing the probability by two won't make much of a difference in terms of security.
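
The relationship discussed in this thread (ECDSA takes r as the nonce point's x-coordinate reduced mod n, so an x in [n, p) shares its r with x - n), as an added Python example that is not code from any poster: it parses the two points quoted above, tests the curve equation, and lists every curve point that maps to a given r. The function names are illustrative assumptions; the constants are the public secp256k1 parameters.

```python
# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
GX = 0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798
GY = 0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8

# The two uncompressed points quoted in the thread (04 || X || Y).
THREAD_POINTS = [
    "04 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 98F66641CB0AE1776B463EBDEE3D77FE2658F021DB48E2C8AC7AB4C92F83621E",
    "04 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364143 C94E559D14883E68CFDA34341568BF1127153254788DD974C6AF9BB9CD962A5C",
]

def parse_uncompressed(text):
    """Parse '04 X Y' hex into integer coordinates (x, y)."""
    raw = bytes.fromhex(text.replace(" ", ""))
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    return int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")

def on_curve(x, y):
    """True if x, y are field elements satisfying y^2 = x^3 + 7 (mod p)."""
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0

def r_from_x(x):
    """ECDSA r value produced by a nonce point with this x-coordinate."""
    return x % N

def lift_x(x):
    """Both curve points with this x (even y first), or [] if none exist."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root formula valid because p % 4 == 3
    if y * y % P != rhs:
        return []
    y = P - y if y % 2 else y
    return [(x, y), (x, P - y)]

def candidate_nonce_points(r):
    """Every point R with R.x mod n == r: x = r, plus x = r + n when below p."""
    if not 0 < r < N:
        raise ValueError("r must be in [1, n-1]")
    xs = [r] + ([r + N] if r + N < P else [])
    return [pt for x in xs for pt in lift_x(x)]

if __name__ == "__main__":
    for text in THREAD_POINTS:
        x, y = parse_uncompressed(text)
        print(hex(x)[-8:], "n<=x<p:", N <= x < P,
              "on curve:", on_curve(x, y), "r:", r_from_x(x))
    print("points sharing r=2:", len(candidate_nonce_points(2)))
```

The first quoted x equals n, so it reduces to r = 0, a value ECDSA verification rejects because r must lie in [1, n-1].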