If message is curve order, the produced signature differs from C libsecp256k1 #62

guidovranken · 2020-12-03T19:47:06Z

operation name: ECDSA_Sign
ecc curve: secp256k1
private key: 56312477249014209074628570412053507700651251817507875221581725004376025072551
input: {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 
 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41} (32 bytes)
nonce source: RFC 6979
digest: NULL

Module rust_libsecp256k1 result:

X: 47388130725345365543943056156955089862855904171373701656697778116764682363258
Y: 37092251669891195025340922069241978179057338816763561493770821876984336293314
R: 6375717680451201706338283387674951504853972890504340254901358912364890170048
S: 38089468653229875417331679605347400350541399507585865787553720087037855685678


Module secp256k1 result:

X: 47388130725345365543943056156955089862855904171373701656697778116764682363258
Y: 37092251669891195025340922069241978179057338816763561493770821876984336293314
R: 33254199737740308679695132562303764730039452340150568623617514127015066954758
S: 6671420881794714356399876285623712604606322001251819062355155017162344624447

Similar bug: trezor/trezor-firmware#1374
Found with Cryptofuzz.

The text was updated successfully, but these errors were encountered:

cairoeth mentioned this issue Jun 24, 2024

Implement P256 verification via RIP-7212 precompile with Solidity fallback OpenZeppelin/openzeppelin-contracts#4881

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

If message is curve order, the produced signature differs from C libsecp256k1 #62

If message is curve order, the produced signature differs from C libsecp256k1 #62

guidovranken commented Dec 3, 2020

If message is curve order, the produced signature differs from C libsecp256k1 #62

If message is curve order, the produced signature differs from C libsecp256k1 #62

Comments

guidovranken commented Dec 3, 2020