paritytech / libsecp256k1

Pure Rust Implementation of secp256k1.
Apache License 2.0

If message is curve order, the produced signature differs from C libsecp256k1 #62

Open guidovranken opened 3 years ago

guidovranken commented 3 years ago
operation name: ECDSA_Sign
ecc curve: secp256k1
private key: 56312477249014209074628570412053507700651251817507875221581725004376025072551
input: {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41} (32 bytes)
nonce source: RFC 6979
digest: NULL

Module rust_libsecp256k1 result:

X: 47388130725345365543943056156955089862855904171373701656697778116764682363258
Y: 37092251669891195025340922069241978179057338816763561493770821876984336293314
R: 6375717680451201706338283387674951504853972890504340254901358912364890170048
S: 38089468653229875417331679605347400350541399507585865787553720087037855685678

Module secp256k1 result:

X: 47388130725345365543943056156955089862855904171373701656697778116764682363258
Y: 37092251669891195025340922069241978179057338816763561493770821876984336293314
R: 33254199737740308679695132562303764730039452340150568623617514127015066954758
S: 6671420881794714356399876285623712604606322001251819062355155017162344624447

Similar bug: https://github.com/trezor/trezor-firmware/pull/1374 Found with Cryptofuzz.
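The edge case behind this report, as an added example that is not code from the issue, from Cryptofuzz or from either libsecp256k1 implementation: the 32-byte input above is exactly the secp256k1 group order n, so as a message scalar it reduces to 0. RFC 6979 section 3.2.d feeds bits2octets(h1), i.e. the hash reduced mod n, into the HMAC-DRBG; an implementation that instead feeds the raw 32 bytes derives a different nonce and therefore a different (r, s). The block below derives the nonce both ways for the private key from the report, checks that the derived public key matches the X value both modules printed, and shows that both resulting signatures verify, so ordinary verification cannot tell the two apart and only a cross-implementation comparison like the one above catches the divergence. That this is the exact cause of the difference between the two modules is an assumption; the curve arithmetic and the textbook ECDSA sign/verify are included only so the block runs offline.

```python
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Taken from the report above; the 32-byte input is exactly N, i.e. scalar 0.
PRIV = 56312477249014209074628570412053507700651251817507875221581725004376025072551
MSG32 = N.to_bytes(32, "big")
REPORTED_PUB_X = 47388130725345365543943056156955089862855904171373701656697778116764682363258

def ec_add(p1, p2):
    """Affine addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add; variable time, fine for a demonstration."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def rfc6979_nonce(priv, h1_octets):
    """RFC 6979 3.2 HMAC-DRBG (SHA-256). h1_octets plays the role of
    bits2octets(h1), which the RFC defines as the hash reduced mod N."""
    x = priv.to_bytes(32, "big")
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h1_octets, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h1_octets, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()  # qlen == hlen: one block
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def nonce_input(msg32, reduce_mod_n):
    """Bytes fed to the DRBG: reduced mod N (RFC 6979 3.2.d) or raw."""
    if reduce_mod_n:
        return (int.from_bytes(msg32, "big") % N).to_bytes(32, "big")
    return msg32

def sign(priv, msg32, reduce_mod_n):
    """ECDSA with a deterministic nonce; only the DRBG input differs by mode."""
    z = int.from_bytes(msg32, "big") % N  # message scalar, always reduced
    k = rfc6979_nonce(priv, nonce_input(msg32, reduce_mod_n))
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    assert r and s  # a real signer retries on r == 0 or s == 0
    if s > N // 2:  # low-s normalisation, as libsecp256k1 emits
        s = N - s
    return r, s

def verify(pub, msg32, sig):
    """Textbook ECDSA verification."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(msg32, "big") % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def compare_edge_case():
    """Sign the report's input both ways; both verify, only r and s differ."""
    pub = ec_mul(PRIV, G)
    sig_reduced = sign(PRIV, MSG32, True)
    sig_raw = sign(PRIV, MSG32, False)
    return {
        "pub_x": pub[0],
        "reduced_input_is_zero": nonce_input(MSG32, True) == bytes(32),
        "r_reduced": sig_reduced[0],
        "r_raw": sig_raw[0],
        "both_verify": verify(pub, MSG32, sig_reduced) and verify(pub, MSG32, sig_raw),
    }
```

Calling `compare_edge_case()` returns both r values and the verification results; the point for anyone maintaining a signer is that a fixed test vector with a digest equal to or above n belongs in the test suite, because a verifier accepts either output and will never flag the mismatch.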