diff options
| author | Pieter Wuille <pieter@wuille.net> | 2020-09-02 14:20:42 -0700 |
|---|---|---|
| committer | Pieter Wuille <pieter@wuille.net> | 2020-09-03 14:38:22 -0700 |
| commit | 3b1fb9600b938172dd98a63e4906a861af9c3ab0 (patch) | |
| tree | e9bbf70fe3c22394512934eb294a96f80e286845 /bip-0340.mediawiki | |
| parent | d8531483f53adb39bf2265ea2148a8b05334d747 (diff) | |
| download | bips-3b1fb9600b938172dd98a63e4906a861af9c3ab0.tar.xz | |
Clarify that R=infinity is invalid in BIP340
Also rename is_infinity to is_infinite is reference implementation,
to match the wording in BIP340.
Diffstat (limited to 'bip-0340.mediawiki')
| -rw-r--r-- | bip-0340.mediawiki | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 9502a69..f22194f 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -110,7 +110,7 @@ The following conventions are used, with constants as defined for [https://www.s ** The function ''bytes(x)'', where ''x'' is an integer, returns the 32-byte encoding of ''x'', most significant byte first. ** The function ''bytes(P)'', where ''P'' is a point, returns ''bytes(x(P))''. ** The function ''int(x)'', where ''x'' is a 32-byte array, returns the 256-bit unsigned integer whose most significant byte first encoding is ''x''. -** The function ''has_even_y(P)'', where ''P'' is a point, returns ''y(P) mod 2 = 0''. +** The function ''has_even_y(P)'', where ''P'' is a point for which ''not is_infinite(P)'', returns ''y(P) mod 2 = 0''. ** The function ''lift_x(x)'', where ''x'' is an integer in range ''0..p-1'', returns the point ''P'' for which ''x(P) = x''<ref> Given a candidate X coordinate ''x'' in the range ''0..p-1'', there exist either exactly two or exactly zero valid Y coordinates. If no valid Y coordinate exists, then ''x'' is not a valid X coordinate either, i.e., no point ''P'' exists for which ''x(P) = x''. The valid Y coordinates for a given candidate ''x'' are the square roots of ''c = x<sup>3</sup> + 7 mod p'' and they can be computed as ''y = ±c<sup>(p+1)/4</sup> mod p'' (see [https://en.wikipedia.org/wiki/Quadratic_residue#Prime_or_prime_power_modulus Quadratic residue]) if they exist, which can be checked by squaring and comparing with ''c''.</ref> and ''has_even_y(P)'', or fails if no such point exists. The function ''lift_x(x)'' is equivalent to the following pseudocode: *** Let ''c = x<sup>3</sup> + 7 mod p''. @@ -184,7 +184,9 @@ The algorithm ''Verify(pk, m, sig)'' is defined as: * Let ''s = int(sig[32:64])''; fail if ''s ≥ n''. * Let ''e = int(hash<sub>BIP0340/challenge</sub>(bytes(r) || bytes(P) || m)) mod n''. * Let ''R = s⋅G - e⋅P''. -* Fail if ''not has_even_y(R)'' or ''x(R) ≠ r''. +* Fail if ''is_infinite(R)''. +* Fail if ''not has_even_y(R)''. +* Fail if ''x(R) ≠ r''. * Return success iff no failure occurred before reaching this point. For every valid secret key ''sk'' and message ''m'', ''Verify(PubKey(sk),m,Sign(sk,m))'' will succeed. |