From 13278f642ccf58ed3e1ca7c97b97b52778f1b2e4 Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Mon, 1 Dec 2014 13:29:47 +0100 Subject: [PATCH] Add explanation about how inversion can be avoided --- src/ecdsa_impl.h | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/ecdsa_impl.h b/src/ecdsa_impl.h index 569db59..b4023be 100644 --- a/src/ecdsa_impl.h +++ b/src/ecdsa_impl.h @@ -126,15 +126,33 @@ static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const se secp256k1_scalar_get_b32(c, &sig->r); secp256k1_fe_t xr; secp256k1_fe_set_b32(&xr, c); + + // We now have the recomputed R point in pr, and its claimed x coordinate (modulo n) + // in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p), + // compute the remainder modulo n, and compare it to xr. However: + // + // xr == X(pr) mod n + // <=> exists h. (xr + h * n < p && xr + h * n == X(pr)) + // [Since 2 * n > p, h can only be 0 or 1] + // <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr)) + // [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p] + // <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p) + // [Multiplying both sides of the equations by pr.z^2 mod p] + // <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x) + // + // Thus, we can avoid the inversion, but we have to check both cases separately. + // secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. if (secp256k1_gej_eq_x_var(&xr, &pr)) { + // xr.x == xr * xr.z^2 mod p, so the signature is valid. return 1; } if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_consts->p_minus_order) >= 0) { - // We can't add the order to r. This will be the case for almost every r. + // xr + p >= n, so we can skip testing the second case. return 0; } secp256k1_fe_add(&xr, &secp256k1_ecdsa_consts->order_as_fe); if (secp256k1_gej_eq_x_var(&xr, &pr)) { + // (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. return 1; } return 0;