Author: Anthony Towns 2015-10-05 14:49:00
Published on: 2015-10-05T14:49:00+00:00
In an email exchange, Richard Kiss and aj discussed a problem with libsec256k1 where SHA256(y||x) is run with y being '\x02' for even values of y and '\x03' for odd values of y. The issue was that openssl only gives the x value, so it's difficult to determine the correct secret directly. Richard suggested that aj could use his open source library pycoin to get Y from X. However, aj still needs to know whether to set is_even True or False. To address this, aj implemented ECDH directly by performing a single EC_POINT_mul operation. A bug was found where aj was checking eveness by comparing the last byte to 0 instead of the last bit. To make ECDH friendlier to alternative implementations, aj added a comment to an existing secp256k1 pull request suggesting that only the x value be used when creating secrets.
Updated on: 2023-05-18T15:26:24.544427+00:00