* [Bitcoin-development] Signature with negative integer?
@ 2014-07-19 4:33 Richard Moore
2014-07-19 7:03 ` Gregory Maxwell
0 siblings, 1 reply; 2+ messages in thread
From: Richard Moore @ 2014-07-19 4:33 UTC (permalink / raw)
To: Bitcoin Dev
Hey all,
I'm wondering if anyone can help explain to me tx 70f7c15c6f62139cc41afa858894650344eda9975b46656d893ee59df8914a3d...
(https://blockchain.info/tx/70f7c15c6f62139cc41afa858894650344eda9975b46656d893ee59df8914a3d)
The input signature script is:
304402206b5c3b1c86748dcf328b9f3a65e10085afcf5d1af5b40970d8ce3a9355e06b5b0220cdbdc23e6d3618e47056fccc60c5f73d1a542186705197e5791e97f0e6582a3201
Which decodes to:
r= 48560432700441876832361368709121298776045893858160378595187765610521057848155
s= -22732680560694206332190468058638664750027418114195068375538144640549433890254
(http://lapo.it/asn1js/#304402206B5C3B1C86748DCF328B9F3A65E10085AFCF5D1AF5B40970D8CE3A9355E06B5B0220CDBDC23E6D3618E47056FCCC60C5F73D1A542186705197E5791E97F0E6582A32)
The ECC library I'm using is failing to verify this, which I think makes sense, since I the point needs to be positive, no? But it is obviously valid, as it has been verified and spent. I have tried simply modulo curve.order to positive-ify it, but that didn't seem to work either. Given a point P (with Py < 0) is there some fancy way to bring it into the elliptic curve space, such that Px >= 0 and Py >= 0?
Thanks!
RicMoo
.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸><(((º>
Richard Moore ~ Founder
Genetic Mistakes Software inc.
phone: (778) 882-6125
email: ricmoo@geneticmistakes•com
www: http://GeneticMistakes.com
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [Bitcoin-development] Signature with negative integer?
2014-07-19 4:33 [Bitcoin-development] Signature with negative integer? Richard Moore
@ 2014-07-19 7:03 ` Gregory Maxwell
0 siblings, 0 replies; 2+ messages in thread
From: Gregory Maxwell @ 2014-07-19 7:03 UTC (permalink / raw)
To: Richard Moore; +Cc: Bitcoin Dev
On Fri, Jul 18, 2014 at 9:33 PM, Richard Moore <me@ricmoo•com> wrote:
> Hey all,
> I'm wondering if anyone can help explain to me tx 70f7c15c6f62139cc41afa858894650344eda9975b46656d893ee59df8914a3d...
A rather timely post. See the other thread on BIP0062. What you're
looking at is an example of a well-known-to-implementers-here where
invisible and undocumented "over permissiveness" in interpreting
invalid encoding in a cryptographic library (OpenSSL in our case)
which would have been probably-not-unwelcome in many other protocol
uses results in an unexpected consensus critical normative rule in
Bitcoin.
Modern releases of Bitcoin core will no longer relay or mine them but
they're still valid in blocks should they show up.
BIP62 proposes, among other things, soft-forking (backwards
compatible) changes that will strictly limit the DER encoding to avoid
ambiguity. If adopted by the network implementations would still need
to grandfather in existing weird transactions but could do so on a
txid by txid basis since there would be no more broken encoding
permitted in blocks, and use different DER decoding code without risk
of consensus inconsistency (so long as it uses der decoding which is
functionally identical to what BIP62 requires— of course).
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-07-19 7:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-19 4:33 [Bitcoin-development] Signature with negative integer? Richard Moore
2014-07-19 7:03 ` Gregory Maxwell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox