--- Day changed Mon Aug 29 2016
03:57 -!- ratoder [~ratoder@static.111.19.201.138.clients.your-server.de] has joined #secp256k1
04:25 < waxwing> andytoshi: https://twitter.com/techieben86/status/769506922336776192 "All numbers from 1 to 101000"
07:16 -!- GAit [~GAit@212.91.77.39] has joined #secp256k1
07:21 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #secp256k1
07:37 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]
07:46 < andytoshi> hahaha
07:49 < andytoshi> i don't have a twitter account, sadly, or i'd reply "uhh, 1792? we're still doing that in 2016"
08:26 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #secp256k1
09:05 -!- GAit [~GAit@212.91.77.39] has quit [Quit: Leaving.]
11:12 -!- GAit1 [~GAit@net-5-94-135-81.cust.dsl.vodafone.it] has joined #secp256k1
11:28 -!- GAit1 [~GAit@net-5-94-135-81.cust.dsl.vodafone.it] has quit [Quit: Leaving.]
13:11 -!- andytoshi [~andytoshi@unaffiliated/andytoshi] has quit [Read error: Connection reset by peer]
13:12 -!- andytoshi [~andytoshi@wpsoftware.net] has joined #secp256k1
14:20 -!- andytoshi [~andytoshi@wpsoftware.net] has quit [Quit: WeeChat 1.5]
14:34 -!- andytoshi [~andytoshi@unaffiliated/andytoshi] has joined #secp256k1
16:04 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
18:32 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]
18:33 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #secp256k1
18:33 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Client Quit]
19:03 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
19:04 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
20:45 < jl2012> sipa: if either the size of R or S is > 32 bytes, the signature is transformed to R=0 and S=0 in ecdsa_signature_parse_der_lax?
21:09 < gmaxwell> jl2012: that is a special value which is guaranteed to be rejected. (I believe the parse also returns an error)
21:10 < jl2012> if R or S are 32 bytes but fail secp256k1_scalar_check_overflow, they are also transformed to 0 before passing to secp256k1_ecdsa_signature_normalize
21:11 < jl2012> gmaxwell: I made some tests here: https://github.com/bitcoin/bitcoin/pull/8533/commits/4ed48ef0228abc5e3fd238f49c3321332565261f
21:12 < jl2012> the S value in the last test is 1 above the secp256k1 order
21:14 < jl2012> it is not considered as a HIGH_S. The signature is just "wrong", not invalid, so it passes the CHECKSIG NOT script
21:24 -!- FNinTak [~jonhbit@2601:600:8c01:6ab0:ee1a:59ff:fec0:acd6] has joined #secp256k1
21:28 < gmaxwell> You mean that it is one higher than the field rather than one higher than the group order?
21:29 < jl2012> S = 0x00fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 in the last test
21:30 < jl2012> if S=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140, the test returns HIGH_S error (the second last test)
21:30 < jl2012> if S = 0x00fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141, the test returns OK
21:33 < jl2012> With my limited understanding of the code, I think the process for my last test is: 1. secp256k1_scalar_check_overflow finds S is above the upper limit; 2. ecdsa_signature_parse_der_lax transforms R and S to 0, and returns 1; 3. secp256k1_scalar_is_high (therefore secp256k1_ecdsa_signature_normalize) returns 0 because S is 0; 4. secp256k1_ecdsa_verify
21:33 < jl2012> returns 0 because the signature is wrong
22:27 -!- FNinTak [~jonhbit@2601:600:8c01:6ab0:ee1a:59ff:fec0:acd6] has quit [Quit: Leaving]