@@ -78,7 +78,7 @@ SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
7878) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (4 );
7979
8080/** A pointer to a function to deterministically generate a nonce.
81- * Returns: 1 if a nonce was succesfully generated. 0 will cause signing to fail.
81+ * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
8282 * In: msg32: the 32-byte message hash being verified (will not be NULL)
8383 * key32: pointer to a 32-byte secret key (will not be NULL)
8484 * attempt: how many iterations we have tried to find a nonce.
@@ -115,6 +115,32 @@ extern const secp256k1_nonce_function_t secp256k1_nonce_function_default;
115115 * In/Out: siglen: pointer to an int with the length of sig, which will be updated
116116 * to contain the actual signature length (<=72).
117117 * Requires starting using SECP256K1_START_SIGN.
118+ *
119+ * The sig always has an s value in the lower half of the range (From 0x1
120+ * to 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
121+ * inclusive), unlike many other implementations.
122+ * With ECDSA a third-party can can forge a second distinct signature
123+ * of the same message given a single initial signature without knowing
124+ * the key by setting s to its additive inverse mod-order, 'flipping' the
125+ * sign of the random point R which is not included in the signature.
126+ * Since the forgery is of the same message this isn't universally
127+ * problematic, but in systems where message malleability or uniqueness
128+ * of signatures is important this can cause issues. This forgery can be
129+ * blocked by all verifiers forcing signers to use a canonical form. The
130+ * lower-S form reduces the size of signatures slightly on average when
131+ * variable length encodings (such as DER) are used and is cheap to
132+ * verify, making it a good choice. Security of always using lower-S is
133+ * assured because anyone can trivially modify a signature after the
134+ * fact to enforce this property. Adjusting it inside the signing
135+ * function avoids the need to re-serialize or have curve specific
136+ * constants outside of the library. By always using a canonical form
137+ * even in applications where it isn't needed it becomes possible to
138+ * impose a requirement later if a need is discovered.
139+ * No other forms of ECDSA malleability are known and none seem likely,
140+ * but there is no formal proof that ECDSA, even with this additional
141+ * restriction, is free of other malleability. Commonly used serialization
142+ * schemes will also accept various non-unique encodings, so care should
143+ * be taken when this property is required for an application.
118144 */
119145int secp256k1_ecdsa_sign (
120146 const unsigned char * msg32 ,
0 commit comments