1. 2
  1. 1

    The elliptic curve used for signatures can be represented in 2 different (isomorphic) ways:

    • Curve25519 - the montgomery form
    • Ed25519 - the twisted edwards form

    In the montgomery form the sign of the y coordinate matters. In the edwards form all terms are squares so the sign doesn’t matter. The sign of the y coordinate is important for checking signatures.

    There’s a couple different algorithms to raise a number to a power (while doing all the arithmetic on the curve), the Ed25519 is the fastest. Most of monocypher uses the Curve25519 form.

    So to take advantage of the fast algorithm the library converts to the other form, applies the algorithm, converts back.

    There are a small number of exceptional values (zero being one of them) that don’t survive the generic coordinate transform which caused this bug. I think the problem can be solved by checking for these special values.