bitdevs

waxwing commentary on twist attacks + bitcoin’s curve

niftynei

The privatekey -> pubkey function is “fine”. It isn’t a vector for being subjected to twist attack.

The pubkey you get back from this function will be on the curve as it’s internally munged to be. The risk is that it won’t “match” the private key that you provided. 

The attack specifically requires you not to verify a pubkey you’ve been given is on the curve.

> am I not using secp256k1 just because the library has a vulnerability?

Technically, yes 😂 in this case the bug is the library is not living up to its name 🤷 