Description

The functions ShamirMultJacobian and _preComputeJacobianPoints use (0, 0, 0) with the intention to represent the point at infinity in Jacobian coordinates. However, this is not a valid point in Jacobian coordinates. The point at infinity is represented in Jacobian coordinates with (c^2, c^3, 0), with 0 < c < p and exponentiation done modulo p .

Impact

As _affineFromJacobian and _jAdd check for an argument being the point at infinity by only comparing the last component with 0, they work as intended anyway. The function _modifiedJacobianDouble will return (0,0,0) if passed (0,0,0). Results are thus currently correct if (0, 0, 0) is treated as an alias for the point at infinity.

Recommendations

Consider changing (0,0,0) to (1,1,0) in the two places; or, if it is preferred to keep (0,0,0) as an efficiency trick to save gas, document that this is intentional and that functions such as _jAdd, _modifiedJacobianDouble, and _affineFromJacobian must treat (0,0,0) as the point at infinity. In the latter case, we recommend adding test cases for this as well.

Remediation

This issue has been acknowledged by Biconomy Labs, and fixes were implemented in the following commits:

• f7e03db2↗
• 55d6e09c↗
• 43525074↗