From e72e93ad9ce1793bc8e5f66905e595156c2652b0 Mon Sep 17 00:00:00 2001
From: Andrew Poelstra
Date: Sun, 10 Jan 2016 08:35:59 +0000
Subject: [PATCH] Add note about y=0 being possible on one of the sextic twists

---
 src/group_impl.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/group_impl.h b/src/group_impl.h
index 42e2f6e6ebf..afb1470a04a 100644
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -256,6 +256,12 @@ static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, s
 /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity,
  * Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have
  * y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.
+ *
+ * Having said this, if this function receives a point on a sextic twist, e.g. by
+ * a fault attack, it is possible for y to be 0. This happens for y^2 = x^3 + 6,
+ * since -6 does have a cube root mod p. For this point, this function will not set
+ * the infinity flag even though the point doubles to infinity, and the result
+ * point will be gibberish (z = 0 but infinity = 0).
  */
 r->infinity = a->infinity;
 if (r->infinity) {
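Review bot: The added paragraph explains why a twist point can have y = 0 but stops short of stating the contract that follows from it, namely that secp256k1_gej_double_var assumes its input lies on secp256k1 and performs no on-curve check. I would close the new paragraph with ` * Callers must therefore only pass points known to be on secp256k1; this function does not verify this.` so the precondition is visible to callers rather than only its consequence. If a defence is ever wanted here, the doubled z coordinate could be tested with a field zero-check such as secp256k1_fe_normalizes_to_zero_var and the infinity flag set accordingly, but that adds a normalisation to a hot path and the comment reads as a deliberate decision to document rather than detect. The body of secp256k1_gej_double_var continues past the end of the hunk, so whether any later line already rejects z = 0 cannot be seen here.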