Edwards Goes Degenerate

There is a bug in the implementation, specifically

```python
def recover_x(self, xbit, y):
    # x^2 = (y^2 - 1) / (1 + d*y^2) mod p
    xsqr = (y**2 - 1)*inverse(1 + self.d*y**2, self.p) % self.p
    # candidate square root
    x = pow(xsqr, (self.p + 1)//4, self.p)
    if x**2 == xsqr:  # x**2 is not reduced mod p here
        ...
    return 0
```

the function `recover_x` will always return 0, because the check is not performed modulo $p$. The challenge is now straightforward as the base point has an x-coordinate of 0....
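The unreduced comparison next to a corrected one, as an added example that is not from the original post. The prime, `D`, and all function names are constructed for illustration, and the sign selection by `xbit` is an assumption because the post elides that branch; the example also shows that the `0` fallback fails an on-curve check, which is the validation a decoder should run before using the point.

```python
# Constructed toy parameters (not the challenge's): p = 2^127 - 1 is prime
# and p % 4 == 3, so a square root is v^((p+1)/4) as in the post's code.
P = 2**127 - 1
D = 5  # arbitrary constructed curve constant

def _candidate_root(y):
    """Return x^2 = (y^2 - 1) / (1 + d*y^2) mod p and its candidate root."""
    xsqr = (y * y - 1) * pow(1 + D * y * y, -1, P) % P
    return xsqr, pow(xsqr, (P + 1) // 4, P)

def recover_x_buggy(xbit, y):
    xsqr, x = _candidate_root(y)
    if x**2 == xsqr:        # bug: integer x**2 is compared without "% P"
        return x if x & 1 == xbit else -x % P
    return 0                # silent fallback, as in the post

def recover_x_fixed(xbit, y):
    xsqr, x = _candidate_root(y)
    if x * x % P != xsqr:   # compare modulo p; a non-residue is rejected
        raise ValueError("y is not the y-coordinate of a curve point")
    return x if x & 1 == xbit else -x % P

def on_curve(x, y):
    """-x^2 + y^2 = 1 + d*x^2*y^2, the equation implied by the formula above."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def first_decodable_y():
    """Smallest y >= 2 that has a root x with x*x >= p (reduction matters)."""
    for y in range(2, 1000):
        xsqr, x = _candidate_root(y)
        if x * x % P == xsqr and x * x >= P:
            return y
    raise RuntimeError("no sample y found")

if __name__ == "__main__":
    y = first_decodable_y()
    bad, good = recover_x_buggy(0, y), recover_x_fixed(0, y)
    print("buggy:", bad, "on curve:", on_curve(bad, y))
    print("fixed:", good, "on curve:", on_curve(good, y))
```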

January 3, 2023 · 4 min · qvinhprolol