Skip to content

Commit

Permalink
Reintroduce projective blinding
Browse files Browse the repository at this point in the history
  • Loading branch information
sipa committed Dec 30, 2021
1 parent 1f531c0 commit 74af58c
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
4 changes: 4 additions & 0 deletions src/ecmult_gen.h
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,10 @@ typedef struct {
/* Blinding values used when computing nG as (n-b)G + bG. */
secp256k1_scalar scalar_offset; /* -b */
secp256k1_ge final_point_add; /* bG */

/* Factor used for projective blinding. This value is used
* to rescale the Z coordinate of the first table lookup. */
secp256k1_fe proj_blind;
} secp256k1_ecmult_gen_context;

static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);
Expand Down
10 changes: 9 additions & 1 deletion src/ecmult_gen_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
if (EXPECT(first, 0)) {
/* If this is the first table lookup, we can skip addition. */
secp256k1_gej_set_ge(r, &add);
/* Give the entry a random Z coordinate to blind intermediary results. */
secp256k1_gej_rescale(r, &ctx->proj_blind);
first = 0;
} else {
secp256k1_gej_add_ge(r, r, &add);
Expand Down Expand Up @@ -222,6 +224,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
secp256k1_scalar b;
secp256k1_scalar diff;
secp256k1_gej gb;
secp256k1_fe f;
unsigned char nonce32[32];
secp256k1_rfc6979_hmac_sha256 rng;
unsigned char keydata[64] = {0};
Expand All @@ -233,6 +236,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
/* When seed is NULL, reset the final point and blinding value. */
secp256k1_ge_neg(&ctx->final_point_add, &secp256k1_ge_const_g);
secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff);
ctx->proj_blind = secp256k1_fe_one;
}
/* The prior blinding value (if not reset) is chained forward by including it in the hash. */
secp256k1_scalar_get_b32(nonce32, &ctx->scalar_offset);
Expand All @@ -247,7 +251,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
memset(keydata, 0, sizeof(keydata));

/* TODO: reintroduce projective blinding. */
/* Compute projective blinding factor (cannot be 0). */
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
secp256k1_fe_set_b32(&f, nonce32);
secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_is_zero(&f));
ctx->proj_blind = f;

/* For a random blinding value b, set scalar_offset=diff-n, final_point_add=bG */
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
Expand Down

0 comments on commit 74af58c

Please sign in to comment.