Skip to content

Commit

Permalink
Merge bitcoin-core/secp256k1#1120: ecmult_gen: Skip RNG when creating…
Browse files Browse the repository at this point in the history
… blinding if no seed is available

55f8bc9 ecmult_gen: Improve comments about projective blinding (Tim Ruffing)
7a86955 ecmult_gen: Simplify code (no observable change) (Tim Ruffing)
4cc0b1b ecmult_gen: Skip RNG when creating blinding if no seed is available (Tim Ruffing)

Pull request description:

  Running the RNG is pointless if no seed is available because the key
  will be fixed. The computation just wastes time.

  Previously, users could avoid this computation at least by asking for
  a context without signing capabilities. But since 3b0c218 we always
  build an ecmult_gen context, ignoring the context flags. Moreover,
  users could never avoid this pointless computation when asking for
  the creation of a signing context.

  This fixes one item in bitcoin#1065.

ACKs for top commit:
  sipa:
    ACK 55f8bc9
  apoelstra:
    ACK 55f8bc9

Tree-SHA512: 5ccba56041f94fa8f40a8a56ce505369ff2e0ed20cd7f0bfc3fdfffa5fa7bf826a93602b9b2455a352865a9548ab4928e858c19bb5af7ec221594a3bf25c4f3d
  • Loading branch information
real-or-random committed Jul 7, 2022
2 parents af65d30 + 55f8bc9 commit 63a3565
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions src/ecmult_gen_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -88,31 +88,31 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
unsigned char nonce32[32];
secp256k1_rfc6979_hmac_sha256 rng;
int overflow;
unsigned char keydata[64] = {0};
unsigned char keydata[64];
if (seed32 == NULL) {
/* When seed is NULL, reset the initial point and blinding value. */
secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
secp256k1_gej_neg(&ctx->initial, &ctx->initial);
secp256k1_scalar_set_int(&ctx->blind, 1);
return;
}
/* The prior blinding value (if not reset) is chained forward by including it in the hash. */
secp256k1_scalar_get_b32(nonce32, &ctx->blind);
secp256k1_scalar_get_b32(keydata, &ctx->blind);
/** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data,
* and guards against weak or adversarial seeds. This is a simpler and safer interface than
* asking the caller for blinding values directly and expecting them to retry on failure.
*/
memcpy(keydata, nonce32, 32);
if (seed32 != NULL) {
memcpy(keydata + 32, seed32, 32);
}
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
VERIFY_CHECK(seed32 != NULL);
memcpy(keydata + 32, seed32, 32);
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
memset(keydata, 0, sizeof(keydata));
/* Accept unobservably small non-uniformity. */
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
overflow = !secp256k1_fe_set_b32(&s, nonce32);
overflow |= secp256k1_fe_is_zero(&s);
secp256k1_fe_cmov(&s, &secp256k1_fe_one, overflow);
/* Randomize the projection to defend against multiplier sidechannels. */
/* Randomize the projection to defend against multiplier sidechannels.
Do this before our own call to secp256k1_ecmult_gen below. */
secp256k1_gej_rescale(&ctx->initial, &s);
secp256k1_fe_clear(&s);
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
Expand All @@ -121,6 +121,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
secp256k1_scalar_cmov(&b, &secp256k1_scalar_one, secp256k1_scalar_is_zero(&b));
secp256k1_rfc6979_hmac_sha256_finalize(&rng);
memset(nonce32, 0, 32);
/* The random projection in ctx->initial ensures that gb will have a random projection. */
secp256k1_ecmult_gen(ctx, &gb, &b);
secp256k1_scalar_negate(&b, &b);
ctx->blind = b;
Expand Down

0 comments on commit 63a3565

Please sign in to comment.