secp256k1-zkp/src/ecmult_gen_impl.h

/***********************************************************************
 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell       *
 * Distributed under the MIT software license, see the accompanying    *
 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
 ***********************************************************************/

#ifndef SECP256K1_ECMULT_GEN_IMPL_H
#define SECP256K1_ECMULT_GEN_IMPL_H

#include "util.h"
#include "scalar.h"
#include "group.h"
#include "ecmult_gen.h"
#include "hash_impl.h"
#include "ecmult_static_context.h"

static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = 0;

static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx) {
    ctx->prec = NULL;
}

static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc) {
    if (ctx->prec != NULL) {
        return;
    }
    (void)prealloc;
    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])secp256k1_ecmult_static_context;
    secp256k1_ecmult_gen_blind(ctx, NULL);
}

static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx) {
    return ctx->prec != NULL;
}

static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src) {
    (void)dst, (void)src;
}

static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx) {
    secp256k1_scalar_clear(&ctx->blind);
    secp256k1_gej_clear(&ctx->initial);
    ctx->prec = NULL;
}

static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *gn) {
    secp256k1_ge add;
    secp256k1_ge_storage adds;
    secp256k1_scalar gnb;
    int bits;
    int i, j;
    memset(&adds, 0, sizeof(adds));
    *r = ctx->initial;
    /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
    secp256k1_scalar_add(&gnb, gn, &ctx->blind);
    add.infinity = 0;
    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
        bits = secp256k1_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B);
        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
            /** This uses a conditional move to avoid any secret data in array indexes.
             *   _Any_ use of secret indexes has been demonstrated to result in timing
             *   sidechannels, even when the cache-line access patterns are uniform.
             *  See also:
             *   "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
             *    (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
             *   "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
             *    by Dag Arne Osvik, Adi Shamir, and Eran Tromer
             *    (https://www.tau.ac.il/~tromer/papers/cache.pdf)
             */
            secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits);
        }
        secp256k1_ge_from_storage(&add, &adds);
        secp256k1_gej_add_ge(r, r, &add);
    }
    bits = 0;
    secp256k1_ge_clear(&add);
    secp256k1_scalar_clear(&gnb);
}

/* Setup blinding values for secp256k1_ecmult_gen. */
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32) {
    secp256k1_scalar b;
    secp256k1_gej gb;
    secp256k1_fe s;
    unsigned char nonce32[32];
    secp256k1_rfc6979_hmac_sha256 rng;
    int overflow;
    unsigned char keydata[64] = {0};
    if (seed32 == NULL) {
        /* When seed is NULL, reset the initial point and blinding value. */
        secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
        secp256k1_gej_neg(&ctx->initial, &ctx->initial);
        secp256k1_scalar_set_int(&ctx->blind, 1);
    }
    /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
    secp256k1_scalar_get_b32(nonce32, &ctx->blind);
    /** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data,
     *   and guards against weak or adversarial seeds.  This is a simpler and safer interface than
     *   asking the caller for blinding values directly and expecting them to retry on failure.
     */
    memcpy(keydata, nonce32, 32);
    if (seed32 != NULL) {
        memcpy(keydata + 32, seed32, 32);
    }
    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
    memset(keydata, 0, sizeof(keydata));
    /* Accept unobservably small non-uniformity. */
    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
    overflow = !secp256k1_fe_set_b32(&s, nonce32);
    overflow |= secp256k1_fe_is_zero(&s);
    secp256k1_fe_cmov(&s, &secp256k1_fe_one, overflow);
    /* Randomize the projection to defend against multiplier sidechannels. */
    secp256k1_gej_rescale(&ctx->initial, &s);
    secp256k1_fe_clear(&s);
    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
    secp256k1_scalar_set_b32(&b, nonce32, NULL);
    /* A blinding value of 0 works, but would undermine the projection hardening. */
    secp256k1_scalar_cmov(&b, &secp256k1_scalar_one, secp256k1_scalar_is_zero(&b));
    secp256k1_rfc6979_hmac_sha256_finalize(&rng);
    memset(nonce32, 0, 32);
    secp256k1_ecmult_gen(ctx, &gb, &b);
    secp256k1_scalar_negate(&b, &b);
    ctx->blind = b;
    ctx->initial = gb;
    secp256k1_scalar_clear(&b);
    secp256k1_gej_clear(&gb);
}

#endif /* SECP256K1_ECMULT_GEN_IMPL_H */
Fix insecure links 2020-12-17 08:33:49 +02:00			`/***********************************************************************`
			`* Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *`
			`* Distributed under the MIT software license, see the accompanying *`
			`* file COPYING or https://www.opensource.org/licenses/mit-license.php.*`
			`***********************************************************************/`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00
Fix header guards using reserved identifiers Identifiers starting with an underscore and followed immediately by a capital letter are reserved by the C++ standard. The only header guards not fixed are those in the headers auto-generated from java. 2017-08-26 18:44:21 +03:00			`#ifndef SECP256K1_ECMULT_GEN_IMPL_H`
			`#define SECP256K1_ECMULT_GEN_IMPL_H`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00
Add size constants for preallocated memory 2018-10-22 16:23:09 +02:00			`#include "util.h"`
Introduce secp256k1_scalar_t for future constant-time mod order operations 2014-10-28 04:08:15 -07:00			`#include "scalar.h"`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00			`#include "group.h"`
			`#include "ecmult_gen.h"`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`#include "hash_impl.h"`
Add ability to use a statically generated ecmult context. This vastly shrinks the size of the context required for signing on devices with memory-mapped Flash. Tables are generated by the new gen_context tool into a header. 2015-05-19 17:32:35 -07:00			`#include "ecmult_static_context.h"`
Add size constants for preallocated memory 2018-10-22 16:23:09 +02:00
ecmult_gen: Move table creation to new file and force static prec 2021-09-09 16:46:19 +02:00			`static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = 0;`
Add size constants for preallocated memory 2018-10-22 16:23:09 +02:00
Get rid of _t as it is POSIX reserved 2015-09-21 20:57:54 +02:00			`static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx) {`
[API BREAK] Introduce explicit contexts 2015-02-03 17:27:00 -08:00			`ctx->prec = NULL;`
			`}`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00
Switch to a single malloc call 2018-10-22 16:25:26 +02:00			`static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context ctx, void *prealloc) {`
[API BREAK] Introduce explicit contexts 2015-02-03 17:27:00 -08:00			`if (ctx->prec != NULL) {`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00			`return;`
Brace all the if/for/while. Unbraced statements spanning multiple lines has been shown in many projects to contribute to the introduction of bugs and a failure to catch them in review, especially for maintenance on infrequently modified code. Most, but not all, of the existing practice in the codebase were not cases that I would have expected to eventually result in bugs but applying it as a rule makes it easier for other people to safely contribute. I'm not aware of any such evidence for the case with the statement on a single line, but some people strongly prefer to never do that and the opposite rule of "_always_ use a single line for single statement blocks" isn't a reasonable rule for formatting reasons. Might as well brace all these too, since that's more universally acceptable. [In any case, I seem to have introduced the vast majority of the single-line form (as they're my preference where they fit).] This also removes a broken test which is no longer needed. 2015-03-27 23:14:17 +00:00			`}`
Switch to a single malloc call 2018-10-22 16:25:26 +02:00			`(void)prealloc;`
variable signing precompute table make ECMULT_GEN_PREC_BITS configurable ecmult_static_context.h: add compile time config assertion (#3) - Prevents accidentally using a file which was generated with a different configuration. README: mention valgrind issue With --with-ecmult-gen-precision=8, valgrind needs a max stack size adjustment to not run into a stack switching heuristic: http://valgrind.org/docs/manual/manual-core.html > -max-stackframe= [default: 2000000] > The maximum size of a stack frame. If the stack pointer moves by more than this amount then Valgrind will assume that the program is switching to a different stack. You may need to use this option if your program has large stack-allocated arrays. basic-config: undef ECMULT_WINDOW_SIZE before (re-)defining it 2015-10-18 10:35:16 +02:00			`ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])secp256k1_ecmult_static_context;`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`secp256k1_ecmult_gen_blind(ctx, NULL);`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00			`}`

Get rid of _t as it is POSIX reserved 2015-09-21 20:57:54 +02:00			`static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx) {`
[API BREAK] Introduce explicit contexts 2015-02-03 17:27:00 -08:00			`return ctx->prec != NULL;`
			`}`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00
Switch to a single malloc call 2018-10-22 16:25:26 +02:00			`static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context dst, const secp256k1_ecmult_gen_context src) {`
			`(void)dst, (void)src;`
Expose ability to deep-copy a context 2015-04-11 14:06:54 -05:00			`}`

Get rid of _t as it is POSIX reserved 2015-09-21 20:57:54 +02:00			`static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx) {`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`secp256k1_scalar_clear(&ctx->blind);`
			`secp256k1_gej_clear(&ctx->initial);`
[API BREAK] Introduce explicit contexts 2015-02-03 17:27:00 -08:00			`ctx->prec = NULL;`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00			`}`

Get rid of _t as it is POSIX reserved 2015-09-21 20:57:54 +02:00			`static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context ctx, secp256k1_gej r, const secp256k1_scalar *gn) {`
			`secp256k1_ge add;`
			`secp256k1_ge_storage adds;`
			`secp256k1_scalar gnb;`
Convert the rest of the codebase to C89. Update build system to enforce -std=c89 -pedantic. 2015-01-25 17:32:08 +00:00			`int bits;`
			`int i, j;`
initialize variable 2015-04-03 17:16:09 -04:00			`memset(&adds, 0, sizeof(adds));`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`*r = ctx->initial;`
			`/* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */`
			`secp256k1_scalar_add(&gnb, gn, &ctx->blind);`
Use constant-time conditional moves instead of byte slicing 2014-12-02 20:20:13 +01:00			`add.infinity = 0;`
variable signing precompute table make ECMULT_GEN_PREC_BITS configurable ecmult_static_context.h: add compile time config assertion (#3) - Prevents accidentally using a file which was generated with a different configuration. README: mention valgrind issue With --with-ecmult-gen-precision=8, valgrind needs a max stack size adjustment to not run into a stack switching heuristic: http://valgrind.org/docs/manual/manual-core.html > -max-stackframe= [default: 2000000] > The maximum size of a stack frame. If the stack pointer moves by more than this amount then Valgrind will assume that the program is switching to a different stack. You may need to use this option if your program has large stack-allocated arrays. basic-config: undef ECMULT_WINDOW_SIZE before (re-)defining it 2015-10-18 10:35:16 +02:00			`for (j = 0; j < ECMULT_GEN_PREC_N; j++) {`
			`bits = secp256k1_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B);`
			`for (i = 0; i < ECMULT_GEN_PREC_G; i++) {`
Add a comment about the avoidance of secret data in array indexes. People elsewhere still seem to be writing crypto code making this mistake, so it must not be that well known. 2015-04-06 03:48:08 +00:00			`/** This uses a conditional move to avoid any secret data in array indexes.`
			`* _Any_ use of secret indexes has been demonstrated to result in timing`
			`* sidechannels, even when the cache-line access patterns are uniform.`
			`* See also:`
			`* "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe`
			`* (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and`
			`* "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,`
			`* by Dag Arne Osvik, Adi Shamir, and Eran Tromer`
Fix insecure links 2020-12-17 08:33:49 +02:00			`* (https://www.tau.ac.il/~tromer/papers/cache.pdf)`
Add a comment about the avoidance of secret data in array indexes. People elsewhere still seem to be writing crypto code making this mistake, so it must not be that well known. 2015-04-06 03:48:08 +00:00			`*/`
[API BREAK] Introduce explicit contexts 2015-02-03 17:27:00 -08:00			`secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits);`
Use constant-time conditional moves instead of byte slicing 2014-12-02 20:20:13 +01:00			`}`
Switch ecmult_gen to use storage types 2015-01-25 00:46:31 -04:00			`secp256k1_ge_from_storage(&add, &adds);`
Branch-free point addition 2014-11-11 10:32:50 -08:00			`secp256k1_gej_add_ge(r, r, &add);`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00			`}`
			`bits = 0;`
			`secp256k1_ge_clear(&add);`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`secp256k1_scalar_clear(&gnb);`
			`}`

			`/* Setup blinding values for secp256k1_ecmult_gen. */`
Get rid of _t as it is POSIX reserved 2015-09-21 20:57:54 +02:00			`static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context ctx, const unsigned char seed32) {`
			`secp256k1_scalar b;`
			`secp256k1_gej gb;`
			`secp256k1_fe s;`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`unsigned char nonce32[32];`
Get rid of reserved _t in type names 2017-09-27 15:01:26 -07:00			`secp256k1_rfc6979_hmac_sha256 rng;`
Eliminate harmless non-constant time operations on secret data. There were several places where the code was non-constant time for invalid secret inputs. These are harmless under sane use but get in the way of automatic const-time validation. (Nonce overflow in signing is not addressed, nor is s==0 in signing) 2020-01-11 01:01:05 +00:00			`int overflow;`
Change rfc6979 implementation to be a generic PRNG 2015-07-08 18:10:25 -04:00			`unsigned char keydata[64] = {0};`
Use the explicit NULL macro for pointer comparisons. This makes it more clear that a null check is intended. Avoiding the use of a pointer as a test condition alse increases the type-safety of the comparisons. (This is also MISRA C 2012 rules 14.4 and 11.9) 2015-09-23 21:56:04 +00:00			`if (seed32 == NULL) {`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`/* When seed is NULL, reset the initial point and blinding value. */`
			`secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);`
			`secp256k1_gej_neg(&ctx->initial, &ctx->initial);`
			`secp256k1_scalar_set_int(&ctx->blind, 1);`
			`}`
			`/* The prior blinding value (if not reset) is chained forward by including it in the hash. */`
			`secp256k1_scalar_get_b32(nonce32, &ctx->blind);`
			`/** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data,`
			`* and guards against weak or adversarial seeds. This is a simpler and safer interface than`
			`* asking the caller for blinding values directly and expecting them to retry on failure.`
			`*/`
Change rfc6979 implementation to be a generic PRNG 2015-07-08 18:10:25 -04:00			`memcpy(keydata, nonce32, 32);`
Use the explicit NULL macro for pointer comparisons. This makes it more clear that a null check is intended. Avoiding the use of a pointer as a test condition alse increases the type-safety of the comparisons. (This is also MISRA C 2012 rules 14.4 and 11.9) 2015-09-23 21:56:04 +00:00			`if (seed32 != NULL) {`
Change rfc6979 implementation to be a generic PRNG 2015-07-08 18:10:25 -04:00			`memcpy(keydata + 32, seed32, 32);`
			`}`
			`secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);`
			`memset(keydata, 0, sizeof(keydata));`
Eliminate harmless non-constant time operations on secret data. There were several places where the code was non-constant time for invalid secret inputs. These are harmless under sane use but get in the way of automatic const-time validation. (Nonce overflow in signing is not addressed, nor is s==0 in signing) 2020-01-11 01:01:05 +00:00			`/* Accept unobservably small non-uniformity. */`
			`secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);`
			`overflow = !secp256k1_fe_set_b32(&s, nonce32);`
			`overflow \|= secp256k1_fe_is_zero(&s);`
			`secp256k1_fe_cmov(&s, &secp256k1_fe_one, overflow);`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`/* Randomize the projection to defend against multiplier sidechannels. */`
			`secp256k1_gej_rescale(&ctx->initial, &s);`
			`secp256k1_fe_clear(&s);`
Eliminate harmless non-constant time operations on secret data. There were several places where the code was non-constant time for invalid secret inputs. These are harmless under sane use but get in the way of automatic const-time validation. (Nonce overflow in signing is not addressed, nor is s==0 in signing) 2020-01-11 01:01:05 +00:00			`secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);`
			`secp256k1_scalar_set_b32(&b, nonce32, NULL);`
			`/* A blinding value of 0 works, but would undermine the projection hardening. */`
			`secp256k1_scalar_cmov(&b, &secp256k1_scalar_one, secp256k1_scalar_is_zero(&b));`
Add scalar blinding and a secp256k1_context_randomize() call. This computes (n-b)G + bG with random value b, in place of nG in ecmult_gen() for signing. This is intended to reduce exposure to potential power/EMI sidechannels during signing and pubkey generation by blinding the secret value with another value which is hopefully unknown to the attacker. It may not be very helpful if the attacker is able to observe the setup or if even the scalar addition has an unacceptable leak, but it has low overhead in any case and the security should be purely additive on top of the existing defenses against sidechannels. 2015-04-15 21:35:50 +00:00			`secp256k1_rfc6979_hmac_sha256_finalize(&rng);`
			`memset(nonce32, 0, 32);`
			`secp256k1_ecmult_gen(ctx, &gb, &b);`
			`secp256k1_scalar_negate(&b, &b);`
			`ctx->blind = b;`
			`ctx->initial = gb;`
			`secp256k1_scalar_clear(&b);`
			`secp256k1_gej_clear(&gb);`
Split up ecmult and ecmult_gen entirely 2014-10-26 03:42:24 -07:00			`}`

Fix header guards using reserved identifiers Identifiers starting with an underscore and followed immediately by a capital letter are reserved by the C++ standard. The only header guards not fixed are those in the headers auto-generated from java. 2017-08-26 18:44:21 +03:00			`#endif /* SECP256K1_ECMULT_GEN_IMPL_H */`