frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge #732: Retry if r is zero during signing

Browse Source 
37ed51a7eafa5fd9955ceb66213251cdd8b8b8c4 Make ecdsa_sig_sign constant-time again after reverting 25e3cfb (Tim Ruffing)
93d343bfc5323e56f6a60cb41d60b96368cc09c7 Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign" (Tim Ruffing)

Pull request description:

ACKs for top commit:
  elichai:
    ACK 37ed51a7eafa5fd9955ceb66213251cdd8b8b8c4 makes sense.
  jonasnick:
    ACK 37ed51a7eafa5fd9955ceb66213251cdd8b8b8c4

Tree-SHA512: 82b5b8e29f48e84fd7a0681b62923d3bd87d724b38ef18e8c7969b0dcc5a405ebb26c14b5c5f4c7ba0ccabd152d1531d217809d1daf40872fe0c1e079b55c64b
This commit is contained in:
Jonas Nick 2020-04-18 12:22:39 +00:00
commit 39198a03ea
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/ecdsa_impl.h
View File

@ -288,10 +288,6 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
secp256k1_fe_normalize(&r.y); secp256k1_fe_normalize(&r.y);
secp256k1_fe_get_b32(b, &r.x); secp256k1_fe_get_b32(b, &r.x);
secp256k1_scalar_set_b32(sigr, b, &overflow); secp256k1_scalar_set_b32(sigr, b, &overflow);
/* These two conditions should be checked before calling */
VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
VERIFY_CHECK(overflow == 0);
if (recid) { if (recid) {
/* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
* of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
@ -310,7 +306,10 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
if (recid) { if (recid) {
*recid ^= high; *recid ^= high;
} }
return !secp256k1_scalar_is_zero(sigs); /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature.
* This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
*/
return !secp256k1_scalar_is_zero(sigr) & !secp256k1_scalar_is_zero(sigs);
} }
#endif /* SECP256K1_ECDSA_IMPL_H */ #endif /* SECP256K1_ECDSA_IMPL_H */