frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ecmult_gen: Skip RNG when creating blinding if no seed is available

Browse Source 
Running the RNG is pointless if no seed is available because the key
will be fixed. The computation just wastes time.

Previously, users could avoid this computation at least by asking for
a context without signing capabilities. But since 3b0c218 we always
build an ecmult_gen context, ignoring the context flags. Moreover,
users could never avoid this pointless computation when asking for
the creation of a signing context.
This commit is contained in:
Tim Ruffing 2022-07-05 18:43:23 +02:00
parent af65d30cc8
commit 4cc0b1b669
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/ecmult_gen_impl.h
View File

@ -88,12 +88,13 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
unsigned char nonce32[32]; unsigned char nonce32[32];
secp256k1_rfc6979_hmac_sha256 rng; secp256k1_rfc6979_hmac_sha256 rng;
int overflow; int overflow;
unsigned char keydata[64] = {0}; unsigned char keydata[64];
if (seed32 == NULL) { if (seed32 == NULL) {
/* When seed is NULL, reset the initial point and blinding value. */ /* When seed is NULL, reset the initial point and blinding value. */
secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g); secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
secp256k1_gej_neg(&ctx->initial, &ctx->initial); secp256k1_gej_neg(&ctx->initial, &ctx->initial);
secp256k1_scalar_set_int(&ctx->blind, 1); secp256k1_scalar_set_int(&ctx->blind, 1);
return;
} }
/* The prior blinding value (if not reset) is chained forward by including it in the hash. */ /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
secp256k1_scalar_get_b32(nonce32, &ctx->blind); secp256k1_scalar_get_b32(nonce32, &ctx->blind);
@ -102,10 +103,9 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
* asking the caller for blinding values directly and expecting them to retry on failure. * asking the caller for blinding values directly and expecting them to retry on failure.
*/ */
memcpy(keydata, nonce32, 32); memcpy(keydata, nonce32, 32);
if (seed32 != NULL) { VERIFY_CHECK(seed32 != NULL);
memcpy(keydata + 32, seed32, 32); memcpy(keydata + 32, seed32, 32);
} secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
memset(keydata, 0, sizeof(keydata)); memset(keydata, 0, sizeof(keydata));
/* Accept unobservably small non-uniformity. */ /* Accept unobservably small non-uniformity. */
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);