From 70ff29b6a77266c55f41c966cfc2a766fd252cdf Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Tue, 14 Feb 2017 15:29:33 +1030
Subject: [PATCH 1/2] secp256k1_context_randomize: document.

I think I summarized it correctly after IRC discussion with gmaxwell and andytoshi; I didn't know it existed :( It's regrettable to expose this level of detail, but users need to know this to make a decision about how to use it.

Signed-off-by: Rusty Russell
---
 include/secp256k1.h | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/include/secp256k1.h b/include/secp256k1.h
index f268e309..bd7b7832 100644
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@@ -163,6 +163,8 @@ typedef int (*secp256k1_nonce_function)(
  *
  * Returns: a newly created context object.
  * In: flags: which parts of the context to initialize.
+ *
+ * See also secp256k1_context_randomize.
  */
 SECP256K1_API secp256k1_context* secp256k1_context_create(
     unsigned int flags
@@ -543,11 +545,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
     const unsigned char *tweak
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
-/** Updates the context randomization.
+/** Updates the context randomization to protect against side-channel leakage.
  * Returns: 1: randomization successfully updated
  *          0: error
  * Args: ctx: pointer to a context object (cannot be NULL)
  * In: seed32: pointer to a 32-byte random seed (NULL resets to initial state)
+ *
+ * While secp256k1 code is written to be constant-time no matter what secret
+ * values are, it's possible that a future compiler may output code which isn't,
+ * and also that the CPU may not emit the same radio frequencies or draw the same
+ * amount power for all values.
+ *
+ * This function provides a seed which is combined into the blinding value: that
+ * blinding value added before each multiplication (and removed afterwards) so
+ * that it does not affect function results, but shields against attacks which
+ * rely on any input-dependent behaviour.
+ *
+ * You should call this after secp256k1_context_create or
+ * secp256k1_context_clone, and may call this repeatedly afterwards.
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(
     secp256k1_context* ctx,

From 72d952c9c48d0b8d68c872f835acc1c75b34e2d2 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Tue, 21 Feb 2017 14:43:09 +1030
Subject: [PATCH 2/2] FIXUP: Missing "is"

Signed-off-by: Rusty Russell
---
 include/secp256k1.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/secp256k1.h b/include/secp256k1.h
index bd7b7832..16e96e80 100644
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
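Review bot: The unchanged `In: seed32` line still presents NULL as a neutral option, yet by the new paragraph that follows it discards the blinding the whole comment is about, so it should say so: `* In: seed32: pointer to a 32-byte random seed (NULL resets to the initial, unblinded state; not recommended)`. The new text also never says where the seed must come from nor why the declaration carries SECP256K1_WARN_UNUSED_RESULT, so I would add `* The seed must come from a cryptographically secure source; a return of 0 means the context was not re-blinded.` Because the function updates ctx in place, it presumably must not run while another thread is using the same context, which deserves one sentence if that is the case. Whether the blinding covers every scalar multiplication or only the fixed-generator multiplications used for signing and key derivation is not visible in this hunk; if it is the latter, `before each multiplication` overstates the protection. Finally, `amount power` in the new lines should read `amount of power`, which the follow-up fixup does not touch.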
@@ -557,7 +557,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
  * amount power for all values.
  *
  * This function provides a seed which is combined into the blinding value: that
- * blinding value added before each multiplication (and removed afterwards) so
+ * blinding value is added before each multiplication (and removed afterwards) so
  * that it does not affect function results, but shields against attacks which
  * rely on any input-dependent behaviour.
  *