diff --git a/include/secp256k1_ecdsa_s2c.h b/include/secp256k1_ecdsa_s2c.h index 482b0c13..e5920acd 100644 --- a/include/secp256k1_ecdsa_s2c.h +++ b/include/secp256k1_ecdsa_s2c.h @@ -4,7 +4,7 @@ #include "secp256k1.h" /** This module implements the sign-to-contract scheme for ECDSA signatures, as - * well as the "ECDSA Anti-Klepto Protocol" that is based on sign-to-contract + * well as the "ECDSA Anti-Exfil Protocol" that is based on sign-to-contract * and is specified further down. The sign-to-contract scheme allows creating a * signature that also commits to some data. This works by offsetting the public * nonce point of the signature R by hash(R, data)*G where G is the secp256k1 @@ -97,9 +97,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); -/** ECDSA Anti-Klepto Protocol +/** ECDSA Anti-Exfil Protocol * - * The ecdsa_anti_klepto_* functions can be used to prevent a signing device from + * The ecdsa_anti_exfil_* functions can be used to prevent a signing device from * exfiltrating the secret signing keys through biased signature nonces. The general * idea is that a host provides additional randomness to the signing device client * and the client commits to the randomness in the nonce using sign-to-contract. @@ -113,9 +113,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit * keys, or the signing device to bias the nonce despite the host's contributions, * the host and client must engage in a commit-reveal protocol as follows: * 1. The host draws randomness `rho` and computes a sha256 commitment to it using - * `secp256k1_ecdsa_anti_klepto_host_commit`. It sends this to the signing device. + * `secp256k1_ecdsa_anti_exfil_host_commit`. It sends this to the signing device. * 2. The signing device computes a public nonce `R` using the host's commitment - * as auxiliary randomness, using `secp256k1_ecdsa_anti_klepto_signer_commit`. + * as auxiliary randomness, using `secp256k1_ecdsa_anti_exfil_signer_commit`. * The signing device sends the resulting `R` to the host as a s2c_opening. * * If, at any point from this step onward, the hardware device fails, it is @@ -135,10 +135,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit * EVER, they should change hardware vendors and perhaps sweep their coins. * * 3. The host replies with `rho` generated in step 1. - * 4. The device signs with `secp256k1_anti_klepto_sign`, using `rho` as `host_data32`, + * 4. The device signs with `secp256k1_anti_exfil_sign`, using `rho` as `host_data32`, * and sends the signature to the host. * 5. The host verifies that the signature's public nonce matches the opening from - * step 2 and its original randomness `rho`, using `secp256k1_anti_klepto_host_verify`. + * step 2 and its original randomness `rho`, using `secp256k1_anti_exfil_host_verify`. * * Rationale: * - The reason for having a host commitment is to allow the signing device to @@ -154,7 +154,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit * maintain any state about the progress of the protocol. */ -/** Create the initial host commitment to `rho`. Part of the ECDSA Anti-Klepto Protocol. +/** Create the initial host commitment to `rho`. Part of the ECDSA Anti-Exfil Protocol. * * Returns 1 on success, 0 on failure. * Args: ctx: pointer to a context object (cannot be NULL) @@ -164,13 +164,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit * be revealed to the client until after the host has received the client * commitment. */ -SECP256K1_API int secp256k1_ecdsa_anti_klepto_host_commit( +SECP256K1_API int secp256k1_ecdsa_anti_exfil_host_commit( const secp256k1_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Compute signer's original nonce. Part of the ECDSA Anti-Klepto Protocol. +/** Compute signer's original nonce. Part of the ECDSA Anti-Exfil Protocol. * * Returns 1 on success, 0 on failure. * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) @@ -180,7 +180,7 @@ SECP256K1_API int secp256k1_ecdsa_anti_klepto_host_commit( * seckey32: the 32-byte secret key used for signing (cannot be NULL) * rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL) */ -SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit( +SECP256K1_API int secp256k1_ecdsa_anti_exfil_signer_commit( const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* s2c_opening, const unsigned char* msg32, @@ -189,7 +189,7 @@ SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit( ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); /** Same as secp256k1_ecdsa_sign, but commits to host randomness in the nonce. Part of the - * ECDSA Anti-Klepto Protocol. + * ECDSA Anti-Exfil Protocol. * * Returns: 1: signature created * 0: the nonce generation function failed, or the private key was invalid. @@ -199,7 +199,7 @@ SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit( * seckey: pointer to a 32-byte secret key (cannot be NULL) * host_data32: pointer to 32-byte host-provided randomness (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign( +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_exfil_sign( const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char* msg32, @@ -207,7 +207,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign( const unsigned char* host_data32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); -/** Verify a signature was correctly constructed using the ECDSA Anti-Klepto Protocol. +/** Verify a signature was correctly constructed using the ECDSA Anti-Exfil Protocol. * * Returns: 1: the signature is valid and contains a commitment to host_data32 * 0: incorrect opening @@ -218,7 +218,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign( * host_data32: the 32-byte data provided by the host (cannot be NULL) * opening: the s2c opening provided by the signer (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_host_verify( +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_exfil_host_verify( const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, diff --git a/src/modules/ecdsa_s2c/main_impl.h b/src/modules/ecdsa_s2c/main_impl.h index 093bab85..aae8a0eb 100755 --- a/src/modules/ecdsa_s2c/main_impl.h +++ b/src/modules/ecdsa_s2c/main_impl.h @@ -82,7 +82,7 @@ int secp256k1_ecdsa_s2c_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signa /* Provide `s2c_data32` to the nonce function as additional data to * derive the nonce. It is first hashed because it should be possible * to derive nonces even if only a SHA256 commitment to the data is - * known. This is important in the ECDSA anti-klepto protocol. */ + * known. This is important in the ECDSA anti-exfil protocol. */ secp256k1_s2c_ecdsa_data_sha256_tagged(&s2c_sha); secp256k1_sha256_write(&s2c_sha, s2c_data32, 32); secp256k1_sha256_finalize(&s2c_sha, ndata); @@ -130,15 +130,15 @@ int secp256k1_ecdsa_s2c_verify_commit(const secp256k1_context* ctx, const secp25 /* Do not check overflow; overflowing a scalar does not affect whether * or not the R value is a cryptographic commitment, only whether it * is a valid R value for an ECDSA signature. If users care about that - * they should use `ecdsa_verify` or `anti_klepto_host_verify`. In other + * they should use `ecdsa_verify` or `anti_exfil_host_verify`. In other * words, this check would be (at best) unnecessary, and (at worst) * insufficient. */ secp256k1_scalar_set_b32(&x_scalar, x_bytes, NULL); return secp256k1_scalar_eq(&sigr, &x_scalar); } -/*** anti-klepto ***/ -int secp256k1_ecdsa_anti_klepto_host_commit(const secp256k1_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) { +/*** anti-exfil ***/ +int secp256k1_ecdsa_anti_exfil_host_commit(const secp256k1_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) { secp256k1_sha256 sha; VERIFY_CHECK(ctx != NULL); @@ -151,7 +151,7 @@ int secp256k1_ecdsa_anti_klepto_host_commit(const secp256k1_context* ctx, unsign return 1; } -int secp256k1_ecdsa_anti_klepto_signer_commit(const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) { +int secp256k1_ecdsa_anti_exfil_signer_commit(const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) { unsigned char nonce32[32]; secp256k1_scalar k; secp256k1_gej rj; @@ -186,11 +186,11 @@ int secp256k1_ecdsa_anti_klepto_signer_commit(const secp256k1_context* ctx, secp return 1; } -int secp256k1_anti_klepto_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) { +int secp256k1_anti_exfil_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) { return secp256k1_ecdsa_s2c_sign(ctx, sig, NULL, msg32, seckey, host_data32); } -int secp256k1_anti_klepto_host_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey, const unsigned char *host_data32, const secp256k1_ecdsa_s2c_opening *opening) { +int secp256k1_anti_exfil_host_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey, const unsigned char *host_data32, const secp256k1_ecdsa_s2c_opening *opening) { return secp256k1_ecdsa_s2c_verify_commit(ctx, sig, host_data32, opening) && secp256k1_ecdsa_verify(ctx, sig, msg32, pubkey); } diff --git a/src/modules/ecdsa_s2c/tests_impl.h b/src/modules/ecdsa_s2c/tests_impl.h index c76e6b11..7ca1a3a6 100644 --- a/src/modules/ecdsa_s2c/tests_impl.h +++ b/src/modules/ecdsa_s2c/tests_impl.h @@ -150,63 +150,63 @@ static void test_ecdsa_s2c_api(void) { CHECK(secp256k1_ecdsa_s2c_sign(sign, &sig, NULL, msg, sec, s2c_data) == 1); CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1); - /* anti-klepto */ + /* anti-exfil */ ecount = 0; - CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, NULL, hostrand) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_host_commit(none, NULL, hostrand) == 0); CHECK(ecount == 1); - CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, hostrand_commitment, NULL) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, NULL) == 0); CHECK(ecount == 2); - CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, hostrand_commitment, hostrand) == 1); + CHECK(secp256k1_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, hostrand) == 1); CHECK(ecount == 2); ecount = 0; - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0); CHECK(ecount == 1); - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0); CHECK(ecount == 2); - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0); CHECK(ecount == 3); - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0); CHECK(ecount == 4); - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0); CHECK(ecount == 5); - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0); CHECK(ecount == 6); - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1); CHECK(ecount == 6); ecount = 0; - CHECK(secp256k1_anti_klepto_sign(both, NULL, msg, sec, hostrand) == 0); + CHECK(secp256k1_anti_exfil_sign(both, NULL, msg, sec, hostrand) == 0); CHECK(ecount == 1); - CHECK(secp256k1_anti_klepto_sign(both, &sig, NULL, sec, hostrand) == 0); + CHECK(secp256k1_anti_exfil_sign(both, &sig, NULL, sec, hostrand) == 0); CHECK(ecount == 2); - CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, NULL, hostrand) == 0); + CHECK(secp256k1_anti_exfil_sign(both, &sig, msg, NULL, hostrand) == 0); CHECK(ecount == 3); - CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, sec, NULL) == 0); + CHECK(secp256k1_anti_exfil_sign(both, &sig, msg, sec, NULL) == 0); CHECK(ecount == 4); - CHECK(secp256k1_anti_klepto_sign(none, &sig, msg, sec, hostrand) == 0); + CHECK(secp256k1_anti_exfil_sign(none, &sig, msg, sec, hostrand) == 0); CHECK(ecount == 5); - CHECK(secp256k1_anti_klepto_sign(vrfy, &sig, msg, sec, hostrand) == 0); + CHECK(secp256k1_anti_exfil_sign(vrfy, &sig, msg, sec, hostrand) == 0); CHECK(ecount == 6); - CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, sec, hostrand) == 1); + CHECK(secp256k1_anti_exfil_sign(both, &sig, msg, sec, hostrand) == 1); CHECK(ecount == 6); ecount = 0; - CHECK(secp256k1_anti_klepto_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 1); - CHECK(secp256k1_anti_klepto_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 2); - CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0); CHECK(ecount == 3); - CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0); CHECK(ecount == 4); - CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0); + CHECK(secp256k1_anti_exfil_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0); CHECK(ecount == 5); - CHECK(secp256k1_anti_klepto_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 6); - CHECK(secp256k1_anti_klepto_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 7); - CHECK(secp256k1_anti_klepto_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1); + CHECK(secp256k1_anti_exfil_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1); CHECK(ecount == 7); secp256k1_context_destroy(both); @@ -221,8 +221,8 @@ typedef struct { unsigned char s2c_data[32]; /* Original nonce */ unsigned char expected_s2c_opening[33]; - /* Original nonce (anti-klepto protocol, which mixes in host randomness) */ - unsigned char expected_s2c_klepto_opening[33]; + /* Original nonce (anti-exfil protocol, which mixes in host randomness) */ + unsigned char expected_s2c_exfil_opening[33]; } ecdsa_s2c_test; static ecdsa_s2c_test ecdsa_s2c_tests[] = { @@ -315,7 +315,7 @@ static void test_ecdsa_s2c_sign_verify(void) { } } -static void test_ecdsa_anti_klepto_signer_commit(void) { +static void test_ecdsa_anti_exfil_signer_commit(void) { size_t i; unsigned char privkey[32] = { 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, @@ -330,14 +330,14 @@ static void test_ecdsa_anti_klepto_signer_commit(void) { secp256k1_ecdsa_s2c_opening s2c_opening; unsigned char buf[33]; const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i]; - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1); CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1); - CHECK(memcmp(test->expected_s2c_klepto_opening, buf, sizeof(buf)) == 0); + CHECK(memcmp(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0); } } -/* This tests the full ECDSA Anti-Klepto Protocol */ -static void test_ecdsa_anti_klepto(void) { +/* This tests the full ECDSA Anti-Exfil Protocol */ +static void test_ecdsa_anti_exfil(void) { unsigned char signer_privkey[32]; unsigned char host_msg[32]; unsigned char host_commitment[32]; @@ -357,14 +357,14 @@ static void test_ecdsa_anti_klepto(void) { } /* Protocol step 1. */ - CHECK(secp256k1_ecdsa_anti_klepto_host_commit(ctx, host_commitment, host_nonce_contribution) == 1); + CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, host_commitment, host_nonce_contribution) == 1); /* Protocol step 2. */ - CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1); + CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1); /* Protocol step 3: host_nonce_contribution send to signer to be used in step 4. */ /* Protocol step 4. */ - CHECK(secp256k1_anti_klepto_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1); + CHECK(secp256k1_anti_exfil_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1); /* Protocol step 5. */ - CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); + CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); /* Protocol step 5 (explicitly) */ CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1); CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); @@ -378,7 +378,7 @@ static void test_ecdsa_anti_klepto(void) { sigbytes[i] += 1; CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0); - CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); /* revert */ sigbytes[i] -= 1; } @@ -387,8 +387,8 @@ static void test_ecdsa_anti_klepto(void) { { /* host_verify: message does not match */ unsigned char bad_msg[32]; secp256k1_testrand256_test(bad_msg); - CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); - CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); + CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); } { /* s2c_sign: host provided data that didn't match commitment */ secp256k1_ecdsa_s2c_opening orig_opening = s2c_opening; @@ -396,8 +396,8 @@ static void test_ecdsa_anti_klepto(void) { CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1); /* good signature but the opening (original public nonce does not match the original */ CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); - CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); - CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1); + CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); + CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1); CHECK(memcmp(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0); } } @@ -409,8 +409,8 @@ static void run_ecdsa_s2c_tests(void) { test_ecdsa_s2c_fixed_vectors(); test_ecdsa_s2c_sign_verify(); - test_ecdsa_anti_klepto_signer_commit(); - test_ecdsa_anti_klepto(); + test_ecdsa_anti_exfil_signer_commit(); + test_ecdsa_anti_exfil(); } #endif /* SECP256K1_MODULE_ECDSA_S2C_TESTS_H */ diff --git a/src/valgrind_ctime_test.c b/src/valgrind_ctime_test.c index 9750d185..4dba9b03 100644 --- a/src/valgrind_ctime_test.c +++ b/src/valgrind_ctime_test.c @@ -169,13 +169,13 @@ int main(void) { CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32); - ret = secp256k1_ecdsa_anti_klepto_host_commit(ctx, s2c_data_comm, s2c_data); + ret = secp256k1_ecdsa_anti_exfil_host_commit(ctx, s2c_data_comm, s2c_data); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32); - ret = secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, msg, key, s2c_data); + ret = secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, key, s2c_data); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); }