frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #124 from apoelstra/2021-02--rename-klepto

Browse Source 
ecdsa_s2c: rename anti-klepto to anti-exfil
This commit is contained in:
Andrew Poelstra 2021-02-10 19:06:07 +00:00 committed by GitHub
commit 6da00ec624
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 68 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
include/secp256k1_ecdsa_s2c.h
View File

@ -4,7 +4,7 @@
#include "secp256k1.h"
/** This module implements the sign-to-contract scheme for ECDSA signatures, as
* well as the "ECDSA Anti-Klepto Protocol" that is based on sign-to-contract
* well as the "ECDSA Anti-Exfil Protocol" that is based on sign-to-contract
* and is specified further down. The sign-to-contract scheme allows creating a
* signature that also commits to some data. This works by offsetting the public
* nonce point of the signature R by hash(R, data)*G where G is the secp256k1
@ -97,9 +97,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
/** ECDSA Anti-Klepto Protocol
/** ECDSA Anti-Exfil Protocol
*
* The ecdsa_anti_klepto_* functions can be used to prevent a signing device from
* The ecdsa_anti_exfil_* functions can be used to prevent a signing device from
* exfiltrating the secret signing keys through biased signature nonces. The general
* idea is that a host provides additional randomness to the signing device client
* and the client commits to the randomness in the nonce using sign-to-contract.
@ -113,9 +113,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit
* keys, or the signing device to bias the nonce despite the host's contributions,
* the host and client must engage in a commit-reveal protocol as follows:
* 1. The host draws randomness `rho` and computes a sha256 commitment to it using
* `secp256k1_ecdsa_anti_klepto_host_commit`. It sends this to the signing device.
* `secp256k1_ecdsa_anti_exfil_host_commit`. It sends this to the signing device.
* 2. The signing device computes a public nonce `R` using the host's commitment
* as auxiliary randomness, using `secp256k1_ecdsa_anti_klepto_signer_commit`.
* as auxiliary randomness, using `secp256k1_ecdsa_anti_exfil_signer_commit`.
* The signing device sends the resulting `R` to the host as a s2c_opening.
*
* If, at any point from this step onward, the hardware device fails, it is
@ -135,10 +135,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit
* EVER, they should change hardware vendors and perhaps sweep their coins.
*
* 3. The host replies with `rho` generated in step 1.
* 4. The device signs with `secp256k1_anti_klepto_sign`, using `rho` as `host_data32`,
* 4. The device signs with `secp256k1_anti_exfil_sign`, using `rho` as `host_data32`,
* and sends the signature to the host.
* 5. The host verifies that the signature's public nonce matches the opening from
* step 2 and its original randomness `rho`, using `secp256k1_anti_klepto_host_verify`.
* step 2 and its original randomness `rho`, using `secp256k1_anti_exfil_host_verify`.
*
* Rationale:
* - The reason for having a host commitment is to allow the signing device to
@ -154,7 +154,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit
* maintain any state about the progress of the protocol.
*/
/** Create the initial host commitment to `rho`. Part of the ECDSA Anti-Klepto Protocol.
/** Create the initial host commitment to `rho`. Part of the ECDSA Anti-Exfil Protocol.
*
* Returns 1 on success, 0 on failure.
* Args: ctx: pointer to a context object (cannot be NULL)
@ -164,13 +164,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit
* be revealed to the client until after the host has received the client
* commitment.
*/
SECP256K1_API int secp256k1_ecdsa_anti_klepto_host_commit(
SECP256K1_API int secp256k1_ecdsa_anti_exfil_host_commit(
const secp256k1_context* ctx,
unsigned char* rand_commitment32,
const unsigned char* rand32
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
/** Compute signer's original nonce. Part of the ECDSA Anti-Klepto Protocol.
/** Compute signer's original nonce. Part of the ECDSA Anti-Exfil Protocol.
*
* Returns 1 on success, 0 on failure.
* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
@ -180,7 +180,7 @@ SECP256K1_API int secp256k1_ecdsa_anti_klepto_host_commit(
* seckey32: the 32-byte secret key used for signing (cannot be NULL)
* rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL)
*/
SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit(
SECP256K1_API int secp256k1_ecdsa_anti_exfil_signer_commit(
const secp256k1_context* ctx,
secp256k1_ecdsa_s2c_opening* s2c_opening,
const unsigned char* msg32,
@ -189,7 +189,7 @@ SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit(
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
/** Same as secp256k1_ecdsa_sign, but commits to host randomness in the nonce. Part of the
* ECDSA Anti-Klepto Protocol.
* ECDSA Anti-Exfil Protocol.
*
* Returns: 1: signature created
* 0: the nonce generation function failed, or the private key was invalid.
@ -199,7 +199,7 @@ SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit(
* seckey: pointer to a 32-byte secret key (cannot be NULL)
* host_data32: pointer to 32-byte host-provided randomness (cannot be NULL)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign(
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_exfil_sign(
const secp256k1_context* ctx,
secp256k1_ecdsa_signature* sig,
const unsigned char* msg32,
@ -207,7 +207,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign(
const unsigned char* host_data32
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
/** Verify a signature was correctly constructed using the ECDSA Anti-Klepto Protocol.
/** Verify a signature was correctly constructed using the ECDSA Anti-Exfil Protocol.
*
* Returns: 1: the signature is valid and contains a commitment to host_data32
* 0: incorrect opening
@ -218,7 +218,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign(
* host_data32: the 32-byte data provided by the host (cannot be NULL)
* opening: the s2c opening provided by the signer (cannot be NULL)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_host_verify(
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_exfil_host_verify(
const secp256k1_context* ctx,
const secp256k1_ecdsa_signature *sig,
const unsigned char *msg32,

14
src/modules/ecdsa_s2c/main_impl.h
View File

@ -82,7 +82,7 @@ int secp256k1_ecdsa_s2c_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signa
/* Provide `s2c_data32` to the nonce function as additional data to
* derive the nonce. It is first hashed because it should be possible
* to derive nonces even if only a SHA256 commitment to the data is
* known. This is important in the ECDSA anti-klepto protocol. */
* known. This is important in the ECDSA anti-exfil protocol. */
secp256k1_s2c_ecdsa_data_sha256_tagged(&s2c_sha);
secp256k1_sha256_write(&s2c_sha, s2c_data32, 32);
secp256k1_sha256_finalize(&s2c_sha, ndata);
@ -130,15 +130,15 @@ int secp256k1_ecdsa_s2c_verify_commit(const secp256k1_context* ctx, const secp25
/* Do not check overflow; overflowing a scalar does not affect whether
* or not the R value is a cryptographic commitment, only whether it
* is a valid R value for an ECDSA signature. If users care about that
* they should use `ecdsa_verify` or `anti_klepto_host_verify`. In other
* they should use `ecdsa_verify` or `anti_exfil_host_verify`. In other
* words, this check would be (at best) unnecessary, and (at worst)
* insufficient. */
secp256k1_scalar_set_b32(&x_scalar, x_bytes, NULL);
return secp256k1_scalar_eq(&sigr, &x_scalar);
}
/*** anti-klepto ***/
int secp256k1_ecdsa_anti_klepto_host_commit(const secp256k1_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) {
/*** anti-exfil ***/
int secp256k1_ecdsa_anti_exfil_host_commit(const secp256k1_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) {
secp256k1_sha256 sha;
VERIFY_CHECK(ctx != NULL);
@ -151,7 +151,7 @@ int secp256k1_ecdsa_anti_klepto_host_commit(const secp256k1_context* ctx, unsign
return 1;
}
int secp256k1_ecdsa_anti_klepto_signer_commit(const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) {
int secp256k1_ecdsa_anti_exfil_signer_commit(const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) {
unsigned char nonce32[32];
secp256k1_scalar k;
secp256k1_gej rj;
@ -186,11 +186,11 @@ int secp256k1_ecdsa_anti_klepto_signer_commit(const secp256k1_context* ctx, secp
return 1;
}
int secp256k1_anti_klepto_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) {
int secp256k1_anti_exfil_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) {
return secp256k1_ecdsa_s2c_sign(ctx, sig, NULL, msg32, seckey, host_data32);
}
int secp256k1_anti_klepto_host_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey, const unsigned char *host_data32, const secp256k1_ecdsa_s2c_opening *opening) {
int secp256k1_anti_exfil_host_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey, const unsigned char *host_data32, const secp256k1_ecdsa_s2c_opening *opening) {
return secp256k1_ecdsa_s2c_verify_commit(ctx, sig, host_data32, opening) &&
secp256k1_ecdsa_verify(ctx, sig, msg32, pubkey);
}

88
src/modules/ecdsa_s2c/tests_impl.h
View File

@ -150,63 +150,63 @@ static void test_ecdsa_s2c_api(void) {
CHECK(secp256k1_ecdsa_s2c_sign(sign, &sig, NULL, msg, sec, s2c_data) == 1);
CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1);
/* anti-klepto */
/* anti-exfil */
ecount = 0;
CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, NULL, hostrand) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_host_commit(none, NULL, hostrand) == 0);
CHECK(ecount == 1);
CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, hostrand_commitment, NULL) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, NULL) == 0);
CHECK(ecount == 2);
CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, hostrand_commitment, hostrand) == 1);
CHECK(secp256k1_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, hostrand) == 1);
CHECK(ecount == 2);
ecount = 0;
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0);
CHECK(ecount == 1);
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0);
CHECK(ecount == 2);
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0);
CHECK(ecount == 3);
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0);
CHECK(ecount == 4);
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0);
CHECK(ecount == 5);
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0);
CHECK(ecount == 6);
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1);
CHECK(ecount == 6);
ecount = 0;
CHECK(secp256k1_anti_klepto_sign(both, NULL, msg, sec, hostrand) == 0);
CHECK(secp256k1_anti_exfil_sign(both, NULL, msg, sec, hostrand) == 0);
CHECK(ecount == 1);
CHECK(secp256k1_anti_klepto_sign(both, &sig, NULL, sec, hostrand) == 0);
CHECK(secp256k1_anti_exfil_sign(both, &sig, NULL, sec, hostrand) == 0);
CHECK(ecount == 2);
CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, NULL, hostrand) == 0);
CHECK(secp256k1_anti_exfil_sign(both, &sig, msg, NULL, hostrand) == 0);
CHECK(ecount == 3);
CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, sec, NULL) == 0);
CHECK(secp256k1_anti_exfil_sign(both, &sig, msg, sec, NULL) == 0);
CHECK(ecount == 4);
CHECK(secp256k1_anti_klepto_sign(none, &sig, msg, sec, hostrand) == 0);
CHECK(secp256k1_anti_exfil_sign(none, &sig, msg, sec, hostrand) == 0);
CHECK(ecount == 5);
CHECK(secp256k1_anti_klepto_sign(vrfy, &sig, msg, sec, hostrand) == 0);
CHECK(secp256k1_anti_exfil_sign(vrfy, &sig, msg, sec, hostrand) == 0);
CHECK(ecount == 6);
CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, sec, hostrand) == 1);
CHECK(secp256k1_anti_exfil_sign(both, &sig, msg, sec, hostrand) == 1);
CHECK(ecount == 6);
ecount = 0;
CHECK(secp256k1_anti_klepto_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0);
CHECK(ecount == 1);
CHECK(secp256k1_anti_klepto_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0);
CHECK(ecount == 2);
CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0);
CHECK(ecount == 3);
CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0);
CHECK(ecount == 4);
CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0);
CHECK(secp256k1_anti_exfil_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0);
CHECK(ecount == 5);
CHECK(secp256k1_anti_klepto_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0);
CHECK(ecount == 6);
CHECK(secp256k1_anti_klepto_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0);
CHECK(ecount == 7);
CHECK(secp256k1_anti_klepto_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1);
CHECK(secp256k1_anti_exfil_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1);
CHECK(ecount == 7);
secp256k1_context_destroy(both);
@ -221,8 +221,8 @@ typedef struct {
unsigned char s2c_data[32];
/* Original nonce */
unsigned char expected_s2c_opening[33];
/* Original nonce (anti-klepto protocol, which mixes in host randomness) */
unsigned char expected_s2c_klepto_opening[33];
/* Original nonce (anti-exfil protocol, which mixes in host randomness) */
unsigned char expected_s2c_exfil_opening[33];
} ecdsa_s2c_test;
static ecdsa_s2c_test ecdsa_s2c_tests[] = {
@ -315,7 +315,7 @@ static void test_ecdsa_s2c_sign_verify(void) {
}
}
static void test_ecdsa_anti_klepto_signer_commit(void) {
static void test_ecdsa_anti_exfil_signer_commit(void) {
size_t i;
unsigned char privkey[32] = {
0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
@ -330,14 +330,14 @@ static void test_ecdsa_anti_klepto_signer_commit(void) {
secp256k1_ecdsa_s2c_opening s2c_opening;
unsigned char buf[33];
const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1);
CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1);
CHECK(memcmp(test->expected_s2c_klepto_opening, buf, sizeof(buf)) == 0);
CHECK(memcmp(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0);
}
}
/* This tests the full ECDSA Anti-Klepto Protocol */
static void test_ecdsa_anti_klepto(void) {
/* This tests the full ECDSA Anti-Exfil Protocol */
static void test_ecdsa_anti_exfil(void) {
unsigned char signer_privkey[32];
unsigned char host_msg[32];
unsigned char host_commitment[32];
@ -357,14 +357,14 @@ static void test_ecdsa_anti_klepto(void) {
}
/* Protocol step 1. */
CHECK(secp256k1_ecdsa_anti_klepto_host_commit(ctx, host_commitment, host_nonce_contribution) == 1);
CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, host_commitment, host_nonce_contribution) == 1);
/* Protocol step 2. */
CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1);
CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1);
/* Protocol step 3: host_nonce_contribution send to signer to be used in step 4. */
/* Protocol step 4. */
CHECK(secp256k1_anti_klepto_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1);
CHECK(secp256k1_anti_exfil_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1);
/* Protocol step 5. */
CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
/* Protocol step 5 (explicitly) */
CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1);
CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
@ -378,7 +378,7 @@ static void test_ecdsa_anti_klepto(void) {
sigbytes[i] += 1;
CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0);
CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
/* revert */
sigbytes[i] -= 1;
}
@ -387,8 +387,8 @@ static void test_ecdsa_anti_klepto(void) {
{ /* host_verify: message does not match */
unsigned char bad_msg[32];
secp256k1_testrand256_test(bad_msg);
CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
}
{ /* s2c_sign: host provided data that didn't match commitment */
secp256k1_ecdsa_s2c_opening orig_opening = s2c_opening;
@ -396,8 +396,8 @@ static void test_ecdsa_anti_klepto(void) {
CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1);
/* good signature but the opening (original public nonce does not match the original */
CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1);
CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1);
CHECK(memcmp(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0);
}
}
@ -409,8 +409,8 @@ static void run_ecdsa_s2c_tests(void) {
test_ecdsa_s2c_fixed_vectors();
test_ecdsa_s2c_sign_verify();
test_ecdsa_anti_klepto_signer_commit();
test_ecdsa_anti_klepto();
test_ecdsa_anti_exfil_signer_commit();
test_ecdsa_anti_exfil();
}
#endif /* SECP256K1_MODULE_ECDSA_S2C_TESTS_H */

4
src/valgrind_ctime_test.c
View File

@ -169,13 +169,13 @@ int main(void) {
CHECK(ret == 1);
VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32);
ret = secp256k1_ecdsa_anti_klepto_host_commit(ctx, s2c_data_comm, s2c_data);
ret = secp256k1_ecdsa_anti_exfil_host_commit(ctx, s2c_data_comm, s2c_data);
VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
CHECK(ret == 1);
VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32);
ret = secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, msg, key, s2c_data);
ret = secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, key, s2c_data);
VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
CHECK(ret == 1);
}