frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make secp256k1_ecmult_const handle infinity

Browse Source 
Infinity isn't currently needed here, but correctly handling it is a
little more safe against future changes.

Update docs for it to make it clear that it is not constant time in A
(the input point). It never was constant time in Q (and would be a little
complicated to make constant time in A).

If it was later made constant time in A, infinity support would be easy
to preserve, e.g. by running it on a dummy value and cmoving infinity into
the output.
This commit is contained in:
Gregory Maxwell 2020-08-08 03:52:34 +00:00 committed by Pieter Wuille
parent 24c768ae09
commit a0e696fd4d
3 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ecmult_const.h
View File

@ -11,8 +11,7 @@
#include "group.h"
/**
* Multiply: R = q*A (in constant-time)
* A must not be infinity.
* Multiply: R = q*A (in constant-time for q)
*/
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q);

5
src/ecmult_const_impl.h
View File

@ -144,6 +144,11 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
int i;
if (secp256k1_ge_is_infinity(a)) {
secp256k1_gej_set_infinity(r);
return;
}
/* build wnaf representation for q. */
/* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */
secp256k1_scalar_split_lambda(&q_1, &q_lam, scalar);

4
src/tests_exhaustive.c
View File

@ -193,7 +193,7 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge
}
for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
int ret;
secp256k1_gej tmp;
secp256k1_fe xn, xd, tmpf;
@ -207,7 +207,7 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge
secp256k1_ecmult_const(&tmp, &group[i], &ng);
ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp);
if (j != 0) {
if (i != 0 && j != 0) {
/* Test secp256k1_ecmult_const_xonly with all curve X coordinates, and xd=NULL. */
ret = secp256k1_ecmult_const_xonly(&tmpf, &group[i].x, NULL, &ng, 0);
CHECK(ret);