Gregory Maxwell
d2275795ff
Add scalar blinding and a secp256k1_context_randomize() call.
This computes (n-b)G + bG with random value b, in place of nG in
ecmult_gen() for signing.
This is intended to reduce exposure to potential power/EMI sidechannels
during signing and pubkey generation by blinding the secret value with
another value which is hopefully unknown to the attacker.
It may not be very helpful if the attacker is able to observe the setup
or if even the scalar addition has an unacceptable leak, but it has low
overhead in any case and the security should be purely additive on top
of the existing defenses against sidechannels.
2015-04-22 19:25:16 +00:00
Pieter Wuille
443cd4b8ee
Get rid of hex format and some binary conversions
2015-02-23 04:37:21 -08:00
Pieter Wuille
55422b6aaf
Switch ecmult_gen to use storage types
2015-01-25 00:46:31 -04:00
Pieter Wuille
e68d7208ec
Add group element storage type
2015-01-25 00:31:56 -04:00
Pieter Wuille
0768bd55a1
Get rid of variable-length hex string conversions
2015-01-24 21:52:48 -04:00
Gregory Maxwell
3627437d80
C89 nits and dead code removal.
2015-01-23 04:17:12 +00:00
Pieter Wuille
4732d26069
Convert the field/group/ecdsa constant initialization to static consts
2015-01-22 22:44:52 -05:00
Pieter Wuille
0295f0a33d
weak normalization
2014-12-20 14:38:07 +01:00
Pieter Wuille
ce7eb6fb3d
Optimize verification: avoid field inverse
Suggested by Greg Maxwell.
2014-12-16 22:38:17 +01:00
Pieter Wuille
39bd94d86d
Variable time normalize
2014-12-06 18:18:28 +01:00
Pieter Wuille
efb7d4b299
Use constant-time conditional moves instead of byte slicing
2014-12-03 02:41:55 +01:00
Pieter Wuille
659b554d7b
Make constant initializers independent from num
2014-12-01 12:38:38 +01:00
Pieter Wuille
4285a98722
Move lambda-splitting code to scalar.
It's not really an operation on group elements.
2014-11-30 23:38:01 +01:00
Gregory Maxwell
71712b27e5
Switch to C89 comments in prep for making the whole codebase C89 compatible.
This should be whitespace/comment only changes and should produce the same
object code.
2014-11-15 07:33:07 -08:00
Gregory Maxwell
a4a43d7543
Reorder static to comply with C99 and switch to the inline macro.
2014-11-12 13:07:55 -08:00
Pieter Wuille
9338dbf791
Branch-free point addition
2014-11-11 14:28:22 -08:00
Pieter Wuille
da55986fdf
Label variable-time functions correctly and don't use those in sign
2014-11-04 02:50:06 -08:00
Gregory Maxwell
2f6c801911
Try to not leave secret data on the stack or heap.
This makes a basic effort and has not been audited.
Doesn't appear to have a measurable performance impact on bench.
It also adds a secp256k1_num_free to secp256k1_ecdsa_pubkey_create.
2014-08-14 07:06:36 -07:00
Peter Dettman
f16be77ffc
Use batch inversion in G precomputation
2014-07-17 15:33:00 +07:00
Pieter Wuille
4d79bebdff
Do not free endomorphism constants when disabled
2014-06-15 23:31:17 +02:00
Peter Dettman
09ca4f32e2
secp256k1_fe_sqrt checks for success
- secp256k1_fe_sqrt now checks that the value it calculated is actually a square root.
- Add return values to secp256k1_fe_sqrt and secp256k1_ge_set_xo.
- Callers of secp256k1_ge_set_xo can use the return value instead of explicit validity checks.
- Add random value tests for secp256k1_fe_sqrt.
2014-05-21 10:22:14 +07:00
Pieter Wuille
399c03f227
Make endomorphism optimization optional
2013-12-01 21:06:20 +01:00
Pieter Wuille
d0b33489f2
Break malleability by producing S <= order/2
2013-09-19 00:58:42 +02:00
Pieter Wuille
0a433ea23c
MIT License
2013-05-09 15:24:32 +02:00
Pieter Wuille
764332d05d
Make pubkeys, set_xo, ... ge instead of gej
2013-05-05 01:18:23 +02:00
Pieter Wuille
f491cd35df
Make constants constant
2013-04-30 15:57:40 +02:00
Pieter Wuille
7fef66199e
Some group.h comments
2013-04-03 00:58:51 +02:00
Pieter Wuille
eb0be8eec6
Final step in converting to C
2013-04-01 07:52:58 +02:00
Pieter Wuille
f11ff5be70
Third step in converting to C: group
2013-03-31 17:02:52 +02:00
Pieter Wuille
254327e49a
Begin group C interface + start/stop
2013-03-31 06:36:03 +02:00
Pieter Wuille
2d93809255
Source tree reorganization
2013-03-31 05:03:27 +02:00