Gregory Maxwell
d2275795ff
Add scalar blinding and a secp256k1_context_randomize() call.
This computes (n-b)G + bG with random value b, in place of nG in
ecmult_gen() for signing.
This is intended to reduce exposure to potential power/EMI sidechannels
during signing and pubkey generation by blinding the secret value with
another value which is hopefully unknown to the attacker.
It may not be very helpful if the attacker is able to observe the setup
or if even the scalar addition has an unacceptable leak, but it has low
overhead in any case and the security should be purely additive on top
of the existing defenses against sidechannels.
2015-04-22 19:25:16 +00:00
Gregory Maxwell
9c4fb23dd9
Add a secp256k1_fe_cmov unit test.
(Also add my name to the top of tests.c: I wrote a bunch of that
and update the copyright dates)
2015-04-22 19:10:17 +00:00
Andrew Poelstra
5c2a4fad1c
Fix memory leak in context unit test
Before fix, `valgrind ./tests 1` outputs
==21959== in use at exit: 2,228,288 bytes in 8 blocks
after:
==23974== in use at exit: 0 bytes in 0 blocks
2015-04-16 15:56:04 -05:00
Andrew Poelstra
d899b5b67c
Expose ability to deep-copy a context
2015-04-11 22:16:03 -05:00
Pieter Wuille
a9b6595ef8
[API BREAK] Introduce explicit contexts
2015-04-11 01:01:10 -07:00
Gregory Maxwell
c01df1adc9
Avoid some implicit type conversions to make C++ compilers happy.
2015-03-28 02:20:36 +00:00
Gregory Maxwell
2632019713
Brace all the if/for/while.
Unbraced statements spanning multiple lines have been shown in many
projects to contribute to the introduction of bugs and a failure
to catch them in review, especially for maintenance on infrequently
modified code.
Most, but not all, of the existing practices in the codebase were not
cases that I would have expected to eventually result in bugs but
applying it as a rule makes it easier for other people to safely
contribute.
I'm not aware of any such evidence for the case with the statement
on a single line, but some people strongly prefer to never do that
and the opposite rule of "_always_ use a single line for single
statement blocks" isn't a reasonable rule for formatting reasons.
Might as well brace all these too, since that's more universally
acceptable.
[In any case, I seem to have introduced the vast majority of the
single-line form (as they're my preference where they fit).]
This also removes a broken test which is no longer needed.
2015-03-27 23:24:32 +00:00
Gregory Maxwell
efc571ceea
Add simple testcases for signing with rfc6979 extra entropy.
2015-03-27 13:46:02 -07:00
Pieter Wuille
1573a102c0
Add ability to pass extra entropy to rfc6979
Suggested by Greg Maxwell.
2015-03-23 05:39:56 -07:00
Pieter Wuille
3b7ea633fb
Merge pull request #221
443cd4b Get rid of hex format and some binary conversions (Pieter Wuille)
2015-03-02 02:45:32 -08:00
Pieter Wuille
8956111802
use 128-bit hex seed
2015-02-23 07:32:37 -08:00
Pieter Wuille
443cd4b8ee
Get rid of hex format and some binary conversions
2015-02-23 04:37:21 -08:00
Pieter Wuille
8030d7c0e5
Improve signing API documentation & specification
2015-02-14 15:38:27 -08:00
Gregory Maxwell
f735446c4d
Convert the rest of the codebase to C89.
Update build system to enforce -std=c89 -pedantic.
2015-01-25 17:44:10 +00:00
Gregory Maxwell
bf2e1ac7cd
Convert tests to C89. (also fixes a use of bare "inline" in field)
2015-01-25 15:47:04 +00:00
Pieter Wuille
fcc48c4561
Remove the non-storage cmov
2015-01-25 00:56:22 -04:00
Pieter Wuille
ff889f7d90
Field storage type
2015-01-25 00:11:20 -04:00
Pieter Wuille
0768bd55a1
Get rid of variable-length hex string conversions
2015-01-24 21:52:48 -04:00
Pieter Wuille
4732d26069
Convert the field/group/ecdsa constant initialization to static consts
2015-01-22 22:44:52 -05:00
Pieter Wuille
f1ebfe399f
Convert the scalar constant initialization to static consts
2015-01-22 22:44:48 -05:00
Gregory Maxwell
941e221f66
Add tests for handling of the nonce function in signing.
2015-01-04 17:28:39 -08:00
Pieter Wuille
9ab93355f2
Add a reference consistency test to ge_tests.
This adds all points used in the test together in random order, which
should result in infinity.
Suggested by Greg Maxwell.
2014-12-29 17:21:39 +01:00
Pieter Wuille
60571c6e45
Rework group tests
2014-12-29 15:38:17 +01:00
Pieter Wuille
b450c34843
Merge pull request #163
bbd5ba7 Use rfc6979 as default nonce generation function (Pieter Wuille)
b37fbc2 Implement SHA256 / HMAC-SHA256 / RFC6979. (Pieter Wuille)
c6e7f4e [API BREAK] Use a nonce-generation function instead of a nonce (Pieter Wuille)
2014-12-23 14:40:47 +01:00
Pieter Wuille
d7174edf5f
Weak normalization for secp256k1_fe_equal
2014-12-20 14:38:20 +01:00
Pieter Wuille
bbd5ba7cfa
Use rfc6979 as default nonce generation function
2014-12-20 14:36:13 +01:00
Pieter Wuille
b37fbc280e
Implement SHA256 / HMAC-SHA256 / RFC6979.
2014-12-20 14:36:13 +01:00
Pieter Wuille
c6e7f4e8d8
[API BREAK] Use a nonce-generation function instead of a nonce
2014-12-20 14:36:11 +01:00
Pieter Wuille
603c33bc80
Make signing fail if a too small buffer is passed.
Bug discovered by Sergio Demian Lerner.
2014-12-18 01:28:06 +01:00
Pieter Wuille
cf7b2b4647
Fix ECDSA message hashes to 32 bytes
2014-12-09 12:50:47 +01:00
Pieter Wuille
ee1eaa792d
Merge pull request #141
7c6fed2 Add a few more additional tests. (Gregory Maxwell)
8d11164 Add some additional tests. (Gregory Maxwell)
2014-12-09 01:38:01 +01:00
Gregory Maxwell
7c6fed2857
Add a few more additional tests.
2014-12-08 14:15:09 -08:00
Pavel Janík
e06a9244bf
Include time.h header for time().
2014-12-08 20:48:58 +01:00
Gregory Maxwell
8d11164bc0
Add some additional tests.
2014-12-08 09:13:35 -08:00
Pieter Wuille
6a9901e15b
Merge pull request #137
39bd94d Variable time normalize (Pieter Wuille)
2014-12-07 14:35:23 +01:00
Pieter Wuille
39bd94d86d
Variable time normalize
2014-12-06 18:18:28 +01:00
Pieter Wuille
2b9388b647
Remove unused secp256k1_fe_inv_all
2014-12-05 18:13:51 +01:00
Pieter Wuille
b0210a95da
Merge pull request #135
ee3eb4b Fix a memory leak and add a number of small tests. (Gregory Maxwell)
2014-12-04 19:16:09 +01:00
Gregory Maxwell
ee3eb4be9e
Fix a memory leak and add a number of small tests.
This fixes a simple copy and paste induced memory leak for the ecdsa init.
The tests are mostly just improving coverage and aren't interesting.
2014-12-04 07:17:08 -08:00
Pieter Wuille
4d879a3a66
Merge pull request #134
29ae131 Make scalar_add_bit test's overflow detection exact (Pieter Wuille)
2014-12-04 12:21:06 +01:00
Pieter Wuille
29ae1310ce
Make scalar_add_bit test's overflow detection exact
2014-12-03 18:54:01 +01:00
Pieter Wuille
ff8746d457
Add secp256k1_scalar_mul_shift_var
2014-12-02 16:50:00 +01:00
Pieter Wuille
bd313f7d6e
Merge pull request #119
597128d Make num optional (Pieter Wuille)
659b554 Make constant initializers independent from num (Pieter Wuille)
2014-12-02 16:42:50 +01:00
Pieter Wuille
24b3c65e0d
Add a test case for ECDSA recomputing infinity
2014-12-01 14:45:05 +01:00
Pieter Wuille
32600e5086
Add a test for r >= order signature handling
Suggested by Greg Maxwell.
2014-12-01 14:23:09 +01:00
Pieter Wuille
597128d389
Make num optional
2014-12-01 12:38:38 +01:00
Pieter Wuille
659b554d7b
Make constant initializers independent from num
2014-12-01 12:38:38 +01:00
Pieter Wuille
c76be9efa0
Remove unused num functions
2014-11-30 23:38:01 +01:00
Pieter Wuille
f24041d6aa
Switch all EC/ECDSA logic from num to scalar
2014-11-30 23:38:01 +01:00
Pieter Wuille
b5c9ee756f
Make test_point_times_order test meaningful again
As wnaf splitting is scalar based, multiplying with the order directly
would be reduced to multiplication with zero before even converting to
wnaf.
2014-11-30 23:38:01 +01:00