mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-01-14 13:52:36 -03:00
Merge pull request #94
da55986 Label variable-time functions correctly and don't use those in sign (Pieter Wuille)This commit is contained in:
Pieter Wuille
commit
0ce80ef47e
5 changed files with 56 additions and 41 deletions
|
|
@ -70,7 +70,7 @@ int static secp256k1_ecdsa_sig_recompute(secp256k1_num_t *r2, const secp256k1_ec
|
|||
secp256k1_gej_t pubkeyj; secp256k1_gej_set_ge(&pubkeyj, pubkey);
|
||||
secp256k1_gej_t pr; secp256k1_ecmult(&pr, &pubkeyj, &u2, &u1);
|
||||
if (!secp256k1_gej_is_infinity(&pr)) {
|
||||
secp256k1_fe_t xr; secp256k1_gej_get_x(&xr, &pr);
|
||||
secp256k1_fe_t xr; secp256k1_gej_get_x_var(&xr, &pr);
|
||||
secp256k1_fe_normalize(&xr);
|
||||
unsigned char xrb[32]; secp256k1_fe_get_b32(xrb, &xr);
|
||||
secp256k1_num_set_bin(r2, xrb, 32);
|
||||
|
|
@ -121,7 +121,7 @@ int static secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256
|
|||
secp256k1_num_mod_mul(&u2, &rn, &sig->s, &c->order);
|
||||
secp256k1_gej_t qj;
|
||||
secp256k1_ecmult(&qj, &xj, &u2, &u1);
|
||||
secp256k1_ge_set_gej(pubkey, &qj);
|
||||
secp256k1_ge_set_gej_var(pubkey, &qj);
|
||||
secp256k1_num_free(&rn);
|
||||
secp256k1_num_free(&u1);
|
||||
secp256k1_num_free(&u2);
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ static void secp256k1_ecmult_gen_start(void) {
|
|||
VERIFY_CHECK(secp256k1_ge_set_xo(&nums_ge, &nums_x, 0));
|
||||
secp256k1_gej_set_ge(&nums_gej, &nums_ge);
|
||||
// Add G to make the bits in x uniformly distributed.
|
||||
secp256k1_gej_add_ge(&nums_gej, &nums_gej, g);
|
||||
secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, g);
|
||||
}
|
||||
|
||||
// compute prec.
|
||||
|
|
@ -63,21 +63,21 @@ static void secp256k1_ecmult_gen_start(void) {
|
|||
// Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase).
|
||||
precj[j*16] = numsbase;
|
||||
for (int i=1; i<16; i++) {
|
||||
secp256k1_gej_add(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase);
|
||||
secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase);
|
||||
}
|
||||
// Multiply gbase by 16.
|
||||
for (int i=0; i<4; i++) {
|
||||
secp256k1_gej_double(&gbase, &gbase);
|
||||
secp256k1_gej_double_var(&gbase, &gbase);
|
||||
}
|
||||
// Multiply numbase by 2.
|
||||
secp256k1_gej_double(&numsbase, &numsbase);
|
||||
secp256k1_gej_double_var(&numsbase, &numsbase);
|
||||
if (j == 62) {
|
||||
// In the last iteration, numsbase is (1 - 2^j) * nums instead.
|
||||
secp256k1_gej_neg(&numsbase, &numsbase);
|
||||
secp256k1_gej_add(&numsbase, &numsbase, &nums_gej);
|
||||
secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej);
|
||||
}
|
||||
}
|
||||
secp256k1_ge_set_all_gej(1024, prec, precj);
|
||||
secp256k1_ge_set_all_gej_var(1024, prec, precj);
|
||||
}
|
||||
for (int j=0; j<64; j++) {
|
||||
for (int i=0; i<16; i++) {
|
||||
|
|
@ -109,7 +109,10 @@ void static secp256k1_ecmult_gen(secp256k1_gej_t *r, const secp256k1_scalar_t *g
|
|||
bits = secp256k1_scalar_get_bits(gn, j * 4, 4);
|
||||
for (int k=0; k<sizeof(secp256k1_ge_t); k++)
|
||||
((unsigned char*)(&add))[k] = c->prec[j][k][bits];
|
||||
secp256k1_gej_add_ge(r, r, &add);
|
||||
// Note that the next line uses a variable-time addition function, which
|
||||
// is fine, as the inputs are blinded (they have no known corresponding
|
||||
// private key).
|
||||
secp256k1_gej_add_ge_var(r, r, &add);
|
||||
}
|
||||
bits = 0;
|
||||
secp256k1_ge_clear(&add);
|
||||
|
|
|
|||
|
|
@ -29,22 +29,22 @@
|
|||
* To compute a*P + b*G, we use the jacobian version for P, and the affine version for G, as
|
||||
* G is constant, so it only needs to be done once in advance.
|
||||
*/
|
||||
void static secp256k1_ecmult_table_precomp_gej(secp256k1_gej_t *pre, const secp256k1_gej_t *a, int w) {
|
||||
void static secp256k1_ecmult_table_precomp_gej_var(secp256k1_gej_t *pre, const secp256k1_gej_t *a, int w) {
|
||||
pre[0] = *a;
|
||||
secp256k1_gej_t d; secp256k1_gej_double(&d, &pre[0]);
|
||||
secp256k1_gej_t d; secp256k1_gej_double_var(&d, &pre[0]);
|
||||
for (int i=1; i<(1 << (w-2)); i++)
|
||||
secp256k1_gej_add(&pre[i], &d, &pre[i-1]);
|
||||
secp256k1_gej_add_var(&pre[i], &d, &pre[i-1]);
|
||||
}
|
||||
|
||||
void static secp256k1_ecmult_table_precomp_ge(secp256k1_ge_t *pre, const secp256k1_gej_t *a, int w) {
|
||||
void static secp256k1_ecmult_table_precomp_ge_var(secp256k1_ge_t *pre, const secp256k1_gej_t *a, int w) {
|
||||
const int table_size = 1 << (w-2);
|
||||
secp256k1_gej_t prej[table_size];
|
||||
prej[0] = *a;
|
||||
secp256k1_gej_t d; secp256k1_gej_double(&d, a);
|
||||
secp256k1_gej_t d; secp256k1_gej_double_var(&d, a);
|
||||
for (int i=1; i<table_size; i++) {
|
||||
secp256k1_gej_add(&prej[i], &d, &prej[i-1]);
|
||||
secp256k1_gej_add_var(&prej[i], &d, &prej[i-1]);
|
||||
}
|
||||
secp256k1_ge_set_all_gej(table_size, pre, prej);
|
||||
secp256k1_ge_set_all_gej_var(table_size, pre, prej);
|
||||
}
|
||||
|
||||
/** The number of entries a table with precomputed multiples needs to have. */
|
||||
|
|
@ -87,11 +87,11 @@ static void secp256k1_ecmult_start(void) {
|
|||
// calculate 2^128*generator
|
||||
secp256k1_gej_t g_128j = gj;
|
||||
for (int i=0; i<128; i++)
|
||||
secp256k1_gej_double(&g_128j, &g_128j);
|
||||
secp256k1_gej_double_var(&g_128j, &g_128j);
|
||||
|
||||
// precompute the tables with odd multiples
|
||||
secp256k1_ecmult_table_precomp_ge(ret->pre_g, &gj, WINDOW_G);
|
||||
secp256k1_ecmult_table_precomp_ge(ret->pre_g_128, &g_128j, WINDOW_G);
|
||||
secp256k1_ecmult_table_precomp_ge_var(ret->pre_g, &gj, WINDOW_G);
|
||||
secp256k1_ecmult_table_precomp_ge_var(ret->pre_g_128, &g_128j, WINDOW_G);
|
||||
|
||||
// Set the global pointer to the precomputation table.
|
||||
secp256k1_ecmult_consts = ret;
|
||||
|
|
@ -150,7 +150,7 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
|
|||
#ifdef USE_ENDOMORPHISM
|
||||
secp256k1_num_t na_1, na_lam;
|
||||
// split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit)
|
||||
secp256k1_gej_split_exp(&na_1, &na_lam, na);
|
||||
secp256k1_gej_split_exp_var(&na_1, &na_lam, na);
|
||||
|
||||
// build wnaf representation for na_1 and na_lam.
|
||||
int wnaf_na_1[129]; int bits_na_1 = secp256k1_ecmult_wnaf(wnaf_na_1, &na_1, WINDOW_A);
|
||||
|
|
@ -165,7 +165,7 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
|
|||
|
||||
// calculate odd multiples of a
|
||||
secp256k1_gej_t pre_a[ECMULT_TABLE_SIZE(WINDOW_A)];
|
||||
secp256k1_ecmult_table_precomp_gej(pre_a, a, WINDOW_A);
|
||||
secp256k1_ecmult_table_precomp_gej_var(pre_a, a, WINDOW_A);
|
||||
|
||||
#ifdef USE_ENDOMORPHISM
|
||||
secp256k1_gej_t pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)];
|
||||
|
|
@ -190,30 +190,30 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
|
|||
secp256k1_ge_t tmpa;
|
||||
|
||||
for (int i=bits-1; i>=0; i--) {
|
||||
secp256k1_gej_double(r, r);
|
||||
secp256k1_gej_double_var(r, r);
|
||||
int n;
|
||||
#ifdef USE_ENDOMORPHISM
|
||||
if (i < bits_na_1 && (n = wnaf_na_1[i])) {
|
||||
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a, n, WINDOW_A);
|
||||
secp256k1_gej_add(r, r, &tmpj);
|
||||
secp256k1_gej_add_var(r, r, &tmpj);
|
||||
}
|
||||
if (i < bits_na_lam && (n = wnaf_na_lam[i])) {
|
||||
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a_lam, n, WINDOW_A);
|
||||
secp256k1_gej_add(r, r, &tmpj);
|
||||
secp256k1_gej_add_var(r, r, &tmpj);
|
||||
}
|
||||
#else
|
||||
if (i < bits_na && (n = wnaf_na[i])) {
|
||||
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a, n, WINDOW_A);
|
||||
secp256k1_gej_add(r, r, &tmpj);
|
||||
secp256k1_gej_add_var(r, r, &tmpj);
|
||||
}
|
||||
#endif
|
||||
if (i < bits_ng_1 && (n = wnaf_ng_1[i])) {
|
||||
ECMULT_TABLE_GET_GE(&tmpa, c->pre_g, n, WINDOW_G);
|
||||
secp256k1_gej_add_ge(r, r, &tmpa);
|
||||
secp256k1_gej_add_ge_var(r, r, &tmpa);
|
||||
}
|
||||
if (i < bits_ng_128 && (n = wnaf_ng_128[i])) {
|
||||
ECMULT_TABLE_GET_GE(&tmpa, c->pre_g_128, n, WINDOW_G);
|
||||
secp256k1_gej_add_ge(r, r, &tmpa);
|
||||
secp256k1_gej_add_ge_var(r, r, &tmpa);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
12
src/group.h
12
src/group.h
|
|
@ -69,7 +69,7 @@ void static secp256k1_ge_get_hex(char *r, int *rlen, const secp256k1_ge_t *a);
|
|||
void static secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a);
|
||||
|
||||
/** Set a batch of group elements equal to the inputs given in jacobian coordinates */
|
||||
void static secp256k1_ge_set_all_gej(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]);
|
||||
void static secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]);
|
||||
|
||||
|
||||
/** Set a group element (jacobian) equal to the point at infinity. */
|
||||
|
|
@ -82,7 +82,7 @@ void static secp256k1_gej_set_xy(secp256k1_gej_t *r, const secp256k1_fe_t *x, co
|
|||
void static secp256k1_gej_set_ge(secp256k1_gej_t *r, const secp256k1_ge_t *a);
|
||||
|
||||
/** Get the X coordinate of a group element (jacobian). */
|
||||
void static secp256k1_gej_get_x(secp256k1_fe_t *r, const secp256k1_gej_t *a);
|
||||
void static secp256k1_gej_get_x_var(secp256k1_fe_t *r, const secp256k1_gej_t *a);
|
||||
|
||||
/** Set r equal to the inverse of a (i.e., mirrored around the X axis) */
|
||||
void static secp256k1_gej_neg(secp256k1_gej_t *r, const secp256k1_gej_t *a);
|
||||
|
|
@ -91,14 +91,14 @@ void static secp256k1_gej_neg(secp256k1_gej_t *r, const secp256k1_gej_t *a);
|
|||
int static secp256k1_gej_is_infinity(const secp256k1_gej_t *a);
|
||||
|
||||
/** Set r equal to the double of a. */
|
||||
void static secp256k1_gej_double(secp256k1_gej_t *r, const secp256k1_gej_t *a);
|
||||
void static secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a);
|
||||
|
||||
/** Set r equal to the sum of a and b. */
|
||||
void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b);
|
||||
void static secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b);
|
||||
|
||||
/** Set r equal to the sum of a and b (with b given in affine coordinates). This is more efficient
|
||||
than secp256k1_gej_add. */
|
||||
void static secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b);
|
||||
void static secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b);
|
||||
|
||||
/** Get a hex representation of a point. *rlen will be overwritten with the real length. */
|
||||
void static secp256k1_gej_get_hex(char *r, int *rlen, const secp256k1_gej_t *a);
|
||||
|
|
@ -109,7 +109,7 @@ void static secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *
|
|||
|
||||
/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (given that a is
|
||||
not more than 256 bits). */
|
||||
void static secp256k1_gej_split_exp(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a);
|
||||
void static secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a);
|
||||
#endif
|
||||
|
||||
/** Clear a secp256k1_gej_t to prevent leaking sensitive information. */
|
||||
|
|
|
|||
|
|
@ -55,6 +55,18 @@ void static secp256k1_ge_get_hex(char *r, int *rlen, const secp256k1_ge_t *a) {
|
|||
}
|
||||
|
||||
void static secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) {
|
||||
r->infinity = a->infinity;
|
||||
secp256k1_fe_inv(&a->z, &a->z);
|
||||
secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &a->z);
|
||||
secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &a->z, &z2);
|
||||
secp256k1_fe_mul(&a->x, &a->x, &z2);
|
||||
secp256k1_fe_mul(&a->y, &a->y, &z3);
|
||||
secp256k1_fe_set_int(&a->z, 1);
|
||||
r->x = a->x;
|
||||
r->y = a->y;
|
||||
}
|
||||
|
||||
void static secp256k1_ge_set_gej_var(secp256k1_ge_t *r, secp256k1_gej_t *a) {
|
||||
r->infinity = a->infinity;
|
||||
if (a->infinity) {
|
||||
return;
|
||||
|
|
@ -69,7 +81,7 @@ void static secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) {
|
|||
r->y = a->y;
|
||||
}
|
||||
|
||||
void static secp256k1_ge_set_all_gej(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]) {
|
||||
void static secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]) {
|
||||
int count = 0;
|
||||
secp256k1_fe_t az[len];
|
||||
for (int i=0; i<len; i++) {
|
||||
|
|
@ -140,7 +152,7 @@ void static secp256k1_gej_set_ge(secp256k1_gej_t *r, const secp256k1_ge_t *a) {
|
|||
secp256k1_fe_set_int(&r->z, 1);
|
||||
}
|
||||
|
||||
void static secp256k1_gej_get_x(secp256k1_fe_t *r, const secp256k1_gej_t *a) {
|
||||
void static secp256k1_gej_get_x_var(secp256k1_fe_t *r, const secp256k1_gej_t *a) {
|
||||
secp256k1_fe_t zi2; secp256k1_fe_inv_var(&zi2, &a->z); secp256k1_fe_sqr(&zi2, &zi2);
|
||||
secp256k1_fe_mul(r, &a->x, &zi2);
|
||||
}
|
||||
|
|
@ -189,7 +201,7 @@ int static secp256k1_ge_is_valid(const secp256k1_ge_t *a) {
|
|||
return secp256k1_fe_equal(&y2, &x3);
|
||||
}
|
||||
|
||||
void static secp256k1_gej_double(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
|
||||
void static secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
|
||||
if (a->infinity) {
|
||||
r->infinity = 1;
|
||||
return;
|
||||
|
|
@ -226,7 +238,7 @@ void static secp256k1_gej_double(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
|
|||
r->infinity = 0;
|
||||
}
|
||||
|
||||
void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
|
||||
void static secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
|
||||
if (a->infinity) {
|
||||
*r = *b;
|
||||
return;
|
||||
|
|
@ -248,7 +260,7 @@ void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, cons
|
|||
secp256k1_fe_normalize(&s1);
|
||||
secp256k1_fe_normalize(&s2);
|
||||
if (secp256k1_fe_equal(&s1, &s2)) {
|
||||
secp256k1_gej_double(r, a);
|
||||
secp256k1_gej_double_var(r, a);
|
||||
} else {
|
||||
r->infinity = 1;
|
||||
}
|
||||
|
|
@ -267,7 +279,7 @@ void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, cons
|
|||
secp256k1_fe_add(&r->y, &h3);
|
||||
}
|
||||
|
||||
void static secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) {
|
||||
void static secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) {
|
||||
if (a->infinity) {
|
||||
r->infinity = b->infinity;
|
||||
r->x = b->x;
|
||||
|
|
@ -291,7 +303,7 @@ void static secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, c
|
|||
secp256k1_fe_normalize(&s1);
|
||||
secp256k1_fe_normalize(&s2);
|
||||
if (secp256k1_fe_equal(&s1, &s2)) {
|
||||
secp256k1_gej_double(r, a);
|
||||
secp256k1_gej_double_var(r, a);
|
||||
} else {
|
||||
r->infinity = 1;
|
||||
}
|
||||
|
|
@ -323,7 +335,7 @@ void static secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *
|
|||
secp256k1_fe_mul(&r->x, &r->x, beta);
|
||||
}
|
||||
|
||||
void static secp256k1_gej_split_exp(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a) {
|
||||
void static secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a) {
|
||||
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
|
||||
secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue