Skip to content

Commit

Permalink
Reintroduce projective blinding
Browse files Browse the repository at this point in the history
  • Loading branch information
sipa committed Apr 15, 2024
1 parent f9efd12 commit 0425c7c
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 2 deletions.
4 changes: 4 additions & 0 deletions src/ecmult_gen.h
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,10 @@ typedef struct {
* ecmult_gen_impl.h for more details. */
secp256k1_scalar scalar_offset;
secp256k1_ge ge_offset;

/* Factor used for projective blinding. This value is used to rescale the Z
* coordinate of the first table lookup. */
secp256k1_fe proj_blind;
} secp256k1_ecmult_gen_context;

static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);
Expand Down
12 changes: 11 additions & 1 deletion src/ecmult_gen_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx
ctx->built = 0;
secp256k1_scalar_clear(&ctx->scalar_offset);
secp256k1_ge_clear(&ctx->ge_offset);
secp256k1_fe_clear(&ctx->proj_blind);
}

/* Compute the scalar (2^COMB_BITS - 1) / 2, the difference between the gn argument to
Expand Down Expand Up @@ -256,6 +257,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
if (EXPECT(first, 0)) {
/* If this is the first table lookup, we can skip addition. */
secp256k1_gej_set_ge(r, &add);
/* Give the entry a random Z coordinate to blind intermediary results. */
secp256k1_gej_rescale(r, &ctx->proj_blind);
first = 0;
} else {
secp256k1_gej_add_ge(r, r, &add);
Expand Down Expand Up @@ -283,6 +286,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
secp256k1_scalar b;
secp256k1_scalar diff;
secp256k1_gej gb;
secp256k1_fe f;
unsigned char nonce32[32];
secp256k1_rfc6979_hmac_sha256 rng;
unsigned char keydata[64];
Expand All @@ -294,6 +298,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
/* When seed is NULL, reset the final point and blinding value. */
secp256k1_ge_neg(&ctx->ge_offset, &secp256k1_ge_const_g);
secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff);
ctx->proj_blind = secp256k1_fe_one;
return;
}
/* The prior blinding value (if not reset) is chained forward by including it in the hash. */
Expand All @@ -307,7 +312,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
memset(keydata, 0, sizeof(keydata));

/* TODO: reintroduce projective blinding. */
/* Compute projective blinding factor (cannot be 0). */
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
secp256k1_fe_set_b32_mod(&f, nonce32);
secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_normalizes_to_zero(&f));
ctx->proj_blind = f;

/* For a random blinding value b, set scalar_offset=diff-n, ge_offset=bG */
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
Expand All @@ -325,6 +334,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
/* Clean up. */
secp256k1_scalar_clear(&b);
secp256k1_gej_clear(&gb);
secp256k1_fe_clear(&f);
}

#endif /* SECP256K1_ECMULT_GEN_IMPL_H */
3 changes: 2 additions & 1 deletion src/tests.c
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,8 @@ static void run_selftest_tests(void) {
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
return a->built == b->built
&& secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset)
&& secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset);
&& secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset)
&& secp256k1_fe_equal(&a->proj_blind, &b->proj_blind);
}

static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
Expand Down

0 comments on commit 0425c7c

Please sign in to comment.