From 883856b6979c8796f227c160ddf9959f8f010be3 Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Sun, 26 Dec 2021 22:45:30 -0500 Subject: [PATCH] Reintroduce projective blinding --- src/ecmult_gen.h | 4 ++++ src/ecmult_gen_impl.h | 12 +++++++++++- src/tests.c | 3 ++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/src/ecmult_gen.h b/src/ecmult_gen.h index 9adbf485f0..91c109ff23 100644 --- a/src/ecmult_gen.h +++ b/src/ecmult_gen.h @@ -109,6 +109,10 @@ typedef struct { * ecmult_gen_impl.h for more details. */ secp256k1_scalar scalar_offset; secp256k1_ge ge_offset; + + /* Factor used for projective blinding. This value is used to rescale the Z + * coordinate of the first table lookup. */ + secp256k1_fe proj_blind; } secp256k1_ecmult_gen_context; static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx); diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h index a726270d88..a09dfecb9e 100644 --- a/src/ecmult_gen_impl.h +++ b/src/ecmult_gen_impl.h @@ -27,6 +27,7 @@ static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx ctx->built = 0; secp256k1_scalar_clear(&ctx->scalar_offset); secp256k1_ge_clear(&ctx->ge_offset); + secp256k1_fe_clear(&ctx->proj_blind); } /* Compute the scalar (2^COMB_BITS - 1) / 2. */ @@ -245,6 +246,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25 if (EXPECT(first, 0)) { /* If this is the first table lookup, we can skip addition. */ secp256k1_gej_set_ge(r, &add); + /* Give the entry a random Z coordinate to blind intermediary results. */ + secp256k1_gej_rescale(r, &ctx->proj_blind); first = 0; } else { secp256k1_gej_add_ge(r, r, &add); @@ -272,6 +275,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const secp256k1_scalar b; secp256k1_scalar diff; secp256k1_gej gb; + secp256k1_fe f; unsigned char nonce32[32]; secp256k1_rfc6979_hmac_sha256 rng; unsigned char keydata[64]; @@ -283,6 +287,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const /* When seed is NULL, reset the final point and blinding value. */ secp256k1_ge_neg(&ctx->ge_offset, &secp256k1_ge_const_g); secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff); + ctx->proj_blind = secp256k1_fe_one; return; } /* The prior blinding value (if not reset) is chained forward by including it in the hash. */ @@ -296,7 +301,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64); memset(keydata, 0, sizeof(keydata)); - /* TODO: reintroduce projective blinding. */ + /* Compute projective blinding factor (cannot be 0). */ + secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + secp256k1_fe_set_b32_mod(&f, nonce32); + secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_normalizes_to_zero(&f)); + ctx->proj_blind = f; /* For a random blinding value b, set scalar_offset=diff-n, ge_offset=bG */ secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); @@ -314,6 +323,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const /* Clean up. */ secp256k1_scalar_clear(&b); secp256k1_gej_clear(&gb); + secp256k1_fe_clear(&f); } #endif /* SECP256K1_ECMULT_GEN_IMPL_H */ diff --git a/src/tests.c b/src/tests.c index 72c7849d00..f08ab433a5 100644 --- a/src/tests.c +++ b/src/tests.c @@ -249,7 +249,8 @@ static void run_selftest_tests(void) { static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) { return a->built == b->built && secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset) - && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset); + && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset) + && secp256k1_fe_equal(&a->proj_blind, &b->proj_blind); } static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {