boxtec
/
bitcoin
mirror of https://github.com/bitcoin/bitcoin
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #94

Browse Source 
da55986 Label variable-time functions correctly and don't use those in sign (Pieter Wuille)
pull/11871/head
Pieter Wuille 10 years ago
parent 784e62f3b2 da55986fdf
commit 0ce80ef47e
No known key found for this signature in database
GPG Key ID: 57896D2FF8F0B657
5 changed files with 56 additions and 41 deletions
Show Stats Download Patch File Download Diff File

4
src/ecdsa_impl.h
Unescape View File

@ -70,7 +70,7 @@ int static secp256k1_ecdsa_sig_recompute(secp256k1_num_t *r2, const secp256k1_ec
secp256k1_gej_t pubkeyj; secp256k1_gej_set_ge(&pubkeyj, pubkey);
secp256k1_gej_t pr; secp256k1_ecmult(&pr, &pubkeyj, &u2, &u1);
if (!secp256k1_gej_is_infinity(&pr)) {
secp256k1_fe_t xr; secp256k1_gej_get_x(&xr, &pr);
secp256k1_fe_t xr; secp256k1_gej_get_x_var(&xr, &pr);
secp256k1_fe_normalize(&xr);
unsigned char xrb[32]; secp256k1_fe_get_b32(xrb, &xr);
secp256k1_num_set_bin(r2, xrb, 32);
@ -121,7 +121,7 @@ int static secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256
secp256k1_num_mod_mul(&u2, &rn, &sig->s, &c->order);
secp256k1_gej_t qj;
secp256k1_ecmult(&qj, &xj, &u2, &u1);
secp256k1_ge_set_gej(pubkey, &qj);
secp256k1_ge_set_gej_var(pubkey, &qj);
secp256k1_num_free(&rn);
secp256k1_num_free(&u1);
secp256k1_num_free(&u2);

17
src/ecmult_gen_impl.h
Unescape View File

@ -49,7 +49,7 @@ static void secp256k1_ecmult_gen_start(void) {
VERIFY_CHECK(secp256k1_ge_set_xo(&nums_ge, &nums_x, 0));
secp256k1_gej_set_ge(&nums_gej, &nums_ge);
// Add G to make the bits in x uniformly distributed.
secp256k1_gej_add_ge(&nums_gej, &nums_gej, g);
secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, g);
}
// compute prec.
@ -63,21 +63,21 @@ static void secp256k1_ecmult_gen_start(void) {
// Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase).
precj[j*16] = numsbase;
for (int i=1; i<16; i++) {
secp256k1_gej_add(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase);
secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase);
}
// Multiply gbase by 16.
for (int i=0; i<4; i++) {
secp256k1_gej_double(&gbase, &gbase);
secp256k1_gej_double_var(&gbase, &gbase);
}
// Multiply numbase by 2.
secp256k1_gej_double(&numsbase, &numsbase);
secp256k1_gej_double_var(&numsbase, &numsbase);
if (j == 62) {
// In the last iteration, numsbase is (1 - 2^j) * nums instead.
secp256k1_gej_neg(&numsbase, &numsbase);
secp256k1_gej_add(&numsbase, &numsbase, &nums_gej);
secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej);
}
}
secp256k1_ge_set_all_gej(1024, prec, precj);
secp256k1_ge_set_all_gej_var(1024, prec, precj);
}
for (int j=0; j<64; j++) {
for (int i=0; i<16; i++) {
@ -109,7 +109,10 @@ void static secp256k1_ecmult_gen(secp256k1_gej_t *r, const secp256k1_scalar_t *g
bits = secp256k1_scalar_get_bits(gn, j * 4, 4);
for (int k=0; k<sizeof(secp256k1_ge_t); k++)
((unsigned char*)(&add))[k] = c->prec[j][k][bits];
secp256k1_gej_add_ge(r, r, &add);
// Note that the next line uses a variable-time addition function, which
// is fine, as the inputs are blinded (they have no known corresponding
// private key).
secp256k1_gej_add_ge_var(r, r, &add);
}
bits = 0;
secp256k1_ge_clear(&add);

36
src/ecmult_impl.h
Unescape View File

@ -29,22 +29,22 @@
* To compute a*P + b*G, we use the jacobian version for P, and the affine version for G, as
* G is constant, so it only needs to be done once in advance.
*/
void static secp256k1_ecmult_table_precomp_gej(secp256k1_gej_t *pre, const secp256k1_gej_t *a, int w) {
void static secp256k1_ecmult_table_precomp_gej_var(secp256k1_gej_t *pre, const secp256k1_gej_t *a, int w) {
pre[0] = *a;
secp256k1_gej_t d; secp256k1_gej_double(&d, &pre[0]);
secp256k1_gej_t d; secp256k1_gej_double_var(&d, &pre[0]);
for (int i=1; i<(1 << (w-2)); i++)
secp256k1_gej_add(&pre[i], &d, &pre[i-1]);
secp256k1_gej_add_var(&pre[i], &d, &pre[i-1]);
}
void static secp256k1_ecmult_table_precomp_ge(secp256k1_ge_t *pre, const secp256k1_gej_t *a, int w) {
void static secp256k1_ecmult_table_precomp_ge_var(secp256k1_ge_t *pre, const secp256k1_gej_t *a, int w) {
const int table_size = 1 << (w-2);
secp256k1_gej_t prej[table_size];
prej[0] = *a;
secp256k1_gej_t d; secp256k1_gej_double(&d, a);
secp256k1_gej_t d; secp256k1_gej_double_var(&d, a);
for (int i=1; i<table_size; i++) {
secp256k1_gej_add(&prej[i], &d, &prej[i-1]);
secp256k1_gej_add_var(&prej[i], &d, &prej[i-1]);
}
secp256k1_ge_set_all_gej(table_size, pre, prej);
secp256k1_ge_set_all_gej_var(table_size, pre, prej);
}
/** The number of entries a table with precomputed multiples needs to have. */
@ -87,11 +87,11 @@ static void secp256k1_ecmult_start(void) {
// calculate 2^128*generator
secp256k1_gej_t g_128j = gj;
for (int i=0; i<128; i++)
secp256k1_gej_double(&g_128j, &g_128j);
secp256k1_gej_double_var(&g_128j, &g_128j);
// precompute the tables with odd multiples
secp256k1_ecmult_table_precomp_ge(ret->pre_g, &gj, WINDOW_G);
secp256k1_ecmult_table_precomp_ge(ret->pre_g_128, &g_128j, WINDOW_G);
secp256k1_ecmult_table_precomp_ge_var(ret->pre_g, &gj, WINDOW_G);
secp256k1_ecmult_table_precomp_ge_var(ret->pre_g_128, &g_128j, WINDOW_G);
// Set the global pointer to the precomputation table.
secp256k1_ecmult_consts = ret;
@ -150,7 +150,7 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
#ifdef USE_ENDOMORPHISM
secp256k1_num_t na_1, na_lam;
// split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit)
secp256k1_gej_split_exp(&na_1, &na_lam, na);
secp256k1_gej_split_exp_var(&na_1, &na_lam, na);
// build wnaf representation for na_1 and na_lam.
int wnaf_na_1[129]; int bits_na_1 = secp256k1_ecmult_wnaf(wnaf_na_1, &na_1, WINDOW_A);
@ -165,7 +165,7 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
// calculate odd multiples of a
secp256k1_gej_t pre_a[ECMULT_TABLE_SIZE(WINDOW_A)];
secp256k1_ecmult_table_precomp_gej(pre_a, a, WINDOW_A);
secp256k1_ecmult_table_precomp_gej_var(pre_a, a, WINDOW_A);
#ifdef USE_ENDOMORPHISM
secp256k1_gej_t pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)];
@ -190,30 +190,30 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
secp256k1_ge_t tmpa;
for (int i=bits-1; i>=0; i--) {
secp256k1_gej_double(r, r);
secp256k1_gej_double_var(r, r);
int n;
#ifdef USE_ENDOMORPHISM
if (i < bits_na_1 && (n = wnaf_na_1[i])) {
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a, n, WINDOW_A);
secp256k1_gej_add(r, r, &tmpj);
secp256k1_gej_add_var(r, r, &tmpj);
}
if (i < bits_na_lam && (n = wnaf_na_lam[i])) {
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a_lam, n, WINDOW_A);
secp256k1_gej_add(r, r, &tmpj);
secp256k1_gej_add_var(r, r, &tmpj);
}
#else
if (i < bits_na && (n = wnaf_na[i])) {
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a, n, WINDOW_A);
secp256k1_gej_add(r, r, &tmpj);
secp256k1_gej_add_var(r, r, &tmpj);
}
#endif
if (i < bits_ng_1 && (n = wnaf_ng_1[i])) {
ECMULT_TABLE_GET_GE(&tmpa, c->pre_g, n, WINDOW_G);
secp256k1_gej_add_ge(r, r, &tmpa);
secp256k1_gej_add_ge_var(r, r, &tmpa);
}
if (i < bits_ng_128 && (n = wnaf_ng_128[i])) {
ECMULT_TABLE_GET_GE(&tmpa, c->pre_g_128, n, WINDOW_G);
secp256k1_gej_add_ge(r, r, &tmpa);
secp256k1_gej_add_ge_var(r, r, &tmpa);
}
}
}

12
src/group.h
Unescape View File

@ -69,7 +69,7 @@ void static secp256k1_ge_get_hex(char *r, int *rlen, const secp256k1_ge_t *a);
void static secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a);
/** Set a batch of group elements equal to the inputs given in jacobian coordinates */
void static secp256k1_ge_set_all_gej(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]);
void static secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]);
/** Set a group element (jacobian) equal to the point at infinity. */
@ -82,7 +82,7 @@ void static secp256k1_gej_set_xy(secp256k1_gej_t *r, const secp256k1_fe_t *x, co
void static secp256k1_gej_set_ge(secp256k1_gej_t *r, const secp256k1_ge_t *a);
/** Get the X coordinate of a group element (jacobian). */
void static secp256k1_gej_get_x(secp256k1_fe_t *r, const secp256k1_gej_t *a);
void static secp256k1_gej_get_x_var(secp256k1_fe_t *r, const secp256k1_gej_t *a);
/** Set r equal to the inverse of a (i.e., mirrored around the X axis) */
void static secp256k1_gej_neg(secp256k1_gej_t *r, const secp256k1_gej_t *a);
@ -91,14 +91,14 @@ void static secp256k1_gej_neg(secp256k1_gej_t *r, const secp256k1_gej_t *a);
int static secp256k1_gej_is_infinity(const secp256k1_gej_t *a);
/** Set r equal to the double of a. */
void static secp256k1_gej_double(secp256k1_gej_t *r, const secp256k1_gej_t *a);
void static secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a);
/** Set r equal to the sum of a and b. */
void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b);
void static secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b);
/** Set r equal to the sum of a and b (with b given in affine coordinates). This is more efficient
than secp256k1_gej_add. */
void static secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b);
void static secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b);
/** Get a hex representation of a point. *rlen will be overwritten with the real length. */
void static secp256k1_gej_get_hex(char *r, int *rlen, const secp256k1_gej_t *a);
@ -109,7 +109,7 @@ void static secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *
/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (given that a is
not more than 256 bits). */
void static secp256k1_gej_split_exp(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a);
void static secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a);
#endif
/** Clear a secp256k1_gej_t to prevent leaking sensitive information. */

28
src/group_impl.h
Unescape View File

@ -55,6 +55,18 @@ void static secp256k1_ge_get_hex(char *r, int *rlen, const secp256k1_ge_t *a) {
}
void static secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) {
r->infinity = a->infinity;
secp256k1_fe_inv(&a->z, &a->z);
secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &a->z);
secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &a->z, &z2);
secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1);
r->x = a->x;
r->y = a->y;
}
void static secp256k1_ge_set_gej_var(secp256k1_ge_t *r, secp256k1_gej_t *a) {
r->infinity = a->infinity;
if (a->infinity) {
return;
@ -69,7 +81,7 @@ void static secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) {
r->y = a->y;
}
void static secp256k1_ge_set_all_gej(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]) {
void static secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge_t r[len], const secp256k1_gej_t a[len]) {
int count = 0;
secp256k1_fe_t az[len];
for (int i=0; i<len; i++) {
@ -140,7 +152,7 @@ void static secp256k1_gej_set_ge(secp256k1_gej_t *r, const secp256k1_ge_t *a) {
secp256k1_fe_set_int(&r->z, 1);
}
void static secp256k1_gej_get_x(secp256k1_fe_t *r, const secp256k1_gej_t *a) {
void static secp256k1_gej_get_x_var(secp256k1_fe_t *r, const secp256k1_gej_t *a) {
secp256k1_fe_t zi2; secp256k1_fe_inv_var(&zi2, &a->z); secp256k1_fe_sqr(&zi2, &zi2);
secp256k1_fe_mul(r, &a->x, &zi2);
}
@ -189,7 +201,7 @@ int static secp256k1_ge_is_valid(const secp256k1_ge_t *a) {
return secp256k1_fe_equal(&y2, &x3);
}
void static secp256k1_gej_double(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
void static secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
if (a->infinity) {
r->infinity = 1;
return;
@ -226,7 +238,7 @@ void static secp256k1_gej_double(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
r->infinity = 0;
}
void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
void static secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
if (a->infinity) {
*r = *b;
return;
@ -248,7 +260,7 @@ void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, cons
secp256k1_fe_normalize(&s1);
secp256k1_fe_normalize(&s2);
if (secp256k1_fe_equal(&s1, &s2)) {
secp256k1_gej_double(r, a);
secp256k1_gej_double_var(r, a);
} else {
r->infinity = 1;
}
@ -267,7 +279,7 @@ void static secp256k1_gej_add(secp256k1_gej_t *r, const secp256k1_gej_t *a, cons
secp256k1_fe_add(&r->y, &h3);
}
void static secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) {
void static secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) {
if (a->infinity) {
r->infinity = b->infinity;
r->x = b->x;
@ -291,7 +303,7 @@ void static secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, c
secp256k1_fe_normalize(&s1);
secp256k1_fe_normalize(&s2);
if (secp256k1_fe_equal(&s1, &s2)) {
secp256k1_gej_double(r, a);
secp256k1_gej_double_var(r, a);
} else {
r->infinity = 1;
}
@ -323,7 +335,7 @@ void static secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *
secp256k1_fe_mul(&r->x, &r->x, beta);
}
void static secp256k1_gej_split_exp(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a) {
void static secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a) {
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2;

Write Preview
Loading…
Cancel
Save