
Commit 644e86d

Reintroduce projective blinding
1 parent 07810d9 commit 644e86d

3 files changed

+17
-2
lines changed


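--- a/src/ecmult_gen.h
+++ b/src/ecmult_gen.h
@@ -109,6 +109,10 @@ typedef struct {
      * ecmult_gen_impl.h for more details. */
     secp256k1_scalar scalar_offset;
     secp256k1_ge ge_offset;
+
+    /* Factor used for projective blinding. This value is used to rescale the Z
+     * coordinate of the first table lookup. */
+    secp256k1_fe proj_blind;
 } secp256k1_ecmult_gen_context;
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);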
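Review bot: The comment on the new `proj_blind` field does not state the invariant its consumer depends on: secp256k1_ecmult_gen rescales the first table entry by it unconditionally, so it must be non-zero whenever the context is usable, and a zero value would collapse the Z coordinate. The guarantee is established elsewhere in this commit (a zero draw is replaced by one via cmov, and the seed-NULL reset stores secp256k1_fe_one), but a reader of the header cannot see that. Suggest appending ` * Invariant: never zero while the context is built; secp256k1_ecmult_gen_blind enforces this.` to the field comment. The enclosing typedef struct begins above this hunk.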

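--- a/src/ecmult_gen_impl.h
+++ b/src/ecmult_gen_impl.h
@@ -27,6 +27,7 @@ static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx
     ctx->built = 0;
     secp256k1_scalar_clear(&ctx->scalar_offset);
     secp256k1_ge_clear(&ctx->ge_offset);
+    secp256k1_fe_clear(&ctx->proj_blind);
 }
 
 /* Compute the scalar (2^COMB_BITS - 1) / 2, the difference between the gn argument to
@@ -256,6 +257,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
         if (EXPECT(first, 0)) {
             /* If this is the first table lookup, we can skip addition. */
             secp256k1_gej_set_ge(r, &add);
+            /* Give the entry a random Z coordinate to blind intermediary results. */
+            secp256k1_gej_rescale(r, &ctx->proj_blind);
             first = 0;
         } else {
             secp256k1_gej_add_ge(r, r, &add);
@@ -283,6 +286,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     secp256k1_scalar b;
     secp256k1_scalar diff;
     secp256k1_gej gb;
+    secp256k1_fe f;
     unsigned char nonce32[32];
     secp256k1_rfc6979_hmac_sha256 rng;
     unsigned char keydata[64];
@@ -294,6 +298,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
         /* When seed is NULL, reset the final point and blinding value. */
         secp256k1_ge_neg(&ctx->ge_offset, &secp256k1_ge_const_g);
         secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff);
+        ctx->proj_blind = secp256k1_fe_one;
         return;
     }
     /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
@@ -307,7 +312,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
     memset(keydata, 0, sizeof(keydata));
 
-    /* TODO: reintroduce projective blinding. */
+    /* Compute projective blinding factor (cannot be 0). */
+    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+    secp256k1_fe_set_b32_mod(&f, nonce32);
+    secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_normalizes_to_zero(&f));
+    ctx->proj_blind = f;
 
     /* For a random blinding value b, set scalar_offset=diff-b, ge_offset=bG */
     secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
@@ -325,6 +334,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     /* Clean up. */
     secp256k1_scalar_clear(&b);
     secp256k1_gej_clear(&gb);
+    secp256k1_fe_clear(&f);
 }
 
 #endif /* SECP256K1_ECMULT_GEN_IMPL_H */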
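Review bot: The new `/* Compute projective blinding factor (cannot be 0). */` comment in the @@ -307 hunk says that zero is excluded but not why, nor why the exclusion is done with a cmov instead of a branch; the next reader may "simplify" it into an `if`. Suggest `/* Compute projective blinding factor. A zero factor would zero the rescaled Z coordinate, so a (negligibly likely) zero draw is replaced by 1 with a cmov rather than a branch to keep this path constant-time. */`. The same hunk leaves `nonce32` holding the bytes that derived the blinding factor; the cleanup hunk clears `f` and `b` but I cannot see from these hunks whether `nonce32` is zeroed elsewhere in the function — if it is not, add `memset(nonce32, 0, sizeof(nonce32));` next to the existing `memset(keydata, ...)`. secp256k1_ecmult_gen_blind begins and continues outside the visible hunks.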

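--- a/src/tests.c
+++ b/src/tests.c
@@ -249,7 +249,8 @@ static void run_selftest_tests(void) {
 static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
     return a->built == b->built
         && secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset)
-        && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset);
+        && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset)
+        && secp256k1_fe_equal(&a->proj_blind, &b->proj_blind);
 }
 
 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {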
