Skip to content

Commit 4a4d16e

Browse files
sipasipa
committed
Reintroduce projective blinding
1 parent 3d90274 commit 4a4d16e

File tree

2 files changed

+13
-1
lines changed

2 files changed

+13
-1
lines changed

src/ecmult_gen.h

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -90,6 +90,10 @@ typedef struct {
9090
/* Blinding values used when computing nG as (n-b)G + bG. */
9191
secp256k1_scalar scalar_offset; /* -b */
9292
secp256k1_ge final_point_add; /* bG */
93+
94+
/* Factor used for projective blinding. This value is used
95+
* to rescale the Z coordinate of the first table lookup. */
96+
secp256k1_fe proj_blind;
9397
} secp256k1_ecmult_gen_context;
9498

9599
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);

src/ecmult_gen_impl.h

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -175,6 +175,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
175175
if (EXPECT(first, 0)) {
176176
/* If this is the first table lookup, we can skip addition. */
177177
secp256k1_gej_set_ge(r, &add);
178+
/* Give the entry a random Z coordinate to blind intermediary results. */
179+
secp256k1_gej_rescale(r, &ctx->proj_blind);
178180
first = 0;
179181
} else {
180182
secp256k1_gej_add_ge(r, r, &add);
@@ -203,6 +205,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
203205
secp256k1_scalar base_offset, negone;
204206
unsigned i;
205207
secp256k1_gej gb;
208+
secp256k1_fe f;
206209
unsigned char nonce32[32];
207210
secp256k1_rfc6979_hmac_sha256 rng;
208211
unsigned char keydata[64] = {0};
@@ -220,6 +223,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
220223
secp256k1_ge_neg(&ctx->final_point_add, &secp256k1_ge_const_g);
221224
ctx->scalar_offset = secp256k1_scalar_one;
222225
secp256k1_scalar_add(&ctx->scalar_offset, &ctx->scalar_offset, &base_offset);
226+
ctx->proj_blind = secp256k1_fe_one;
223227
}
224228
/* The prior blinding value (if not reset) is chained forward by including it in the hash. */
225229
secp256k1_scalar_get_b32(nonce32, &ctx->scalar_offset);
@@ -234,7 +238,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
234238
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
235239
memset(keydata, 0, sizeof(keydata));
236240

237-
/* TODO: reintroduce projective blinding. */
241+
/* Compute projective blinding factor (cannot be 0). */
242+
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
243+
secp256k1_fe_set_b32(&f, nonce32);
244+
secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_is_zero(&f));
245+
ctx->proj_blind = f;
238246

239247
/* For a random blinding value b, set scalar_offset=base_offset-n, final_point_add=bG */
240248
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);

0 commit comments

Comments
 (0)