Make secp256k1_ecmult_const handle infinity

Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes. Update docs for it to make it clear that it is not constant time in A (the input point). It never was constant time in Q (and would be a little complicated to make constant time in A). If it was later made constant time in A, infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
sipa · May 10, 2023 · a0e696f · a0e696f
1 parent 24c768a
commit a0e696f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/src/ecmult_const.h b/src/ecmult_const.h
@@ -11,8 +11,7 @@
 #include "group.h"
 
 /**
- * Multiply: R = q*A (in constant-time)
- * A must not be infinity.
+ * Multiply: R = q*A (in constant-time for q)
  */
 static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q);
 

diff --git a/src/ecmult_const_impl.h b/src/ecmult_const_impl.h
@@ -144,6 +144,11 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
 
     int i;
 
+    if (secp256k1_ge_is_infinity(a)) {
+        secp256k1_gej_set_infinity(r);
+        return;
+    }
+
     /* build wnaf representation for q. */
     /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */
     secp256k1_scalar_split_lambda(&q_1, &q_lam, scalar);

diff --git a/src/tests_exhaustive.c b/src/tests_exhaustive.c
@@ -193,7 +193,7 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge
     }
 
     for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
-        for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
+        for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
             int ret;
             secp256k1_gej tmp;
             secp256k1_fe xn, xd, tmpf;
@@ -207,7 +207,7 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge
             secp256k1_ecmult_const(&tmp, &group[i], &ng);
             ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp);
 
-            if (j != 0) {
+            if (i != 0 && j != 0) {
                 /* Test secp256k1_ecmult_const_xonly with all curve X coordinates, and xd=NULL. */
                 ret = secp256k1_ecmult_const_xonly(&tmpf, &group[i].x, NULL, &ng, 0);
                 CHECK(ret);