From a0e696fd4da3788758bb3fdae66c7ae262dbf224 Mon Sep 17 00:00:00 2001 From: Gregory Maxwell Date: Sat, 8 Aug 2020 03:52:34 +0000 Subject: [PATCH] Make secp256k1_ecmult_const handle infinity Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes. Update docs for it to make it clear that it is not constant time in A (the input point). It never was constant time in Q (and would be a little complicated to make constant time in A). If it was later made constant time in A, infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output. --- src/ecmult_const.h | 3 +-- src/ecmult_const_impl.h | 5 +++++ src/tests_exhaustive.c | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/ecmult_const.h b/src/ecmult_const.h index 9e065d555d7b9..080e04bc882f2 100644 --- a/src/ecmult_const.h +++ b/src/ecmult_const.h @@ -11,8 +11,7 @@ #include "group.h" /** - * Multiply: R = q*A (in constant-time) - * A must not be infinity. + * Multiply: R = q*A (in constant-time for q) */ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q); diff --git a/src/ecmult_const_impl.h b/src/ecmult_const_impl.h index f2b6f48285fc5..81e16e343de99 100644 --- a/src/ecmult_const_impl.h +++ b/src/ecmult_const_impl.h @@ -144,6 +144,11 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons int i; + if (secp256k1_ge_is_infinity(a)) { + secp256k1_gej_set_infinity(r); + return; + } + /* build wnaf representation for q. */ /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */ secp256k1_scalar_split_lambda(&q_1, &q_lam, scalar); diff --git a/src/tests_exhaustive.c b/src/tests_exhaustive.c index 5a990f7d64dda..ee60fe9f45458 100644 --- a/src/tests_exhaustive.c +++ b/src/tests_exhaustive.c @@ -193,7 +193,7 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge } for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) { - for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { + for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { int ret; secp256k1_gej tmp; secp256k1_fe xn, xd, tmpf; @@ -207,7 +207,7 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge secp256k1_ecmult_const(&tmp, &group[i], &ng); ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp); - if (j != 0) { + if (i != 0 && j != 0) { /* Test secp256k1_ecmult_const_xonly with all curve X coordinates, and xd=NULL. */ ret = secp256k1_ecmult_const_xonly(&tmpf, &group[i].x, NULL, &ng, 0); CHECK(ret);