
Commit a20c1e9

committed
rangeproof_sign_exact: compute k in a more obviously non-reusing way
1 parent 7cf34e2 commit a20c1e9


1 file changed

+12
-13
lines changed

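--- a/src/modules/rangeproof/main_impl.h
+++ b/src/modules/rangeproof/main_impl.h
@@ -447,12 +447,20 @@ int secp256k1_rangeproof_create_exact(const secp256k1_context* ctx, unsigned cha
 
 /* Now we have to make a Schnorr signature in (e, s) form. */
 
-/* 1. Compute random k */
+/* 1. Compute slow/overwrought commitment to proof params */
 secp256k1_sha256_initialize(&sha2);
-secp256k1_sha256_write(&sha2, blind, 32);
-secp256k1_sha256_write(&sha2, proof, offset);
+secp256k1_rangeproof_serialize_point(tmpch, &commitp);
+secp256k1_sha256_write(&sha2, tmpch, 33);
 secp256k1_rangeproof_serialize_point(tmpch, &genp);
 secp256k1_sha256_write(&sha2, tmpch, 33);
+secp256k1_sha256_write(&sha2, proof, offset);
+secp256k1_sha256_finalize(&sha2, pp_comm);
+
+/* 2. Compute random k */
+secp256k1_sha256_initialize(&sha2);
+secp256k1_sha256_write(&sha2, blind, 32);
+secp256k1_sha256_write(&sha2, proof, offset);
+secp256k1_sha256_write(&sha2, pp_comm, 32);
 secp256k1_sha256_finalize(&sha2, tmpch);
 secp256k1_scalar_set_b32(&ks, tmpch, &overflow);
 if (overflow || secp256k1_scalar_is_zero(&ks)) {
@@ -461,19 +469,10 @@ int secp256k1_rangeproof_create_exact(const secp256k1_context* ctx, unsigned cha
 return 0;
 }
 
-/* 2. Compute R = kG */
+/* 3. Compute R = kG */
 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &tmpj, &ks);
 secp256k1_ge_set_gej(&tmpp, &tmpj);
 
-/* 3. Compute slow/overwrought commitment to proof params */
-secp256k1_sha256_initialize(&sha2);
-secp256k1_rangeproof_serialize_point(tmpch, &commitp);
-secp256k1_sha256_write(&sha2, tmpch, 33);
-secp256k1_rangeproof_serialize_point(tmpch, &genp);
-secp256k1_sha256_write(&sha2, tmpch, 33);
-secp256k1_sha256_write(&sha2, proof, offset);
-secp256k1_sha256_finalize(&sha2, pp_comm);
-
 /* 4. Compute e0 = H(R || proof params) and serialize it into the proof */
 secp256k1_sha256_initialize(&sha2);
 secp256k1_eckey_pubkey_serialize(&tmpp, tmpch, &sz, 1);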
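Review bot: The comment `/* 2. Compute random k */` kept above the new nonce derivation is now misleading: k is no longer random but derived from the secret `blind`, the proof prefix and `pp_comm`, and the reason for that construction (the point of this commit) is not written down anywhere in the code; suggest `/* 2. Derive nonce k deterministically from the secret and from pp_comm, the exact material e will commit to, so two signatures over different params cannot share k */`. Hashing `proof` into k a second time is redundant given that `pp_comm` already covers it; harmless, but a short remark that this is intentional would stop the next reader from "fixing" it. `ks` holds the nonce, which is as sensitive as `blind`; the rest of secp256k1_rangeproof_create_exact is outside this hunk, so if it is not already cleared after s is computed, add `secp256k1_scalar_clear(&ks);` before returning.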
