
Commit 151935e

committed
Reintroduce projective blinding
1 parent 75b1e4c commit 151935e


2 files changed

+13
-1
lines changed


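--- a/src/ecmult_gen.h
+++ b/src/ecmult_gen.h
@@ -89,6 +89,10 @@ typedef struct {
 /* Blinding values used when computing nG as (n-b)G + bG. */
 secp256k1_scalar scalar_offset; /* -b */
 secp256k1_ge final_point_add; /* bG */
+
+/* Factor used for projective blinding. This value is used
+ * to rescale the Z coordinate of the first table lookup. */
+secp256k1_fe proj_blind;
 } secp256k1_ecmult_gen_context;
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);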
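Review bot: The comment on the new `proj_blind` field leaves out the invariant the implementation depends on: the factor must be non-zero (the impl side says "cannot be 0" where it is generated), and it is the blinding routine, not the context builder, that establishes and resets it. Since a zero factor would not be a valid rescale and the only guard lives in another file, I'd record that at the declaration, e.g. `/* Factor used for projective blinding (must be non-zero). Used to rescale the Z coordinate of the first table lookup; set to one on reset and re-randomized by secp256k1_ecmult_gen_blind. */`. The struct definition begins outside this hunk.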

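--- a/src/ecmult_gen_impl.h
+++ b/src/ecmult_gen_impl.h
@@ -174,6 +174,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
 if (EXPECT(first, 0)) {
 /* If this is the first table lookup, we can skip addition. */
 secp256k1_gej_set_ge(r, &add);
+/* Give the entry a random Z coordinate to blind intermediary results. */
+secp256k1_gej_rescale(r, &ctx->proj_blind);
 first = 0;
 } else {
 secp256k1_gej_add_ge(r, r, &add);
@@ -202,6 +204,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 secp256k1_scalar base_offset, negone;
 unsigned i;
 secp256k1_gej gb;
+secp256k1_fe f;
 unsigned char nonce32[32];
 secp256k1_rfc6979_hmac_sha256 rng;
 unsigned char keydata[64] = {0};
@@ -219,6 +222,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 secp256k1_ge_neg(&ctx->final_point_add, &secp256k1_ge_const_g);
 ctx->scalar_offset = secp256k1_scalar_one;
 secp256k1_scalar_add(&ctx->scalar_offset, &ctx->scalar_offset, &base_offset);
+ctx->proj_blind = secp256k1_fe_one;
 }
 /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
 secp256k1_scalar_get_b32(nonce32, &ctx->scalar_offset);
@@ -233,7 +237,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
 memset(keydata, 0, sizeof(keydata));
 
-/* TODO: reintroduce projective blinding. */
+/* Compute projective blinding factor (cannot be 0). */
+secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+secp256k1_fe_set_b32(&f, nonce32);
+secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_is_zero(&f));
+ctx->proj_blind = f;
 
 /* For a random blinding value b, set scalar_offset=base_offset-n, final_point_add=bG */
 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);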
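Review bot: The result of `secp256k1_fe_set_b32` at new line 242 is discarded, and if that routine reports (rather than reduces) a 32-byte value that is not below the field modulus, `f` reaches `secp256k1_fe_is_zero` un-normalized, which that predicate is not defined for; the case is rare for an HMAC-derived nonce but it is reachable. Normalizing before the zero test, `secp256k1_fe_normalize(&f);` inserted ahead of the `secp256k1_fe_cmov` line, or checking the return value and regenerating, removes the dependency on the input range. Separately, `f` is a stack copy of the secret factor that is never wiped, whereas this function does clear its other key material (`memset(keydata, 0, sizeof(keydata))` at new line 238); a `secp256k1_fe_clear(&f);` after `ctx->proj_blind = f;` would keep that practice consistent. The rescale in the first hunk sits in `secp256k1_ecmult_gen` and the rest in `secp256k1_ecmult_gen_blind`; both function bodies start and end outside the hunks shown.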
