
Commit a7f0d0e

committed
Reintroduce projective blinding
1 parent 80ba4c5 commit a7f0d0e


2 files changed

+13
-1
lines changed


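--- a/src/ecmult_gen.h
+++ b/src/ecmult_gen.h
@@ -90,6 +90,10 @@ typedef struct {
 /* Blinding values used when computing nG as (n-b)G + bG. */
 secp256k1_scalar scalar_offset; /* -b */
 secp256k1_ge final_point_add; /* bG */
+
+/* Factor used for projective blinding. This value is used
+* to rescale the Z coordinate of the first table lookup. */
+secp256k1_fe proj_blind;
 } secp256k1_ecmult_gen_context;
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);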
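Review bot: The comment on the new `proj_blind` member does not state the invariant that the only consumer relies on: `secp256k1_gej_rescale` on the first table lookup multiplies the accumulator's Z by this value, so a zero here would turn every result into a Z=0 (invalid) point. The producer side guards against that with a cmov to one, and a NULL-seed reset stores one, but a reader of the struct cannot see either. Suggest extending the comment: `/* Factor used for projective blinding. This value is used to rescale the Z coordinate of the first table lookup. Must never be zero; set by secp256k1_ecmult_gen_blind (one after a reset), derived from the blinding RNG and therefore secret. */`.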

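--- a/src/ecmult_gen_impl.h
+++ b/src/ecmult_gen_impl.h
@@ -195,6 +195,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
 if (EXPECT(first, 0)) {
 /* If this is the first table lookup, we can skip addition. */
 secp256k1_gej_set_ge(r, &add);
+/* Give the entry a random Z coordinate to blind intermediary results. */
+secp256k1_gej_rescale(r, &ctx->proj_blind);
 first = 0;
 } else {
 secp256k1_gej_add_ge(r, r, &add);
@@ -222,6 +224,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 secp256k1_scalar b;
 secp256k1_scalar diff;
 secp256k1_gej gb;
+secp256k1_fe f;
 unsigned char nonce32[32];
 secp256k1_rfc6979_hmac_sha256 rng;
 unsigned char keydata[64] = {0};
@@ -233,6 +236,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 /* When seed is NULL, reset the final point and blinding value. */
 secp256k1_ge_neg(&ctx->final_point_add, &secp256k1_ge_const_g);
 secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff);
+ctx->proj_blind = secp256k1_fe_one;
 }
 /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
 secp256k1_scalar_get_b32(nonce32, &ctx->scalar_offset);
@@ -247,7 +251,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
 memset(keydata, 0, sizeof(keydata));
 
-/* TODO: reintroduce projective blinding. */
+/* Compute projective blinding factor (cannot be 0). */
+secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+secp256k1_fe_set_b32(&f, nonce32);
+secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_is_zero(&f));
+ctx->proj_blind = f;
 
 /* For a random blinding value b, set scalar_offset=diff-n, final_point_add=bG */
 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);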
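Review bot: In the last hunk of secp256k1_ecmult_gen_blind the return value of `secp256k1_fe_set_b32` is discarded; as far as I recall this version reports 32-byte inputs at or above the field modulus through that return and leaves the element unnormalized in that case, while `secp256k1_fe_is_zero` requires a normalized input. The out-of-range case is vanishingly rare for RNG output, but it would trip a VERIFY check and, for the encoding of zero as p, slip past the cmov guard so that the first-lookup `secp256k1_gej_rescale` zeroes the accumulator's Z. Inserting `secp256k1_fe_normalize(&f);` between the set_b32 and the cmov (or otherwise reducing the input before the zero test) makes the "cannot be 0" comment hold unconditionally. Separately, `f` holds secret blinding material like `b` and `gb`; the function's end is outside the hunk, and if those are cleared there `f` should be cleared too, `secp256k1_fe_clear(&f);`.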
