Optimization: use Nx32 representation for recoded bits

peterdettman · sipa · commit c727086ea989 · 2021-12-30T12:23:36.000-05:00
The existing code needs to deal with the edge case that bit_pos &gt;= 256,
which would lead to an out-of-bounds read from secp256k1_scalar.

Instead, recode the scalar into an array of uint32_t with enough zero
padding at the end to alleviate the issue. This also simplifies the
code, and is necessary for a security improvement in a follow-up
commit.

Original code by Peter Dettman, with modifications by Pieter Wuille.
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
@@ -53,8 +53,12 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
     secp256k1_ge add;
     secp256k1_fe neg;
     secp256k1_ge_storage adds;
-    secp256k1_scalar recoded;
-    int first = 1;
+    secp256k1_scalar tmp;
+    /* Array of uint32_t values large enough to store COMB_BITS bits. Only the bottom
+     * 8 are ever nonzero, but having the zero padding at the end if COMB_BITS>256
+     * avoids the need to deal with out-of-bounds reads from a scalar. */
+    uint32_t recoded[(COMB_BITS + 31) >> 5] = {0};
+    int first = 1, i;
 
     memset(&adds, 0, sizeof(adds));
 
@@ -74,7 +78,12 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
      */
 
     /* Compute the scalar (gn + ctx->scalar_offset). */
-    secp256k1_scalar_add(&recoded, &ctx->scalar_offset, gn);
+    secp256k1_scalar_add(&tmp, &ctx->scalar_offset, gn);
+    /* Convert to recoded array. */
+    for (i = 0; i < 8; ++i) {
+        recoded[i] = secp256k1_scalar_get_bits(&tmp, 32 * i, 32);
+    }
+    secp256k1_scalar_clear(&tmp);
 
     /* In secp256k1_ecmult_gen_prec_table we have precomputed sums of the
      * (2*d_i-1) * 2^(i-1) * G points, for various combinations of i positions.
@@ -142,8 +151,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
              * together: bit (tooth) of bits = bit
              * ((block*COMB_TEETH + tooth)*COMB_SPACING + comb_off) of recoded. */
             uint32_t bits = 0, sign, abs, index, tooth;
-            for (tooth = 0; tooth < COMB_TEETH && bit_pos < 256; ++tooth) {
-                uint32_t bit = secp256k1_scalar_get_bits(&recoded, bit_pos, 1);
+            for (tooth = 0; tooth < COMB_TEETH; ++tooth) {
+                uint32_t bit = (recoded[bit_pos >> 5] >> (bit_pos & 0x1f)) & 1;
                 bits |= bit << tooth;
                 bit_pos += COMB_SPACING;
             }
@@ -198,7 +207,7 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
     secp256k1_fe_clear(&neg);
     secp256k1_ge_clear(&add);
     memset(&adds, 0, sizeof(adds));
-    secp256k1_scalar_clear(&recoded);
+    memset(&recoded, 0, sizeof(recoded));
 }
 
 /* Setup blinding values for secp256k1_ecmult_gen. */
