Electroneum
ecmult_gen_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_ECMULT_GEN_IMPL_H
8 #define SECP256K1_ECMULT_GEN_IMPL_H
9 
10 #include "util.h"
11 #include "scalar.h"
12 #include "group.h"
13 #include "ecmult_gen.h"
14 #include "hash_impl.h"
15 #include "precomputed_ecmult_gen.h"
16 
17 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx) {
18  secp256k1_ecmult_gen_blind(ctx, NULL);
19  ctx->built = 1;
20 }
21 
22 static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx) {
23  return ctx->built;
24 }
25 
26 static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx) {
27  ctx->built = 0;
28  secp256k1_scalar_clear(&ctx->blind);
29  secp256k1_gej_clear(&ctx->initial);
30 }
31 
32 /* For accelerating the computation of a*G:
33  * To harden against timing attacks, use the following mechanism:
34  * * Break up the multiplicand into groups of PREC_BITS bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
35  * * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
36  * * U_i = U * 2^i, for i=0 ... PREC_N-2
37  * * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
38  * where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
39  * For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
40  * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
41  * None of the resulting prec group elements have a known scalar, and neither do any of
42  * the intermediate sums while computing a*G.
43  * The prec values are stored in secp256k1_ecmult_gen_prec_table[i][n_i] = n_i * (PREC_G)^i * G + U_i.
44  */
45 static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *gn) {
47  int g = ECMULT_GEN_PREC_G(bits);
48  int n = ECMULT_GEN_PREC_N(bits);
49 
50  secp256k1_ge add;
52  secp256k1_scalar gnb;
53  int i, j, n_i;
54 
55  memset(&adds, 0, sizeof(adds));
56  *r = ctx->initial;
57  /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
58  secp256k1_scalar_add(&gnb, gn, &ctx->blind);
59  add.infinity = 0;
60  for (i = 0; i < n; i++) {
61  n_i = secp256k1_scalar_get_bits(&gnb, i * bits, bits);
62  for (j = 0; j < g; j++) {
73  secp256k1_ge_storage_cmov(&adds, &secp256k1_ecmult_gen_prec_table[i][j], j == n_i);
74  }
75  secp256k1_ge_from_storage(&add, &adds);
76  secp256k1_gej_add_ge(r, r, &add);
77  }
78  n_i = 0;
79  secp256k1_ge_clear(&add);
80  secp256k1_scalar_clear(&gnb);
81 }
82 
83 /* Setup blinding values for secp256k1_ecmult_gen. */
84 static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32) {
86  secp256k1_gej gb;
87  secp256k1_fe s;
88  unsigned char nonce32[32];
90  int overflow;
91  unsigned char keydata[64];
92  if (seed32 == NULL) {
93  /* When seed is NULL, reset the initial point and blinding value. */
94  secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
95  secp256k1_gej_neg(&ctx->initial, &ctx->initial);
96  secp256k1_scalar_set_int(&ctx->blind, 1);
97  return;
98  }
99  /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
100  secp256k1_scalar_get_b32(keydata, &ctx->blind);
105  VERIFY_CHECK(seed32 != NULL);
106  memcpy(keydata + 32, seed32, 32);
107  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
108  memset(keydata, 0, sizeof(keydata));
109  /* Accept unobservably small non-uniformity. */
110  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
111  overflow = !secp256k1_fe_set_b32(&s, nonce32);
112  overflow |= secp256k1_fe_is_zero(&s);
113  secp256k1_fe_cmov(&s, &secp256k1_fe_one, overflow);
114  /* Randomize the projection to defend against multiplier sidechannels.
115  Do this before our own call to secp256k1_ecmult_gen below. */
116  secp256k1_gej_rescale(&ctx->initial, &s);
117  secp256k1_fe_clear(&s);
118  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
119  secp256k1_scalar_set_b32(&b, nonce32, NULL);
120  /* A blinding value of 0 works, but would undermine the projection hardening. */
121  secp256k1_scalar_cmov(&b, &secp256k1_scalar_one, secp256k1_scalar_is_zero(&b));
122  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
123  memset(nonce32, 0, 32);
124  /* The random projection in ctx->initial ensures that gb will have a random projection. */
125  secp256k1_ecmult_gen(ctx, &gb, &b);
126  secp256k1_scalar_negate(&b, &b);
127  ctx->blind = b;
128  ctx->initial = gb;
129  secp256k1_scalar_clear(&b);
130  secp256k1_gej_clear(&gb);
131 }
132 
133 #endif /* SECP256K1_ECMULT_GEN_IMPL_H */
#define VERIFY_CHECK(cond)
Definition: util.h:96
#define ECMULT_GEN_PREC_G(bits)
Definition: ecmult_gen.h:28
const secp256k1_ge_storage secp256k1_ecmult_gen_prec_table[ECMULT_GEN_PREC_N(ECMULT_GEN_PREC_BITS)][ECMULT_GEN_PREC_G(ECMULT_GEN_PREC_BITS)]
secp256k1_scalar blind
Definition: ecmult_gen.h:36
#define ECMULT_GEN_PREC_N(bits)
Definition: ecmult_gen.h:29
int infinity
Definition: group.h:19
void * memcpy(void *a, const void *b, size_t c)
#define ECMULT_GEN_PREC_BITS
Definition: ecmult_gen.h:14
unsigned int bits[ATOMS]
Definition: rctTypes.h:136