[secp256k1.git] / src / ecmult_gen_impl.h

/**********************************************************************
 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell      *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

#ifndef _SECP256K1_ECMULT_GEN_IMPL_H_
#define _SECP256K1_ECMULT_GEN_IMPL_H_

#include "scalar.h"
#include "group.h"
#include "ecmult_gen.h"
#include "hash_impl.h"
#ifdef USE_ECMULT_STATIC_PRECOMPUTATION
#include "ecmult_static_context.h"
#endif
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context_t *ctx) {
    ctx->prec = NULL;
}

static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context_t *ctx, const callback_t* cb) {
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
    secp256k1_ge_t prec[1024];
    secp256k1_gej_t gj;
    secp256k1_gej_t nums_gej;
    int i, j;
#endif

    if (ctx->prec != NULL) {
        return;
    }
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
    ctx->prec = (secp256k1_ge_storage_t (*)[64][16])checked_malloc(cb, sizeof(*ctx->prec));

    /* get the generator */
    secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);

    /* Construct a group element with no known corresponding scalar (nothing up my sleeve). */
    {
        static const unsigned char nums_b32[33] = "The scalar for this x is unknown";
        secp256k1_fe_t nums_x;
        secp256k1_ge_t nums_ge;
        VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32));
        VERIFY_CHECK(secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0));
        secp256k1_gej_set_ge(&nums_gej, &nums_ge);
        /* Add G to make the bits in x uniformly distributed. */
        secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, &secp256k1_ge_const_g, NULL);
    }

    /* compute prec. */
    {
        secp256k1_gej_t precj[1024]; /* Jacobian versions of prec. */
        secp256k1_gej_t gbase;
        secp256k1_gej_t numsbase;
        gbase = gj; /* 16^j * G */
        numsbase = nums_gej; /* 2^j * nums. */
        for (j = 0; j < 64; j++) {
            /* Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase). */
            precj[j*16] = numsbase;
            for (i = 1; i < 16; i++) {
                secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase, NULL);
            }
            /* Multiply gbase by 16. */
            for (i = 0; i < 4; i++) {
                secp256k1_gej_double_var(&gbase, &gbase, NULL);
            }
            /* Multiply numbase by 2. */
            secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
            if (j == 62) {
                /* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
                secp256k1_gej_neg(&numsbase, &numsbase);
                secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
            }
        }
        secp256k1_ge_set_all_gej_var(1024, prec, precj, cb);
    }
    for (j = 0; j < 64; j++) {
        for (i = 0; i < 16; i++) {
            secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*16 + i]);
        }
    }
#else
    (void)cb;
    ctx->prec = (secp256k1_ge_storage_t (*)[64][16])secp256k1_ecmult_static_context;
#endif
    secp256k1_ecmult_gen_blind(ctx, NULL);
}

static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context_t* ctx) {
    return ctx->prec != NULL;
}

static void secp256k1_ecmult_gen_context_clone(secp256k1_ecmult_gen_context_t *dst,
                                               const secp256k1_ecmult_gen_context_t *src, const callback_t* cb) {
    if (src->prec == NULL) {
        dst->prec = NULL;
    } else {
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
        dst->prec = (secp256k1_ge_storage_t (*)[64][16])checked_malloc(cb, sizeof(*dst->prec));
        memcpy(dst->prec, src->prec, sizeof(*dst->prec));
#else
        (void)cb;
        dst->prec = src->prec;
#endif
        dst->initial = src->initial;
        dst->blind = src->blind;
    }
}

static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context_t *ctx) {
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
    free(ctx->prec);
#endif
    secp256k1_scalar_clear(&ctx->blind);
    secp256k1_gej_clear(&ctx->initial);
    ctx->prec = NULL;
}

static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context_t *ctx, secp256k1_gej_t *r, const secp256k1_scalar_t *gn) {
    secp256k1_ge_t add;
    secp256k1_ge_storage_t adds;
    secp256k1_scalar_t gnb;
    int bits;
    int i, j;
    memset(&adds, 0, sizeof(adds));
    *r = ctx->initial;
    /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
    secp256k1_scalar_add(&gnb, gn, &ctx->blind);
    add.infinity = 0;
    for (j = 0; j < 64; j++) {
        bits = secp256k1_scalar_get_bits(&gnb, j * 4, 4);
        for (i = 0; i < 16; i++) {
            /** This uses a conditional move to avoid any secret data in array indexes.
             *   _Any_ use of secret indexes has been demonstrated to result in timing
             *   sidechannels, even when the cache-line access patterns are uniform.
             *  See also:
             *   "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
             *    (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
             *   "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
             *    by Dag Arne Osvik, Adi Shamir, and Eran Tromer
             *    (http://www.tau.ac.il/~tromer/papers/cache.pdf)
             */
            secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits);
        }
        secp256k1_ge_from_storage(&add, &adds);
        secp256k1_gej_add_ge(r, r, &add);
    }
    bits = 0;
    secp256k1_ge_clear(&add);
    secp256k1_scalar_clear(&gnb);
}

/* Setup blinding values for secp256k1_ecmult_gen. */
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context_t *ctx, const unsigned char *seed32) {
    secp256k1_scalar_t b;
    secp256k1_gej_t gb;
    secp256k1_fe_t s;
    unsigned char nonce32[32];
    secp256k1_rfc6979_hmac_sha256_t rng;
    int retry;
    unsigned char keydata[64] = {0};
    if (!seed32) {
        /* When seed is NULL, reset the initial point and blinding value. */
        secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
        secp256k1_gej_neg(&ctx->initial, &ctx->initial);
        secp256k1_scalar_set_int(&ctx->blind, 1);
    }
    /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
    secp256k1_scalar_get_b32(nonce32, &ctx->blind);
    /** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data,
     *   and guards against weak or adversarial seeds.  This is a simpler and safer interface than
     *   asking the caller for blinding values directly and expecting them to retry on failure.
     */
    memcpy(keydata, nonce32, 32);
    if (seed32) {
        memcpy(keydata + 32, seed32, 32);
    }
    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
    memset(keydata, 0, sizeof(keydata));
    /* Retry for out of range results to achieve uniformity. */
    do {
        secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
        retry = !secp256k1_fe_set_b32(&s, nonce32);
        retry |= secp256k1_fe_is_zero(&s);
    } while (retry);
    /* Randomize the projection to defend against multiplier sidechannels. */
    secp256k1_gej_rescale(&ctx->initial, &s);
    secp256k1_fe_clear(&s);
    do {
        secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
        secp256k1_scalar_set_b32(&b, nonce32, &retry);
        /* A blinding value of 0 works, but would undermine the projection hardening. */
        retry |= secp256k1_scalar_is_zero(&b);
    } while (retry);
    secp256k1_rfc6979_hmac_sha256_finalize(&rng);
    memset(nonce32, 0, 32);
    secp256k1_ecmult_gen(ctx, &gb, &b);
    secp256k1_scalar_negate(&b, &b);
    ctx->blind = b;
    ctx->initial = gb;
    secp256k1_scalar_clear(&b);
    secp256k1_gej_clear(&gb);
}

#endif
Commit	Line	Data
71712b27	1	/**********************************************************************
d2275795	2	* Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27 GM	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
	5	**********************************************************************/
949c1ebb PW	6
	7	#ifndef _SECP256K1_ECMULT_GEN_IMPL_H_
	8	#define _SECP256K1_ECMULT_GEN_IMPL_H_
	9
a9f5c8b8	10	#include "scalar.h"
949c1ebb PW	11	#include "group.h"
949c1ebb PW	12	#include "ecmult_gen.h"
d2275795	13	#include "hash_impl.h"
fbecc38a TD	14	#ifdef USE_ECMULT_STATIC_PRECOMPUTATION
	15	#include "ecmult_static_context.h"
	16	#endif
a9b6595e PW	17	static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context_t *ctx) {
	18	ctx->prec = NULL;
	19	}
949c1ebb	20
995c5487	21	static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context_t ctx, const callback_t cb) {
fbecc38a	22	#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
f735446c GM	23	secp256k1_ge_t prec[1024];
	24	secp256k1_gej_t gj;
	25	secp256k1_gej_t nums_gej;
f735446c	26	int i, j;
fbecc38a	27	#endif
a9b6595e PW	28
a9b6595e PW	29	if (ctx->prec != NULL) {
949c1ebb	30	return;
26320197	31	}
fbecc38a	32	#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
995c5487	33	ctx->prec = (secp256k1_ge_storage_t ()[64][16])checked_malloc(cb, sizeof(ctx->prec));
949c1ebb	34
71712b27	35	/* get the generator */
f735446c	36	secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
949c1ebb	37
71712b27	38	/* Construct a group element with no known corresponding scalar (nothing up my sleeve). */
949c1ebb	39	{
27bc1311	40	static const unsigned char nums_b32[33] = "The scalar for this x is unknown";
949c1ebb	41	secp256k1_fe_t nums_x;
949c1ebb	42	secp256k1_ge_t nums_ge;
f735446c	43	VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32));
39bd94d8	44	VERIFY_CHECK(secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0));
949c1ebb	45	secp256k1_gej_set_ge(&nums_gej, &nums_ge);
71712b27	46	/* Add G to make the bits in x uniformly distributed. */
2d5a186c	47	secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, &secp256k1_ge_const_g, NULL);
949c1ebb PW	48	}
949c1ebb PW	49
71712b27	50	/* compute prec. */
949c1ebb	51	{
71712b27	52	secp256k1_gej_t precj[1024]; /* Jacobian versions of prec. */
f735446c GM	53	secp256k1_gej_t gbase;
	54	secp256k1_gej_t numsbase;
	55	gbase = gj; /* 16^j * G */
	56	numsbase = nums_gej; /* 2^j * nums. */
	57	for (j = 0; j < 64; j++) {
71712b27	58	/* Set precj[j16 .. j16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15gbase). /
949c1ebb	59	precj[j*16] = numsbase;
f735446c	60	for (i = 1; i < 16; i++) {
4f9791ab	61	secp256k1_gej_add_var(&precj[j16 + i], &precj[j16 + i - 1], &gbase, NULL);
949c1ebb	62	}
71712b27	63	/* Multiply gbase by 16. */
f735446c	64	for (i = 0; i < 4; i++) {
4f9791ab	65	secp256k1_gej_double_var(&gbase, &gbase, NULL);
949c1ebb	66	}
71712b27	67	/* Multiply numbase by 2. */
4f9791ab	68	secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
949c1ebb	69	if (j == 62) {
71712b27	70	/* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
0295f0a3	71	secp256k1_gej_neg(&numsbase, &numsbase);
4f9791ab	72	secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
949c1ebb PW	73	}
949c1ebb PW	74	}
995c5487	75	secp256k1_ge_set_all_gej_var(1024, prec, precj, cb);
949c1ebb	76	}
f735446c GM	77	for (j = 0; j < 64; j++) {
f735446c GM	78	for (i = 0; i < 16; i++) {
a9b6595e	79	secp256k1_ge_to_storage(&(ctx->prec)[j][i], &prec[j16 + i]);
949c1ebb PW	80	}
949c1ebb PW	81	}
fbecc38a	82	#else
995c5487	83	(void)cb;
fbecc38a TD	84	ctx->prec = (secp256k1_ge_storage_t (*)[64][16])secp256k1_ecmult_static_context;
fbecc38a TD	85	#endif
d2275795	86	secp256k1_ecmult_gen_blind(ctx, NULL);
949c1ebb PW	87	}
949c1ebb PW	88
a9b6595e PW	89	static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context_t* ctx) {
	90	return ctx->prec != NULL;
	91	}
949c1ebb	92
d899b5b6	93	static void secp256k1_ecmult_gen_context_clone(secp256k1_ecmult_gen_context_t *dst,
995c5487	94	const secp256k1_ecmult_gen_context_t src, const callback_t cb) {
d899b5b6 AP	95	if (src->prec == NULL) {
	96	dst->prec = NULL;
	97	} else {
fbecc38a	98	#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
995c5487	99	dst->prec = (secp256k1_ge_storage_t ()[64][16])checked_malloc(cb, sizeof(dst->prec));
d899b5b6	100	memcpy(dst->prec, src->prec, sizeof(*dst->prec));
fbecc38a	101	#else
995c5487	102	(void)cb;
fbecc38a TD	103	dst->prec = src->prec;
fbecc38a TD	104	#endif
d2275795 GM	105	dst->initial = src->initial;
d2275795 GM	106	dst->blind = src->blind;
d899b5b6 AP	107	}
	108	}
	109
a9b6595e	110	static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context_t *ctx) {
fbecc38a	111	#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
a9b6595e	112	free(ctx->prec);
fbecc38a	113	#endif
d2275795 GM	114	secp256k1_scalar_clear(&ctx->blind);
d2275795 GM	115	secp256k1_gej_clear(&ctx->initial);
a9b6595e	116	ctx->prec = NULL;
949c1ebb PW	117	}
949c1ebb PW	118
a9b6595e	119	static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context_t ctx, secp256k1_gej_t r, const secp256k1_scalar_t *gn) {
949c1ebb	120	secp256k1_ge_t add;
55422b6a	121	secp256k1_ge_storage_t adds;
d2275795	122	secp256k1_scalar_t gnb;
f735446c GM	123	int bits;
f735446c GM	124	int i, j;
6534ee12	125	memset(&adds, 0, sizeof(adds));
d2275795 GM	126	*r = ctx->initial;
	127	/* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
	128	secp256k1_scalar_add(&gnb, gn, &ctx->blind);
efb7d4b2	129	add.infinity = 0;
f735446c	130	for (j = 0; j < 64; j++) {
d2275795	131	bits = secp256k1_scalar_get_bits(&gnb, j * 4, 4);
f735446c	132	for (i = 0; i < 16; i++) {
4450e24a GM	133	/** This uses a conditional move to avoid any secret data in array indexes.
	134	* _Any_ use of secret indexes has been demonstrated to result in timing
	135	* sidechannels, even when the cache-line access patterns are uniform.
	136	* See also:
	137	* "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
	138	* (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
	139	* "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
	140	* by Dag Arne Osvik, Adi Shamir, and Eran Tromer
	141	* (http://www.tau.ac.il/~tromer/papers/cache.pdf)
	142	*/
a9b6595e	143	secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits);
efb7d4b2	144	}
55422b6a	145	secp256k1_ge_from_storage(&add, &adds);
9338dbf7	146	secp256k1_gej_add_ge(r, r, &add);
949c1ebb PW	147	}
	148	bits = 0;
	149	secp256k1_ge_clear(&add);
d2275795 GM	150	secp256k1_scalar_clear(&gnb);
	151	}
	152
	153	/* Setup blinding values for secp256k1_ecmult_gen. */
	154	static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context_t ctx, const unsigned char seed32) {
	155	secp256k1_scalar_t b;
	156	secp256k1_gej_t gb;
	157	secp256k1_fe_t s;
	158	unsigned char nonce32[32];
	159	secp256k1_rfc6979_hmac_sha256_t rng;
	160	int retry;
3e6f1e20	161	unsigned char keydata[64] = {0};
d2275795 GM	162	if (!seed32) {
	163	/* When seed is NULL, reset the initial point and blinding value. */
	164	secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
	165	secp256k1_gej_neg(&ctx->initial, &ctx->initial);
	166	secp256k1_scalar_set_int(&ctx->blind, 1);
	167	}
	168	/* The prior blinding value (if not reset) is chained forward by including it in the hash. */
	169	secp256k1_scalar_get_b32(nonce32, &ctx->blind);
	170	/** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data,
	171	* and guards against weak or adversarial seeds. This is a simpler and safer interface than
	172	* asking the caller for blinding values directly and expecting them to retry on failure.
	173	*/
3e6f1e20 PW	174	memcpy(keydata, nonce32, 32);
	175	if (seed32) {
	176	memcpy(keydata + 32, seed32, 32);
	177	}
	178	secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
	179	memset(keydata, 0, sizeof(keydata));
d2275795 GM	180	/* Retry for out of range results to achieve uniformity. */
	181	do {
	182	secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
	183	retry = !secp256k1_fe_set_b32(&s, nonce32);
	184	retry \|= secp256k1_fe_is_zero(&s);
	185	} while (retry);
	186	/* Randomize the projection to defend against multiplier sidechannels. */
	187	secp256k1_gej_rescale(&ctx->initial, &s);
	188	secp256k1_fe_clear(&s);
	189	do {
	190	secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
	191	secp256k1_scalar_set_b32(&b, nonce32, &retry);
	192	/* A blinding value of 0 works, but would undermine the projection hardening. */
	193	retry \|= secp256k1_scalar_is_zero(&b);
	194	} while (retry);
	195	secp256k1_rfc6979_hmac_sha256_finalize(&rng);
	196	memset(nonce32, 0, 32);
	197	secp256k1_ecmult_gen(ctx, &gb, &b);
	198	secp256k1_scalar_negate(&b, &b);
	199	ctx->blind = b;
	200	ctx->initial = gb;
	201	secp256k1_scalar_clear(&b);
	202	secp256k1_gej_clear(&gb);
949c1ebb PW	203	}
	204
	205	#endif