Differential D18158

[secp256k1] ct: Use volatile "trick" in all fe/scalar cmov implementations
ClosedPublic
Actions

Authored by Fabien on May 27 2025, 12:51.

Tags

None

Subscribers

None

Details

Reviewers

Group Reviewers

Restricted Project

Commits

rABC6b929618200e: [secp256k1] ct: Use volatile "trick" in all fe/scalar cmov implementations

Summary

Apparently clang 15 is able to compile our cmov code into a branch,
at least for fe_cmov and fe_storage_cmov. This commit makes the
condition volatile in all cmov implementations (except ge but that
one only calls into the fe impls).

This is just a quick fix. We should still look into other methods,
e.g., asm and #457. We should also consider not caring about
constant-time in scalar_low_impl.h

We should also consider testing on very new compilers in nightly CI,
see https://github.com/bitcoin-core/secp256k1/pull/864#issuecomment-769211867

Backport of secp256k1#1257 and secp256k1#1303.

Depends on D18157.

Test Plan

See CI (the issue occurs after the CI migration to bookworm) here: https://cirrus-ci.com/build/6479968802177024
ninja check-secp256k1

Diff Detail

Repository

rABC Bitcoin ABC

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

Fabien created this revision.May 27 2025, 12:51

Herald added a reviewer: Restricted Project. · View Herald TranscriptMay 27 2025, 12:51

Fabien requested review of this revision.May 27 2025, 12:51

teamcity edited the summary of this revision. (Show Details)May 27 2025, 12:51

Fabien added a child revision: D18159: ci: Adjust Docker image to Debian 12 "bookworm".May 27 2025, 13:02

Harbormaster completed remote builds in B33452: Diff 54211.May 27 2025, 13:04

PiRK accepted this revision.May 27 2025, 15:07

This revision is now accepted and ready to land.May 27 2025, 15:07

Closed by commit rABC6b929618200e: [secp256k1] ct: Use volatile "trick" in all fe/scalar cmov implementations (authored by Fabien). · Explain WhyMay 27 2025, 21:27

This revision was automatically updated to reflect the committed changes.

Fabien added a commit: rABC6b929618200e: [secp256k1] ct: Use volatile "trick" in all fe/scalar cmov implementations.

Revision Contents
Changeset List

Path

Size

src/

secp256k1/

src/

ecmult_const_impl.h

2 lines

field_10x26_impl.h

6 lines

field_5x52_impl.h

6 lines

modinv32_impl.h

33 lines

modinv64_impl.h

31 lines

scalar_4x64_impl.h

9 lines

scalar_8x32_impl.h

9 lines

scalar_low_impl.h

3 lines

Diff 54216

src/secp256k1/src/ecmult_const_impl.h

Loading...

src/secp256k1/src/field_10x26_impl.h

Loading...

src/secp256k1/src/field_5x52_impl.h

Loading...

src/secp256k1/src/modinv32_impl.h

Loading...

src/secp256k1/src/modinv64_impl.h

Loading...

src/secp256k1/src/scalar_4x64_impl.h

Loading...

src/secp256k1/src/scalar_8x32_impl.h

Loading...

src/secp256k1/src/scalar_low_impl.h

Loading...