Eliminate harmless non-constant time operations on secret data.
ClosedPublic
Actions

Authored by deadalnix on Mar 20 2020, 00:37.

Details

Reviewers

Group Reviewers

Restricted Project

Commits

rSTAGING46e449e05795: Eliminate harmless non-constant time operations on secret data.
rABC46e449e05795: Eliminate harmless non-constant time operations on secret data.

Summary

Eliminate harmless non-constant time operations on secret data.

There were several places where the code was non-constant time
for invalid secret inputs. These are harmless under sane use
but get in the way of automatic const-time validation.

(Nonce overflow in signing is not addressed, nor is s==0 in
signing)

Adds a declassify operation to aid constant-time analysis.

ECDSA signing has a retry loop for the exceptionally unlikely case
that S==0. S is not a secret at this point and this case is so
rare that it will never be observed but branching on it will trip
up tools analysing if the code is constant time with respect to
secrets.

Derandomized ECDSA can also loop on k being zero or overflowing,
and while k is a secret these cases are too rare (1:2^255) to
ever observe and are also of no concern.

This adds a function for marking memory as no-longer-secret and
sets it up for use with the valgrind memcheck constant-time
test.

This is a backport of secp256k1 PR710

Test Plan

ninja check-secp256k1

Diff Detail

Repository

rABC Bitcoin ABC

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

deadalnix created this revision.Mar 20 2020, 00:37

Herald added a reviewer: Restricted Project. · View Herald TranscriptMar 20 2020, 00:37

Build Bitcoin-ABC / Diffs / Diff Testing (build-diff) started.

Build Bitcoin-ABC / Diffs / Diff Testing (build-diff) passed.

Harbormaster completed remote builds in B9903: Diff 17068.Mar 20 2020, 00:54

Did you run the Travis build ?
Should we add a cmake option to enable valgrind as well ? That would at least make the CI cover the same tests between the 2 builds.

Comments can be addressed later on

This revision is now accepted and ready to land.Mar 26 2020, 16:31

Closed by commit rABC46e449e05795: Eliminate harmless non-constant time operations on secret data. (authored by Gregory Maxwell <greg@xiph.org>, committed by deadalnix). · Explain WhyMar 26 2020, 16:32

This revision was automatically updated to reflect the committed changes.

deadalnix added a commit: rABC46e449e05795: Eliminate harmless non-constant time operations on secret data..

Fabien mentioned this in D5588: [SECP256K1] Fix Travis missing ninja.Mar 27 2020, 13:46

Fabien mentioned this in rABCb6265e2acb6c: [SECP256K1] Fix Travis missing ninja.Mar 27 2020, 13:56

deadalnix added a commit: rSTAGING46e449e05795: Eliminate harmless non-constant time operations on secret data..Apr 7 2020, 23:29

Fabien mentioned this in rSTAGINGb6265e2acb6c: [SECP256K1] Fix Travis missing ninja.Apr 7 2020, 23:30