Differential D7586

Retry if r is zero during signing
ClosedPublic
Actions

Authored by deadalnix on Sep 27 2020, 21:33.

Tags

None

Subscribers

None

Details

Reviewers

Group Reviewers

Restricted Project

Commits

rABC1745e523aae1: Retry if r is zero during signing

Summary

Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"

This reverts commit 25e3cfbf9b52d2f5afa543f967a73aa8850d2038. The reverted
commit was probably based on the assumption that this is about the touched
checks cover the secret nonce k instead of r, which is the x-coord of the public
nonce. A signature with a zero r is invalid by the spec, so we should return 0
to make the caller retry with a different nonce. Overflow is not an issue.

Fixes #720.

Make ecdsa_sig_sign constant-time again after reverting 25e3cfb

This is a backport of libsecp256k1 PR732

Test Plan

ninja check-secp256k1

Diff Detail

Repository

rABC Bitcoin ABC

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

deadalnix created this revision.Sep 27 2020, 21:33

Herald added a reviewer: Restricted Project. · View Herald TranscriptSep 27 2020, 21:33

deadalnix requested review of this revision.Sep 27 2020, 21:33

[Bot Message]
One or more PR numbers were detected in the summary.
Links to those PRs have been inserted into the summary for reference.

majcosta accepted this revision.Sep 27 2020, 21:48

This revision is now accepted and ready to land.Sep 27 2020, 21:48

Harbormaster completed remote builds in B12948: Diff 23838.Sep 27 2020, 21:49

Closed by commit rABC1745e523aae1: Retry if r is zero during signing (authored by Tim Ruffing <crypto@timruffing.de>, committed by deadalnix). · Explain WhySep 27 2020, 21:53

This revision was automatically updated to reflect the committed changes.

deadalnix added a commit: rABC1745e523aae1: Retry if r is zero during signing.

Revision Contents
Changeset List

Path

Size

src/

secp256k1/

src/

9 lines

Diff 23845

src/secp256k1/src/ecdsa_impl.h

Loading...