
Retry if r is zero during signing

Authored by deadalnix on Sep 27 2020, 21:33.


Group Reviewers
Restricted Project
rABC1745e523aae1: Retry if r is zero during signing
  • Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"

This reverts commit 25e3cfbf9b52d2f5afa543f967a73aa8850d2038. The reverted
commit was probably based on the assumption that the touched checks cover
the secret nonce k instead of r, which is the x-coord of the public
nonce. A signature with a zero r is invalid by the spec, so we should return 0
to make the caller retry with a different nonce. Overflow is not an issue.

Fixes #720.

  • Make ecdsa_sig_sign constant-time again after reverting 25e3cfb

This is a backport of libsecp256k1 PR732

Test Plan
ninja check-secp256k1
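
The retry behaviour described in the summary, as an added example that is not code from this revision or from libsecp256k1: ECDSA signing on a constructed 17-element toy curve where a nonce with r = 0 is actually reachable. The curve parameters, the `nonce` helper and all function names are assumptions made for illustration, and the toy arithmetic is not constant-time.

```c
#include <stdio.h>

/* Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, G = (5,1), group order 19.
   Tiny on purpose so that r == 0 is reachable; this is not secp256k1. */
enum { P = 17, A = 2, N = 19 };
typedef struct { int x, y, inf; } pt;

static int md(int a, int m) { a %= m; return a < 0 ? a + m : a; }
static int inv(int a, int m) {             /* brute-force inverse, fine for tiny m */
    for (int i = 1; i < m; i++) if (md(a * i, m) == 1) return i;
    return 0;
}
static pt add(pt a, pt b) {
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && md(a.y + b.y, P) == 0) return (pt){0, 0, 1};
    int l = (a.x == b.x) ? md((3 * a.x * a.x + A) * inv(2 * a.y, P), P)
                         : md((b.y - a.y) * inv(md(b.x - a.x, P), P), P);
    int x = md(l * l - a.x - b.x, P);
    return (pt){x, md(l * (a.x - x) - a.y, P), 0};
}
static pt mul(int k) {                     /* k*G by repeated addition */
    pt r = {0, 0, 1}, g = {5, 1, 0};
    while (k-- > 0) r = add(r, g);
    return r;
}

/* Returns 1 and fills r,s on success. Returns 0 with r = s = 0 when r or s is
   zero (an invalid signature), so the caller retries. Requires 0 < k < N. */
int sign(int z, int d, int k, int *r, int *s) {
    int rr = md(mul(k).x, N);              /* r = x-coordinate of the public nonce k*G */
    int ss = md(inv(k, N) * (z + rr * d), N);
    int ok = (rr != 0) & (ss != 0);
    *r = rr * ok; *s = ss * ok;
    return ok;
}

/* Hypothetical toy nonce derivation with an attempt counter; not a secure scheme. */
static int nonce(int z, int d, int attempt) { return 1 + md(z + 7 * d + attempt, N - 1); }

/* Caller side: retry with a different nonce until sign() succeeds.
   Returns the number of attempts used, or 0 if every nonce failed. */
int sign_retry(int z, int d, int *r, int *s) {
    for (int attempt = 0; attempt < N - 1; attempt++)
        if (sign(z, d, nonce(z, d, attempt), r, s)) return attempt + 1;
    return 0;
}

int main(void) {
    int r, s, n = sign_retry(3, 3, &r, &s); /* constructed message hash and key */
    printf("attempts=%d r=%d s=%d\n", n, r, s);
    return 0;
}
```

With the constructed inputs z = 3 and d = 3, the first nonce is k = 7, whose public nonce 7G = (0, 6) has a zero x-coordinate, so the first attempt is rejected and the second one produces the signature.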

Diff Detail

rABC Bitcoin ABC
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

[Bot Message]
One or more PR numbers were detected in the summary.
Links to those PRs have been inserted into the summary for reference.

This revision is now accepted and ready to land. Sep 27 2020, 21:48
This revision was automatically updated to reflect the committed changes.