Differential D5347 Diff 16590 src/secp256k1/src/ecmult_gen_impl.h

Changeset View

Standalone View

src/secp256k1/src/ecmult_gen_impl.h

Show First 20 Lines • Show All 181 Lines • ▼ Show 20 Lines	if (seed32 != NULL) {
memcpy(keydata + 32, seed32, 32);		memcpy(keydata + 32, seed32, 32);
}		}
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);		secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
memset(keydata, 0, sizeof(keydata));		memset(keydata, 0, sizeof(keydata));
/* Retry for out of range results to achieve uniformity. */		/* Retry for out of range results to achieve uniformity. */
do {		do {
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);		secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
retry = !secp256k1_fe_set_b32(&s, nonce32);		retry = !secp256k1_fe_set_b32(&s, nonce32);
retry \|= secp256k1_fe_is_zero(&s);		retry = retry \|\| secp256k1_fe_is_zero(&s);
} while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > Fp. */		} while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > Fp. */
/* Randomize the projection to defend against multiplier sidechannels. */		/* Randomize the projection to defend against multiplier sidechannels. */
secp256k1_gej_rescale(&ctx->initial, &s);		secp256k1_gej_rescale(&ctx->initial, &s);
secp256k1_fe_clear(&s);		secp256k1_fe_clear(&s);
do {		do {
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);		secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
secp256k1_scalar_set_b32(&b, nonce32, &retry);		secp256k1_scalar_set_b32(&b, nonce32, &retry);
/* A blinding value of 0 works, but would undermine the projection hardening. */		/* A blinding value of 0 works, but would undermine the projection hardening. */
retry \|= secp256k1_scalar_is_zero(&b);		retry = retry \|\| secp256k1_scalar_is_zero(&b);
} while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > order. */		} while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > order. */
secp256k1_rfc6979_hmac_sha256_finalize(&rng);		secp256k1_rfc6979_hmac_sha256_finalize(&rng);
memset(nonce32, 0, 32);		memset(nonce32, 0, 32);
secp256k1_ecmult_gen(ctx, &gb, &b);		secp256k1_ecmult_gen(ctx, &gb, &b);
secp256k1_scalar_negate(&b, &b);		secp256k1_scalar_negate(&b, &b);
ctx->blind = b;		ctx->blind = b;
ctx->initial = gb;		ctx->initial = gb;
secp256k1_scalar_clear(&b);		secp256k1_scalar_clear(&b);
secp256k1_gej_clear(&gb);		secp256k1_gej_clear(&gb);
}		}

#endif /* SECP256K1_ECMULT_GEN_IMPL_H */		#endif /* SECP256K1_ECMULT_GEN_IMPL_H */