
Retry if r is zero during signing
Closed, Public

Authored by deadalnix on Sep 27 2020, 21:33.

Details

Reviewers
majcosta
Group Reviewers
Restricted Project
Commits
rABC1745e523aae1: Retry if r is zero during signing
Summary
  • Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"

This reverts commit 25e3cfbf9b52d2f5afa543f967a73aa8850d2038. The reverted
commit was probably based on the assumption that the touched checks cover the
secret nonce k instead of r, which is the x-coord of the public nonce. A
signature with a zero r is invalid by the spec, so we should return 0 to make
the caller retry with a different nonce. Overflow is not an issue.

Fixes #720.

  • Make ecdsa_sig_sign constant-time again after reverting 25e3cfb

This is a backport of libsecp256k1 PR732

Test Plan
ninja check-secp256k1
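
The retry contract described in the summary, as an added example that is not part of this revision or of libsecp256k1: a toy ECDSA signer on the textbook-sized curve y^2 = x^3 + 2x + 2 over F_17 (G = (5,1), order 19), where nonce 7 yields r = 0. All function names and parameters are assumptions made for illustration, sequential nonces stand in for real nonce derivation, and the code makes no attempt at constant-time behaviour.

```c
#include <stdio.h>
/* Toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5,1) has prime order 19.
 * Constructed textbook-sized parameters, far too small for real use. */
enum { P = 17, N = 19, A = 2 };
typedef struct { int x, y, inf; } point;
static const point G = {5, 1, 0};
static int mod(int v, int m) { return ((v % m) + m) % m; }
static int inv(int v, int m) {            /* v^(m-2) mod m, m prime */
    int r = 1, i;
    for (i = 0; i < m - 2; i++) r = mod(r * v, m);
    return r;
}
static point add(point a, point b) {
    point o = {0, 0, 0};
    int l;                                /* slope of the chord or tangent */
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && mod(a.y + b.y, P) == 0) { o.inf = 1; return o; }
    if (a.x == b.x) l = mod((3 * a.x * a.x + A) * inv(2 * a.y, P), P);
    else l = mod((b.y - a.y) * inv(mod(b.x - a.x, P), P), P);
    o.x = mod(l * l - a.x - b.x, P);
    o.y = mod(l * (a.x - o.x) - a.y, P);
    return o;
}
static point mul(int k, point g) {        /* k*g by repeated addition */
    point r = {0, 0, 1};
    while (k-- > 0) r = add(r, g);
    return r;
}
/* One signing attempt with nonce k, key d, message hash z.
 * Returns 0 when r or s is zero so the caller knows to pick another nonce. */
int toy_sign(int *r, int *s, int d, int z, int k) {
    *r = mod(mul(k, G).x, N);             /* r = x-coordinate of kG, mod n */
    *s = mod(inv(k, N) * mod(z + *r * d, N), N);
    return (*r != 0) & (*s != 0);
}
/* Caller: try nonces k0, k0+1, ... (a stand-in for real nonce derivation).
 * Returns the nonce that produced a valid signature, or 0 if none did. */
int sign_with_retry(int *r, int *s, int d, int z, int k0) {
    int k;
    for (k = k0; k < N; k++)
        if (toy_sign(r, s, d, z, k)) return k;
    return 0;
}
int main(void) {
    int r, s, k = sign_with_retry(&r, &s, 3, 10, 7);   /* 7G = (0,6): r == 0 */
    printf("nonce 7 rejected, used k=%d: r=%d s=%d\n", k, r, s);
    return 0;
}
```

On this curve the zero-r case is easy to hit because 7G and 12G both have x-coordinate 0; on secp256k1 the same condition is vanishingly unlikely, but the signer still has to report it rather than emit an invalid signature.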

Event Timeline

[Bot Message]
One or more PR numbers were detected in the summary.
Links to those PRs have been inserted into the summary for reference.

This revision is now accepted and ready to land. Sep 27 2020, 21:48
This revision was automatically updated to reflect the committed changes.