
Eliminate harmless non-constant time operations on secret data.

Authored by Gregory Maxwell <greg@xiph.org> on Jan 11 2020, 01:01.

Description

Eliminate harmless non-constant time operations on secret data.

Summary:

  • Eliminate harmless non-constant time operations on secret data.

There were several places where the code was non-constant time
for invalid secret inputs. These are harmless under sane use
but get in the way of automatic const-time validation.

(Nonce overflow in signing is not addressed, nor is s==0 in
signing)

  • Adds a declassify operation to aid constant-time analysis.

ECDSA signing has a retry loop for the exceptionally unlikely case
that S==0. S is not a secret at this point and this case is so
rare that it will never be observed but branching on it will trip
up tools analysing if the code is constant time with respect to
secrets.

Derandomized ECDSA can also loop on k being zero or overflowing,
and while k is a secret these cases are too rare (1:2^255) to
ever observe and are also of no concern.

This adds a function for marking memory as no-longer-secret and
sets it up for use with the valgrind memcheck constant-time
test.

This is a backport of secp256k1 PR710.

Test Plan:

ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Subscribers: Fabien

Differential Revision: https://reviews.bitcoinabc.org/D5524
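As an added illustration of the mechanism described in the summary (not code from this commit, secp256k1 or Bitcoin ABC): memory is marked secret through valgrind's memcheck client requests so that any branch depending on it is reported, a secret-key validity check is computed as a mask instead of an early-return branch, and the ECDSA-style `s == 0` retry condition is only evaluated after s has been declassified. The function names and the toy arithmetic are assumptions, not the library's own.

```c
/* Added example (not secp256k1 or Bitcoin ABC code): the declassify pattern
 * that lets valgrind memcheck act as a constant-time checker. Build with
 * -DVALGRIND and run under valgrind to have memcheck report branches on
 * secret data; without -DVALGRIND the markers are no-ops. */
#include <stdint.h>
#include <stddef.h>

#ifdef VALGRIND
#include <valgrind/memcheck.h>
#else
#define VALGRIND_MAKE_MEM_UNDEFINED(p, n) ((void)(p), (void)(n))
#define VALGRIND_MAKE_MEM_DEFINED(p, n) ((void)(p), (void)(n))
#endif

/* classify: mark memory as secret, so memcheck flags every conditional jump
 * or memory index depending on it, as it does for uninitialised data.
 * declassify: mark memory as no longer secret (the operation the commit adds). */
static void classify(const void *p, size_t n) { VALGRIND_MAKE_MEM_UNDEFINED(p, n); }
static void declassify(const void *p, size_t n) { VALGRIND_MAKE_MEM_DEFINED(p, n); }

/* Branch-free zero test: all-ones mask if x == 0, else 0. */
static uint32_t ct_is_zero_mask(uint32_t x) {
    return (uint32_t)(((uint64_t)x - 1u) >> 32);
}

/* Secret-key validity (toy rule: nonzero) computed as a mask instead of an
 * early-return branch, so an invalid key follows the same code path. */
static int toy_seckey_verify(uint32_t seckey) {
    return (int)((ct_is_zero_mask(seckey) & 1u) ^ 1u);  /* 1 = valid */
}

/* Toy per-attempt nonce derived from the secret key and the retry counter. */
static uint32_t toy_nonce(uint32_t seckey, uint32_t attempt) {
    return seckey * 0x9E3779B1u + attempt * 0x85EBCA6Bu;
}

/* Toy signing with the ECDSA-style retry loop. s depends on the secret, so
 * `s == 0` would look like a secret-dependent branch to memcheck; a zero s is
 * discarded and a nonzero s is published, so it is declassified before the
 * loop condition is evaluated. Returns the number of attempts (>= 1). */
static int toy_sign(uint32_t seckey, uint32_t msg, uint32_t *s_out) {
    uint32_t attempt = 0, s;
    classify(&seckey, sizeof seckey);
    do {
        s = msg + toy_nonce(seckey, attempt++);  /* stands in for k^-1 (z + r*d) mod n */
        declassify(&s, sizeof s);
    } while (s == 0);
    *s_out = s;
    return (int)attempt;
}
```

Moving the `declassify` call after the `while` test (or removing it under -DVALGRIND) reproduces the "Conditional jump or move depends on uninitialised value(s)" report that the constant-time test is built to catch.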

Details

Committed: deadalnix, Thu, Mar 26, 16:32
Pushed: deadalnix, Thu, Mar 26, 16:32
Reviewer: Restricted Project
Differential Revision: D5524: Eliminate harmless non-constant time operations on secret data.
Parents: rABCc90fe30c1983: [depends] Don't build libevent sample code
Branches: Unknown
Tags: Unknown