Merge bitcoin-core/secp256k1#942: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
099bad945e
Comment and check a parameter for inf in secp256k1_ecmult_const. (Russell O'Connor)
6c0be857f8 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set. (Russell O'Connor)
Pull request description: a->x and a->y should not be used if the infinity flag is set.
ACKs for top commit:
robot-dreams: ACK 099bad945e
real-or-random: ACK 099bad945e
I inspected all call sites, they all ensure that a is not infinity
Tree-SHA512: 495fcfe4ec4cacb3fc64bd5d04ecc67ab34f6b63666c6169d473abfd63c2041bc501a9a60d817566517435b986406ea2b7db3f5806043cecf30e214eba9892e9
commit
5d0dbef018
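--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -14,6 +14,7 @@
 * Multiply: R = q*A (in constant-time)
 * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus
 * one because we internally sometimes add 2 to the number during the WNAF conversion.
+* A must not be infinity.
 */
 static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits);
 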
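--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -168,6 +168,7 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
 * that the Z coordinate was 1, use affine addition formulae, and correct
 * the Z coordinate of the result once at the end.
 */
+VERIFY_CHECK(!a->infinity);
 secp256k1_gej_set_ge(r, a);
 secp256k1_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r);
 for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {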
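Review bot: The new `VERIFY_CHECK(!a->infinity);` sits immediately before `secp256k1_gej_set_ge(r, a)` at line 168, well past the opening of secp256k1_ecmult_const, whose signature and earlier statements lie outside this hunk. If any of those earlier lines read `a` (not visible from here), they execute before the precondition is asserted, so the check would guard only the remainder of the body; placing it as the first statement after the declarations would make the contract hold for the whole function. If the preceding lines are only declarations, the current placement is fine and a brief why-comment such as `/* a->x and a->y are only meaningful when a is not infinity */` would tie the check to the header comment added for this function.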
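--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -67,6 +67,7 @@ static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0,
 static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) {
 secp256k1_fe zi2;
 secp256k1_fe zi3;
+VERIFY_CHECK(!a->infinity);
 secp256k1_fe_sqr(&zi2, zi);
 secp256k1_fe_mul(&zi3, &zi2, zi);
 secp256k1_fe_mul(&r->x, &a->x, &zi2);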
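Review bot: The precondition on secp256k1_ge_set_gej_zinv is recorded only as `VERIFY_CHECK(!a->infinity);`, which presumably compiles to nothing outside VERIFY builds, whereas the first hunk also documents the same requirement in prose for secp256k1_ecmult_const (`* A must not be infinity.`); this function gets no such comment, so callers reading a non-VERIFY build have no stated contract. A one-line comment above the check, `/* a must not be infinity: r->x is computed from a->x, which carries no meaning when a->infinity is set. */`, would carry the requirement into every build and match the style of the header change. The hunk shows r->x being derived from a->x on its last line; the rest of the body, including whatever is done with r->y and r->infinity, continues past the hunk and is not visible here.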