Merge bitcoin-core/secp256k1#942: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.

099bad945e Comment and check a parameter for inf in secp256k1_ecmult_const. (Russell O'Connor)
6c0be857f8 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set. (Russell O'Connor)

Pull request description:

  a->x and a->y should not be used if the infinity flag is set.

ACKs for top commit:
  robot-dreams:
    ACK 099bad945e
  real-or-random:
    ACK 099bad945e I inspected all call sites, they all ensure that a is not infinity

Tree-SHA512: 495fcfe4ec4cacb3fc64bd5d04ecc67ab34f6b63666c6169d473abfd63c2041bc501a9a60d817566517435b986406ea2b7db3f5806043cecf30e214eba9892e9
This commit is contained in:
Tim Ruffing 2021-12-07 11:07:08 +01:00
commit 5d0dbef018
No known key found for this signature in database
GPG Key ID: 8C461CCD293F6011
3 changed files with 3 additions and 0 deletions

View File

@ -14,6 +14,7 @@
* Multiply: R = q*A (in constant-time) * Multiply: R = q*A (in constant-time)
* Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus
* one because we internally sometimes add 2 to the number during the WNAF conversion. * one because we internally sometimes add 2 to the number during the WNAF conversion.
* A must not be infinity.
*/ */
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits); static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits);

View File

@ -168,6 +168,7 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
* that the Z coordinate was 1, use affine addition formulae, and correct * that the Z coordinate was 1, use affine addition formulae, and correct
* the Z coordinate of the result once at the end. * the Z coordinate of the result once at the end.
*/ */
VERIFY_CHECK(!a->infinity);
secp256k1_gej_set_ge(r, a); secp256k1_gej_set_ge(r, a);
secp256k1_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r); secp256k1_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r);
for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {

View File

@ -67,6 +67,7 @@ static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0,
static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) { static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) {
secp256k1_fe zi2; secp256k1_fe zi2;
secp256k1_fe zi3; secp256k1_fe zi3;
VERIFY_CHECK(!a->infinity);
secp256k1_fe_sqr(&zi2, zi); secp256k1_fe_sqr(&zi2, zi);
secp256k1_fe_mul(&zi3, &zi2, zi); secp256k1_fe_mul(&zi3, &zi2, zi);
secp256k1_fe_mul(&r->x, &a->x, &zi2); secp256k1_fe_mul(&r->x, &a->x, &zi2);