status-im
/
secp256k1
mirror of https://github.com/status-im/secp256k1.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Don't invert scalar in wnaf_fixed when it is even because a caller might 

intentionally give a scalar with many leading zeros.
This commit is contained in:
Jonas Nick 2018-03-11 15:32:54 -04:00
parent 6dbb007869
commit 96f68a0afc
1 changed files with 5 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/ecmult_impl.h
View File

@ -563,15 +563,11 @@ static size_t secp256k1_strauss_max_points(secp256k1_scratch *scratch) {
* It has the following guarantees: * It has the following guarantees:
* - each wnaf[i] is either 0 or an odd integer between -(1 << w) and (1 << w) * - each wnaf[i] is either 0 or an odd integer between -(1 << w) and (1 << w)
* - the number of words set is always WNAF_SIZE(w) * - the number of words set is always WNAF_SIZE(w)
* - the returned skew is 0 without endomorphism, or 0 or 1 with endomorphism * - the returned skew is 0 or 1
*/ */
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w) { static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w) {
int sign = 0;
int skew = 0; int skew = 0;
int pos = 1; int pos = 1;
#ifndef USE_ENDOMORPHISM
secp256k1_scalar neg_s;
#endif
const secp256k1_scalar *work = s; const secp256k1_scalar *work = s;
if (secp256k1_scalar_is_zero(s)) { if (secp256k1_scalar_is_zero(s)) {
@ -583,16 +579,10 @@ static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w) {
} }
if (secp256k1_scalar_is_even(s)) { if (secp256k1_scalar_is_even(s)) {
#ifdef USE_ENDOMORPHISM
skew = 1; skew = 1;
#else
secp256k1_scalar_negate(&neg_s, s);
work = &neg_s;
sign = -1;
#endif
} }
wnaf[0] = (secp256k1_scalar_get_bits_var(work, 0, w) + skew + sign) ^ sign; wnaf[0] = secp256k1_scalar_get_bits_var(work, 0, w) + skew;
while (pos * w < WNAF_BITS) { while (pos * w < WNAF_BITS) {
int now = w; int now = w;
@ -602,10 +592,10 @@ static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w) {
} }
val = secp256k1_scalar_get_bits_var(work, pos * w, now); val = secp256k1_scalar_get_bits_var(work, pos * w, now);
if ((val & 1) == 0) { if ((val & 1) == 0) {
wnaf[pos - 1] -= ((1 << w) + sign) ^ sign; wnaf[pos - 1] -= (1 << w);
wnaf[pos] = (val + 1 + sign) ^ sign; wnaf[pos] = (val + 1);
} else { } else {
wnaf[pos] = (val + sign) ^ sign; wnaf[pos] = val;
} }
/* Set a coefficient to zero if it is 1 or -1 and the proceeding digit /* Set a coefficient to zero if it is 1 or -1 and the proceeding digit
* is strictly negative or strictly positive respectively. Only change * is strictly negative or strictly positive respectively. Only change
@ -678,7 +668,6 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
secp256k1_ge tmp; secp256k1_ge tmp;
int idx; int idx;
#ifdef USE_ENDOMORPHISM
if (i == 0) { if (i == 0) {
/* correct for wnaf skew */ /* correct for wnaf skew */
int skew = point_state.skew_na; int skew = point_state.skew_na;
@ -687,7 +676,6 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
secp256k1_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL); secp256k1_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL);
} }
} }
#endif
if (n > 0) { if (n > 0) {
idx = (n - 1)/2; idx = (n - 1)/2;
secp256k1_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL); secp256k1_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL);