Skip to content

Commit

Permalink
Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
Browse files Browse the repository at this point in the history
  • Loading branch information
real-or-random committed Mar 31, 2020
1 parent 93d343b commit 37ed51a
Showing 1 changed file with 4 additions and 9 deletions.
13 changes: 4 additions & 9 deletions src/ecdsa_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -288,14 +288,6 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
secp256k1_fe_normalize(&r.y);
secp256k1_fe_get_b32(b, &r.x);
secp256k1_scalar_set_b32(sigr, b, &overflow);
if (secp256k1_scalar_is_zero(sigr)) {
/* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature.
* This branch is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
*/
secp256k1_gej_clear(&rp);
secp256k1_ge_clear(&r);
return 0;
}
if (recid) {
/* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
* of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
Expand All @@ -314,7 +306,10 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
if (recid) {
*recid ^= high;
}
return !secp256k1_scalar_is_zero(sigs);
/* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature.
* This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
*/
return !secp256k1_scalar_is_zero(sigr) & !secp256k1_scalar_is_zero(sigs);
}

#endif /* SECP256K1_ECDSA_IMPL_H */

0 comments on commit 37ed51a

Please sign in to comment.