Add _ge_set_all_gej and use it in musig for own public nonces #1614
Conversation
src/group.h
Outdated
| @@ -80,7 +80,10 @@ static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a); | |||
| /** Set a group element equal to another which is given in jacobian coordinates. */ | |||
| static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a); | |||
|
|
|||
| /** Set a batch of group elements equal to the inputs given in jacobian coordinates */ | |||
| /** Set a batch of group elements equal to the inputs given in jacobian coordinates (affine). Constant time. */ | |||
There was a problem hiding this comment.
Explicitly say that the inputs are not allowed to be infinity?
There was a problem hiding this comment.
rephrased the entire docstring
real-or-random
force-pushed
the
202410-ct-batch-inv
branch
2 times, most recently
from
218ebfb
to
1ba332a
Compare
src/group.h
Outdated
| static void secp256k1_ge_set_all_gej(secp256k1_ge *r, const secp256k1_gej *a, size_t len); | ||
|
|
||
| /** Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian). | ||
| * None of the group elements in a[0:len] may be infinity. */ |
There was a problem hiding this comment.
Shouldn't this description differ from the constant-time variant, as infinity group elements are allowed here? (e.g. "can be infinity")
There was a problem hiding this comment.
Oh, copy and paste... Should be fixed, I simply dropped the sentence.
This is a dump mechanical translation of secp256k1_ge_set_all_gej_var that assumes that inputs are not infinity.
No semantic changes.
real-or-random
force-pushed
the
202410-ct-batch-inv
branch
from
1ba332a
to
f24e3e6
Compare
| secp256k1_scalar_clear(&k[i]); | ||
| } | ||
| secp256k1_ge_set_all_gej(nonce_pts, nonce_ptj, 2); | ||
| for (i = 0; i < 2; i++) { | ||
| secp256k1_declassify(ctx, &nonce_pts[i], sizeof(nonce_pts)); |
There was a problem hiding this comment.
nit: not directly related to this PR, as the _declassify call is only moved but still called with the same values, but the size passed seems too large, if I'm not missing anything (should be sizeof(nonce_pts[i]), rather than the full array size, otherwise we mark beyond the array on the second iteration, and the second half of the array twice).
…once points 57eda3b musig: ctimetests: fix _declassify range for generated nonce points (Sebastian Falbesoner) Pull request description: As noticed in #1614 (comment), the area marked as non-secret exceeds the nonce_pts array in the second iteration of the for loop. Fix that by passing the correct size to the _declassify call. ACKs for top commit: sipa: utACK 57eda3b real-or-random: utACK 57eda3b Tree-SHA512: ff8074e3d1078d66a52d08c661997856ff586b3b4564a865a75212b32fafd7906d58885371bd63005007fde554ebcad121ab66125abe4331cf0aac63fc018ed0
As suggested in #1479 (comment)