[Pkg-bitcoin-commits] [libsecp256k1] 04/37: secp256k1_context_randomize: document.

Jonas Smedegaard dr at jones.dk
Fri Aug 18 11:27:51 UTC 2017


This is an automated email from the git hooks/post-receive script.

js pushed a commit to branch master
in repository libsecp256k1.

commit 70ff29b6a77266c55f41c966cfc2a766fd252cdf
Author: Rusty Russell <rusty at rustcorp.com.au>
Date:   Tue Feb 14 15:29:33 2017 +1030

    secp256k1_context_randomize: document.
    
    I think I summarized it correctly after IRC discussion with gmaxwell
    and andytoshi; I didn't know it existed :(
    
    It's regrettable to expose this level of detail, but users need to know
    this to make a decision about how to use it.
    
    Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
---
 include/secp256k1.h | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/include/secp256k1.h b/include/secp256k1.h
index f268e30..bd7b783 100644
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@@ -163,6 +163,8 @@ typedef int (*secp256k1_nonce_function)(
  *
  *  Returns: a newly created context object.
  *  In:      flags: which parts of the context to initialize.
+ *
+ *  See also secp256k1_context_randomize.
  */
 SECP256K1_API secp256k1_context* secp256k1_context_create(
     unsigned int flags
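Review bot: the cross-reference in the secp256k1_context_create comment ("See also secp256k1_context_randomize.") tells the reader where to look but not why; since the second hunk says callers "should call this after secp256k1_context_create", the pointer would be more useful if it carried that intent, e.g. " *  See also secp256k1_context_randomize, which callers should invoke on the new context to enable blinding."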
@@ -543,11 +545,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
     const unsigned char *tweak
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
-/** Updates the context randomization.
+/** Updates the context randomization to protect against side-channel leakage.
  *  Returns: 1: randomization successfully updated
  *           0: error
  *  Args:    ctx:       pointer to a context object (cannot be NULL)
  *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
+ *
+ * While secp256k1 code is written to be constant-time no matter what secret
+ * values are, it's possible that a future compiler may output code which isn't,
+ * and also that the CPU may not emit the same radio frequencies or draw the same
+ * amount power for all values.
+ *
+ * This function provides a seed which is combined into the blinding value: that
+ * blinding value added before each multiplication (and removed afterwards) so
+ * that it does not affect function results, but shields against attacks which
+ * rely on any input-dependent behaviour.
+ *
+ * You should call this after secp256k1_context_create or
+ * secp256k1_context_clone, and may call this repeatedly afterwards.
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(
     secp256k1_context* ctx,
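Review bot: two wording slips in the new paragraph: "that blinding value added before each multiplication" is missing its verb ("is added"), and "draw the same amount power" should read "amount of power". The text also describes seed32 only as "a 32-byte random seed" without saying what quality of randomness is needed; because blinding only shields against input-dependent behaviour if an attacker cannot predict the blinding value, consider stating that the seed should come from a cryptographically secure random source, e.g. " *  The seed should be produced by a cryptographically secure random number generator." Finally, "may call this repeatedly afterwards" would be clearer with a hint of when that is worthwhile (for example, periodically to refresh the blinding), so that callers can make the usage decision the commit message says they need.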

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-bitcoin/libsecp256k1.git