Skip to content

Commit

Permalink
Clear _gej instances after point multiplication to avoid potential leaks
Browse files Browse the repository at this point in the history
Quoting sipa (see bitcoin-core#1479 (comment)):
"When performing an EC multiplication A = aG for secret a, the resulting
 _affine_ coordinates of A are presumed to not leak information about a (ECDLP),
  but the same is not necessarily true for the Jacobian coordinates that come
  out of our multiplication algorithm."

For the ECDH point multiplication result, the result in Jacobi coordinates should be
cleared not only to avoid leaking the scalar, but even more so as it's a representation
of the resulting shared secret.
  • Loading branch information
theStack committed Oct 25, 2024
1 parent 349e6ab commit 765ef53
Show file tree
Hide file tree
Showing 4 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/modules/ecdh/main_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const se
secp256k1_memclear(y, sizeof(y));
secp256k1_scalar_clear(&s);
secp256k1_ge_clear(&pt);
secp256k1_gej_clear(&res);

return !!ret & !overflow;
}
Expand Down
1 change: 1 addition & 0 deletions src/modules/musig/session_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -450,6 +450,7 @@ int secp256k1_musig_nonce_gen_internal(const secp256k1_context* ctx, secp256k1_m
secp256k1_ge_set_gej(&nonce_pts[i], &nonce_ptj);
secp256k1_declassify(ctx, &nonce_pts[i], sizeof(nonce_pts));
secp256k1_scalar_clear(&k[i]);
secp256k1_gej_clear(&nonce_ptj);
}
/* None of the nonce_pts will be infinity because k != 0 with overwhelming
* probability */
Expand Down
1 change: 1 addition & 0 deletions src/modules/schnorrsig/main_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,7 @@ static int secp256k1_schnorrsig_sign_internal(const secp256k1_context* ctx, unsi
secp256k1_scalar_clear(&k);
secp256k1_scalar_clear(&sk);
secp256k1_memclear(seckey, sizeof(seckey));
secp256k1_gej_clear(&rj);

return ret;
}
Expand Down
1 change: 1 addition & 0 deletions src/secp256k1.c
Original file line number Diff line number Diff line change
Expand Up @@ -597,6 +597,7 @@ static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context

secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
secp256k1_ge_set_gej(p, &pj);
secp256k1_gej_clear(&pj);
return ret;
}

Expand Down

0 comments on commit 765ef53

Please sign in to comment.