mirror/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2026-02-14 21:38:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

secp256k1: Endormorphism.splitScalar() can return an error (#15270)

Browse Source 
Fixes #15267
This commit is contained in:
Frank Denis 2023-04-14 06:06:00 +02:00 committed by GitHub
parent 4a0508e56c
commit 9adee806e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/std/crypto/ecdsa.zig
View File

@ -249,7 +249,7 @@ pub fn Ecdsa(comptime Curve: type, comptime Hash: type) type {
}
/// Verify that the signature is valid for the entire message.
pub fn verify(self: *Verifier) (IdentityElementError || SignatureVerificationError)!void {
pub fn verify(self: *Verifier) (IdentityElementError || NonCanonicalError || SignatureVerificationError)!void {
const ht = Curve.scalar.encoded_length;
const h_len = @max(Hash.digest_length, ht);
var h: [h_len]u8 = [_]u8{0} ** h_len;

16
lib/std/crypto/pcurves/secp256k1.zig
View File

@ -51,7 +51,7 @@ pub const Secp256k1 = struct {
};
/// Compute r1 and r2 so that k = r1 + r2*lambda (mod L).
pub fn splitScalar(s: [32]u8, endian: std.builtin.Endian) SplitScalar {
pub fn splitScalar(s: [32]u8, endian: std.builtin.Endian) NonCanonicalError!SplitScalar {
const b1_neg_s = comptime s: {
var buf: [32]u8 = undefined;
mem.writeIntLittle(u256, &buf, 303414439467246543595250775667605759171);
@ -73,15 +73,15 @@ pub const Secp256k1 = struct {
var buf: [32]u8 = undefined;
mem.writeIntLittle(u256, &buf, c1);
const c1x = scalar.mul(buf, b1_neg_s, .Little) catch unreachable;
const c1x = try scalar.mul(buf, b1_neg_s, .Little);
mem.writeIntLittle(u256, &buf, c2);
const c2x = scalar.mul(buf, b2_neg_s, .Little) catch unreachable;
const c2x = try scalar.mul(buf, b2_neg_s, .Little);
const r2 = scalar.add(c1x, c2x, .Little) catch unreachable;
const r2 = try scalar.add(c1x, c2x, .Little);
var r1 = scalar.mul(r2, lambda_s, .Little) catch unreachable;
r1 = scalar.sub(s, r1, .Little) catch unreachable;
var r1 = try scalar.mul(r2, lambda_s, .Little);
r1 = try scalar.sub(s, r1, .Little);
return SplitScalar{ .r1 = r1, .r2 = r2 };
}
@ -435,7 +435,7 @@ pub const Secp256k1 = struct {
/// Multiply an elliptic curve point by a *PUBLIC* scalar *IN VARIABLE TIME*
/// This can be used for signature verification.
pub fn mulPublic(p: Secp256k1, s_: [32]u8, endian: std.builtin.Endian) IdentityElementError!Secp256k1 {
pub fn mulPublic(p: Secp256k1, s_: [32]u8, endian: std.builtin.Endian) (IdentityElementError || NonCanonicalError)!Secp256k1 {
const s = if (endian == .Little) s_ else Fe.orderSwap(s_);
const zero = comptime scalar.Scalar.zero.toBytes(.Little);
if (mem.eql(u8, &zero, &s)) {
@ -443,7 +443,7 @@ pub const Secp256k1 = struct {
}
const pc = precompute(p, 8);
var lambda_p = try pcMul(&pc, Endormorphism.lambda_s, true);
var split_scalar = Endormorphism.splitScalar(s, .Little);
var split_scalar = try Endormorphism.splitScalar(s, .Little);
var px = p;
// If a key is negative, flip the sign to keep it half-sized,