
Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ #590

Open · wants to merge 8 commits into master from jonasnick:schnorrsig-s2c-only-new-ans
Conversation

@jonasnick (Contributor) commented Feb 15, 2019

This is an alternative to #572 based on #589 (EDIT: this seems to be generally preferred now). It's a demonstration that the anti nonce-sidechannel protocol can be built just as well on #589 as on #588.

@real-or-random (Contributor) left a comment

Concept ACK

* Returns 1 on success, 0 on failure.
* Args: ctx: pointer to a context object (cannot be NULL)
* Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL)
* In: rand32: the 32-byte randomness to commit to (cannot be NULL)

real-or-random (Contributor) Feb 15, 2019

Maybe it's even better to make this function responsible for calling secp256k1_rand256 to avoid that the user screws up when producing randomness.

(But then the user can't use his fancy hardware RNG... If we want to support that, then maybe there could also be a callback to a randomness function, and if it's NULL, then just call secp256k1_rand256. But in general, I don't like the idea of the user providing randomness, unless really necessary.)

* 2. The client commits to its sign-to-contract original nonce (which is the nonce without the
* sign-to-contract tweak) using the hosts commitment by calling the
* `secp256k1_schnorrsig_anti_nonce_sidechan_client_commit` function. The client sends the
* rusulting commitment to the host

benma (Contributor) Jun 11, 2019

rusulting -> resulting :)
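To make the exchange that the PR's documentation describes concrete, here is an added toy model of the whole protocol as it follows from the excerpt above: the host commits to its randomness, the client replies with its sign-to-contract original nonce R0, the host reveals the randomness, the client signs with the tweaked nonce, and the host checks that the signature's R equals R0 + H(R0 || rand32)·G. This is example code, not code from this PR or from libsecp256k1; the affine secp256k1 arithmetic, the simplified Schnorr scheme (not BIP340-exact), the hash tags and the class/method names are all assumptions of the example, and messages between the parties are passed as Python values rather than 32/33-byte encodings. It also shows the detection side: a client that skips the agreed tweak still produces a signature that verifies, but fails the host's sign-to-contract check.

```python
"""Toy model of the anti nonce-sidechannel (sign-to-contract) protocol.
Added example; assumptions: affine secp256k1 arithmetic, a simplified
Schnorr scheme (not BIP340) and hash tags chosen here."""
import hashlib
import os

# secp256k1 parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def ser(pt):
    """33-byte compressed SEC1 encoding, used only inside hashes here."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def tagged_hash(tag, *parts):
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + b"".join(parts)).digest()


def scalar(b):
    return int.from_bytes(b, "big") % N


class Host:
    """The party that wants assurance the client's nonce was not chosen freely."""

    def __init__(self, rand32=None):
        self.rand32 = rand32 or os.urandom(32)

    def commit(self):
        # Step 1: commit to the randomness before seeing anything from the client.
        return tagged_hash("s2c/rand", self.rand32)

    def reveal(self, r0):
        # Step 3: remember the client's original nonce R0, then reveal the randomness.
        self.r0 = r0
        return self.rand32

    def verify(self, pub, msg, sig):
        # Step 5: plain Schnorr verification plus the check R == R0 + H(R0 || rand32)*G.
        r, s = sig
        e = scalar(tagged_hash("schnorr/challenge", ser(r), ser(pub), msg))
        sig_ok = point_add(point_mul(s, G), point_mul(N - e, pub)) == r
        t = scalar(tagged_hash("s2c/tweak", ser(self.r0), self.rand32))
        s2c_ok = point_add(self.r0, point_mul(t, G)) == r
        return sig_ok, s2c_ok


class Client:
    """The signer (e.g. a hardware wallet) holding the secret key."""

    def __init__(self, seckey, apply_tweak=True):
        self.d = seckey % N
        self.pub = point_mul(self.d, G)
        self.apply_tweak = apply_tweak  # False models a signer ignoring the protocol

    def commit(self, msg, host_commit):
        # Step 2: derive the original nonce from key, message and the host's
        # commitment, and send R0 = k0*G as the client's commitment.
        self.k0 = scalar(tagged_hash("s2c/nonce", self.d.to_bytes(32, "big"), msg, host_commit))
        self.r0 = point_mul(self.k0, G)
        return self.r0

    def sign(self, msg, rand32):
        # Step 4: tweak the nonce with the revealed randomness and sign.
        t = scalar(tagged_hash("s2c/tweak", ser(self.r0), rand32)) if self.apply_tweak else 0
        k = (self.k0 + t) % N
        r = point_mul(k, G)
        e = scalar(tagged_hash("schnorr/challenge", ser(r), ser(self.pub), msg))
        return r, (k + e * self.d) % N


def run_protocol(seckey, msg, rand32, apply_tweak=True):
    """Run the exchange; return (signature_valid, s2c_check_passed)."""
    host, client = Host(rand32), Client(seckey, apply_tweak)
    host_commit = host.commit()            # host -> client
    r0 = client.commit(msg, host_commit)   # client -> host
    rand = host.reveal(r0)                 # host -> client
    sig = client.sign(msg, rand)           # client -> host
    return host.verify(client.pub, msg, sig)


if __name__ == "__main__":
    # Constructed sample values for the demo.
    key, message, rand = 0x1234, b"anti nonce-sidechannel demo", bytes(range(32))
    print("honest client:", run_protocol(key, message, rand))                          # (True, True)
    print("client skipping tweak:", run_protocol(key, message, rand, apply_tweak=False))  # (True, False)
```

The ordering is the point of the protocol: the client has to fix R0 before it learns rand32, and the host has to fix rand32 before it learns R0, so neither side can steer the final nonce. A verifier that only checks the Schnorr equation accepts both signatures above; only the host that took part in the exchange can tell that the second one did not use the agreed nonce.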

@jonasnick jonasnick changed the title Add anti nonce-sidechannel protocol to schnorrsigs [alternative] Add anti nonce-sidechannel protocol to schnorrsigs [̶a̶l̶t̶e̶r̶n̶a̶t̶i̶v̶e̶]̶ Jul 3, 2019

@jonasnick (Contributor, Author) commented Jul 4, 2019

This thing needs a better name. Covert channel is a much better term for this than side channel. If no one comes up with something better I'll go on with anti_covert_channel.

@jonasnick jonasnick force-pushed the jonasnick:schnorrsig-s2c-only-new-ans branch from ae5fb7f to ed4add7 Jul 5, 2019

@jonasnick (Contributor, Author) commented Jul 5, 2019

Rebased

/* Return commitment == commitment_tmp */
secp256k1_gej_set_infinity(&pj);
secp256k1_pubkey_load(ctx, &p, &commitment_tmp);
secp256k1_gej_add_ge_var(&pj, &pj, &p, NULL);

elichai (Contributor) Jul 28, 2019

You can use secp256k1_gej_set_ge() instead of setting to infinity and adding

5 participants