add missing group element invariant checks
The group element checks `secp256k1_{ge,gej}_verify` were first
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).

Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
theStack and peterdettman committed Jul 10, 2023
1 parent cc55757 commit 672b101
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions src/group_impl.h
Expand Up @@ -154,6 +154,8 @@ static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) {
secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1);
secp256k1_gej_verify(a);

r->x = a->x;
r->y = a->y;
secp256k1_ge_verify(r);
Expand All @@ -173,6 +175,8 @@ static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a) {
secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1);
secp256k1_gej_verify(a);

secp256k1_ge_set_xy(r, &a->x, &a->y);
secp256k1_ge_verify(r);
}
Expand Down Expand Up @@ -231,6 +235,7 @@ static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const se
secp256k1_fe_verify(&zr[i]);
/* Ensure all y values are in weak normal form for fast negation of points */
secp256k1_fe_normalize_weak(&a[i].y);
secp256k1_ge_verify(&a[i]);
zs = zr[i];

/* Work our way backwards, using the z-ratios to scale the x/y values. */
Expand Down Expand Up @@ -269,12 +274,14 @@ static void secp256k1_gej_clear(secp256k1_gej *r) {
secp256k1_fe_clear(&r->x);
secp256k1_fe_clear(&r->y);
secp256k1_fe_clear(&r->z);
secp256k1_gej_verify(r);
}

static void secp256k1_ge_clear(secp256k1_ge *r) {
r->infinity = 0;
secp256k1_fe_clear(&r->x);
secp256k1_fe_clear(&r->y);
secp256k1_ge_verify(r);
}

static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) {
Expand Down Expand Up @@ -547,6 +554,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
/* 9 mul, 3 sqr, 13 add/negate/normalize_weak/normalizes_to_zero (ignoring special cases) */
secp256k1_fe az, z12, u1, u2, s1, s2, h, i, h2, h3, t;

secp256k1_gej_verify(a);
secp256k1_ge_verify(b);
secp256k1_fe_verify(bzinv);
if (a->infinity) {
Expand All @@ -557,6 +565,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
secp256k1_fe_mul(&r->x, &b->x, &bzinv2);
secp256k1_fe_mul(&r->y, &b->y, &bzinv3);
secp256k1_fe_set_int(&r->z, 1);
secp256k1_gej_verify(r);
return;
}
if (b->infinity) {
Expand Down Expand Up @@ -820,6 +829,7 @@ static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge) {
}
return secp256k1_gej_is_infinity(&out);
#else
secp256k1_ge_verify(ge);
(void)ge;
/* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */
return 1;
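Review bot: In the fourth hunk, `secp256k1_ge_clear` and `secp256k1_gej_clear` now run the verify routines on a point whose coordinates are all zero with `infinity = 0`, and (0, 0) is not on the curve (y² = x³ + 7 for secp256k1); the added checks therefore only hold as long as `secp256k1_ge_verify`/`secp256k1_gej_verify` check field-element form and the infinity flag rather than curve membership, which this page does not show. A one-line comment at both call sites would keep a later maintainer from extending the verify routines with an on-curve check and breaking the clear functions under `VERIFY`, e.g. `/* The cleared point is (0, 0), not a curve point: verify only checks field form and the infinity flag. */`. In the last hunk the existing `(void)ge;` is now redundant with the verify call placed above it and could be dropped, though it is harmless; the `#ifdef` branch above that hunk starts outside the shown lines, so whether it verifies `ge` itself cannot be seen here.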
