use variable-time group addition in _ec_pubkey_combine #1587

pull theStack wants to merge 1 commits into bitcoin-core:master from theStack:pubkey_combine_var_time changing 1 files +1 −1
  1. theStack commented at 5:02 pm on August 14, 2024: contributor
    Unless I’m missing something, it seems that there is no need to use constant-time group addition for secp256k1_ec_pubkey_combine, so the faster variable-time addition function _gej_add_ge_var can be used instead. Happy to add a benchmark if wanted.
  2. use variable-time group addition in `_ec_pubkey_combine` 319ff2cde5
  3. real-or-random added the label performance on Aug 17, 2024
  4. real-or-random added the label refactor/smell on Aug 17, 2024
  5. Bigheem approved
  6. jonasnick commented at 1:33 pm on September 3, 2024: contributor

    I don’t know what the original intention of using constant time addition was. Maybe @sipa remembers. It was added here: https://github.com/bitcoin-core/secp256k1/pull/212/files#diff-6f71b0372be086d45b4f2740508c03a21835d87008840032fbb767f419fd988aR552

    I’m aware that some implementations use pubkey_combine to add “secret” group elements in a “blind DH” (see here, here and here). I haven’t checked in detail if using variable time addition leads to a sidechannel that isn’t already there with constant time addition. In any case, constant time addition is not something one can expect from libsecp’s API (it’s called “public key combine”).


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-20 03:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me