Reintroduce projective blinding

Author: sipa

src/ecmult_gen.h

@@ -109,6 +109,10 @@ typedef struct {
      * ecmult_gen_impl.h for more details. */
     secp256k1_scalar scalar_offset;
     secp256k1_ge ge_offset;
+
+    /* Factor used for projective blinding. This value is used to rescale the Z
+     * coordinate of the first table lookup. */
+    secp256k1_fe proj_blind;
 } secp256k1_ecmult_gen_context;
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);

src/ecmult_gen_impl.h

@@ -27,6 +27,7 @@ static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx
     ctx->built = 0;
     secp256k1_scalar_clear(&ctx->scalar_offset);
     secp256k1_ge_clear(&ctx->ge_offset);
+    secp256k1_fe_clear(&ctx->proj_blind);
 }
 
 /* Compute the scalar (2^COMB_BITS - 1) / 2, the difference between the gn argument to
@@ -256,6 +257,8 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
             if (EXPECT(first, 0)) {
                 /* If this is the first table lookup, we can skip addition. */
                 secp256k1_gej_set_ge(r, &add);
+                /* Give the entry a random Z coordinate to blind intermediary results. */
+                secp256k1_gej_rescale(r, &ctx->proj_blind);
                 first = 0;
             } else {
                 secp256k1_gej_add_ge(r, r, &add);
@@ -283,6 +286,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     secp256k1_scalar b;
     secp256k1_scalar diff;
     secp256k1_gej gb;
+    secp256k1_fe f;
     unsigned char nonce32[32];
     secp256k1_rfc6979_hmac_sha256 rng;
     unsigned char keydata[64];
@@ -294,6 +298,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
         /* When seed is NULL, reset the final point and blinding value. */
         secp256k1_ge_neg(&ctx->ge_offset, &secp256k1_ge_const_g);
         secp256k1_scalar_add(&ctx->scalar_offset, &secp256k1_scalar_one, &diff);
+        ctx->proj_blind = secp256k1_fe_one;
         return;
     }
     /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
@@ -307,7 +312,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
     memset(keydata, 0, sizeof(keydata));
 
-    /* TODO: reintroduce projective blinding. */
+    /* Compute projective blinding factor (cannot be 0). */
+    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+    secp256k1_fe_set_b32_mod(&f, nonce32);
+    secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_normalizes_to_zero(&f));
+    ctx->proj_blind = f;
 
     /* For a random blinding value b, set scalar_offset=diff-b, ge_offset=bG */
     secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
@@ -325,6 +334,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     /* Clean up. */
     secp256k1_scalar_clear(&b);
     secp256k1_gej_clear(&gb);
+    secp256k1_fe_clear(&f);
 }
 
 #endif /* SECP256K1_ECMULT_GEN_IMPL_H */

src/tests.c

@@ -249,7 +249,8 @@ static void run_selftest_tests(void) {
 static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
     return a->built == b->built
             && secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset)
-            && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset);
+            && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset)
+            && secp256k1_fe_equal(&a->proj_blind, &b->proj_blind);
 }
 
 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {