Remove old ecmult_gen code and always use multi-comb

Author: sipa

README.md

@@ -49,13 +49,11 @@ Implementation details
   * Use a much larger window for multiples of G, using precomputed multiples.
   * Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
   * Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
-* Point multiplication for signing
-  * Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
+* Point multiplication for signing using Mike Hamburg's signed-digit multi-comb method (see https://eprint.iacr.org/2012/309, section 3.3)
   * Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
     * Access the table with branch-free conditional moves so memory access is uniform.
     * No data-dependent branches
   * Optional runtime blinding which attempts to frustrate differential power analysis.
-  * The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.
 
 Build steps
 -----------

src/ecmult_gen.h

@@ -10,10 +10,6 @@
 #include "scalar.h"
 #include "group.h"
 
-#define USE_COMB 1
-
-#ifdef USE_COMB
-
 #if defined(EXHAUSTIVE_TEST_ORDER)
 
   /* We need to control these values for exhaustive tests because
@@ -71,19 +67,7 @@
 #  error "COMB_BITS must be in the range [256, 288]"
 #endif
 
-#else
-
-#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
-#  error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
-#endif
-#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS
-#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B)
-#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B)
-
-#endif
-
 typedef struct {
-#ifdef USE_COMB
     /* Precomputation data for the signed-digit multi-comb algorithm as described in section 3.3 of:
      *     "Fast and compact elliptic-curve cryptography", Mike Hamburg
      *         (https://eprint.iacr.org/2012/309)
@@ -96,21 +80,6 @@ typedef struct {
      * for the (COMB_SPACING - 1) doublings in the _ecmult_gen ladder.
      */
     secp256k1_ge offset;
-#endif
-#else
-    /* For accelerating the computation of a*G:
-     * To harden against timing attacks, use the following mechanism:
-     * * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
-     * * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
-     *   * U_i = U * 2^i, for i=0 ... PREC_N-2
-     *   * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
-     *   where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
-     * For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
-     * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
-     * None of the resulting prec group elements have a known scalar, and neither do any of
-     * the intermediate sums while computing a*G.
-     */
-    secp256k1_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */
 #endif
     secp256k1_scalar blind;
     secp256k1_gej initial;

src/ecmult_gen_impl.h

@@ -28,16 +28,9 @@ static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc) {
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-#ifdef USE_COMB
     secp256k1_ge prec[COMB_POINTS_TOTAL + COMB_OFFSET];
     secp256k1_gej u, sum;
     int block, index, spacing, stride, tooth;
-#else
-    secp256k1_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G];
-    secp256k1_gej gj;
-    secp256k1_gej nums_gej;
-    int i, j;
-#endif
     size_t const prealloc_size = SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
     void* const base = *prealloc;
 #endif
@@ -46,7 +39,6 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
         return;
     }
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-#ifdef USE_COMB
     ctx->prec = (secp256k1_ge_storage (*)[COMB_BLOCKS][COMB_POINTS])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
 
     /* get the generator */
@@ -95,72 +87,12 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
     ctx->offset = prec[COMB_POINTS_TOTAL];
 #endif
 
-#else
-    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
-
-    /* get the generator */
-    secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
-
-    /* Construct a group element with no known corresponding scalar (nothing up my sleeve). */
-    {
-        static const unsigned char nums_b32[33] = "The scalar for this x is unknown";
-        secp256k1_fe nums_x;
-        secp256k1_ge nums_ge;
-        int r;
-        r = secp256k1_fe_set_b32(&nums_x, nums_b32);
-        (void)r;
-        VERIFY_CHECK(r);
-        r = secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0);
-        (void)r;
-        VERIFY_CHECK(r);
-        secp256k1_gej_set_ge(&nums_gej, &nums_ge);
-        /* Add G to make the bits in x uniformly distributed. */
-        secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, &secp256k1_ge_const_g, NULL);
-    }
-
-    /* compute prec. */
-    {
-        secp256k1_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */
-        secp256k1_gej gbase;
-        secp256k1_gej numsbase;
-        gbase = gj; /* PREC_G^j * G */
-        numsbase = nums_gej; /* 2^j * nums. */
-        for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
-            /* Set precj[j*PREC_G .. j*PREC_G+(PREC_G-1)] to (numsbase, numsbase + gbase, ..., numsbase + (PREC_G-1)*gbase). */
-            precj[j*ECMULT_GEN_PREC_G] = numsbase;
-            for (i = 1; i < ECMULT_GEN_PREC_G; i++) {
-                secp256k1_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL);
-            }
-            /* Multiply gbase by PREC_G. */
-            for (i = 0; i < ECMULT_GEN_PREC_B; i++) {
-                secp256k1_gej_double_var(&gbase, &gbase, NULL);
-            }
-            /* Multiply numbase by 2. */
-            secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
-            if (j == ECMULT_GEN_PREC_N - 2) {
-                /* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
-                secp256k1_gej_neg(&numsbase, &numsbase);
-                secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
-            }
-        }
-        secp256k1_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G);
-    }
-    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
-        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
-            secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]);
-        }
-    }
-#endif
 #else
     (void)prealloc;
-#if USE_COMB
     ctx->prec = (secp256k1_ge_storage (*)[COMB_BLOCKS][COMB_POINTS])secp256k1_ecmult_gen_ctx_prec;
 #if COMB_OFFSET
     secp256k1_ge_from_storage(&ctx->offset, &secp256k1_ecmult_gen_ctx_offset);
 #endif
-#else
-    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])secp256k1_ecmult_static_context;
-#endif
 #endif
     secp256k1_ecmult_gen_blind(ctx, NULL);
 }
@@ -171,28 +103,20 @@ static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_cont
 
 static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src) {
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-#ifdef USE_COMB
     if (src->prec != NULL) {
         /* We cast to void* first to suppress a -Wcast-align warning. */
         dst->prec = (secp256k1_ge_storage (*)[COMB_BLOCKS][COMB_POINTS])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
     }
 #if COMB_OFFSET
     dst->offset = src->offset;
 #endif
-#else
-    if (src->prec != NULL) {
-        dst->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
-    }
-#endif
 #endif
     (void)dst, (void)src;
 }
 
 static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx) {
-#ifdef USE_COMB
 #if COMB_OFFSET
     secp256k1_ge_clear(&ctx->offset);
-#endif
 #endif
     secp256k1_scalar_clear(&ctx->blind);
     secp256k1_gej_clear(&ctx->initial);
@@ -205,8 +129,6 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
     secp256k1_scalar gnb;
     uint32_t bits;
 
-#ifdef USE_COMB
-
     uint32_t abs, bit_pos, block, comb_off, index, sign;
 #if !COMB_GROUPED
     uint32_t bit, tooth;
@@ -245,6 +167,16 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
             VERIFY_CHECK(abs < COMB_POINTS);
 
             for (index = 0; index < COMB_POINTS; ++index) {
+                /** This uses a conditional move to avoid any secret data in array indexes.
+                 *   _Any_ use of secret indexes has been demonstrated to result in timing
+                 *   sidechannels, even when the cache-line access patterns are uniform.
+                 *  See also:
+                 *   "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
+                 *    (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
+                 *   "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
+                 *    by Dag Arne Osvik, Adi Shamir, and Eran Tromer
+                 *    (http://www.tau.ac.il/~tromer/papers/cache.pdf)
+                 */
                 secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[block][index], index == abs);
             }
 
@@ -267,32 +199,6 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
     abs = 0;
     sign = 0;
 
-#else
-    int i, j;
-    memset(&adds, 0, sizeof(adds));
-    *r = ctx->initial;
-    /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
-    secp256k1_scalar_add(&gnb, gn, &ctx->blind);
-    add.infinity = 0;
-    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
-        bits = secp256k1_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B);
-        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
-            /** This uses a conditional move to avoid any secret data in array indexes.
-             *   _Any_ use of secret indexes has been demonstrated to result in timing
-             *   sidechannels, even when the cache-line access patterns are uniform.
-             *  See also:
-             *   "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
-             *    (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
-             *   "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
-             *    by Dag Arne Osvik, Adi Shamir, and Eran Tromer
-             *    (https://www.tau.ac.il/~tromer/papers/cache.pdf)
-             */
-            secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits);
-        }
-        secp256k1_ge_from_storage(&add, &adds);
-        secp256k1_gej_add_ge(r, r, &add);
-    }
-#endif
     bits = 0;
     secp256k1_ge_clear(&add);
     memset(&adds, 0, sizeof(adds));
@@ -301,9 +207,7 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
 
 /* Setup blinding values for secp256k1_ecmult_gen. */
 static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32) {
-#ifdef USE_COMB
     int spacing;
-#endif
     secp256k1_scalar b;
     secp256k1_gej gb;
     secp256k1_fe s;
@@ -316,13 +220,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
         secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
         secp256k1_gej_neg(&ctx->initial, &ctx->initial);
         secp256k1_scalar_set_int(&ctx->blind, 1);
-#ifdef USE_COMB
         for (spacing = 1; spacing < COMB_SPACING; ++spacing) {
             secp256k1_scalar_add(&ctx->blind, &ctx->blind, &ctx->blind);
         }
 #if COMB_OFFSET
         secp256k1_gej_add_ge(&ctx->initial, &ctx->initial, &ctx->offset);
-#endif
 #endif
     }
     /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
@@ -355,13 +257,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     secp256k1_scalar_negate(&b, &b);
     ctx->blind = b;
     ctx->initial = gb;
-#ifdef USE_COMB
     for (spacing = 1; spacing < COMB_SPACING; ++spacing) {
         secp256k1_scalar_add(&ctx->blind, &ctx->blind, &ctx->blind);
     }
 #if COMB_OFFSET
     secp256k1_gej_add_ge(&ctx->initial, &ctx->initial, &ctx->offset);
-#endif
 #endif
     secp256k1_scalar_clear(&b);
     secp256k1_gej_clear(&gb);

src/gen_context.c

@@ -39,16 +39,11 @@ int main(int argc, char **argv) {
     FILE* fp;
     const char *SC_FORMAT = "    SC(%uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu)";
 
-#if USE_COMB
     const int blocks = COMB_BLOCKS;
     const int points = COMB_POINTS;
 #if COMB_OFFSET
     secp256k1_ge_storage offset;
 #endif
-#else
-    const int blocks = ECMULT_GEN_PREC_N;
-    const int points = ECMULT_GEN_PREC_G;
-#endif
 
     (void)argc;
     (void)argv;
@@ -63,31 +58,20 @@ int main(int argc, char **argv) {
     fprintf(fp, "#define SECP256K1_ECMULT_STATIC_CONTEXT_H\n");
     fprintf(fp, "#include \"src/group.h\"\n");
     fprintf(fp, "#define SC SECP256K1_GE_STORAGE_CONST\n");
-    fprintf(fp, "#if USE_COMB != %i\n", USE_COMB);
-    fprintf(fp, "   #error configuration mismatch, invalid USE_COMB. Try deleting ecmult_static_context.h before the build.\n");
-    fprintf(fp, "#endif\n");
-#if USE_COMB
     fprintf(fp, "#if COMB_BLOCKS != %i || COMB_TEETH != %i || COMB_SPACING != %i\n", COMB_BLOCKS, COMB_TEETH, COMB_SPACING);
     fprintf(fp, "   #error configuration mismatch, invalid COMB_BLOCKS, COMB_TEETH, or COMB_SPACING. Try deleting ecmult_static_context.h before the build.\n");
     fprintf(fp, "#endif\n");
-#else
-    fprintf(fp, "#if ECMULT_GEN_PREC_N != %d || ECMULT_GEN_PREC_G != %d\n", ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G);
-    fprintf(fp, "   #error configuration mismatch, invalid ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G. Try deleting ecmult_static_context.h before the build.\n");
-    fprintf(fp, "#endif\n");
-#endif
 
     base = checked_malloc(&default_error_callback, SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE);
     prealloc = base;
     secp256k1_ecmult_gen_context_init(&ctx);
     secp256k1_ecmult_gen_context_build(&ctx, &prealloc);
 
-#if USE_COMB
 #if COMB_OFFSET
     secp256k1_ge_to_storage(&offset, &ctx.offset);
     fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_gen_ctx_offset =\n");
     fprintf(fp, SC_FORMAT, SECP256K1_GE_STORAGE_CONST_GET(offset));
     fprintf(fp, ";\n");
-#endif
 #endif
 
     fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_gen_ctx_prec[%i][%i] = {\n", blocks, points);