Skip to content

Reject weak entropy in nonce_gen when seckey isn't provided #156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Reject weak entropy in nonce_gen when seckey isn't provided #156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions src/modules/musig/session_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -283,10 +283,14 @@ int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secn
ARG_CHECK(session_id32 != NULL);
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
if (seckey == NULL) {
/* Check in constant time that the session_id is not 0 as a
* defense-in-depth measure that may protect against a faulty RNG. */
/* Check in constant time that if seckey isn't provided, then the
* middle 16 bytes of session_id are not all 0.
*
* This is a defense-in-depth measure that may protect against a
* faulty RNG, as well invalid use of a 64-bit counter (in any
* endian-ness) instead of a secure RNG. */
unsigned char acc = 0;
for (i = 0; i < 32; i++) {
for (i = 8; i < 24; i++) {
acc |= session_id32[i];
}
ret &= !!acc;
Expand Down
13 changes: 13 additions & 0 deletions src/modules/musig/tests_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
unsigned char max64[64];
unsigned char zeros68[68] = { 0 };
unsigned char session_id[2][32];
unsigned char invalid_session_id[32];
secp256k1_musig_secnonce secnonce[2];
secp256k1_musig_secnonce secnonce_tmp;
secp256k1_musig_secnonce invalid_secnonce;
Expand Down Expand Up @@ -293,6 +294,18 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], zeros68, NULL, msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 5);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
/* no seckey and session_id looks like a counter (little-endian) */
memset(invalid_session_id, 0x55, 8);
memset(invalid_session_id + 8, 0, 24);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], invalid_session_id, NULL, msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 5);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
/* no seckey and session_id looks like a counter (big-endian) */
memset(invalid_session_id, 0, 24);
memset(invalid_session_id + 24, 0x55, 8);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], invalid_session_id, NULL, msg, &keyagg_cache, max64) == 0);
CHECK(ecount == 5);
CHECK(memcmp_and_randomize(secnonce[0].data, zeros68, sizeof(secnonce[0].data)) == 0);
/* session_id 0 is fine when a seckey is provided */
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], zeros68, sk[0], msg, &keyagg_cache, max64) == 1);
CHECK(secp256k1_musig_nonce_gen(sign, &secnonce[0], &pubnonce[0], session_id[0], NULL, msg, &keyagg_cache, max64) == 1);
Expand Down