secp256k1

Pure Haskell Schnorr, ECDSA on the elliptic curve secp256k1 (docs.ppad.tech/secp256k1).

commit f2c4950f58ec4e87c2d246c0ec516153dd24ded7
parent 9673a435e410b989fb34ac2d4fd75e54e8139d60
Author: Jared Tobin <jared@jtobin.io>
Date:   Sun, 21 Dec 2025 17:38:25 -0330

lib: improve sign_ecdsa constant-time properties

Diffstat:
Mflake.lock | 8++++----
Mlib/Crypto/Curve/Secp256k1.hs | 10++++------
2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/flake.lock b/flake.lock
@@ -184,11 +184,11 @@
]
},
"locked": {
- "lastModified": 1766326001,
- "narHash": "sha256-F4jW49qqBoHe/QqrKU0evVttXbHFzZxLrWKpdYgV/XE=",
+ "lastModified": 1766351184,
+ "narHash": "sha256-+fXHSabk0hjARotjB65uPRktAlvbH02orI/SNyyBub0=",
"ref": "master",
- "rev": "92b527cd0141dbd24b28e92290c0b5949d1a4a0c",
- "revCount": 250,
+ "rev": "497ffce0197e28b28e7534a278d52002accfd5b9",
+ "revCount": 251,
"type": "git",
"url": "git://git.ppad.tech/fixed.git"
},
diff --git a/lib/Crypto/Curve/Secp256k1.hs b/lib/Crypto/Curve/Secp256k1.hs
@@ -988,8 +988,8 @@ _sign_schnorr
_sign_schnorr _mul _SECRET m a = do
p <- _mul _SECRET
let Affine (C.retr -> x_p) (C.retr -> y_p) = affine p
- s = S.to _SECRET
- d = S.select s (negate s) (W.odd y_p)
+ s = S.to _SECRET
+ d = S.select s (negate s) (W.odd y_p)
bytes_d = unroll32 (S.retr d)
bytes_p = unroll32 x_p
t = xor bytes_d (hash_aux a)
@@ -998,7 +998,7 @@ _sign_schnorr _mul _SECRET m a = do
guard (k' /= 0) -- negligible probability
pt <- _mul (S.retr k')
let Affine (C.retr -> x_r) (C.retr -> y_r) = affine pt
- k = S.select k' (negate k') (W.odd y_r)
+ k = S.select k' (negate k') (W.odd y_r)
bytes_r = unroll32 x_r
rand' = hash_challenge (bytes_r <> bytes_p <> m)
e = S.to (unsafe_roll32 rand')
@@ -1133,9 +1133,7 @@ data HashFlag =

-- Convert an ECDSA signature to low-S form.
low :: ECDSA -> ECDSA
-low (ECDSA r s) = ECDSA r ms where
- ms | s > _CURVE_QH = _CURVE_Q - s
- | otherwise = s
+low (ECDSA r s) = ECDSA r (W.select s (_CURVE_Q - s) (W.gt s _CURVE_QH))
{-# INLINE low #-}

-- | Produce an ECDSA signature for the provided message, using the
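Review bot: The comment above `low` still reads `-- Convert an ECDSA signature to low-S form.` and does not record that the new `W.select`/`W.gt` form is deliberately branch-free, so a later tidy-up could reintroduce the guard version without anyone noticing; suggest extending it to `-- Convert an ECDSA signature to low-S form. Uses W.select/W.gt rather than guards so the normalisation does not branch on s.` The constant-time property now rests on the `fixed` library's `W.select` and `W.gt` being branch-free, which the accompanying flake.lock bump to rev 497ffce0197e28b28e7534a278d52002accfd5b9 suggests this commit depends on, so naming that assumption in the comment would make the dependency visible. With lazy evaluation the `_CURVE_Q - s` argument is only computed if `W.select` is strict in both candidate values; if it is lazy in the unselected one, the subtraction is skipped on the low-S path and the timing difference returns, so confirm the strictness of `W.select` as part of this change. The `sign_ecdsa` call site that the commit title refers to lies outside the hunk.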