Merge pull request #4408 from randombit/jack/odd-blinding

When scalar blinding use an odd blinding factor
randombit · Oct 26, 2024 · dfad46e · dfad46e
2 parents 0a16e2c + 9ea1fe1
commit dfad46e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/src/lib/math/pcurves/pcurves_impl/pcurves_impl.h b/src/lib/math/pcurves/pcurves_impl/pcurves_impl.h
@@ -1035,6 +1035,7 @@ class BlindedScalarBits final {
             W mask[n_words] = {0};
             load_le(mask, maskb, mask_words);
             mask[mask_words - 1] |= WordInfo<W>::top_bit;
+            mask[0] |= 1;
 
             W mask_n[2 * n_words] = {0};
 

diff --git a/src/lib/pubkey/ec_group/point_mul.cpp b/src/lib/pubkey/ec_group/point_mul.cpp
@@ -19,6 +19,12 @@ size_t blinding_size(const BigInt& group_order) {
    return (group_order.bits() + 1) / 2;
 }
 
+BigInt blinding_mask(const BigInt& group_order, RandomNumberGenerator& rng) {
+   BigInt mask(rng, blinding_size(group_order));
+   mask.set_bit(0);
+   return mask;
+}
+
 }  // namespace
 
 EC_Point multi_exponentiate(const EC_Point& x, const BigInt& z1, const EC_Point& y, const BigInt& z2) {
@@ -83,8 +89,7 @@ EC_Point EC_Point_Base_Point_Precompute::mul(const BigInt& k,
 
    if(rng.is_seeded()) {
       // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
-      const BigInt mask(rng, blinding_size(group_order));
-      scalar += group_order * mask;
+      scalar += group_order * blinding_mask(group_order, rng);
    } else {
       /*
       When we don't have an RNG we cannot do scalar blinding. Instead use the
@@ -209,8 +214,7 @@ EC_Point EC_Point_Var_Point_Precompute::mul(const BigInt& k,
    }
 
    // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
-   const BigInt mask(rng, blinding_size(group_order), false);
-   const BigInt scalar = k + group_order * mask;
+   const BigInt scalar = k + group_order * blinding_mask(group_order, rng);
 
    const size_t elem_size = 3 * m_p_words;
    const size_t window_elems = static_cast<size_t>(1) << m_window_bits;