secp256k1-native 0.15.0 → 0.17.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +40 -0
- data/README.md +16 -14
- data/ext/secp256k1_native/jacobian.c +84 -42
- data/ext/secp256k1_native/secp256k1_native.h +15 -0
- data/lib/secp256k1/version.rb +1 -1
- data/lib/secp256k1.rb +60 -12
- data/lib/secp256k1_native.bundle +0 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b6a8b3524bbf944accbd5ee819c3623ce7495829d30b280fb29a905e43dcf52b
|
|
4
|
+
data.tar.gz: a0204b6cf5b4c37447d63e29425086320642cb881b9c107847a00111b4d07373
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7f0a0fd90e016a83ef50ce79f4d70c058524ae47d008992edb6250b12363ebf6c12397376da0ae6978592d9bf9a5ea05038765384f5379aba537503af9fc2b54
|
|
7
|
+
data.tar.gz: e22b4b04332c215353bfaf38f45eb03825fc9d1012a926e0c4da2369fbdc9c39bb305e3faecd69a9c476755f6c67872570d492c8531b93e0e9edaa6e7bd61872
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,45 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [0.17.0] - 2026-05-01
|
|
4
|
+
|
|
5
|
+
### Added
|
|
6
|
+
|
|
7
|
+
- Dudect-based constant-time verification harness (`rake timing:verify`) — empirical timing leakage detection using Welch's t-test for all constant-time C extension functions
|
|
8
|
+
- Cryptographic development principles codified in CLAUDE.md — seven principles governing all development decisions
|
|
9
|
+
- Property-based testing suite (field arithmetic, scalar arithmetic, point operations, cross-implementation parity)
|
|
10
|
+
- GitHub Actions CI workflow for Ruby 2.7–3.4 matrix
|
|
11
|
+
- Security findings disclosure process
|
|
12
|
+
|
|
13
|
+
### Fixed
|
|
14
|
+
|
|
15
|
+
- **Timing side-channel in `scalar_multiply_ct`** — `jp_add_internal` had early-return branches on infinity checks that leaked timing information about the secret scalar inside the Montgomery ladder (dudect t = -875). Made `jp_add_internal` fully branchless with mask-based conditional selection. Verified fix via dudect (t = 1.0)
|
|
16
|
+
|
|
17
|
+
### Changed
|
|
18
|
+
|
|
19
|
+
- Field arithmetic (`fred`, `fsub`, `fneg`, `fadd`) constant-time properties now empirically verified via dudect, not just code inspection
|
|
20
|
+
|
|
21
|
+
## [0.16.0] - 2026-04-29
|
|
22
|
+
|
|
23
|
+
### Breaking Changes
|
|
24
|
+
|
|
25
|
+
- `Point#mul` is now constant-time (Montgomery ladder) by default, matching OpenSSL behaviour. The previous variable-time wNAF implementation is available as `Point#mul_vt`
|
|
26
|
+
- `Point#mul` raises `InsecureOperationError` without the native C extension unless explicitly allowed via `SECP256K1_ALLOW_PURE_RUBY_CT=1` or `Secp256k1.allow_pure_ruby_ct!`
|
|
27
|
+
|
|
28
|
+
### Added
|
|
29
|
+
|
|
30
|
+
- `Point#mul_vt` for explicit variable-time scalar multiplication (public scalars only)
|
|
31
|
+
- `Secp256k1.native?` to check whether the C extension is loaded
|
|
32
|
+
- `Secp256k1.allow_pure_ruby_ct!` and `SECP256K1_ALLOW_PURE_RUBY_CT` env var for opting in to pure-Ruby constant-time operations
|
|
33
|
+
- Evidence-based risk assessment documentation (`docs/risks.md`)
|
|
34
|
+
- MkDocs site with GitHub Pages automation
|
|
35
|
+
- YARD-generated API reference
|
|
36
|
+
|
|
37
|
+
### Changed
|
|
38
|
+
|
|
39
|
+
- `Point#mul_ct` is now a deprecated alias for `Point#mul`
|
|
40
|
+
- Licence changed from Open BSV License to MIT
|
|
41
|
+
- Documentation reorganised into focused documents (architecture, security, performance, design rationale)
|
|
42
|
+
|
|
3
43
|
## [0.15.0] - 2026-04-27
|
|
4
44
|
|
|
5
45
|
### Added
|
data/README.md
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
# secp256k1-native
|
|
2
2
|
|
|
3
|
+
> **Before using a custom cryptographic implementation, read [Evaluating the risks](https://sgbett.github.io/secp256k1-native/risks/) — it examines what the empirical evidence says about rolling your own crypto and where this gem sits in that landscape.**
|
|
4
|
+
|
|
3
5
|
Pure native C secp256k1 implementation for Ruby (no libsecp256k1 dependency).
|
|
4
6
|
|
|
5
|
-
Provides secp256k1 elliptic curve cryptography for Ruby — field arithmetic, scalar operations, Jacobian point arithmetic, and constant-time scalar multiplication — via an optional native C extension. The gem ships a pure-Ruby base layer that works out of the box on any Ruby 2.7+ platform, with the C extension
|
|
7
|
+
Provides secp256k1 elliptic curve cryptography for Ruby — field arithmetic, scalar operations, Jacobian point arithmetic, and constant-time scalar multiplication — via an optional native C extension. The gem ships a pure-Ruby base layer that works out of the box on any Ruby 2.7+ platform, with the C extension providing constant-time guarantees and ~22x acceleration when available.
|
|
6
8
|
|
|
7
9
|
Used by the [bsv-ruby-sdk](https://github.com/sgbett/bsv-ruby-sdk) and suitable for any Ruby project requiring secp256k1 operations.
|
|
8
10
|
|
|
@@ -36,14 +38,14 @@ require 'secp256k1'
|
|
|
36
38
|
# Generator point
|
|
37
39
|
g = Secp256k1::Point.generator
|
|
38
40
|
|
|
39
|
-
# Scalar multiplication (
|
|
40
|
-
scalar = 0xdeadbeef
|
|
41
|
-
point = g.mul(scalar)
|
|
42
|
-
puts point.x.to_s(16)
|
|
43
|
-
|
|
44
|
-
# Constant-time scalar multiplication (for secret scalars)
|
|
41
|
+
# Scalar multiplication (constant-time by default — safe for all scalars)
|
|
45
42
|
secret = 0xcafebabe
|
|
46
|
-
pubkey = g.
|
|
43
|
+
pubkey = g.mul(secret)
|
|
44
|
+
puts pubkey.x.to_s(16)
|
|
45
|
+
|
|
46
|
+
# Variable-time scalar multiplication (faster, for public scalars only)
|
|
47
|
+
scalar = 0xdeadbeef
|
|
48
|
+
point = g.mul_vt(scalar)
|
|
47
49
|
|
|
48
50
|
# SEC1 encoding / decoding
|
|
49
51
|
compressed = pubkey.to_octet_string(:compressed) # 33 bytes
|
|
@@ -95,12 +97,12 @@ The wNAF loop and ECDSA/Schnorr logic remain in Ruby, calling native primitives
|
|
|
95
97
|
|
|
96
98
|
### Performance
|
|
97
99
|
|
|
98
|
-
| Mode |
|
|
99
|
-
|
|
100
|
-
| Pure Ruby |
|
|
101
|
-
|
|
|
100
|
+
| Mode | Sign (ops/sec) | Verify (ops/sec) |
|
|
101
|
+
|------|---------------|-----------------|
|
|
102
|
+
| Pure Ruby | 100 | 97 |
|
|
103
|
+
| C extension | 2,302 | 1,826 |
|
|
102
104
|
|
|
103
|
-
The extension provides
|
|
105
|
+
The C extension provides ~23× speedup for signing and ~19× for verification — but performance is secondary to security. The primary purpose of the C extension is to provide **hardware-level constant-time guarantees** that Ruby's variable-width `Integer` internals cannot offer. Users handling secret key material should evaluate whether the pure-Ruby implementation is appropriate for their threat model. See [docs/performance.md](docs/performance.md) for detailed analysis.
|
|
104
106
|
|
|
105
107
|
## Building the native extension
|
|
106
108
|
|
|
@@ -116,7 +118,7 @@ bundle exec rake compile
|
|
|
116
118
|
|
|
117
119
|
The compiled bundle is placed at `lib/secp256k1_native.bundle` (macOS) or `lib/secp256k1_native.so` (Linux).
|
|
118
120
|
|
|
119
|
-
`extconf.rb` checks for `__uint128_t` availability at configure time. If the type is absent, a no-op Makefile is generated and the extension is
|
|
121
|
+
`extconf.rb` checks for `__uint128_t` availability at configure time. If the type is absent, a no-op Makefile is generated and the extension is skipped. At runtime, `secp256k1.rb` wraps the `require` in a `rescue LoadError` — if the bundle is absent, the pure-Ruby implementation is used for public-scalar operations. Constant-time operations (`mul_ct`) will raise `InsecureOperationError` unless explicitly allowed via `SECP256K1_ALLOW_PURE_RUBY_CT=1` or `Secp256k1.allow_pure_ruby_ct!`.
|
|
120
122
|
|
|
121
123
|
## Running tests
|
|
122
124
|
|
|
@@ -24,9 +24,12 @@
|
|
|
24
24
|
* ------------------------
|
|
25
25
|
* jp_double: The Y=0 (point at infinity) check is handled branchlessly by
|
|
26
26
|
* computing the full result and masking to JP_INFINITY when Y is zero.
|
|
27
|
-
* jp_add:
|
|
28
|
-
*
|
|
29
|
-
*
|
|
27
|
+
* jp_add: Fully branchless. All 18 field operations for the normal case
|
|
28
|
+
* are computed unconditionally, along with an unconditional jp_double for
|
|
29
|
+
* the h==0 (equal points) case. Mask-based selects choose the correct
|
|
30
|
+
* result (normal, double, infinity, or passthrough) without branching on
|
|
31
|
+
* any input-dependent value. This is essential for constant-time scalar
|
|
32
|
+
* multiplication via the Montgomery ladder.
|
|
30
33
|
* jp_neg: Branchless — delegates the zero-checking to fneg_internal.
|
|
31
34
|
*/
|
|
32
35
|
|
|
@@ -138,7 +141,7 @@ void jp_double_internal(uint256_t r[3], const uint256_t p[3])
|
|
|
138
141
|
}
|
|
139
142
|
|
|
140
143
|
/*
|
|
141
|
-
* jp_add_internal — add two Jacobian points.
|
|
144
|
+
* jp_add_internal — add two Jacobian points (branchless).
|
|
142
145
|
*
|
|
143
146
|
* Formula (from hyperelliptic.org, "add-2007-bl"):
|
|
144
147
|
*
|
|
@@ -153,27 +156,41 @@ void jp_double_internal(uint256_t r[3], const uint256_t p[3])
|
|
|
153
156
|
* Y3 = R·(V - X3) - S1·H3
|
|
154
157
|
* Z3 = H·Z1·Z2
|
|
155
158
|
*
|
|
156
|
-
* Special cases (handled
|
|
157
|
-
* - pz == 0 (p is infinity) →
|
|
158
|
-
* - qz == 0 (q is infinity) →
|
|
159
|
-
* - h == 0, r == 0 → points are equal
|
|
160
|
-
* - h == 0, r != 0 → points are negatives
|
|
161
|
-
*
|
|
162
|
-
*
|
|
159
|
+
* Special cases (handled branchlessly via mask-based selects):
|
|
160
|
+
* - pz == 0 (p is infinity) → result = q
|
|
161
|
+
* - qz == 0 (q is infinity) → result = p
|
|
162
|
+
* - h == 0, r == 0 → points are equal → jp_double(p)
|
|
163
|
+
* - h == 0, r != 0 → points are negatives → infinity
|
|
164
|
+
*
|
|
165
|
+
* All field operations and the jp_double call are computed unconditionally.
|
|
166
|
+
* The correct result is chosen at the end via uint256_select, ensuring
|
|
167
|
+
* constant-time execution for the Montgomery ladder in scalar_multiply_ct.
|
|
168
|
+
*
|
|
169
|
+
* When h==0, the main path computes with h2=0, h3=0, z3=0 — well-defined
|
|
170
|
+
* field elements (no undefined behaviour), just mathematically meaningless.
|
|
171
|
+
* The mask-based selects override with the correct result.
|
|
172
|
+
*
|
|
173
|
+
* Selection order (later overrides earlier):
|
|
174
|
+
* 1. Start with normal addition result
|
|
175
|
+
* 2. If h==0 && r_val==0: select jp_double result (equal points)
|
|
176
|
+
* 3. If h==0 && r_val!=0: select infinity (negated points)
|
|
177
|
+
* 4. If qz==0: select p (q was infinity)
|
|
178
|
+
* 5. If pz==0: select q (p was infinity)
|
|
163
179
|
*/
|
|
164
180
|
void jp_add_internal(uint256_t r[3], const uint256_t p[3], const uint256_t q[3])
|
|
165
181
|
{
|
|
166
|
-
/*
|
|
167
|
-
*
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
182
|
+
/* Save copies of inputs for the final mask-based selects, since r may
|
|
183
|
+
* alias p or q (e.g. jp_add_internal(r1, r0, r1) in the Montgomery ladder).
|
|
184
|
+
* Writing the normal result into r[] would corrupt the source otherwise. */
|
|
185
|
+
uint256_t p_copy[3], q_copy[3];
|
|
186
|
+
memcpy(p_copy, p, sizeof(uint256_t) * 3);
|
|
187
|
+
memcpy(q_copy, q, sizeof(uint256_t) * 3);
|
|
188
|
+
|
|
189
|
+
/* 1. Capture input-dependent flags (evaluated once, used only in selects). */
|
|
190
|
+
uint64_t pz_zero = uint256_is_zero(&p[2]);
|
|
191
|
+
uint64_t qz_zero = uint256_is_zero(&q[2]);
|
|
192
|
+
|
|
193
|
+
/* 2. Compute all 18 field operations unconditionally. */
|
|
177
194
|
uint256_t z1z1, z2z2;
|
|
178
195
|
uint256_t u1, u2;
|
|
179
196
|
uint256_t s1, s2;
|
|
@@ -199,21 +216,8 @@ void jp_add_internal(uint256_t r[3], const uint256_t p[3], const uint256_t q[3])
|
|
|
199
216
|
fsub_internal(&h, &u2, &u1);
|
|
200
217
|
fsub_internal(&r_val, &s2, &s1);
|
|
201
218
|
|
|
202
|
-
/*
|
|
203
|
-
* h
|
|
204
|
-
* r == 0 additionally means the same Y → equal points → double.
|
|
205
|
-
* r != 0 means opposite Y → additive inverse → infinity. */
|
|
206
|
-
if (uint256_is_zero(&h)) {
|
|
207
|
-
if (uint256_is_zero(&r_val)) {
|
|
208
|
-
jp_double_internal(r, p);
|
|
209
|
-
} else {
|
|
210
|
-
r[0] = JP_INF_X;
|
|
211
|
-
r[1] = JP_INF_Y;
|
|
212
|
-
r[2] = JP_INF_Z;
|
|
213
|
-
}
|
|
214
|
-
return;
|
|
215
|
-
}
|
|
216
|
-
|
|
219
|
+
/* 3. Remaining field ops for the normal addition path.
|
|
220
|
+
* When h==0 these produce h2=0, h3=0, z3=0 — valid field elements. */
|
|
217
221
|
uint256_t h2, h3, v, x3, y3, z3;
|
|
218
222
|
|
|
219
223
|
/* h2 = h², h3 = h * h2 */
|
|
@@ -241,9 +245,48 @@ void jp_add_internal(uint256_t r[3], const uint256_t p[3], const uint256_t q[3])
|
|
|
241
245
|
fmul_internal(&tmp, &p[2], &q[2]);
|
|
242
246
|
fmul_internal(&z3, &h, &tmp);
|
|
243
247
|
|
|
248
|
+
/* 4. Compute jp_double unconditionally for the h==0 && r_val==0 case.
|
|
249
|
+
* Uses p_copy since r may alias p. */
|
|
250
|
+
uint256_t dbl[3];
|
|
251
|
+
jp_double_internal(dbl, p_copy);
|
|
252
|
+
|
|
253
|
+
/* 5. Capture remaining flags for mask-based selection. */
|
|
254
|
+
uint64_t h_zero = uint256_is_zero(&h);
|
|
255
|
+
uint64_t r_zero = uint256_is_zero(&r_val);
|
|
256
|
+
|
|
257
|
+
/* 6. Branchless result selection — order matters (later overrides earlier).
|
|
258
|
+
*
|
|
259
|
+
* Start with the normal addition result, then overlay special cases.
|
|
260
|
+
* Each uint256_select replaces r[i] only when the flag is non-zero. */
|
|
261
|
+
|
|
262
|
+
/* Start with normal addition result. */
|
|
244
263
|
r[0] = x3;
|
|
245
264
|
r[1] = y3;
|
|
246
265
|
r[2] = z3;
|
|
266
|
+
|
|
267
|
+
/* If h==0 && r_val==0: points are equal → use jp_double result. */
|
|
268
|
+
uint64_t select_dbl = h_zero & r_zero;
|
|
269
|
+
uint256_select(&r[0], &r[0], &dbl[0], select_dbl);
|
|
270
|
+
uint256_select(&r[1], &r[1], &dbl[1], select_dbl);
|
|
271
|
+
uint256_select(&r[2], &r[2], &dbl[2], select_dbl);
|
|
272
|
+
|
|
273
|
+
/* If h==0 && r_val!=0: points are negatives → result is infinity. */
|
|
274
|
+
uint64_t select_inf = h_zero & (~r_zero & 1);
|
|
275
|
+
uint256_select(&r[0], &r[0], &JP_INF_X, select_inf);
|
|
276
|
+
uint256_select(&r[1], &r[1], &JP_INF_Y, select_inf);
|
|
277
|
+
uint256_select(&r[2], &r[2], &JP_INF_Z, select_inf);
|
|
278
|
+
|
|
279
|
+
/* If qz==0: q was infinity → result is p.
|
|
280
|
+
* Uses p_copy since r may alias p. */
|
|
281
|
+
uint256_select(&r[0], &r[0], &p_copy[0], qz_zero);
|
|
282
|
+
uint256_select(&r[1], &r[1], &p_copy[1], qz_zero);
|
|
283
|
+
uint256_select(&r[2], &r[2], &p_copy[2], qz_zero);
|
|
284
|
+
|
|
285
|
+
/* If pz==0: p was infinity → result is q.
|
|
286
|
+
* Uses q_copy since r may alias q. */
|
|
287
|
+
uint256_select(&r[0], &r[0], &q_copy[0], pz_zero);
|
|
288
|
+
uint256_select(&r[1], &r[1], &q_copy[1], pz_zero);
|
|
289
|
+
uint256_select(&r[2], &r[2], &q_copy[2], pz_zero);
|
|
247
290
|
}
|
|
248
291
|
|
|
249
292
|
/*
|
|
@@ -399,11 +442,10 @@ void scalar_multiply_ct_internal(uint256_t r[3], const uint256_t *k, const uint2
|
|
|
399
442
|
* Constant-time scalar multiplication using the Montgomery ladder.
|
|
400
443
|
*
|
|
401
444
|
* Computes k × (px, py) entirely in C with no per-iteration Ruby dispatch.
|
|
402
|
-
* The ladder loop is branchless with respect to the scalar bits (via cswap)
|
|
403
|
-
*
|
|
404
|
-
*
|
|
405
|
-
*
|
|
406
|
-
* never a valid private key or nonce).
|
|
445
|
+
* The ladder loop is branchless with respect to the scalar bits (via cswap),
|
|
446
|
+
* and jp_add_internal is fully branchless (mask-based selects for all
|
|
447
|
+
* input-dependent special cases). The k==0 early return is on a non-secret
|
|
448
|
+
* value (k==0 is never a valid private key or nonce).
|
|
407
449
|
*
|
|
408
450
|
* @param k [Integer] scalar (must be in [0, N))
|
|
409
451
|
* @param px [Integer] affine x-coordinate of the base point
|
|
@@ -103,6 +103,21 @@ void scalar_inv_internal(uint256_t *r, const uint256_t *a);
|
|
|
103
103
|
/* Registration helper — called from Init_secp256k1_native. */
|
|
104
104
|
void register_scalar_methods(VALUE mod);
|
|
105
105
|
|
|
106
|
+
/* -----------------------------------------------------------------------
|
|
107
|
+
* Branchless selection helper
|
|
108
|
+
* ----------------------------------------------------------------------- */
|
|
109
|
+
|
|
110
|
+
/* Branchless conditional select: if flag is non-zero, *r = *b; else *r = *a.
|
|
111
|
+
* Constant-time: no branch on flag. */
|
|
112
|
+
static inline void uint256_select(uint256_t *r, const uint256_t *a,
|
|
113
|
+
const uint256_t *b, uint64_t flag) {
|
|
114
|
+
uint64_t mask = -(uint64_t)(flag != 0);
|
|
115
|
+
r->d[0] = (a->d[0] & ~mask) | (b->d[0] & mask);
|
|
116
|
+
r->d[1] = (a->d[1] & ~mask) | (b->d[1] & mask);
|
|
117
|
+
r->d[2] = (a->d[2] & ~mask) | (b->d[2] & mask);
|
|
118
|
+
r->d[3] = (a->d[3] & ~mask) | (b->d[3] & mask);
|
|
119
|
+
}
|
|
120
|
+
|
|
106
121
|
/* -----------------------------------------------------------------------
|
|
107
122
|
* Jacobian point operations — internal functions declared here so that
|
|
108
123
|
* future modules (e.g. a scalar multiply module) can call them directly
|
data/lib/secp256k1/version.rb
CHANGED
data/lib/secp256k1.rb
CHANGED
|
@@ -19,6 +19,32 @@ require_relative 'secp256k1/version'
|
|
|
19
19
|
# All field operations work on plain Ruby +Integer+ values (arbitrary
|
|
20
20
|
# precision, C-backed in MRI). No external gems required.
|
|
21
21
|
module Secp256k1
|
|
22
|
+
# Raised when a constant-time operation is attempted without the native
|
|
23
|
+
# C extension loaded. The pure-Ruby implementation cannot guarantee
|
|
24
|
+
# constant-time execution due to interpreter-introduced timing variability.
|
|
25
|
+
class InsecureOperationError < SecurityError; end
|
|
26
|
+
|
|
27
|
+
# Whether the native C extension is loaded and active.
|
|
28
|
+
#
|
|
29
|
+
# @return [Boolean]
|
|
30
|
+
def self.native?
|
|
31
|
+
@native == true
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
# Explicitly allow constant-time operations in pure-Ruby mode.
|
|
35
|
+
# Call this only after evaluating the risks documented in docs/risks.md.
|
|
36
|
+
def self.allow_pure_ruby_ct!
|
|
37
|
+
@allow_pure_ruby_ct = true
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
# @api private
|
|
41
|
+
def self.pure_ruby_ct_allowed?
|
|
42
|
+
@allow_pure_ruby_ct || ENV.key?('SECP256K1_ALLOW_PURE_RUBY_CT')
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
@native = false
|
|
46
|
+
@allow_pure_ruby_ct = false
|
|
47
|
+
|
|
22
48
|
# The secp256k1 field prime: p = 2^256 - 2^32 - 977
|
|
23
49
|
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
|
|
24
50
|
|
|
@@ -510,41 +536,58 @@ module Secp256k1
|
|
|
510
536
|
end
|
|
511
537
|
end
|
|
512
538
|
|
|
513
|
-
# Scalar multiplication: self * scalar (
|
|
539
|
+
# Scalar multiplication: self * scalar (constant-time, Montgomery ladder).
|
|
540
|
+
#
|
|
541
|
+
# Processes all 256 bits unconditionally so execution time does not
|
|
542
|
+
# depend on the scalar value. Safe for both secret and public scalars.
|
|
543
|
+
# This is the default because the safe path should be the easy path.
|
|
514
544
|
#
|
|
515
|
-
#
|
|
516
|
-
#
|
|
545
|
+
# For performance-critical public-scalar paths (e.g. batch verification)
|
|
546
|
+
# where constant-time is unnecessary, use {#mul_vt}.
|
|
547
|
+
#
|
|
548
|
+
# Raises {InsecureOperationError} if the native C extension is not loaded,
|
|
549
|
+
# unless explicitly allowed via {Secp256k1.allow_pure_ruby_ct!} or the
|
|
550
|
+
# +SECP256K1_ALLOW_PURE_RUBY_CT+ environment variable.
|
|
517
551
|
#
|
|
518
552
|
# @param scalar [Integer] the scalar multiplier
|
|
519
553
|
# @return [Point] the resulting point
|
|
520
554
|
def mul(scalar)
|
|
555
|
+
unless Secp256k1.native? || Secp256k1.pure_ruby_ct_allowed?
|
|
556
|
+
raise Secp256k1::InsecureOperationError,
|
|
557
|
+
'mul requires the native C extension for constant-time guarantees. ' \
|
|
558
|
+
'Set SECP256K1_ALLOW_PURE_RUBY_CT=1 or call Secp256k1.allow_pure_ruby_ct! to override.'
|
|
559
|
+
end
|
|
560
|
+
|
|
521
561
|
return self.class.infinity if scalar.zero? || infinity?
|
|
522
562
|
|
|
523
563
|
scalar %= N
|
|
524
564
|
return self.class.infinity if scalar.zero?
|
|
525
565
|
|
|
526
|
-
jp = Secp256k1.
|
|
566
|
+
jp = Secp256k1.scalar_multiply_ct(scalar, @x, @y)
|
|
527
567
|
affine = Secp256k1.jp_to_affine(jp)
|
|
528
568
|
return self.class.infinity if affine.nil?
|
|
529
569
|
|
|
530
570
|
self.class.new(affine[0], affine[1])
|
|
531
571
|
end
|
|
532
572
|
|
|
533
|
-
#
|
|
573
|
+
# @deprecated Use {#mul} instead. Alias retained for backward compatibility.
|
|
574
|
+
alias mul_ct mul
|
|
575
|
+
|
|
576
|
+
# Variable-time scalar multiplication: self * scalar (wNAF).
|
|
534
577
|
#
|
|
535
|
-
#
|
|
536
|
-
#
|
|
537
|
-
#
|
|
578
|
+
# Faster than {#mul} but leaks timing information about the scalar.
|
|
579
|
+
# Use only when the scalar is public (e.g. signature verification,
|
|
580
|
+
# computing known generator multiples). Never use with secret scalars.
|
|
538
581
|
#
|
|
539
|
-
# @param scalar [Integer] the
|
|
582
|
+
# @param scalar [Integer] the public scalar multiplier
|
|
540
583
|
# @return [Point] the resulting point
|
|
541
|
-
def
|
|
584
|
+
def mul_vt(scalar)
|
|
542
585
|
return self.class.infinity if scalar.zero? || infinity?
|
|
543
586
|
|
|
544
587
|
scalar %= N
|
|
545
588
|
return self.class.infinity if scalar.zero?
|
|
546
589
|
|
|
547
|
-
jp = Secp256k1.
|
|
590
|
+
jp = Secp256k1.scalar_multiply_wnaf(scalar, @x, @y)
|
|
548
591
|
affine = Secp256k1.jp_to_affine(jp)
|
|
549
592
|
return self.class.infinity if affine.nil?
|
|
550
593
|
|
|
@@ -619,8 +662,13 @@ module Secp256k1
|
|
|
619
662
|
jp_double jp_add jp_neg scalar_multiply_ct].each do |m|
|
|
620
663
|
singleton_class.define_method(m, Secp256k1Native.method(m).to_proc)
|
|
621
664
|
end
|
|
665
|
+
|
|
666
|
+
@native = true
|
|
622
667
|
rescue LoadError
|
|
623
|
-
# Extension not compiled — pure-Ruby fallback
|
|
668
|
+
# Extension not compiled — pure-Ruby fallback.
|
|
669
|
+
warn '[secp256k1-native] Native C extension not loaded — falling back to pure Ruby. ' \
|
|
670
|
+
'Constant-time operations (mul_ct) will raise unless explicitly allowed. ' \
|
|
671
|
+
'See: https://sgbett.github.io/secp256k1-native/risks/'
|
|
624
672
|
end
|
|
625
673
|
end
|
|
626
674
|
# rubocop:enable Naming/MethodParameterName, Metrics/ModuleLength
|
data/lib/secp256k1_native.bundle
CHANGED
|
Binary file
|