secp256k1-native 0.15.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3721e2220de6d65f6bda10fe26a47bd2eaa248ba5d645caf70a0e40901720268
4
- data.tar.gz: e07a7c79de6e4055581fd4a009dd48c375f7deb722bd2a18f5b99e9c444341ef
3
+ metadata.gz: b6a8b3524bbf944accbd5ee819c3623ce7495829d30b280fb29a905e43dcf52b
4
+ data.tar.gz: a0204b6cf5b4c37447d63e29425086320642cb881b9c107847a00111b4d07373
5
5
  SHA512:
6
- metadata.gz: a5b109ef38d0589630ac73eab3ff5b910e2592926fe949aea7c12c4b9285dc94242ebfb449075276666806c659c32e7366cd61e3f43bb3bbd6a12d848ec12330
7
- data.tar.gz: 4298a51739c11a6a5d01231fcf9274f1bfcdd7a93518b2920c255b8361f10bdf25c5e0c85e2c080a11380c55f4382b6980cc7a90d0eaab6f2f06b518c64da91f
6
+ metadata.gz: 7f0a0fd90e016a83ef50ce79f4d70c058524ae47d008992edb6250b12363ebf6c12397376da0ae6978592d9bf9a5ea05038765384f5379aba537503af9fc2b54
7
+ data.tar.gz: e22b4b04332c215353bfaf38f45eb03825fc9d1012a926e0c4da2369fbdc9c39bb305e3faecd69a9c476755f6c67872570d492c8531b93e0e9edaa6e7bd61872
data/CHANGELOG.md CHANGED
@@ -1,5 +1,45 @@
1
1
  # Changelog
2
2
 
3
+ ## [0.17.0] - 2026-05-01
4
+
5
+ ### Added
6
+
7
+ - Dudect-based constant-time verification harness (`rake timing:verify`) — empirical timing leakage detection using Welch's t-test for all constant-time C extension functions
8
+ - Cryptographic development principles codified in CLAUDE.md — seven principles governing all development decisions
9
+ - Property-based testing suite (field arithmetic, scalar arithmetic, point operations, cross-implementation parity)
10
+ - GitHub Actions CI workflow for Ruby 2.7–3.4 matrix
11
+ - Security findings disclosure process
12
+
13
+ ### Fixed
14
+
15
+ - **Timing side-channel in `scalar_multiply_ct`** — `jp_add_internal` had early-return branches on infinity checks that leaked timing information about the secret scalar inside the Montgomery ladder (dudect t = -875). Made `jp_add_internal` fully branchless with mask-based conditional selection. Verified fix via dudect (t = 1.0)
16
+
17
+ ### Changed
18
+
19
+ - Field arithmetic (`fred`, `fsub`, `fneg`, `fadd`) constant-time properties now empirically verified via dudect, not just code inspection
20
+
21
+ ## [0.16.0] - 2026-04-29
22
+
23
+ ### Breaking Changes
24
+
25
+ - `Point#mul` is now constant-time (Montgomery ladder) by default, matching OpenSSL behaviour. The previous variable-time wNAF implementation is available as `Point#mul_vt`
26
+ - `Point#mul` raises `InsecureOperationError` without the native C extension unless explicitly allowed via `SECP256K1_ALLOW_PURE_RUBY_CT=1` or `Secp256k1.allow_pure_ruby_ct!`
27
+
28
+ ### Added
29
+
30
+ - `Point#mul_vt` for explicit variable-time scalar multiplication (public scalars only)
31
+ - `Secp256k1.native?` to check whether the C extension is loaded
32
+ - `Secp256k1.allow_pure_ruby_ct!` and `SECP256K1_ALLOW_PURE_RUBY_CT` env var for opting in to pure-Ruby constant-time operations
33
+ - Evidence-based risk assessment documentation (`docs/risks.md`)
34
+ - MkDocs site with GitHub Pages automation
35
+ - YARD-generated API reference
36
+
37
+ ### Changed
38
+
39
+ - `Point#mul_ct` is now a deprecated alias for `Point#mul`
40
+ - Licence changed from Open BSV License to MIT
41
+ - Documentation reorganised into focused documents (architecture, security, performance, design rationale)
42
+
3
43
  ## [0.15.0] - 2026-04-27
4
44
 
5
45
  ### Added
data/README.md CHANGED
@@ -1,8 +1,10 @@
1
1
  # secp256k1-native
2
2
 
3
+ > **Before using a custom cryptographic implementation, read [Evaluating the risks](https://sgbett.github.io/secp256k1-native/risks/) — it examines what the empirical evidence says about rolling your own crypto and where this gem sits in that landscape.**
4
+
3
5
  Pure native C secp256k1 implementation for Ruby (no libsecp256k1 dependency).
4
6
 
5
- Provides secp256k1 elliptic curve cryptography for Ruby — field arithmetic, scalar operations, Jacobian point arithmetic, and constant-time scalar multiplication — via an optional native C extension. The gem ships a pure-Ruby base layer that works out of the box on any Ruby 2.7+ platform, with the C extension as an optional accelerator (~22× speedup) that is silently skipped when unavailable.
7
+ Provides secp256k1 elliptic curve cryptography for Ruby — field arithmetic, scalar operations, Jacobian point arithmetic, and constant-time scalar multiplication — via an optional native C extension. The gem ships a pure-Ruby base layer that works out of the box on any Ruby 2.7+ platform, with the C extension providing constant-time guarantees and ~22x acceleration when available.
6
8
 
7
9
  Used by the [bsv-ruby-sdk](https://github.com/sgbett/bsv-ruby-sdk) and suitable for any Ruby project requiring secp256k1 operations.
8
10
 
@@ -36,14 +38,14 @@ require 'secp256k1'
36
38
  # Generator point
37
39
  g = Secp256k1::Point.generator
38
40
 
39
- # Scalar multiplication (variable-time, for public scalars)
40
- scalar = 0xdeadbeef
41
- point = g.mul(scalar)
42
- puts point.x.to_s(16)
43
-
44
- # Constant-time scalar multiplication (for secret scalars)
41
+ # Scalar multiplication (constant-time by default — safe for all scalars)
45
42
  secret = 0xcafebabe
46
- pubkey = g.mul_ct(secret)
43
+ pubkey = g.mul(secret)
44
+ puts pubkey.x.to_s(16)
45
+
46
+ # Variable-time scalar multiplication (faster, for public scalars only)
47
+ scalar = 0xdeadbeef
48
+ point = g.mul_vt(scalar)
47
49
 
48
50
  # SEC1 encoding / decoding
49
51
  compressed = pubkey.to_octet_string(:compressed) # 33 bytes
@@ -95,12 +97,12 @@ The wNAF loop and ECDSA/Schnorr logic remain in Ruby, calling native primitives
95
97
 
96
98
  ### Performance
97
99
 
98
- | Mode | Operations/sec (scalar multiplication) |
99
- |---|---|
100
- | Pure Ruby | ~100 |
101
- | Native C extension | ~2,277 |
100
+ | Mode | Sign (ops/sec) | Verify (ops/sec) |
101
+ |------|---------------|-----------------|
102
+ | Pure Ruby | 100 | 97 |
103
+ | C extension | 2,302 | 1,826 |
102
104
 
103
- The extension provides approximately 22× speedup for scalar multiplication — the dominant cost in signing, public key derivation, and Schnorr proof generation.
105
+ The C extension provides ~23× speedup for signing and ~19× for verification but performance is secondary to security. The primary purpose of the C extension is to provide **hardware-level constant-time guarantees** that Ruby's variable-width `Integer` internals cannot offer. Users handling secret key material should evaluate whether the pure-Ruby implementation is appropriate for their threat model. See [docs/performance.md](docs/performance.md) for detailed analysis.
104
106
 
105
107
  ## Building the native extension
106
108
 
@@ -116,7 +118,7 @@ bundle exec rake compile
116
118
 
117
119
  The compiled bundle is placed at `lib/secp256k1_native.bundle` (macOS) or `lib/secp256k1_native.so` (Linux).
118
120
 
119
- `extconf.rb` checks for `__uint128_t` availability at configure time. If the type is absent, a no-op Makefile is generated and the extension is silently skipped. At runtime, `secp256k1.rb` wraps the `require` in a `rescue LoadError` — if the bundle is absent, the pure-Ruby implementation is used without any error.
121
+ `extconf.rb` checks for `__uint128_t` availability at configure time. If the type is absent, a no-op Makefile is generated and the extension is skipped. At runtime, `secp256k1.rb` wraps the `require` in a `rescue LoadError` — if the bundle is absent, the pure-Ruby implementation is used for public-scalar operations. Constant-time operations (`mul_ct`) will raise `InsecureOperationError` unless explicitly allowed via `SECP256K1_ALLOW_PURE_RUBY_CT=1` or `Secp256k1.allow_pure_ruby_ct!`.
120
122
 
121
123
  ## Running tests
122
124
 
@@ -24,9 +24,12 @@
24
24
  * ------------------------
25
25
  * jp_double: The Y=0 (point at infinity) check is handled branchlessly by
26
26
  * computing the full result and masking to JP_INFINITY when Y is zero.
27
- * jp_add: Branches on pz==0 / qz==0 / h==0 operate on public data in all
28
- * call paths (the wNAF accumulator starts at infinity, which is public).
29
- * The field arithmetic within the main computation path is branchless.
27
+ * jp_add: Fully branchless. All 18 field operations for the normal case
28
+ * are computed unconditionally, along with an unconditional jp_double for
29
+ * the h==0 (equal points) case. Mask-based selects choose the correct
30
+ * result (normal, double, infinity, or passthrough) without branching on
31
+ * any input-dependent value. This is essential for constant-time scalar
32
+ * multiplication via the Montgomery ladder.
30
33
  * jp_neg: Branchless — delegates the zero-checking to fneg_internal.
31
34
  */
32
35
 
@@ -138,7 +141,7 @@ void jp_double_internal(uint256_t r[3], const uint256_t p[3])
138
141
  }
139
142
 
140
143
  /*
141
- * jp_add_internal — add two Jacobian points.
144
+ * jp_add_internal — add two Jacobian points (branchless).
142
145
  *
143
146
  * Formula (from hyperelliptic.org, "add-2007-bl"):
144
147
  *
@@ -153,27 +156,41 @@ void jp_double_internal(uint256_t r[3], const uint256_t p[3])
153
156
  * Y3 = R·(V - X3) - S1·H3
154
157
  * Z3 = H·Z1·Z2
155
158
  *
156
- * Special cases (handled with branches all operate on public data):
157
- * - pz == 0 (p is infinity) → return q
158
- * - qz == 0 (q is infinity) → return p
159
- * - h == 0, r == 0 → points are equal, call jp_double_internal(p)
160
- * - h == 0, r != 0 → points are negatives of each other → infinity
161
- *
162
- * Matches the Ruby jp_add implementation exactly.
159
+ * Special cases (handled branchlessly via mask-based selects):
160
+ * - pz == 0 (p is infinity) → result = q
161
+ * - qz == 0 (q is infinity) → result = p
162
+ * - h == 0, r == 0 → points are equal jp_double(p)
163
+ * - h == 0, r != 0 → points are negatives → infinity
164
+ *
165
+ * All field operations and the jp_double call are computed unconditionally.
166
+ * The correct result is chosen at the end via uint256_select, ensuring
167
+ * constant-time execution for the Montgomery ladder in scalar_multiply_ct.
168
+ *
169
+ * When h==0, the main path computes with h2=0, h3=0, z3=0 — well-defined
170
+ * field elements (no undefined behaviour), just mathematically meaningless.
171
+ * The mask-based selects override with the correct result.
172
+ *
173
+ * Selection order (later overrides earlier):
174
+ * 1. Start with normal addition result
175
+ * 2. If h==0 && r_val==0: select jp_double result (equal points)
176
+ * 3. If h==0 && r_val!=0: select infinity (negated points)
177
+ * 4. If qz==0: select p (q was infinity)
178
+ * 5. If pz==0: select q (p was infinity)
163
179
  */
164
180
  void jp_add_internal(uint256_t r[3], const uint256_t p[3], const uint256_t q[3])
165
181
  {
166
- /* Handle point-at-infinity cases (pz == 0 or qz == 0).
167
- * These branch on public data (Z coordinates are public in all call paths). */
168
- if (uint256_is_zero(&p[2])) {
169
- r[0] = q[0]; r[1] = q[1]; r[2] = q[2];
170
- return;
171
- }
172
- if (uint256_is_zero(&q[2])) {
173
- r[0] = p[0]; r[1] = p[1]; r[2] = p[2];
174
- return;
175
- }
176
-
182
+ /* Save copies of inputs for the final mask-based selects, since r may
183
+ * alias p or q (e.g. jp_add_internal(r1, r0, r1) in the Montgomery ladder).
184
+ * Writing the normal result into r[] would corrupt the source otherwise. */
185
+ uint256_t p_copy[3], q_copy[3];
186
+ memcpy(p_copy, p, sizeof(uint256_t) * 3);
187
+ memcpy(q_copy, q, sizeof(uint256_t) * 3);
188
+
189
+ /* 1. Capture input-dependent flags (evaluated once, used only in selects). */
190
+ uint64_t pz_zero = uint256_is_zero(&p[2]);
191
+ uint64_t qz_zero = uint256_is_zero(&q[2]);
192
+
193
+ /* 2. Compute all 18 field operations unconditionally. */
177
194
  uint256_t z1z1, z2z2;
178
195
  uint256_t u1, u2;
179
196
  uint256_t s1, s2;
@@ -199,21 +216,8 @@ void jp_add_internal(uint256_t r[3], const uint256_t p[3], const uint256_t q[3])
199
216
  fsub_internal(&h, &u2, &u1);
200
217
  fsub_internal(&r_val, &s2, &s1);
201
218
 
202
- /* Handle the h == 0 special cases.
203
- * h == 0 means the points have the same X (in affine).
204
- * r == 0 additionally means the same Y → equal points → double.
205
- * r != 0 means opposite Y → additive inverse → infinity. */
206
- if (uint256_is_zero(&h)) {
207
- if (uint256_is_zero(&r_val)) {
208
- jp_double_internal(r, p);
209
- } else {
210
- r[0] = JP_INF_X;
211
- r[1] = JP_INF_Y;
212
- r[2] = JP_INF_Z;
213
- }
214
- return;
215
- }
216
-
219
+ /* 3. Remaining field ops for the normal addition path.
220
+ * When h==0 these produce h2=0, h3=0, z3=0 valid field elements. */
217
221
  uint256_t h2, h3, v, x3, y3, z3;
218
222
 
219
223
  /* h2 = h², h3 = h * h2 */
@@ -241,9 +245,48 @@ void jp_add_internal(uint256_t r[3], const uint256_t p[3], const uint256_t q[3])
241
245
  fmul_internal(&tmp, &p[2], &q[2]);
242
246
  fmul_internal(&z3, &h, &tmp);
243
247
 
248
+ /* 4. Compute jp_double unconditionally for the h==0 && r_val==0 case.
249
+ * Uses p_copy since r may alias p. */
250
+ uint256_t dbl[3];
251
+ jp_double_internal(dbl, p_copy);
252
+
253
+ /* 5. Capture remaining flags for mask-based selection. */
254
+ uint64_t h_zero = uint256_is_zero(&h);
255
+ uint64_t r_zero = uint256_is_zero(&r_val);
256
+
257
+ /* 6. Branchless result selection — order matters (later overrides earlier).
258
+ *
259
+ * Start with the normal addition result, then overlay special cases.
260
+ * Each uint256_select replaces r[i] only when the flag is non-zero. */
261
+
262
+ /* Start with normal addition result. */
244
263
  r[0] = x3;
245
264
  r[1] = y3;
246
265
  r[2] = z3;
266
+
267
+ /* If h==0 && r_val==0: points are equal → use jp_double result. */
268
+ uint64_t select_dbl = h_zero & r_zero;
269
+ uint256_select(&r[0], &r[0], &dbl[0], select_dbl);
270
+ uint256_select(&r[1], &r[1], &dbl[1], select_dbl);
271
+ uint256_select(&r[2], &r[2], &dbl[2], select_dbl);
272
+
273
+ /* If h==0 && r_val!=0: points are negatives → result is infinity. */
274
+ uint64_t select_inf = h_zero & (~r_zero & 1);
275
+ uint256_select(&r[0], &r[0], &JP_INF_X, select_inf);
276
+ uint256_select(&r[1], &r[1], &JP_INF_Y, select_inf);
277
+ uint256_select(&r[2], &r[2], &JP_INF_Z, select_inf);
278
+
279
+ /* If qz==0: q was infinity → result is p.
280
+ * Uses p_copy since r may alias p. */
281
+ uint256_select(&r[0], &r[0], &p_copy[0], qz_zero);
282
+ uint256_select(&r[1], &r[1], &p_copy[1], qz_zero);
283
+ uint256_select(&r[2], &r[2], &p_copy[2], qz_zero);
284
+
285
+ /* If pz==0: p was infinity → result is q.
286
+ * Uses q_copy since r may alias q. */
287
+ uint256_select(&r[0], &r[0], &q_copy[0], pz_zero);
288
+ uint256_select(&r[1], &r[1], &q_copy[1], pz_zero);
289
+ uint256_select(&r[2], &r[2], &q_copy[2], pz_zero);
247
290
  }
248
291
 
249
292
  /*
@@ -399,11 +442,10 @@ void scalar_multiply_ct_internal(uint256_t r[3], const uint256_t *k, const uint2
399
442
  * Constant-time scalar multiplication using the Montgomery ladder.
400
443
  *
401
444
  * Computes k × (px, py) entirely in C with no per-iteration Ruby dispatch.
402
- * The ladder loop is branchless with respect to the scalar bits (via cswap).
403
- * Note: jp_add_internal still branches on infinity/collision edge cases,
404
- * so full constant-time depends on the point operations being hardened
405
- * separately. The k==0 early return is on a non-secret value (k==0 is
406
- * never a valid private key or nonce).
445
+ * The ladder loop is branchless with respect to the scalar bits (via cswap),
446
+ * and jp_add_internal is fully branchless (mask-based selects for all
447
+ * input-dependent special cases). The k==0 early return is on a non-secret
448
+ * value (k==0 is never a valid private key or nonce).
407
449
  *
408
450
  * @param k [Integer] scalar (must be in [0, N))
409
451
  * @param px [Integer] affine x-coordinate of the base point
@@ -103,6 +103,21 @@ void scalar_inv_internal(uint256_t *r, const uint256_t *a);
103
103
  /* Registration helper — called from Init_secp256k1_native. */
104
104
  void register_scalar_methods(VALUE mod);
105
105
 
106
+ /* -----------------------------------------------------------------------
107
+ * Branchless selection helper
108
+ * ----------------------------------------------------------------------- */
109
+
110
+ /* Branchless conditional select: if flag is non-zero, *r = *b; else *r = *a.
111
+ * Constant-time: no branch on flag. */
112
+ static inline void uint256_select(uint256_t *r, const uint256_t *a,
113
+ const uint256_t *b, uint64_t flag) {
114
+ uint64_t mask = -(uint64_t)(flag != 0);
115
+ r->d[0] = (a->d[0] & ~mask) | (b->d[0] & mask);
116
+ r->d[1] = (a->d[1] & ~mask) | (b->d[1] & mask);
117
+ r->d[2] = (a->d[2] & ~mask) | (b->d[2] & mask);
118
+ r->d[3] = (a->d[3] & ~mask) | (b->d[3] & mask);
119
+ }
120
+
106
121
  /* -----------------------------------------------------------------------
107
122
  * Jacobian point operations — internal functions declared here so that
108
123
  * future modules (e.g. a scalar multiply module) can call them directly
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Secp256k1
4
- VERSION = '0.15.0'
4
+ VERSION = '0.17.0'
5
5
  end
data/lib/secp256k1.rb CHANGED
@@ -19,6 +19,32 @@ require_relative 'secp256k1/version'
19
19
  # All field operations work on plain Ruby +Integer+ values (arbitrary
20
20
  # precision, C-backed in MRI). No external gems required.
21
21
  module Secp256k1
22
+ # Raised when a constant-time operation is attempted without the native
23
+ # C extension loaded. The pure-Ruby implementation cannot guarantee
24
+ # constant-time execution due to interpreter-introduced timing variability.
25
+ class InsecureOperationError < SecurityError; end
26
+
27
+ # Whether the native C extension is loaded and active.
28
+ #
29
+ # @return [Boolean]
30
+ def self.native?
31
+ @native == true
32
+ end
33
+
34
+ # Explicitly allow constant-time operations in pure-Ruby mode.
35
+ # Call this only after evaluating the risks documented in docs/risks.md.
36
+ def self.allow_pure_ruby_ct!
37
+ @allow_pure_ruby_ct = true
38
+ end
39
+
40
+ # @api private
41
+ def self.pure_ruby_ct_allowed?
42
+ @allow_pure_ruby_ct || ENV.key?('SECP256K1_ALLOW_PURE_RUBY_CT')
43
+ end
44
+
45
+ @native = false
46
+ @allow_pure_ruby_ct = false
47
+
22
48
  # The secp256k1 field prime: p = 2^256 - 2^32 - 977
23
49
  P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
24
50
 
@@ -510,41 +536,58 @@ module Secp256k1
510
536
  end
511
537
  end
512
538
 
513
- # Scalar multiplication: self * scalar (variable-time, wNAF).
539
+ # Scalar multiplication: self * scalar (constant-time, Montgomery ladder).
540
+ #
541
+ # Processes all 256 bits unconditionally so execution time does not
542
+ # depend on the scalar value. Safe for both secret and public scalars.
543
+ # This is the default because the safe path should be the easy path.
514
544
  #
515
- # Suitable for public scalars only (e.g. signature verification).
516
- # For secret-scalar paths use {#mul_ct}.
545
+ # For performance-critical public-scalar paths (e.g. batch verification)
546
+ # where constant-time is unnecessary, use {#mul_vt}.
547
+ #
548
+ # Raises {InsecureOperationError} if the native C extension is not loaded,
549
+ # unless explicitly allowed via {Secp256k1.allow_pure_ruby_ct!} or the
550
+ # +SECP256K1_ALLOW_PURE_RUBY_CT+ environment variable.
517
551
  #
518
552
  # @param scalar [Integer] the scalar multiplier
519
553
  # @return [Point] the resulting point
520
554
  def mul(scalar)
555
+ unless Secp256k1.native? || Secp256k1.pure_ruby_ct_allowed?
556
+ raise Secp256k1::InsecureOperationError,
557
+ 'mul requires the native C extension for constant-time guarantees. ' \
558
+ 'Set SECP256K1_ALLOW_PURE_RUBY_CT=1 or call Secp256k1.allow_pure_ruby_ct! to override.'
559
+ end
560
+
521
561
  return self.class.infinity if scalar.zero? || infinity?
522
562
 
523
563
  scalar %= N
524
564
  return self.class.infinity if scalar.zero?
525
565
 
526
- jp = Secp256k1.scalar_multiply_wnaf(scalar, @x, @y)
566
+ jp = Secp256k1.scalar_multiply_ct(scalar, @x, @y)
527
567
  affine = Secp256k1.jp_to_affine(jp)
528
568
  return self.class.infinity if affine.nil?
529
569
 
530
570
  self.class.new(affine[0], affine[1])
531
571
  end
532
572
 
533
- # Constant-time scalar multiplication: self * scalar (Montgomery ladder).
573
+ # @deprecated Use {#mul} instead. Alias retained for backward compatibility.
574
+ alias mul_ct mul
575
+
576
+ # Variable-time scalar multiplication: self * scalar (wNAF).
534
577
  #
535
- # Processes all 256 bits unconditionally so execution time does not
536
- # depend on the scalar value. Use this for secret-scalar paths:
537
- # key generation, signing, and ECDH shared-secret derivation.
578
+ # Faster than {#mul} but leaks timing information about the scalar.
579
+ # Use only when the scalar is public (e.g. signature verification,
580
+ # computing known generator multiples). Never use with secret scalars.
538
581
  #
539
- # @param scalar [Integer] the secret scalar multiplier
582
+ # @param scalar [Integer] the public scalar multiplier
540
583
  # @return [Point] the resulting point
541
- def mul_ct(scalar)
584
+ def mul_vt(scalar)
542
585
  return self.class.infinity if scalar.zero? || infinity?
543
586
 
544
587
  scalar %= N
545
588
  return self.class.infinity if scalar.zero?
546
589
 
547
- jp = Secp256k1.scalar_multiply_ct(scalar, @x, @y)
590
+ jp = Secp256k1.scalar_multiply_wnaf(scalar, @x, @y)
548
591
  affine = Secp256k1.jp_to_affine(jp)
549
592
  return self.class.infinity if affine.nil?
550
593
 
@@ -619,8 +662,13 @@ module Secp256k1
619
662
  jp_double jp_add jp_neg scalar_multiply_ct].each do |m|
620
663
  singleton_class.define_method(m, Secp256k1Native.method(m).to_proc)
621
664
  end
665
+
666
+ @native = true
622
667
  rescue LoadError
623
- # Extension not compiled — pure-Ruby fallback, no action needed.
668
+ # Extension not compiled — pure-Ruby fallback.
669
+ warn '[secp256k1-native] Native C extension not loaded — falling back to pure Ruby. ' \
670
+ 'Constant-time operations (mul_ct) will raise unless explicitly allowed. ' \
671
+ 'See: https://sgbett.github.io/secp256k1-native/risks/'
624
672
  end
625
673
  end
626
674
  # rubocop:enable Naming/MethodParameterName, Metrics/ModuleLength
Binary file
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secp256k1-native
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.15.0
4
+ version: 0.17.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Simon Bettison