Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use variable-time group addition in _ec_pubkey_combine #1587

Closed

Conversation

theStack
Copy link
Contributor

Unless I'm missing something, it seems that there is no need to use constant-time group addition for secp256k1_ec_pubkey_combine, so the faster variable-time addition function _gej_add_ge_var can be used instead. Happy to add a benchmark if wanted.

Copy link
Contributor

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know what the original intention of using constant time addition was. Maybe @sipa remembers. It was added here:
https://github.com/bitcoin-core/secp256k1/pull/212/files#diff-6f71b0372be086d45b4f2740508c03a21835d87008840032fbb767f419fd988aR552

I'm aware that some implementations use pubkey_combine to add "secret" group elements in a "blind DH" (see here, here and here). I haven't checked in detail if using variable time addition leads to a sidechannel that isn't already there with constant time addition. In any case, constant time addition is not something one can expect from libsecp's API (it's called "public key combine").

@real-or-random
Copy link
Contributor

I don't know what the original intention of using constant time addition was. Maybe @sipa remembers. It was added here: #212 (files)

The function was added for key aggregation in multi-signatures (predating MuSig(2)). Variable-time group addition was available back then.

Perhaps the idea was that the individual keys to be aggregated are secrets. One can make that point (also in MuSig), but I think our current implicit policy is that only secret keys are secret when it comes to timing (and public keys are, well, public).

I'm aware that some implementations use pubkey_combine to add "secret" group elements in a "blind DH" (see here, here and here). I haven't checked in detail if using variable time addition leads to a sidechannel that isn't already there with constant time addition. In any case, constant time addition is not something one can expect from libsecp's API (it's called "public key combine").

Hm, yeah. I suggest not bothering with these functions for now. I think our long-term plan is to deprecate them and replace them with a properly designed hazmat API (see for example #1471 (comment)). No matter, if we'll do this in the future or not, it's not a big deal for performance if this function stays constant-time.

@theStack
Copy link
Contributor Author

Hm, yeah. I suggest not bothering with these functions for now. I think our long-term plan is to deprecate them and replace them with a properly designed hazmat API (see for example #1471 (comment)). No matter, if we'll do this in the future or not, it's not a big deal for performance if this function stays constant-time.

Makes sense! Closing this PR accordingly.

@theStack theStack closed this Sep 25, 2024
@theStack theStack deleted the pubkey_combine_var_time branch September 25, 2024 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants