scalar: Verify invariants on every entry #1360
Labels
Comments
|
yes! i'd be interested in trying this. |
|
done in #1373! |
real-or-random
added a commit
that referenced
this issue
Aug 18, 2023
d23da6d use secp256k1_scalar_verify checks (stratospher) c7d0454 add verification for scalars (stratospher) ad15215 update max scalar in scalar_cmov_test and fix schnorrsig_verify exhaustive test (stratospher) Pull request description: From #1360. This PR: 1. adds `secp256k1_scalar_verify` to make sure scalars are reduced mod the group order in VERIFY mode 2. uses `secp256k1_scalar_verify` in all the scalar functions except `secp256k1_scalar_clear`, `secp256k1_scalar_reduce_512`, `secp256k1_scalar_mul_512` and `secp256k1_scalar_*_var` functions in `scalar_low_impl.h` ACKs for top commit: real-or-random: utACK d23da6d theStack: Code-review ACK d23da6d Tree-SHA512: a371b319d948198c4038d35c9ea58f4b94de4dc312215e2b78a323c2acd4ae1355d97935c558b388774832d6d0058b97ff8ca50c3aab40b9ede5307760d0a505
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have
secp256k1_ge_verify,secp256k1_gej_verify, andsecp256k1_fe_verifyfunctions to the invariants of the respective type. We call them on every entry/exit of a function that operates on a respective element.We should add a similar function for scalars. I think the only invariant is that scalars
aare reduced mod the group order, i.e.,secp256k1_scalar_check_overflow(a) == 0.(see #1184 (comment))
@stratospher Are you interested in working on this?
The text was updated successfully, but these errors were encountered: