Declassify non-secrets to fix constant time tests

BlockstreamResearch · Dec 7, 2023 · 6078d4b · 6078d4b
1 parent 443f88d
commit 6078d4b
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/modules/frost/keygen_impl.h b/src/modules/frost/keygen_impl.h
@@ -63,6 +63,8 @@ static void secp256k1_frost_share_save(secp256k1_frost_share* share, secp256k1_s
 static int secp256k1_frost_share_load(const secp256k1_context* ctx, secp256k1_scalar *s, const secp256k1_frost_share* share) {
  int overflow;
 
+ /* The magic is non-secret so it can be declassified to allow branching. */
+ secp256k1_declassify(ctx, &share->data[0], 4);
  ARG_CHECK(secp256k1_memcmp_var(&share->data[0], secp256k1_frost_share_magic, 4) == 0);
  secp256k1_scalar_set_b32(s, &share->data[4], &overflow);
  /* Parsed shares cannot overflow */
@@ -152,6 +154,9 @@ int secp256k1_frost_shares_trusted_gen(const secp256k1_context *ctx, secp256k1_f
  /* Compute commitment to constant term */
  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &coeff_i);
  secp256k1_ge_set_gej(&rp, &rj);
+ /* The commitment is non-secret so it can be declassified to
+ * allow branching. */
+ secp256k1_declassify(ctx, &rp, sizeof(rp));
  secp256k1_fe_normalize_var(&rp.y);
  pk_parity = secp256k1_extrakeys_ge_even_y(&rp);
  secp256k1_xonly_pubkey_save(pk, &rp);