Update secp256k1-zkp

core/.changelog.d/2261.changed

@@ -0,0 +1 @@
+Updated secp256k1-zkp.

core/SConscript.firmware

@@ -122,13 +122,7 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]:
         'USE_SECP256K1_ZKP_ECDSA',
         ('SECP256K1_CONTEXT_SIZE', '184'),
         'USE_ASM_ARM',
-        'USE_NUM_NONE',
-        'USE_FIELD_INV_BUILTIN',
-        'USE_SCALAR_INV_BUILTIN',
         'USE_EXTERNAL_ASM',
-        'USE_FIELD_10X26',
-        'USE_SCALAR_8X32',
-        'USE_ECMULT_STATIC_PRECOMPUTATION',
         'USE_EXTERNAL_DEFAULT_CALLBACKS',
         ('ECMULT_GEN_PREC_BITS', '4'),
         ('ECMULT_WINDOW_SIZE', '8'),
@@ -139,6 +133,8 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]:
     ]
     SOURCE_MOD_SECP256K1_ZKP = [
         'vendor/secp256k1-zkp/src/secp256k1.c',
+        'vendor/secp256k1-zkp/src/precomputed_ecmult.c',
+        'vendor/secp256k1-zkp/src/precomputed_ecmult_gen.c',
         'vendor/secp256k1-zkp/src/asm/field_10x26_arm.s'
     ]
     SOURCE_MOD += [
@@ -677,29 +673,6 @@ if FROZEN:
 
     env.Depends(source_mpyc, qstr_generated)
 
-#
-# static secp256-zkp ecmult context
-#
-if FEATURE_FLAGS["SECP256K1_ZKP"]:
-    host_env = Environment(ENV=os.environ)
-    host_env.Replace(
-        CC=os.getenv('CC_FOR_BUILD') or 'cc',
-        COPT='-O2',
-        CPPPATH='vendor/secp256k1-zkp',
-        CPPDEFINES=[
-            ('ECMULT_GEN_PREC_BITS', '4'),
-        ]
-    )
-    gen_context = host_env.Program(
-        target='vendor/secp256k1-zkp/gen_context',
-        source='vendor/secp256k1-zkp/src/gen_context.c',
-    )
-    secp256k1_zkp_ecmult_static_context = host_env.Command(
-        target='vendor/secp256k1-zkp/src/ecmult_static_context.h',
-        source='vendor/secp256k1-zkp/gen_context',
-        action='cd ${SOURCE.dir}; ./gen_context',
-    )
-
 #
 # Rust library
 #
@@ -784,8 +757,6 @@ obj_program.extend(
         ' $SOURCE $TARGET', ))
 
 env.Depends(obj_program, qstr_generated)
-if FEATURE_FLAGS["SECP256K1_ZKP"]:
-    env.Depends(obj_program, secp256k1_zkp_ecmult_static_context)
 
 program_elf = env.Command(
     target='firmware.elf',

core/SConscript.unix

@@ -120,12 +120,6 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]:
         'USE_SECP256K1_ZKP',
         'USE_SECP256K1_ZKP_ECDSA',
         ('SECP256K1_CONTEXT_SIZE', '208'),
-        'USE_NUM_NONE',
-        'USE_FIELD_INV_BUILTIN',
-        'USE_SCALAR_INV_BUILTIN',
-        'USE_FIELD_10X26',
-        'USE_SCALAR_8X32',
-        'USE_ECMULT_STATIC_PRECOMPUTATION',
         'USE_EXTERNAL_DEFAULT_CALLBACKS',
         ('ECMULT_GEN_PREC_BITS', '4'),
         ('ECMULT_WINDOW_SIZE', '8'),
@@ -136,6 +130,8 @@ if FEATURE_FLAGS["SECP256K1_ZKP"]:
     ]
     SOURCE_MOD_SECP256K1_ZKP = [
         'vendor/secp256k1-zkp/src/secp256k1.c',
+        'vendor/secp256k1-zkp/src/precomputed_ecmult.c',
+        'vendor/secp256k1-zkp/src/precomputed_ecmult_gen.c',
     ]
     SOURCE_MOD += [
         'vendor/trezor-crypto/zkp_context.c',
@@ -640,29 +636,6 @@ if FROZEN:
 
     env.Depends(source_mpyc, qstr_generated)
 
-#
-# static secp256-zkp ecmult context
-#
-if FEATURE_FLAGS["SECP256K1_ZKP"]:
-    host_env = Environment(ENV=os.environ)
-    host_env.Replace(
-        CC=os.getenv('CC_FOR_BUILD') or 'cc',
-        COPT='-O2',
-        CPPPATH='vendor/secp256k1-zkp',
-        CPPDEFINES=[
-            ('ECMULT_GEN_PREC_BITS', '4'),
-        ]
-    )
-    gen_context = host_env.Program(
-        target='vendor/secp256k1-zkp/gen_context',
-        source='vendor/secp256k1-zkp/src/gen_context.c',
-    )
-    secp256k1_zkp_ecmult_static_context = host_env.Command(
-        target='vendor/secp256k1-zkp/src/ecmult_static_context.h',
-        source='vendor/secp256k1-zkp/gen_context',
-        action='cd ${SOURCE.dir}; ./gen_context',
-    )
-
 #
 # Rust library
 #
@@ -726,8 +699,6 @@ if FROZEN:
     obj_program.extend(env.Object(source=source_mpyc))
 
 env.Depends(obj_program, qstr_generated)
-if FEATURE_FLAGS["SECP256K1_ZKP"]:
-    env.Depends(obj_program, secp256k1_zkp_ecmult_static_context)
 
 program = env.Command(
     target='trezor-emu-core',

core/embed/firmware/memory_T.ld

@@ -45,6 +45,8 @@ SECTIONS {
   .flash2 : ALIGN(512) {
     build/firmware/frozen_mpy.o(.rodata*);
     build/firmware/vendor/secp256k1-zkp/src/secp256k1.o(.rodata*);
+    build/firmware/vendor/secp256k1-zkp/src/precomputed_ecmult.o(.rodata*);
+    build/firmware/vendor/secp256k1-zkp/src/precomputed_ecmult_gen.o(.rodata*);
     . = ALIGN(512);
   } >FLASH2 AT>FLASH2
 

core/embed/rust/build.rs

@@ -201,9 +201,8 @@ fn link_core_objects() {
     let crate_path = env::var("CARGO_MANIFEST_DIR").unwrap();
     let build_path = format!("{}/../../build/unix", crate_path);
 
-    // List of object filenames to ignore in the `embed` and `vendor` directory
+    // List of object filenames to ignore in the `embed` directory
     let embed_blocklist = [OsStr::new("main_main.o")];
-    let vendor_blocklist = [OsStr::new("gen_context.o")];
 
     // Collect all objects that the `core` library uses, and link it in. We have to
     // make sure to avoid the object with the `_main` symbol, so we don't get any
@@ -220,13 +219,8 @@ fn link_core_objects() {
 
     for obj in glob::glob(&format!("{}/vendor/**/*.o", build_path)).unwrap() {
         let obj = obj.unwrap();
-        if vendor_blocklist.contains(&obj.file_name().unwrap()) {
-            // Ignore.
-        } else {
-            cc.object(obj);
-        }
+        cc.object(obj);
     }
-
     // Compile all the objects into a static library and link it in automatically.
     cc.compile("core_lib");
 

crypto/Makefile

@@ -63,12 +63,6 @@ CFLAGS   += $(OPTFLAGS) \
             -Werror
 
 ZKP_CFLAGS = \
-	-DUSE_NUM_NONE \
-	-DUSE_FIELD_INV_BUILTIN \
-	-DUSE_SCALAR_INV_BUILTIN \
-	-DUSE_FIELD_10X26 \
-	-DUSE_SCALAR_8X32 \
-	-DUSE_ECMULT_STATIC_PRECOMPUTATION \
 	-DECMULT_GEN_PREC_BITS=4 \
 	-DECMULT_WINDOW_SIZE=8 \
 	-DENABLE_MODULE_GENERATOR \
@@ -139,6 +133,8 @@ SRCS  += cardano.c
 
 OBJS   = $(SRCS:.c=.o)
 OBJS  += secp256k1-zkp.o
+OBJS  += precomputed_ecmult.o
+OBJS  += precomputed_ecmult_gen.o
 
 TESTLIBS = $(shell pkg-config --libs check) -lpthread -lm
 TESTSSLLIBS = $(shell pkg-config --libs openssl)
@@ -164,8 +160,8 @@ tests/test_speed: tests/test_speed.o $(OBJS)
 tests/test_openssl: tests/test_openssl.o $(OBJS)
 	$(CC) $(CFLAGS) tests/test_openssl.o $(OBJS) $(TESTSSLLIBS) -o tests/test_openssl
 
-tests/libtrezor-crypto.so: $(SRCS) secp256k1-zkp.o
-	$(CC) $(CFLAGS) -DAES_128 -DAES_192 -fPIC -shared $(SRCS) secp256k1-zkp.o -o tests/libtrezor-crypto.so
+tests/libtrezor-crypto.so: $(SRCS) secp256k1-zkp.o precomputed_ecmult.o precomputed_ecmult_gen.o
+	$(CC) $(CFLAGS) -DAES_128 -DAES_192 -fPIC -shared $(SRCS) secp256k1-zkp.o precomputed_ecmult.o precomputed_ecmult_gen.o -o tests/libtrezor-crypto.so
 
 tools: tools/xpubaddrgen tools/mktable tools/bip39bruteforce
 
@@ -181,21 +177,21 @@ tools/bip39bruteforce: tools/bip39bruteforce.o $(OBJS)
 fuzzer: fuzzer/fuzzer.o $(OBJS)
 	$(CC) $(CFLAGS) fuzzer/fuzzer.o $(OBJS) -o fuzzer/fuzzer
 
-$(ZKP_PATH)/src/ecmult_static_context.h: $(ZKP_PATH)/src/gen_context.c
-	$(CC) $(ZKP_CFLAGS) $(ZKP_PATH)/src/gen_context.c -o $(ZKP_PATH)/gen_context
-	cd $(ZKP_PATH) && ./gen_context
+precomputed_ecmult.o:
+	$(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -fPIC -c $(ZKP_PATH)/src/precomputed_ecmult.c -o precomputed_ecmult.o
 
-secp256k1-zkp.o: $(ZKP_PATH)/src/ecmult_static_context.h
+precomputed_ecmult_gen.o:
+	$(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -fPIC -c $(ZKP_PATH)/src/precomputed_ecmult_gen.c -o precomputed_ecmult_gen.o
+
+secp256k1-zkp.o:
 	$(CC) $(CFLAGS) -Wno-unused-function $(ZKP_CFLAGS) -fPIC -I$(ZKP_PATH) -I$(ZKP_PATH)/src -c $(ZKP_PATH)/src/secp256k1.c -o secp256k1-zkp.o
 
 clean:
 	rm -f *.o aes/*.o chacha20poly1305/*.o ed25519-donna/*.o monero/*.o
 	rm -f tests/*.o tests/test_check tests/test_speed tests/test_openssl tests/libtrezor-crypto.so tests/aestst
 	rm -f tools/*.o tools/xpubaddrgen tools/mktable tools/bip39bruteforce
 	rm -f fuzzer/*.o fuzzer/fuzzer
-	rm -f secp256k1-zkp.o
-	rm -f $(ZKP_PATH)/gen_context
-	rm -f $(ZKP_PATH)/src/ecmult_static_context.h
+	rm -f secp256k1-zkp.o precomputed_ecmult.o precomputed_ecmult_gen.o
 
 clean-fuzzer: clean
 	rm -f crash-* fuzz-*.log slow-unit-* timeout-*

crypto/ecdsa.c

@@ -687,7 +687,7 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key,
 
 #if USE_RFC6979
   rfc6979_state rng = {0};
-  init_rfc6979(priv_key, digest, &rng);
+  init_rfc6979(priv_key, digest, curve, &rng);
 #endif
 
   bn_read_be(digest, &z);

crypto/rfc6979.c

@@ -21,14 +21,30 @@
  * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
  * OTHER DEALINGS IN THE SOFTWARE.
  */
+#include <assert.h>
 
-#include "rfc6979.h"
 #include "hmac_drbg.h"
 #include "memzero.h"
+#include "rfc6979.h"
 
 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
-                  rfc6979_state *state) {
-  hmac_drbg_init(state, priv_key, 32, hash, 32);
+                  const ecdsa_curve *curve, rfc6979_state *state) {
+  if (curve) {
+    bignum256 hash_bn = {0};
+    bn_read_be(hash, &hash_bn);
+
+    // Make sure hash is partly reduced modulo order
+    assert(bn_bitcount(&curve->order) >= 256);
+    bn_mod(&hash_bn, &curve->order);
+
+    uint8_t hash_reduced[32] = {0};
+    bn_write_be(&hash_bn, hash_reduced);
+    memzero(&hash_bn, sizeof(hash_bn));
+    hmac_drbg_init(state, priv_key, 32, hash_reduced, 32);
+    memzero(hash_reduced, sizeof(hash_reduced));
+  } else {
+    hmac_drbg_init(state, priv_key, 32, hash, 32);
+  }
 }
 
 // generate next number from deterministic random number generator

crypto/rfc6979.h

@@ -27,13 +27,14 @@
 
 #include <stdint.h>
 #include "bignum.h"
+#include "ecdsa.h"
 #include "hmac_drbg.h"
 
 // rfc6979 pseudo random number generator state
 typedef HMAC_DRBG_CTX rfc6979_state;
 
 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash,
-                  rfc6979_state *rng);
+                  const ecdsa_curve *curve, rfc6979_state *rng);
 void generate_rfc6979(uint8_t rnd[32], rfc6979_state *rng);
 void generate_k_rfc6979(bignum256 *k, rfc6979_state *rng);
 

crypto/tests/test_check.c

@@ -3757,7 +3757,7 @@ END_TEST
 #define test_deterministic(KEY, MSG, K)           \
   do {                                            \
     sha256_Raw((uint8_t *)MSG, strlen(MSG), buf); \
-    init_rfc6979(fromhex(KEY), buf, &rng);        \
+    init_rfc6979(fromhex(KEY), buf, NULL, &rng);  \
     generate_k_rfc6979(&k, &rng);                 \
     bn_write_be(&k, buf);                         \
     ck_assert_mem_eq(buf, fromhex(K), 32);        \
@@ -3802,6 +3802,54 @@ START_TEST(test_rfc6979) {
 }
 END_TEST
 
+static void test_ecdsa_sign_digest_deterministic_helper(
+    int (*ecdsa_sign_digest_fn)(const ecdsa_curve *, const uint8_t *,
+                                const uint8_t *, uint8_t *, uint8_t *,
+                                int (*)(uint8_t by, uint8_t sig[64]))) {
+  static struct {
+    const char *priv_key;
+    const char *digest;
+    const char *sig;
+  } tests[] = {
+      {"312155017c70a204106e034520e0cdf17b3e54516e2ece38e38e38e38e38e38e",
+       "ffffffffffffffffffffffffffffffff20202020202020202020202020202020",
+       "e3d70248ea2fc771fc8d5e62d76b9cfd5402c96990333549eaadce1ae9f737eb"
+       "5cfbdc7d1e0ec18cc9b57bbb18f0a57dc929ec3c4dfac9073c581705015f6a8a"},
+      {"312155017c70a204106e034520e0cdf17b3e54516e2ece38e38e38e38e38e38e",
+       "2020202020202020202020202020202020202020202020202020202020202020",
+       "40666188895430715552a7e4c6b53851f37a93030fb94e043850921242db78e8"
+       "75aa2ac9fd7e5a19402973e60e64382cdc29a09ebf6cb37e92f23be5b9251aee"},
+  };
+
+  const ecdsa_curve *curve = &secp256k1;
+  uint8_t priv_key[32] = {0};
+  uint8_t digest[32] = {0};
+  uint8_t expected_sig[64] = {0};
+  uint8_t computed_sig[64] = {0};
+  int res = 0;
+
+  for (size_t i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+    memcpy(priv_key, fromhex(tests[i].priv_key), 32);
+    memcpy(digest, fromhex(tests[i].digest), 32);
+    memcpy(expected_sig, fromhex(tests[i].sig), 64);
+
+    res =
+        ecdsa_sign_digest_fn(curve, priv_key, digest, computed_sig, NULL, NULL);
+    ck_assert_int_eq(res, 0);
+    ck_assert_mem_eq(expected_sig, computed_sig, 64);
+  }
+}
+
+START_TEST(test_ecdsa_sign_digest_deterministic) {
+  test_ecdsa_sign_digest_deterministic_helper(ecdsa_sign_digest);
+}
+END_TEST
+
+START_TEST(test_zkp_ecdsa_sign_digest_deterministic) {
+  test_ecdsa_sign_digest_deterministic_helper(zkp_ecdsa_sign_digest);
+}
+END_TEST
+
 // test vectors from
 // http://www.inconteam.com/software-development/41-encryption/55-aes-test-vectors
 START_TEST(test_aes) {
@@ -6790,7 +6838,7 @@ START_TEST(test_ed25519_cosi) {
           "26c76712d89d906e6672dafa614c42e5cb1caac8c6568e4d2493087db51f0d36"),
       fromhex(
           "26659c1cf7321c178c07437150639ff0c5b7679c7ea195253ed9abda2e081a37"),
-      &rng);
+      NULL, &rng);
 
   for (int N = 1; N < 11; N++) {
     ed25519_public_key pk;
@@ -9461,6 +9509,10 @@ Suite *test_suite(void) {
   tcase_add_test(tc, test_zkp_ecdsa_get_public_key65);
   tcase_add_test(tc, test_zkp_ecdsa_recover_pub_from_sig);
   tcase_add_test(tc, test_zkp_ecdsa_verify_digest);
+#if USE_RFC6979
+  tcase_add_test(tc, test_ecdsa_sign_digest_deterministic);
+  tcase_add_test(tc, test_zkp_ecdsa_sign_digest_deterministic);
+#endif
   suite_add_tcase(s, tc);
 
   tc = tcase_create("rfc6979");

crypto/zkp_bip340.c

@@ -136,12 +136,8 @@ int zkp_bip340_sign_digest(const uint8_t *private_key_bytes,
   }
 
   if (result == 0) {
-    uint8_t zero[32] = {0};
-    if (!auxiliary_data) {
-      auxiliary_data = zero;
-    }
-    if (secp256k1_schnorrsig_sign(context_writable, signature_bytes, digest,
-                                  &keypair, auxiliary_data) != 1) {
+    if (secp256k1_schnorrsig_sign32(context_writable, signature_bytes, digest,
+                                    &keypair, auxiliary_data) != 1) {
       result = -1;
     }
   }