cosmos · bizk · Dec 4, 2023 · Aug 15, 2023 · Aug 15, 2023 · Aug 15, 2023
@@ -68,6 +68,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (types) [#17670](https://github.com/cosmos/cosmos-sdk/pull/17670) Use `ctx.CometInfo` in place of `ctx.VoteInfos`
 * [#17733](https://github.com/cosmos/cosmos-sdk/pull/17733) Ensure `buf export` exports all proto dependencies
 * [#18204](https://github.com/cosmos/cosmos-sdk/pull/18204) Use streaming json parser to parse chain-id from genesis file.
+* (crypto/keys) [#7051](https://github.com/cosmos/cosmos-sdk/issues/7051) Made public key generation constant time on `secp256k1`
 
 ### Bug Fixes
 

@@ -11,7 +11,7 @@ import (
 func BenchmarkKeyGeneration(b *testing.B) {
 	b.ReportAllocs()
 	benchmarkKeygenWrapper := func(reader io.Reader) types.PrivKey {
-		priv := genPrivKey(reader)
+		priv := genPrivKey()
 		return &PrivKey{Key: priv}
 	}
 	benchmarking.BenchmarkKeyGeneration(b, benchmarkKeygenWrapper)

@@ -10,7 +10,6 @@ package secp256k1
 import (
 	"bytes"
 	"crypto/ecdsa"
-	"crypto/elliptic"
 	"crypto/rand"
 	"encoding/hex"
 	"io"
@@ -24,7 +23,11 @@ func generateKeyPair() (pubkey, privkey []byte) {
 	if err != nil {
 		panic(err)
 	}
-	pubkey = elliptic.Marshal(S256(), key.X, key.Y) //nolint:staticcheck // crypto will be refactored soon.
+	publicKeyEcdh, err := key.PublicKey.ECDH()
+	if err != nil {
+		panic(err)
+	}
+	pubkey = publicKeyEcdh.Bytes()
 	privkey = make([]byte, 32)
 	blob := key.D.Bytes()
 	copy(privkey[32-len(blob):], blob)

@@ -5,7 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"fmt"
-	"io"
+	"gitlab.com/yawning/secp256k1-voi/secec"
 	"math/big"
 
 	"github.com/cometbft/cometbft/crypto"
@@ -39,9 +39,12 @@ func (privKey *PrivKey) Bytes() []byte {
 // PubKey performs the point-scalar multiplication from the privKey on the
 // generator point to get the pubkey.
 func (privKey *PrivKey) PubKey() cryptotypes.PubKey {
-	pubkeyObject := secp256k1.PrivKeyFromBytes(privKey.Key).PubKey()
-	pk := pubkeyObject.SerializeCompressed()
-	return &PubKey{Key: pk}
+	privateKeyObject, err := secec.NewPrivateKey(privKey.Key)
+	if err != nil {
+		panic(err)
+	}
+
+	return &PubKey{Key: privateKeyObject.PublicKey().CompressedBytes()}
 }
 
 // Equals - you probably don't need to use this.
@@ -84,29 +87,17 @@ func (privKey *PrivKey) UnmarshalAminoJSON(bz []byte) error {
 // GenPrivKey generates a new ECDSA private key on curve secp256k1 private key.
 // It uses OS randomness to generate the private key.
 func GenPrivKey() *PrivKey {
-	return &PrivKey{Key: genPrivKey(crypto.CReader())}
+	return &PrivKey{Key: genPrivKey()}
 }
 
 // genPrivKey generates a new secp256k1 private key using the provided reader.
-func genPrivKey(rand io.Reader) []byte {
-	var privKeyBytes [PrivKeySize]byte
-	d := new(big.Int)
-	for {
-		privKeyBytes = [PrivKeySize]byte{}
-		_, err := io.ReadFull(rand, privKeyBytes[:])
-		if err != nil {
-			panic(err)
-		}
-
-		d.SetBytes(privKeyBytes[:])
-		// break if we found a valid point (i.e. > 0 and < N == curverOrder)
-		isValidFieldElement := 0 < d.Sign() && d.Cmp(secp256k1.S256().N) < 0
-		if isValidFieldElement {
-			break
-		}
+func genPrivKey() []byte {
+	privateKeyObject, err := secec.GenerateKey()
+	if err != nil {
+		panic(err)
 	}
 
-	return privKeyBytes[:]
+	return privateKeyObject.Bytes()
 }
 
 var one = new(big.Int).SetInt64(1)

@@ -1,7 +1,6 @@
 package secp256k1
 
 import (
-	"bytes"
 	"math/big"
 	"testing"
 
@@ -22,20 +21,18 @@ func Test_genPrivKey(t *testing.T) {
 		notSoRand   []byte
 		shouldPanic bool
 	}{
-		{"empty bytes (panics because 1st 32 bytes are zero and 0 is not a valid field element)", empty, true},
-		{"curve order: N", secp.S256().N.Bytes(), true},
 		{"valid because 0 < 1 < N", validOne, false},
 	}
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.shouldPanic {
 				require.Panics(t, func() {
-					genPrivKey(bytes.NewReader(tt.notSoRand))
+					genPrivKey()
 				})
 				return
 			}
-			got := genPrivKey(bytes.NewReader(tt.notSoRand))
+			got := genPrivKey()
 			fe := new(big.Int).SetBytes(got)
 			require.True(t, fe.Cmp(secp.S256().N) < 0)
 			require.True(t, fe.Sign() > 0)

@@ -6,7 +6,7 @@ package secp256k1
 import (
 	"testing"
 
-	secp256k1 "github.com/decred/dcrd/dcrec/secp256k1/v4"
+	secp256k1_dcrd "github.com/decred/dcrd/dcrec/secp256k1/v4"
 	"github.com/stretchr/testify/require"
 )
 
@@ -19,18 +19,18 @@ func TestSignatureVerificationAndRejectUpperS(t *testing.T) {
 		priv := GenPrivKey()
 		sigStr, err := priv.Sign(msg)
 		require.NoError(t, err)
-		var r secp256k1.ModNScalar
+		var r secp256k1_dcrd.ModNScalar
 		r.SetByteSlice(sigStr[:32])
-		var s secp256k1.ModNScalar
+		var s secp256k1_dcrd.ModNScalar
 		s.SetByteSlice(sigStr[32:64])
 		require.False(t, s.IsOverHalfOrder())
 
 		pub := priv.PubKey()
 		require.True(t, pub.VerifySignature(msg, sigStr))
 
 		// malleate:
-		var S256 secp256k1.ModNScalar
-		S256.SetByteSlice(secp256k1.S256().N.Bytes())
+		var S256 secp256k1_dcrd.ModNScalar
+		S256.SetByteSlice(secp256k1_dcrd.S256().N.Bytes())
 		s.Negate().Add(&S256)
 		require.True(t, s.IsOverHalfOrder())
 
@@ -46,3 +46,20 @@ func TestSignatureVerificationAndRejectUpperS(t *testing.T) {
 		)
 	}
 }
+
+func TestConstantTimePubKeyGeneration(t *testing.T) {
+	for i := 0; i < 500; i++ {
+		pk := GenPrivKey().PubKey()
+		require.NotNil(t, pk)
+	}
+}
+
+// Legacy generation code
+func TestNonConstantTimePubKeyGeneration(t *testing.T) {
+	for i := 0; i < 500; i++ {
+		privKey := GenPrivKey()
+		nonConstantTimePk := secp256k1_dcrd.PrivKeyFromBytes(privKey.Key).PubKey().SerializeCompressed() // Legacy functionability from pubkey
+		pk := &PubKey{Key: nonConstantTimePk}
+		require.NotNil(t, pk)
+	}
+}
@@ -450,3 +450,14 @@ func TestMarshalAmino_BackwardsCompatibility(t *testing.T) {
 		})
 	}
 }
+
+func TestLegacyKeyGenerationAgainstConstantTime(t *testing.T) {
+	privKey := secp256k1.GenPrivKey()
+
+	pubKey := privKey.PubKey()
+
+	nonConstantTimePk := secp.PrivKeyFromBytes(privKey.Key).PubKey().SerializeCompressed() // Legacy functionability from pubkey
+	legacyPubKey := &secp256k1.PubKey{Key: nonConstantTimePk}
+
+	require.Equal(t, legacyPubKey, pubKey)
+}
@@ -52,6 +52,7 @@ require (
 	github.com/spf13/viper v1.17.0
 	github.com/stretchr/testify v1.8.4
 	github.com/tendermint/go-amino v0.16.0
+	gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b
 	golang.org/x/crypto v0.14.0
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/sync v0.4.0
@@ -148,6 +149,7 @@ require (
 	github.com/tidwall/btree v1.7.0 // indirect
 	github.com/zondax/hid v0.9.2 // indirect
 	github.com/zondax/ledger-go v0.14.3 // indirect
+	gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/net v0.17.0 // indirect

@@ -794,6 +794,10 @@ github.com/zondax/hid v0.9.2 h1:WCJFnEDMiqGF64nlZz28E9qLVZ0KSJ7xpc5DLEyma2U=
 github.com/zondax/hid v0.9.2/go.mod h1:l5wttcP0jwtdLjqjMMWFVEE7d1zO0jvSPA9OPZxWpEM=
 github.com/zondax/ledger-go v0.14.3 h1:wEpJt2CEcBJ428md/5MgSLsXLBos98sBOyxNmCjfUCw=
 github.com/zondax/ledger-go v0.14.3/go.mod h1:IKKaoxupuB43g4NxeQmbLXv7T9AlQyie1UpHb342ycI=
+gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b h1:CzigHMRySiX3drau9C6Q5CAbNIApmLdat5jPMqChvDA=
+gitlab.com/yawning/secp256k1-voi v0.0.0-20230925100816-f2616030848b/go.mod h1:/y/V339mxv2sZmYYR64O07VuCpdNZqCTwO8ZcouTMI8=
+gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02 h1:qwDnMxjkyLmAFgcfgTnfJrmYKWhHnci3GjDqcZp1M3Q=
+gitlab.com/yawning/tuplehash v0.0.0-20230713102510-df83abbf9a02/go.mod h1:JTnUj0mpYiAsuZLmKjTx/ex3AtMowcCgnE7YNyCEP0I=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=