Unify secp256k1_zkp usage #2385
Conversation
andrewkozlik
added
crypto
andrewkozlik
requested review from
matejcik,
prusnak and
onvej-sl
as code owners
| int recid) { | ||
| #ifdef USE_SECP256K1_ZKP_ECDSA | ||
| if (curve == &secp256k1) { | ||
| return zkp_ecdsa_recover_pub_from_sig(curve, pub_key, sig, digest, recid); |
There was a problem hiding this comment.
What do you think about moving these wrappers into a separate file?
I'm thinking about something like
- renaming
ecdsa.ctonative_ecdsa.c, - renaming
ecdsa_internal.htonative_ecdsa.hand - moving the wrappers back to
ecdsa.c.
There was a problem hiding this comment.
So let me get this straight. Based on the described scheme all the other ecdsa functions such as scalar_multiply() would be implemented in native_ecdsa.c, but their declaration would remain in ecdsa.h while there exists a file called native_ecdsa.h? That seems confusing.
There was a problem hiding this comment.
Based on the described scheme all the other ecdsa functions such as scalar_multiply() would be implemented in native_ecdsa.c, but their declaration would remain in ecdsa.h while there exists a file called native_ecdsa.h?
A would move the declaration of scalar_multiply() to native_ecdsa.h.
The thing I don't like about the architecture is ecdsa.c contains both the ecdsa wrappers and the native implementation of ecdsa. These functions should be in separate files, in my opinion.
There was a problem hiding this comment.
[I] would move the declaration of scalar_multiply() to native_ecdsa.h.
Then any code that uses functions that were originally declared in ecdsa.h but do not have a counterpart in the secp256k1 library, i.e. are not wrapped, would have to include native_ecdsa.h instead of ecdsa.h (or both). Again seems confusing and technically breaks the API although only a little.
The thing I don't like about the architecture is
ecdsa.ccontains both the ecdsa wrappers and the native implementation of ecdsa.
I don't see a problem with that other than unit testing, which is an internal matter.
There was a problem hiding this comment.
Then any code that uses functions that were originally declared in ecdsa.h but do not have a counterpart in the secp256k1 library, i.e. are not wrapped, would have to include native_ecdsa.h instead of ecdsa.h (or both).
Exactly.
Again seems confusing and technically breaks the API although only a little.
What is confusing about it? Which API does it breaks and how?
I think it's the most natural approach. I see it as ecdsa.c being an interface and zkp_ecdsa.c and native_ecdsa.c being two implementations.
There was a problem hiding this comment.
What is confusing about it? Which API does it breaks and how?
It moves certain functions to different header files, such as scalar_multiply() and others.
I think it's the most natural approach. I see it as ecdsa.c being an interface and zkp_ecdsa.c and native_ecdsa.c being two implementations.
If it's meant to be an "interface", then we would also have to add dummy wrappers to ecdsa.c for the functions that are in native_ecdsa.c only. The caller shouldn't have to deal with the question of whether the implementation is native or non-native.
There was a problem hiding this comment.
It moves certain functions to different header files, such as scalar_multiply() and others.
What is wrong about it? What is confusing about it?
If it's meant to be an "interface", then we would also have to add dummy wrappers to ecdsa.c for the functions that are in native_ecdsa.c only. The caller shouldn't have to deal with the question of whether the implementation is native or non-native.
This may surprise you but I'm all for it. Nevertheless, I don't think it's necessary because I see nothing wrong with using an "implementation" directly instead of an "interface".
There was a problem hiding this comment.
What is wrong about it? What is confusing about it?
As I stated, the caller shouldn't have to deal with the question of whether the implementation is native or non-native. The whole point of this PR is to simplify the usage of the ecdsa calls.
I am not a fan of creating dummy code where it serves no purpose. So I don't like that option either. This is purely a matter of style. It makes no difference in terms of functionality, usability, maintainability or in any other respect. Feel free to create a separate issue.
|
@andrewkozlik What is the state of this pr? |
Awaiting review from @onvej-sl. Probably needs manual rebase afterwards. |
|
I announce in advance I'm not going to approve this pull request. The pull request is ok in terms of functionality and security (this is the last comment that has to be resolved in this sense) but I don't agree with one of the architectural decisions made. To be specific, I don't like that
See this thread. In my opinion, I and Andrew have a different perspective on this. Let someone else review this part of the pull request. |
|
I did a very brief review of the A larger refactor, with possible header API breakage, would be nice -- but this PR is not it and doesn't need to be it. (that said, my view into trezor-crypto architecture is limited and i might be missing something) As such I'm approving the PR as it is now. Please resolve the conflicts and let's get this merged. |
andrewkozlik
force-pushed
the
andrewkozlik/1864
branch
from
eaa0afe
to
81f081f
Compare
andrewkozlik
force-pushed
the
andrewkozlik/1864
branch
from
81f081f
to
ad31d1b
Compare
andrewkozlik
dismissed
onvej-sl’s stale review
The last unresolved requested change is unrelated to this PR.
Resolves #1864.
zkp_ecdsa_*()vs.ecdsa_*()functions toecdsa.cto simplify usage (no more#ifdefsfor this incoreandlegacycode).crypto/bip32.cto use the secp256k1_zkp functions for public key derivation and signing without any code changes inbip32.c.ecdsa_*functions totc_ecdsa_*so that they can be tested independently in thecryptotests.bip32.ccauses a different amount of data to be taken from the PRNG, which in turn causes the PIN matrix layouts to change, hence the changes to UI tests.