bitcoin-core · gmaxwell · Aug 8, 2020 · Aug 8, 2020 · Sep 1, 2020 · Sep 2, 2020
diff --git a/src/ecmult_const.h b/src/ecmult_const.h
@@ -11,7 +11,7 @@
 #include "group.h"
 
 /**
- * Multiply: R = q*A (in constant-time)
+ * Multiply: R = q*A (in constant-time for q)
  * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus
  * one because we internally sometimes add 2 to the number during the WNAF conversion.
  */

diff --git a/src/ecmult_const_impl.h b/src/ecmult_const_impl.h
@@ -150,6 +150,10 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
 
     /* build wnaf representation for q. */
     int rsize = size;
+    if (secp256k1_ge_is_infinity(a)) {
+      secp256k1_gej_set_infinity(r);
+      return;
+    }
     if (size > 128) {
         rsize = 128;
         /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */

diff --git a/src/ecmult_impl.h b/src/ecmult_impl.h
@@ -81,6 +81,7 @@
  *  the values [1*a,3*a,...,(2*n-1)*a], so it space for n values. zr[0] will
  *  contain prej[0].z / a.z. The other zr[i] values = prej[i].z / prej[i-1].z.
  *  Prej's Z values are undefined, except for the last value.
+ *  'a' cannot be infinity.
  */
 static void secp256k1_ecmult_odd_multiples_table(int n, secp256k1_gej *prej, secp256k1_fe *zr, const secp256k1_gej *a) {
     secp256k1_gej d;
@@ -97,13 +98,13 @@ static void secp256k1_ecmult_odd_multiples_table(int n, secp256k1_gej *prej, sec
      */
     d_ge.x = d.x;
     d_ge.y = d.y;
-    d_ge.infinity = 0;
+    d_ge.infinity = d.infinity;
 
     secp256k1_ge_set_gej_zinv(&a_ge, a, &d.z);
     prej[0].x = a_ge.x;
     prej[0].y = a_ge.y;
     prej[0].z = a->z;
-    prej[0].infinity = 0;
+    prej[0].infinity = a->infinity;
 
     zr[0] = d.z;
     for (i = 1; i < n; i++) {
@@ -164,13 +165,13 @@ static void secp256k1_ecmult_odd_multiples_table_storage_var(const int n, secp25
      */
     d_ge.x = d.x;
     d_ge.y = d.y;
-    d_ge.infinity = 0;
+    d_ge.infinity = d.infinity;
 
     secp256k1_ge_set_gej_zinv(&p_ge, a, &d.z);
     pj.x = p_ge.x;
     pj.y = p_ge.y;
     pj.z = a->z;
-    pj.infinity = 0;
+    pj.infinity = p_ge.infinity;
 
     for (i = 0; i < (n - 1); i++) {
         secp256k1_fe_normalize_var(&pj.y);

diff --git a/src/field.h b/src/field.h
@@ -131,4 +131,7 @@ static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_f
 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag);
 
+/** Check invariants on a field element (no-op unless VERIFY is enabled). */
+static void secp256k1_fe_verify(const secp256k1_fe *a);
+
 #endif /* SECP256K1_FIELD_H */
diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h
@@ -10,8 +10,8 @@
 #include "util.h"
 #include "field.h"
 
-#ifdef VERIFY
 static void secp256k1_fe_verify(const secp256k1_fe *a) {
+#ifdef VERIFY
     const uint32_t *d = a->n;
     int m = a->normalized ? 1 : 2 * a->magnitude, r = 1;
     r &= (d[0] <= 0x3FFFFFFUL * m);
@@ -36,8 +36,9 @@ static void secp256k1_fe_verify(const secp256k1_fe *a) {
         }
     }
     VERIFY_CHECK(r == 1);
-}
 #endif
+    (void)a;
+}
 
 static void secp256k1_fe_normalize(secp256k1_fe *r) {
     uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],

diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h
@@ -28,8 +28,8 @@
  *  output.
  */
 
-#ifdef VERIFY
 static void secp256k1_fe_verify(const secp256k1_fe *a) {
+#ifdef VERIFY
     const uint64_t *d = a->n;
     int m = a->normalized ? 1 : 2 * a->magnitude, r = 1;
    /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */
@@ -47,8 +47,9 @@ static void secp256k1_fe_verify(const secp256k1_fe *a) {
         }
     }
     VERIFY_CHECK(r == 1);
-}
 #endif
+    (void)a;
+}
 
 static void secp256k1_fe_normalize(secp256k1_fe *r) {
     uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];

diff --git a/src/group.h b/src/group.h
@@ -148,4 +148,10 @@ static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b);
  */
 static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge);
 
+/** Check invariants on an affine group element (no-op unless VERIFY is enabled). */
+static void secp256k1_ge_verify(const secp256k1_ge *a);
+
+/** Check invariants on a Jacobian group element (no-op unless VERIFY is enabled). */
+static void secp256k1_gej_verify(const secp256k1_gej *a);
+
 #endif /* SECP256K1_GROUP_H */