Description
I noticed that addon.cc doesn't randomize the secp256k1_context after creating it. Is this an intentional trade-off? (And if so, is it described somewhere?)
If I understand correctly, context randomization is only important in scenarios where the attacker has the ability to carefully measure timing/electromagnetic emissions/power usage of the machine, and so isn't really a security concern for the vast majority of consumers of this library.
I probably don't understand it well enough, so I'd love to know – can someone explain (or link me to an explanation) of why it isn't necessary here?
For reference, here's the documentation for secp256k1_context_randomize:
```c
/** Updates the context randomization to protect against side-channel leakage.
 *  Returns: 1: randomization successfully updated
 *           0: error
 *  Args:    ctx:       pointer to a context object (cannot be NULL)
 *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
 *
 * While secp256k1 code is written to be constant-time no matter what secret
 * values are, it's possible that a future compiler may output code which isn't,
 * and also that the CPU may not emit the same radio frequencies or draw the same
 * amount of power for all values.
 *
 * This function provides a seed which is combined into the blinding value: that
 * blinding value is added before each multiplication (and removed afterwards) so
 * that it does not affect function results, but shields against attacks which
 * rely on any input-dependent behaviour.
 *
 * You should call this after secp256k1_context_create or
 * secp256k1_context_clone, and may call this repeatedly afterwards.
 */
```
What (if any) hypothetical attacks are possible given secp256k1-node doesn't call secp256k1_context_randomize when the context is created?