[bitcoin-dev] libsecp256k1 0.3.2 released

From: Tim Ruffing <crypto@timruffing•de>
To: bitcoin-dev@lists•linuxfoundation.org
Subject: [bitcoin-dev] libsecp256k1 0.3.2 released
Date: Sun, 14 May 2023 19:35:38 +0200	[thread overview]
Message-ID: <cf010a83bf60a16e66e40f78494fc7b7b17a336a.camel@timruffing.de> (raw)

Hello,

We'd like to announce the release of version 0.3.2 of libsecp256k1:

  https://github.com/bitcoin-core/secp256k1/releases/tag/v0.3.2

This is a bugfix release after 0.3.1. The impetus for this release is
the discovery that GCC 13 became smart enough to optimize out a
specific timing side-channel protection mechanism in the ECDH code that
could leave applications vulnerable to a side-channel attack. This has
been fixed in 0.3.2 [1].

For the full changelog, see
  https://github.com/bitcoin-core/secp256k1/blob/master/CHANGELOG.md

We strongly recommend any users of the library to upgrade if their code
may end up being compiled with GCC >=13. Bitcoin Core is not affected
because it does not use libsecp256k1's ECDH module.

Note: The underlying side-channel issue is very similar to the issue
that lead to the previous 0.3.1 release. Unfortunately, there is no
generic way to prevent compilers from "optimizing" code by adding
secret-dependent branches (which are undesired in cryptographic
applications), and it is hard to predict what optimizations future
compiler versions will add. There's ongoing work [2] to test on
unreleased development snapshots of GCC and Clang, which would make it
possible to catch similar cases earlier in the future.

[1]: https://github.com/bitcoin-core/secp256k1/pull/1303
[2]: https://github.com/bitcoin-core/secp256k1/pull/1313