ecdsa: remove scalar blinding. CSPRNG dep not good: cryptofuzz, other envs will fail

src/abstract/weierstrass.ts

@@ -943,16 +943,10 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const q = Point.BASE.multiply(k).toAffine(); // q = Gk
       const r = modN(q.x); // r = q.x mod n
       if (r === _0n) return;
-      // X blinding according to https://tches.iacr.org/index.php/TCHES/article/view/7337/6509
+      // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
-      // b * m + b * r * d ∈ [0,q−1] exposed via side-channel, but d (private scalar) is not.
+      // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
-      // NOTE: there is still probable some leak in multiplication, since it is not constant-time
+      // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
-      const b = ut.bytesToNumberBE(utils.randomPrivateKey()); // random scalar, b ∈ [1,q−1]
+      const s = modN(ik * modN(m + r * d)); // Not using blinding here
-      const bi = invN(b); // b^-1
-      const bdr = modN(b * d * r); // b * d * r
-      const bm = modN(b * m); // b * m
-      const mrx = modN(bi * modN(bdr + bm)); // b^-1(bm + bdr) -> m + rd
-
-      const s = modN(ik * mrx); // s = k^-1(m + rd) mod n
       if (s === _0n) return;
       let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
       let normS = s;