Skip to content

Norm arg: allow X and R to be point at infinity #218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
May 9, 2023
Merged

Norm arg: allow X and R to be point at infinity #218

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
d8e7f37
musig: move ge_{serialize,parse}_ext to module-independent file
jonasnick Apr 19, 2023
f22834f
norm arg: add verify vector for n = [0], l = [0]
jonasnick Feb 28, 2023
c0de361
norm arg: allow X and R to be the point at infinity
jonasnick Mar 1, 2023
f5e4b16
norm arg: add test vector for sign bit malleability
jonasnick Mar 1, 2023
a70c4d4
norm arg: add test vector for |n| = 0
jonasnick Mar 1, 2023
bf7bf8a
norm arg: split norm_arg_zero into prove_edge and verify_zero_len
jonasnick Mar 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 2 additions & 17 deletions src/modules/bppp/bppp_norm_product_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,17 +300,8 @@ static int secp256k1_bppp_rangeproof_norm_product_prove(
return 0;
}

/* We only fail here because we cannot serialize points at infinity. */
if (secp256k1_gej_is_infinity(&xj) || secp256k1_gej_is_infinity(&rj)) {
return 0;
}

secp256k1_ge_set_gej_var(&x_ge, &xj);
secp256k1_fe_normalize_var(&x_ge.x);
secp256k1_fe_normalize_var(&x_ge.y);
secp256k1_ge_set_gej_var(&r_ge, &rj);
secp256k1_fe_normalize_var(&r_ge.x);
secp256k1_fe_normalize_var(&r_ge.y);
secp256k1_bppp_serialize_points(&proof[proof_idx], &x_ge, &r_ge);
proof_idx += 65;

Expand Down Expand Up @@ -379,26 +370,20 @@ static int ec_mult_verify_cb1(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx
}
idx -= 1;
if (idx % 2 == 0) {
unsigned char pk_buf[33];
idx /= 2;
*sc = data->gammas[idx];
pk_buf[0] = 2 | (data->proof[65*idx] >> 1);
memcpy(&pk_buf[1], &data->proof[65*idx + 1], 32);
if (!secp256k1_eckey_pubkey_parse(pt, pk_buf, sizeof(pk_buf))) {
if (!secp256k1_bppp_parse_one_of_points(pt, &data->proof[65*idx], 0)) {
return 0;
}
} else {
unsigned char pk_buf[33];
secp256k1_scalar neg_one;
idx /= 2;
secp256k1_scalar_set_int(&neg_one, 1);
secp256k1_scalar_negate(&neg_one, &neg_one);
*sc = data->gammas[idx];
secp256k1_scalar_sqr(sc, sc);
secp256k1_scalar_add(sc, sc, &neg_one);
pk_buf[0] = 2 | data->proof[65*idx];
memcpy(&pk_buf[1], &data->proof[65*idx + 33], 32);
if (!secp256k1_eckey_pubkey_parse(pt, pk_buf, sizeof(pk_buf))) {
if (!secp256k1_bppp_parse_one_of_points(pt, &data->proof[65*idx], 1)) {
return 0;
}
}
Expand Down
31 changes: 27 additions & 4 deletions src/modules/bppp/bppp_util.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,33 @@
/* Outputs a pair of points, amortizing the parity byte between them
* Assumes both points' coordinates have been normalized.
*/
static void secp256k1_bppp_serialize_points(unsigned char *output, const secp256k1_ge *lpt, const secp256k1_ge *rpt) {
output[0] = (secp256k1_fe_is_odd(&lpt->y) << 1) + secp256k1_fe_is_odd(&rpt->y);
secp256k1_fe_get_b32(&output[1], &lpt->x);
secp256k1_fe_get_b32(&output[33], &rpt->x);
static void secp256k1_bppp_serialize_points(unsigned char *output, secp256k1_ge *lpt, secp256k1_ge *rpt) {
unsigned char tmp[33];
secp256k1_ge_serialize_ext(tmp, lpt);
output[0] = (tmp[0] & 1) << 1;
memcpy(&output[1], &tmp[1], 32);
secp256k1_ge_serialize_ext(tmp, rpt);
output[0] |= (tmp[0] & 1);
memcpy(&output[33], &tmp[1], 32);
}

static int secp256k1_bppp_parse_one_of_points(secp256k1_ge *pt, const unsigned char *in65, int idx) {
unsigned char tmp[33] = { 0 };
if (in65[0] > 3) {
return 0;
}
/* Check if the input array encodes the point at infinity */
if ((secp256k1_memcmp_var(tmp, &in65[1 + 32*idx], 32)) != 0) {
tmp[0] = 2 | ((in65[0] & (2 - idx)) >> (1 - idx));
memcpy(&tmp[1], &in65[1 + 32*idx], 32);
} else {
/* If we're parsing the point at infinity, enforce that the sign bit is
* 0. */
if ((in65[0] & (2 - idx)) != 0) {
return 0;
}
}
return secp256k1_ge_parse_ext(pt, tmp);
}

/* Outputs a serialized point in compressed form. Returns 0 at point at infinity.
Expand Down
28 changes: 28 additions & 0 deletions src/modules/bppp/test_vectors/verify.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,4 +62,32 @@ static secp256k1_scalar verify_vector_8_c_vec[1];
static const unsigned char verify_vector_8_r32[32] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x34 };
static const unsigned char verify_vector_8_proof[] = { 0x00, 0xBC, 0x4C, 0x42, 0x67, 0x71, 0x69, 0x52, 0x6A, 0x65, 0xFE, 0xA0, 0xCB, 0x3F, 0x58, 0x8B, 0x48, 0x48, 0x6E, 0x59, 0xFC, 0x55, 0x51, 0x10, 0xB9, 0xBF, 0x6A, 0x7D, 0xBF, 0x32, 0x34, 0x4E, 0x7D, 0xBA, 0xD5, 0xCB, 0xCC, 0x19, 0xED, 0xAA, 0x9F, 0x8D, 0x93, 0x26, 0x5E, 0x3F, 0x3E, 0xAA, 0xDF, 0x0B, 0x1C, 0xB3, 0xDC, 0x37, 0xB6, 0xDB, 0xAE, 0x43, 0x63, 0x92, 0xB5, 0xFF, 0x0D, 0x1C, 0x77, 0x02, 0x7E, 0x2B, 0xB8, 0x87, 0x85, 0x81, 0x13, 0x70, 0x1F, 0x03, 0x65, 0x7D, 0xD8, 0x91, 0x83, 0xE5, 0x7E, 0x8B, 0x9E, 0x6F, 0x1C, 0x08, 0x9C, 0x9C, 0x5F, 0xA4, 0x12, 0x5F, 0xD3, 0xEE, 0xE2, 0x74, 0x7A, 0x2C, 0x58, 0x3A, 0x29, 0x4F, 0x64, 0x10, 0xE7, 0x89, 0xBF, 0xB2, 0xE5, 0xD9, 0xD5, 0xC5, 0x62, 0x83, 0x0C, 0xA8, 0xDD, 0x1E, 0x24, 0x6D, 0xD1, 0x58, 0x8D, 0x80, 0x74, 0xF3, 0xD9, 0x3A, 0x68, 0x7B, 0xF5, 0x12, 0xC6, 0xC2, 0x3F, 0x71, 0x47, 0xDF, 0xCF, 0xC8, 0xE2, 0xC4, 0x59, 0xDF, 0x4F, 0xEC, 0x86, 0xE9, 0xF9, 0x31, 0x94, 0x6A, 0x5F, 0xD9, 0x1E, 0x6B, 0x09, 0xCD, 0xCF, 0x5D, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3E };
static const int verify_vector_8_result = 0;
static const unsigned char verify_vector_9_commit33[33] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const size_t verify_vector_9_n_vec_len = 1;
static const unsigned char verify_vector_9_c_vec32[1][32] = { { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3C } };
static secp256k1_scalar verify_vector_9_c_vec[1];
static const unsigned char verify_vector_9_r32[32] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x34 };
static const unsigned char verify_vector_9_proof[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const int verify_vector_9_result = 1;
static const unsigned char verify_vector_10_commit33[33] = { 0x03, 0x62, 0x8A, 0xC2, 0xF1, 0xF2, 0x00, 0xE0, 0x81, 0xBD, 0xA0, 0xA9, 0x6D, 0x25, 0x53, 0xB4, 0x17, 0xC1, 0x02, 0x93, 0x50, 0x3E, 0x91, 0xD4, 0xD1, 0x3A, 0x82, 0x89, 0x02, 0x24, 0x78, 0x49, 0xA5 };
static const size_t verify_vector_10_n_vec_len = 2;
static const unsigned char verify_vector_10_c_vec32[1][32] = { { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3C } };
static secp256k1_scalar verify_vector_10_c_vec[1];
static const unsigned char verify_vector_10_r32[32] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x34 };
static const unsigned char verify_vector_10_proof[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3A };
static const int verify_vector_10_result = 1;
static const unsigned char verify_vector_11_commit33[33] = { 0x03, 0x62, 0x8A, 0xC2, 0xF1, 0xF2, 0x00, 0xE0, 0x81, 0xBD, 0xA0, 0xA9, 0x6D, 0x25, 0x53, 0xB4, 0x17, 0xC1, 0x02, 0x93, 0x50, 0x3E, 0x91, 0xD4, 0xD1, 0x3A, 0x82, 0x89, 0x02, 0x24, 0x78, 0x49, 0xA5 };
static const size_t verify_vector_11_n_vec_len = 2;
static const unsigned char verify_vector_11_c_vec32[1][32] = { { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3C } };
static secp256k1_scalar verify_vector_11_c_vec[1];
static const unsigned char verify_vector_11_r32[32] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x34 };
static const unsigned char verify_vector_11_proof[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3A };
static const int verify_vector_11_result = 0;
static const unsigned char verify_vector_12_commit33[33] = { 0x02, 0x7D, 0x5F, 0x4B, 0x11, 0xC0, 0xE4, 0x2E, 0x4C, 0x1B, 0x56, 0xAE, 0xF0, 0x5F, 0xAA, 0xD8, 0x77, 0x0C, 0x93, 0x71, 0xA2, 0x92, 0xF9, 0x89, 0xA2, 0xB4, 0x69, 0x9B, 0x46, 0x8A, 0x03, 0xF1, 0x50 };
static const size_t verify_vector_12_n_vec_len = 0;
static const unsigned char verify_vector_12_c_vec32[1][32] = { { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3C } };
static secp256k1_scalar verify_vector_12_c_vec[1];
static const unsigned char verify_vector_12_r32[32] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x34 };
static const unsigned char verify_vector_12_proof[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x3A };
static const int verify_vector_12_result = 0;

130 changes: 110 additions & 20 deletions src/modules/bppp/tests_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,80 @@ void test_norm_util_helpers(void) {
secp256k1_scalar_set_int(&res, 256); CHECK(secp256k1_scalar_eq(&res, &rho_pows[3]));
}


void test_serialize_two_points_roundtrip(secp256k1_ge *X, secp256k1_ge *R) {
secp256k1_ge X_tmp, R_tmp;
unsigned char buf[65];
secp256k1_bppp_serialize_points(buf, X, R);
CHECK(secp256k1_bppp_parse_one_of_points(&X_tmp, buf, 0));
CHECK(secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 1));
ge_equals_ge(X, &X_tmp);
ge_equals_ge(R, &R_tmp);
}

void test_serialize_two_points(void) {
secp256k1_ge X, R;
int i;

for (i = 0; i < count; i++) {
random_group_element_test(&X);
random_group_element_test(&R);
test_serialize_two_points_roundtrip(&X, &R);
}

for (i = 0; i < count; i++) {
random_group_element_test(&X);
secp256k1_ge_set_infinity(&R);
test_serialize_two_points_roundtrip(&X, &R);
}

for (i = 0; i < count; i++) {
secp256k1_ge_set_infinity(&X);
random_group_element_test(&R);
test_serialize_two_points_roundtrip(&X, &R);
}

secp256k1_ge_set_infinity(&X);
secp256k1_ge_set_infinity(&R);
test_serialize_two_points_roundtrip(&X, &R);

/* Test invalid sign byte */
{
secp256k1_ge X_tmp, R_tmp;
unsigned char buf[65];
random_group_element_test(&X);
random_group_element_test(&R);
secp256k1_bppp_serialize_points(buf, &X, &R);
buf[0] |= 4 + (unsigned char)secp256k1_testrandi64(4, 255);
CHECK(!secp256k1_bppp_parse_one_of_points(&X_tmp, buf, 0));
CHECK(!secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 0));
}
/* Check that sign bit is 0 for point at infinity */
for (i = 0; i < count; i++) {
secp256k1_ge X_tmp, R_tmp;
unsigned char buf[65];
int expect;
random_group_element_test(&X);
random_group_element_test(&R);
secp256k1_bppp_serialize_points(buf, &X, &R);
memset(&buf[1], 0, 32);
if ((buf[0] & 2) == 0) {
expect = 1;
} else {
expect = 0;
}
CHECK(secp256k1_bppp_parse_one_of_points(&X_tmp, buf, 0) == expect);
CHECK(secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 1));
memset(&buf[33], 0, 32);
if ((buf[0] & 1) == 0) {
expect = 1;
} else {
expect = 0;
}
CHECK(secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 1) == expect);
}
}

static void secp256k1_norm_arg_commit_initial_data(
secp256k1_sha256* transcript,
const secp256k1_scalar* rho,
Expand Down Expand Up @@ -362,7 +436,7 @@ static int secp256k1_norm_arg_verify(
return res;
}

void norm_arg_zero(void) {
void norm_arg_prove_edge(void) {
secp256k1_scalar n_vec[64], l_vec[64], c_vec[64];
secp256k1_scalar rho, mu;
secp256k1_ge commit;
Expand Down Expand Up @@ -416,27 +490,37 @@ void norm_arg_zero(void) {
random_scalar_order(&c_vec[i]);
}
CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
CHECK(!secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit));
secp256k1_bppp_generators_destroy(ctx, gs);
}

/* Verify vectors of length 0 */
{
unsigned int n_vec_len = 1;
unsigned int c_vec_len = 1;
secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(ctx, n_vec_len + c_vec_len);
size_t plen = sizeof(proof);
random_scalar_order(&n_vec[0]);
random_scalar_order(&c_vec[0]);
random_scalar_order(&l_vec[0]);
CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
CHECK(secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit));
secp256k1_sha256_initialize(&transcript);
CHECK(secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit));
CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, 0, c_vec, c_vec_len, &commit));
CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, 0, &commit));

secp256k1_bppp_generators_destroy(ctx, gs);
}
}

/* Verify |c| = 0 */
void norm_arg_verify_zero_len(void) {
secp256k1_scalar n_vec[64], l_vec[64], c_vec[64];
secp256k1_scalar rho, mu;
secp256k1_ge commit;
secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*10); /* shouldn't need much */
unsigned char proof[1000];
unsigned int n_vec_len = 1;
unsigned int c_vec_len = 1;
secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(ctx, n_vec_len + c_vec_len);
size_t plen = sizeof(proof);

random_scalar_order(&rho);
secp256k1_scalar_sqr(&mu, &rho);

random_scalar_order(&n_vec[0]);
random_scalar_order(&c_vec[0]);
random_scalar_order(&l_vec[0]);
CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
CHECK(secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit));
CHECK(secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit));
CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, 0, &commit));

secp256k1_bppp_generators_destroy(ctx, gs);

secp256k1_scratch_space_destroy(ctx, scratch);
}
Expand Down Expand Up @@ -535,7 +619,7 @@ int norm_arg_verify_vectors_helper(secp256k1_scratch *scratch, const unsigned ch
secp256k1_scalar_set_b32(&c_vec[i], c_vec32[i], &overflow);
CHECK(!overflow);
}
CHECK(secp256k1_eckey_pubkey_parse(&commit, commit33, 33));
CHECK(secp256k1_ge_parse_ext(&commit, commit33));
ret = secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit);

secp256k1_bppp_generators_destroy(ctx, gs);
Expand All @@ -557,6 +641,10 @@ void norm_arg_verify_vectors(void) {
CHECK(IDX_TO_TEST(6));
CHECK(IDX_TO_TEST(7));
CHECK(IDX_TO_TEST(8));
CHECK(IDX_TO_TEST(9));
CHECK(IDX_TO_TEST(10));
CHECK(IDX_TO_TEST(11));
CHECK(IDX_TO_TEST(12));

CHECK(alloc == scratch->alloc_size);
secp256k1_scratch_space_destroy(ctx, scratch);
Expand All @@ -566,11 +654,13 @@ void norm_arg_verify_vectors(void) {
void run_bppp_tests(void) {
test_log_exp();
test_norm_util_helpers();
test_serialize_two_points();
test_bppp_generators_api();
test_bppp_generators_fixed();
test_bppp_tagged_hash();

norm_arg_zero();
norm_arg_prove_edge();
norm_arg_verify_zero_len();
norm_arg_test(1, 1);
norm_arg_test(1, 64);
norm_arg_test(64, 1);
Expand Down
26 changes: 0 additions & 26 deletions src/modules/musig/session_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,32 +200,6 @@ int secp256k1_musig_pubnonce_parse(const secp256k1_context* ctx, secp256k1_musig
return 1;
}

/* Outputs 33 zero bytes if the given group element is the point at infinity and
* otherwise outputs the compressed serialization */
static void secp256k1_ge_serialize_ext(unsigned char *out33, secp256k1_ge* ge) {
if (secp256k1_ge_is_infinity(ge)) {
memset(out33, 0, 33);
} else {
int ret;
size_t size = 33;
ret = secp256k1_eckey_pubkey_serialize(ge, out33, &size, 1);
/* Serialize must succeed because the point is not at infinity */
VERIFY_CHECK(ret && size == 33);
}
}

/* Outputs the point at infinity if the given byte array is all zero, otherwise
* attempts to parse compressed point serialization. */
static int secp256k1_ge_parse_ext(secp256k1_ge* ge, const unsigned char *in33) {
unsigned char zeros[33] = { 0 };

if (memcmp(in33, zeros, sizeof(zeros)) == 0) {
secp256k1_ge_set_infinity(ge);
return 1;
}
return secp256k1_eckey_pubkey_parse(ge, in33, 33);
}

int secp256k1_musig_aggnonce_serialize(const secp256k1_context* ctx, unsigned char *out66, const secp256k1_musig_aggnonce* nonce) {
secp256k1_ge ge[2];
int i;
Expand Down
Loading