Add X-only ECDH unit tests

sipa · sipa · commit 0e8602cd5f5e · 2023-09-19T12:54:01.000-04:00
diff --git a/src/modules/ecdh/tests_impl.h b/src/modules/ecdh/tests_impl.h
@@ -15,6 +15,13 @@ static int ecdh_hash_function_test_fail(unsigned char *output, const unsigned ch
     return 0;
 }
 
+static int ecdh_xonly_hash_function_test_fail(unsigned char *output, const unsigned char *x, void *data) {
+    (void)output;
+    (void)x;
+    (void)data;
+    return 0;
+}
+
 static int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
     (void)data;
     /* Save x and y as uncompressed public key */
@@ -24,9 +31,17 @@ static int ecdh_hash_function_custom(unsigned char *output, const unsigned char
     return 1;
 }
 
+static int ecdh_xonly_hash_function_custom(unsigned char *output, const unsigned char *x, void *data) {
+    (void)data;
+    /* Output X coordinate. */
+    memcpy(output, x, 32);
+    return 1;
+}
+
 static void test_ecdh_api(void) {
     secp256k1_pubkey point;
     unsigned char res[32];
+    unsigned char x32[32];
     unsigned char s_one[32] = { 0 };
     s_one[31] = 1;
 
@@ -38,14 +53,28 @@ static void test_ecdh_api(void) {
     CHECK_ILLEGAL(CTX, secp256k1_ecdh(CTX, res, NULL, s_one, NULL, NULL));
     CHECK_ILLEGAL(CTX, secp256k1_ecdh(CTX, res, &point, NULL, NULL, NULL));
     CHECK(secp256k1_ecdh(CTX, res, &point, s_one, NULL, NULL) == 1);
+
+    /* And the same for secp256k1_ecdh_xonly. */
+    memset(x32, 131, 32); /* sum(131*256^j, j=0..31) is a valid x coordinate. */
+    CHECK(secp256k1_ecdh_xonly(CTX, res, x32, s_one, NULL, NULL) == 1);
+    CHECK_ILLEGAL(CTX, secp256k1_ecdh_xonly(CTX, NULL, x32, s_one, NULL, NULL));
+    CHECK_ILLEGAL(CTX, secp256k1_ecdh_xonly(CTX, res, NULL, s_one, NULL, NULL));
+    CHECK_ILLEGAL(CTX, secp256k1_ecdh_xonly(CTX, res, x32, NULL, NULL, NULL));
+    CHECK(secp256k1_ecdh_xonly(CTX, res, x32, s_one, NULL, NULL) == 1);
+    memset(x32, 205, 32); /* sum(205*256^j, j=0..31) is not a valid x coordinate. */
+    CHECK(secp256k1_ecdh_xonly(CTX, res, x32, s_one, NULL, NULL) == 0);
 }
 
 static void test_ecdh_generator_basepoint(void) {
     unsigned char s_one[32] = { 0 };
+    unsigned char x32_g[32];
     secp256k1_pubkey point[2];
     int i;
 
     s_one[31] = 1;
+    CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1);
+    secp256k1_fe_get_b32(x32_g, &secp256k1_ge_const_g.x);
+
     /* Check against pubkey creation when the basepoint is the generator */
     for (i = 0; i < 2 * COUNT; ++i) {
         secp256k1_sha256 sha;
@@ -59,7 +88,6 @@ static void test_ecdh_generator_basepoint(void) {
         random_scalar_order(&s);
         secp256k1_scalar_get_b32(s_b32, &s);
 
-        CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1);
         CHECK(secp256k1_ec_pubkey_create(CTX, &point[1], s_b32) == 1);
 
         /* compute using ECDH function with custom hash function */
@@ -69,6 +97,11 @@ static void test_ecdh_generator_basepoint(void) {
         /* compare */
         CHECK(secp256k1_memcmp_var(output_ecdh, point_ser, 65) == 0);
 
+        /* Do the same with x-only ECDH. */
+        CHECK(secp256k1_ecdh_xonly(CTX, output_ecdh, x32_g, s_b32, ecdh_xonly_hash_function_custom, NULL) == 1);
+        /* compare */
+        CHECK(secp256k1_memcmp_var(output_ecdh, point_ser + 1, 32) == 0);
+
         /* compute using ECDH function with default hash function */
         CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);
         /* compute "explicitly" */
@@ -78,6 +111,15 @@ static void test_ecdh_generator_basepoint(void) {
         secp256k1_sha256_finalize(&sha, output_ser);
         /* compare */
         CHECK(secp256k1_memcmp_var(output_ecdh, output_ser, 32) == 0);
+
+        /* And the same with x-only ECDH. */
+        CHECK(secp256k1_ecdh_xonly(CTX, output_ecdh, x32_g, s_b32, NULL, NULL) == 1);
+        /* compute "explicitly" */
+        secp256k1_sha256_initialize(&sha);
+        secp256k1_sha256_write(&sha, point_ser +1 , 32);
+        secp256k1_sha256_finalize(&sha, output_ser);
+        /* compare */
+        CHECK(secp256k1_memcmp_var(output_ecdh, output_ser, 32) == 0);
     }
 }
 
@@ -91,13 +133,16 @@ static void test_bad_scalar(void) {
     };
     unsigned char s_rand[32] = { 0 };
     unsigned char output[32];
+    unsigned char point_ser[33];
     secp256k1_scalar rand;
     secp256k1_pubkey point;
+    size_t point_ser_len = sizeof(point_ser);
 
     /* Create random point */
     random_scalar_order(&rand);
     secp256k1_scalar_get_b32(s_rand, &rand);
     CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_rand) == 1);
+    CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point, SECP256K1_EC_COMPRESSED) == 1);
 
     /* Try to multiply it by bad values */
     CHECK(secp256k1_ecdh(CTX, output, &point, s_zero, NULL, NULL) == 0);
@@ -106,39 +151,63 @@ static void test_bad_scalar(void) {
     s_overflow[31] -= 1;
     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 1);
 
+    /* And repeat for x-only. */
+    s_overflow[31] += 1;
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser + 1, s_zero, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser + 1, s_overflow, NULL, NULL) == 0);
+    s_overflow[31] -= 1;
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser + 1, s_overflow, NULL, NULL) == 1);
+
     /* Hash function failure results in ecdh failure */
     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0);
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser, s_overflow, ecdh_xonly_hash_function_test_fail, NULL) == 0);
 }
 
 /** Test that ECDH(sG, 1/s) == ECDH((1/s)G, s) == ECDH(G, 1) for a few random s. */
 static void test_result_basepoint(void) {
     secp256k1_pubkey point;
     secp256k1_scalar rand;
+    unsigned char point_ser[33];
+    unsigned char x32_g[32];
     unsigned char s[32];
     unsigned char s_inv[32];
     unsigned char out[32];
     unsigned char out_inv[32];
     unsigned char out_base[32];
+    unsigned char out_base_xonly[32];
+    size_t point_ser_len;
     int i;
 
     unsigned char s_one[32] = { 0 };
     s_one[31] = 1;
+    secp256k1_fe_get_b32(x32_g, &secp256k1_ge_const_g.x);
     CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_one) == 1);
     CHECK(secp256k1_ecdh(CTX, out_base, &point, s_one, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdh_xonly(CTX, out_base_xonly, x32_g, s_one, NULL, NULL) == 1);
 
     for (i = 0; i < 2 * COUNT; i++) {
         random_scalar_order(&rand);
         secp256k1_scalar_get_b32(s, &rand);
-        secp256k1_scalar_inverse(&rand, &rand);
+        secp256k1_scalar_inverse_var(&rand, &rand);
         secp256k1_scalar_get_b32(s_inv, &rand);
 
         CHECK(secp256k1_ec_pubkey_create(CTX, &point, s) == 1);
+        point_ser_len = sizeof(point_ser);
+        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point, SECP256K1_EC_COMPRESSED));
+
         CHECK(secp256k1_ecdh(CTX, out, &point, s_inv, NULL, NULL) == 1);
         CHECK(secp256k1_memcmp_var(out, out_base, 32) == 0);
+        CHECK(secp256k1_ecdh_xonly(CTX, out, point_ser + 1, s_inv, NULL, NULL) == 1);
+        CHECK(secp256k1_memcmp_var(out, out_base_xonly, 32) == 0);
 
         CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_inv) == 1);
         CHECK(secp256k1_ecdh(CTX, out_inv, &point, s, NULL, NULL) == 1);
+        point_ser_len = sizeof(point_ser);
+        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point, SECP256K1_EC_COMPRESSED));
+
         CHECK(secp256k1_memcmp_var(out_inv, out_base, 32) == 0);
+        CHECK(secp256k1_ecdh_xonly(CTX, out_inv, point_ser + 1, s, NULL, NULL) == 1);
+        CHECK(secp256k1_memcmp_var(out_inv, out_base_xonly, 32) == 0);
     }
 }
 
