Add X-only ECDH unit tests

sipa · sipa · commit dc7525c0cfe7 · 2023-01-27T13:25:24.000-05:00
diff --git a/src/modules/ecdh/tests_impl.h b/src/modules/ecdh/tests_impl.h
@@ -15,6 +15,13 @@ static int ecdh_hash_function_test_fail(unsigned char *output, const unsigned ch
     return 0;
 }
 
+static int ecdh_xonly_hash_function_test_fail(unsigned char *output, const unsigned char *x, void *data) {
+    (void)output;
+    (void)x;
+    (void)data;
+    return 0;
+}
+
 static int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
     (void)data;
     /* Save x and y as uncompressed public key */
@@ -24,11 +31,19 @@ static int ecdh_hash_function_custom(unsigned char *output, const unsigned char
     return 1;
 }
 
+static int ecdh_xonly_hash_function_custom(unsigned char *output, const unsigned char *x, void *data) {
+    (void)data;
+    /* Output X coordinate. */
+    memcpy(output, x, 32);
+    return 1;
+}
+
 static void test_ecdh_api(void) {
     /* Setup context that just counts errors */
     secp256k1_context *tctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
     secp256k1_pubkey point;
     unsigned char res[32];
+    unsigned char x32[32];
     unsigned char s_one[32] = { 0 };
     int32_t ecount = 0;
     s_one[31] = 1;
@@ -37,7 +52,7 @@ static void test_ecdh_api(void) {
     secp256k1_context_set_illegal_callback(tctx, counting_illegal_callback_fn, &ecount);
     CHECK(secp256k1_ec_pubkey_create(tctx, &point, s_one) == 1);
 
-    /* Check all NULLs are detected */
+    /* Check all NULLs are detected by secp256k1_ecdh. */
     CHECK(secp256k1_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1);
     CHECK(ecount == 0);
     CHECK(secp256k1_ecdh(tctx, NULL, &point, s_one, NULL, NULL) == 0);
@@ -49,16 +64,36 @@ static void test_ecdh_api(void) {
     CHECK(secp256k1_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1);
     CHECK(ecount == 3);
 
+    /* And the same for secp256k1_ecdh_xonly. */
+    memset(x32, 131, 32); /* sum(131*256^j, j=0..31) is a valid x coordinate. */
+    CHECK(secp256k1_ecdh_xonly(tctx, res, x32, s_one, NULL, NULL) == 1);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_ecdh_xonly(tctx, NULL, x32, s_one, NULL, NULL) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_ecdh_xonly(tctx, res, NULL, s_one, NULL, NULL) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_ecdh_xonly(tctx, res, x32, NULL, NULL, NULL) == 0);
+    CHECK(ecount == 6);
+    CHECK(secp256k1_ecdh_xonly(tctx, res, x32, s_one, NULL, NULL) == 1);
+    CHECK(ecount == 6);
+    memset(x32, 205, 32); /* sum(205*256^j, j=0..31) is not a valid x coordinate. */
+    CHECK(secp256k1_ecdh_xonly(tctx, res, x32, s_one, NULL, NULL) == 0);
+    CHECK(ecount == 6);
+
     /* Cleanup */
     secp256k1_context_destroy(tctx);
 }
 
 static void test_ecdh_generator_basepoint(void) {
     unsigned char s_one[32] = { 0 };
+    unsigned char x32_g[32];
     secp256k1_pubkey point[2];
     int i;
 
     s_one[31] = 1;
+    CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1);
+    secp256k1_fe_get_b32(x32_g, &secp256k1_ge_const_g.x);
+
     /* Check against pubkey creation when the basepoint is the generator */
     for (i = 0; i < 2 * COUNT; ++i) {
         secp256k1_sha256 sha;
@@ -72,7 +107,6 @@ static void test_ecdh_generator_basepoint(void) {
         random_scalar_order(&s);
         secp256k1_scalar_get_b32(s_b32, &s);
 
-        CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1);
         CHECK(secp256k1_ec_pubkey_create(CTX, &point[1], s_b32) == 1);
 
         /* compute using ECDH function with custom hash function */
@@ -82,6 +116,11 @@ static void test_ecdh_generator_basepoint(void) {
         /* compare */
         CHECK(secp256k1_memcmp_var(output_ecdh, point_ser, 65) == 0);
 
+        /* Do the same with x-only ECDH. */
+        CHECK(secp256k1_ecdh_xonly(CTX, output_ecdh, x32_g, s_b32, ecdh_xonly_hash_function_custom, NULL) == 1);
+        /* compare */
+        CHECK(secp256k1_memcmp_var(output_ecdh, point_ser + 1, 32) == 0);
+
         /* compute using ECDH function with default hash function */
         CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);
         /* compute "explicitly" */
@@ -91,6 +130,15 @@ static void test_ecdh_generator_basepoint(void) {
         secp256k1_sha256_finalize(&sha, output_ser);
         /* compare */
         CHECK(secp256k1_memcmp_var(output_ecdh, output_ser, 32) == 0);
+
+        /* And the same with x-only ECDH. */
+        CHECK(secp256k1_ecdh_xonly(CTX, output_ecdh, x32_g, s_b32, NULL, NULL) == 1);
+        /* compute "explicitly" */
+        secp256k1_sha256_initialize(&sha);
+        secp256k1_sha256_write(&sha, point_ser +1 , 32);
+        secp256k1_sha256_finalize(&sha, output_ser);
+        /* compare */
+        CHECK(secp256k1_memcmp_var(output_ecdh, output_ser, 32) == 0);
     }
 }
 
@@ -104,13 +152,16 @@ static void test_bad_scalar(void) {
     };
     unsigned char s_rand[32] = { 0 };
     unsigned char output[32];
+    unsigned char point_ser[33];
     secp256k1_scalar rand;
     secp256k1_pubkey point;
+    size_t point_ser_len = sizeof(point_ser);
 
     /* Create random point */
     random_scalar_order(&rand);
     secp256k1_scalar_get_b32(s_rand, &rand);
     CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_rand) == 1);
+    CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point, SECP256K1_EC_COMPRESSED) == 1);
 
     /* Try to multiply it by bad values */
     CHECK(secp256k1_ecdh(CTX, output, &point, s_zero, NULL, NULL) == 0);
@@ -119,39 +170,63 @@ static void test_bad_scalar(void) {
     s_overflow[31] -= 1;
     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 1);
 
+    /* And repeat for x-only. */
+    s_overflow[31] += 1;
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser + 1, s_zero, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser + 1, s_overflow, NULL, NULL) == 0);
+    s_overflow[31] -= 1;
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser + 1, s_overflow, NULL, NULL) == 1);
+
     /* Hash function failure results in ecdh failure */
     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0);
+    CHECK(secp256k1_ecdh_xonly(CTX, output, point_ser, s_overflow, ecdh_xonly_hash_function_test_fail, NULL) == 0);
 }
 
 /** Test that ECDH(sG, 1/s) == ECDH((1/s)G, s) == ECDH(G, 1) for a few random s. */
 static void test_result_basepoint(void) {
     secp256k1_pubkey point;
     secp256k1_scalar rand;
+    unsigned char point_ser[33];
+    unsigned char x32_g[32];
     unsigned char s[32];
     unsigned char s_inv[32];
     unsigned char out[32];
     unsigned char out_inv[32];
     unsigned char out_base[32];
+    unsigned char out_base_xonly[32];
+    size_t point_ser_len;
     int i;
 
     unsigned char s_one[32] = { 0 };
     s_one[31] = 1;
+    secp256k1_fe_get_b32(x32_g, &secp256k1_ge_const_g.x);
     CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_one) == 1);
     CHECK(secp256k1_ecdh(CTX, out_base, &point, s_one, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdh_xonly(CTX, out_base_xonly, x32_g, s_one, NULL, NULL) == 1);
 
     for (i = 0; i < 2 * COUNT; i++) {
         random_scalar_order(&rand);
         secp256k1_scalar_get_b32(s, &rand);
-        secp256k1_scalar_inverse(&rand, &rand);
+        secp256k1_scalar_inverse_var(&rand, &rand);
         secp256k1_scalar_get_b32(s_inv, &rand);
 
         CHECK(secp256k1_ec_pubkey_create(CTX, &point, s) == 1);
+        point_ser_len = sizeof(point_ser);
+        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point, SECP256K1_EC_COMPRESSED));
+
         CHECK(secp256k1_ecdh(CTX, out, &point, s_inv, NULL, NULL) == 1);
         CHECK(secp256k1_memcmp_var(out, out_base, 32) == 0);
+        CHECK(secp256k1_ecdh_xonly(CTX, out, point_ser + 1, s_inv, NULL, NULL) == 1);
+        CHECK(secp256k1_memcmp_var(out, out_base_xonly, 32) == 0);
 
         CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_inv) == 1);
         CHECK(secp256k1_ecdh(CTX, out_inv, &point, s, NULL, NULL) == 1);
+        point_ser_len = sizeof(point_ser);
+        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point, SECP256K1_EC_COMPRESSED));
+
         CHECK(secp256k1_memcmp_var(out_inv, out_base, 32) == 0);
+        CHECK(secp256k1_ecdh_xonly(CTX, out_inv, point_ser + 1, s, NULL, NULL) == 1);
+        CHECK(secp256k1_memcmp_var(out_inv, out_base_xonly, 32) == 0);
     }
 }
 
