tests: impl bitflip test for xonly pub tweak randomizer gen

siv2r · siv2r · commit 8a1da31a16b2 · 2022-07-02T17:47:28.000+05:30
diff --git a/src/modules/extrakeys/batch_add_impl.h b/src/modules/extrakeys/batch_add_impl.h
@@ -5,13 +5,12 @@
 #include "src/hash.h"
 #include "src/modules/batch/main_impl.h"
 
-static void secp256k1_batch_add_xonlypub_tweak_check_randomizer_gen(unsigned char *randomizer32, secp256k1_sha256 *sha256, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const unsigned char *internal_pk33, const unsigned char *tweak32) {
+static void secp256k1_batch_xonlypub_tweak_randomizer_gen(unsigned char *randomizer32, secp256k1_sha256 *sha256, const unsigned char *tweaked_pubkey32, const unsigned char *tweaked_pk_parity, const unsigned char *internal_pk33, const unsigned char *tweak32) {
     secp256k1_sha256 sha256_cpy;
-    unsigned char parity = (unsigned char) tweaked_pk_parity;
 
     /* add tweaked pubkey check data to sha object */
     secp256k1_sha256_write(sha256, tweaked_pubkey32, 32);
-    secp256k1_sha256_write(sha256, &parity, sizeof(parity));
+    secp256k1_sha256_write(sha256, tweaked_pk_parity, 1);
     secp256k1_sha256_write(sha256, tweak32, 32);
     secp256k1_sha256_write(sha256, internal_pk33, 33);
 
@@ -20,10 +19,11 @@ static void secp256k1_batch_add_xonlypub_tweak_check_randomizer_gen(unsigned cha
     secp256k1_sha256_finalize(&sha256_cpy, randomizer32);
 }
 
-static int secp256k1_batch_add_xonlypub_tweak_check_randomizer_set(const secp256k1_context* ctx, secp256k1_batch *batch, secp256k1_scalar *r, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey,const unsigned char *tweak32) {
+static int secp256k1_batch_xonlypub_tweak_randomizer_set(const secp256k1_context* ctx, secp256k1_batch *batch, secp256k1_scalar *r, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey,const unsigned char *tweak32) {
     unsigned char randomizer[32];
     unsigned char internal_buf[33];
     size_t internal_buflen = sizeof(internal_buf);
+    unsigned char parity = (unsigned char) tweaked_pk_parity;
     int overflow;
 
     /* We use compressed serialization here. If we would use
@@ -34,7 +34,7 @@ static int secp256k1_batch_add_xonlypub_tweak_check_randomizer_set(const secp256
         return 0;
     }
 
-    secp256k1_batch_add_xonlypub_tweak_check_randomizer_gen(randomizer, &batch->sha256, tweaked_pubkey32, tweaked_pk_parity, internal_buf, tweak32);
+    secp256k1_batch_xonlypub_tweak_randomizer_gen(randomizer, &batch->sha256, tweaked_pubkey32, &parity, internal_buf, tweak32);
     secp256k1_scalar_set_b32(r, randomizer, &overflow);
     VERIFY_CHECK(overflow == 0);
 
@@ -117,7 +117,9 @@ int secp256k1_batch_add_xonlypub_tweak_check(const secp256k1_context* ctx, secp2
     secp256k1_gej_set_ge(&batch->points[i+1], &pk);
 
     /* Compute ai */
-    secp256k1_batch_add_xonlypub_tweak_check_randomizer_set(ctx, batch, &ai, tweaked_pubkey32, tweaked_pk_parity, internal_pubkey, tweak32);
+    if(!secp256k1_batch_xonlypub_tweak_randomizer_set(ctx, batch, &ai, tweaked_pubkey32, tweaked_pk_parity, internal_pubkey, tweak32)) {
+        return 0;
+    }
 
     /* append scalars -ai, ai respectively to scratch space */
     secp256k1_scalar_negate(&tmp, &ai);
diff --git a/src/modules/extrakeys/batch_add_tests_impl.h b/src/modules/extrakeys/batch_add_tests_impl.h
@@ -3,7 +3,63 @@
 
 #include "include/secp256k1_extrakeys.h"
 
+/* Checks that a bit flip in the n_flip-th argument (that has n_bytes many
+ * bytes) changes the hash function */
+void batch_xonlypub_tweak_randomizer_gen_bitflip(secp256k1_sha256 *sha, unsigned char **args, size_t n_flip, size_t n_bytes) {
+    unsigned char randomizers[2][32];
+    secp256k1_sha256 sha_cpy;
+    sha_cpy = *sha;
+    secp256k1_batch_xonlypub_tweak_randomizer_gen(randomizers[0], &sha_cpy, args[0], args[1], args[2], args[3]);
+    secp256k1_testrand_flip(args[n_flip], n_bytes);
+    sha_cpy = *sha;
+    secp256k1_batch_xonlypub_tweak_randomizer_gen(randomizers[1], &sha_cpy, args[0], args[1], args[2], args[3]);
+    CHECK(secp256k1_memcmp_var(randomizers[0], randomizers[1], 32) != 0);
+}
+
 void run_batch_xonlypub_tweak_randomizer_gen_tests(void) {
+    secp256k1_sha256 sha;
+    size_t n_checks = 20;
+    unsigned char tweaked_pk[32];
+    unsigned char tweaked_pk_parity;
+    unsigned char tweak[32];
+    unsigned char internal_pk[33];
+    unsigned char *args[4];
+    size_t i; /* loops through n_checks */
+    int j; /* loops through count */
+
+    secp256k1_batch_sha256_tagged(&sha);
+
+    for (i = 0; i < n_checks; i++) {
+        uint8_t temp_rand;
+
+        /* generate i-th tweak check data */
+        secp256k1_testrand256(tweaked_pk);
+        tweaked_pk_parity = (unsigned char) secp256k1_testrand_int(2);
+        secp256k1_testrand256(tweak);
+        secp256k1_testrand256(&internal_pk[1]);
+        temp_rand = secp256k1_testrand_int(2) + 2; /* randomly choose 2 or 3 */
+        internal_pk[0] = (unsigned char)temp_rand;
+
+        /* check bitflip in any argument results in generates randomizers */
+        args[0] = tweaked_pk;
+        args[1] = &tweaked_pk_parity;
+        args[2] = internal_pk;
+        args[3] = tweak;
+
+        for (j = 0; j < count; j++) {
+            batch_xonlypub_tweak_randomizer_gen_bitflip(&sha, args, 0, 32);
+            batch_xonlypub_tweak_randomizer_gen_bitflip(&sha, args, 1, 1);
+            batch_xonlypub_tweak_randomizer_gen_bitflip(&sha, args, 2, 32);
+            batch_xonlypub_tweak_randomizer_gen_bitflip(&sha, args, 3, 33);
+        }
+
+        /* write i-th tweak check data to the sha object
+         * this is required for generating the next randomizer */
+        secp256k1_sha256_write(&sha, tweaked_pk, 32);
+        secp256k1_sha256_write(&sha, &tweaked_pk_parity, 1);
+        secp256k1_sha256_write(&sha, tweak, 32);
+        secp256k1_sha256_write(&sha, internal_pk, 33);
+    }
 
 }
 
diff --git a/src/modules/schnorrsig/batch_add_impl.h b/src/modules/schnorrsig/batch_add_impl.h
@@ -19,10 +19,10 @@ static void secp256k1_batch_schnorrsig_randomizer_gen(unsigned char *randomizer3
 }
 
 static int secp256k1_batch_schnorrsig_randomizer_set(const secp256k1_context *ctx, secp256k1_batch *batch, secp256k1_scalar *r, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) {
-    int overflow;
     unsigned char randomizer[32];
     unsigned char buf[33];
     size_t buflen = sizeof(buf);
+    int overflow;
 
     /* We use compressed serialization here. If we would use
     * xonly_pubkey serialization and a user would wrongly memcpy
