Test the Elligator Squared mapping functions

- source: src/modules/ellsq/tests_impl.h from bitcoin-core/secp256k1#982
- 3 tests are added:
    1. Generate random field elements and use f to map it to a valid group element on the curve.
       Then use r to map back the group element to the 4 possible pre-images, out of which only 1
       is the field element we started with.
    2. Generate random group elements on the curve and use r to map it to the 4 possible pre-images.
       Then map the field elements back to the group element and check if it's the same group element
       we started with, also making sure that the pre-images are distinct.
    3. Verify the test cases which consists of group element and the 4 field elements.Map the group element
       to the 4 possible pre-images using r and check whether it's consistent with the 4 field elements
       given in the test case. Map the field element back to the group element using f and check whether
       it matches the test case.

Author: stratospher

test/functional/test_framework/ellsq.py

@@ -4,7 +4,10 @@
 WARNING: This code is slow and uses bad randomness.
 Do not use for anything but tests."""
 
-from .key import fe
+import random
+import unittest
+
+from .key import fe, SECP256K1, SECP256K1_G, SECP256K1_ORDER
 
 C1 = fe(-3).sqrt()
 C2 = (C1 - fe(1)) / fe(2)
@@ -137,3 +140,42 @@ def reverse_map(x, y, i):
     [(fe(0xd09a4047f158fe52f96c661d02c68657c4c976ea96ea85ef46d6985bd540756b), fe(0xe793bfaae9300f18e6f9b55aae26322368b61d51ae5022efe266c72d574178bc)), [fe(0x7e6175fdfbb9fb4faf6e2b925ef86c4a444d819aaa82dbee545d3d9b296375be), None                                                                  , None                                                                  , None                                                                  ]],
     [(fe(0x3498662504b73c7c8cecb6c33cd493bdfc190e0f87d913d7ff9ad42e222bfe95), fe(0x245b3a61b8d46997f14f2fea2874899691eb32542b9907d65eb9d21d42454021)), [fe(0x7f556282c3dd9d263390d6bbddada698ab8fd7c7d1a06498f42b30437c8361ad), None                                                                  , None                                                                  , None                                                                  ]]
 ]
+
+class TestFrameworkEllsq(unittest.TestCase):
+    def test_fe_to_ge_to_fe(self):
+        for i in range(100):
+            matches = 0
+            t = fe(random.randrange(1, SECP256K1_ORDER))
+            ge = forward_map(t)
+            jac_ge = ge[0].val, ge[1].val, 1
+            assert SECP256K1.on_curve(jac_ge)
+            # t should appear exactly once in preimages
+            for j in range(4):
+                field_ele = reverse_map(ge[0], ge[1], j)
+                if field_ele is not None:
+                    matches += (field_ele == t)
+            assert matches == 1
+
+    def test_ge_to_fe_to_ge(self):
+        for i in range(100):
+            m = random.randrange(1, SECP256K1_ORDER)
+            A = SECP256K1.affine(SECP256K1.mul([(SECP256K1_G, m)]))
+            ge = fe(A[0]), fe(A[1])
+            preimages = []
+            for j in range(4):
+                field_ele = reverse_map(ge[0], ge[1], j)
+                if field_ele is not None:
+                    preimages.append(field_ele)
+                    group_ele = forward_map(field_ele)
+                    assert ge == group_ele
+            assert len(set(preimages)) == len(preimages)
+
+    def test_ellsq_mapping(self):
+        for test_vector in ELLSQ_TESTS:
+            ge, fes = test_vector
+            for j, fe1 in enumerate(fes):
+                fe2 = reverse_map(ge[0], ge[1], j)
+                assert fe1 == fe2
+                if fe2 is not None:
+                    group_ele = forward_map(fe2)
+                    assert ge == group_ele

test/functional/test_runner.py

@@ -70,8 +70,9 @@
 TEST_FRAMEWORK_MODULES = [
     "address",
     "blocktools",
-    "muhash",
+    "ellsq",
     "key",
+    "muhash",
     "script",
     "segwit_addr",
     "util",