ecdh_2tests__impl_8h_source.html

/***********************************************************************

 * Copyright (c) 2015 Andrew Poelstra                                  *

 * Distributed under the MIT software license, see the accompanying    *

 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*

 ***********************************************************************/


#ifndef SECP256K1_MODULE_ECDH_TESTS_H

#define SECP256K1_MODULE_ECDH_TESTS_H


#include "../../unit_test.h"

#include "../../testutil.h"


static int ecdh_hash_function_test_xpassthru(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {

    (void)y;

    (void)data;

    memcpy(output, x, 32);

    return 1;

}


static int ecdh_hash_function_test_fail(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {

    (void)output;

    (void)x;

    (void)y;

    (void)data;

    return 0;

}


static int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {

    (void)data;

    /* Save x and y as uncompressed public key */

    output[0] = 0x04;

    memcpy(output + 1, x, 32);

    memcpy(output + 33, y, 32);

    return 1;

}


static void test_ecdh_api(void) {

    secp256k1_pubkey point;

    unsigned char res[32];

    unsigned char s_one[32] = { 0 };

    s_one[31] = 1;


    CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_one) == 1);


    /* Check all NULLs are detected */

    CHECK(secp256k1_ecdh(CTX, res, &point, s_one, NULL, NULL) == 1);

    CHECK_ILLEGAL(CTX, secp256k1_ecdh(CTX, NULL, &point, s_one, NULL, NULL));

    CHECK_ILLEGAL(CTX, secp256k1_ecdh(CTX, res, NULL, s_one, NULL, NULL));

    CHECK_ILLEGAL(CTX, secp256k1_ecdh(CTX, res, &point, NULL, NULL, NULL));

    CHECK(secp256k1_ecdh(CTX, res, &point, s_one, NULL, NULL) == 1);

}


static void test_ecdh_generator_basepoint(void) {

    unsigned char s_one[32] = { 0 };

    secp256k1_pubkey point[2];

    int i;


    s_one[31] = 1;

    /* Check against pubkey creation when the basepoint is the generator */

    for (i = 0; i < 2 * COUNT; ++i) {

        secp256k1_sha256 sha;

        unsigned char s_b32[32];

        unsigned char output_ecdh[65];

        unsigned char output_ser[32];

        unsigned char point_ser[65];

        size_t point_ser_len = sizeof(point_ser);

        secp256k1_scalar s;


        testutil_random_scalar_order(&s);

        secp256k1_scalar_get_b32(s_b32, &s);


        CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1);

        CHECK(secp256k1_ec_pubkey_create(CTX, &point[1], s_b32) == 1);


        /* compute using ECDH function with custom hash function */

        CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1);

        /* compute "explicitly" */

        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1);

        /* compare */

        CHECK(secp256k1_memcmp_var(output_ecdh, point_ser, 65) == 0);


        /* compute using ECDH function with default hash function */

        CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);

        /* compute "explicitly" */

        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1);

        secp256k1_sha256_initialize(&sha);

        secp256k1_sha256_write(secp256k1_get_hash_context(CTX), &sha, point_ser, point_ser_len);

        secp256k1_sha256_finalize(secp256k1_get_hash_context(CTX), &sha, output_ser);

        /* compare */

        CHECK(secp256k1_memcmp_var(output_ecdh, output_ser, 32) == 0);

    }

}


DEFINE_SHA256_TRANSFORM_PROBE(sha256_ecdh)

static void test_ecdh_ctx_sha256(void) {

    /* Check ctx-provided SHA256 compression override takes effect */

    secp256k1_context *ctx = secp256k1_context_clone(CTX);

    unsigned char out_default[65], out_custom[65];

    const unsigned char sk[32] = {1};

    secp256k1_pubkey pubkey;

    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, sk) == 1);


    /* Default behavior */

    CHECK(secp256k1_ecdh(ctx, out_default, &pubkey, sk, NULL, NULL) == 1);

    CHECK(!sha256_ecdh_called);


    /* Override SHA256 compression directly, bypassing the ctx setter sanity checks */

    ctx->hash_ctx.fn_sha256_compression = sha256_ecdh;

    CHECK(secp256k1_ecdh(ctx, out_custom, &pubkey, sk, NULL, NULL) == 1);


    /* Outputs must differ if custom compression was used */

    CHECK(secp256k1_memcmp_var(out_default, out_custom, 32) != 0);

    CHECK(sha256_ecdh_called);


    secp256k1_context_destroy(ctx);

}


static void test_bad_scalar(void) {

    unsigned char s_zero[32] = { 0 };

    unsigned char s_overflow[32] = { 0 };

    unsigned char s_rand[32] = { 0 };

    unsigned char output[32];

    secp256k1_scalar rand;

    secp256k1_pubkey point;


    /* Create random point */

    testutil_random_scalar_order(&rand);

    secp256k1_scalar_get_b32(s_rand, &rand);

    CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_rand) == 1);


    /* Try to multiply it by bad values */

    memcpy(s_overflow, secp256k1_group_order_bytes, 32);

    CHECK(secp256k1_ecdh(CTX, output, &point, s_zero, NULL, NULL) == 0);

    CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 0);

    /* ...and a good one */

    s_overflow[31] -= 1;

    CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 1);


    /* Hash function failure results in ecdh failure */

    CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0);

}


static void test_result_basepoint(void) {

    secp256k1_pubkey point;

    secp256k1_scalar rand;

    unsigned char s[32];

    unsigned char s_inv[32];

    unsigned char out[32];

    unsigned char out_inv[32];

    unsigned char out_base[32];

    int i;


    unsigned char s_one[32] = { 0 };

    s_one[31] = 1;

    CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_one) == 1);

    CHECK(secp256k1_ecdh(CTX, out_base, &point, s_one, NULL, NULL) == 1);


    for (i = 0; i < 2 * COUNT; i++) {

        testutil_random_scalar_order(&rand);

        secp256k1_scalar_get_b32(s, &rand);

        secp256k1_scalar_inverse(&rand, &rand);

        secp256k1_scalar_get_b32(s_inv, &rand);


        CHECK(secp256k1_ec_pubkey_create(CTX, &point, s) == 1);

        CHECK(secp256k1_ecdh(CTX, out, &point, s_inv, NULL, NULL) == 1);

        CHECK(secp256k1_memcmp_var(out, out_base, 32) == 0);


        CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_inv) == 1);

        CHECK(secp256k1_ecdh(CTX, out_inv, &point, s, NULL, NULL) == 1);

        CHECK(secp256k1_memcmp_var(out_inv, out_base, 32) == 0);

    }

}


static void test_ecdh_wycheproof(void) {

#include "../../wycheproof/ecdh_secp256k1_test.h"

    int t;

    for (t = 0; t < SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {

        int parsed_ok;

        secp256k1_pubkey point;

        const unsigned char *pk;

        const unsigned char *sk;

        const unsigned char *expected_shared_secret;

        unsigned char output_ecdh[65] = { 0 };


        int expected_result;


        memset(&point, 0, sizeof(point));

        pk = &wycheproof_ecdh_public_keys[testvectors[t].pk_offset];

        parsed_ok = secp256k1_ec_pubkey_parse(CTX, &point, pk, testvectors[t].pk_len);


        expected_result = testvectors[t].expected_result;

        CHECK(parsed_ok == expected_result);

        if (!parsed_ok) {

            continue;

        }


        sk = &wycheproof_ecdh_private_keys[testvectors[t].sk_offset];

        CHECK(testvectors[t].sk_len == 32);


        CHECK(secp256k1_ecdh(CTX, output_ecdh, &point, sk, ecdh_hash_function_test_xpassthru, NULL) == 1);

        expected_shared_secret = &wycheproof_ecdh_shared_secrets[testvectors[t].shared_offset];


        CHECK(secp256k1_memcmp_var(output_ecdh, expected_shared_secret, testvectors[t].shared_len) == 0);

    }

}


/* --- Test registry --- */

static const struct tf_test_entry tests_ecdh[] = {

    CASE1(test_ecdh_api),

    CASE1(test_ecdh_generator_basepoint),

    CASE1(test_bad_scalar),

    CASE1(test_result_basepoint),

    CASE1(test_ecdh_wycheproof),

    CASE1(test_ecdh_ctx_sha256),

};


#endif /* SECP256K1_MODULE_ECDH_TESTS_H */

test_ecdh_api
static void test_ecdh_api(void)
Definition: tests_impl.h:37

tests_ecdh
static const struct tf_test_entry tests_ecdh[]
Definition: tests_impl.h:209

test_bad_scalar
static void test_bad_scalar(void)
Definition: tests_impl.h:118

ecdh_hash_function_test_fail
static int ecdh_hash_function_test_fail(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data)
Definition: tests_impl.h:20

test_result_basepoint
static void test_result_basepoint(void)
Test that ECDH(sG, 1/s) == ECDH((1/s)G, s) == ECDH(G, 1) for a few random s.
Definition: tests_impl.h:144

test_ecdh_ctx_sha256
static void test_ecdh_ctx_sha256(void)
Definition: tests_impl.h:95

test_ecdh_generator_basepoint
static void test_ecdh_generator_basepoint(void)
Definition: tests_impl.h:53

ecdh_hash_function_custom
static int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data)
Definition: tests_impl.h:28

test_ecdh_wycheproof
static void test_ecdh_wycheproof(void)
Definition: tests_impl.h:175

ecdh_hash_function_test_xpassthru
static int ecdh_hash_function_test_xpassthru(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data)
Definition: tests_impl.h:13

wycheproof_ecdh_public_keys
static const unsigned char wycheproof_ecdh_public_keys[]
Definition: ecdh_secp256k1_test.h:40

SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS
Definition: ecdh_secp256k1_test.h:2

testvectors
static const wycheproof_ecdh_testvector testvectors[SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdh_secp256k1_test.h:1000

wycheproof_ecdh_private_keys
static const unsigned char wycheproof_ecdh_private_keys[]
Definition: ecdh_secp256k1_test.h:15

wycheproof_ecdh_shared_secrets
static const unsigned char wycheproof_ecdh_shared_secrets[]
Definition: ecdh_secp256k1_test.h:519

CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35

test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72

test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98

tests_wycheproof_generate_ecdh.expected_result
def expected_result
Definition: tests_wycheproof_generate_ecdh.py:93

tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101

tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115

tests_wycheproof_generate_ecdsa.out
string out
Definition: tests_wycheproof_generate_ecdsa.py:24

secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.

secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).

secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, unsigned char *out32)

secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)

secp256k1_sha256_write
static void secp256k1_sha256_write(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, const unsigned char *data, size_t size)

secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:271

secp256k1_get_hash_context
static SECP256K1_INLINE const secp256k1_hash_ctx * secp256k1_get_hash_context(const secp256k1_context *ctx)
Definition: secp256k1.c:238

secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:190

secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:287

secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:269

secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:639

SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:225

secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:166

SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:226

secp256k1_ecdh
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(const secp256k1_context *ctx, unsigned char *output, const secp256k1_pubkey *pubkey, const unsigned char *seckey, secp256k1_ecdh_hash_function hashfp, void *data) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Compute an EC Diffie-Hellman secret in constant time.
Definition: main_impl.h:34

ByteUnit::t
@ t

secp256k1_context_struct
Definition: secp256k1.c:61

secp256k1_context_struct::hash_ctx
secp256k1_hash_ctx hash_ctx
Definition: secp256k1.c:63

secp256k1_hash_ctx::fn_sha256_compression
secp256k1_sha256_compression_function fn_sha256_compression
Definition: hash.h:14

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:62

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

secp256k1_sha256
Definition: hash.h:19

tf_test_entry
Definition: unit_test.h:53

wycheproof_ecdh_testvector::expected_result
int expected_result
Definition: ecdh_secp256k1_test.h:11

wycheproof_ecdh_testvector::pk_offset
size_t pk_offset
Definition: ecdh_secp256k1_test.h:5

wycheproof_ecdh_testvector::sk_offset
size_t sk_offset
Definition: ecdh_secp256k1_test.h:7

wycheproof_ecdh_testvector::shared_offset
size_t shared_offset
Definition: ecdh_secp256k1_test.h:9

CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79

CTX
static secp256k1_context * CTX
Definition: tests.c:42

secp256k1_group_order_bytes
static const unsigned char secp256k1_group_order_bytes[32]
Definition: testutil.h:24

testutil_random_scalar_order
static void testutil_random_scalar_order(secp256k1_scalar *num)
Definition: testutil.h:142

DEFINE_SHA256_TRANSFORM_PROBE
#define DEFINE_SHA256_TRANSFORM_PROBE(name)
Definition: testutil.h:15

COUNT
int COUNT
Definition: unit_test.c:23

CASE1
#define CASE1(name)
Definition: unit_test.h:27