See #1108
TODO:
test_secp256k1_sign_libecc_verify(). (I still need to figure out how to try it without the whole ci overhead)libecc and verify with libsecp256k16913+ pubkey_buf += 1; // this is needed because libecc only supports uncompressed points
6914+ pubkey_len -= 1; // and does not recoginze B0
6915+
6916+ ec_pub_key ec_pubkey;
6917+ CHECK(ec_pub_key_import_from_aff_buf(&ec_pubkey, (const ec_params *)¶ms,
6918+ pubkey_buf + 1, pubkey_len - 1,
pubkey_buf and pubkey_len?
pubkey_buf and pubkey_len), I thought modifying them first would “look” better. So I did it and forgot to run the test again to check.
I turns out that the code doesn’t even compile with pubkey_buf += 1, so the “better looking” modification is actually worse. I’ll correct the mistake. My bad!
My bad!
No worries, we all have bugs in our draft code. ^^
6909+
6910+ const ec_sig_mapping *sig_mapping;
6911+ CHECK(get_sig_by_name("ECDSA", &sig_mapping) == 0);
6912+
6913+ pubkey_buf += 1; // this is needed because libecc only supports uncompressed points
6914+ pubkey_len -= 1; // and does not recoginze B0
What is B0?
Are you sure libecc doesn’t support compressed keys? that would surprise me.
and typo: “recoginze” ;)
After reading https://github.com/ANSSI-FR/libecc/blob/master/src/sig/ec_key.h several times, I concluded that libecc supports importing projective or affine coordinates, in either a “structured” or an “unstructured” format. By structured they mean that the buffer includes the curve parameters, the signature algorithm, etc., in addition to the key. So I thought the simplest way to port libsecp’s public key to libecc is through an unstructured affine buffer.
By B0 I just mean the first byte :). I took this terminology from here. I was puzzled why the public key produced by libsecp is 65 bytes long when a key is really two 32-byte values. So I googled a bit and found that “uncompressed keys” have an extra 04 at the beginning.
Are you confusing jacobian/projective coordinates with compressed/uncompressed encoding?
SECG encoding of public keys is (all representing affine coordinates):
pubkey_buf twice.
libecc really only supports uncompressed keys, but throws errors at the header byte. It explicitly checks that the public key is exactly 64 bytes long (for curve secp256k1). Does that clear the misunderstanding?
Ok, yes. It’s surprising to me that libecc does not support compressed keys but I agree after looking at their code…
Anyway, this problem will just disappear if you simply pass the secret key to libecc and let libecc compute the public key (in whatever format it needs). That’s anyway necessary if you want to compare the result of signing (see below) and it’s also simpler.
@real-or-random For byte-by-byte comparison I’ll do that, but when signing with libsecp and verifying with libecc, isn’t it more logical to give libecc access only to the public key? I mean, the verifier doesn’t normally have the private key, they’re supposed to read the public key and the message from the signer then check the signature. Right?
So yes, in the real world, the signer obviously wouldn’t reveal the secret key.
For our purpose of cross-testing however, this is fine. If libecc recomputes the public key, then the cross-test would also cover the computation of the public key from the secret key. So if there’s a difference between the two libs in that algorithm, the test would also catch it.
test_compare_libecc_secp256k1, I think having both is better, more or less.
What do you think?
Hm, I think if we verify with libsecp256k1 and libecc in test_compare_libecc_secp256k1, then we won’t need the other two tests anymore.
edit: Let me try to explain in more detail. So in general, I see that it makes sense to have multiple test cases. But one of the goals here should be efficiency because later on we want to run many iterations in a loop. In that sense
seems a rather efficient way of doing tests, i.e., we get a lot of “test value” per running time.
Nice :)
Do you have some instructions on how to build this together with libecc, so that people can play around with it?
I think the next step would be to try to produce the same signature with libsecp256k1 and libecc, and see if they match exactly. This should work out as libecc also uses deterministic ECDSA with RFC6979, so it should be the exact same algorithm. (If not, we need to see if they do something differently, and you may need to switch to their low-level function https://github.com/ANSSI-FR/libecc/blob/master/src/sig/fuzzing_ecdsa.c#L31.)
Do you have some instructions on how to build this together with libecc, so that people can play around with it?
The way I build them is a bit hacky and I am actually looking for a better way. But here it is:
CFLAGS="-W -Werror -Wextra -Wall -pedantic -fno-builtin -O3 -DWITH_LIBECC_CONFIG_OVERRIDE -DWITH_CURVE_SECP256K1 -DWITH_HASH_SHA256 -DWITH_SIG_ECDSA -DWITH_SIG_DECDSA -DWITH_HMAC -DWITH_STDLIB -fPIC" make debug (I used debug to know why tests failed when they did)gcc -ggdb -Wall -Wextra -Wno-unused-function tests.c ./precomputed_*.c ./libecc/src/external_deps/rand.o -I.. -L./libecc/build -lsign -o tests -D ECMULT_GEN_PREC_BITS=4 -D ECMULT_WINDOW_SIZE=15 -DENABLE_LIBECC_TESTS -DWITH_STDLIB -DWITH_LIBECC_CONFIG_OVERRIDE -DWITH_CURVE_SECP256K1 -DWITH_HASH_SHA256 -DWITH_SIG_ECDSA -DWITH_SIG_DECDSA -DWITH_HMAC . I don’t like that I have to (seemingly?) compile libecc twice. So I was thinking I could just declare the structs and functions I use in a little header file to be a part of libsecp, but I was postponing this decision till the end../tests 1 (to reach the libecc cross-tests quickly)EDIT: modified to accommodate deterministic ECDSA
ci fails
I think the next step would be to try to produce the same signature with libsecp256k1 and libecc, and see if they match exactly. This should work out as libecc also uses deterministic ECDSA with RFC6979, so it should be the exact same algorithm. (If not, we need to see if they do something differently, and you may need to switch to their low-level function https://github.com/ANSSI-FR/libecc/blob/master/src/sig/fuzzing_ecdsa.c#L31.)
By this, do you mean comparing the signatures byte by byte?
By this, do you mean comparing the signatures byte by byte?
Yes, the serialized representations should be identical byte by byte.
I am having some difficulty in including libecc cleanly.
What I thought I could do:
libsig.h in src of libsecp256k1. In this header, forward declare all libecc structs and functions which will be used in tests.c. Include this file in tests.c, naturally.libecc in any directory, x, and build it. Then link the archive while compiling tests.c.But the problem I’m facing right now is that most (if not all) libecc’s structs are anonymous (e.g., https://github.com/ANSSI-FR/libecc/blob/master/src/curves/ec_params.h#L51), and anonymous structs cannot be forward-declared.
I think there must be a way of “plugging in” libecc’s archive without compiling it twice..
Any help would be appreciated!
Hm, I’m not sure I can follow. So why would you want to forward-declare those?
So the usual way to use a C library is include its header in your source file and then later link against the compiled library. So you would
src/libecc-tests.c or similar (you could also use tests.c but I think a separate program will be cleaner, just make sure you #include "secp256k1.c like in tests.c to have full access to all internal functions).src/libecc-tests.cOr if item 1 adds complexity, first skip it and use the existing tests.c.
Or is the problem that you need access to internal functions or types of libecc?