ecdh: Add test computing shared_secret=basepoint with random inputs #1026

pull real-or-random wants to merge 2 commits into bitcoin-core:master from real-or-random:202112-ecdh-test-basepoint changing 1 files +34 −1
  1. real-or-random commented at 12:01 PM on December 3, 2021: contributor

    I was playing around with the ECDH code and wrote this test on way.

  2. robot-dreams commented at 4:07 PM on December 6, 2021: contributor

    ACK 18fe75b19e5cf5e1d4c6192e09a0d6346566b098

    Agreed that we should get ecdh(g^s, s_inv) == ecdh(g^s_inv, s) == ecdh(g, 1) for any s, s_inv pair.

    Non-blocking suggestion, would the intent be more clear if you explicitly calculate and compare against the expected constant value ecdh(g, 1), instead of comparing out against the previous iteration's out_eq?

    void test_result_basepoint(void) {
    secp256k1_pubkey point;
    secp256k1_scalar rand;
    unsigned char s[32];
    unsigned char s_inv[32];
    unsigned char out[32];
    unsigned char out_inv[32];
    unsigned char out_base[32];
    int i;

    unsigned char s_one[32] = { 0 };
    s_one[31] = 1;
    CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_one) == 1);
    CHECK(secp256k1_ecdh(ctx, out_base, &point, s_one, NULL, NULL) == 1);

    for (i = 0; i < 64; i++) {
        random_scalar_order(&rand);
        secp256k1_scalar_get_b32(s, &rand);
        secp256k1_scalar_inverse(&rand, &rand);
        secp256k1_scalar_get_b32(s_inv, &rand);

        CHECK(secp256k1_ec_pubkey_create(ctx, &point, s) == 1);
        CHECK(secp256k1_ecdh(ctx, out, &point, s_inv, NULL, NULL) == 1);
        CHECK(secp256k1_memcmp_var(out, out_base, 32) == 0);

        CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_inv) == 1);
        CHECK(secp256k1_ecdh(ctx, out_inv, &point, s, NULL, NULL) == 1);
        CHECK(secp256k1_memcmp_var(out_inv, out_base, 32) == 0);
    }
}
  3. real-or-random commented at 10:19 AM on December 7, 2021: contributor

    Non-blocking suggestion, would the intent be more clear if you explicitly calculate and compare against the expected constant value ecdh(g, 1), instead of comparing out against the previous iteration's out_eq?

    Probably yes. I'll change this.

  4. in src/modules/ecdh/tests_impl.h:135 in 18fe75b19e outdated 
     130 | +    unsigned char s_inv[32];
 131 | +    unsigned char out[32];
 132 | +    unsigned char out_eq[32];
 133 | +    int i;
 134 | +
 135 | +    for (i = 0; i < 64; i++) {
    real-or-random commented at 6:55 PM on December 7, 2021:

    This should depend on count

    robot-dreams commented at 6:56 PM on December 7, 2021:

    test_ecdh_generator_basepoint above also has a similar issue, right?

    real-or-random commented at 10:25 AM on February 9, 2022:

    No, it turns out that's a known-output test with a fixed output.

    real-or-random commented at 10:37 AM on February 9, 2022:

    No, it turns out that's a known-output test with a fixed output.

    Nevermind, I misremembered this. I saw a test where I assumed it should depend on count but it turned out to be a known-output test. But it wasn't this one.

    Fixed.

  5. uvhw changes_requested
  6. uvhw commented at 8:58 PM on February 8, 2022: none

    @uvhw @bitchaincoin @totongcute

  7. real-or-random force-pushed on Feb 9, 2022
  8. real-or-random force-pushed on Feb 9, 2022
  9. real-or-random force-pushed on Feb 9, 2022
  10. real-or-random commented at 11:41 AM on February 9, 2022: contributor

    Forcedpushed to rebase and add you as a coauthor.

  11. michaelfolkson cross-referenced this on Feb 9, 2022 from issue . by uvhw
  12. robot-dreams commented at 1:50 PM on February 9, 2022: contributor

    ACK 6bc47a170319efb7bc6b07ce1eeba3dbbb5e6ca9

    Test passes locally, first commit is directly from #1026#pullrequestreview-824152063 (only with iteration count changed).

    Thanks for adding me, gotta pump those commit numbers up :)

  13. real-or-random commented at 2:04 PM on February 9, 2022: contributor

    Thanks for adding me, gotta pump those commit numbers up :)

    I think it's good and right to acknowledge people. :)

    But here's an off-topic rant about code stats, which I think are always misleading:

    • Commit scope is very different among contributors and stages of a project.
    • Line numbers are a stupid metric, too. Wanna have ten thousand lines? Change the format of the precomputed tables.
    • Commits and line numbers say nothing about the time invested in a change or its value (whatever that even is).
    • Often less is more. Except for docs where more is often better.
    • Common stats ignore code review (which is by far the largest chunk of time spent here) and conceptual contributions.

    So I think it's better for our wellbeing to ignore the numbers... At least that's why I decided to do.

  14. robot-dreams commented at 2:22 PM on February 9, 2022: contributor

    Hopefully it's clear I was joking about pumping those rookie numbers up. I strongly agree with all of that! Goodhart's Law and etc. Especially about less is more:

    If we wish to count lines of code, we should not regard them as "lines produced" but as "lines spent": the current conventional wisdom is so foolish as to book that count on the wrong side of the ledger. --Dijkstra

  15. real-or-random commented at 3:26 PM on February 9, 2022: contributor

    Hopefully it's clear I was joking about pumping those rookie numbers up.

    Yes, I assumed you were joking. :) (Sorry if my post looked like the opposite... I was in the mood to write that rant down.)

  16. jonasnick commented at 9:45 AM on February 11, 2022: contributor

    Concept ACK

    Would be helpful to add a comment describing what the test does, similar to what @robot-dreams says above:

    [...] ecdh(g^s, s_inv) == ecdh(g^s_inv, s) == ecdh(g, 1) for any s, s_inv pair.

  17. real-or-random force-pushed on Feb 11, 2022
  18. ecdh: Add test computing shared_secret=basepoint with random inputs c881dd49bd
  19. ecdh: Make generator_basepoint test depend on global iteration count
    Co-authored-by: Elliott Jin <elliott.jin@gmail.com>
    3531a43b5b
  20. real-or-random force-pushed on Feb 11, 2022
  21. real-or-random commented at 3:40 PM on February 11, 2022: contributor

    @jonasnick Indeed! Fixed.

  22. jonasnick commented at 7:33 PM on February 11, 2022: contributor

    ACK 3531a43b5bc739838f5634afcfd02bdbef71b1ef

  23. jonasnick merged this on Feb 11, 2022
  24. jonasnick closed this on Feb 11, 2022
  25. fanquake referenced this in commit 8f8631d826 on Mar 17, 2022
  26. fanquake referenced this in commit 4bb1d7e62a on Mar 17, 2022
  27. fanquake referenced this in commit 465d05253a on Mar 30, 2022
  28. jonasnick cross-referenced this on Mar 30, 2022 from issue Upstream PRs 1064, 1049, 899, 1068, 1072, 1069, 1074, 1026, 1033, 748, 1079, 1088, 1090, 731, 1089, 995, 1094, 1093 by jonasnick
  29. real-or-random referenced this in commit 6c0aecf72b on Apr 1, 2022
  30. fanquake referenced this in commit afb7a6fe06 on Apr 6, 2022
  31. gwillen referenced this in commit 35d6112a72 on May 25, 2022
  32. patricklodder referenced this in commit 21badcf9d2 on Jul 25, 2022
  33. patricklodder referenced this in commit 03002a9013 on Jul 28, 2022
  34. janus referenced this in commit 3a0652a777 on Aug 4, 2022
  35. str4d referenced this in commit 522190d5c3 on Apr 21, 2023
  36. vmta referenced this in commit e1120c94a1 on Jun 4, 2023
  37. vmta referenced this in commit 8f03457eed on Jul 1, 2023
Contributors
real-or-randomrobot-dreamsuvhwjonasnick
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-01 14:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me