dleq: Apply review feedback

Reject proofs that produce infinity points during verification
Add public API test case for infinity point scenario
Add note to clarify contents of msg to reduce confusion with m
Add missing includes
Format tools/test_vectors_dleq_generate.py

Author: macgyver13

src/modules/dleq/Makefile.am.include

@@ -1,3 +1,4 @@
 include_HEADERS += include/secp256k1_dleq.h
-noinst_HEADERS += src/modules/dleq/dleq_vectors.h
 noinst_HEADERS += src/modules/dleq/main_impl.h
+noinst_HEADERS += src/modules/dleq/tests_impl.h
+noinst_HEADERS += src/modules/dleq/dleq_vectors.h

src/modules/dleq/dleq_vectors.h

@@ -3,7 +3,7 @@
      *
      * Test vectors according to BIP-374 ("Discrete Log Equality Proofs") are included in this file.
      * Tests are included in src/modules/dleq/tests_impl.h. */
-    
+
 static const unsigned char a_bytes[6][32] = {
     { 0xC0, 0x8C, 0xA8, 0xE0, 0xBB, 0x59, 0x76, 0x9F, 0xC6, 0xA4, 0xE0, 0x78, 0x45, 0x62, 0x84, 0xE0, 0x0E, 0xA3, 0x4F, 0x65, 0xAD, 0xD9, 0x88, 0xC2, 0x46, 0xE1, 0xBB, 0xA8, 0x58, 0x24, 0xCC, 0xDC },
     { 0x8E, 0x64, 0x1B, 0xA6, 0xBF, 0x7F, 0x64, 0xEE, 0xC7, 0x60, 0x05, 0xA2, 0x95, 0x85, 0xA5, 0x03, 0x53, 0x76, 0x37, 0x5F, 0x33, 0xE3, 0x31, 0x21, 0x5A, 0xED, 0xFE, 0x03, 0xB8, 0xE8, 0x0E, 0x7A },

src/modules/dleq/main_impl.h

@@ -8,6 +8,7 @@
 
 #include "../../../include/secp256k1.h"
 #include "../../../include/secp256k1_dleq.h"
+#include "../../hash.h"
 
 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
  * SHA256 to SHA256("BIP0374/aux")||SHA256("BIP0374/aux"). */
@@ -60,10 +61,6 @@ static void secp256k1_dleq_sha256_tagged(secp256k1_sha256 *sha) {
 static int secp256k1_dleq_hash_point(secp256k1_sha256 *sha, secp256k1_ge *p) {
     unsigned char buf[33];
     size_t size = 33;
-    /* Reject infinity point */
-    if (secp256k1_ge_is_infinity(p)) {
-        return 0;
-    }
     secp256k1_eckey_pubkey_serialize33(p, buf);
     secp256k1_sha256_write(sha, buf, size);
     return 1;
@@ -95,7 +92,8 @@ static void secp256k1_nonce_function_dleq(unsigned char *nonce32, const unsigned
     }
 
     secp256k1_nonce_function_bip374_sha256_tagged(&sha);
-    /* Hash masked-key||msg||m using the tagged hash as per BIP-374 v0.2.0 */
+    /* Hash masked-key||msg||m using the tagged hash as defined in BIP0374
+     * Note: msg contains the serialized points A||C (66 bytes) */
     secp256k1_sha256_write(&sha, masked_key, 32);
     secp256k1_sha256_write(&sha, msg, msglen);
     if (m != NULL) {
@@ -106,7 +104,7 @@ static void secp256k1_nonce_function_dleq(unsigned char *nonce32, const unsigned
     secp256k1_memclear_explicit(masked_key, sizeof(masked_key));
 }
 
-/* Generates a nonce as defined in BIP0374 v0.2.0 */
+/* Generates a nonce as defined in BIP0374 */
 static int secp256k1_dleq_nonce(secp256k1_scalar *k, const unsigned char *a32, const unsigned char *A_33, const unsigned char *C_33, const unsigned char *aux_rand32, const unsigned char *m) {
     unsigned char buf[66];
     unsigned char nonce[32];
@@ -237,6 +235,10 @@ static int secp256k1_dleq_verify_internal(secp256k1_scalar *s, secp256k1_scalar
     secp256k1_ecmult(&R2j, &Bj, s, &secp256k1_scalar_zero);
     secp256k1_gej_add_var(&R2j, &R2j, &tmpj, NULL);
 
+    /* Fail verification if R1j or R2j are infinity */
+    if (secp256k1_gej_is_infinity(&R1j) || secp256k1_gej_is_infinity(&R2j)) {
+        return 0;
+    }
     secp256k1_ge_set_gej(&R1, &R1j);
     secp256k1_ge_set_gej(&R2, &R2j);
     secp256k1_dleq_challenge(&e_expected, B, &R1, &R2, A, C, m);
@@ -277,16 +279,14 @@ int secp256k1_dleq_prove(
     secp256k1_dleq_pair(&ctx->ecmult_gen_ctx, &A, &C, &a, &B);
 
     ret = secp256k1_dleq_prove_internal(ctx, &s, &e, &a, &B, &A, &C, aux_rand32, msg);
+    secp256k1_scalar_clear(&a);
     if (!ret) {
-        secp256k1_scalar_clear(&a);
         return 0;
     }
 
     secp256k1_scalar_get_b32(&proof64[0], &e);
     secp256k1_scalar_get_b32(&proof64[32], &s);
 
-    secp256k1_scalar_clear(&a);
-
     return 1;
 }
 

src/modules/dleq/tests_impl.h

@@ -7,6 +7,7 @@
 #define SECP256K1_MODULE_DLEQ_TESTS_H
 
 #include "dleq_vectors.h"
+#include "../../unit_test.h"
 
 static void dleq_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) {
     secp256k1_scalar k1, k2;
@@ -176,7 +177,7 @@ static void run_test_dleq_bip374_vectors(void) {
         if (i > 2 && i < 6) {
             /* Skip tests indices 3-5: proof generation failure cases (a=0, a=N, B=infinity).
             * These contain placeholder data from test_vectors_generate_proof.csv that would
-            * fail to parse. Only indices 0-2 and 6-12 have valid test data. 
+            * fail to parse. Only indices 0-2 and 6-12 have valid test data.
             * */
             continue;
         }
@@ -191,7 +192,7 @@ static void run_test_dleq_bip374_vectors(void) {
         if (is_not_empty(msg_bytes[i])) {
             m = msg_bytes[i];
         }
-        
+
         CHECK(secp256k1_dleq_verify_internal(&s, &e, &A, &B, &C, m) == success[i]);
     }
 }
@@ -231,7 +232,10 @@ static void run_test_dleq_api(void) {
     CHECK_ILLEGAL(CTX, secp256k1_dleq_verify(CTX, proof, NULL, &B, &C, msg));
     CHECK_ILLEGAL(CTX, secp256k1_dleq_verify(CTX, proof, &A, NULL, &C, msg));
     CHECK_ILLEGAL(CTX, secp256k1_dleq_verify(CTX, proof, &A, &B, NULL, msg));
-    
+    /* Verify rejects an invalid (all-zero) proof */
+    memset(proof, 0, sizeof(proof));
+    CHECK(secp256k1_dleq_verify(CTX, proof, &A, &B, &C, msg) == 0);
+
     /* Verify public API prove and verify functions */
     CHECK(secp256k1_dleq_prove(CTX, proof, seckey, &B, aux_rand, msg) == 1);
     CHECK(secp256k1_dleq_verify(CTX, proof, &A, &B, &C, msg) == 1);

tools/test_vectors_dleq_generate.py

@@ -11,21 +11,21 @@
     print("Usage: %s <dir>" % sys.argv[0])
     sys.exit(1)
 
-s = (
-     """/**
+s = """/**
      * Automatically generated by %s.
      *
      * Test vectors according to BIP-374 ("Discrete Log Equality Proofs") are included in this file.
      * Tests are included in src/modules/dleq/tests_impl.h. */
-    """ % sys.argv[0]
-)
+""" % sys.argv[0]
+
 
 def hexstr_to_intarray(str):
     try:
         return ", ".join([f"0x{b:02X}" for b in bytes.fromhex(str)])
     except ValueError:
         return "0x00"
 
+
 def create_init(name, rows, cols):
     return """
 static const unsigned char %s[%d][%d] = {
@@ -35,9 +35,11 @@ def create_init(name, rows, cols):
         cols,
     )
 
+
 def init_array(key):
     return textwrap.indent("{ %s };" % ", ".join(test_case[key]), "")
 
+
 def init_arrays(key):
     s = textwrap.indent(
         ",\n".join(["{ %s }" % hexstr_to_intarray(x) for x in test_case[key]]), 4 * " "
@@ -62,7 +64,7 @@ def init_arrays(key):
 }
 
 
-with open(sys.argv[1] + "/test_vectors_generate_proof.csv", newline='') as csvfile:
+with open(sys.argv[1] + "/test_vectors_generate_proof.csv", newline="") as csvfile:
     reader = csv.DictReader(csvfile)
     # Skip the first 5 rows since those test vectors don't use secp's generator point
     for _ in range(5):
@@ -76,27 +78,35 @@ def init_arrays(key):
                 special_cases = {
                     "point_B": "INFINITY",
                     "result_proof": "INVALID",
-                    "message": ""
+                    "message": "",
                 }
-                test_case[key].append("0" if row[key] in special_cases.get(key, []) else row[key])
+                test_case[key].append(
+                    "0" if row[key] in special_cases.get(key, []) else row[key]
+                )
             else:
                 # these keys are not present in current csv file but are present in test_vectors_verify_proof.csv
                 if key in {"point_A", "point_C"}:
                     # "0" is filled as value for these missing keys
                     test_case[key].append("0")
                 elif key == "result_success":
                     # success/failure value is obtained from row["comment"] for the missing key "result_success"
-                    test_case[key].append("1" if "Success" in row.get("comment", "") else "0")
+                    test_case[key].append(
+                        "1" if "Success" in row.get("comment", "") else "0"
+                    )
                 else:
-                    sys.exit("Unexpected missing_key encountered when parsing test_vectors_generate_proof.csv")
+                    sys.exit(
+                        "Unexpected missing_key encountered when parsing test_vectors_generate_proof.csv"
+                    )
 
 
-with open(sys.argv[1] + "/test_vectors_verify_proof.csv", newline='') as csvfile:
+with open(sys.argv[1] + "/test_vectors_verify_proof.csv", newline="") as csvfile:
     reader = csv.DictReader(csvfile)
-    for _ in range(5):  # Skip the first 5 rows since those test vectors don't use secp's generator point
+    for _ in range(
+        5
+    ):  # Skip the first 5 rows since those test vectors don't use secp's generator point
         next(reader, None)
 
-    for i in range(3):  
+    for i in range(3):
         # Fill point_A and point_C for the 3 success cases (array indices 0-2) from verify CSV
         # These correspond to generate and verify CSV rows 5-7
         row = next(reader)
@@ -108,15 +118,19 @@ def init_arrays(key):
             if key in row:
                 # these keys are present in test_vectors_verify_proof.csv
                 # not handling row[key] == "TRUE" since it doesn't appear in the BIP test vectors
-                test_case[key].append("0" if key == "result_success" and row[key] == "FALSE" else row[key])
+                test_case[key].append(
+                    "0" if key == "result_success" and row[key] == "FALSE" else row[key]
+                )
             else:
                 # these keys are not present in current csv file but are present in test_vectors_generate_proof.csv
                 if key == "result_proof":
                     # interpret "result_proof" key in the test_vectors_generate_proof.csv test vectors
                     # same as  "proof" key in the test_vectors_verify_proof.csv test vectors
                     test_case["result_proof"].append(row["proof"])
                 elif key not in {"scalar_a", "auxrand_r"}:  # skip expected missing keys
-                    sys.exit("Unexpected missing key encountered when test_vectors_verify_proof.csv")
+                    sys.exit(
+                        "Unexpected missing key encountered when test_vectors_verify_proof.csv"
+                    )
 
 
 s += create_init("a_bytes", len(test_case["scalar_a"]), 32)