Tighten group magnitude limits

- adjust test methods that randomize magnitudes
bitcoin-core · Apr 20, 2022 · e70c08c · e70c08c
1 parent 50c0c6d
commit e70c08c
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 19 deletions.
diff --git a/src/group_impl.h b/src/group_impl.h
@@ -67,15 +67,15 @@ static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0,
 #ifdef VERIFY
 static void secp256k1_ge_verify(const secp256k1_ge *a) {
     VERIFY_CHECK(a->infinity == 0 || a->infinity == 1);
-    secp256k1_fe_verify_magnitude(&a->x, 8);
-    secp256k1_fe_verify_magnitude(&a->y, 8);
+    secp256k1_fe_verify_magnitude(&a->x, 6);
+    secp256k1_fe_verify_magnitude(&a->y, 4);
 }
 
 static void secp256k1_gej_verify(const secp256k1_gej *a) {
     VERIFY_CHECK(a->infinity == 0 || a->infinity == 1);
-    secp256k1_fe_verify_magnitude(&a->x, 8);
-    secp256k1_fe_verify_magnitude(&a->y, 8);
-    secp256k1_fe_verify_magnitude(&a->z, 8);
+    secp256k1_fe_verify_magnitude(&a->x, 6);
+    secp256k1_fe_verify_magnitude(&a->y, 4);
+    secp256k1_fe_verify_magnitude(&a->z, 2);
 }
 #endif
 

diff --git a/src/tests.c b/src/tests.c
@@ -59,9 +59,9 @@ void random_field_element_test(secp256k1_fe *fe) {
     } while(1);
 }
 
-void random_field_element_magnitude(secp256k1_fe *fe) {
+void random_field_element_magnitude(secp256k1_fe *fe, int m) {
     secp256k1_fe zero;
-    int n = secp256k1_testrand_int(9);
+    int n = secp256k1_testrand_int(m + 1);
     secp256k1_fe_normalize(fe);
     if (n == 0) {
         return;
@@ -75,6 +75,30 @@ void random_field_element_magnitude(secp256k1_fe *fe) {
 #endif
 }
 
+void random_fe_magnitude(secp256k1_fe *fe) {
+    random_field_element_magnitude(fe, 8);
+}
+
+void random_ge_x_magnitude(secp256k1_ge *ge) {
+    random_field_element_magnitude(&ge->x, 6);
+}
+
+void random_ge_y_magnitude(secp256k1_ge *ge) {
+    random_field_element_magnitude(&ge->y, 4);
+}
+
+void random_gej_x_magnitude(secp256k1_gej *gej) {
+    random_field_element_magnitude(&gej->x, 6);
+}
+
+void random_gej_y_magnitude(secp256k1_gej *gej) {
+    random_field_element_magnitude(&gej->y, 4);
+}
+
+void random_gej_z_magnitude(secp256k1_gej *gej) {
+    random_field_element_magnitude(&gej->z, 2);
+}
+
 void random_group_element_test(secp256k1_ge *ge) {
     secp256k1_fe fe;
     do {
@@ -2783,13 +2807,13 @@ void run_fe_mul(void) {
     for (i = 0; i < 100 * count; ++i) {
         secp256k1_fe a, b, c, d;
         random_fe(&a);
-        random_field_element_magnitude(&a);
+        random_fe_magnitude(&a);
         random_fe(&b);
-        random_field_element_magnitude(&b);
+        random_fe_magnitude(&b);
         random_fe_test(&c);
-        random_field_element_magnitude(&c);
+        random_fe_magnitude(&c);
         random_fe_test(&d);
-        random_field_element_magnitude(&d);
+        random_fe_magnitude(&d);
         test_fe_mul(&a, &a, 1);
         test_fe_mul(&c, &c, 1);
         test_fe_mul(&a, &b, 0);
@@ -3261,19 +3285,19 @@ void test_ge(void) {
         secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
         random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
         for (j = 0; j < 4; j++) {
-            random_field_element_magnitude(&ge[1 + j + 4 * i].x);
-            random_field_element_magnitude(&ge[1 + j + 4 * i].y);
-            random_field_element_magnitude(&gej[1 + j + 4 * i].x);
-            random_field_element_magnitude(&gej[1 + j + 4 * i].y);
-            random_field_element_magnitude(&gej[1 + j + 4 * i].z);
+            random_ge_x_magnitude(&ge[1 + j + 4 * i]);
+            random_ge_y_magnitude(&ge[1 + j + 4 * i]);
+            random_gej_x_magnitude(&gej[1 + j + 4 * i]);
+            random_gej_y_magnitude(&gej[1 + j + 4 * i]);
+            random_gej_z_magnitude(&gej[1 + j + 4 * i]);
         }
     }
 
     /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
     do {
         random_field_element_test(&zf);
     } while(secp256k1_fe_is_zero(&zf));
-    random_field_element_magnitude(&zf);
+    random_fe_magnitude(&zf);
     secp256k1_fe_inv_var(&zfi3, &zf);
     secp256k1_fe_sqr(&zfi2, &zfi3);
     secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
@@ -3306,8 +3330,8 @@ void test_ge(void) {
                 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
                 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
                 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
-                random_field_element_magnitude(&ge2_zfi.x);
-                random_field_element_magnitude(&ge2_zfi.y);
+                random_ge_x_magnitude(&ge2_zfi);
+                random_ge_y_magnitude(&ge2_zfi);
                 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
                 ge_equals_gej(&ref, &resj);
             }