#264 restircted fuzz coverage due to conversion to real private -> public key conversion

[TheBlueMatt]

Sorry for the late comments on this one, but #264 is somewhat less appealing than the previous version at least in rust-lightning. Specifically, in our "lol just shove the whole library into the fuzzer" target, we want to be able to do state revocation by revealing the private key corresponding to a previously-provided public key. Obviously this would imply a real cryptographic operation on 32 bytes for the fuzzer to guess, which isn't possible. How important is it that all the tests pass in fuzz mode, and can we swap the private->public conversion to something more dummy, eg xor or simply map them 1:1?

[apoelstra]

So, the issue is that these unit tests reflect assumptions that are needed in real code. In particular, that if I do a BIP32 derivation on a series of secret keys, and sign with the result, that it will be verifiable by somebody who did the "same" derivation using the public keys.

I think we were able to get away with having an inconsistent pubkey derivation scheme for so long because

• rust-bitcoin had no fuzztests that depended on this
• rust-lighting had no fuzztests
• nobody but you and I had a clear idea of what the "fuzztest" target was for, so if anyone else was fuzzing at all, they were doing so using the real crypto

Now that we are using the fuzzing config flag rather than doing our own custom cargo-flag thing, I expect other people who depend on this lib, and who fuzz their stuff, to run into problems.

As a secondary thing, the more tests we can get to pass with the fuzztarget on, the more assuredness we have that we haven't badly broken it. For example, before the recent fuzz changes, elichai and I had totally broken context creation with fuzztarget on with our alignment-munging stuff, and we didn't notice (though we would've noticed immediately as soon as there was a release and you came down on us :)).

[apoelstra]

There are a few options for how to move forward:

1. Do some dumb xor thing that isn't really consistent (but which we can make consistent with signing at least), and wait for people to file bugs because they hit "impossible" assertions when fuzzing.
2. Rewrite the whole fuzz harness to use a broken xor-y group, but make it actually be a group
3. Revisit using the order-17 group -- I have some ideas here which are a bit of a PITA but not nearly as much as creating a whole new group.

[TheBlueMatt]

Right, I guess I also didn’t understand this as a now-supported feature - I was still under the impression fuzzing support in rust-secp remained a “well, I mean you can do it, but you’ll probably have to rewrite bits of upstream when you hit it breaking what you wanted”- feature. Which, I suppose, indeed, I hit it breaking when I went to upgrade and couldn’t easily fix our fuzztests. In general, I’m fine with (1), and figure it’s pretty unlikely to generate much, but I admit (2) feels much nicer and more complete. Happy to take a stab at it but I’d need to think hard or have more guidance on what format you have in mind. Matt

…

On Jan 15, 2021, at 10:09, Andrew Poelstra ***@***.***> wrote:  There are a few options for how to move forward: Do some dumb xor thing that isn't really consistent (but which we can make consistent with signing at least), and wait for people to file bugs because they hit "impossible" assertions when fuzzing. Rewrite the whole fuzz harness to use a broken xor-y group, but make it actually be a group Revisit using the order-17 group -- I have some ideas here which are a bit of a PITA but not nearly as much as creating a whole new group. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[apoelstra]

As for (2), I want the following things to hold:

• if you use seckey_tweak_mul then pubkey_create, or pubkey_create then pubkey_tweak_mul, you get the same result
• ditto for the _add functions
• ditto for the xonly variants of the above two
• if you ECDSA sign with a seckey, then use pubkey_create and verify the resulting sig, it should pass
• ditto for schnorr signatures
• ditto for recoverable signatures
• if you start with two secret keys, and turn either one of them into a pubkey with pubkey_create, then do ECDH with the resulting (secret, public) pair, you get the same result

Unfortunately this is a really long list now.

[TheBlueMatt]

Can we set pk=sk? I think that would make an xor approach rather easy, though several operations would end up equivalent.

…

On Jan 15, 2021, at 10:52, Andrew Poelstra ***@***.***> wrote:  As for (2), I want the following things to hold: if you use seckey_tweak_mul then pubkey_create, or pubkey_create then pubkey_tweak_mul, you get the same result ditto for the _add functions ditto for the xonly variants of the above two if you ECDSA sign with a seckey, then use pubkey_create and verify the resulting sig, it should pass ditto for schnorr signatures ditto for recoverable signatures if you start with two secret keys, and turn either one of them into a pubkey with pubkey_create, then do ECDH with the resulting (secret, public) pair, you get the same result Unfortunately this is a really long list now. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[apoelstra]

You can, though it has the minor drawback of eliminating the "half of all pubkeys are invalid even though almost no secret keys are invalid" property. But you still have to re-implement basically the entire library in terms of that.