Extra consistency checks for co-z

bitcoin-core · Aug 4, 2015 · d6243bd · d6243bd
1 parent e20865e
commit d6243bd
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/src/group.h b/src/group.h
@@ -38,6 +38,10 @@ typedef struct {
 typedef struct {
     secp256k1_fe_t x; /* actual X: x/z^2 (z implied) */
     secp256k1_fe_t y; /* actual Y: y/z^3 (z implied) */
+#ifdef VERIFY
+    secp256k1_fe_t z; /* the implied z coordinate, make explicit for debug purposes */
+    int infinity;
+#endif
 } secp256k1_coz_t;
 #endif
 

diff --git a/src/group_impl.h b/src/group_impl.h
@@ -640,22 +640,37 @@ static void secp256k1_coz_dblu_impl_var(secp256k1_coz_t *r, secp256k1_coz_t *ra,
 
 static void secp256k1_coz_dblu_var(secp256k1_coz_t *r, secp256k1_gej_t *ra, const secp256k1_gej_t *a, secp256k1_fe_t *rzr) {
     ra->infinity = a->infinity;
+#ifdef VERIFY
+    r->infinity = a->infinity;
+#endif
     if (a->infinity) {
         return;
     }
     secp256k1_coz_dblu_impl_var(r, (secp256k1_coz_t*)ra, rzr, a);
     secp256k1_fe_mul(&ra->z, &a->z, rzr);
+#ifdef VERIFY
+    r->z = ra->z;
+#endif
 }
 
 static void secp256k1_coz_zaddu_var(secp256k1_gej_t *r, secp256k1_coz_t *ra, secp256k1_fe_t *rzr, const secp256k1_gej_t *b) {
     /* 5 mul, 2 sqr, 6 normalize, 12 add/negate/mul_int */
     secp256k1_fe_t X1, Y1, X2, Y2, dX, dY, C, D, W1, W2, A1;
 
+#ifdef VERIFY
+    secp256k1_fe_t raz = ra->z, bz = b->z;
+    secp256k1_fe_normalize_var(&raz);
+    secp256k1_fe_normalize_var(&bz);
     VERIFY_CHECK(rzr != &r->z);
+    VERIFY_CHECK((ra->infinity && b->infinity) || (!ra->infinity && !b->infinity && secp256k1_fe_equal_var(&raz, &bz)));
+#endif
     /* Note that when b is infinity, ra is also infinity per the co-z definition */
     r->infinity = b->infinity;
     if (b->infinity) {
         secp256k1_fe_set_int(rzr, 0);
+#ifdef VERIFY
+        ra->infinity = 1;
+#endif
         return;
     }
 
@@ -673,6 +688,9 @@ static void secp256k1_coz_zaddu_var(secp256k1_gej_t *r, secp256k1_coz_t *ra, sec
             secp256k1_fe_mul(&r->z, &b->z, rzr);
         } else {
             r->infinity = 1;
+#ifdef VERIFY
+            ra->infinity = 1;
+#endif
             secp256k1_fe_set_int(rzr, 0);
         }
         return;
@@ -695,6 +713,10 @@ static void secp256k1_coz_zaddu_var(secp256k1_gej_t *r, secp256k1_coz_t *ra, sec
 
     secp256k1_fe_mul(&r->z, &b->z, &dX);
     *rzr = dX;
+#ifdef VERIFY
+    ra->z = r->z;
+    ra->infinity = r->infinity;
+#endif
 }
 #endif
 

diff --git a/src/tests.c b/src/tests.c
@@ -1112,6 +1112,10 @@ void test_ge(void) {
                 secp256k1_fe_t zr2;
                 secp256k1_fe_mul(&ra.x, &ge[i1].x, &gej[i2].z); secp256k1_fe_mul(&ra.x, &ra.x, &gej[i2].z);
                 secp256k1_fe_mul(&ra.y, &ge[i1].y, &gej[i2].z); secp256k1_fe_mul(&ra.y, &ra.y, &gej[i2].z); secp256k1_fe_mul(&ra.y, &ra.y, &gej[i2].z);
+#ifdef VERIFY
+                ra.z = gej[i2].z;
+                ra.infinity = gej[i2].infinity;
+#endif
                 secp256k1_coz_zaddu_var(&resj, &ra, &zr2, &gej[i2]);
                 ge_equals_gej(&ref, &resj); /* Check sum */
                 if (!secp256k1_gej_is_infinity(&resj)) {