Test the Elligator Squared mapping functions

- source: src/modules/ellsq/tests_impl.h from bitcoin-core/secp256k1#982 - 3 tests are added: 1. Generate random field elements and use f to map it to a valid group element on the curve. Then use r to map back the group element to the 4 possible pre-images, out of which only 1 is the field element we started with. 2. Generate random group elements on the curve and use r to map it to the 4 possible pre-images. Then map the field elements back to the group element and check if it's the same group element we started with, also making sure that the pre-images are distinct. 3. Verify the test cases which consists of group element and the 4 field elements.Map the group element to the 4 possible pre-images using r and check whether it's consistent with the 4 field elements given in the test case. Map the field element back to the group element using f and check whether it matches the test case.
stratospher · Jan 8, 2022 · 1c2ef4c · 1c2ef4c
1 parent 2e831ff
commit 1c2ef4c
Showing 1 changed file with 43 additions and 1 deletion.
diff --git a/test/functional/test_framework/ellsq.py b/test/functional/test_framework/ellsq.py
@@ -5,7 +5,10 @@
 keys, and is trivially vulnerable to side channel attacks. Do not use for
 anything but tests."""
 
-from .key import fe
+import random
+import unittest
+
+from .key import fe, SECP256K1, SECP256K1_G, SECP256K1_ORDER
 
 C1 = fe(-3).sqrt()
 C2 = (C1 - fe(1)) / fe(2)
@@ -120,3 +123,42 @@ def r(x,y,i):
     [(fe(0xd09a4047f158fe52f96c661d02c68657c4c976ea96ea85ef46d6985bd540756b), fe(0xe793bfaae9300f18e6f9b55aae26322368b61d51ae5022efe266c72d574178bc)), [fe(0x7e6175fdfbb9fb4faf6e2b925ef86c4a444d819aaa82dbee545d3d9b296375be), None                                                                  , None                                                                  , None                                                                  ]],
     [(fe(0x3498662504b73c7c8cecb6c33cd493bdfc190e0f87d913d7ff9ad42e222bfe95), fe(0x245b3a61b8d46997f14f2fea2874899691eb32542b9907d65eb9d21d42454021)), [fe(0x7f556282c3dd9d263390d6bbddada698ab8fd7c7d1a06498f42b30437c8361ad), None                                                                  , None                                                                  , None                                                                  ]]
 ]
+
+class TestFrameworkEllsq(unittest.TestCase):
+    def test_fe_to_ge_to_fe(self):
+        for i in range(100):
+            matches = 0
+            t = fe(random.randrange(1, SECP256K1_ORDER))
+            ge = f(t)
+            jac_ge = (ge[0].val, ge[1].val, 1)
+            assert(SECP256K1.on_curve(jac_ge))
+            # t should appear exactly once in preimages
+            for j in range(4):
+                field_ele = r(ge[0], ge[1], j)
+                if field_ele is not None:
+                    matches += (field_ele == t)
+            assert(matches == 1)
+
+    def test_ge_to_fe_to_ge(self):
+        for i in range(100):
+            m = random.randrange(1, SECP256K1_ORDER)
+            A = SECP256K1.affine(SECP256K1.mul([(SECP256K1_G, m)]))
+            ge = (fe(A[0]), fe(A[1]))
+            preimages = []
+            for j in range(4):
+                field_ele = r(ge[0], ge[1], j)
+                if field_ele is not None:
+                    preimages.append(field_ele)
+                    group_ele = f(field_ele)
+                    assert (ge == group_ele)
+            assert len(set(preimages)) == len(preimages)
+
+    def test_ellsq_mapping(self):
+        for test_vector in ELLSQ_TESTS:
+            ge, fe = test_vector
+            for j, fe1 in enumerate(fe):
+                fe2 = r(ge[0], ge[1], j)
+                assert(fe1 == fe2)
+                if fe2 is not None:
+                    group_ele = f(fe2)
+                    assert (ge == group_ele)