rangeproof: add more tests for exact-value proofs

apoelstra · apoelstra · commit f871fc137ebe · 2022-08-13T15:24:39.000Z
diff --git a/src/modules/rangeproof/tests_impl.h b/src/modules/rangeproof/tests_impl.h
@@ -655,6 +655,7 @@ static void test_single_value_proof(uint64_t val) {
     uint64_t max_val_out = 0;
     uint64_t val_out = 0;
     size_t m_len_out = 0;
+    const int using_exact_value = secp256k1_testrand32() & 1;
 
     secp256k1_testrand256(blind);
     secp256k1_testrand256(nonce);
@@ -673,19 +674,27 @@ static void test_single_value_proof(uint64_t val) {
         secp256k1_generator_h
     ) == 0);
 
-    plen = sizeof(proof);
-    CHECK(secp256k1_rangeproof_sign(
-        ctx,
-        proof, &plen,
-        val, /* min_val */
-        &commit, blind, nonce,
-        -1, /* exp: -1 is magic value to indicate a single-value proof */
-        0, /* min_bits */
-        val, /* val */
-        NULL, 0,
-        NULL, 0,
-        secp256k1_generator_h
-    ) == 1);
+    if (using_exact_value && val == 0) {
+        plen = 70; /* sanity-check that plen can be <73 for 0-value proofs */
+    } else {
+        plen = sizeof(proof);
+    }
+    if (using_exact_value) {
+        CHECK(secp256k1_rangeproof_create_value(ctx, proof, &plen, val, blind, &commit, secp256k1_generator_h) == 1);
+    } else {
+        CHECK(secp256k1_rangeproof_sign(
+            ctx,
+            proof, &plen,
+            val, /* min_val */
+            &commit, blind, nonce,
+            -1, /* exp: -1 is magic value to indicate a single-value proof */
+            0, /* min_bits */
+            val, /* val */
+            NULL, 0,
+            NULL, 0,
+            secp256k1_generator_h
+        ) == 1);
+    }
 
     /* Different proof sizes are unfortunate but is caused by `min_value` of
      * zero being special-cased and encoded more efficiently. */
@@ -708,25 +717,29 @@ static void test_single_value_proof(uint64_t val) {
 
     memset(message_out, 0, sizeof(message_out));
     m_len_out = sizeof(message_out);
-    CHECK(secp256k1_rangeproof_rewind(
-        ctx,
-        blind_out, &val_out,
-        message_out, &m_len_out,
-        nonce,
-        &min_val_out, &max_val_out,
-        &commit,
-        proof, plen,
-        NULL, 0,
-        secp256k1_generator_h
-    ) == 1);
-    CHECK(val_out == val);
-    CHECK(min_val_out == val);
-    CHECK(max_val_out == val);
-    CHECK(m_len_out == 0);
-    CHECK(secp256k1_memcmp_var(blind, blind_out, 32) == 0);
-    for (m_len_out = 0; m_len_out < sizeof(message_out); m_len_out++) {
-        CHECK(message_out[m_len_out] == 0);
+    /* exact-value proofs cannot be rewound */
+    if (!using_exact_value) {
+        CHECK(secp256k1_rangeproof_rewind(
+            ctx,
+            blind_out, &val_out,
+            message_out, &m_len_out,
+            nonce,
+            &min_val_out, &max_val_out,
+            &commit,
+            proof, plen,
+            NULL, 0,
+            secp256k1_generator_h
+        ) == 1);
+        CHECK(val_out == val);
+        CHECK(min_val_out == val);
+        CHECK(max_val_out == val);
+        CHECK(m_len_out == 0);
+        CHECK(secp256k1_memcmp_var(blind, blind_out, 32) == 0);
+        for (m_len_out = 0; m_len_out < sizeof(message_out); m_len_out++) {
+            CHECK(message_out[m_len_out] == 0);
+        }
     }
+    CHECK(secp256k1_rangeproof_verify_value(ctx, proof, plen, val, &commit, secp256k1_generator_h));
 }
 
 #define MAX_N_GENS	30
@@ -1045,8 +1058,10 @@ void run_rangeproof_tests(void) {
     test_single_value_proof(0);
     test_single_value_proof(12345678);
     test_single_value_proof(UINT64_MAX);
-    test_single_value_proof(secp256k1_testrand32());
-    test_single_value_proof(((uint64_t) secp256k1_testrand32() << 32) + secp256k1_testrand32());
+    for (i = 0; i < count / 2; i++) {
+        test_single_value_proof(secp256k1_testrand32());
+        test_single_value_proof(((uint64_t) secp256k1_testrand32() << 32) + secp256k1_testrand32());
+    }
 
     test_rangeproof_fixed_vectors();
     test_pedersen_commitment_fixed_vector();
