2
I'm trying to code up BIP0032, with full test coverage and I hit a snag with these very rare edge cases:
Private parent key → private child key
In case parse256(IL) ≥ n or ki = 0, the resulting key is invalid, and one should proceed with the next value for i. (Note: this has probability lower than 1 in 2^127.)
Public parent key → public child key
In case parse256(IL) ≥ n or Ki is the point at infinity, the resulting key is invalid, and one should proceed with the next value for i.
I have not written any code around these conditions as without test cases to show I have done it correctly, it's pointless.
I've successfully tested my code with 30 million addresses generated from another library, but I think to stand a better than 50/50 chance of finding one of these edge cases I would have to check in the order of 10^19 (source: Birthday attack).
So my question is, does anyone have any test vectors for these cases?
The alternative is to have a whitebox test that passes bad IL values directly to an otherwise private function, but I'd rather have a blackbox test.
I think you're probably correct, and this is exactly what I ended up doing, see
– weston – 2018-06-11T11:19:36.810fakeHmacSha512Responseshttps://github.com/NovaCrypto/BIP32/blob/master/src/test/java/io/github/novacrypto/bip32/ExtendedPrivateKeyEdgeCases.javawhy is the sentence there if it will never happen? also, what happens if there is no "next value for i"? The last key could be invalid. If the BIP is attempting to handle all cases (even 'impossible' ones), it should handle this one too. – Janus Troelsen – 2018-06-11T14:01:40.457
@JanusTroelsen No one said "it will never happen" (although chances are it won't). I said that probably no one has spent several PHs to calculate such a preimage to use for a unit test. – Mike D – 2018-06-11T14:14:44.663