Use Squares RNG instead of RFC6979 for tests

Author: sipa

src/modules/schnorrsig/tests_impl.h

@@ -87,7 +87,7 @@ void run_nonce_function_bip340_tests(void) {
     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
     /* Other algo is fine */
-    secp256k1_rfc6979_hmac_sha256_generate(&secp256k1_test_rng, algo, algolen);
+    secp256k1_testrand_bytes_test(algo, algolen);
     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
 
     for (i = 0; i < count; i++) {

src/testrand_impl.h

@@ -14,22 +14,44 @@
 #include "testrand.h"
 #include "hash.h"
 
-static secp256k1_rfc6979_hmac_sha256 secp256k1_test_rng;
-static uint32_t secp256k1_test_rng_precomputed[8];
-static int secp256k1_test_rng_precomputed_used = 8;
+static uint64_t secp256k1_test_rng_key1, secp256k1_test_rng_key2;
+static uint64_t secp256k1_test_rng_cnt = 1;
 static uint64_t secp256k1_test_rng_integer;
 static int secp256k1_test_rng_integer_bits_left = 0;
 
-SECP256K1_INLINE static void secp256k1_testrand_seed(const unsigned char *seed16) {
-    secp256k1_rfc6979_hmac_sha256_initialize(&secp256k1_test_rng, seed16, 16);
+SECP256K1_INLINE static uint32_t secp256k1_testrand32(void) {
+    /* RNG based on https://arxiv.org/abs/2004.06278, using two separate keys, and
+     * only using odd counters to avoid entropy loss of key1. */
+    uint64_t x, y, z;
+    y = x = secp256k1_test_rng_cnt * secp256k1_test_rng_key1;
+    z = y + secp256k1_test_rng_key2;
+    secp256k1_test_rng_cnt += 2;
+
+    x = x*x + y; x = (x>>32) | (x<<32); /* round 1 */
+    x = x*x + z; x = (x>>32) | (x<<32); /* round 2 */
+    x = x*x + y; x = (x>>32) | (x<<32); /* round 3 */
+    return (x*x + z) >> 32; /* round 4 */
 }
 
-SECP256K1_INLINE static uint32_t secp256k1_testrand32(void) {
-    if (secp256k1_test_rng_precomputed_used == 8) {
-        secp256k1_rfc6979_hmac_sha256_generate(&secp256k1_test_rng, (unsigned char*)(&secp256k1_test_rng_precomputed[0]), sizeof(secp256k1_test_rng_precomputed));
-        secp256k1_test_rng_precomputed_used = 0;
+SECP256K1_INLINE static void secp256k1_testrand_seed(const unsigned char *seed16) {
+    static const unsigned char PREFIX[19] = "secp256k1 RNG init";
+    unsigned char out32[32];
+    int i;
+
+    secp256k1_sha256 hash;
+    secp256k1_sha256_initialize(&hash);
+    secp256k1_sha256_write(&hash, PREFIX, sizeof(PREFIX));
+    secp256k1_sha256_write(&hash, seed16, 16);
+    secp256k1_sha256_finalize(&hash, out32);
+
+    secp256k1_test_rng_key1 = 0;
+    secp256k1_test_rng_key2 = 0;
+    for (i = 0; i < 8; ++i) {
+        secp256k1_test_rng_key1 = (secp256k1_test_rng_key1 << 8) | out32[i];
+        secp256k1_test_rng_key2 = (secp256k1_test_rng_key2 << 8) | out32[i + 8];
     }
-    return secp256k1_test_rng_precomputed[secp256k1_test_rng_precomputed_used++];
+    secp256k1_test_rng_cnt = 0;
+    secp256k1_test_rng_integer_bits_left = 0;
 }
 
 static uint32_t secp256k1_testrand_bits(int bits) {
@@ -85,7 +107,15 @@ static uint32_t secp256k1_testrand_int(uint32_t range) {
 }
 
 static void secp256k1_testrand256(unsigned char *b32) {
-    secp256k1_rfc6979_hmac_sha256_generate(&secp256k1_test_rng, b32, 32);
+    int i;
+    for (i = 0; i < 8; ++i) {
+        uint32_t val = secp256k1_testrand32();
+        b32[0] = val;
+        b32[1] = val >> 8;
+        b32[2] = val >> 16;
+        b32[3] = val >> 24;
+        b32 += 4;
+    }
 }
 
 static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len) {
@@ -109,7 +139,7 @@ static void secp256k1_testrand256_test(unsigned char *b32) {
 }
 
 static void secp256k1_testrand_flip(unsigned char *b, size_t len) {
-    b[secp256k1_testrand_int(len)] ^= (1 << secp256k1_testrand_int(8));
+    b[secp256k1_testrand_int(len)] ^= (1 << secp256k1_testrand_bits(3));
 }
 
 static void secp256k1_testrand_init(const char* hexseed) {