fix: resolve zero-value proof failure in tests (#13)

* fix: resolve zero-value proof failure in tests

Updated the commitment logic to safely skip empty curve points (Point at Infinity) generated by all-zero bit vectors, rather than treating them as a fatal library error.

* refactor: address reviewer comments for helper function and formatting

* test: resolve Copilot warning by using dynamic allocation

* fix: resolve msm masking and add test safety guards

* fix: max-value overflow and explicit fast path for n_pts == 1

* Update src/bulletproof_aggregated.c

Co-authored-by: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>

* Update src/bulletproof_aggregated.c

Co-authored-by: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>

---------

Co-authored-by: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>

Author: mrtcnk

src/bulletproof_aggregated.c

@@ -1092,6 +1092,62 @@ int secp256k1_bulletproof_create_commitment(
     return 1;
 }
 
+/* Helper for a vector 0 */
+static int scalar_vector_all_zero(const unsigned char* scalars, size_t n) {
+    unsigned char zero[32] = {0};
+    for (size_t i = 0; i < n; ++i) {
+        if (memcmp(scalars + 32*i, zero, 32) != 0)
+            return 0; /* found non-zero */
+    }
+    return 1; /* all zero */
+}
+
+/* Helper to calculate commitment terms like A and S */
+static int calculate_commitment_term(
+        const secp256k1_context* ctx,
+        secp256k1_pubkey* out,
+        const secp256k1_pubkey* pk_base,
+        const unsigned char* base_scalar,
+        const unsigned char* vec_l,
+        const unsigned char* vec_r,
+        const secp256k1_pubkey* G_vec,
+        const secp256k1_pubkey* H_vec,
+        size_t n
+) {
+    secp256k1_pubkey tG, tH, tB;
+    const secp256k1_pubkey* pts[3];
+    int n_pts = 0;
+
+    /* 1. base_scalar * Base */
+    tB = *pk_base;
+    if (!secp256k1_ec_pubkey_tweak_mul(ctx, &tB, base_scalar)) return 0;
+    pts[n_pts++] = &tB;
+
+    /* 2. <vec_l, G> */
+    if (!scalar_vector_all_zero(vec_l, n)) {
+        if (!secp256k1_bulletproof_ipa_msm(ctx, &tG, G_vec, vec_l, n))
+            return 0; /* REAL FAILURE */
+        pts[n_pts++] = &tG;
+    }
+
+    /* 3. <vec_r, H> */
+    if (!scalar_vector_all_zero(vec_r, n)) {
+        if (!secp256k1_bulletproof_ipa_msm(ctx, &tH, H_vec, vec_r, n))
+            return 0; /* REAL FAILURE */
+        pts[n_pts++] = &tH;
+    }
+
+    if (n_pts == 1) {
+        *out = *pts[0];
+        return 1;
+    }
+
+    if (!secp256k1_ec_pubkey_combine(ctx, out, pts, n_pts))
+        return 0;
+
+    return 1;
+}
+
 /**
  * Generates an aggregated Bulletproof for m values.
  *
@@ -1217,24 +1273,8 @@ int secp256k1_bulletproof_prove_agg(
      * A = alpha*Base + <al,G> + <ar,H>
      * S = rho*Base   + <sl,G> + <sr,H>
      */
-    {
-        secp256k1_pubkey tG, tH, tB;
-        const secp256k1_pubkey* pts[3];
-
-        if (!secp256k1_bulletproof_ipa_msm(ctx, &tG, G_vec, al, n)) goto cleanup;
-        if (!secp256k1_bulletproof_ipa_msm(ctx, &tH, H_vec, ar, n)) goto cleanup;
-        tB = *pk_base;
-        if (!secp256k1_ec_pubkey_tweak_mul(ctx, &tB, alpha)) goto cleanup;
-        pts[0] = &tB; pts[1] = &tG; pts[2] = &tH;
-        if (!secp256k1_ec_pubkey_combine(ctx, &A, pts, 3)) goto cleanup;
-
-        if (!secp256k1_bulletproof_ipa_msm(ctx, &tG, G_vec, sl, n)) goto cleanup;
-        if (!secp256k1_bulletproof_ipa_msm(ctx, &tH, H_vec, sr, n)) goto cleanup;
-        tB = *pk_base;
-        if (!secp256k1_ec_pubkey_tweak_mul(ctx, &tB, rho)) goto cleanup;
-        pts[0] = &tB; pts[1] = &tG; pts[2] = &tH;
-        if (!secp256k1_ec_pubkey_combine(ctx, &S, pts, 3)) goto cleanup;
-    }
+        if (!calculate_commitment_term(ctx, &A, pk_base, alpha, al, ar, G_vec, H_vec, n)) goto cleanup;
+        if (!calculate_commitment_term(ctx, &S, pk_base, rho, sl, sr, G_vec, H_vec, n)) goto cleanup;
 
     /* ---- 6. Fiat–Shamir y,z ---- */
     {

tests/test_bulletproof_agg.c

@@ -6,46 +6,33 @@
 #include "secp256k1_mpt.h"
 #include "test_utils.h"
 
-/* ---- Aggregation parameters ---- */
-#define M 2
 #define BP_VALUE_BITS 64
 #define BP_TOTAL_BITS(m) ((size_t)(BP_VALUE_BITS * (m)))
-
-/* ---- Benchmark parameters ---- */
 #define VERIFY_RUNS 5
 
-
 /* ---- Helpers ---- */
-
 static inline double elapsed_ms(struct timespec a, struct timespec b) {
     return (b.tv_sec - a.tv_sec) * 1000.0 +
            (b.tv_nsec - a.tv_nsec) / 1e6;
 }
 
-/* ---- Main ---- */
-int main(void) {
-    printf("[TEST] Aggregated Bulletproof test (m = %d)\n", M);
+/* ---- Core Test Logic ---- */
+void run_test_case(secp256k1_context* ctx, const char* name, uint64_t* values, size_t num_values, int run_benchmarks) {
+    EXPECT(num_values > 0);
+    printf("\n[TEST] %s (num_values = %zu)\n", name, num_values);
 
-    /* ---- Context ---- */
-    secp256k1_context* ctx =
-            secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
-    EXPECT(ctx != NULL);
-
-    /* ---- Values ---- */
-    uint64_t values[M] = { 5000, 123456 };
-    unsigned char blindings[M][32];
-    secp256k1_pubkey commitments[M];
-
-    /* ---- Context Binding ---- */
+    unsigned char (*blindings)[32] = malloc(num_values * sizeof(*blindings));
+    secp256k1_pubkey* commitments = malloc(num_values * sizeof(*commitments));
     unsigned char context_id[32];
+
+    EXPECT(blindings != NULL && commitments != NULL);
     EXPECT(RAND_bytes(context_id, 32) == 1);
 
     secp256k1_pubkey pk_base;
-    /* Use the standard H generator from the library */
     EXPECT(secp256k1_mpt_get_h_generator(ctx, &pk_base));
 
     /* ---- Commitments ---- */
-    for (size_t i = 0; i < M; i++) {
+    for (size_t i = 0; i < num_values; i++) {
         random_scalar(ctx, blindings[i]);
         EXPECT(secp256k1_bulletproof_create_commitment(
                 ctx,
@@ -56,7 +43,7 @@ int main(void) {
     }
 
     /* ---- Generator vectors ---- */
-    const size_t n = BP_TOTAL_BITS(M);
+    const size_t n = BP_TOTAL_BITS(num_values);
     secp256k1_pubkey* G_vec = malloc(n * sizeof(secp256k1_pubkey));
     secp256k1_pubkey* H_vec = malloc(n * sizeof(secp256k1_pubkey));
     EXPECT(G_vec && H_vec);
@@ -66,35 +53,28 @@ int main(void) {
     EXPECT(secp256k1_mpt_get_generator_vector(
             ctx, H_vec, n, (const unsigned char*)"H", 1));
 
-    /* ---- Prove (timed) ---- */
+    /* ---- Prove ---- */
     unsigned char proof[4096];
     size_t proof_len = sizeof(proof);
 
-    printf("[TEST] Proving aggregated range proof...\n");
-
     struct timespec t_p_start, t_p_end;
     clock_gettime(CLOCK_MONOTONIC, &t_p_start);
 
-    /* Note: We cast the 2D array 'blindings' to flat pointer */
     EXPECT(secp256k1_bulletproof_prove_agg(
             ctx,
             proof,
             &proof_len,
             values,
             (const unsigned char*)blindings,
-            M,
+            num_values,
             &pk_base,
             context_id));
 
     clock_gettime(CLOCK_MONOTONIC, &t_p_end);
+    printf("  Proof size: %zu bytes\n", proof_len);
+    if (run_benchmarks) printf("  [BENCH] Proving time: %.3f ms\n", elapsed_ms(t_p_start, t_p_end));
 
-    printf("[TEST] Proof size = %zu bytes\n", proof_len);
-    printf("[BENCH] Proving time: %.3f ms\n",
-           elapsed_ms(t_p_start, t_p_end));
-
-    /* ---- Verify (single run, timed) ---- */
-    printf("[TEST] Verifying aggregated proof...\n");
-
+    /* ---- Verify ---- */
     struct timespec t_v_start, t_v_end;
     clock_gettime(CLOCK_MONOTONIC, &t_v_start);
 
@@ -105,59 +85,53 @@ int main(void) {
             proof,
             proof_len,
             commitments,
-            M,
+            num_values,
             &pk_base,
             context_id);
 
     clock_gettime(CLOCK_MONOTONIC, &t_v_end);
-
     EXPECT(ok);
-
-    printf("PASSED\n");
-    printf("[BENCH] Verification time (single): %.3f ms\n",
-           elapsed_ms(t_v_start, t_v_end));
-
-    /* ---- Verify benchmark (average) ---- */
-    double total_ms = 0.0;
-
-    for (int i = 0; i < VERIFY_RUNS; i++) {
-        struct timespec ts, te;
-        clock_gettime(CLOCK_MONOTONIC, &ts);
-
-        ok = secp256k1_bulletproof_verify_agg(
-                ctx,
-                G_vec,
-                H_vec,
-                proof,
-                proof_len,
-                commitments,
-                M,
-                &pk_base,
-                context_id);
-
-        clock_gettime(CLOCK_MONOTONIC, &te);
-
-        EXPECT(ok);
-        total_ms += elapsed_ms(ts, te);
+    printf("  PASSED (Verification)\n");
+    if (run_benchmarks) printf("  [BENCH] Verification time: %.3f ms\n", elapsed_ms(t_v_start, t_v_end));
+
+    /* ---- Benchmark Verify ---- */
+    if (run_benchmarks) {
+        double total_ms = 0.0;
+        for (int i = 0; i < VERIFY_RUNS; i++) {
+            struct timespec ts, te;
+            clock_gettime(CLOCK_MONOTONIC, &ts);
+            ok = secp256k1_bulletproof_verify_agg(
+                    ctx,
+                    G_vec,
+                    H_vec,
+                    proof,
+                    proof_len,
+                    commitments,
+                    num_values,
+                    &pk_base,
+                    context_id);
+            clock_gettime(CLOCK_MONOTONIC, &te);
+            EXPECT(ok);
+            total_ms += elapsed_ms(ts, te);
+        }
+        printf("  [BENCH] Verification avg over %d runs: %.3f ms\n", VERIFY_RUNS, total_ms / VERIFY_RUNS);
     }
 
-    printf("[BENCH] Verification avg over %d runs: %.3f ms\n",
-           VERIFY_RUNS, total_ms / VERIFY_RUNS);
-
-    /* ---- Negative test ---- */
-    printf("[TEST] Tamper test... ");
-
-    secp256k1_pubkey bad_commitments[M];
-    memcpy(bad_commitments, commitments, sizeof(commitments));
+    /* ---- Negative Test (Tamper) ---- */
+    secp256k1_pubkey* bad_commitments = malloc(num_values * sizeof(*bad_commitments));
+    EXPECT(bad_commitments != NULL);
 
+    memcpy(bad_commitments, commitments, sizeof(*commitments) * num_values);
     unsigned char bad_blinding[32];
     random_scalar(ctx, bad_blinding);
 
-    /* Create a fake commitment to (value + 1) to break the sum */
+    /* Create fake commitment to (value + 1) */
     EXPECT(secp256k1_bulletproof_create_commitment(
             ctx,
-            &bad_commitments[1],
-            values[M - 1] + 1,
+            &bad_commitments[num_values - 1],
+            (values[num_values - 1] == UINT64_MAX)
+            ? values[num_values - 1] - 1
+            : values[num_values - 1] + 1,
             bad_blinding,
             &pk_base));
 
@@ -168,22 +142,49 @@ int main(void) {
             proof,
             proof_len,
             bad_commitments,
-            M,
+            num_values,
             &pk_base,
             context_id);
 
     if (ok) {
         fprintf(stderr, "FAILED: Accepted invalid proof!\n");
         exit(EXIT_FAILURE);
     }
+    printf("  PASSED (Rejected invalid proof)\n");
 
-    printf("PASSED (rejected invalid proof)\n");
-
-    /* ---- Cleanup ---- */
+    free(bad_commitments);
+    free(commitments);
+    free(blindings);
     free(G_vec);
     free(H_vec);
-    secp256k1_context_destroy(ctx);
+}
+
+/* ---- Main ---- */
+int main(void) {
+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
+    EXPECT(ctx != NULL);
+
+    /* 1. Single proof, value 0 (The Bug Fix) */
+    uint64_t v1[] = {0};
+    run_test_case(ctx, "Single Proof (Value 0)", v1, 1, 0);
+
+    /* 2. Single proof, value 1 */
+    uint64_t v2[] = {1};
+    run_test_case(ctx, "Single Proof (Value 1)", v2, 1, 0);
 
-    printf("[TEST] Aggregated Bulletproof test completed successfully\n");
+    /* 3. Single proof, MAX VALUE (Tests opposite vector edge case) */
+    uint64_t v3[] = {0xFFFFFFFFFFFFFFFF}; // 2^64 - 1
+    run_test_case(ctx, "Single Proof (MAX Value)", v3, 1, 0);
+
+    /* 4. Aggregated proof, {0, 1} */
+    uint64_t v4[] = {0, 1};
+    run_test_case(ctx, "Aggregated Proof (0, 1)", v4, 2, 0);
+
+    /* 5. Aggregated proof, {0, 0} with Benchmarks */
+    uint64_t v5[] = {0, 0};
+    run_test_case(ctx, "Aggregated Proof (0, 0)", v5, 2, 1);
+
+    secp256k1_context_destroy(ctx);
+    printf("\n[TEST] All Bulletproof tests completed successfully\n");
     return 0;
 }