1 /**********************************************************************
2 * Copyright (c) 2013, 2014 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
16 #include "secp256k1.c"
17 #include "testrand_impl.h"
19 #ifdef ENABLE_OPENSSL_TESTS
20 #include "openssl/bn.h"
21 #include "openssl/ec.h"
22 #include "openssl/ecdsa.h"
23 #include "openssl/obj_mac.h"
26 static int count = 64;
28 void random_field_element_test(secp256k1_fe_t *fe) {
30 unsigned char b32[32];
31 secp256k1_rand256_test(b32);
32 if (secp256k1_fe_set_b32(fe, b32)) {
38 void random_field_element_magnitude(secp256k1_fe_t *fe) {
39 int n = secp256k1_rand32() % 9;
40 secp256k1_fe_normalize(fe);
45 secp256k1_fe_clear(&zero);
46 secp256k1_fe_negate(&zero, &zero, 0);
47 secp256k1_fe_mul_int(&zero, n - 1);
48 secp256k1_fe_add(fe, &zero);
50 CHECK(fe->magnitude == n);
54 void random_group_element_test(secp256k1_ge_t *ge) {
57 random_field_element_test(&fe);
58 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand32() & 1))
63 void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge) {
65 random_field_element_test(&gej->z);
66 if (!secp256k1_fe_is_zero(&gej->z)) {
70 secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &gej->z);
71 secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &z2, &gej->z);
72 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
73 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
74 gej->infinity = ge->infinity;
77 void random_scalar_order_test(secp256k1_scalar_t *num) {
79 unsigned char b32[32];
80 secp256k1_rand256_test(b32);
82 secp256k1_scalar_set_b32(num, b32, &overflow);
83 if (overflow || secp256k1_scalar_is_zero(num))
89 void random_scalar_order(secp256k1_scalar_t *num) {
91 unsigned char b32[32];
92 secp256k1_rand256(b32);
94 secp256k1_scalar_set_b32(num, b32, &overflow);
95 if (overflow || secp256k1_scalar_is_zero(num))
101 /***** HASH TESTS *****/
103 void run_sha256_tests(void) {
104 static const char *inputs[8] = {
105 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
106 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
107 "For this sample, this 63-byte string will be used as input data",
108 "This is exactly 64 bytes long, not counting the terminating byte"
110 static const unsigned char outputs[8][32] = {
111 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
112 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
113 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
114 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
115 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
116 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
117 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
118 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
120 for (int i = 0; i < 8; i++) {
121 secp256k1_sha256_t hasher;
122 secp256k1_sha256_initialize(&hasher);
123 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
124 unsigned char out[32];
125 secp256k1_sha256_finalize(&hasher, out);
126 CHECK(memcmp(out, outputs[i], 32) == 0);
127 if (strlen(inputs[i]) > 0) {
128 secp256k1_sha256_initialize(&hasher);
129 int split = secp256k1_rand32() % strlen(inputs[i]);
130 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
131 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
132 secp256k1_sha256_finalize(&hasher, out);
133 CHECK(memcmp(out, outputs[i], 32) == 0);
138 void run_hmac_sha256_tests(void) {
139 static const char *keys[6] = {
140 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
142 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
143 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
144 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
145 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
147 static const char *inputs[6] = {
148 "\x48\x69\x20\x54\x68\x65\x72\x65",
149 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
150 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
151 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
152 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
153 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
155 static const unsigned char outputs[6][32] = {
156 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
157 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
158 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
159 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
160 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
161 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
163 for (int i = 0; i < 6; i++) {
164 secp256k1_hmac_sha256_t hasher;
165 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
166 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
167 unsigned char out[32];
168 secp256k1_hmac_sha256_finalize(&hasher, out);
169 CHECK(memcmp(out, outputs[i], 32) == 0);
170 if (strlen(inputs[i]) > 0) {
171 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
172 int split = secp256k1_rand32() % strlen(inputs[i]);
173 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
174 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
175 secp256k1_hmac_sha256_finalize(&hasher, out);
176 CHECK(memcmp(out, outputs[i], 32) == 0);
181 void run_rfc6979_hmac_sha256_tests(void) {
182 static const unsigned char key1[32] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00};
183 static const unsigned char msg1[32] = {0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a};
184 static const unsigned char out1[3][32] = {
185 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
186 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
187 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
190 static const unsigned char key2[32] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
191 static const unsigned char msg2[32] = {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
192 static const unsigned char out2[3][32] = {
193 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
194 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
195 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
198 secp256k1_rfc6979_hmac_sha256_t rng;
199 unsigned char out[32];
201 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32);
202 for (int i = 0; i < 3; i++) {
203 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
204 CHECK(memcmp(out, out1[i], 32) == 0);
206 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
208 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 32, msg2, 32);
209 for (int i = 0; i < 3; i++) {
210 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
211 CHECK(memcmp(out, out2[i], 32) == 0);
213 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
216 /***** NUM TESTS *****/
219 void random_num_negate(secp256k1_num_t *num) {
220 if (secp256k1_rand32() & 1)
221 secp256k1_num_negate(num);
224 void random_num_order_test(secp256k1_num_t *num) {
225 secp256k1_scalar_t sc;
226 random_scalar_order_test(&sc);
227 secp256k1_scalar_get_num(num, &sc);
230 void random_num_order(secp256k1_num_t *num) {
231 secp256k1_scalar_t sc;
232 random_scalar_order(&sc);
233 secp256k1_scalar_get_num(num, &sc);
236 void test_num_negate(void) {
239 random_num_order_test(&n1); /* n1 = R */
240 random_num_negate(&n1);
241 secp256k1_num_copy(&n2, &n1); /* n2 = R */
242 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
243 CHECK(secp256k1_num_is_zero(&n1));
244 secp256k1_num_copy(&n1, &n2); /* n1 = R */
245 secp256k1_num_negate(&n1); /* n1 = -R */
246 CHECK(!secp256k1_num_is_zero(&n1));
247 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
248 CHECK(secp256k1_num_is_zero(&n1));
249 secp256k1_num_copy(&n1, &n2); /* n1 = R */
250 secp256k1_num_negate(&n1); /* n1 = -R */
251 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
252 secp256k1_num_negate(&n1); /* n1 = R */
253 CHECK(secp256k1_num_eq(&n1, &n2));
256 void test_num_add_sub(void) {
257 int r = secp256k1_rand32();
260 random_num_order_test(&n1); /* n1 = R1 */
262 random_num_negate(&n1);
264 random_num_order_test(&n2); /* n2 = R2 */
266 random_num_negate(&n2);
268 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
269 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
270 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
271 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
272 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
273 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
274 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
275 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
276 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
277 CHECK(!secp256k1_num_eq(&n2m1, &n1));
278 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
279 CHECK(secp256k1_num_eq(&n2m1, &n1));
280 CHECK(!secp256k1_num_eq(&n2p1, &n1));
281 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
282 CHECK(secp256k1_num_eq(&n2p1, &n1));
285 void run_num_smalltests(void) {
286 for (int i=0; i<100*count; i++) {
293 /***** SCALAR TESTS *****/
295 void scalar_test(void) {
298 /* Set 's' to a random scalar, with value 'snum'. */
299 secp256k1_scalar_t s;
300 random_scalar_order_test(&s);
302 /* Set 's1' to a random scalar, with value 's1num'. */
303 secp256k1_scalar_t s1;
304 random_scalar_order_test(&s1);
306 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
307 secp256k1_scalar_t s2;
308 random_scalar_order_test(&s2);
309 secp256k1_scalar_get_b32(c, &s2);
312 secp256k1_num_t snum, s1num, s2num;
313 secp256k1_scalar_get_num(&snum, &s);
314 secp256k1_scalar_get_num(&s1num, &s1);
315 secp256k1_scalar_get_num(&s2num, &s2);
317 secp256k1_num_t order;
318 secp256k1_scalar_order_get_num(&order);
319 secp256k1_num_t half_order = order;
320 secp256k1_num_shift(&half_order, 1);
324 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
325 secp256k1_scalar_t n;
326 secp256k1_scalar_set_int(&n, 0);
327 for (int i = 0; i < 256; i += 4) {
328 secp256k1_scalar_t t;
329 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
330 for (int j = 0; j < 4; j++) {
331 secp256k1_scalar_add(&n, &n, &n);
333 secp256k1_scalar_add(&n, &n, &t);
335 CHECK(secp256k1_scalar_eq(&n, &s));
339 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
340 secp256k1_scalar_t n;
341 secp256k1_scalar_set_int(&n, 0);
344 int now = (secp256k1_rand32() % 15) + 1;
348 secp256k1_scalar_t t;
349 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
350 for (int j = 0; j < now; j++) {
351 secp256k1_scalar_add(&n, &n, &n);
353 secp256k1_scalar_add(&n, &n, &t);
356 CHECK(secp256k1_scalar_eq(&n, &s));
361 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
362 secp256k1_num_t rnum;
363 secp256k1_num_add(&rnum, &snum, &s2num);
364 secp256k1_num_mod(&rnum, &order);
365 secp256k1_scalar_t r;
366 secp256k1_scalar_add(&r, &s, &s2);
367 secp256k1_num_t r2num;
368 secp256k1_scalar_get_num(&r2num, &r);
369 CHECK(secp256k1_num_eq(&rnum, &r2num));
373 /* Test that multipying the scalars is equal to multiplying their numbers modulo the order. */
374 secp256k1_num_t rnum;
375 secp256k1_num_mul(&rnum, &snum, &s2num);
376 secp256k1_num_mod(&rnum, &order);
377 secp256k1_scalar_t r;
378 secp256k1_scalar_mul(&r, &s, &s2);
379 secp256k1_num_t r2num;
380 secp256k1_scalar_get_num(&r2num, &r);
381 CHECK(secp256k1_num_eq(&rnum, &r2num));
382 /* The result can only be zero if at least one of the factors was zero. */
383 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
384 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
385 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
386 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
390 /* Check that comparison with zero matches comparison with zero on the number. */
391 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
392 /* Check that comparison with the half order is equal to testing for high scalar. */
393 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
394 secp256k1_scalar_t neg;
395 secp256k1_scalar_negate(&neg, &s);
396 secp256k1_num_t negnum;
397 secp256k1_num_sub(&negnum, &order, &snum);
398 secp256k1_num_mod(&negnum, &order);
399 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
400 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
401 /* Negating should change the high property, unless the value was already zero. */
402 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
403 secp256k1_num_t negnum2;
404 secp256k1_scalar_get_num(&negnum2, &neg);
405 /* Negating a scalar should be equal to (order - n) mod order on the number. */
406 CHECK(secp256k1_num_eq(&negnum, &negnum2));
407 secp256k1_scalar_add(&neg, &neg, &s);
408 /* Adding a number to its negation should result in zero. */
409 CHECK(secp256k1_scalar_is_zero(&neg));
410 secp256k1_scalar_negate(&neg, &neg);
411 /* Negating zero should still result in zero. */
412 CHECK(secp256k1_scalar_is_zero(&neg));
416 /* Test secp256k1_scalar_mul_shift_var. */
417 secp256k1_scalar_t r;
418 unsigned int shift = 256 + (secp256k1_rand32() % 257);
419 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
420 secp256k1_num_t rnum;
421 secp256k1_num_mul(&rnum, &s1num, &s2num);
422 secp256k1_num_shift(&rnum, shift - 1);
424 unsigned char cone[1] = {0x01};
425 secp256k1_num_set_bin(&one, cone, 1);
426 secp256k1_num_add(&rnum, &rnum, &one);
427 secp256k1_num_shift(&rnum, 1);
428 secp256k1_num_t rnum2;
429 secp256k1_scalar_get_num(&rnum2, &r);
430 CHECK(secp256k1_num_eq(&rnum, &rnum2));
435 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
436 if (!secp256k1_scalar_is_zero(&s)) {
437 secp256k1_scalar_t inv;
438 secp256k1_scalar_inverse(&inv, &s);
440 secp256k1_num_t invnum;
441 secp256k1_num_mod_inverse(&invnum, &snum, &order);
442 secp256k1_num_t invnum2;
443 secp256k1_scalar_get_num(&invnum2, &inv);
444 CHECK(secp256k1_num_eq(&invnum, &invnum2));
446 secp256k1_scalar_mul(&inv, &inv, &s);
447 /* Multiplying a scalar with its inverse must result in one. */
448 CHECK(secp256k1_scalar_is_one(&inv));
449 secp256k1_scalar_inverse(&inv, &inv);
450 /* Inverting one must result in one. */
451 CHECK(secp256k1_scalar_is_one(&inv));
456 /* Test commutativity of add. */
457 secp256k1_scalar_t r1, r2;
458 secp256k1_scalar_add(&r1, &s1, &s2);
459 secp256k1_scalar_add(&r2, &s2, &s1);
460 CHECK(secp256k1_scalar_eq(&r1, &r2));
465 int bit = secp256k1_rand32() % 256;
466 secp256k1_scalar_t b;
467 secp256k1_scalar_set_int(&b, 1);
468 CHECK(secp256k1_scalar_is_one(&b));
469 for (int i = 0; i < bit; i++) {
470 secp256k1_scalar_add(&b, &b, &b);
472 secp256k1_scalar_t r1 = s1, r2 = s1;
473 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
474 /* No overflow happened. */
475 secp256k1_scalar_add_bit(&r2, bit);
476 CHECK(secp256k1_scalar_eq(&r1, &r2));
481 /* Test commutativity of mul. */
482 secp256k1_scalar_t r1, r2;
483 secp256k1_scalar_mul(&r1, &s1, &s2);
484 secp256k1_scalar_mul(&r2, &s2, &s1);
485 CHECK(secp256k1_scalar_eq(&r1, &r2));
489 /* Test associativity of add. */
490 secp256k1_scalar_t r1, r2;
491 secp256k1_scalar_add(&r1, &s1, &s2);
492 secp256k1_scalar_add(&r1, &r1, &s);
493 secp256k1_scalar_add(&r2, &s2, &s);
494 secp256k1_scalar_add(&r2, &s1, &r2);
495 CHECK(secp256k1_scalar_eq(&r1, &r2));
499 /* Test associativity of mul. */
500 secp256k1_scalar_t r1, r2;
501 secp256k1_scalar_mul(&r1, &s1, &s2);
502 secp256k1_scalar_mul(&r1, &r1, &s);
503 secp256k1_scalar_mul(&r2, &s2, &s);
504 secp256k1_scalar_mul(&r2, &s1, &r2);
505 CHECK(secp256k1_scalar_eq(&r1, &r2));
509 /* Test distributitivity of mul over add. */
510 secp256k1_scalar_t r1, r2, t;
511 secp256k1_scalar_add(&r1, &s1, &s2);
512 secp256k1_scalar_mul(&r1, &r1, &s);
513 secp256k1_scalar_mul(&r2, &s1, &s);
514 secp256k1_scalar_mul(&t, &s2, &s);
515 secp256k1_scalar_add(&r2, &r2, &t);
516 CHECK(secp256k1_scalar_eq(&r1, &r2));
521 secp256k1_scalar_t r1, r2;
522 secp256k1_scalar_sqr(&r1, &s1);
523 secp256k1_scalar_mul(&r2, &s1, &s1);
524 CHECK(secp256k1_scalar_eq(&r1, &r2));
528 /* Test multiplicative identity. */
529 secp256k1_scalar_t r1, v1;
530 secp256k1_scalar_set_int(&v1,1);
531 secp256k1_scalar_mul(&r1, &s1, &v1);
532 CHECK(secp256k1_scalar_eq(&r1, &s1));
536 /* Test additive identity. */
537 secp256k1_scalar_t r1, v0;
538 secp256k1_scalar_set_int(&v0,0);
539 secp256k1_scalar_add(&r1, &s1, &v0);
540 CHECK(secp256k1_scalar_eq(&r1, &s1));
544 /* Test zero product property. */
545 secp256k1_scalar_t r1, v0;
546 secp256k1_scalar_set_int(&v0,0);
547 secp256k1_scalar_mul(&r1, &s1, &v0);
548 CHECK(secp256k1_scalar_eq(&r1, &v0));
553 void run_scalar_tests(void) {
554 for (int i = 0; i < 128 * count; i++) {
559 /* (-1)+1 should be zero. */
560 secp256k1_scalar_t s, o;
561 secp256k1_scalar_set_int(&s, 1);
562 CHECK(secp256k1_scalar_is_one(&s));
563 secp256k1_scalar_negate(&o, &s);
564 secp256k1_scalar_add(&o, &o, &s);
565 CHECK(secp256k1_scalar_is_zero(&o));
566 secp256k1_scalar_negate(&o, &o);
567 CHECK(secp256k1_scalar_is_zero(&o));
572 /* A scalar with value of the curve order should be 0. */
573 secp256k1_num_t order;
574 secp256k1_scalar_order_get_num(&order);
575 unsigned char bin[32];
576 secp256k1_num_get_bin(bin, 32, &order);
577 secp256k1_scalar_t zero;
579 secp256k1_scalar_set_b32(&zero, bin, &overflow);
580 CHECK(overflow == 1);
581 CHECK(secp256k1_scalar_is_zero(&zero));
586 /***** FIELD TESTS *****/
588 void random_fe(secp256k1_fe_t *x) {
589 unsigned char bin[32];
591 secp256k1_rand256(bin);
592 if (secp256k1_fe_set_b32(x, bin)) {
598 void random_fe_non_zero(secp256k1_fe_t *nz) {
600 while (--tries >= 0) {
602 secp256k1_fe_normalize(nz);
603 if (!secp256k1_fe_is_zero(nz))
606 /* Infinitesimal probability of spurious failure here */
610 void random_fe_non_square(secp256k1_fe_t *ns) {
611 random_fe_non_zero(ns);
613 if (secp256k1_fe_sqrt_var(&r, ns)) {
614 secp256k1_fe_negate(ns, ns, 1);
618 int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
619 secp256k1_fe_t an = *a; secp256k1_fe_normalize_weak(&an);
620 secp256k1_fe_t bn = *b; secp256k1_fe_normalize_var(&bn);
621 return secp256k1_fe_equal_var(&an, &bn);
624 int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
625 secp256k1_fe_t x; secp256k1_fe_mul(&x, a, ai);
626 secp256k1_fe_t one; secp256k1_fe_set_int(&one, 1);
627 return check_fe_equal(&x, &one);
630 void run_field_misc(void) {
631 const unsigned char f32_5[32] = {
632 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
642 CHECK(secp256k1_fe_set_b32(&fe5, f32_5));
643 for (int i=0; i<5*count; i++) {
645 random_fe_non_zero(&y);
646 /* Test the fe equality and comparison operations. */
647 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
648 CHECK(secp256k1_fe_equal_var(&x, &x));
650 secp256k1_fe_add(&z,&y);
651 secp256k1_fe_normalize(&z);
652 /* Test the conditional move. */
653 secp256k1_fe_cmov(&z, &x, 0);
654 CHECK(secp256k1_fe_equal_var(&x, &z) == 0);
655 CHECK(secp256k1_fe_cmp_var(&x, &z) != 0);
656 secp256k1_fe_cmov(&y, &x, 1);
657 CHECK(secp256k1_fe_equal_var(&x, &y));
658 /* Test that mul_int, mul, and add agree. */
659 secp256k1_fe_add(&y, &x);
660 secp256k1_fe_add(&y, &x);
662 secp256k1_fe_mul_int(&z, 3);
663 CHECK(check_fe_equal(&y, &z));
664 secp256k1_fe_add(&y, &x);
665 secp256k1_fe_add(&z, &x);
666 CHECK(check_fe_equal(&z, &y));
668 secp256k1_fe_mul_int(&z, 5);
669 secp256k1_fe_mul(&q, &x, &fe5);
670 CHECK(check_fe_equal(&z, &q));
671 secp256k1_fe_negate(&x, &x, 1);
672 secp256k1_fe_add(&z, &x);
673 secp256k1_fe_add(&q, &x);
674 CHECK(check_fe_equal(&y, &z));
675 CHECK(check_fe_equal(&q, &y));
679 void run_field_inv(void) {
680 secp256k1_fe_t x, xi, xii;
681 for (int i=0; i<10*count; i++) {
682 random_fe_non_zero(&x);
683 secp256k1_fe_inv(&xi, &x);
684 CHECK(check_fe_inverse(&x, &xi));
685 secp256k1_fe_inv(&xii, &xi);
686 CHECK(check_fe_equal(&x, &xii));
690 void run_field_inv_var(void) {
691 secp256k1_fe_t x, xi, xii;
692 for (int i=0; i<10*count; i++) {
693 random_fe_non_zero(&x);
694 secp256k1_fe_inv_var(&xi, &x);
695 CHECK(check_fe_inverse(&x, &xi));
696 secp256k1_fe_inv_var(&xii, &xi);
697 CHECK(check_fe_equal(&x, &xii));
701 void run_field_inv_all_var(void) {
702 secp256k1_fe_t x[16], xi[16], xii[16];
703 /* Check it's safe to call for 0 elements */
704 secp256k1_fe_inv_all_var(0, xi, x);
705 for (int i=0; i<count; i++) {
706 size_t len = (secp256k1_rand32() & 15) + 1;
707 for (size_t j=0; j<len; j++)
708 random_fe_non_zero(&x[j]);
709 secp256k1_fe_inv_all_var(len, xi, x);
710 for (size_t j=0; j<len; j++)
711 CHECK(check_fe_inverse(&x[j], &xi[j]));
712 secp256k1_fe_inv_all_var(len, xii, xi);
713 for (size_t j=0; j<len; j++)
714 CHECK(check_fe_equal(&x[j], &xii[j]));
722 secp256k1_fe_set_int(&x, 1);
723 secp256k1_fe_negate(&x, &x, 1);
725 for (int i=1; i<=512; ++i) {
726 secp256k1_fe_mul_int(&x, 2);
727 secp256k1_fe_normalize(&x);
728 secp256k1_fe_sqr(&s, &x);
733 void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
734 secp256k1_fe_t r1, r2;
735 int v = secp256k1_fe_sqrt_var(&r1, a);
736 CHECK((v == 0) == (k == NULL));
739 /* Check that the returned root is +/- the given known answer */
740 secp256k1_fe_negate(&r2, &r1, 1);
741 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
742 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
743 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
747 void run_sqrt(void) {
748 secp256k1_fe_t ns, x, s, t;
750 /* Check sqrt(0) is 0 */
751 secp256k1_fe_set_int(&x, 0);
752 secp256k1_fe_sqr(&s, &x);
755 /* Check sqrt of small squares (and their negatives) */
756 for (int i=1; i<=100; i++) {
757 secp256k1_fe_set_int(&x, i);
758 secp256k1_fe_sqr(&s, &x);
760 secp256k1_fe_negate(&t, &s, 1);
764 /* Consistency checks for large random values */
765 for (int i=0; i<10; i++) {
766 random_fe_non_square(&ns);
767 for (int j=0; j<count; j++) {
769 secp256k1_fe_sqr(&s, &x);
771 secp256k1_fe_negate(&t, &s, 1);
773 secp256k1_fe_mul(&t, &s, &ns);
779 /***** GROUP TESTS *****/
781 void ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b) {
782 CHECK(a->infinity == b->infinity);
785 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
786 CHECK(secp256k1_fe_equal_var(&b->y, &b->y));
789 void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b) {
790 CHECK(a->infinity == b->infinity);
793 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
795 secp256k1_fe_sqr(&z2s, &b->z);
796 secp256k1_fe_t u1, u2, s1, s2;
797 secp256k1_fe_mul(&u1, &a->x, &z2s);
798 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
799 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
800 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
801 CHECK(secp256k1_fe_equal_var(&u1, &u2));
802 CHECK(secp256k1_fe_equal_var(&s1, &s2));
807 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
808 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
809 * All magnitudes are randomized.
810 * All 17*17 combinations of points are added to eachother, using all applicable methods.
812 secp256k1_ge_t *ge = malloc(sizeof(secp256k1_ge_t) * (1 + 4 * runs));
813 secp256k1_gej_t *gej = malloc(sizeof(secp256k1_gej_t) * (1 + 4 * runs));
814 secp256k1_gej_set_infinity(&gej[0]);
815 secp256k1_ge_clear(&ge[0]);
816 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
817 for (int i = 0; i < runs; i++) {
819 random_group_element_test(&g);
822 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
823 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
824 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
825 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
826 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
827 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
828 for (int j = 0; j < 4; j++) {
829 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
830 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
831 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
832 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
833 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
837 for (int i1 = 0; i1 < 1 + 4 * runs; i1++) {
838 for (int i2 = 0; i2 < 1 + 4 * runs; i2++) {
839 /* Compute reference result using gej + gej (var). */
840 secp256k1_gej_t refj, resj;
842 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2]);
843 secp256k1_ge_set_gej_var(&ref, &refj);
845 /* Test gej + ge (var). */
846 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2]);
847 ge_equals_gej(&ref, &resj);
849 /* Test gej + ge (const). */
851 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
852 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
853 ge_equals_gej(&ref, &resj);
856 /* Test doubling (var). */
857 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
858 /* Normal doubling. */
859 secp256k1_gej_double_var(&resj, &gej[i1]);
860 ge_equals_gej(&ref, &resj);
861 secp256k1_gej_double_var(&resj, &gej[i2]);
862 ge_equals_gej(&ref, &resj);
865 /* Test adding opposites. */
866 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
867 CHECK(secp256k1_ge_is_infinity(&ref));
870 /* Test adding infinity. */
872 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
873 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
874 ge_equals_gej(&ref, &gej[i2]);
877 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
878 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
879 ge_equals_gej(&ref, &gej[i1]);
884 /* Test adding all points together in random order equals infinity. */
886 secp256k1_gej_t *gej_shuffled = malloc((4 * runs + 1) * sizeof(secp256k1_gej_t));
887 for (int i = 0; i < 4 * runs + 1; i++) {
888 gej_shuffled[i] = gej[i];
890 for (int i = 0; i < 4 * runs + 1; i++) {
891 int swap = i + secp256k1_rand32() % (4 * runs + 1 - i);
893 secp256k1_gej_t t = gej_shuffled[i];
894 gej_shuffled[i] = gej_shuffled[swap];
895 gej_shuffled[swap] = t;
899 secp256k1_gej_set_infinity(&sum);
900 for (int i = 0; i < 4 * runs + 1; i++) {
901 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i]);
903 CHECK(secp256k1_gej_is_infinity(&sum));
907 /* Test batch gej -> ge conversion. */
909 secp256k1_ge_t *ge_set_all = malloc((4 * runs + 1) * sizeof(secp256k1_ge_t));
910 secp256k1_ge_set_all_gej_var(4 * runs + 1, ge_set_all, gej);
911 for (int i = 0; i < 4 * runs + 1; i++) {
912 ge_equals_gej(&ge_set_all[i], &gej[i]);
922 for (int i = 0; i < count * 32; i++) {
927 /***** ECMULT TESTS *****/
929 void run_ecmult_chain(void) {
930 /* random starting point A (on the curve) */
931 secp256k1_fe_t ax; VERIFY_CHECK(secp256k1_fe_set_hex(&ax, "8b30bbe9ae2a990696b22f670709dff3727fd8bc04d3362c6c7bf458e2846004", 64));
932 secp256k1_fe_t ay; VERIFY_CHECK(secp256k1_fe_set_hex(&ay, "a357ae915c4a65281309edf20504740f0eb3343990216b4f81063cb65f2f7e0f", 64));
933 secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
934 /* two random initial factors xn and gn */
935 static const unsigned char xni[32] = {
936 0x84, 0xcc, 0x54, 0x52, 0xf7, 0xfd, 0xe1, 0xed,
937 0xb4, 0xd3, 0x8a, 0x8c, 0xe9, 0xb1, 0xb8, 0x4c,
938 0xce, 0xf3, 0x1f, 0x14, 0x6e, 0x56, 0x9b, 0xe9,
939 0x70, 0x5d, 0x35, 0x7a, 0x42, 0x98, 0x54, 0x07
941 secp256k1_scalar_t xn;
942 secp256k1_scalar_set_b32(&xn, xni, NULL);
943 static const unsigned char gni[32] = {
944 0xa1, 0xe5, 0x8d, 0x22, 0x55, 0x3d, 0xcd, 0x42,
945 0xb2, 0x39, 0x80, 0x62, 0x5d, 0x4c, 0x57, 0xa9,
946 0x6e, 0x93, 0x23, 0xd4, 0x2b, 0x31, 0x52, 0xe5,
947 0xca, 0x2c, 0x39, 0x90, 0xed, 0xc7, 0xc9, 0xde
949 secp256k1_scalar_t gn;
950 secp256k1_scalar_set_b32(&gn, gni, NULL);
951 /* two small multipliers to be applied to xn and gn in every iteration: */
952 static const unsigned char xfi[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x13,0x37};
953 secp256k1_scalar_t xf;
954 secp256k1_scalar_set_b32(&xf, xfi, NULL);
955 static const unsigned char gfi[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x71,0x13};
956 secp256k1_scalar_t gf;
957 secp256k1_scalar_set_b32(&gf, gfi, NULL);
958 /* accumulators with the resulting coefficients to A and G */
959 secp256k1_scalar_t ae;
960 secp256k1_scalar_set_int(&ae, 1);
961 secp256k1_scalar_t ge;
962 secp256k1_scalar_set_int(&ge, 0);
963 /* the point being computed */
964 secp256k1_gej_t x = a;
965 for (int i=0; i<200*count; i++) {
966 /* in each iteration, compute X = xn*X + gn*G; */
967 secp256k1_ecmult(&x, &x, &xn, &gn);
968 /* also compute ae and ge: the actual accumulated factors for A and G */
969 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
970 secp256k1_scalar_mul(&ae, &ae, &xn);
971 secp256k1_scalar_mul(&ge, &ge, &xn);
972 secp256k1_scalar_add(&ge, &ge, &gn);
973 /* modify xn and gn */
974 secp256k1_scalar_mul(&xn, &xn, &xf);
975 secp256k1_scalar_mul(&gn, &gn, &gf);
979 char res[132]; int resl = 132;
980 secp256k1_gej_get_hex(res, &resl, &x);
981 CHECK(strcmp(res, "(D6E96687F9B10D092A6F35439D86CEBEA4535D0D409F53586440BD74B933E830,B95CBCA2C77DA786539BE8FD53354D2D3B4F566AE658045407ED6015EE1B2A88)") == 0);
984 /* redo the computation, but directly with the resulting ae and ge coefficients: */
985 secp256k1_gej_t x2; secp256k1_ecmult(&x2, &a, &ae, &ge);
986 char res[132]; int resl = 132;
987 char res2[132]; int resl2 = 132;
988 secp256k1_gej_get_hex(res, &resl, &x);
989 secp256k1_gej_get_hex(res2, &resl2, &x2);
990 CHECK(strcmp(res, res2) == 0);
991 CHECK(strlen(res) == 131);
994 void test_point_times_order(const secp256k1_gej_t *point) {
995 unsigned char pub[65];
996 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
997 secp256k1_scalar_t x;
998 random_scalar_order_test(&x);
999 secp256k1_scalar_t nx;
1000 secp256k1_scalar_negate(&nx, &x);
1001 secp256k1_gej_t res1, res2;
1002 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
1003 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
1004 secp256k1_gej_add_var(&res1, &res1, &res2);
1005 CHECK(secp256k1_gej_is_infinity(&res1));
1006 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
1007 secp256k1_ge_t res3;
1008 secp256k1_ge_set_gej(&res3, &res1);
1009 CHECK(secp256k1_ge_is_infinity(&res3));
1010 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
1012 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
1014 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
1017 void run_point_times_order(void) {
1018 secp256k1_fe_t x; VERIFY_CHECK(secp256k1_fe_set_hex(&x, "02", 2));
1019 for (int i=0; i<500; i++) {
1021 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
1022 CHECK(secp256k1_ge_is_valid_var(&p));
1024 secp256k1_gej_set_ge(&j, &p);
1025 CHECK(secp256k1_gej_is_valid_var(&j));
1026 test_point_times_order(&j);
1028 secp256k1_fe_sqr(&x, &x);
1033 secp256k1_fe_get_hex(c, &cl, &x); /* Check that fe_get_hex handles a too short input. */
1036 secp256k1_fe_get_hex(c, &cl, &x);
1037 CHECK(strcmp(c, "7603CB59B0EF6C63FE6084792A0C378CDB3233A80F8A9A09A877DEAD31B38C45") == 0);
1040 void test_wnaf(const secp256k1_scalar_t *number, int w) {
1041 secp256k1_scalar_t x, two, t;
1042 secp256k1_scalar_set_int(&x, 0);
1043 secp256k1_scalar_set_int(&two, 2);
1045 int bits = secp256k1_ecmult_wnaf(wnaf, number, w);
1048 for (int i=bits-1; i>=0; i--) {
1049 secp256k1_scalar_mul(&x, &x, &two);
1052 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
1054 CHECK((v & 1) == 1); /* check non-zero elements are odd */
1055 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
1056 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
1058 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
1062 secp256k1_scalar_set_int(&t, v);
1064 secp256k1_scalar_set_int(&t, -v);
1065 secp256k1_scalar_negate(&t, &t);
1067 secp256k1_scalar_add(&x, &x, &t);
1069 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
1072 void run_wnaf(void) {
1073 secp256k1_scalar_t n;
1074 for (int i=0; i<count; i++) {
1075 random_scalar_order(&n);
1077 secp256k1_scalar_negate(&n, &n);
1078 test_wnaf(&n, 4+(i%10));
1082 void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
1083 secp256k1_scalar_t nonce;
1085 random_scalar_order_test(&nonce);
1086 } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
1089 void test_ecdsa_sign_verify(void) {
1092 secp256k1_scalar_t msg, key;
1093 random_scalar_order_test(&msg);
1094 random_scalar_order_test(&key);
1095 secp256k1_gej_t pubj; secp256k1_ecmult_gen(&pubj, &key);
1096 secp256k1_ge_t pub; secp256k1_ge_set_gej(&pub, &pubj);
1097 secp256k1_ecdsa_sig_t sig;
1098 getrec = secp256k1_rand32()&1;
1099 random_sign(&sig, &key, &msg, getrec?&recid:NULL);
1100 if (getrec) CHECK(recid >= 0 && recid < 4);
1101 CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
1102 secp256k1_scalar_t one;
1103 secp256k1_scalar_set_int(&one, 1);
1104 secp256k1_scalar_add(&msg, &msg, &one);
1105 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
1108 void run_ecdsa_sign_verify(void) {
1109 for (int i=0; i<10*count; i++) {
1110 test_ecdsa_sign_verify();
1114 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
1115 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1118 memcpy(nonce32, data, 32);
1119 return (counter == 0);
1122 void test_ecdsa_end_to_end(void) {
1123 unsigned char privkey[32];
1124 unsigned char message[32];
1126 /* Generate a random key and message. */
1128 secp256k1_scalar_t msg, key;
1129 random_scalar_order_test(&msg);
1130 random_scalar_order_test(&key);
1131 secp256k1_scalar_get_b32(privkey, &key);
1132 secp256k1_scalar_get_b32(message, &msg);
1135 /* Construct and verify corresponding public key. */
1136 CHECK(secp256k1_ec_seckey_verify(privkey) == 1);
1137 unsigned char pubkey[65]; int pubkeylen = 65;
1138 CHECK(secp256k1_ec_pubkey_create(pubkey, &pubkeylen, privkey, (secp256k1_rand32() & 3) != 0) == 1);
1139 if (secp256k1_rand32() & 1) {
1140 CHECK(secp256k1_ec_pubkey_decompress(pubkey, &pubkeylen));
1142 CHECK(secp256k1_ec_pubkey_verify(pubkey, pubkeylen));
1144 /* Verify private key import and export. */
1145 unsigned char seckey[300]; int seckeylen = 300;
1146 CHECK(secp256k1_ec_privkey_export(privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
1147 unsigned char privkey2[32];
1148 CHECK(secp256k1_ec_privkey_import(privkey2, seckey, seckeylen) == 1);
1149 CHECK(memcmp(privkey, privkey2, 32) == 0);
1151 /* Optionally tweak the keys using addition. */
1152 if (secp256k1_rand32() % 3 == 0) {
1153 unsigned char rnd[32];
1154 secp256k1_rand256_test(rnd);
1155 int ret1 = secp256k1_ec_privkey_tweak_add(privkey, rnd);
1156 int ret2 = secp256k1_ec_pubkey_tweak_add(pubkey, pubkeylen, rnd);
1157 CHECK(ret1 == ret2);
1158 if (ret1 == 0) return;
1159 unsigned char pubkey2[65]; int pubkeylen2 = 65;
1160 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
1161 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
1164 /* Optionally tweak the keys using multiplication. */
1165 if (secp256k1_rand32() % 3 == 0) {
1166 unsigned char rnd[32];
1167 secp256k1_rand256_test(rnd);
1168 int ret1 = secp256k1_ec_privkey_tweak_mul(privkey, rnd);
1169 int ret2 = secp256k1_ec_pubkey_tweak_mul(pubkey, pubkeylen, rnd);
1170 CHECK(ret1 == ret2);
1171 if (ret1 == 0) return;
1172 unsigned char pubkey2[65]; int pubkeylen2 = 65;
1173 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
1174 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
1178 unsigned char signature[72]; int signaturelen = 72;
1179 CHECK(secp256k1_ecdsa_sign(message, signature, &signaturelen, privkey, NULL, NULL) == 1);
1181 CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) == 1);
1182 /* Destroy signature and verify again. */
1183 signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
1184 CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) != 1);
1187 unsigned char csignature[64]; int recid = 0;
1188 CHECK(secp256k1_ecdsa_sign_compact(message, csignature, privkey, NULL, NULL, &recid) == 1);
1190 unsigned char recpubkey[65]; int recpubkeylen = 0;
1191 CHECK(secp256k1_ecdsa_recover_compact(message, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) == 1);
1192 CHECK(recpubkeylen == pubkeylen);
1193 CHECK(memcmp(pubkey, recpubkey, pubkeylen) == 0);
1194 /* Destroy signature and verify again. */
1195 csignature[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
1196 CHECK(secp256k1_ecdsa_recover_compact(message, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) != 1 ||
1197 memcmp(pubkey, recpubkey, pubkeylen) != 0);
1198 CHECK(recpubkeylen == pubkeylen);
1202 void test_random_pubkeys(void) {
1203 unsigned char in[65];
1204 /* Generate some randomly sized pubkeys. */
1205 uint32_t r = secp256k1_rand32();
1206 int len = (r & 3) == 0 ? 65 : 33;
1208 if ((r & 3) == 0) len = (r & 252) >> 3;
1211 in[0] = (r & 2) ? 4 : (r & 1? 6 : 7);
1213 in[0] = (r & 1) ? 2 : 3;
1216 if ((r & 7) == 0) in[0] = (r & 2040) >> 3;
1218 if (len > 1) secp256k1_rand256(&in[1]);
1219 if (len > 33) secp256k1_rand256(&in[33]);
1220 secp256k1_ge_t elem;
1221 secp256k1_ge_t elem2;
1222 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
1223 unsigned char out[65];
1224 unsigned char firstb;
1228 /* If the pubkey can be parsed, it should round-trip... */
1229 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
1231 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
1232 /* ... except for the type of hybrid inputs. */
1233 if ((in[0] != 6) && (in[0] != 7)) CHECK(in[0] == out[0]);
1235 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
1237 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
1238 ge_equals_ge(&elem,&elem2);
1239 /* Check that the X9.62 hybrid type is checked. */
1240 in[0] = (r & 1) ? 6 : 7;
1241 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
1242 if (firstb == 2 || firstb == 3) {
1243 if (in[0] == firstb + 4) CHECK(res);
1247 ge_equals_ge(&elem,&elem2);
1248 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
1249 CHECK(memcmp(&in[1], &out[1], 64) == 0);
1254 void run_random_pubkeys(void) {
1255 for (int i=0; i<10*count; i++) {
1256 test_random_pubkeys();
1260 void run_ecdsa_end_to_end(void) {
1261 for (int i=0; i<64*count; i++) {
1262 test_ecdsa_end_to_end();
1266 /* Tests several edge cases. */
1267 void test_ecdsa_edge_cases(void) {
1268 const unsigned char msg32[32] = {
1269 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
1270 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
1271 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
1272 's', 's', 'a', 'g', 'e', '.', '.', '.'
1274 const unsigned char sig64[64] = {
1275 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
1276 * and secret key 0 (which is not valid), resulting in recid 0. */
1277 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
1278 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
1279 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
1280 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
1281 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
1282 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
1283 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
1284 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
1286 unsigned char pubkey[65];
1288 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 0));
1289 CHECK(secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 1));
1290 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 2));
1291 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 3));
1293 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
1294 const unsigned char sigb64[64] = {
1295 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1300 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1304 unsigned char pubkeyb[33];
1305 int pubkeyblen = 33;
1306 for (int recid = 0; recid < 4; recid++) {
1307 /* (4,4) encoded in DER. */
1308 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
1309 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
1310 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
1311 unsigned char sigbderalt1[39] = {
1312 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1316 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1318 unsigned char sigbderalt2[39] = {
1319 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
1320 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1321 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1325 unsigned char sigbderalt3[40] = {
1326 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
1327 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1332 unsigned char sigbderalt4[40] = {
1333 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
1334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1339 /* (order + r,4) encoded in DER. */
1340 unsigned char sigbderlong[40] = {
1341 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
1342 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1343 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
1344 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
1345 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
1347 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigb64, pubkeyb, &pubkeyblen, 1, recid));
1348 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 1);
1349 for (int recid2 = 0; recid2 < 4; recid2++) {
1350 unsigned char pubkey2b[33];
1351 int pubkey2blen = 33;
1352 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigb64, pubkey2b, &pubkey2blen, 1, recid2));
1353 /* Verifying with (order + r,4) should always fail. */
1354 CHECK(secp256k1_ecdsa_verify(msg32, sigbderlong, sizeof(sigbderlong), pubkey2b, pubkey2blen) != 1);
1356 /* DER parsing tests. */
1357 /* Zero length r/s. */
1358 CHECK(secp256k1_ecdsa_verify(msg32, sigcder_zr, sizeof(sigcder_zr), pubkeyb, pubkeyblen) == -2);
1359 CHECK(secp256k1_ecdsa_verify(msg32, sigcder_zs, sizeof(sigcder_zs), pubkeyb, pubkeyblen) == -2);
1360 /* Leading zeros. */
1361 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt1, sizeof(sigbderalt1), pubkeyb, pubkeyblen) == 1);
1362 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt2, sizeof(sigbderalt2), pubkeyb, pubkeyblen) == 1);
1363 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt3, sizeof(sigbderalt3), pubkeyb, pubkeyblen) == 1);
1364 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt4, sizeof(sigbderalt4), pubkeyb, pubkeyblen) == 1);
1366 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt3, sizeof(sigbderalt3), pubkeyb, pubkeyblen) == -2);
1368 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt4, sizeof(sigbderalt4), pubkeyb, pubkeyblen) == -2);
1369 /* Damage signature. */
1371 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 0);
1373 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, 6, pubkeyb, pubkeyblen) == -2);
1374 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder)-1, pubkeyb, pubkeyblen) == -2);
1375 for(int i = 0; i<8; i++) {
1376 unsigned char orig = sigbder[i];
1377 /*Try every single-byte change.*/
1378 for (int c=0; c<256; c++) {
1379 if (c == orig ) continue;
1381 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) ==
1382 (i==4 || i==7) ? 0 : -2 );
1388 /* Test the case where ECDSA recomputes a point that is infinity. */
1390 secp256k1_ecdsa_sig_t sig;
1391 secp256k1_scalar_set_int(&sig.s, 1);
1392 secp256k1_scalar_negate(&sig.s, &sig.s);
1393 secp256k1_scalar_inverse(&sig.s, &sig.s);
1394 secp256k1_scalar_set_int(&sig.r, 1);
1395 secp256k1_gej_t keyj;
1396 secp256k1_ecmult_gen(&keyj, &sig.r);
1398 secp256k1_ge_set_gej(&key, &keyj);
1399 secp256k1_scalar_t msg = sig.s;
1400 CHECK(secp256k1_ecdsa_sig_verify(&sig, &key, &msg) == 0);
1403 /* Test r/s equal to zero */
1405 /* (1,1) encoded in DER. */
1406 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
1407 unsigned char sigc64[64] = {
1408 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1409 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1417 unsigned char pubkeyc[65];
1418 int pubkeyclen = 65;
1419 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyc, &pubkeyclen, 0, 0) == 1);
1420 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 1);
1423 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1424 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
1429 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1430 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
1433 /*Signature where s would be zero.*/
1435 const unsigned char nonce[32] = {
1436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1441 const unsigned char key[32] = {
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1447 unsigned char msg[32] = {
1448 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
1449 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
1450 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
1451 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
1453 unsigned char sig[72];
1455 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) == 0);
1458 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) == 1);
1460 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) != 1);
1463 /* Privkey export where pubkey is the point at infinity. */
1465 unsigned char privkey[300];
1466 unsigned char seckey[32] = {
1467 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1468 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1469 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1470 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
1473 CHECK(!secp256k1_ec_privkey_export(seckey, privkey, &outlen, 0));
1474 CHECK(!secp256k1_ec_privkey_export(seckey, privkey, &outlen, 1));
1478 void run_ecdsa_edge_cases(void) {
1479 test_ecdsa_edge_cases();
1482 #ifdef ENABLE_OPENSSL_TESTS
1483 EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
1484 unsigned char privkey[300];
1486 int compr = secp256k1_rand32() & 1;
1487 const unsigned char* pbegin = privkey;
1488 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
1489 CHECK(secp256k1_eckey_privkey_serialize(privkey, &privkeylen, key, compr));
1490 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
1491 CHECK(EC_KEY_check_key(ec_key));
1495 void test_ecdsa_openssl(void) {
1496 secp256k1_scalar_t key, msg;
1497 unsigned char message[32];
1498 secp256k1_rand256_test(message);
1499 secp256k1_scalar_set_b32(&msg, message, NULL);
1500 random_scalar_order_test(&key);
1502 secp256k1_ecmult_gen(&qj, &key);
1504 secp256k1_ge_set_gej(&q, &qj);
1505 EC_KEY *ec_key = get_openssl_key(&key);
1507 unsigned char signature[80];
1508 unsigned int sigsize = 80;
1509 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
1510 secp256k1_ecdsa_sig_t sig;
1511 CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
1512 CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
1513 secp256k1_scalar_t one;
1514 secp256k1_scalar_set_int(&one, 1);
1515 secp256k1_scalar_t msg2;
1516 secp256k1_scalar_add(&msg2, &msg, &one);
1517 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg2));
1519 random_sign(&sig, &key, &msg, NULL);
1520 int secp_sigsize = 80;
1521 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sig));
1522 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
1524 EC_KEY_free(ec_key);
1527 void run_ecdsa_openssl(void) {
1528 for (int i=0; i<10*count; i++) {
1529 test_ecdsa_openssl();
1534 int main(int argc, char **argv) {
1535 /* find iteration count */
1537 count = strtol(argv[1], NULL, 0);
1540 /* find random seed */
1543 seed = strtoull(argv[2], NULL, 0);
1545 FILE *frand = fopen("/dev/urandom", "r");
1546 if (!frand || !fread(&seed, sizeof(seed), 1, frand)) {
1547 seed = time(NULL) * 1337;
1551 secp256k1_rand_seed(seed);
1553 printf("test count = %i\n", count);
1554 printf("random seed = %llu\n", (unsigned long long)seed);
1557 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1559 /* initializing a second time shouldn't cause any harm or memory leaks. */
1560 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1562 /* Likewise, re-running the internal init functions should be harmless. */
1563 secp256k1_fe_start();
1564 secp256k1_ge_start();
1565 secp256k1_scalar_start();
1566 secp256k1_ecdsa_start();
1569 run_hmac_sha256_tests();
1570 run_rfc6979_hmac_sha256_tests();
1572 #ifndef USE_NUM_NONE
1574 run_num_smalltests();
1582 run_field_inv_var();
1583 run_field_inv_all_var();
1593 run_point_times_order();
1597 run_random_pubkeys();
1598 run_ecdsa_sign_verify();
1599 run_ecdsa_end_to_end();
1600 run_ecdsa_edge_cases();
1601 #ifdef ENABLE_OPENSSL_TESTS
1602 run_ecdsa_openssl();
1605 printf("random run = %llu\n", (unsigned long long)secp256k1_rand32() + ((unsigned long long)secp256k1_rand32() << 32));
1610 /* shutting down twice shouldn't cause any double frees. */
1613 /* Same for the internal shutdown functions. */
1614 secp256k1_fe_stop();
1615 secp256k1_ge_stop();
1616 secp256k1_scalar_stop();
1617 secp256k1_ecdsa_stop();
projects / secp256k1.git / blob