1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
166 /*** clone and destroy all of them to make sure cloning was complete ***/
168 secp256k1_context *ctx_tmp;
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
188 /* Verify context-type checking illegal-argument errors. */
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
223 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
225 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
226 CHECK(ecount2 == 14);
227 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
228 CHECK(ecount2 == 14);
229 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
230 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
232 /* This shouldn't leak memory, due to already-set tests. */
233 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
234 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
236 /* obtain a working nonce */
238 random_scalar_order_test(&nonce);
239 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
242 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
243 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
246 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
247 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
250 secp256k1_context_destroy(none);
251 secp256k1_context_destroy(sign);
252 secp256k1_context_destroy(vrfy);
253 secp256k1_context_destroy(both);
254 /* Defined as no-op. */
255 secp256k1_context_destroy(NULL);
258 void run_scratch_tests(void) {
260 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
261 secp256k1_scratch_space *scratch;
263 /* Test public API */
264 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
266 scratch = secp256k1_scratch_space_create(none, 1000);
267 CHECK(scratch != NULL);
270 /* Test internal API */
271 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
272 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
274 /* Allocating 500 bytes with no frame fails */
275 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
276 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
278 /* ...but pushing a new stack frame does affect the max allocation */
279 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
280 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
281 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
282 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
284 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
286 /* ...and this effect is undone by popping the frame */
287 secp256k1_scratch_deallocate_frame(scratch);
288 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
289 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
292 secp256k1_scratch_space_destroy(scratch);
293 secp256k1_context_destroy(none);
296 /***** HASH TESTS *****/
298 void run_sha256_tests(void) {
299 static const char *inputs[8] = {
300 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
301 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
302 "For this sample, this 63-byte string will be used as input data",
303 "This is exactly 64 bytes long, not counting the terminating byte"
305 static const unsigned char outputs[8][32] = {
306 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
307 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
308 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
309 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
310 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
311 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
312 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
313 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
316 for (i = 0; i < 8; i++) {
317 unsigned char out[32];
318 secp256k1_sha256 hasher;
319 secp256k1_sha256_initialize(&hasher);
320 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
321 secp256k1_sha256_finalize(&hasher, out);
322 CHECK(memcmp(out, outputs[i], 32) == 0);
323 if (strlen(inputs[i]) > 0) {
324 int split = secp256k1_rand_int(strlen(inputs[i]));
325 secp256k1_sha256_initialize(&hasher);
326 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
327 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
328 secp256k1_sha256_finalize(&hasher, out);
329 CHECK(memcmp(out, outputs[i], 32) == 0);
334 void run_hmac_sha256_tests(void) {
335 static const char *keys[6] = {
336 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
338 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
339 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
340 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
341 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
343 static const char *inputs[6] = {
344 "\x48\x69\x20\x54\x68\x65\x72\x65",
345 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
346 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
347 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
348 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
349 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
351 static const unsigned char outputs[6][32] = {
352 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
353 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
354 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
355 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
356 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
357 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
360 for (i = 0; i < 6; i++) {
361 secp256k1_hmac_sha256 hasher;
362 unsigned char out[32];
363 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
364 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
365 secp256k1_hmac_sha256_finalize(&hasher, out);
366 CHECK(memcmp(out, outputs[i], 32) == 0);
367 if (strlen(inputs[i]) > 0) {
368 int split = secp256k1_rand_int(strlen(inputs[i]));
369 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
370 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
371 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
372 secp256k1_hmac_sha256_finalize(&hasher, out);
373 CHECK(memcmp(out, outputs[i], 32) == 0);
378 void run_rfc6979_hmac_sha256_tests(void) {
379 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
380 static const unsigned char out1[3][32] = {
381 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
382 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
383 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
386 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
387 static const unsigned char out2[3][32] = {
388 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
389 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
390 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
393 secp256k1_rfc6979_hmac_sha256 rng;
394 unsigned char out[32];
397 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
398 for (i = 0; i < 3; i++) {
399 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
400 CHECK(memcmp(out, out1[i], 32) == 0);
402 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
404 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
405 for (i = 0; i < 3; i++) {
406 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
407 CHECK(memcmp(out, out1[i], 32) != 0);
409 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
411 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
412 for (i = 0; i < 3; i++) {
413 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
414 CHECK(memcmp(out, out2[i], 32) == 0);
416 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
419 /***** RANDOM TESTS *****/
421 void test_rand_bits(int rand32, int bits) {
422 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
423 * get a false negative chance below once in a billion */
424 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
425 /* We try multiplying the results with various odd numbers, which shouldn't
426 * influence the uniform distribution modulo a power of 2. */
427 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
428 /* We only select up to 6 bits from the output to analyse */
429 unsigned int usebits = bits > 6 ? 6 : bits;
430 unsigned int maxshift = bits - usebits;
431 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
432 number, track all observed outcomes, one per bit in a uint64_t. */
433 uint64_t x[6][27] = {{0}};
434 unsigned int i, shift, m;
435 /* Multiply the output of all rand calls with the odd number m, which
436 should not change the uniformity of its distribution. */
437 for (i = 0; i < rounds[usebits]; i++) {
438 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
439 CHECK((((uint64_t)r) >> bits) == 0);
440 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
441 uint32_t rm = r * mults[m];
442 for (shift = 0; shift <= maxshift; shift++) {
443 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
447 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
448 for (shift = 0; shift <= maxshift; shift++) {
449 /* Test that the lower usebits bits of x[shift] are 1 */
450 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
455 /* Subrange must be a whole divisor of range, and at most 64 */
456 void test_rand_int(uint32_t range, uint32_t subrange) {
457 /* (1-1/subrange)^rounds < 1/10^9 */
458 int rounds = (subrange * 2073) / 100;
461 CHECK((range % subrange) == 0);
462 for (i = 0; i < rounds; i++) {
463 uint32_t r = secp256k1_rand_int(range);
466 x |= (((uint64_t)1) << r);
468 /* Test that the lower subrange bits of x are 1. */
469 CHECK(((~x) << (64 - subrange)) == 0);
472 void run_rand_bits(void) {
474 test_rand_bits(1, 32);
475 for (b = 1; b <= 32; b++) {
476 test_rand_bits(0, b);
480 void run_rand_int(void) {
481 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
482 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
484 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
485 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
486 test_rand_int(ms[m] * ss[s], ss[s]);
491 /***** NUM TESTS *****/
494 void random_num_negate(secp256k1_num *num) {
495 if (secp256k1_rand_bits(1)) {
496 secp256k1_num_negate(num);
500 void random_num_order_test(secp256k1_num *num) {
502 random_scalar_order_test(&sc);
503 secp256k1_scalar_get_num(num, &sc);
506 void random_num_order(secp256k1_num *num) {
508 random_scalar_order(&sc);
509 secp256k1_scalar_get_num(num, &sc);
512 void test_num_negate(void) {
515 random_num_order_test(&n1); /* n1 = R */
516 random_num_negate(&n1);
517 secp256k1_num_copy(&n2, &n1); /* n2 = R */
518 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
519 CHECK(secp256k1_num_is_zero(&n1));
520 secp256k1_num_copy(&n1, &n2); /* n1 = R */
521 secp256k1_num_negate(&n1); /* n1 = -R */
522 CHECK(!secp256k1_num_is_zero(&n1));
523 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
524 CHECK(secp256k1_num_is_zero(&n1));
525 secp256k1_num_copy(&n1, &n2); /* n1 = R */
526 secp256k1_num_negate(&n1); /* n1 = -R */
527 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
528 secp256k1_num_negate(&n1); /* n1 = R */
529 CHECK(secp256k1_num_eq(&n1, &n2));
532 void test_num_add_sub(void) {
537 secp256k1_num n1p2, n2p1, n1m2, n2m1;
538 random_num_order_test(&n1); /* n1 = R1 */
539 if (secp256k1_rand_bits(1)) {
540 random_num_negate(&n1);
542 random_num_order_test(&n2); /* n2 = R2 */
543 if (secp256k1_rand_bits(1)) {
544 random_num_negate(&n2);
546 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
547 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
548 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
549 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
550 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
551 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
552 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
553 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
554 CHECK(!secp256k1_num_eq(&n2m1, &n1));
555 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
556 CHECK(secp256k1_num_eq(&n2m1, &n1));
557 CHECK(!secp256k1_num_eq(&n2p1, &n1));
558 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
559 CHECK(secp256k1_num_eq(&n2p1, &n1));
562 secp256k1_scalar_set_int(&s, 1);
563 secp256k1_scalar_get_num(&n1, &s);
564 CHECK(secp256k1_num_is_one(&n1));
565 /* check that 2^n + 1 is never 1 */
566 secp256k1_scalar_get_num(&n2, &s);
567 for (i = 0; i < 250; ++i) {
568 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
569 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
570 CHECK(!secp256k1_num_is_one(&n1p2));
574 void test_num_mod(void) {
577 secp256k1_num order, n;
579 /* check that 0 mod anything is 0 */
580 random_scalar_order_test(&s);
581 secp256k1_scalar_get_num(&order, &s);
582 secp256k1_scalar_set_int(&s, 0);
583 secp256k1_scalar_get_num(&n, &s);
584 secp256k1_num_mod(&n, &order);
585 CHECK(secp256k1_num_is_zero(&n));
587 /* check that anything mod 1 is 0 */
588 secp256k1_scalar_set_int(&s, 1);
589 secp256k1_scalar_get_num(&order, &s);
590 secp256k1_scalar_get_num(&n, &s);
591 secp256k1_num_mod(&n, &order);
592 CHECK(secp256k1_num_is_zero(&n));
594 /* check that increasing the number past 2^256 does not break this */
595 random_scalar_order_test(&s);
596 secp256k1_scalar_get_num(&n, &s);
597 /* multiply by 2^8, which'll test this case with high probability */
598 for (i = 0; i < 8; ++i) {
599 secp256k1_num_add(&n, &n, &n);
601 secp256k1_num_mod(&n, &order);
602 CHECK(secp256k1_num_is_zero(&n));
605 void test_num_jacobi(void) {
606 secp256k1_scalar sqr;
607 secp256k1_scalar small;
608 secp256k1_scalar five; /* five is not a quadratic residue */
609 secp256k1_num order, n;
611 /* squares mod 5 are 1, 4 */
612 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
614 /* check some small values with 5 as the order */
615 secp256k1_scalar_set_int(&five, 5);
616 secp256k1_scalar_get_num(&order, &five);
617 for (i = 0; i < 10; ++i) {
618 secp256k1_scalar_set_int(&small, i);
619 secp256k1_scalar_get_num(&n, &small);
620 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
623 /** test large values with 5 as group order */
624 secp256k1_scalar_get_num(&order, &five);
625 /* we first need a scalar which is not a multiple of 5 */
628 random_scalar_order_test(&sqr);
629 secp256k1_scalar_get_num(&fiven, &five);
630 secp256k1_scalar_get_num(&n, &sqr);
631 secp256k1_num_mod(&n, &fiven);
632 } while (secp256k1_num_is_zero(&n));
633 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
634 * just multiply by two, i.e. add the number to itself */
635 if (secp256k1_num_jacobi(&n, &order) == -1) {
636 secp256k1_num_add(&n, &n, &n);
640 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
641 /* test nonresidue */
642 secp256k1_num_add(&n, &n, &n);
643 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
645 /** test with secp group order as order */
646 secp256k1_scalar_order_get_num(&order);
647 random_scalar_order_test(&sqr);
648 secp256k1_scalar_sqr(&sqr, &sqr);
650 secp256k1_scalar_get_num(&n, &sqr);
651 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
652 /* test nonresidue */
653 secp256k1_scalar_mul(&sqr, &sqr, &five);
654 secp256k1_scalar_get_num(&n, &sqr);
655 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
656 /* test multiple of the order*/
657 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
659 /* check one less than the order */
660 secp256k1_scalar_set_int(&small, 1);
661 secp256k1_scalar_get_num(&n, &small);
662 secp256k1_num_sub(&n, &order, &n);
663 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
666 void run_num_smalltests(void) {
668 for (i = 0; i < 100*count; i++) {
677 /***** SCALAR TESTS *****/
679 void scalar_test(void) {
684 secp256k1_num snum, s1num, s2num;
685 secp256k1_num order, half_order;
689 /* Set 's' to a random scalar, with value 'snum'. */
690 random_scalar_order_test(&s);
692 /* Set 's1' to a random scalar, with value 's1num'. */
693 random_scalar_order_test(&s1);
695 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
696 random_scalar_order_test(&s2);
697 secp256k1_scalar_get_b32(c, &s2);
700 secp256k1_scalar_get_num(&snum, &s);
701 secp256k1_scalar_get_num(&s1num, &s1);
702 secp256k1_scalar_get_num(&s2num, &s2);
704 secp256k1_scalar_order_get_num(&order);
706 secp256k1_num_shift(&half_order, 1);
711 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
713 secp256k1_scalar_set_int(&n, 0);
714 for (i = 0; i < 256; i += 4) {
717 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
718 for (j = 0; j < 4; j++) {
719 secp256k1_scalar_add(&n, &n, &n);
721 secp256k1_scalar_add(&n, &n, &t);
723 CHECK(secp256k1_scalar_eq(&n, &s));
727 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
730 secp256k1_scalar_set_int(&n, 0);
734 int now = secp256k1_rand_int(15) + 1;
738 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
739 for (j = 0; j < now; j++) {
740 secp256k1_scalar_add(&n, &n, &n);
742 secp256k1_scalar_add(&n, &n, &t);
745 CHECK(secp256k1_scalar_eq(&n, &s));
750 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
754 secp256k1_num_add(&rnum, &snum, &s2num);
755 secp256k1_num_mod(&rnum, &order);
756 secp256k1_scalar_add(&r, &s, &s2);
757 secp256k1_scalar_get_num(&r2num, &r);
758 CHECK(secp256k1_num_eq(&rnum, &r2num));
762 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
766 secp256k1_num_mul(&rnum, &snum, &s2num);
767 secp256k1_num_mod(&rnum, &order);
768 secp256k1_scalar_mul(&r, &s, &s2);
769 secp256k1_scalar_get_num(&r2num, &r);
770 CHECK(secp256k1_num_eq(&rnum, &r2num));
771 /* The result can only be zero if at least one of the factors was zero. */
772 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
773 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
774 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
775 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
779 secp256k1_scalar neg;
780 secp256k1_num negnum;
781 secp256k1_num negnum2;
782 /* Check that comparison with zero matches comparison with zero on the number. */
783 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
784 /* Check that comparison with the half order is equal to testing for high scalar. */
785 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
786 secp256k1_scalar_negate(&neg, &s);
787 secp256k1_num_sub(&negnum, &order, &snum);
788 secp256k1_num_mod(&negnum, &order);
789 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
790 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
791 /* Negating should change the high property, unless the value was already zero. */
792 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
793 secp256k1_scalar_get_num(&negnum2, &neg);
794 /* Negating a scalar should be equal to (order - n) mod order on the number. */
795 CHECK(secp256k1_num_eq(&negnum, &negnum2));
796 secp256k1_scalar_add(&neg, &neg, &s);
797 /* Adding a number to its negation should result in zero. */
798 CHECK(secp256k1_scalar_is_zero(&neg));
799 secp256k1_scalar_negate(&neg, &neg);
800 /* Negating zero should still result in zero. */
801 CHECK(secp256k1_scalar_is_zero(&neg));
805 /* Test secp256k1_scalar_mul_shift_var. */
810 unsigned char cone[1] = {0x01};
811 unsigned int shift = 256 + secp256k1_rand_int(257);
812 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
813 secp256k1_num_mul(&rnum, &s1num, &s2num);
814 secp256k1_num_shift(&rnum, shift - 1);
815 secp256k1_num_set_bin(&one, cone, 1);
816 secp256k1_num_add(&rnum, &rnum, &one);
817 secp256k1_num_shift(&rnum, 1);
818 secp256k1_scalar_get_num(&rnum2, &r);
819 CHECK(secp256k1_num_eq(&rnum, &rnum2));
823 /* test secp256k1_scalar_shr_int */
826 random_scalar_order_test(&r);
827 for (i = 0; i < 100; ++i) {
829 int shift = 1 + secp256k1_rand_int(15);
830 int expected = r.d[0] % (1 << shift);
831 low = secp256k1_scalar_shr_int(&r, shift);
832 CHECK(expected == low);
838 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
839 if (!secp256k1_scalar_is_zero(&s)) {
840 secp256k1_scalar inv;
842 secp256k1_num invnum;
843 secp256k1_num invnum2;
845 secp256k1_scalar_inverse(&inv, &s);
847 secp256k1_num_mod_inverse(&invnum, &snum, &order);
848 secp256k1_scalar_get_num(&invnum2, &inv);
849 CHECK(secp256k1_num_eq(&invnum, &invnum2));
851 secp256k1_scalar_mul(&inv, &inv, &s);
852 /* Multiplying a scalar with its inverse must result in one. */
853 CHECK(secp256k1_scalar_is_one(&inv));
854 secp256k1_scalar_inverse(&inv, &inv);
855 /* Inverting one must result in one. */
856 CHECK(secp256k1_scalar_is_one(&inv));
858 secp256k1_scalar_get_num(&invnum, &inv);
859 CHECK(secp256k1_num_is_one(&invnum));
865 /* Test commutativity of add. */
866 secp256k1_scalar r1, r2;
867 secp256k1_scalar_add(&r1, &s1, &s2);
868 secp256k1_scalar_add(&r2, &s2, &s1);
869 CHECK(secp256k1_scalar_eq(&r1, &r2));
873 secp256k1_scalar r1, r2;
877 int bit = secp256k1_rand_bits(8);
878 secp256k1_scalar_set_int(&b, 1);
879 CHECK(secp256k1_scalar_is_one(&b));
880 for (i = 0; i < bit; i++) {
881 secp256k1_scalar_add(&b, &b, &b);
885 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
886 /* No overflow happened. */
887 secp256k1_scalar_cadd_bit(&r2, bit, 1);
888 CHECK(secp256k1_scalar_eq(&r1, &r2));
889 /* cadd is a noop when flag is zero */
890 secp256k1_scalar_cadd_bit(&r2, bit, 0);
891 CHECK(secp256k1_scalar_eq(&r1, &r2));
896 /* Test commutativity of mul. */
897 secp256k1_scalar r1, r2;
898 secp256k1_scalar_mul(&r1, &s1, &s2);
899 secp256k1_scalar_mul(&r2, &s2, &s1);
900 CHECK(secp256k1_scalar_eq(&r1, &r2));
904 /* Test associativity of add. */
905 secp256k1_scalar r1, r2;
906 secp256k1_scalar_add(&r1, &s1, &s2);
907 secp256k1_scalar_add(&r1, &r1, &s);
908 secp256k1_scalar_add(&r2, &s2, &s);
909 secp256k1_scalar_add(&r2, &s1, &r2);
910 CHECK(secp256k1_scalar_eq(&r1, &r2));
914 /* Test associativity of mul. */
915 secp256k1_scalar r1, r2;
916 secp256k1_scalar_mul(&r1, &s1, &s2);
917 secp256k1_scalar_mul(&r1, &r1, &s);
918 secp256k1_scalar_mul(&r2, &s2, &s);
919 secp256k1_scalar_mul(&r2, &s1, &r2);
920 CHECK(secp256k1_scalar_eq(&r1, &r2));
924 /* Test distributitivity of mul over add. */
925 secp256k1_scalar r1, r2, t;
926 secp256k1_scalar_add(&r1, &s1, &s2);
927 secp256k1_scalar_mul(&r1, &r1, &s);
928 secp256k1_scalar_mul(&r2, &s1, &s);
929 secp256k1_scalar_mul(&t, &s2, &s);
930 secp256k1_scalar_add(&r2, &r2, &t);
931 CHECK(secp256k1_scalar_eq(&r1, &r2));
936 secp256k1_scalar r1, r2;
937 secp256k1_scalar_sqr(&r1, &s1);
938 secp256k1_scalar_mul(&r2, &s1, &s1);
939 CHECK(secp256k1_scalar_eq(&r1, &r2));
943 /* Test multiplicative identity. */
944 secp256k1_scalar r1, v1;
945 secp256k1_scalar_set_int(&v1,1);
946 secp256k1_scalar_mul(&r1, &s1, &v1);
947 CHECK(secp256k1_scalar_eq(&r1, &s1));
951 /* Test additive identity. */
952 secp256k1_scalar r1, v0;
953 secp256k1_scalar_set_int(&v0,0);
954 secp256k1_scalar_add(&r1, &s1, &v0);
955 CHECK(secp256k1_scalar_eq(&r1, &s1));
959 /* Test zero product property. */
960 secp256k1_scalar r1, v0;
961 secp256k1_scalar_set_int(&v0,0);
962 secp256k1_scalar_mul(&r1, &s1, &v0);
963 CHECK(secp256k1_scalar_eq(&r1, &v0));
968 void run_scalar_tests(void) {
970 for (i = 0; i < 128 * count; i++) {
975 /* (-1)+1 should be zero. */
976 secp256k1_scalar s, o;
977 secp256k1_scalar_set_int(&s, 1);
978 CHECK(secp256k1_scalar_is_one(&s));
979 secp256k1_scalar_negate(&o, &s);
980 secp256k1_scalar_add(&o, &o, &s);
981 CHECK(secp256k1_scalar_is_zero(&o));
982 secp256k1_scalar_negate(&o, &o);
983 CHECK(secp256k1_scalar_is_zero(&o));
988 /* A scalar with value of the curve order should be 0. */
990 secp256k1_scalar zero;
991 unsigned char bin[32];
993 secp256k1_scalar_order_get_num(&order);
994 secp256k1_num_get_bin(bin, 32, &order);
995 secp256k1_scalar_set_b32(&zero, bin, &overflow);
996 CHECK(overflow == 1);
997 CHECK(secp256k1_scalar_is_zero(&zero));
1002 /* Does check_overflow check catch all ones? */
1003 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1004 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1005 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1007 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1011 /* Static test vectors.
1012 * These were reduced from ~10^12 random vectors based on comparison-decision
1013 * and edge-case coverage on 32-bit and 64-bit implementations.
1014 * The responses were generated with Sage 5.9.
1019 secp256k1_scalar zz;
1020 secp256k1_scalar one;
1021 secp256k1_scalar r1;
1022 secp256k1_scalar r2;
1023 #if defined(USE_SCALAR_INV_NUM)
1024 secp256k1_scalar zzv;
1027 unsigned char chal[33][2][32] = {
1028 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1029 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1030 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1031 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1032 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1034 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1035 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1036 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1037 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1040 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1042 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1043 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1044 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1045 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1046 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1047 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1048 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1049 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1051 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1052 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1054 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1055 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1056 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1057 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1058 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1059 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1060 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1061 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1062 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1063 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1064 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1065 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1066 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1067 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1068 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1069 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1070 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1071 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1072 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1073 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1074 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1075 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1076 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1077 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1078 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1079 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1080 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1081 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1084 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1085 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1086 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1088 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1089 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1090 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1092 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1093 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1095 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1096 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1097 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1100 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1103 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1104 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1105 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1106 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1107 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1108 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1109 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1110 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1111 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1112 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1115 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1116 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1118 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1119 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1120 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1121 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1122 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1124 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1125 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1127 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1128 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1129 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1130 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1131 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1132 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1133 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1134 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1135 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1136 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1137 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1140 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1141 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1143 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1148 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1151 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1152 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1153 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1154 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1155 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1156 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1157 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1159 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1160 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1164 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1168 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1169 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1171 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1172 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1173 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1174 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1175 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1176 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1178 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1179 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1180 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1181 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1182 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1184 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1185 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1186 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1188 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1192 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1194 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1195 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1196 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1200 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1204 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1208 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1212 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1213 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1214 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1216 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1217 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1220 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1221 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1224 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1228 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1230 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1231 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1238 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1239 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1240 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1241 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1242 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1243 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1244 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1246 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1247 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1248 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1249 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1250 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1251 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1252 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1253 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1256 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1258 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1259 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1260 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1261 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1262 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1264 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1265 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1266 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1267 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1271 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1272 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1273 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1274 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1275 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1276 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1277 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1278 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1279 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1280 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1281 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1282 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1283 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1284 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1288 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1289 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1290 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1291 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1293 unsigned char res[33][2][32] = {
1294 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1295 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1296 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1297 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1298 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1299 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1300 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1301 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1302 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1303 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1304 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1305 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1306 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1307 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1308 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1309 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1310 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1311 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1312 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1313 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1314 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1315 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1316 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1317 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1318 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1319 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1320 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1321 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1322 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1323 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1324 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1325 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1326 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1327 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1328 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1329 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1330 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1331 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1332 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1333 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1334 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1335 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1336 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1337 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1338 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1339 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1340 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1341 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1342 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1343 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1344 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1345 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1346 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1347 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1348 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1349 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1350 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1351 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1352 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1353 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1354 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1355 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1356 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1357 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1358 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1359 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1360 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1361 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1362 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1363 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1364 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1365 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1366 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1367 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1368 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1369 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1370 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1371 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1372 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1373 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1374 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1375 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1376 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1377 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1378 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1379 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1380 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1381 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1382 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1383 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1384 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1385 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1386 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1387 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1388 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1389 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1390 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1391 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1392 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1393 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1394 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1395 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1396 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1397 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1398 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1399 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1400 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1401 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1402 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1403 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1404 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1405 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1406 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1407 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1408 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1409 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1410 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1411 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1412 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1413 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1414 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1415 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1416 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1417 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1418 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1419 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1420 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1421 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1422 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1423 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1424 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1425 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1426 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1427 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1428 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1429 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1430 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1431 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1432 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1433 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1434 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1435 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1436 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1437 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1438 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1439 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1440 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1441 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1442 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1443 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1444 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1445 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1446 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1447 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1448 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1449 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1450 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1451 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1452 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1453 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1454 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1458 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1462 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1466 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1467 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1470 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1474 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1475 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1476 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1477 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1478 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1479 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1480 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1481 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1482 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1483 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1484 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1485 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1486 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1488 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1489 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1490 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1491 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1492 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1493 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1494 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1496 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1497 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1498 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1502 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1503 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1504 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1505 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1506 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1507 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1508 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1509 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1510 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1511 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1512 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1513 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1514 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1515 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1516 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1517 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1518 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1519 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1520 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1521 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1522 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1523 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1524 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1525 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1526 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1527 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1528 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1529 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1530 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1531 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1532 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1533 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1534 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1535 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1536 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1537 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1538 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1539 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1540 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1541 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1542 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1543 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1544 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1545 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1546 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1547 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1548 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1549 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1550 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1554 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1555 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1556 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1557 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1559 secp256k1_scalar_set_int(&one, 1);
1560 for (i = 0; i < 33; i++) {
1561 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1563 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1565 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1567 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1569 secp256k1_scalar_mul(&z, &x, &y);
1570 CHECK(!secp256k1_scalar_check_overflow(&z));
1571 CHECK(secp256k1_scalar_eq(&r1, &z));
1572 if (!secp256k1_scalar_is_zero(&y)) {
1573 secp256k1_scalar_inverse(&zz, &y);
1574 CHECK(!secp256k1_scalar_check_overflow(&zz));
1575 #if defined(USE_SCALAR_INV_NUM)
1576 secp256k1_scalar_inverse_var(&zzv, &y);
1577 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1579 secp256k1_scalar_mul(&z, &z, &zz);
1580 CHECK(!secp256k1_scalar_check_overflow(&z));
1581 CHECK(secp256k1_scalar_eq(&x, &z));
1582 secp256k1_scalar_mul(&zz, &zz, &y);
1583 CHECK(!secp256k1_scalar_check_overflow(&zz));
1584 CHECK(secp256k1_scalar_eq(&one, &zz));
1586 secp256k1_scalar_mul(&z, &x, &x);
1587 CHECK(!secp256k1_scalar_check_overflow(&z));
1588 secp256k1_scalar_sqr(&zz, &x);
1589 CHECK(!secp256k1_scalar_check_overflow(&zz));
1590 CHECK(secp256k1_scalar_eq(&zz, &z));
1591 CHECK(secp256k1_scalar_eq(&r2, &zz));
1596 /***** FIELD TESTS *****/
1598 void random_fe(secp256k1_fe *x) {
1599 unsigned char bin[32];
1601 secp256k1_rand256(bin);
1602 if (secp256k1_fe_set_b32(x, bin)) {
1608 void random_fe_test(secp256k1_fe *x) {
1609 unsigned char bin[32];
1611 secp256k1_rand256_test(bin);
1612 if (secp256k1_fe_set_b32(x, bin)) {
1618 void random_fe_non_zero(secp256k1_fe *nz) {
1620 while (--tries >= 0) {
1622 secp256k1_fe_normalize(nz);
1623 if (!secp256k1_fe_is_zero(nz)) {
1627 /* Infinitesimal probability of spurious failure here */
1631 void random_fe_non_square(secp256k1_fe *ns) {
1633 random_fe_non_zero(ns);
1634 if (secp256k1_fe_sqrt(&r, ns)) {
1635 secp256k1_fe_negate(ns, ns, 1);
1639 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1640 secp256k1_fe an = *a;
1641 secp256k1_fe bn = *b;
1642 secp256k1_fe_normalize_weak(&an);
1643 secp256k1_fe_normalize_var(&bn);
1644 return secp256k1_fe_equal_var(&an, &bn);
1647 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1649 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1650 secp256k1_fe_mul(&x, a, ai);
1651 return check_fe_equal(&x, &one);
1654 void run_field_convert(void) {
1655 static const unsigned char b32[32] = {
1656 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1658 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1659 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1661 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1662 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1665 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1666 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1667 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1670 unsigned char b322[32];
1671 secp256k1_fe_storage fes2;
1672 /* Check conversions to fe. */
1673 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1674 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1675 secp256k1_fe_from_storage(&fe2, &fes);
1676 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1677 /* Check conversion from fe. */
1678 secp256k1_fe_get_b32(b322, &fe);
1679 CHECK(memcmp(b322, b32, 32) == 0);
1680 secp256k1_fe_to_storage(&fes2, &fe);
1681 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1684 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1685 secp256k1_fe t = *b;
1687 t.magnitude = a->magnitude;
1688 t.normalized = a->normalized;
1690 return memcmp(a, &t, sizeof(secp256k1_fe));
1693 void run_field_misc(void) {
1698 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1700 for (i = 0; i < 5*count; i++) {
1701 secp256k1_fe_storage xs, ys, zs;
1703 random_fe_non_zero(&y);
1704 /* Test the fe equality and comparison operations. */
1705 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1706 CHECK(secp256k1_fe_equal_var(&x, &x));
1708 secp256k1_fe_add(&z,&y);
1709 /* Test fe conditional move; z is not normalized here. */
1711 secp256k1_fe_cmov(&x, &z, 0);
1712 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1713 secp256k1_fe_cmov(&x, &x, 1);
1714 CHECK(fe_memcmp(&x, &z) != 0);
1715 CHECK(fe_memcmp(&x, &q) == 0);
1716 secp256k1_fe_cmov(&q, &z, 1);
1717 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1718 CHECK(fe_memcmp(&q, &z) == 0);
1719 secp256k1_fe_normalize_var(&x);
1720 secp256k1_fe_normalize_var(&z);
1721 CHECK(!secp256k1_fe_equal_var(&x, &z));
1722 secp256k1_fe_normalize_var(&q);
1723 secp256k1_fe_cmov(&q, &z, (i&1));
1724 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1725 for (j = 0; j < 6; j++) {
1726 secp256k1_fe_negate(&z, &z, j+1);
1727 secp256k1_fe_normalize_var(&q);
1728 secp256k1_fe_cmov(&q, &z, (j&1));
1729 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1731 secp256k1_fe_normalize_var(&z);
1732 /* Test storage conversion and conditional moves. */
1733 secp256k1_fe_to_storage(&xs, &x);
1734 secp256k1_fe_to_storage(&ys, &y);
1735 secp256k1_fe_to_storage(&zs, &z);
1736 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1737 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1738 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1739 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1740 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1741 secp256k1_fe_from_storage(&x, &xs);
1742 secp256k1_fe_from_storage(&y, &ys);
1743 secp256k1_fe_from_storage(&z, &zs);
1744 /* Test that mul_int, mul, and add agree. */
1745 secp256k1_fe_add(&y, &x);
1746 secp256k1_fe_add(&y, &x);
1748 secp256k1_fe_mul_int(&z, 3);
1749 CHECK(check_fe_equal(&y, &z));
1750 secp256k1_fe_add(&y, &x);
1751 secp256k1_fe_add(&z, &x);
1752 CHECK(check_fe_equal(&z, &y));
1754 secp256k1_fe_mul_int(&z, 5);
1755 secp256k1_fe_mul(&q, &x, &fe5);
1756 CHECK(check_fe_equal(&z, &q));
1757 secp256k1_fe_negate(&x, &x, 1);
1758 secp256k1_fe_add(&z, &x);
1759 secp256k1_fe_add(&q, &x);
1760 CHECK(check_fe_equal(&y, &z));
1761 CHECK(check_fe_equal(&q, &y));
1765 void run_field_inv(void) {
1766 secp256k1_fe x, xi, xii;
1768 for (i = 0; i < 10*count; i++) {
1769 random_fe_non_zero(&x);
1770 secp256k1_fe_inv(&xi, &x);
1771 CHECK(check_fe_inverse(&x, &xi));
1772 secp256k1_fe_inv(&xii, &xi);
1773 CHECK(check_fe_equal(&x, &xii));
1777 void run_field_inv_var(void) {
1778 secp256k1_fe x, xi, xii;
1780 for (i = 0; i < 10*count; i++) {
1781 random_fe_non_zero(&x);
1782 secp256k1_fe_inv_var(&xi, &x);
1783 CHECK(check_fe_inverse(&x, &xi));
1784 secp256k1_fe_inv_var(&xii, &xi);
1785 CHECK(check_fe_equal(&x, &xii));
1789 void run_field_inv_all_var(void) {
1790 secp256k1_fe x[16], xi[16], xii[16];
1792 /* Check it's safe to call for 0 elements */
1793 secp256k1_fe_inv_all_var(xi, x, 0);
1794 for (i = 0; i < count; i++) {
1796 size_t len = secp256k1_rand_int(15) + 1;
1797 for (j = 0; j < len; j++) {
1798 random_fe_non_zero(&x[j]);
1800 secp256k1_fe_inv_all_var(xi, x, len);
1801 for (j = 0; j < len; j++) {
1802 CHECK(check_fe_inverse(&x[j], &xi[j]));
1804 secp256k1_fe_inv_all_var(xii, xi, len);
1805 for (j = 0; j < len; j++) {
1806 CHECK(check_fe_equal(&x[j], &xii[j]));
1811 void run_sqr(void) {
1816 secp256k1_fe_set_int(&x, 1);
1817 secp256k1_fe_negate(&x, &x, 1);
1819 for (i = 1; i <= 512; ++i) {
1820 secp256k1_fe_mul_int(&x, 2);
1821 secp256k1_fe_normalize(&x);
1822 secp256k1_fe_sqr(&s, &x);
1827 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1828 secp256k1_fe r1, r2;
1829 int v = secp256k1_fe_sqrt(&r1, a);
1830 CHECK((v == 0) == (k == NULL));
1833 /* Check that the returned root is +/- the given known answer */
1834 secp256k1_fe_negate(&r2, &r1, 1);
1835 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1836 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1837 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1841 void run_sqrt(void) {
1842 secp256k1_fe ns, x, s, t;
1845 /* Check sqrt(0) is 0 */
1846 secp256k1_fe_set_int(&x, 0);
1847 secp256k1_fe_sqr(&s, &x);
1850 /* Check sqrt of small squares (and their negatives) */
1851 for (i = 1; i <= 100; i++) {
1852 secp256k1_fe_set_int(&x, i);
1853 secp256k1_fe_sqr(&s, &x);
1855 secp256k1_fe_negate(&t, &s, 1);
1856 test_sqrt(&t, NULL);
1859 /* Consistency checks for large random values */
1860 for (i = 0; i < 10; i++) {
1862 random_fe_non_square(&ns);
1863 for (j = 0; j < count; j++) {
1865 secp256k1_fe_sqr(&s, &x);
1867 secp256k1_fe_negate(&t, &s, 1);
1868 test_sqrt(&t, NULL);
1869 secp256k1_fe_mul(&t, &s, &ns);
1870 test_sqrt(&t, NULL);
1875 /***** GROUP TESTS *****/
1877 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1878 CHECK(a->infinity == b->infinity);
1882 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1883 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1886 /* This compares jacobian points including their Z, not just their geometric meaning. */
1887 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1891 ret &= a->infinity == b->infinity;
1892 if (ret && !a->infinity) {
1895 secp256k1_fe_normalize(&a2.x);
1896 secp256k1_fe_normalize(&a2.y);
1897 secp256k1_fe_normalize(&a2.z);
1898 secp256k1_fe_normalize(&b2.x);
1899 secp256k1_fe_normalize(&b2.y);
1900 secp256k1_fe_normalize(&b2.z);
1901 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1902 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1903 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1908 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1910 secp256k1_fe u1, u2, s1, s2;
1911 CHECK(a->infinity == b->infinity);
1915 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1916 secp256k1_fe_sqr(&z2s, &b->z);
1917 secp256k1_fe_mul(&u1, &a->x, &z2s);
1918 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1919 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1920 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1921 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1922 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1925 void test_ge(void) {
1927 #ifdef USE_ENDOMORPHISM
1932 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1933 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1934 * All magnitudes are randomized.
1935 * All 17*17 combinations of points are added to each other, using all applicable methods.
1937 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1939 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1940 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1941 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1943 secp256k1_fe zfi2, zfi3;
1945 secp256k1_gej_set_infinity(&gej[0]);
1946 secp256k1_ge_clear(&ge[0]);
1947 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1948 for (i = 0; i < runs; i++) {
1951 random_group_element_test(&g);
1952 #ifdef USE_ENDOMORPHISM
1953 if (i >= runs - 2) {
1954 secp256k1_ge_mul_lambda(&g, &ge[1]);
1956 if (i >= runs - 1) {
1957 secp256k1_ge_mul_lambda(&g, &g);
1962 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1963 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1964 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1965 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1966 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1967 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1968 for (j = 0; j < 4; j++) {
1969 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1970 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1971 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1972 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1973 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1977 /* Compute z inverses. */
1979 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1980 for (i = 0; i < 4 * runs + 1; i++) {
1982 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1984 random_field_element_test(&zs[i]);
1985 } while(secp256k1_fe_is_zero(&zs[i]));
1990 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1994 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1996 random_field_element_test(&zf);
1997 } while(secp256k1_fe_is_zero(&zf));
1998 random_field_element_magnitude(&zf);
1999 secp256k1_fe_inv_var(&zfi3, &zf);
2000 secp256k1_fe_sqr(&zfi2, &zfi3);
2001 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2003 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2005 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2006 /* Compute reference result using gej + gej (var). */
2007 secp256k1_gej refj, resj;
2010 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2011 /* Check Z ratio. */
2012 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2013 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2014 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2016 secp256k1_ge_set_gej_var(&ref, &refj);
2018 /* Test gej + ge with Z ratio result (var). */
2019 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2020 ge_equals_gej(&ref, &resj);
2021 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2022 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2023 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2026 /* Test gej + ge (var, with additional Z factor). */
2028 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2029 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2030 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2031 random_field_element_magnitude(&ge2_zfi.x);
2032 random_field_element_magnitude(&ge2_zfi.y);
2033 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2034 ge_equals_gej(&ref, &resj);
2037 /* Test gej + ge (const). */
2039 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2040 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2041 ge_equals_gej(&ref, &resj);
2044 /* Test doubling (var). */
2045 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2047 /* Normal doubling with Z ratio result. */
2048 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2049 ge_equals_gej(&ref, &resj);
2050 /* Check Z ratio. */
2051 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2052 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2053 /* Normal doubling. */
2054 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2055 ge_equals_gej(&ref, &resj);
2058 /* Test adding opposites. */
2059 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2060 CHECK(secp256k1_ge_is_infinity(&ref));
2063 /* Test adding infinity. */
2065 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2066 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2067 ge_equals_gej(&ref, &gej[i2]);
2070 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2071 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2072 ge_equals_gej(&ref, &gej[i1]);
2077 /* Test adding all points together in random order equals infinity. */
2079 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2080 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2081 for (i = 0; i < 4 * runs + 1; i++) {
2082 gej_shuffled[i] = gej[i];
2084 for (i = 0; i < 4 * runs + 1; i++) {
2085 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2087 secp256k1_gej t = gej_shuffled[i];
2088 gej_shuffled[i] = gej_shuffled[swap];
2089 gej_shuffled[swap] = t;
2092 for (i = 0; i < 4 * runs + 1; i++) {
2093 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2095 CHECK(secp256k1_gej_is_infinity(&sum));
2099 /* Test batch gej -> ge conversion with and without known z ratios. */
2101 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2102 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2103 for (i = 0; i < 4 * runs + 1; i++) {
2104 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2106 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2109 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2110 for (i = 0; i < 4 * runs + 1; i++) {
2112 random_fe_non_zero(&s);
2113 secp256k1_gej_rescale(&gej[i], &s);
2114 ge_equals_gej(&ge_set_all[i], &gej[i]);
2120 /* Test batch gej -> ge conversion with many infinities. */
2121 for (i = 0; i < 4 * runs + 1; i++) {
2122 random_group_element_test(&ge[i]);
2123 /* randomly set half the points to infinitiy */
2124 if(secp256k1_fe_is_odd(&ge[i].x)) {
2125 secp256k1_ge_set_infinity(&ge[i]);
2127 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2130 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2132 for (i = 0; i < 4 * runs + 1; i++) {
2133 ge_equals_gej(&ge[i], &gej[i]);
2141 void test_add_neg_y_diff_x(void) {
2142 /* The point of this test is to check that we can add two points
2143 * whose y-coordinates are negatives of each other but whose x
2144 * coordinates differ. If the x-coordinates were the same, these
2145 * points would be negatives of each other and their sum is
2146 * infinity. This is cool because it "covers up" any degeneracy
2147 * in the addition algorithm that would cause the xy coordinates
2148 * of the sum to be wrong (since infinity has no xy coordinates).
2149 * HOWEVER, if the x-coordinates are different, infinity is the
2150 * wrong answer, and such degeneracies are exposed. This is the
2151 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2152 * which this test is a regression test for.
2154 * These points were generated in sage as
2155 * # secp256k1 params
2156 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2157 * C = EllipticCurve ([F (0), F (7)])
2158 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2159 * N = FiniteField(G.order())
2161 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2163 * lam = (1 - x^3).roots()[1][0]
2165 * # random "bad pair"
2166 * P = C.random_element()
2168 * print " P: %x %x" % P.xy()
2169 * print " Q: %x %x" % Q.xy()
2170 * print "P + Q: %x %x" % (P + Q).xy()
2172 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2173 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2174 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2175 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2176 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2178 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2179 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2180 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2181 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2182 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2184 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2185 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2186 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2187 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2188 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2193 secp256k1_ge_set_gej(&b, &bj);
2195 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2196 secp256k1_ge_set_gej(&res, &resj);
2197 ge_equals_gej(&res, &sumj);
2199 secp256k1_gej_add_ge(&resj, &aj, &b);
2200 secp256k1_ge_set_gej(&res, &resj);
2201 ge_equals_gej(&res, &sumj);
2203 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2204 secp256k1_ge_set_gej(&res, &resj);
2205 ge_equals_gej(&res, &sumj);
2210 for (i = 0; i < count * 32; i++) {
2213 test_add_neg_y_diff_x();
2216 void test_ec_combine(void) {
2217 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2218 secp256k1_pubkey data[6];
2219 const secp256k1_pubkey* d[6];
2220 secp256k1_pubkey sd;
2221 secp256k1_pubkey sd2;
2225 for (i = 1; i <= 6; i++) {
2227 random_scalar_order_test(&s);
2228 secp256k1_scalar_add(&sum, &sum, &s);
2229 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2230 secp256k1_ge_set_gej(&Q, &Qj);
2231 secp256k1_pubkey_save(&data[i - 1], &Q);
2232 d[i - 1] = &data[i - 1];
2233 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2234 secp256k1_ge_set_gej(&Q, &Qj);
2235 secp256k1_pubkey_save(&sd, &Q);
2236 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2237 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2241 void run_ec_combine(void) {
2243 for (i = 0; i < count * 8; i++) {
2248 void test_group_decompress(const secp256k1_fe* x) {
2249 /* The input itself, normalized. */
2250 secp256k1_fe fex = *x;
2252 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2253 secp256k1_ge ge_quad, ge_even, ge_odd;
2254 secp256k1_gej gej_quad;
2255 /* Return values of the above calls. */
2256 int res_quad, res_even, res_odd;
2258 secp256k1_fe_normalize_var(&fex);
2260 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2261 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2262 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2264 CHECK(res_quad == res_even);
2265 CHECK(res_quad == res_odd);
2268 secp256k1_fe_normalize_var(&ge_quad.x);
2269 secp256k1_fe_normalize_var(&ge_odd.x);
2270 secp256k1_fe_normalize_var(&ge_even.x);
2271 secp256k1_fe_normalize_var(&ge_quad.y);
2272 secp256k1_fe_normalize_var(&ge_odd.y);
2273 secp256k1_fe_normalize_var(&ge_even.y);
2275 /* No infinity allowed. */
2276 CHECK(!ge_quad.infinity);
2277 CHECK(!ge_even.infinity);
2278 CHECK(!ge_odd.infinity);
2280 /* Check that the x coordinates check out. */
2281 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2282 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2283 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2285 /* Check that the Y coordinate result in ge_quad is a square. */
2286 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2288 /* Check odd/even Y in ge_odd, ge_even. */
2289 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2290 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2292 /* Check secp256k1_gej_has_quad_y_var. */
2293 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2294 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2296 random_fe_test(&fez);
2297 } while (secp256k1_fe_is_zero(&fez));
2298 secp256k1_gej_rescale(&gej_quad, &fez);
2299 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2300 secp256k1_gej_neg(&gej_quad, &gej_quad);
2301 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2303 random_fe_test(&fez);
2304 } while (secp256k1_fe_is_zero(&fez));
2305 secp256k1_gej_rescale(&gej_quad, &fez);
2306 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2307 secp256k1_gej_neg(&gej_quad, &gej_quad);
2308 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2312 void run_group_decompress(void) {
2314 for (i = 0; i < count * 4; i++) {
2316 random_fe_test(&fe);
2317 test_group_decompress(&fe);
2321 /***** ECMULT TESTS *****/
2323 void run_ecmult_chain(void) {
2324 /* random starting point A (on the curve) */
2325 secp256k1_gej a = SECP256K1_GEJ_CONST(
2326 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2327 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2328 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2329 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2331 /* two random initial factors xn and gn */
2332 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2333 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2334 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2336 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2337 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2338 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2340 /* two small multipliers to be applied to xn and gn in every iteration: */
2341 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2342 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2343 /* accumulators with the resulting coefficients to A and G */
2344 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2345 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2351 /* the point being computed */
2353 for (i = 0; i < 200*count; i++) {
2354 /* in each iteration, compute X = xn*X + gn*G; */
2355 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2356 /* also compute ae and ge: the actual accumulated factors for A and G */
2357 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2358 secp256k1_scalar_mul(&ae, &ae, &xn);
2359 secp256k1_scalar_mul(&ge, &ge, &xn);
2360 secp256k1_scalar_add(&ge, &ge, &gn);
2361 /* modify xn and gn */
2362 secp256k1_scalar_mul(&xn, &xn, &xf);
2363 secp256k1_scalar_mul(&gn, &gn, &gf);
2367 /* expected result after 19999 iterations */
2368 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2369 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2370 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2371 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2372 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2375 secp256k1_gej_neg(&rp, &rp);
2376 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2377 CHECK(secp256k1_gej_is_infinity(&rp));
2380 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2381 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2382 secp256k1_gej_neg(&x2, &x2);
2383 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2384 CHECK(secp256k1_gej_is_infinity(&x2));
2387 void test_point_times_order(const secp256k1_gej *point) {
2388 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2390 secp256k1_scalar nx;
2391 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2392 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2393 secp256k1_gej res1, res2;
2395 unsigned char pub[65];
2397 random_scalar_order_test(&x);
2398 secp256k1_scalar_negate(&nx, &x);
2399 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2400 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2401 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2402 CHECK(secp256k1_gej_is_infinity(&res1));
2403 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2404 secp256k1_ge_set_gej(&res3, &res1);
2405 CHECK(secp256k1_ge_is_infinity(&res3));
2406 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2407 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2409 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2410 /* check zero/one edge cases */
2411 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2412 secp256k1_ge_set_gej(&res3, &res1);
2413 CHECK(secp256k1_ge_is_infinity(&res3));
2414 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2415 secp256k1_ge_set_gej(&res3, &res1);
2416 ge_equals_gej(&res3, point);
2417 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2418 secp256k1_ge_set_gej(&res3, &res1);
2419 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2422 void run_point_times_order(void) {
2424 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2425 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2426 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2427 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2429 for (i = 0; i < 500; i++) {
2431 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2433 CHECK(secp256k1_ge_is_valid_var(&p));
2434 secp256k1_gej_set_ge(&j, &p);
2435 CHECK(secp256k1_gej_is_valid_var(&j));
2436 test_point_times_order(&j);
2438 secp256k1_fe_sqr(&x, &x);
2440 secp256k1_fe_normalize_var(&x);
2441 CHECK(secp256k1_fe_equal_var(&x, &xr));
2444 void ecmult_const_random_mult(void) {
2445 /* random starting point A (on the curve) */
2446 secp256k1_ge a = SECP256K1_GE_CONST(
2447 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2448 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2449 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2450 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2452 /* random initial factor xn */
2453 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2454 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2455 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2457 /* expected xn * A (from sage) */
2458 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2459 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2460 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2461 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2462 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2465 secp256k1_ecmult_const(&b, &a, &xn, 256);
2467 CHECK(secp256k1_ge_is_valid_var(&a));
2468 ge_equals_gej(&expected_b, &b);
2471 void ecmult_const_commutativity(void) {
2478 random_scalar_order_test(&a);
2479 random_scalar_order_test(&b);
2481 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2482 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2483 secp256k1_ge_set_gej(&mid1, &res1);
2484 secp256k1_ge_set_gej(&mid2, &res2);
2485 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2486 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2487 secp256k1_ge_set_gej(&mid1, &res1);
2488 secp256k1_ge_set_gej(&mid2, &res2);
2489 ge_equals_ge(&mid1, &mid2);
2492 void ecmult_const_mult_zero_one(void) {
2493 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2494 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2495 secp256k1_scalar negone;
2499 secp256k1_scalar_negate(&negone, &one);
2501 random_group_element_test(&point);
2502 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2503 secp256k1_ge_set_gej(&res2, &res1);
2504 CHECK(secp256k1_ge_is_infinity(&res2));
2505 secp256k1_ecmult_const(&res1, &point, &one, 2);
2506 secp256k1_ge_set_gej(&res2, &res1);
2507 ge_equals_ge(&res2, &point);
2508 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2509 secp256k1_gej_neg(&res1, &res1);
2510 secp256k1_ge_set_gej(&res2, &res1);
2511 ge_equals_ge(&res2, &point);
2514 void ecmult_const_chain_multiply(void) {
2515 /* Check known result (randomly generated test problem from sage) */
2516 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2517 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2518 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2520 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2521 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2522 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2523 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2524 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2526 secp256k1_gej point;
2530 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2531 for (i = 0; i < 100; ++i) {
2533 secp256k1_ge_set_gej(&tmp, &point);
2534 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2536 secp256k1_ge_set_gej(&res, &point);
2537 ge_equals_gej(&res, &expected_point);
2540 void run_ecmult_const_tests(void) {
2541 ecmult_const_mult_zero_one();
2542 ecmult_const_random_mult();
2543 ecmult_const_commutativity();
2544 ecmult_const_chain_multiply();
2548 secp256k1_scalar *sc;
2550 } ecmult_multi_data;
2552 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2553 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2554 *sc = data->sc[idx];
2555 *pt = data->pt[idx];
2559 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2567 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2569 secp256k1_scalar szero;
2570 secp256k1_scalar sc[32];
2571 secp256k1_ge pt[32];
2574 ecmult_multi_data data;
2575 secp256k1_scratch *scratch_empty;
2579 secp256k1_scalar_set_int(&szero, 0);
2581 /* No points to multiply */
2582 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2584 /* Check 1- and 2-point multiplies against ecmult */
2585 for (ncount = 0; ncount < count; ncount++) {
2588 random_scalar_order(&sc[0]);
2589 random_scalar_order(&sc[1]);
2591 random_group_element_test(&ptg);
2592 secp256k1_gej_set_ge(&ptgj, &ptg);
2594 pt[1] = secp256k1_ge_const_g;
2597 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2598 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2599 secp256k1_gej_neg(&r2, &r2);
2600 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2601 CHECK(secp256k1_gej_is_infinity(&r));
2604 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2605 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2606 secp256k1_gej_neg(&r2, &r2);
2607 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2608 CHECK(secp256k1_gej_is_infinity(&r));
2610 /* Try to multiply 1 point, but scratch space is empty */
2611 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2612 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2613 secp256k1_scratch_destroy(scratch_empty);
2615 /* Try to multiply 1 point, but callback returns false */
2616 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2619 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2620 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2621 secp256k1_gej_neg(&r2, &r2);
2622 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2623 CHECK(secp256k1_gej_is_infinity(&r));
2625 /* 2-point with G scalar */
2626 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2627 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2628 secp256k1_gej_neg(&r2, &r2);
2629 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2630 CHECK(secp256k1_gej_is_infinity(&r));
2633 /* Check infinite outputs of various forms */
2634 for (ncount = 0; ncount < count; ncount++) {
2637 size_t sizes[] = { 2, 10, 32 };
2639 for (j = 0; j < 3; j++) {
2640 for (i = 0; i < 32; i++) {
2641 random_scalar_order(&sc[i]);
2642 secp256k1_ge_set_infinity(&pt[i]);
2644 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2645 CHECK(secp256k1_gej_is_infinity(&r));
2648 for (j = 0; j < 3; j++) {
2649 for (i = 0; i < 32; i++) {
2650 random_group_element_test(&ptg);
2652 secp256k1_scalar_set_int(&sc[i], 0);
2654 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2655 CHECK(secp256k1_gej_is_infinity(&r));
2658 for (j = 0; j < 3; j++) {
2659 random_group_element_test(&ptg);
2660 for (i = 0; i < 16; i++) {
2661 random_scalar_order(&sc[2*i]);
2662 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2664 pt[2 * i + 1] = ptg;
2667 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2668 CHECK(secp256k1_gej_is_infinity(&r));
2670 random_scalar_order(&sc[0]);
2671 for (i = 0; i < 16; i++) {
2672 random_group_element_test(&ptg);
2677 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2680 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2681 CHECK(secp256k1_gej_is_infinity(&r));
2684 random_group_element_test(&ptg);
2685 secp256k1_scalar_set_int(&sc[0], 0);
2687 for (i = 1; i < 32; i++) {
2690 random_scalar_order(&sc[i]);
2691 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2692 secp256k1_scalar_negate(&sc[i], &sc[i]);
2695 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2696 CHECK(secp256k1_gej_is_infinity(&r));
2699 /* Check random points, constant scalar */
2700 for (ncount = 0; ncount < count; ncount++) {
2702 secp256k1_gej_set_infinity(&r);
2704 random_scalar_order(&sc[0]);
2705 for (i = 0; i < 20; i++) {
2708 random_group_element_test(&ptg);
2710 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2713 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2714 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2715 secp256k1_gej_neg(&r2, &r2);
2716 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2717 CHECK(secp256k1_gej_is_infinity(&r));
2720 /* Check random scalars, constant point */
2721 for (ncount = 0; ncount < count; ncount++) {
2725 secp256k1_scalar rs;
2726 secp256k1_scalar_set_int(&rs, 0);
2728 random_group_element_test(&ptg);
2729 for (i = 0; i < 20; i++) {
2730 random_scalar_order(&sc[i]);
2732 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2735 secp256k1_gej_set_ge(&p0j, &pt[0]);
2736 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2737 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2738 secp256k1_gej_neg(&r2, &r2);
2739 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2740 CHECK(secp256k1_gej_is_infinity(&r));
2743 /* Sanity check that zero scalars don't cause problems */
2744 for (ncount = 0; ncount < 20; ncount++) {
2745 random_scalar_order(&sc[ncount]);
2746 random_group_element_test(&pt[ncount]);
2749 secp256k1_scalar_clear(&sc[0]);
2750 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2751 secp256k1_scalar_clear(&sc[1]);
2752 secp256k1_scalar_clear(&sc[2]);
2753 secp256k1_scalar_clear(&sc[3]);
2754 secp256k1_scalar_clear(&sc[4]);
2755 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2756 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2757 CHECK(secp256k1_gej_is_infinity(&r));
2759 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2761 const size_t TOP = 8;
2767 random_group_element_test(&ptg);
2768 secp256k1_gej_set_ge(&ptgj, &ptg);
2770 for(t0i = 0; t0i < TOP; t0i++) {
2771 for(t1i = 0; t1i < TOP; t1i++) {
2772 secp256k1_gej t0p, t1p;
2773 secp256k1_scalar t0, t1;
2775 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2776 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2777 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2778 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2780 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2781 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2783 for(s0i = 0; s0i < TOP; s0i++) {
2784 for(s1i = 0; s1i < TOP; s1i++) {
2785 secp256k1_scalar tmp1, tmp2;
2786 secp256k1_gej expected, actual;
2788 secp256k1_ge_set_gej(&pt[0], &t0p);
2789 secp256k1_ge_set_gej(&pt[1], &t1p);
2791 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2792 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2793 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2794 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2796 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2797 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2798 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2800 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2801 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2802 secp256k1_gej_neg(&expected, &expected);
2803 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2804 CHECK(secp256k1_gej_is_infinity(&actual));
2812 void test_secp256k1_pippenger_bucket_window_inv(void) {
2815 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2816 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2817 #ifdef USE_ENDOMORPHISM
2818 /* Bucket_window of 8 is not used with endo */
2823 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2824 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2825 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2831 * Probabilistically test the function returning the maximum number of possible points
2832 * for a given scratch space.
2834 void test_ecmult_multi_pippenger_max_points(void) {
2835 size_t scratch_size = secp256k1_rand_int(256);
2836 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2837 secp256k1_scratch *scratch;
2838 size_t n_points_supported;
2839 int bucket_window = 0;
2841 for(; scratch_size < max_size; scratch_size+=256) {
2842 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2843 CHECK(scratch != NULL);
2844 n_points_supported = secp256k1_pippenger_max_points(scratch);
2845 if (n_points_supported == 0) {
2846 secp256k1_scratch_destroy(scratch);
2849 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2850 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2851 secp256k1_scratch_deallocate_frame(scratch);
2852 secp256k1_scratch_destroy(scratch);
2854 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2858 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2859 * 1 <= i <= num points.
2861 void test_ecmult_multi_batching(void) {
2862 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2863 secp256k1_scalar scG;
2864 secp256k1_scalar szero;
2865 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2866 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2869 ecmult_multi_data data;
2871 secp256k1_scratch *scratch;
2873 secp256k1_gej_set_infinity(&r2);
2874 secp256k1_scalar_set_int(&szero, 0);
2876 /* Get random scalars and group elements and compute result */
2877 random_scalar_order(&scG);
2878 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2879 for(i = 0; i < n_points; i++) {
2882 random_group_element_test(&ptg);
2883 secp256k1_gej_set_ge(&ptgj, &ptg);
2885 random_scalar_order(&sc[i]);
2886 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2887 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2892 /* Test with empty scratch space */
2893 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2894 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2895 secp256k1_scratch_destroy(scratch);
2897 /* Test with space for 1 point in pippenger. That's not enough because
2898 * ecmult_multi selects strauss which requires more memory. */
2899 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2900 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2901 secp256k1_scratch_destroy(scratch);
2903 secp256k1_gej_neg(&r2, &r2);
2904 for(i = 1; i <= n_points; i++) {
2905 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2906 int bucket_window = secp256k1_pippenger_bucket_window(i);
2907 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2908 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2910 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2911 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2913 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2914 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2915 CHECK(secp256k1_gej_is_infinity(&r));
2916 secp256k1_scratch_destroy(scratch);
2922 void run_ecmult_multi_tests(void) {
2923 secp256k1_scratch *scratch;
2925 test_secp256k1_pippenger_bucket_window_inv();
2926 test_ecmult_multi_pippenger_max_points();
2927 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2928 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2929 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
2930 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2931 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2932 secp256k1_scratch_destroy(scratch);
2934 /* Run test_ecmult_multi with space for exactly one point */
2935 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2936 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2937 secp256k1_scratch_destroy(scratch);
2939 test_ecmult_multi_batching();
2942 void test_wnaf(const secp256k1_scalar *number, int w) {
2943 secp256k1_scalar x, two, t;
2948 secp256k1_scalar_set_int(&x, 0);
2949 secp256k1_scalar_set_int(&two, 2);
2950 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2952 for (i = bits-1; i >= 0; i--) {
2954 secp256k1_scalar_mul(&x, &x, &two);
2956 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2958 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2959 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2960 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2962 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2966 secp256k1_scalar_set_int(&t, v);
2968 secp256k1_scalar_set_int(&t, -v);
2969 secp256k1_scalar_negate(&t, &t);
2971 secp256k1_scalar_add(&x, &x, &t);
2973 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2976 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2977 secp256k1_scalar neg1 = *number;
2978 secp256k1_scalar neg2 = *number;
2982 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2983 secp256k1_scalar_negate(&neg1, &neg1);
2986 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2987 CHECK(sign1 == sign2);
2988 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2991 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2992 secp256k1_scalar x, shift;
2993 int wnaf[256] = {0};
2997 secp256k1_scalar num = *number;
2999 secp256k1_scalar_set_int(&x, 0);
3000 secp256k1_scalar_set_int(&shift, 1 << w);
3001 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3002 #ifdef USE_ENDOMORPHISM
3003 for (i = 0; i < 16; ++i) {
3004 secp256k1_scalar_shr_int(&num, 8);
3008 skew = secp256k1_wnaf_const(wnaf, num, w, bits);
3010 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3013 CHECK(v != 0); /* check nonzero */
3014 CHECK(v & 1); /* check parity */
3015 CHECK(v > -(1 << w)); /* check range above */
3016 CHECK(v < (1 << w)); /* check range below */
3018 secp256k1_scalar_mul(&x, &x, &shift);
3020 secp256k1_scalar_set_int(&t, v);
3022 secp256k1_scalar_set_int(&t, -v);
3023 secp256k1_scalar_negate(&t, &t);
3025 secp256k1_scalar_add(&x, &x, &t);
3027 /* Skew num because when encoding numbers as odd we use an offset */
3028 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3029 CHECK(secp256k1_scalar_eq(&x, &num));
3032 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3033 secp256k1_scalar x, shift;
3034 int wnaf[256] = {0};
3037 secp256k1_scalar num = *number;
3039 secp256k1_scalar_set_int(&x, 0);
3040 secp256k1_scalar_set_int(&shift, 1 << w);
3041 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3042 #ifdef USE_ENDOMORPHISM
3043 for (i = 0; i < 16; ++i) {
3044 secp256k1_scalar_shr_int(&num, 8);
3047 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3049 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3052 CHECK(v == 0 || v & 1); /* check parity */
3053 CHECK(v > -(1 << w)); /* check range above */
3054 CHECK(v < (1 << w)); /* check range below */
3056 secp256k1_scalar_mul(&x, &x, &shift);
3058 secp256k1_scalar_set_int(&t, v);
3060 secp256k1_scalar_set_int(&t, -v);
3061 secp256k1_scalar_negate(&t, &t);
3063 secp256k1_scalar_add(&x, &x, &t);
3065 /* If skew is 1 then add 1 to num */
3066 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3067 CHECK(secp256k1_scalar_eq(&x, &num));
3070 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3072 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3074 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3075 CHECK(wnaf[i] == 0);
3077 for (i = 7; i >= 0; --i) {
3078 CHECK(wnaf[i] == wnaf_expected[i]);
3082 void test_fixed_wnaf_small(void) {
3084 int wnaf[256] = {0};
3087 secp256k1_scalar num;
3089 secp256k1_scalar_set_int(&num, 0);
3090 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3091 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3097 secp256k1_scalar_set_int(&num, 1);
3098 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3099 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3103 CHECK(wnaf[0] == 1);
3107 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3108 secp256k1_scalar_set_int(&num, 0xffffffff);
3109 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3110 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3114 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3115 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3116 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3117 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3121 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3122 secp256k1_scalar_set_int(&num, 0x01010101);
3123 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3124 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3128 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3129 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3130 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3131 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3136 void run_wnaf(void) {
3138 secp256k1_scalar n = {{0}};
3140 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3141 * have easier-to-diagnose failure modes */
3143 test_constant_wnaf(&n, 4);
3145 test_constant_wnaf(&n, 4);
3147 test_fixed_wnaf_small();
3149 for (i = 0; i < count; i++) {
3150 random_scalar_order(&n);
3151 test_wnaf(&n, 4+(i%10));
3152 test_constant_wnaf_negate(&n);
3153 test_constant_wnaf(&n, 4 + (i % 10));
3154 test_fixed_wnaf(&n, 4 + (i % 10));
3156 secp256k1_scalar_set_int(&n, 0);
3157 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3158 CHECK(secp256k1_scalar_is_zero(&n));
3159 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3160 CHECK(secp256k1_scalar_is_zero(&n));
3163 void test_ecmult_constants(void) {
3164 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3170 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3171 for (i = 0; i < 36; i++ ) {
3172 secp256k1_scalar_set_int(&x, i);
3173 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3174 for (j = 0; j < i; j++) {
3176 ge_equals_gej(&secp256k1_ge_const_g, &r);
3178 secp256k1_gej_add_ge(&r, &r, &ng);
3180 CHECK(secp256k1_gej_is_infinity(&r));
3182 for (i = 1; i <= 36; i++ ) {
3183 secp256k1_scalar_set_int(&x, i);
3184 secp256k1_scalar_negate(&x, &x);
3185 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3186 for (j = 0; j < i; j++) {
3188 ge_equals_gej(&ng, &r);
3190 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3192 CHECK(secp256k1_gej_is_infinity(&r));
3196 void run_ecmult_constants(void) {
3197 test_ecmult_constants();
3200 void test_ecmult_gen_blind(void) {
3201 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3202 secp256k1_scalar key;
3204 unsigned char seed32[32];
3206 secp256k1_gej pgej2;
3209 random_scalar_order_test(&key);
3210 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3211 secp256k1_rand256(seed32);
3212 b = ctx->ecmult_gen_ctx.blind;
3213 i = ctx->ecmult_gen_ctx.initial;
3214 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3215 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3216 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3217 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3218 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3219 secp256k1_ge_set_gej(&pge, &pgej);
3220 ge_equals_gej(&pge, &pgej2);
3223 void test_ecmult_gen_blind_reset(void) {
3224 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3226 secp256k1_gej initial;
3227 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3228 b = ctx->ecmult_gen_ctx.blind;
3229 initial = ctx->ecmult_gen_ctx.initial;
3230 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3231 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3232 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3235 void run_ecmult_gen_blind(void) {
3237 test_ecmult_gen_blind_reset();
3238 for (i = 0; i < 10; i++) {
3239 test_ecmult_gen_blind();
3243 #ifdef USE_ENDOMORPHISM
3244 /***** ENDOMORPHISH TESTS *****/
3245 void test_scalar_split(void) {
3246 secp256k1_scalar full;
3247 secp256k1_scalar s1, slam;
3248 const unsigned char zero[32] = {0};
3249 unsigned char tmp[32];
3251 random_scalar_order_test(&full);
3252 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3254 /* check that both are <= 128 bits in size */
3255 if (secp256k1_scalar_is_high(&s1)) {
3256 secp256k1_scalar_negate(&s1, &s1);
3258 if (secp256k1_scalar_is_high(&slam)) {
3259 secp256k1_scalar_negate(&slam, &slam);
3262 secp256k1_scalar_get_b32(tmp, &s1);
3263 CHECK(memcmp(zero, tmp, 16) == 0);
3264 secp256k1_scalar_get_b32(tmp, &slam);
3265 CHECK(memcmp(zero, tmp, 16) == 0);
3268 void run_endomorphism_tests(void) {
3269 test_scalar_split();
3273 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3274 unsigned char pubkeyc[65];
3275 secp256k1_pubkey pubkey;
3280 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3281 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3282 /* Smaller sizes are tested exhaustively elsewhere. */
3284 memcpy(&pubkeyc[1], input, 64);
3285 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3286 for (i = 0; i < 256; i++) {
3287 /* Try all type bytes. */
3292 /* What sign does this point have? */
3293 ysign = (input[63] & 1) + 2;
3294 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3295 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3296 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3297 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3298 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3299 if (xpass || ypass) {
3300 /* These cases must parse. */
3301 unsigned char pubkeyo[65];
3303 memset(&pubkey, 0, sizeof(pubkey));
3304 VG_UNDEF(&pubkey, sizeof(pubkey));
3306 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3307 VG_CHECK(&pubkey, sizeof(pubkey));
3309 VG_UNDEF(pubkeyo, 65);
3310 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3311 VG_CHECK(pubkeyo, outl);
3313 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3314 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3316 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3317 CHECK(pubkeyo[0] == ysign);
3318 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3319 memset(&pubkey, 0, sizeof(pubkey));
3320 VG_UNDEF(&pubkey, sizeof(pubkey));
3321 secp256k1_pubkey_save(&pubkey, &ge);
3322 VG_CHECK(&pubkey, sizeof(pubkey));
3324 VG_UNDEF(pubkeyo, 65);
3325 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3326 VG_CHECK(pubkeyo, outl);
3328 CHECK(pubkeyo[0] == 4);
3329 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3333 /* These cases must fail to parse. */
3334 memset(&pubkey, 0xfe, sizeof(pubkey));
3336 VG_UNDEF(&pubkey, sizeof(pubkey));
3337 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3338 VG_CHECK(&pubkey, sizeof(pubkey));
3340 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3345 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3348 void run_ec_pubkey_parse_test(void) {
3349 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3350 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3352 /* Point with leading and trailing zeros in x and y serialization. */
3353 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3354 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3355 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3356 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3359 /* Point with x equal to a 3rd root of unity.*/
3360 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3361 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3362 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3363 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3366 /* Point with largest x. (1/2) */
3367 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3368 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3369 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3370 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3373 /* Point with largest x. (2/2) */
3374 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3376 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3377 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3380 /* Point with smallest x. (1/2) */
3381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3383 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3384 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3387 /* Point with smallest x. (2/2) */
3388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3389 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3390 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3391 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3394 /* Point with largest y. (1/3) */
3395 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3396 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3397 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3398 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3401 /* Point with largest y. (2/3) */
3402 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3403 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3404 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3405 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3408 /* Point with largest y. (3/3) */
3409 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3410 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3411 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3412 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3415 /* Point with smallest y. (1/3) */
3416 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3417 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3419 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3422 /* Point with smallest y. (2/3) */
3423 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3424 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3425 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3429 /* Point with smallest y. (3/3) */
3430 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3431 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3432 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3433 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3436 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3437 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3439 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3440 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3441 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3442 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3443 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3446 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3447 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3448 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3449 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3450 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3453 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3454 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3455 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3460 /* x on curve, y is from y^2 = x^3 + 8. */
3461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3467 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3468 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3470 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3471 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3472 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3473 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3474 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3477 /* Valid if x overflow ignored (x = 1 mod p). */
3478 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3479 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3480 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3481 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3484 /* Valid if x overflow ignored (x = 1 mod p). */
3485 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3486 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3487 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3488 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3491 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3492 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3493 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3494 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3495 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3498 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3499 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3500 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3501 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3502 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3505 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3507 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3508 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3509 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3512 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3513 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3514 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3515 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3516 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3519 const unsigned char pubkeyc[66] = {
3520 /* Serialization of G. */
3521 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3522 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3523 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3524 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3527 unsigned char sout[65];
3528 unsigned char shortkey[2];
3530 secp256k1_pubkey pubkey;
3536 /* Nothing should be reading this far into pubkeyc. */
3537 VG_UNDEF(&pubkeyc[65], 1);
3538 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3539 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3540 memset(&pubkey, 0xfe, sizeof(pubkey));
3542 VG_UNDEF(shortkey, 2);
3543 VG_UNDEF(&pubkey, sizeof(pubkey));
3544 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3545 VG_CHECK(&pubkey, sizeof(pubkey));
3547 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3549 /* Length one claimed, fail, zeroize, no illegal arg error. */
3550 for (i = 0; i < 256 ; i++) {
3551 memset(&pubkey, 0xfe, sizeof(pubkey));
3554 VG_UNDEF(&shortkey[1], 1);
3555 VG_UNDEF(&pubkey, sizeof(pubkey));
3556 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3557 VG_CHECK(&pubkey, sizeof(pubkey));
3559 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3562 /* Length two claimed, fail, zeroize, no illegal arg error. */
3563 for (i = 0; i < 65536 ; i++) {
3564 memset(&pubkey, 0xfe, sizeof(pubkey));
3566 shortkey[0] = i & 255;
3567 shortkey[1] = i >> 8;
3568 VG_UNDEF(&pubkey, sizeof(pubkey));
3569 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3570 VG_CHECK(&pubkey, sizeof(pubkey));
3572 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3575 memset(&pubkey, 0xfe, sizeof(pubkey));
3577 VG_UNDEF(&pubkey, sizeof(pubkey));
3578 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3579 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3580 VG_CHECK(&pubkey, sizeof(pubkey));
3582 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3584 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3585 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3587 /* NULL input string. Illegal arg and zeroize output. */
3588 memset(&pubkey, 0xfe, sizeof(pubkey));
3590 VG_UNDEF(&pubkey, sizeof(pubkey));
3591 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3592 VG_CHECK(&pubkey, sizeof(pubkey));
3594 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3596 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3597 memset(&pubkey, 0xfe, sizeof(pubkey));
3599 VG_UNDEF(&pubkey, sizeof(pubkey));
3600 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3601 VG_CHECK(&pubkey, sizeof(pubkey));
3603 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3605 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3606 memset(&pubkey, 0xfe, sizeof(pubkey));
3608 VG_UNDEF(&pubkey, sizeof(pubkey));
3609 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3610 VG_CHECK(&pubkey, sizeof(pubkey));
3612 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3615 memset(&pubkey, 0, sizeof(pubkey));
3617 VG_UNDEF(&pubkey, sizeof(pubkey));
3618 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3619 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3620 VG_CHECK(&pubkey, sizeof(pubkey));
3622 VG_UNDEF(&ge, sizeof(ge));
3623 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3624 VG_CHECK(&ge.x, sizeof(ge.x));
3625 VG_CHECK(&ge.y, sizeof(ge.y));
3626 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3627 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3629 /* secp256k1_ec_pubkey_serialize illegal args. */
3632 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3635 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3639 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3644 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3649 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3653 /* Multiple illegal args. Should still set arg error only once. */
3656 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3658 /* Does the illegal arg callback actually change the behavior? */
3659 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3660 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3662 CHECK(ecount2 == 10);
3663 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3664 /* Try a bunch of prefabbed points with all possible encodings. */
3665 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3666 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3668 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3669 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3671 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3672 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3676 void run_eckey_edge_case_test(void) {
3677 const unsigned char orderc[32] = {
3678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3679 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3680 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3681 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3683 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3684 unsigned char ctmp[33];
3685 unsigned char ctmp2[33];
3686 secp256k1_pubkey pubkey;
3687 secp256k1_pubkey pubkey2;
3688 secp256k1_pubkey pubkey_one;
3689 secp256k1_pubkey pubkey_negone;
3690 const secp256k1_pubkey *pubkeys[3];
3693 /* Group order is too large, reject. */
3694 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3695 VG_UNDEF(&pubkey, sizeof(pubkey));
3696 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3697 VG_CHECK(&pubkey, sizeof(pubkey));
3698 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3699 /* Maximum value is too large, reject. */
3700 memset(ctmp, 255, 32);
3701 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3702 memset(&pubkey, 1, sizeof(pubkey));
3703 VG_UNDEF(&pubkey, sizeof(pubkey));
3704 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3705 VG_CHECK(&pubkey, sizeof(pubkey));
3706 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3707 /* Zero is too small, reject. */
3708 memset(ctmp, 0, 32);
3709 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3710 memset(&pubkey, 1, sizeof(pubkey));
3711 VG_UNDEF(&pubkey, sizeof(pubkey));
3712 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3713 VG_CHECK(&pubkey, sizeof(pubkey));
3714 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3715 /* One must be accepted. */
3717 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3718 memset(&pubkey, 0, sizeof(pubkey));
3719 VG_UNDEF(&pubkey, sizeof(pubkey));
3720 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3721 VG_CHECK(&pubkey, sizeof(pubkey));
3722 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3723 pubkey_one = pubkey;
3724 /* Group order + 1 is too large, reject. */
3725 memcpy(ctmp, orderc, 32);
3727 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3728 memset(&pubkey, 1, sizeof(pubkey));
3729 VG_UNDEF(&pubkey, sizeof(pubkey));
3730 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3731 VG_CHECK(&pubkey, sizeof(pubkey));
3732 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3733 /* -1 must be accepted. */
3735 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3736 memset(&pubkey, 0, sizeof(pubkey));
3737 VG_UNDEF(&pubkey, sizeof(pubkey));
3738 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3739 VG_CHECK(&pubkey, sizeof(pubkey));
3740 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3741 pubkey_negone = pubkey;
3742 /* Tweak of zero leaves the value unchanged. */
3743 memset(ctmp2, 0, 32);
3744 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3745 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3746 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3747 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3748 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3749 /* Multiply tweak of zero zeroizes the output. */
3750 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3751 CHECK(memcmp(zeros, ctmp, 32) == 0);
3752 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3753 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3754 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3755 /* Overflowing key tweak zeroizes. */
3756 memcpy(ctmp, orderc, 32);
3758 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3759 CHECK(memcmp(zeros, ctmp, 32) == 0);
3760 memcpy(ctmp, orderc, 32);
3762 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3763 CHECK(memcmp(zeros, ctmp, 32) == 0);
3764 memcpy(ctmp, orderc, 32);
3766 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3767 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3768 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3769 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3770 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3771 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3772 /* Private key tweaks results in a key of zero. */
3774 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3775 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3777 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3778 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3779 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3780 /* Tweak computation wraps and results in a key of 1. */
3782 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3783 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3785 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3787 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3788 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3789 /* Tweak mul * 2 = 1+1. */
3790 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3792 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3793 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3794 /* Test argument errors. */
3796 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3798 /* Zeroize pubkey on parse error. */
3799 memset(&pubkey, 0, 32);
3800 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3802 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3803 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3804 memset(&pubkey2, 0, 32);
3805 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3807 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3808 /* Plain argument errors. */
3810 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3812 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3815 memset(ctmp2, 0, 32);
3817 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3819 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3822 memset(ctmp2, 0, 32);
3824 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3826 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3829 memset(ctmp2, 0, 32);
3830 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3832 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3835 memset(ctmp2, 0, 32);
3837 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3839 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3842 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3844 memset(&pubkey, 1, sizeof(pubkey));
3845 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3847 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3848 /* secp256k1_ec_pubkey_combine tests. */
3850 pubkeys[0] = &pubkey_one;
3851 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3852 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3853 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3854 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3855 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3856 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3857 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3858 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3860 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3861 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3863 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3864 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3865 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3866 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3867 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3869 pubkeys[0] = &pubkey_negone;
3870 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3871 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3872 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3873 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3874 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3877 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3878 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3879 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3880 /* Result is infinity. */
3881 pubkeys[0] = &pubkey_one;
3882 pubkeys[1] = &pubkey_negone;
3883 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3884 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3885 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3886 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3887 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3889 /* Passes through infinity but comes out one. */
3890 pubkeys[2] = &pubkey_one;
3891 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3892 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3893 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3894 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3895 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3898 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3899 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3900 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3902 pubkeys[1] = &pubkey_one;
3903 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3904 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3905 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3906 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3907 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3909 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3912 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3913 secp256k1_scalar nonce;
3915 random_scalar_order_test(&nonce);
3916 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3919 void test_ecdsa_sign_verify(void) {
3922 secp256k1_scalar one;
3923 secp256k1_scalar msg, key;
3924 secp256k1_scalar sigr, sigs;
3927 random_scalar_order_test(&msg);
3928 random_scalar_order_test(&key);
3929 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3930 secp256k1_ge_set_gej(&pub, &pubj);
3931 getrec = secp256k1_rand_bits(1);
3932 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3934 CHECK(recid >= 0 && recid < 4);
3936 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3937 secp256k1_scalar_set_int(&one, 1);
3938 secp256k1_scalar_add(&msg, &msg, &one);
3939 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3942 void run_ecdsa_sign_verify(void) {
3944 for (i = 0; i < 10*count; i++) {
3945 test_ecdsa_sign_verify();
3949 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3950 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3954 memcpy(nonce32, data, 32);
3955 return (counter == 0);
3958 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3959 /* Dummy nonce generator that has a fatal error on the first counter value. */
3963 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3966 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3967 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3969 memset(nonce32, counter==0 ? 0 : 255, 32);
3976 static const unsigned char order[] = {
3977 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3978 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3979 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3980 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3982 memcpy(nonce32, order, 32);
3988 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3989 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3993 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3996 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3997 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3998 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4001 void test_ecdsa_end_to_end(void) {
4002 unsigned char extra[32] = {0x00};
4003 unsigned char privkey[32];
4004 unsigned char message[32];
4005 unsigned char privkey2[32];
4006 secp256k1_ecdsa_signature signature[6];
4007 secp256k1_scalar r, s;
4008 unsigned char sig[74];
4010 unsigned char pubkeyc[65];
4011 size_t pubkeyclen = 65;
4012 secp256k1_pubkey pubkey;
4013 secp256k1_pubkey pubkey_tmp;
4014 unsigned char seckey[300];
4015 size_t seckeylen = 300;
4017 /* Generate a random key and message. */
4019 secp256k1_scalar msg, key;
4020 random_scalar_order_test(&msg);
4021 random_scalar_order_test(&key);
4022 secp256k1_scalar_get_b32(privkey, &key);
4023 secp256k1_scalar_get_b32(message, &msg);
4026 /* Construct and verify corresponding public key. */
4027 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4028 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4030 /* Verify exporting and importing public key. */
4031 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4032 memset(&pubkey, 0, sizeof(pubkey));
4033 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4035 /* Verify negation changes the key and changes it back */
4036 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4037 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4038 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4039 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4040 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4042 /* Verify private key import and export. */
4043 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4044 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4045 CHECK(memcmp(privkey, privkey2, 32) == 0);
4047 /* Optionally tweak the keys using addition. */
4048 if (secp256k1_rand_int(3) == 0) {
4051 unsigned char rnd[32];
4052 secp256k1_pubkey pubkey2;
4053 secp256k1_rand256_test(rnd);
4054 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4055 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4056 CHECK(ret1 == ret2);
4060 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4061 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4064 /* Optionally tweak the keys using multiplication. */
4065 if (secp256k1_rand_int(3) == 0) {
4068 unsigned char rnd[32];
4069 secp256k1_pubkey pubkey2;
4070 secp256k1_rand256_test(rnd);
4071 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4072 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4073 CHECK(ret1 == ret2);
4077 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4078 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4082 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4083 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4084 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4086 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4089 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4090 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4091 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4092 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4093 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4094 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4095 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4096 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4098 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4099 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4100 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4101 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4102 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4103 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4104 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4105 secp256k1_scalar_negate(&s, &s);
4106 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4107 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4108 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4109 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4110 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4111 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4112 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4113 secp256k1_scalar_negate(&s, &s);
4114 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4115 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4116 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4117 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4119 /* Serialize/parse DER and verify again */
4120 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4121 memset(&signature[0], 0, sizeof(signature[0]));
4122 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4123 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4124 /* Serialize/destroy/parse DER and verify again. */
4126 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4127 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4128 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4129 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4132 void test_random_pubkeys(void) {
4135 unsigned char in[65];
4136 /* Generate some randomly sized pubkeys. */
4137 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4138 if (secp256k1_rand_bits(2) == 0) {
4139 len = secp256k1_rand_bits(6);
4142 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4144 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4146 if (secp256k1_rand_bits(3) == 0) {
4147 in[0] = secp256k1_rand_bits(8);
4150 secp256k1_rand256(&in[1]);
4153 secp256k1_rand256(&in[33]);
4155 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4156 unsigned char out[65];
4157 unsigned char firstb;
4161 /* If the pubkey can be parsed, it should round-trip... */
4162 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4164 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4165 /* ... except for the type of hybrid inputs. */
4166 if ((in[0] != 6) && (in[0] != 7)) {
4167 CHECK(in[0] == out[0]);
4170 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4172 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4173 ge_equals_ge(&elem,&elem2);
4174 /* Check that the X9.62 hybrid type is checked. */
4175 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4176 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4177 if (firstb == 2 || firstb == 3) {
4178 if (in[0] == firstb + 4) {
4185 ge_equals_ge(&elem,&elem2);
4186 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4187 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4192 void run_random_pubkeys(void) {
4194 for (i = 0; i < 10*count; i++) {
4195 test_random_pubkeys();
4199 void run_ecdsa_end_to_end(void) {
4201 for (i = 0; i < 64*count; i++) {
4202 test_ecdsa_end_to_end();
4206 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4207 static const unsigned char zeroes[32] = {0};
4208 #ifdef ENABLE_OPENSSL_TESTS
4209 static const unsigned char max_scalar[32] = {
4210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4212 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4213 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4219 secp256k1_ecdsa_signature sig_der;
4220 unsigned char roundtrip_der[2048];
4221 unsigned char compact_der[64];
4222 size_t len_der = 2048;
4223 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4225 secp256k1_ecdsa_signature sig_der_lax;
4226 unsigned char roundtrip_der_lax[2048];
4227 unsigned char compact_der_lax[64];
4228 size_t len_der_lax = 2048;
4229 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4231 #ifdef ENABLE_OPENSSL_TESTS
4232 ECDSA_SIG *sig_openssl;
4233 const BIGNUM *r = NULL, *s = NULL;
4234 const unsigned char *sigptr;
4235 unsigned char roundtrip_openssl[2048];
4236 int len_openssl = 2048;
4237 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4240 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4242 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4243 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4246 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4247 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4250 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4251 if (parsed_der_lax) {
4252 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4253 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4255 if (valid_der_lax) {
4256 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4257 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4260 if (certainly_der) {
4261 ret |= (!parsed_der) << 2;
4263 if (certainly_not_der) {
4264 ret |= (parsed_der) << 17;
4267 ret |= (!roundtrips_der) << 3;
4271 ret |= (!roundtrips_der_lax) << 12;
4272 ret |= (len_der != len_der_lax) << 13;
4273 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4275 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4277 ret |= (!parsed_der_lax) << 16;
4280 #ifdef ENABLE_OPENSSL_TESTS
4281 sig_openssl = ECDSA_SIG_new();
4283 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4284 if (parsed_openssl) {
4285 ECDSA_SIG_get0(sig_openssl, &r, &s);
4286 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4287 if (valid_openssl) {
4288 unsigned char tmp[32] = {0};
4289 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4290 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4292 if (valid_openssl) {
4293 unsigned char tmp[32] = {0};
4294 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4295 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4298 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4299 if (len_openssl <= 2048) {
4300 unsigned char *ptr = roundtrip_openssl;
4301 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4302 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4306 ECDSA_SIG_free(sig_openssl);
4308 ret |= (parsed_der && !parsed_openssl) << 4;
4309 ret |= (valid_der && !valid_openssl) << 5;
4310 ret |= (roundtrips_openssl && !parsed_der) << 6;
4311 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4312 if (roundtrips_openssl) {
4313 ret |= (len_der != (size_t)len_openssl) << 8;
4314 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4320 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4322 for (i = 0; i < ptrlen; i++) {
4323 int shift = ptrlen - 1 - i;
4327 ptr[i] = (val >> shift) & 0xFF;
4332 static void damage_array(unsigned char *sig, size_t *len) {
4334 int action = secp256k1_rand_bits(3);
4335 if (action < 1 && *len > 3) {
4336 /* Delete a byte. */
4337 pos = secp256k1_rand_int(*len);
4338 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4341 } else if (action < 2 && *len < 2048) {
4342 /* Insert a byte. */
4343 pos = secp256k1_rand_int(1 + *len);
4344 memmove(sig + pos + 1, sig + pos, *len - pos);
4345 sig[pos] = secp256k1_rand_bits(8);
4348 } else if (action < 4) {
4349 /* Modify a byte. */
4350 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4352 } else { /* action < 8 */
4354 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4359 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4361 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4362 size_t tlen, elen, glen;
4367 der = secp256k1_rand_bits(2) == 0;
4368 *certainly_der = der;
4369 *certainly_not_der = 0;
4370 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4372 for (n = 0; n < 2; n++) {
4373 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4374 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4375 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4376 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4377 CHECK(nlen[n] <= 232);
4378 /* The top bit of the number. */
4379 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4380 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4381 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4382 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4383 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4384 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4385 *certainly_not_der = 1;
4387 CHECK(nlen[n] + nzlen[n] <= 300);
4388 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4389 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4391 /* nlenlen[n] max 127 bytes */
4392 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4395 *certainly_not_der = 1;
4398 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4401 /* The total length of the data to go, so far */
4402 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4405 /* The length of the garbage inside the tuple. */
4406 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4408 *certainly_not_der = 1;
4413 /* The length of the garbage after the end of the tuple. */
4414 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4416 *certainly_not_der = 1;
4418 CHECK(tlen + glen <= 990);
4420 /* Write the tuple header. */
4421 sig[(*len)++] = 0x30;
4423 /* Indeterminate length */
4424 sig[(*len)++] = 0x80;
4425 *certainly_not_der = 1;
4427 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4429 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4432 *certainly_not_der = 1;
4436 /* Short length notation */
4437 sig[(*len)++] = tlen;
4439 /* Long length notation */
4440 sig[(*len)++] = 128 + tlenlen;
4441 assign_big_endian(sig + *len, tlenlen, tlen);
4447 CHECK(tlen + glen <= 1119);
4449 for (n = 0; n < 2; n++) {
4450 /* Write the integer header. */
4451 sig[(*len)++] = 0x02;
4452 if (nlenlen[n] == 0) {
4453 /* Short length notation */
4454 sig[(*len)++] = nlen[n] + nzlen[n];
4456 /* Long length notation. */
4457 sig[(*len)++] = 128 + nlenlen[n];
4458 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4461 /* Write zero padding */
4462 while (nzlen[n] > 0) {
4463 sig[(*len)++] = 0x00;
4466 if (nlen[n] == 32 && !nlow[n]) {
4467 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4469 for (i = 0; i < 16; i++) {
4470 sig[(*len)++] = 0xFF;
4474 /* Write first byte of number */
4476 sig[(*len)++] = nhbyte[n];
4479 /* Generate remaining random bytes of number */
4480 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4485 /* Generate random garbage inside tuple. */
4486 secp256k1_rand_bytes_test(sig + *len, elen);
4489 /* Generate end-of-contents bytes. */
4495 CHECK(tlen + glen <= 1121);
4497 /* Generate random garbage outside tuple. */
4498 secp256k1_rand_bytes_test(sig + *len, glen);
4501 CHECK(tlen <= 1121);
4502 CHECK(tlen == *len);
4505 void run_ecdsa_der_parse(void) {
4507 for (i = 0; i < 200 * count; i++) {
4508 unsigned char buffer[2048];
4510 int certainly_der = 0;
4511 int certainly_not_der = 0;
4512 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4513 CHECK(buflen <= 2048);
4514 for (j = 0; j < 16; j++) {
4517 damage_array(buffer, &buflen);
4518 /* We don't know anything anymore about the DERness of the result */
4520 certainly_not_der = 0;
4522 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4525 fprintf(stderr, "Failure %x on ", ret);
4526 for (k = 0; k < buflen; k++) {
4527 fprintf(stderr, "%02x ", buffer[k]);
4529 fprintf(stderr, "\n");
4536 /* Tests several edge cases. */
4537 void test_ecdsa_edge_cases(void) {
4539 secp256k1_ecdsa_signature sig;
4541 /* Test the case where ECDSA recomputes a point that is infinity. */
4545 secp256k1_scalar msg;
4546 secp256k1_scalar sr, ss;
4547 secp256k1_scalar_set_int(&ss, 1);
4548 secp256k1_scalar_negate(&ss, &ss);
4549 secp256k1_scalar_inverse(&ss, &ss);
4550 secp256k1_scalar_set_int(&sr, 1);
4551 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4552 secp256k1_ge_set_gej(&key, &keyj);
4554 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4557 /* Verify signature with r of zero fails. */
4559 const unsigned char pubkey_mods_zero[33] = {
4560 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4561 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4562 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4563 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4567 secp256k1_scalar msg;
4568 secp256k1_scalar sr, ss;
4569 secp256k1_scalar_set_int(&ss, 1);
4570 secp256k1_scalar_set_int(&msg, 0);
4571 secp256k1_scalar_set_int(&sr, 0);
4572 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4573 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4576 /* Verify signature with s of zero fails. */
4578 const unsigned char pubkey[33] = {
4579 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4586 secp256k1_scalar msg;
4587 secp256k1_scalar sr, ss;
4588 secp256k1_scalar_set_int(&ss, 0);
4589 secp256k1_scalar_set_int(&msg, 0);
4590 secp256k1_scalar_set_int(&sr, 1);
4591 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4592 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4595 /* Verify signature with message 0 passes. */
4597 const unsigned char pubkey[33] = {
4598 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4600 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4601 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4604 const unsigned char pubkey2[33] = {
4605 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4607 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4608 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4613 secp256k1_scalar msg;
4614 secp256k1_scalar sr, ss;
4615 secp256k1_scalar_set_int(&ss, 2);
4616 secp256k1_scalar_set_int(&msg, 0);
4617 secp256k1_scalar_set_int(&sr, 2);
4618 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4619 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4620 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4621 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4622 secp256k1_scalar_negate(&ss, &ss);
4623 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4624 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4625 secp256k1_scalar_set_int(&ss, 1);
4626 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4627 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4630 /* Verify signature with message 1 passes. */
4632 const unsigned char pubkey[33] = {
4633 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4634 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4635 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4636 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4639 const unsigned char pubkey2[33] = {
4640 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4641 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4642 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4643 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4646 const unsigned char csr[32] = {
4647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4649 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4650 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4654 secp256k1_scalar msg;
4655 secp256k1_scalar sr, ss;
4656 secp256k1_scalar_set_int(&ss, 1);
4657 secp256k1_scalar_set_int(&msg, 1);
4658 secp256k1_scalar_set_b32(&sr, csr, NULL);
4659 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4660 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4661 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4662 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4663 secp256k1_scalar_negate(&ss, &ss);
4664 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4665 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4666 secp256k1_scalar_set_int(&ss, 2);
4667 secp256k1_scalar_inverse_var(&ss, &ss);
4668 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4669 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4672 /* Verify signature with message -1 passes. */
4674 const unsigned char pubkey[33] = {
4675 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4676 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4677 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4678 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4681 const unsigned char csr[32] = {
4682 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4683 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4684 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4685 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4688 secp256k1_scalar msg;
4689 secp256k1_scalar sr, ss;
4690 secp256k1_scalar_set_int(&ss, 1);
4691 secp256k1_scalar_set_int(&msg, 1);
4692 secp256k1_scalar_negate(&msg, &msg);
4693 secp256k1_scalar_set_b32(&sr, csr, NULL);
4694 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4695 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4696 secp256k1_scalar_negate(&ss, &ss);
4697 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4698 secp256k1_scalar_set_int(&ss, 3);
4699 secp256k1_scalar_inverse_var(&ss, &ss);
4700 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4703 /* Signature where s would be zero. */
4705 secp256k1_pubkey pubkey;
4708 unsigned char signature[72];
4709 static const unsigned char nonce[32] = {
4710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4713 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4715 static const unsigned char nonce2[32] = {
4716 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4717 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4718 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4719 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4721 const unsigned char key[32] = {
4722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4727 unsigned char msg[32] = {
4728 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4729 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4730 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4731 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4734 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4735 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4736 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4738 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4740 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4742 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4744 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4746 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4747 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4748 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4750 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4752 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4754 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4756 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4758 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4759 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4762 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4764 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4765 CHECK(ecount == 10);
4766 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4767 CHECK(ecount == 11);
4768 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4769 CHECK(ecount == 11);
4770 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4771 CHECK(ecount == 12);
4772 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4773 CHECK(ecount == 13);
4774 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4775 CHECK(ecount == 13);
4777 /* Too little room for a signature does not fail via ARGCHECK. */
4778 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4779 CHECK(ecount == 13);
4781 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4783 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4785 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4787 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4789 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4791 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4793 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4795 memset(signature, 255, 64);
4796 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4798 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4801 /* Nonce function corner cases. */
4802 for (t = 0; t < 2; t++) {
4803 static const unsigned char zero[32] = {0x00};
4805 unsigned char key[32];
4806 unsigned char msg[32];
4807 secp256k1_ecdsa_signature sig2;
4808 secp256k1_scalar sr[512], ss;
4809 const unsigned char *extra;
4810 extra = t == 0 ? NULL : zero;
4813 /* High key results in signature failure. */
4814 memset(key, 0xFF, 32);
4815 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4816 CHECK(is_empty_signature(&sig));
4817 /* Zero key results in signature failure. */
4819 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4820 CHECK(is_empty_signature(&sig));
4821 /* Nonce function failure results in signature failure. */
4823 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4824 CHECK(is_empty_signature(&sig));
4825 /* The retry loop successfully makes its way to the first good value. */
4826 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4827 CHECK(!is_empty_signature(&sig));
4828 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4829 CHECK(!is_empty_signature(&sig2));
4830 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4831 /* The default nonce function is deterministic. */
4832 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4833 CHECK(!is_empty_signature(&sig2));
4834 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4835 /* The default nonce function changes output with different messages. */
4836 for(i = 0; i < 256; i++) {
4839 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4840 CHECK(!is_empty_signature(&sig2));
4841 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4842 for (j = 0; j < i; j++) {
4843 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4848 /* The default nonce function changes output with different keys. */
4849 for(i = 256; i < 512; i++) {
4852 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4853 CHECK(!is_empty_signature(&sig2));
4854 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4855 for (j = 0; j < i; j++) {
4856 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4863 /* Check that optional nonce arguments do not have equivalent effect. */
4864 const unsigned char zeros[32] = {0};
4865 unsigned char nonce[32];
4866 unsigned char nonce2[32];
4867 unsigned char nonce3[32];
4868 unsigned char nonce4[32];
4870 VG_UNDEF(nonce2,32);
4871 VG_UNDEF(nonce3,32);
4872 VG_UNDEF(nonce4,32);
4873 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4875 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4876 VG_CHECK(nonce2,32);
4877 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4878 VG_CHECK(nonce3,32);
4879 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4880 VG_CHECK(nonce4,32);
4881 CHECK(memcmp(nonce, nonce2, 32) != 0);
4882 CHECK(memcmp(nonce, nonce3, 32) != 0);
4883 CHECK(memcmp(nonce, nonce4, 32) != 0);
4884 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4885 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4886 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4890 /* Privkey export where pubkey is the point at infinity. */
4892 unsigned char privkey[300];
4893 unsigned char seckey[32] = {
4894 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4895 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4896 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4897 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4899 size_t outlen = 300;
4900 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4902 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4906 void run_ecdsa_edge_cases(void) {
4907 test_ecdsa_edge_cases();
4910 #ifdef ENABLE_OPENSSL_TESTS
4911 EC_KEY *get_openssl_key(const unsigned char *key32) {
4912 unsigned char privkey[300];
4914 const unsigned char* pbegin = privkey;
4915 int compr = secp256k1_rand_bits(1);
4916 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4917 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4918 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4919 CHECK(EC_KEY_check_key(ec_key));
4923 void test_ecdsa_openssl(void) {
4926 secp256k1_scalar sigr, sigs;
4927 secp256k1_scalar one;
4928 secp256k1_scalar msg2;
4929 secp256k1_scalar key, msg;
4931 unsigned int sigsize = 80;
4932 size_t secp_sigsize = 80;
4933 unsigned char message[32];
4934 unsigned char signature[80];
4935 unsigned char key32[32];
4936 secp256k1_rand256_test(message);
4937 secp256k1_scalar_set_b32(&msg, message, NULL);
4938 random_scalar_order_test(&key);
4939 secp256k1_scalar_get_b32(key32, &key);
4940 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4941 secp256k1_ge_set_gej(&q, &qj);
4942 ec_key = get_openssl_key(key32);
4943 CHECK(ec_key != NULL);
4944 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4945 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4946 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4947 secp256k1_scalar_set_int(&one, 1);
4948 secp256k1_scalar_add(&msg2, &msg, &one);
4949 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4951 random_sign(&sigr, &sigs, &key, &msg, NULL);
4952 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4953 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4955 EC_KEY_free(ec_key);
4958 void run_ecdsa_openssl(void) {
4960 for (i = 0; i < 10*count; i++) {
4961 test_ecdsa_openssl();
4966 #ifdef ENABLE_MODULE_ECDH
4967 # include "modules/ecdh/tests_impl.h"
4970 #ifdef ENABLE_MODULE_RECOVERY
4971 # include "modules/recovery/tests_impl.h"
4974 int main(int argc, char **argv) {
4975 unsigned char seed16[16] = {0};
4976 unsigned char run32[32] = {0};
4977 /* find iteration count */
4979 count = strtol(argv[1], NULL, 0);
4982 /* find random seed */
4985 const char* ch = argv[2];
4986 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4988 if (sscanf(ch, "%2hx", &sh)) {
4997 FILE *frand = fopen("/dev/urandom", "r");
4998 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
4999 uint64_t t = time(NULL) * (uint64_t)1337;
5000 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5002 seed16[1] ^= t >> 8;
5003 seed16[2] ^= t >> 16;
5004 seed16[3] ^= t >> 24;
5005 seed16[4] ^= t >> 32;
5006 seed16[5] ^= t >> 40;
5007 seed16[6] ^= t >> 48;
5008 seed16[7] ^= t >> 56;
5014 secp256k1_rand_seed(seed16);
5016 printf("test count = %i\n", count);
5017 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5020 run_context_tests();
5021 run_scratch_tests();
5022 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5023 if (secp256k1_rand_bits(1)) {
5024 secp256k1_rand256(run32);
5025 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5032 run_hmac_sha256_tests();
5033 run_rfc6979_hmac_sha256_tests();
5035 #ifndef USE_NUM_NONE
5037 run_num_smalltests();
5045 run_field_inv_var();
5046 run_field_inv_all_var();
5048 run_field_convert();
5054 run_group_decompress();
5058 run_point_times_order();
5060 run_ecmult_constants();
5061 run_ecmult_gen_blind();
5062 run_ecmult_const_tests();
5063 run_ecmult_multi_tests();
5066 /* endomorphism tests */
5067 #ifdef USE_ENDOMORPHISM
5068 run_endomorphism_tests();
5071 /* EC point parser test */
5072 run_ec_pubkey_parse_test();
5074 /* EC key edge cases */
5075 run_eckey_edge_case_test();
5077 #ifdef ENABLE_MODULE_ECDH
5083 run_random_pubkeys();
5084 run_ecdsa_der_parse();
5085 run_ecdsa_sign_verify();
5086 run_ecdsa_end_to_end();
5087 run_ecdsa_edge_cases();
5088 #ifdef ENABLE_OPENSSL_TESTS
5089 run_ecdsa_openssl();
5092 #ifdef ENABLE_MODULE_RECOVERY
5093 /* ECDSA pubkey recovery tests */
5094 run_recovery_tests();
5097 secp256k1_rand256(run32);
5098 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5101 secp256k1_context_destroy(ctx);
5103 printf("no problems found\n");
projects / secp256k1.git / blob