1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
166 /*** clone and destroy all of them to make sure cloning was complete ***/
168 secp256k1_context *ctx_tmp;
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
188 /* Verify context-type checking illegal-argument errors. */
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
223 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
224 CHECK(ecount2 == 14);
225 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
226 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
228 /* This shouldn't leak memory, due to already-set tests. */
229 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
230 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
232 /* obtain a working nonce */
234 random_scalar_order_test(&nonce);
235 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
238 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
239 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
242 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
243 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
246 secp256k1_context_destroy(none);
247 secp256k1_context_destroy(sign);
248 secp256k1_context_destroy(vrfy);
249 secp256k1_context_destroy(both);
250 /* Defined as no-op. */
251 secp256k1_context_destroy(NULL);
254 void run_scratch_tests(void) {
256 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
257 secp256k1_scratch_space *scratch;
259 /* Test public API */
260 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
262 scratch = secp256k1_scratch_space_create(none, 1000);
263 CHECK(scratch != NULL);
266 /* Test internal API */
267 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
268 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
270 /* Allocating 500 bytes with no frame fails */
271 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
272 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
274 /* ...but pushing a new stack frame does affect the max allocation */
275 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
276 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
277 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
278 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
280 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
282 /* ...and this effect is undone by popping the frame */
283 secp256k1_scratch_deallocate_frame(scratch);
284 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
285 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
288 secp256k1_scratch_space_destroy(scratch);
289 secp256k1_context_destroy(none);
292 /***** HASH TESTS *****/
294 void run_sha256_tests(void) {
295 static const char *inputs[8] = {
296 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
297 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
298 "For this sample, this 63-byte string will be used as input data",
299 "This is exactly 64 bytes long, not counting the terminating byte"
301 static const unsigned char outputs[8][32] = {
302 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
303 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
304 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
305 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
306 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
307 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
308 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
309 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
312 for (i = 0; i < 8; i++) {
313 unsigned char out[32];
314 secp256k1_sha256 hasher;
315 secp256k1_sha256_initialize(&hasher);
316 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
317 secp256k1_sha256_finalize(&hasher, out);
318 CHECK(memcmp(out, outputs[i], 32) == 0);
319 if (strlen(inputs[i]) > 0) {
320 int split = secp256k1_rand_int(strlen(inputs[i]));
321 secp256k1_sha256_initialize(&hasher);
322 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
323 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
324 secp256k1_sha256_finalize(&hasher, out);
325 CHECK(memcmp(out, outputs[i], 32) == 0);
330 void run_hmac_sha256_tests(void) {
331 static const char *keys[6] = {
332 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
334 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
335 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
336 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
337 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
339 static const char *inputs[6] = {
340 "\x48\x69\x20\x54\x68\x65\x72\x65",
341 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
342 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
343 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
344 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
345 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
347 static const unsigned char outputs[6][32] = {
348 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
349 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
350 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
351 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
352 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
353 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
356 for (i = 0; i < 6; i++) {
357 secp256k1_hmac_sha256 hasher;
358 unsigned char out[32];
359 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
360 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
361 secp256k1_hmac_sha256_finalize(&hasher, out);
362 CHECK(memcmp(out, outputs[i], 32) == 0);
363 if (strlen(inputs[i]) > 0) {
364 int split = secp256k1_rand_int(strlen(inputs[i]));
365 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
366 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
367 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
368 secp256k1_hmac_sha256_finalize(&hasher, out);
369 CHECK(memcmp(out, outputs[i], 32) == 0);
374 void run_rfc6979_hmac_sha256_tests(void) {
375 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
376 static const unsigned char out1[3][32] = {
377 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
378 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
379 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
382 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
383 static const unsigned char out2[3][32] = {
384 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
385 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
386 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
389 secp256k1_rfc6979_hmac_sha256 rng;
390 unsigned char out[32];
393 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
394 for (i = 0; i < 3; i++) {
395 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
396 CHECK(memcmp(out, out1[i], 32) == 0);
398 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
400 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
401 for (i = 0; i < 3; i++) {
402 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
403 CHECK(memcmp(out, out1[i], 32) != 0);
405 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
407 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
408 for (i = 0; i < 3; i++) {
409 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
410 CHECK(memcmp(out, out2[i], 32) == 0);
412 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
415 /***** RANDOM TESTS *****/
417 void test_rand_bits(int rand32, int bits) {
418 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
419 * get a false negative chance below once in a billion */
420 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
421 /* We try multiplying the results with various odd numbers, which shouldn't
422 * influence the uniform distribution modulo a power of 2. */
423 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
424 /* We only select up to 6 bits from the output to analyse */
425 unsigned int usebits = bits > 6 ? 6 : bits;
426 unsigned int maxshift = bits - usebits;
427 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
428 number, track all observed outcomes, one per bit in a uint64_t. */
429 uint64_t x[6][27] = {{0}};
430 unsigned int i, shift, m;
431 /* Multiply the output of all rand calls with the odd number m, which
432 should not change the uniformity of its distribution. */
433 for (i = 0; i < rounds[usebits]; i++) {
434 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
435 CHECK((((uint64_t)r) >> bits) == 0);
436 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
437 uint32_t rm = r * mults[m];
438 for (shift = 0; shift <= maxshift; shift++) {
439 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
443 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
444 for (shift = 0; shift <= maxshift; shift++) {
445 /* Test that the lower usebits bits of x[shift] are 1 */
446 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
451 /* Subrange must be a whole divisor of range, and at most 64 */
452 void test_rand_int(uint32_t range, uint32_t subrange) {
453 /* (1-1/subrange)^rounds < 1/10^9 */
454 int rounds = (subrange * 2073) / 100;
457 CHECK((range % subrange) == 0);
458 for (i = 0; i < rounds; i++) {
459 uint32_t r = secp256k1_rand_int(range);
462 x |= (((uint64_t)1) << r);
464 /* Test that the lower subrange bits of x are 1. */
465 CHECK(((~x) << (64 - subrange)) == 0);
468 void run_rand_bits(void) {
470 test_rand_bits(1, 32);
471 for (b = 1; b <= 32; b++) {
472 test_rand_bits(0, b);
476 void run_rand_int(void) {
477 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
478 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
480 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
481 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
482 test_rand_int(ms[m] * ss[s], ss[s]);
487 /***** NUM TESTS *****/
490 void random_num_negate(secp256k1_num *num) {
491 if (secp256k1_rand_bits(1)) {
492 secp256k1_num_negate(num);
496 void random_num_order_test(secp256k1_num *num) {
498 random_scalar_order_test(&sc);
499 secp256k1_scalar_get_num(num, &sc);
502 void random_num_order(secp256k1_num *num) {
504 random_scalar_order(&sc);
505 secp256k1_scalar_get_num(num, &sc);
508 void test_num_negate(void) {
511 random_num_order_test(&n1); /* n1 = R */
512 random_num_negate(&n1);
513 secp256k1_num_copy(&n2, &n1); /* n2 = R */
514 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
515 CHECK(secp256k1_num_is_zero(&n1));
516 secp256k1_num_copy(&n1, &n2); /* n1 = R */
517 secp256k1_num_negate(&n1); /* n1 = -R */
518 CHECK(!secp256k1_num_is_zero(&n1));
519 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
520 CHECK(secp256k1_num_is_zero(&n1));
521 secp256k1_num_copy(&n1, &n2); /* n1 = R */
522 secp256k1_num_negate(&n1); /* n1 = -R */
523 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
524 secp256k1_num_negate(&n1); /* n1 = R */
525 CHECK(secp256k1_num_eq(&n1, &n2));
528 void test_num_add_sub(void) {
533 secp256k1_num n1p2, n2p1, n1m2, n2m1;
534 random_num_order_test(&n1); /* n1 = R1 */
535 if (secp256k1_rand_bits(1)) {
536 random_num_negate(&n1);
538 random_num_order_test(&n2); /* n2 = R2 */
539 if (secp256k1_rand_bits(1)) {
540 random_num_negate(&n2);
542 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
543 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
544 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
545 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
546 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
547 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
548 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
549 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
550 CHECK(!secp256k1_num_eq(&n2m1, &n1));
551 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
552 CHECK(secp256k1_num_eq(&n2m1, &n1));
553 CHECK(!secp256k1_num_eq(&n2p1, &n1));
554 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
555 CHECK(secp256k1_num_eq(&n2p1, &n1));
558 secp256k1_scalar_set_int(&s, 1);
559 secp256k1_scalar_get_num(&n1, &s);
560 CHECK(secp256k1_num_is_one(&n1));
561 /* check that 2^n + 1 is never 1 */
562 secp256k1_scalar_get_num(&n2, &s);
563 for (i = 0; i < 250; ++i) {
564 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
565 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
566 CHECK(!secp256k1_num_is_one(&n1p2));
570 void test_num_mod(void) {
573 secp256k1_num order, n;
575 /* check that 0 mod anything is 0 */
576 random_scalar_order_test(&s);
577 secp256k1_scalar_get_num(&order, &s);
578 secp256k1_scalar_set_int(&s, 0);
579 secp256k1_scalar_get_num(&n, &s);
580 secp256k1_num_mod(&n, &order);
581 CHECK(secp256k1_num_is_zero(&n));
583 /* check that anything mod 1 is 0 */
584 secp256k1_scalar_set_int(&s, 1);
585 secp256k1_scalar_get_num(&order, &s);
586 secp256k1_scalar_get_num(&n, &s);
587 secp256k1_num_mod(&n, &order);
588 CHECK(secp256k1_num_is_zero(&n));
590 /* check that increasing the number past 2^256 does not break this */
591 random_scalar_order_test(&s);
592 secp256k1_scalar_get_num(&n, &s);
593 /* multiply by 2^8, which'll test this case with high probability */
594 for (i = 0; i < 8; ++i) {
595 secp256k1_num_add(&n, &n, &n);
597 secp256k1_num_mod(&n, &order);
598 CHECK(secp256k1_num_is_zero(&n));
601 void test_num_jacobi(void) {
602 secp256k1_scalar sqr;
603 secp256k1_scalar small;
604 secp256k1_scalar five; /* five is not a quadratic residue */
605 secp256k1_num order, n;
607 /* squares mod 5 are 1, 4 */
608 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
610 /* check some small values with 5 as the order */
611 secp256k1_scalar_set_int(&five, 5);
612 secp256k1_scalar_get_num(&order, &five);
613 for (i = 0; i < 10; ++i) {
614 secp256k1_scalar_set_int(&small, i);
615 secp256k1_scalar_get_num(&n, &small);
616 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
619 /** test large values with 5 as group order */
620 secp256k1_scalar_get_num(&order, &five);
621 /* we first need a scalar which is not a multiple of 5 */
624 random_scalar_order_test(&sqr);
625 secp256k1_scalar_get_num(&fiven, &five);
626 secp256k1_scalar_get_num(&n, &sqr);
627 secp256k1_num_mod(&n, &fiven);
628 } while (secp256k1_num_is_zero(&n));
629 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
630 * just multiply by two, i.e. add the number to itself */
631 if (secp256k1_num_jacobi(&n, &order) == -1) {
632 secp256k1_num_add(&n, &n, &n);
636 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
637 /* test nonresidue */
638 secp256k1_num_add(&n, &n, &n);
639 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
641 /** test with secp group order as order */
642 secp256k1_scalar_order_get_num(&order);
643 random_scalar_order_test(&sqr);
644 secp256k1_scalar_sqr(&sqr, &sqr);
646 secp256k1_scalar_get_num(&n, &sqr);
647 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
648 /* test nonresidue */
649 secp256k1_scalar_mul(&sqr, &sqr, &five);
650 secp256k1_scalar_get_num(&n, &sqr);
651 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
652 /* test multiple of the order*/
653 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
655 /* check one less than the order */
656 secp256k1_scalar_set_int(&small, 1);
657 secp256k1_scalar_get_num(&n, &small);
658 secp256k1_num_sub(&n, &order, &n);
659 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
662 void run_num_smalltests(void) {
664 for (i = 0; i < 100*count; i++) {
673 /***** SCALAR TESTS *****/
675 void scalar_test(void) {
680 secp256k1_num snum, s1num, s2num;
681 secp256k1_num order, half_order;
685 /* Set 's' to a random scalar, with value 'snum'. */
686 random_scalar_order_test(&s);
688 /* Set 's1' to a random scalar, with value 's1num'. */
689 random_scalar_order_test(&s1);
691 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
692 random_scalar_order_test(&s2);
693 secp256k1_scalar_get_b32(c, &s2);
696 secp256k1_scalar_get_num(&snum, &s);
697 secp256k1_scalar_get_num(&s1num, &s1);
698 secp256k1_scalar_get_num(&s2num, &s2);
700 secp256k1_scalar_order_get_num(&order);
702 secp256k1_num_shift(&half_order, 1);
707 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
709 secp256k1_scalar_set_int(&n, 0);
710 for (i = 0; i < 256; i += 4) {
713 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
714 for (j = 0; j < 4; j++) {
715 secp256k1_scalar_add(&n, &n, &n);
717 secp256k1_scalar_add(&n, &n, &t);
719 CHECK(secp256k1_scalar_eq(&n, &s));
723 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
726 secp256k1_scalar_set_int(&n, 0);
730 int now = secp256k1_rand_int(15) + 1;
734 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
735 for (j = 0; j < now; j++) {
736 secp256k1_scalar_add(&n, &n, &n);
738 secp256k1_scalar_add(&n, &n, &t);
741 CHECK(secp256k1_scalar_eq(&n, &s));
746 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
750 secp256k1_num_add(&rnum, &snum, &s2num);
751 secp256k1_num_mod(&rnum, &order);
752 secp256k1_scalar_add(&r, &s, &s2);
753 secp256k1_scalar_get_num(&r2num, &r);
754 CHECK(secp256k1_num_eq(&rnum, &r2num));
758 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
762 secp256k1_num_mul(&rnum, &snum, &s2num);
763 secp256k1_num_mod(&rnum, &order);
764 secp256k1_scalar_mul(&r, &s, &s2);
765 secp256k1_scalar_get_num(&r2num, &r);
766 CHECK(secp256k1_num_eq(&rnum, &r2num));
767 /* The result can only be zero if at least one of the factors was zero. */
768 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
769 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
770 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
771 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
775 secp256k1_scalar neg;
776 secp256k1_num negnum;
777 secp256k1_num negnum2;
778 /* Check that comparison with zero matches comparison with zero on the number. */
779 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
780 /* Check that comparison with the half order is equal to testing for high scalar. */
781 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
782 secp256k1_scalar_negate(&neg, &s);
783 secp256k1_num_sub(&negnum, &order, &snum);
784 secp256k1_num_mod(&negnum, &order);
785 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
786 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
787 /* Negating should change the high property, unless the value was already zero. */
788 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
789 secp256k1_scalar_get_num(&negnum2, &neg);
790 /* Negating a scalar should be equal to (order - n) mod order on the number. */
791 CHECK(secp256k1_num_eq(&negnum, &negnum2));
792 secp256k1_scalar_add(&neg, &neg, &s);
793 /* Adding a number to its negation should result in zero. */
794 CHECK(secp256k1_scalar_is_zero(&neg));
795 secp256k1_scalar_negate(&neg, &neg);
796 /* Negating zero should still result in zero. */
797 CHECK(secp256k1_scalar_is_zero(&neg));
801 /* Test secp256k1_scalar_mul_shift_var. */
806 unsigned char cone[1] = {0x01};
807 unsigned int shift = 256 + secp256k1_rand_int(257);
808 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
809 secp256k1_num_mul(&rnum, &s1num, &s2num);
810 secp256k1_num_shift(&rnum, shift - 1);
811 secp256k1_num_set_bin(&one, cone, 1);
812 secp256k1_num_add(&rnum, &rnum, &one);
813 secp256k1_num_shift(&rnum, 1);
814 secp256k1_scalar_get_num(&rnum2, &r);
815 CHECK(secp256k1_num_eq(&rnum, &rnum2));
819 /* test secp256k1_scalar_shr_int */
822 random_scalar_order_test(&r);
823 for (i = 0; i < 100; ++i) {
825 int shift = 1 + secp256k1_rand_int(15);
826 int expected = r.d[0] % (1 << shift);
827 low = secp256k1_scalar_shr_int(&r, shift);
828 CHECK(expected == low);
834 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
835 if (!secp256k1_scalar_is_zero(&s)) {
836 secp256k1_scalar inv;
838 secp256k1_num invnum;
839 secp256k1_num invnum2;
841 secp256k1_scalar_inverse(&inv, &s);
843 secp256k1_num_mod_inverse(&invnum, &snum, &order);
844 secp256k1_scalar_get_num(&invnum2, &inv);
845 CHECK(secp256k1_num_eq(&invnum, &invnum2));
847 secp256k1_scalar_mul(&inv, &inv, &s);
848 /* Multiplying a scalar with its inverse must result in one. */
849 CHECK(secp256k1_scalar_is_one(&inv));
850 secp256k1_scalar_inverse(&inv, &inv);
851 /* Inverting one must result in one. */
852 CHECK(secp256k1_scalar_is_one(&inv));
854 secp256k1_scalar_get_num(&invnum, &inv);
855 CHECK(secp256k1_num_is_one(&invnum));
861 /* Test commutativity of add. */
862 secp256k1_scalar r1, r2;
863 secp256k1_scalar_add(&r1, &s1, &s2);
864 secp256k1_scalar_add(&r2, &s2, &s1);
865 CHECK(secp256k1_scalar_eq(&r1, &r2));
869 secp256k1_scalar r1, r2;
873 int bit = secp256k1_rand_bits(8);
874 secp256k1_scalar_set_int(&b, 1);
875 CHECK(secp256k1_scalar_is_one(&b));
876 for (i = 0; i < bit; i++) {
877 secp256k1_scalar_add(&b, &b, &b);
881 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
882 /* No overflow happened. */
883 secp256k1_scalar_cadd_bit(&r2, bit, 1);
884 CHECK(secp256k1_scalar_eq(&r1, &r2));
885 /* cadd is a noop when flag is zero */
886 secp256k1_scalar_cadd_bit(&r2, bit, 0);
887 CHECK(secp256k1_scalar_eq(&r1, &r2));
892 /* Test commutativity of mul. */
893 secp256k1_scalar r1, r2;
894 secp256k1_scalar_mul(&r1, &s1, &s2);
895 secp256k1_scalar_mul(&r2, &s2, &s1);
896 CHECK(secp256k1_scalar_eq(&r1, &r2));
900 /* Test associativity of add. */
901 secp256k1_scalar r1, r2;
902 secp256k1_scalar_add(&r1, &s1, &s2);
903 secp256k1_scalar_add(&r1, &r1, &s);
904 secp256k1_scalar_add(&r2, &s2, &s);
905 secp256k1_scalar_add(&r2, &s1, &r2);
906 CHECK(secp256k1_scalar_eq(&r1, &r2));
910 /* Test associativity of mul. */
911 secp256k1_scalar r1, r2;
912 secp256k1_scalar_mul(&r1, &s1, &s2);
913 secp256k1_scalar_mul(&r1, &r1, &s);
914 secp256k1_scalar_mul(&r2, &s2, &s);
915 secp256k1_scalar_mul(&r2, &s1, &r2);
916 CHECK(secp256k1_scalar_eq(&r1, &r2));
920 /* Test distributitivity of mul over add. */
921 secp256k1_scalar r1, r2, t;
922 secp256k1_scalar_add(&r1, &s1, &s2);
923 secp256k1_scalar_mul(&r1, &r1, &s);
924 secp256k1_scalar_mul(&r2, &s1, &s);
925 secp256k1_scalar_mul(&t, &s2, &s);
926 secp256k1_scalar_add(&r2, &r2, &t);
927 CHECK(secp256k1_scalar_eq(&r1, &r2));
932 secp256k1_scalar r1, r2;
933 secp256k1_scalar_sqr(&r1, &s1);
934 secp256k1_scalar_mul(&r2, &s1, &s1);
935 CHECK(secp256k1_scalar_eq(&r1, &r2));
939 /* Test multiplicative identity. */
940 secp256k1_scalar r1, v1;
941 secp256k1_scalar_set_int(&v1,1);
942 secp256k1_scalar_mul(&r1, &s1, &v1);
943 CHECK(secp256k1_scalar_eq(&r1, &s1));
947 /* Test additive identity. */
948 secp256k1_scalar r1, v0;
949 secp256k1_scalar_set_int(&v0,0);
950 secp256k1_scalar_add(&r1, &s1, &v0);
951 CHECK(secp256k1_scalar_eq(&r1, &s1));
955 /* Test zero product property. */
956 secp256k1_scalar r1, v0;
957 secp256k1_scalar_set_int(&v0,0);
958 secp256k1_scalar_mul(&r1, &s1, &v0);
959 CHECK(secp256k1_scalar_eq(&r1, &v0));
964 void run_scalar_tests(void) {
966 for (i = 0; i < 128 * count; i++) {
971 /* (-1)+1 should be zero. */
972 secp256k1_scalar s, o;
973 secp256k1_scalar_set_int(&s, 1);
974 CHECK(secp256k1_scalar_is_one(&s));
975 secp256k1_scalar_negate(&o, &s);
976 secp256k1_scalar_add(&o, &o, &s);
977 CHECK(secp256k1_scalar_is_zero(&o));
978 secp256k1_scalar_negate(&o, &o);
979 CHECK(secp256k1_scalar_is_zero(&o));
984 /* A scalar with value of the curve order should be 0. */
986 secp256k1_scalar zero;
987 unsigned char bin[32];
989 secp256k1_scalar_order_get_num(&order);
990 secp256k1_num_get_bin(bin, 32, &order);
991 secp256k1_scalar_set_b32(&zero, bin, &overflow);
992 CHECK(overflow == 1);
993 CHECK(secp256k1_scalar_is_zero(&zero));
998 /* Does check_overflow check catch all ones? */
999 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1000 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1001 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1003 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1007 /* Static test vectors.
1008 * These were reduced from ~10^12 random vectors based on comparison-decision
1009 * and edge-case coverage on 32-bit and 64-bit implementations.
1010 * The responses were generated with Sage 5.9.
1015 secp256k1_scalar zz;
1016 secp256k1_scalar one;
1017 secp256k1_scalar r1;
1018 secp256k1_scalar r2;
1019 #if defined(USE_SCALAR_INV_NUM)
1020 secp256k1_scalar zzv;
1023 unsigned char chal[33][2][32] = {
1024 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1026 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1027 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1028 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1030 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1031 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1032 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1033 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1036 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1038 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1039 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1040 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1042 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1043 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1044 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1045 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1046 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1047 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1048 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1049 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1051 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1052 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1053 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1054 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1055 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1056 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1057 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1058 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1059 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1060 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1061 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1062 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1063 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1064 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1065 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1066 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1067 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1068 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1069 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1070 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1071 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1072 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1073 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1074 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1075 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1076 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1077 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1078 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1079 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1080 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1081 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1082 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1083 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1084 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1085 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1086 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1088 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1089 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1092 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1096 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1098 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1099 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1100 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1101 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1102 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1103 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1104 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1105 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1106 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1107 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1108 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1112 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1113 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1114 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1115 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1116 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1118 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1120 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1121 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1123 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1124 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1125 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1126 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1127 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1128 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1129 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1131 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1132 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1133 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1134 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1136 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1137 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1139 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1140 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1144 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1148 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1151 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1152 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1153 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1155 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1156 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1158 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1160 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1162 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1164 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1165 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1168 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1169 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1170 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1172 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1173 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1174 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1175 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1176 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1177 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1178 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1179 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1180 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1181 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1182 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1184 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1185 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1186 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1188 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1189 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1190 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1191 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1192 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1196 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1200 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1201 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1204 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1208 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1212 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1213 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1214 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1216 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1217 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1218 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1220 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1224 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1226 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1227 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1228 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1232 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1233 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1234 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1235 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1236 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1237 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1238 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1239 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1240 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1241 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1242 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1243 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1244 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1245 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1248 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1249 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1250 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1251 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1252 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1254 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1255 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1256 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1257 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1258 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1260 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1261 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1262 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1264 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1265 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1267 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1268 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1269 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1270 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1271 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1272 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1273 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1274 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1275 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1276 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1277 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1278 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1279 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1280 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1281 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1283 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1284 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1289 unsigned char res[33][2][32] = {
1290 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1291 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1292 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1293 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1294 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1295 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1296 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1297 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1298 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1299 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1300 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1301 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1302 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1303 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1304 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1305 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1306 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1307 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1308 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1309 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1310 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1311 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1312 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1313 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1314 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1315 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1316 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1317 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1318 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1319 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1320 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1321 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1322 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1323 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1324 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1325 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1326 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1327 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1328 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1329 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1330 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1331 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1332 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1333 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1334 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1335 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1336 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1337 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1338 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1339 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1340 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1341 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1342 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1343 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1344 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1345 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1346 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1347 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1348 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1349 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1350 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1351 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1352 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1353 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1354 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1355 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1356 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1357 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1358 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1359 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1360 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1361 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1362 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1363 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1364 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1365 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1366 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1367 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1368 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1369 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1370 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1371 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1372 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1373 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1374 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1375 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1376 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1377 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1378 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1379 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1380 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1381 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1382 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1383 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1384 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1385 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1386 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1387 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1388 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1389 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1390 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1391 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1392 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1393 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1394 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1395 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1396 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1397 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1398 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1399 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1400 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1401 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1402 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1403 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1404 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1405 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1406 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1407 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1408 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1409 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1410 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1411 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1412 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1413 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1414 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1415 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1416 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1417 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1418 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1419 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1420 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1421 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1422 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1423 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1424 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1425 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1426 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1427 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1428 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1429 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1430 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1431 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1432 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1433 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1434 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1435 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1436 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1437 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1438 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1439 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1440 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1441 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1442 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1443 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1444 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1445 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1446 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1447 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1448 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1449 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1450 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1454 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1458 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1462 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1466 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1467 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1468 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1469 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1470 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1474 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1475 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1476 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1477 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1478 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1479 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1480 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1481 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1482 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1484 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1485 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1486 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1487 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1488 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1489 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1490 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1492 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1493 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1494 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1498 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1499 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1500 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1501 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1502 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1503 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1504 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1505 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1506 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1507 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1508 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1509 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1510 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1511 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1512 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1513 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1514 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1515 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1516 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1517 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1518 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1519 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1520 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1521 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1522 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1523 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1524 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1525 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1526 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1527 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1528 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1529 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1530 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1531 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1532 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1533 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1534 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1535 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1536 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1537 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1538 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1539 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1540 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1541 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1542 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1543 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1544 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1545 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1546 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1547 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1548 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1549 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1550 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1555 secp256k1_scalar_set_int(&one, 1);
1556 for (i = 0; i < 33; i++) {
1557 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1559 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1561 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1563 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1565 secp256k1_scalar_mul(&z, &x, &y);
1566 CHECK(!secp256k1_scalar_check_overflow(&z));
1567 CHECK(secp256k1_scalar_eq(&r1, &z));
1568 if (!secp256k1_scalar_is_zero(&y)) {
1569 secp256k1_scalar_inverse(&zz, &y);
1570 CHECK(!secp256k1_scalar_check_overflow(&zz));
1571 #if defined(USE_SCALAR_INV_NUM)
1572 secp256k1_scalar_inverse_var(&zzv, &y);
1573 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1575 secp256k1_scalar_mul(&z, &z, &zz);
1576 CHECK(!secp256k1_scalar_check_overflow(&z));
1577 CHECK(secp256k1_scalar_eq(&x, &z));
1578 secp256k1_scalar_mul(&zz, &zz, &y);
1579 CHECK(!secp256k1_scalar_check_overflow(&zz));
1580 CHECK(secp256k1_scalar_eq(&one, &zz));
1582 secp256k1_scalar_mul(&z, &x, &x);
1583 CHECK(!secp256k1_scalar_check_overflow(&z));
1584 secp256k1_scalar_sqr(&zz, &x);
1585 CHECK(!secp256k1_scalar_check_overflow(&zz));
1586 CHECK(secp256k1_scalar_eq(&zz, &z));
1587 CHECK(secp256k1_scalar_eq(&r2, &zz));
1592 /***** FIELD TESTS *****/
1594 void random_fe(secp256k1_fe *x) {
1595 unsigned char bin[32];
1597 secp256k1_rand256(bin);
1598 if (secp256k1_fe_set_b32(x, bin)) {
1604 void random_fe_test(secp256k1_fe *x) {
1605 unsigned char bin[32];
1607 secp256k1_rand256_test(bin);
1608 if (secp256k1_fe_set_b32(x, bin)) {
1614 void random_fe_non_zero(secp256k1_fe *nz) {
1616 while (--tries >= 0) {
1618 secp256k1_fe_normalize(nz);
1619 if (!secp256k1_fe_is_zero(nz)) {
1623 /* Infinitesimal probability of spurious failure here */
1627 void random_fe_non_square(secp256k1_fe *ns) {
1629 random_fe_non_zero(ns);
1630 if (secp256k1_fe_sqrt(&r, ns)) {
1631 secp256k1_fe_negate(ns, ns, 1);
1635 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1636 secp256k1_fe an = *a;
1637 secp256k1_fe bn = *b;
1638 secp256k1_fe_normalize_weak(&an);
1639 secp256k1_fe_normalize_var(&bn);
1640 return secp256k1_fe_equal_var(&an, &bn);
1643 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1645 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1646 secp256k1_fe_mul(&x, a, ai);
1647 return check_fe_equal(&x, &one);
1650 void run_field_convert(void) {
1651 static const unsigned char b32[32] = {
1652 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1653 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1654 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1655 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1657 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1658 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1659 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1661 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1662 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1666 unsigned char b322[32];
1667 secp256k1_fe_storage fes2;
1668 /* Check conversions to fe. */
1669 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1670 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1671 secp256k1_fe_from_storage(&fe2, &fes);
1672 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1673 /* Check conversion from fe. */
1674 secp256k1_fe_get_b32(b322, &fe);
1675 CHECK(memcmp(b322, b32, 32) == 0);
1676 secp256k1_fe_to_storage(&fes2, &fe);
1677 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1680 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1681 secp256k1_fe t = *b;
1683 t.magnitude = a->magnitude;
1684 t.normalized = a->normalized;
1686 return memcmp(a, &t, sizeof(secp256k1_fe));
1689 void run_field_misc(void) {
1694 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1696 for (i = 0; i < 5*count; i++) {
1697 secp256k1_fe_storage xs, ys, zs;
1699 random_fe_non_zero(&y);
1700 /* Test the fe equality and comparison operations. */
1701 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1702 CHECK(secp256k1_fe_equal_var(&x, &x));
1704 secp256k1_fe_add(&z,&y);
1705 /* Test fe conditional move; z is not normalized here. */
1707 secp256k1_fe_cmov(&x, &z, 0);
1708 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1709 secp256k1_fe_cmov(&x, &x, 1);
1710 CHECK(fe_memcmp(&x, &z) != 0);
1711 CHECK(fe_memcmp(&x, &q) == 0);
1712 secp256k1_fe_cmov(&q, &z, 1);
1713 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1714 CHECK(fe_memcmp(&q, &z) == 0);
1715 secp256k1_fe_normalize_var(&x);
1716 secp256k1_fe_normalize_var(&z);
1717 CHECK(!secp256k1_fe_equal_var(&x, &z));
1718 secp256k1_fe_normalize_var(&q);
1719 secp256k1_fe_cmov(&q, &z, (i&1));
1720 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1721 for (j = 0; j < 6; j++) {
1722 secp256k1_fe_negate(&z, &z, j+1);
1723 secp256k1_fe_normalize_var(&q);
1724 secp256k1_fe_cmov(&q, &z, (j&1));
1725 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1727 secp256k1_fe_normalize_var(&z);
1728 /* Test storage conversion and conditional moves. */
1729 secp256k1_fe_to_storage(&xs, &x);
1730 secp256k1_fe_to_storage(&ys, &y);
1731 secp256k1_fe_to_storage(&zs, &z);
1732 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1733 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1734 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1735 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1736 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1737 secp256k1_fe_from_storage(&x, &xs);
1738 secp256k1_fe_from_storage(&y, &ys);
1739 secp256k1_fe_from_storage(&z, &zs);
1740 /* Test that mul_int, mul, and add agree. */
1741 secp256k1_fe_add(&y, &x);
1742 secp256k1_fe_add(&y, &x);
1744 secp256k1_fe_mul_int(&z, 3);
1745 CHECK(check_fe_equal(&y, &z));
1746 secp256k1_fe_add(&y, &x);
1747 secp256k1_fe_add(&z, &x);
1748 CHECK(check_fe_equal(&z, &y));
1750 secp256k1_fe_mul_int(&z, 5);
1751 secp256k1_fe_mul(&q, &x, &fe5);
1752 CHECK(check_fe_equal(&z, &q));
1753 secp256k1_fe_negate(&x, &x, 1);
1754 secp256k1_fe_add(&z, &x);
1755 secp256k1_fe_add(&q, &x);
1756 CHECK(check_fe_equal(&y, &z));
1757 CHECK(check_fe_equal(&q, &y));
1761 void run_field_inv(void) {
1762 secp256k1_fe x, xi, xii;
1764 for (i = 0; i < 10*count; i++) {
1765 random_fe_non_zero(&x);
1766 secp256k1_fe_inv(&xi, &x);
1767 CHECK(check_fe_inverse(&x, &xi));
1768 secp256k1_fe_inv(&xii, &xi);
1769 CHECK(check_fe_equal(&x, &xii));
1773 void run_field_inv_var(void) {
1774 secp256k1_fe x, xi, xii;
1776 for (i = 0; i < 10*count; i++) {
1777 random_fe_non_zero(&x);
1778 secp256k1_fe_inv_var(&xi, &x);
1779 CHECK(check_fe_inverse(&x, &xi));
1780 secp256k1_fe_inv_var(&xii, &xi);
1781 CHECK(check_fe_equal(&x, &xii));
1785 void run_field_inv_all_var(void) {
1786 secp256k1_fe x[16], xi[16], xii[16];
1788 /* Check it's safe to call for 0 elements */
1789 secp256k1_fe_inv_all_var(xi, x, 0);
1790 for (i = 0; i < count; i++) {
1792 size_t len = secp256k1_rand_int(15) + 1;
1793 for (j = 0; j < len; j++) {
1794 random_fe_non_zero(&x[j]);
1796 secp256k1_fe_inv_all_var(xi, x, len);
1797 for (j = 0; j < len; j++) {
1798 CHECK(check_fe_inverse(&x[j], &xi[j]));
1800 secp256k1_fe_inv_all_var(xii, xi, len);
1801 for (j = 0; j < len; j++) {
1802 CHECK(check_fe_equal(&x[j], &xii[j]));
1807 void run_sqr(void) {
1812 secp256k1_fe_set_int(&x, 1);
1813 secp256k1_fe_negate(&x, &x, 1);
1815 for (i = 1; i <= 512; ++i) {
1816 secp256k1_fe_mul_int(&x, 2);
1817 secp256k1_fe_normalize(&x);
1818 secp256k1_fe_sqr(&s, &x);
1823 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1824 secp256k1_fe r1, r2;
1825 int v = secp256k1_fe_sqrt(&r1, a);
1826 CHECK((v == 0) == (k == NULL));
1829 /* Check that the returned root is +/- the given known answer */
1830 secp256k1_fe_negate(&r2, &r1, 1);
1831 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1832 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1833 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1837 void run_sqrt(void) {
1838 secp256k1_fe ns, x, s, t;
1841 /* Check sqrt(0) is 0 */
1842 secp256k1_fe_set_int(&x, 0);
1843 secp256k1_fe_sqr(&s, &x);
1846 /* Check sqrt of small squares (and their negatives) */
1847 for (i = 1; i <= 100; i++) {
1848 secp256k1_fe_set_int(&x, i);
1849 secp256k1_fe_sqr(&s, &x);
1851 secp256k1_fe_negate(&t, &s, 1);
1852 test_sqrt(&t, NULL);
1855 /* Consistency checks for large random values */
1856 for (i = 0; i < 10; i++) {
1858 random_fe_non_square(&ns);
1859 for (j = 0; j < count; j++) {
1861 secp256k1_fe_sqr(&s, &x);
1863 secp256k1_fe_negate(&t, &s, 1);
1864 test_sqrt(&t, NULL);
1865 secp256k1_fe_mul(&t, &s, &ns);
1866 test_sqrt(&t, NULL);
1871 /***** GROUP TESTS *****/
1873 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1874 CHECK(a->infinity == b->infinity);
1878 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1879 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1882 /* This compares jacobian points including their Z, not just their geometric meaning. */
1883 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1887 ret &= a->infinity == b->infinity;
1888 if (ret && !a->infinity) {
1891 secp256k1_fe_normalize(&a2.x);
1892 secp256k1_fe_normalize(&a2.y);
1893 secp256k1_fe_normalize(&a2.z);
1894 secp256k1_fe_normalize(&b2.x);
1895 secp256k1_fe_normalize(&b2.y);
1896 secp256k1_fe_normalize(&b2.z);
1897 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1898 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1899 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1904 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1906 secp256k1_fe u1, u2, s1, s2;
1907 CHECK(a->infinity == b->infinity);
1911 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1912 secp256k1_fe_sqr(&z2s, &b->z);
1913 secp256k1_fe_mul(&u1, &a->x, &z2s);
1914 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1915 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1916 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1917 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1918 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1921 void test_ge(void) {
1923 #ifdef USE_ENDOMORPHISM
1928 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1929 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1930 * All magnitudes are randomized.
1931 * All 17*17 combinations of points are added to each other, using all applicable methods.
1933 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1935 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1936 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1937 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1939 secp256k1_fe zfi2, zfi3;
1941 secp256k1_gej_set_infinity(&gej[0]);
1942 secp256k1_ge_clear(&ge[0]);
1943 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1944 for (i = 0; i < runs; i++) {
1947 random_group_element_test(&g);
1948 #ifdef USE_ENDOMORPHISM
1949 if (i >= runs - 2) {
1950 secp256k1_ge_mul_lambda(&g, &ge[1]);
1952 if (i >= runs - 1) {
1953 secp256k1_ge_mul_lambda(&g, &g);
1958 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1959 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1960 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1961 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1962 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1963 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1964 for (j = 0; j < 4; j++) {
1965 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1966 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1967 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1968 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1969 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1973 /* Compute z inverses. */
1975 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1976 for (i = 0; i < 4 * runs + 1; i++) {
1978 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1980 random_field_element_test(&zs[i]);
1981 } while(secp256k1_fe_is_zero(&zs[i]));
1986 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1990 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1992 random_field_element_test(&zf);
1993 } while(secp256k1_fe_is_zero(&zf));
1994 random_field_element_magnitude(&zf);
1995 secp256k1_fe_inv_var(&zfi3, &zf);
1996 secp256k1_fe_sqr(&zfi2, &zfi3);
1997 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1999 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2001 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2002 /* Compute reference result using gej + gej (var). */
2003 secp256k1_gej refj, resj;
2006 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2007 /* Check Z ratio. */
2008 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2009 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2010 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2012 secp256k1_ge_set_gej_var(&ref, &refj);
2014 /* Test gej + ge with Z ratio result (var). */
2015 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2016 ge_equals_gej(&ref, &resj);
2017 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2018 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2019 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2022 /* Test gej + ge (var, with additional Z factor). */
2024 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2025 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2026 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2027 random_field_element_magnitude(&ge2_zfi.x);
2028 random_field_element_magnitude(&ge2_zfi.y);
2029 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2030 ge_equals_gej(&ref, &resj);
2033 /* Test gej + ge (const). */
2035 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2036 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2037 ge_equals_gej(&ref, &resj);
2040 /* Test doubling (var). */
2041 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2043 /* Normal doubling with Z ratio result. */
2044 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2045 ge_equals_gej(&ref, &resj);
2046 /* Check Z ratio. */
2047 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2048 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2049 /* Normal doubling. */
2050 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2051 ge_equals_gej(&ref, &resj);
2054 /* Test adding opposites. */
2055 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2056 CHECK(secp256k1_ge_is_infinity(&ref));
2059 /* Test adding infinity. */
2061 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2062 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2063 ge_equals_gej(&ref, &gej[i2]);
2066 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2067 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2068 ge_equals_gej(&ref, &gej[i1]);
2073 /* Test adding all points together in random order equals infinity. */
2075 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2076 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2077 for (i = 0; i < 4 * runs + 1; i++) {
2078 gej_shuffled[i] = gej[i];
2080 for (i = 0; i < 4 * runs + 1; i++) {
2081 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2083 secp256k1_gej t = gej_shuffled[i];
2084 gej_shuffled[i] = gej_shuffled[swap];
2085 gej_shuffled[swap] = t;
2088 for (i = 0; i < 4 * runs + 1; i++) {
2089 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2091 CHECK(secp256k1_gej_is_infinity(&sum));
2095 /* Test batch gej -> ge conversion with and without known z ratios. */
2097 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2098 secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2099 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2100 for (i = 0; i < 4 * runs + 1; i++) {
2101 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2103 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2106 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2107 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2108 for (i = 0; i < 4 * runs + 1; i++) {
2110 random_fe_non_zero(&s);
2111 secp256k1_gej_rescale(&gej[i], &s);
2112 ge_equals_gej(&ge_set_table[i], &gej[i]);
2113 ge_equals_gej(&ge_set_all[i], &gej[i]);
2125 void test_add_neg_y_diff_x(void) {
2126 /* The point of this test is to check that we can add two points
2127 * whose y-coordinates are negatives of each other but whose x
2128 * coordinates differ. If the x-coordinates were the same, these
2129 * points would be negatives of each other and their sum is
2130 * infinity. This is cool because it "covers up" any degeneracy
2131 * in the addition algorithm that would cause the xy coordinates
2132 * of the sum to be wrong (since infinity has no xy coordinates).
2133 * HOWEVER, if the x-coordinates are different, infinity is the
2134 * wrong answer, and such degeneracies are exposed. This is the
2135 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2136 * which this test is a regression test for.
2138 * These points were generated in sage as
2139 * # secp256k1 params
2140 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2141 * C = EllipticCurve ([F (0), F (7)])
2142 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2143 * N = FiniteField(G.order())
2145 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2147 * lam = (1 - x^3).roots()[1][0]
2149 * # random "bad pair"
2150 * P = C.random_element()
2152 * print " P: %x %x" % P.xy()
2153 * print " Q: %x %x" % Q.xy()
2154 * print "P + Q: %x %x" % (P + Q).xy()
2156 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2157 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2158 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2159 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2160 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2162 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2163 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2164 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2165 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2166 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2168 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2169 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2170 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2171 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2172 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2177 secp256k1_ge_set_gej(&b, &bj);
2179 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2180 secp256k1_ge_set_gej(&res, &resj);
2181 ge_equals_gej(&res, &sumj);
2183 secp256k1_gej_add_ge(&resj, &aj, &b);
2184 secp256k1_ge_set_gej(&res, &resj);
2185 ge_equals_gej(&res, &sumj);
2187 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2188 secp256k1_ge_set_gej(&res, &resj);
2189 ge_equals_gej(&res, &sumj);
2194 for (i = 0; i < count * 32; i++) {
2197 test_add_neg_y_diff_x();
2200 void test_ec_combine(void) {
2201 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2202 secp256k1_pubkey data[6];
2203 const secp256k1_pubkey* d[6];
2204 secp256k1_pubkey sd;
2205 secp256k1_pubkey sd2;
2209 for (i = 1; i <= 6; i++) {
2211 random_scalar_order_test(&s);
2212 secp256k1_scalar_add(&sum, &sum, &s);
2213 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2214 secp256k1_ge_set_gej(&Q, &Qj);
2215 secp256k1_pubkey_save(&data[i - 1], &Q);
2216 d[i - 1] = &data[i - 1];
2217 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2218 secp256k1_ge_set_gej(&Q, &Qj);
2219 secp256k1_pubkey_save(&sd, &Q);
2220 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2221 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2225 void run_ec_combine(void) {
2227 for (i = 0; i < count * 8; i++) {
2232 void test_group_decompress(const secp256k1_fe* x) {
2233 /* The input itself, normalized. */
2234 secp256k1_fe fex = *x;
2236 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2237 secp256k1_ge ge_quad, ge_even, ge_odd;
2238 secp256k1_gej gej_quad;
2239 /* Return values of the above calls. */
2240 int res_quad, res_even, res_odd;
2242 secp256k1_fe_normalize_var(&fex);
2244 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2245 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2246 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2248 CHECK(res_quad == res_even);
2249 CHECK(res_quad == res_odd);
2252 secp256k1_fe_normalize_var(&ge_quad.x);
2253 secp256k1_fe_normalize_var(&ge_odd.x);
2254 secp256k1_fe_normalize_var(&ge_even.x);
2255 secp256k1_fe_normalize_var(&ge_quad.y);
2256 secp256k1_fe_normalize_var(&ge_odd.y);
2257 secp256k1_fe_normalize_var(&ge_even.y);
2259 /* No infinity allowed. */
2260 CHECK(!ge_quad.infinity);
2261 CHECK(!ge_even.infinity);
2262 CHECK(!ge_odd.infinity);
2264 /* Check that the x coordinates check out. */
2265 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2266 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2267 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2269 /* Check that the Y coordinate result in ge_quad is a square. */
2270 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2272 /* Check odd/even Y in ge_odd, ge_even. */
2273 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2274 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2276 /* Check secp256k1_gej_has_quad_y_var. */
2277 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2278 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2280 random_fe_test(&fez);
2281 } while (secp256k1_fe_is_zero(&fez));
2282 secp256k1_gej_rescale(&gej_quad, &fez);
2283 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2284 secp256k1_gej_neg(&gej_quad, &gej_quad);
2285 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2287 random_fe_test(&fez);
2288 } while (secp256k1_fe_is_zero(&fez));
2289 secp256k1_gej_rescale(&gej_quad, &fez);
2290 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2291 secp256k1_gej_neg(&gej_quad, &gej_quad);
2292 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2296 void run_group_decompress(void) {
2298 for (i = 0; i < count * 4; i++) {
2300 random_fe_test(&fe);
2301 test_group_decompress(&fe);
2305 /***** ECMULT TESTS *****/
2307 void run_ecmult_chain(void) {
2308 /* random starting point A (on the curve) */
2309 secp256k1_gej a = SECP256K1_GEJ_CONST(
2310 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2311 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2312 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2313 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2315 /* two random initial factors xn and gn */
2316 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2317 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2318 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2320 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2321 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2322 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2324 /* two small multipliers to be applied to xn and gn in every iteration: */
2325 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2326 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2327 /* accumulators with the resulting coefficients to A and G */
2328 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2329 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2335 /* the point being computed */
2337 for (i = 0; i < 200*count; i++) {
2338 /* in each iteration, compute X = xn*X + gn*G; */
2339 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2340 /* also compute ae and ge: the actual accumulated factors for A and G */
2341 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2342 secp256k1_scalar_mul(&ae, &ae, &xn);
2343 secp256k1_scalar_mul(&ge, &ge, &xn);
2344 secp256k1_scalar_add(&ge, &ge, &gn);
2345 /* modify xn and gn */
2346 secp256k1_scalar_mul(&xn, &xn, &xf);
2347 secp256k1_scalar_mul(&gn, &gn, &gf);
2351 /* expected result after 19999 iterations */
2352 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2353 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2354 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2355 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2356 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2359 secp256k1_gej_neg(&rp, &rp);
2360 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2361 CHECK(secp256k1_gej_is_infinity(&rp));
2364 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2365 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2366 secp256k1_gej_neg(&x2, &x2);
2367 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2368 CHECK(secp256k1_gej_is_infinity(&x2));
2371 void test_point_times_order(const secp256k1_gej *point) {
2372 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2374 secp256k1_scalar nx;
2375 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2376 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2377 secp256k1_gej res1, res2;
2379 unsigned char pub[65];
2381 random_scalar_order_test(&x);
2382 secp256k1_scalar_negate(&nx, &x);
2383 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2384 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2385 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2386 CHECK(secp256k1_gej_is_infinity(&res1));
2387 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2388 secp256k1_ge_set_gej(&res3, &res1);
2389 CHECK(secp256k1_ge_is_infinity(&res3));
2390 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2391 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2393 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2394 /* check zero/one edge cases */
2395 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2396 secp256k1_ge_set_gej(&res3, &res1);
2397 CHECK(secp256k1_ge_is_infinity(&res3));
2398 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2399 secp256k1_ge_set_gej(&res3, &res1);
2400 ge_equals_gej(&res3, point);
2401 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2402 secp256k1_ge_set_gej(&res3, &res1);
2403 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2406 void run_point_times_order(void) {
2408 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2409 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2410 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2411 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2413 for (i = 0; i < 500; i++) {
2415 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2417 CHECK(secp256k1_ge_is_valid_var(&p));
2418 secp256k1_gej_set_ge(&j, &p);
2419 CHECK(secp256k1_gej_is_valid_var(&j));
2420 test_point_times_order(&j);
2422 secp256k1_fe_sqr(&x, &x);
2424 secp256k1_fe_normalize_var(&x);
2425 CHECK(secp256k1_fe_equal_var(&x, &xr));
2428 void ecmult_const_random_mult(void) {
2429 /* random starting point A (on the curve) */
2430 secp256k1_ge a = SECP256K1_GE_CONST(
2431 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2432 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2433 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2434 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2436 /* random initial factor xn */
2437 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2438 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2439 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2441 /* expected xn * A (from sage) */
2442 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2443 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2444 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2445 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2446 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2449 secp256k1_ecmult_const(&b, &a, &xn, 256);
2451 CHECK(secp256k1_ge_is_valid_var(&a));
2452 ge_equals_gej(&expected_b, &b);
2455 void ecmult_const_commutativity(void) {
2462 random_scalar_order_test(&a);
2463 random_scalar_order_test(&b);
2465 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2466 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2467 secp256k1_ge_set_gej(&mid1, &res1);
2468 secp256k1_ge_set_gej(&mid2, &res2);
2469 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2470 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2471 secp256k1_ge_set_gej(&mid1, &res1);
2472 secp256k1_ge_set_gej(&mid2, &res2);
2473 ge_equals_ge(&mid1, &mid2);
2476 void ecmult_const_mult_zero_one(void) {
2477 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2478 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2479 secp256k1_scalar negone;
2483 secp256k1_scalar_negate(&negone, &one);
2485 random_group_element_test(&point);
2486 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2487 secp256k1_ge_set_gej(&res2, &res1);
2488 CHECK(secp256k1_ge_is_infinity(&res2));
2489 secp256k1_ecmult_const(&res1, &point, &one, 2);
2490 secp256k1_ge_set_gej(&res2, &res1);
2491 ge_equals_ge(&res2, &point);
2492 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2493 secp256k1_gej_neg(&res1, &res1);
2494 secp256k1_ge_set_gej(&res2, &res1);
2495 ge_equals_ge(&res2, &point);
2498 void ecmult_const_chain_multiply(void) {
2499 /* Check known result (randomly generated test problem from sage) */
2500 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2501 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2502 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2504 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2505 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2506 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2507 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2508 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2510 secp256k1_gej point;
2514 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2515 for (i = 0; i < 100; ++i) {
2517 secp256k1_ge_set_gej(&tmp, &point);
2518 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2520 secp256k1_ge_set_gej(&res, &point);
2521 ge_equals_gej(&res, &expected_point);
2524 void run_ecmult_const_tests(void) {
2525 ecmult_const_mult_zero_one();
2526 ecmult_const_random_mult();
2527 ecmult_const_commutativity();
2528 ecmult_const_chain_multiply();
2532 secp256k1_scalar *sc;
2534 } ecmult_multi_data;
2536 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2537 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2538 *sc = data->sc[idx];
2539 *pt = data->pt[idx];
2543 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2551 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2553 secp256k1_scalar szero;
2554 secp256k1_scalar sc[32];
2555 secp256k1_ge pt[32];
2558 ecmult_multi_data data;
2559 secp256k1_scratch *scratch_empty;
2563 secp256k1_scalar_set_int(&szero, 0);
2565 /* No points to multiply */
2566 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2568 /* Check 1- and 2-point multiplies against ecmult */
2569 for (ncount = 0; ncount < count; ncount++) {
2572 random_scalar_order(&sc[0]);
2573 random_scalar_order(&sc[1]);
2575 random_group_element_test(&ptg);
2576 secp256k1_gej_set_ge(&ptgj, &ptg);
2578 pt[1] = secp256k1_ge_const_g;
2581 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2582 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2583 secp256k1_gej_neg(&r2, &r2);
2584 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2585 CHECK(secp256k1_gej_is_infinity(&r));
2588 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2589 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2590 secp256k1_gej_neg(&r2, &r2);
2591 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2592 CHECK(secp256k1_gej_is_infinity(&r));
2594 /* Try to multiply 1 point, but scratch space is empty */
2595 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2596 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2597 secp256k1_scratch_destroy(scratch_empty);
2599 /* Try to multiply 1 point, but callback returns false */
2600 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2603 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2604 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2605 secp256k1_gej_neg(&r2, &r2);
2606 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2607 CHECK(secp256k1_gej_is_infinity(&r));
2609 /* 2-point with G scalar */
2610 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2611 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2612 secp256k1_gej_neg(&r2, &r2);
2613 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2614 CHECK(secp256k1_gej_is_infinity(&r));
2617 /* Check infinite outputs of various forms */
2618 for (ncount = 0; ncount < count; ncount++) {
2621 size_t sizes[] = { 2, 10, 32 };
2623 for (j = 0; j < 3; j++) {
2624 for (i = 0; i < 32; i++) {
2625 random_scalar_order(&sc[i]);
2626 secp256k1_ge_set_infinity(&pt[i]);
2628 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2629 CHECK(secp256k1_gej_is_infinity(&r));
2632 for (j = 0; j < 3; j++) {
2633 for (i = 0; i < 32; i++) {
2634 random_group_element_test(&ptg);
2636 secp256k1_scalar_set_int(&sc[i], 0);
2638 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2639 CHECK(secp256k1_gej_is_infinity(&r));
2642 for (j = 0; j < 3; j++) {
2643 random_group_element_test(&ptg);
2644 for (i = 0; i < 16; i++) {
2645 random_scalar_order(&sc[2*i]);
2646 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2648 pt[2 * i + 1] = ptg;
2651 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2652 CHECK(secp256k1_gej_is_infinity(&r));
2654 random_scalar_order(&sc[0]);
2655 for (i = 0; i < 16; i++) {
2656 random_group_element_test(&ptg);
2661 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2664 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2665 CHECK(secp256k1_gej_is_infinity(&r));
2668 random_group_element_test(&ptg);
2669 secp256k1_scalar_set_int(&sc[0], 0);
2671 for (i = 1; i < 32; i++) {
2674 random_scalar_order(&sc[i]);
2675 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2676 secp256k1_scalar_negate(&sc[i], &sc[i]);
2679 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2680 CHECK(secp256k1_gej_is_infinity(&r));
2683 /* Check random points, constant scalar */
2684 for (ncount = 0; ncount < count; ncount++) {
2686 secp256k1_gej_set_infinity(&r);
2688 random_scalar_order(&sc[0]);
2689 for (i = 0; i < 20; i++) {
2692 random_group_element_test(&ptg);
2694 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2697 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2698 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2699 secp256k1_gej_neg(&r2, &r2);
2700 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2701 CHECK(secp256k1_gej_is_infinity(&r));
2704 /* Check random scalars, constant point */
2705 for (ncount = 0; ncount < count; ncount++) {
2709 secp256k1_scalar rs;
2710 secp256k1_scalar_set_int(&rs, 0);
2712 random_group_element_test(&ptg);
2713 for (i = 0; i < 20; i++) {
2714 random_scalar_order(&sc[i]);
2716 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2719 secp256k1_gej_set_ge(&p0j, &pt[0]);
2720 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2721 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2722 secp256k1_gej_neg(&r2, &r2);
2723 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2724 CHECK(secp256k1_gej_is_infinity(&r));
2727 /* Sanity check that zero scalars don't cause problems */
2728 for (ncount = 0; ncount < 20; ncount++) {
2729 random_scalar_order(&sc[ncount]);
2730 random_group_element_test(&pt[ncount]);
2733 secp256k1_scalar_clear(&sc[0]);
2734 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2735 secp256k1_scalar_clear(&sc[1]);
2736 secp256k1_scalar_clear(&sc[2]);
2737 secp256k1_scalar_clear(&sc[3]);
2738 secp256k1_scalar_clear(&sc[4]);
2739 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2740 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2741 CHECK(secp256k1_gej_is_infinity(&r));
2743 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2745 const size_t TOP = 8;
2751 random_group_element_test(&ptg);
2752 secp256k1_gej_set_ge(&ptgj, &ptg);
2754 for(t0i = 0; t0i < TOP; t0i++) {
2755 for(t1i = 0; t1i < TOP; t1i++) {
2756 secp256k1_gej t0p, t1p;
2757 secp256k1_scalar t0, t1;
2759 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2760 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2761 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2762 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2764 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2765 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2767 for(s0i = 0; s0i < TOP; s0i++) {
2768 for(s1i = 0; s1i < TOP; s1i++) {
2769 secp256k1_scalar tmp1, tmp2;
2770 secp256k1_gej expected, actual;
2772 secp256k1_ge_set_gej(&pt[0], &t0p);
2773 secp256k1_ge_set_gej(&pt[1], &t1p);
2775 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2776 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2777 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2778 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2780 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2781 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2782 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2784 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2785 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2786 secp256k1_gej_neg(&expected, &expected);
2787 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2788 CHECK(secp256k1_gej_is_infinity(&actual));
2796 void test_secp256k1_pippenger_bucket_window_inv(void) {
2799 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2800 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2801 #ifdef USE_ENDOMORPHISM
2802 /* Bucket_window of 8 is not used with endo */
2807 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2808 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2809 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2815 * Probabilistically test the function returning the maximum number of possible points
2816 * for a given scratch space.
2818 void test_ecmult_multi_pippenger_max_points(void) {
2819 size_t scratch_size = secp256k1_rand_int(256);
2820 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2821 secp256k1_scratch *scratch;
2822 size_t n_points_supported;
2823 int bucket_window = 0;
2825 for(; scratch_size < max_size; scratch_size+=256) {
2826 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2827 CHECK(scratch != NULL);
2828 n_points_supported = secp256k1_pippenger_max_points(scratch);
2829 if (n_points_supported == 0) {
2830 secp256k1_scratch_destroy(scratch);
2833 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2834 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2835 secp256k1_scratch_deallocate_frame(scratch);
2836 secp256k1_scratch_destroy(scratch);
2838 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2842 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2843 * 1 <= i <= num points.
2845 void test_ecmult_multi_batching(void) {
2846 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2847 secp256k1_scalar scG;
2848 secp256k1_scalar szero;
2849 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2850 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2853 ecmult_multi_data data;
2855 secp256k1_scratch *scratch;
2857 secp256k1_gej_set_infinity(&r2);
2858 secp256k1_scalar_set_int(&szero, 0);
2860 /* Get random scalars and group elements and compute result */
2861 random_scalar_order(&scG);
2862 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2863 for(i = 0; i < n_points; i++) {
2866 random_group_element_test(&ptg);
2867 secp256k1_gej_set_ge(&ptgj, &ptg);
2869 random_scalar_order(&sc[i]);
2870 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2871 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2876 /* Test with empty scratch space */
2877 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2878 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2879 secp256k1_scratch_destroy(scratch);
2881 /* Test with space for 1 point in pippenger. That's not enough because
2882 * ecmult_multi selects strauss which requires more memory. */
2883 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2884 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2885 secp256k1_scratch_destroy(scratch);
2887 secp256k1_gej_neg(&r2, &r2);
2888 for(i = 1; i <= n_points; i++) {
2889 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2890 int bucket_window = secp256k1_pippenger_bucket_window(i);
2891 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2892 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2894 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2895 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2897 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2898 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2899 CHECK(secp256k1_gej_is_infinity(&r));
2900 secp256k1_scratch_destroy(scratch);
2906 void run_ecmult_multi_tests(void) {
2907 secp256k1_scratch *scratch;
2909 test_secp256k1_pippenger_bucket_window_inv();
2910 test_ecmult_multi_pippenger_max_points();
2911 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2912 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2913 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2914 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2915 secp256k1_scratch_destroy(scratch);
2917 /* Run test_ecmult_multi with space for exactly one point */
2918 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2919 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2920 secp256k1_scratch_destroy(scratch);
2922 test_ecmult_multi_batching();
2925 void test_wnaf(const secp256k1_scalar *number, int w) {
2926 secp256k1_scalar x, two, t;
2931 secp256k1_scalar_set_int(&x, 0);
2932 secp256k1_scalar_set_int(&two, 2);
2933 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2935 for (i = bits-1; i >= 0; i--) {
2937 secp256k1_scalar_mul(&x, &x, &two);
2939 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2941 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2942 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2943 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2945 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2949 secp256k1_scalar_set_int(&t, v);
2951 secp256k1_scalar_set_int(&t, -v);
2952 secp256k1_scalar_negate(&t, &t);
2954 secp256k1_scalar_add(&x, &x, &t);
2956 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2959 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2960 secp256k1_scalar neg1 = *number;
2961 secp256k1_scalar neg2 = *number;
2965 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2966 secp256k1_scalar_negate(&neg1, &neg1);
2969 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2970 CHECK(sign1 == sign2);
2971 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2974 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2975 secp256k1_scalar x, shift;
2976 int wnaf[256] = {0};
2980 secp256k1_scalar num = *number;
2982 secp256k1_scalar_set_int(&x, 0);
2983 secp256k1_scalar_set_int(&shift, 1 << w);
2984 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2985 #ifdef USE_ENDOMORPHISM
2986 for (i = 0; i < 16; ++i) {
2987 secp256k1_scalar_shr_int(&num, 8);
2991 skew = secp256k1_wnaf_const(wnaf, num, w, bits);
2993 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
2996 CHECK(v != 0); /* check nonzero */
2997 CHECK(v & 1); /* check parity */
2998 CHECK(v > -(1 << w)); /* check range above */
2999 CHECK(v < (1 << w)); /* check range below */
3001 secp256k1_scalar_mul(&x, &x, &shift);
3003 secp256k1_scalar_set_int(&t, v);
3005 secp256k1_scalar_set_int(&t, -v);
3006 secp256k1_scalar_negate(&t, &t);
3008 secp256k1_scalar_add(&x, &x, &t);
3010 /* Skew num because when encoding numbers as odd we use an offset */
3011 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3012 CHECK(secp256k1_scalar_eq(&x, &num));
3015 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3016 secp256k1_scalar x, shift;
3017 int wnaf[256] = {0};
3020 secp256k1_scalar num = *number;
3022 secp256k1_scalar_set_int(&x, 0);
3023 secp256k1_scalar_set_int(&shift, 1 << w);
3024 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3025 #ifdef USE_ENDOMORPHISM
3026 for (i = 0; i < 16; ++i) {
3027 secp256k1_scalar_shr_int(&num, 8);
3030 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3032 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3035 CHECK(v == 0 || v & 1); /* check parity */
3036 CHECK(v > -(1 << w)); /* check range above */
3037 CHECK(v < (1 << w)); /* check range below */
3039 secp256k1_scalar_mul(&x, &x, &shift);
3041 secp256k1_scalar_set_int(&t, v);
3043 secp256k1_scalar_set_int(&t, -v);
3044 secp256k1_scalar_negate(&t, &t);
3046 secp256k1_scalar_add(&x, &x, &t);
3048 /* If skew is 1 then add 1 to num */
3049 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3050 CHECK(secp256k1_scalar_eq(&x, &num));
3053 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3055 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3057 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3058 CHECK(wnaf[i] == 0);
3060 for (i = 7; i >= 0; --i) {
3061 CHECK(wnaf[i] == wnaf_expected[i]);
3065 void test_fixed_wnaf_small(void) {
3067 int wnaf[256] = {0};
3070 secp256k1_scalar num;
3072 secp256k1_scalar_set_int(&num, 0);
3073 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3074 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3080 secp256k1_scalar_set_int(&num, 1);
3081 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3082 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3086 CHECK(wnaf[0] == 1);
3090 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3091 secp256k1_scalar_set_int(&num, 0xffffffff);
3092 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3093 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3097 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3098 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3099 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3100 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3104 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3105 secp256k1_scalar_set_int(&num, 0x01010101);
3106 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3107 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3111 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3112 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3113 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3114 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3119 void run_wnaf(void) {
3121 secp256k1_scalar n = {{0}};
3123 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3124 * have easier-to-diagnose failure modes */
3126 test_constant_wnaf(&n, 4);
3128 test_constant_wnaf(&n, 4);
3130 test_fixed_wnaf_small();
3132 for (i = 0; i < count; i++) {
3133 random_scalar_order(&n);
3134 test_wnaf(&n, 4+(i%10));
3135 test_constant_wnaf_negate(&n);
3136 test_constant_wnaf(&n, 4 + (i % 10));
3137 test_fixed_wnaf(&n, 4 + (i % 10));
3139 secp256k1_scalar_set_int(&n, 0);
3140 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3141 CHECK(secp256k1_scalar_is_zero(&n));
3142 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3143 CHECK(secp256k1_scalar_is_zero(&n));
3146 void test_ecmult_constants(void) {
3147 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3153 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3154 for (i = 0; i < 36; i++ ) {
3155 secp256k1_scalar_set_int(&x, i);
3156 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3157 for (j = 0; j < i; j++) {
3159 ge_equals_gej(&secp256k1_ge_const_g, &r);
3161 secp256k1_gej_add_ge(&r, &r, &ng);
3163 CHECK(secp256k1_gej_is_infinity(&r));
3165 for (i = 1; i <= 36; i++ ) {
3166 secp256k1_scalar_set_int(&x, i);
3167 secp256k1_scalar_negate(&x, &x);
3168 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3169 for (j = 0; j < i; j++) {
3171 ge_equals_gej(&ng, &r);
3173 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3175 CHECK(secp256k1_gej_is_infinity(&r));
3179 void run_ecmult_constants(void) {
3180 test_ecmult_constants();
3183 void test_ecmult_gen_blind(void) {
3184 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3185 secp256k1_scalar key;
3187 unsigned char seed32[32];
3189 secp256k1_gej pgej2;
3192 random_scalar_order_test(&key);
3193 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3194 secp256k1_rand256(seed32);
3195 b = ctx->ecmult_gen_ctx.blind;
3196 i = ctx->ecmult_gen_ctx.initial;
3197 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3198 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3199 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3200 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3201 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3202 secp256k1_ge_set_gej(&pge, &pgej);
3203 ge_equals_gej(&pge, &pgej2);
3206 void test_ecmult_gen_blind_reset(void) {
3207 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3209 secp256k1_gej initial;
3210 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3211 b = ctx->ecmult_gen_ctx.blind;
3212 initial = ctx->ecmult_gen_ctx.initial;
3213 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3214 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3215 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3218 void run_ecmult_gen_blind(void) {
3220 test_ecmult_gen_blind_reset();
3221 for (i = 0; i < 10; i++) {
3222 test_ecmult_gen_blind();
3226 #ifdef USE_ENDOMORPHISM
3227 /***** ENDOMORPHISH TESTS *****/
3228 void test_scalar_split(void) {
3229 secp256k1_scalar full;
3230 secp256k1_scalar s1, slam;
3231 const unsigned char zero[32] = {0};
3232 unsigned char tmp[32];
3234 random_scalar_order_test(&full);
3235 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3237 /* check that both are <= 128 bits in size */
3238 if (secp256k1_scalar_is_high(&s1)) {
3239 secp256k1_scalar_negate(&s1, &s1);
3241 if (secp256k1_scalar_is_high(&slam)) {
3242 secp256k1_scalar_negate(&slam, &slam);
3245 secp256k1_scalar_get_b32(tmp, &s1);
3246 CHECK(memcmp(zero, tmp, 16) == 0);
3247 secp256k1_scalar_get_b32(tmp, &slam);
3248 CHECK(memcmp(zero, tmp, 16) == 0);
3251 void run_endomorphism_tests(void) {
3252 test_scalar_split();
3256 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3257 unsigned char pubkeyc[65];
3258 secp256k1_pubkey pubkey;
3263 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3264 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3265 /* Smaller sizes are tested exhaustively elsewhere. */
3267 memcpy(&pubkeyc[1], input, 64);
3268 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3269 for (i = 0; i < 256; i++) {
3270 /* Try all type bytes. */
3275 /* What sign does this point have? */
3276 ysign = (input[63] & 1) + 2;
3277 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3278 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3279 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3280 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3281 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3282 if (xpass || ypass) {
3283 /* These cases must parse. */
3284 unsigned char pubkeyo[65];
3286 memset(&pubkey, 0, sizeof(pubkey));
3287 VG_UNDEF(&pubkey, sizeof(pubkey));
3289 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3290 VG_CHECK(&pubkey, sizeof(pubkey));
3292 VG_UNDEF(pubkeyo, 65);
3293 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3294 VG_CHECK(pubkeyo, outl);
3296 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3297 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3299 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3300 CHECK(pubkeyo[0] == ysign);
3301 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3302 memset(&pubkey, 0, sizeof(pubkey));
3303 VG_UNDEF(&pubkey, sizeof(pubkey));
3304 secp256k1_pubkey_save(&pubkey, &ge);
3305 VG_CHECK(&pubkey, sizeof(pubkey));
3307 VG_UNDEF(pubkeyo, 65);
3308 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3309 VG_CHECK(pubkeyo, outl);
3311 CHECK(pubkeyo[0] == 4);
3312 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3316 /* These cases must fail to parse. */
3317 memset(&pubkey, 0xfe, sizeof(pubkey));
3319 VG_UNDEF(&pubkey, sizeof(pubkey));
3320 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3321 VG_CHECK(&pubkey, sizeof(pubkey));
3323 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3328 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3331 void run_ec_pubkey_parse_test(void) {
3332 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3333 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3335 /* Point with leading and trailing zeros in x and y serialization. */
3336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3338 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3339 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3342 /* Point with x equal to a 3rd root of unity.*/
3343 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3344 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3345 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3346 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3349 /* Point with largest x. (1/2) */
3350 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3351 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3352 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3353 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3356 /* Point with largest x. (2/2) */
3357 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3359 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3360 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3363 /* Point with smallest x. (1/2) */
3364 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3365 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3366 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3367 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3370 /* Point with smallest x. (2/2) */
3371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3373 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3374 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3377 /* Point with largest y. (1/3) */
3378 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3379 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3381 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3384 /* Point with largest y. (2/3) */
3385 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3386 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3387 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3388 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3391 /* Point with largest y. (3/3) */
3392 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3393 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3394 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3395 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3398 /* Point with smallest y. (1/3) */
3399 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3400 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3401 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3402 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3405 /* Point with smallest y. (2/3) */
3406 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3407 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3408 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3409 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3412 /* Point with smallest y. (3/3) */
3413 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3414 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3419 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3420 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3422 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3423 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3424 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3425 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3426 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3429 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3430 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3431 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3432 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3433 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3436 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3437 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3438 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3439 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3440 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3443 /* x on curve, y is from y^2 = x^3 + 8. */
3444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3446 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3450 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3451 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3453 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3454 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3455 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3460 /* Valid if x overflow ignored (x = 1 mod p). */
3461 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3462 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3463 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3464 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3467 /* Valid if x overflow ignored (x = 1 mod p). */
3468 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3469 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3470 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3471 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3474 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3475 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3476 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3477 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3478 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3481 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3482 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3483 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3484 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3485 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3488 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3491 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3492 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3495 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3498 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3499 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3502 const unsigned char pubkeyc[66] = {
3503 /* Serialization of G. */
3504 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3505 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3506 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3507 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3510 unsigned char sout[65];
3511 unsigned char shortkey[2];
3513 secp256k1_pubkey pubkey;
3519 /* Nothing should be reading this far into pubkeyc. */
3520 VG_UNDEF(&pubkeyc[65], 1);
3521 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3522 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3523 memset(&pubkey, 0xfe, sizeof(pubkey));
3525 VG_UNDEF(shortkey, 2);
3526 VG_UNDEF(&pubkey, sizeof(pubkey));
3527 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3528 VG_CHECK(&pubkey, sizeof(pubkey));
3530 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3532 /* Length one claimed, fail, zeroize, no illegal arg error. */
3533 for (i = 0; i < 256 ; i++) {
3534 memset(&pubkey, 0xfe, sizeof(pubkey));
3537 VG_UNDEF(&shortkey[1], 1);
3538 VG_UNDEF(&pubkey, sizeof(pubkey));
3539 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3540 VG_CHECK(&pubkey, sizeof(pubkey));
3542 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3545 /* Length two claimed, fail, zeroize, no illegal arg error. */
3546 for (i = 0; i < 65536 ; i++) {
3547 memset(&pubkey, 0xfe, sizeof(pubkey));
3549 shortkey[0] = i & 255;
3550 shortkey[1] = i >> 8;
3551 VG_UNDEF(&pubkey, sizeof(pubkey));
3552 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3553 VG_CHECK(&pubkey, sizeof(pubkey));
3555 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3558 memset(&pubkey, 0xfe, sizeof(pubkey));
3560 VG_UNDEF(&pubkey, sizeof(pubkey));
3561 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3562 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3563 VG_CHECK(&pubkey, sizeof(pubkey));
3565 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3567 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3568 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3570 /* NULL input string. Illegal arg and zeroize output. */
3571 memset(&pubkey, 0xfe, sizeof(pubkey));
3573 VG_UNDEF(&pubkey, sizeof(pubkey));
3574 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3575 VG_CHECK(&pubkey, sizeof(pubkey));
3577 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3579 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3580 memset(&pubkey, 0xfe, sizeof(pubkey));
3582 VG_UNDEF(&pubkey, sizeof(pubkey));
3583 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3584 VG_CHECK(&pubkey, sizeof(pubkey));
3586 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3588 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3589 memset(&pubkey, 0xfe, sizeof(pubkey));
3591 VG_UNDEF(&pubkey, sizeof(pubkey));
3592 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3593 VG_CHECK(&pubkey, sizeof(pubkey));
3595 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3598 memset(&pubkey, 0, sizeof(pubkey));
3600 VG_UNDEF(&pubkey, sizeof(pubkey));
3601 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3602 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3603 VG_CHECK(&pubkey, sizeof(pubkey));
3605 VG_UNDEF(&ge, sizeof(ge));
3606 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3607 VG_CHECK(&ge.x, sizeof(ge.x));
3608 VG_CHECK(&ge.y, sizeof(ge.y));
3609 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3610 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3612 /* secp256k1_ec_pubkey_serialize illegal args. */
3615 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3618 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3622 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3627 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3632 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3636 /* Multiple illegal args. Should still set arg error only once. */
3639 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3641 /* Does the illegal arg callback actually change the behavior? */
3642 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3643 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3645 CHECK(ecount2 == 10);
3646 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3647 /* Try a bunch of prefabbed points with all possible encodings. */
3648 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3649 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3651 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3652 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3654 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3655 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3659 void run_eckey_edge_case_test(void) {
3660 const unsigned char orderc[32] = {
3661 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3662 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3663 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3664 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3666 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3667 unsigned char ctmp[33];
3668 unsigned char ctmp2[33];
3669 secp256k1_pubkey pubkey;
3670 secp256k1_pubkey pubkey2;
3671 secp256k1_pubkey pubkey_one;
3672 secp256k1_pubkey pubkey_negone;
3673 const secp256k1_pubkey *pubkeys[3];
3676 /* Group order is too large, reject. */
3677 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3678 VG_UNDEF(&pubkey, sizeof(pubkey));
3679 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3680 VG_CHECK(&pubkey, sizeof(pubkey));
3681 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3682 /* Maximum value is too large, reject. */
3683 memset(ctmp, 255, 32);
3684 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3685 memset(&pubkey, 1, sizeof(pubkey));
3686 VG_UNDEF(&pubkey, sizeof(pubkey));
3687 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3688 VG_CHECK(&pubkey, sizeof(pubkey));
3689 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3690 /* Zero is too small, reject. */
3691 memset(ctmp, 0, 32);
3692 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3693 memset(&pubkey, 1, sizeof(pubkey));
3694 VG_UNDEF(&pubkey, sizeof(pubkey));
3695 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3696 VG_CHECK(&pubkey, sizeof(pubkey));
3697 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3698 /* One must be accepted. */
3700 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3701 memset(&pubkey, 0, sizeof(pubkey));
3702 VG_UNDEF(&pubkey, sizeof(pubkey));
3703 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3704 VG_CHECK(&pubkey, sizeof(pubkey));
3705 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3706 pubkey_one = pubkey;
3707 /* Group order + 1 is too large, reject. */
3708 memcpy(ctmp, orderc, 32);
3710 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3711 memset(&pubkey, 1, sizeof(pubkey));
3712 VG_UNDEF(&pubkey, sizeof(pubkey));
3713 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3714 VG_CHECK(&pubkey, sizeof(pubkey));
3715 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3716 /* -1 must be accepted. */
3718 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3719 memset(&pubkey, 0, sizeof(pubkey));
3720 VG_UNDEF(&pubkey, sizeof(pubkey));
3721 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3722 VG_CHECK(&pubkey, sizeof(pubkey));
3723 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3724 pubkey_negone = pubkey;
3725 /* Tweak of zero leaves the value unchanged. */
3726 memset(ctmp2, 0, 32);
3727 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3728 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3729 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3730 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3731 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3732 /* Multiply tweak of zero zeroizes the output. */
3733 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3734 CHECK(memcmp(zeros, ctmp, 32) == 0);
3735 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3736 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3737 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3738 /* Overflowing key tweak zeroizes. */
3739 memcpy(ctmp, orderc, 32);
3741 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3742 CHECK(memcmp(zeros, ctmp, 32) == 0);
3743 memcpy(ctmp, orderc, 32);
3745 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3746 CHECK(memcmp(zeros, ctmp, 32) == 0);
3747 memcpy(ctmp, orderc, 32);
3749 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3750 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3751 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3752 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3753 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3754 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3755 /* Private key tweaks results in a key of zero. */
3757 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3758 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3760 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3761 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3762 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3763 /* Tweak computation wraps and results in a key of 1. */
3765 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3766 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3768 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3770 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3771 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3772 /* Tweak mul * 2 = 1+1. */
3773 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3775 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3776 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3777 /* Test argument errors. */
3779 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3781 /* Zeroize pubkey on parse error. */
3782 memset(&pubkey, 0, 32);
3783 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3785 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3786 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3787 memset(&pubkey2, 0, 32);
3788 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3790 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3791 /* Plain argument errors. */
3793 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3795 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3798 memset(ctmp2, 0, 32);
3800 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3802 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3805 memset(ctmp2, 0, 32);
3807 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3809 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3812 memset(ctmp2, 0, 32);
3813 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3815 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3818 memset(ctmp2, 0, 32);
3820 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3822 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3825 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3827 memset(&pubkey, 1, sizeof(pubkey));
3828 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3830 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3831 /* secp256k1_ec_pubkey_combine tests. */
3833 pubkeys[0] = &pubkey_one;
3834 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3835 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3836 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3837 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3838 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3839 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3840 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3841 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3843 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3844 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3846 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3847 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3848 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3849 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3850 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3852 pubkeys[0] = &pubkey_negone;
3853 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3854 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3855 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3856 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3857 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3860 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3861 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3862 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3863 /* Result is infinity. */
3864 pubkeys[0] = &pubkey_one;
3865 pubkeys[1] = &pubkey_negone;
3866 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3867 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3868 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3869 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3870 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3872 /* Passes through infinity but comes out one. */
3873 pubkeys[2] = &pubkey_one;
3874 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3875 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3876 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3877 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3878 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3881 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3882 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3883 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3885 pubkeys[1] = &pubkey_one;
3886 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3887 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3888 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3889 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3890 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3892 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3895 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3896 secp256k1_scalar nonce;
3898 random_scalar_order_test(&nonce);
3899 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3902 void test_ecdsa_sign_verify(void) {
3905 secp256k1_scalar one;
3906 secp256k1_scalar msg, key;
3907 secp256k1_scalar sigr, sigs;
3910 random_scalar_order_test(&msg);
3911 random_scalar_order_test(&key);
3912 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3913 secp256k1_ge_set_gej(&pub, &pubj);
3914 getrec = secp256k1_rand_bits(1);
3915 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3917 CHECK(recid >= 0 && recid < 4);
3919 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3920 secp256k1_scalar_set_int(&one, 1);
3921 secp256k1_scalar_add(&msg, &msg, &one);
3922 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3925 void run_ecdsa_sign_verify(void) {
3927 for (i = 0; i < 10*count; i++) {
3928 test_ecdsa_sign_verify();
3932 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3933 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3937 memcpy(nonce32, data, 32);
3938 return (counter == 0);
3941 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3942 /* Dummy nonce generator that has a fatal error on the first counter value. */
3946 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3949 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3950 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3952 memset(nonce32, counter==0 ? 0 : 255, 32);
3959 static const unsigned char order[] = {
3960 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3961 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3962 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3963 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3965 memcpy(nonce32, order, 32);
3971 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3972 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3976 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3979 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3980 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3981 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3984 void test_ecdsa_end_to_end(void) {
3985 unsigned char extra[32] = {0x00};
3986 unsigned char privkey[32];
3987 unsigned char message[32];
3988 unsigned char privkey2[32];
3989 secp256k1_ecdsa_signature signature[6];
3990 secp256k1_scalar r, s;
3991 unsigned char sig[74];
3993 unsigned char pubkeyc[65];
3994 size_t pubkeyclen = 65;
3995 secp256k1_pubkey pubkey;
3996 secp256k1_pubkey pubkey_tmp;
3997 unsigned char seckey[300];
3998 size_t seckeylen = 300;
4000 /* Generate a random key and message. */
4002 secp256k1_scalar msg, key;
4003 random_scalar_order_test(&msg);
4004 random_scalar_order_test(&key);
4005 secp256k1_scalar_get_b32(privkey, &key);
4006 secp256k1_scalar_get_b32(message, &msg);
4009 /* Construct and verify corresponding public key. */
4010 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4011 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4013 /* Verify exporting and importing public key. */
4014 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4015 memset(&pubkey, 0, sizeof(pubkey));
4016 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4018 /* Verify negation changes the key and changes it back */
4019 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4020 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4021 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4022 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4023 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4025 /* Verify private key import and export. */
4026 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4027 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4028 CHECK(memcmp(privkey, privkey2, 32) == 0);
4030 /* Optionally tweak the keys using addition. */
4031 if (secp256k1_rand_int(3) == 0) {
4034 unsigned char rnd[32];
4035 secp256k1_pubkey pubkey2;
4036 secp256k1_rand256_test(rnd);
4037 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4038 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4039 CHECK(ret1 == ret2);
4043 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4044 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4047 /* Optionally tweak the keys using multiplication. */
4048 if (secp256k1_rand_int(3) == 0) {
4051 unsigned char rnd[32];
4052 secp256k1_pubkey pubkey2;
4053 secp256k1_rand256_test(rnd);
4054 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4055 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4056 CHECK(ret1 == ret2);
4060 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4061 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4065 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4066 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4067 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4069 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4072 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4073 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4074 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4075 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4076 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4077 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4078 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4079 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4081 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4082 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4083 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4084 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4085 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4086 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4087 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4088 secp256k1_scalar_negate(&s, &s);
4089 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4090 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4091 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4092 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4093 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4094 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4095 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4096 secp256k1_scalar_negate(&s, &s);
4097 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4098 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4099 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4100 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4102 /* Serialize/parse DER and verify again */
4103 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4104 memset(&signature[0], 0, sizeof(signature[0]));
4105 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4106 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4107 /* Serialize/destroy/parse DER and verify again. */
4109 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4110 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4111 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4112 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4115 void test_random_pubkeys(void) {
4118 unsigned char in[65];
4119 /* Generate some randomly sized pubkeys. */
4120 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4121 if (secp256k1_rand_bits(2) == 0) {
4122 len = secp256k1_rand_bits(6);
4125 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4127 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4129 if (secp256k1_rand_bits(3) == 0) {
4130 in[0] = secp256k1_rand_bits(8);
4133 secp256k1_rand256(&in[1]);
4136 secp256k1_rand256(&in[33]);
4138 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4139 unsigned char out[65];
4140 unsigned char firstb;
4144 /* If the pubkey can be parsed, it should round-trip... */
4145 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4147 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4148 /* ... except for the type of hybrid inputs. */
4149 if ((in[0] != 6) && (in[0] != 7)) {
4150 CHECK(in[0] == out[0]);
4153 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4155 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4156 ge_equals_ge(&elem,&elem2);
4157 /* Check that the X9.62 hybrid type is checked. */
4158 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4159 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4160 if (firstb == 2 || firstb == 3) {
4161 if (in[0] == firstb + 4) {
4168 ge_equals_ge(&elem,&elem2);
4169 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4170 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4175 void run_random_pubkeys(void) {
4177 for (i = 0; i < 10*count; i++) {
4178 test_random_pubkeys();
4182 void run_ecdsa_end_to_end(void) {
4184 for (i = 0; i < 64*count; i++) {
4185 test_ecdsa_end_to_end();
4189 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4190 static const unsigned char zeroes[32] = {0};
4191 #ifdef ENABLE_OPENSSL_TESTS
4192 static const unsigned char max_scalar[32] = {
4193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4194 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4195 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4196 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4202 secp256k1_ecdsa_signature sig_der;
4203 unsigned char roundtrip_der[2048];
4204 unsigned char compact_der[64];
4205 size_t len_der = 2048;
4206 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4208 secp256k1_ecdsa_signature sig_der_lax;
4209 unsigned char roundtrip_der_lax[2048];
4210 unsigned char compact_der_lax[64];
4211 size_t len_der_lax = 2048;
4212 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4214 #ifdef ENABLE_OPENSSL_TESTS
4215 ECDSA_SIG *sig_openssl;
4216 const BIGNUM *r = NULL, *s = NULL;
4217 const unsigned char *sigptr;
4218 unsigned char roundtrip_openssl[2048];
4219 int len_openssl = 2048;
4220 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4223 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4225 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4226 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4229 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4230 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4233 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4234 if (parsed_der_lax) {
4235 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4236 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4238 if (valid_der_lax) {
4239 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4240 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4243 if (certainly_der) {
4244 ret |= (!parsed_der) << 2;
4246 if (certainly_not_der) {
4247 ret |= (parsed_der) << 17;
4250 ret |= (!roundtrips_der) << 3;
4254 ret |= (!roundtrips_der_lax) << 12;
4255 ret |= (len_der != len_der_lax) << 13;
4256 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4258 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4260 ret |= (!parsed_der_lax) << 16;
4263 #ifdef ENABLE_OPENSSL_TESTS
4264 sig_openssl = ECDSA_SIG_new();
4266 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4267 if (parsed_openssl) {
4268 ECDSA_SIG_get0(sig_openssl, &r, &s);
4269 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4270 if (valid_openssl) {
4271 unsigned char tmp[32] = {0};
4272 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4273 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4275 if (valid_openssl) {
4276 unsigned char tmp[32] = {0};
4277 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4278 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4281 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4282 if (len_openssl <= 2048) {
4283 unsigned char *ptr = roundtrip_openssl;
4284 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4285 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4289 ECDSA_SIG_free(sig_openssl);
4291 ret |= (parsed_der && !parsed_openssl) << 4;
4292 ret |= (valid_der && !valid_openssl) << 5;
4293 ret |= (roundtrips_openssl && !parsed_der) << 6;
4294 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4295 if (roundtrips_openssl) {
4296 ret |= (len_der != (size_t)len_openssl) << 8;
4297 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4303 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4305 for (i = 0; i < ptrlen; i++) {
4306 int shift = ptrlen - 1 - i;
4310 ptr[i] = (val >> shift) & 0xFF;
4315 static void damage_array(unsigned char *sig, size_t *len) {
4317 int action = secp256k1_rand_bits(3);
4318 if (action < 1 && *len > 3) {
4319 /* Delete a byte. */
4320 pos = secp256k1_rand_int(*len);
4321 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4324 } else if (action < 2 && *len < 2048) {
4325 /* Insert a byte. */
4326 pos = secp256k1_rand_int(1 + *len);
4327 memmove(sig + pos + 1, sig + pos, *len - pos);
4328 sig[pos] = secp256k1_rand_bits(8);
4331 } else if (action < 4) {
4332 /* Modify a byte. */
4333 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4335 } else { /* action < 8 */
4337 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4342 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4344 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4345 size_t tlen, elen, glen;
4350 der = secp256k1_rand_bits(2) == 0;
4351 *certainly_der = der;
4352 *certainly_not_der = 0;
4353 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4355 for (n = 0; n < 2; n++) {
4356 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4357 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4358 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4359 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4360 CHECK(nlen[n] <= 232);
4361 /* The top bit of the number. */
4362 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4363 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4364 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4365 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4366 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4367 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4368 *certainly_not_der = 1;
4370 CHECK(nlen[n] + nzlen[n] <= 300);
4371 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4372 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4374 /* nlenlen[n] max 127 bytes */
4375 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4378 *certainly_not_der = 1;
4381 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4384 /* The total length of the data to go, so far */
4385 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4388 /* The length of the garbage inside the tuple. */
4389 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4391 *certainly_not_der = 1;
4396 /* The length of the garbage after the end of the tuple. */
4397 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4399 *certainly_not_der = 1;
4401 CHECK(tlen + glen <= 990);
4403 /* Write the tuple header. */
4404 sig[(*len)++] = 0x30;
4406 /* Indeterminate length */
4407 sig[(*len)++] = 0x80;
4408 *certainly_not_der = 1;
4410 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4412 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4415 *certainly_not_der = 1;
4419 /* Short length notation */
4420 sig[(*len)++] = tlen;
4422 /* Long length notation */
4423 sig[(*len)++] = 128 + tlenlen;
4424 assign_big_endian(sig + *len, tlenlen, tlen);
4430 CHECK(tlen + glen <= 1119);
4432 for (n = 0; n < 2; n++) {
4433 /* Write the integer header. */
4434 sig[(*len)++] = 0x02;
4435 if (nlenlen[n] == 0) {
4436 /* Short length notation */
4437 sig[(*len)++] = nlen[n] + nzlen[n];
4439 /* Long length notation. */
4440 sig[(*len)++] = 128 + nlenlen[n];
4441 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4444 /* Write zero padding */
4445 while (nzlen[n] > 0) {
4446 sig[(*len)++] = 0x00;
4449 if (nlen[n] == 32 && !nlow[n]) {
4450 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4452 for (i = 0; i < 16; i++) {
4453 sig[(*len)++] = 0xFF;
4457 /* Write first byte of number */
4459 sig[(*len)++] = nhbyte[n];
4462 /* Generate remaining random bytes of number */
4463 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4468 /* Generate random garbage inside tuple. */
4469 secp256k1_rand_bytes_test(sig + *len, elen);
4472 /* Generate end-of-contents bytes. */
4478 CHECK(tlen + glen <= 1121);
4480 /* Generate random garbage outside tuple. */
4481 secp256k1_rand_bytes_test(sig + *len, glen);
4484 CHECK(tlen <= 1121);
4485 CHECK(tlen == *len);
4488 void run_ecdsa_der_parse(void) {
4490 for (i = 0; i < 200 * count; i++) {
4491 unsigned char buffer[2048];
4493 int certainly_der = 0;
4494 int certainly_not_der = 0;
4495 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4496 CHECK(buflen <= 2048);
4497 for (j = 0; j < 16; j++) {
4500 damage_array(buffer, &buflen);
4501 /* We don't know anything anymore about the DERness of the result */
4503 certainly_not_der = 0;
4505 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4508 fprintf(stderr, "Failure %x on ", ret);
4509 for (k = 0; k < buflen; k++) {
4510 fprintf(stderr, "%02x ", buffer[k]);
4512 fprintf(stderr, "\n");
4519 /* Tests several edge cases. */
4520 void test_ecdsa_edge_cases(void) {
4522 secp256k1_ecdsa_signature sig;
4524 /* Test the case where ECDSA recomputes a point that is infinity. */
4528 secp256k1_scalar msg;
4529 secp256k1_scalar sr, ss;
4530 secp256k1_scalar_set_int(&ss, 1);
4531 secp256k1_scalar_negate(&ss, &ss);
4532 secp256k1_scalar_inverse(&ss, &ss);
4533 secp256k1_scalar_set_int(&sr, 1);
4534 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4535 secp256k1_ge_set_gej(&key, &keyj);
4537 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4540 /* Verify signature with r of zero fails. */
4542 const unsigned char pubkey_mods_zero[33] = {
4543 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4544 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4545 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4546 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4550 secp256k1_scalar msg;
4551 secp256k1_scalar sr, ss;
4552 secp256k1_scalar_set_int(&ss, 1);
4553 secp256k1_scalar_set_int(&msg, 0);
4554 secp256k1_scalar_set_int(&sr, 0);
4555 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4556 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4559 /* Verify signature with s of zero fails. */
4561 const unsigned char pubkey[33] = {
4562 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4565 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4569 secp256k1_scalar msg;
4570 secp256k1_scalar sr, ss;
4571 secp256k1_scalar_set_int(&ss, 0);
4572 secp256k1_scalar_set_int(&msg, 0);
4573 secp256k1_scalar_set_int(&sr, 1);
4574 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4575 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4578 /* Verify signature with message 0 passes. */
4580 const unsigned char pubkey[33] = {
4581 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4587 const unsigned char pubkey2[33] = {
4588 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4589 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4590 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4591 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4596 secp256k1_scalar msg;
4597 secp256k1_scalar sr, ss;
4598 secp256k1_scalar_set_int(&ss, 2);
4599 secp256k1_scalar_set_int(&msg, 0);
4600 secp256k1_scalar_set_int(&sr, 2);
4601 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4602 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4603 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4604 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4605 secp256k1_scalar_negate(&ss, &ss);
4606 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4607 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4608 secp256k1_scalar_set_int(&ss, 1);
4609 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4610 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4613 /* Verify signature with message 1 passes. */
4615 const unsigned char pubkey[33] = {
4616 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4617 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4618 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4619 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4622 const unsigned char pubkey2[33] = {
4623 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4624 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4625 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4626 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4629 const unsigned char csr[32] = {
4630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4631 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4632 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4633 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4637 secp256k1_scalar msg;
4638 secp256k1_scalar sr, ss;
4639 secp256k1_scalar_set_int(&ss, 1);
4640 secp256k1_scalar_set_int(&msg, 1);
4641 secp256k1_scalar_set_b32(&sr, csr, NULL);
4642 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4643 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4644 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4645 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4646 secp256k1_scalar_negate(&ss, &ss);
4647 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4648 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4649 secp256k1_scalar_set_int(&ss, 2);
4650 secp256k1_scalar_inverse_var(&ss, &ss);
4651 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4652 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4655 /* Verify signature with message -1 passes. */
4657 const unsigned char pubkey[33] = {
4658 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4659 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4660 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4661 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4664 const unsigned char csr[32] = {
4665 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4666 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4667 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4668 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4671 secp256k1_scalar msg;
4672 secp256k1_scalar sr, ss;
4673 secp256k1_scalar_set_int(&ss, 1);
4674 secp256k1_scalar_set_int(&msg, 1);
4675 secp256k1_scalar_negate(&msg, &msg);
4676 secp256k1_scalar_set_b32(&sr, csr, NULL);
4677 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4678 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4679 secp256k1_scalar_negate(&ss, &ss);
4680 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4681 secp256k1_scalar_set_int(&ss, 3);
4682 secp256k1_scalar_inverse_var(&ss, &ss);
4683 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4686 /* Signature where s would be zero. */
4688 secp256k1_pubkey pubkey;
4691 unsigned char signature[72];
4692 static const unsigned char nonce[32] = {
4693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4698 static const unsigned char nonce2[32] = {
4699 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4700 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4701 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4702 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4704 const unsigned char key[32] = {
4705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4710 unsigned char msg[32] = {
4711 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4712 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4713 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4714 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4717 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4718 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4719 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4721 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4723 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4725 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4727 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4729 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4730 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4731 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4733 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4735 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4737 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4739 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4741 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4742 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4745 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4747 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4748 CHECK(ecount == 10);
4749 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4750 CHECK(ecount == 11);
4751 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4752 CHECK(ecount == 11);
4753 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4754 CHECK(ecount == 12);
4755 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4756 CHECK(ecount == 13);
4757 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4758 CHECK(ecount == 13);
4760 /* Too little room for a signature does not fail via ARGCHECK. */
4761 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4762 CHECK(ecount == 13);
4764 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4766 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4768 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4770 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4772 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4774 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4776 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4778 memset(signature, 255, 64);
4779 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4781 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4784 /* Nonce function corner cases. */
4785 for (t = 0; t < 2; t++) {
4786 static const unsigned char zero[32] = {0x00};
4788 unsigned char key[32];
4789 unsigned char msg[32];
4790 secp256k1_ecdsa_signature sig2;
4791 secp256k1_scalar sr[512], ss;
4792 const unsigned char *extra;
4793 extra = t == 0 ? NULL : zero;
4796 /* High key results in signature failure. */
4797 memset(key, 0xFF, 32);
4798 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4799 CHECK(is_empty_signature(&sig));
4800 /* Zero key results in signature failure. */
4802 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4803 CHECK(is_empty_signature(&sig));
4804 /* Nonce function failure results in signature failure. */
4806 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4807 CHECK(is_empty_signature(&sig));
4808 /* The retry loop successfully makes its way to the first good value. */
4809 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4810 CHECK(!is_empty_signature(&sig));
4811 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4812 CHECK(!is_empty_signature(&sig2));
4813 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4814 /* The default nonce function is deterministic. */
4815 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4816 CHECK(!is_empty_signature(&sig2));
4817 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4818 /* The default nonce function changes output with different messages. */
4819 for(i = 0; i < 256; i++) {
4822 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4823 CHECK(!is_empty_signature(&sig2));
4824 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4825 for (j = 0; j < i; j++) {
4826 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4831 /* The default nonce function changes output with different keys. */
4832 for(i = 256; i < 512; i++) {
4835 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4836 CHECK(!is_empty_signature(&sig2));
4837 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4838 for (j = 0; j < i; j++) {
4839 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4846 /* Check that optional nonce arguments do not have equivalent effect. */
4847 const unsigned char zeros[32] = {0};
4848 unsigned char nonce[32];
4849 unsigned char nonce2[32];
4850 unsigned char nonce3[32];
4851 unsigned char nonce4[32];
4853 VG_UNDEF(nonce2,32);
4854 VG_UNDEF(nonce3,32);
4855 VG_UNDEF(nonce4,32);
4856 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4858 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4859 VG_CHECK(nonce2,32);
4860 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4861 VG_CHECK(nonce3,32);
4862 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4863 VG_CHECK(nonce4,32);
4864 CHECK(memcmp(nonce, nonce2, 32) != 0);
4865 CHECK(memcmp(nonce, nonce3, 32) != 0);
4866 CHECK(memcmp(nonce, nonce4, 32) != 0);
4867 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4868 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4869 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4873 /* Privkey export where pubkey is the point at infinity. */
4875 unsigned char privkey[300];
4876 unsigned char seckey[32] = {
4877 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4878 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4879 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4880 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4882 size_t outlen = 300;
4883 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4885 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4889 void run_ecdsa_edge_cases(void) {
4890 test_ecdsa_edge_cases();
4893 #ifdef ENABLE_OPENSSL_TESTS
4894 EC_KEY *get_openssl_key(const unsigned char *key32) {
4895 unsigned char privkey[300];
4897 const unsigned char* pbegin = privkey;
4898 int compr = secp256k1_rand_bits(1);
4899 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4900 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4901 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4902 CHECK(EC_KEY_check_key(ec_key));
4906 void test_ecdsa_openssl(void) {
4909 secp256k1_scalar sigr, sigs;
4910 secp256k1_scalar one;
4911 secp256k1_scalar msg2;
4912 secp256k1_scalar key, msg;
4914 unsigned int sigsize = 80;
4915 size_t secp_sigsize = 80;
4916 unsigned char message[32];
4917 unsigned char signature[80];
4918 unsigned char key32[32];
4919 secp256k1_rand256_test(message);
4920 secp256k1_scalar_set_b32(&msg, message, NULL);
4921 random_scalar_order_test(&key);
4922 secp256k1_scalar_get_b32(key32, &key);
4923 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4924 secp256k1_ge_set_gej(&q, &qj);
4925 ec_key = get_openssl_key(key32);
4926 CHECK(ec_key != NULL);
4927 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4928 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4929 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4930 secp256k1_scalar_set_int(&one, 1);
4931 secp256k1_scalar_add(&msg2, &msg, &one);
4932 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4934 random_sign(&sigr, &sigs, &key, &msg, NULL);
4935 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4936 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4938 EC_KEY_free(ec_key);
4941 void run_ecdsa_openssl(void) {
4943 for (i = 0; i < 10*count; i++) {
4944 test_ecdsa_openssl();
4949 #ifdef ENABLE_MODULE_ECDH
4950 # include "modules/ecdh/tests_impl.h"
4953 #ifdef ENABLE_MODULE_RECOVERY
4954 # include "modules/recovery/tests_impl.h"
4957 int main(int argc, char **argv) {
4958 unsigned char seed16[16] = {0};
4959 unsigned char run32[32] = {0};
4960 /* find iteration count */
4962 count = strtol(argv[1], NULL, 0);
4965 /* find random seed */
4968 const char* ch = argv[2];
4969 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4971 if (sscanf(ch, "%2hx", &sh)) {
4980 FILE *frand = fopen("/dev/urandom", "r");
4981 if ((frand == NULL) || fread(&seed16, sizeof(seed16), 1, frand) != sizeof(seed16)) {
4982 uint64_t t = time(NULL) * (uint64_t)1337;
4984 seed16[1] ^= t >> 8;
4985 seed16[2] ^= t >> 16;
4986 seed16[3] ^= t >> 24;
4987 seed16[4] ^= t >> 32;
4988 seed16[5] ^= t >> 40;
4989 seed16[6] ^= t >> 48;
4990 seed16[7] ^= t >> 56;
4996 secp256k1_rand_seed(seed16);
4998 printf("test count = %i\n", count);
4999 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5002 run_context_tests();
5003 run_scratch_tests();
5004 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5005 if (secp256k1_rand_bits(1)) {
5006 secp256k1_rand256(run32);
5007 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5014 run_hmac_sha256_tests();
5015 run_rfc6979_hmac_sha256_tests();
5017 #ifndef USE_NUM_NONE
5019 run_num_smalltests();
5027 run_field_inv_var();
5028 run_field_inv_all_var();
5030 run_field_convert();
5036 run_group_decompress();
5040 run_point_times_order();
5042 run_ecmult_constants();
5043 run_ecmult_gen_blind();
5044 run_ecmult_const_tests();
5045 run_ecmult_multi_tests();
5048 /* endomorphism tests */
5049 #ifdef USE_ENDOMORPHISM
5050 run_endomorphism_tests();
5053 /* EC point parser test */
5054 run_ec_pubkey_parse_test();
5056 /* EC key edge cases */
5057 run_eckey_edge_case_test();
5059 #ifdef ENABLE_MODULE_ECDH
5065 run_random_pubkeys();
5066 run_ecdsa_der_parse();
5067 run_ecdsa_sign_verify();
5068 run_ecdsa_end_to_end();
5069 run_ecdsa_edge_cases();
5070 #ifdef ENABLE_OPENSSL_TESTS
5071 run_ecdsa_openssl();
5074 #ifdef ENABLE_MODULE_RECOVERY
5075 /* ECDSA pubkey recovery tests */
5076 run_recovery_tests();
5079 secp256k1_rand256(run32);
5080 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5083 secp256k1_context_destroy(ctx);
5085 printf("no problems found\n");
projects / secp256k1.git / blob