1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
35 #if !defined(VG_CHECK)
36 # if defined(VALGRIND)
37 # include <valgrind/memcheck.h>
38 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
41 # define VG_UNDEF(x,y)
42 # define VG_CHECK(x,y)
46 static int count = 64;
47 static secp256k1_context *ctx = NULL;
49 static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
57 static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
65 void random_field_element_test(secp256k1_fe *fe) {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
69 if (secp256k1_fe_set_b32(fe, b32)) {
75 void random_field_element_magnitude(secp256k1_fe *fe) {
77 int n = secp256k1_rand_int(9);
78 secp256k1_fe_normalize(fe);
82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
87 CHECK(fe->magnitude == n);
91 void random_group_element_test(secp256k1_ge *ge) {
94 random_field_element_test(&fe);
95 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
96 secp256k1_fe_normalize(&ge->y);
102 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
105 random_field_element_test(&gej->z);
106 if (!secp256k1_fe_is_zero(&gej->z)) {
110 secp256k1_fe_sqr(&z2, &gej->z);
111 secp256k1_fe_mul(&z3, &z2, &gej->z);
112 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
113 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
114 gej->infinity = ge->infinity;
117 void random_scalar_order_test(secp256k1_scalar *num) {
119 unsigned char b32[32];
121 secp256k1_rand256_test(b32);
122 secp256k1_scalar_set_b32(num, b32, &overflow);
123 if (overflow || secp256k1_scalar_is_zero(num)) {
130 void random_scalar_order(secp256k1_scalar *num) {
132 unsigned char b32[32];
134 secp256k1_rand256(b32);
135 secp256k1_scalar_set_b32(num, b32, &overflow);
136 if (overflow || secp256k1_scalar_is_zero(num)) {
143 void run_context_tests(int use_prealloc) {
144 secp256k1_pubkey pubkey;
145 secp256k1_pubkey zero_pubkey;
146 secp256k1_ecdsa_signature sig;
147 unsigned char ctmp[32];
150 secp256k1_context *none;
151 secp256k1_context *sign;
152 secp256k1_context *vrfy;
153 secp256k1_context *both;
154 void *none_prealloc = NULL;
155 void *sign_prealloc = NULL;
156 void *vrfy_prealloc = NULL;
157 void *both_prealloc = NULL;
161 secp256k1_scalar msg, key, nonce;
162 secp256k1_scalar sigr, sigs;
165 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
166 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
167 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
168 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
169 CHECK(none_prealloc != NULL);
170 CHECK(sign_prealloc != NULL);
171 CHECK(vrfy_prealloc != NULL);
172 CHECK(both_prealloc != NULL);
173 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
174 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
175 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
176 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
178 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
179 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
180 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
181 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
184 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
188 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
189 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
190 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
191 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
193 /* check if sizes for cloning are consistent */
194 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
195 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
196 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
197 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
199 /*** clone and destroy all of them to make sure cloning was complete ***/
201 secp256k1_context *ctx_tmp;
204 /* clone into a non-preallocated context and then again into a new preallocated one. */
205 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
206 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
207 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
209 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
210 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
211 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
214 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
215 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
217 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
218 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
219 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
221 /* clone into a preallocated context and then again into a new non-preallocated one. */
224 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
225 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
226 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
229 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
230 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
231 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
234 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
235 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
236 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
239 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
240 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
241 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
246 /* Verify that the error callback makes it across the clone. */
247 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
248 /* And that it resets back to default. */
249 secp256k1_context_set_error_callback(sign, NULL, NULL);
250 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
252 /*** attempt to use them ***/
253 random_scalar_order_test(&msg);
254 random_scalar_order_test(&key);
255 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
256 secp256k1_ge_set_gej(&pub, &pubj);
258 /* Verify context-type checking illegal-argument errors. */
260 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
262 VG_UNDEF(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
264 VG_CHECK(&pubkey, sizeof(pubkey));
265 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
267 VG_UNDEF(&sig, sizeof(sig));
268 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
269 VG_CHECK(&sig, sizeof(sig));
270 CHECK(ecount2 == 10);
271 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
272 CHECK(ecount2 == 11);
273 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
275 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
276 CHECK(ecount2 == 12);
277 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
279 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
280 CHECK(ecount2 == 13);
281 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
283 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
285 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
286 CHECK(ecount2 == 14);
287 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
289 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
291 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
293 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
295 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
296 CHECK(ecount2 == 14);
297 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
298 CHECK(ecount2 == 14);
299 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
300 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
302 /* obtain a working nonce */
304 random_scalar_order_test(&nonce);
305 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
312 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
317 secp256k1_context_preallocated_destroy(none);
318 secp256k1_context_preallocated_destroy(sign);
319 secp256k1_context_preallocated_destroy(vrfy);
320 secp256k1_context_preallocated_destroy(both);
326 secp256k1_context_destroy(none);
327 secp256k1_context_destroy(sign);
328 secp256k1_context_destroy(vrfy);
329 secp256k1_context_destroy(both);
331 /* Defined as no-op. */
332 secp256k1_context_destroy(NULL);
333 secp256k1_context_preallocated_destroy(NULL);
337 void run_scratch_tests(void) {
338 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
343 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
344 secp256k1_scratch_space *scratch;
345 secp256k1_scratch_space local_scratch;
347 /* Test public API */
348 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
349 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
351 scratch = secp256k1_scratch_space_create(none, 1000);
352 CHECK(scratch != NULL);
355 /* Test internal API */
356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
357 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
358 CHECK(scratch->alloc_size == 0);
359 CHECK(scratch->alloc_size % ALIGNMENT == 0);
361 /* Allocating 500 bytes succeeds */
362 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
363 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
365 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
366 CHECK(scratch->alloc_size != 0);
367 CHECK(scratch->alloc_size % ALIGNMENT == 0);
369 /* Allocating another 500 bytes fails */
370 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
372 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
373 CHECK(scratch->alloc_size != 0);
374 CHECK(scratch->alloc_size % ALIGNMENT == 0);
376 /* ...but it succeeds once we apply the checkpoint to undo it */
377 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
378 CHECK(scratch->alloc_size == 0);
379 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
380 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
381 CHECK(scratch->alloc_size != 0);
383 /* try to apply a bad checkpoint */
384 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
385 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
387 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
389 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
392 /* try to use badly initialized scratch space */
393 secp256k1_scratch_space_destroy(none, scratch);
394 memset(&local_scratch, 0, sizeof(local_scratch));
395 scratch = &local_scratch;
396 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
398 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
400 secp256k1_scratch_space_destroy(none, scratch);
404 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
405 secp256k1_context_destroy(none);
408 /***** HASH TESTS *****/
410 void run_sha256_tests(void) {
411 static const char *inputs[8] = {
412 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
413 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
414 "For this sample, this 63-byte string will be used as input data",
415 "This is exactly 64 bytes long, not counting the terminating byte"
417 static const unsigned char outputs[8][32] = {
418 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
419 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
420 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
421 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
422 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
423 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
424 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
425 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
428 for (i = 0; i < 8; i++) {
429 unsigned char out[32];
430 secp256k1_sha256 hasher;
431 secp256k1_sha256_initialize(&hasher);
432 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
433 secp256k1_sha256_finalize(&hasher, out);
434 CHECK(memcmp(out, outputs[i], 32) == 0);
435 if (strlen(inputs[i]) > 0) {
436 int split = secp256k1_rand_int(strlen(inputs[i]));
437 secp256k1_sha256_initialize(&hasher);
438 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
439 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
440 secp256k1_sha256_finalize(&hasher, out);
441 CHECK(memcmp(out, outputs[i], 32) == 0);
446 void run_hmac_sha256_tests(void) {
447 static const char *keys[6] = {
448 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
450 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
451 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
452 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
453 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
455 static const char *inputs[6] = {
456 "\x48\x69\x20\x54\x68\x65\x72\x65",
457 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
458 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
459 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
460 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
461 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
463 static const unsigned char outputs[6][32] = {
464 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
465 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
466 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
467 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
468 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
469 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
472 for (i = 0; i < 6; i++) {
473 secp256k1_hmac_sha256 hasher;
474 unsigned char out[32];
475 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
476 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
477 secp256k1_hmac_sha256_finalize(&hasher, out);
478 CHECK(memcmp(out, outputs[i], 32) == 0);
479 if (strlen(inputs[i]) > 0) {
480 int split = secp256k1_rand_int(strlen(inputs[i]));
481 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
482 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
483 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
484 secp256k1_hmac_sha256_finalize(&hasher, out);
485 CHECK(memcmp(out, outputs[i], 32) == 0);
490 void run_rfc6979_hmac_sha256_tests(void) {
491 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
492 static const unsigned char out1[3][32] = {
493 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
494 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
495 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
498 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
499 static const unsigned char out2[3][32] = {
500 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
501 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
502 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
505 secp256k1_rfc6979_hmac_sha256 rng;
506 unsigned char out[32];
509 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
510 for (i = 0; i < 3; i++) {
511 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
512 CHECK(memcmp(out, out1[i], 32) == 0);
514 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
516 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
517 for (i = 0; i < 3; i++) {
518 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
519 CHECK(memcmp(out, out1[i], 32) != 0);
521 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
523 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
524 for (i = 0; i < 3; i++) {
525 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
526 CHECK(memcmp(out, out2[i], 32) == 0);
528 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
531 /***** RANDOM TESTS *****/
533 void test_rand_bits(int rand32, int bits) {
534 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
535 * get a false negative chance below once in a billion */
536 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
537 /* We try multiplying the results with various odd numbers, which shouldn't
538 * influence the uniform distribution modulo a power of 2. */
539 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
540 /* We only select up to 6 bits from the output to analyse */
541 unsigned int usebits = bits > 6 ? 6 : bits;
542 unsigned int maxshift = bits - usebits;
543 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
544 number, track all observed outcomes, one per bit in a uint64_t. */
545 uint64_t x[6][27] = {{0}};
546 unsigned int i, shift, m;
547 /* Multiply the output of all rand calls with the odd number m, which
548 should not change the uniformity of its distribution. */
549 for (i = 0; i < rounds[usebits]; i++) {
550 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
551 CHECK((((uint64_t)r) >> bits) == 0);
552 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
553 uint32_t rm = r * mults[m];
554 for (shift = 0; shift <= maxshift; shift++) {
555 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
559 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
560 for (shift = 0; shift <= maxshift; shift++) {
561 /* Test that the lower usebits bits of x[shift] are 1 */
562 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
567 /* Subrange must be a whole divisor of range, and at most 64 */
568 void test_rand_int(uint32_t range, uint32_t subrange) {
569 /* (1-1/subrange)^rounds < 1/10^9 */
570 int rounds = (subrange * 2073) / 100;
573 CHECK((range % subrange) == 0);
574 for (i = 0; i < rounds; i++) {
575 uint32_t r = secp256k1_rand_int(range);
578 x |= (((uint64_t)1) << r);
580 /* Test that the lower subrange bits of x are 1. */
581 CHECK(((~x) << (64 - subrange)) == 0);
584 void run_rand_bits(void) {
586 test_rand_bits(1, 32);
587 for (b = 1; b <= 32; b++) {
588 test_rand_bits(0, b);
592 void run_rand_int(void) {
593 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
594 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
596 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
597 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
598 test_rand_int(ms[m] * ss[s], ss[s]);
603 /***** NUM TESTS *****/
606 void random_num_negate(secp256k1_num *num) {
607 if (secp256k1_rand_bits(1)) {
608 secp256k1_num_negate(num);
612 void random_num_order_test(secp256k1_num *num) {
614 random_scalar_order_test(&sc);
615 secp256k1_scalar_get_num(num, &sc);
618 void random_num_order(secp256k1_num *num) {
620 random_scalar_order(&sc);
621 secp256k1_scalar_get_num(num, &sc);
624 void test_num_negate(void) {
627 random_num_order_test(&n1); /* n1 = R */
628 random_num_negate(&n1);
629 secp256k1_num_copy(&n2, &n1); /* n2 = R */
630 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
631 CHECK(secp256k1_num_is_zero(&n1));
632 secp256k1_num_copy(&n1, &n2); /* n1 = R */
633 secp256k1_num_negate(&n1); /* n1 = -R */
634 CHECK(!secp256k1_num_is_zero(&n1));
635 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
636 CHECK(secp256k1_num_is_zero(&n1));
637 secp256k1_num_copy(&n1, &n2); /* n1 = R */
638 secp256k1_num_negate(&n1); /* n1 = -R */
639 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
640 secp256k1_num_negate(&n1); /* n1 = R */
641 CHECK(secp256k1_num_eq(&n1, &n2));
644 void test_num_add_sub(void) {
649 secp256k1_num n1p2, n2p1, n1m2, n2m1;
650 random_num_order_test(&n1); /* n1 = R1 */
651 if (secp256k1_rand_bits(1)) {
652 random_num_negate(&n1);
654 random_num_order_test(&n2); /* n2 = R2 */
655 if (secp256k1_rand_bits(1)) {
656 random_num_negate(&n2);
658 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
659 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
660 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
661 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
662 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
663 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
664 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
665 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
666 CHECK(!secp256k1_num_eq(&n2m1, &n1));
667 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
668 CHECK(secp256k1_num_eq(&n2m1, &n1));
669 CHECK(!secp256k1_num_eq(&n2p1, &n1));
670 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
671 CHECK(secp256k1_num_eq(&n2p1, &n1));
674 secp256k1_scalar_set_int(&s, 1);
675 secp256k1_scalar_get_num(&n1, &s);
676 CHECK(secp256k1_num_is_one(&n1));
677 /* check that 2^n + 1 is never 1 */
678 secp256k1_scalar_get_num(&n2, &s);
679 for (i = 0; i < 250; ++i) {
680 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
681 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
682 CHECK(!secp256k1_num_is_one(&n1p2));
686 void test_num_mod(void) {
689 secp256k1_num order, n;
691 /* check that 0 mod anything is 0 */
692 random_scalar_order_test(&s);
693 secp256k1_scalar_get_num(&order, &s);
694 secp256k1_scalar_set_int(&s, 0);
695 secp256k1_scalar_get_num(&n, &s);
696 secp256k1_num_mod(&n, &order);
697 CHECK(secp256k1_num_is_zero(&n));
699 /* check that anything mod 1 is 0 */
700 secp256k1_scalar_set_int(&s, 1);
701 secp256k1_scalar_get_num(&order, &s);
702 secp256k1_scalar_get_num(&n, &s);
703 secp256k1_num_mod(&n, &order);
704 CHECK(secp256k1_num_is_zero(&n));
706 /* check that increasing the number past 2^256 does not break this */
707 random_scalar_order_test(&s);
708 secp256k1_scalar_get_num(&n, &s);
709 /* multiply by 2^8, which'll test this case with high probability */
710 for (i = 0; i < 8; ++i) {
711 secp256k1_num_add(&n, &n, &n);
713 secp256k1_num_mod(&n, &order);
714 CHECK(secp256k1_num_is_zero(&n));
717 void test_num_jacobi(void) {
718 secp256k1_scalar sqr;
719 secp256k1_scalar small;
720 secp256k1_scalar five; /* five is not a quadratic residue */
721 secp256k1_num order, n;
723 /* squares mod 5 are 1, 4 */
724 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
726 /* check some small values with 5 as the order */
727 secp256k1_scalar_set_int(&five, 5);
728 secp256k1_scalar_get_num(&order, &five);
729 for (i = 0; i < 10; ++i) {
730 secp256k1_scalar_set_int(&small, i);
731 secp256k1_scalar_get_num(&n, &small);
732 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
735 /** test large values with 5 as group order */
736 secp256k1_scalar_get_num(&order, &five);
737 /* we first need a scalar which is not a multiple of 5 */
740 random_scalar_order_test(&sqr);
741 secp256k1_scalar_get_num(&fiven, &five);
742 secp256k1_scalar_get_num(&n, &sqr);
743 secp256k1_num_mod(&n, &fiven);
744 } while (secp256k1_num_is_zero(&n));
745 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
746 * just multiply by two, i.e. add the number to itself */
747 if (secp256k1_num_jacobi(&n, &order) == -1) {
748 secp256k1_num_add(&n, &n, &n);
752 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
753 /* test nonresidue */
754 secp256k1_num_add(&n, &n, &n);
755 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
757 /** test with secp group order as order */
758 secp256k1_scalar_order_get_num(&order);
759 random_scalar_order_test(&sqr);
760 secp256k1_scalar_sqr(&sqr, &sqr);
762 secp256k1_scalar_get_num(&n, &sqr);
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_scalar_mul(&sqr, &sqr, &five);
766 secp256k1_scalar_get_num(&n, &sqr);
767 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
768 /* test multiple of the order*/
769 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
771 /* check one less than the order */
772 secp256k1_scalar_set_int(&small, 1);
773 secp256k1_scalar_get_num(&n, &small);
774 secp256k1_num_sub(&n, &order, &n);
775 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
778 void run_num_smalltests(void) {
780 for (i = 0; i < 100*count; i++) {
789 /***** SCALAR TESTS *****/
791 void scalar_test(void) {
796 secp256k1_num snum, s1num, s2num;
797 secp256k1_num order, half_order;
801 /* Set 's' to a random scalar, with value 'snum'. */
802 random_scalar_order_test(&s);
804 /* Set 's1' to a random scalar, with value 's1num'. */
805 random_scalar_order_test(&s1);
807 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
808 random_scalar_order_test(&s2);
809 secp256k1_scalar_get_b32(c, &s2);
812 secp256k1_scalar_get_num(&snum, &s);
813 secp256k1_scalar_get_num(&s1num, &s1);
814 secp256k1_scalar_get_num(&s2num, &s2);
816 secp256k1_scalar_order_get_num(&order);
818 secp256k1_num_shift(&half_order, 1);
823 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
825 secp256k1_scalar_set_int(&n, 0);
826 for (i = 0; i < 256; i += 4) {
829 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
830 for (j = 0; j < 4; j++) {
831 secp256k1_scalar_add(&n, &n, &n);
833 secp256k1_scalar_add(&n, &n, &t);
835 CHECK(secp256k1_scalar_eq(&n, &s));
839 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
842 secp256k1_scalar_set_int(&n, 0);
846 int now = secp256k1_rand_int(15) + 1;
850 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
851 for (j = 0; j < now; j++) {
852 secp256k1_scalar_add(&n, &n, &n);
854 secp256k1_scalar_add(&n, &n, &t);
857 CHECK(secp256k1_scalar_eq(&n, &s));
862 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
866 secp256k1_num_add(&rnum, &snum, &s2num);
867 secp256k1_num_mod(&rnum, &order);
868 secp256k1_scalar_add(&r, &s, &s2);
869 secp256k1_scalar_get_num(&r2num, &r);
870 CHECK(secp256k1_num_eq(&rnum, &r2num));
874 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
878 secp256k1_num_mul(&rnum, &snum, &s2num);
879 secp256k1_num_mod(&rnum, &order);
880 secp256k1_scalar_mul(&r, &s, &s2);
881 secp256k1_scalar_get_num(&r2num, &r);
882 CHECK(secp256k1_num_eq(&rnum, &r2num));
883 /* The result can only be zero if at least one of the factors was zero. */
884 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
885 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
886 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
887 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
891 secp256k1_scalar neg;
892 secp256k1_num negnum;
893 secp256k1_num negnum2;
894 /* Check that comparison with zero matches comparison with zero on the number. */
895 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
896 /* Check that comparison with the half order is equal to testing for high scalar. */
897 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
898 secp256k1_scalar_negate(&neg, &s);
899 secp256k1_num_sub(&negnum, &order, &snum);
900 secp256k1_num_mod(&negnum, &order);
901 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
902 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
903 /* Negating should change the high property, unless the value was already zero. */
904 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
905 secp256k1_scalar_get_num(&negnum2, &neg);
906 /* Negating a scalar should be equal to (order - n) mod order on the number. */
907 CHECK(secp256k1_num_eq(&negnum, &negnum2));
908 secp256k1_scalar_add(&neg, &neg, &s);
909 /* Adding a number to its negation should result in zero. */
910 CHECK(secp256k1_scalar_is_zero(&neg));
911 secp256k1_scalar_negate(&neg, &neg);
912 /* Negating zero should still result in zero. */
913 CHECK(secp256k1_scalar_is_zero(&neg));
917 /* Test secp256k1_scalar_mul_shift_var. */
922 unsigned char cone[1] = {0x01};
923 unsigned int shift = 256 + secp256k1_rand_int(257);
924 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
925 secp256k1_num_mul(&rnum, &s1num, &s2num);
926 secp256k1_num_shift(&rnum, shift - 1);
927 secp256k1_num_set_bin(&one, cone, 1);
928 secp256k1_num_add(&rnum, &rnum, &one);
929 secp256k1_num_shift(&rnum, 1);
930 secp256k1_scalar_get_num(&rnum2, &r);
931 CHECK(secp256k1_num_eq(&rnum, &rnum2));
935 /* test secp256k1_scalar_shr_int */
938 random_scalar_order_test(&r);
939 for (i = 0; i < 100; ++i) {
941 int shift = 1 + secp256k1_rand_int(15);
942 int expected = r.d[0] % (1 << shift);
943 low = secp256k1_scalar_shr_int(&r, shift);
944 CHECK(expected == low);
950 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
951 if (!secp256k1_scalar_is_zero(&s)) {
952 secp256k1_scalar inv;
954 secp256k1_num invnum;
955 secp256k1_num invnum2;
957 secp256k1_scalar_inverse(&inv, &s);
959 secp256k1_num_mod_inverse(&invnum, &snum, &order);
960 secp256k1_scalar_get_num(&invnum2, &inv);
961 CHECK(secp256k1_num_eq(&invnum, &invnum2));
963 secp256k1_scalar_mul(&inv, &inv, &s);
964 /* Multiplying a scalar with its inverse must result in one. */
965 CHECK(secp256k1_scalar_is_one(&inv));
966 secp256k1_scalar_inverse(&inv, &inv);
967 /* Inverting one must result in one. */
968 CHECK(secp256k1_scalar_is_one(&inv));
970 secp256k1_scalar_get_num(&invnum, &inv);
971 CHECK(secp256k1_num_is_one(&invnum));
977 /* Test commutativity of add. */
978 secp256k1_scalar r1, r2;
979 secp256k1_scalar_add(&r1, &s1, &s2);
980 secp256k1_scalar_add(&r2, &s2, &s1);
981 CHECK(secp256k1_scalar_eq(&r1, &r2));
985 secp256k1_scalar r1, r2;
989 int bit = secp256k1_rand_bits(8);
990 secp256k1_scalar_set_int(&b, 1);
991 CHECK(secp256k1_scalar_is_one(&b));
992 for (i = 0; i < bit; i++) {
993 secp256k1_scalar_add(&b, &b, &b);
997 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
998 /* No overflow happened. */
999 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1000 CHECK(secp256k1_scalar_eq(&r1, &r2));
1001 /* cadd is a noop when flag is zero */
1002 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1003 CHECK(secp256k1_scalar_eq(&r1, &r2));
1008 /* Test commutativity of mul. */
1009 secp256k1_scalar r1, r2;
1010 secp256k1_scalar_mul(&r1, &s1, &s2);
1011 secp256k1_scalar_mul(&r2, &s2, &s1);
1012 CHECK(secp256k1_scalar_eq(&r1, &r2));
1016 /* Test associativity of add. */
1017 secp256k1_scalar r1, r2;
1018 secp256k1_scalar_add(&r1, &s1, &s2);
1019 secp256k1_scalar_add(&r1, &r1, &s);
1020 secp256k1_scalar_add(&r2, &s2, &s);
1021 secp256k1_scalar_add(&r2, &s1, &r2);
1022 CHECK(secp256k1_scalar_eq(&r1, &r2));
1026 /* Test associativity of mul. */
1027 secp256k1_scalar r1, r2;
1028 secp256k1_scalar_mul(&r1, &s1, &s2);
1029 secp256k1_scalar_mul(&r1, &r1, &s);
1030 secp256k1_scalar_mul(&r2, &s2, &s);
1031 secp256k1_scalar_mul(&r2, &s1, &r2);
1032 CHECK(secp256k1_scalar_eq(&r1, &r2));
1036 /* Test distributitivity of mul over add. */
1037 secp256k1_scalar r1, r2, t;
1038 secp256k1_scalar_add(&r1, &s1, &s2);
1039 secp256k1_scalar_mul(&r1, &r1, &s);
1040 secp256k1_scalar_mul(&r2, &s1, &s);
1041 secp256k1_scalar_mul(&t, &s2, &s);
1042 secp256k1_scalar_add(&r2, &r2, &t);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
1048 secp256k1_scalar r1, r2;
1049 secp256k1_scalar_sqr(&r1, &s1);
1050 secp256k1_scalar_mul(&r2, &s1, &s1);
1051 CHECK(secp256k1_scalar_eq(&r1, &r2));
1055 /* Test multiplicative identity. */
1056 secp256k1_scalar r1, v1;
1057 secp256k1_scalar_set_int(&v1,1);
1058 secp256k1_scalar_mul(&r1, &s1, &v1);
1059 CHECK(secp256k1_scalar_eq(&r1, &s1));
1063 /* Test additive identity. */
1064 secp256k1_scalar r1, v0;
1065 secp256k1_scalar_set_int(&v0,0);
1066 secp256k1_scalar_add(&r1, &s1, &v0);
1067 CHECK(secp256k1_scalar_eq(&r1, &s1));
1071 /* Test zero product property. */
1072 secp256k1_scalar r1, v0;
1073 secp256k1_scalar_set_int(&v0,0);
1074 secp256k1_scalar_mul(&r1, &s1, &v0);
1075 CHECK(secp256k1_scalar_eq(&r1, &v0));
1080 void run_scalar_tests(void) {
1082 for (i = 0; i < 128 * count; i++) {
1087 /* (-1)+1 should be zero. */
1088 secp256k1_scalar s, o;
1089 secp256k1_scalar_set_int(&s, 1);
1090 CHECK(secp256k1_scalar_is_one(&s));
1091 secp256k1_scalar_negate(&o, &s);
1092 secp256k1_scalar_add(&o, &o, &s);
1093 CHECK(secp256k1_scalar_is_zero(&o));
1094 secp256k1_scalar_negate(&o, &o);
1095 CHECK(secp256k1_scalar_is_zero(&o));
1098 #ifndef USE_NUM_NONE
1100 /* A scalar with value of the curve order should be 0. */
1101 secp256k1_num order;
1102 secp256k1_scalar zero;
1103 unsigned char bin[32];
1105 secp256k1_scalar_order_get_num(&order);
1106 secp256k1_num_get_bin(bin, 32, &order);
1107 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1108 CHECK(overflow == 1);
1109 CHECK(secp256k1_scalar_is_zero(&zero));
1114 /* Does check_overflow check catch all ones? */
1115 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1116 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1117 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1119 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1123 /* Static test vectors.
1124 * These were reduced from ~10^12 random vectors based on comparison-decision
1125 * and edge-case coverage on 32-bit and 64-bit implementations.
1126 * The responses were generated with Sage 5.9.
1131 secp256k1_scalar zz;
1132 secp256k1_scalar one;
1133 secp256k1_scalar r1;
1134 secp256k1_scalar r2;
1135 #if defined(USE_SCALAR_INV_NUM)
1136 secp256k1_scalar zzv;
1139 unsigned char chal[33][2][32] = {
1140 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1143 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1148 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1149 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1152 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1154 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1155 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1156 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1158 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1159 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1160 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1161 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1163 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1164 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1168 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1169 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1170 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1171 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1172 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1173 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1174 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1176 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1177 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1179 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1180 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1181 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1182 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1183 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1184 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1185 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1186 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1188 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1189 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1190 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1191 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1192 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1196 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1197 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1198 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1200 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1201 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1204 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1205 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1208 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1212 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1215 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1216 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1217 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1218 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1220 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1221 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1223 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1224 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1228 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1229 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1231 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1234 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1240 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1241 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1242 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1243 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1244 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1248 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1250 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1252 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1253 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1256 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1260 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1262 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1264 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1267 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1270 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1271 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1272 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1273 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1274 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1276 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1278 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1280 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1281 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1283 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1284 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1286 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1288 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1290 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1291 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1292 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1293 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1294 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1296 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1297 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1298 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1300 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1304 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1306 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1307 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1308 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1312 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1316 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1320 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1322 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1324 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1325 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1328 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1329 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1331 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1332 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1335 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1336 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1340 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1342 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1343 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1344 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1348 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1349 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1350 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1351 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1352 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1354 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1355 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1356 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1357 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1358 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1359 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1360 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1361 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1364 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1365 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1366 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1368 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1370 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1371 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1372 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1373 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1374 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1376 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1377 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1378 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1380 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1381 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1383 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1384 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1386 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1387 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1388 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1389 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1390 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1391 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1392 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1394 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1395 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1396 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1397 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1398 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1399 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1400 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1401 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1402 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1403 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1405 unsigned char res[33][2][32] = {
1406 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1407 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1408 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1409 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1410 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1411 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1412 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1413 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1414 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1415 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1416 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1417 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1418 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1419 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1420 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1421 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1422 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1423 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1424 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1425 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1426 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1427 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1428 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1429 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1430 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1431 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1432 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1433 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1434 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1435 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1436 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1437 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1438 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1439 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1440 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1441 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1442 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1443 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1444 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1445 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1446 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1447 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1448 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1449 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1450 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1451 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1452 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1453 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1454 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1455 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1456 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1457 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1458 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1459 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1460 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1461 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1462 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1463 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1464 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1465 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1466 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1467 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1468 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1469 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1470 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1471 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1472 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1473 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1474 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1475 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1476 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1477 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1478 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1479 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1480 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1481 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1482 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1483 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1484 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1485 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1486 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1487 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1488 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1489 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1490 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1491 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1492 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1493 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1494 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1495 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1496 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1497 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1498 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1499 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1500 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1501 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1502 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1503 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1504 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1505 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1506 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1507 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1508 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1509 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1510 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1511 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1512 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1513 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1514 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1515 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1516 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1517 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1518 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1519 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1520 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1521 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1522 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1523 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1524 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1525 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1526 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1527 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1528 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1529 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1530 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1531 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1532 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1533 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1534 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1535 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1536 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1537 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1538 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1539 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1540 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1541 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1542 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1543 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1544 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1545 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1546 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1547 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1548 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1549 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1550 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1551 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1552 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1553 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1554 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1555 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1556 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1557 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1558 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1559 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1560 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1561 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1562 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1563 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1564 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1565 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1566 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1570 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1574 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1578 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1582 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1583 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1584 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1585 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1586 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1587 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1588 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1589 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1590 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1591 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1592 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1593 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1594 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1595 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1596 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1597 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1598 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1600 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1601 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1602 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1603 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1604 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1605 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1606 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1608 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1609 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1610 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1614 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1615 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1616 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1617 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1618 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1619 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1620 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1621 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1622 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1623 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1624 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1625 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1626 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1627 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1628 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1629 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1630 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1631 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1632 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1633 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1634 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1635 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1636 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1637 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1638 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1639 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1640 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1641 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1642 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1643 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1644 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1645 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1646 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1647 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1648 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1649 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1650 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1651 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1652 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1653 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1654 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1655 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1656 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1657 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1658 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1659 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1660 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1661 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1662 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1663 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1664 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1665 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1666 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1667 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1668 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1669 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1671 secp256k1_scalar_set_int(&one, 1);
1672 for (i = 0; i < 33; i++) {
1673 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1675 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1677 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1679 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1681 secp256k1_scalar_mul(&z, &x, &y);
1682 CHECK(!secp256k1_scalar_check_overflow(&z));
1683 CHECK(secp256k1_scalar_eq(&r1, &z));
1684 if (!secp256k1_scalar_is_zero(&y)) {
1685 secp256k1_scalar_inverse(&zz, &y);
1686 CHECK(!secp256k1_scalar_check_overflow(&zz));
1687 #if defined(USE_SCALAR_INV_NUM)
1688 secp256k1_scalar_inverse_var(&zzv, &y);
1689 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1691 secp256k1_scalar_mul(&z, &z, &zz);
1692 CHECK(!secp256k1_scalar_check_overflow(&z));
1693 CHECK(secp256k1_scalar_eq(&x, &z));
1694 secp256k1_scalar_mul(&zz, &zz, &y);
1695 CHECK(!secp256k1_scalar_check_overflow(&zz));
1696 CHECK(secp256k1_scalar_eq(&one, &zz));
1698 secp256k1_scalar_mul(&z, &x, &x);
1699 CHECK(!secp256k1_scalar_check_overflow(&z));
1700 secp256k1_scalar_sqr(&zz, &x);
1701 CHECK(!secp256k1_scalar_check_overflow(&zz));
1702 CHECK(secp256k1_scalar_eq(&zz, &z));
1703 CHECK(secp256k1_scalar_eq(&r2, &zz));
1708 /***** FIELD TESTS *****/
1710 void random_fe(secp256k1_fe *x) {
1711 unsigned char bin[32];
1713 secp256k1_rand256(bin);
1714 if (secp256k1_fe_set_b32(x, bin)) {
1720 void random_fe_test(secp256k1_fe *x) {
1721 unsigned char bin[32];
1723 secp256k1_rand256_test(bin);
1724 if (secp256k1_fe_set_b32(x, bin)) {
1730 void random_fe_non_zero(secp256k1_fe *nz) {
1732 while (--tries >= 0) {
1734 secp256k1_fe_normalize(nz);
1735 if (!secp256k1_fe_is_zero(nz)) {
1739 /* Infinitesimal probability of spurious failure here */
1743 void random_fe_non_square(secp256k1_fe *ns) {
1745 random_fe_non_zero(ns);
1746 if (secp256k1_fe_sqrt(&r, ns)) {
1747 secp256k1_fe_negate(ns, ns, 1);
1751 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1752 secp256k1_fe an = *a;
1753 secp256k1_fe bn = *b;
1754 secp256k1_fe_normalize_weak(&an);
1755 secp256k1_fe_normalize_var(&bn);
1756 return secp256k1_fe_equal_var(&an, &bn);
1759 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1761 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1762 secp256k1_fe_mul(&x, a, ai);
1763 return check_fe_equal(&x, &one);
1766 void run_field_convert(void) {
1767 static const unsigned char b32[32] = {
1768 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1769 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1770 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1771 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1773 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1774 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1775 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1777 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1778 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1779 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1782 unsigned char b322[32];
1783 secp256k1_fe_storage fes2;
1784 /* Check conversions to fe. */
1785 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1786 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1787 secp256k1_fe_from_storage(&fe2, &fes);
1788 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1789 /* Check conversion from fe. */
1790 secp256k1_fe_get_b32(b322, &fe);
1791 CHECK(memcmp(b322, b32, 32) == 0);
1792 secp256k1_fe_to_storage(&fes2, &fe);
1793 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1796 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1797 secp256k1_fe t = *b;
1799 t.magnitude = a->magnitude;
1800 t.normalized = a->normalized;
1802 return memcmp(a, &t, sizeof(secp256k1_fe));
1805 void run_field_misc(void) {
1810 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1812 for (i = 0; i < 5*count; i++) {
1813 secp256k1_fe_storage xs, ys, zs;
1815 random_fe_non_zero(&y);
1816 /* Test the fe equality and comparison operations. */
1817 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1818 CHECK(secp256k1_fe_equal_var(&x, &x));
1820 secp256k1_fe_add(&z,&y);
1821 /* Test fe conditional move; z is not normalized here. */
1823 secp256k1_fe_cmov(&x, &z, 0);
1825 CHECK(!x.normalized && x.magnitude == z.magnitude);
1827 secp256k1_fe_cmov(&x, &x, 1);
1828 CHECK(fe_memcmp(&x, &z) != 0);
1829 CHECK(fe_memcmp(&x, &q) == 0);
1830 secp256k1_fe_cmov(&q, &z, 1);
1832 CHECK(!q.normalized && q.magnitude == z.magnitude);
1834 CHECK(fe_memcmp(&q, &z) == 0);
1835 secp256k1_fe_normalize_var(&x);
1836 secp256k1_fe_normalize_var(&z);
1837 CHECK(!secp256k1_fe_equal_var(&x, &z));
1838 secp256k1_fe_normalize_var(&q);
1839 secp256k1_fe_cmov(&q, &z, (i&1));
1841 CHECK(q.normalized && q.magnitude == 1);
1843 for (j = 0; j < 6; j++) {
1844 secp256k1_fe_negate(&z, &z, j+1);
1845 secp256k1_fe_normalize_var(&q);
1846 secp256k1_fe_cmov(&q, &z, (j&1));
1848 CHECK(!q.normalized && q.magnitude == (j+2));
1851 secp256k1_fe_normalize_var(&z);
1852 /* Test storage conversion and conditional moves. */
1853 secp256k1_fe_to_storage(&xs, &x);
1854 secp256k1_fe_to_storage(&ys, &y);
1855 secp256k1_fe_to_storage(&zs, &z);
1856 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1857 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1858 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1859 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1860 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1861 secp256k1_fe_from_storage(&x, &xs);
1862 secp256k1_fe_from_storage(&y, &ys);
1863 secp256k1_fe_from_storage(&z, &zs);
1864 /* Test that mul_int, mul, and add agree. */
1865 secp256k1_fe_add(&y, &x);
1866 secp256k1_fe_add(&y, &x);
1868 secp256k1_fe_mul_int(&z, 3);
1869 CHECK(check_fe_equal(&y, &z));
1870 secp256k1_fe_add(&y, &x);
1871 secp256k1_fe_add(&z, &x);
1872 CHECK(check_fe_equal(&z, &y));
1874 secp256k1_fe_mul_int(&z, 5);
1875 secp256k1_fe_mul(&q, &x, &fe5);
1876 CHECK(check_fe_equal(&z, &q));
1877 secp256k1_fe_negate(&x, &x, 1);
1878 secp256k1_fe_add(&z, &x);
1879 secp256k1_fe_add(&q, &x);
1880 CHECK(check_fe_equal(&y, &z));
1881 CHECK(check_fe_equal(&q, &y));
1885 void run_field_inv(void) {
1886 secp256k1_fe x, xi, xii;
1888 for (i = 0; i < 10*count; i++) {
1889 random_fe_non_zero(&x);
1890 secp256k1_fe_inv(&xi, &x);
1891 CHECK(check_fe_inverse(&x, &xi));
1892 secp256k1_fe_inv(&xii, &xi);
1893 CHECK(check_fe_equal(&x, &xii));
1897 void run_field_inv_var(void) {
1898 secp256k1_fe x, xi, xii;
1900 for (i = 0; i < 10*count; i++) {
1901 random_fe_non_zero(&x);
1902 secp256k1_fe_inv_var(&xi, &x);
1903 CHECK(check_fe_inverse(&x, &xi));
1904 secp256k1_fe_inv_var(&xii, &xi);
1905 CHECK(check_fe_equal(&x, &xii));
1909 void run_field_inv_all_var(void) {
1910 secp256k1_fe x[16], xi[16], xii[16];
1912 /* Check it's safe to call for 0 elements */
1913 secp256k1_fe_inv_all_var(xi, x, 0);
1914 for (i = 0; i < count; i++) {
1916 size_t len = secp256k1_rand_int(15) + 1;
1917 for (j = 0; j < len; j++) {
1918 random_fe_non_zero(&x[j]);
1920 secp256k1_fe_inv_all_var(xi, x, len);
1921 for (j = 0; j < len; j++) {
1922 CHECK(check_fe_inverse(&x[j], &xi[j]));
1924 secp256k1_fe_inv_all_var(xii, xi, len);
1925 for (j = 0; j < len; j++) {
1926 CHECK(check_fe_equal(&x[j], &xii[j]));
1931 void run_sqr(void) {
1936 secp256k1_fe_set_int(&x, 1);
1937 secp256k1_fe_negate(&x, &x, 1);
1939 for (i = 1; i <= 512; ++i) {
1940 secp256k1_fe_mul_int(&x, 2);
1941 secp256k1_fe_normalize(&x);
1942 secp256k1_fe_sqr(&s, &x);
1947 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1948 secp256k1_fe r1, r2;
1949 int v = secp256k1_fe_sqrt(&r1, a);
1950 CHECK((v == 0) == (k == NULL));
1953 /* Check that the returned root is +/- the given known answer */
1954 secp256k1_fe_negate(&r2, &r1, 1);
1955 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1956 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1957 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1961 void run_sqrt(void) {
1962 secp256k1_fe ns, x, s, t;
1965 /* Check sqrt(0) is 0 */
1966 secp256k1_fe_set_int(&x, 0);
1967 secp256k1_fe_sqr(&s, &x);
1970 /* Check sqrt of small squares (and their negatives) */
1971 for (i = 1; i <= 100; i++) {
1972 secp256k1_fe_set_int(&x, i);
1973 secp256k1_fe_sqr(&s, &x);
1975 secp256k1_fe_negate(&t, &s, 1);
1976 test_sqrt(&t, NULL);
1979 /* Consistency checks for large random values */
1980 for (i = 0; i < 10; i++) {
1982 random_fe_non_square(&ns);
1983 for (j = 0; j < count; j++) {
1985 secp256k1_fe_sqr(&s, &x);
1987 secp256k1_fe_negate(&t, &s, 1);
1988 test_sqrt(&t, NULL);
1989 secp256k1_fe_mul(&t, &s, &ns);
1990 test_sqrt(&t, NULL);
1995 /***** GROUP TESTS *****/
1997 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1998 CHECK(a->infinity == b->infinity);
2002 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2003 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2006 /* This compares jacobian points including their Z, not just their geometric meaning. */
2007 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2011 ret &= a->infinity == b->infinity;
2012 if (ret && !a->infinity) {
2015 secp256k1_fe_normalize(&a2.x);
2016 secp256k1_fe_normalize(&a2.y);
2017 secp256k1_fe_normalize(&a2.z);
2018 secp256k1_fe_normalize(&b2.x);
2019 secp256k1_fe_normalize(&b2.y);
2020 secp256k1_fe_normalize(&b2.z);
2021 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2022 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2023 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2028 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2030 secp256k1_fe u1, u2, s1, s2;
2031 CHECK(a->infinity == b->infinity);
2035 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2036 secp256k1_fe_sqr(&z2s, &b->z);
2037 secp256k1_fe_mul(&u1, &a->x, &z2s);
2038 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2039 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2040 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2041 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2042 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2045 void test_ge(void) {
2047 #ifdef USE_ENDOMORPHISM
2052 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2053 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2054 * All magnitudes are randomized.
2055 * All 17*17 combinations of points are added to each other, using all applicable methods.
2057 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
2059 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2060 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2061 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2063 secp256k1_fe zfi2, zfi3;
2065 secp256k1_gej_set_infinity(&gej[0]);
2066 secp256k1_ge_clear(&ge[0]);
2067 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2068 for (i = 0; i < runs; i++) {
2071 random_group_element_test(&g);
2072 #ifdef USE_ENDOMORPHISM
2073 if (i >= runs - 2) {
2074 secp256k1_ge_mul_lambda(&g, &ge[1]);
2076 if (i >= runs - 1) {
2077 secp256k1_ge_mul_lambda(&g, &g);
2082 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2083 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2084 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2085 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2086 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2087 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2088 for (j = 0; j < 4; j++) {
2089 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2090 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2091 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2092 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2093 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2097 /* Compute z inverses. */
2099 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2100 for (i = 0; i < 4 * runs + 1; i++) {
2102 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2104 random_field_element_test(&zs[i]);
2105 } while(secp256k1_fe_is_zero(&zs[i]));
2110 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2114 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2116 random_field_element_test(&zf);
2117 } while(secp256k1_fe_is_zero(&zf));
2118 random_field_element_magnitude(&zf);
2119 secp256k1_fe_inv_var(&zfi3, &zf);
2120 secp256k1_fe_sqr(&zfi2, &zfi3);
2121 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2123 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2125 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2126 /* Compute reference result using gej + gej (var). */
2127 secp256k1_gej refj, resj;
2130 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2131 /* Check Z ratio. */
2132 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2133 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2134 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2136 secp256k1_ge_set_gej_var(&ref, &refj);
2138 /* Test gej + ge with Z ratio result (var). */
2139 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2140 ge_equals_gej(&ref, &resj);
2141 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2142 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2143 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2146 /* Test gej + ge (var, with additional Z factor). */
2148 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2149 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2150 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2151 random_field_element_magnitude(&ge2_zfi.x);
2152 random_field_element_magnitude(&ge2_zfi.y);
2153 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2154 ge_equals_gej(&ref, &resj);
2157 /* Test gej + ge (const). */
2159 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2160 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2161 ge_equals_gej(&ref, &resj);
2164 /* Test doubling (var). */
2165 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2167 /* Normal doubling with Z ratio result. */
2168 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2169 ge_equals_gej(&ref, &resj);
2170 /* Check Z ratio. */
2171 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2172 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2173 /* Normal doubling. */
2174 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2175 ge_equals_gej(&ref, &resj);
2178 /* Test adding opposites. */
2179 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2180 CHECK(secp256k1_ge_is_infinity(&ref));
2183 /* Test adding infinity. */
2185 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2186 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2187 ge_equals_gej(&ref, &gej[i2]);
2190 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2191 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2192 ge_equals_gej(&ref, &gej[i1]);
2197 /* Test adding all points together in random order equals infinity. */
2199 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2200 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2201 for (i = 0; i < 4 * runs + 1; i++) {
2202 gej_shuffled[i] = gej[i];
2204 for (i = 0; i < 4 * runs + 1; i++) {
2205 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2207 secp256k1_gej t = gej_shuffled[i];
2208 gej_shuffled[i] = gej_shuffled[swap];
2209 gej_shuffled[swap] = t;
2212 for (i = 0; i < 4 * runs + 1; i++) {
2213 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2215 CHECK(secp256k1_gej_is_infinity(&sum));
2219 /* Test batch gej -> ge conversion with and without known z ratios. */
2221 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2222 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2223 for (i = 0; i < 4 * runs + 1; i++) {
2224 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2226 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2229 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2230 for (i = 0; i < 4 * runs + 1; i++) {
2232 random_fe_non_zero(&s);
2233 secp256k1_gej_rescale(&gej[i], &s);
2234 ge_equals_gej(&ge_set_all[i], &gej[i]);
2240 /* Test batch gej -> ge conversion with many infinities. */
2241 for (i = 0; i < 4 * runs + 1; i++) {
2242 random_group_element_test(&ge[i]);
2243 /* randomly set half the points to infinity */
2244 if(secp256k1_fe_is_odd(&ge[i].x)) {
2245 secp256k1_ge_set_infinity(&ge[i]);
2247 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2250 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2252 for (i = 0; i < 4 * runs + 1; i++) {
2253 ge_equals_gej(&ge[i], &gej[i]);
2262 void test_intialized_inf(void) {
2264 secp256k1_gej pj, npj, infj1, infj2, infj3;
2267 /* Test that adding P+(-P) results in a fully initalized infinity*/
2268 random_group_element_test(&p);
2269 secp256k1_gej_set_ge(&pj, &p);
2270 secp256k1_gej_neg(&npj, &pj);
2272 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2273 CHECK(secp256k1_gej_is_infinity(&infj1));
2274 CHECK(secp256k1_fe_is_zero(&infj1.x));
2275 CHECK(secp256k1_fe_is_zero(&infj1.y));
2276 CHECK(secp256k1_fe_is_zero(&infj1.z));
2278 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2279 CHECK(secp256k1_gej_is_infinity(&infj2));
2280 CHECK(secp256k1_fe_is_zero(&infj2.x));
2281 CHECK(secp256k1_fe_is_zero(&infj2.y));
2282 CHECK(secp256k1_fe_is_zero(&infj2.z));
2284 secp256k1_fe_set_int(&zinv, 1);
2285 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2286 CHECK(secp256k1_gej_is_infinity(&infj3));
2287 CHECK(secp256k1_fe_is_zero(&infj3.x));
2288 CHECK(secp256k1_fe_is_zero(&infj3.y));
2289 CHECK(secp256k1_fe_is_zero(&infj3.z));
2294 void test_add_neg_y_diff_x(void) {
2295 /* The point of this test is to check that we can add two points
2296 * whose y-coordinates are negatives of each other but whose x
2297 * coordinates differ. If the x-coordinates were the same, these
2298 * points would be negatives of each other and their sum is
2299 * infinity. This is cool because it "covers up" any degeneracy
2300 * in the addition algorithm that would cause the xy coordinates
2301 * of the sum to be wrong (since infinity has no xy coordinates).
2302 * HOWEVER, if the x-coordinates are different, infinity is the
2303 * wrong answer, and such degeneracies are exposed. This is the
2304 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2305 * which this test is a regression test for.
2307 * These points were generated in sage as
2308 * # secp256k1 params
2309 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2310 * C = EllipticCurve ([F (0), F (7)])
2311 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2312 * N = FiniteField(G.order())
2314 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2316 * lam = (1 - x^3).roots()[1][0]
2318 * # random "bad pair"
2319 * P = C.random_element()
2321 * print " P: %x %x" % P.xy()
2322 * print " Q: %x %x" % Q.xy()
2323 * print "P + Q: %x %x" % (P + Q).xy()
2325 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2326 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2327 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2328 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2329 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2331 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2332 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2333 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2334 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2335 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2337 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2338 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2339 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2340 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2341 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2346 secp256k1_ge_set_gej(&b, &bj);
2348 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2349 secp256k1_ge_set_gej(&res, &resj);
2350 ge_equals_gej(&res, &sumj);
2352 secp256k1_gej_add_ge(&resj, &aj, &b);
2353 secp256k1_ge_set_gej(&res, &resj);
2354 ge_equals_gej(&res, &sumj);
2356 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2357 secp256k1_ge_set_gej(&res, &resj);
2358 ge_equals_gej(&res, &sumj);
2363 for (i = 0; i < count * 32; i++) {
2366 test_add_neg_y_diff_x();
2367 test_intialized_inf();
2370 void test_ec_combine(void) {
2371 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2372 secp256k1_pubkey data[6];
2373 const secp256k1_pubkey* d[6];
2374 secp256k1_pubkey sd;
2375 secp256k1_pubkey sd2;
2379 for (i = 1; i <= 6; i++) {
2381 random_scalar_order_test(&s);
2382 secp256k1_scalar_add(&sum, &sum, &s);
2383 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2384 secp256k1_ge_set_gej(&Q, &Qj);
2385 secp256k1_pubkey_save(&data[i - 1], &Q);
2386 d[i - 1] = &data[i - 1];
2387 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2388 secp256k1_ge_set_gej(&Q, &Qj);
2389 secp256k1_pubkey_save(&sd, &Q);
2390 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2391 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2395 void run_ec_combine(void) {
2397 for (i = 0; i < count * 8; i++) {
2402 void test_group_decompress(const secp256k1_fe* x) {
2403 /* The input itself, normalized. */
2404 secp256k1_fe fex = *x;
2406 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2407 secp256k1_ge ge_quad, ge_even, ge_odd;
2408 secp256k1_gej gej_quad;
2409 /* Return values of the above calls. */
2410 int res_quad, res_even, res_odd;
2412 secp256k1_fe_normalize_var(&fex);
2414 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2415 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2416 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2418 CHECK(res_quad == res_even);
2419 CHECK(res_quad == res_odd);
2422 secp256k1_fe_normalize_var(&ge_quad.x);
2423 secp256k1_fe_normalize_var(&ge_odd.x);
2424 secp256k1_fe_normalize_var(&ge_even.x);
2425 secp256k1_fe_normalize_var(&ge_quad.y);
2426 secp256k1_fe_normalize_var(&ge_odd.y);
2427 secp256k1_fe_normalize_var(&ge_even.y);
2429 /* No infinity allowed. */
2430 CHECK(!ge_quad.infinity);
2431 CHECK(!ge_even.infinity);
2432 CHECK(!ge_odd.infinity);
2434 /* Check that the x coordinates check out. */
2435 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2436 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2437 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2439 /* Check that the Y coordinate result in ge_quad is a square. */
2440 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2442 /* Check odd/even Y in ge_odd, ge_even. */
2443 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2444 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2446 /* Check secp256k1_gej_has_quad_y_var. */
2447 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2448 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2450 random_fe_test(&fez);
2451 } while (secp256k1_fe_is_zero(&fez));
2452 secp256k1_gej_rescale(&gej_quad, &fez);
2453 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2454 secp256k1_gej_neg(&gej_quad, &gej_quad);
2455 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2457 random_fe_test(&fez);
2458 } while (secp256k1_fe_is_zero(&fez));
2459 secp256k1_gej_rescale(&gej_quad, &fez);
2460 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2461 secp256k1_gej_neg(&gej_quad, &gej_quad);
2462 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2466 void run_group_decompress(void) {
2468 for (i = 0; i < count * 4; i++) {
2470 random_fe_test(&fe);
2471 test_group_decompress(&fe);
2475 /***** ECMULT TESTS *****/
2477 void run_ecmult_chain(void) {
2478 /* random starting point A (on the curve) */
2479 secp256k1_gej a = SECP256K1_GEJ_CONST(
2480 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2481 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2482 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2483 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2485 /* two random initial factors xn and gn */
2486 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2487 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2488 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2490 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2491 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2492 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2494 /* two small multipliers to be applied to xn and gn in every iteration: */
2495 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2496 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2497 /* accumulators with the resulting coefficients to A and G */
2498 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2499 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2505 /* the point being computed */
2507 for (i = 0; i < 200*count; i++) {
2508 /* in each iteration, compute X = xn*X + gn*G; */
2509 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2510 /* also compute ae and ge: the actual accumulated factors for A and G */
2511 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2512 secp256k1_scalar_mul(&ae, &ae, &xn);
2513 secp256k1_scalar_mul(&ge, &ge, &xn);
2514 secp256k1_scalar_add(&ge, &ge, &gn);
2515 /* modify xn and gn */
2516 secp256k1_scalar_mul(&xn, &xn, &xf);
2517 secp256k1_scalar_mul(&gn, &gn, &gf);
2521 /* expected result after 19999 iterations */
2522 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2523 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2524 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2525 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2526 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2529 secp256k1_gej_neg(&rp, &rp);
2530 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2531 CHECK(secp256k1_gej_is_infinity(&rp));
2534 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2535 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2536 secp256k1_gej_neg(&x2, &x2);
2537 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2538 CHECK(secp256k1_gej_is_infinity(&x2));
2541 void test_point_times_order(const secp256k1_gej *point) {
2542 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2544 secp256k1_scalar nx;
2545 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2546 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2547 secp256k1_gej res1, res2;
2549 unsigned char pub[65];
2551 random_scalar_order_test(&x);
2552 secp256k1_scalar_negate(&nx, &x);
2553 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2554 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2555 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2556 CHECK(secp256k1_gej_is_infinity(&res1));
2557 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2558 secp256k1_ge_set_gej(&res3, &res1);
2559 CHECK(secp256k1_ge_is_infinity(&res3));
2560 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2561 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2563 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2564 /* check zero/one edge cases */
2565 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2566 secp256k1_ge_set_gej(&res3, &res1);
2567 CHECK(secp256k1_ge_is_infinity(&res3));
2568 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2569 secp256k1_ge_set_gej(&res3, &res1);
2570 ge_equals_gej(&res3, point);
2571 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2572 secp256k1_ge_set_gej(&res3, &res1);
2573 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2576 void run_point_times_order(void) {
2578 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2579 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2580 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2581 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2583 for (i = 0; i < 500; i++) {
2585 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2587 CHECK(secp256k1_ge_is_valid_var(&p));
2588 secp256k1_gej_set_ge(&j, &p);
2589 CHECK(secp256k1_gej_is_valid_var(&j));
2590 test_point_times_order(&j);
2592 secp256k1_fe_sqr(&x, &x);
2594 secp256k1_fe_normalize_var(&x);
2595 CHECK(secp256k1_fe_equal_var(&x, &xr));
2598 void ecmult_const_random_mult(void) {
2599 /* random starting point A (on the curve) */
2600 secp256k1_ge a = SECP256K1_GE_CONST(
2601 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2602 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2603 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2604 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2606 /* random initial factor xn */
2607 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2608 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2609 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2611 /* expected xn * A (from sage) */
2612 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2613 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2614 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2615 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2616 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2619 secp256k1_ecmult_const(&b, &a, &xn, 256);
2621 CHECK(secp256k1_ge_is_valid_var(&a));
2622 ge_equals_gej(&expected_b, &b);
2625 void ecmult_const_commutativity(void) {
2632 random_scalar_order_test(&a);
2633 random_scalar_order_test(&b);
2635 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2636 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2637 secp256k1_ge_set_gej(&mid1, &res1);
2638 secp256k1_ge_set_gej(&mid2, &res2);
2639 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2640 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2641 secp256k1_ge_set_gej(&mid1, &res1);
2642 secp256k1_ge_set_gej(&mid2, &res2);
2643 ge_equals_ge(&mid1, &mid2);
2646 void ecmult_const_mult_zero_one(void) {
2647 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2648 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2649 secp256k1_scalar negone;
2653 secp256k1_scalar_negate(&negone, &one);
2655 random_group_element_test(&point);
2656 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2657 secp256k1_ge_set_gej(&res2, &res1);
2658 CHECK(secp256k1_ge_is_infinity(&res2));
2659 secp256k1_ecmult_const(&res1, &point, &one, 2);
2660 secp256k1_ge_set_gej(&res2, &res1);
2661 ge_equals_ge(&res2, &point);
2662 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2663 secp256k1_gej_neg(&res1, &res1);
2664 secp256k1_ge_set_gej(&res2, &res1);
2665 ge_equals_ge(&res2, &point);
2668 void ecmult_const_chain_multiply(void) {
2669 /* Check known result (randomly generated test problem from sage) */
2670 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2671 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2672 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2674 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2675 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2676 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2677 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2678 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2680 secp256k1_gej point;
2684 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2685 for (i = 0; i < 100; ++i) {
2687 secp256k1_ge_set_gej(&tmp, &point);
2688 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2690 secp256k1_ge_set_gej(&res, &point);
2691 ge_equals_gej(&res, &expected_point);
2694 void run_ecmult_const_tests(void) {
2695 ecmult_const_mult_zero_one();
2696 ecmult_const_random_mult();
2697 ecmult_const_commutativity();
2698 ecmult_const_chain_multiply();
2702 secp256k1_scalar *sc;
2704 } ecmult_multi_data;
2706 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2707 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2708 *sc = data->sc[idx];
2709 *pt = data->pt[idx];
2713 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2721 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2723 secp256k1_scalar szero;
2724 secp256k1_scalar sc[32];
2725 secp256k1_ge pt[32];
2728 ecmult_multi_data data;
2732 secp256k1_scalar_set_int(&szero, 0);
2734 /* No points to multiply */
2735 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2737 /* Check 1- and 2-point multiplies against ecmult */
2738 for (ncount = 0; ncount < count; ncount++) {
2741 random_scalar_order(&sc[0]);
2742 random_scalar_order(&sc[1]);
2744 random_group_element_test(&ptg);
2745 secp256k1_gej_set_ge(&ptgj, &ptg);
2747 pt[1] = secp256k1_ge_const_g;
2750 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2751 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2752 secp256k1_gej_neg(&r2, &r2);
2753 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2754 CHECK(secp256k1_gej_is_infinity(&r));
2757 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2758 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2759 secp256k1_gej_neg(&r2, &r2);
2760 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2761 CHECK(secp256k1_gej_is_infinity(&r));
2763 /* Try to multiply 1 point, but callback returns false */
2764 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2767 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2768 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2769 secp256k1_gej_neg(&r2, &r2);
2770 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2771 CHECK(secp256k1_gej_is_infinity(&r));
2773 /* 2-point with G scalar */
2774 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2775 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2776 secp256k1_gej_neg(&r2, &r2);
2777 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2778 CHECK(secp256k1_gej_is_infinity(&r));
2781 /* Check infinite outputs of various forms */
2782 for (ncount = 0; ncount < count; ncount++) {
2785 size_t sizes[] = { 2, 10, 32 };
2787 for (j = 0; j < 3; j++) {
2788 for (i = 0; i < 32; i++) {
2789 random_scalar_order(&sc[i]);
2790 secp256k1_ge_set_infinity(&pt[i]);
2792 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2793 CHECK(secp256k1_gej_is_infinity(&r));
2796 for (j = 0; j < 3; j++) {
2797 for (i = 0; i < 32; i++) {
2798 random_group_element_test(&ptg);
2800 secp256k1_scalar_set_int(&sc[i], 0);
2802 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2803 CHECK(secp256k1_gej_is_infinity(&r));
2806 for (j = 0; j < 3; j++) {
2807 random_group_element_test(&ptg);
2808 for (i = 0; i < 16; i++) {
2809 random_scalar_order(&sc[2*i]);
2810 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2812 pt[2 * i + 1] = ptg;
2815 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2816 CHECK(secp256k1_gej_is_infinity(&r));
2818 random_scalar_order(&sc[0]);
2819 for (i = 0; i < 16; i++) {
2820 random_group_element_test(&ptg);
2825 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2828 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2829 CHECK(secp256k1_gej_is_infinity(&r));
2832 random_group_element_test(&ptg);
2833 secp256k1_scalar_set_int(&sc[0], 0);
2835 for (i = 1; i < 32; i++) {
2838 random_scalar_order(&sc[i]);
2839 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2840 secp256k1_scalar_negate(&sc[i], &sc[i]);
2843 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2844 CHECK(secp256k1_gej_is_infinity(&r));
2847 /* Check random points, constant scalar */
2848 for (ncount = 0; ncount < count; ncount++) {
2850 secp256k1_gej_set_infinity(&r);
2852 random_scalar_order(&sc[0]);
2853 for (i = 0; i < 20; i++) {
2856 random_group_element_test(&ptg);
2858 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2861 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2862 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2863 secp256k1_gej_neg(&r2, &r2);
2864 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2865 CHECK(secp256k1_gej_is_infinity(&r));
2868 /* Check random scalars, constant point */
2869 for (ncount = 0; ncount < count; ncount++) {
2873 secp256k1_scalar rs;
2874 secp256k1_scalar_set_int(&rs, 0);
2876 random_group_element_test(&ptg);
2877 for (i = 0; i < 20; i++) {
2878 random_scalar_order(&sc[i]);
2880 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2883 secp256k1_gej_set_ge(&p0j, &pt[0]);
2884 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2885 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2886 secp256k1_gej_neg(&r2, &r2);
2887 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2888 CHECK(secp256k1_gej_is_infinity(&r));
2891 /* Sanity check that zero scalars don't cause problems */
2892 for (ncount = 0; ncount < 20; ncount++) {
2893 random_scalar_order(&sc[ncount]);
2894 random_group_element_test(&pt[ncount]);
2897 secp256k1_scalar_clear(&sc[0]);
2898 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2899 secp256k1_scalar_clear(&sc[1]);
2900 secp256k1_scalar_clear(&sc[2]);
2901 secp256k1_scalar_clear(&sc[3]);
2902 secp256k1_scalar_clear(&sc[4]);
2903 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2904 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2905 CHECK(secp256k1_gej_is_infinity(&r));
2907 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2909 const size_t TOP = 8;
2915 random_group_element_test(&ptg);
2916 secp256k1_gej_set_ge(&ptgj, &ptg);
2918 for(t0i = 0; t0i < TOP; t0i++) {
2919 for(t1i = 0; t1i < TOP; t1i++) {
2920 secp256k1_gej t0p, t1p;
2921 secp256k1_scalar t0, t1;
2923 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2924 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2925 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2926 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2928 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2929 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2931 for(s0i = 0; s0i < TOP; s0i++) {
2932 for(s1i = 0; s1i < TOP; s1i++) {
2933 secp256k1_scalar tmp1, tmp2;
2934 secp256k1_gej expected, actual;
2936 secp256k1_ge_set_gej(&pt[0], &t0p);
2937 secp256k1_ge_set_gej(&pt[1], &t1p);
2939 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2940 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2941 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2942 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2944 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2945 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2946 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2948 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2949 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2950 secp256k1_gej_neg(&expected, &expected);
2951 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2952 CHECK(secp256k1_gej_is_infinity(&actual));
2960 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2961 secp256k1_scalar szero;
2962 secp256k1_scalar sc[32];
2963 secp256k1_ge pt[32];
2965 ecmult_multi_data data;
2966 secp256k1_scratch *scratch_empty;
2970 secp256k1_scalar_set_int(&szero, 0);
2972 /* Try to multiply 1 point, but scratch space is empty.*/
2973 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2974 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2975 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
2978 void test_secp256k1_pippenger_bucket_window_inv(void) {
2981 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2982 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2983 #ifdef USE_ENDOMORPHISM
2984 /* Bucket_window of 8 is not used with endo */
2989 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2990 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2991 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2997 * Probabilistically test the function returning the maximum number of possible points
2998 * for a given scratch space.
3000 void test_ecmult_multi_pippenger_max_points(void) {
3001 size_t scratch_size = secp256k1_rand_int(256);
3002 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3003 secp256k1_scratch *scratch;
3004 size_t n_points_supported;
3005 int bucket_window = 0;
3007 for(; scratch_size < max_size; scratch_size+=256) {
3011 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3012 CHECK(scratch != NULL);
3013 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3014 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3015 if (n_points_supported == 0) {
3016 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3019 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3020 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3021 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3022 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3023 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3026 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3027 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3028 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3030 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3033 void test_ecmult_multi_batch_size_helper(void) {
3034 size_t n_batches, n_batch_points, max_n_batch_points, n;
3036 max_n_batch_points = 0;
3038 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3040 max_n_batch_points = 1;
3042 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3043 CHECK(n_batches == 0);
3044 CHECK(n_batch_points == 0);
3046 max_n_batch_points = 2;
3048 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3049 CHECK(n_batches == 3);
3050 CHECK(n_batch_points == 2);
3052 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3053 n = ECMULT_MAX_POINTS_PER_BATCH;
3054 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3055 CHECK(n_batches == 1);
3056 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3058 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3059 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3060 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3061 CHECK(n_batches == 2);
3062 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3064 max_n_batch_points = 1;
3066 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3067 CHECK(n_batches == SIZE_MAX);
3068 CHECK(n_batch_points == 1);
3070 max_n_batch_points = 2;
3072 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3073 CHECK(n_batches == SIZE_MAX/2 + 1);
3074 CHECK(n_batch_points == 2);
3078 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3079 * 1 <= i <= num points.
3081 void test_ecmult_multi_batching(void) {
3082 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3083 secp256k1_scalar scG;
3084 secp256k1_scalar szero;
3085 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3086 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3089 ecmult_multi_data data;
3091 secp256k1_scratch *scratch;
3093 secp256k1_gej_set_infinity(&r2);
3094 secp256k1_scalar_set_int(&szero, 0);
3096 /* Get random scalars and group elements and compute result */
3097 random_scalar_order(&scG);
3098 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3099 for(i = 0; i < n_points; i++) {
3102 random_group_element_test(&ptg);
3103 secp256k1_gej_set_ge(&ptgj, &ptg);
3105 random_scalar_order(&sc[i]);
3106 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3107 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3111 secp256k1_gej_neg(&r2, &r2);
3113 /* Test with empty scratch space. It should compute the correct result using
3114 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3115 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3116 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3117 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3118 CHECK(secp256k1_gej_is_infinity(&r));
3119 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3121 /* Test with space for 1 point in pippenger. That's not enough because
3122 * ecmult_multi selects strauss which requires more memory. It should
3123 * therefore select the simple algorithm. */
3124 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3125 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3126 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3127 CHECK(secp256k1_gej_is_infinity(&r));
3128 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3130 for(i = 1; i <= n_points; i++) {
3131 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3132 int bucket_window = secp256k1_pippenger_bucket_window(i);
3133 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3134 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3136 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3137 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3139 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3140 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3141 CHECK(secp256k1_gej_is_infinity(&r));
3142 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3148 void run_ecmult_multi_tests(void) {
3149 secp256k1_scratch *scratch;
3151 test_secp256k1_pippenger_bucket_window_inv();
3152 test_ecmult_multi_pippenger_max_points();
3153 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3154 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3155 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3156 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3157 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3158 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3159 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3160 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3162 /* Run test_ecmult_multi with space for exactly one point */
3163 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3164 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3165 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3167 test_ecmult_multi_batch_size_helper();
3168 test_ecmult_multi_batching();
3171 void test_wnaf(const secp256k1_scalar *number, int w) {
3172 secp256k1_scalar x, two, t;
3177 secp256k1_scalar_set_int(&x, 0);
3178 secp256k1_scalar_set_int(&two, 2);
3179 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3181 for (i = bits-1; i >= 0; i--) {
3183 secp256k1_scalar_mul(&x, &x, &two);
3185 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3187 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3188 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3189 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3191 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3195 secp256k1_scalar_set_int(&t, v);
3197 secp256k1_scalar_set_int(&t, -v);
3198 secp256k1_scalar_negate(&t, &t);
3200 secp256k1_scalar_add(&x, &x, &t);
3202 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3205 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3206 secp256k1_scalar neg1 = *number;
3207 secp256k1_scalar neg2 = *number;
3211 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3212 secp256k1_scalar_negate(&neg1, &neg1);
3215 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3216 CHECK(sign1 == sign2);
3217 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3220 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3221 secp256k1_scalar x, shift;
3222 int wnaf[256] = {0};
3226 secp256k1_scalar num = *number;
3228 secp256k1_scalar_set_int(&x, 0);
3229 secp256k1_scalar_set_int(&shift, 1 << w);
3230 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3231 #ifdef USE_ENDOMORPHISM
3232 for (i = 0; i < 16; ++i) {
3233 secp256k1_scalar_shr_int(&num, 8);
3237 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3239 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3242 CHECK(v != 0); /* check nonzero */
3243 CHECK(v & 1); /* check parity */
3244 CHECK(v > -(1 << w)); /* check range above */
3245 CHECK(v < (1 << w)); /* check range below */
3247 secp256k1_scalar_mul(&x, &x, &shift);
3249 secp256k1_scalar_set_int(&t, v);
3251 secp256k1_scalar_set_int(&t, -v);
3252 secp256k1_scalar_negate(&t, &t);
3254 secp256k1_scalar_add(&x, &x, &t);
3256 /* Skew num because when encoding numbers as odd we use an offset */
3257 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3258 CHECK(secp256k1_scalar_eq(&x, &num));
3261 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3262 secp256k1_scalar x, shift;
3263 int wnaf[256] = {0};
3266 secp256k1_scalar num = *number;
3268 secp256k1_scalar_set_int(&x, 0);
3269 secp256k1_scalar_set_int(&shift, 1 << w);
3270 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3271 #ifdef USE_ENDOMORPHISM
3272 for (i = 0; i < 16; ++i) {
3273 secp256k1_scalar_shr_int(&num, 8);
3276 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3278 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3281 CHECK(v == 0 || v & 1); /* check parity */
3282 CHECK(v > -(1 << w)); /* check range above */
3283 CHECK(v < (1 << w)); /* check range below */
3285 secp256k1_scalar_mul(&x, &x, &shift);
3287 secp256k1_scalar_set_int(&t, v);
3289 secp256k1_scalar_set_int(&t, -v);
3290 secp256k1_scalar_negate(&t, &t);
3292 secp256k1_scalar_add(&x, &x, &t);
3294 /* If skew is 1 then add 1 to num */
3295 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3296 CHECK(secp256k1_scalar_eq(&x, &num));
3299 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3301 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3303 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3304 CHECK(wnaf[i] == 0);
3306 for (i = 7; i >= 0; --i) {
3307 CHECK(wnaf[i] == wnaf_expected[i]);
3311 void test_fixed_wnaf_small(void) {
3313 int wnaf[256] = {0};
3316 secp256k1_scalar num;
3318 secp256k1_scalar_set_int(&num, 0);
3319 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3320 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3326 secp256k1_scalar_set_int(&num, 1);
3327 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3328 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3332 CHECK(wnaf[0] == 1);
3336 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3337 secp256k1_scalar_set_int(&num, 0xffffffff);
3338 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3339 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3343 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3344 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3345 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3346 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3350 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3351 secp256k1_scalar_set_int(&num, 0x01010101);
3352 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3353 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3357 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3358 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3359 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3360 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3365 void run_wnaf(void) {
3367 secp256k1_scalar n = {{0}};
3369 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3370 * have easier-to-diagnose failure modes */
3372 test_constant_wnaf(&n, 4);
3374 test_constant_wnaf(&n, 4);
3376 test_fixed_wnaf_small();
3378 for (i = 0; i < count; i++) {
3379 random_scalar_order(&n);
3380 test_wnaf(&n, 4+(i%10));
3381 test_constant_wnaf_negate(&n);
3382 test_constant_wnaf(&n, 4 + (i % 10));
3383 test_fixed_wnaf(&n, 4 + (i % 10));
3385 secp256k1_scalar_set_int(&n, 0);
3386 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3387 CHECK(secp256k1_scalar_is_zero(&n));
3388 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3389 CHECK(secp256k1_scalar_is_zero(&n));
3392 void test_ecmult_constants(void) {
3393 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3399 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3400 for (i = 0; i < 36; i++ ) {
3401 secp256k1_scalar_set_int(&x, i);
3402 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3403 for (j = 0; j < i; j++) {
3405 ge_equals_gej(&secp256k1_ge_const_g, &r);
3407 secp256k1_gej_add_ge(&r, &r, &ng);
3409 CHECK(secp256k1_gej_is_infinity(&r));
3411 for (i = 1; i <= 36; i++ ) {
3412 secp256k1_scalar_set_int(&x, i);
3413 secp256k1_scalar_negate(&x, &x);
3414 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3415 for (j = 0; j < i; j++) {
3417 ge_equals_gej(&ng, &r);
3419 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3421 CHECK(secp256k1_gej_is_infinity(&r));
3425 void run_ecmult_constants(void) {
3426 test_ecmult_constants();
3429 void test_ecmult_gen_blind(void) {
3430 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3431 secp256k1_scalar key;
3433 unsigned char seed32[32];
3435 secp256k1_gej pgej2;
3438 random_scalar_order_test(&key);
3439 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3440 secp256k1_rand256(seed32);
3441 b = ctx->ecmult_gen_ctx.blind;
3442 i = ctx->ecmult_gen_ctx.initial;
3443 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3444 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3445 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3446 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3447 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3448 secp256k1_ge_set_gej(&pge, &pgej);
3449 ge_equals_gej(&pge, &pgej2);
3452 void test_ecmult_gen_blind_reset(void) {
3453 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3455 secp256k1_gej initial;
3456 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3457 b = ctx->ecmult_gen_ctx.blind;
3458 initial = ctx->ecmult_gen_ctx.initial;
3459 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3460 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3461 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3464 void run_ecmult_gen_blind(void) {
3466 test_ecmult_gen_blind_reset();
3467 for (i = 0; i < 10; i++) {
3468 test_ecmult_gen_blind();
3472 #ifdef USE_ENDOMORPHISM
3473 /***** ENDOMORPHISH TESTS *****/
3474 void test_scalar_split(void) {
3475 secp256k1_scalar full;
3476 secp256k1_scalar s1, slam;
3477 const unsigned char zero[32] = {0};
3478 unsigned char tmp[32];
3480 random_scalar_order_test(&full);
3481 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3483 /* check that both are <= 128 bits in size */
3484 if (secp256k1_scalar_is_high(&s1)) {
3485 secp256k1_scalar_negate(&s1, &s1);
3487 if (secp256k1_scalar_is_high(&slam)) {
3488 secp256k1_scalar_negate(&slam, &slam);
3491 secp256k1_scalar_get_b32(tmp, &s1);
3492 CHECK(memcmp(zero, tmp, 16) == 0);
3493 secp256k1_scalar_get_b32(tmp, &slam);
3494 CHECK(memcmp(zero, tmp, 16) == 0);
3497 void run_endomorphism_tests(void) {
3498 test_scalar_split();
3502 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3503 unsigned char pubkeyc[65];
3504 secp256k1_pubkey pubkey;
3509 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3510 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3511 /* Smaller sizes are tested exhaustively elsewhere. */
3513 memcpy(&pubkeyc[1], input, 64);
3514 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3515 for (i = 0; i < 256; i++) {
3516 /* Try all type bytes. */
3521 /* What sign does this point have? */
3522 ysign = (input[63] & 1) + 2;
3523 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3524 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3525 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3526 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3527 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3528 if (xpass || ypass) {
3529 /* These cases must parse. */
3530 unsigned char pubkeyo[65];
3532 memset(&pubkey, 0, sizeof(pubkey));
3533 VG_UNDEF(&pubkey, sizeof(pubkey));
3535 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3536 VG_CHECK(&pubkey, sizeof(pubkey));
3538 VG_UNDEF(pubkeyo, 65);
3539 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3540 VG_CHECK(pubkeyo, outl);
3542 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3543 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3545 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3546 CHECK(pubkeyo[0] == ysign);
3547 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3548 memset(&pubkey, 0, sizeof(pubkey));
3549 VG_UNDEF(&pubkey, sizeof(pubkey));
3550 secp256k1_pubkey_save(&pubkey, &ge);
3551 VG_CHECK(&pubkey, sizeof(pubkey));
3553 VG_UNDEF(pubkeyo, 65);
3554 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3555 VG_CHECK(pubkeyo, outl);
3557 CHECK(pubkeyo[0] == 4);
3558 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3562 /* These cases must fail to parse. */
3563 memset(&pubkey, 0xfe, sizeof(pubkey));
3565 VG_UNDEF(&pubkey, sizeof(pubkey));
3566 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3567 VG_CHECK(&pubkey, sizeof(pubkey));
3569 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3574 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3577 void run_ec_pubkey_parse_test(void) {
3578 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3579 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3581 /* Point with leading and trailing zeros in x and y serialization. */
3582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3584 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3585 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3588 /* Point with x equal to a 3rd root of unity.*/
3589 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3590 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3591 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3592 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3595 /* Point with largest x. (1/2) */
3596 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3597 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3598 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3599 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3602 /* Point with largest x. (2/2) */
3603 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3604 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3605 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3606 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3609 /* Point with smallest x. (1/2) */
3610 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3612 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3613 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3616 /* Point with smallest x. (2/2) */
3617 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3619 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3620 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3623 /* Point with largest y. (1/3) */
3624 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3625 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3626 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3627 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3630 /* Point with largest y. (2/3) */
3631 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3632 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3634 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3637 /* Point with largest y. (3/3) */
3638 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3639 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3641 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3644 /* Point with smallest y. (1/3) */
3645 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3646 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3651 /* Point with smallest y. (2/3) */
3652 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3653 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3658 /* Point with smallest y. (3/3) */
3659 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3660 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3661 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3662 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3665 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3666 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3668 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3669 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3670 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3671 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3672 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3675 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3676 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3677 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3679 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3682 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3683 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3684 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3685 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3686 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3689 /* x on curve, y is from y^2 = x^3 + 8. */
3690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3696 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3697 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3699 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3700 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3701 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3706 /* Valid if x overflow ignored (x = 1 mod p). */
3707 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3708 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3709 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3710 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3713 /* Valid if x overflow ignored (x = 1 mod p). */
3714 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3715 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3716 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3717 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3720 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3721 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3722 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3723 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3724 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3727 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3728 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3729 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3730 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3731 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3734 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3737 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3738 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3741 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3744 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3745 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3748 const unsigned char pubkeyc[66] = {
3749 /* Serialization of G. */
3750 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3751 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3752 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3753 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3756 unsigned char sout[65];
3757 unsigned char shortkey[2];
3759 secp256k1_pubkey pubkey;
3765 /* Nothing should be reading this far into pubkeyc. */
3766 VG_UNDEF(&pubkeyc[65], 1);
3767 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3768 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3769 memset(&pubkey, 0xfe, sizeof(pubkey));
3771 VG_UNDEF(shortkey, 2);
3772 VG_UNDEF(&pubkey, sizeof(pubkey));
3773 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3774 VG_CHECK(&pubkey, sizeof(pubkey));
3776 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3778 /* Length one claimed, fail, zeroize, no illegal arg error. */
3779 for (i = 0; i < 256 ; i++) {
3780 memset(&pubkey, 0xfe, sizeof(pubkey));
3783 VG_UNDEF(&shortkey[1], 1);
3784 VG_UNDEF(&pubkey, sizeof(pubkey));
3785 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3786 VG_CHECK(&pubkey, sizeof(pubkey));
3788 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3791 /* Length two claimed, fail, zeroize, no illegal arg error. */
3792 for (i = 0; i < 65536 ; i++) {
3793 memset(&pubkey, 0xfe, sizeof(pubkey));
3795 shortkey[0] = i & 255;
3796 shortkey[1] = i >> 8;
3797 VG_UNDEF(&pubkey, sizeof(pubkey));
3798 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3799 VG_CHECK(&pubkey, sizeof(pubkey));
3801 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3804 memset(&pubkey, 0xfe, sizeof(pubkey));
3806 VG_UNDEF(&pubkey, sizeof(pubkey));
3807 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3808 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3809 VG_CHECK(&pubkey, sizeof(pubkey));
3811 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3813 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3814 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3816 /* NULL input string. Illegal arg and zeroize output. */
3817 memset(&pubkey, 0xfe, sizeof(pubkey));
3819 VG_UNDEF(&pubkey, sizeof(pubkey));
3820 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3821 VG_CHECK(&pubkey, sizeof(pubkey));
3823 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3825 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3826 memset(&pubkey, 0xfe, sizeof(pubkey));
3828 VG_UNDEF(&pubkey, sizeof(pubkey));
3829 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3830 VG_CHECK(&pubkey, sizeof(pubkey));
3832 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3834 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3835 memset(&pubkey, 0xfe, sizeof(pubkey));
3837 VG_UNDEF(&pubkey, sizeof(pubkey));
3838 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3839 VG_CHECK(&pubkey, sizeof(pubkey));
3841 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3844 memset(&pubkey, 0, sizeof(pubkey));
3846 VG_UNDEF(&pubkey, sizeof(pubkey));
3847 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3848 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3849 VG_CHECK(&pubkey, sizeof(pubkey));
3851 VG_UNDEF(&ge, sizeof(ge));
3852 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3853 VG_CHECK(&ge.x, sizeof(ge.x));
3854 VG_CHECK(&ge.y, sizeof(ge.y));
3855 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3856 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3858 /* secp256k1_ec_pubkey_serialize illegal args. */
3861 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3864 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3868 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3873 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3878 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3882 /* Multiple illegal args. Should still set arg error only once. */
3885 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3887 /* Does the illegal arg callback actually change the behavior? */
3888 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3889 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3891 CHECK(ecount2 == 10);
3892 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3893 /* Try a bunch of prefabbed points with all possible encodings. */
3894 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3895 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3897 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3898 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3900 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3901 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3905 void run_eckey_edge_case_test(void) {
3906 const unsigned char orderc[32] = {
3907 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3908 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3909 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3910 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3912 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3913 unsigned char ctmp[33];
3914 unsigned char ctmp2[33];
3915 secp256k1_pubkey pubkey;
3916 secp256k1_pubkey pubkey2;
3917 secp256k1_pubkey pubkey_one;
3918 secp256k1_pubkey pubkey_negone;
3919 const secp256k1_pubkey *pubkeys[3];
3922 /* Group order is too large, reject. */
3923 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3924 VG_UNDEF(&pubkey, sizeof(pubkey));
3925 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3926 VG_CHECK(&pubkey, sizeof(pubkey));
3927 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3928 /* Maximum value is too large, reject. */
3929 memset(ctmp, 255, 32);
3930 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3931 memset(&pubkey, 1, sizeof(pubkey));
3932 VG_UNDEF(&pubkey, sizeof(pubkey));
3933 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3934 VG_CHECK(&pubkey, sizeof(pubkey));
3935 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3936 /* Zero is too small, reject. */
3937 memset(ctmp, 0, 32);
3938 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3939 memset(&pubkey, 1, sizeof(pubkey));
3940 VG_UNDEF(&pubkey, sizeof(pubkey));
3941 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3942 VG_CHECK(&pubkey, sizeof(pubkey));
3943 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3944 /* One must be accepted. */
3946 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3947 memset(&pubkey, 0, sizeof(pubkey));
3948 VG_UNDEF(&pubkey, sizeof(pubkey));
3949 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3950 VG_CHECK(&pubkey, sizeof(pubkey));
3951 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3952 pubkey_one = pubkey;
3953 /* Group order + 1 is too large, reject. */
3954 memcpy(ctmp, orderc, 32);
3956 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3957 memset(&pubkey, 1, sizeof(pubkey));
3958 VG_UNDEF(&pubkey, sizeof(pubkey));
3959 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3960 VG_CHECK(&pubkey, sizeof(pubkey));
3961 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3962 /* -1 must be accepted. */
3964 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3965 memset(&pubkey, 0, sizeof(pubkey));
3966 VG_UNDEF(&pubkey, sizeof(pubkey));
3967 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3968 VG_CHECK(&pubkey, sizeof(pubkey));
3969 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3970 pubkey_negone = pubkey;
3971 /* Tweak of zero leaves the value unchanged. */
3972 memset(ctmp2, 0, 32);
3973 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3974 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3975 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3976 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3977 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3978 /* Multiply tweak of zero zeroizes the output. */
3979 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3980 CHECK(memcmp(zeros, ctmp, 32) == 0);
3981 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3982 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3983 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3984 /* Overflowing key tweak zeroizes. */
3985 memcpy(ctmp, orderc, 32);
3987 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3988 CHECK(memcmp(zeros, ctmp, 32) == 0);
3989 memcpy(ctmp, orderc, 32);
3991 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3992 CHECK(memcmp(zeros, ctmp, 32) == 0);
3993 memcpy(ctmp, orderc, 32);
3995 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3996 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3997 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3998 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3999 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4000 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4001 /* Private key tweaks results in a key of zero. */
4003 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
4004 CHECK(memcmp(zeros, ctmp2, 32) == 0);
4006 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4007 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4008 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4009 /* Tweak computation wraps and results in a key of 1. */
4011 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
4012 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4014 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4016 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4017 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4018 /* Tweak mul * 2 = 1+1. */
4019 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4021 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4022 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4023 /* Test argument errors. */
4025 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4027 /* Zeroize pubkey on parse error. */
4028 memset(&pubkey, 0, 32);
4029 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4031 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4032 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4033 memset(&pubkey2, 0, 32);
4034 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4036 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4037 /* Plain argument errors. */
4039 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4041 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4044 memset(ctmp2, 0, 32);
4046 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4048 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4051 memset(ctmp2, 0, 32);
4053 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4055 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4058 memset(ctmp2, 0, 32);
4059 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
4061 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
4064 memset(ctmp2, 0, 32);
4066 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4068 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
4071 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4073 memset(&pubkey, 1, sizeof(pubkey));
4074 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4076 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4077 /* secp256k1_ec_pubkey_combine tests. */
4079 pubkeys[0] = &pubkey_one;
4080 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4081 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4082 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4083 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4084 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4085 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4086 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4087 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4089 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4090 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4092 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4093 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4094 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4095 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4096 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4098 pubkeys[0] = &pubkey_negone;
4099 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4100 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4101 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4102 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4103 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4106 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4107 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4108 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4109 /* Result is infinity. */
4110 pubkeys[0] = &pubkey_one;
4111 pubkeys[1] = &pubkey_negone;
4112 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4113 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4114 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4115 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4116 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4118 /* Passes through infinity but comes out one. */
4119 pubkeys[2] = &pubkey_one;
4120 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4121 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4122 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4123 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4124 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4127 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4128 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4129 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4131 pubkeys[1] = &pubkey_one;
4132 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4133 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4134 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4135 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4136 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4138 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4141 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4142 secp256k1_scalar nonce;
4144 random_scalar_order_test(&nonce);
4145 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4148 void test_ecdsa_sign_verify(void) {
4151 secp256k1_scalar one;
4152 secp256k1_scalar msg, key;
4153 secp256k1_scalar sigr, sigs;
4156 random_scalar_order_test(&msg);
4157 random_scalar_order_test(&key);
4158 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4159 secp256k1_ge_set_gej(&pub, &pubj);
4160 getrec = secp256k1_rand_bits(1);
4161 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4163 CHECK(recid >= 0 && recid < 4);
4165 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4166 secp256k1_scalar_set_int(&one, 1);
4167 secp256k1_scalar_add(&msg, &msg, &one);
4168 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4171 void run_ecdsa_sign_verify(void) {
4173 for (i = 0; i < 10*count; i++) {
4174 test_ecdsa_sign_verify();
4178 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4179 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4183 memcpy(nonce32, data, 32);
4184 return (counter == 0);
4187 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4188 /* Dummy nonce generator that has a fatal error on the first counter value. */
4192 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4195 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4196 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4198 memset(nonce32, counter==0 ? 0 : 255, 32);
4205 static const unsigned char order[] = {
4206 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4207 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4208 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4209 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4211 memcpy(nonce32, order, 32);
4217 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4218 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4222 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4225 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4226 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4227 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4230 void test_ecdsa_end_to_end(void) {
4231 unsigned char extra[32] = {0x00};
4232 unsigned char privkey[32];
4233 unsigned char message[32];
4234 unsigned char privkey2[32];
4235 secp256k1_ecdsa_signature signature[6];
4236 secp256k1_scalar r, s;
4237 unsigned char sig[74];
4239 unsigned char pubkeyc[65];
4240 size_t pubkeyclen = 65;
4241 secp256k1_pubkey pubkey;
4242 secp256k1_pubkey pubkey_tmp;
4243 unsigned char seckey[300];
4244 size_t seckeylen = 300;
4246 /* Generate a random key and message. */
4248 secp256k1_scalar msg, key;
4249 random_scalar_order_test(&msg);
4250 random_scalar_order_test(&key);
4251 secp256k1_scalar_get_b32(privkey, &key);
4252 secp256k1_scalar_get_b32(message, &msg);
4255 /* Construct and verify corresponding public key. */
4256 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4257 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4259 /* Verify exporting and importing public key. */
4260 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4261 memset(&pubkey, 0, sizeof(pubkey));
4262 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4264 /* Verify negation changes the key and changes it back */
4265 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4266 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4267 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4268 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4269 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4271 /* Verify private key import and export. */
4272 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4273 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4274 CHECK(memcmp(privkey, privkey2, 32) == 0);
4276 /* Optionally tweak the keys using addition. */
4277 if (secp256k1_rand_int(3) == 0) {
4280 unsigned char rnd[32];
4281 secp256k1_pubkey pubkey2;
4282 secp256k1_rand256_test(rnd);
4283 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4284 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4285 CHECK(ret1 == ret2);
4289 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4290 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4293 /* Optionally tweak the keys using multiplication. */
4294 if (secp256k1_rand_int(3) == 0) {
4297 unsigned char rnd[32];
4298 secp256k1_pubkey pubkey2;
4299 secp256k1_rand256_test(rnd);
4300 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4301 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4302 CHECK(ret1 == ret2);
4306 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4307 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4311 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4312 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4313 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4315 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4318 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4319 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4320 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4321 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4322 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4323 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4324 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4325 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4327 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4328 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4329 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4330 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4331 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4332 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4333 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4334 secp256k1_scalar_negate(&s, &s);
4335 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4336 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4337 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4338 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4339 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4340 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4341 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4342 secp256k1_scalar_negate(&s, &s);
4343 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4344 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4345 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4346 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4348 /* Serialize/parse DER and verify again */
4349 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4350 memset(&signature[0], 0, sizeof(signature[0]));
4351 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4352 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4353 /* Serialize/destroy/parse DER and verify again. */
4355 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4356 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4357 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4358 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4361 void test_random_pubkeys(void) {
4364 unsigned char in[65];
4365 /* Generate some randomly sized pubkeys. */
4366 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4367 if (secp256k1_rand_bits(2) == 0) {
4368 len = secp256k1_rand_bits(6);
4371 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4373 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4375 if (secp256k1_rand_bits(3) == 0) {
4376 in[0] = secp256k1_rand_bits(8);
4379 secp256k1_rand256(&in[1]);
4382 secp256k1_rand256(&in[33]);
4384 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4385 unsigned char out[65];
4386 unsigned char firstb;
4390 /* If the pubkey can be parsed, it should round-trip... */
4391 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4393 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4394 /* ... except for the type of hybrid inputs. */
4395 if ((in[0] != 6) && (in[0] != 7)) {
4396 CHECK(in[0] == out[0]);
4399 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4401 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4402 ge_equals_ge(&elem,&elem2);
4403 /* Check that the X9.62 hybrid type is checked. */
4404 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4405 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4406 if (firstb == 2 || firstb == 3) {
4407 if (in[0] == firstb + 4) {
4414 ge_equals_ge(&elem,&elem2);
4415 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4416 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4421 void run_random_pubkeys(void) {
4423 for (i = 0; i < 10*count; i++) {
4424 test_random_pubkeys();
4428 void run_ecdsa_end_to_end(void) {
4430 for (i = 0; i < 64*count; i++) {
4431 test_ecdsa_end_to_end();
4435 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4436 static const unsigned char zeroes[32] = {0};
4437 #ifdef ENABLE_OPENSSL_TESTS
4438 static const unsigned char max_scalar[32] = {
4439 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4440 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4441 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4442 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4448 secp256k1_ecdsa_signature sig_der;
4449 unsigned char roundtrip_der[2048];
4450 unsigned char compact_der[64];
4451 size_t len_der = 2048;
4452 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4454 secp256k1_ecdsa_signature sig_der_lax;
4455 unsigned char roundtrip_der_lax[2048];
4456 unsigned char compact_der_lax[64];
4457 size_t len_der_lax = 2048;
4458 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4460 #ifdef ENABLE_OPENSSL_TESTS
4461 ECDSA_SIG *sig_openssl;
4462 const BIGNUM *r = NULL, *s = NULL;
4463 const unsigned char *sigptr;
4464 unsigned char roundtrip_openssl[2048];
4465 int len_openssl = 2048;
4466 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4469 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4471 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4472 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4475 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4476 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4479 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4480 if (parsed_der_lax) {
4481 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4482 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4484 if (valid_der_lax) {
4485 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4486 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4489 if (certainly_der) {
4490 ret |= (!parsed_der) << 2;
4492 if (certainly_not_der) {
4493 ret |= (parsed_der) << 17;
4496 ret |= (!roundtrips_der) << 3;
4500 ret |= (!roundtrips_der_lax) << 12;
4501 ret |= (len_der != len_der_lax) << 13;
4502 ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4504 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4506 ret |= (!parsed_der_lax) << 16;
4509 #ifdef ENABLE_OPENSSL_TESTS
4510 sig_openssl = ECDSA_SIG_new();
4512 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4513 if (parsed_openssl) {
4514 ECDSA_SIG_get0(sig_openssl, &r, &s);
4515 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4516 if (valid_openssl) {
4517 unsigned char tmp[32] = {0};
4518 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4519 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4521 if (valid_openssl) {
4522 unsigned char tmp[32] = {0};
4523 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4524 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4527 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4528 if (len_openssl <= 2048) {
4529 unsigned char *ptr = roundtrip_openssl;
4530 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4531 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4535 ECDSA_SIG_free(sig_openssl);
4537 ret |= (parsed_der && !parsed_openssl) << 4;
4538 ret |= (valid_der && !valid_openssl) << 5;
4539 ret |= (roundtrips_openssl && !parsed_der) << 6;
4540 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4541 if (roundtrips_openssl) {
4542 ret |= (len_der != (size_t)len_openssl) << 8;
4543 ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4549 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4551 for (i = 0; i < ptrlen; i++) {
4552 int shift = ptrlen - 1 - i;
4556 ptr[i] = (val >> shift) & 0xFF;
4561 static void damage_array(unsigned char *sig, size_t *len) {
4563 int action = secp256k1_rand_bits(3);
4564 if (action < 1 && *len > 3) {
4565 /* Delete a byte. */
4566 pos = secp256k1_rand_int(*len);
4567 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4570 } else if (action < 2 && *len < 2048) {
4571 /* Insert a byte. */
4572 pos = secp256k1_rand_int(1 + *len);
4573 memmove(sig + pos + 1, sig + pos, *len - pos);
4574 sig[pos] = secp256k1_rand_bits(8);
4577 } else if (action < 4) {
4578 /* Modify a byte. */
4579 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4581 } else { /* action < 8 */
4583 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4588 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4590 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4591 size_t tlen, elen, glen;
4596 der = secp256k1_rand_bits(2) == 0;
4597 *certainly_der = der;
4598 *certainly_not_der = 0;
4599 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4601 for (n = 0; n < 2; n++) {
4602 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4603 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4604 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4605 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4606 CHECK(nlen[n] <= 232);
4607 /* The top bit of the number. */
4608 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4609 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4610 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4611 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4612 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4613 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4614 *certainly_not_der = 1;
4616 CHECK(nlen[n] + nzlen[n] <= 300);
4617 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4618 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4620 /* nlenlen[n] max 127 bytes */
4621 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4624 *certainly_not_der = 1;
4627 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4630 /* The total length of the data to go, so far */
4631 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4634 /* The length of the garbage inside the tuple. */
4635 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4637 *certainly_not_der = 1;
4642 /* The length of the garbage after the end of the tuple. */
4643 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4645 *certainly_not_der = 1;
4647 CHECK(tlen + glen <= 990);
4649 /* Write the tuple header. */
4650 sig[(*len)++] = 0x30;
4652 /* Indeterminate length */
4653 sig[(*len)++] = 0x80;
4654 *certainly_not_der = 1;
4656 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4658 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4661 *certainly_not_der = 1;
4665 /* Short length notation */
4666 sig[(*len)++] = tlen;
4668 /* Long length notation */
4669 sig[(*len)++] = 128 + tlenlen;
4670 assign_big_endian(sig + *len, tlenlen, tlen);
4676 CHECK(tlen + glen <= 1119);
4678 for (n = 0; n < 2; n++) {
4679 /* Write the integer header. */
4680 sig[(*len)++] = 0x02;
4681 if (nlenlen[n] == 0) {
4682 /* Short length notation */
4683 sig[(*len)++] = nlen[n] + nzlen[n];
4685 /* Long length notation. */
4686 sig[(*len)++] = 128 + nlenlen[n];
4687 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4690 /* Write zero padding */
4691 while (nzlen[n] > 0) {
4692 sig[(*len)++] = 0x00;
4695 if (nlen[n] == 32 && !nlow[n]) {
4696 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4698 for (i = 0; i < 16; i++) {
4699 sig[(*len)++] = 0xFF;
4703 /* Write first byte of number */
4705 sig[(*len)++] = nhbyte[n];
4708 /* Generate remaining random bytes of number */
4709 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4714 /* Generate random garbage inside tuple. */
4715 secp256k1_rand_bytes_test(sig + *len, elen);
4718 /* Generate end-of-contents bytes. */
4724 CHECK(tlen + glen <= 1121);
4726 /* Generate random garbage outside tuple. */
4727 secp256k1_rand_bytes_test(sig + *len, glen);
4730 CHECK(tlen <= 1121);
4731 CHECK(tlen == *len);
4734 void run_ecdsa_der_parse(void) {
4736 for (i = 0; i < 200 * count; i++) {
4737 unsigned char buffer[2048];
4739 int certainly_der = 0;
4740 int certainly_not_der = 0;
4741 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4742 CHECK(buflen <= 2048);
4743 for (j = 0; j < 16; j++) {
4746 damage_array(buffer, &buflen);
4747 /* We don't know anything anymore about the DERness of the result */
4749 certainly_not_der = 0;
4751 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4754 fprintf(stderr, "Failure %x on ", ret);
4755 for (k = 0; k < buflen; k++) {
4756 fprintf(stderr, "%02x ", buffer[k]);
4758 fprintf(stderr, "\n");
4765 /* Tests several edge cases. */
4766 void test_ecdsa_edge_cases(void) {
4768 secp256k1_ecdsa_signature sig;
4770 /* Test the case where ECDSA recomputes a point that is infinity. */
4774 secp256k1_scalar msg;
4775 secp256k1_scalar sr, ss;
4776 secp256k1_scalar_set_int(&ss, 1);
4777 secp256k1_scalar_negate(&ss, &ss);
4778 secp256k1_scalar_inverse(&ss, &ss);
4779 secp256k1_scalar_set_int(&sr, 1);
4780 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4781 secp256k1_ge_set_gej(&key, &keyj);
4783 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4786 /* Verify signature with r of zero fails. */
4788 const unsigned char pubkey_mods_zero[33] = {
4789 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4790 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4791 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4792 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4796 secp256k1_scalar msg;
4797 secp256k1_scalar sr, ss;
4798 secp256k1_scalar_set_int(&ss, 1);
4799 secp256k1_scalar_set_int(&msg, 0);
4800 secp256k1_scalar_set_int(&sr, 0);
4801 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4802 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4805 /* Verify signature with s of zero fails. */
4807 const unsigned char pubkey[33] = {
4808 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4815 secp256k1_scalar msg;
4816 secp256k1_scalar sr, ss;
4817 secp256k1_scalar_set_int(&ss, 0);
4818 secp256k1_scalar_set_int(&msg, 0);
4819 secp256k1_scalar_set_int(&sr, 1);
4820 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4821 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4824 /* Verify signature with message 0 passes. */
4826 const unsigned char pubkey[33] = {
4827 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4833 const unsigned char pubkey2[33] = {
4834 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4835 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4836 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4837 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4842 secp256k1_scalar msg;
4843 secp256k1_scalar sr, ss;
4844 secp256k1_scalar_set_int(&ss, 2);
4845 secp256k1_scalar_set_int(&msg, 0);
4846 secp256k1_scalar_set_int(&sr, 2);
4847 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4848 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4849 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4850 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4851 secp256k1_scalar_negate(&ss, &ss);
4852 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4853 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4854 secp256k1_scalar_set_int(&ss, 1);
4855 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4856 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4859 /* Verify signature with message 1 passes. */
4861 const unsigned char pubkey[33] = {
4862 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4863 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4864 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4865 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4868 const unsigned char pubkey2[33] = {
4869 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4870 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4871 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4872 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4875 const unsigned char csr[32] = {
4876 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4878 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4879 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4883 secp256k1_scalar msg;
4884 secp256k1_scalar sr, ss;
4885 secp256k1_scalar_set_int(&ss, 1);
4886 secp256k1_scalar_set_int(&msg, 1);
4887 secp256k1_scalar_set_b32(&sr, csr, NULL);
4888 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4889 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4890 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4891 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4892 secp256k1_scalar_negate(&ss, &ss);
4893 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4894 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4895 secp256k1_scalar_set_int(&ss, 2);
4896 secp256k1_scalar_inverse_var(&ss, &ss);
4897 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4898 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4901 /* Verify signature with message -1 passes. */
4903 const unsigned char pubkey[33] = {
4904 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4905 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4906 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4907 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4910 const unsigned char csr[32] = {
4911 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4913 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4914 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4917 secp256k1_scalar msg;
4918 secp256k1_scalar sr, ss;
4919 secp256k1_scalar_set_int(&ss, 1);
4920 secp256k1_scalar_set_int(&msg, 1);
4921 secp256k1_scalar_negate(&msg, &msg);
4922 secp256k1_scalar_set_b32(&sr, csr, NULL);
4923 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4924 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4925 secp256k1_scalar_negate(&ss, &ss);
4926 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4927 secp256k1_scalar_set_int(&ss, 3);
4928 secp256k1_scalar_inverse_var(&ss, &ss);
4929 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4932 /* Signature where s would be zero. */
4934 secp256k1_pubkey pubkey;
4937 unsigned char signature[72];
4938 static const unsigned char nonce[32] = {
4939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4942 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4944 static const unsigned char nonce2[32] = {
4945 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4946 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4947 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4948 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4950 const unsigned char key[32] = {
4951 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4953 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4954 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4956 unsigned char msg[32] = {
4957 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4958 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4959 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4960 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4963 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4964 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4965 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4967 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4969 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4971 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4973 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4975 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4976 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4977 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4979 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4981 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4983 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4985 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4987 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4988 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4991 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4993 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4994 CHECK(ecount == 10);
4995 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4996 CHECK(ecount == 11);
4997 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4998 CHECK(ecount == 11);
4999 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5000 CHECK(ecount == 12);
5001 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5002 CHECK(ecount == 13);
5003 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5004 CHECK(ecount == 13);
5006 /* Too little room for a signature does not fail via ARGCHECK. */
5007 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5008 CHECK(ecount == 13);
5010 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5012 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5014 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5016 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5018 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5020 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5022 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5024 memset(signature, 255, 64);
5025 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5027 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5030 /* Nonce function corner cases. */
5031 for (t = 0; t < 2; t++) {
5032 static const unsigned char zero[32] = {0x00};
5034 unsigned char key[32];
5035 unsigned char msg[32];
5036 secp256k1_ecdsa_signature sig2;
5037 secp256k1_scalar sr[512], ss;
5038 const unsigned char *extra;
5039 extra = t == 0 ? NULL : zero;
5042 /* High key results in signature failure. */
5043 memset(key, 0xFF, 32);
5044 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5045 CHECK(is_empty_signature(&sig));
5046 /* Zero key results in signature failure. */
5048 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5049 CHECK(is_empty_signature(&sig));
5050 /* Nonce function failure results in signature failure. */
5052 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5053 CHECK(is_empty_signature(&sig));
5054 /* The retry loop successfully makes its way to the first good value. */
5055 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5056 CHECK(!is_empty_signature(&sig));
5057 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5058 CHECK(!is_empty_signature(&sig2));
5059 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5060 /* The default nonce function is deterministic. */
5061 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5062 CHECK(!is_empty_signature(&sig2));
5063 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5064 /* The default nonce function changes output with different messages. */
5065 for(i = 0; i < 256; i++) {
5068 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5069 CHECK(!is_empty_signature(&sig2));
5070 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5071 for (j = 0; j < i; j++) {
5072 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5077 /* The default nonce function changes output with different keys. */
5078 for(i = 256; i < 512; i++) {
5081 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5082 CHECK(!is_empty_signature(&sig2));
5083 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5084 for (j = 0; j < i; j++) {
5085 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5092 /* Check that optional nonce arguments do not have equivalent effect. */
5093 const unsigned char zeros[32] = {0};
5094 unsigned char nonce[32];
5095 unsigned char nonce2[32];
5096 unsigned char nonce3[32];
5097 unsigned char nonce4[32];
5099 VG_UNDEF(nonce2,32);
5100 VG_UNDEF(nonce3,32);
5101 VG_UNDEF(nonce4,32);
5102 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5104 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5105 VG_CHECK(nonce2,32);
5106 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5107 VG_CHECK(nonce3,32);
5108 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5109 VG_CHECK(nonce4,32);
5110 CHECK(memcmp(nonce, nonce2, 32) != 0);
5111 CHECK(memcmp(nonce, nonce3, 32) != 0);
5112 CHECK(memcmp(nonce, nonce4, 32) != 0);
5113 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5114 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5115 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5119 /* Privkey export where pubkey is the point at infinity. */
5121 unsigned char privkey[300];
5122 unsigned char seckey[32] = {
5123 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5124 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5125 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5126 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5128 size_t outlen = 300;
5129 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5131 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5135 void run_ecdsa_edge_cases(void) {
5136 test_ecdsa_edge_cases();
5139 #ifdef ENABLE_OPENSSL_TESTS
5140 EC_KEY *get_openssl_key(const unsigned char *key32) {
5141 unsigned char privkey[300];
5143 const unsigned char* pbegin = privkey;
5144 int compr = secp256k1_rand_bits(1);
5145 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5146 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5147 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5148 CHECK(EC_KEY_check_key(ec_key));
5152 void test_ecdsa_openssl(void) {
5155 secp256k1_scalar sigr, sigs;
5156 secp256k1_scalar one;
5157 secp256k1_scalar msg2;
5158 secp256k1_scalar key, msg;
5160 unsigned int sigsize = 80;
5161 size_t secp_sigsize = 80;
5162 unsigned char message[32];
5163 unsigned char signature[80];
5164 unsigned char key32[32];
5165 secp256k1_rand256_test(message);
5166 secp256k1_scalar_set_b32(&msg, message, NULL);
5167 random_scalar_order_test(&key);
5168 secp256k1_scalar_get_b32(key32, &key);
5169 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5170 secp256k1_ge_set_gej(&q, &qj);
5171 ec_key = get_openssl_key(key32);
5172 CHECK(ec_key != NULL);
5173 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5174 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5175 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5176 secp256k1_scalar_set_int(&one, 1);
5177 secp256k1_scalar_add(&msg2, &msg, &one);
5178 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5180 random_sign(&sigr, &sigs, &key, &msg, NULL);
5181 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5182 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5184 EC_KEY_free(ec_key);
5187 void run_ecdsa_openssl(void) {
5189 for (i = 0; i < 10*count; i++) {
5190 test_ecdsa_openssl();
5195 #ifdef ENABLE_MODULE_ECDH
5196 # include "modules/ecdh/tests_impl.h"
5199 #ifdef ENABLE_MODULE_RECOVERY
5200 # include "modules/recovery/tests_impl.h"
5203 int main(int argc, char **argv) {
5204 unsigned char seed16[16] = {0};
5205 unsigned char run32[32] = {0};
5207 /* Disable buffering for stdout to improve reliability of getting
5208 * diagnostic information. Happens right at the start of main because
5209 * setbuf must be used before any other operation on the stream. */
5210 setbuf(stdout, NULL);
5211 /* Also disable buffering for stderr because it's not guaranteed that it's
5212 * unbuffered on all systems. */
5213 setbuf(stderr, NULL);
5215 /* find iteration count */
5217 count = strtol(argv[1], NULL, 0);
5220 /* find random seed */
5223 const char* ch = argv[2];
5224 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5226 if ((sscanf(ch, "%2hx", &sh)) == 1) {
5235 FILE *frand = fopen("/dev/urandom", "r");
5236 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5237 uint64_t t = time(NULL) * (uint64_t)1337;
5238 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5240 seed16[1] ^= t >> 8;
5241 seed16[2] ^= t >> 16;
5242 seed16[3] ^= t >> 24;
5243 seed16[4] ^= t >> 32;
5244 seed16[5] ^= t >> 40;
5245 seed16[6] ^= t >> 48;
5246 seed16[7] ^= t >> 56;
5252 secp256k1_rand_seed(seed16);
5254 printf("test count = %i\n", count);
5255 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5258 run_context_tests(0);
5259 run_context_tests(1);
5260 run_scratch_tests();
5261 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5262 if (secp256k1_rand_bits(1)) {
5263 secp256k1_rand256(run32);
5264 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5271 run_hmac_sha256_tests();
5272 run_rfc6979_hmac_sha256_tests();
5274 #ifndef USE_NUM_NONE
5276 run_num_smalltests();
5284 run_field_inv_var();
5285 run_field_inv_all_var();
5287 run_field_convert();
5293 run_group_decompress();
5297 run_point_times_order();
5299 run_ecmult_constants();
5300 run_ecmult_gen_blind();
5301 run_ecmult_const_tests();
5302 run_ecmult_multi_tests();
5305 /* endomorphism tests */
5306 #ifdef USE_ENDOMORPHISM
5307 run_endomorphism_tests();
5310 /* EC point parser test */
5311 run_ec_pubkey_parse_test();
5313 /* EC key edge cases */
5314 run_eckey_edge_case_test();
5316 #ifdef ENABLE_MODULE_ECDH
5322 run_random_pubkeys();
5323 run_ecdsa_der_parse();
5324 run_ecdsa_sign_verify();
5325 run_ecdsa_end_to_end();
5326 run_ecdsa_edge_cases();
5327 #ifdef ENABLE_OPENSSL_TESTS
5328 run_ecdsa_openssl();
5331 #ifdef ENABLE_MODULE_RECOVERY
5332 /* ECDSA pubkey recovery tests */
5333 run_recovery_tests();
5336 secp256k1_rand256(run32);
5337 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5340 secp256k1_context_destroy(ctx);
5342 printf("no problems found\n");
projects / secp256k1.git / blob