1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
166 /*** clone and destroy all of them to make sure cloning was complete ***/
168 secp256k1_context *ctx_tmp;
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
188 /* Verify context-type checking illegal-argument errors. */
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
223 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
225 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
226 CHECK(ecount2 == 14);
227 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
228 CHECK(ecount2 == 14);
229 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
230 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
232 /* This shouldn't leak memory, due to already-set tests. */
233 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
234 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
236 /* obtain a working nonce */
238 random_scalar_order_test(&nonce);
239 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
242 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
243 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
246 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
247 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
250 secp256k1_context_destroy(none);
251 secp256k1_context_destroy(sign);
252 secp256k1_context_destroy(vrfy);
253 secp256k1_context_destroy(both);
254 /* Defined as no-op. */
255 secp256k1_context_destroy(NULL);
258 void run_scratch_tests(void) {
260 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
261 secp256k1_scratch_space *scratch;
263 /* Test public API */
264 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
266 scratch = secp256k1_scratch_space_create(none, 1000);
267 CHECK(scratch != NULL);
270 /* Test internal API */
271 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
272 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
274 /* Allocating 500 bytes with no frame fails */
275 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
276 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
278 /* ...but pushing a new stack frame does affect the max allocation */
279 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
280 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
281 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
282 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
284 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
286 /* ...and this effect is undone by popping the frame */
287 secp256k1_scratch_deallocate_frame(scratch);
288 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
289 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
292 secp256k1_scratch_space_destroy(scratch);
293 secp256k1_context_destroy(none);
296 /***** HASH TESTS *****/
298 void run_sha256_tests(void) {
299 static const char *inputs[8] = {
300 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
301 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
302 "For this sample, this 63-byte string will be used as input data",
303 "This is exactly 64 bytes long, not counting the terminating byte"
305 static const unsigned char outputs[8][32] = {
306 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
307 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
308 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
309 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
310 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
311 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
312 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
313 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
316 for (i = 0; i < 8; i++) {
317 unsigned char out[32];
318 secp256k1_sha256 hasher;
319 secp256k1_sha256_initialize(&hasher);
320 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
321 secp256k1_sha256_finalize(&hasher, out);
322 CHECK(memcmp(out, outputs[i], 32) == 0);
323 if (strlen(inputs[i]) > 0) {
324 int split = secp256k1_rand_int(strlen(inputs[i]));
325 secp256k1_sha256_initialize(&hasher);
326 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
327 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
328 secp256k1_sha256_finalize(&hasher, out);
329 CHECK(memcmp(out, outputs[i], 32) == 0);
334 void run_hmac_sha256_tests(void) {
335 static const char *keys[6] = {
336 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
338 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
339 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
340 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
341 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
343 static const char *inputs[6] = {
344 "\x48\x69\x20\x54\x68\x65\x72\x65",
345 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
346 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
347 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
348 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
349 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
351 static const unsigned char outputs[6][32] = {
352 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
353 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
354 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
355 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
356 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
357 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
360 for (i = 0; i < 6; i++) {
361 secp256k1_hmac_sha256 hasher;
362 unsigned char out[32];
363 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
364 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
365 secp256k1_hmac_sha256_finalize(&hasher, out);
366 CHECK(memcmp(out, outputs[i], 32) == 0);
367 if (strlen(inputs[i]) > 0) {
368 int split = secp256k1_rand_int(strlen(inputs[i]));
369 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
370 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
371 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
372 secp256k1_hmac_sha256_finalize(&hasher, out);
373 CHECK(memcmp(out, outputs[i], 32) == 0);
378 void run_rfc6979_hmac_sha256_tests(void) {
379 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
380 static const unsigned char out1[3][32] = {
381 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
382 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
383 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
386 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
387 static const unsigned char out2[3][32] = {
388 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
389 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
390 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
393 secp256k1_rfc6979_hmac_sha256 rng;
394 unsigned char out[32];
397 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
398 for (i = 0; i < 3; i++) {
399 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
400 CHECK(memcmp(out, out1[i], 32) == 0);
402 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
404 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
405 for (i = 0; i < 3; i++) {
406 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
407 CHECK(memcmp(out, out1[i], 32) != 0);
409 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
411 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
412 for (i = 0; i < 3; i++) {
413 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
414 CHECK(memcmp(out, out2[i], 32) == 0);
416 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
419 /***** RANDOM TESTS *****/
421 void test_rand_bits(int rand32, int bits) {
422 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
423 * get a false negative chance below once in a billion */
424 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
425 /* We try multiplying the results with various odd numbers, which shouldn't
426 * influence the uniform distribution modulo a power of 2. */
427 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
428 /* We only select up to 6 bits from the output to analyse */
429 unsigned int usebits = bits > 6 ? 6 : bits;
430 unsigned int maxshift = bits - usebits;
431 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
432 number, track all observed outcomes, one per bit in a uint64_t. */
433 uint64_t x[6][27] = {{0}};
434 unsigned int i, shift, m;
435 /* Multiply the output of all rand calls with the odd number m, which
436 should not change the uniformity of its distribution. */
437 for (i = 0; i < rounds[usebits]; i++) {
438 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
439 CHECK((((uint64_t)r) >> bits) == 0);
440 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
441 uint32_t rm = r * mults[m];
442 for (shift = 0; shift <= maxshift; shift++) {
443 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
447 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
448 for (shift = 0; shift <= maxshift; shift++) {
449 /* Test that the lower usebits bits of x[shift] are 1 */
450 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
455 /* Subrange must be a whole divisor of range, and at most 64 */
456 void test_rand_int(uint32_t range, uint32_t subrange) {
457 /* (1-1/subrange)^rounds < 1/10^9 */
458 int rounds = (subrange * 2073) / 100;
461 CHECK((range % subrange) == 0);
462 for (i = 0; i < rounds; i++) {
463 uint32_t r = secp256k1_rand_int(range);
466 x |= (((uint64_t)1) << r);
468 /* Test that the lower subrange bits of x are 1. */
469 CHECK(((~x) << (64 - subrange)) == 0);
472 void run_rand_bits(void) {
474 test_rand_bits(1, 32);
475 for (b = 1; b <= 32; b++) {
476 test_rand_bits(0, b);
480 void run_rand_int(void) {
481 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
482 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
484 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
485 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
486 test_rand_int(ms[m] * ss[s], ss[s]);
491 /***** NUM TESTS *****/
494 void random_num_negate(secp256k1_num *num) {
495 if (secp256k1_rand_bits(1)) {
496 secp256k1_num_negate(num);
500 void random_num_order_test(secp256k1_num *num) {
502 random_scalar_order_test(&sc);
503 secp256k1_scalar_get_num(num, &sc);
506 void random_num_order(secp256k1_num *num) {
508 random_scalar_order(&sc);
509 secp256k1_scalar_get_num(num, &sc);
512 void test_num_negate(void) {
515 random_num_order_test(&n1); /* n1 = R */
516 random_num_negate(&n1);
517 secp256k1_num_copy(&n2, &n1); /* n2 = R */
518 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
519 CHECK(secp256k1_num_is_zero(&n1));
520 secp256k1_num_copy(&n1, &n2); /* n1 = R */
521 secp256k1_num_negate(&n1); /* n1 = -R */
522 CHECK(!secp256k1_num_is_zero(&n1));
523 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
524 CHECK(secp256k1_num_is_zero(&n1));
525 secp256k1_num_copy(&n1, &n2); /* n1 = R */
526 secp256k1_num_negate(&n1); /* n1 = -R */
527 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
528 secp256k1_num_negate(&n1); /* n1 = R */
529 CHECK(secp256k1_num_eq(&n1, &n2));
532 void test_num_add_sub(void) {
537 secp256k1_num n1p2, n2p1, n1m2, n2m1;
538 random_num_order_test(&n1); /* n1 = R1 */
539 if (secp256k1_rand_bits(1)) {
540 random_num_negate(&n1);
542 random_num_order_test(&n2); /* n2 = R2 */
543 if (secp256k1_rand_bits(1)) {
544 random_num_negate(&n2);
546 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
547 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
548 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
549 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
550 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
551 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
552 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
553 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
554 CHECK(!secp256k1_num_eq(&n2m1, &n1));
555 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
556 CHECK(secp256k1_num_eq(&n2m1, &n1));
557 CHECK(!secp256k1_num_eq(&n2p1, &n1));
558 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
559 CHECK(secp256k1_num_eq(&n2p1, &n1));
562 secp256k1_scalar_set_int(&s, 1);
563 secp256k1_scalar_get_num(&n1, &s);
564 CHECK(secp256k1_num_is_one(&n1));
565 /* check that 2^n + 1 is never 1 */
566 secp256k1_scalar_get_num(&n2, &s);
567 for (i = 0; i < 250; ++i) {
568 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
569 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
570 CHECK(!secp256k1_num_is_one(&n1p2));
574 void test_num_mod(void) {
577 secp256k1_num order, n;
579 /* check that 0 mod anything is 0 */
580 random_scalar_order_test(&s);
581 secp256k1_scalar_get_num(&order, &s);
582 secp256k1_scalar_set_int(&s, 0);
583 secp256k1_scalar_get_num(&n, &s);
584 secp256k1_num_mod(&n, &order);
585 CHECK(secp256k1_num_is_zero(&n));
587 /* check that anything mod 1 is 0 */
588 secp256k1_scalar_set_int(&s, 1);
589 secp256k1_scalar_get_num(&order, &s);
590 secp256k1_scalar_get_num(&n, &s);
591 secp256k1_num_mod(&n, &order);
592 CHECK(secp256k1_num_is_zero(&n));
594 /* check that increasing the number past 2^256 does not break this */
595 random_scalar_order_test(&s);
596 secp256k1_scalar_get_num(&n, &s);
597 /* multiply by 2^8, which'll test this case with high probability */
598 for (i = 0; i < 8; ++i) {
599 secp256k1_num_add(&n, &n, &n);
601 secp256k1_num_mod(&n, &order);
602 CHECK(secp256k1_num_is_zero(&n));
605 void test_num_jacobi(void) {
606 secp256k1_scalar sqr;
607 secp256k1_scalar small;
608 secp256k1_scalar five; /* five is not a quadratic residue */
609 secp256k1_num order, n;
611 /* squares mod 5 are 1, 4 */
612 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
614 /* check some small values with 5 as the order */
615 secp256k1_scalar_set_int(&five, 5);
616 secp256k1_scalar_get_num(&order, &five);
617 for (i = 0; i < 10; ++i) {
618 secp256k1_scalar_set_int(&small, i);
619 secp256k1_scalar_get_num(&n, &small);
620 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
623 /** test large values with 5 as group order */
624 secp256k1_scalar_get_num(&order, &five);
625 /* we first need a scalar which is not a multiple of 5 */
628 random_scalar_order_test(&sqr);
629 secp256k1_scalar_get_num(&fiven, &five);
630 secp256k1_scalar_get_num(&n, &sqr);
631 secp256k1_num_mod(&n, &fiven);
632 } while (secp256k1_num_is_zero(&n));
633 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
634 * just multiply by two, i.e. add the number to itself */
635 if (secp256k1_num_jacobi(&n, &order) == -1) {
636 secp256k1_num_add(&n, &n, &n);
640 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
641 /* test nonresidue */
642 secp256k1_num_add(&n, &n, &n);
643 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
645 /** test with secp group order as order */
646 secp256k1_scalar_order_get_num(&order);
647 random_scalar_order_test(&sqr);
648 secp256k1_scalar_sqr(&sqr, &sqr);
650 secp256k1_scalar_get_num(&n, &sqr);
651 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
652 /* test nonresidue */
653 secp256k1_scalar_mul(&sqr, &sqr, &five);
654 secp256k1_scalar_get_num(&n, &sqr);
655 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
656 /* test multiple of the order*/
657 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
659 /* check one less than the order */
660 secp256k1_scalar_set_int(&small, 1);
661 secp256k1_scalar_get_num(&n, &small);
662 secp256k1_num_sub(&n, &order, &n);
663 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
666 void run_num_smalltests(void) {
668 for (i = 0; i < 100*count; i++) {
677 /***** SCALAR TESTS *****/
679 void scalar_test(void) {
684 secp256k1_num snum, s1num, s2num;
685 secp256k1_num order, half_order;
689 /* Set 's' to a random scalar, with value 'snum'. */
690 random_scalar_order_test(&s);
692 /* Set 's1' to a random scalar, with value 's1num'. */
693 random_scalar_order_test(&s1);
695 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
696 random_scalar_order_test(&s2);
697 secp256k1_scalar_get_b32(c, &s2);
700 secp256k1_scalar_get_num(&snum, &s);
701 secp256k1_scalar_get_num(&s1num, &s1);
702 secp256k1_scalar_get_num(&s2num, &s2);
704 secp256k1_scalar_order_get_num(&order);
706 secp256k1_num_shift(&half_order, 1);
711 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
713 secp256k1_scalar_set_int(&n, 0);
714 for (i = 0; i < 256; i += 4) {
717 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
718 for (j = 0; j < 4; j++) {
719 secp256k1_scalar_add(&n, &n, &n);
721 secp256k1_scalar_add(&n, &n, &t);
723 CHECK(secp256k1_scalar_eq(&n, &s));
727 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
730 secp256k1_scalar_set_int(&n, 0);
734 int now = secp256k1_rand_int(15) + 1;
738 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
739 for (j = 0; j < now; j++) {
740 secp256k1_scalar_add(&n, &n, &n);
742 secp256k1_scalar_add(&n, &n, &t);
745 CHECK(secp256k1_scalar_eq(&n, &s));
750 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
754 secp256k1_num_add(&rnum, &snum, &s2num);
755 secp256k1_num_mod(&rnum, &order);
756 secp256k1_scalar_add(&r, &s, &s2);
757 secp256k1_scalar_get_num(&r2num, &r);
758 CHECK(secp256k1_num_eq(&rnum, &r2num));
762 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
766 secp256k1_num_mul(&rnum, &snum, &s2num);
767 secp256k1_num_mod(&rnum, &order);
768 secp256k1_scalar_mul(&r, &s, &s2);
769 secp256k1_scalar_get_num(&r2num, &r);
770 CHECK(secp256k1_num_eq(&rnum, &r2num));
771 /* The result can only be zero if at least one of the factors was zero. */
772 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
773 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
774 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
775 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
779 secp256k1_scalar neg;
780 secp256k1_num negnum;
781 secp256k1_num negnum2;
782 /* Check that comparison with zero matches comparison with zero on the number. */
783 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
784 /* Check that comparison with the half order is equal to testing for high scalar. */
785 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
786 secp256k1_scalar_negate(&neg, &s);
787 secp256k1_num_sub(&negnum, &order, &snum);
788 secp256k1_num_mod(&negnum, &order);
789 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
790 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
791 /* Negating should change the high property, unless the value was already zero. */
792 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
793 secp256k1_scalar_get_num(&negnum2, &neg);
794 /* Negating a scalar should be equal to (order - n) mod order on the number. */
795 CHECK(secp256k1_num_eq(&negnum, &negnum2));
796 secp256k1_scalar_add(&neg, &neg, &s);
797 /* Adding a number to its negation should result in zero. */
798 CHECK(secp256k1_scalar_is_zero(&neg));
799 secp256k1_scalar_negate(&neg, &neg);
800 /* Negating zero should still result in zero. */
801 CHECK(secp256k1_scalar_is_zero(&neg));
805 /* Test secp256k1_scalar_mul_shift_var. */
810 unsigned char cone[1] = {0x01};
811 unsigned int shift = 256 + secp256k1_rand_int(257);
812 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
813 secp256k1_num_mul(&rnum, &s1num, &s2num);
814 secp256k1_num_shift(&rnum, shift - 1);
815 secp256k1_num_set_bin(&one, cone, 1);
816 secp256k1_num_add(&rnum, &rnum, &one);
817 secp256k1_num_shift(&rnum, 1);
818 secp256k1_scalar_get_num(&rnum2, &r);
819 CHECK(secp256k1_num_eq(&rnum, &rnum2));
823 /* test secp256k1_scalar_shr_int */
826 random_scalar_order_test(&r);
827 for (i = 0; i < 100; ++i) {
829 int shift = 1 + secp256k1_rand_int(15);
830 int expected = r.d[0] % (1 << shift);
831 low = secp256k1_scalar_shr_int(&r, shift);
832 CHECK(expected == low);
838 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
839 if (!secp256k1_scalar_is_zero(&s)) {
840 secp256k1_scalar inv;
842 secp256k1_num invnum;
843 secp256k1_num invnum2;
845 secp256k1_scalar_inverse(&inv, &s);
847 secp256k1_num_mod_inverse(&invnum, &snum, &order);
848 secp256k1_scalar_get_num(&invnum2, &inv);
849 CHECK(secp256k1_num_eq(&invnum, &invnum2));
851 secp256k1_scalar_mul(&inv, &inv, &s);
852 /* Multiplying a scalar with its inverse must result in one. */
853 CHECK(secp256k1_scalar_is_one(&inv));
854 secp256k1_scalar_inverse(&inv, &inv);
855 /* Inverting one must result in one. */
856 CHECK(secp256k1_scalar_is_one(&inv));
858 secp256k1_scalar_get_num(&invnum, &inv);
859 CHECK(secp256k1_num_is_one(&invnum));
865 /* Test commutativity of add. */
866 secp256k1_scalar r1, r2;
867 secp256k1_scalar_add(&r1, &s1, &s2);
868 secp256k1_scalar_add(&r2, &s2, &s1);
869 CHECK(secp256k1_scalar_eq(&r1, &r2));
873 secp256k1_scalar r1, r2;
877 int bit = secp256k1_rand_bits(8);
878 secp256k1_scalar_set_int(&b, 1);
879 CHECK(secp256k1_scalar_is_one(&b));
880 for (i = 0; i < bit; i++) {
881 secp256k1_scalar_add(&b, &b, &b);
885 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
886 /* No overflow happened. */
887 secp256k1_scalar_cadd_bit(&r2, bit, 1);
888 CHECK(secp256k1_scalar_eq(&r1, &r2));
889 /* cadd is a noop when flag is zero */
890 secp256k1_scalar_cadd_bit(&r2, bit, 0);
891 CHECK(secp256k1_scalar_eq(&r1, &r2));
896 /* Test commutativity of mul. */
897 secp256k1_scalar r1, r2;
898 secp256k1_scalar_mul(&r1, &s1, &s2);
899 secp256k1_scalar_mul(&r2, &s2, &s1);
900 CHECK(secp256k1_scalar_eq(&r1, &r2));
904 /* Test associativity of add. */
905 secp256k1_scalar r1, r2;
906 secp256k1_scalar_add(&r1, &s1, &s2);
907 secp256k1_scalar_add(&r1, &r1, &s);
908 secp256k1_scalar_add(&r2, &s2, &s);
909 secp256k1_scalar_add(&r2, &s1, &r2);
910 CHECK(secp256k1_scalar_eq(&r1, &r2));
914 /* Test associativity of mul. */
915 secp256k1_scalar r1, r2;
916 secp256k1_scalar_mul(&r1, &s1, &s2);
917 secp256k1_scalar_mul(&r1, &r1, &s);
918 secp256k1_scalar_mul(&r2, &s2, &s);
919 secp256k1_scalar_mul(&r2, &s1, &r2);
920 CHECK(secp256k1_scalar_eq(&r1, &r2));
924 /* Test distributitivity of mul over add. */
925 secp256k1_scalar r1, r2, t;
926 secp256k1_scalar_add(&r1, &s1, &s2);
927 secp256k1_scalar_mul(&r1, &r1, &s);
928 secp256k1_scalar_mul(&r2, &s1, &s);
929 secp256k1_scalar_mul(&t, &s2, &s);
930 secp256k1_scalar_add(&r2, &r2, &t);
931 CHECK(secp256k1_scalar_eq(&r1, &r2));
936 secp256k1_scalar r1, r2;
937 secp256k1_scalar_sqr(&r1, &s1);
938 secp256k1_scalar_mul(&r2, &s1, &s1);
939 CHECK(secp256k1_scalar_eq(&r1, &r2));
943 /* Test multiplicative identity. */
944 secp256k1_scalar r1, v1;
945 secp256k1_scalar_set_int(&v1,1);
946 secp256k1_scalar_mul(&r1, &s1, &v1);
947 CHECK(secp256k1_scalar_eq(&r1, &s1));
951 /* Test additive identity. */
952 secp256k1_scalar r1, v0;
953 secp256k1_scalar_set_int(&v0,0);
954 secp256k1_scalar_add(&r1, &s1, &v0);
955 CHECK(secp256k1_scalar_eq(&r1, &s1));
959 /* Test zero product property. */
960 secp256k1_scalar r1, v0;
961 secp256k1_scalar_set_int(&v0,0);
962 secp256k1_scalar_mul(&r1, &s1, &v0);
963 CHECK(secp256k1_scalar_eq(&r1, &v0));
968 void run_scalar_tests(void) {
970 for (i = 0; i < 128 * count; i++) {
975 /* (-1)+1 should be zero. */
976 secp256k1_scalar s, o;
977 secp256k1_scalar_set_int(&s, 1);
978 CHECK(secp256k1_scalar_is_one(&s));
979 secp256k1_scalar_negate(&o, &s);
980 secp256k1_scalar_add(&o, &o, &s);
981 CHECK(secp256k1_scalar_is_zero(&o));
982 secp256k1_scalar_negate(&o, &o);
983 CHECK(secp256k1_scalar_is_zero(&o));
988 /* A scalar with value of the curve order should be 0. */
990 secp256k1_scalar zero;
991 unsigned char bin[32];
993 secp256k1_scalar_order_get_num(&order);
994 secp256k1_num_get_bin(bin, 32, &order);
995 secp256k1_scalar_set_b32(&zero, bin, &overflow);
996 CHECK(overflow == 1);
997 CHECK(secp256k1_scalar_is_zero(&zero));
1002 /* Does check_overflow check catch all ones? */
1003 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1004 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1005 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1007 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1011 /* Static test vectors.
1012 * These were reduced from ~10^12 random vectors based on comparison-decision
1013 * and edge-case coverage on 32-bit and 64-bit implementations.
1014 * The responses were generated with Sage 5.9.
1019 secp256k1_scalar zz;
1020 secp256k1_scalar one;
1021 secp256k1_scalar r1;
1022 secp256k1_scalar r2;
1023 #if defined(USE_SCALAR_INV_NUM)
1024 secp256k1_scalar zzv;
1027 unsigned char chal[33][2][32] = {
1028 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1029 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1030 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1031 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1032 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1034 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1035 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1036 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1037 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1040 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1042 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1043 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1044 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1045 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1046 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1047 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1048 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1049 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1051 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1052 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1054 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1055 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1056 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1057 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1058 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1059 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1060 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1061 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1062 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1063 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1064 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1065 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1066 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1067 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1068 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1069 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1070 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1071 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1072 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1073 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1074 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1075 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1076 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1077 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1078 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1079 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1080 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1081 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1084 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1085 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1086 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1088 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1089 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1090 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1092 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1093 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1095 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1096 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1097 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1100 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1103 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1104 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1105 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1106 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1107 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1108 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1109 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1110 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1111 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1112 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1115 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1116 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1118 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1119 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1120 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1121 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1122 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1124 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1125 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1127 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1128 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1129 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1130 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1131 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1132 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1133 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1134 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1135 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1136 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1137 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1140 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1141 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1143 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1148 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1151 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1152 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1153 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1154 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1155 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1156 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1157 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1159 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1160 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1164 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1168 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1169 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1171 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1172 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1173 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1174 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1175 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1176 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1178 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1179 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1180 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1181 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1182 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1184 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1185 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1186 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1188 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1192 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1194 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1195 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1196 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1200 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1204 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1208 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1212 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1213 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1214 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1216 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1217 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1220 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1221 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1224 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1228 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1230 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1231 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1238 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1239 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1240 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1241 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1242 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1243 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1244 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1246 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1247 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1248 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1249 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1250 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1251 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1252 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1253 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1256 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1258 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1259 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1260 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1261 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1262 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1264 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1265 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1266 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1267 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1271 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1272 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1273 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1274 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1275 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1276 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1277 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1278 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1279 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1280 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1281 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1282 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1283 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1284 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1288 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1289 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1290 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1291 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1293 unsigned char res[33][2][32] = {
1294 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1295 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1296 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1297 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1298 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1299 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1300 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1301 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1302 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1303 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1304 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1305 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1306 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1307 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1308 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1309 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1310 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1311 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1312 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1313 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1314 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1315 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1316 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1317 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1318 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1319 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1320 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1321 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1322 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1323 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1324 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1325 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1326 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1327 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1328 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1329 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1330 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1331 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1332 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1333 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1334 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1335 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1336 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1337 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1338 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1339 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1340 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1341 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1342 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1343 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1344 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1345 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1346 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1347 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1348 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1349 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1350 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1351 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1352 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1353 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1354 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1355 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1356 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1357 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1358 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1359 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1360 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1361 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1362 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1363 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1364 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1365 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1366 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1367 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1368 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1369 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1370 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1371 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1372 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1373 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1374 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1375 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1376 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1377 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1378 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1379 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1380 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1381 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1382 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1383 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1384 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1385 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1386 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1387 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1388 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1389 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1390 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1391 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1392 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1393 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1394 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1395 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1396 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1397 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1398 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1399 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1400 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1401 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1402 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1403 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1404 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1405 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1406 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1407 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1408 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1409 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1410 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1411 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1412 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1413 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1414 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1415 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1416 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1417 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1418 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1419 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1420 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1421 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1422 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1423 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1424 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1425 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1426 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1427 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1428 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1429 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1430 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1431 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1432 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1433 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1434 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1435 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1436 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1437 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1438 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1439 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1440 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1441 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1442 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1443 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1444 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1445 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1446 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1447 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1448 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1449 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1450 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1451 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1452 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1453 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1454 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1458 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1462 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1466 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1467 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1470 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1474 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1475 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1476 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1477 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1478 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1479 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1480 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1481 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1482 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1483 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1484 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1485 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1486 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1488 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1489 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1490 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1491 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1492 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1493 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1494 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1496 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1497 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1498 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1502 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1503 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1504 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1505 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1506 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1507 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1508 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1509 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1510 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1511 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1512 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1513 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1514 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1515 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1516 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1517 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1518 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1519 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1520 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1521 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1522 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1523 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1524 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1525 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1526 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1527 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1528 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1529 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1530 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1531 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1532 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1533 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1534 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1535 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1536 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1537 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1538 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1539 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1540 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1541 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1542 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1543 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1544 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1545 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1546 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1547 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1548 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1549 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1550 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1554 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1555 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1556 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1557 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1559 secp256k1_scalar_set_int(&one, 1);
1560 for (i = 0; i < 33; i++) {
1561 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1563 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1565 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1567 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1569 secp256k1_scalar_mul(&z, &x, &y);
1570 CHECK(!secp256k1_scalar_check_overflow(&z));
1571 CHECK(secp256k1_scalar_eq(&r1, &z));
1572 if (!secp256k1_scalar_is_zero(&y)) {
1573 secp256k1_scalar_inverse(&zz, &y);
1574 CHECK(!secp256k1_scalar_check_overflow(&zz));
1575 #if defined(USE_SCALAR_INV_NUM)
1576 secp256k1_scalar_inverse_var(&zzv, &y);
1577 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1579 secp256k1_scalar_mul(&z, &z, &zz);
1580 CHECK(!secp256k1_scalar_check_overflow(&z));
1581 CHECK(secp256k1_scalar_eq(&x, &z));
1582 secp256k1_scalar_mul(&zz, &zz, &y);
1583 CHECK(!secp256k1_scalar_check_overflow(&zz));
1584 CHECK(secp256k1_scalar_eq(&one, &zz));
1586 secp256k1_scalar_mul(&z, &x, &x);
1587 CHECK(!secp256k1_scalar_check_overflow(&z));
1588 secp256k1_scalar_sqr(&zz, &x);
1589 CHECK(!secp256k1_scalar_check_overflow(&zz));
1590 CHECK(secp256k1_scalar_eq(&zz, &z));
1591 CHECK(secp256k1_scalar_eq(&r2, &zz));
1596 /***** FIELD TESTS *****/
1598 void random_fe(secp256k1_fe *x) {
1599 unsigned char bin[32];
1601 secp256k1_rand256(bin);
1602 if (secp256k1_fe_set_b32(x, bin)) {
1608 void random_fe_test(secp256k1_fe *x) {
1609 unsigned char bin[32];
1611 secp256k1_rand256_test(bin);
1612 if (secp256k1_fe_set_b32(x, bin)) {
1618 void random_fe_non_zero(secp256k1_fe *nz) {
1620 while (--tries >= 0) {
1622 secp256k1_fe_normalize(nz);
1623 if (!secp256k1_fe_is_zero(nz)) {
1627 /* Infinitesimal probability of spurious failure here */
1631 void random_fe_non_square(secp256k1_fe *ns) {
1633 random_fe_non_zero(ns);
1634 if (secp256k1_fe_sqrt(&r, ns)) {
1635 secp256k1_fe_negate(ns, ns, 1);
1639 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1640 secp256k1_fe an = *a;
1641 secp256k1_fe bn = *b;
1642 secp256k1_fe_normalize_weak(&an);
1643 secp256k1_fe_normalize_var(&bn);
1644 return secp256k1_fe_equal_var(&an, &bn);
1647 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1649 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1650 secp256k1_fe_mul(&x, a, ai);
1651 return check_fe_equal(&x, &one);
1654 void run_field_convert(void) {
1655 static const unsigned char b32[32] = {
1656 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1658 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1659 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1661 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1662 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1665 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1666 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1667 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1670 unsigned char b322[32];
1671 secp256k1_fe_storage fes2;
1672 /* Check conversions to fe. */
1673 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1674 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1675 secp256k1_fe_from_storage(&fe2, &fes);
1676 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1677 /* Check conversion from fe. */
1678 secp256k1_fe_get_b32(b322, &fe);
1679 CHECK(memcmp(b322, b32, 32) == 0);
1680 secp256k1_fe_to_storage(&fes2, &fe);
1681 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1684 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1685 secp256k1_fe t = *b;
1687 t.magnitude = a->magnitude;
1688 t.normalized = a->normalized;
1690 return memcmp(a, &t, sizeof(secp256k1_fe));
1693 void run_field_misc(void) {
1698 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1700 for (i = 0; i < 5*count; i++) {
1701 secp256k1_fe_storage xs, ys, zs;
1703 random_fe_non_zero(&y);
1704 /* Test the fe equality and comparison operations. */
1705 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1706 CHECK(secp256k1_fe_equal_var(&x, &x));
1708 secp256k1_fe_add(&z,&y);
1709 /* Test fe conditional move; z is not normalized here. */
1711 secp256k1_fe_cmov(&x, &z, 0);
1712 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1713 secp256k1_fe_cmov(&x, &x, 1);
1714 CHECK(fe_memcmp(&x, &z) != 0);
1715 CHECK(fe_memcmp(&x, &q) == 0);
1716 secp256k1_fe_cmov(&q, &z, 1);
1717 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1718 CHECK(fe_memcmp(&q, &z) == 0);
1719 secp256k1_fe_normalize_var(&x);
1720 secp256k1_fe_normalize_var(&z);
1721 CHECK(!secp256k1_fe_equal_var(&x, &z));
1722 secp256k1_fe_normalize_var(&q);
1723 secp256k1_fe_cmov(&q, &z, (i&1));
1724 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1725 for (j = 0; j < 6; j++) {
1726 secp256k1_fe_negate(&z, &z, j+1);
1727 secp256k1_fe_normalize_var(&q);
1728 secp256k1_fe_cmov(&q, &z, (j&1));
1729 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1731 secp256k1_fe_normalize_var(&z);
1732 /* Test storage conversion and conditional moves. */
1733 secp256k1_fe_to_storage(&xs, &x);
1734 secp256k1_fe_to_storage(&ys, &y);
1735 secp256k1_fe_to_storage(&zs, &z);
1736 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1737 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1738 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1739 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1740 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1741 secp256k1_fe_from_storage(&x, &xs);
1742 secp256k1_fe_from_storage(&y, &ys);
1743 secp256k1_fe_from_storage(&z, &zs);
1744 /* Test that mul_int, mul, and add agree. */
1745 secp256k1_fe_add(&y, &x);
1746 secp256k1_fe_add(&y, &x);
1748 secp256k1_fe_mul_int(&z, 3);
1749 CHECK(check_fe_equal(&y, &z));
1750 secp256k1_fe_add(&y, &x);
1751 secp256k1_fe_add(&z, &x);
1752 CHECK(check_fe_equal(&z, &y));
1754 secp256k1_fe_mul_int(&z, 5);
1755 secp256k1_fe_mul(&q, &x, &fe5);
1756 CHECK(check_fe_equal(&z, &q));
1757 secp256k1_fe_negate(&x, &x, 1);
1758 secp256k1_fe_add(&z, &x);
1759 secp256k1_fe_add(&q, &x);
1760 CHECK(check_fe_equal(&y, &z));
1761 CHECK(check_fe_equal(&q, &y));
1765 void run_field_inv(void) {
1766 secp256k1_fe x, xi, xii;
1768 for (i = 0; i < 10*count; i++) {
1769 random_fe_non_zero(&x);
1770 secp256k1_fe_inv(&xi, &x);
1771 CHECK(check_fe_inverse(&x, &xi));
1772 secp256k1_fe_inv(&xii, &xi);
1773 CHECK(check_fe_equal(&x, &xii));
1777 void run_field_inv_var(void) {
1778 secp256k1_fe x, xi, xii;
1780 for (i = 0; i < 10*count; i++) {
1781 random_fe_non_zero(&x);
1782 secp256k1_fe_inv_var(&xi, &x);
1783 CHECK(check_fe_inverse(&x, &xi));
1784 secp256k1_fe_inv_var(&xii, &xi);
1785 CHECK(check_fe_equal(&x, &xii));
1789 void run_field_inv_all_var(void) {
1790 secp256k1_fe x[16], xi[16], xii[16];
1792 /* Check it's safe to call for 0 elements */
1793 secp256k1_fe_inv_all_var(xi, x, 0);
1794 for (i = 0; i < count; i++) {
1796 size_t len = secp256k1_rand_int(15) + 1;
1797 for (j = 0; j < len; j++) {
1798 random_fe_non_zero(&x[j]);
1800 secp256k1_fe_inv_all_var(xi, x, len);
1801 for (j = 0; j < len; j++) {
1802 CHECK(check_fe_inverse(&x[j], &xi[j]));
1804 secp256k1_fe_inv_all_var(xii, xi, len);
1805 for (j = 0; j < len; j++) {
1806 CHECK(check_fe_equal(&x[j], &xii[j]));
1811 void run_sqr(void) {
1816 secp256k1_fe_set_int(&x, 1);
1817 secp256k1_fe_negate(&x, &x, 1);
1819 for (i = 1; i <= 512; ++i) {
1820 secp256k1_fe_mul_int(&x, 2);
1821 secp256k1_fe_normalize(&x);
1822 secp256k1_fe_sqr(&s, &x);
1827 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1828 secp256k1_fe r1, r2;
1829 int v = secp256k1_fe_sqrt(&r1, a);
1830 CHECK((v == 0) == (k == NULL));
1833 /* Check that the returned root is +/- the given known answer */
1834 secp256k1_fe_negate(&r2, &r1, 1);
1835 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1836 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1837 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1841 void run_sqrt(void) {
1842 secp256k1_fe ns, x, s, t;
1845 /* Check sqrt(0) is 0 */
1846 secp256k1_fe_set_int(&x, 0);
1847 secp256k1_fe_sqr(&s, &x);
1850 /* Check sqrt of small squares (and their negatives) */
1851 for (i = 1; i <= 100; i++) {
1852 secp256k1_fe_set_int(&x, i);
1853 secp256k1_fe_sqr(&s, &x);
1855 secp256k1_fe_negate(&t, &s, 1);
1856 test_sqrt(&t, NULL);
1859 /* Consistency checks for large random values */
1860 for (i = 0; i < 10; i++) {
1862 random_fe_non_square(&ns);
1863 for (j = 0; j < count; j++) {
1865 secp256k1_fe_sqr(&s, &x);
1867 secp256k1_fe_negate(&t, &s, 1);
1868 test_sqrt(&t, NULL);
1869 secp256k1_fe_mul(&t, &s, &ns);
1870 test_sqrt(&t, NULL);
1875 /***** GROUP TESTS *****/
1877 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1878 CHECK(a->infinity == b->infinity);
1882 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1883 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1886 /* This compares jacobian points including their Z, not just their geometric meaning. */
1887 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1891 ret &= a->infinity == b->infinity;
1892 if (ret && !a->infinity) {
1895 secp256k1_fe_normalize(&a2.x);
1896 secp256k1_fe_normalize(&a2.y);
1897 secp256k1_fe_normalize(&a2.z);
1898 secp256k1_fe_normalize(&b2.x);
1899 secp256k1_fe_normalize(&b2.y);
1900 secp256k1_fe_normalize(&b2.z);
1901 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1902 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1903 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1908 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1910 secp256k1_fe u1, u2, s1, s2;
1911 CHECK(a->infinity == b->infinity);
1915 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1916 secp256k1_fe_sqr(&z2s, &b->z);
1917 secp256k1_fe_mul(&u1, &a->x, &z2s);
1918 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1919 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1920 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1921 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1922 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1925 void test_ge(void) {
1927 #ifdef USE_ENDOMORPHISM
1932 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1933 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1934 * All magnitudes are randomized.
1935 * All 17*17 combinations of points are added to each other, using all applicable methods.
1937 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1939 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1940 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1941 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1943 secp256k1_fe zfi2, zfi3;
1945 secp256k1_gej_set_infinity(&gej[0]);
1946 secp256k1_ge_clear(&ge[0]);
1947 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1948 for (i = 0; i < runs; i++) {
1951 random_group_element_test(&g);
1952 #ifdef USE_ENDOMORPHISM
1953 if (i >= runs - 2) {
1954 secp256k1_ge_mul_lambda(&g, &ge[1]);
1956 if (i >= runs - 1) {
1957 secp256k1_ge_mul_lambda(&g, &g);
1962 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1963 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1964 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1965 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1966 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1967 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1968 for (j = 0; j < 4; j++) {
1969 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1970 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1971 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1972 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1973 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1977 /* Compute z inverses. */
1979 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1980 for (i = 0; i < 4 * runs + 1; i++) {
1982 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1984 random_field_element_test(&zs[i]);
1985 } while(secp256k1_fe_is_zero(&zs[i]));
1990 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1994 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1996 random_field_element_test(&zf);
1997 } while(secp256k1_fe_is_zero(&zf));
1998 random_field_element_magnitude(&zf);
1999 secp256k1_fe_inv_var(&zfi3, &zf);
2000 secp256k1_fe_sqr(&zfi2, &zfi3);
2001 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2003 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2005 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2006 /* Compute reference result using gej + gej (var). */
2007 secp256k1_gej refj, resj;
2010 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2011 /* Check Z ratio. */
2012 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2013 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2014 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2016 secp256k1_ge_set_gej_var(&ref, &refj);
2018 /* Test gej + ge with Z ratio result (var). */
2019 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2020 ge_equals_gej(&ref, &resj);
2021 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2022 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2023 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2026 /* Test gej + ge (var, with additional Z factor). */
2028 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2029 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2030 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2031 random_field_element_magnitude(&ge2_zfi.x);
2032 random_field_element_magnitude(&ge2_zfi.y);
2033 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2034 ge_equals_gej(&ref, &resj);
2037 /* Test gej + ge (const). */
2039 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2040 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2041 ge_equals_gej(&ref, &resj);
2044 /* Test doubling (var). */
2045 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2047 /* Normal doubling with Z ratio result. */
2048 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2049 ge_equals_gej(&ref, &resj);
2050 /* Check Z ratio. */
2051 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2052 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2053 /* Normal doubling. */
2054 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2055 ge_equals_gej(&ref, &resj);
2058 /* Test adding opposites. */
2059 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2060 CHECK(secp256k1_ge_is_infinity(&ref));
2063 /* Test adding infinity. */
2065 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2066 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2067 ge_equals_gej(&ref, &gej[i2]);
2070 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2071 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2072 ge_equals_gej(&ref, &gej[i1]);
2077 /* Test adding all points together in random order equals infinity. */
2079 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2080 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2081 for (i = 0; i < 4 * runs + 1; i++) {
2082 gej_shuffled[i] = gej[i];
2084 for (i = 0; i < 4 * runs + 1; i++) {
2085 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2087 secp256k1_gej t = gej_shuffled[i];
2088 gej_shuffled[i] = gej_shuffled[swap];
2089 gej_shuffled[swap] = t;
2092 for (i = 0; i < 4 * runs + 1; i++) {
2093 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2095 CHECK(secp256k1_gej_is_infinity(&sum));
2099 /* Test batch gej -> ge conversion with and without known z ratios. */
2101 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2102 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2103 for (i = 0; i < 4 * runs + 1; i++) {
2104 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2106 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2109 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2110 for (i = 0; i < 4 * runs + 1; i++) {
2112 random_fe_non_zero(&s);
2113 secp256k1_gej_rescale(&gej[i], &s);
2114 ge_equals_gej(&ge_set_all[i], &gej[i]);
2120 /* Test batch gej -> ge conversion with many infinities. */
2121 for (i = 0; i < 4 * runs + 1; i++) {
2122 random_group_element_test(&ge[i]);
2123 /* randomly set half the points to infinitiy */
2124 if(secp256k1_fe_is_odd(&ge[i].x)) {
2125 secp256k1_ge_set_infinity(&ge[i]);
2127 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2130 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2132 for (i = 0; i < 4 * runs + 1; i++) {
2133 ge_equals_gej(&ge[i], &gej[i]);
2141 void test_add_neg_y_diff_x(void) {
2142 /* The point of this test is to check that we can add two points
2143 * whose y-coordinates are negatives of each other but whose x
2144 * coordinates differ. If the x-coordinates were the same, these
2145 * points would be negatives of each other and their sum is
2146 * infinity. This is cool because it "covers up" any degeneracy
2147 * in the addition algorithm that would cause the xy coordinates
2148 * of the sum to be wrong (since infinity has no xy coordinates).
2149 * HOWEVER, if the x-coordinates are different, infinity is the
2150 * wrong answer, and such degeneracies are exposed. This is the
2151 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2152 * which this test is a regression test for.
2154 * These points were generated in sage as
2155 * # secp256k1 params
2156 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2157 * C = EllipticCurve ([F (0), F (7)])
2158 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2159 * N = FiniteField(G.order())
2161 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2163 * lam = (1 - x^3).roots()[1][0]
2165 * # random "bad pair"
2166 * P = C.random_element()
2168 * print " P: %x %x" % P.xy()
2169 * print " Q: %x %x" % Q.xy()
2170 * print "P + Q: %x %x" % (P + Q).xy()
2172 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2173 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2174 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2175 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2176 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2178 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2179 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2180 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2181 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2182 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2184 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2185 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2186 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2187 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2188 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2193 secp256k1_ge_set_gej(&b, &bj);
2195 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2196 secp256k1_ge_set_gej(&res, &resj);
2197 ge_equals_gej(&res, &sumj);
2199 secp256k1_gej_add_ge(&resj, &aj, &b);
2200 secp256k1_ge_set_gej(&res, &resj);
2201 ge_equals_gej(&res, &sumj);
2203 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2204 secp256k1_ge_set_gej(&res, &resj);
2205 ge_equals_gej(&res, &sumj);
2210 for (i = 0; i < count * 32; i++) {
2213 test_add_neg_y_diff_x();
2216 void test_ec_combine(void) {
2217 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2218 secp256k1_pubkey data[6];
2219 const secp256k1_pubkey* d[6];
2220 secp256k1_pubkey sd;
2221 secp256k1_pubkey sd2;
2225 for (i = 1; i <= 6; i++) {
2227 random_scalar_order_test(&s);
2228 secp256k1_scalar_add(&sum, &sum, &s);
2229 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2230 secp256k1_ge_set_gej(&Q, &Qj);
2231 secp256k1_pubkey_save(&data[i - 1], &Q);
2232 d[i - 1] = &data[i - 1];
2233 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2234 secp256k1_ge_set_gej(&Q, &Qj);
2235 secp256k1_pubkey_save(&sd, &Q);
2236 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2237 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2241 void run_ec_combine(void) {
2243 for (i = 0; i < count * 8; i++) {
2248 void test_group_decompress(const secp256k1_fe* x) {
2249 /* The input itself, normalized. */
2250 secp256k1_fe fex = *x;
2252 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2253 secp256k1_ge ge_quad, ge_even, ge_odd;
2254 secp256k1_gej gej_quad;
2255 /* Return values of the above calls. */
2256 int res_quad, res_even, res_odd;
2258 secp256k1_fe_normalize_var(&fex);
2260 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2261 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2262 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2264 CHECK(res_quad == res_even);
2265 CHECK(res_quad == res_odd);
2268 secp256k1_fe_normalize_var(&ge_quad.x);
2269 secp256k1_fe_normalize_var(&ge_odd.x);
2270 secp256k1_fe_normalize_var(&ge_even.x);
2271 secp256k1_fe_normalize_var(&ge_quad.y);
2272 secp256k1_fe_normalize_var(&ge_odd.y);
2273 secp256k1_fe_normalize_var(&ge_even.y);
2275 /* No infinity allowed. */
2276 CHECK(!ge_quad.infinity);
2277 CHECK(!ge_even.infinity);
2278 CHECK(!ge_odd.infinity);
2280 /* Check that the x coordinates check out. */
2281 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2282 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2283 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2285 /* Check that the Y coordinate result in ge_quad is a square. */
2286 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2288 /* Check odd/even Y in ge_odd, ge_even. */
2289 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2290 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2292 /* Check secp256k1_gej_has_quad_y_var. */
2293 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2294 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2296 random_fe_test(&fez);
2297 } while (secp256k1_fe_is_zero(&fez));
2298 secp256k1_gej_rescale(&gej_quad, &fez);
2299 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2300 secp256k1_gej_neg(&gej_quad, &gej_quad);
2301 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2303 random_fe_test(&fez);
2304 } while (secp256k1_fe_is_zero(&fez));
2305 secp256k1_gej_rescale(&gej_quad, &fez);
2306 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2307 secp256k1_gej_neg(&gej_quad, &gej_quad);
2308 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2312 void run_group_decompress(void) {
2314 for (i = 0; i < count * 4; i++) {
2316 random_fe_test(&fe);
2317 test_group_decompress(&fe);
2321 /***** ECMULT TESTS *****/
2323 void run_ecmult_chain(void) {
2324 /* random starting point A (on the curve) */
2325 secp256k1_gej a = SECP256K1_GEJ_CONST(
2326 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2327 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2328 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2329 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2331 /* two random initial factors xn and gn */
2332 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2333 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2334 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2336 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2337 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2338 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2340 /* two small multipliers to be applied to xn and gn in every iteration: */
2341 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2342 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2343 /* accumulators with the resulting coefficients to A and G */
2344 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2345 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2351 /* the point being computed */
2353 for (i = 0; i < 200*count; i++) {
2354 /* in each iteration, compute X = xn*X + gn*G; */
2355 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2356 /* also compute ae and ge: the actual accumulated factors for A and G */
2357 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2358 secp256k1_scalar_mul(&ae, &ae, &xn);
2359 secp256k1_scalar_mul(&ge, &ge, &xn);
2360 secp256k1_scalar_add(&ge, &ge, &gn);
2361 /* modify xn and gn */
2362 secp256k1_scalar_mul(&xn, &xn, &xf);
2363 secp256k1_scalar_mul(&gn, &gn, &gf);
2367 /* expected result after 19999 iterations */
2368 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2369 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2370 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2371 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2372 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2375 secp256k1_gej_neg(&rp, &rp);
2376 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2377 CHECK(secp256k1_gej_is_infinity(&rp));
2380 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2381 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2382 secp256k1_gej_neg(&x2, &x2);
2383 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2384 CHECK(secp256k1_gej_is_infinity(&x2));
2387 void test_point_times_order(const secp256k1_gej *point) {
2388 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2390 secp256k1_scalar nx;
2391 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2392 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2393 secp256k1_gej res1, res2;
2395 unsigned char pub[65];
2397 random_scalar_order_test(&x);
2398 secp256k1_scalar_negate(&nx, &x);
2399 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2400 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2401 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2402 CHECK(secp256k1_gej_is_infinity(&res1));
2403 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2404 secp256k1_ge_set_gej(&res3, &res1);
2405 CHECK(secp256k1_ge_is_infinity(&res3));
2406 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2407 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2409 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2410 /* check zero/one edge cases */
2411 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2412 secp256k1_ge_set_gej(&res3, &res1);
2413 CHECK(secp256k1_ge_is_infinity(&res3));
2414 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2415 secp256k1_ge_set_gej(&res3, &res1);
2416 ge_equals_gej(&res3, point);
2417 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2418 secp256k1_ge_set_gej(&res3, &res1);
2419 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2422 void run_point_times_order(void) {
2424 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2425 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2426 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2427 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2429 for (i = 0; i < 500; i++) {
2431 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2433 CHECK(secp256k1_ge_is_valid_var(&p));
2434 secp256k1_gej_set_ge(&j, &p);
2435 CHECK(secp256k1_gej_is_valid_var(&j));
2436 test_point_times_order(&j);
2438 secp256k1_fe_sqr(&x, &x);
2440 secp256k1_fe_normalize_var(&x);
2441 CHECK(secp256k1_fe_equal_var(&x, &xr));
2444 void ecmult_const_random_mult(void) {
2445 /* random starting point A (on the curve) */
2446 secp256k1_ge a = SECP256K1_GE_CONST(
2447 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2448 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2449 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2450 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2452 /* random initial factor xn */
2453 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2454 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2455 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2457 /* expected xn * A (from sage) */
2458 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2459 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2460 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2461 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2462 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2465 secp256k1_ecmult_const(&b, &a, &xn, 256);
2467 CHECK(secp256k1_ge_is_valid_var(&a));
2468 ge_equals_gej(&expected_b, &b);
2471 void ecmult_const_commutativity(void) {
2478 random_scalar_order_test(&a);
2479 random_scalar_order_test(&b);
2481 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2482 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2483 secp256k1_ge_set_gej(&mid1, &res1);
2484 secp256k1_ge_set_gej(&mid2, &res2);
2485 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2486 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2487 secp256k1_ge_set_gej(&mid1, &res1);
2488 secp256k1_ge_set_gej(&mid2, &res2);
2489 ge_equals_ge(&mid1, &mid2);
2492 void ecmult_const_mult_zero_one(void) {
2493 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2494 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2495 secp256k1_scalar negone;
2499 secp256k1_scalar_negate(&negone, &one);
2501 random_group_element_test(&point);
2502 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2503 secp256k1_ge_set_gej(&res2, &res1);
2504 CHECK(secp256k1_ge_is_infinity(&res2));
2505 secp256k1_ecmult_const(&res1, &point, &one, 2);
2506 secp256k1_ge_set_gej(&res2, &res1);
2507 ge_equals_ge(&res2, &point);
2508 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2509 secp256k1_gej_neg(&res1, &res1);
2510 secp256k1_ge_set_gej(&res2, &res1);
2511 ge_equals_ge(&res2, &point);
2514 void ecmult_const_chain_multiply(void) {
2515 /* Check known result (randomly generated test problem from sage) */
2516 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2517 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2518 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2520 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2521 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2522 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2523 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2524 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2526 secp256k1_gej point;
2530 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2531 for (i = 0; i < 100; ++i) {
2533 secp256k1_ge_set_gej(&tmp, &point);
2534 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2536 secp256k1_ge_set_gej(&res, &point);
2537 ge_equals_gej(&res, &expected_point);
2540 void run_ecmult_const_tests(void) {
2541 ecmult_const_mult_zero_one();
2542 ecmult_const_random_mult();
2543 ecmult_const_commutativity();
2544 ecmult_const_chain_multiply();
2548 secp256k1_scalar *sc;
2550 } ecmult_multi_data;
2552 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2553 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2554 *sc = data->sc[idx];
2555 *pt = data->pt[idx];
2559 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2567 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2569 secp256k1_scalar szero;
2570 secp256k1_scalar sc[32];
2571 secp256k1_ge pt[32];
2574 ecmult_multi_data data;
2575 secp256k1_scratch *scratch_empty;
2579 secp256k1_scalar_set_int(&szero, 0);
2581 /* No points to multiply */
2582 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2584 /* Check 1- and 2-point multiplies against ecmult */
2585 for (ncount = 0; ncount < count; ncount++) {
2588 random_scalar_order(&sc[0]);
2589 random_scalar_order(&sc[1]);
2591 random_group_element_test(&ptg);
2592 secp256k1_gej_set_ge(&ptgj, &ptg);
2594 pt[1] = secp256k1_ge_const_g;
2597 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2598 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2599 secp256k1_gej_neg(&r2, &r2);
2600 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2601 CHECK(secp256k1_gej_is_infinity(&r));
2604 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2605 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2606 secp256k1_gej_neg(&r2, &r2);
2607 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2608 CHECK(secp256k1_gej_is_infinity(&r));
2610 /* Try to multiply 1 point, but scratch space is empty */
2611 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2612 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2613 secp256k1_scratch_destroy(scratch_empty);
2615 /* Try to multiply 1 point, but callback returns false */
2616 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2619 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2620 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2621 secp256k1_gej_neg(&r2, &r2);
2622 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2623 CHECK(secp256k1_gej_is_infinity(&r));
2625 /* 2-point with G scalar */
2626 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2627 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2628 secp256k1_gej_neg(&r2, &r2);
2629 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2630 CHECK(secp256k1_gej_is_infinity(&r));
2633 /* Check infinite outputs of various forms */
2634 for (ncount = 0; ncount < count; ncount++) {
2637 size_t sizes[] = { 2, 10, 32 };
2639 for (j = 0; j < 3; j++) {
2640 for (i = 0; i < 32; i++) {
2641 random_scalar_order(&sc[i]);
2642 secp256k1_ge_set_infinity(&pt[i]);
2644 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2645 CHECK(secp256k1_gej_is_infinity(&r));
2648 for (j = 0; j < 3; j++) {
2649 for (i = 0; i < 32; i++) {
2650 random_group_element_test(&ptg);
2652 secp256k1_scalar_set_int(&sc[i], 0);
2654 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2655 CHECK(secp256k1_gej_is_infinity(&r));
2658 for (j = 0; j < 3; j++) {
2659 random_group_element_test(&ptg);
2660 for (i = 0; i < 16; i++) {
2661 random_scalar_order(&sc[2*i]);
2662 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2664 pt[2 * i + 1] = ptg;
2667 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2668 CHECK(secp256k1_gej_is_infinity(&r));
2670 random_scalar_order(&sc[0]);
2671 for (i = 0; i < 16; i++) {
2672 random_group_element_test(&ptg);
2677 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2680 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2681 CHECK(secp256k1_gej_is_infinity(&r));
2684 random_group_element_test(&ptg);
2685 secp256k1_scalar_set_int(&sc[0], 0);
2687 for (i = 1; i < 32; i++) {
2690 random_scalar_order(&sc[i]);
2691 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2692 secp256k1_scalar_negate(&sc[i], &sc[i]);
2695 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2696 CHECK(secp256k1_gej_is_infinity(&r));
2699 /* Check random points, constant scalar */
2700 for (ncount = 0; ncount < count; ncount++) {
2702 secp256k1_gej_set_infinity(&r);
2704 random_scalar_order(&sc[0]);
2705 for (i = 0; i < 20; i++) {
2708 random_group_element_test(&ptg);
2710 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2713 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2714 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2715 secp256k1_gej_neg(&r2, &r2);
2716 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2717 CHECK(secp256k1_gej_is_infinity(&r));
2720 /* Check random scalars, constant point */
2721 for (ncount = 0; ncount < count; ncount++) {
2725 secp256k1_scalar rs;
2726 secp256k1_scalar_set_int(&rs, 0);
2728 random_group_element_test(&ptg);
2729 for (i = 0; i < 20; i++) {
2730 random_scalar_order(&sc[i]);
2732 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2735 secp256k1_gej_set_ge(&p0j, &pt[0]);
2736 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2737 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2738 secp256k1_gej_neg(&r2, &r2);
2739 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2740 CHECK(secp256k1_gej_is_infinity(&r));
2743 /* Sanity check that zero scalars don't cause problems */
2744 for (ncount = 0; ncount < 20; ncount++) {
2745 random_scalar_order(&sc[ncount]);
2746 random_group_element_test(&pt[ncount]);
2749 secp256k1_scalar_clear(&sc[0]);
2750 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2751 secp256k1_scalar_clear(&sc[1]);
2752 secp256k1_scalar_clear(&sc[2]);
2753 secp256k1_scalar_clear(&sc[3]);
2754 secp256k1_scalar_clear(&sc[4]);
2755 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2756 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2757 CHECK(secp256k1_gej_is_infinity(&r));
2759 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2761 const size_t TOP = 8;
2767 random_group_element_test(&ptg);
2768 secp256k1_gej_set_ge(&ptgj, &ptg);
2770 for(t0i = 0; t0i < TOP; t0i++) {
2771 for(t1i = 0; t1i < TOP; t1i++) {
2772 secp256k1_gej t0p, t1p;
2773 secp256k1_scalar t0, t1;
2775 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2776 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2777 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2778 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2780 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2781 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2783 for(s0i = 0; s0i < TOP; s0i++) {
2784 for(s1i = 0; s1i < TOP; s1i++) {
2785 secp256k1_scalar tmp1, tmp2;
2786 secp256k1_gej expected, actual;
2788 secp256k1_ge_set_gej(&pt[0], &t0p);
2789 secp256k1_ge_set_gej(&pt[1], &t1p);
2791 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2792 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2793 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2794 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2796 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2797 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2798 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2800 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2801 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2802 secp256k1_gej_neg(&expected, &expected);
2803 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2804 CHECK(secp256k1_gej_is_infinity(&actual));
2812 void test_secp256k1_pippenger_bucket_window_inv(void) {
2815 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2816 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2817 #ifdef USE_ENDOMORPHISM
2818 /* Bucket_window of 8 is not used with endo */
2823 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2824 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2825 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2831 * Probabilistically test the function returning the maximum number of possible points
2832 * for a given scratch space.
2834 void test_ecmult_multi_pippenger_max_points(void) {
2835 size_t scratch_size = secp256k1_rand_int(256);
2836 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2837 secp256k1_scratch *scratch;
2838 size_t n_points_supported;
2839 int bucket_window = 0;
2841 for(; scratch_size < max_size; scratch_size+=256) {
2842 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2843 CHECK(scratch != NULL);
2844 n_points_supported = secp256k1_pippenger_max_points(scratch);
2845 if (n_points_supported == 0) {
2846 secp256k1_scratch_destroy(scratch);
2849 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2850 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2851 secp256k1_scratch_deallocate_frame(scratch);
2852 secp256k1_scratch_destroy(scratch);
2854 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2858 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2859 * 1 <= i <= num points.
2861 void test_ecmult_multi_batching(void) {
2862 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2863 secp256k1_scalar scG;
2864 secp256k1_scalar szero;
2865 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2866 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2869 ecmult_multi_data data;
2871 secp256k1_scratch *scratch;
2873 secp256k1_gej_set_infinity(&r2);
2874 secp256k1_scalar_set_int(&szero, 0);
2876 /* Get random scalars and group elements and compute result */
2877 random_scalar_order(&scG);
2878 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2879 for(i = 0; i < n_points; i++) {
2882 random_group_element_test(&ptg);
2883 secp256k1_gej_set_ge(&ptgj, &ptg);
2885 random_scalar_order(&sc[i]);
2886 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2887 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2892 /* Test with empty scratch space */
2893 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2894 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2895 secp256k1_scratch_destroy(scratch);
2897 /* Test with space for 1 point in pippenger. That's not enough because
2898 * ecmult_multi selects strauss which requires more memory. */
2899 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2900 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2901 secp256k1_scratch_destroy(scratch);
2903 secp256k1_gej_neg(&r2, &r2);
2904 for(i = 1; i <= n_points; i++) {
2905 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2906 int bucket_window = secp256k1_pippenger_bucket_window(i);
2907 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2908 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2910 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2911 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2913 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2914 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2915 CHECK(secp256k1_gej_is_infinity(&r));
2916 secp256k1_scratch_destroy(scratch);
2922 void run_ecmult_multi_tests(void) {
2923 secp256k1_scratch *scratch;
2925 test_secp256k1_pippenger_bucket_window_inv();
2926 test_ecmult_multi_pippenger_max_points();
2927 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2928 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2929 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2930 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2931 secp256k1_scratch_destroy(scratch);
2933 /* Run test_ecmult_multi with space for exactly one point */
2934 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2935 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2936 secp256k1_scratch_destroy(scratch);
2938 test_ecmult_multi_batching();
2941 void test_wnaf(const secp256k1_scalar *number, int w) {
2942 secp256k1_scalar x, two, t;
2947 secp256k1_scalar_set_int(&x, 0);
2948 secp256k1_scalar_set_int(&two, 2);
2949 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2951 for (i = bits-1; i >= 0; i--) {
2953 secp256k1_scalar_mul(&x, &x, &two);
2955 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2957 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2958 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2959 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2961 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2965 secp256k1_scalar_set_int(&t, v);
2967 secp256k1_scalar_set_int(&t, -v);
2968 secp256k1_scalar_negate(&t, &t);
2970 secp256k1_scalar_add(&x, &x, &t);
2972 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2975 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2976 secp256k1_scalar neg1 = *number;
2977 secp256k1_scalar neg2 = *number;
2981 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2982 secp256k1_scalar_negate(&neg1, &neg1);
2985 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2986 CHECK(sign1 == sign2);
2987 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2990 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2991 secp256k1_scalar x, shift;
2992 int wnaf[256] = {0};
2996 secp256k1_scalar num = *number;
2998 secp256k1_scalar_set_int(&x, 0);
2999 secp256k1_scalar_set_int(&shift, 1 << w);
3000 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3001 #ifdef USE_ENDOMORPHISM
3002 for (i = 0; i < 16; ++i) {
3003 secp256k1_scalar_shr_int(&num, 8);
3007 skew = secp256k1_wnaf_const(wnaf, num, w, bits);
3009 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3012 CHECK(v != 0); /* check nonzero */
3013 CHECK(v & 1); /* check parity */
3014 CHECK(v > -(1 << w)); /* check range above */
3015 CHECK(v < (1 << w)); /* check range below */
3017 secp256k1_scalar_mul(&x, &x, &shift);
3019 secp256k1_scalar_set_int(&t, v);
3021 secp256k1_scalar_set_int(&t, -v);
3022 secp256k1_scalar_negate(&t, &t);
3024 secp256k1_scalar_add(&x, &x, &t);
3026 /* Skew num because when encoding numbers as odd we use an offset */
3027 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3028 CHECK(secp256k1_scalar_eq(&x, &num));
3031 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3032 secp256k1_scalar x, shift;
3033 int wnaf[256] = {0};
3036 secp256k1_scalar num = *number;
3038 secp256k1_scalar_set_int(&x, 0);
3039 secp256k1_scalar_set_int(&shift, 1 << w);
3040 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3041 #ifdef USE_ENDOMORPHISM
3042 for (i = 0; i < 16; ++i) {
3043 secp256k1_scalar_shr_int(&num, 8);
3046 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3048 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3051 CHECK(v == 0 || v & 1); /* check parity */
3052 CHECK(v > -(1 << w)); /* check range above */
3053 CHECK(v < (1 << w)); /* check range below */
3055 secp256k1_scalar_mul(&x, &x, &shift);
3057 secp256k1_scalar_set_int(&t, v);
3059 secp256k1_scalar_set_int(&t, -v);
3060 secp256k1_scalar_negate(&t, &t);
3062 secp256k1_scalar_add(&x, &x, &t);
3064 /* If skew is 1 then add 1 to num */
3065 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3066 CHECK(secp256k1_scalar_eq(&x, &num));
3069 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3071 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3073 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3074 CHECK(wnaf[i] == 0);
3076 for (i = 7; i >= 0; --i) {
3077 CHECK(wnaf[i] == wnaf_expected[i]);
3081 void test_fixed_wnaf_small(void) {
3083 int wnaf[256] = {0};
3086 secp256k1_scalar num;
3088 secp256k1_scalar_set_int(&num, 0);
3089 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3090 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3096 secp256k1_scalar_set_int(&num, 1);
3097 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3098 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3102 CHECK(wnaf[0] == 1);
3106 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3107 secp256k1_scalar_set_int(&num, 0xffffffff);
3108 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3109 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3113 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3114 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3115 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3116 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3120 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3121 secp256k1_scalar_set_int(&num, 0x01010101);
3122 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3123 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3127 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3128 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3129 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3130 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3135 void run_wnaf(void) {
3137 secp256k1_scalar n = {{0}};
3139 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3140 * have easier-to-diagnose failure modes */
3142 test_constant_wnaf(&n, 4);
3144 test_constant_wnaf(&n, 4);
3146 test_fixed_wnaf_small();
3148 for (i = 0; i < count; i++) {
3149 random_scalar_order(&n);
3150 test_wnaf(&n, 4+(i%10));
3151 test_constant_wnaf_negate(&n);
3152 test_constant_wnaf(&n, 4 + (i % 10));
3153 test_fixed_wnaf(&n, 4 + (i % 10));
3155 secp256k1_scalar_set_int(&n, 0);
3156 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3157 CHECK(secp256k1_scalar_is_zero(&n));
3158 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3159 CHECK(secp256k1_scalar_is_zero(&n));
3162 void test_ecmult_constants(void) {
3163 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3169 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3170 for (i = 0; i < 36; i++ ) {
3171 secp256k1_scalar_set_int(&x, i);
3172 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3173 for (j = 0; j < i; j++) {
3175 ge_equals_gej(&secp256k1_ge_const_g, &r);
3177 secp256k1_gej_add_ge(&r, &r, &ng);
3179 CHECK(secp256k1_gej_is_infinity(&r));
3181 for (i = 1; i <= 36; i++ ) {
3182 secp256k1_scalar_set_int(&x, i);
3183 secp256k1_scalar_negate(&x, &x);
3184 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3185 for (j = 0; j < i; j++) {
3187 ge_equals_gej(&ng, &r);
3189 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3191 CHECK(secp256k1_gej_is_infinity(&r));
3195 void run_ecmult_constants(void) {
3196 test_ecmult_constants();
3199 void test_ecmult_gen_blind(void) {
3200 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3201 secp256k1_scalar key;
3203 unsigned char seed32[32];
3205 secp256k1_gej pgej2;
3208 random_scalar_order_test(&key);
3209 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3210 secp256k1_rand256(seed32);
3211 b = ctx->ecmult_gen_ctx.blind;
3212 i = ctx->ecmult_gen_ctx.initial;
3213 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3214 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3215 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3216 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3217 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3218 secp256k1_ge_set_gej(&pge, &pgej);
3219 ge_equals_gej(&pge, &pgej2);
3222 void test_ecmult_gen_blind_reset(void) {
3223 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3225 secp256k1_gej initial;
3226 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3227 b = ctx->ecmult_gen_ctx.blind;
3228 initial = ctx->ecmult_gen_ctx.initial;
3229 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3230 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3231 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3234 void run_ecmult_gen_blind(void) {
3236 test_ecmult_gen_blind_reset();
3237 for (i = 0; i < 10; i++) {
3238 test_ecmult_gen_blind();
3242 #ifdef USE_ENDOMORPHISM
3243 /***** ENDOMORPHISH TESTS *****/
3244 void test_scalar_split(void) {
3245 secp256k1_scalar full;
3246 secp256k1_scalar s1, slam;
3247 const unsigned char zero[32] = {0};
3248 unsigned char tmp[32];
3250 random_scalar_order_test(&full);
3251 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3253 /* check that both are <= 128 bits in size */
3254 if (secp256k1_scalar_is_high(&s1)) {
3255 secp256k1_scalar_negate(&s1, &s1);
3257 if (secp256k1_scalar_is_high(&slam)) {
3258 secp256k1_scalar_negate(&slam, &slam);
3261 secp256k1_scalar_get_b32(tmp, &s1);
3262 CHECK(memcmp(zero, tmp, 16) == 0);
3263 secp256k1_scalar_get_b32(tmp, &slam);
3264 CHECK(memcmp(zero, tmp, 16) == 0);
3267 void run_endomorphism_tests(void) {
3268 test_scalar_split();
3272 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3273 unsigned char pubkeyc[65];
3274 secp256k1_pubkey pubkey;
3279 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3280 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3281 /* Smaller sizes are tested exhaustively elsewhere. */
3283 memcpy(&pubkeyc[1], input, 64);
3284 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3285 for (i = 0; i < 256; i++) {
3286 /* Try all type bytes. */
3291 /* What sign does this point have? */
3292 ysign = (input[63] & 1) + 2;
3293 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3294 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3295 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3296 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3297 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3298 if (xpass || ypass) {
3299 /* These cases must parse. */
3300 unsigned char pubkeyo[65];
3302 memset(&pubkey, 0, sizeof(pubkey));
3303 VG_UNDEF(&pubkey, sizeof(pubkey));
3305 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3306 VG_CHECK(&pubkey, sizeof(pubkey));
3308 VG_UNDEF(pubkeyo, 65);
3309 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3310 VG_CHECK(pubkeyo, outl);
3312 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3313 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3315 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3316 CHECK(pubkeyo[0] == ysign);
3317 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3318 memset(&pubkey, 0, sizeof(pubkey));
3319 VG_UNDEF(&pubkey, sizeof(pubkey));
3320 secp256k1_pubkey_save(&pubkey, &ge);
3321 VG_CHECK(&pubkey, sizeof(pubkey));
3323 VG_UNDEF(pubkeyo, 65);
3324 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3325 VG_CHECK(pubkeyo, outl);
3327 CHECK(pubkeyo[0] == 4);
3328 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3332 /* These cases must fail to parse. */
3333 memset(&pubkey, 0xfe, sizeof(pubkey));
3335 VG_UNDEF(&pubkey, sizeof(pubkey));
3336 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3337 VG_CHECK(&pubkey, sizeof(pubkey));
3339 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3344 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3347 void run_ec_pubkey_parse_test(void) {
3348 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3349 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3351 /* Point with leading and trailing zeros in x and y serialization. */
3352 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3353 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3354 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3355 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3358 /* Point with x equal to a 3rd root of unity.*/
3359 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3360 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3361 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3362 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3365 /* Point with largest x. (1/2) */
3366 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3367 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3368 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3369 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3372 /* Point with largest x. (2/2) */
3373 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3374 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3375 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3376 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3379 /* Point with smallest x. (1/2) */
3380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3382 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3383 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3386 /* Point with smallest x. (2/2) */
3387 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3389 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3390 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3393 /* Point with largest y. (1/3) */
3394 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3395 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3396 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3397 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3400 /* Point with largest y. (2/3) */
3401 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3402 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3403 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3404 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3407 /* Point with largest y. (3/3) */
3408 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3409 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3410 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3411 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3414 /* Point with smallest y. (1/3) */
3415 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3416 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3417 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3421 /* Point with smallest y. (2/3) */
3422 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3423 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3425 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3428 /* Point with smallest y. (3/3) */
3429 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3430 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3431 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3432 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3435 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3436 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3438 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3439 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3440 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3441 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3442 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3445 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3446 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3447 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3448 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3449 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3452 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3453 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3454 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3455 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3459 /* x on curve, y is from y^2 = x^3 + 8. */
3460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3466 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3467 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3469 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3470 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3471 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3473 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3476 /* Valid if x overflow ignored (x = 1 mod p). */
3477 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3478 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3479 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3480 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3483 /* Valid if x overflow ignored (x = 1 mod p). */
3484 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3485 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3486 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3487 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3490 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3492 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3493 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3494 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3497 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3498 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3499 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3500 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3501 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3504 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3507 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3508 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3511 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3512 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3513 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3514 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3515 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3518 const unsigned char pubkeyc[66] = {
3519 /* Serialization of G. */
3520 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3521 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3522 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3523 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3526 unsigned char sout[65];
3527 unsigned char shortkey[2];
3529 secp256k1_pubkey pubkey;
3535 /* Nothing should be reading this far into pubkeyc. */
3536 VG_UNDEF(&pubkeyc[65], 1);
3537 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3538 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3539 memset(&pubkey, 0xfe, sizeof(pubkey));
3541 VG_UNDEF(shortkey, 2);
3542 VG_UNDEF(&pubkey, sizeof(pubkey));
3543 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3544 VG_CHECK(&pubkey, sizeof(pubkey));
3546 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3548 /* Length one claimed, fail, zeroize, no illegal arg error. */
3549 for (i = 0; i < 256 ; i++) {
3550 memset(&pubkey, 0xfe, sizeof(pubkey));
3553 VG_UNDEF(&shortkey[1], 1);
3554 VG_UNDEF(&pubkey, sizeof(pubkey));
3555 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3556 VG_CHECK(&pubkey, sizeof(pubkey));
3558 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3561 /* Length two claimed, fail, zeroize, no illegal arg error. */
3562 for (i = 0; i < 65536 ; i++) {
3563 memset(&pubkey, 0xfe, sizeof(pubkey));
3565 shortkey[0] = i & 255;
3566 shortkey[1] = i >> 8;
3567 VG_UNDEF(&pubkey, sizeof(pubkey));
3568 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3569 VG_CHECK(&pubkey, sizeof(pubkey));
3571 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3574 memset(&pubkey, 0xfe, sizeof(pubkey));
3576 VG_UNDEF(&pubkey, sizeof(pubkey));
3577 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3578 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3579 VG_CHECK(&pubkey, sizeof(pubkey));
3581 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3583 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3584 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3586 /* NULL input string. Illegal arg and zeroize output. */
3587 memset(&pubkey, 0xfe, sizeof(pubkey));
3589 VG_UNDEF(&pubkey, sizeof(pubkey));
3590 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3591 VG_CHECK(&pubkey, sizeof(pubkey));
3593 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3595 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3596 memset(&pubkey, 0xfe, sizeof(pubkey));
3598 VG_UNDEF(&pubkey, sizeof(pubkey));
3599 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3600 VG_CHECK(&pubkey, sizeof(pubkey));
3602 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3604 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3605 memset(&pubkey, 0xfe, sizeof(pubkey));
3607 VG_UNDEF(&pubkey, sizeof(pubkey));
3608 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3609 VG_CHECK(&pubkey, sizeof(pubkey));
3611 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3614 memset(&pubkey, 0, sizeof(pubkey));
3616 VG_UNDEF(&pubkey, sizeof(pubkey));
3617 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3618 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3619 VG_CHECK(&pubkey, sizeof(pubkey));
3621 VG_UNDEF(&ge, sizeof(ge));
3622 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3623 VG_CHECK(&ge.x, sizeof(ge.x));
3624 VG_CHECK(&ge.y, sizeof(ge.y));
3625 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3626 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3628 /* secp256k1_ec_pubkey_serialize illegal args. */
3631 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3634 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3638 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3643 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3648 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3652 /* Multiple illegal args. Should still set arg error only once. */
3655 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3657 /* Does the illegal arg callback actually change the behavior? */
3658 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3659 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3661 CHECK(ecount2 == 10);
3662 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3663 /* Try a bunch of prefabbed points with all possible encodings. */
3664 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3665 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3667 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3668 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3670 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3671 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3675 void run_eckey_edge_case_test(void) {
3676 const unsigned char orderc[32] = {
3677 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3679 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3680 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3682 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3683 unsigned char ctmp[33];
3684 unsigned char ctmp2[33];
3685 secp256k1_pubkey pubkey;
3686 secp256k1_pubkey pubkey2;
3687 secp256k1_pubkey pubkey_one;
3688 secp256k1_pubkey pubkey_negone;
3689 const secp256k1_pubkey *pubkeys[3];
3692 /* Group order is too large, reject. */
3693 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3694 VG_UNDEF(&pubkey, sizeof(pubkey));
3695 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3696 VG_CHECK(&pubkey, sizeof(pubkey));
3697 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3698 /* Maximum value is too large, reject. */
3699 memset(ctmp, 255, 32);
3700 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3701 memset(&pubkey, 1, sizeof(pubkey));
3702 VG_UNDEF(&pubkey, sizeof(pubkey));
3703 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3704 VG_CHECK(&pubkey, sizeof(pubkey));
3705 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3706 /* Zero is too small, reject. */
3707 memset(ctmp, 0, 32);
3708 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3709 memset(&pubkey, 1, sizeof(pubkey));
3710 VG_UNDEF(&pubkey, sizeof(pubkey));
3711 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3712 VG_CHECK(&pubkey, sizeof(pubkey));
3713 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3714 /* One must be accepted. */
3716 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3717 memset(&pubkey, 0, sizeof(pubkey));
3718 VG_UNDEF(&pubkey, sizeof(pubkey));
3719 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3720 VG_CHECK(&pubkey, sizeof(pubkey));
3721 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3722 pubkey_one = pubkey;
3723 /* Group order + 1 is too large, reject. */
3724 memcpy(ctmp, orderc, 32);
3726 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3727 memset(&pubkey, 1, sizeof(pubkey));
3728 VG_UNDEF(&pubkey, sizeof(pubkey));
3729 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3730 VG_CHECK(&pubkey, sizeof(pubkey));
3731 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3732 /* -1 must be accepted. */
3734 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3735 memset(&pubkey, 0, sizeof(pubkey));
3736 VG_UNDEF(&pubkey, sizeof(pubkey));
3737 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3738 VG_CHECK(&pubkey, sizeof(pubkey));
3739 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3740 pubkey_negone = pubkey;
3741 /* Tweak of zero leaves the value unchanged. */
3742 memset(ctmp2, 0, 32);
3743 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3744 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3745 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3746 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3747 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3748 /* Multiply tweak of zero zeroizes the output. */
3749 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3750 CHECK(memcmp(zeros, ctmp, 32) == 0);
3751 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3752 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3753 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3754 /* Overflowing key tweak zeroizes. */
3755 memcpy(ctmp, orderc, 32);
3757 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3758 CHECK(memcmp(zeros, ctmp, 32) == 0);
3759 memcpy(ctmp, orderc, 32);
3761 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3762 CHECK(memcmp(zeros, ctmp, 32) == 0);
3763 memcpy(ctmp, orderc, 32);
3765 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3766 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3767 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3768 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3769 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3770 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3771 /* Private key tweaks results in a key of zero. */
3773 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3774 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3776 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3777 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3778 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3779 /* Tweak computation wraps and results in a key of 1. */
3781 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3782 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3784 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3786 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3787 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3788 /* Tweak mul * 2 = 1+1. */
3789 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3791 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3792 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3793 /* Test argument errors. */
3795 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3797 /* Zeroize pubkey on parse error. */
3798 memset(&pubkey, 0, 32);
3799 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3801 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3802 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3803 memset(&pubkey2, 0, 32);
3804 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3806 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3807 /* Plain argument errors. */
3809 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3811 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3814 memset(ctmp2, 0, 32);
3816 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3818 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3821 memset(ctmp2, 0, 32);
3823 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3825 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3828 memset(ctmp2, 0, 32);
3829 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3831 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3834 memset(ctmp2, 0, 32);
3836 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3838 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3841 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3843 memset(&pubkey, 1, sizeof(pubkey));
3844 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3846 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3847 /* secp256k1_ec_pubkey_combine tests. */
3849 pubkeys[0] = &pubkey_one;
3850 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3851 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3852 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3853 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3854 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3855 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3856 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3857 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3859 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3860 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3862 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3863 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3864 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3865 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3866 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3868 pubkeys[0] = &pubkey_negone;
3869 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3870 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3871 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3872 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3873 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3876 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3877 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3878 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3879 /* Result is infinity. */
3880 pubkeys[0] = &pubkey_one;
3881 pubkeys[1] = &pubkey_negone;
3882 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3883 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3884 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3885 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3886 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3888 /* Passes through infinity but comes out one. */
3889 pubkeys[2] = &pubkey_one;
3890 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3891 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3892 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3893 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3894 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3897 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3898 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3899 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3901 pubkeys[1] = &pubkey_one;
3902 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3903 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3904 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3905 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3906 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3908 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3911 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3912 secp256k1_scalar nonce;
3914 random_scalar_order_test(&nonce);
3915 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3918 void test_ecdsa_sign_verify(void) {
3921 secp256k1_scalar one;
3922 secp256k1_scalar msg, key;
3923 secp256k1_scalar sigr, sigs;
3926 random_scalar_order_test(&msg);
3927 random_scalar_order_test(&key);
3928 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3929 secp256k1_ge_set_gej(&pub, &pubj);
3930 getrec = secp256k1_rand_bits(1);
3931 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3933 CHECK(recid >= 0 && recid < 4);
3935 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3936 secp256k1_scalar_set_int(&one, 1);
3937 secp256k1_scalar_add(&msg, &msg, &one);
3938 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3941 void run_ecdsa_sign_verify(void) {
3943 for (i = 0; i < 10*count; i++) {
3944 test_ecdsa_sign_verify();
3948 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3949 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3953 memcpy(nonce32, data, 32);
3954 return (counter == 0);
3957 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3958 /* Dummy nonce generator that has a fatal error on the first counter value. */
3962 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3965 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3966 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3968 memset(nonce32, counter==0 ? 0 : 255, 32);
3975 static const unsigned char order[] = {
3976 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3977 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3978 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3979 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3981 memcpy(nonce32, order, 32);
3987 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3988 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3992 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3995 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3996 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3997 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4000 void test_ecdsa_end_to_end(void) {
4001 unsigned char extra[32] = {0x00};
4002 unsigned char privkey[32];
4003 unsigned char message[32];
4004 unsigned char privkey2[32];
4005 secp256k1_ecdsa_signature signature[6];
4006 secp256k1_scalar r, s;
4007 unsigned char sig[74];
4009 unsigned char pubkeyc[65];
4010 size_t pubkeyclen = 65;
4011 secp256k1_pubkey pubkey;
4012 secp256k1_pubkey pubkey_tmp;
4013 unsigned char seckey[300];
4014 size_t seckeylen = 300;
4016 /* Generate a random key and message. */
4018 secp256k1_scalar msg, key;
4019 random_scalar_order_test(&msg);
4020 random_scalar_order_test(&key);
4021 secp256k1_scalar_get_b32(privkey, &key);
4022 secp256k1_scalar_get_b32(message, &msg);
4025 /* Construct and verify corresponding public key. */
4026 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4027 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4029 /* Verify exporting and importing public key. */
4030 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4031 memset(&pubkey, 0, sizeof(pubkey));
4032 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4034 /* Verify negation changes the key and changes it back */
4035 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4036 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4037 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4038 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4039 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4041 /* Verify private key import and export. */
4042 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4043 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4044 CHECK(memcmp(privkey, privkey2, 32) == 0);
4046 /* Optionally tweak the keys using addition. */
4047 if (secp256k1_rand_int(3) == 0) {
4050 unsigned char rnd[32];
4051 secp256k1_pubkey pubkey2;
4052 secp256k1_rand256_test(rnd);
4053 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4054 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4055 CHECK(ret1 == ret2);
4059 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4060 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4063 /* Optionally tweak the keys using multiplication. */
4064 if (secp256k1_rand_int(3) == 0) {
4067 unsigned char rnd[32];
4068 secp256k1_pubkey pubkey2;
4069 secp256k1_rand256_test(rnd);
4070 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4071 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4072 CHECK(ret1 == ret2);
4076 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4077 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4081 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4082 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4083 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4085 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4088 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4089 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4090 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4091 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4092 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4093 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4094 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4095 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4097 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4098 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4099 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4100 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4101 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4102 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4103 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4104 secp256k1_scalar_negate(&s, &s);
4105 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4106 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4107 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4108 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4109 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4110 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4111 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4112 secp256k1_scalar_negate(&s, &s);
4113 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4114 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4115 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4116 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4118 /* Serialize/parse DER and verify again */
4119 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4120 memset(&signature[0], 0, sizeof(signature[0]));
4121 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4122 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4123 /* Serialize/destroy/parse DER and verify again. */
4125 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4126 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4127 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4128 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4131 void test_random_pubkeys(void) {
4134 unsigned char in[65];
4135 /* Generate some randomly sized pubkeys. */
4136 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4137 if (secp256k1_rand_bits(2) == 0) {
4138 len = secp256k1_rand_bits(6);
4141 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4143 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4145 if (secp256k1_rand_bits(3) == 0) {
4146 in[0] = secp256k1_rand_bits(8);
4149 secp256k1_rand256(&in[1]);
4152 secp256k1_rand256(&in[33]);
4154 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4155 unsigned char out[65];
4156 unsigned char firstb;
4160 /* If the pubkey can be parsed, it should round-trip... */
4161 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4163 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4164 /* ... except for the type of hybrid inputs. */
4165 if ((in[0] != 6) && (in[0] != 7)) {
4166 CHECK(in[0] == out[0]);
4169 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4171 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4172 ge_equals_ge(&elem,&elem2);
4173 /* Check that the X9.62 hybrid type is checked. */
4174 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4175 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4176 if (firstb == 2 || firstb == 3) {
4177 if (in[0] == firstb + 4) {
4184 ge_equals_ge(&elem,&elem2);
4185 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4186 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4191 void run_random_pubkeys(void) {
4193 for (i = 0; i < 10*count; i++) {
4194 test_random_pubkeys();
4198 void run_ecdsa_end_to_end(void) {
4200 for (i = 0; i < 64*count; i++) {
4201 test_ecdsa_end_to_end();
4205 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4206 static const unsigned char zeroes[32] = {0};
4207 #ifdef ENABLE_OPENSSL_TESTS
4208 static const unsigned char max_scalar[32] = {
4209 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4211 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4212 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4218 secp256k1_ecdsa_signature sig_der;
4219 unsigned char roundtrip_der[2048];
4220 unsigned char compact_der[64];
4221 size_t len_der = 2048;
4222 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4224 secp256k1_ecdsa_signature sig_der_lax;
4225 unsigned char roundtrip_der_lax[2048];
4226 unsigned char compact_der_lax[64];
4227 size_t len_der_lax = 2048;
4228 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4230 #ifdef ENABLE_OPENSSL_TESTS
4231 ECDSA_SIG *sig_openssl;
4232 const BIGNUM *r = NULL, *s = NULL;
4233 const unsigned char *sigptr;
4234 unsigned char roundtrip_openssl[2048];
4235 int len_openssl = 2048;
4236 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4239 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4241 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4242 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4245 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4246 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4249 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4250 if (parsed_der_lax) {
4251 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4252 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4254 if (valid_der_lax) {
4255 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4256 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4259 if (certainly_der) {
4260 ret |= (!parsed_der) << 2;
4262 if (certainly_not_der) {
4263 ret |= (parsed_der) << 17;
4266 ret |= (!roundtrips_der) << 3;
4270 ret |= (!roundtrips_der_lax) << 12;
4271 ret |= (len_der != len_der_lax) << 13;
4272 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4274 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4276 ret |= (!parsed_der_lax) << 16;
4279 #ifdef ENABLE_OPENSSL_TESTS
4280 sig_openssl = ECDSA_SIG_new();
4282 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4283 if (parsed_openssl) {
4284 ECDSA_SIG_get0(sig_openssl, &r, &s);
4285 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4286 if (valid_openssl) {
4287 unsigned char tmp[32] = {0};
4288 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4289 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4291 if (valid_openssl) {
4292 unsigned char tmp[32] = {0};
4293 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4294 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4297 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4298 if (len_openssl <= 2048) {
4299 unsigned char *ptr = roundtrip_openssl;
4300 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4301 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4305 ECDSA_SIG_free(sig_openssl);
4307 ret |= (parsed_der && !parsed_openssl) << 4;
4308 ret |= (valid_der && !valid_openssl) << 5;
4309 ret |= (roundtrips_openssl && !parsed_der) << 6;
4310 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4311 if (roundtrips_openssl) {
4312 ret |= (len_der != (size_t)len_openssl) << 8;
4313 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4319 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4321 for (i = 0; i < ptrlen; i++) {
4322 int shift = ptrlen - 1 - i;
4326 ptr[i] = (val >> shift) & 0xFF;
4331 static void damage_array(unsigned char *sig, size_t *len) {
4333 int action = secp256k1_rand_bits(3);
4334 if (action < 1 && *len > 3) {
4335 /* Delete a byte. */
4336 pos = secp256k1_rand_int(*len);
4337 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4340 } else if (action < 2 && *len < 2048) {
4341 /* Insert a byte. */
4342 pos = secp256k1_rand_int(1 + *len);
4343 memmove(sig + pos + 1, sig + pos, *len - pos);
4344 sig[pos] = secp256k1_rand_bits(8);
4347 } else if (action < 4) {
4348 /* Modify a byte. */
4349 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4351 } else { /* action < 8 */
4353 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4358 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4360 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4361 size_t tlen, elen, glen;
4366 der = secp256k1_rand_bits(2) == 0;
4367 *certainly_der = der;
4368 *certainly_not_der = 0;
4369 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4371 for (n = 0; n < 2; n++) {
4372 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4373 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4374 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4375 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4376 CHECK(nlen[n] <= 232);
4377 /* The top bit of the number. */
4378 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4379 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4380 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4381 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4382 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4383 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4384 *certainly_not_der = 1;
4386 CHECK(nlen[n] + nzlen[n] <= 300);
4387 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4388 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4390 /* nlenlen[n] max 127 bytes */
4391 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4394 *certainly_not_der = 1;
4397 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4400 /* The total length of the data to go, so far */
4401 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4404 /* The length of the garbage inside the tuple. */
4405 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4407 *certainly_not_der = 1;
4412 /* The length of the garbage after the end of the tuple. */
4413 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4415 *certainly_not_der = 1;
4417 CHECK(tlen + glen <= 990);
4419 /* Write the tuple header. */
4420 sig[(*len)++] = 0x30;
4422 /* Indeterminate length */
4423 sig[(*len)++] = 0x80;
4424 *certainly_not_der = 1;
4426 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4428 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4431 *certainly_not_der = 1;
4435 /* Short length notation */
4436 sig[(*len)++] = tlen;
4438 /* Long length notation */
4439 sig[(*len)++] = 128 + tlenlen;
4440 assign_big_endian(sig + *len, tlenlen, tlen);
4446 CHECK(tlen + glen <= 1119);
4448 for (n = 0; n < 2; n++) {
4449 /* Write the integer header. */
4450 sig[(*len)++] = 0x02;
4451 if (nlenlen[n] == 0) {
4452 /* Short length notation */
4453 sig[(*len)++] = nlen[n] + nzlen[n];
4455 /* Long length notation. */
4456 sig[(*len)++] = 128 + nlenlen[n];
4457 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4460 /* Write zero padding */
4461 while (nzlen[n] > 0) {
4462 sig[(*len)++] = 0x00;
4465 if (nlen[n] == 32 && !nlow[n]) {
4466 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4468 for (i = 0; i < 16; i++) {
4469 sig[(*len)++] = 0xFF;
4473 /* Write first byte of number */
4475 sig[(*len)++] = nhbyte[n];
4478 /* Generate remaining random bytes of number */
4479 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4484 /* Generate random garbage inside tuple. */
4485 secp256k1_rand_bytes_test(sig + *len, elen);
4488 /* Generate end-of-contents bytes. */
4494 CHECK(tlen + glen <= 1121);
4496 /* Generate random garbage outside tuple. */
4497 secp256k1_rand_bytes_test(sig + *len, glen);
4500 CHECK(tlen <= 1121);
4501 CHECK(tlen == *len);
4504 void run_ecdsa_der_parse(void) {
4506 for (i = 0; i < 200 * count; i++) {
4507 unsigned char buffer[2048];
4509 int certainly_der = 0;
4510 int certainly_not_der = 0;
4511 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4512 CHECK(buflen <= 2048);
4513 for (j = 0; j < 16; j++) {
4516 damage_array(buffer, &buflen);
4517 /* We don't know anything anymore about the DERness of the result */
4519 certainly_not_der = 0;
4521 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4524 fprintf(stderr, "Failure %x on ", ret);
4525 for (k = 0; k < buflen; k++) {
4526 fprintf(stderr, "%02x ", buffer[k]);
4528 fprintf(stderr, "\n");
4535 /* Tests several edge cases. */
4536 void test_ecdsa_edge_cases(void) {
4538 secp256k1_ecdsa_signature sig;
4540 /* Test the case where ECDSA recomputes a point that is infinity. */
4544 secp256k1_scalar msg;
4545 secp256k1_scalar sr, ss;
4546 secp256k1_scalar_set_int(&ss, 1);
4547 secp256k1_scalar_negate(&ss, &ss);
4548 secp256k1_scalar_inverse(&ss, &ss);
4549 secp256k1_scalar_set_int(&sr, 1);
4550 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4551 secp256k1_ge_set_gej(&key, &keyj);
4553 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4556 /* Verify signature with r of zero fails. */
4558 const unsigned char pubkey_mods_zero[33] = {
4559 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4560 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4561 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4562 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4566 secp256k1_scalar msg;
4567 secp256k1_scalar sr, ss;
4568 secp256k1_scalar_set_int(&ss, 1);
4569 secp256k1_scalar_set_int(&msg, 0);
4570 secp256k1_scalar_set_int(&sr, 0);
4571 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4572 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4575 /* Verify signature with s of zero fails. */
4577 const unsigned char pubkey[33] = {
4578 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4585 secp256k1_scalar msg;
4586 secp256k1_scalar sr, ss;
4587 secp256k1_scalar_set_int(&ss, 0);
4588 secp256k1_scalar_set_int(&msg, 0);
4589 secp256k1_scalar_set_int(&sr, 1);
4590 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4591 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4594 /* Verify signature with message 0 passes. */
4596 const unsigned char pubkey[33] = {
4597 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4598 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4600 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4603 const unsigned char pubkey2[33] = {
4604 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4605 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4606 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4607 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4612 secp256k1_scalar msg;
4613 secp256k1_scalar sr, ss;
4614 secp256k1_scalar_set_int(&ss, 2);
4615 secp256k1_scalar_set_int(&msg, 0);
4616 secp256k1_scalar_set_int(&sr, 2);
4617 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4618 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4619 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4620 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4621 secp256k1_scalar_negate(&ss, &ss);
4622 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4623 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4624 secp256k1_scalar_set_int(&ss, 1);
4625 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4626 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4629 /* Verify signature with message 1 passes. */
4631 const unsigned char pubkey[33] = {
4632 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4633 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4634 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4635 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4638 const unsigned char pubkey2[33] = {
4639 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4640 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4641 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4642 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4645 const unsigned char csr[32] = {
4646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4648 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4649 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4653 secp256k1_scalar msg;
4654 secp256k1_scalar sr, ss;
4655 secp256k1_scalar_set_int(&ss, 1);
4656 secp256k1_scalar_set_int(&msg, 1);
4657 secp256k1_scalar_set_b32(&sr, csr, NULL);
4658 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4659 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4660 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4661 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4662 secp256k1_scalar_negate(&ss, &ss);
4663 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4664 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4665 secp256k1_scalar_set_int(&ss, 2);
4666 secp256k1_scalar_inverse_var(&ss, &ss);
4667 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4668 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4671 /* Verify signature with message -1 passes. */
4673 const unsigned char pubkey[33] = {
4674 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4675 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4676 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4677 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4680 const unsigned char csr[32] = {
4681 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4682 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4683 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4684 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4687 secp256k1_scalar msg;
4688 secp256k1_scalar sr, ss;
4689 secp256k1_scalar_set_int(&ss, 1);
4690 secp256k1_scalar_set_int(&msg, 1);
4691 secp256k1_scalar_negate(&msg, &msg);
4692 secp256k1_scalar_set_b32(&sr, csr, NULL);
4693 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4694 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4695 secp256k1_scalar_negate(&ss, &ss);
4696 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4697 secp256k1_scalar_set_int(&ss, 3);
4698 secp256k1_scalar_inverse_var(&ss, &ss);
4699 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4702 /* Signature where s would be zero. */
4704 secp256k1_pubkey pubkey;
4707 unsigned char signature[72];
4708 static const unsigned char nonce[32] = {
4709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4714 static const unsigned char nonce2[32] = {
4715 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4716 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4717 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4718 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4720 const unsigned char key[32] = {
4721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4726 unsigned char msg[32] = {
4727 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4728 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4729 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4730 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4733 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4734 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4735 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4737 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4739 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4741 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4743 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4745 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4746 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4747 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4749 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4751 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4753 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4755 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4757 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4758 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4761 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4763 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4764 CHECK(ecount == 10);
4765 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4766 CHECK(ecount == 11);
4767 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4768 CHECK(ecount == 11);
4769 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4770 CHECK(ecount == 12);
4771 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4772 CHECK(ecount == 13);
4773 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4774 CHECK(ecount == 13);
4776 /* Too little room for a signature does not fail via ARGCHECK. */
4777 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4778 CHECK(ecount == 13);
4780 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4782 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4784 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4786 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4788 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4790 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4792 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4794 memset(signature, 255, 64);
4795 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4797 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4800 /* Nonce function corner cases. */
4801 for (t = 0; t < 2; t++) {
4802 static const unsigned char zero[32] = {0x00};
4804 unsigned char key[32];
4805 unsigned char msg[32];
4806 secp256k1_ecdsa_signature sig2;
4807 secp256k1_scalar sr[512], ss;
4808 const unsigned char *extra;
4809 extra = t == 0 ? NULL : zero;
4812 /* High key results in signature failure. */
4813 memset(key, 0xFF, 32);
4814 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4815 CHECK(is_empty_signature(&sig));
4816 /* Zero key results in signature failure. */
4818 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4819 CHECK(is_empty_signature(&sig));
4820 /* Nonce function failure results in signature failure. */
4822 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4823 CHECK(is_empty_signature(&sig));
4824 /* The retry loop successfully makes its way to the first good value. */
4825 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4826 CHECK(!is_empty_signature(&sig));
4827 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4828 CHECK(!is_empty_signature(&sig2));
4829 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4830 /* The default nonce function is deterministic. */
4831 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4832 CHECK(!is_empty_signature(&sig2));
4833 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4834 /* The default nonce function changes output with different messages. */
4835 for(i = 0; i < 256; i++) {
4838 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4839 CHECK(!is_empty_signature(&sig2));
4840 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4841 for (j = 0; j < i; j++) {
4842 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4847 /* The default nonce function changes output with different keys. */
4848 for(i = 256; i < 512; i++) {
4851 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4852 CHECK(!is_empty_signature(&sig2));
4853 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4854 for (j = 0; j < i; j++) {
4855 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4862 /* Check that optional nonce arguments do not have equivalent effect. */
4863 const unsigned char zeros[32] = {0};
4864 unsigned char nonce[32];
4865 unsigned char nonce2[32];
4866 unsigned char nonce3[32];
4867 unsigned char nonce4[32];
4869 VG_UNDEF(nonce2,32);
4870 VG_UNDEF(nonce3,32);
4871 VG_UNDEF(nonce4,32);
4872 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4874 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4875 VG_CHECK(nonce2,32);
4876 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4877 VG_CHECK(nonce3,32);
4878 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4879 VG_CHECK(nonce4,32);
4880 CHECK(memcmp(nonce, nonce2, 32) != 0);
4881 CHECK(memcmp(nonce, nonce3, 32) != 0);
4882 CHECK(memcmp(nonce, nonce4, 32) != 0);
4883 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4884 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4885 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4889 /* Privkey export where pubkey is the point at infinity. */
4891 unsigned char privkey[300];
4892 unsigned char seckey[32] = {
4893 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4894 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4895 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4896 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4898 size_t outlen = 300;
4899 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4901 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4905 void run_ecdsa_edge_cases(void) {
4906 test_ecdsa_edge_cases();
4909 #ifdef ENABLE_OPENSSL_TESTS
4910 EC_KEY *get_openssl_key(const unsigned char *key32) {
4911 unsigned char privkey[300];
4913 const unsigned char* pbegin = privkey;
4914 int compr = secp256k1_rand_bits(1);
4915 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4916 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4917 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4918 CHECK(EC_KEY_check_key(ec_key));
4922 void test_ecdsa_openssl(void) {
4925 secp256k1_scalar sigr, sigs;
4926 secp256k1_scalar one;
4927 secp256k1_scalar msg2;
4928 secp256k1_scalar key, msg;
4930 unsigned int sigsize = 80;
4931 size_t secp_sigsize = 80;
4932 unsigned char message[32];
4933 unsigned char signature[80];
4934 unsigned char key32[32];
4935 secp256k1_rand256_test(message);
4936 secp256k1_scalar_set_b32(&msg, message, NULL);
4937 random_scalar_order_test(&key);
4938 secp256k1_scalar_get_b32(key32, &key);
4939 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4940 secp256k1_ge_set_gej(&q, &qj);
4941 ec_key = get_openssl_key(key32);
4942 CHECK(ec_key != NULL);
4943 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4944 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4945 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4946 secp256k1_scalar_set_int(&one, 1);
4947 secp256k1_scalar_add(&msg2, &msg, &one);
4948 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4950 random_sign(&sigr, &sigs, &key, &msg, NULL);
4951 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4952 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4954 EC_KEY_free(ec_key);
4957 void run_ecdsa_openssl(void) {
4959 for (i = 0; i < 10*count; i++) {
4960 test_ecdsa_openssl();
4965 #ifdef ENABLE_MODULE_ECDH
4966 # include "modules/ecdh/tests_impl.h"
4969 #ifdef ENABLE_MODULE_RECOVERY
4970 # include "modules/recovery/tests_impl.h"
4973 int main(int argc, char **argv) {
4974 unsigned char seed16[16] = {0};
4975 unsigned char run32[32] = {0};
4976 /* find iteration count */
4978 count = strtol(argv[1], NULL, 0);
4981 /* find random seed */
4984 const char* ch = argv[2];
4985 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4987 if (sscanf(ch, "%2hx", &sh)) {
4996 FILE *frand = fopen("/dev/urandom", "r");
4997 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
4998 uint64_t t = time(NULL) * (uint64_t)1337;
4999 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5001 seed16[1] ^= t >> 8;
5002 seed16[2] ^= t >> 16;
5003 seed16[3] ^= t >> 24;
5004 seed16[4] ^= t >> 32;
5005 seed16[5] ^= t >> 40;
5006 seed16[6] ^= t >> 48;
5007 seed16[7] ^= t >> 56;
5013 secp256k1_rand_seed(seed16);
5015 printf("test count = %i\n", count);
5016 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5019 run_context_tests();
5020 run_scratch_tests();
5021 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5022 if (secp256k1_rand_bits(1)) {
5023 secp256k1_rand256(run32);
5024 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5031 run_hmac_sha256_tests();
5032 run_rfc6979_hmac_sha256_tests();
5034 #ifndef USE_NUM_NONE
5036 run_num_smalltests();
5044 run_field_inv_var();
5045 run_field_inv_all_var();
5047 run_field_convert();
5053 run_group_decompress();
5057 run_point_times_order();
5059 run_ecmult_constants();
5060 run_ecmult_gen_blind();
5061 run_ecmult_const_tests();
5062 run_ecmult_multi_tests();
5065 /* endomorphism tests */
5066 #ifdef USE_ENDOMORPHISM
5067 run_endomorphism_tests();
5070 /* EC point parser test */
5071 run_ec_pubkey_parse_test();
5073 /* EC key edge cases */
5074 run_eckey_edge_case_test();
5076 #ifdef ENABLE_MODULE_ECDH
5082 run_random_pubkeys();
5083 run_ecdsa_der_parse();
5084 run_ecdsa_sign_verify();
5085 run_ecdsa_end_to_end();
5086 run_ecdsa_edge_cases();
5087 #ifdef ENABLE_OPENSSL_TESTS
5088 run_ecdsa_openssl();
5091 #ifdef ENABLE_MODULE_RECOVERY
5092 /* ECDSA pubkey recovery tests */
5093 run_recovery_tests();
5096 secp256k1_rand256(run32);
5097 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5100 secp256k1_context_destroy(ctx);
5102 printf("no problems found\n");
projects / secp256k1.git / blob