1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
35 static int count = 64;
36 static secp256k1_context *ctx = NULL;
38 static void counting_illegal_callback_fn(const char* str, void* data) {
39 /* Dummy callback function that just counts. */
46 static void uncounting_illegal_callback_fn(const char* str, void* data) {
47 /* Dummy callback function that just counts (backwards). */
54 void random_field_element_test(secp256k1_fe *fe) {
56 unsigned char b32[32];
57 secp256k1_testrand256_test(b32);
58 if (secp256k1_fe_set_b32(fe, b32)) {
64 void random_field_element_magnitude(secp256k1_fe *fe) {
66 int n = secp256k1_testrand_int(9);
67 secp256k1_fe_normalize(fe);
71 secp256k1_fe_clear(&zero);
72 secp256k1_fe_negate(&zero, &zero, 0);
73 secp256k1_fe_mul_int(&zero, n - 1);
74 secp256k1_fe_add(fe, &zero);
76 CHECK(fe->magnitude == n);
80 void random_group_element_test(secp256k1_ge *ge) {
83 random_field_element_test(&fe);
84 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
85 secp256k1_fe_normalize(&ge->y);
92 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
95 random_field_element_test(&gej->z);
96 if (!secp256k1_fe_is_zero(&gej->z)) {
100 secp256k1_fe_sqr(&z2, &gej->z);
101 secp256k1_fe_mul(&z3, &z2, &gej->z);
102 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
103 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
104 gej->infinity = ge->infinity;
107 void random_scalar_order_test(secp256k1_scalar *num) {
109 unsigned char b32[32];
111 secp256k1_testrand256_test(b32);
112 secp256k1_scalar_set_b32(num, b32, &overflow);
113 if (overflow || secp256k1_scalar_is_zero(num)) {
120 void random_scalar_order(secp256k1_scalar *num) {
122 unsigned char b32[32];
124 secp256k1_testrand256(b32);
125 secp256k1_scalar_set_b32(num, b32, &overflow);
126 if (overflow || secp256k1_scalar_is_zero(num)) {
133 void random_scalar_order_b32(unsigned char *b32) {
134 secp256k1_scalar num;
135 random_scalar_order(&num);
136 secp256k1_scalar_get_b32(b32, &num);
139 void run_context_tests(int use_prealloc) {
140 secp256k1_pubkey pubkey;
141 secp256k1_pubkey zero_pubkey;
142 secp256k1_ecdsa_signature sig;
143 unsigned char ctmp[32];
146 secp256k1_context *none;
147 secp256k1_context *sign;
148 secp256k1_context *vrfy;
149 secp256k1_context *both;
150 void *none_prealloc = NULL;
151 void *sign_prealloc = NULL;
152 void *vrfy_prealloc = NULL;
153 void *both_prealloc = NULL;
157 secp256k1_scalar msg, key, nonce;
158 secp256k1_scalar sigr, sigs;
161 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
162 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
163 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
164 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
165 CHECK(none_prealloc != NULL);
166 CHECK(sign_prealloc != NULL);
167 CHECK(vrfy_prealloc != NULL);
168 CHECK(both_prealloc != NULL);
169 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
170 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
171 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
172 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
174 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
175 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
176 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
177 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
184 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
185 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
186 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
187 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
188 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
189 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
191 /* check if sizes for cloning are consistent */
192 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
197 /*** clone and destroy all of them to make sure cloning was complete ***/
199 secp256k1_context *ctx_tmp;
202 /* clone into a non-preallocated context and then again into a new preallocated one. */
203 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
207 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
211 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
215 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
219 /* clone into a preallocated context and then again into a new non-preallocated one. */
222 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
227 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
232 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
244 /* Verify that the error callback makes it across the clone. */
245 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
246 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
247 /* And that it resets back to default. */
248 secp256k1_context_set_error_callback(sign, NULL, NULL);
249 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
251 /*** attempt to use them ***/
252 random_scalar_order_test(&msg);
253 random_scalar_order_test(&key);
254 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
255 secp256k1_ge_set_gej(&pub, &pubj);
257 /* Verify context-type checking illegal-argument errors. */
259 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
261 VG_UNDEF(&pubkey, sizeof(pubkey));
262 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
263 VG_CHECK(&pubkey, sizeof(pubkey));
264 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
266 VG_UNDEF(&sig, sizeof(sig));
267 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
268 VG_CHECK(&sig, sizeof(sig));
269 CHECK(ecount2 == 10);
270 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
271 CHECK(ecount2 == 11);
272 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
274 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
275 CHECK(ecount2 == 12);
276 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
278 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
279 CHECK(ecount2 == 13);
280 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
282 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
284 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
285 CHECK(ecount2 == 14);
286 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
288 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
290 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
292 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
294 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
295 CHECK(ecount2 == 14);
296 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
297 CHECK(ecount2 == 14);
298 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
299 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
301 /* obtain a working nonce */
303 random_scalar_order_test(&nonce);
304 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
311 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
312 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
316 secp256k1_context_preallocated_destroy(none);
317 secp256k1_context_preallocated_destroy(sign);
318 secp256k1_context_preallocated_destroy(vrfy);
319 secp256k1_context_preallocated_destroy(both);
325 secp256k1_context_destroy(none);
326 secp256k1_context_destroy(sign);
327 secp256k1_context_destroy(vrfy);
328 secp256k1_context_destroy(both);
330 /* Defined as no-op. */
331 secp256k1_context_destroy(NULL);
332 secp256k1_context_preallocated_destroy(NULL);
336 void run_scratch_tests(void) {
337 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
342 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
343 secp256k1_scratch_space *scratch;
344 secp256k1_scratch_space local_scratch;
346 /* Test public API */
347 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
348 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
350 scratch = secp256k1_scratch_space_create(none, 1000);
351 CHECK(scratch != NULL);
354 /* Test internal API */
355 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
357 CHECK(scratch->alloc_size == 0);
358 CHECK(scratch->alloc_size % ALIGNMENT == 0);
360 /* Allocating 500 bytes succeeds */
361 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
362 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
363 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
365 CHECK(scratch->alloc_size != 0);
366 CHECK(scratch->alloc_size % ALIGNMENT == 0);
368 /* Allocating another 501 bytes fails */
369 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
372 CHECK(scratch->alloc_size != 0);
373 CHECK(scratch->alloc_size % ALIGNMENT == 0);
375 /* ...but it succeeds once we apply the checkpoint to undo it */
376 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
377 CHECK(scratch->alloc_size == 0);
378 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
379 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
380 CHECK(scratch->alloc_size != 0);
382 /* try to apply a bad checkpoint */
383 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
384 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
386 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
388 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
391 /* try to use badly initialized scratch space */
392 secp256k1_scratch_space_destroy(none, scratch);
393 memset(&local_scratch, 0, sizeof(local_scratch));
394 scratch = &local_scratch;
395 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
397 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
399 secp256k1_scratch_space_destroy(none, scratch);
402 /* Test that large integers do not wrap around in a bad way */
403 scratch = secp256k1_scratch_space_create(none, 1000);
404 /* Try max allocation with a large number of objects. Only makes sense if
405 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
407 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
408 /* Try allocating SIZE_MAX to test wrap around which only happens if
409 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
410 * space is too small. */
411 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
412 secp256k1_scratch_space_destroy(none, scratch);
415 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
416 secp256k1_context_destroy(none);
419 /***** HASH TESTS *****/
421 void run_sha256_tests(void) {
422 static const char *inputs[8] = {
423 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
424 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
425 "For this sample, this 63-byte string will be used as input data",
426 "This is exactly 64 bytes long, not counting the terminating byte"
428 static const unsigned char outputs[8][32] = {
429 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
430 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
431 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
432 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
433 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
434 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
435 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
436 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
439 for (i = 0; i < 8; i++) {
440 unsigned char out[32];
441 secp256k1_sha256 hasher;
442 secp256k1_sha256_initialize(&hasher);
443 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
444 secp256k1_sha256_finalize(&hasher, out);
445 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
446 if (strlen(inputs[i]) > 0) {
447 int split = secp256k1_testrand_int(strlen(inputs[i]));
448 secp256k1_sha256_initialize(&hasher);
449 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
450 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
451 secp256k1_sha256_finalize(&hasher, out);
452 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
457 void run_hmac_sha256_tests(void) {
458 static const char *keys[6] = {
459 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
461 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
462 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
463 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
464 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
466 static const char *inputs[6] = {
467 "\x48\x69\x20\x54\x68\x65\x72\x65",
468 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
469 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
470 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
471 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
472 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
474 static const unsigned char outputs[6][32] = {
475 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
476 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
477 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
478 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
479 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
480 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
483 for (i = 0; i < 6; i++) {
484 secp256k1_hmac_sha256 hasher;
485 unsigned char out[32];
486 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
487 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
488 secp256k1_hmac_sha256_finalize(&hasher, out);
489 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
490 if (strlen(inputs[i]) > 0) {
491 int split = secp256k1_testrand_int(strlen(inputs[i]));
492 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
493 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
494 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
495 secp256k1_hmac_sha256_finalize(&hasher, out);
496 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
501 void run_rfc6979_hmac_sha256_tests(void) {
502 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
503 static const unsigned char out1[3][32] = {
504 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
505 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
506 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
509 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
510 static const unsigned char out2[3][32] = {
511 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
512 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
513 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
516 secp256k1_rfc6979_hmac_sha256 rng;
517 unsigned char out[32];
520 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
521 for (i = 0; i < 3; i++) {
522 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
523 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
525 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
527 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
528 for (i = 0; i < 3; i++) {
529 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
530 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
532 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
534 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
535 for (i = 0; i < 3; i++) {
536 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
537 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
539 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
542 /***** RANDOM TESTS *****/
544 void test_rand_bits(int rand32, int bits) {
545 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
546 * get a false negative chance below once in a billion */
547 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
548 /* We try multiplying the results with various odd numbers, which shouldn't
549 * influence the uniform distribution modulo a power of 2. */
550 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
551 /* We only select up to 6 bits from the output to analyse */
552 unsigned int usebits = bits > 6 ? 6 : bits;
553 unsigned int maxshift = bits - usebits;
554 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
555 number, track all observed outcomes, one per bit in a uint64_t. */
556 uint64_t x[6][27] = {{0}};
557 unsigned int i, shift, m;
558 /* Multiply the output of all rand calls with the odd number m, which
559 should not change the uniformity of its distribution. */
560 for (i = 0; i < rounds[usebits]; i++) {
561 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
562 CHECK((((uint64_t)r) >> bits) == 0);
563 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
564 uint32_t rm = r * mults[m];
565 for (shift = 0; shift <= maxshift; shift++) {
566 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
570 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
571 for (shift = 0; shift <= maxshift; shift++) {
572 /* Test that the lower usebits bits of x[shift] are 1 */
573 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
578 /* Subrange must be a whole divisor of range, and at most 64 */
579 void test_rand_int(uint32_t range, uint32_t subrange) {
580 /* (1-1/subrange)^rounds < 1/10^9 */
581 int rounds = (subrange * 2073) / 100;
584 CHECK((range % subrange) == 0);
585 for (i = 0; i < rounds; i++) {
586 uint32_t r = secp256k1_testrand_int(range);
589 x |= (((uint64_t)1) << r);
591 /* Test that the lower subrange bits of x are 1. */
592 CHECK(((~x) << (64 - subrange)) == 0);
595 void run_rand_bits(void) {
597 test_rand_bits(1, 32);
598 for (b = 1; b <= 32; b++) {
599 test_rand_bits(0, b);
603 void run_rand_int(void) {
604 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
605 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
607 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
608 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
609 test_rand_int(ms[m] * ss[s], ss[s]);
614 /***** NUM TESTS *****/
617 void random_num_negate(secp256k1_num *num) {
618 if (secp256k1_testrand_bits(1)) {
619 secp256k1_num_negate(num);
623 void random_num_order_test(secp256k1_num *num) {
625 random_scalar_order_test(&sc);
626 secp256k1_scalar_get_num(num, &sc);
629 void random_num_order(secp256k1_num *num) {
631 random_scalar_order(&sc);
632 secp256k1_scalar_get_num(num, &sc);
635 void test_num_negate(void) {
638 random_num_order_test(&n1); /* n1 = R */
639 random_num_negate(&n1);
640 secp256k1_num_copy(&n2, &n1); /* n2 = R */
641 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
642 CHECK(secp256k1_num_is_zero(&n1));
643 secp256k1_num_copy(&n1, &n2); /* n1 = R */
644 secp256k1_num_negate(&n1); /* n1 = -R */
645 CHECK(!secp256k1_num_is_zero(&n1));
646 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
647 CHECK(secp256k1_num_is_zero(&n1));
648 secp256k1_num_copy(&n1, &n2); /* n1 = R */
649 secp256k1_num_negate(&n1); /* n1 = -R */
650 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
651 secp256k1_num_negate(&n1); /* n1 = R */
652 CHECK(secp256k1_num_eq(&n1, &n2));
655 void test_num_add_sub(void) {
660 secp256k1_num n1p2, n2p1, n1m2, n2m1;
661 random_num_order_test(&n1); /* n1 = R1 */
662 if (secp256k1_testrand_bits(1)) {
663 random_num_negate(&n1);
665 random_num_order_test(&n2); /* n2 = R2 */
666 if (secp256k1_testrand_bits(1)) {
667 random_num_negate(&n2);
669 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
670 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
671 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
672 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
673 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
674 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
675 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
676 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
677 CHECK(!secp256k1_num_eq(&n2m1, &n1));
678 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
679 CHECK(secp256k1_num_eq(&n2m1, &n1));
680 CHECK(!secp256k1_num_eq(&n2p1, &n1));
681 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
682 CHECK(secp256k1_num_eq(&n2p1, &n1));
685 secp256k1_scalar_set_int(&s, 1);
686 secp256k1_scalar_get_num(&n1, &s);
687 CHECK(secp256k1_num_is_one(&n1));
688 /* check that 2^n + 1 is never 1 */
689 secp256k1_scalar_get_num(&n2, &s);
690 for (i = 0; i < 250; ++i) {
691 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
692 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
693 CHECK(!secp256k1_num_is_one(&n1p2));
697 void test_num_mod(void) {
700 secp256k1_num order, n;
702 /* check that 0 mod anything is 0 */
703 random_scalar_order_test(&s);
704 secp256k1_scalar_get_num(&order, &s);
705 secp256k1_scalar_set_int(&s, 0);
706 secp256k1_scalar_get_num(&n, &s);
707 secp256k1_num_mod(&n, &order);
708 CHECK(secp256k1_num_is_zero(&n));
710 /* check that anything mod 1 is 0 */
711 secp256k1_scalar_set_int(&s, 1);
712 secp256k1_scalar_get_num(&order, &s);
713 secp256k1_scalar_get_num(&n, &s);
714 secp256k1_num_mod(&n, &order);
715 CHECK(secp256k1_num_is_zero(&n));
717 /* check that increasing the number past 2^256 does not break this */
718 random_scalar_order_test(&s);
719 secp256k1_scalar_get_num(&n, &s);
720 /* multiply by 2^8, which'll test this case with high probability */
721 for (i = 0; i < 8; ++i) {
722 secp256k1_num_add(&n, &n, &n);
724 secp256k1_num_mod(&n, &order);
725 CHECK(secp256k1_num_is_zero(&n));
728 void test_num_jacobi(void) {
729 secp256k1_scalar sqr;
730 secp256k1_scalar small;
731 secp256k1_scalar five; /* five is not a quadratic residue */
732 secp256k1_num order, n;
734 /* squares mod 5 are 1, 4 */
735 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
737 /* check some small values with 5 as the order */
738 secp256k1_scalar_set_int(&five, 5);
739 secp256k1_scalar_get_num(&order, &five);
740 for (i = 0; i < 10; ++i) {
741 secp256k1_scalar_set_int(&small, i);
742 secp256k1_scalar_get_num(&n, &small);
743 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
746 /** test large values with 5 as group order */
747 secp256k1_scalar_get_num(&order, &five);
748 /* we first need a scalar which is not a multiple of 5 */
751 random_scalar_order_test(&sqr);
752 secp256k1_scalar_get_num(&fiven, &five);
753 secp256k1_scalar_get_num(&n, &sqr);
754 secp256k1_num_mod(&n, &fiven);
755 } while (secp256k1_num_is_zero(&n));
756 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
757 * just multiply by two, i.e. add the number to itself */
758 if (secp256k1_num_jacobi(&n, &order) == -1) {
759 secp256k1_num_add(&n, &n, &n);
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_num_add(&n, &n, &n);
766 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
768 /** test with secp group order as order */
769 secp256k1_scalar_order_get_num(&order);
770 random_scalar_order_test(&sqr);
771 secp256k1_scalar_sqr(&sqr, &sqr);
773 secp256k1_scalar_get_num(&n, &sqr);
774 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
775 /* test nonresidue */
776 secp256k1_scalar_mul(&sqr, &sqr, &five);
777 secp256k1_scalar_get_num(&n, &sqr);
778 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
779 /* test multiple of the order*/
780 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
782 /* check one less than the order */
783 secp256k1_scalar_set_int(&small, 1);
784 secp256k1_scalar_get_num(&n, &small);
785 secp256k1_num_sub(&n, &order, &n);
786 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
789 void run_num_smalltests(void) {
791 for (i = 0; i < 100*count; i++) {
800 /***** SCALAR TESTS *****/
802 void scalar_test(void) {
807 secp256k1_num snum, s1num, s2num;
808 secp256k1_num order, half_order;
812 /* Set 's' to a random scalar, with value 'snum'. */
813 random_scalar_order_test(&s);
815 /* Set 's1' to a random scalar, with value 's1num'. */
816 random_scalar_order_test(&s1);
818 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
819 random_scalar_order_test(&s2);
820 secp256k1_scalar_get_b32(c, &s2);
823 secp256k1_scalar_get_num(&snum, &s);
824 secp256k1_scalar_get_num(&s1num, &s1);
825 secp256k1_scalar_get_num(&s2num, &s2);
827 secp256k1_scalar_order_get_num(&order);
829 secp256k1_num_shift(&half_order, 1);
834 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
836 secp256k1_scalar_set_int(&n, 0);
837 for (i = 0; i < 256; i += 4) {
840 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
841 for (j = 0; j < 4; j++) {
842 secp256k1_scalar_add(&n, &n, &n);
844 secp256k1_scalar_add(&n, &n, &t);
846 CHECK(secp256k1_scalar_eq(&n, &s));
850 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
853 secp256k1_scalar_set_int(&n, 0);
857 int now = secp256k1_testrand_int(15) + 1;
861 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
862 for (j = 0; j < now; j++) {
863 secp256k1_scalar_add(&n, &n, &n);
865 secp256k1_scalar_add(&n, &n, &t);
868 CHECK(secp256k1_scalar_eq(&n, &s));
873 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
877 secp256k1_num_add(&rnum, &snum, &s2num);
878 secp256k1_num_mod(&rnum, &order);
879 secp256k1_scalar_add(&r, &s, &s2);
880 secp256k1_scalar_get_num(&r2num, &r);
881 CHECK(secp256k1_num_eq(&rnum, &r2num));
885 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
889 secp256k1_num_mul(&rnum, &snum, &s2num);
890 secp256k1_num_mod(&rnum, &order);
891 secp256k1_scalar_mul(&r, &s, &s2);
892 secp256k1_scalar_get_num(&r2num, &r);
893 CHECK(secp256k1_num_eq(&rnum, &r2num));
894 /* The result can only be zero if at least one of the factors was zero. */
895 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
896 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
897 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
898 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
902 secp256k1_scalar neg;
903 secp256k1_num negnum;
904 secp256k1_num negnum2;
905 /* Check that comparison with zero matches comparison with zero on the number. */
906 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
907 /* Check that comparison with the half order is equal to testing for high scalar. */
908 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
909 secp256k1_scalar_negate(&neg, &s);
910 secp256k1_num_sub(&negnum, &order, &snum);
911 secp256k1_num_mod(&negnum, &order);
912 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
913 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
914 /* Negating should change the high property, unless the value was already zero. */
915 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
916 secp256k1_scalar_get_num(&negnum2, &neg);
917 /* Negating a scalar should be equal to (order - n) mod order on the number. */
918 CHECK(secp256k1_num_eq(&negnum, &negnum2));
919 secp256k1_scalar_add(&neg, &neg, &s);
920 /* Adding a number to its negation should result in zero. */
921 CHECK(secp256k1_scalar_is_zero(&neg));
922 secp256k1_scalar_negate(&neg, &neg);
923 /* Negating zero should still result in zero. */
924 CHECK(secp256k1_scalar_is_zero(&neg));
928 /* Test secp256k1_scalar_mul_shift_var. */
933 unsigned char cone[1] = {0x01};
934 unsigned int shift = 256 + secp256k1_testrand_int(257);
935 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
936 secp256k1_num_mul(&rnum, &s1num, &s2num);
937 secp256k1_num_shift(&rnum, shift - 1);
938 secp256k1_num_set_bin(&one, cone, 1);
939 secp256k1_num_add(&rnum, &rnum, &one);
940 secp256k1_num_shift(&rnum, 1);
941 secp256k1_scalar_get_num(&rnum2, &r);
942 CHECK(secp256k1_num_eq(&rnum, &rnum2));
946 /* test secp256k1_scalar_shr_int */
949 random_scalar_order_test(&r);
950 for (i = 0; i < 100; ++i) {
952 int shift = 1 + secp256k1_testrand_int(15);
953 int expected = r.d[0] % (1 << shift);
954 low = secp256k1_scalar_shr_int(&r, shift);
955 CHECK(expected == low);
961 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
962 if (!secp256k1_scalar_is_zero(&s)) {
963 secp256k1_scalar inv;
965 secp256k1_num invnum;
966 secp256k1_num invnum2;
968 secp256k1_scalar_inverse(&inv, &s);
970 secp256k1_num_mod_inverse(&invnum, &snum, &order);
971 secp256k1_scalar_get_num(&invnum2, &inv);
972 CHECK(secp256k1_num_eq(&invnum, &invnum2));
974 secp256k1_scalar_mul(&inv, &inv, &s);
975 /* Multiplying a scalar with its inverse must result in one. */
976 CHECK(secp256k1_scalar_is_one(&inv));
977 secp256k1_scalar_inverse(&inv, &inv);
978 /* Inverting one must result in one. */
979 CHECK(secp256k1_scalar_is_one(&inv));
981 secp256k1_scalar_get_num(&invnum, &inv);
982 CHECK(secp256k1_num_is_one(&invnum));
988 /* Test commutativity of add. */
989 secp256k1_scalar r1, r2;
990 secp256k1_scalar_add(&r1, &s1, &s2);
991 secp256k1_scalar_add(&r2, &s2, &s1);
992 CHECK(secp256k1_scalar_eq(&r1, &r2));
996 secp256k1_scalar r1, r2;
1000 int bit = secp256k1_testrand_bits(8);
1001 secp256k1_scalar_set_int(&b, 1);
1002 CHECK(secp256k1_scalar_is_one(&b));
1003 for (i = 0; i < bit; i++) {
1004 secp256k1_scalar_add(&b, &b, &b);
1008 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1009 /* No overflow happened. */
1010 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1011 CHECK(secp256k1_scalar_eq(&r1, &r2));
1012 /* cadd is a noop when flag is zero */
1013 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1014 CHECK(secp256k1_scalar_eq(&r1, &r2));
1019 /* Test commutativity of mul. */
1020 secp256k1_scalar r1, r2;
1021 secp256k1_scalar_mul(&r1, &s1, &s2);
1022 secp256k1_scalar_mul(&r2, &s2, &s1);
1023 CHECK(secp256k1_scalar_eq(&r1, &r2));
1027 /* Test associativity of add. */
1028 secp256k1_scalar r1, r2;
1029 secp256k1_scalar_add(&r1, &s1, &s2);
1030 secp256k1_scalar_add(&r1, &r1, &s);
1031 secp256k1_scalar_add(&r2, &s2, &s);
1032 secp256k1_scalar_add(&r2, &s1, &r2);
1033 CHECK(secp256k1_scalar_eq(&r1, &r2));
1037 /* Test associativity of mul. */
1038 secp256k1_scalar r1, r2;
1039 secp256k1_scalar_mul(&r1, &s1, &s2);
1040 secp256k1_scalar_mul(&r1, &r1, &s);
1041 secp256k1_scalar_mul(&r2, &s2, &s);
1042 secp256k1_scalar_mul(&r2, &s1, &r2);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
1047 /* Test distributitivity of mul over add. */
1048 secp256k1_scalar r1, r2, t;
1049 secp256k1_scalar_add(&r1, &s1, &s2);
1050 secp256k1_scalar_mul(&r1, &r1, &s);
1051 secp256k1_scalar_mul(&r2, &s1, &s);
1052 secp256k1_scalar_mul(&t, &s2, &s);
1053 secp256k1_scalar_add(&r2, &r2, &t);
1054 CHECK(secp256k1_scalar_eq(&r1, &r2));
1059 secp256k1_scalar r1, r2;
1060 secp256k1_scalar_sqr(&r1, &s1);
1061 secp256k1_scalar_mul(&r2, &s1, &s1);
1062 CHECK(secp256k1_scalar_eq(&r1, &r2));
1066 /* Test multiplicative identity. */
1067 secp256k1_scalar r1, v1;
1068 secp256k1_scalar_set_int(&v1,1);
1069 secp256k1_scalar_mul(&r1, &s1, &v1);
1070 CHECK(secp256k1_scalar_eq(&r1, &s1));
1074 /* Test additive identity. */
1075 secp256k1_scalar r1, v0;
1076 secp256k1_scalar_set_int(&v0,0);
1077 secp256k1_scalar_add(&r1, &s1, &v0);
1078 CHECK(secp256k1_scalar_eq(&r1, &s1));
1082 /* Test zero product property. */
1083 secp256k1_scalar r1, v0;
1084 secp256k1_scalar_set_int(&v0,0);
1085 secp256k1_scalar_mul(&r1, &s1, &v0);
1086 CHECK(secp256k1_scalar_eq(&r1, &v0));
1091 void run_scalar_set_b32_seckey_tests(void) {
1092 unsigned char b32[32];
1093 secp256k1_scalar s1;
1094 secp256k1_scalar s2;
1096 /* Usually set_b32 and set_b32_seckey give the same result */
1097 random_scalar_order_b32(b32);
1098 secp256k1_scalar_set_b32(&s1, b32, NULL);
1099 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1100 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1102 memset(b32, 0, sizeof(b32));
1103 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1104 memset(b32, 0xFF, sizeof(b32));
1105 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1108 void run_scalar_tests(void) {
1110 for (i = 0; i < 128 * count; i++) {
1113 for (i = 0; i < count; i++) {
1114 run_scalar_set_b32_seckey_tests();
1118 /* (-1)+1 should be zero. */
1119 secp256k1_scalar s, o;
1120 secp256k1_scalar_set_int(&s, 1);
1121 CHECK(secp256k1_scalar_is_one(&s));
1122 secp256k1_scalar_negate(&o, &s);
1123 secp256k1_scalar_add(&o, &o, &s);
1124 CHECK(secp256k1_scalar_is_zero(&o));
1125 secp256k1_scalar_negate(&o, &o);
1126 CHECK(secp256k1_scalar_is_zero(&o));
1129 #ifndef USE_NUM_NONE
1131 /* Test secp256k1_scalar_set_b32 boundary conditions */
1132 secp256k1_num order;
1133 secp256k1_scalar scalar;
1134 unsigned char bin[32];
1135 unsigned char bin_tmp[32];
1137 /* 2^256-1 - order */
1138 static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1139 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1140 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1143 /* A scalar set to 0s should be 0. */
1145 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146 CHECK(overflow == 0);
1147 CHECK(secp256k1_scalar_is_zero(&scalar));
1149 /* A scalar with value of the curve order should be 0. */
1150 secp256k1_scalar_order_get_num(&order);
1151 secp256k1_num_get_bin(bin, 32, &order);
1152 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1153 CHECK(overflow == 1);
1154 CHECK(secp256k1_scalar_is_zero(&scalar));
1156 /* A scalar with value of the curve order minus one should not overflow. */
1158 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1159 CHECK(overflow == 0);
1160 secp256k1_scalar_get_b32(bin_tmp, &scalar);
1161 CHECK(secp256k1_memcmp_var(bin, bin_tmp, 32) == 0);
1163 /* A scalar set to all 1s should overflow. */
1164 memset(bin, 0xFF, 32);
1165 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1166 CHECK(overflow == 1);
1167 CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1172 /* Does check_overflow check catch all ones? */
1173 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1174 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1175 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1177 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1181 /* Static test vectors.
1182 * These were reduced from ~10^12 random vectors based on comparison-decision
1183 * and edge-case coverage on 32-bit and 64-bit implementations.
1184 * The responses were generated with Sage 5.9.
1189 secp256k1_scalar zz;
1190 secp256k1_scalar one;
1191 secp256k1_scalar r1;
1192 secp256k1_scalar r2;
1193 #if defined(USE_SCALAR_INV_NUM)
1194 secp256k1_scalar zzv;
1197 unsigned char chal[33][2][32] = {
1198 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1199 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1201 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1202 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1204 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1206 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1207 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1210 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1212 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1214 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1216 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1217 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1218 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1219 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1220 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1221 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1222 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1224 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1225 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1226 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1227 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1228 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1229 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1230 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1231 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1232 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1233 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1234 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1235 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1236 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1237 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1238 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1239 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1240 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1241 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1242 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1243 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1244 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1245 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1246 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1247 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1248 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1249 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1250 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1251 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1252 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1253 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1254 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1255 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1256 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1258 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1259 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1260 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1262 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1263 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1264 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1266 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1267 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1270 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1271 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1272 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1273 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1274 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1275 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1276 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1278 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1279 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1280 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1281 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1282 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1286 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1287 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1290 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1292 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1294 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1298 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1299 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1300 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1301 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1302 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1304 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1306 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1307 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1310 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1311 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1312 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1314 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1315 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1316 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1318 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1322 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1324 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1325 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1326 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1327 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1329 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1330 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1332 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1334 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1335 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1336 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1338 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1339 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1341 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1342 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1344 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1345 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1346 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1348 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1349 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1350 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1351 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1352 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1354 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1355 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1356 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1358 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1362 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1364 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1365 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1366 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1368 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1370 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1374 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1376 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1377 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1378 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1381 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1382 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1383 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1386 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1387 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1388 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1389 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1390 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1392 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1394 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1395 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1398 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1400 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1401 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1402 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1406 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1407 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1408 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1409 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1410 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1411 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1412 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1413 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1414 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1415 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1416 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1417 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1418 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1419 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1421 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1422 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1423 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1424 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1425 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1426 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1428 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1429 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1430 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1431 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1432 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1433 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1434 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1435 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1436 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1437 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1438 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1439 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1440 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1441 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1442 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1443 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1444 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1445 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1446 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1447 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1448 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1449 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1450 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1451 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1452 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1453 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1454 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1455 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1456 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1457 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1458 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1459 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1460 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1461 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1463 unsigned char res[33][2][32] = {
1464 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1465 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1466 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1467 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1468 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1469 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1470 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1471 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1472 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1473 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1474 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1475 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1476 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1477 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1478 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1479 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1480 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1481 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1482 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1483 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1484 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1485 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1486 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1487 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1488 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1489 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1490 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1491 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1492 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1493 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1494 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1495 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1496 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1497 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1498 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1499 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1500 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1501 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1502 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1503 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1504 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1505 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1506 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1507 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1508 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1509 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1510 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1511 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1512 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1513 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1514 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1515 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1516 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1517 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1518 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1519 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1520 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1521 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1522 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1523 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1524 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1525 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1526 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1527 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1528 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1529 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1530 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1531 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1532 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1533 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1534 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1535 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1536 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1537 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1538 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1539 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1540 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1541 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1542 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1543 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1544 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1545 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1546 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1547 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1548 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1549 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1550 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1551 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1552 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1553 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1554 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1555 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1556 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1557 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1558 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1559 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1560 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1561 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1562 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1563 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1564 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1565 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1566 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1567 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1568 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1569 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1570 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1571 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1572 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1573 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1574 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1575 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1576 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1577 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1578 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1579 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1580 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1581 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1582 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1583 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1584 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1585 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1586 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1587 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1588 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1589 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1590 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1591 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1592 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1593 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1594 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1595 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1596 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1597 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1598 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1599 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1600 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1601 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1602 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1603 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1604 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1605 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1606 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1607 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1608 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1609 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1610 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1611 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1612 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1613 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1614 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1615 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1616 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1617 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1618 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1619 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1620 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1621 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1622 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1623 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1624 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1628 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1631 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1632 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1636 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1640 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1641 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1642 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1643 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1644 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1645 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1646 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1647 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1648 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1649 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1650 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1651 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1652 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1653 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1654 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1655 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1656 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1658 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1659 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1660 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1661 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1662 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1663 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1664 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1665 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1666 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1667 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1668 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1672 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1673 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1674 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1675 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1676 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1677 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1678 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1679 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1680 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1681 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1682 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1683 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1684 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1685 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1686 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1687 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1688 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1689 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1690 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1691 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1692 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1693 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1694 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1695 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1696 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1697 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1698 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1699 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1700 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1701 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1702 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1703 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1704 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1705 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1706 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1707 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1708 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1709 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1710 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1711 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1712 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1713 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1714 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1715 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1716 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1717 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1718 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1719 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1720 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1721 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1722 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1723 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1724 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1725 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1726 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1727 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1729 secp256k1_scalar_set_int(&one, 1);
1730 for (i = 0; i < 33; i++) {
1731 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1733 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1735 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1737 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1739 secp256k1_scalar_mul(&z, &x, &y);
1740 CHECK(!secp256k1_scalar_check_overflow(&z));
1741 CHECK(secp256k1_scalar_eq(&r1, &z));
1742 if (!secp256k1_scalar_is_zero(&y)) {
1743 secp256k1_scalar_inverse(&zz, &y);
1744 CHECK(!secp256k1_scalar_check_overflow(&zz));
1745 #if defined(USE_SCALAR_INV_NUM)
1746 secp256k1_scalar_inverse_var(&zzv, &y);
1747 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1749 secp256k1_scalar_mul(&z, &z, &zz);
1750 CHECK(!secp256k1_scalar_check_overflow(&z));
1751 CHECK(secp256k1_scalar_eq(&x, &z));
1752 secp256k1_scalar_mul(&zz, &zz, &y);
1753 CHECK(!secp256k1_scalar_check_overflow(&zz));
1754 CHECK(secp256k1_scalar_eq(&one, &zz));
1756 secp256k1_scalar_mul(&z, &x, &x);
1757 CHECK(!secp256k1_scalar_check_overflow(&z));
1758 secp256k1_scalar_sqr(&zz, &x);
1759 CHECK(!secp256k1_scalar_check_overflow(&zz));
1760 CHECK(secp256k1_scalar_eq(&zz, &z));
1761 CHECK(secp256k1_scalar_eq(&r2, &zz));
1766 /***** FIELD TESTS *****/
1768 void random_fe(secp256k1_fe *x) {
1769 unsigned char bin[32];
1771 secp256k1_testrand256(bin);
1772 if (secp256k1_fe_set_b32(x, bin)) {
1778 void random_fe_test(secp256k1_fe *x) {
1779 unsigned char bin[32];
1781 secp256k1_testrand256_test(bin);
1782 if (secp256k1_fe_set_b32(x, bin)) {
1788 void random_fe_non_zero(secp256k1_fe *nz) {
1790 while (--tries >= 0) {
1792 secp256k1_fe_normalize(nz);
1793 if (!secp256k1_fe_is_zero(nz)) {
1797 /* Infinitesimal probability of spurious failure here */
1801 void random_fe_non_square(secp256k1_fe *ns) {
1803 random_fe_non_zero(ns);
1804 if (secp256k1_fe_sqrt(&r, ns)) {
1805 secp256k1_fe_negate(ns, ns, 1);
1809 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1810 secp256k1_fe an = *a;
1811 secp256k1_fe bn = *b;
1812 secp256k1_fe_normalize_weak(&an);
1813 secp256k1_fe_normalize_var(&bn);
1814 return secp256k1_fe_equal_var(&an, &bn);
1817 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1819 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1820 secp256k1_fe_mul(&x, a, ai);
1821 return check_fe_equal(&x, &one);
1824 void run_field_convert(void) {
1825 static const unsigned char b32[32] = {
1826 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1827 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1828 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1829 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1831 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1832 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1833 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1835 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1836 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1837 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1840 unsigned char b322[32];
1841 secp256k1_fe_storage fes2;
1842 /* Check conversions to fe. */
1843 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1844 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1845 secp256k1_fe_from_storage(&fe2, &fes);
1846 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1847 /* Check conversion from fe. */
1848 secp256k1_fe_get_b32(b322, &fe);
1849 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1850 secp256k1_fe_to_storage(&fes2, &fe);
1851 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1854 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1855 secp256k1_fe t = *b;
1857 t.magnitude = a->magnitude;
1858 t.normalized = a->normalized;
1860 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1863 void run_field_misc(void) {
1868 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1870 for (i = 0; i < 5*count; i++) {
1871 secp256k1_fe_storage xs, ys, zs;
1873 random_fe_non_zero(&y);
1874 /* Test the fe equality and comparison operations. */
1875 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1876 CHECK(secp256k1_fe_equal_var(&x, &x));
1878 secp256k1_fe_add(&z,&y);
1879 /* Test fe conditional move; z is not normalized here. */
1881 secp256k1_fe_cmov(&x, &z, 0);
1883 CHECK(x.normalized && x.magnitude == 1);
1885 secp256k1_fe_cmov(&x, &x, 1);
1886 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1887 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1888 secp256k1_fe_cmov(&q, &z, 1);
1890 CHECK(!q.normalized && q.magnitude == z.magnitude);
1892 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1893 secp256k1_fe_normalize_var(&x);
1894 secp256k1_fe_normalize_var(&z);
1895 CHECK(!secp256k1_fe_equal_var(&x, &z));
1896 secp256k1_fe_normalize_var(&q);
1897 secp256k1_fe_cmov(&q, &z, (i&1));
1899 CHECK(q.normalized && q.magnitude == 1);
1901 for (j = 0; j < 6; j++) {
1902 secp256k1_fe_negate(&z, &z, j+1);
1903 secp256k1_fe_normalize_var(&q);
1904 secp256k1_fe_cmov(&q, &z, (j&1));
1906 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1909 secp256k1_fe_normalize_var(&z);
1910 /* Test storage conversion and conditional moves. */
1911 secp256k1_fe_to_storage(&xs, &x);
1912 secp256k1_fe_to_storage(&ys, &y);
1913 secp256k1_fe_to_storage(&zs, &z);
1914 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1915 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1916 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
1917 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1918 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
1919 secp256k1_fe_from_storage(&x, &xs);
1920 secp256k1_fe_from_storage(&y, &ys);
1921 secp256k1_fe_from_storage(&z, &zs);
1922 /* Test that mul_int, mul, and add agree. */
1923 secp256k1_fe_add(&y, &x);
1924 secp256k1_fe_add(&y, &x);
1926 secp256k1_fe_mul_int(&z, 3);
1927 CHECK(check_fe_equal(&y, &z));
1928 secp256k1_fe_add(&y, &x);
1929 secp256k1_fe_add(&z, &x);
1930 CHECK(check_fe_equal(&z, &y));
1932 secp256k1_fe_mul_int(&z, 5);
1933 secp256k1_fe_mul(&q, &x, &fe5);
1934 CHECK(check_fe_equal(&z, &q));
1935 secp256k1_fe_negate(&x, &x, 1);
1936 secp256k1_fe_add(&z, &x);
1937 secp256k1_fe_add(&q, &x);
1938 CHECK(check_fe_equal(&y, &z));
1939 CHECK(check_fe_equal(&q, &y));
1943 void run_field_inv(void) {
1944 secp256k1_fe x, xi, xii;
1946 for (i = 0; i < 10*count; i++) {
1947 random_fe_non_zero(&x);
1948 secp256k1_fe_inv(&xi, &x);
1949 CHECK(check_fe_inverse(&x, &xi));
1950 secp256k1_fe_inv(&xii, &xi);
1951 CHECK(check_fe_equal(&x, &xii));
1955 void run_field_inv_var(void) {
1956 secp256k1_fe x, xi, xii;
1958 for (i = 0; i < 10*count; i++) {
1959 random_fe_non_zero(&x);
1960 secp256k1_fe_inv_var(&xi, &x);
1961 CHECK(check_fe_inverse(&x, &xi));
1962 secp256k1_fe_inv_var(&xii, &xi);
1963 CHECK(check_fe_equal(&x, &xii));
1967 void run_field_inv_all_var(void) {
1968 secp256k1_fe x[16], xi[16], xii[16];
1970 /* Check it's safe to call for 0 elements */
1971 secp256k1_fe_inv_all_var(xi, x, 0);
1972 for (i = 0; i < count; i++) {
1974 size_t len = secp256k1_testrand_int(15) + 1;
1975 for (j = 0; j < len; j++) {
1976 random_fe_non_zero(&x[j]);
1978 secp256k1_fe_inv_all_var(xi, x, len);
1979 for (j = 0; j < len; j++) {
1980 CHECK(check_fe_inverse(&x[j], &xi[j]));
1982 secp256k1_fe_inv_all_var(xii, xi, len);
1983 for (j = 0; j < len; j++) {
1984 CHECK(check_fe_equal(&x[j], &xii[j]));
1989 void run_sqr(void) {
1994 secp256k1_fe_set_int(&x, 1);
1995 secp256k1_fe_negate(&x, &x, 1);
1997 for (i = 1; i <= 512; ++i) {
1998 secp256k1_fe_mul_int(&x, 2);
1999 secp256k1_fe_normalize(&x);
2000 secp256k1_fe_sqr(&s, &x);
2005 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2006 secp256k1_fe r1, r2;
2007 int v = secp256k1_fe_sqrt(&r1, a);
2008 CHECK((v == 0) == (k == NULL));
2011 /* Check that the returned root is +/- the given known answer */
2012 secp256k1_fe_negate(&r2, &r1, 1);
2013 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2014 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2015 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2019 void run_sqrt(void) {
2020 secp256k1_fe ns, x, s, t;
2023 /* Check sqrt(0) is 0 */
2024 secp256k1_fe_set_int(&x, 0);
2025 secp256k1_fe_sqr(&s, &x);
2028 /* Check sqrt of small squares (and their negatives) */
2029 for (i = 1; i <= 100; i++) {
2030 secp256k1_fe_set_int(&x, i);
2031 secp256k1_fe_sqr(&s, &x);
2033 secp256k1_fe_negate(&t, &s, 1);
2034 test_sqrt(&t, NULL);
2037 /* Consistency checks for large random values */
2038 for (i = 0; i < 10; i++) {
2040 random_fe_non_square(&ns);
2041 for (j = 0; j < count; j++) {
2043 secp256k1_fe_sqr(&s, &x);
2045 secp256k1_fe_negate(&t, &s, 1);
2046 test_sqrt(&t, NULL);
2047 secp256k1_fe_mul(&t, &s, &ns);
2048 test_sqrt(&t, NULL);
2053 /***** GROUP TESTS *****/
2055 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2056 CHECK(a->infinity == b->infinity);
2060 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2061 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2064 /* This compares jacobian points including their Z, not just their geometric meaning. */
2065 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2069 ret &= a->infinity == b->infinity;
2070 if (ret && !a->infinity) {
2073 secp256k1_fe_normalize(&a2.x);
2074 secp256k1_fe_normalize(&a2.y);
2075 secp256k1_fe_normalize(&a2.z);
2076 secp256k1_fe_normalize(&b2.x);
2077 secp256k1_fe_normalize(&b2.y);
2078 secp256k1_fe_normalize(&b2.z);
2079 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2080 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2081 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2086 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2088 secp256k1_fe u1, u2, s1, s2;
2089 CHECK(a->infinity == b->infinity);
2093 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2094 secp256k1_fe_sqr(&z2s, &b->z);
2095 secp256k1_fe_mul(&u1, &a->x, &z2s);
2096 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2097 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2098 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2099 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2100 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2103 void test_ge(void) {
2105 #ifdef USE_ENDOMORPHISM
2110 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2111 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2112 * All magnitudes are randomized.
2113 * All 17*17 combinations of points are added to each other, using all applicable methods.
2115 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
2117 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2118 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2119 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2121 secp256k1_fe zfi2, zfi3;
2123 secp256k1_gej_set_infinity(&gej[0]);
2124 secp256k1_ge_clear(&ge[0]);
2125 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2126 for (i = 0; i < runs; i++) {
2129 random_group_element_test(&g);
2130 #ifdef USE_ENDOMORPHISM
2131 if (i >= runs - 2) {
2132 secp256k1_ge_mul_lambda(&g, &ge[1]);
2134 if (i >= runs - 1) {
2135 secp256k1_ge_mul_lambda(&g, &g);
2140 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2141 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2142 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2143 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2144 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2145 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2146 for (j = 0; j < 4; j++) {
2147 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2148 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2149 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2150 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2151 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2155 /* Compute z inverses. */
2157 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2158 for (i = 0; i < 4 * runs + 1; i++) {
2160 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2162 random_field_element_test(&zs[i]);
2163 } while(secp256k1_fe_is_zero(&zs[i]));
2168 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2172 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2174 random_field_element_test(&zf);
2175 } while(secp256k1_fe_is_zero(&zf));
2176 random_field_element_magnitude(&zf);
2177 secp256k1_fe_inv_var(&zfi3, &zf);
2178 secp256k1_fe_sqr(&zfi2, &zfi3);
2179 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2181 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2183 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2184 /* Compute reference result using gej + gej (var). */
2185 secp256k1_gej refj, resj;
2188 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2189 /* Check Z ratio. */
2190 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2191 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2192 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2194 secp256k1_ge_set_gej_var(&ref, &refj);
2196 /* Test gej + ge with Z ratio result (var). */
2197 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2198 ge_equals_gej(&ref, &resj);
2199 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2200 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2201 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2204 /* Test gej + ge (var, with additional Z factor). */
2206 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2207 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2208 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2209 random_field_element_magnitude(&ge2_zfi.x);
2210 random_field_element_magnitude(&ge2_zfi.y);
2211 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2212 ge_equals_gej(&ref, &resj);
2215 /* Test gej + ge (const). */
2217 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2218 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2219 ge_equals_gej(&ref, &resj);
2222 /* Test doubling (var). */
2223 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2225 /* Normal doubling with Z ratio result. */
2226 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2227 ge_equals_gej(&ref, &resj);
2228 /* Check Z ratio. */
2229 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2230 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2231 /* Normal doubling. */
2232 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2233 ge_equals_gej(&ref, &resj);
2234 /* Constant-time doubling. */
2235 secp256k1_gej_double(&resj, &gej[i2]);
2236 ge_equals_gej(&ref, &resj);
2239 /* Test adding opposites. */
2240 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2241 CHECK(secp256k1_ge_is_infinity(&ref));
2244 /* Test adding infinity. */
2246 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2247 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2248 ge_equals_gej(&ref, &gej[i2]);
2251 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2252 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2253 ge_equals_gej(&ref, &gej[i1]);
2258 /* Test adding all points together in random order equals infinity. */
2260 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2261 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2262 for (i = 0; i < 4 * runs + 1; i++) {
2263 gej_shuffled[i] = gej[i];
2265 for (i = 0; i < 4 * runs + 1; i++) {
2266 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2268 secp256k1_gej t = gej_shuffled[i];
2269 gej_shuffled[i] = gej_shuffled[swap];
2270 gej_shuffled[swap] = t;
2273 for (i = 0; i < 4 * runs + 1; i++) {
2274 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2276 CHECK(secp256k1_gej_is_infinity(&sum));
2280 /* Test batch gej -> ge conversion with and without known z ratios. */
2282 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2283 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2284 for (i = 0; i < 4 * runs + 1; i++) {
2285 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2287 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2290 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2291 for (i = 0; i < 4 * runs + 1; i++) {
2293 random_fe_non_zero(&s);
2294 secp256k1_gej_rescale(&gej[i], &s);
2295 ge_equals_gej(&ge_set_all[i], &gej[i]);
2301 /* Test batch gej -> ge conversion with many infinities. */
2302 for (i = 0; i < 4 * runs + 1; i++) {
2303 random_group_element_test(&ge[i]);
2304 /* randomly set half the points to infinity */
2305 if(secp256k1_fe_is_odd(&ge[i].x)) {
2306 secp256k1_ge_set_infinity(&ge[i]);
2308 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2311 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2313 for (i = 0; i < 4 * runs + 1; i++) {
2314 ge_equals_gej(&ge[i], &gej[i]);
2323 void test_intialized_inf(void) {
2325 secp256k1_gej pj, npj, infj1, infj2, infj3;
2328 /* Test that adding P+(-P) results in a fully initalized infinity*/
2329 random_group_element_test(&p);
2330 secp256k1_gej_set_ge(&pj, &p);
2331 secp256k1_gej_neg(&npj, &pj);
2333 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2334 CHECK(secp256k1_gej_is_infinity(&infj1));
2335 CHECK(secp256k1_fe_is_zero(&infj1.x));
2336 CHECK(secp256k1_fe_is_zero(&infj1.y));
2337 CHECK(secp256k1_fe_is_zero(&infj1.z));
2339 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2340 CHECK(secp256k1_gej_is_infinity(&infj2));
2341 CHECK(secp256k1_fe_is_zero(&infj2.x));
2342 CHECK(secp256k1_fe_is_zero(&infj2.y));
2343 CHECK(secp256k1_fe_is_zero(&infj2.z));
2345 secp256k1_fe_set_int(&zinv, 1);
2346 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2347 CHECK(secp256k1_gej_is_infinity(&infj3));
2348 CHECK(secp256k1_fe_is_zero(&infj3.x));
2349 CHECK(secp256k1_fe_is_zero(&infj3.y));
2350 CHECK(secp256k1_fe_is_zero(&infj3.z));
2355 void test_add_neg_y_diff_x(void) {
2356 /* The point of this test is to check that we can add two points
2357 * whose y-coordinates are negatives of each other but whose x
2358 * coordinates differ. If the x-coordinates were the same, these
2359 * points would be negatives of each other and their sum is
2360 * infinity. This is cool because it "covers up" any degeneracy
2361 * in the addition algorithm that would cause the xy coordinates
2362 * of the sum to be wrong (since infinity has no xy coordinates).
2363 * HOWEVER, if the x-coordinates are different, infinity is the
2364 * wrong answer, and such degeneracies are exposed. This is the
2365 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2366 * which this test is a regression test for.
2368 * These points were generated in sage as
2369 * # secp256k1 params
2370 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2371 * C = EllipticCurve ([F (0), F (7)])
2372 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2373 * N = FiniteField(G.order())
2375 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2377 * lam = (1 - x^3).roots()[1][0]
2379 * # random "bad pair"
2380 * P = C.random_element()
2382 * print " P: %x %x" % P.xy()
2383 * print " Q: %x %x" % Q.xy()
2384 * print "P + Q: %x %x" % (P + Q).xy()
2386 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2387 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2388 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2389 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2390 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2392 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2393 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2394 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2395 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2396 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2398 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2399 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2400 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2401 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2402 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2407 secp256k1_ge_set_gej(&b, &bj);
2409 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2410 secp256k1_ge_set_gej(&res, &resj);
2411 ge_equals_gej(&res, &sumj);
2413 secp256k1_gej_add_ge(&resj, &aj, &b);
2414 secp256k1_ge_set_gej(&res, &resj);
2415 ge_equals_gej(&res, &sumj);
2417 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2418 secp256k1_ge_set_gej(&res, &resj);
2419 ge_equals_gej(&res, &sumj);
2424 for (i = 0; i < count * 32; i++) {
2427 test_add_neg_y_diff_x();
2428 test_intialized_inf();
2431 void test_ec_combine(void) {
2432 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2433 secp256k1_pubkey data[6];
2434 const secp256k1_pubkey* d[6];
2435 secp256k1_pubkey sd;
2436 secp256k1_pubkey sd2;
2440 for (i = 1; i <= 6; i++) {
2442 random_scalar_order_test(&s);
2443 secp256k1_scalar_add(&sum, &sum, &s);
2444 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2445 secp256k1_ge_set_gej(&Q, &Qj);
2446 secp256k1_pubkey_save(&data[i - 1], &Q);
2447 d[i - 1] = &data[i - 1];
2448 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2449 secp256k1_ge_set_gej(&Q, &Qj);
2450 secp256k1_pubkey_save(&sd, &Q);
2451 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2452 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2456 void run_ec_combine(void) {
2458 for (i = 0; i < count * 8; i++) {
2463 void test_group_decompress(const secp256k1_fe* x) {
2464 /* The input itself, normalized. */
2465 secp256k1_fe fex = *x;
2467 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2468 secp256k1_ge ge_quad, ge_even, ge_odd;
2469 secp256k1_gej gej_quad;
2470 /* Return values of the above calls. */
2471 int res_quad, res_even, res_odd;
2473 secp256k1_fe_normalize_var(&fex);
2475 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2476 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2477 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2479 CHECK(res_quad == res_even);
2480 CHECK(res_quad == res_odd);
2483 secp256k1_fe_normalize_var(&ge_quad.x);
2484 secp256k1_fe_normalize_var(&ge_odd.x);
2485 secp256k1_fe_normalize_var(&ge_even.x);
2486 secp256k1_fe_normalize_var(&ge_quad.y);
2487 secp256k1_fe_normalize_var(&ge_odd.y);
2488 secp256k1_fe_normalize_var(&ge_even.y);
2490 /* No infinity allowed. */
2491 CHECK(!ge_quad.infinity);
2492 CHECK(!ge_even.infinity);
2493 CHECK(!ge_odd.infinity);
2495 /* Check that the x coordinates check out. */
2496 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2497 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2498 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2500 /* Check that the Y coordinate result in ge_quad is a square. */
2501 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2503 /* Check odd/even Y in ge_odd, ge_even. */
2504 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2505 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2507 /* Check secp256k1_gej_has_quad_y_var. */
2508 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2509 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2511 random_fe_test(&fez);
2512 } while (secp256k1_fe_is_zero(&fez));
2513 secp256k1_gej_rescale(&gej_quad, &fez);
2514 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2515 secp256k1_gej_neg(&gej_quad, &gej_quad);
2516 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2518 random_fe_test(&fez);
2519 } while (secp256k1_fe_is_zero(&fez));
2520 secp256k1_gej_rescale(&gej_quad, &fez);
2521 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2522 secp256k1_gej_neg(&gej_quad, &gej_quad);
2523 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2527 void run_group_decompress(void) {
2529 for (i = 0; i < count * 4; i++) {
2531 random_fe_test(&fe);
2532 test_group_decompress(&fe);
2536 /***** ECMULT TESTS *****/
2538 void run_ecmult_chain(void) {
2539 /* random starting point A (on the curve) */
2540 secp256k1_gej a = SECP256K1_GEJ_CONST(
2541 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2542 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2543 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2544 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2546 /* two random initial factors xn and gn */
2547 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2548 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2549 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2551 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2552 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2553 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2555 /* two small multipliers to be applied to xn and gn in every iteration: */
2556 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2557 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2558 /* accumulators with the resulting coefficients to A and G */
2559 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2560 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2566 /* the point being computed */
2568 for (i = 0; i < 200*count; i++) {
2569 /* in each iteration, compute X = xn*X + gn*G; */
2570 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2571 /* also compute ae and ge: the actual accumulated factors for A and G */
2572 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2573 secp256k1_scalar_mul(&ae, &ae, &xn);
2574 secp256k1_scalar_mul(&ge, &ge, &xn);
2575 secp256k1_scalar_add(&ge, &ge, &gn);
2576 /* modify xn and gn */
2577 secp256k1_scalar_mul(&xn, &xn, &xf);
2578 secp256k1_scalar_mul(&gn, &gn, &gf);
2582 /* expected result after 19999 iterations */
2583 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2584 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2585 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2586 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2587 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2590 secp256k1_gej_neg(&rp, &rp);
2591 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2592 CHECK(secp256k1_gej_is_infinity(&rp));
2595 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2596 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2597 secp256k1_gej_neg(&x2, &x2);
2598 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2599 CHECK(secp256k1_gej_is_infinity(&x2));
2602 void test_point_times_order(const secp256k1_gej *point) {
2603 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2605 secp256k1_scalar nx;
2606 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2607 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2608 secp256k1_gej res1, res2;
2610 unsigned char pub[65];
2612 random_scalar_order_test(&x);
2613 secp256k1_scalar_negate(&nx, &x);
2614 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2615 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2616 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2617 CHECK(secp256k1_gej_is_infinity(&res1));
2618 secp256k1_ge_set_gej(&res3, &res1);
2619 CHECK(secp256k1_ge_is_infinity(&res3));
2620 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2621 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2623 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2624 /* check zero/one edge cases */
2625 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2626 secp256k1_ge_set_gej(&res3, &res1);
2627 CHECK(secp256k1_ge_is_infinity(&res3));
2628 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2629 secp256k1_ge_set_gej(&res3, &res1);
2630 ge_equals_gej(&res3, point);
2631 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2632 secp256k1_ge_set_gej(&res3, &res1);
2633 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2636 void run_point_times_order(void) {
2638 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2639 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2640 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2641 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2643 for (i = 0; i < 500; i++) {
2645 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2647 CHECK(secp256k1_ge_is_valid_var(&p));
2648 secp256k1_gej_set_ge(&j, &p);
2649 test_point_times_order(&j);
2651 secp256k1_fe_sqr(&x, &x);
2653 secp256k1_fe_normalize_var(&x);
2654 CHECK(secp256k1_fe_equal_var(&x, &xr));
2657 void ecmult_const_random_mult(void) {
2658 /* random starting point A (on the curve) */
2659 secp256k1_ge a = SECP256K1_GE_CONST(
2660 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2661 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2662 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2663 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2665 /* random initial factor xn */
2666 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2667 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2668 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2670 /* expected xn * A (from sage) */
2671 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2672 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2673 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2674 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2675 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2678 secp256k1_ecmult_const(&b, &a, &xn, 256);
2680 CHECK(secp256k1_ge_is_valid_var(&a));
2681 ge_equals_gej(&expected_b, &b);
2684 void ecmult_const_commutativity(void) {
2691 random_scalar_order_test(&a);
2692 random_scalar_order_test(&b);
2694 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2695 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2696 secp256k1_ge_set_gej(&mid1, &res1);
2697 secp256k1_ge_set_gej(&mid2, &res2);
2698 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2699 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2700 secp256k1_ge_set_gej(&mid1, &res1);
2701 secp256k1_ge_set_gej(&mid2, &res2);
2702 ge_equals_ge(&mid1, &mid2);
2705 void ecmult_const_mult_zero_one(void) {
2706 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2707 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2708 secp256k1_scalar negone;
2712 secp256k1_scalar_negate(&negone, &one);
2714 random_group_element_test(&point);
2715 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2716 secp256k1_ge_set_gej(&res2, &res1);
2717 CHECK(secp256k1_ge_is_infinity(&res2));
2718 secp256k1_ecmult_const(&res1, &point, &one, 2);
2719 secp256k1_ge_set_gej(&res2, &res1);
2720 ge_equals_ge(&res2, &point);
2721 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2722 secp256k1_gej_neg(&res1, &res1);
2723 secp256k1_ge_set_gej(&res2, &res1);
2724 ge_equals_ge(&res2, &point);
2727 void ecmult_const_chain_multiply(void) {
2728 /* Check known result (randomly generated test problem from sage) */
2729 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2730 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2731 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2733 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2734 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2735 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2736 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2737 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2739 secp256k1_gej point;
2743 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2744 for (i = 0; i < 100; ++i) {
2746 secp256k1_ge_set_gej(&tmp, &point);
2747 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2749 secp256k1_ge_set_gej(&res, &point);
2750 ge_equals_gej(&res, &expected_point);
2753 void run_ecmult_const_tests(void) {
2754 ecmult_const_mult_zero_one();
2755 ecmult_const_random_mult();
2756 ecmult_const_commutativity();
2757 ecmult_const_chain_multiply();
2761 secp256k1_scalar *sc;
2763 } ecmult_multi_data;
2765 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2766 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2767 *sc = data->sc[idx];
2768 *pt = data->pt[idx];
2772 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2780 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2782 secp256k1_scalar szero;
2783 secp256k1_scalar sc[32];
2784 secp256k1_ge pt[32];
2787 ecmult_multi_data data;
2791 secp256k1_scalar_set_int(&szero, 0);
2793 /* No points to multiply */
2794 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2796 /* Check 1- and 2-point multiplies against ecmult */
2797 for (ncount = 0; ncount < count; ncount++) {
2800 random_scalar_order(&sc[0]);
2801 random_scalar_order(&sc[1]);
2803 random_group_element_test(&ptg);
2804 secp256k1_gej_set_ge(&ptgj, &ptg);
2806 pt[1] = secp256k1_ge_const_g;
2809 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2810 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2811 secp256k1_gej_neg(&r2, &r2);
2812 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2813 CHECK(secp256k1_gej_is_infinity(&r));
2816 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2817 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2818 secp256k1_gej_neg(&r2, &r2);
2819 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2820 CHECK(secp256k1_gej_is_infinity(&r));
2822 /* Try to multiply 1 point, but callback returns false */
2823 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2826 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2827 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2828 secp256k1_gej_neg(&r2, &r2);
2829 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2830 CHECK(secp256k1_gej_is_infinity(&r));
2832 /* 2-point with G scalar */
2833 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2834 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2835 secp256k1_gej_neg(&r2, &r2);
2836 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2837 CHECK(secp256k1_gej_is_infinity(&r));
2840 /* Check infinite outputs of various forms */
2841 for (ncount = 0; ncount < count; ncount++) {
2844 size_t sizes[] = { 2, 10, 32 };
2846 for (j = 0; j < 3; j++) {
2847 for (i = 0; i < 32; i++) {
2848 random_scalar_order(&sc[i]);
2849 secp256k1_ge_set_infinity(&pt[i]);
2851 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2852 CHECK(secp256k1_gej_is_infinity(&r));
2855 for (j = 0; j < 3; j++) {
2856 for (i = 0; i < 32; i++) {
2857 random_group_element_test(&ptg);
2859 secp256k1_scalar_set_int(&sc[i], 0);
2861 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2862 CHECK(secp256k1_gej_is_infinity(&r));
2865 for (j = 0; j < 3; j++) {
2866 random_group_element_test(&ptg);
2867 for (i = 0; i < 16; i++) {
2868 random_scalar_order(&sc[2*i]);
2869 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2871 pt[2 * i + 1] = ptg;
2874 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2875 CHECK(secp256k1_gej_is_infinity(&r));
2877 random_scalar_order(&sc[0]);
2878 for (i = 0; i < 16; i++) {
2879 random_group_element_test(&ptg);
2884 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2887 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2888 CHECK(secp256k1_gej_is_infinity(&r));
2891 random_group_element_test(&ptg);
2892 secp256k1_scalar_set_int(&sc[0], 0);
2894 for (i = 1; i < 32; i++) {
2897 random_scalar_order(&sc[i]);
2898 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2899 secp256k1_scalar_negate(&sc[i], &sc[i]);
2902 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2903 CHECK(secp256k1_gej_is_infinity(&r));
2906 /* Check random points, constant scalar */
2907 for (ncount = 0; ncount < count; ncount++) {
2909 secp256k1_gej_set_infinity(&r);
2911 random_scalar_order(&sc[0]);
2912 for (i = 0; i < 20; i++) {
2915 random_group_element_test(&ptg);
2917 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2920 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2921 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2922 secp256k1_gej_neg(&r2, &r2);
2923 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2924 CHECK(secp256k1_gej_is_infinity(&r));
2927 /* Check random scalars, constant point */
2928 for (ncount = 0; ncount < count; ncount++) {
2932 secp256k1_scalar rs;
2933 secp256k1_scalar_set_int(&rs, 0);
2935 random_group_element_test(&ptg);
2936 for (i = 0; i < 20; i++) {
2937 random_scalar_order(&sc[i]);
2939 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2942 secp256k1_gej_set_ge(&p0j, &pt[0]);
2943 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2944 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2945 secp256k1_gej_neg(&r2, &r2);
2946 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2947 CHECK(secp256k1_gej_is_infinity(&r));
2950 /* Sanity check that zero scalars don't cause problems */
2951 for (ncount = 0; ncount < 20; ncount++) {
2952 random_scalar_order(&sc[ncount]);
2953 random_group_element_test(&pt[ncount]);
2956 secp256k1_scalar_clear(&sc[0]);
2957 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2958 secp256k1_scalar_clear(&sc[1]);
2959 secp256k1_scalar_clear(&sc[2]);
2960 secp256k1_scalar_clear(&sc[3]);
2961 secp256k1_scalar_clear(&sc[4]);
2962 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2963 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2964 CHECK(secp256k1_gej_is_infinity(&r));
2966 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2968 const size_t TOP = 8;
2974 random_group_element_test(&ptg);
2975 secp256k1_gej_set_ge(&ptgj, &ptg);
2977 for(t0i = 0; t0i < TOP; t0i++) {
2978 for(t1i = 0; t1i < TOP; t1i++) {
2979 secp256k1_gej t0p, t1p;
2980 secp256k1_scalar t0, t1;
2982 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2983 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2984 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2985 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2987 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2988 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2990 for(s0i = 0; s0i < TOP; s0i++) {
2991 for(s1i = 0; s1i < TOP; s1i++) {
2992 secp256k1_scalar tmp1, tmp2;
2993 secp256k1_gej expected, actual;
2995 secp256k1_ge_set_gej(&pt[0], &t0p);
2996 secp256k1_ge_set_gej(&pt[1], &t1p);
2998 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2999 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3000 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3001 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3003 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3004 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3005 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3007 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3008 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3009 secp256k1_gej_neg(&expected, &expected);
3010 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3011 CHECK(secp256k1_gej_is_infinity(&actual));
3019 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3020 secp256k1_scalar szero;
3021 secp256k1_scalar sc;
3024 ecmult_multi_data data;
3025 secp256k1_scratch *scratch_empty;
3027 random_group_element_test(&pt);
3028 random_scalar_order(&sc);
3031 secp256k1_scalar_set_int(&szero, 0);
3033 /* Try to multiply 1 point, but scratch space is empty.*/
3034 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3035 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3036 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3039 void test_secp256k1_pippenger_bucket_window_inv(void) {
3042 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3043 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3044 #ifdef USE_ENDOMORPHISM
3045 /* Bucket_window of 8 is not used with endo */
3050 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3051 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3052 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3058 * Probabilistically test the function returning the maximum number of possible points
3059 * for a given scratch space.
3061 void test_ecmult_multi_pippenger_max_points(void) {
3062 size_t scratch_size = secp256k1_testrand_int(256);
3063 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3064 secp256k1_scratch *scratch;
3065 size_t n_points_supported;
3066 int bucket_window = 0;
3068 for(; scratch_size < max_size; scratch_size+=256) {
3072 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3073 CHECK(scratch != NULL);
3074 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3075 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3076 if (n_points_supported == 0) {
3077 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3080 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3081 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3082 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3083 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3084 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3087 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3088 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3089 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3091 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3094 void test_ecmult_multi_batch_size_helper(void) {
3095 size_t n_batches, n_batch_points, max_n_batch_points, n;
3097 max_n_batch_points = 0;
3099 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3101 max_n_batch_points = 1;
3103 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3104 CHECK(n_batches == 0);
3105 CHECK(n_batch_points == 0);
3107 max_n_batch_points = 2;
3109 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3110 CHECK(n_batches == 3);
3111 CHECK(n_batch_points == 2);
3113 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3114 n = ECMULT_MAX_POINTS_PER_BATCH;
3115 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3116 CHECK(n_batches == 1);
3117 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3119 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3120 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3121 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3122 CHECK(n_batches == 2);
3123 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3125 max_n_batch_points = 1;
3127 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3128 CHECK(n_batches == SIZE_MAX);
3129 CHECK(n_batch_points == 1);
3131 max_n_batch_points = 2;
3133 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3134 CHECK(n_batches == SIZE_MAX/2 + 1);
3135 CHECK(n_batch_points == 2);
3139 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3140 * 1 <= i <= num points.
3142 void test_ecmult_multi_batching(void) {
3143 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3144 secp256k1_scalar scG;
3145 secp256k1_scalar szero;
3146 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3147 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3150 ecmult_multi_data data;
3152 secp256k1_scratch *scratch;
3154 secp256k1_gej_set_infinity(&r2);
3155 secp256k1_scalar_set_int(&szero, 0);
3157 /* Get random scalars and group elements and compute result */
3158 random_scalar_order(&scG);
3159 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3160 for(i = 0; i < n_points; i++) {
3163 random_group_element_test(&ptg);
3164 secp256k1_gej_set_ge(&ptgj, &ptg);
3166 random_scalar_order(&sc[i]);
3167 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3168 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3172 secp256k1_gej_neg(&r2, &r2);
3174 /* Test with empty scratch space. It should compute the correct result using
3175 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3176 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3177 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3178 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3179 CHECK(secp256k1_gej_is_infinity(&r));
3180 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3182 /* Test with space for 1 point in pippenger. That's not enough because
3183 * ecmult_multi selects strauss which requires more memory. It should
3184 * therefore select the simple algorithm. */
3185 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3186 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3187 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3188 CHECK(secp256k1_gej_is_infinity(&r));
3189 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3191 for(i = 1; i <= n_points; i++) {
3192 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3193 int bucket_window = secp256k1_pippenger_bucket_window(i);
3194 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3195 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3197 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3198 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3200 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3201 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3202 CHECK(secp256k1_gej_is_infinity(&r));
3203 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3209 void run_ecmult_multi_tests(void) {
3210 secp256k1_scratch *scratch;
3212 test_secp256k1_pippenger_bucket_window_inv();
3213 test_ecmult_multi_pippenger_max_points();
3214 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3215 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3216 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3217 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3218 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3219 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3220 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3221 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3223 /* Run test_ecmult_multi with space for exactly one point */
3224 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3225 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3226 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3228 test_ecmult_multi_batch_size_helper();
3229 test_ecmult_multi_batching();
3232 void test_wnaf(const secp256k1_scalar *number, int w) {
3233 secp256k1_scalar x, two, t;
3238 secp256k1_scalar_set_int(&x, 0);
3239 secp256k1_scalar_set_int(&two, 2);
3240 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3242 for (i = bits-1; i >= 0; i--) {
3244 secp256k1_scalar_mul(&x, &x, &two);
3246 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3248 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3249 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3250 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3252 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3256 secp256k1_scalar_set_int(&t, v);
3258 secp256k1_scalar_set_int(&t, -v);
3259 secp256k1_scalar_negate(&t, &t);
3261 secp256k1_scalar_add(&x, &x, &t);
3263 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3266 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3267 secp256k1_scalar neg1 = *number;
3268 secp256k1_scalar neg2 = *number;
3272 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3273 secp256k1_scalar_negate(&neg1, &neg1);
3276 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3277 CHECK(sign1 == sign2);
3278 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3281 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3282 secp256k1_scalar x, shift;
3283 int wnaf[256] = {0};
3287 secp256k1_scalar num = *number;
3288 secp256k1_scalar scalar_skew;
3290 secp256k1_scalar_set_int(&x, 0);
3291 secp256k1_scalar_set_int(&shift, 1 << w);
3292 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3293 #ifdef USE_ENDOMORPHISM
3294 for (i = 0; i < 16; ++i) {
3295 secp256k1_scalar_shr_int(&num, 8);
3299 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3301 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3304 CHECK(v != 0); /* check nonzero */
3305 CHECK(v & 1); /* check parity */
3306 CHECK(v > -(1 << w)); /* check range above */
3307 CHECK(v < (1 << w)); /* check range below */
3309 secp256k1_scalar_mul(&x, &x, &shift);
3311 secp256k1_scalar_set_int(&t, v);
3313 secp256k1_scalar_set_int(&t, -v);
3314 secp256k1_scalar_negate(&t, &t);
3316 secp256k1_scalar_add(&x, &x, &t);
3318 /* Skew num because when encoding numbers as odd we use an offset */
3319 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3320 secp256k1_scalar_add(&num, &num, &scalar_skew);
3321 CHECK(secp256k1_scalar_eq(&x, &num));
3324 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3325 secp256k1_scalar x, shift;
3326 int wnaf[256] = {0};
3329 secp256k1_scalar num = *number;
3331 secp256k1_scalar_set_int(&x, 0);
3332 secp256k1_scalar_set_int(&shift, 1 << w);
3333 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3334 #ifdef USE_ENDOMORPHISM
3335 for (i = 0; i < 16; ++i) {
3336 secp256k1_scalar_shr_int(&num, 8);
3339 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3341 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3344 CHECK(v == 0 || v & 1); /* check parity */
3345 CHECK(v > -(1 << w)); /* check range above */
3346 CHECK(v < (1 << w)); /* check range below */
3348 secp256k1_scalar_mul(&x, &x, &shift);
3350 secp256k1_scalar_set_int(&t, v);
3352 secp256k1_scalar_set_int(&t, -v);
3353 secp256k1_scalar_negate(&t, &t);
3355 secp256k1_scalar_add(&x, &x, &t);
3357 /* If skew is 1 then add 1 to num */
3358 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3359 CHECK(secp256k1_scalar_eq(&x, &num));
3362 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3364 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3366 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3367 CHECK(wnaf[i] == 0);
3369 for (i = 7; i >= 0; --i) {
3370 CHECK(wnaf[i] == wnaf_expected[i]);
3374 void test_fixed_wnaf_small(void) {
3376 int wnaf[256] = {0};
3379 secp256k1_scalar num;
3381 secp256k1_scalar_set_int(&num, 0);
3382 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3383 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3389 secp256k1_scalar_set_int(&num, 1);
3390 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3391 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3395 CHECK(wnaf[0] == 1);
3399 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3400 secp256k1_scalar_set_int(&num, 0xffffffff);
3401 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3402 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3406 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3407 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3408 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3409 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3413 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3414 secp256k1_scalar_set_int(&num, 0x01010101);
3415 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3416 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3420 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3421 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3422 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3423 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3428 void run_wnaf(void) {
3430 secp256k1_scalar n = {{0}};
3432 test_constant_wnaf(&n, 4);
3433 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3434 * have easier-to-diagnose failure modes */
3436 test_constant_wnaf(&n, 4);
3438 test_constant_wnaf(&n, 4);
3439 /* Test -1, because it's a special case in wnaf_const */
3440 n = secp256k1_scalar_one;
3441 secp256k1_scalar_negate(&n, &n);
3442 test_constant_wnaf(&n, 4);
3444 /* Test -2, which may not lead to overflows in wnaf_const */
3445 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3446 secp256k1_scalar_negate(&n, &n);
3447 test_constant_wnaf(&n, 4);
3449 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3450 as corner cases of negation handling in wnaf_const */
3451 secp256k1_scalar_inverse(&n, &n);
3452 test_constant_wnaf(&n, 4);
3454 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3455 test_constant_wnaf(&n, 4);
3457 /* Test 0 for fixed wnaf */
3458 test_fixed_wnaf_small();
3460 for (i = 0; i < count; i++) {
3461 random_scalar_order(&n);
3462 test_wnaf(&n, 4+(i%10));
3463 test_constant_wnaf_negate(&n);
3464 test_constant_wnaf(&n, 4 + (i % 10));
3465 test_fixed_wnaf(&n, 4 + (i % 10));
3467 secp256k1_scalar_set_int(&n, 0);
3468 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3469 CHECK(secp256k1_scalar_is_zero(&n));
3470 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3471 CHECK(secp256k1_scalar_is_zero(&n));
3474 void test_ecmult_constants(void) {
3475 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3481 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3482 for (i = 0; i < 36; i++ ) {
3483 secp256k1_scalar_set_int(&x, i);
3484 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3485 for (j = 0; j < i; j++) {
3487 ge_equals_gej(&secp256k1_ge_const_g, &r);
3489 secp256k1_gej_add_ge(&r, &r, &ng);
3491 CHECK(secp256k1_gej_is_infinity(&r));
3493 for (i = 1; i <= 36; i++ ) {
3494 secp256k1_scalar_set_int(&x, i);
3495 secp256k1_scalar_negate(&x, &x);
3496 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3497 for (j = 0; j < i; j++) {
3499 ge_equals_gej(&ng, &r);
3501 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3503 CHECK(secp256k1_gej_is_infinity(&r));
3507 void run_ecmult_constants(void) {
3508 test_ecmult_constants();
3511 void test_ecmult_gen_blind(void) {
3512 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3513 secp256k1_scalar key;
3515 unsigned char seed32[32];
3517 secp256k1_gej pgej2;
3520 random_scalar_order_test(&key);
3521 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3522 secp256k1_testrand256(seed32);
3523 b = ctx->ecmult_gen_ctx.blind;
3524 i = ctx->ecmult_gen_ctx.initial;
3525 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3526 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3527 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3528 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3529 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3530 secp256k1_ge_set_gej(&pge, &pgej);
3531 ge_equals_gej(&pge, &pgej2);
3534 void test_ecmult_gen_blind_reset(void) {
3535 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3537 secp256k1_gej initial;
3538 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3539 b = ctx->ecmult_gen_ctx.blind;
3540 initial = ctx->ecmult_gen_ctx.initial;
3541 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3542 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3543 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3546 void run_ecmult_gen_blind(void) {
3548 test_ecmult_gen_blind_reset();
3549 for (i = 0; i < 10; i++) {
3550 test_ecmult_gen_blind();
3554 #ifdef USE_ENDOMORPHISM
3555 /***** ENDOMORPHISH TESTS *****/
3556 void test_scalar_split(void) {
3557 secp256k1_scalar full;
3558 secp256k1_scalar s1, slam;
3559 const unsigned char zero[32] = {0};
3560 unsigned char tmp[32];
3562 random_scalar_order_test(&full);
3563 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3565 /* check that both are <= 128 bits in size */
3566 if (secp256k1_scalar_is_high(&s1)) {
3567 secp256k1_scalar_negate(&s1, &s1);
3569 if (secp256k1_scalar_is_high(&slam)) {
3570 secp256k1_scalar_negate(&slam, &slam);
3573 secp256k1_scalar_get_b32(tmp, &s1);
3574 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3575 secp256k1_scalar_get_b32(tmp, &slam);
3576 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3579 void run_endomorphism_tests(void) {
3580 test_scalar_split();
3584 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3585 unsigned char pubkeyc[65];
3586 secp256k1_pubkey pubkey;
3591 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3592 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3593 /* Smaller sizes are tested exhaustively elsewhere. */
3595 memcpy(&pubkeyc[1], input, 64);
3596 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3597 for (i = 0; i < 256; i++) {
3598 /* Try all type bytes. */
3603 /* What sign does this point have? */
3604 ysign = (input[63] & 1) + 2;
3605 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3606 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3607 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3608 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3609 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3610 if (xpass || ypass) {
3611 /* These cases must parse. */
3612 unsigned char pubkeyo[65];
3614 memset(&pubkey, 0, sizeof(pubkey));
3615 VG_UNDEF(&pubkey, sizeof(pubkey));
3617 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3618 VG_CHECK(&pubkey, sizeof(pubkey));
3620 VG_UNDEF(pubkeyo, 65);
3621 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3622 VG_CHECK(pubkeyo, outl);
3624 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3625 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3627 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3628 CHECK(pubkeyo[0] == ysign);
3629 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3630 memset(&pubkey, 0, sizeof(pubkey));
3631 VG_UNDEF(&pubkey, sizeof(pubkey));
3632 secp256k1_pubkey_save(&pubkey, &ge);
3633 VG_CHECK(&pubkey, sizeof(pubkey));
3635 VG_UNDEF(pubkeyo, 65);
3636 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3637 VG_CHECK(pubkeyo, outl);
3639 CHECK(pubkeyo[0] == 4);
3640 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3644 /* These cases must fail to parse. */
3645 memset(&pubkey, 0xfe, sizeof(pubkey));
3647 VG_UNDEF(&pubkey, sizeof(pubkey));
3648 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3649 VG_CHECK(&pubkey, sizeof(pubkey));
3651 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3656 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3659 void run_ec_pubkey_parse_test(void) {
3660 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3661 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3663 /* Point with leading and trailing zeros in x and y serialization. */
3664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3665 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3666 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3667 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3670 /* Point with x equal to a 3rd root of unity.*/
3671 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3672 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3673 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3674 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3677 /* Point with largest x. (1/2) */
3678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3679 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3680 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3681 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3684 /* Point with largest x. (2/2) */
3685 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3686 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3687 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3688 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3691 /* Point with smallest x. (1/2) */
3692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3694 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3695 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3698 /* Point with smallest x. (2/2) */
3699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3701 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3702 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3705 /* Point with largest y. (1/3) */
3706 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3707 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3708 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3709 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3712 /* Point with largest y. (2/3) */
3713 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3714 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3715 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3716 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3719 /* Point with largest y. (3/3) */
3720 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3721 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3722 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3723 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3726 /* Point with smallest y. (1/3) */
3727 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3728 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3733 /* Point with smallest y. (2/3) */
3734 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3735 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3740 /* Point with smallest y. (3/3) */
3741 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3742 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3747 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3748 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3750 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3751 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3752 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3753 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3754 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3757 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3758 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3759 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3760 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3761 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3764 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3765 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3766 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3767 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3768 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3771 /* x on curve, y is from y^2 = x^3 + 8. */
3772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3778 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3779 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3781 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3782 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3783 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3784 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3785 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3788 /* Valid if x overflow ignored (x = 1 mod p). */
3789 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3790 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3791 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3792 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3795 /* Valid if x overflow ignored (x = 1 mod p). */
3796 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3797 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3798 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3799 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3802 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3803 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3804 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3805 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3806 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3809 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3810 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3811 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3812 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3813 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3816 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3817 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3818 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3819 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3820 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3823 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3826 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3827 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3830 const unsigned char pubkeyc[66] = {
3831 /* Serialization of G. */
3832 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3833 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3834 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3835 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3838 unsigned char sout[65];
3839 unsigned char shortkey[2];
3841 secp256k1_pubkey pubkey;
3847 /* Nothing should be reading this far into pubkeyc. */
3848 VG_UNDEF(&pubkeyc[65], 1);
3849 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3850 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3851 memset(&pubkey, 0xfe, sizeof(pubkey));
3853 VG_UNDEF(shortkey, 2);
3854 VG_UNDEF(&pubkey, sizeof(pubkey));
3855 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3856 VG_CHECK(&pubkey, sizeof(pubkey));
3858 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3860 /* Length one claimed, fail, zeroize, no illegal arg error. */
3861 for (i = 0; i < 256 ; i++) {
3862 memset(&pubkey, 0xfe, sizeof(pubkey));
3865 VG_UNDEF(&shortkey[1], 1);
3866 VG_UNDEF(&pubkey, sizeof(pubkey));
3867 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3868 VG_CHECK(&pubkey, sizeof(pubkey));
3870 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3873 /* Length two claimed, fail, zeroize, no illegal arg error. */
3874 for (i = 0; i < 65536 ; i++) {
3875 memset(&pubkey, 0xfe, sizeof(pubkey));
3877 shortkey[0] = i & 255;
3878 shortkey[1] = i >> 8;
3879 VG_UNDEF(&pubkey, sizeof(pubkey));
3880 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3881 VG_CHECK(&pubkey, sizeof(pubkey));
3883 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3886 memset(&pubkey, 0xfe, sizeof(pubkey));
3888 VG_UNDEF(&pubkey, sizeof(pubkey));
3889 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3890 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3891 VG_CHECK(&pubkey, sizeof(pubkey));
3893 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3895 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3896 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3898 /* NULL input string. Illegal arg and zeroize output. */
3899 memset(&pubkey, 0xfe, sizeof(pubkey));
3901 VG_UNDEF(&pubkey, sizeof(pubkey));
3902 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3903 VG_CHECK(&pubkey, sizeof(pubkey));
3905 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3907 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3908 memset(&pubkey, 0xfe, sizeof(pubkey));
3910 VG_UNDEF(&pubkey, sizeof(pubkey));
3911 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3912 VG_CHECK(&pubkey, sizeof(pubkey));
3914 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3916 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3917 memset(&pubkey, 0xfe, sizeof(pubkey));
3919 VG_UNDEF(&pubkey, sizeof(pubkey));
3920 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3921 VG_CHECK(&pubkey, sizeof(pubkey));
3923 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3926 memset(&pubkey, 0, sizeof(pubkey));
3928 VG_UNDEF(&pubkey, sizeof(pubkey));
3929 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3930 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3931 VG_CHECK(&pubkey, sizeof(pubkey));
3933 VG_UNDEF(&ge, sizeof(ge));
3934 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3935 VG_CHECK(&ge.x, sizeof(ge.x));
3936 VG_CHECK(&ge.y, sizeof(ge.y));
3937 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3938 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3940 /* secp256k1_ec_pubkey_serialize illegal args. */
3943 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3946 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3950 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3955 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3960 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3964 /* Multiple illegal args. Should still set arg error only once. */
3967 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3969 /* Does the illegal arg callback actually change the behavior? */
3970 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3971 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3973 CHECK(ecount2 == 10);
3974 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3975 /* Try a bunch of prefabbed points with all possible encodings. */
3976 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3977 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3979 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3980 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3982 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3983 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3987 void run_eckey_edge_case_test(void) {
3988 const unsigned char orderc[32] = {
3989 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3990 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3991 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3992 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3994 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3995 unsigned char ctmp[33];
3996 unsigned char ctmp2[33];
3997 secp256k1_pubkey pubkey;
3998 secp256k1_pubkey pubkey2;
3999 secp256k1_pubkey pubkey_one;
4000 secp256k1_pubkey pubkey_negone;
4001 const secp256k1_pubkey *pubkeys[3];
4004 /* Group order is too large, reject. */
4005 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4006 VG_UNDEF(&pubkey, sizeof(pubkey));
4007 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4008 VG_CHECK(&pubkey, sizeof(pubkey));
4009 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4010 /* Maximum value is too large, reject. */
4011 memset(ctmp, 255, 32);
4012 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4013 memset(&pubkey, 1, sizeof(pubkey));
4014 VG_UNDEF(&pubkey, sizeof(pubkey));
4015 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4016 VG_CHECK(&pubkey, sizeof(pubkey));
4017 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4018 /* Zero is too small, reject. */
4019 memset(ctmp, 0, 32);
4020 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4021 memset(&pubkey, 1, sizeof(pubkey));
4022 VG_UNDEF(&pubkey, sizeof(pubkey));
4023 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4024 VG_CHECK(&pubkey, sizeof(pubkey));
4025 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4026 /* One must be accepted. */
4028 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4029 memset(&pubkey, 0, sizeof(pubkey));
4030 VG_UNDEF(&pubkey, sizeof(pubkey));
4031 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4032 VG_CHECK(&pubkey, sizeof(pubkey));
4033 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4034 pubkey_one = pubkey;
4035 /* Group order + 1 is too large, reject. */
4036 memcpy(ctmp, orderc, 32);
4038 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4039 memset(&pubkey, 1, sizeof(pubkey));
4040 VG_UNDEF(&pubkey, sizeof(pubkey));
4041 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4042 VG_CHECK(&pubkey, sizeof(pubkey));
4043 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4044 /* -1 must be accepted. */
4046 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4047 memset(&pubkey, 0, sizeof(pubkey));
4048 VG_UNDEF(&pubkey, sizeof(pubkey));
4049 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4050 VG_CHECK(&pubkey, sizeof(pubkey));
4051 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4052 pubkey_negone = pubkey;
4053 /* Tweak of zero leaves the value unchanged. */
4054 memset(ctmp2, 0, 32);
4055 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4056 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4057 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4058 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4059 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4060 /* Multiply tweak of zero zeroizes the output. */
4061 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4062 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4063 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4064 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4065 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4066 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4067 seckey, the seckey is zeroized. */
4068 memcpy(ctmp, orderc, 32);
4069 memset(ctmp2, 0, 32);
4071 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4072 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4073 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4074 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4075 memcpy(ctmp, orderc, 32);
4076 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4077 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4078 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4079 tweak, the seckey is zeroized. */
4080 memcpy(ctmp, orderc, 32);
4082 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4083 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4084 memcpy(ctmp, orderc, 32);
4086 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4087 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4088 memcpy(ctmp, orderc, 32);
4090 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4091 tweak, the pubkey is zeroized. */
4092 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4093 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4094 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4095 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4096 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4097 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4098 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4099 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4100 * case the pubkey is zeroized. */
4101 memcpy(ctmp, orderc, 32);
4103 memset(ctmp2, 0, 32);
4105 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4106 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4108 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4109 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4110 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4111 /* Tweak computation wraps and results in a key of 1. */
4113 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4114 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4116 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4118 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4119 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4120 /* Tweak mul * 2 = 1+1. */
4121 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4123 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4124 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4125 /* Test argument errors. */
4127 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4129 /* Zeroize pubkey on parse error. */
4130 memset(&pubkey, 0, 32);
4131 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4133 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4134 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4135 memset(&pubkey2, 0, 32);
4136 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4138 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4139 /* Plain argument errors. */
4141 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4143 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4146 memset(ctmp2, 0, 32);
4148 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4150 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4153 memset(ctmp2, 0, 32);
4155 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4157 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4160 memset(ctmp2, 0, 32);
4161 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4163 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4166 memset(ctmp2, 0, 32);
4168 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4170 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4173 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4175 memset(&pubkey, 1, sizeof(pubkey));
4176 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4178 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4179 /* secp256k1_ec_pubkey_combine tests. */
4181 pubkeys[0] = &pubkey_one;
4182 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4183 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4184 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4185 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4186 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4187 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4188 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4189 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4191 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4192 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4194 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4195 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4196 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4197 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4198 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4200 pubkeys[0] = &pubkey_negone;
4201 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4202 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4203 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4204 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4205 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4208 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4209 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4210 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4211 /* Result is infinity. */
4212 pubkeys[0] = &pubkey_one;
4213 pubkeys[1] = &pubkey_negone;
4214 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4215 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4216 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4217 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4218 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4220 /* Passes through infinity but comes out one. */
4221 pubkeys[2] = &pubkey_one;
4222 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4223 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4224 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4225 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4226 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4229 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4230 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4231 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4233 pubkeys[1] = &pubkey_one;
4234 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4235 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4236 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4237 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4238 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4240 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4243 void run_eckey_negate_test(void) {
4244 unsigned char seckey[32];
4245 unsigned char seckey_tmp[32];
4247 random_scalar_order_b32(seckey);
4248 memcpy(seckey_tmp, seckey, 32);
4250 /* Verify negation changes the key and changes it back */
4251 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4252 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4253 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4254 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4256 /* Check that privkey alias gives same result */
4257 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4258 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4259 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4261 /* Negating all 0s fails */
4262 memset(seckey, 0, 32);
4263 memset(seckey_tmp, 0, 32);
4264 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4265 /* Check that seckey is not modified */
4266 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4268 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4269 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4270 * doesn't just set seckey to a constant value in case of failure. */
4271 random_scalar_order_b32(seckey);
4272 memset(seckey, 0xFF, 16);
4273 memset(seckey_tmp, 0, 32);
4274 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4275 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4278 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4279 secp256k1_scalar nonce;
4281 random_scalar_order_test(&nonce);
4282 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4285 void test_ecdsa_sign_verify(void) {
4288 secp256k1_scalar one;
4289 secp256k1_scalar msg, key;
4290 secp256k1_scalar sigr, sigs;
4293 random_scalar_order_test(&msg);
4294 random_scalar_order_test(&key);
4295 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4296 secp256k1_ge_set_gej(&pub, &pubj);
4297 getrec = secp256k1_testrand_bits(1);
4298 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4300 CHECK(recid >= 0 && recid < 4);
4302 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4303 secp256k1_scalar_set_int(&one, 1);
4304 secp256k1_scalar_add(&msg, &msg, &one);
4305 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4308 void run_ecdsa_sign_verify(void) {
4310 for (i = 0; i < 10*count; i++) {
4311 test_ecdsa_sign_verify();
4315 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4316 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4320 memcpy(nonce32, data, 32);
4321 return (counter == 0);
4324 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4325 /* Dummy nonce generator that has a fatal error on the first counter value. */
4329 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4332 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4333 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4335 memset(nonce32, counter==0 ? 0 : 255, 32);
4342 static const unsigned char order[] = {
4343 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4344 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4345 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4346 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4348 memcpy(nonce32, order, 32);
4354 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4355 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4359 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4362 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4363 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4364 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4367 void test_ecdsa_end_to_end(void) {
4368 unsigned char extra[32] = {0x00};
4369 unsigned char privkey[32];
4370 unsigned char message[32];
4371 unsigned char privkey2[32];
4372 secp256k1_ecdsa_signature signature[6];
4373 secp256k1_scalar r, s;
4374 unsigned char sig[74];
4376 unsigned char pubkeyc[65];
4377 size_t pubkeyclen = 65;
4378 secp256k1_pubkey pubkey;
4379 secp256k1_pubkey pubkey_tmp;
4380 unsigned char seckey[300];
4381 size_t seckeylen = 300;
4383 /* Generate a random key and message. */
4385 secp256k1_scalar msg, key;
4386 random_scalar_order_test(&msg);
4387 random_scalar_order_test(&key);
4388 secp256k1_scalar_get_b32(privkey, &key);
4389 secp256k1_scalar_get_b32(message, &msg);
4392 /* Construct and verify corresponding public key. */
4393 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4394 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4396 /* Verify exporting and importing public key. */
4397 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4398 memset(&pubkey, 0, sizeof(pubkey));
4399 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4401 /* Verify negation changes the key and changes it back */
4402 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4403 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4404 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4405 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4406 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4408 /* Verify private key import and export. */
4409 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4410 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4411 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4413 /* Optionally tweak the keys using addition. */
4414 if (secp256k1_testrand_int(3) == 0) {
4418 unsigned char rnd[32];
4419 unsigned char privkey_tmp[32];
4420 secp256k1_pubkey pubkey2;
4421 secp256k1_testrand256_test(rnd);
4422 memcpy(privkey_tmp, privkey, 32);
4423 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4424 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4425 /* Check that privkey alias gives same result */
4426 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4427 CHECK(ret1 == ret2);
4428 CHECK(ret2 == ret3);
4432 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4433 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4434 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4437 /* Optionally tweak the keys using multiplication. */
4438 if (secp256k1_testrand_int(3) == 0) {
4442 unsigned char rnd[32];
4443 unsigned char privkey_tmp[32];
4444 secp256k1_pubkey pubkey2;
4445 secp256k1_testrand256_test(rnd);
4446 memcpy(privkey_tmp, privkey, 32);
4447 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4448 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4449 /* Check that privkey alias gives same result */
4450 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4451 CHECK(ret1 == ret2);
4452 CHECK(ret2 == ret3);
4456 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4457 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4458 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4462 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4463 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4464 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4466 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4469 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4470 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4471 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4472 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4473 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4474 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4475 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4476 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4478 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4479 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4480 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4481 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4482 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4483 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4484 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4485 secp256k1_scalar_negate(&s, &s);
4486 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4487 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4488 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4489 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4490 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4491 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4492 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4493 secp256k1_scalar_negate(&s, &s);
4494 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4495 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4496 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4497 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4499 /* Serialize/parse DER and verify again */
4500 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4501 memset(&signature[0], 0, sizeof(signature[0]));
4502 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4503 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4504 /* Serialize/destroy/parse DER and verify again. */
4506 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4507 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4508 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4509 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4512 void test_random_pubkeys(void) {
4515 unsigned char in[65];
4516 /* Generate some randomly sized pubkeys. */
4517 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4518 if (secp256k1_testrand_bits(2) == 0) {
4519 len = secp256k1_testrand_bits(6);
4522 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4524 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4526 if (secp256k1_testrand_bits(3) == 0) {
4527 in[0] = secp256k1_testrand_bits(8);
4530 secp256k1_testrand256(&in[1]);
4533 secp256k1_testrand256(&in[33]);
4535 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4536 unsigned char out[65];
4537 unsigned char firstb;
4541 /* If the pubkey can be parsed, it should round-trip... */
4542 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4544 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4545 /* ... except for the type of hybrid inputs. */
4546 if ((in[0] != 6) && (in[0] != 7)) {
4547 CHECK(in[0] == out[0]);
4550 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4552 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4553 ge_equals_ge(&elem,&elem2);
4554 /* Check that the X9.62 hybrid type is checked. */
4555 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4556 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4557 if (firstb == 2 || firstb == 3) {
4558 if (in[0] == firstb + 4) {
4565 ge_equals_ge(&elem,&elem2);
4566 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4567 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4572 void run_random_pubkeys(void) {
4574 for (i = 0; i < 10*count; i++) {
4575 test_random_pubkeys();
4579 void run_ecdsa_end_to_end(void) {
4581 for (i = 0; i < 64*count; i++) {
4582 test_ecdsa_end_to_end();
4586 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4587 static const unsigned char zeroes[32] = {0};
4588 #ifdef ENABLE_OPENSSL_TESTS
4589 static const unsigned char max_scalar[32] = {
4590 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4592 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4593 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4599 secp256k1_ecdsa_signature sig_der;
4600 unsigned char roundtrip_der[2048];
4601 unsigned char compact_der[64];
4602 size_t len_der = 2048;
4603 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4605 secp256k1_ecdsa_signature sig_der_lax;
4606 unsigned char roundtrip_der_lax[2048];
4607 unsigned char compact_der_lax[64];
4608 size_t len_der_lax = 2048;
4609 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4611 #ifdef ENABLE_OPENSSL_TESTS
4612 ECDSA_SIG *sig_openssl;
4613 const BIGNUM *r = NULL, *s = NULL;
4614 const unsigned char *sigptr;
4615 unsigned char roundtrip_openssl[2048];
4616 int len_openssl = 2048;
4617 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4620 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4622 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4623 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4626 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4627 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4630 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4631 if (parsed_der_lax) {
4632 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4633 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4635 if (valid_der_lax) {
4636 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4637 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4640 if (certainly_der) {
4641 ret |= (!parsed_der) << 2;
4643 if (certainly_not_der) {
4644 ret |= (parsed_der) << 17;
4647 ret |= (!roundtrips_der) << 3;
4651 ret |= (!roundtrips_der_lax) << 12;
4652 ret |= (len_der != len_der_lax) << 13;
4653 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4655 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4657 ret |= (!parsed_der_lax) << 16;
4660 #ifdef ENABLE_OPENSSL_TESTS
4661 sig_openssl = ECDSA_SIG_new();
4663 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4664 if (parsed_openssl) {
4665 ECDSA_SIG_get0(sig_openssl, &r, &s);
4666 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4667 if (valid_openssl) {
4668 unsigned char tmp[32] = {0};
4669 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4670 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4672 if (valid_openssl) {
4673 unsigned char tmp[32] = {0};
4674 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4675 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4678 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4679 if (len_openssl <= 2048) {
4680 unsigned char *ptr = roundtrip_openssl;
4681 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4682 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
4686 ECDSA_SIG_free(sig_openssl);
4688 ret |= (parsed_der && !parsed_openssl) << 4;
4689 ret |= (valid_der && !valid_openssl) << 5;
4690 ret |= (roundtrips_openssl && !parsed_der) << 6;
4691 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4692 if (roundtrips_openssl) {
4693 ret |= (len_der != (size_t)len_openssl) << 8;
4694 ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4700 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4702 for (i = 0; i < ptrlen; i++) {
4703 int shift = ptrlen - 1 - i;
4707 ptr[i] = (val >> shift) & 0xFF;
4712 static void damage_array(unsigned char *sig, size_t *len) {
4714 int action = secp256k1_testrand_bits(3);
4715 if (action < 1 && *len > 3) {
4716 /* Delete a byte. */
4717 pos = secp256k1_testrand_int(*len);
4718 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4721 } else if (action < 2 && *len < 2048) {
4722 /* Insert a byte. */
4723 pos = secp256k1_testrand_int(1 + *len);
4724 memmove(sig + pos + 1, sig + pos, *len - pos);
4725 sig[pos] = secp256k1_testrand_bits(8);
4728 } else if (action < 4) {
4729 /* Modify a byte. */
4730 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4732 } else { /* action < 8 */
4734 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
4739 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4741 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4742 size_t tlen, elen, glen;
4747 der = secp256k1_testrand_bits(2) == 0;
4748 *certainly_der = der;
4749 *certainly_not_der = 0;
4750 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
4752 for (n = 0; n < 2; n++) {
4753 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4754 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
4755 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4756 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
4757 CHECK(nlen[n] <= 232);
4758 /* The top bit of the number. */
4759 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
4760 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4761 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
4762 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4763 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
4764 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4765 *certainly_not_der = 1;
4767 CHECK(nlen[n] + nzlen[n] <= 300);
4768 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4769 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4771 /* nlenlen[n] max 127 bytes */
4772 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4775 *certainly_not_der = 1;
4778 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4781 /* The total length of the data to go, so far */
4782 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4785 /* The length of the garbage inside the tuple. */
4786 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
4788 *certainly_not_der = 1;
4793 /* The length of the garbage after the end of the tuple. */
4794 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
4796 *certainly_not_der = 1;
4798 CHECK(tlen + glen <= 990);
4800 /* Write the tuple header. */
4801 sig[(*len)++] = 0x30;
4803 /* Indeterminate length */
4804 sig[(*len)++] = 0x80;
4805 *certainly_not_der = 1;
4807 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4809 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4812 *certainly_not_der = 1;
4816 /* Short length notation */
4817 sig[(*len)++] = tlen;
4819 /* Long length notation */
4820 sig[(*len)++] = 128 + tlenlen;
4821 assign_big_endian(sig + *len, tlenlen, tlen);
4827 CHECK(tlen + glen <= 1119);
4829 for (n = 0; n < 2; n++) {
4830 /* Write the integer header. */
4831 sig[(*len)++] = 0x02;
4832 if (nlenlen[n] == 0) {
4833 /* Short length notation */
4834 sig[(*len)++] = nlen[n] + nzlen[n];
4836 /* Long length notation. */
4837 sig[(*len)++] = 128 + nlenlen[n];
4838 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4841 /* Write zero padding */
4842 while (nzlen[n] > 0) {
4843 sig[(*len)++] = 0x00;
4846 if (nlen[n] == 32 && !nlow[n]) {
4847 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4849 for (i = 0; i < 16; i++) {
4850 sig[(*len)++] = 0xFF;
4854 /* Write first byte of number */
4856 sig[(*len)++] = nhbyte[n];
4859 /* Generate remaining random bytes of number */
4860 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
4865 /* Generate random garbage inside tuple. */
4866 secp256k1_testrand_bytes_test(sig + *len, elen);
4869 /* Generate end-of-contents bytes. */
4875 CHECK(tlen + glen <= 1121);
4877 /* Generate random garbage outside tuple. */
4878 secp256k1_testrand_bytes_test(sig + *len, glen);
4881 CHECK(tlen <= 1121);
4882 CHECK(tlen == *len);
4885 void run_ecdsa_der_parse(void) {
4887 for (i = 0; i < 200 * count; i++) {
4888 unsigned char buffer[2048];
4890 int certainly_der = 0;
4891 int certainly_not_der = 0;
4892 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4893 CHECK(buflen <= 2048);
4894 for (j = 0; j < 16; j++) {
4897 damage_array(buffer, &buflen);
4898 /* We don't know anything anymore about the DERness of the result */
4900 certainly_not_der = 0;
4902 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4905 fprintf(stderr, "Failure %x on ", ret);
4906 for (k = 0; k < buflen; k++) {
4907 fprintf(stderr, "%02x ", buffer[k]);
4909 fprintf(stderr, "\n");
4916 /* Tests several edge cases. */
4917 void test_ecdsa_edge_cases(void) {
4919 secp256k1_ecdsa_signature sig;
4921 /* Test the case where ECDSA recomputes a point that is infinity. */
4925 secp256k1_scalar msg;
4926 secp256k1_scalar sr, ss;
4927 secp256k1_scalar_set_int(&ss, 1);
4928 secp256k1_scalar_negate(&ss, &ss);
4929 secp256k1_scalar_inverse(&ss, &ss);
4930 secp256k1_scalar_set_int(&sr, 1);
4931 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4932 secp256k1_ge_set_gej(&key, &keyj);
4934 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4937 /* Verify signature with r of zero fails. */
4939 const unsigned char pubkey_mods_zero[33] = {
4940 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4941 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4942 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4943 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4947 secp256k1_scalar msg;
4948 secp256k1_scalar sr, ss;
4949 secp256k1_scalar_set_int(&ss, 1);
4950 secp256k1_scalar_set_int(&msg, 0);
4951 secp256k1_scalar_set_int(&sr, 0);
4952 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4953 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4956 /* Verify signature with s of zero fails. */
4958 const unsigned char pubkey[33] = {
4959 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4960 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4961 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4962 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4966 secp256k1_scalar msg;
4967 secp256k1_scalar sr, ss;
4968 secp256k1_scalar_set_int(&ss, 0);
4969 secp256k1_scalar_set_int(&msg, 0);
4970 secp256k1_scalar_set_int(&sr, 1);
4971 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4972 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4975 /* Verify signature with message 0 passes. */
4977 const unsigned char pubkey[33] = {
4978 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4979 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4980 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4984 const unsigned char pubkey2[33] = {
4985 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4986 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4987 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4988 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4993 secp256k1_scalar msg;
4994 secp256k1_scalar sr, ss;
4995 secp256k1_scalar_set_int(&ss, 2);
4996 secp256k1_scalar_set_int(&msg, 0);
4997 secp256k1_scalar_set_int(&sr, 2);
4998 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4999 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5000 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5001 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5002 secp256k1_scalar_negate(&ss, &ss);
5003 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5004 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5005 secp256k1_scalar_set_int(&ss, 1);
5006 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5007 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5010 /* Verify signature with message 1 passes. */
5012 const unsigned char pubkey[33] = {
5013 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5014 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5015 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5016 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5019 const unsigned char pubkey2[33] = {
5020 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5021 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5022 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5023 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5026 const unsigned char csr[32] = {
5027 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5028 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5029 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5030 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5034 secp256k1_scalar msg;
5035 secp256k1_scalar sr, ss;
5036 secp256k1_scalar_set_int(&ss, 1);
5037 secp256k1_scalar_set_int(&msg, 1);
5038 secp256k1_scalar_set_b32(&sr, csr, NULL);
5039 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5040 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5041 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5042 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5043 secp256k1_scalar_negate(&ss, &ss);
5044 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5045 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5046 secp256k1_scalar_set_int(&ss, 2);
5047 secp256k1_scalar_inverse_var(&ss, &ss);
5048 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5049 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5052 /* Verify signature with message -1 passes. */
5054 const unsigned char pubkey[33] = {
5055 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5056 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5057 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5058 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5061 const unsigned char csr[32] = {
5062 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5064 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5065 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5068 secp256k1_scalar msg;
5069 secp256k1_scalar sr, ss;
5070 secp256k1_scalar_set_int(&ss, 1);
5071 secp256k1_scalar_set_int(&msg, 1);
5072 secp256k1_scalar_negate(&msg, &msg);
5073 secp256k1_scalar_set_b32(&sr, csr, NULL);
5074 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5075 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5076 secp256k1_scalar_negate(&ss, &ss);
5077 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5078 secp256k1_scalar_set_int(&ss, 3);
5079 secp256k1_scalar_inverse_var(&ss, &ss);
5080 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5083 /* Signature where s would be zero. */
5085 secp256k1_pubkey pubkey;
5088 unsigned char signature[72];
5089 static const unsigned char nonce[32] = {
5090 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5091 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5092 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5093 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5095 static const unsigned char nonce2[32] = {
5096 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5097 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5098 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5099 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5101 const unsigned char key[32] = {
5102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5107 unsigned char msg[32] = {
5108 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5109 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5110 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5111 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5114 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5115 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5116 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5118 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5120 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5122 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5124 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5126 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5127 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5128 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5130 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5132 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5134 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5136 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5138 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5139 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5142 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5144 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5145 CHECK(ecount == 10);
5146 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5147 CHECK(ecount == 11);
5148 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5149 CHECK(ecount == 11);
5150 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5151 CHECK(ecount == 12);
5152 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5153 CHECK(ecount == 13);
5154 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5155 CHECK(ecount == 13);
5157 /* Too little room for a signature does not fail via ARGCHECK. */
5158 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5159 CHECK(ecount == 13);
5161 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5163 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5165 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5167 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5169 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5171 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5173 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5175 memset(signature, 255, 64);
5176 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5178 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5181 /* Nonce function corner cases. */
5182 for (t = 0; t < 2; t++) {
5183 static const unsigned char zero[32] = {0x00};
5185 unsigned char key[32];
5186 unsigned char msg[32];
5187 secp256k1_ecdsa_signature sig2;
5188 secp256k1_scalar sr[512], ss;
5189 const unsigned char *extra;
5190 extra = t == 0 ? NULL : zero;
5193 /* High key results in signature failure. */
5194 memset(key, 0xFF, 32);
5195 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5196 CHECK(is_empty_signature(&sig));
5197 /* Zero key results in signature failure. */
5199 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5200 CHECK(is_empty_signature(&sig));
5201 /* Nonce function failure results in signature failure. */
5203 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5204 CHECK(is_empty_signature(&sig));
5205 /* The retry loop successfully makes its way to the first good value. */
5206 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5207 CHECK(!is_empty_signature(&sig));
5208 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5209 CHECK(!is_empty_signature(&sig2));
5210 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5211 /* The default nonce function is deterministic. */
5212 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5213 CHECK(!is_empty_signature(&sig2));
5214 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5215 /* The default nonce function changes output with different messages. */
5216 for(i = 0; i < 256; i++) {
5219 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5220 CHECK(!is_empty_signature(&sig2));
5221 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5222 for (j = 0; j < i; j++) {
5223 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5228 /* The default nonce function changes output with different keys. */
5229 for(i = 256; i < 512; i++) {
5232 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5233 CHECK(!is_empty_signature(&sig2));
5234 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5235 for (j = 0; j < i; j++) {
5236 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5243 /* Check that optional nonce arguments do not have equivalent effect. */
5244 const unsigned char zeros[32] = {0};
5245 unsigned char nonce[32];
5246 unsigned char nonce2[32];
5247 unsigned char nonce3[32];
5248 unsigned char nonce4[32];
5250 VG_UNDEF(nonce2,32);
5251 VG_UNDEF(nonce3,32);
5252 VG_UNDEF(nonce4,32);
5253 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5255 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5256 VG_CHECK(nonce2,32);
5257 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5258 VG_CHECK(nonce3,32);
5259 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5260 VG_CHECK(nonce4,32);
5261 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5262 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5263 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5264 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5265 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5266 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5270 /* Privkey export where pubkey is the point at infinity. */
5272 unsigned char privkey[300];
5273 unsigned char seckey[32] = {
5274 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5275 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5276 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5277 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5279 size_t outlen = 300;
5280 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5282 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5286 void run_ecdsa_edge_cases(void) {
5287 test_ecdsa_edge_cases();
5290 #ifdef ENABLE_OPENSSL_TESTS
5291 EC_KEY *get_openssl_key(const unsigned char *key32) {
5292 unsigned char privkey[300];
5294 const unsigned char* pbegin = privkey;
5295 int compr = secp256k1_testrand_bits(1);
5296 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5297 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5298 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5299 CHECK(EC_KEY_check_key(ec_key));
5303 void test_ecdsa_openssl(void) {
5306 secp256k1_scalar sigr, sigs;
5307 secp256k1_scalar one;
5308 secp256k1_scalar msg2;
5309 secp256k1_scalar key, msg;
5311 unsigned int sigsize = 80;
5312 size_t secp_sigsize = 80;
5313 unsigned char message[32];
5314 unsigned char signature[80];
5315 unsigned char key32[32];
5316 secp256k1_testrand256_test(message);
5317 secp256k1_scalar_set_b32(&msg, message, NULL);
5318 random_scalar_order_test(&key);
5319 secp256k1_scalar_get_b32(key32, &key);
5320 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5321 secp256k1_ge_set_gej(&q, &qj);
5322 ec_key = get_openssl_key(key32);
5323 CHECK(ec_key != NULL);
5324 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5325 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5326 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5327 secp256k1_scalar_set_int(&one, 1);
5328 secp256k1_scalar_add(&msg2, &msg, &one);
5329 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5331 random_sign(&sigr, &sigs, &key, &msg, NULL);
5332 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5333 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5335 EC_KEY_free(ec_key);
5338 void run_ecdsa_openssl(void) {
5340 for (i = 0; i < 10*count; i++) {
5341 test_ecdsa_openssl();
5346 #ifdef ENABLE_MODULE_ECDH
5347 # include "modules/ecdh/tests_impl.h"
5350 #ifdef ENABLE_MODULE_RECOVERY
5351 # include "modules/recovery/tests_impl.h"
5354 #ifdef ENABLE_MODULE_EXTRAKEYS
5355 # include "modules/extrakeys/tests_impl.h"
5358 #ifdef ENABLE_MODULE_SCHNORRSIG
5359 # include "modules/schnorrsig/tests_impl.h"
5362 void run_memczero_test(void) {
5363 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5364 unsigned char buf2[sizeof(buf1)];
5366 /* memczero(..., ..., 0) is a noop. */
5367 memcpy(buf2, buf1, sizeof(buf1));
5368 memczero(buf1, sizeof(buf1), 0);
5369 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5371 /* memczero(..., ..., 1) zeros the buffer. */
5372 memset(buf2, 0, sizeof(buf2));
5373 memczero(buf1, sizeof(buf1) , 1);
5374 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5377 void int_cmov_test(void) {
5381 secp256k1_int_cmov(&r, &a, 0);
5382 CHECK(r == INT_MAX);
5385 secp256k1_int_cmov(&r, &a, 1);
5386 CHECK(r == INT_MAX);
5389 secp256k1_int_cmov(&r, &a, 1);
5393 secp256k1_int_cmov(&r, &a, 1);
5397 secp256k1_int_cmov(&r, &a, 0);
5402 void fe_cmov_test(void) {
5403 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5404 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5405 static const secp256k1_fe max = SECP256K1_FE_CONST(
5406 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5407 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5409 secp256k1_fe r = max;
5410 secp256k1_fe a = zero;
5412 secp256k1_fe_cmov(&r, &a, 0);
5413 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5416 secp256k1_fe_cmov(&r, &a, 1);
5417 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5420 secp256k1_fe_cmov(&r, &a, 1);
5421 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5424 secp256k1_fe_cmov(&r, &a, 1);
5425 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5428 secp256k1_fe_cmov(&r, &a, 0);
5429 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5432 void fe_storage_cmov_test(void) {
5433 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5434 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5435 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5436 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5437 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5439 secp256k1_fe_storage r = max;
5440 secp256k1_fe_storage a = zero;
5442 secp256k1_fe_storage_cmov(&r, &a, 0);
5443 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5446 secp256k1_fe_storage_cmov(&r, &a, 1);
5447 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5450 secp256k1_fe_storage_cmov(&r, &a, 1);
5451 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5454 secp256k1_fe_storage_cmov(&r, &a, 1);
5455 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5458 secp256k1_fe_storage_cmov(&r, &a, 0);
5459 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5462 void scalar_cmov_test(void) {
5463 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5464 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5465 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5466 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5467 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5469 secp256k1_scalar r = max;
5470 secp256k1_scalar a = zero;
5472 secp256k1_scalar_cmov(&r, &a, 0);
5473 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5476 secp256k1_scalar_cmov(&r, &a, 1);
5477 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5480 secp256k1_scalar_cmov(&r, &a, 1);
5481 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5484 secp256k1_scalar_cmov(&r, &a, 1);
5485 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5488 secp256k1_scalar_cmov(&r, &a, 0);
5489 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5492 void ge_storage_cmov_test(void) {
5493 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5494 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5495 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5496 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5497 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5498 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5499 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5501 secp256k1_ge_storage r = max;
5502 secp256k1_ge_storage a = zero;
5504 secp256k1_ge_storage_cmov(&r, &a, 0);
5505 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5508 secp256k1_ge_storage_cmov(&r, &a, 1);
5509 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5512 secp256k1_ge_storage_cmov(&r, &a, 1);
5513 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5516 secp256k1_ge_storage_cmov(&r, &a, 1);
5517 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5520 secp256k1_ge_storage_cmov(&r, &a, 0);
5521 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5524 void run_cmov_tests(void) {
5527 fe_storage_cmov_test();
5529 ge_storage_cmov_test();
5532 int main(int argc, char **argv) {
5533 /* Disable buffering for stdout to improve reliability of getting
5534 * diagnostic information. Happens right at the start of main because
5535 * setbuf must be used before any other operation on the stream. */
5536 setbuf(stdout, NULL);
5537 /* Also disable buffering for stderr because it's not guaranteed that it's
5538 * unbuffered on all systems. */
5539 setbuf(stderr, NULL);
5541 /* find iteration count */
5543 count = strtol(argv[1], NULL, 0);
5545 printf("test count = %i\n", count);
5547 /* find random seed */
5548 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
5551 run_context_tests(0);
5552 run_context_tests(1);
5553 run_scratch_tests();
5554 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5555 if (secp256k1_testrand_bits(1)) {
5556 unsigned char rand32[32];
5557 secp256k1_testrand256(rand32);
5558 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
5565 run_hmac_sha256_tests();
5566 run_rfc6979_hmac_sha256_tests();
5568 #ifndef USE_NUM_NONE
5570 run_num_smalltests();
5578 run_field_inv_var();
5579 run_field_inv_all_var();
5581 run_field_convert();
5587 run_group_decompress();
5591 run_point_times_order();
5593 run_ecmult_constants();
5594 run_ecmult_gen_blind();
5595 run_ecmult_const_tests();
5596 run_ecmult_multi_tests();
5599 /* endomorphism tests */
5600 #ifdef USE_ENDOMORPHISM
5601 run_endomorphism_tests();
5604 /* EC point parser test */
5605 run_ec_pubkey_parse_test();
5607 /* EC key edge cases */
5608 run_eckey_edge_case_test();
5610 /* EC key arithmetic test */
5611 run_eckey_negate_test();
5613 #ifdef ENABLE_MODULE_ECDH
5619 run_random_pubkeys();
5620 run_ecdsa_der_parse();
5621 run_ecdsa_sign_verify();
5622 run_ecdsa_end_to_end();
5623 run_ecdsa_edge_cases();
5624 #ifdef ENABLE_OPENSSL_TESTS
5625 run_ecdsa_openssl();
5628 #ifdef ENABLE_MODULE_RECOVERY
5629 /* ECDSA pubkey recovery tests */
5630 run_recovery_tests();
5633 #ifdef ENABLE_MODULE_EXTRAKEYS
5634 run_extrakeys_tests();
5637 #ifdef ENABLE_MODULE_SCHNORRSIG
5638 run_schnorrsig_tests();
5642 run_memczero_test();
5646 secp256k1_testrand_finish();
5649 secp256k1_context_destroy(ctx);
5651 printf("no problems found\n");