1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
35 #if !defined(VG_CHECK)
36 # if defined(VALGRIND)
37 # include <valgrind/memcheck.h>
38 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
41 # define VG_UNDEF(x,y)
42 # define VG_CHECK(x,y)
46 static int count = 64;
47 static secp256k1_context *ctx = NULL;
49 static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
57 static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
65 void random_field_element_test(secp256k1_fe *fe) {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
69 if (secp256k1_fe_set_b32(fe, b32)) {
75 void random_field_element_magnitude(secp256k1_fe *fe) {
77 int n = secp256k1_rand_int(9);
78 secp256k1_fe_normalize(fe);
82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
87 CHECK(fe->magnitude == n);
91 void random_group_element_test(secp256k1_ge *ge) {
94 random_field_element_test(&fe);
95 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
96 secp256k1_fe_normalize(&ge->y);
102 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
105 random_field_element_test(&gej->z);
106 if (!secp256k1_fe_is_zero(&gej->z)) {
110 secp256k1_fe_sqr(&z2, &gej->z);
111 secp256k1_fe_mul(&z3, &z2, &gej->z);
112 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
113 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
114 gej->infinity = ge->infinity;
117 void random_scalar_order_test(secp256k1_scalar *num) {
119 unsigned char b32[32];
121 secp256k1_rand256_test(b32);
122 secp256k1_scalar_set_b32(num, b32, &overflow);
123 if (overflow || secp256k1_scalar_is_zero(num)) {
130 void random_scalar_order(secp256k1_scalar *num) {
132 unsigned char b32[32];
134 secp256k1_rand256(b32);
135 secp256k1_scalar_set_b32(num, b32, &overflow);
136 if (overflow || secp256k1_scalar_is_zero(num)) {
143 void run_context_tests(int use_prealloc) {
144 secp256k1_pubkey pubkey;
145 secp256k1_pubkey zero_pubkey;
146 secp256k1_ecdsa_signature sig;
147 unsigned char ctmp[32];
150 secp256k1_context *none;
151 secp256k1_context *sign;
152 secp256k1_context *vrfy;
153 secp256k1_context *both;
154 void *none_prealloc = NULL;
155 void *sign_prealloc = NULL;
156 void *vrfy_prealloc = NULL;
157 void *both_prealloc = NULL;
161 secp256k1_scalar msg, key, nonce;
162 secp256k1_scalar sigr, sigs;
165 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
166 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
167 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
168 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
169 CHECK(none_prealloc != NULL);
170 CHECK(sign_prealloc != NULL);
171 CHECK(vrfy_prealloc != NULL);
172 CHECK(both_prealloc != NULL);
173 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
174 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
175 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
176 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
178 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
179 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
180 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
181 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
184 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
188 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
189 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
190 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
191 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
193 /* check if sizes for cloning are consistent */
194 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
195 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
196 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
197 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
199 /*** clone and destroy all of them to make sure cloning was complete ***/
201 secp256k1_context *ctx_tmp;
204 /* clone into a non-preallocated context and then again into a new preallocated one. */
205 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
206 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
207 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
209 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
210 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
211 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
214 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
215 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
217 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
218 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
219 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
221 /* clone into a preallocated context and then again into a new non-preallocated one. */
224 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
225 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
226 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
229 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
230 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
231 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
234 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
235 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
236 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
239 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
240 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
241 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
246 /* Verify that the error callback makes it across the clone. */
247 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
248 /* And that it resets back to default. */
249 secp256k1_context_set_error_callback(sign, NULL, NULL);
250 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
252 /*** attempt to use them ***/
253 random_scalar_order_test(&msg);
254 random_scalar_order_test(&key);
255 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
256 secp256k1_ge_set_gej(&pub, &pubj);
258 /* Verify context-type checking illegal-argument errors. */
260 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
262 VG_UNDEF(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
264 VG_CHECK(&pubkey, sizeof(pubkey));
265 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
267 VG_UNDEF(&sig, sizeof(sig));
268 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
269 VG_CHECK(&sig, sizeof(sig));
270 CHECK(ecount2 == 10);
271 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
272 CHECK(ecount2 == 11);
273 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
275 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
276 CHECK(ecount2 == 12);
277 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
279 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
280 CHECK(ecount2 == 13);
281 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
283 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
285 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
286 CHECK(ecount2 == 14);
287 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
289 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
291 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
293 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
295 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
296 CHECK(ecount2 == 14);
297 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
298 CHECK(ecount2 == 14);
299 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
300 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
302 /* obtain a working nonce */
304 random_scalar_order_test(&nonce);
305 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
312 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
317 secp256k1_context_preallocated_destroy(none);
318 secp256k1_context_preallocated_destroy(sign);
319 secp256k1_context_preallocated_destroy(vrfy);
320 secp256k1_context_preallocated_destroy(both);
326 secp256k1_context_destroy(none);
327 secp256k1_context_destroy(sign);
328 secp256k1_context_destroy(vrfy);
329 secp256k1_context_destroy(both);
331 /* Defined as no-op. */
332 secp256k1_context_destroy(NULL);
333 secp256k1_context_preallocated_destroy(NULL);
337 void run_scratch_tests(void) {
338 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
343 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
344 secp256k1_scratch_space *scratch;
345 secp256k1_scratch_space local_scratch;
347 /* Test public API */
348 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
349 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
351 scratch = secp256k1_scratch_space_create(none, 1000);
352 CHECK(scratch != NULL);
355 /* Test internal API */
356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
357 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
358 CHECK(scratch->alloc_size == 0);
359 CHECK(scratch->alloc_size % ALIGNMENT == 0);
361 /* Allocating 500 bytes succeeds */
362 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
363 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
365 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
366 CHECK(scratch->alloc_size != 0);
367 CHECK(scratch->alloc_size % ALIGNMENT == 0);
369 /* Allocating another 500 bytes fails */
370 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
372 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
373 CHECK(scratch->alloc_size != 0);
374 CHECK(scratch->alloc_size % ALIGNMENT == 0);
376 /* ...but it succeeds once we apply the checkpoint to undo it */
377 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
378 CHECK(scratch->alloc_size == 0);
379 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
380 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
381 CHECK(scratch->alloc_size != 0);
383 /* try to apply a bad checkpoint */
384 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
385 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
387 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
389 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
392 /* try to use badly initialized scratch space */
393 secp256k1_scratch_space_destroy(none, scratch);
394 memset(&local_scratch, 0, sizeof(local_scratch));
395 scratch = &local_scratch;
396 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
398 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
400 secp256k1_scratch_space_destroy(none, scratch);
404 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
405 secp256k1_context_destroy(none);
408 /***** HASH TESTS *****/
410 void run_sha256_tests(void) {
411 static const char *inputs[8] = {
412 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
413 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
414 "For this sample, this 63-byte string will be used as input data",
415 "This is exactly 64 bytes long, not counting the terminating byte"
417 static const unsigned char outputs[8][32] = {
418 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
419 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
420 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
421 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
422 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
423 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
424 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
425 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
428 for (i = 0; i < 8; i++) {
429 unsigned char out[32];
430 secp256k1_sha256 hasher;
431 secp256k1_sha256_initialize(&hasher);
432 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
433 secp256k1_sha256_finalize(&hasher, out);
434 CHECK(memcmp(out, outputs[i], 32) == 0);
435 if (strlen(inputs[i]) > 0) {
436 int split = secp256k1_rand_int(strlen(inputs[i]));
437 secp256k1_sha256_initialize(&hasher);
438 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
439 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
440 secp256k1_sha256_finalize(&hasher, out);
441 CHECK(memcmp(out, outputs[i], 32) == 0);
446 void run_hmac_sha256_tests(void) {
447 static const char *keys[6] = {
448 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
450 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
451 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
452 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
453 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
455 static const char *inputs[6] = {
456 "\x48\x69\x20\x54\x68\x65\x72\x65",
457 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
458 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
459 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
460 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
461 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
463 static const unsigned char outputs[6][32] = {
464 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
465 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
466 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
467 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
468 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
469 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
472 for (i = 0; i < 6; i++) {
473 secp256k1_hmac_sha256 hasher;
474 unsigned char out[32];
475 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
476 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
477 secp256k1_hmac_sha256_finalize(&hasher, out);
478 CHECK(memcmp(out, outputs[i], 32) == 0);
479 if (strlen(inputs[i]) > 0) {
480 int split = secp256k1_rand_int(strlen(inputs[i]));
481 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
482 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
483 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
484 secp256k1_hmac_sha256_finalize(&hasher, out);
485 CHECK(memcmp(out, outputs[i], 32) == 0);
490 void run_rfc6979_hmac_sha256_tests(void) {
491 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
492 static const unsigned char out1[3][32] = {
493 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
494 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
495 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
498 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
499 static const unsigned char out2[3][32] = {
500 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
501 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
502 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
505 secp256k1_rfc6979_hmac_sha256 rng;
506 unsigned char out[32];
509 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
510 for (i = 0; i < 3; i++) {
511 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
512 CHECK(memcmp(out, out1[i], 32) == 0);
514 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
516 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
517 for (i = 0; i < 3; i++) {
518 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
519 CHECK(memcmp(out, out1[i], 32) != 0);
521 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
523 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
524 for (i = 0; i < 3; i++) {
525 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
526 CHECK(memcmp(out, out2[i], 32) == 0);
528 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
531 /***** RANDOM TESTS *****/
533 void test_rand_bits(int rand32, int bits) {
534 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
535 * get a false negative chance below once in a billion */
536 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
537 /* We try multiplying the results with various odd numbers, which shouldn't
538 * influence the uniform distribution modulo a power of 2. */
539 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
540 /* We only select up to 6 bits from the output to analyse */
541 unsigned int usebits = bits > 6 ? 6 : bits;
542 unsigned int maxshift = bits - usebits;
543 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
544 number, track all observed outcomes, one per bit in a uint64_t. */
545 uint64_t x[6][27] = {{0}};
546 unsigned int i, shift, m;
547 /* Multiply the output of all rand calls with the odd number m, which
548 should not change the uniformity of its distribution. */
549 for (i = 0; i < rounds[usebits]; i++) {
550 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
551 CHECK((((uint64_t)r) >> bits) == 0);
552 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
553 uint32_t rm = r * mults[m];
554 for (shift = 0; shift <= maxshift; shift++) {
555 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
559 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
560 for (shift = 0; shift <= maxshift; shift++) {
561 /* Test that the lower usebits bits of x[shift] are 1 */
562 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
567 /* Subrange must be a whole divisor of range, and at most 64 */
568 void test_rand_int(uint32_t range, uint32_t subrange) {
569 /* (1-1/subrange)^rounds < 1/10^9 */
570 int rounds = (subrange * 2073) / 100;
573 CHECK((range % subrange) == 0);
574 for (i = 0; i < rounds; i++) {
575 uint32_t r = secp256k1_rand_int(range);
578 x |= (((uint64_t)1) << r);
580 /* Test that the lower subrange bits of x are 1. */
581 CHECK(((~x) << (64 - subrange)) == 0);
584 void run_rand_bits(void) {
586 test_rand_bits(1, 32);
587 for (b = 1; b <= 32; b++) {
588 test_rand_bits(0, b);
592 void run_rand_int(void) {
593 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
594 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
596 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
597 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
598 test_rand_int(ms[m] * ss[s], ss[s]);
603 /***** NUM TESTS *****/
606 void random_num_negate(secp256k1_num *num) {
607 if (secp256k1_rand_bits(1)) {
608 secp256k1_num_negate(num);
612 void random_num_order_test(secp256k1_num *num) {
614 random_scalar_order_test(&sc);
615 secp256k1_scalar_get_num(num, &sc);
618 void random_num_order(secp256k1_num *num) {
620 random_scalar_order(&sc);
621 secp256k1_scalar_get_num(num, &sc);
624 void test_num_negate(void) {
627 random_num_order_test(&n1); /* n1 = R */
628 random_num_negate(&n1);
629 secp256k1_num_copy(&n2, &n1); /* n2 = R */
630 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
631 CHECK(secp256k1_num_is_zero(&n1));
632 secp256k1_num_copy(&n1, &n2); /* n1 = R */
633 secp256k1_num_negate(&n1); /* n1 = -R */
634 CHECK(!secp256k1_num_is_zero(&n1));
635 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
636 CHECK(secp256k1_num_is_zero(&n1));
637 secp256k1_num_copy(&n1, &n2); /* n1 = R */
638 secp256k1_num_negate(&n1); /* n1 = -R */
639 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
640 secp256k1_num_negate(&n1); /* n1 = R */
641 CHECK(secp256k1_num_eq(&n1, &n2));
644 void test_num_add_sub(void) {
649 secp256k1_num n1p2, n2p1, n1m2, n2m1;
650 random_num_order_test(&n1); /* n1 = R1 */
651 if (secp256k1_rand_bits(1)) {
652 random_num_negate(&n1);
654 random_num_order_test(&n2); /* n2 = R2 */
655 if (secp256k1_rand_bits(1)) {
656 random_num_negate(&n2);
658 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
659 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
660 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
661 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
662 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
663 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
664 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
665 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
666 CHECK(!secp256k1_num_eq(&n2m1, &n1));
667 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
668 CHECK(secp256k1_num_eq(&n2m1, &n1));
669 CHECK(!secp256k1_num_eq(&n2p1, &n1));
670 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
671 CHECK(secp256k1_num_eq(&n2p1, &n1));
674 secp256k1_scalar_set_int(&s, 1);
675 secp256k1_scalar_get_num(&n1, &s);
676 CHECK(secp256k1_num_is_one(&n1));
677 /* check that 2^n + 1 is never 1 */
678 secp256k1_scalar_get_num(&n2, &s);
679 for (i = 0; i < 250; ++i) {
680 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
681 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
682 CHECK(!secp256k1_num_is_one(&n1p2));
686 void test_num_mod(void) {
689 secp256k1_num order, n;
691 /* check that 0 mod anything is 0 */
692 random_scalar_order_test(&s);
693 secp256k1_scalar_get_num(&order, &s);
694 secp256k1_scalar_set_int(&s, 0);
695 secp256k1_scalar_get_num(&n, &s);
696 secp256k1_num_mod(&n, &order);
697 CHECK(secp256k1_num_is_zero(&n));
699 /* check that anything mod 1 is 0 */
700 secp256k1_scalar_set_int(&s, 1);
701 secp256k1_scalar_get_num(&order, &s);
702 secp256k1_scalar_get_num(&n, &s);
703 secp256k1_num_mod(&n, &order);
704 CHECK(secp256k1_num_is_zero(&n));
706 /* check that increasing the number past 2^256 does not break this */
707 random_scalar_order_test(&s);
708 secp256k1_scalar_get_num(&n, &s);
709 /* multiply by 2^8, which'll test this case with high probability */
710 for (i = 0; i < 8; ++i) {
711 secp256k1_num_add(&n, &n, &n);
713 secp256k1_num_mod(&n, &order);
714 CHECK(secp256k1_num_is_zero(&n));
717 void test_num_jacobi(void) {
718 secp256k1_scalar sqr;
719 secp256k1_scalar small;
720 secp256k1_scalar five; /* five is not a quadratic residue */
721 secp256k1_num order, n;
723 /* squares mod 5 are 1, 4 */
724 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
726 /* check some small values with 5 as the order */
727 secp256k1_scalar_set_int(&five, 5);
728 secp256k1_scalar_get_num(&order, &five);
729 for (i = 0; i < 10; ++i) {
730 secp256k1_scalar_set_int(&small, i);
731 secp256k1_scalar_get_num(&n, &small);
732 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
735 /** test large values with 5 as group order */
736 secp256k1_scalar_get_num(&order, &five);
737 /* we first need a scalar which is not a multiple of 5 */
740 random_scalar_order_test(&sqr);
741 secp256k1_scalar_get_num(&fiven, &five);
742 secp256k1_scalar_get_num(&n, &sqr);
743 secp256k1_num_mod(&n, &fiven);
744 } while (secp256k1_num_is_zero(&n));
745 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
746 * just multiply by two, i.e. add the number to itself */
747 if (secp256k1_num_jacobi(&n, &order) == -1) {
748 secp256k1_num_add(&n, &n, &n);
752 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
753 /* test nonresidue */
754 secp256k1_num_add(&n, &n, &n);
755 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
757 /** test with secp group order as order */
758 secp256k1_scalar_order_get_num(&order);
759 random_scalar_order_test(&sqr);
760 secp256k1_scalar_sqr(&sqr, &sqr);
762 secp256k1_scalar_get_num(&n, &sqr);
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_scalar_mul(&sqr, &sqr, &five);
766 secp256k1_scalar_get_num(&n, &sqr);
767 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
768 /* test multiple of the order*/
769 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
771 /* check one less than the order */
772 secp256k1_scalar_set_int(&small, 1);
773 secp256k1_scalar_get_num(&n, &small);
774 secp256k1_num_sub(&n, &order, &n);
775 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
778 void run_num_smalltests(void) {
780 for (i = 0; i < 100*count; i++) {
789 /***** SCALAR TESTS *****/
791 void scalar_test(void) {
796 secp256k1_num snum, s1num, s2num;
797 secp256k1_num order, half_order;
801 /* Set 's' to a random scalar, with value 'snum'. */
802 random_scalar_order_test(&s);
804 /* Set 's1' to a random scalar, with value 's1num'. */
805 random_scalar_order_test(&s1);
807 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
808 random_scalar_order_test(&s2);
809 secp256k1_scalar_get_b32(c, &s2);
812 secp256k1_scalar_get_num(&snum, &s);
813 secp256k1_scalar_get_num(&s1num, &s1);
814 secp256k1_scalar_get_num(&s2num, &s2);
816 secp256k1_scalar_order_get_num(&order);
818 secp256k1_num_shift(&half_order, 1);
823 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
825 secp256k1_scalar_set_int(&n, 0);
826 for (i = 0; i < 256; i += 4) {
829 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
830 for (j = 0; j < 4; j++) {
831 secp256k1_scalar_add(&n, &n, &n);
833 secp256k1_scalar_add(&n, &n, &t);
835 CHECK(secp256k1_scalar_eq(&n, &s));
839 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
842 secp256k1_scalar_set_int(&n, 0);
846 int now = secp256k1_rand_int(15) + 1;
850 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
851 for (j = 0; j < now; j++) {
852 secp256k1_scalar_add(&n, &n, &n);
854 secp256k1_scalar_add(&n, &n, &t);
857 CHECK(secp256k1_scalar_eq(&n, &s));
862 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
866 secp256k1_num_add(&rnum, &snum, &s2num);
867 secp256k1_num_mod(&rnum, &order);
868 secp256k1_scalar_add(&r, &s, &s2);
869 secp256k1_scalar_get_num(&r2num, &r);
870 CHECK(secp256k1_num_eq(&rnum, &r2num));
874 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
878 secp256k1_num_mul(&rnum, &snum, &s2num);
879 secp256k1_num_mod(&rnum, &order);
880 secp256k1_scalar_mul(&r, &s, &s2);
881 secp256k1_scalar_get_num(&r2num, &r);
882 CHECK(secp256k1_num_eq(&rnum, &r2num));
883 /* The result can only be zero if at least one of the factors was zero. */
884 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
885 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
886 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
887 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
891 secp256k1_scalar neg;
892 secp256k1_num negnum;
893 secp256k1_num negnum2;
894 /* Check that comparison with zero matches comparison with zero on the number. */
895 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
896 /* Check that comparison with the half order is equal to testing for high scalar. */
897 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
898 secp256k1_scalar_negate(&neg, &s);
899 secp256k1_num_sub(&negnum, &order, &snum);
900 secp256k1_num_mod(&negnum, &order);
901 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
902 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
903 /* Negating should change the high property, unless the value was already zero. */
904 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
905 secp256k1_scalar_get_num(&negnum2, &neg);
906 /* Negating a scalar should be equal to (order - n) mod order on the number. */
907 CHECK(secp256k1_num_eq(&negnum, &negnum2));
908 secp256k1_scalar_add(&neg, &neg, &s);
909 /* Adding a number to its negation should result in zero. */
910 CHECK(secp256k1_scalar_is_zero(&neg));
911 secp256k1_scalar_negate(&neg, &neg);
912 /* Negating zero should still result in zero. */
913 CHECK(secp256k1_scalar_is_zero(&neg));
917 /* Test secp256k1_scalar_mul_shift_var. */
922 unsigned char cone[1] = {0x01};
923 unsigned int shift = 256 + secp256k1_rand_int(257);
924 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
925 secp256k1_num_mul(&rnum, &s1num, &s2num);
926 secp256k1_num_shift(&rnum, shift - 1);
927 secp256k1_num_set_bin(&one, cone, 1);
928 secp256k1_num_add(&rnum, &rnum, &one);
929 secp256k1_num_shift(&rnum, 1);
930 secp256k1_scalar_get_num(&rnum2, &r);
931 CHECK(secp256k1_num_eq(&rnum, &rnum2));
935 /* test secp256k1_scalar_shr_int */
938 random_scalar_order_test(&r);
939 for (i = 0; i < 100; ++i) {
941 int shift = 1 + secp256k1_rand_int(15);
942 int expected = r.d[0] % (1 << shift);
943 low = secp256k1_scalar_shr_int(&r, shift);
944 CHECK(expected == low);
950 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
951 if (!secp256k1_scalar_is_zero(&s)) {
952 secp256k1_scalar inv;
954 secp256k1_num invnum;
955 secp256k1_num invnum2;
957 secp256k1_scalar_inverse(&inv, &s);
959 secp256k1_num_mod_inverse(&invnum, &snum, &order);
960 secp256k1_scalar_get_num(&invnum2, &inv);
961 CHECK(secp256k1_num_eq(&invnum, &invnum2));
963 secp256k1_scalar_mul(&inv, &inv, &s);
964 /* Multiplying a scalar with its inverse must result in one. */
965 CHECK(secp256k1_scalar_is_one(&inv));
966 secp256k1_scalar_inverse(&inv, &inv);
967 /* Inverting one must result in one. */
968 CHECK(secp256k1_scalar_is_one(&inv));
970 secp256k1_scalar_get_num(&invnum, &inv);
971 CHECK(secp256k1_num_is_one(&invnum));
977 /* Test commutativity of add. */
978 secp256k1_scalar r1, r2;
979 secp256k1_scalar_add(&r1, &s1, &s2);
980 secp256k1_scalar_add(&r2, &s2, &s1);
981 CHECK(secp256k1_scalar_eq(&r1, &r2));
985 secp256k1_scalar r1, r2;
989 int bit = secp256k1_rand_bits(8);
990 secp256k1_scalar_set_int(&b, 1);
991 CHECK(secp256k1_scalar_is_one(&b));
992 for (i = 0; i < bit; i++) {
993 secp256k1_scalar_add(&b, &b, &b);
997 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
998 /* No overflow happened. */
999 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1000 CHECK(secp256k1_scalar_eq(&r1, &r2));
1001 /* cadd is a noop when flag is zero */
1002 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1003 CHECK(secp256k1_scalar_eq(&r1, &r2));
1008 /* Test commutativity of mul. */
1009 secp256k1_scalar r1, r2;
1010 secp256k1_scalar_mul(&r1, &s1, &s2);
1011 secp256k1_scalar_mul(&r2, &s2, &s1);
1012 CHECK(secp256k1_scalar_eq(&r1, &r2));
1016 /* Test associativity of add. */
1017 secp256k1_scalar r1, r2;
1018 secp256k1_scalar_add(&r1, &s1, &s2);
1019 secp256k1_scalar_add(&r1, &r1, &s);
1020 secp256k1_scalar_add(&r2, &s2, &s);
1021 secp256k1_scalar_add(&r2, &s1, &r2);
1022 CHECK(secp256k1_scalar_eq(&r1, &r2));
1026 /* Test associativity of mul. */
1027 secp256k1_scalar r1, r2;
1028 secp256k1_scalar_mul(&r1, &s1, &s2);
1029 secp256k1_scalar_mul(&r1, &r1, &s);
1030 secp256k1_scalar_mul(&r2, &s2, &s);
1031 secp256k1_scalar_mul(&r2, &s1, &r2);
1032 CHECK(secp256k1_scalar_eq(&r1, &r2));
1036 /* Test distributitivity of mul over add. */
1037 secp256k1_scalar r1, r2, t;
1038 secp256k1_scalar_add(&r1, &s1, &s2);
1039 secp256k1_scalar_mul(&r1, &r1, &s);
1040 secp256k1_scalar_mul(&r2, &s1, &s);
1041 secp256k1_scalar_mul(&t, &s2, &s);
1042 secp256k1_scalar_add(&r2, &r2, &t);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
1048 secp256k1_scalar r1, r2;
1049 secp256k1_scalar_sqr(&r1, &s1);
1050 secp256k1_scalar_mul(&r2, &s1, &s1);
1051 CHECK(secp256k1_scalar_eq(&r1, &r2));
1055 /* Test multiplicative identity. */
1056 secp256k1_scalar r1, v1;
1057 secp256k1_scalar_set_int(&v1,1);
1058 secp256k1_scalar_mul(&r1, &s1, &v1);
1059 CHECK(secp256k1_scalar_eq(&r1, &s1));
1063 /* Test additive identity. */
1064 secp256k1_scalar r1, v0;
1065 secp256k1_scalar_set_int(&v0,0);
1066 secp256k1_scalar_add(&r1, &s1, &v0);
1067 CHECK(secp256k1_scalar_eq(&r1, &s1));
1071 /* Test zero product property. */
1072 secp256k1_scalar r1, v0;
1073 secp256k1_scalar_set_int(&v0,0);
1074 secp256k1_scalar_mul(&r1, &s1, &v0);
1075 CHECK(secp256k1_scalar_eq(&r1, &v0));
1080 void run_scalar_tests(void) {
1082 for (i = 0; i < 128 * count; i++) {
1087 /* (-1)+1 should be zero. */
1088 secp256k1_scalar s, o;
1089 secp256k1_scalar_set_int(&s, 1);
1090 CHECK(secp256k1_scalar_is_one(&s));
1091 secp256k1_scalar_negate(&o, &s);
1092 secp256k1_scalar_add(&o, &o, &s);
1093 CHECK(secp256k1_scalar_is_zero(&o));
1094 secp256k1_scalar_negate(&o, &o);
1095 CHECK(secp256k1_scalar_is_zero(&o));
1098 #ifndef USE_NUM_NONE
1100 /* A scalar with value of the curve order should be 0. */
1101 secp256k1_num order;
1102 secp256k1_scalar zero;
1103 unsigned char bin[32];
1105 secp256k1_scalar_order_get_num(&order);
1106 secp256k1_num_get_bin(bin, 32, &order);
1107 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1108 CHECK(overflow == 1);
1109 CHECK(secp256k1_scalar_is_zero(&zero));
1114 /* Does check_overflow check catch all ones? */
1115 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1116 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1117 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1119 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1123 /* Static test vectors.
1124 * These were reduced from ~10^12 random vectors based on comparison-decision
1125 * and edge-case coverage on 32-bit and 64-bit implementations.
1126 * The responses were generated with Sage 5.9.
1131 secp256k1_scalar zz;
1132 secp256k1_scalar one;
1133 secp256k1_scalar r1;
1134 secp256k1_scalar r2;
1135 #if defined(USE_SCALAR_INV_NUM)
1136 secp256k1_scalar zzv;
1139 unsigned char chal[33][2][32] = {
1140 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1143 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1148 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1149 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1152 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1154 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1155 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1156 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1158 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1159 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1160 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1161 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1163 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1164 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1168 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1169 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1170 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1171 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1172 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1173 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1174 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1176 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1177 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1179 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1180 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1181 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1182 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1183 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1184 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1185 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1186 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1188 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1189 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1190 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1191 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1192 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1196 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1197 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1198 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1200 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1201 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1204 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1205 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1208 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1212 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1215 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1216 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1217 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1218 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1220 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1221 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1223 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1224 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1228 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1229 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1231 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1234 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1240 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1241 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1242 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1243 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1244 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1248 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1250 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1252 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1253 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1256 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1260 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1262 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1264 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1267 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1270 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1271 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1272 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1273 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1274 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1276 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1278 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1280 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1281 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1283 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1284 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1286 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1288 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1290 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1291 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1292 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1293 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1294 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1296 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1297 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1298 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1300 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1304 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1306 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1307 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1308 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1312 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1316 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1320 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1322 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1324 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1325 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1328 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1329 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1331 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1332 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1335 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1336 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1340 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1342 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1343 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1344 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1348 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1349 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1350 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1351 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1352 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1354 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1355 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1356 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1357 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1358 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1359 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1360 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1361 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1364 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1365 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1366 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1368 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1370 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1371 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1372 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1373 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1374 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1376 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1377 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1378 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1380 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1381 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1383 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1384 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1386 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1387 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1388 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1389 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1390 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1391 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1392 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1394 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1395 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1396 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1397 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1398 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1399 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1400 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1401 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1402 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1403 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1405 unsigned char res[33][2][32] = {
1406 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1407 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1408 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1409 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1410 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1411 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1412 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1413 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1414 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1415 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1416 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1417 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1418 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1419 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1420 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1421 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1422 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1423 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1424 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1425 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1426 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1427 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1428 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1429 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1430 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1431 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1432 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1433 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1434 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1435 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1436 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1437 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1438 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1439 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1440 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1441 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1442 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1443 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1444 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1445 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1446 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1447 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1448 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1449 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1450 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1451 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1452 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1453 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1454 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1455 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1456 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1457 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1458 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1459 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1460 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1461 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1462 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1463 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1464 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1465 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1466 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1467 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1468 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1469 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1470 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1471 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1472 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1473 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1474 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1475 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1476 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1477 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1478 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1479 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1480 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1481 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1482 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1483 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1484 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1485 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1486 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1487 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1488 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1489 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1490 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1491 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1492 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1493 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1494 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1495 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1496 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1497 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1498 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1499 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1500 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1501 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1502 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1503 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1504 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1505 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1506 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1507 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1508 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1509 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1510 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1511 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1512 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1513 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1514 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1515 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1516 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1517 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1518 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1519 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1520 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1521 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1522 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1523 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1524 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1525 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1526 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1527 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1528 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1529 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1530 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1531 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1532 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1533 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1534 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1535 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1536 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1537 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1538 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1539 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1540 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1541 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1542 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1543 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1544 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1545 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1546 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1547 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1548 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1549 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1550 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1551 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1552 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1553 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1554 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1555 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1556 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1557 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1558 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1559 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1560 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1561 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1562 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1563 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1564 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1565 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1566 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1570 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1574 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1578 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1582 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1583 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1584 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1585 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1586 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1587 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1588 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1589 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1590 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1591 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1592 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1593 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1594 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1595 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1596 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1597 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1598 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1600 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1601 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1602 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1603 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1604 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1605 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1606 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1608 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1609 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1610 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1614 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1615 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1616 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1617 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1618 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1619 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1620 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1621 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1622 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1623 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1624 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1625 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1626 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1627 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1628 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1629 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1630 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1631 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1632 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1633 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1634 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1635 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1636 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1637 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1638 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1639 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1640 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1641 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1642 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1643 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1644 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1645 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1646 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1647 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1648 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1649 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1650 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1651 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1652 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1653 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1654 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1655 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1656 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1657 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1658 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1659 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1660 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1661 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1662 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1663 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1664 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1665 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1666 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1667 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1668 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1669 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1671 secp256k1_scalar_set_int(&one, 1);
1672 for (i = 0; i < 33; i++) {
1673 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1675 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1677 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1679 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1681 secp256k1_scalar_mul(&z, &x, &y);
1682 CHECK(!secp256k1_scalar_check_overflow(&z));
1683 CHECK(secp256k1_scalar_eq(&r1, &z));
1684 if (!secp256k1_scalar_is_zero(&y)) {
1685 secp256k1_scalar_inverse(&zz, &y);
1686 CHECK(!secp256k1_scalar_check_overflow(&zz));
1687 #if defined(USE_SCALAR_INV_NUM)
1688 secp256k1_scalar_inverse_var(&zzv, &y);
1689 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1691 secp256k1_scalar_mul(&z, &z, &zz);
1692 CHECK(!secp256k1_scalar_check_overflow(&z));
1693 CHECK(secp256k1_scalar_eq(&x, &z));
1694 secp256k1_scalar_mul(&zz, &zz, &y);
1695 CHECK(!secp256k1_scalar_check_overflow(&zz));
1696 CHECK(secp256k1_scalar_eq(&one, &zz));
1698 secp256k1_scalar_mul(&z, &x, &x);
1699 CHECK(!secp256k1_scalar_check_overflow(&z));
1700 secp256k1_scalar_sqr(&zz, &x);
1701 CHECK(!secp256k1_scalar_check_overflow(&zz));
1702 CHECK(secp256k1_scalar_eq(&zz, &z));
1703 CHECK(secp256k1_scalar_eq(&r2, &zz));
1708 /***** FIELD TESTS *****/
1710 void random_fe(secp256k1_fe *x) {
1711 unsigned char bin[32];
1713 secp256k1_rand256(bin);
1714 if (secp256k1_fe_set_b32(x, bin)) {
1720 void random_fe_test(secp256k1_fe *x) {
1721 unsigned char bin[32];
1723 secp256k1_rand256_test(bin);
1724 if (secp256k1_fe_set_b32(x, bin)) {
1730 void random_fe_non_zero(secp256k1_fe *nz) {
1732 while (--tries >= 0) {
1734 secp256k1_fe_normalize(nz);
1735 if (!secp256k1_fe_is_zero(nz)) {
1739 /* Infinitesimal probability of spurious failure here */
1743 void random_fe_non_square(secp256k1_fe *ns) {
1745 random_fe_non_zero(ns);
1746 if (secp256k1_fe_sqrt(&r, ns)) {
1747 secp256k1_fe_negate(ns, ns, 1);
1751 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1752 secp256k1_fe an = *a;
1753 secp256k1_fe bn = *b;
1754 secp256k1_fe_normalize_weak(&an);
1755 secp256k1_fe_normalize_var(&bn);
1756 return secp256k1_fe_equal_var(&an, &bn);
1759 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1761 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1762 secp256k1_fe_mul(&x, a, ai);
1763 return check_fe_equal(&x, &one);
1766 void run_field_convert(void) {
1767 static const unsigned char b32[32] = {
1768 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1769 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1770 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1771 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1773 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1774 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1775 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1777 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1778 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1779 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1782 unsigned char b322[32];
1783 secp256k1_fe_storage fes2;
1784 /* Check conversions to fe. */
1785 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1786 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1787 secp256k1_fe_from_storage(&fe2, &fes);
1788 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1789 /* Check conversion from fe. */
1790 secp256k1_fe_get_b32(b322, &fe);
1791 CHECK(memcmp(b322, b32, 32) == 0);
1792 secp256k1_fe_to_storage(&fes2, &fe);
1793 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1796 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1797 secp256k1_fe t = *b;
1799 t.magnitude = a->magnitude;
1800 t.normalized = a->normalized;
1802 return memcmp(a, &t, sizeof(secp256k1_fe));
1805 void run_field_misc(void) {
1810 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1812 for (i = 0; i < 5*count; i++) {
1813 secp256k1_fe_storage xs, ys, zs;
1815 random_fe_non_zero(&y);
1816 /* Test the fe equality and comparison operations. */
1817 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1818 CHECK(secp256k1_fe_equal_var(&x, &x));
1820 secp256k1_fe_add(&z,&y);
1821 /* Test fe conditional move; z is not normalized here. */
1823 secp256k1_fe_cmov(&x, &z, 0);
1825 CHECK(x.normalized && x.magnitude == 1);
1827 secp256k1_fe_cmov(&x, &x, 1);
1828 CHECK(fe_memcmp(&x, &z) != 0);
1829 CHECK(fe_memcmp(&x, &q) == 0);
1830 secp256k1_fe_cmov(&q, &z, 1);
1832 CHECK(!q.normalized && q.magnitude == z.magnitude);
1834 CHECK(fe_memcmp(&q, &z) == 0);
1835 secp256k1_fe_normalize_var(&x);
1836 secp256k1_fe_normalize_var(&z);
1837 CHECK(!secp256k1_fe_equal_var(&x, &z));
1838 secp256k1_fe_normalize_var(&q);
1839 secp256k1_fe_cmov(&q, &z, (i&1));
1841 CHECK(q.normalized && q.magnitude == 1);
1843 for (j = 0; j < 6; j++) {
1844 secp256k1_fe_negate(&z, &z, j+1);
1845 secp256k1_fe_normalize_var(&q);
1846 secp256k1_fe_cmov(&q, &z, (j&1));
1848 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1851 secp256k1_fe_normalize_var(&z);
1852 /* Test storage conversion and conditional moves. */
1853 secp256k1_fe_to_storage(&xs, &x);
1854 secp256k1_fe_to_storage(&ys, &y);
1855 secp256k1_fe_to_storage(&zs, &z);
1856 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1857 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1858 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1859 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1860 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1861 secp256k1_fe_from_storage(&x, &xs);
1862 secp256k1_fe_from_storage(&y, &ys);
1863 secp256k1_fe_from_storage(&z, &zs);
1864 /* Test that mul_int, mul, and add agree. */
1865 secp256k1_fe_add(&y, &x);
1866 secp256k1_fe_add(&y, &x);
1868 secp256k1_fe_mul_int(&z, 3);
1869 CHECK(check_fe_equal(&y, &z));
1870 secp256k1_fe_add(&y, &x);
1871 secp256k1_fe_add(&z, &x);
1872 CHECK(check_fe_equal(&z, &y));
1874 secp256k1_fe_mul_int(&z, 5);
1875 secp256k1_fe_mul(&q, &x, &fe5);
1876 CHECK(check_fe_equal(&z, &q));
1877 secp256k1_fe_negate(&x, &x, 1);
1878 secp256k1_fe_add(&z, &x);
1879 secp256k1_fe_add(&q, &x);
1880 CHECK(check_fe_equal(&y, &z));
1881 CHECK(check_fe_equal(&q, &y));
1885 void run_field_inv(void) {
1886 secp256k1_fe x, xi, xii;
1888 for (i = 0; i < 10*count; i++) {
1889 random_fe_non_zero(&x);
1890 secp256k1_fe_inv(&xi, &x);
1891 CHECK(check_fe_inverse(&x, &xi));
1892 secp256k1_fe_inv(&xii, &xi);
1893 CHECK(check_fe_equal(&x, &xii));
1897 void run_field_inv_var(void) {
1898 secp256k1_fe x, xi, xii;
1900 for (i = 0; i < 10*count; i++) {
1901 random_fe_non_zero(&x);
1902 secp256k1_fe_inv_var(&xi, &x);
1903 CHECK(check_fe_inverse(&x, &xi));
1904 secp256k1_fe_inv_var(&xii, &xi);
1905 CHECK(check_fe_equal(&x, &xii));
1909 void run_field_inv_all_var(void) {
1910 secp256k1_fe x[16], xi[16], xii[16];
1912 /* Check it's safe to call for 0 elements */
1913 secp256k1_fe_inv_all_var(xi, x, 0);
1914 for (i = 0; i < count; i++) {
1916 size_t len = secp256k1_rand_int(15) + 1;
1917 for (j = 0; j < len; j++) {
1918 random_fe_non_zero(&x[j]);
1920 secp256k1_fe_inv_all_var(xi, x, len);
1921 for (j = 0; j < len; j++) {
1922 CHECK(check_fe_inverse(&x[j], &xi[j]));
1924 secp256k1_fe_inv_all_var(xii, xi, len);
1925 for (j = 0; j < len; j++) {
1926 CHECK(check_fe_equal(&x[j], &xii[j]));
1931 void run_sqr(void) {
1936 secp256k1_fe_set_int(&x, 1);
1937 secp256k1_fe_negate(&x, &x, 1);
1939 for (i = 1; i <= 512; ++i) {
1940 secp256k1_fe_mul_int(&x, 2);
1941 secp256k1_fe_normalize(&x);
1942 secp256k1_fe_sqr(&s, &x);
1947 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1948 secp256k1_fe r1, r2;
1949 int v = secp256k1_fe_sqrt(&r1, a);
1950 CHECK((v == 0) == (k == NULL));
1953 /* Check that the returned root is +/- the given known answer */
1954 secp256k1_fe_negate(&r2, &r1, 1);
1955 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1956 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1957 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1961 void run_sqrt(void) {
1962 secp256k1_fe ns, x, s, t;
1965 /* Check sqrt(0) is 0 */
1966 secp256k1_fe_set_int(&x, 0);
1967 secp256k1_fe_sqr(&s, &x);
1970 /* Check sqrt of small squares (and their negatives) */
1971 for (i = 1; i <= 100; i++) {
1972 secp256k1_fe_set_int(&x, i);
1973 secp256k1_fe_sqr(&s, &x);
1975 secp256k1_fe_negate(&t, &s, 1);
1976 test_sqrt(&t, NULL);
1979 /* Consistency checks for large random values */
1980 for (i = 0; i < 10; i++) {
1982 random_fe_non_square(&ns);
1983 for (j = 0; j < count; j++) {
1985 secp256k1_fe_sqr(&s, &x);
1987 secp256k1_fe_negate(&t, &s, 1);
1988 test_sqrt(&t, NULL);
1989 secp256k1_fe_mul(&t, &s, &ns);
1990 test_sqrt(&t, NULL);
1995 /***** GROUP TESTS *****/
1997 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1998 CHECK(a->infinity == b->infinity);
2002 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2003 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2006 /* This compares jacobian points including their Z, not just their geometric meaning. */
2007 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2011 ret &= a->infinity == b->infinity;
2012 if (ret && !a->infinity) {
2015 secp256k1_fe_normalize(&a2.x);
2016 secp256k1_fe_normalize(&a2.y);
2017 secp256k1_fe_normalize(&a2.z);
2018 secp256k1_fe_normalize(&b2.x);
2019 secp256k1_fe_normalize(&b2.y);
2020 secp256k1_fe_normalize(&b2.z);
2021 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2022 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2023 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2028 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2030 secp256k1_fe u1, u2, s1, s2;
2031 CHECK(a->infinity == b->infinity);
2035 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2036 secp256k1_fe_sqr(&z2s, &b->z);
2037 secp256k1_fe_mul(&u1, &a->x, &z2s);
2038 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2039 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2040 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2041 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2042 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2045 void test_ge(void) {
2047 #ifdef USE_ENDOMORPHISM
2052 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2053 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2054 * All magnitudes are randomized.
2055 * All 17*17 combinations of points are added to each other, using all applicable methods.
2057 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
2059 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2060 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2061 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2063 secp256k1_fe zfi2, zfi3;
2065 secp256k1_gej_set_infinity(&gej[0]);
2066 secp256k1_ge_clear(&ge[0]);
2067 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2068 for (i = 0; i < runs; i++) {
2071 random_group_element_test(&g);
2072 #ifdef USE_ENDOMORPHISM
2073 if (i >= runs - 2) {
2074 secp256k1_ge_mul_lambda(&g, &ge[1]);
2076 if (i >= runs - 1) {
2077 secp256k1_ge_mul_lambda(&g, &g);
2082 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2083 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2084 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2085 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2086 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2087 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2088 for (j = 0; j < 4; j++) {
2089 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2090 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2091 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2092 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2093 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2097 /* Compute z inverses. */
2099 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2100 for (i = 0; i < 4 * runs + 1; i++) {
2102 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2104 random_field_element_test(&zs[i]);
2105 } while(secp256k1_fe_is_zero(&zs[i]));
2110 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2114 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2116 random_field_element_test(&zf);
2117 } while(secp256k1_fe_is_zero(&zf));
2118 random_field_element_magnitude(&zf);
2119 secp256k1_fe_inv_var(&zfi3, &zf);
2120 secp256k1_fe_sqr(&zfi2, &zfi3);
2121 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2123 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2125 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2126 /* Compute reference result using gej + gej (var). */
2127 secp256k1_gej refj, resj;
2130 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2131 /* Check Z ratio. */
2132 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2133 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2134 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2136 secp256k1_ge_set_gej_var(&ref, &refj);
2138 /* Test gej + ge with Z ratio result (var). */
2139 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2140 ge_equals_gej(&ref, &resj);
2141 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2142 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2143 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2146 /* Test gej + ge (var, with additional Z factor). */
2148 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2149 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2150 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2151 random_field_element_magnitude(&ge2_zfi.x);
2152 random_field_element_magnitude(&ge2_zfi.y);
2153 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2154 ge_equals_gej(&ref, &resj);
2157 /* Test gej + ge (const). */
2159 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2160 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2161 ge_equals_gej(&ref, &resj);
2164 /* Test doubling (var). */
2165 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2167 /* Normal doubling with Z ratio result. */
2168 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2169 ge_equals_gej(&ref, &resj);
2170 /* Check Z ratio. */
2171 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2172 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2173 /* Normal doubling. */
2174 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2175 ge_equals_gej(&ref, &resj);
2178 /* Test adding opposites. */
2179 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2180 CHECK(secp256k1_ge_is_infinity(&ref));
2183 /* Test adding infinity. */
2185 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2186 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2187 ge_equals_gej(&ref, &gej[i2]);
2190 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2191 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2192 ge_equals_gej(&ref, &gej[i1]);
2197 /* Test adding all points together in random order equals infinity. */
2199 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2200 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2201 for (i = 0; i < 4 * runs + 1; i++) {
2202 gej_shuffled[i] = gej[i];
2204 for (i = 0; i < 4 * runs + 1; i++) {
2205 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2207 secp256k1_gej t = gej_shuffled[i];
2208 gej_shuffled[i] = gej_shuffled[swap];
2209 gej_shuffled[swap] = t;
2212 for (i = 0; i < 4 * runs + 1; i++) {
2213 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2215 CHECK(secp256k1_gej_is_infinity(&sum));
2219 /* Test batch gej -> ge conversion with and without known z ratios. */
2221 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2222 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2223 for (i = 0; i < 4 * runs + 1; i++) {
2224 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2226 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2229 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2230 for (i = 0; i < 4 * runs + 1; i++) {
2232 random_fe_non_zero(&s);
2233 secp256k1_gej_rescale(&gej[i], &s);
2234 ge_equals_gej(&ge_set_all[i], &gej[i]);
2240 /* Test batch gej -> ge conversion with many infinities. */
2241 for (i = 0; i < 4 * runs + 1; i++) {
2242 random_group_element_test(&ge[i]);
2243 /* randomly set half the points to infinity */
2244 if(secp256k1_fe_is_odd(&ge[i].x)) {
2245 secp256k1_ge_set_infinity(&ge[i]);
2247 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2250 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2252 for (i = 0; i < 4 * runs + 1; i++) {
2253 ge_equals_gej(&ge[i], &gej[i]);
2261 void test_add_neg_y_diff_x(void) {
2262 /* The point of this test is to check that we can add two points
2263 * whose y-coordinates are negatives of each other but whose x
2264 * coordinates differ. If the x-coordinates were the same, these
2265 * points would be negatives of each other and their sum is
2266 * infinity. This is cool because it "covers up" any degeneracy
2267 * in the addition algorithm that would cause the xy coordinates
2268 * of the sum to be wrong (since infinity has no xy coordinates).
2269 * HOWEVER, if the x-coordinates are different, infinity is the
2270 * wrong answer, and such degeneracies are exposed. This is the
2271 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2272 * which this test is a regression test for.
2274 * These points were generated in sage as
2275 * # secp256k1 params
2276 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2277 * C = EllipticCurve ([F (0), F (7)])
2278 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2279 * N = FiniteField(G.order())
2281 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2283 * lam = (1 - x^3).roots()[1][0]
2285 * # random "bad pair"
2286 * P = C.random_element()
2288 * print " P: %x %x" % P.xy()
2289 * print " Q: %x %x" % Q.xy()
2290 * print "P + Q: %x %x" % (P + Q).xy()
2292 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2293 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2294 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2295 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2296 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2298 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2299 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2300 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2301 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2302 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2304 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2305 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2306 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2307 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2308 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2313 secp256k1_ge_set_gej(&b, &bj);
2315 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2316 secp256k1_ge_set_gej(&res, &resj);
2317 ge_equals_gej(&res, &sumj);
2319 secp256k1_gej_add_ge(&resj, &aj, &b);
2320 secp256k1_ge_set_gej(&res, &resj);
2321 ge_equals_gej(&res, &sumj);
2323 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2324 secp256k1_ge_set_gej(&res, &resj);
2325 ge_equals_gej(&res, &sumj);
2330 for (i = 0; i < count * 32; i++) {
2333 test_add_neg_y_diff_x();
2336 void test_ec_combine(void) {
2337 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2338 secp256k1_pubkey data[6];
2339 const secp256k1_pubkey* d[6];
2340 secp256k1_pubkey sd;
2341 secp256k1_pubkey sd2;
2345 for (i = 1; i <= 6; i++) {
2347 random_scalar_order_test(&s);
2348 secp256k1_scalar_add(&sum, &sum, &s);
2349 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2350 secp256k1_ge_set_gej(&Q, &Qj);
2351 secp256k1_pubkey_save(&data[i - 1], &Q);
2352 d[i - 1] = &data[i - 1];
2353 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2354 secp256k1_ge_set_gej(&Q, &Qj);
2355 secp256k1_pubkey_save(&sd, &Q);
2356 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2357 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2361 void run_ec_combine(void) {
2363 for (i = 0; i < count * 8; i++) {
2368 void test_group_decompress(const secp256k1_fe* x) {
2369 /* The input itself, normalized. */
2370 secp256k1_fe fex = *x;
2372 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2373 secp256k1_ge ge_quad, ge_even, ge_odd;
2374 secp256k1_gej gej_quad;
2375 /* Return values of the above calls. */
2376 int res_quad, res_even, res_odd;
2378 secp256k1_fe_normalize_var(&fex);
2380 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2381 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2382 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2384 CHECK(res_quad == res_even);
2385 CHECK(res_quad == res_odd);
2388 secp256k1_fe_normalize_var(&ge_quad.x);
2389 secp256k1_fe_normalize_var(&ge_odd.x);
2390 secp256k1_fe_normalize_var(&ge_even.x);
2391 secp256k1_fe_normalize_var(&ge_quad.y);
2392 secp256k1_fe_normalize_var(&ge_odd.y);
2393 secp256k1_fe_normalize_var(&ge_even.y);
2395 /* No infinity allowed. */
2396 CHECK(!ge_quad.infinity);
2397 CHECK(!ge_even.infinity);
2398 CHECK(!ge_odd.infinity);
2400 /* Check that the x coordinates check out. */
2401 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2402 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2403 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2405 /* Check that the Y coordinate result in ge_quad is a square. */
2406 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2408 /* Check odd/even Y in ge_odd, ge_even. */
2409 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2410 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2412 /* Check secp256k1_gej_has_quad_y_var. */
2413 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2414 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2416 random_fe_test(&fez);
2417 } while (secp256k1_fe_is_zero(&fez));
2418 secp256k1_gej_rescale(&gej_quad, &fez);
2419 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2420 secp256k1_gej_neg(&gej_quad, &gej_quad);
2421 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2423 random_fe_test(&fez);
2424 } while (secp256k1_fe_is_zero(&fez));
2425 secp256k1_gej_rescale(&gej_quad, &fez);
2426 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2427 secp256k1_gej_neg(&gej_quad, &gej_quad);
2428 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2432 void run_group_decompress(void) {
2434 for (i = 0; i < count * 4; i++) {
2436 random_fe_test(&fe);
2437 test_group_decompress(&fe);
2441 /***** ECMULT TESTS *****/
2443 void run_ecmult_chain(void) {
2444 /* random starting point A (on the curve) */
2445 secp256k1_gej a = SECP256K1_GEJ_CONST(
2446 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2447 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2448 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2449 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2451 /* two random initial factors xn and gn */
2452 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2453 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2454 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2456 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2457 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2458 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2460 /* two small multipliers to be applied to xn and gn in every iteration: */
2461 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2462 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2463 /* accumulators with the resulting coefficients to A and G */
2464 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2465 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2471 /* the point being computed */
2473 for (i = 0; i < 200*count; i++) {
2474 /* in each iteration, compute X = xn*X + gn*G; */
2475 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2476 /* also compute ae and ge: the actual accumulated factors for A and G */
2477 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2478 secp256k1_scalar_mul(&ae, &ae, &xn);
2479 secp256k1_scalar_mul(&ge, &ge, &xn);
2480 secp256k1_scalar_add(&ge, &ge, &gn);
2481 /* modify xn and gn */
2482 secp256k1_scalar_mul(&xn, &xn, &xf);
2483 secp256k1_scalar_mul(&gn, &gn, &gf);
2487 /* expected result after 19999 iterations */
2488 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2489 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2490 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2491 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2492 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2495 secp256k1_gej_neg(&rp, &rp);
2496 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2497 CHECK(secp256k1_gej_is_infinity(&rp));
2500 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2501 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2502 secp256k1_gej_neg(&x2, &x2);
2503 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2504 CHECK(secp256k1_gej_is_infinity(&x2));
2507 void test_point_times_order(const secp256k1_gej *point) {
2508 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2510 secp256k1_scalar nx;
2511 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2512 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2513 secp256k1_gej res1, res2;
2515 unsigned char pub[65];
2517 random_scalar_order_test(&x);
2518 secp256k1_scalar_negate(&nx, &x);
2519 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2520 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2521 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2522 CHECK(secp256k1_gej_is_infinity(&res1));
2523 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2524 secp256k1_ge_set_gej(&res3, &res1);
2525 CHECK(secp256k1_ge_is_infinity(&res3));
2526 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2527 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2529 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2530 /* check zero/one edge cases */
2531 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2532 secp256k1_ge_set_gej(&res3, &res1);
2533 CHECK(secp256k1_ge_is_infinity(&res3));
2534 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2535 secp256k1_ge_set_gej(&res3, &res1);
2536 ge_equals_gej(&res3, point);
2537 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2538 secp256k1_ge_set_gej(&res3, &res1);
2539 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2542 void run_point_times_order(void) {
2544 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2545 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2546 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2547 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2549 for (i = 0; i < 500; i++) {
2551 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2553 CHECK(secp256k1_ge_is_valid_var(&p));
2554 secp256k1_gej_set_ge(&j, &p);
2555 CHECK(secp256k1_gej_is_valid_var(&j));
2556 test_point_times_order(&j);
2558 secp256k1_fe_sqr(&x, &x);
2560 secp256k1_fe_normalize_var(&x);
2561 CHECK(secp256k1_fe_equal_var(&x, &xr));
2564 void ecmult_const_random_mult(void) {
2565 /* random starting point A (on the curve) */
2566 secp256k1_ge a = SECP256K1_GE_CONST(
2567 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2568 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2569 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2570 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2572 /* random initial factor xn */
2573 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2574 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2575 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2577 /* expected xn * A (from sage) */
2578 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2579 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2580 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2581 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2582 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2585 secp256k1_ecmult_const(&b, &a, &xn, 256);
2587 CHECK(secp256k1_ge_is_valid_var(&a));
2588 ge_equals_gej(&expected_b, &b);
2591 void ecmult_const_commutativity(void) {
2598 random_scalar_order_test(&a);
2599 random_scalar_order_test(&b);
2601 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2602 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2603 secp256k1_ge_set_gej(&mid1, &res1);
2604 secp256k1_ge_set_gej(&mid2, &res2);
2605 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2606 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2607 secp256k1_ge_set_gej(&mid1, &res1);
2608 secp256k1_ge_set_gej(&mid2, &res2);
2609 ge_equals_ge(&mid1, &mid2);
2612 void ecmult_const_mult_zero_one(void) {
2613 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2614 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2615 secp256k1_scalar negone;
2619 secp256k1_scalar_negate(&negone, &one);
2621 random_group_element_test(&point);
2622 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2623 secp256k1_ge_set_gej(&res2, &res1);
2624 CHECK(secp256k1_ge_is_infinity(&res2));
2625 secp256k1_ecmult_const(&res1, &point, &one, 2);
2626 secp256k1_ge_set_gej(&res2, &res1);
2627 ge_equals_ge(&res2, &point);
2628 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2629 secp256k1_gej_neg(&res1, &res1);
2630 secp256k1_ge_set_gej(&res2, &res1);
2631 ge_equals_ge(&res2, &point);
2634 void ecmult_const_chain_multiply(void) {
2635 /* Check known result (randomly generated test problem from sage) */
2636 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2637 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2638 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2640 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2641 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2642 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2643 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2644 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2646 secp256k1_gej point;
2650 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2651 for (i = 0; i < 100; ++i) {
2653 secp256k1_ge_set_gej(&tmp, &point);
2654 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2656 secp256k1_ge_set_gej(&res, &point);
2657 ge_equals_gej(&res, &expected_point);
2660 void run_ecmult_const_tests(void) {
2661 ecmult_const_mult_zero_one();
2662 ecmult_const_random_mult();
2663 ecmult_const_commutativity();
2664 ecmult_const_chain_multiply();
2668 secp256k1_scalar *sc;
2670 } ecmult_multi_data;
2672 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2673 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2674 *sc = data->sc[idx];
2675 *pt = data->pt[idx];
2679 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2687 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2689 secp256k1_scalar szero;
2690 secp256k1_scalar sc[32];
2691 secp256k1_ge pt[32];
2694 ecmult_multi_data data;
2698 secp256k1_scalar_set_int(&szero, 0);
2700 /* No points to multiply */
2701 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2703 /* Check 1- and 2-point multiplies against ecmult */
2704 for (ncount = 0; ncount < count; ncount++) {
2707 random_scalar_order(&sc[0]);
2708 random_scalar_order(&sc[1]);
2710 random_group_element_test(&ptg);
2711 secp256k1_gej_set_ge(&ptgj, &ptg);
2713 pt[1] = secp256k1_ge_const_g;
2716 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2717 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2718 secp256k1_gej_neg(&r2, &r2);
2719 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2720 CHECK(secp256k1_gej_is_infinity(&r));
2723 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2724 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2725 secp256k1_gej_neg(&r2, &r2);
2726 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2727 CHECK(secp256k1_gej_is_infinity(&r));
2729 /* Try to multiply 1 point, but callback returns false */
2730 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2733 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2734 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2735 secp256k1_gej_neg(&r2, &r2);
2736 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2737 CHECK(secp256k1_gej_is_infinity(&r));
2739 /* 2-point with G scalar */
2740 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2741 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2742 secp256k1_gej_neg(&r2, &r2);
2743 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2744 CHECK(secp256k1_gej_is_infinity(&r));
2747 /* Check infinite outputs of various forms */
2748 for (ncount = 0; ncount < count; ncount++) {
2751 size_t sizes[] = { 2, 10, 32 };
2753 for (j = 0; j < 3; j++) {
2754 for (i = 0; i < 32; i++) {
2755 random_scalar_order(&sc[i]);
2756 secp256k1_ge_set_infinity(&pt[i]);
2758 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2759 CHECK(secp256k1_gej_is_infinity(&r));
2762 for (j = 0; j < 3; j++) {
2763 for (i = 0; i < 32; i++) {
2764 random_group_element_test(&ptg);
2766 secp256k1_scalar_set_int(&sc[i], 0);
2768 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2769 CHECK(secp256k1_gej_is_infinity(&r));
2772 for (j = 0; j < 3; j++) {
2773 random_group_element_test(&ptg);
2774 for (i = 0; i < 16; i++) {
2775 random_scalar_order(&sc[2*i]);
2776 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2778 pt[2 * i + 1] = ptg;
2781 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2782 CHECK(secp256k1_gej_is_infinity(&r));
2784 random_scalar_order(&sc[0]);
2785 for (i = 0; i < 16; i++) {
2786 random_group_element_test(&ptg);
2791 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2794 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2795 CHECK(secp256k1_gej_is_infinity(&r));
2798 random_group_element_test(&ptg);
2799 secp256k1_scalar_set_int(&sc[0], 0);
2801 for (i = 1; i < 32; i++) {
2804 random_scalar_order(&sc[i]);
2805 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2806 secp256k1_scalar_negate(&sc[i], &sc[i]);
2809 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2810 CHECK(secp256k1_gej_is_infinity(&r));
2813 /* Check random points, constant scalar */
2814 for (ncount = 0; ncount < count; ncount++) {
2816 secp256k1_gej_set_infinity(&r);
2818 random_scalar_order(&sc[0]);
2819 for (i = 0; i < 20; i++) {
2822 random_group_element_test(&ptg);
2824 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2827 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2828 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2829 secp256k1_gej_neg(&r2, &r2);
2830 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2831 CHECK(secp256k1_gej_is_infinity(&r));
2834 /* Check random scalars, constant point */
2835 for (ncount = 0; ncount < count; ncount++) {
2839 secp256k1_scalar rs;
2840 secp256k1_scalar_set_int(&rs, 0);
2842 random_group_element_test(&ptg);
2843 for (i = 0; i < 20; i++) {
2844 random_scalar_order(&sc[i]);
2846 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2849 secp256k1_gej_set_ge(&p0j, &pt[0]);
2850 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2851 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2852 secp256k1_gej_neg(&r2, &r2);
2853 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2854 CHECK(secp256k1_gej_is_infinity(&r));
2857 /* Sanity check that zero scalars don't cause problems */
2858 for (ncount = 0; ncount < 20; ncount++) {
2859 random_scalar_order(&sc[ncount]);
2860 random_group_element_test(&pt[ncount]);
2863 secp256k1_scalar_clear(&sc[0]);
2864 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2865 secp256k1_scalar_clear(&sc[1]);
2866 secp256k1_scalar_clear(&sc[2]);
2867 secp256k1_scalar_clear(&sc[3]);
2868 secp256k1_scalar_clear(&sc[4]);
2869 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2870 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2871 CHECK(secp256k1_gej_is_infinity(&r));
2873 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2875 const size_t TOP = 8;
2881 random_group_element_test(&ptg);
2882 secp256k1_gej_set_ge(&ptgj, &ptg);
2884 for(t0i = 0; t0i < TOP; t0i++) {
2885 for(t1i = 0; t1i < TOP; t1i++) {
2886 secp256k1_gej t0p, t1p;
2887 secp256k1_scalar t0, t1;
2889 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2890 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2891 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2892 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2894 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2895 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2897 for(s0i = 0; s0i < TOP; s0i++) {
2898 for(s1i = 0; s1i < TOP; s1i++) {
2899 secp256k1_scalar tmp1, tmp2;
2900 secp256k1_gej expected, actual;
2902 secp256k1_ge_set_gej(&pt[0], &t0p);
2903 secp256k1_ge_set_gej(&pt[1], &t1p);
2905 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2906 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2907 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2908 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2910 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2911 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2912 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2914 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2915 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2916 secp256k1_gej_neg(&expected, &expected);
2917 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2918 CHECK(secp256k1_gej_is_infinity(&actual));
2926 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2927 secp256k1_scalar szero;
2928 secp256k1_scalar sc[32];
2929 secp256k1_ge pt[32];
2931 ecmult_multi_data data;
2932 secp256k1_scratch *scratch_empty;
2936 secp256k1_scalar_set_int(&szero, 0);
2938 /* Try to multiply 1 point, but scratch space is empty.*/
2939 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2940 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2941 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
2944 void test_secp256k1_pippenger_bucket_window_inv(void) {
2947 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2948 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2949 #ifdef USE_ENDOMORPHISM
2950 /* Bucket_window of 8 is not used with endo */
2955 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2956 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2957 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2963 * Probabilistically test the function returning the maximum number of possible points
2964 * for a given scratch space.
2966 void test_ecmult_multi_pippenger_max_points(void) {
2967 size_t scratch_size = secp256k1_rand_int(256);
2968 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2969 secp256k1_scratch *scratch;
2970 size_t n_points_supported;
2971 int bucket_window = 0;
2973 for(; scratch_size < max_size; scratch_size+=256) {
2977 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2978 CHECK(scratch != NULL);
2979 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
2980 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
2981 if (n_points_supported == 0) {
2982 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
2985 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2986 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
2987 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
2988 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
2989 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
2992 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
2993 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
2994 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
2996 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2999 void test_ecmult_multi_batch_size_helper(void) {
3000 size_t n_batches, n_batch_points, max_n_batch_points, n;
3002 max_n_batch_points = 0;
3004 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3006 max_n_batch_points = 1;
3008 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3009 CHECK(n_batches == 0);
3010 CHECK(n_batch_points == 0);
3012 max_n_batch_points = 2;
3014 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3015 CHECK(n_batches == 3);
3016 CHECK(n_batch_points == 2);
3018 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3019 n = ECMULT_MAX_POINTS_PER_BATCH;
3020 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3021 CHECK(n_batches == 1);
3022 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3024 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3025 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3026 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3027 CHECK(n_batches == 2);
3028 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3030 max_n_batch_points = 1;
3032 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3033 CHECK(n_batches == SIZE_MAX);
3034 CHECK(n_batch_points == 1);
3036 max_n_batch_points = 2;
3038 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3039 CHECK(n_batches == SIZE_MAX/2 + 1);
3040 CHECK(n_batch_points == 2);
3044 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3045 * 1 <= i <= num points.
3047 void test_ecmult_multi_batching(void) {
3048 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3049 secp256k1_scalar scG;
3050 secp256k1_scalar szero;
3051 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3052 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3055 ecmult_multi_data data;
3057 secp256k1_scratch *scratch;
3059 secp256k1_gej_set_infinity(&r2);
3060 secp256k1_scalar_set_int(&szero, 0);
3062 /* Get random scalars and group elements and compute result */
3063 random_scalar_order(&scG);
3064 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3065 for(i = 0; i < n_points; i++) {
3068 random_group_element_test(&ptg);
3069 secp256k1_gej_set_ge(&ptgj, &ptg);
3071 random_scalar_order(&sc[i]);
3072 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3073 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3077 secp256k1_gej_neg(&r2, &r2);
3079 /* Test with empty scratch space. It should compute the correct result using
3080 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3081 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3082 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3083 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3084 CHECK(secp256k1_gej_is_infinity(&r));
3085 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3087 /* Test with space for 1 point in pippenger. That's not enough because
3088 * ecmult_multi selects strauss which requires more memory. It should
3089 * therefore select the simple algorithm. */
3090 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3091 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3092 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3093 CHECK(secp256k1_gej_is_infinity(&r));
3094 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3096 for(i = 1; i <= n_points; i++) {
3097 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3098 int bucket_window = secp256k1_pippenger_bucket_window(i);
3099 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3100 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3102 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3103 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3105 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3106 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3107 CHECK(secp256k1_gej_is_infinity(&r));
3108 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3114 void run_ecmult_multi_tests(void) {
3115 secp256k1_scratch *scratch;
3117 test_secp256k1_pippenger_bucket_window_inv();
3118 test_ecmult_multi_pippenger_max_points();
3119 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3120 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3121 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3122 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3123 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3124 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3125 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3126 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3128 /* Run test_ecmult_multi with space for exactly one point */
3129 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3130 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3131 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3133 test_ecmult_multi_batch_size_helper();
3134 test_ecmult_multi_batching();
3137 void test_wnaf(const secp256k1_scalar *number, int w) {
3138 secp256k1_scalar x, two, t;
3143 secp256k1_scalar_set_int(&x, 0);
3144 secp256k1_scalar_set_int(&two, 2);
3145 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3147 for (i = bits-1; i >= 0; i--) {
3149 secp256k1_scalar_mul(&x, &x, &two);
3151 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3153 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3154 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3155 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3157 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3161 secp256k1_scalar_set_int(&t, v);
3163 secp256k1_scalar_set_int(&t, -v);
3164 secp256k1_scalar_negate(&t, &t);
3166 secp256k1_scalar_add(&x, &x, &t);
3168 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3171 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3172 secp256k1_scalar neg1 = *number;
3173 secp256k1_scalar neg2 = *number;
3177 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3178 secp256k1_scalar_negate(&neg1, &neg1);
3181 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3182 CHECK(sign1 == sign2);
3183 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3186 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3187 secp256k1_scalar x, shift;
3188 int wnaf[256] = {0};
3192 secp256k1_scalar num = *number;
3193 secp256k1_scalar scalar_skew;
3195 secp256k1_scalar_set_int(&x, 0);
3196 secp256k1_scalar_set_int(&shift, 1 << w);
3197 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3198 #ifdef USE_ENDOMORPHISM
3199 for (i = 0; i < 16; ++i) {
3200 secp256k1_scalar_shr_int(&num, 8);
3204 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3206 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3209 CHECK(v != 0); /* check nonzero */
3210 CHECK(v & 1); /* check parity */
3211 CHECK(v > -(1 << w)); /* check range above */
3212 CHECK(v < (1 << w)); /* check range below */
3214 secp256k1_scalar_mul(&x, &x, &shift);
3216 secp256k1_scalar_set_int(&t, v);
3218 secp256k1_scalar_set_int(&t, -v);
3219 secp256k1_scalar_negate(&t, &t);
3221 secp256k1_scalar_add(&x, &x, &t);
3223 /* Skew num because when encoding numbers as odd we use an offset */
3224 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3225 secp256k1_scalar_add(&num, &num, &scalar_skew);
3226 CHECK(secp256k1_scalar_eq(&x, &num));
3229 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3230 secp256k1_scalar x, shift;
3231 int wnaf[256] = {0};
3234 secp256k1_scalar num = *number;
3236 secp256k1_scalar_set_int(&x, 0);
3237 secp256k1_scalar_set_int(&shift, 1 << w);
3238 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3239 #ifdef USE_ENDOMORPHISM
3240 for (i = 0; i < 16; ++i) {
3241 secp256k1_scalar_shr_int(&num, 8);
3244 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3246 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3249 CHECK(v == 0 || v & 1); /* check parity */
3250 CHECK(v > -(1 << w)); /* check range above */
3251 CHECK(v < (1 << w)); /* check range below */
3253 secp256k1_scalar_mul(&x, &x, &shift);
3255 secp256k1_scalar_set_int(&t, v);
3257 secp256k1_scalar_set_int(&t, -v);
3258 secp256k1_scalar_negate(&t, &t);
3260 secp256k1_scalar_add(&x, &x, &t);
3262 /* If skew is 1 then add 1 to num */
3263 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3264 CHECK(secp256k1_scalar_eq(&x, &num));
3267 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3269 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3271 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3272 CHECK(wnaf[i] == 0);
3274 for (i = 7; i >= 0; --i) {
3275 CHECK(wnaf[i] == wnaf_expected[i]);
3279 void test_fixed_wnaf_small(void) {
3281 int wnaf[256] = {0};
3284 secp256k1_scalar num;
3286 secp256k1_scalar_set_int(&num, 0);
3287 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3288 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3294 secp256k1_scalar_set_int(&num, 1);
3295 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3296 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3300 CHECK(wnaf[0] == 1);
3304 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3305 secp256k1_scalar_set_int(&num, 0xffffffff);
3306 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3307 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3311 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3312 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3313 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3314 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3318 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3319 secp256k1_scalar_set_int(&num, 0x01010101);
3320 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3321 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3325 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3326 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3327 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3328 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3333 void run_wnaf(void) {
3335 secp256k1_scalar n = {{0}};
3337 test_constant_wnaf(&n, 4);
3338 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3339 * have easier-to-diagnose failure modes */
3341 test_constant_wnaf(&n, 4);
3343 test_constant_wnaf(&n, 4);
3344 /* Test -1, because it's a special case in wnaf_const */
3345 n = secp256k1_scalar_one;
3346 secp256k1_scalar_negate(&n, &n);
3347 test_constant_wnaf(&n, 4);
3349 /* Test -2, which may not lead to overflows in wnaf_const */
3350 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3351 secp256k1_scalar_negate(&n, &n);
3352 test_constant_wnaf(&n, 4);
3354 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3355 as corner cases of negation handling in wnaf_const */
3356 secp256k1_scalar_inverse(&n, &n);
3357 test_constant_wnaf(&n, 4);
3359 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3360 test_constant_wnaf(&n, 4);
3362 /* Test 0 for fixed wnaf */
3363 test_fixed_wnaf_small();
3365 for (i = 0; i < count; i++) {
3366 random_scalar_order(&n);
3367 test_wnaf(&n, 4+(i%10));
3368 test_constant_wnaf_negate(&n);
3369 test_constant_wnaf(&n, 4 + (i % 10));
3370 test_fixed_wnaf(&n, 4 + (i % 10));
3372 secp256k1_scalar_set_int(&n, 0);
3373 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3374 CHECK(secp256k1_scalar_is_zero(&n));
3375 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3376 CHECK(secp256k1_scalar_is_zero(&n));
3379 void test_ecmult_constants(void) {
3380 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3386 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3387 for (i = 0; i < 36; i++ ) {
3388 secp256k1_scalar_set_int(&x, i);
3389 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3390 for (j = 0; j < i; j++) {
3392 ge_equals_gej(&secp256k1_ge_const_g, &r);
3394 secp256k1_gej_add_ge(&r, &r, &ng);
3396 CHECK(secp256k1_gej_is_infinity(&r));
3398 for (i = 1; i <= 36; i++ ) {
3399 secp256k1_scalar_set_int(&x, i);
3400 secp256k1_scalar_negate(&x, &x);
3401 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3402 for (j = 0; j < i; j++) {
3404 ge_equals_gej(&ng, &r);
3406 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3408 CHECK(secp256k1_gej_is_infinity(&r));
3412 void run_ecmult_constants(void) {
3413 test_ecmult_constants();
3416 void test_ecmult_gen_blind(void) {
3417 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3418 secp256k1_scalar key;
3420 unsigned char seed32[32];
3422 secp256k1_gej pgej2;
3425 random_scalar_order_test(&key);
3426 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3427 secp256k1_rand256(seed32);
3428 b = ctx->ecmult_gen_ctx.blind;
3429 i = ctx->ecmult_gen_ctx.initial;
3430 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3431 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3432 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3433 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3434 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3435 secp256k1_ge_set_gej(&pge, &pgej);
3436 ge_equals_gej(&pge, &pgej2);
3439 void test_ecmult_gen_blind_reset(void) {
3440 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3442 secp256k1_gej initial;
3443 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3444 b = ctx->ecmult_gen_ctx.blind;
3445 initial = ctx->ecmult_gen_ctx.initial;
3446 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3447 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3448 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3451 void run_ecmult_gen_blind(void) {
3453 test_ecmult_gen_blind_reset();
3454 for (i = 0; i < 10; i++) {
3455 test_ecmult_gen_blind();
3459 #ifdef USE_ENDOMORPHISM
3460 /***** ENDOMORPHISH TESTS *****/
3461 void test_scalar_split(void) {
3462 secp256k1_scalar full;
3463 secp256k1_scalar s1, slam;
3464 const unsigned char zero[32] = {0};
3465 unsigned char tmp[32];
3467 random_scalar_order_test(&full);
3468 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3470 /* check that both are <= 128 bits in size */
3471 if (secp256k1_scalar_is_high(&s1)) {
3472 secp256k1_scalar_negate(&s1, &s1);
3474 if (secp256k1_scalar_is_high(&slam)) {
3475 secp256k1_scalar_negate(&slam, &slam);
3478 secp256k1_scalar_get_b32(tmp, &s1);
3479 CHECK(memcmp(zero, tmp, 16) == 0);
3480 secp256k1_scalar_get_b32(tmp, &slam);
3481 CHECK(memcmp(zero, tmp, 16) == 0);
3484 void run_endomorphism_tests(void) {
3485 test_scalar_split();
3489 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3490 unsigned char pubkeyc[65];
3491 secp256k1_pubkey pubkey;
3496 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3497 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3498 /* Smaller sizes are tested exhaustively elsewhere. */
3500 memcpy(&pubkeyc[1], input, 64);
3501 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3502 for (i = 0; i < 256; i++) {
3503 /* Try all type bytes. */
3508 /* What sign does this point have? */
3509 ysign = (input[63] & 1) + 2;
3510 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3511 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3512 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3513 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3514 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3515 if (xpass || ypass) {
3516 /* These cases must parse. */
3517 unsigned char pubkeyo[65];
3519 memset(&pubkey, 0, sizeof(pubkey));
3520 VG_UNDEF(&pubkey, sizeof(pubkey));
3522 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3523 VG_CHECK(&pubkey, sizeof(pubkey));
3525 VG_UNDEF(pubkeyo, 65);
3526 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3527 VG_CHECK(pubkeyo, outl);
3529 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3530 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3532 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3533 CHECK(pubkeyo[0] == ysign);
3534 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3535 memset(&pubkey, 0, sizeof(pubkey));
3536 VG_UNDEF(&pubkey, sizeof(pubkey));
3537 secp256k1_pubkey_save(&pubkey, &ge);
3538 VG_CHECK(&pubkey, sizeof(pubkey));
3540 VG_UNDEF(pubkeyo, 65);
3541 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3542 VG_CHECK(pubkeyo, outl);
3544 CHECK(pubkeyo[0] == 4);
3545 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3549 /* These cases must fail to parse. */
3550 memset(&pubkey, 0xfe, sizeof(pubkey));
3552 VG_UNDEF(&pubkey, sizeof(pubkey));
3553 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3554 VG_CHECK(&pubkey, sizeof(pubkey));
3556 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3561 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3564 void run_ec_pubkey_parse_test(void) {
3565 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3566 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3568 /* Point with leading and trailing zeros in x and y serialization. */
3569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3571 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3572 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3575 /* Point with x equal to a 3rd root of unity.*/
3576 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3577 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3578 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3579 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3582 /* Point with largest x. (1/2) */
3583 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3584 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3585 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3586 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3589 /* Point with largest x. (2/2) */
3590 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3592 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3593 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3596 /* Point with smallest x. (1/2) */
3597 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3598 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3599 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3600 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3603 /* Point with smallest x. (2/2) */
3604 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3605 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3606 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3607 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3610 /* Point with largest y. (1/3) */
3611 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3612 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3613 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3614 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3617 /* Point with largest y. (2/3) */
3618 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3619 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3620 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3621 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3624 /* Point with largest y. (3/3) */
3625 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3626 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3627 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3628 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3631 /* Point with smallest y. (1/3) */
3632 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3633 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3638 /* Point with smallest y. (2/3) */
3639 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3640 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3641 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3645 /* Point with smallest y. (3/3) */
3646 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3647 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3649 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3652 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3653 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3655 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3656 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3657 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3658 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3659 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3662 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3663 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3664 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3665 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3666 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3669 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3670 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3671 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3672 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3673 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3676 /* x on curve, y is from y^2 = x^3 + 8. */
3677 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3679 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3680 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3683 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3684 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3686 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3687 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3688 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3693 /* Valid if x overflow ignored (x = 1 mod p). */
3694 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3695 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3696 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3697 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3700 /* Valid if x overflow ignored (x = 1 mod p). */
3701 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3702 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3703 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3704 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3707 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3708 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3709 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3710 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3711 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3714 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3715 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3716 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3717 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3718 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3721 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3724 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3725 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3728 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3731 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3732 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3735 const unsigned char pubkeyc[66] = {
3736 /* Serialization of G. */
3737 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3738 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3739 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3740 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3743 unsigned char sout[65];
3744 unsigned char shortkey[2];
3746 secp256k1_pubkey pubkey;
3752 /* Nothing should be reading this far into pubkeyc. */
3753 VG_UNDEF(&pubkeyc[65], 1);
3754 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3755 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3756 memset(&pubkey, 0xfe, sizeof(pubkey));
3758 VG_UNDEF(shortkey, 2);
3759 VG_UNDEF(&pubkey, sizeof(pubkey));
3760 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3761 VG_CHECK(&pubkey, sizeof(pubkey));
3763 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3765 /* Length one claimed, fail, zeroize, no illegal arg error. */
3766 for (i = 0; i < 256 ; i++) {
3767 memset(&pubkey, 0xfe, sizeof(pubkey));
3770 VG_UNDEF(&shortkey[1], 1);
3771 VG_UNDEF(&pubkey, sizeof(pubkey));
3772 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3773 VG_CHECK(&pubkey, sizeof(pubkey));
3775 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3778 /* Length two claimed, fail, zeroize, no illegal arg error. */
3779 for (i = 0; i < 65536 ; i++) {
3780 memset(&pubkey, 0xfe, sizeof(pubkey));
3782 shortkey[0] = i & 255;
3783 shortkey[1] = i >> 8;
3784 VG_UNDEF(&pubkey, sizeof(pubkey));
3785 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3786 VG_CHECK(&pubkey, sizeof(pubkey));
3788 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3791 memset(&pubkey, 0xfe, sizeof(pubkey));
3793 VG_UNDEF(&pubkey, sizeof(pubkey));
3794 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3795 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3796 VG_CHECK(&pubkey, sizeof(pubkey));
3798 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3800 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3801 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3803 /* NULL input string. Illegal arg and zeroize output. */
3804 memset(&pubkey, 0xfe, sizeof(pubkey));
3806 VG_UNDEF(&pubkey, sizeof(pubkey));
3807 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3808 VG_CHECK(&pubkey, sizeof(pubkey));
3810 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3812 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3813 memset(&pubkey, 0xfe, sizeof(pubkey));
3815 VG_UNDEF(&pubkey, sizeof(pubkey));
3816 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3817 VG_CHECK(&pubkey, sizeof(pubkey));
3819 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3821 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3822 memset(&pubkey, 0xfe, sizeof(pubkey));
3824 VG_UNDEF(&pubkey, sizeof(pubkey));
3825 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3826 VG_CHECK(&pubkey, sizeof(pubkey));
3828 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3831 memset(&pubkey, 0, sizeof(pubkey));
3833 VG_UNDEF(&pubkey, sizeof(pubkey));
3834 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3835 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3836 VG_CHECK(&pubkey, sizeof(pubkey));
3838 VG_UNDEF(&ge, sizeof(ge));
3839 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3840 VG_CHECK(&ge.x, sizeof(ge.x));
3841 VG_CHECK(&ge.y, sizeof(ge.y));
3842 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3843 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3845 /* secp256k1_ec_pubkey_serialize illegal args. */
3848 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3851 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3855 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3860 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3865 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3869 /* Multiple illegal args. Should still set arg error only once. */
3872 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3874 /* Does the illegal arg callback actually change the behavior? */
3875 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3876 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3878 CHECK(ecount2 == 10);
3879 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3880 /* Try a bunch of prefabbed points with all possible encodings. */
3881 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3882 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3884 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3885 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3887 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3888 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3892 void run_eckey_edge_case_test(void) {
3893 const unsigned char orderc[32] = {
3894 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3895 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3896 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3897 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3899 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3900 unsigned char ctmp[33];
3901 unsigned char ctmp2[33];
3902 secp256k1_pubkey pubkey;
3903 secp256k1_pubkey pubkey2;
3904 secp256k1_pubkey pubkey_one;
3905 secp256k1_pubkey pubkey_negone;
3906 const secp256k1_pubkey *pubkeys[3];
3909 /* Group order is too large, reject. */
3910 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3911 VG_UNDEF(&pubkey, sizeof(pubkey));
3912 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3913 VG_CHECK(&pubkey, sizeof(pubkey));
3914 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3915 /* Maximum value is too large, reject. */
3916 memset(ctmp, 255, 32);
3917 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3918 memset(&pubkey, 1, sizeof(pubkey));
3919 VG_UNDEF(&pubkey, sizeof(pubkey));
3920 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3921 VG_CHECK(&pubkey, sizeof(pubkey));
3922 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3923 /* Zero is too small, reject. */
3924 memset(ctmp, 0, 32);
3925 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3926 memset(&pubkey, 1, sizeof(pubkey));
3927 VG_UNDEF(&pubkey, sizeof(pubkey));
3928 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3929 VG_CHECK(&pubkey, sizeof(pubkey));
3930 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3931 /* One must be accepted. */
3933 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3934 memset(&pubkey, 0, sizeof(pubkey));
3935 VG_UNDEF(&pubkey, sizeof(pubkey));
3936 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3937 VG_CHECK(&pubkey, sizeof(pubkey));
3938 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3939 pubkey_one = pubkey;
3940 /* Group order + 1 is too large, reject. */
3941 memcpy(ctmp, orderc, 32);
3943 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3944 memset(&pubkey, 1, sizeof(pubkey));
3945 VG_UNDEF(&pubkey, sizeof(pubkey));
3946 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3947 VG_CHECK(&pubkey, sizeof(pubkey));
3948 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3949 /* -1 must be accepted. */
3951 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3952 memset(&pubkey, 0, sizeof(pubkey));
3953 VG_UNDEF(&pubkey, sizeof(pubkey));
3954 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3955 VG_CHECK(&pubkey, sizeof(pubkey));
3956 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3957 pubkey_negone = pubkey;
3958 /* Tweak of zero leaves the value unchanged. */
3959 memset(ctmp2, 0, 32);
3960 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3961 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3962 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3963 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3964 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3965 /* Multiply tweak of zero zeroizes the output. */
3966 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3967 CHECK(memcmp(zeros, ctmp, 32) == 0);
3968 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3969 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3970 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3971 /* Overflowing key tweak zeroizes. */
3972 memcpy(ctmp, orderc, 32);
3974 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3975 CHECK(memcmp(zeros, ctmp, 32) == 0);
3976 memcpy(ctmp, orderc, 32);
3978 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3979 CHECK(memcmp(zeros, ctmp, 32) == 0);
3980 memcpy(ctmp, orderc, 32);
3982 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3983 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3984 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3985 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3986 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3987 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3988 /* Private key tweaks results in a key of zero. */
3990 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3991 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3993 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3994 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3995 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3996 /* Tweak computation wraps and results in a key of 1. */
3998 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3999 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4001 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4003 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4004 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4005 /* Tweak mul * 2 = 1+1. */
4006 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4008 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4009 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4010 /* Test argument errors. */
4012 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4014 /* Zeroize pubkey on parse error. */
4015 memset(&pubkey, 0, 32);
4016 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4018 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4019 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4020 memset(&pubkey2, 0, 32);
4021 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4023 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4024 /* Plain argument errors. */
4026 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4028 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4031 memset(ctmp2, 0, 32);
4033 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4035 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4038 memset(ctmp2, 0, 32);
4040 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4042 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4045 memset(ctmp2, 0, 32);
4046 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
4048 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
4051 memset(ctmp2, 0, 32);
4053 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4055 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
4058 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4060 memset(&pubkey, 1, sizeof(pubkey));
4061 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4063 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4064 /* secp256k1_ec_pubkey_combine tests. */
4066 pubkeys[0] = &pubkey_one;
4067 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4068 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4069 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4070 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4071 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4072 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4073 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4074 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4076 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4077 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4079 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4080 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4081 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4082 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4083 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4085 pubkeys[0] = &pubkey_negone;
4086 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4087 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4088 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4089 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4090 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4093 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4094 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4095 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4096 /* Result is infinity. */
4097 pubkeys[0] = &pubkey_one;
4098 pubkeys[1] = &pubkey_negone;
4099 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4100 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4101 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4102 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4103 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4105 /* Passes through infinity but comes out one. */
4106 pubkeys[2] = &pubkey_one;
4107 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4108 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4109 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4110 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4111 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4114 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4115 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4116 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4118 pubkeys[1] = &pubkey_one;
4119 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4120 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4121 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4122 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4123 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4125 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4128 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4129 secp256k1_scalar nonce;
4131 random_scalar_order_test(&nonce);
4132 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4135 void test_ecdsa_sign_verify(void) {
4138 secp256k1_scalar one;
4139 secp256k1_scalar msg, key;
4140 secp256k1_scalar sigr, sigs;
4143 random_scalar_order_test(&msg);
4144 random_scalar_order_test(&key);
4145 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4146 secp256k1_ge_set_gej(&pub, &pubj);
4147 getrec = secp256k1_rand_bits(1);
4148 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4150 CHECK(recid >= 0 && recid < 4);
4152 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4153 secp256k1_scalar_set_int(&one, 1);
4154 secp256k1_scalar_add(&msg, &msg, &one);
4155 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4158 void run_ecdsa_sign_verify(void) {
4160 for (i = 0; i < 10*count; i++) {
4161 test_ecdsa_sign_verify();
4165 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4166 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4170 memcpy(nonce32, data, 32);
4171 return (counter == 0);
4174 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4175 /* Dummy nonce generator that has a fatal error on the first counter value. */
4179 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4182 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4183 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4185 memset(nonce32, counter==0 ? 0 : 255, 32);
4192 static const unsigned char order[] = {
4193 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4194 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4195 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4196 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4198 memcpy(nonce32, order, 32);
4204 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4205 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4209 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4212 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4213 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4214 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4217 void test_ecdsa_end_to_end(void) {
4218 unsigned char extra[32] = {0x00};
4219 unsigned char privkey[32];
4220 unsigned char message[32];
4221 unsigned char privkey2[32];
4222 secp256k1_ecdsa_signature signature[6];
4223 secp256k1_scalar r, s;
4224 unsigned char sig[74];
4226 unsigned char pubkeyc[65];
4227 size_t pubkeyclen = 65;
4228 secp256k1_pubkey pubkey;
4229 secp256k1_pubkey pubkey_tmp;
4230 unsigned char seckey[300];
4231 size_t seckeylen = 300;
4233 /* Generate a random key and message. */
4235 secp256k1_scalar msg, key;
4236 random_scalar_order_test(&msg);
4237 random_scalar_order_test(&key);
4238 secp256k1_scalar_get_b32(privkey, &key);
4239 secp256k1_scalar_get_b32(message, &msg);
4242 /* Construct and verify corresponding public key. */
4243 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4244 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4246 /* Verify exporting and importing public key. */
4247 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4248 memset(&pubkey, 0, sizeof(pubkey));
4249 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4251 /* Verify negation changes the key and changes it back */
4252 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4253 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4254 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4255 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4256 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4258 /* Verify private key import and export. */
4259 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4260 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4261 CHECK(memcmp(privkey, privkey2, 32) == 0);
4263 /* Optionally tweak the keys using addition. */
4264 if (secp256k1_rand_int(3) == 0) {
4267 unsigned char rnd[32];
4268 secp256k1_pubkey pubkey2;
4269 secp256k1_rand256_test(rnd);
4270 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4271 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4272 CHECK(ret1 == ret2);
4276 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4277 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4280 /* Optionally tweak the keys using multiplication. */
4281 if (secp256k1_rand_int(3) == 0) {
4284 unsigned char rnd[32];
4285 secp256k1_pubkey pubkey2;
4286 secp256k1_rand256_test(rnd);
4287 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4288 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4289 CHECK(ret1 == ret2);
4293 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4294 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4298 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4299 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4300 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4302 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4305 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4306 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4307 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4308 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4309 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4310 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4311 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4312 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4314 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4315 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4316 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4317 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4318 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4319 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4320 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4321 secp256k1_scalar_negate(&s, &s);
4322 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4323 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4324 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4325 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4326 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4327 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4328 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4329 secp256k1_scalar_negate(&s, &s);
4330 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4331 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4332 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4333 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4335 /* Serialize/parse DER and verify again */
4336 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4337 memset(&signature[0], 0, sizeof(signature[0]));
4338 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4339 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4340 /* Serialize/destroy/parse DER and verify again. */
4342 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4343 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4344 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4345 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4348 void test_random_pubkeys(void) {
4351 unsigned char in[65];
4352 /* Generate some randomly sized pubkeys. */
4353 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4354 if (secp256k1_rand_bits(2) == 0) {
4355 len = secp256k1_rand_bits(6);
4358 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4360 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4362 if (secp256k1_rand_bits(3) == 0) {
4363 in[0] = secp256k1_rand_bits(8);
4366 secp256k1_rand256(&in[1]);
4369 secp256k1_rand256(&in[33]);
4371 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4372 unsigned char out[65];
4373 unsigned char firstb;
4377 /* If the pubkey can be parsed, it should round-trip... */
4378 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4380 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4381 /* ... except for the type of hybrid inputs. */
4382 if ((in[0] != 6) && (in[0] != 7)) {
4383 CHECK(in[0] == out[0]);
4386 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4388 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4389 ge_equals_ge(&elem,&elem2);
4390 /* Check that the X9.62 hybrid type is checked. */
4391 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4392 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4393 if (firstb == 2 || firstb == 3) {
4394 if (in[0] == firstb + 4) {
4401 ge_equals_ge(&elem,&elem2);
4402 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4403 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4408 void run_random_pubkeys(void) {
4410 for (i = 0; i < 10*count; i++) {
4411 test_random_pubkeys();
4415 void run_ecdsa_end_to_end(void) {
4417 for (i = 0; i < 64*count; i++) {
4418 test_ecdsa_end_to_end();
4422 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4423 static const unsigned char zeroes[32] = {0};
4424 #ifdef ENABLE_OPENSSL_TESTS
4425 static const unsigned char max_scalar[32] = {
4426 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4427 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4428 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4429 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4435 secp256k1_ecdsa_signature sig_der;
4436 unsigned char roundtrip_der[2048];
4437 unsigned char compact_der[64];
4438 size_t len_der = 2048;
4439 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4441 secp256k1_ecdsa_signature sig_der_lax;
4442 unsigned char roundtrip_der_lax[2048];
4443 unsigned char compact_der_lax[64];
4444 size_t len_der_lax = 2048;
4445 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4447 #ifdef ENABLE_OPENSSL_TESTS
4448 ECDSA_SIG *sig_openssl;
4449 const BIGNUM *r = NULL, *s = NULL;
4450 const unsigned char *sigptr;
4451 unsigned char roundtrip_openssl[2048];
4452 int len_openssl = 2048;
4453 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4456 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4458 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4459 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4462 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4463 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4466 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4467 if (parsed_der_lax) {
4468 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4469 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4471 if (valid_der_lax) {
4472 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4473 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4476 if (certainly_der) {
4477 ret |= (!parsed_der) << 2;
4479 if (certainly_not_der) {
4480 ret |= (parsed_der) << 17;
4483 ret |= (!roundtrips_der) << 3;
4487 ret |= (!roundtrips_der_lax) << 12;
4488 ret |= (len_der != len_der_lax) << 13;
4489 ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4491 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4493 ret |= (!parsed_der_lax) << 16;
4496 #ifdef ENABLE_OPENSSL_TESTS
4497 sig_openssl = ECDSA_SIG_new();
4499 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4500 if (parsed_openssl) {
4501 ECDSA_SIG_get0(sig_openssl, &r, &s);
4502 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4503 if (valid_openssl) {
4504 unsigned char tmp[32] = {0};
4505 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4506 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4508 if (valid_openssl) {
4509 unsigned char tmp[32] = {0};
4510 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4511 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4514 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4515 if (len_openssl <= 2048) {
4516 unsigned char *ptr = roundtrip_openssl;
4517 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4518 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4522 ECDSA_SIG_free(sig_openssl);
4524 ret |= (parsed_der && !parsed_openssl) << 4;
4525 ret |= (valid_der && !valid_openssl) << 5;
4526 ret |= (roundtrips_openssl && !parsed_der) << 6;
4527 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4528 if (roundtrips_openssl) {
4529 ret |= (len_der != (size_t)len_openssl) << 8;
4530 ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4536 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4538 for (i = 0; i < ptrlen; i++) {
4539 int shift = ptrlen - 1 - i;
4543 ptr[i] = (val >> shift) & 0xFF;
4548 static void damage_array(unsigned char *sig, size_t *len) {
4550 int action = secp256k1_rand_bits(3);
4551 if (action < 1 && *len > 3) {
4552 /* Delete a byte. */
4553 pos = secp256k1_rand_int(*len);
4554 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4557 } else if (action < 2 && *len < 2048) {
4558 /* Insert a byte. */
4559 pos = secp256k1_rand_int(1 + *len);
4560 memmove(sig + pos + 1, sig + pos, *len - pos);
4561 sig[pos] = secp256k1_rand_bits(8);
4564 } else if (action < 4) {
4565 /* Modify a byte. */
4566 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4568 } else { /* action < 8 */
4570 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4575 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4577 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4578 size_t tlen, elen, glen;
4583 der = secp256k1_rand_bits(2) == 0;
4584 *certainly_der = der;
4585 *certainly_not_der = 0;
4586 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4588 for (n = 0; n < 2; n++) {
4589 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4590 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4591 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4592 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4593 CHECK(nlen[n] <= 232);
4594 /* The top bit of the number. */
4595 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4596 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4597 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4598 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4599 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4600 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4601 *certainly_not_der = 1;
4603 CHECK(nlen[n] + nzlen[n] <= 300);
4604 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4605 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4607 /* nlenlen[n] max 127 bytes */
4608 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4611 *certainly_not_der = 1;
4614 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4617 /* The total length of the data to go, so far */
4618 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4621 /* The length of the garbage inside the tuple. */
4622 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4624 *certainly_not_der = 1;
4629 /* The length of the garbage after the end of the tuple. */
4630 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4632 *certainly_not_der = 1;
4634 CHECK(tlen + glen <= 990);
4636 /* Write the tuple header. */
4637 sig[(*len)++] = 0x30;
4639 /* Indeterminate length */
4640 sig[(*len)++] = 0x80;
4641 *certainly_not_der = 1;
4643 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4645 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4648 *certainly_not_der = 1;
4652 /* Short length notation */
4653 sig[(*len)++] = tlen;
4655 /* Long length notation */
4656 sig[(*len)++] = 128 + tlenlen;
4657 assign_big_endian(sig + *len, tlenlen, tlen);
4663 CHECK(tlen + glen <= 1119);
4665 for (n = 0; n < 2; n++) {
4666 /* Write the integer header. */
4667 sig[(*len)++] = 0x02;
4668 if (nlenlen[n] == 0) {
4669 /* Short length notation */
4670 sig[(*len)++] = nlen[n] + nzlen[n];
4672 /* Long length notation. */
4673 sig[(*len)++] = 128 + nlenlen[n];
4674 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4677 /* Write zero padding */
4678 while (nzlen[n] > 0) {
4679 sig[(*len)++] = 0x00;
4682 if (nlen[n] == 32 && !nlow[n]) {
4683 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4685 for (i = 0; i < 16; i++) {
4686 sig[(*len)++] = 0xFF;
4690 /* Write first byte of number */
4692 sig[(*len)++] = nhbyte[n];
4695 /* Generate remaining random bytes of number */
4696 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4701 /* Generate random garbage inside tuple. */
4702 secp256k1_rand_bytes_test(sig + *len, elen);
4705 /* Generate end-of-contents bytes. */
4711 CHECK(tlen + glen <= 1121);
4713 /* Generate random garbage outside tuple. */
4714 secp256k1_rand_bytes_test(sig + *len, glen);
4717 CHECK(tlen <= 1121);
4718 CHECK(tlen == *len);
4721 void run_ecdsa_der_parse(void) {
4723 for (i = 0; i < 200 * count; i++) {
4724 unsigned char buffer[2048];
4726 int certainly_der = 0;
4727 int certainly_not_der = 0;
4728 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4729 CHECK(buflen <= 2048);
4730 for (j = 0; j < 16; j++) {
4733 damage_array(buffer, &buflen);
4734 /* We don't know anything anymore about the DERness of the result */
4736 certainly_not_der = 0;
4738 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4741 fprintf(stderr, "Failure %x on ", ret);
4742 for (k = 0; k < buflen; k++) {
4743 fprintf(stderr, "%02x ", buffer[k]);
4745 fprintf(stderr, "\n");
4752 /* Tests several edge cases. */
4753 void test_ecdsa_edge_cases(void) {
4755 secp256k1_ecdsa_signature sig;
4757 /* Test the case where ECDSA recomputes a point that is infinity. */
4761 secp256k1_scalar msg;
4762 secp256k1_scalar sr, ss;
4763 secp256k1_scalar_set_int(&ss, 1);
4764 secp256k1_scalar_negate(&ss, &ss);
4765 secp256k1_scalar_inverse(&ss, &ss);
4766 secp256k1_scalar_set_int(&sr, 1);
4767 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4768 secp256k1_ge_set_gej(&key, &keyj);
4770 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4773 /* Verify signature with r of zero fails. */
4775 const unsigned char pubkey_mods_zero[33] = {
4776 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4777 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4778 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4779 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4783 secp256k1_scalar msg;
4784 secp256k1_scalar sr, ss;
4785 secp256k1_scalar_set_int(&ss, 1);
4786 secp256k1_scalar_set_int(&msg, 0);
4787 secp256k1_scalar_set_int(&sr, 0);
4788 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4789 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4792 /* Verify signature with s of zero fails. */
4794 const unsigned char pubkey[33] = {
4795 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4802 secp256k1_scalar msg;
4803 secp256k1_scalar sr, ss;
4804 secp256k1_scalar_set_int(&ss, 0);
4805 secp256k1_scalar_set_int(&msg, 0);
4806 secp256k1_scalar_set_int(&sr, 1);
4807 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4808 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4811 /* Verify signature with message 0 passes. */
4813 const unsigned char pubkey[33] = {
4814 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4817 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4820 const unsigned char pubkey2[33] = {
4821 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4822 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4823 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4824 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4829 secp256k1_scalar msg;
4830 secp256k1_scalar sr, ss;
4831 secp256k1_scalar_set_int(&ss, 2);
4832 secp256k1_scalar_set_int(&msg, 0);
4833 secp256k1_scalar_set_int(&sr, 2);
4834 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4835 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4836 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4837 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4838 secp256k1_scalar_negate(&ss, &ss);
4839 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4840 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4841 secp256k1_scalar_set_int(&ss, 1);
4842 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4843 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4846 /* Verify signature with message 1 passes. */
4848 const unsigned char pubkey[33] = {
4849 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4850 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4851 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4852 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4855 const unsigned char pubkey2[33] = {
4856 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4857 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4858 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4859 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4862 const unsigned char csr[32] = {
4863 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4864 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4865 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4866 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4870 secp256k1_scalar msg;
4871 secp256k1_scalar sr, ss;
4872 secp256k1_scalar_set_int(&ss, 1);
4873 secp256k1_scalar_set_int(&msg, 1);
4874 secp256k1_scalar_set_b32(&sr, csr, NULL);
4875 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4876 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4877 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4878 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4879 secp256k1_scalar_negate(&ss, &ss);
4880 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4881 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4882 secp256k1_scalar_set_int(&ss, 2);
4883 secp256k1_scalar_inverse_var(&ss, &ss);
4884 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4885 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4888 /* Verify signature with message -1 passes. */
4890 const unsigned char pubkey[33] = {
4891 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4892 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4893 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4894 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4897 const unsigned char csr[32] = {
4898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4899 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4900 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4901 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4904 secp256k1_scalar msg;
4905 secp256k1_scalar sr, ss;
4906 secp256k1_scalar_set_int(&ss, 1);
4907 secp256k1_scalar_set_int(&msg, 1);
4908 secp256k1_scalar_negate(&msg, &msg);
4909 secp256k1_scalar_set_b32(&sr, csr, NULL);
4910 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4911 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4912 secp256k1_scalar_negate(&ss, &ss);
4913 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4914 secp256k1_scalar_set_int(&ss, 3);
4915 secp256k1_scalar_inverse_var(&ss, &ss);
4916 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4919 /* Signature where s would be zero. */
4921 secp256k1_pubkey pubkey;
4924 unsigned char signature[72];
4925 static const unsigned char nonce[32] = {
4926 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4927 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4928 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4929 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4931 static const unsigned char nonce2[32] = {
4932 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4933 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4934 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4935 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4937 const unsigned char key[32] = {
4938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4943 unsigned char msg[32] = {
4944 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4945 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4946 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4947 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4950 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4951 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4952 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4954 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4956 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4958 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4960 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4962 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4963 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4964 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4966 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4968 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4970 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4972 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4974 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4975 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4978 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4980 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4981 CHECK(ecount == 10);
4982 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4983 CHECK(ecount == 11);
4984 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4985 CHECK(ecount == 11);
4986 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4987 CHECK(ecount == 12);
4988 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4989 CHECK(ecount == 13);
4990 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4991 CHECK(ecount == 13);
4993 /* Too little room for a signature does not fail via ARGCHECK. */
4994 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4995 CHECK(ecount == 13);
4997 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4999 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5001 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5003 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5005 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5007 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5009 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5011 memset(signature, 255, 64);
5012 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5014 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5017 /* Nonce function corner cases. */
5018 for (t = 0; t < 2; t++) {
5019 static const unsigned char zero[32] = {0x00};
5021 unsigned char key[32];
5022 unsigned char msg[32];
5023 secp256k1_ecdsa_signature sig2;
5024 secp256k1_scalar sr[512], ss;
5025 const unsigned char *extra;
5026 extra = t == 0 ? NULL : zero;
5029 /* High key results in signature failure. */
5030 memset(key, 0xFF, 32);
5031 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5032 CHECK(is_empty_signature(&sig));
5033 /* Zero key results in signature failure. */
5035 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5036 CHECK(is_empty_signature(&sig));
5037 /* Nonce function failure results in signature failure. */
5039 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5040 CHECK(is_empty_signature(&sig));
5041 /* The retry loop successfully makes its way to the first good value. */
5042 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5043 CHECK(!is_empty_signature(&sig));
5044 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5045 CHECK(!is_empty_signature(&sig2));
5046 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5047 /* The default nonce function is deterministic. */
5048 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5049 CHECK(!is_empty_signature(&sig2));
5050 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5051 /* The default nonce function changes output with different messages. */
5052 for(i = 0; i < 256; i++) {
5055 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5056 CHECK(!is_empty_signature(&sig2));
5057 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5058 for (j = 0; j < i; j++) {
5059 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5064 /* The default nonce function changes output with different keys. */
5065 for(i = 256; i < 512; i++) {
5068 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5069 CHECK(!is_empty_signature(&sig2));
5070 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5071 for (j = 0; j < i; j++) {
5072 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5079 /* Check that optional nonce arguments do not have equivalent effect. */
5080 const unsigned char zeros[32] = {0};
5081 unsigned char nonce[32];
5082 unsigned char nonce2[32];
5083 unsigned char nonce3[32];
5084 unsigned char nonce4[32];
5086 VG_UNDEF(nonce2,32);
5087 VG_UNDEF(nonce3,32);
5088 VG_UNDEF(nonce4,32);
5089 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5091 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5092 VG_CHECK(nonce2,32);
5093 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5094 VG_CHECK(nonce3,32);
5095 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5096 VG_CHECK(nonce4,32);
5097 CHECK(memcmp(nonce, nonce2, 32) != 0);
5098 CHECK(memcmp(nonce, nonce3, 32) != 0);
5099 CHECK(memcmp(nonce, nonce4, 32) != 0);
5100 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5101 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5102 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5106 /* Privkey export where pubkey is the point at infinity. */
5108 unsigned char privkey[300];
5109 unsigned char seckey[32] = {
5110 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5112 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5113 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5115 size_t outlen = 300;
5116 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5118 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5122 void run_ecdsa_edge_cases(void) {
5123 test_ecdsa_edge_cases();
5126 #ifdef ENABLE_OPENSSL_TESTS
5127 EC_KEY *get_openssl_key(const unsigned char *key32) {
5128 unsigned char privkey[300];
5130 const unsigned char* pbegin = privkey;
5131 int compr = secp256k1_rand_bits(1);
5132 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5133 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5134 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5135 CHECK(EC_KEY_check_key(ec_key));
5139 void test_ecdsa_openssl(void) {
5142 secp256k1_scalar sigr, sigs;
5143 secp256k1_scalar one;
5144 secp256k1_scalar msg2;
5145 secp256k1_scalar key, msg;
5147 unsigned int sigsize = 80;
5148 size_t secp_sigsize = 80;
5149 unsigned char message[32];
5150 unsigned char signature[80];
5151 unsigned char key32[32];
5152 secp256k1_rand256_test(message);
5153 secp256k1_scalar_set_b32(&msg, message, NULL);
5154 random_scalar_order_test(&key);
5155 secp256k1_scalar_get_b32(key32, &key);
5156 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5157 secp256k1_ge_set_gej(&q, &qj);
5158 ec_key = get_openssl_key(key32);
5159 CHECK(ec_key != NULL);
5160 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5161 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5162 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5163 secp256k1_scalar_set_int(&one, 1);
5164 secp256k1_scalar_add(&msg2, &msg, &one);
5165 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5167 random_sign(&sigr, &sigs, &key, &msg, NULL);
5168 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5169 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5171 EC_KEY_free(ec_key);
5174 void run_ecdsa_openssl(void) {
5176 for (i = 0; i < 10*count; i++) {
5177 test_ecdsa_openssl();
5182 #ifdef ENABLE_MODULE_ECDH
5183 # include "modules/ecdh/tests_impl.h"
5186 #ifdef ENABLE_MODULE_RECOVERY
5187 # include "modules/recovery/tests_impl.h"
5190 void run_memczero_test(void) {
5191 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5192 unsigned char buf2[sizeof(buf1)];
5194 /* memczero(..., ..., 0) is a noop. */
5195 memcpy(buf2, buf1, sizeof(buf1));
5196 memczero(buf1, sizeof(buf1), 0);
5197 CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
5199 /* memczero(..., ..., 1) zeros the buffer. */
5200 memset(buf2, 0, sizeof(buf2));
5201 memczero(buf1, sizeof(buf1) , 1);
5202 CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
5205 int main(int argc, char **argv) {
5206 unsigned char seed16[16] = {0};
5207 unsigned char run32[32] = {0};
5209 /* Disable buffering for stdout to improve reliability of getting
5210 * diagnostic information. Happens right at the start of main because
5211 * setbuf must be used before any other operation on the stream. */
5212 setbuf(stdout, NULL);
5213 /* Also disable buffering for stderr because it's not guaranteed that it's
5214 * unbuffered on all systems. */
5215 setbuf(stderr, NULL);
5217 /* find iteration count */
5219 count = strtol(argv[1], NULL, 0);
5222 /* find random seed */
5225 const char* ch = argv[2];
5226 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5228 if ((sscanf(ch, "%2hx", &sh)) == 1) {
5237 FILE *frand = fopen("/dev/urandom", "r");
5238 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5239 uint64_t t = time(NULL) * (uint64_t)1337;
5240 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5242 seed16[1] ^= t >> 8;
5243 seed16[2] ^= t >> 16;
5244 seed16[3] ^= t >> 24;
5245 seed16[4] ^= t >> 32;
5246 seed16[5] ^= t >> 40;
5247 seed16[6] ^= t >> 48;
5248 seed16[7] ^= t >> 56;
5254 secp256k1_rand_seed(seed16);
5256 printf("test count = %i\n", count);
5257 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5260 run_context_tests(0);
5261 run_context_tests(1);
5262 run_scratch_tests();
5263 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5264 if (secp256k1_rand_bits(1)) {
5265 secp256k1_rand256(run32);
5266 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5273 run_hmac_sha256_tests();
5274 run_rfc6979_hmac_sha256_tests();
5276 #ifndef USE_NUM_NONE
5278 run_num_smalltests();
5286 run_field_inv_var();
5287 run_field_inv_all_var();
5289 run_field_convert();
5295 run_group_decompress();
5299 run_point_times_order();
5301 run_ecmult_constants();
5302 run_ecmult_gen_blind();
5303 run_ecmult_const_tests();
5304 run_ecmult_multi_tests();
5307 /* endomorphism tests */
5308 #ifdef USE_ENDOMORPHISM
5309 run_endomorphism_tests();
5312 /* EC point parser test */
5313 run_ec_pubkey_parse_test();
5315 /* EC key edge cases */
5316 run_eckey_edge_case_test();
5318 #ifdef ENABLE_MODULE_ECDH
5324 run_random_pubkeys();
5325 run_ecdsa_der_parse();
5326 run_ecdsa_sign_verify();
5327 run_ecdsa_end_to_end();
5328 run_ecdsa_edge_cases();
5329 #ifdef ENABLE_OPENSSL_TESTS
5330 run_ecdsa_openssl();
5333 #ifdef ENABLE_MODULE_RECOVERY
5334 /* ECDSA pubkey recovery tests */
5335 run_recovery_tests();
5339 run_memczero_test();
5341 secp256k1_rand256(run32);
5342 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5345 secp256k1_context_destroy(ctx);
5347 printf("no problems found\n");
projects / secp256k1.git / blob