1 /***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
35 static int count = 64;
36 static secp256k1_context *ctx = NULL;
38 static void counting_illegal_callback_fn(const char* str, void* data) {
39 /* Dummy callback function that just counts. */
46 static void uncounting_illegal_callback_fn(const char* str, void* data) {
47 /* Dummy callback function that just counts (backwards). */
54 void random_field_element_test(secp256k1_fe *fe) {
56 unsigned char b32[32];
57 secp256k1_testrand256_test(b32);
58 if (secp256k1_fe_set_b32(fe, b32)) {
64 void random_field_element_magnitude(secp256k1_fe *fe) {
66 int n = secp256k1_testrand_int(9);
67 secp256k1_fe_normalize(fe);
71 secp256k1_fe_clear(&zero);
72 secp256k1_fe_negate(&zero, &zero, 0);
73 secp256k1_fe_mul_int(&zero, n - 1);
74 secp256k1_fe_add(fe, &zero);
76 CHECK(fe->magnitude == n);
80 void random_group_element_test(secp256k1_ge *ge) {
83 random_field_element_test(&fe);
84 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
85 secp256k1_fe_normalize(&ge->y);
92 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
95 random_field_element_test(&gej->z);
96 if (!secp256k1_fe_is_zero(&gej->z)) {
100 secp256k1_fe_sqr(&z2, &gej->z);
101 secp256k1_fe_mul(&z3, &z2, &gej->z);
102 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
103 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
104 gej->infinity = ge->infinity;
107 void random_scalar_order_test(secp256k1_scalar *num) {
109 unsigned char b32[32];
111 secp256k1_testrand256_test(b32);
112 secp256k1_scalar_set_b32(num, b32, &overflow);
113 if (overflow || secp256k1_scalar_is_zero(num)) {
120 void random_scalar_order(secp256k1_scalar *num) {
122 unsigned char b32[32];
124 secp256k1_testrand256(b32);
125 secp256k1_scalar_set_b32(num, b32, &overflow);
126 if (overflow || secp256k1_scalar_is_zero(num)) {
133 void random_scalar_order_b32(unsigned char *b32) {
134 secp256k1_scalar num;
135 random_scalar_order(&num);
136 secp256k1_scalar_get_b32(b32, &num);
139 void run_context_tests(int use_prealloc) {
140 secp256k1_pubkey pubkey;
141 secp256k1_pubkey zero_pubkey;
142 secp256k1_ecdsa_signature sig;
143 unsigned char ctmp[32];
146 secp256k1_context *none;
147 secp256k1_context *sign;
148 secp256k1_context *vrfy;
149 secp256k1_context *both;
150 void *none_prealloc = NULL;
151 void *sign_prealloc = NULL;
152 void *vrfy_prealloc = NULL;
153 void *both_prealloc = NULL;
157 secp256k1_scalar msg, key, nonce;
158 secp256k1_scalar sigr, sigs;
161 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
162 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
163 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
164 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
165 CHECK(none_prealloc != NULL);
166 CHECK(sign_prealloc != NULL);
167 CHECK(vrfy_prealloc != NULL);
168 CHECK(both_prealloc != NULL);
169 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
170 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
171 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
172 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
174 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
175 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
176 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
177 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
184 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
185 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
186 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
187 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
188 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
189 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
191 /* check if sizes for cloning are consistent */
192 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
197 /*** clone and destroy all of them to make sure cloning was complete ***/
199 secp256k1_context *ctx_tmp;
202 /* clone into a non-preallocated context and then again into a new preallocated one. */
203 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
207 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
211 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
215 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
219 /* clone into a preallocated context and then again into a new non-preallocated one. */
222 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
227 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
232 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
244 /* Verify that the error callback makes it across the clone. */
245 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
246 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
247 /* And that it resets back to default. */
248 secp256k1_context_set_error_callback(sign, NULL, NULL);
249 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
251 /*** attempt to use them ***/
252 random_scalar_order_test(&msg);
253 random_scalar_order_test(&key);
254 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
255 secp256k1_ge_set_gej(&pub, &pubj);
257 /* Verify context-type checking illegal-argument errors. */
259 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
261 VG_UNDEF(&pubkey, sizeof(pubkey));
262 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
263 VG_CHECK(&pubkey, sizeof(pubkey));
264 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
266 VG_UNDEF(&sig, sizeof(sig));
267 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
268 VG_CHECK(&sig, sizeof(sig));
269 CHECK(ecount2 == 10);
270 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
271 CHECK(ecount2 == 11);
272 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
274 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
275 CHECK(ecount2 == 12);
276 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
278 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
279 CHECK(ecount2 == 13);
280 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
282 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
284 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
285 CHECK(ecount2 == 14);
286 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
288 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
290 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
292 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
294 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
295 CHECK(ecount2 == 14);
296 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
297 CHECK(ecount2 == 14);
298 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
299 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
301 /* obtain a working nonce */
303 random_scalar_order_test(&nonce);
304 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
311 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
312 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
316 secp256k1_context_preallocated_destroy(none);
317 secp256k1_context_preallocated_destroy(sign);
318 secp256k1_context_preallocated_destroy(vrfy);
319 secp256k1_context_preallocated_destroy(both);
325 secp256k1_context_destroy(none);
326 secp256k1_context_destroy(sign);
327 secp256k1_context_destroy(vrfy);
328 secp256k1_context_destroy(both);
330 /* Defined as no-op. */
331 secp256k1_context_destroy(NULL);
332 secp256k1_context_preallocated_destroy(NULL);
336 void run_scratch_tests(void) {
337 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
342 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
343 secp256k1_scratch_space *scratch;
344 secp256k1_scratch_space local_scratch;
346 /* Test public API */
347 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
348 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
350 scratch = secp256k1_scratch_space_create(none, 1000);
351 CHECK(scratch != NULL);
354 /* Test internal API */
355 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
357 CHECK(scratch->alloc_size == 0);
358 CHECK(scratch->alloc_size % ALIGNMENT == 0);
360 /* Allocating 500 bytes succeeds */
361 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
362 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
363 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
365 CHECK(scratch->alloc_size != 0);
366 CHECK(scratch->alloc_size % ALIGNMENT == 0);
368 /* Allocating another 501 bytes fails */
369 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
372 CHECK(scratch->alloc_size != 0);
373 CHECK(scratch->alloc_size % ALIGNMENT == 0);
375 /* ...but it succeeds once we apply the checkpoint to undo it */
376 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
377 CHECK(scratch->alloc_size == 0);
378 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
379 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
380 CHECK(scratch->alloc_size != 0);
382 /* try to apply a bad checkpoint */
383 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
384 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
386 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
388 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
391 /* try to use badly initialized scratch space */
392 secp256k1_scratch_space_destroy(none, scratch);
393 memset(&local_scratch, 0, sizeof(local_scratch));
394 scratch = &local_scratch;
395 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
397 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
399 secp256k1_scratch_space_destroy(none, scratch);
402 /* Test that large integers do not wrap around in a bad way */
403 scratch = secp256k1_scratch_space_create(none, 1000);
404 /* Try max allocation with a large number of objects. Only makes sense if
405 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
407 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
408 /* Try allocating SIZE_MAX to test wrap around which only happens if
409 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
410 * space is too small. */
411 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
412 secp256k1_scratch_space_destroy(none, scratch);
415 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
416 secp256k1_context_destroy(none);
419 /***** HASH TESTS *****/
421 void run_sha256_tests(void) {
422 static const char *inputs[8] = {
423 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
424 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
425 "For this sample, this 63-byte string will be used as input data",
426 "This is exactly 64 bytes long, not counting the terminating byte"
428 static const unsigned char outputs[8][32] = {
429 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
430 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
431 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
432 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
433 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
434 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
435 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
436 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
439 for (i = 0; i < 8; i++) {
440 unsigned char out[32];
441 secp256k1_sha256 hasher;
442 secp256k1_sha256_initialize(&hasher);
443 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
444 secp256k1_sha256_finalize(&hasher, out);
445 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
446 if (strlen(inputs[i]) > 0) {
447 int split = secp256k1_testrand_int(strlen(inputs[i]));
448 secp256k1_sha256_initialize(&hasher);
449 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
450 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
451 secp256k1_sha256_finalize(&hasher, out);
452 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
457 void run_hmac_sha256_tests(void) {
458 static const char *keys[6] = {
459 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
461 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
462 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
463 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
464 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
466 static const char *inputs[6] = {
467 "\x48\x69\x20\x54\x68\x65\x72\x65",
468 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
469 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
470 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
471 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
472 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
474 static const unsigned char outputs[6][32] = {
475 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
476 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
477 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
478 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
479 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
480 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
483 for (i = 0; i < 6; i++) {
484 secp256k1_hmac_sha256 hasher;
485 unsigned char out[32];
486 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
487 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
488 secp256k1_hmac_sha256_finalize(&hasher, out);
489 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
490 if (strlen(inputs[i]) > 0) {
491 int split = secp256k1_testrand_int(strlen(inputs[i]));
492 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
493 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
494 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
495 secp256k1_hmac_sha256_finalize(&hasher, out);
496 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
501 void run_rfc6979_hmac_sha256_tests(void) {
502 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
503 static const unsigned char out1[3][32] = {
504 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
505 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
506 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
509 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
510 static const unsigned char out2[3][32] = {
511 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
512 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
513 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
516 secp256k1_rfc6979_hmac_sha256 rng;
517 unsigned char out[32];
520 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
521 for (i = 0; i < 3; i++) {
522 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
523 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
525 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
527 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
528 for (i = 0; i < 3; i++) {
529 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
530 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
532 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
534 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
535 for (i = 0; i < 3; i++) {
536 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
537 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
539 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
542 /***** RANDOM TESTS *****/
544 void test_rand_bits(int rand32, int bits) {
545 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
546 * get a false negative chance below once in a billion */
547 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
548 /* We try multiplying the results with various odd numbers, which shouldn't
549 * influence the uniform distribution modulo a power of 2. */
550 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
551 /* We only select up to 6 bits from the output to analyse */
552 unsigned int usebits = bits > 6 ? 6 : bits;
553 unsigned int maxshift = bits - usebits;
554 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
555 number, track all observed outcomes, one per bit in a uint64_t. */
556 uint64_t x[6][27] = {{0}};
557 unsigned int i, shift, m;
558 /* Multiply the output of all rand calls with the odd number m, which
559 should not change the uniformity of its distribution. */
560 for (i = 0; i < rounds[usebits]; i++) {
561 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
562 CHECK((((uint64_t)r) >> bits) == 0);
563 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
564 uint32_t rm = r * mults[m];
565 for (shift = 0; shift <= maxshift; shift++) {
566 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
570 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
571 for (shift = 0; shift <= maxshift; shift++) {
572 /* Test that the lower usebits bits of x[shift] are 1 */
573 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
578 /* Subrange must be a whole divisor of range, and at most 64 */
579 void test_rand_int(uint32_t range, uint32_t subrange) {
580 /* (1-1/subrange)^rounds < 1/10^9 */
581 int rounds = (subrange * 2073) / 100;
584 CHECK((range % subrange) == 0);
585 for (i = 0; i < rounds; i++) {
586 uint32_t r = secp256k1_testrand_int(range);
589 x |= (((uint64_t)1) << r);
591 /* Test that the lower subrange bits of x are 1. */
592 CHECK(((~x) << (64 - subrange)) == 0);
595 void run_rand_bits(void) {
597 test_rand_bits(1, 32);
598 for (b = 1; b <= 32; b++) {
599 test_rand_bits(0, b);
603 void run_rand_int(void) {
604 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
605 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
607 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
608 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
609 test_rand_int(ms[m] * ss[s], ss[s]);
614 /***** NUM TESTS *****/
617 void random_num_negate(secp256k1_num *num) {
618 if (secp256k1_testrand_bits(1)) {
619 secp256k1_num_negate(num);
623 void random_num_order_test(secp256k1_num *num) {
625 random_scalar_order_test(&sc);
626 secp256k1_scalar_get_num(num, &sc);
629 void random_num_order(secp256k1_num *num) {
631 random_scalar_order(&sc);
632 secp256k1_scalar_get_num(num, &sc);
635 void test_num_negate(void) {
638 random_num_order_test(&n1); /* n1 = R */
639 random_num_negate(&n1);
640 secp256k1_num_copy(&n2, &n1); /* n2 = R */
641 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
642 CHECK(secp256k1_num_is_zero(&n1));
643 secp256k1_num_copy(&n1, &n2); /* n1 = R */
644 secp256k1_num_negate(&n1); /* n1 = -R */
645 CHECK(!secp256k1_num_is_zero(&n1));
646 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
647 CHECK(secp256k1_num_is_zero(&n1));
648 secp256k1_num_copy(&n1, &n2); /* n1 = R */
649 secp256k1_num_negate(&n1); /* n1 = -R */
650 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
651 secp256k1_num_negate(&n1); /* n1 = R */
652 CHECK(secp256k1_num_eq(&n1, &n2));
655 void test_num_add_sub(void) {
660 secp256k1_num n1p2, n2p1, n1m2, n2m1;
661 random_num_order_test(&n1); /* n1 = R1 */
662 if (secp256k1_testrand_bits(1)) {
663 random_num_negate(&n1);
665 random_num_order_test(&n2); /* n2 = R2 */
666 if (secp256k1_testrand_bits(1)) {
667 random_num_negate(&n2);
669 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
670 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
671 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
672 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
673 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
674 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
675 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
676 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
677 CHECK(!secp256k1_num_eq(&n2m1, &n1));
678 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
679 CHECK(secp256k1_num_eq(&n2m1, &n1));
680 CHECK(!secp256k1_num_eq(&n2p1, &n1));
681 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
682 CHECK(secp256k1_num_eq(&n2p1, &n1));
685 secp256k1_scalar_set_int(&s, 1);
686 secp256k1_scalar_get_num(&n1, &s);
687 CHECK(secp256k1_num_is_one(&n1));
688 /* check that 2^n + 1 is never 1 */
689 secp256k1_scalar_get_num(&n2, &s);
690 for (i = 0; i < 250; ++i) {
691 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
692 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
693 CHECK(!secp256k1_num_is_one(&n1p2));
697 void test_num_mod(void) {
700 secp256k1_num order, n;
702 /* check that 0 mod anything is 0 */
703 random_scalar_order_test(&s);
704 secp256k1_scalar_get_num(&order, &s);
705 secp256k1_scalar_set_int(&s, 0);
706 secp256k1_scalar_get_num(&n, &s);
707 secp256k1_num_mod(&n, &order);
708 CHECK(secp256k1_num_is_zero(&n));
710 /* check that anything mod 1 is 0 */
711 secp256k1_scalar_set_int(&s, 1);
712 secp256k1_scalar_get_num(&order, &s);
713 secp256k1_scalar_get_num(&n, &s);
714 secp256k1_num_mod(&n, &order);
715 CHECK(secp256k1_num_is_zero(&n));
717 /* check that increasing the number past 2^256 does not break this */
718 random_scalar_order_test(&s);
719 secp256k1_scalar_get_num(&n, &s);
720 /* multiply by 2^8, which'll test this case with high probability */
721 for (i = 0; i < 8; ++i) {
722 secp256k1_num_add(&n, &n, &n);
724 secp256k1_num_mod(&n, &order);
725 CHECK(secp256k1_num_is_zero(&n));
728 void test_num_jacobi(void) {
729 secp256k1_scalar sqr;
730 secp256k1_scalar small;
731 secp256k1_scalar five; /* five is not a quadratic residue */
732 secp256k1_num order, n;
734 /* squares mod 5 are 1, 4 */
735 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
737 /* check some small values with 5 as the order */
738 secp256k1_scalar_set_int(&five, 5);
739 secp256k1_scalar_get_num(&order, &five);
740 for (i = 0; i < 10; ++i) {
741 secp256k1_scalar_set_int(&small, i);
742 secp256k1_scalar_get_num(&n, &small);
743 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
746 /** test large values with 5 as group order */
747 secp256k1_scalar_get_num(&order, &five);
748 /* we first need a scalar which is not a multiple of 5 */
751 random_scalar_order_test(&sqr);
752 secp256k1_scalar_get_num(&fiven, &five);
753 secp256k1_scalar_get_num(&n, &sqr);
754 secp256k1_num_mod(&n, &fiven);
755 } while (secp256k1_num_is_zero(&n));
756 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
757 * just multiply by two, i.e. add the number to itself */
758 if (secp256k1_num_jacobi(&n, &order) == -1) {
759 secp256k1_num_add(&n, &n, &n);
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_num_add(&n, &n, &n);
766 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
768 /** test with secp group order as order */
769 secp256k1_scalar_order_get_num(&order);
770 random_scalar_order_test(&sqr);
771 secp256k1_scalar_sqr(&sqr, &sqr);
773 secp256k1_scalar_get_num(&n, &sqr);
774 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
775 /* test nonresidue */
776 secp256k1_scalar_mul(&sqr, &sqr, &five);
777 secp256k1_scalar_get_num(&n, &sqr);
778 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
779 /* test multiple of the order*/
780 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
782 /* check one less than the order */
783 secp256k1_scalar_set_int(&small, 1);
784 secp256k1_scalar_get_num(&n, &small);
785 secp256k1_num_sub(&n, &order, &n);
786 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
789 void run_num_smalltests(void) {
791 for (i = 0; i < 100*count; i++) {
800 /***** SCALAR TESTS *****/
802 void scalar_test(void) {
807 secp256k1_num snum, s1num, s2num;
808 secp256k1_num order, half_order;
812 /* Set 's' to a random scalar, with value 'snum'. */
813 random_scalar_order_test(&s);
815 /* Set 's1' to a random scalar, with value 's1num'. */
816 random_scalar_order_test(&s1);
818 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
819 random_scalar_order_test(&s2);
820 secp256k1_scalar_get_b32(c, &s2);
823 secp256k1_scalar_get_num(&snum, &s);
824 secp256k1_scalar_get_num(&s1num, &s1);
825 secp256k1_scalar_get_num(&s2num, &s2);
827 secp256k1_scalar_order_get_num(&order);
829 secp256k1_num_shift(&half_order, 1);
834 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
836 secp256k1_scalar_set_int(&n, 0);
837 for (i = 0; i < 256; i += 4) {
840 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
841 for (j = 0; j < 4; j++) {
842 secp256k1_scalar_add(&n, &n, &n);
844 secp256k1_scalar_add(&n, &n, &t);
846 CHECK(secp256k1_scalar_eq(&n, &s));
850 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
853 secp256k1_scalar_set_int(&n, 0);
857 int now = secp256k1_testrand_int(15) + 1;
861 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
862 for (j = 0; j < now; j++) {
863 secp256k1_scalar_add(&n, &n, &n);
865 secp256k1_scalar_add(&n, &n, &t);
868 CHECK(secp256k1_scalar_eq(&n, &s));
873 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
877 secp256k1_num_add(&rnum, &snum, &s2num);
878 secp256k1_num_mod(&rnum, &order);
879 secp256k1_scalar_add(&r, &s, &s2);
880 secp256k1_scalar_get_num(&r2num, &r);
881 CHECK(secp256k1_num_eq(&rnum, &r2num));
885 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
889 secp256k1_num_mul(&rnum, &snum, &s2num);
890 secp256k1_num_mod(&rnum, &order);
891 secp256k1_scalar_mul(&r, &s, &s2);
892 secp256k1_scalar_get_num(&r2num, &r);
893 CHECK(secp256k1_num_eq(&rnum, &r2num));
894 /* The result can only be zero if at least one of the factors was zero. */
895 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
896 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
897 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
898 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
902 secp256k1_scalar neg;
903 secp256k1_num negnum;
904 secp256k1_num negnum2;
905 /* Check that comparison with zero matches comparison with zero on the number. */
906 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
907 /* Check that comparison with the half order is equal to testing for high scalar. */
908 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
909 secp256k1_scalar_negate(&neg, &s);
910 secp256k1_num_sub(&negnum, &order, &snum);
911 secp256k1_num_mod(&negnum, &order);
912 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
913 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
914 /* Negating should change the high property, unless the value was already zero. */
915 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
916 secp256k1_scalar_get_num(&negnum2, &neg);
917 /* Negating a scalar should be equal to (order - n) mod order on the number. */
918 CHECK(secp256k1_num_eq(&negnum, &negnum2));
919 secp256k1_scalar_add(&neg, &neg, &s);
920 /* Adding a number to its negation should result in zero. */
921 CHECK(secp256k1_scalar_is_zero(&neg));
922 secp256k1_scalar_negate(&neg, &neg);
923 /* Negating zero should still result in zero. */
924 CHECK(secp256k1_scalar_is_zero(&neg));
928 /* Test secp256k1_scalar_mul_shift_var. */
933 unsigned char cone[1] = {0x01};
934 unsigned int shift = 256 + secp256k1_testrand_int(257);
935 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
936 secp256k1_num_mul(&rnum, &s1num, &s2num);
937 secp256k1_num_shift(&rnum, shift - 1);
938 secp256k1_num_set_bin(&one, cone, 1);
939 secp256k1_num_add(&rnum, &rnum, &one);
940 secp256k1_num_shift(&rnum, 1);
941 secp256k1_scalar_get_num(&rnum2, &r);
942 CHECK(secp256k1_num_eq(&rnum, &rnum2));
946 /* test secp256k1_scalar_shr_int */
949 random_scalar_order_test(&r);
950 for (i = 0; i < 100; ++i) {
952 int shift = 1 + secp256k1_testrand_int(15);
953 int expected = r.d[0] % (1 << shift);
954 low = secp256k1_scalar_shr_int(&r, shift);
955 CHECK(expected == low);
961 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
962 if (!secp256k1_scalar_is_zero(&s)) {
963 secp256k1_scalar inv;
965 secp256k1_num invnum;
966 secp256k1_num invnum2;
968 secp256k1_scalar_inverse(&inv, &s);
970 secp256k1_num_mod_inverse(&invnum, &snum, &order);
971 secp256k1_scalar_get_num(&invnum2, &inv);
972 CHECK(secp256k1_num_eq(&invnum, &invnum2));
974 secp256k1_scalar_mul(&inv, &inv, &s);
975 /* Multiplying a scalar with its inverse must result in one. */
976 CHECK(secp256k1_scalar_is_one(&inv));
977 secp256k1_scalar_inverse(&inv, &inv);
978 /* Inverting one must result in one. */
979 CHECK(secp256k1_scalar_is_one(&inv));
981 secp256k1_scalar_get_num(&invnum, &inv);
982 CHECK(secp256k1_num_is_one(&invnum));
988 /* Test commutativity of add. */
989 secp256k1_scalar r1, r2;
990 secp256k1_scalar_add(&r1, &s1, &s2);
991 secp256k1_scalar_add(&r2, &s2, &s1);
992 CHECK(secp256k1_scalar_eq(&r1, &r2));
996 secp256k1_scalar r1, r2;
1000 int bit = secp256k1_testrand_bits(8);
1001 secp256k1_scalar_set_int(&b, 1);
1002 CHECK(secp256k1_scalar_is_one(&b));
1003 for (i = 0; i < bit; i++) {
1004 secp256k1_scalar_add(&b, &b, &b);
1008 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1009 /* No overflow happened. */
1010 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1011 CHECK(secp256k1_scalar_eq(&r1, &r2));
1012 /* cadd is a noop when flag is zero */
1013 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1014 CHECK(secp256k1_scalar_eq(&r1, &r2));
1019 /* Test commutativity of mul. */
1020 secp256k1_scalar r1, r2;
1021 secp256k1_scalar_mul(&r1, &s1, &s2);
1022 secp256k1_scalar_mul(&r2, &s2, &s1);
1023 CHECK(secp256k1_scalar_eq(&r1, &r2));
1027 /* Test associativity of add. */
1028 secp256k1_scalar r1, r2;
1029 secp256k1_scalar_add(&r1, &s1, &s2);
1030 secp256k1_scalar_add(&r1, &r1, &s);
1031 secp256k1_scalar_add(&r2, &s2, &s);
1032 secp256k1_scalar_add(&r2, &s1, &r2);
1033 CHECK(secp256k1_scalar_eq(&r1, &r2));
1037 /* Test associativity of mul. */
1038 secp256k1_scalar r1, r2;
1039 secp256k1_scalar_mul(&r1, &s1, &s2);
1040 secp256k1_scalar_mul(&r1, &r1, &s);
1041 secp256k1_scalar_mul(&r2, &s2, &s);
1042 secp256k1_scalar_mul(&r2, &s1, &r2);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
1047 /* Test distributitivity of mul over add. */
1048 secp256k1_scalar r1, r2, t;
1049 secp256k1_scalar_add(&r1, &s1, &s2);
1050 secp256k1_scalar_mul(&r1, &r1, &s);
1051 secp256k1_scalar_mul(&r2, &s1, &s);
1052 secp256k1_scalar_mul(&t, &s2, &s);
1053 secp256k1_scalar_add(&r2, &r2, &t);
1054 CHECK(secp256k1_scalar_eq(&r1, &r2));
1059 secp256k1_scalar r1, r2;
1060 secp256k1_scalar_sqr(&r1, &s1);
1061 secp256k1_scalar_mul(&r2, &s1, &s1);
1062 CHECK(secp256k1_scalar_eq(&r1, &r2));
1066 /* Test multiplicative identity. */
1067 secp256k1_scalar r1, v1;
1068 secp256k1_scalar_set_int(&v1,1);
1069 secp256k1_scalar_mul(&r1, &s1, &v1);
1070 CHECK(secp256k1_scalar_eq(&r1, &s1));
1074 /* Test additive identity. */
1075 secp256k1_scalar r1, v0;
1076 secp256k1_scalar_set_int(&v0,0);
1077 secp256k1_scalar_add(&r1, &s1, &v0);
1078 CHECK(secp256k1_scalar_eq(&r1, &s1));
1082 /* Test zero product property. */
1083 secp256k1_scalar r1, v0;
1084 secp256k1_scalar_set_int(&v0,0);
1085 secp256k1_scalar_mul(&r1, &s1, &v0);
1086 CHECK(secp256k1_scalar_eq(&r1, &v0));
1091 void run_scalar_set_b32_seckey_tests(void) {
1092 unsigned char b32[32];
1093 secp256k1_scalar s1;
1094 secp256k1_scalar s2;
1096 /* Usually set_b32 and set_b32_seckey give the same result */
1097 random_scalar_order_b32(b32);
1098 secp256k1_scalar_set_b32(&s1, b32, NULL);
1099 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1100 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1102 memset(b32, 0, sizeof(b32));
1103 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1104 memset(b32, 0xFF, sizeof(b32));
1105 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1108 void run_scalar_tests(void) {
1110 for (i = 0; i < 128 * count; i++) {
1113 for (i = 0; i < count; i++) {
1114 run_scalar_set_b32_seckey_tests();
1118 /* (-1)+1 should be zero. */
1119 secp256k1_scalar s, o;
1120 secp256k1_scalar_set_int(&s, 1);
1121 CHECK(secp256k1_scalar_is_one(&s));
1122 secp256k1_scalar_negate(&o, &s);
1123 secp256k1_scalar_add(&o, &o, &s);
1124 CHECK(secp256k1_scalar_is_zero(&o));
1125 secp256k1_scalar_negate(&o, &o);
1126 CHECK(secp256k1_scalar_is_zero(&o));
1129 #ifndef USE_NUM_NONE
1131 /* Test secp256k1_scalar_set_b32 boundary conditions */
1132 secp256k1_num order;
1133 secp256k1_scalar scalar;
1134 unsigned char bin[32];
1135 unsigned char bin_tmp[32];
1137 /* 2^256-1 - order */
1138 static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1139 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1140 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1143 /* A scalar set to 0s should be 0. */
1145 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146 CHECK(overflow == 0);
1147 CHECK(secp256k1_scalar_is_zero(&scalar));
1149 /* A scalar with value of the curve order should be 0. */
1150 secp256k1_scalar_order_get_num(&order);
1151 secp256k1_num_get_bin(bin, 32, &order);
1152 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1153 CHECK(overflow == 1);
1154 CHECK(secp256k1_scalar_is_zero(&scalar));
1156 /* A scalar with value of the curve order minus one should not overflow. */
1158 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1159 CHECK(overflow == 0);
1160 secp256k1_scalar_get_b32(bin_tmp, &scalar);
1161 CHECK(secp256k1_memcmp_var(bin, bin_tmp, 32) == 0);
1163 /* A scalar set to all 1s should overflow. */
1164 memset(bin, 0xFF, 32);
1165 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1166 CHECK(overflow == 1);
1167 CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1172 /* Does check_overflow check catch all ones? */
1173 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1174 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1175 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1177 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1181 /* Static test vectors.
1182 * These were reduced from ~10^12 random vectors based on comparison-decision
1183 * and edge-case coverage on 32-bit and 64-bit implementations.
1184 * The responses were generated with Sage 5.9.
1189 secp256k1_scalar zz;
1190 secp256k1_scalar one;
1191 secp256k1_scalar r1;
1192 secp256k1_scalar r2;
1193 #if defined(USE_SCALAR_INV_NUM)
1194 secp256k1_scalar zzv;
1197 unsigned char chal[33][2][32] = {
1198 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1199 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1201 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1202 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1204 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1206 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1207 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1210 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1212 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1214 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1216 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1217 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1218 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1219 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1220 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1221 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1222 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1224 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1225 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1226 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1227 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1228 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1229 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1230 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1231 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1232 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1233 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1234 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1235 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1236 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1237 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1238 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1239 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1240 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1241 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1242 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1243 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1244 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1245 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1246 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1247 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1248 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1249 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1250 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1251 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1252 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1253 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1254 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1255 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1256 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1258 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1259 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1260 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1262 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1263 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1264 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1266 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1267 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1270 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1271 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1272 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1273 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1274 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1275 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1276 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1278 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1279 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1280 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1281 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1282 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1286 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1287 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1290 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1292 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1294 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1298 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1299 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1300 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1301 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1302 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1304 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1306 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1307 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1310 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1311 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1312 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1314 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1315 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1316 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1318 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1322 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1324 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1325 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1326 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1327 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1329 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1330 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1332 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1334 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1335 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1336 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1338 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1339 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1341 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1342 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1344 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1345 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1346 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1348 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1349 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1350 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1351 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1352 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1354 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1355 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1356 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1358 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1362 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1364 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1365 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1366 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1368 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1370 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1374 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1376 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1377 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1378 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1381 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1382 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1383 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1386 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1387 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1388 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1389 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1390 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1392 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1394 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1395 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1398 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1400 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1401 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1402 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1406 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1407 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1408 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1409 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1410 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1411 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1412 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1413 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1414 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1415 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1416 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1417 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1418 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1419 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1421 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1422 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1423 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1424 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1425 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1426 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1428 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1429 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1430 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1431 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1432 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1433 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1434 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1435 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1436 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1437 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1438 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1439 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1440 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1441 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1442 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1443 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1444 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1445 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1446 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1447 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1448 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1449 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1450 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1451 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1452 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1453 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1454 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1455 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1456 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1457 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1458 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1459 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1460 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1461 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1463 unsigned char res[33][2][32] = {
1464 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1465 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1466 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1467 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1468 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1469 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1470 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1471 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1472 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1473 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1474 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1475 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1476 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1477 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1478 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1479 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1480 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1481 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1482 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1483 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1484 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1485 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1486 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1487 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1488 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1489 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1490 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1491 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1492 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1493 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1494 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1495 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1496 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1497 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1498 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1499 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1500 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1501 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1502 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1503 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1504 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1505 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1506 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1507 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1508 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1509 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1510 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1511 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1512 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1513 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1514 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1515 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1516 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1517 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1518 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1519 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1520 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1521 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1522 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1523 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1524 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1525 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1526 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1527 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1528 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1529 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1530 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1531 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1532 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1533 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1534 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1535 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1536 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1537 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1538 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1539 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1540 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1541 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1542 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1543 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1544 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1545 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1546 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1547 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1548 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1549 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1550 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1551 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1552 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1553 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1554 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1555 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1556 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1557 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1558 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1559 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1560 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1561 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1562 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1563 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1564 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1565 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1566 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1567 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1568 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1569 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1570 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1571 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1572 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1573 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1574 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1575 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1576 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1577 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1578 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1579 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1580 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1581 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1582 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1583 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1584 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1585 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1586 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1587 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1588 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1589 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1590 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1591 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1592 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1593 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1594 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1595 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1596 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1597 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1598 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1599 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1600 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1601 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1602 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1603 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1604 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1605 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1606 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1607 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1608 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1609 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1610 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1611 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1612 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1613 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1614 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1615 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1616 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1617 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1618 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1619 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1620 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1621 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1622 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1623 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1624 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1628 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1631 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1632 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1636 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1640 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1641 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1642 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1643 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1644 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1645 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1646 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1647 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1648 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1649 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1650 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1651 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1652 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1653 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1654 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1655 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1656 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1658 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1659 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1660 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1661 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1662 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1663 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1664 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1665 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1666 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1667 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1668 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1672 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1673 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1674 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1675 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1676 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1677 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1678 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1679 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1680 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1681 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1682 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1683 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1684 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1685 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1686 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1687 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1688 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1689 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1690 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1691 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1692 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1693 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1694 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1695 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1696 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1697 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1698 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1699 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1700 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1701 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1702 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1703 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1704 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1705 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1706 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1707 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1708 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1709 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1710 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1711 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1712 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1713 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1714 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1715 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1716 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1717 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1718 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1719 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1720 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1721 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1722 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1723 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1724 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1725 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1726 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1727 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1729 secp256k1_scalar_set_int(&one, 1);
1730 for (i = 0; i < 33; i++) {
1731 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1733 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1735 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1737 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1739 secp256k1_scalar_mul(&z, &x, &y);
1740 CHECK(!secp256k1_scalar_check_overflow(&z));
1741 CHECK(secp256k1_scalar_eq(&r1, &z));
1742 if (!secp256k1_scalar_is_zero(&y)) {
1743 secp256k1_scalar_inverse(&zz, &y);
1744 CHECK(!secp256k1_scalar_check_overflow(&zz));
1745 #if defined(USE_SCALAR_INV_NUM)
1746 secp256k1_scalar_inverse_var(&zzv, &y);
1747 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1749 secp256k1_scalar_mul(&z, &z, &zz);
1750 CHECK(!secp256k1_scalar_check_overflow(&z));
1751 CHECK(secp256k1_scalar_eq(&x, &z));
1752 secp256k1_scalar_mul(&zz, &zz, &y);
1753 CHECK(!secp256k1_scalar_check_overflow(&zz));
1754 CHECK(secp256k1_scalar_eq(&one, &zz));
1756 secp256k1_scalar_mul(&z, &x, &x);
1757 CHECK(!secp256k1_scalar_check_overflow(&z));
1758 secp256k1_scalar_sqr(&zz, &x);
1759 CHECK(!secp256k1_scalar_check_overflow(&zz));
1760 CHECK(secp256k1_scalar_eq(&zz, &z));
1761 CHECK(secp256k1_scalar_eq(&r2, &zz));
1766 /***** FIELD TESTS *****/
1768 void random_fe(secp256k1_fe *x) {
1769 unsigned char bin[32];
1771 secp256k1_testrand256(bin);
1772 if (secp256k1_fe_set_b32(x, bin)) {
1778 void random_fe_test(secp256k1_fe *x) {
1779 unsigned char bin[32];
1781 secp256k1_testrand256_test(bin);
1782 if (secp256k1_fe_set_b32(x, bin)) {
1788 void random_fe_non_zero(secp256k1_fe *nz) {
1790 while (--tries >= 0) {
1792 secp256k1_fe_normalize(nz);
1793 if (!secp256k1_fe_is_zero(nz)) {
1797 /* Infinitesimal probability of spurious failure here */
1801 void random_fe_non_square(secp256k1_fe *ns) {
1803 random_fe_non_zero(ns);
1804 if (secp256k1_fe_sqrt(&r, ns)) {
1805 secp256k1_fe_negate(ns, ns, 1);
1809 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1810 secp256k1_fe an = *a;
1811 secp256k1_fe bn = *b;
1812 secp256k1_fe_normalize_weak(&an);
1813 secp256k1_fe_normalize_var(&bn);
1814 return secp256k1_fe_equal_var(&an, &bn);
1817 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1819 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1820 secp256k1_fe_mul(&x, a, ai);
1821 return check_fe_equal(&x, &one);
1824 void run_field_convert(void) {
1825 static const unsigned char b32[32] = {
1826 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1827 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1828 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1829 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1831 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1832 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1833 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1835 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1836 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1837 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1840 unsigned char b322[32];
1841 secp256k1_fe_storage fes2;
1842 /* Check conversions to fe. */
1843 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1844 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1845 secp256k1_fe_from_storage(&fe2, &fes);
1846 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1847 /* Check conversion from fe. */
1848 secp256k1_fe_get_b32(b322, &fe);
1849 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1850 secp256k1_fe_to_storage(&fes2, &fe);
1851 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1854 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1855 secp256k1_fe t = *b;
1857 t.magnitude = a->magnitude;
1858 t.normalized = a->normalized;
1860 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1863 void run_field_misc(void) {
1868 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1870 for (i = 0; i < 5*count; i++) {
1871 secp256k1_fe_storage xs, ys, zs;
1873 random_fe_non_zero(&y);
1874 /* Test the fe equality and comparison operations. */
1875 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1876 CHECK(secp256k1_fe_equal_var(&x, &x));
1878 secp256k1_fe_add(&z,&y);
1879 /* Test fe conditional move; z is not normalized here. */
1881 secp256k1_fe_cmov(&x, &z, 0);
1883 CHECK(x.normalized && x.magnitude == 1);
1885 secp256k1_fe_cmov(&x, &x, 1);
1886 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1887 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1888 secp256k1_fe_cmov(&q, &z, 1);
1890 CHECK(!q.normalized && q.magnitude == z.magnitude);
1892 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1893 secp256k1_fe_normalize_var(&x);
1894 secp256k1_fe_normalize_var(&z);
1895 CHECK(!secp256k1_fe_equal_var(&x, &z));
1896 secp256k1_fe_normalize_var(&q);
1897 secp256k1_fe_cmov(&q, &z, (i&1));
1899 CHECK(q.normalized && q.magnitude == 1);
1901 for (j = 0; j < 6; j++) {
1902 secp256k1_fe_negate(&z, &z, j+1);
1903 secp256k1_fe_normalize_var(&q);
1904 secp256k1_fe_cmov(&q, &z, (j&1));
1906 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1909 secp256k1_fe_normalize_var(&z);
1910 /* Test storage conversion and conditional moves. */
1911 secp256k1_fe_to_storage(&xs, &x);
1912 secp256k1_fe_to_storage(&ys, &y);
1913 secp256k1_fe_to_storage(&zs, &z);
1914 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1915 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1916 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
1917 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1918 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
1919 secp256k1_fe_from_storage(&x, &xs);
1920 secp256k1_fe_from_storage(&y, &ys);
1921 secp256k1_fe_from_storage(&z, &zs);
1922 /* Test that mul_int, mul, and add agree. */
1923 secp256k1_fe_add(&y, &x);
1924 secp256k1_fe_add(&y, &x);
1926 secp256k1_fe_mul_int(&z, 3);
1927 CHECK(check_fe_equal(&y, &z));
1928 secp256k1_fe_add(&y, &x);
1929 secp256k1_fe_add(&z, &x);
1930 CHECK(check_fe_equal(&z, &y));
1932 secp256k1_fe_mul_int(&z, 5);
1933 secp256k1_fe_mul(&q, &x, &fe5);
1934 CHECK(check_fe_equal(&z, &q));
1935 secp256k1_fe_negate(&x, &x, 1);
1936 secp256k1_fe_add(&z, &x);
1937 secp256k1_fe_add(&q, &x);
1938 CHECK(check_fe_equal(&y, &z));
1939 CHECK(check_fe_equal(&q, &y));
1943 void run_field_inv(void) {
1944 secp256k1_fe x, xi, xii;
1946 for (i = 0; i < 10*count; i++) {
1947 random_fe_non_zero(&x);
1948 secp256k1_fe_inv(&xi, &x);
1949 CHECK(check_fe_inverse(&x, &xi));
1950 secp256k1_fe_inv(&xii, &xi);
1951 CHECK(check_fe_equal(&x, &xii));
1955 void run_field_inv_var(void) {
1956 secp256k1_fe x, xi, xii;
1958 for (i = 0; i < 10*count; i++) {
1959 random_fe_non_zero(&x);
1960 secp256k1_fe_inv_var(&xi, &x);
1961 CHECK(check_fe_inverse(&x, &xi));
1962 secp256k1_fe_inv_var(&xii, &xi);
1963 CHECK(check_fe_equal(&x, &xii));
1967 void run_sqr(void) {
1972 secp256k1_fe_set_int(&x, 1);
1973 secp256k1_fe_negate(&x, &x, 1);
1975 for (i = 1; i <= 512; ++i) {
1976 secp256k1_fe_mul_int(&x, 2);
1977 secp256k1_fe_normalize(&x);
1978 secp256k1_fe_sqr(&s, &x);
1983 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1984 secp256k1_fe r1, r2;
1985 int v = secp256k1_fe_sqrt(&r1, a);
1986 CHECK((v == 0) == (k == NULL));
1989 /* Check that the returned root is +/- the given known answer */
1990 secp256k1_fe_negate(&r2, &r1, 1);
1991 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1992 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1993 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1997 void run_sqrt(void) {
1998 secp256k1_fe ns, x, s, t;
2001 /* Check sqrt(0) is 0 */
2002 secp256k1_fe_set_int(&x, 0);
2003 secp256k1_fe_sqr(&s, &x);
2006 /* Check sqrt of small squares (and their negatives) */
2007 for (i = 1; i <= 100; i++) {
2008 secp256k1_fe_set_int(&x, i);
2009 secp256k1_fe_sqr(&s, &x);
2011 secp256k1_fe_negate(&t, &s, 1);
2012 test_sqrt(&t, NULL);
2015 /* Consistency checks for large random values */
2016 for (i = 0; i < 10; i++) {
2018 random_fe_non_square(&ns);
2019 for (j = 0; j < count; j++) {
2021 secp256k1_fe_sqr(&s, &x);
2023 secp256k1_fe_negate(&t, &s, 1);
2024 test_sqrt(&t, NULL);
2025 secp256k1_fe_mul(&t, &s, &ns);
2026 test_sqrt(&t, NULL);
2031 /***** GROUP TESTS *****/
2033 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2034 CHECK(a->infinity == b->infinity);
2038 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2039 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2042 /* This compares jacobian points including their Z, not just their geometric meaning. */
2043 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2047 ret &= a->infinity == b->infinity;
2048 if (ret && !a->infinity) {
2051 secp256k1_fe_normalize(&a2.x);
2052 secp256k1_fe_normalize(&a2.y);
2053 secp256k1_fe_normalize(&a2.z);
2054 secp256k1_fe_normalize(&b2.x);
2055 secp256k1_fe_normalize(&b2.y);
2056 secp256k1_fe_normalize(&b2.z);
2057 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2058 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2059 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2064 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2066 secp256k1_fe u1, u2, s1, s2;
2067 CHECK(a->infinity == b->infinity);
2071 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2072 secp256k1_fe_sqr(&z2s, &b->z);
2073 secp256k1_fe_mul(&u1, &a->x, &z2s);
2074 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2075 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2076 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2077 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2078 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2081 void test_ge(void) {
2084 /* 25 points are used:
2086 * - for each of four random points p1 p2 p3 p4, we add the point, its
2087 * negation, and then those two again but with randomized Z coordinate.
2088 * - The same is then done for lambda*p1 and lambda^2*p1.
2090 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2091 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2093 secp256k1_fe zfi2, zfi3;
2095 secp256k1_gej_set_infinity(&gej[0]);
2096 secp256k1_ge_clear(&ge[0]);
2097 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2098 for (i = 0; i < runs; i++) {
2101 random_group_element_test(&g);
2102 if (i >= runs - 2) {
2103 secp256k1_ge_mul_lambda(&g, &ge[1]);
2105 if (i >= runs - 1) {
2106 secp256k1_ge_mul_lambda(&g, &g);
2110 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2111 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2112 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2113 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2114 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2115 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2116 for (j = 0; j < 4; j++) {
2117 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2118 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2119 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2120 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2121 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2125 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2127 random_field_element_test(&zf);
2128 } while(secp256k1_fe_is_zero(&zf));
2129 random_field_element_magnitude(&zf);
2130 secp256k1_fe_inv_var(&zfi3, &zf);
2131 secp256k1_fe_sqr(&zfi2, &zfi3);
2132 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2134 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2136 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2137 /* Compute reference result using gej + gej (var). */
2138 secp256k1_gej refj, resj;
2141 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2142 /* Check Z ratio. */
2143 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2144 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2145 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2147 secp256k1_ge_set_gej_var(&ref, &refj);
2149 /* Test gej + ge with Z ratio result (var). */
2150 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2151 ge_equals_gej(&ref, &resj);
2152 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2153 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2154 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2157 /* Test gej + ge (var, with additional Z factor). */
2159 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2160 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2161 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2162 random_field_element_magnitude(&ge2_zfi.x);
2163 random_field_element_magnitude(&ge2_zfi.y);
2164 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2165 ge_equals_gej(&ref, &resj);
2168 /* Test gej + ge (const). */
2170 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2171 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2172 ge_equals_gej(&ref, &resj);
2175 /* Test doubling (var). */
2176 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2178 /* Normal doubling with Z ratio result. */
2179 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2180 ge_equals_gej(&ref, &resj);
2181 /* Check Z ratio. */
2182 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2183 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2184 /* Normal doubling. */
2185 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2186 ge_equals_gej(&ref, &resj);
2187 /* Constant-time doubling. */
2188 secp256k1_gej_double(&resj, &gej[i2]);
2189 ge_equals_gej(&ref, &resj);
2192 /* Test adding opposites. */
2193 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2194 CHECK(secp256k1_ge_is_infinity(&ref));
2197 /* Test adding infinity. */
2199 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2200 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2201 ge_equals_gej(&ref, &gej[i2]);
2204 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2205 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2206 ge_equals_gej(&ref, &gej[i1]);
2211 /* Test adding all points together in random order equals infinity. */
2213 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2214 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2215 for (i = 0; i < 4 * runs + 1; i++) {
2216 gej_shuffled[i] = gej[i];
2218 for (i = 0; i < 4 * runs + 1; i++) {
2219 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2221 secp256k1_gej t = gej_shuffled[i];
2222 gej_shuffled[i] = gej_shuffled[swap];
2223 gej_shuffled[swap] = t;
2226 for (i = 0; i < 4 * runs + 1; i++) {
2227 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2229 CHECK(secp256k1_gej_is_infinity(&sum));
2233 /* Test batch gej -> ge conversion without known z ratios. */
2235 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2236 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2237 for (i = 0; i < 4 * runs + 1; i++) {
2239 random_fe_non_zero(&s);
2240 secp256k1_gej_rescale(&gej[i], &s);
2241 ge_equals_gej(&ge_set_all[i], &gej[i]);
2246 /* Test batch gej -> ge conversion with many infinities. */
2247 for (i = 0; i < 4 * runs + 1; i++) {
2248 random_group_element_test(&ge[i]);
2249 /* randomly set half the points to infinity */
2250 if(secp256k1_fe_is_odd(&ge[i].x)) {
2251 secp256k1_ge_set_infinity(&ge[i]);
2253 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2256 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2258 for (i = 0; i < 4 * runs + 1; i++) {
2259 ge_equals_gej(&ge[i], &gej[i]);
2267 void test_intialized_inf(void) {
2269 secp256k1_gej pj, npj, infj1, infj2, infj3;
2272 /* Test that adding P+(-P) results in a fully initalized infinity*/
2273 random_group_element_test(&p);
2274 secp256k1_gej_set_ge(&pj, &p);
2275 secp256k1_gej_neg(&npj, &pj);
2277 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2278 CHECK(secp256k1_gej_is_infinity(&infj1));
2279 CHECK(secp256k1_fe_is_zero(&infj1.x));
2280 CHECK(secp256k1_fe_is_zero(&infj1.y));
2281 CHECK(secp256k1_fe_is_zero(&infj1.z));
2283 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2284 CHECK(secp256k1_gej_is_infinity(&infj2));
2285 CHECK(secp256k1_fe_is_zero(&infj2.x));
2286 CHECK(secp256k1_fe_is_zero(&infj2.y));
2287 CHECK(secp256k1_fe_is_zero(&infj2.z));
2289 secp256k1_fe_set_int(&zinv, 1);
2290 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2291 CHECK(secp256k1_gej_is_infinity(&infj3));
2292 CHECK(secp256k1_fe_is_zero(&infj3.x));
2293 CHECK(secp256k1_fe_is_zero(&infj3.y));
2294 CHECK(secp256k1_fe_is_zero(&infj3.z));
2299 void test_add_neg_y_diff_x(void) {
2300 /* The point of this test is to check that we can add two points
2301 * whose y-coordinates are negatives of each other but whose x
2302 * coordinates differ. If the x-coordinates were the same, these
2303 * points would be negatives of each other and their sum is
2304 * infinity. This is cool because it "covers up" any degeneracy
2305 * in the addition algorithm that would cause the xy coordinates
2306 * of the sum to be wrong (since infinity has no xy coordinates).
2307 * HOWEVER, if the x-coordinates are different, infinity is the
2308 * wrong answer, and such degeneracies are exposed. This is the
2309 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2310 * which this test is a regression test for.
2312 * These points were generated in sage as
2313 * # secp256k1 params
2314 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2315 * C = EllipticCurve ([F (0), F (7)])
2316 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2317 * N = FiniteField(G.order())
2319 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2321 * lam = (1 - x^3).roots()[1][0]
2323 * # random "bad pair"
2324 * P = C.random_element()
2326 * print " P: %x %x" % P.xy()
2327 * print " Q: %x %x" % Q.xy()
2328 * print "P + Q: %x %x" % (P + Q).xy()
2330 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2331 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2332 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2333 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2334 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2336 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2337 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2338 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2339 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2340 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2342 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2343 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2344 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2345 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2346 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2351 secp256k1_ge_set_gej(&b, &bj);
2353 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2354 secp256k1_ge_set_gej(&res, &resj);
2355 ge_equals_gej(&res, &sumj);
2357 secp256k1_gej_add_ge(&resj, &aj, &b);
2358 secp256k1_ge_set_gej(&res, &resj);
2359 ge_equals_gej(&res, &sumj);
2361 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2362 secp256k1_ge_set_gej(&res, &resj);
2363 ge_equals_gej(&res, &sumj);
2368 for (i = 0; i < count * 32; i++) {
2371 test_add_neg_y_diff_x();
2372 test_intialized_inf();
2375 void test_ec_combine(void) {
2376 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2377 secp256k1_pubkey data[6];
2378 const secp256k1_pubkey* d[6];
2379 secp256k1_pubkey sd;
2380 secp256k1_pubkey sd2;
2384 for (i = 1; i <= 6; i++) {
2386 random_scalar_order_test(&s);
2387 secp256k1_scalar_add(&sum, &sum, &s);
2388 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2389 secp256k1_ge_set_gej(&Q, &Qj);
2390 secp256k1_pubkey_save(&data[i - 1], &Q);
2391 d[i - 1] = &data[i - 1];
2392 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2393 secp256k1_ge_set_gej(&Q, &Qj);
2394 secp256k1_pubkey_save(&sd, &Q);
2395 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2396 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2400 void run_ec_combine(void) {
2402 for (i = 0; i < count * 8; i++) {
2407 void test_group_decompress(const secp256k1_fe* x) {
2408 /* The input itself, normalized. */
2409 secp256k1_fe fex = *x;
2411 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2412 secp256k1_ge ge_quad, ge_even, ge_odd;
2413 secp256k1_gej gej_quad;
2414 /* Return values of the above calls. */
2415 int res_quad, res_even, res_odd;
2417 secp256k1_fe_normalize_var(&fex);
2419 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2420 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2421 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2423 CHECK(res_quad == res_even);
2424 CHECK(res_quad == res_odd);
2427 secp256k1_fe_normalize_var(&ge_quad.x);
2428 secp256k1_fe_normalize_var(&ge_odd.x);
2429 secp256k1_fe_normalize_var(&ge_even.x);
2430 secp256k1_fe_normalize_var(&ge_quad.y);
2431 secp256k1_fe_normalize_var(&ge_odd.y);
2432 secp256k1_fe_normalize_var(&ge_even.y);
2434 /* No infinity allowed. */
2435 CHECK(!ge_quad.infinity);
2436 CHECK(!ge_even.infinity);
2437 CHECK(!ge_odd.infinity);
2439 /* Check that the x coordinates check out. */
2440 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2441 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2442 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2444 /* Check that the Y coordinate result in ge_quad is a square. */
2445 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2447 /* Check odd/even Y in ge_odd, ge_even. */
2448 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2449 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2451 /* Check secp256k1_gej_has_quad_y_var. */
2452 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2453 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2455 random_fe_test(&fez);
2456 } while (secp256k1_fe_is_zero(&fez));
2457 secp256k1_gej_rescale(&gej_quad, &fez);
2458 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2459 secp256k1_gej_neg(&gej_quad, &gej_quad);
2460 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2462 random_fe_test(&fez);
2463 } while (secp256k1_fe_is_zero(&fez));
2464 secp256k1_gej_rescale(&gej_quad, &fez);
2465 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2466 secp256k1_gej_neg(&gej_quad, &gej_quad);
2467 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2471 void run_group_decompress(void) {
2473 for (i = 0; i < count * 4; i++) {
2475 random_fe_test(&fe);
2476 test_group_decompress(&fe);
2480 /***** ECMULT TESTS *****/
2482 void run_ecmult_chain(void) {
2483 /* random starting point A (on the curve) */
2484 secp256k1_gej a = SECP256K1_GEJ_CONST(
2485 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2486 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2487 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2488 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2490 /* two random initial factors xn and gn */
2491 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2492 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2493 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2495 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2496 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2497 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2499 /* two small multipliers to be applied to xn and gn in every iteration: */
2500 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2501 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2502 /* accumulators with the resulting coefficients to A and G */
2503 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2504 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2510 /* the point being computed */
2512 for (i = 0; i < 200*count; i++) {
2513 /* in each iteration, compute X = xn*X + gn*G; */
2514 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2515 /* also compute ae and ge: the actual accumulated factors for A and G */
2516 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2517 secp256k1_scalar_mul(&ae, &ae, &xn);
2518 secp256k1_scalar_mul(&ge, &ge, &xn);
2519 secp256k1_scalar_add(&ge, &ge, &gn);
2520 /* modify xn and gn */
2521 secp256k1_scalar_mul(&xn, &xn, &xf);
2522 secp256k1_scalar_mul(&gn, &gn, &gf);
2526 /* expected result after 19999 iterations */
2527 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2528 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2529 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2530 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2531 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2534 secp256k1_gej_neg(&rp, &rp);
2535 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2536 CHECK(secp256k1_gej_is_infinity(&rp));
2539 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2540 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2541 secp256k1_gej_neg(&x2, &x2);
2542 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2543 CHECK(secp256k1_gej_is_infinity(&x2));
2546 void test_point_times_order(const secp256k1_gej *point) {
2547 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2549 secp256k1_scalar nx;
2550 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2551 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2552 secp256k1_gej res1, res2;
2554 unsigned char pub[65];
2556 random_scalar_order_test(&x);
2557 secp256k1_scalar_negate(&nx, &x);
2558 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2559 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2560 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2561 CHECK(secp256k1_gej_is_infinity(&res1));
2562 secp256k1_ge_set_gej(&res3, &res1);
2563 CHECK(secp256k1_ge_is_infinity(&res3));
2564 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2565 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2567 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2568 /* check zero/one edge cases */
2569 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2570 secp256k1_ge_set_gej(&res3, &res1);
2571 CHECK(secp256k1_ge_is_infinity(&res3));
2572 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2573 secp256k1_ge_set_gej(&res3, &res1);
2574 ge_equals_gej(&res3, point);
2575 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2576 secp256k1_ge_set_gej(&res3, &res1);
2577 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2580 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2582 * They are computed as:
2583 * - For a in [-2, -1, 0, 1, 2]:
2584 * - For b in [-3, -1, 1, 3]:
2585 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2587 static const secp256k1_scalar scalars_near_split_bounds[20] = {
2588 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2589 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2590 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2591 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2592 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2593 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2594 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2595 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2596 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2597 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2598 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2599 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2600 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2601 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2602 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2603 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2604 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2605 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2606 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2607 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2610 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2611 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2612 secp256k1_scalar n1, n2;
2614 secp256k1_gej pj, p1j, p2j, ptj;
2615 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2617 /* Generate random n1,n2 such that n1+n2 = -target. */
2618 random_scalar_order_test(&n1);
2619 secp256k1_scalar_add(&n2, &n1, target);
2620 secp256k1_scalar_negate(&n2, &n2);
2622 /* Generate a random input point. */
2624 random_group_element_test(&p);
2625 secp256k1_gej_set_ge(&pj, &p);
2628 /* EC multiplications */
2630 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2631 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2632 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2633 } else if (mode == 1) {
2634 secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2635 secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2636 secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2638 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2639 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2640 secp256k1_ecmult_const(&ptj, &p, target, 256);
2643 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2644 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2645 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2646 CHECK(secp256k1_gej_is_infinity(&ptj));
2649 void run_ecmult_near_split_bound(void) {
2652 for (i = 0; i < 4*count; ++i) {
2653 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2654 test_ecmult_target(&scalars_near_split_bounds[j], 0);
2655 test_ecmult_target(&scalars_near_split_bounds[j], 1);
2656 test_ecmult_target(&scalars_near_split_bounds[j], 2);
2661 void run_point_times_order(void) {
2663 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2664 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2665 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2666 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2668 for (i = 0; i < 500; i++) {
2670 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2672 CHECK(secp256k1_ge_is_valid_var(&p));
2673 secp256k1_gej_set_ge(&j, &p);
2674 test_point_times_order(&j);
2676 secp256k1_fe_sqr(&x, &x);
2678 secp256k1_fe_normalize_var(&x);
2679 CHECK(secp256k1_fe_equal_var(&x, &xr));
2682 void ecmult_const_random_mult(void) {
2683 /* random starting point A (on the curve) */
2684 secp256k1_ge a = SECP256K1_GE_CONST(
2685 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2686 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2687 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2688 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2690 /* random initial factor xn */
2691 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2692 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2693 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2695 /* expected xn * A (from sage) */
2696 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2697 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2698 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2699 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2700 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2703 secp256k1_ecmult_const(&b, &a, &xn, 256);
2705 CHECK(secp256k1_ge_is_valid_var(&a));
2706 ge_equals_gej(&expected_b, &b);
2709 void ecmult_const_commutativity(void) {
2716 random_scalar_order_test(&a);
2717 random_scalar_order_test(&b);
2719 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2720 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2721 secp256k1_ge_set_gej(&mid1, &res1);
2722 secp256k1_ge_set_gej(&mid2, &res2);
2723 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2724 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2725 secp256k1_ge_set_gej(&mid1, &res1);
2726 secp256k1_ge_set_gej(&mid2, &res2);
2727 ge_equals_ge(&mid1, &mid2);
2730 void ecmult_const_mult_zero_one(void) {
2731 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2732 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2733 secp256k1_scalar negone;
2737 secp256k1_scalar_negate(&negone, &one);
2739 random_group_element_test(&point);
2740 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2741 secp256k1_ge_set_gej(&res2, &res1);
2742 CHECK(secp256k1_ge_is_infinity(&res2));
2743 secp256k1_ecmult_const(&res1, &point, &one, 2);
2744 secp256k1_ge_set_gej(&res2, &res1);
2745 ge_equals_ge(&res2, &point);
2746 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2747 secp256k1_gej_neg(&res1, &res1);
2748 secp256k1_ge_set_gej(&res2, &res1);
2749 ge_equals_ge(&res2, &point);
2752 void ecmult_const_chain_multiply(void) {
2753 /* Check known result (randomly generated test problem from sage) */
2754 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2755 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2756 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2758 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2759 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2760 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2761 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2762 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2764 secp256k1_gej point;
2768 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2769 for (i = 0; i < 100; ++i) {
2771 secp256k1_ge_set_gej(&tmp, &point);
2772 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2774 secp256k1_ge_set_gej(&res, &point);
2775 ge_equals_gej(&res, &expected_point);
2778 void run_ecmult_const_tests(void) {
2779 ecmult_const_mult_zero_one();
2780 ecmult_const_random_mult();
2781 ecmult_const_commutativity();
2782 ecmult_const_chain_multiply();
2786 secp256k1_scalar *sc;
2788 } ecmult_multi_data;
2790 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2791 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2792 *sc = data->sc[idx];
2793 *pt = data->pt[idx];
2797 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2805 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2807 secp256k1_scalar szero;
2808 secp256k1_scalar sc[32];
2809 secp256k1_ge pt[32];
2812 ecmult_multi_data data;
2816 secp256k1_scalar_set_int(&szero, 0);
2818 /* No points to multiply */
2819 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2821 /* Check 1- and 2-point multiplies against ecmult */
2822 for (ncount = 0; ncount < count; ncount++) {
2825 random_scalar_order(&sc[0]);
2826 random_scalar_order(&sc[1]);
2828 random_group_element_test(&ptg);
2829 secp256k1_gej_set_ge(&ptgj, &ptg);
2831 pt[1] = secp256k1_ge_const_g;
2834 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2835 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2836 secp256k1_gej_neg(&r2, &r2);
2837 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2838 CHECK(secp256k1_gej_is_infinity(&r));
2841 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2842 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2843 secp256k1_gej_neg(&r2, &r2);
2844 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2845 CHECK(secp256k1_gej_is_infinity(&r));
2847 /* Try to multiply 1 point, but callback returns false */
2848 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2851 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2852 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2853 secp256k1_gej_neg(&r2, &r2);
2854 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2855 CHECK(secp256k1_gej_is_infinity(&r));
2857 /* 2-point with G scalar */
2858 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2859 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2860 secp256k1_gej_neg(&r2, &r2);
2861 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2862 CHECK(secp256k1_gej_is_infinity(&r));
2865 /* Check infinite outputs of various forms */
2866 for (ncount = 0; ncount < count; ncount++) {
2869 size_t sizes[] = { 2, 10, 32 };
2871 for (j = 0; j < 3; j++) {
2872 for (i = 0; i < 32; i++) {
2873 random_scalar_order(&sc[i]);
2874 secp256k1_ge_set_infinity(&pt[i]);
2876 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2877 CHECK(secp256k1_gej_is_infinity(&r));
2880 for (j = 0; j < 3; j++) {
2881 for (i = 0; i < 32; i++) {
2882 random_group_element_test(&ptg);
2884 secp256k1_scalar_set_int(&sc[i], 0);
2886 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2887 CHECK(secp256k1_gej_is_infinity(&r));
2890 for (j = 0; j < 3; j++) {
2891 random_group_element_test(&ptg);
2892 for (i = 0; i < 16; i++) {
2893 random_scalar_order(&sc[2*i]);
2894 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2896 pt[2 * i + 1] = ptg;
2899 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2900 CHECK(secp256k1_gej_is_infinity(&r));
2902 random_scalar_order(&sc[0]);
2903 for (i = 0; i < 16; i++) {
2904 random_group_element_test(&ptg);
2909 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2912 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2913 CHECK(secp256k1_gej_is_infinity(&r));
2916 random_group_element_test(&ptg);
2917 secp256k1_scalar_set_int(&sc[0], 0);
2919 for (i = 1; i < 32; i++) {
2922 random_scalar_order(&sc[i]);
2923 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2924 secp256k1_scalar_negate(&sc[i], &sc[i]);
2927 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2928 CHECK(secp256k1_gej_is_infinity(&r));
2931 /* Check random points, constant scalar */
2932 for (ncount = 0; ncount < count; ncount++) {
2934 secp256k1_gej_set_infinity(&r);
2936 random_scalar_order(&sc[0]);
2937 for (i = 0; i < 20; i++) {
2940 random_group_element_test(&ptg);
2942 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2945 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2946 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2947 secp256k1_gej_neg(&r2, &r2);
2948 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2949 CHECK(secp256k1_gej_is_infinity(&r));
2952 /* Check random scalars, constant point */
2953 for (ncount = 0; ncount < count; ncount++) {
2957 secp256k1_scalar rs;
2958 secp256k1_scalar_set_int(&rs, 0);
2960 random_group_element_test(&ptg);
2961 for (i = 0; i < 20; i++) {
2962 random_scalar_order(&sc[i]);
2964 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2967 secp256k1_gej_set_ge(&p0j, &pt[0]);
2968 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2969 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2970 secp256k1_gej_neg(&r2, &r2);
2971 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2972 CHECK(secp256k1_gej_is_infinity(&r));
2975 /* Sanity check that zero scalars don't cause problems */
2976 for (ncount = 0; ncount < 20; ncount++) {
2977 random_scalar_order(&sc[ncount]);
2978 random_group_element_test(&pt[ncount]);
2981 secp256k1_scalar_clear(&sc[0]);
2982 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2983 secp256k1_scalar_clear(&sc[1]);
2984 secp256k1_scalar_clear(&sc[2]);
2985 secp256k1_scalar_clear(&sc[3]);
2986 secp256k1_scalar_clear(&sc[4]);
2987 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2988 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2989 CHECK(secp256k1_gej_is_infinity(&r));
2991 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2993 const size_t TOP = 8;
2999 random_group_element_test(&ptg);
3000 secp256k1_gej_set_ge(&ptgj, &ptg);
3002 for(t0i = 0; t0i < TOP; t0i++) {
3003 for(t1i = 0; t1i < TOP; t1i++) {
3004 secp256k1_gej t0p, t1p;
3005 secp256k1_scalar t0, t1;
3007 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3008 secp256k1_scalar_cond_negate(&t0, t0i & 1);
3009 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3010 secp256k1_scalar_cond_negate(&t1, t1i & 1);
3012 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3013 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3015 for(s0i = 0; s0i < TOP; s0i++) {
3016 for(s1i = 0; s1i < TOP; s1i++) {
3017 secp256k1_scalar tmp1, tmp2;
3018 secp256k1_gej expected, actual;
3020 secp256k1_ge_set_gej(&pt[0], &t0p);
3021 secp256k1_ge_set_gej(&pt[1], &t1p);
3023 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3024 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3025 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3026 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3028 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3029 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3030 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3032 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3033 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3034 secp256k1_gej_neg(&expected, &expected);
3035 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3036 CHECK(secp256k1_gej_is_infinity(&actual));
3044 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3045 secp256k1_scalar szero;
3046 secp256k1_scalar sc;
3049 ecmult_multi_data data;
3050 secp256k1_scratch *scratch_empty;
3052 random_group_element_test(&pt);
3053 random_scalar_order(&sc);
3056 secp256k1_scalar_set_int(&szero, 0);
3058 /* Try to multiply 1 point, but scratch space is empty.*/
3059 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3060 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3061 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3064 void test_secp256k1_pippenger_bucket_window_inv(void) {
3067 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3068 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3069 /* Bucket_window of 8 is not used with endo */
3073 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3074 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3075 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3081 * Probabilistically test the function returning the maximum number of possible points
3082 * for a given scratch space.
3084 void test_ecmult_multi_pippenger_max_points(void) {
3085 size_t scratch_size = secp256k1_testrand_int(256);
3086 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3087 secp256k1_scratch *scratch;
3088 size_t n_points_supported;
3089 int bucket_window = 0;
3091 for(; scratch_size < max_size; scratch_size+=256) {
3095 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3096 CHECK(scratch != NULL);
3097 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3098 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3099 if (n_points_supported == 0) {
3100 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3103 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3104 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3105 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3106 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3107 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3110 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3111 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3112 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3114 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3117 void test_ecmult_multi_batch_size_helper(void) {
3118 size_t n_batches, n_batch_points, max_n_batch_points, n;
3120 max_n_batch_points = 0;
3122 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3124 max_n_batch_points = 1;
3126 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3127 CHECK(n_batches == 0);
3128 CHECK(n_batch_points == 0);
3130 max_n_batch_points = 2;
3132 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3133 CHECK(n_batches == 3);
3134 CHECK(n_batch_points == 2);
3136 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3137 n = ECMULT_MAX_POINTS_PER_BATCH;
3138 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3139 CHECK(n_batches == 1);
3140 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3142 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3143 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3144 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3145 CHECK(n_batches == 2);
3146 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3148 max_n_batch_points = 1;
3150 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3151 CHECK(n_batches == SIZE_MAX);
3152 CHECK(n_batch_points == 1);
3154 max_n_batch_points = 2;
3156 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3157 CHECK(n_batches == SIZE_MAX/2 + 1);
3158 CHECK(n_batch_points == 2);
3162 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3163 * 1 <= i <= num points.
3165 void test_ecmult_multi_batching(void) {
3166 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3167 secp256k1_scalar scG;
3168 secp256k1_scalar szero;
3169 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3170 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3173 ecmult_multi_data data;
3175 secp256k1_scratch *scratch;
3177 secp256k1_gej_set_infinity(&r2);
3178 secp256k1_scalar_set_int(&szero, 0);
3180 /* Get random scalars and group elements and compute result */
3181 random_scalar_order(&scG);
3182 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3183 for(i = 0; i < n_points; i++) {
3186 random_group_element_test(&ptg);
3187 secp256k1_gej_set_ge(&ptgj, &ptg);
3189 random_scalar_order(&sc[i]);
3190 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3191 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3195 secp256k1_gej_neg(&r2, &r2);
3197 /* Test with empty scratch space. It should compute the correct result using
3198 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3199 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3200 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3201 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3202 CHECK(secp256k1_gej_is_infinity(&r));
3203 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3205 /* Test with space for 1 point in pippenger. That's not enough because
3206 * ecmult_multi selects strauss which requires more memory. It should
3207 * therefore select the simple algorithm. */
3208 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3209 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3210 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3211 CHECK(secp256k1_gej_is_infinity(&r));
3212 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3214 for(i = 1; i <= n_points; i++) {
3215 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3216 int bucket_window = secp256k1_pippenger_bucket_window(i);
3217 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3218 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3220 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3221 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3223 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3224 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3225 CHECK(secp256k1_gej_is_infinity(&r));
3226 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3232 void run_ecmult_multi_tests(void) {
3233 secp256k1_scratch *scratch;
3235 test_secp256k1_pippenger_bucket_window_inv();
3236 test_ecmult_multi_pippenger_max_points();
3237 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3238 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3239 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3240 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3241 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3242 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3243 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3244 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3246 /* Run test_ecmult_multi with space for exactly one point */
3247 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3248 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3249 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3251 test_ecmult_multi_batch_size_helper();
3252 test_ecmult_multi_batching();
3255 void test_wnaf(const secp256k1_scalar *number, int w) {
3256 secp256k1_scalar x, two, t;
3261 secp256k1_scalar_set_int(&x, 0);
3262 secp256k1_scalar_set_int(&two, 2);
3263 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3265 for (i = bits-1; i >= 0; i--) {
3267 secp256k1_scalar_mul(&x, &x, &two);
3269 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3271 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3272 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3273 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3275 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3279 secp256k1_scalar_set_int(&t, v);
3281 secp256k1_scalar_set_int(&t, -v);
3282 secp256k1_scalar_negate(&t, &t);
3284 secp256k1_scalar_add(&x, &x, &t);
3286 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3289 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3290 secp256k1_scalar neg1 = *number;
3291 secp256k1_scalar neg2 = *number;
3295 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3296 secp256k1_scalar_negate(&neg1, &neg1);
3299 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3300 CHECK(sign1 == sign2);
3301 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3304 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3305 secp256k1_scalar x, shift;
3306 int wnaf[256] = {0};
3310 secp256k1_scalar num = *number;
3311 secp256k1_scalar scalar_skew;
3313 secp256k1_scalar_set_int(&x, 0);
3314 secp256k1_scalar_set_int(&shift, 1 << w);
3315 for (i = 0; i < 16; ++i) {
3316 secp256k1_scalar_shr_int(&num, 8);
3319 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3321 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3324 CHECK(v != 0); /* check nonzero */
3325 CHECK(v & 1); /* check parity */
3326 CHECK(v > -(1 << w)); /* check range above */
3327 CHECK(v < (1 << w)); /* check range below */
3329 secp256k1_scalar_mul(&x, &x, &shift);
3331 secp256k1_scalar_set_int(&t, v);
3333 secp256k1_scalar_set_int(&t, -v);
3334 secp256k1_scalar_negate(&t, &t);
3336 secp256k1_scalar_add(&x, &x, &t);
3338 /* Skew num because when encoding numbers as odd we use an offset */
3339 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3340 secp256k1_scalar_add(&num, &num, &scalar_skew);
3341 CHECK(secp256k1_scalar_eq(&x, &num));
3344 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3345 secp256k1_scalar x, shift;
3346 int wnaf[256] = {0};
3349 secp256k1_scalar num = *number;
3351 secp256k1_scalar_set_int(&x, 0);
3352 secp256k1_scalar_set_int(&shift, 1 << w);
3353 for (i = 0; i < 16; ++i) {
3354 secp256k1_scalar_shr_int(&num, 8);
3356 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3358 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3361 CHECK(v == 0 || v & 1); /* check parity */
3362 CHECK(v > -(1 << w)); /* check range above */
3363 CHECK(v < (1 << w)); /* check range below */
3365 secp256k1_scalar_mul(&x, &x, &shift);
3367 secp256k1_scalar_set_int(&t, v);
3369 secp256k1_scalar_set_int(&t, -v);
3370 secp256k1_scalar_negate(&t, &t);
3372 secp256k1_scalar_add(&x, &x, &t);
3374 /* If skew is 1 then add 1 to num */
3375 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3376 CHECK(secp256k1_scalar_eq(&x, &num));
3379 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3381 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3383 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3384 CHECK(wnaf[i] == 0);
3386 for (i = 7; i >= 0; --i) {
3387 CHECK(wnaf[i] == wnaf_expected[i]);
3391 void test_fixed_wnaf_small(void) {
3393 int wnaf[256] = {0};
3396 secp256k1_scalar num;
3398 secp256k1_scalar_set_int(&num, 0);
3399 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3400 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3406 secp256k1_scalar_set_int(&num, 1);
3407 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3408 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3412 CHECK(wnaf[0] == 1);
3416 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3417 secp256k1_scalar_set_int(&num, 0xffffffff);
3418 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3419 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3423 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3424 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3425 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3426 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3430 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3431 secp256k1_scalar_set_int(&num, 0x01010101);
3432 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3433 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3437 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3438 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3439 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3440 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3445 void run_wnaf(void) {
3447 secp256k1_scalar n = {{0}};
3449 test_constant_wnaf(&n, 4);
3450 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3451 * have easier-to-diagnose failure modes */
3453 test_constant_wnaf(&n, 4);
3455 test_constant_wnaf(&n, 4);
3456 /* Test -1, because it's a special case in wnaf_const */
3457 n = secp256k1_scalar_one;
3458 secp256k1_scalar_negate(&n, &n);
3459 test_constant_wnaf(&n, 4);
3461 /* Test -2, which may not lead to overflows in wnaf_const */
3462 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3463 secp256k1_scalar_negate(&n, &n);
3464 test_constant_wnaf(&n, 4);
3466 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3467 as corner cases of negation handling in wnaf_const */
3468 secp256k1_scalar_inverse(&n, &n);
3469 test_constant_wnaf(&n, 4);
3471 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3472 test_constant_wnaf(&n, 4);
3474 /* Test 0 for fixed wnaf */
3475 test_fixed_wnaf_small();
3477 for (i = 0; i < count; i++) {
3478 random_scalar_order(&n);
3479 test_wnaf(&n, 4+(i%10));
3480 test_constant_wnaf_negate(&n);
3481 test_constant_wnaf(&n, 4 + (i % 10));
3482 test_fixed_wnaf(&n, 4 + (i % 10));
3484 secp256k1_scalar_set_int(&n, 0);
3485 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3486 CHECK(secp256k1_scalar_is_zero(&n));
3487 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3488 CHECK(secp256k1_scalar_is_zero(&n));
3491 void test_ecmult_constants(void) {
3492 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3498 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3499 for (i = 0; i < 36; i++ ) {
3500 secp256k1_scalar_set_int(&x, i);
3501 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3502 for (j = 0; j < i; j++) {
3504 ge_equals_gej(&secp256k1_ge_const_g, &r);
3506 secp256k1_gej_add_ge(&r, &r, &ng);
3508 CHECK(secp256k1_gej_is_infinity(&r));
3510 for (i = 1; i <= 36; i++ ) {
3511 secp256k1_scalar_set_int(&x, i);
3512 secp256k1_scalar_negate(&x, &x);
3513 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3514 for (j = 0; j < i; j++) {
3516 ge_equals_gej(&ng, &r);
3518 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3520 CHECK(secp256k1_gej_is_infinity(&r));
3524 void run_ecmult_constants(void) {
3525 test_ecmult_constants();
3528 void test_ecmult_gen_blind(void) {
3529 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3530 secp256k1_scalar key;
3532 unsigned char seed32[32];
3534 secp256k1_gej pgej2;
3537 random_scalar_order_test(&key);
3538 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3539 secp256k1_testrand256(seed32);
3540 b = ctx->ecmult_gen_ctx.blind;
3541 i = ctx->ecmult_gen_ctx.initial;
3542 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3543 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3544 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3545 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3546 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3547 secp256k1_ge_set_gej(&pge, &pgej);
3548 ge_equals_gej(&pge, &pgej2);
3551 void test_ecmult_gen_blind_reset(void) {
3552 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3554 secp256k1_gej initial;
3555 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3556 b = ctx->ecmult_gen_ctx.blind;
3557 initial = ctx->ecmult_gen_ctx.initial;
3558 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3559 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3560 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3563 void run_ecmult_gen_blind(void) {
3565 test_ecmult_gen_blind_reset();
3566 for (i = 0; i < 10; i++) {
3567 test_ecmult_gen_blind();
3571 /***** ENDOMORPHISH TESTS *****/
3572 void test_scalar_split(const secp256k1_scalar* full) {
3573 secp256k1_scalar s, s1, slam;
3574 const unsigned char zero[32] = {0};
3575 unsigned char tmp[32];
3577 secp256k1_scalar_split_lambda(&s1, &slam, full);
3579 /* check slam*lambda + s1 == full */
3580 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3581 secp256k1_scalar_add(&s, &s, &s1);
3582 CHECK(secp256k1_scalar_eq(&s, full));
3584 /* check that both are <= 128 bits in size */
3585 if (secp256k1_scalar_is_high(&s1)) {
3586 secp256k1_scalar_negate(&s1, &s1);
3588 if (secp256k1_scalar_is_high(&slam)) {
3589 secp256k1_scalar_negate(&slam, &slam);
3592 secp256k1_scalar_get_b32(tmp, &s1);
3593 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3594 secp256k1_scalar_get_b32(tmp, &slam);
3595 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3599 void run_endomorphism_tests(void) {
3601 static secp256k1_scalar s;
3602 test_scalar_split(&secp256k1_scalar_zero);
3603 test_scalar_split(&secp256k1_scalar_one);
3604 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3605 test_scalar_split(&s);
3606 test_scalar_split(&secp256k1_const_lambda);
3607 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3608 test_scalar_split(&s);
3610 for (i = 0; i < 100U * count; ++i) {
3611 secp256k1_scalar full;
3612 random_scalar_order_test(&full);
3613 test_scalar_split(&full);
3615 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3616 test_scalar_split(&scalars_near_split_bounds[i]);
3620 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3621 unsigned char pubkeyc[65];
3622 secp256k1_pubkey pubkey;
3627 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3628 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3629 /* Smaller sizes are tested exhaustively elsewhere. */
3631 memcpy(&pubkeyc[1], input, 64);
3632 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3633 for (i = 0; i < 256; i++) {
3634 /* Try all type bytes. */
3639 /* What sign does this point have? */
3640 ysign = (input[63] & 1) + 2;
3641 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3642 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3643 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3644 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3645 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3646 if (xpass || ypass) {
3647 /* These cases must parse. */
3648 unsigned char pubkeyo[65];
3650 memset(&pubkey, 0, sizeof(pubkey));
3651 VG_UNDEF(&pubkey, sizeof(pubkey));
3653 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3654 VG_CHECK(&pubkey, sizeof(pubkey));
3656 VG_UNDEF(pubkeyo, 65);
3657 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3658 VG_CHECK(pubkeyo, outl);
3660 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3661 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3663 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3664 CHECK(pubkeyo[0] == ysign);
3665 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3666 memset(&pubkey, 0, sizeof(pubkey));
3667 VG_UNDEF(&pubkey, sizeof(pubkey));
3668 secp256k1_pubkey_save(&pubkey, &ge);
3669 VG_CHECK(&pubkey, sizeof(pubkey));
3671 VG_UNDEF(pubkeyo, 65);
3672 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3673 VG_CHECK(pubkeyo, outl);
3675 CHECK(pubkeyo[0] == 4);
3676 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3680 /* These cases must fail to parse. */
3681 memset(&pubkey, 0xfe, sizeof(pubkey));
3683 VG_UNDEF(&pubkey, sizeof(pubkey));
3684 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3685 VG_CHECK(&pubkey, sizeof(pubkey));
3687 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3692 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3695 void run_ec_pubkey_parse_test(void) {
3696 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3697 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3699 /* Point with leading and trailing zeros in x and y serialization. */
3700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3702 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3703 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3706 /* Point with x equal to a 3rd root of unity.*/
3707 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3708 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3709 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3710 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3713 /* Point with largest x. (1/2) */
3714 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3715 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3716 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3717 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3720 /* Point with largest x. (2/2) */
3721 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3722 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3723 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3724 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3727 /* Point with smallest x. (1/2) */
3728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3730 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3731 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3734 /* Point with smallest x. (2/2) */
3735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3737 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3738 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3741 /* Point with largest y. (1/3) */
3742 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3743 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3744 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3745 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3748 /* Point with largest y. (2/3) */
3749 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3750 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3751 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3752 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3755 /* Point with largest y. (3/3) */
3756 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3757 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3758 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3759 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3762 /* Point with smallest y. (1/3) */
3763 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3764 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3769 /* Point with smallest y. (2/3) */
3770 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3771 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3776 /* Point with smallest y. (3/3) */
3777 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3778 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3783 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3784 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3786 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3787 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3788 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3789 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3790 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3793 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3794 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3795 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3796 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3797 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3800 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3801 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3802 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3803 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3804 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3807 /* x on curve, y is from y^2 = x^3 + 8. */
3808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3814 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3815 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3817 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3818 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3819 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3824 /* Valid if x overflow ignored (x = 1 mod p). */
3825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3826 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3827 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3828 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3831 /* Valid if x overflow ignored (x = 1 mod p). */
3832 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3833 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3834 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3835 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3838 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3840 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3841 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3842 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3845 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3846 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3847 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3848 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3849 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3852 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3854 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3855 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3856 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3859 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3862 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3863 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3866 const unsigned char pubkeyc[66] = {
3867 /* Serialization of G. */
3868 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3869 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3870 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3871 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3874 unsigned char sout[65];
3875 unsigned char shortkey[2];
3877 secp256k1_pubkey pubkey;
3883 /* Nothing should be reading this far into pubkeyc. */
3884 VG_UNDEF(&pubkeyc[65], 1);
3885 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3886 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3887 memset(&pubkey, 0xfe, sizeof(pubkey));
3889 VG_UNDEF(shortkey, 2);
3890 VG_UNDEF(&pubkey, sizeof(pubkey));
3891 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3892 VG_CHECK(&pubkey, sizeof(pubkey));
3894 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3896 /* Length one claimed, fail, zeroize, no illegal arg error. */
3897 for (i = 0; i < 256 ; i++) {
3898 memset(&pubkey, 0xfe, sizeof(pubkey));
3901 VG_UNDEF(&shortkey[1], 1);
3902 VG_UNDEF(&pubkey, sizeof(pubkey));
3903 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3904 VG_CHECK(&pubkey, sizeof(pubkey));
3906 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3909 /* Length two claimed, fail, zeroize, no illegal arg error. */
3910 for (i = 0; i < 65536 ; i++) {
3911 memset(&pubkey, 0xfe, sizeof(pubkey));
3913 shortkey[0] = i & 255;
3914 shortkey[1] = i >> 8;
3915 VG_UNDEF(&pubkey, sizeof(pubkey));
3916 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3917 VG_CHECK(&pubkey, sizeof(pubkey));
3919 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3922 memset(&pubkey, 0xfe, sizeof(pubkey));
3924 VG_UNDEF(&pubkey, sizeof(pubkey));
3925 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3926 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3927 VG_CHECK(&pubkey, sizeof(pubkey));
3929 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3931 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3932 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3934 /* NULL input string. Illegal arg and zeroize output. */
3935 memset(&pubkey, 0xfe, sizeof(pubkey));
3937 VG_UNDEF(&pubkey, sizeof(pubkey));
3938 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3939 VG_CHECK(&pubkey, sizeof(pubkey));
3941 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3943 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3944 memset(&pubkey, 0xfe, sizeof(pubkey));
3946 VG_UNDEF(&pubkey, sizeof(pubkey));
3947 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3948 VG_CHECK(&pubkey, sizeof(pubkey));
3950 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3952 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3953 memset(&pubkey, 0xfe, sizeof(pubkey));
3955 VG_UNDEF(&pubkey, sizeof(pubkey));
3956 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3957 VG_CHECK(&pubkey, sizeof(pubkey));
3959 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3962 memset(&pubkey, 0, sizeof(pubkey));
3964 VG_UNDEF(&pubkey, sizeof(pubkey));
3965 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3966 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3967 VG_CHECK(&pubkey, sizeof(pubkey));
3969 VG_UNDEF(&ge, sizeof(ge));
3970 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3971 VG_CHECK(&ge.x, sizeof(ge.x));
3972 VG_CHECK(&ge.y, sizeof(ge.y));
3973 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3974 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3976 /* secp256k1_ec_pubkey_serialize illegal args. */
3979 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3982 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3986 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3991 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3996 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4000 /* Multiple illegal args. Should still set arg error only once. */
4003 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4005 /* Does the illegal arg callback actually change the behavior? */
4006 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4007 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4009 CHECK(ecount2 == 10);
4010 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4011 /* Try a bunch of prefabbed points with all possible encodings. */
4012 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4013 ec_pubkey_parse_pointtest(valid[i], 1, 1);
4015 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4016 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4018 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4019 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4023 void run_eckey_edge_case_test(void) {
4024 const unsigned char orderc[32] = {
4025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4026 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4027 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4028 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4030 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4031 unsigned char ctmp[33];
4032 unsigned char ctmp2[33];
4033 secp256k1_pubkey pubkey;
4034 secp256k1_pubkey pubkey2;
4035 secp256k1_pubkey pubkey_one;
4036 secp256k1_pubkey pubkey_negone;
4037 const secp256k1_pubkey *pubkeys[3];
4040 /* Group order is too large, reject. */
4041 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4042 VG_UNDEF(&pubkey, sizeof(pubkey));
4043 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4044 VG_CHECK(&pubkey, sizeof(pubkey));
4045 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4046 /* Maximum value is too large, reject. */
4047 memset(ctmp, 255, 32);
4048 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4049 memset(&pubkey, 1, sizeof(pubkey));
4050 VG_UNDEF(&pubkey, sizeof(pubkey));
4051 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4052 VG_CHECK(&pubkey, sizeof(pubkey));
4053 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4054 /* Zero is too small, reject. */
4055 memset(ctmp, 0, 32);
4056 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4057 memset(&pubkey, 1, sizeof(pubkey));
4058 VG_UNDEF(&pubkey, sizeof(pubkey));
4059 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4060 VG_CHECK(&pubkey, sizeof(pubkey));
4061 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4062 /* One must be accepted. */
4064 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4065 memset(&pubkey, 0, sizeof(pubkey));
4066 VG_UNDEF(&pubkey, sizeof(pubkey));
4067 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4068 VG_CHECK(&pubkey, sizeof(pubkey));
4069 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4070 pubkey_one = pubkey;
4071 /* Group order + 1 is too large, reject. */
4072 memcpy(ctmp, orderc, 32);
4074 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4075 memset(&pubkey, 1, sizeof(pubkey));
4076 VG_UNDEF(&pubkey, sizeof(pubkey));
4077 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4078 VG_CHECK(&pubkey, sizeof(pubkey));
4079 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4080 /* -1 must be accepted. */
4082 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4083 memset(&pubkey, 0, sizeof(pubkey));
4084 VG_UNDEF(&pubkey, sizeof(pubkey));
4085 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4086 VG_CHECK(&pubkey, sizeof(pubkey));
4087 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4088 pubkey_negone = pubkey;
4089 /* Tweak of zero leaves the value unchanged. */
4090 memset(ctmp2, 0, 32);
4091 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4092 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4093 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4094 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4095 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4096 /* Multiply tweak of zero zeroizes the output. */
4097 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4098 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4099 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4100 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4101 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4102 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4103 seckey, the seckey is zeroized. */
4104 memcpy(ctmp, orderc, 32);
4105 memset(ctmp2, 0, 32);
4107 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4108 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4109 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4110 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4111 memcpy(ctmp, orderc, 32);
4112 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4113 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4114 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4115 tweak, the seckey is zeroized. */
4116 memcpy(ctmp, orderc, 32);
4118 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4119 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4120 memcpy(ctmp, orderc, 32);
4122 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4123 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4124 memcpy(ctmp, orderc, 32);
4126 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4127 tweak, the pubkey is zeroized. */
4128 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4129 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4130 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4131 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4132 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4133 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4134 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4135 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4136 * case the pubkey is zeroized. */
4137 memcpy(ctmp, orderc, 32);
4139 memset(ctmp2, 0, 32);
4141 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4142 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4144 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4145 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4146 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4147 /* Tweak computation wraps and results in a key of 1. */
4149 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4150 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4152 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4154 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4155 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4156 /* Tweak mul * 2 = 1+1. */
4157 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4159 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4160 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4161 /* Test argument errors. */
4163 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4165 /* Zeroize pubkey on parse error. */
4166 memset(&pubkey, 0, 32);
4167 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4169 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4170 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4171 memset(&pubkey2, 0, 32);
4172 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4174 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4175 /* Plain argument errors. */
4177 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4179 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4182 memset(ctmp2, 0, 32);
4184 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4186 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4189 memset(ctmp2, 0, 32);
4191 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4193 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4196 memset(ctmp2, 0, 32);
4197 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4199 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4202 memset(ctmp2, 0, 32);
4204 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4206 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4209 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4211 memset(&pubkey, 1, sizeof(pubkey));
4212 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4214 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4215 /* secp256k1_ec_pubkey_combine tests. */
4217 pubkeys[0] = &pubkey_one;
4218 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4219 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4220 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4221 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4222 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4223 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4224 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4225 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4227 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4228 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4230 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4231 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4232 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4233 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4234 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4236 pubkeys[0] = &pubkey_negone;
4237 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4238 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4239 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4240 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4241 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4244 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4245 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4246 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4247 /* Result is infinity. */
4248 pubkeys[0] = &pubkey_one;
4249 pubkeys[1] = &pubkey_negone;
4250 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4251 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4252 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4253 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4254 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4256 /* Passes through infinity but comes out one. */
4257 pubkeys[2] = &pubkey_one;
4258 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4259 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4260 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4261 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4262 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4265 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4266 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4267 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4269 pubkeys[1] = &pubkey_one;
4270 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4271 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4272 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4273 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4274 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4276 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4279 void run_eckey_negate_test(void) {
4280 unsigned char seckey[32];
4281 unsigned char seckey_tmp[32];
4283 random_scalar_order_b32(seckey);
4284 memcpy(seckey_tmp, seckey, 32);
4286 /* Verify negation changes the key and changes it back */
4287 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4288 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4289 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4290 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4292 /* Check that privkey alias gives same result */
4293 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4294 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4295 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4297 /* Negating all 0s fails */
4298 memset(seckey, 0, 32);
4299 memset(seckey_tmp, 0, 32);
4300 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4301 /* Check that seckey is not modified */
4302 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4304 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4305 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4306 * doesn't just set seckey to a constant value in case of failure. */
4307 random_scalar_order_b32(seckey);
4308 memset(seckey, 0xFF, 16);
4309 memset(seckey_tmp, 0, 32);
4310 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4311 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4314 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4315 secp256k1_scalar nonce;
4317 random_scalar_order_test(&nonce);
4318 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4321 void test_ecdsa_sign_verify(void) {
4324 secp256k1_scalar one;
4325 secp256k1_scalar msg, key;
4326 secp256k1_scalar sigr, sigs;
4329 random_scalar_order_test(&msg);
4330 random_scalar_order_test(&key);
4331 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4332 secp256k1_ge_set_gej(&pub, &pubj);
4333 getrec = secp256k1_testrand_bits(1);
4334 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4336 CHECK(recid >= 0 && recid < 4);
4338 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4339 secp256k1_scalar_set_int(&one, 1);
4340 secp256k1_scalar_add(&msg, &msg, &one);
4341 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4344 void run_ecdsa_sign_verify(void) {
4346 for (i = 0; i < 10*count; i++) {
4347 test_ecdsa_sign_verify();
4351 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4352 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4356 memcpy(nonce32, data, 32);
4357 return (counter == 0);
4360 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4361 /* Dummy nonce generator that has a fatal error on the first counter value. */
4365 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4368 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4369 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4371 memset(nonce32, counter==0 ? 0 : 255, 32);
4378 static const unsigned char order[] = {
4379 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4380 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4381 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4382 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4384 memcpy(nonce32, order, 32);
4390 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4391 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4395 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4398 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4399 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4400 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4403 void test_ecdsa_end_to_end(void) {
4404 unsigned char extra[32] = {0x00};
4405 unsigned char privkey[32];
4406 unsigned char message[32];
4407 unsigned char privkey2[32];
4408 secp256k1_ecdsa_signature signature[6];
4409 secp256k1_scalar r, s;
4410 unsigned char sig[74];
4412 unsigned char pubkeyc[65];
4413 size_t pubkeyclen = 65;
4414 secp256k1_pubkey pubkey;
4415 secp256k1_pubkey pubkey_tmp;
4416 unsigned char seckey[300];
4417 size_t seckeylen = 300;
4419 /* Generate a random key and message. */
4421 secp256k1_scalar msg, key;
4422 random_scalar_order_test(&msg);
4423 random_scalar_order_test(&key);
4424 secp256k1_scalar_get_b32(privkey, &key);
4425 secp256k1_scalar_get_b32(message, &msg);
4428 /* Construct and verify corresponding public key. */
4429 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4430 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4432 /* Verify exporting and importing public key. */
4433 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4434 memset(&pubkey, 0, sizeof(pubkey));
4435 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4437 /* Verify negation changes the key and changes it back */
4438 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4439 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4440 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4441 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4442 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4444 /* Verify private key import and export. */
4445 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4446 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4447 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4449 /* Optionally tweak the keys using addition. */
4450 if (secp256k1_testrand_int(3) == 0) {
4454 unsigned char rnd[32];
4455 unsigned char privkey_tmp[32];
4456 secp256k1_pubkey pubkey2;
4457 secp256k1_testrand256_test(rnd);
4458 memcpy(privkey_tmp, privkey, 32);
4459 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4460 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4461 /* Check that privkey alias gives same result */
4462 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4463 CHECK(ret1 == ret2);
4464 CHECK(ret2 == ret3);
4468 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4469 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4470 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4473 /* Optionally tweak the keys using multiplication. */
4474 if (secp256k1_testrand_int(3) == 0) {
4478 unsigned char rnd[32];
4479 unsigned char privkey_tmp[32];
4480 secp256k1_pubkey pubkey2;
4481 secp256k1_testrand256_test(rnd);
4482 memcpy(privkey_tmp, privkey, 32);
4483 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4484 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4485 /* Check that privkey alias gives same result */
4486 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4487 CHECK(ret1 == ret2);
4488 CHECK(ret2 == ret3);
4492 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4493 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4494 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4498 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4499 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4500 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4502 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4505 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4506 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4507 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4508 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4509 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4510 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4511 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4512 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4514 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4515 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4516 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4517 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4518 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4519 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4520 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4521 secp256k1_scalar_negate(&s, &s);
4522 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4523 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4524 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4525 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4526 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4527 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4528 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4529 secp256k1_scalar_negate(&s, &s);
4530 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4531 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4532 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4533 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4535 /* Serialize/parse DER and verify again */
4536 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4537 memset(&signature[0], 0, sizeof(signature[0]));
4538 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4539 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4540 /* Serialize/destroy/parse DER and verify again. */
4542 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4543 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4544 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4545 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4548 void test_random_pubkeys(void) {
4551 unsigned char in[65];
4552 /* Generate some randomly sized pubkeys. */
4553 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4554 if (secp256k1_testrand_bits(2) == 0) {
4555 len = secp256k1_testrand_bits(6);
4558 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4560 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4562 if (secp256k1_testrand_bits(3) == 0) {
4563 in[0] = secp256k1_testrand_bits(8);
4566 secp256k1_testrand256(&in[1]);
4569 secp256k1_testrand256(&in[33]);
4571 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4572 unsigned char out[65];
4573 unsigned char firstb;
4577 /* If the pubkey can be parsed, it should round-trip... */
4578 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4580 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4581 /* ... except for the type of hybrid inputs. */
4582 if ((in[0] != 6) && (in[0] != 7)) {
4583 CHECK(in[0] == out[0]);
4586 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4588 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4589 ge_equals_ge(&elem,&elem2);
4590 /* Check that the X9.62 hybrid type is checked. */
4591 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4592 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4593 if (firstb == 2 || firstb == 3) {
4594 if (in[0] == firstb + 4) {
4601 ge_equals_ge(&elem,&elem2);
4602 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4603 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4608 void run_random_pubkeys(void) {
4610 for (i = 0; i < 10*count; i++) {
4611 test_random_pubkeys();
4615 void run_ecdsa_end_to_end(void) {
4617 for (i = 0; i < 64*count; i++) {
4618 test_ecdsa_end_to_end();
4622 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4623 static const unsigned char zeroes[32] = {0};
4624 #ifdef ENABLE_OPENSSL_TESTS
4625 static const unsigned char max_scalar[32] = {
4626 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4627 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4628 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4629 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4635 secp256k1_ecdsa_signature sig_der;
4636 unsigned char roundtrip_der[2048];
4637 unsigned char compact_der[64];
4638 size_t len_der = 2048;
4639 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4641 secp256k1_ecdsa_signature sig_der_lax;
4642 unsigned char roundtrip_der_lax[2048];
4643 unsigned char compact_der_lax[64];
4644 size_t len_der_lax = 2048;
4645 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4647 #ifdef ENABLE_OPENSSL_TESTS
4648 ECDSA_SIG *sig_openssl;
4649 const BIGNUM *r = NULL, *s = NULL;
4650 const unsigned char *sigptr;
4651 unsigned char roundtrip_openssl[2048];
4652 int len_openssl = 2048;
4653 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4656 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4658 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4659 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4662 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4663 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4666 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4667 if (parsed_der_lax) {
4668 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4669 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4671 if (valid_der_lax) {
4672 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4673 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4676 if (certainly_der) {
4677 ret |= (!parsed_der) << 2;
4679 if (certainly_not_der) {
4680 ret |= (parsed_der) << 17;
4683 ret |= (!roundtrips_der) << 3;
4687 ret |= (!roundtrips_der_lax) << 12;
4688 ret |= (len_der != len_der_lax) << 13;
4689 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4691 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4693 ret |= (!parsed_der_lax) << 16;
4696 #ifdef ENABLE_OPENSSL_TESTS
4697 sig_openssl = ECDSA_SIG_new();
4699 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4700 if (parsed_openssl) {
4701 ECDSA_SIG_get0(sig_openssl, &r, &s);
4702 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4703 if (valid_openssl) {
4704 unsigned char tmp[32] = {0};
4705 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4706 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4708 if (valid_openssl) {
4709 unsigned char tmp[32] = {0};
4710 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4711 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4714 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4715 if (len_openssl <= 2048) {
4716 unsigned char *ptr = roundtrip_openssl;
4717 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4718 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
4722 ECDSA_SIG_free(sig_openssl);
4724 ret |= (parsed_der && !parsed_openssl) << 4;
4725 ret |= (valid_der && !valid_openssl) << 5;
4726 ret |= (roundtrips_openssl && !parsed_der) << 6;
4727 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4728 if (roundtrips_openssl) {
4729 ret |= (len_der != (size_t)len_openssl) << 8;
4730 ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4736 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4738 for (i = 0; i < ptrlen; i++) {
4739 int shift = ptrlen - 1 - i;
4743 ptr[i] = (val >> shift) & 0xFF;
4748 static void damage_array(unsigned char *sig, size_t *len) {
4750 int action = secp256k1_testrand_bits(3);
4751 if (action < 1 && *len > 3) {
4752 /* Delete a byte. */
4753 pos = secp256k1_testrand_int(*len);
4754 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4757 } else if (action < 2 && *len < 2048) {
4758 /* Insert a byte. */
4759 pos = secp256k1_testrand_int(1 + *len);
4760 memmove(sig + pos + 1, sig + pos, *len - pos);
4761 sig[pos] = secp256k1_testrand_bits(8);
4764 } else if (action < 4) {
4765 /* Modify a byte. */
4766 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4768 } else { /* action < 8 */
4770 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
4775 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4777 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4778 size_t tlen, elen, glen;
4783 der = secp256k1_testrand_bits(2) == 0;
4784 *certainly_der = der;
4785 *certainly_not_der = 0;
4786 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
4788 for (n = 0; n < 2; n++) {
4789 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4790 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
4791 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4792 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
4793 CHECK(nlen[n] <= 232);
4794 /* The top bit of the number. */
4795 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
4796 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4797 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
4798 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4799 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
4800 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4801 *certainly_not_der = 1;
4803 CHECK(nlen[n] + nzlen[n] <= 300);
4804 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4805 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4807 /* nlenlen[n] max 127 bytes */
4808 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4811 *certainly_not_der = 1;
4814 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4817 /* The total length of the data to go, so far */
4818 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4821 /* The length of the garbage inside the tuple. */
4822 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
4824 *certainly_not_der = 1;
4829 /* The length of the garbage after the end of the tuple. */
4830 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
4832 *certainly_not_der = 1;
4834 CHECK(tlen + glen <= 990);
4836 /* Write the tuple header. */
4837 sig[(*len)++] = 0x30;
4839 /* Indeterminate length */
4840 sig[(*len)++] = 0x80;
4841 *certainly_not_der = 1;
4843 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4845 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4848 *certainly_not_der = 1;
4852 /* Short length notation */
4853 sig[(*len)++] = tlen;
4855 /* Long length notation */
4856 sig[(*len)++] = 128 + tlenlen;
4857 assign_big_endian(sig + *len, tlenlen, tlen);
4863 CHECK(tlen + glen <= 1119);
4865 for (n = 0; n < 2; n++) {
4866 /* Write the integer header. */
4867 sig[(*len)++] = 0x02;
4868 if (nlenlen[n] == 0) {
4869 /* Short length notation */
4870 sig[(*len)++] = nlen[n] + nzlen[n];
4872 /* Long length notation. */
4873 sig[(*len)++] = 128 + nlenlen[n];
4874 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4877 /* Write zero padding */
4878 while (nzlen[n] > 0) {
4879 sig[(*len)++] = 0x00;
4882 if (nlen[n] == 32 && !nlow[n]) {
4883 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4885 for (i = 0; i < 16; i++) {
4886 sig[(*len)++] = 0xFF;
4890 /* Write first byte of number */
4892 sig[(*len)++] = nhbyte[n];
4895 /* Generate remaining random bytes of number */
4896 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
4901 /* Generate random garbage inside tuple. */
4902 secp256k1_testrand_bytes_test(sig + *len, elen);
4905 /* Generate end-of-contents bytes. */
4911 CHECK(tlen + glen <= 1121);
4913 /* Generate random garbage outside tuple. */
4914 secp256k1_testrand_bytes_test(sig + *len, glen);
4917 CHECK(tlen <= 1121);
4918 CHECK(tlen == *len);
4921 void run_ecdsa_der_parse(void) {
4923 for (i = 0; i < 200 * count; i++) {
4924 unsigned char buffer[2048];
4926 int certainly_der = 0;
4927 int certainly_not_der = 0;
4928 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4929 CHECK(buflen <= 2048);
4930 for (j = 0; j < 16; j++) {
4933 damage_array(buffer, &buflen);
4934 /* We don't know anything anymore about the DERness of the result */
4936 certainly_not_der = 0;
4938 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4941 fprintf(stderr, "Failure %x on ", ret);
4942 for (k = 0; k < buflen; k++) {
4943 fprintf(stderr, "%02x ", buffer[k]);
4945 fprintf(stderr, "\n");
4952 /* Tests several edge cases. */
4953 void test_ecdsa_edge_cases(void) {
4955 secp256k1_ecdsa_signature sig;
4957 /* Test the case where ECDSA recomputes a point that is infinity. */
4961 secp256k1_scalar msg;
4962 secp256k1_scalar sr, ss;
4963 secp256k1_scalar_set_int(&ss, 1);
4964 secp256k1_scalar_negate(&ss, &ss);
4965 secp256k1_scalar_inverse(&ss, &ss);
4966 secp256k1_scalar_set_int(&sr, 1);
4967 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4968 secp256k1_ge_set_gej(&key, &keyj);
4970 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4973 /* Verify signature with r of zero fails. */
4975 const unsigned char pubkey_mods_zero[33] = {
4976 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4977 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4978 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4979 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4983 secp256k1_scalar msg;
4984 secp256k1_scalar sr, ss;
4985 secp256k1_scalar_set_int(&ss, 1);
4986 secp256k1_scalar_set_int(&msg, 0);
4987 secp256k1_scalar_set_int(&sr, 0);
4988 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4989 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4992 /* Verify signature with s of zero fails. */
4994 const unsigned char pubkey[33] = {
4995 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4997 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4998 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5002 secp256k1_scalar msg;
5003 secp256k1_scalar sr, ss;
5004 secp256k1_scalar_set_int(&ss, 0);
5005 secp256k1_scalar_set_int(&msg, 0);
5006 secp256k1_scalar_set_int(&sr, 1);
5007 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5008 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5011 /* Verify signature with message 0 passes. */
5013 const unsigned char pubkey[33] = {
5014 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5020 const unsigned char pubkey2[33] = {
5021 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5022 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5023 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5024 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5029 secp256k1_scalar msg;
5030 secp256k1_scalar sr, ss;
5031 secp256k1_scalar_set_int(&ss, 2);
5032 secp256k1_scalar_set_int(&msg, 0);
5033 secp256k1_scalar_set_int(&sr, 2);
5034 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5035 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5036 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5037 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5038 secp256k1_scalar_negate(&ss, &ss);
5039 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5040 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5041 secp256k1_scalar_set_int(&ss, 1);
5042 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5043 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5046 /* Verify signature with message 1 passes. */
5048 const unsigned char pubkey[33] = {
5049 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5050 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5051 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5052 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5055 const unsigned char pubkey2[33] = {
5056 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5057 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5058 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5059 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5062 const unsigned char csr[32] = {
5063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5064 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5065 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5066 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5070 secp256k1_scalar msg;
5071 secp256k1_scalar sr, ss;
5072 secp256k1_scalar_set_int(&ss, 1);
5073 secp256k1_scalar_set_int(&msg, 1);
5074 secp256k1_scalar_set_b32(&sr, csr, NULL);
5075 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5076 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5077 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5078 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5079 secp256k1_scalar_negate(&ss, &ss);
5080 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5081 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5082 secp256k1_scalar_set_int(&ss, 2);
5083 secp256k1_scalar_inverse_var(&ss, &ss);
5084 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5085 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5088 /* Verify signature with message -1 passes. */
5090 const unsigned char pubkey[33] = {
5091 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5092 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5093 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5094 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5097 const unsigned char csr[32] = {
5098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5100 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5101 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5104 secp256k1_scalar msg;
5105 secp256k1_scalar sr, ss;
5106 secp256k1_scalar_set_int(&ss, 1);
5107 secp256k1_scalar_set_int(&msg, 1);
5108 secp256k1_scalar_negate(&msg, &msg);
5109 secp256k1_scalar_set_b32(&sr, csr, NULL);
5110 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5111 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5112 secp256k1_scalar_negate(&ss, &ss);
5113 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5114 secp256k1_scalar_set_int(&ss, 3);
5115 secp256k1_scalar_inverse_var(&ss, &ss);
5116 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5119 /* Signature where s would be zero. */
5121 secp256k1_pubkey pubkey;
5124 unsigned char signature[72];
5125 static const unsigned char nonce[32] = {
5126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5129 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5131 static const unsigned char nonce2[32] = {
5132 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5133 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5134 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5135 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5137 const unsigned char key[32] = {
5138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5143 unsigned char msg[32] = {
5144 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5145 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5146 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5147 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5150 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5151 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5152 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5154 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5156 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5158 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5160 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5162 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5163 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5164 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5166 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5168 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5170 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5172 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5174 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5175 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5178 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5180 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5181 CHECK(ecount == 10);
5182 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5183 CHECK(ecount == 11);
5184 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5185 CHECK(ecount == 11);
5186 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5187 CHECK(ecount == 12);
5188 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5189 CHECK(ecount == 13);
5190 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5191 CHECK(ecount == 13);
5193 /* Too little room for a signature does not fail via ARGCHECK. */
5194 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5195 CHECK(ecount == 13);
5197 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5199 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5201 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5203 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5205 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5207 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5209 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5211 memset(signature, 255, 64);
5212 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5214 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5217 /* Nonce function corner cases. */
5218 for (t = 0; t < 2; t++) {
5219 static const unsigned char zero[32] = {0x00};
5221 unsigned char key[32];
5222 unsigned char msg[32];
5223 secp256k1_ecdsa_signature sig2;
5224 secp256k1_scalar sr[512], ss;
5225 const unsigned char *extra;
5226 extra = t == 0 ? NULL : zero;
5229 /* High key results in signature failure. */
5230 memset(key, 0xFF, 32);
5231 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5232 CHECK(is_empty_signature(&sig));
5233 /* Zero key results in signature failure. */
5235 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5236 CHECK(is_empty_signature(&sig));
5237 /* Nonce function failure results in signature failure. */
5239 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5240 CHECK(is_empty_signature(&sig));
5241 /* The retry loop successfully makes its way to the first good value. */
5242 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5243 CHECK(!is_empty_signature(&sig));
5244 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5245 CHECK(!is_empty_signature(&sig2));
5246 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5247 /* The default nonce function is deterministic. */
5248 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5249 CHECK(!is_empty_signature(&sig2));
5250 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5251 /* The default nonce function changes output with different messages. */
5252 for(i = 0; i < 256; i++) {
5255 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5256 CHECK(!is_empty_signature(&sig2));
5257 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5258 for (j = 0; j < i; j++) {
5259 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5264 /* The default nonce function changes output with different keys. */
5265 for(i = 256; i < 512; i++) {
5268 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5269 CHECK(!is_empty_signature(&sig2));
5270 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5271 for (j = 0; j < i; j++) {
5272 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5279 /* Check that optional nonce arguments do not have equivalent effect. */
5280 const unsigned char zeros[32] = {0};
5281 unsigned char nonce[32];
5282 unsigned char nonce2[32];
5283 unsigned char nonce3[32];
5284 unsigned char nonce4[32];
5286 VG_UNDEF(nonce2,32);
5287 VG_UNDEF(nonce3,32);
5288 VG_UNDEF(nonce4,32);
5289 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5291 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5292 VG_CHECK(nonce2,32);
5293 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5294 VG_CHECK(nonce3,32);
5295 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5296 VG_CHECK(nonce4,32);
5297 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5298 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5299 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5300 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5301 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5302 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5306 /* Privkey export where pubkey is the point at infinity. */
5308 unsigned char privkey[300];
5309 unsigned char seckey[32] = {
5310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5312 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5313 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5315 size_t outlen = 300;
5316 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5318 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5322 void run_ecdsa_edge_cases(void) {
5323 test_ecdsa_edge_cases();
5326 #ifdef ENABLE_OPENSSL_TESTS
5327 EC_KEY *get_openssl_key(const unsigned char *key32) {
5328 unsigned char privkey[300];
5330 const unsigned char* pbegin = privkey;
5331 int compr = secp256k1_testrand_bits(1);
5332 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5333 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5334 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5335 CHECK(EC_KEY_check_key(ec_key));
5339 void test_ecdsa_openssl(void) {
5342 secp256k1_scalar sigr, sigs;
5343 secp256k1_scalar one;
5344 secp256k1_scalar msg2;
5345 secp256k1_scalar key, msg;
5347 unsigned int sigsize = 80;
5348 size_t secp_sigsize = 80;
5349 unsigned char message[32];
5350 unsigned char signature[80];
5351 unsigned char key32[32];
5352 secp256k1_testrand256_test(message);
5353 secp256k1_scalar_set_b32(&msg, message, NULL);
5354 random_scalar_order_test(&key);
5355 secp256k1_scalar_get_b32(key32, &key);
5356 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5357 secp256k1_ge_set_gej(&q, &qj);
5358 ec_key = get_openssl_key(key32);
5359 CHECK(ec_key != NULL);
5360 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5361 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5362 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5363 secp256k1_scalar_set_int(&one, 1);
5364 secp256k1_scalar_add(&msg2, &msg, &one);
5365 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5367 random_sign(&sigr, &sigs, &key, &msg, NULL);
5368 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5369 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5371 EC_KEY_free(ec_key);
5374 void run_ecdsa_openssl(void) {
5376 for (i = 0; i < 10*count; i++) {
5377 test_ecdsa_openssl();
5382 #ifdef ENABLE_MODULE_ECDH
5383 # include "modules/ecdh/tests_impl.h"
5386 #ifdef ENABLE_MODULE_RECOVERY
5387 # include "modules/recovery/tests_impl.h"
5390 #ifdef ENABLE_MODULE_EXTRAKEYS
5391 # include "modules/extrakeys/tests_impl.h"
5394 #ifdef ENABLE_MODULE_SCHNORRSIG
5395 # include "modules/schnorrsig/tests_impl.h"
5398 void run_secp256k1_memczero_test(void) {
5399 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5400 unsigned char buf2[sizeof(buf1)];
5402 /* secp256k1_memczero(..., ..., 0) is a noop. */
5403 memcpy(buf2, buf1, sizeof(buf1));
5404 secp256k1_memczero(buf1, sizeof(buf1), 0);
5405 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5407 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
5408 memset(buf2, 0, sizeof(buf2));
5409 secp256k1_memczero(buf1, sizeof(buf1) , 1);
5410 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5413 void int_cmov_test(void) {
5417 secp256k1_int_cmov(&r, &a, 0);
5418 CHECK(r == INT_MAX);
5421 secp256k1_int_cmov(&r, &a, 1);
5422 CHECK(r == INT_MAX);
5425 secp256k1_int_cmov(&r, &a, 1);
5429 secp256k1_int_cmov(&r, &a, 1);
5433 secp256k1_int_cmov(&r, &a, 0);
5438 void fe_cmov_test(void) {
5439 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5440 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5441 static const secp256k1_fe max = SECP256K1_FE_CONST(
5442 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5443 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5445 secp256k1_fe r = max;
5446 secp256k1_fe a = zero;
5448 secp256k1_fe_cmov(&r, &a, 0);
5449 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5452 secp256k1_fe_cmov(&r, &a, 1);
5453 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5456 secp256k1_fe_cmov(&r, &a, 1);
5457 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5460 secp256k1_fe_cmov(&r, &a, 1);
5461 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5464 secp256k1_fe_cmov(&r, &a, 0);
5465 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5468 void fe_storage_cmov_test(void) {
5469 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5470 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5471 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5472 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5473 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5475 secp256k1_fe_storage r = max;
5476 secp256k1_fe_storage a = zero;
5478 secp256k1_fe_storage_cmov(&r, &a, 0);
5479 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5482 secp256k1_fe_storage_cmov(&r, &a, 1);
5483 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5486 secp256k1_fe_storage_cmov(&r, &a, 1);
5487 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5490 secp256k1_fe_storage_cmov(&r, &a, 1);
5491 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5494 secp256k1_fe_storage_cmov(&r, &a, 0);
5495 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5498 void scalar_cmov_test(void) {
5499 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5500 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5501 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5502 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5503 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5505 secp256k1_scalar r = max;
5506 secp256k1_scalar a = zero;
5508 secp256k1_scalar_cmov(&r, &a, 0);
5509 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5512 secp256k1_scalar_cmov(&r, &a, 1);
5513 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5516 secp256k1_scalar_cmov(&r, &a, 1);
5517 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5520 secp256k1_scalar_cmov(&r, &a, 1);
5521 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5524 secp256k1_scalar_cmov(&r, &a, 0);
5525 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5528 void ge_storage_cmov_test(void) {
5529 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5530 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5531 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5532 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5533 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5534 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5535 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5537 secp256k1_ge_storage r = max;
5538 secp256k1_ge_storage a = zero;
5540 secp256k1_ge_storage_cmov(&r, &a, 0);
5541 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5544 secp256k1_ge_storage_cmov(&r, &a, 1);
5545 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5548 secp256k1_ge_storage_cmov(&r, &a, 1);
5549 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5552 secp256k1_ge_storage_cmov(&r, &a, 1);
5553 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5556 secp256k1_ge_storage_cmov(&r, &a, 0);
5557 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5560 void run_cmov_tests(void) {
5563 fe_storage_cmov_test();
5565 ge_storage_cmov_test();
5568 int main(int argc, char **argv) {
5569 /* Disable buffering for stdout to improve reliability of getting
5570 * diagnostic information. Happens right at the start of main because
5571 * setbuf must be used before any other operation on the stream. */
5572 setbuf(stdout, NULL);
5573 /* Also disable buffering for stderr because it's not guaranteed that it's
5574 * unbuffered on all systems. */
5575 setbuf(stderr, NULL);
5577 /* find iteration count */
5579 count = strtol(argv[1], NULL, 0);
5581 const char* env = getenv("SECP256K1_TEST_ITERS");
5583 count = strtol(env, NULL, 0);
5587 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
5588 return EXIT_FAILURE;
5590 printf("test count = %i\n", count);
5592 /* find random seed */
5593 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
5596 run_context_tests(0);
5597 run_context_tests(1);
5598 run_scratch_tests();
5599 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5600 if (secp256k1_testrand_bits(1)) {
5601 unsigned char rand32[32];
5602 secp256k1_testrand256(rand32);
5603 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
5610 run_hmac_sha256_tests();
5611 run_rfc6979_hmac_sha256_tests();
5613 #ifndef USE_NUM_NONE
5615 run_num_smalltests();
5623 run_field_inv_var();
5625 run_field_convert();
5631 run_group_decompress();
5635 run_point_times_order();
5636 run_ecmult_near_split_bound();
5638 run_ecmult_constants();
5639 run_ecmult_gen_blind();
5640 run_ecmult_const_tests();
5641 run_ecmult_multi_tests();
5644 /* endomorphism tests */
5645 run_endomorphism_tests();
5647 /* EC point parser test */
5648 run_ec_pubkey_parse_test();
5650 /* EC key edge cases */
5651 run_eckey_edge_case_test();
5653 /* EC key arithmetic test */
5654 run_eckey_negate_test();
5656 #ifdef ENABLE_MODULE_ECDH
5662 run_random_pubkeys();
5663 run_ecdsa_der_parse();
5664 run_ecdsa_sign_verify();
5665 run_ecdsa_end_to_end();
5666 run_ecdsa_edge_cases();
5667 #ifdef ENABLE_OPENSSL_TESTS
5668 run_ecdsa_openssl();
5671 #ifdef ENABLE_MODULE_RECOVERY
5672 /* ECDSA pubkey recovery tests */
5673 run_recovery_tests();
5676 #ifdef ENABLE_MODULE_EXTRAKEYS
5677 run_extrakeys_tests();
5680 #ifdef ENABLE_MODULE_SCHNORRSIG
5681 run_schnorrsig_tests();
5685 run_secp256k1_memczero_test();
5689 secp256k1_testrand_finish();
5692 secp256k1_context_destroy(ctx);
5694 printf("no problems found\n");
projects / secp256k1.git / blob