1 // Copyright (c) 2013 Pieter Wuille
2 // Distributed under the MIT/X11 software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 #if defined HAVE_CONFIG_H
6 #include "libsecp256k1-config.h"
12 #include "impl/field.h"
13 #include "impl/group.h"
14 #include "impl/ecmult.h"
15 #include "impl/ecdsa.h"
16 #include "impl/util.h"
18 #ifdef ENABLE_OPENSSL_TESTS
19 #include "openssl/bn.h"
20 #include "openssl/ec.h"
21 #include "openssl/ecdsa.h"
22 #include "openssl/obj_mac.h"
25 static int count = 100;
27 /***** NUM TESTS *****/
29 void random_num_negate(secp256k1_num_t *num) {
30 if (secp256k1_rand32() & 1)
31 secp256k1_num_negate(num);
34 void random_num_order_test(secp256k1_num_t *num) {
36 unsigned char b32[32];
37 secp256k1_rand256_test(b32);
38 secp256k1_num_set_bin(num, b32, 32);
39 if (secp256k1_num_is_zero(num))
41 if (secp256k1_num_cmp(num, &secp256k1_ge_consts->order) >= 0)
47 void random_num_order(secp256k1_num_t *num) {
49 unsigned char b32[32];
50 secp256k1_rand256(b32);
51 secp256k1_num_set_bin(num, b32, 32);
52 if (secp256k1_num_is_zero(num))
54 if (secp256k1_num_cmp(num, &secp256k1_ge_consts->order) >= 0)
60 void test_num_copy_inc_cmp() {
61 secp256k1_num_t n1,n2;
62 secp256k1_num_init(&n1);
63 secp256k1_num_init(&n2);
64 random_num_order(&n1);
65 secp256k1_num_copy(&n2, &n1);
66 assert(secp256k1_num_cmp(&n1, &n2) == 0);
67 assert(secp256k1_num_cmp(&n2, &n1) == 0);
68 secp256k1_num_inc(&n2);
69 assert(secp256k1_num_cmp(&n1, &n2) != 0);
70 assert(secp256k1_num_cmp(&n2, &n1) != 0);
71 secp256k1_num_free(&n1);
72 secp256k1_num_free(&n2);
76 void test_num_get_set_hex() {
77 secp256k1_num_t n1,n2;
78 secp256k1_num_init(&n1);
79 secp256k1_num_init(&n2);
80 random_num_order_test(&n1);
82 secp256k1_num_get_hex(c, 64, &n1);
83 secp256k1_num_set_hex(&n2, c, 64);
84 assert(secp256k1_num_cmp(&n1, &n2) == 0);
85 for (int i=0; i<64; i++) {
86 // check whether the lower 4 bits correspond to the last hex character
87 int low1 = secp256k1_num_shift(&n1, 4);
89 int low2 = (lowh>>6)*9+(lowh-'0')&15;
91 // shift bits off the hex representation, and compare
94 secp256k1_num_set_hex(&n2, c, 64);
95 assert(secp256k1_num_cmp(&n1, &n2) == 0);
97 secp256k1_num_free(&n2);
98 secp256k1_num_free(&n1);
101 void test_num_get_set_bin() {
102 secp256k1_num_t n1,n2;
103 secp256k1_num_init(&n1);
104 secp256k1_num_init(&n2);
105 random_num_order_test(&n1);
107 secp256k1_num_get_bin(c, 32, &n1);
108 secp256k1_num_set_bin(&n2, c, 32);
109 assert(secp256k1_num_cmp(&n1, &n2) == 0);
110 for (int i=0; i<32; i++) {
111 // check whether the lower 8 bits correspond to the last byte
112 int low1 = secp256k1_num_shift(&n1, 8);
114 assert(low1 == low2);
115 // shift bits off the byte representation, and compare
118 secp256k1_num_set_bin(&n2, c, 32);
119 assert(secp256k1_num_cmp(&n1, &n2) == 0);
121 secp256k1_num_free(&n2);
122 secp256k1_num_free(&n1);
127 secp256k1_num_init(&n1);
128 for (int i=-255; i<256; i++) {
129 unsigned char c1[3] = {};
131 unsigned char c2[3] = {0x11,0x22,0x33};
132 secp256k1_num_set_int(&n1, i);
133 secp256k1_num_get_bin(c2, 3, &n1);
134 assert(memcmp(c1, c2, 3) == 0);
136 secp256k1_num_free(&n1);
139 void test_num_negate() {
142 secp256k1_num_init(&n1);
143 secp256k1_num_init(&n2);
144 random_num_order_test(&n1); // n1 = R
145 random_num_negate(&n1);
146 secp256k1_num_copy(&n2, &n1); // n2 = R
147 secp256k1_num_sub(&n1, &n2, &n1); // n1 = n2-n1 = 0
148 assert(secp256k1_num_is_zero(&n1));
149 secp256k1_num_copy(&n1, &n2); // n1 = R
150 secp256k1_num_negate(&n1); // n1 = -R
151 assert(!secp256k1_num_is_zero(&n1));
152 secp256k1_num_add(&n1, &n2, &n1); // n1 = n2+n1 = 0
153 assert(secp256k1_num_is_zero(&n1));
154 secp256k1_num_copy(&n1, &n2); // n1 = R
155 secp256k1_num_negate(&n1); // n1 = -R
156 assert(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
157 secp256k1_num_negate(&n1); // n1 = R
158 assert(secp256k1_num_cmp(&n1, &n2) == 0);
159 assert(secp256k1_num_is_neg(&n1) == secp256k1_num_is_neg(&n2));
160 secp256k1_num_free(&n2);
161 secp256k1_num_free(&n1);
164 void test_num_add_sub() {
167 secp256k1_num_init(&n1);
168 secp256k1_num_init(&n2);
169 random_num_order_test(&n1); // n1 = R1
170 random_num_negate(&n1);
171 random_num_order_test(&n2); // n2 = R2
172 random_num_negate(&n2);
173 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
174 secp256k1_num_init(&n1p2);
175 secp256k1_num_init(&n2p1);
176 secp256k1_num_init(&n1m2);
177 secp256k1_num_init(&n2m1);
178 secp256k1_num_add(&n1p2, &n1, &n2); // n1p2 = R1 + R2
179 secp256k1_num_add(&n2p1, &n2, &n1); // n2p1 = R2 + R1
180 secp256k1_num_sub(&n1m2, &n1, &n2); // n1m2 = R1 - R2
181 secp256k1_num_sub(&n2m1, &n2, &n1); // n2m1 = R2 - R1
182 assert(secp256k1_num_cmp(&n1p2, &n2p1) == 0);
183 assert(secp256k1_num_cmp(&n1p2, &n1m2) != 0);
184 secp256k1_num_negate(&n2m1); // n2m1 = -R2 + R1
185 assert(secp256k1_num_cmp(&n2m1, &n1m2) == 0);
186 assert(secp256k1_num_cmp(&n2m1, &n1) != 0);
187 secp256k1_num_add(&n2m1, &n2m1, &n2); // n2m1 = -R2 + R1 + R2 = R1
188 assert(secp256k1_num_cmp(&n2m1, &n1) == 0);
189 assert(secp256k1_num_cmp(&n2p1, &n1) != 0);
190 secp256k1_num_sub(&n2p1, &n2p1, &n2); // n2p1 = R2 + R1 - R2 = R1
191 assert(secp256k1_num_cmp(&n2p1, &n1) == 0);
192 secp256k1_num_free(&n2m1);
193 secp256k1_num_free(&n1m2);
194 secp256k1_num_free(&n2p1);
195 secp256k1_num_free(&n1p2);
196 secp256k1_num_free(&n2);
197 secp256k1_num_free(&n1);
200 void run_num_smalltests() {
201 for (int i=0; i<100*count; i++) {
202 test_num_copy_inc_cmp();
203 test_num_get_set_hex();
204 test_num_get_set_bin();
211 void run_ecmult_chain() {
212 // random starting point A (on the curve)
213 secp256k1_fe_t ax; secp256k1_fe_set_hex(&ax, "8b30bbe9ae2a990696b22f670709dff3727fd8bc04d3362c6c7bf458e2846004", 64);
214 secp256k1_fe_t ay; secp256k1_fe_set_hex(&ay, "a357ae915c4a65281309edf20504740f0eb3343990216b4f81063cb65f2f7e0f", 64);
215 secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
216 // two random initial factors xn and gn
218 secp256k1_num_init(&xn);
219 secp256k1_num_set_hex(&xn, "84cc5452f7fde1edb4d38a8ce9b1b84ccef31f146e569be9705d357a42985407", 64);
221 secp256k1_num_init(&gn);
222 secp256k1_num_set_hex(&gn, "a1e58d22553dcd42b23980625d4c57a96e9323d42b3152e5ca2c3990edc7c9de", 64);
223 // two small multipliers to be applied to xn and gn in every iteration:
225 secp256k1_num_init(&xf);
226 secp256k1_num_set_hex(&xf, "1337", 4);
228 secp256k1_num_init(&gf);
229 secp256k1_num_set_hex(&gf, "7113", 4);
230 // accumulators with the resulting coefficients to A and G
232 secp256k1_num_init(&ae);
233 secp256k1_num_set_int(&ae, 1);
235 secp256k1_num_init(&ge);
236 secp256k1_num_set_int(&ge, 0);
237 // the point being computed
238 secp256k1_gej_t x = a;
239 const secp256k1_num_t *order = &secp256k1_ge_consts->order;
240 for (int i=0; i<200*count; i++) {
241 // in each iteration, compute X = xn*X + gn*G;
242 secp256k1_ecmult(&x, &x, &xn, &gn);
243 // also compute ae and ge: the actual accumulated factors for A and G
244 // if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G)
245 secp256k1_num_mod_mul(&ae, &ae, &xn, order);
246 secp256k1_num_mod_mul(&ge, &ge, &xn, order);
247 secp256k1_num_add(&ge, &ge, &gn);
248 secp256k1_num_mod(&ge, order);
250 secp256k1_num_mod_mul(&xn, &xn, &xf, order);
251 secp256k1_num_mod_mul(&gn, &gn, &gf, order);
255 char res[132]; int resl = 132;
256 secp256k1_gej_get_hex(res, &resl, &x);
257 assert(strcmp(res, "(D6E96687F9B10D092A6F35439D86CEBEA4535D0D409F53586440BD74B933E830,B95CBCA2C77DA786539BE8FD53354D2D3B4F566AE658045407ED6015EE1B2A88)") == 0);
260 // redo the computation, but directly with the resulting ae and ge coefficients:
261 secp256k1_gej_t x2; secp256k1_ecmult(&x2, &a, &ae, &ge);
262 char res[132]; int resl = 132;
263 char res2[132]; int resl2 = 132;
264 secp256k1_gej_get_hex(res, &resl, &x);
265 secp256k1_gej_get_hex(res2, &resl2, &x2);
266 assert(strcmp(res, res2) == 0);
267 assert(strlen(res) == 131);
268 secp256k1_num_free(&xn);
269 secp256k1_num_free(&gn);
270 secp256k1_num_free(&xf);
271 secp256k1_num_free(&gf);
272 secp256k1_num_free(&ae);
273 secp256k1_num_free(&ge);
276 void test_point_times_order(const secp256k1_gej_t *point) {
277 // either the point is not on the curve, or multiplying it by the order results in O
278 if (!secp256k1_gej_is_valid(point))
281 const secp256k1_num_t *order = &secp256k1_ge_consts->order;
282 secp256k1_num_t zero;
283 secp256k1_num_init(&zero);
284 secp256k1_num_set_int(&zero, 0);
286 secp256k1_ecmult(&res, point, order, order); // calc res = order * point + order * G;
287 assert(secp256k1_gej_is_infinity(&res));
288 secp256k1_num_free(&zero);
291 void run_point_times_order() {
292 secp256k1_fe_t x; secp256k1_fe_set_hex(&x, "02", 2);
293 for (int i=0; i<500; i++) {
294 secp256k1_ge_t p; secp256k1_ge_set_xo(&p, &x, 1);
295 secp256k1_gej_t j; secp256k1_gej_set_ge(&j, &p);
296 test_point_times_order(&j);
297 secp256k1_fe_sqr(&x, &x);
299 char c[65]; int cl=65;
300 secp256k1_fe_get_hex(c, &cl, &x);
301 assert(strcmp(c, "7603CB59B0EF6C63FE6084792A0C378CDB3233A80F8A9A09A877DEAD31B38C45") == 0);
304 void test_wnaf(const secp256k1_num_t *number, int w) {
305 secp256k1_num_t x, two, t;
306 secp256k1_num_init(&x);
307 secp256k1_num_init(&two);
308 secp256k1_num_init(&t);
309 secp256k1_num_set_int(&x, 0);
310 secp256k1_num_set_int(&two, 2);
312 int bits = secp256k1_ecmult_wnaf(wnaf, number, w);
314 for (int i=bits-1; i>=0; i--) {
315 secp256k1_num_mul(&x, &x, &two);
318 assert(zeroes == -1 || zeroes >= w-1); // check that distance between non-zero elements is at least w-1
320 assert((v & 1) == 1); // check non-zero elements are odd
321 assert(v <= (1 << (w-1)) - 1); // check range below
322 assert(v >= -(1 << (w-1)) - 1); // check range above
324 assert(zeroes != -1); // check that no unnecessary zero padding exists
327 secp256k1_num_set_int(&t, v);
328 secp256k1_num_add(&x, &x, &t);
330 assert(secp256k1_num_cmp(&x, number) == 0); // check that wnaf represents number
331 secp256k1_num_free(&x);
332 secp256k1_num_free(&two);
333 secp256k1_num_free(&t);
338 secp256k1_num_init(&n);
339 for (int i=0; i<count; i++) {
340 random_num_order(&n);
342 secp256k1_num_negate(&n);
343 test_wnaf(&n, 4+(i%10));
345 secp256k1_num_free(&n);
348 void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_num_t *key, const secp256k1_num_t *msg, int *recid) {
349 secp256k1_num_t nonce;
350 secp256k1_num_init(&nonce);
352 random_num_order_test(&nonce);
353 } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
354 secp256k1_num_free(&nonce);
357 void test_ecdsa_sign_verify() {
358 const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
359 secp256k1_num_t msg, key;
360 secp256k1_num_init(&msg);
361 random_num_order_test(&msg);
362 secp256k1_num_init(&key);
363 random_num_order_test(&key);
364 secp256k1_gej_t pubj; secp256k1_ecmult_gen(&pubj, &key);
365 secp256k1_ge_t pub; secp256k1_ge_set_gej(&pub, &pubj);
366 secp256k1_ecdsa_sig_t sig;
367 secp256k1_ecdsa_sig_init(&sig);
368 random_sign(&sig, &key, &msg, NULL);
369 assert(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
370 secp256k1_num_inc(&msg);
371 assert(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
372 secp256k1_ecdsa_sig_free(&sig);
373 secp256k1_num_free(&msg);
374 secp256k1_num_free(&key);
377 void run_ecdsa_sign_verify() {
378 for (int i=0; i<10*count; i++) {
379 test_ecdsa_sign_verify();
383 #ifdef ENABLE_OPENSSL_TESTS
384 EC_KEY *get_openssl_key(const secp256k1_num_t *key) {
385 unsigned char privkey[300];
387 int compr = secp256k1_rand32() & 1;
388 const unsigned char* pbegin = privkey;
389 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
390 assert(secp256k1_ecdsa_privkey_serialize(privkey, &privkeylen, key, compr));
391 assert(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
392 assert(EC_KEY_check_key(ec_key));
396 void test_ecdsa_openssl() {
397 const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
398 secp256k1_num_t key, msg;
399 secp256k1_num_init(&msg);
400 unsigned char message[32];
401 secp256k1_rand256_test(message);
402 secp256k1_num_set_bin(&msg, message, 32);
403 secp256k1_num_init(&key);
404 random_num_order_test(&key);
406 secp256k1_ecmult_gen(&qj, &key);
408 secp256k1_ge_set_gej(&q, &qj);
409 EC_KEY *ec_key = get_openssl_key(&key);
411 unsigned char signature[80];
413 assert(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
414 secp256k1_ecdsa_sig_t sig;
415 secp256k1_ecdsa_sig_init(&sig);
416 assert(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
417 assert(secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
418 secp256k1_num_inc(&sig.r);
419 assert(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
421 random_sign(&sig, &key, &msg, NULL);
423 assert(secp256k1_ecdsa_sig_serialize(signature, &sigsize, &sig));
424 assert(ECDSA_verify(0, message, sizeof(message), signature, sigsize, ec_key) == 1);
426 secp256k1_ecdsa_sig_free(&sig);
428 secp256k1_num_free(&key);
429 secp256k1_num_free(&msg);
432 void run_ecdsa_openssl() {
433 for (int i=0; i<10*count; i++) {
434 test_ecdsa_openssl();
439 int main(int argc, char **argv) {
441 count = strtol(argv[1], NULL, 0)*47;
443 printf("test count = %i\n", count);
446 secp256k1_fe_start();
447 secp256k1_ge_start();
448 secp256k1_ecmult_start();
451 run_num_smalltests();
455 run_point_times_order();
459 run_ecdsa_sign_verify();
460 #ifdef ENABLE_OPENSSL_TESTS
465 secp256k1_ecmult_stop();
projects / secp256k1.git / blob