1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
35 static int count = 64;
36 static secp256k1_context *ctx = NULL;
38 static void counting_illegal_callback_fn(const char* str, void* data) {
39 /* Dummy callback function that just counts. */
46 static void uncounting_illegal_callback_fn(const char* str, void* data) {
47 /* Dummy callback function that just counts (backwards). */
54 void random_field_element_test(secp256k1_fe *fe) {
56 unsigned char b32[32];
57 secp256k1_rand256_test(b32);
58 if (secp256k1_fe_set_b32(fe, b32)) {
64 void random_field_element_magnitude(secp256k1_fe *fe) {
66 int n = secp256k1_rand_int(9);
67 secp256k1_fe_normalize(fe);
71 secp256k1_fe_clear(&zero);
72 secp256k1_fe_negate(&zero, &zero, 0);
73 secp256k1_fe_mul_int(&zero, n - 1);
74 secp256k1_fe_add(fe, &zero);
76 CHECK(fe->magnitude == n);
80 void random_group_element_test(secp256k1_ge *ge) {
83 random_field_element_test(&fe);
84 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
85 secp256k1_fe_normalize(&ge->y);
91 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
94 random_field_element_test(&gej->z);
95 if (!secp256k1_fe_is_zero(&gej->z)) {
99 secp256k1_fe_sqr(&z2, &gej->z);
100 secp256k1_fe_mul(&z3, &z2, &gej->z);
101 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
102 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
103 gej->infinity = ge->infinity;
106 void random_scalar_order_test(secp256k1_scalar *num) {
108 unsigned char b32[32];
110 secp256k1_rand256_test(b32);
111 secp256k1_scalar_set_b32(num, b32, &overflow);
112 if (overflow || secp256k1_scalar_is_zero(num)) {
119 void random_scalar_order(secp256k1_scalar *num) {
121 unsigned char b32[32];
123 secp256k1_rand256(b32);
124 secp256k1_scalar_set_b32(num, b32, &overflow);
125 if (overflow || secp256k1_scalar_is_zero(num)) {
132 void random_scalar_order_b32(unsigned char *b32) {
133 secp256k1_scalar num;
134 random_scalar_order(&num);
135 secp256k1_scalar_get_b32(b32, &num);
138 void run_context_tests(int use_prealloc) {
139 secp256k1_pubkey pubkey;
140 secp256k1_pubkey zero_pubkey;
141 secp256k1_ecdsa_signature sig;
142 unsigned char ctmp[32];
145 secp256k1_context *none;
146 secp256k1_context *sign;
147 secp256k1_context *vrfy;
148 secp256k1_context *both;
149 void *none_prealloc = NULL;
150 void *sign_prealloc = NULL;
151 void *vrfy_prealloc = NULL;
152 void *both_prealloc = NULL;
156 secp256k1_scalar msg, key, nonce;
157 secp256k1_scalar sigr, sigs;
160 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
161 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
162 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
163 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
164 CHECK(none_prealloc != NULL);
165 CHECK(sign_prealloc != NULL);
166 CHECK(vrfy_prealloc != NULL);
167 CHECK(both_prealloc != NULL);
168 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
169 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
170 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
171 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
173 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
174 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
175 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
176 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
179 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
183 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
184 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
185 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
186 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
187 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
188 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
190 /* check if sizes for cloning are consistent */
191 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
192 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
193 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
194 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196 /*** clone and destroy all of them to make sure cloning was complete ***/
198 secp256k1_context *ctx_tmp;
201 /* clone into a non-preallocated context and then again into a new preallocated one. */
202 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
203 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
204 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
207 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
208 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
211 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
212 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
215 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
216 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218 /* clone into a preallocated context and then again into a new non-preallocated one. */
221 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
222 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
223 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
226 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
227 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
228 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
231 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
232 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
236 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
237 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
238 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
243 /* Verify that the error callback makes it across the clone. */
244 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
245 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
246 /* And that it resets back to default. */
247 secp256k1_context_set_error_callback(sign, NULL, NULL);
248 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
250 /*** attempt to use them ***/
251 random_scalar_order_test(&msg);
252 random_scalar_order_test(&key);
253 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
254 secp256k1_ge_set_gej(&pub, &pubj);
256 /* Verify context-type checking illegal-argument errors. */
258 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
260 VG_UNDEF(&pubkey, sizeof(pubkey));
261 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
262 VG_CHECK(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
265 VG_UNDEF(&sig, sizeof(sig));
266 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
267 VG_CHECK(&sig, sizeof(sig));
268 CHECK(ecount2 == 10);
269 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
270 CHECK(ecount2 == 11);
271 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
273 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
274 CHECK(ecount2 == 12);
275 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
277 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
278 CHECK(ecount2 == 13);
279 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
281 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
283 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
284 CHECK(ecount2 == 14);
285 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
287 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
289 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
291 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
293 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
294 CHECK(ecount2 == 14);
295 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
296 CHECK(ecount2 == 14);
297 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
298 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
300 /* obtain a working nonce */
302 random_scalar_order_test(&nonce);
303 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
306 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
310 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
311 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
315 secp256k1_context_preallocated_destroy(none);
316 secp256k1_context_preallocated_destroy(sign);
317 secp256k1_context_preallocated_destroy(vrfy);
318 secp256k1_context_preallocated_destroy(both);
324 secp256k1_context_destroy(none);
325 secp256k1_context_destroy(sign);
326 secp256k1_context_destroy(vrfy);
327 secp256k1_context_destroy(both);
329 /* Defined as no-op. */
330 secp256k1_context_destroy(NULL);
331 secp256k1_context_preallocated_destroy(NULL);
335 void run_scratch_tests(void) {
336 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
341 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
342 secp256k1_scratch_space *scratch;
343 secp256k1_scratch_space local_scratch;
345 /* Test public API */
346 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
347 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
349 scratch = secp256k1_scratch_space_create(none, 1000);
350 CHECK(scratch != NULL);
353 /* Test internal API */
354 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
355 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
356 CHECK(scratch->alloc_size == 0);
357 CHECK(scratch->alloc_size % ALIGNMENT == 0);
359 /* Allocating 500 bytes succeeds */
360 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
361 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
362 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
363 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
364 CHECK(scratch->alloc_size != 0);
365 CHECK(scratch->alloc_size % ALIGNMENT == 0);
367 /* Allocating another 500 bytes fails */
368 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
369 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371 CHECK(scratch->alloc_size != 0);
372 CHECK(scratch->alloc_size % ALIGNMENT == 0);
374 /* ...but it succeeds once we apply the checkpoint to undo it */
375 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
376 CHECK(scratch->alloc_size == 0);
377 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
378 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
379 CHECK(scratch->alloc_size != 0);
381 /* try to apply a bad checkpoint */
382 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
383 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
385 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
387 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
390 /* try to use badly initialized scratch space */
391 secp256k1_scratch_space_destroy(none, scratch);
392 memset(&local_scratch, 0, sizeof(local_scratch));
393 scratch = &local_scratch;
394 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
396 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
398 secp256k1_scratch_space_destroy(none, scratch);
402 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
403 secp256k1_context_destroy(none);
406 /***** HASH TESTS *****/
408 void run_sha256_tests(void) {
409 static const char *inputs[8] = {
410 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
411 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
412 "For this sample, this 63-byte string will be used as input data",
413 "This is exactly 64 bytes long, not counting the terminating byte"
415 static const unsigned char outputs[8][32] = {
416 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
417 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
418 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
419 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
420 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
421 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
422 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
423 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
426 for (i = 0; i < 8; i++) {
427 unsigned char out[32];
428 secp256k1_sha256 hasher;
429 secp256k1_sha256_initialize(&hasher);
430 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
431 secp256k1_sha256_finalize(&hasher, out);
432 CHECK(memcmp(out, outputs[i], 32) == 0);
433 if (strlen(inputs[i]) > 0) {
434 int split = secp256k1_rand_int(strlen(inputs[i]));
435 secp256k1_sha256_initialize(&hasher);
436 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
437 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
438 secp256k1_sha256_finalize(&hasher, out);
439 CHECK(memcmp(out, outputs[i], 32) == 0);
444 void run_hmac_sha256_tests(void) {
445 static const char *keys[6] = {
446 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
448 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
449 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
450 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
451 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
453 static const char *inputs[6] = {
454 "\x48\x69\x20\x54\x68\x65\x72\x65",
455 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
456 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
457 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
458 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
459 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
461 static const unsigned char outputs[6][32] = {
462 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
463 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
464 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
465 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
466 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
467 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
470 for (i = 0; i < 6; i++) {
471 secp256k1_hmac_sha256 hasher;
472 unsigned char out[32];
473 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
474 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
475 secp256k1_hmac_sha256_finalize(&hasher, out);
476 CHECK(memcmp(out, outputs[i], 32) == 0);
477 if (strlen(inputs[i]) > 0) {
478 int split = secp256k1_rand_int(strlen(inputs[i]));
479 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
480 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
481 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
482 secp256k1_hmac_sha256_finalize(&hasher, out);
483 CHECK(memcmp(out, outputs[i], 32) == 0);
488 void run_rfc6979_hmac_sha256_tests(void) {
489 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
490 static const unsigned char out1[3][32] = {
491 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
492 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
493 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
496 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
497 static const unsigned char out2[3][32] = {
498 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
499 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
500 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
503 secp256k1_rfc6979_hmac_sha256 rng;
504 unsigned char out[32];
507 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
508 for (i = 0; i < 3; i++) {
509 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
510 CHECK(memcmp(out, out1[i], 32) == 0);
512 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
514 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
515 for (i = 0; i < 3; i++) {
516 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
517 CHECK(memcmp(out, out1[i], 32) != 0);
519 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
521 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
522 for (i = 0; i < 3; i++) {
523 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
524 CHECK(memcmp(out, out2[i], 32) == 0);
526 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
529 /***** RANDOM TESTS *****/
531 void test_rand_bits(int rand32, int bits) {
532 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
533 * get a false negative chance below once in a billion */
534 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
535 /* We try multiplying the results with various odd numbers, which shouldn't
536 * influence the uniform distribution modulo a power of 2. */
537 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
538 /* We only select up to 6 bits from the output to analyse */
539 unsigned int usebits = bits > 6 ? 6 : bits;
540 unsigned int maxshift = bits - usebits;
541 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
542 number, track all observed outcomes, one per bit in a uint64_t. */
543 uint64_t x[6][27] = {{0}};
544 unsigned int i, shift, m;
545 /* Multiply the output of all rand calls with the odd number m, which
546 should not change the uniformity of its distribution. */
547 for (i = 0; i < rounds[usebits]; i++) {
548 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
549 CHECK((((uint64_t)r) >> bits) == 0);
550 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
551 uint32_t rm = r * mults[m];
552 for (shift = 0; shift <= maxshift; shift++) {
553 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
557 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
558 for (shift = 0; shift <= maxshift; shift++) {
559 /* Test that the lower usebits bits of x[shift] are 1 */
560 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
565 /* Subrange must be a whole divisor of range, and at most 64 */
566 void test_rand_int(uint32_t range, uint32_t subrange) {
567 /* (1-1/subrange)^rounds < 1/10^9 */
568 int rounds = (subrange * 2073) / 100;
571 CHECK((range % subrange) == 0);
572 for (i = 0; i < rounds; i++) {
573 uint32_t r = secp256k1_rand_int(range);
576 x |= (((uint64_t)1) << r);
578 /* Test that the lower subrange bits of x are 1. */
579 CHECK(((~x) << (64 - subrange)) == 0);
582 void run_rand_bits(void) {
584 test_rand_bits(1, 32);
585 for (b = 1; b <= 32; b++) {
586 test_rand_bits(0, b);
590 void run_rand_int(void) {
591 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
592 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
594 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
595 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
596 test_rand_int(ms[m] * ss[s], ss[s]);
601 /***** NUM TESTS *****/
604 void random_num_negate(secp256k1_num *num) {
605 if (secp256k1_rand_bits(1)) {
606 secp256k1_num_negate(num);
610 void random_num_order_test(secp256k1_num *num) {
612 random_scalar_order_test(&sc);
613 secp256k1_scalar_get_num(num, &sc);
616 void random_num_order(secp256k1_num *num) {
618 random_scalar_order(&sc);
619 secp256k1_scalar_get_num(num, &sc);
622 void test_num_negate(void) {
625 random_num_order_test(&n1); /* n1 = R */
626 random_num_negate(&n1);
627 secp256k1_num_copy(&n2, &n1); /* n2 = R */
628 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
629 CHECK(secp256k1_num_is_zero(&n1));
630 secp256k1_num_copy(&n1, &n2); /* n1 = R */
631 secp256k1_num_negate(&n1); /* n1 = -R */
632 CHECK(!secp256k1_num_is_zero(&n1));
633 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
634 CHECK(secp256k1_num_is_zero(&n1));
635 secp256k1_num_copy(&n1, &n2); /* n1 = R */
636 secp256k1_num_negate(&n1); /* n1 = -R */
637 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
638 secp256k1_num_negate(&n1); /* n1 = R */
639 CHECK(secp256k1_num_eq(&n1, &n2));
642 void test_num_add_sub(void) {
647 secp256k1_num n1p2, n2p1, n1m2, n2m1;
648 random_num_order_test(&n1); /* n1 = R1 */
649 if (secp256k1_rand_bits(1)) {
650 random_num_negate(&n1);
652 random_num_order_test(&n2); /* n2 = R2 */
653 if (secp256k1_rand_bits(1)) {
654 random_num_negate(&n2);
656 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
657 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
658 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
659 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
660 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
661 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
662 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
663 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
664 CHECK(!secp256k1_num_eq(&n2m1, &n1));
665 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
666 CHECK(secp256k1_num_eq(&n2m1, &n1));
667 CHECK(!secp256k1_num_eq(&n2p1, &n1));
668 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
669 CHECK(secp256k1_num_eq(&n2p1, &n1));
672 secp256k1_scalar_set_int(&s, 1);
673 secp256k1_scalar_get_num(&n1, &s);
674 CHECK(secp256k1_num_is_one(&n1));
675 /* check that 2^n + 1 is never 1 */
676 secp256k1_scalar_get_num(&n2, &s);
677 for (i = 0; i < 250; ++i) {
678 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
679 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
680 CHECK(!secp256k1_num_is_one(&n1p2));
684 void test_num_mod(void) {
687 secp256k1_num order, n;
689 /* check that 0 mod anything is 0 */
690 random_scalar_order_test(&s);
691 secp256k1_scalar_get_num(&order, &s);
692 secp256k1_scalar_set_int(&s, 0);
693 secp256k1_scalar_get_num(&n, &s);
694 secp256k1_num_mod(&n, &order);
695 CHECK(secp256k1_num_is_zero(&n));
697 /* check that anything mod 1 is 0 */
698 secp256k1_scalar_set_int(&s, 1);
699 secp256k1_scalar_get_num(&order, &s);
700 secp256k1_scalar_get_num(&n, &s);
701 secp256k1_num_mod(&n, &order);
702 CHECK(secp256k1_num_is_zero(&n));
704 /* check that increasing the number past 2^256 does not break this */
705 random_scalar_order_test(&s);
706 secp256k1_scalar_get_num(&n, &s);
707 /* multiply by 2^8, which'll test this case with high probability */
708 for (i = 0; i < 8; ++i) {
709 secp256k1_num_add(&n, &n, &n);
711 secp256k1_num_mod(&n, &order);
712 CHECK(secp256k1_num_is_zero(&n));
715 void test_num_jacobi(void) {
716 secp256k1_scalar sqr;
717 secp256k1_scalar small;
718 secp256k1_scalar five; /* five is not a quadratic residue */
719 secp256k1_num order, n;
721 /* squares mod 5 are 1, 4 */
722 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
724 /* check some small values with 5 as the order */
725 secp256k1_scalar_set_int(&five, 5);
726 secp256k1_scalar_get_num(&order, &five);
727 for (i = 0; i < 10; ++i) {
728 secp256k1_scalar_set_int(&small, i);
729 secp256k1_scalar_get_num(&n, &small);
730 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
733 /** test large values with 5 as group order */
734 secp256k1_scalar_get_num(&order, &five);
735 /* we first need a scalar which is not a multiple of 5 */
738 random_scalar_order_test(&sqr);
739 secp256k1_scalar_get_num(&fiven, &five);
740 secp256k1_scalar_get_num(&n, &sqr);
741 secp256k1_num_mod(&n, &fiven);
742 } while (secp256k1_num_is_zero(&n));
743 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
744 * just multiply by two, i.e. add the number to itself */
745 if (secp256k1_num_jacobi(&n, &order) == -1) {
746 secp256k1_num_add(&n, &n, &n);
750 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
751 /* test nonresidue */
752 secp256k1_num_add(&n, &n, &n);
753 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
755 /** test with secp group order as order */
756 secp256k1_scalar_order_get_num(&order);
757 random_scalar_order_test(&sqr);
758 secp256k1_scalar_sqr(&sqr, &sqr);
760 secp256k1_scalar_get_num(&n, &sqr);
761 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
762 /* test nonresidue */
763 secp256k1_scalar_mul(&sqr, &sqr, &five);
764 secp256k1_scalar_get_num(&n, &sqr);
765 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
766 /* test multiple of the order*/
767 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
769 /* check one less than the order */
770 secp256k1_scalar_set_int(&small, 1);
771 secp256k1_scalar_get_num(&n, &small);
772 secp256k1_num_sub(&n, &order, &n);
773 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
776 void run_num_smalltests(void) {
778 for (i = 0; i < 100*count; i++) {
787 /***** SCALAR TESTS *****/
789 void scalar_test(void) {
794 secp256k1_num snum, s1num, s2num;
795 secp256k1_num order, half_order;
799 /* Set 's' to a random scalar, with value 'snum'. */
800 random_scalar_order_test(&s);
802 /* Set 's1' to a random scalar, with value 's1num'. */
803 random_scalar_order_test(&s1);
805 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
806 random_scalar_order_test(&s2);
807 secp256k1_scalar_get_b32(c, &s2);
810 secp256k1_scalar_get_num(&snum, &s);
811 secp256k1_scalar_get_num(&s1num, &s1);
812 secp256k1_scalar_get_num(&s2num, &s2);
814 secp256k1_scalar_order_get_num(&order);
816 secp256k1_num_shift(&half_order, 1);
821 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
823 secp256k1_scalar_set_int(&n, 0);
824 for (i = 0; i < 256; i += 4) {
827 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
828 for (j = 0; j < 4; j++) {
829 secp256k1_scalar_add(&n, &n, &n);
831 secp256k1_scalar_add(&n, &n, &t);
833 CHECK(secp256k1_scalar_eq(&n, &s));
837 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
840 secp256k1_scalar_set_int(&n, 0);
844 int now = secp256k1_rand_int(15) + 1;
848 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
849 for (j = 0; j < now; j++) {
850 secp256k1_scalar_add(&n, &n, &n);
852 secp256k1_scalar_add(&n, &n, &t);
855 CHECK(secp256k1_scalar_eq(&n, &s));
860 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
864 secp256k1_num_add(&rnum, &snum, &s2num);
865 secp256k1_num_mod(&rnum, &order);
866 secp256k1_scalar_add(&r, &s, &s2);
867 secp256k1_scalar_get_num(&r2num, &r);
868 CHECK(secp256k1_num_eq(&rnum, &r2num));
872 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
876 secp256k1_num_mul(&rnum, &snum, &s2num);
877 secp256k1_num_mod(&rnum, &order);
878 secp256k1_scalar_mul(&r, &s, &s2);
879 secp256k1_scalar_get_num(&r2num, &r);
880 CHECK(secp256k1_num_eq(&rnum, &r2num));
881 /* The result can only be zero if at least one of the factors was zero. */
882 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
883 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
884 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
885 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
889 secp256k1_scalar neg;
890 secp256k1_num negnum;
891 secp256k1_num negnum2;
892 /* Check that comparison with zero matches comparison with zero on the number. */
893 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
894 /* Check that comparison with the half order is equal to testing for high scalar. */
895 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
896 secp256k1_scalar_negate(&neg, &s);
897 secp256k1_num_sub(&negnum, &order, &snum);
898 secp256k1_num_mod(&negnum, &order);
899 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
900 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
901 /* Negating should change the high property, unless the value was already zero. */
902 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
903 secp256k1_scalar_get_num(&negnum2, &neg);
904 /* Negating a scalar should be equal to (order - n) mod order on the number. */
905 CHECK(secp256k1_num_eq(&negnum, &negnum2));
906 secp256k1_scalar_add(&neg, &neg, &s);
907 /* Adding a number to its negation should result in zero. */
908 CHECK(secp256k1_scalar_is_zero(&neg));
909 secp256k1_scalar_negate(&neg, &neg);
910 /* Negating zero should still result in zero. */
911 CHECK(secp256k1_scalar_is_zero(&neg));
915 /* Test secp256k1_scalar_mul_shift_var. */
920 unsigned char cone[1] = {0x01};
921 unsigned int shift = 256 + secp256k1_rand_int(257);
922 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
923 secp256k1_num_mul(&rnum, &s1num, &s2num);
924 secp256k1_num_shift(&rnum, shift - 1);
925 secp256k1_num_set_bin(&one, cone, 1);
926 secp256k1_num_add(&rnum, &rnum, &one);
927 secp256k1_num_shift(&rnum, 1);
928 secp256k1_scalar_get_num(&rnum2, &r);
929 CHECK(secp256k1_num_eq(&rnum, &rnum2));
933 /* test secp256k1_scalar_shr_int */
936 random_scalar_order_test(&r);
937 for (i = 0; i < 100; ++i) {
939 int shift = 1 + secp256k1_rand_int(15);
940 int expected = r.d[0] % (1 << shift);
941 low = secp256k1_scalar_shr_int(&r, shift);
942 CHECK(expected == low);
948 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
949 if (!secp256k1_scalar_is_zero(&s)) {
950 secp256k1_scalar inv;
952 secp256k1_num invnum;
953 secp256k1_num invnum2;
955 secp256k1_scalar_inverse(&inv, &s);
957 secp256k1_num_mod_inverse(&invnum, &snum, &order);
958 secp256k1_scalar_get_num(&invnum2, &inv);
959 CHECK(secp256k1_num_eq(&invnum, &invnum2));
961 secp256k1_scalar_mul(&inv, &inv, &s);
962 /* Multiplying a scalar with its inverse must result in one. */
963 CHECK(secp256k1_scalar_is_one(&inv));
964 secp256k1_scalar_inverse(&inv, &inv);
965 /* Inverting one must result in one. */
966 CHECK(secp256k1_scalar_is_one(&inv));
968 secp256k1_scalar_get_num(&invnum, &inv);
969 CHECK(secp256k1_num_is_one(&invnum));
975 /* Test commutativity of add. */
976 secp256k1_scalar r1, r2;
977 secp256k1_scalar_add(&r1, &s1, &s2);
978 secp256k1_scalar_add(&r2, &s2, &s1);
979 CHECK(secp256k1_scalar_eq(&r1, &r2));
983 secp256k1_scalar r1, r2;
987 int bit = secp256k1_rand_bits(8);
988 secp256k1_scalar_set_int(&b, 1);
989 CHECK(secp256k1_scalar_is_one(&b));
990 for (i = 0; i < bit; i++) {
991 secp256k1_scalar_add(&b, &b, &b);
995 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
996 /* No overflow happened. */
997 secp256k1_scalar_cadd_bit(&r2, bit, 1);
998 CHECK(secp256k1_scalar_eq(&r1, &r2));
999 /* cadd is a noop when flag is zero */
1000 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1001 CHECK(secp256k1_scalar_eq(&r1, &r2));
1006 /* Test commutativity of mul. */
1007 secp256k1_scalar r1, r2;
1008 secp256k1_scalar_mul(&r1, &s1, &s2);
1009 secp256k1_scalar_mul(&r2, &s2, &s1);
1010 CHECK(secp256k1_scalar_eq(&r1, &r2));
1014 /* Test associativity of add. */
1015 secp256k1_scalar r1, r2;
1016 secp256k1_scalar_add(&r1, &s1, &s2);
1017 secp256k1_scalar_add(&r1, &r1, &s);
1018 secp256k1_scalar_add(&r2, &s2, &s);
1019 secp256k1_scalar_add(&r2, &s1, &r2);
1020 CHECK(secp256k1_scalar_eq(&r1, &r2));
1024 /* Test associativity of mul. */
1025 secp256k1_scalar r1, r2;
1026 secp256k1_scalar_mul(&r1, &s1, &s2);
1027 secp256k1_scalar_mul(&r1, &r1, &s);
1028 secp256k1_scalar_mul(&r2, &s2, &s);
1029 secp256k1_scalar_mul(&r2, &s1, &r2);
1030 CHECK(secp256k1_scalar_eq(&r1, &r2));
1034 /* Test distributitivity of mul over add. */
1035 secp256k1_scalar r1, r2, t;
1036 secp256k1_scalar_add(&r1, &s1, &s2);
1037 secp256k1_scalar_mul(&r1, &r1, &s);
1038 secp256k1_scalar_mul(&r2, &s1, &s);
1039 secp256k1_scalar_mul(&t, &s2, &s);
1040 secp256k1_scalar_add(&r2, &r2, &t);
1041 CHECK(secp256k1_scalar_eq(&r1, &r2));
1046 secp256k1_scalar r1, r2;
1047 secp256k1_scalar_sqr(&r1, &s1);
1048 secp256k1_scalar_mul(&r2, &s1, &s1);
1049 CHECK(secp256k1_scalar_eq(&r1, &r2));
1053 /* Test multiplicative identity. */
1054 secp256k1_scalar r1, v1;
1055 secp256k1_scalar_set_int(&v1,1);
1056 secp256k1_scalar_mul(&r1, &s1, &v1);
1057 CHECK(secp256k1_scalar_eq(&r1, &s1));
1061 /* Test additive identity. */
1062 secp256k1_scalar r1, v0;
1063 secp256k1_scalar_set_int(&v0,0);
1064 secp256k1_scalar_add(&r1, &s1, &v0);
1065 CHECK(secp256k1_scalar_eq(&r1, &s1));
1069 /* Test zero product property. */
1070 secp256k1_scalar r1, v0;
1071 secp256k1_scalar_set_int(&v0,0);
1072 secp256k1_scalar_mul(&r1, &s1, &v0);
1073 CHECK(secp256k1_scalar_eq(&r1, &v0));
1078 void run_scalar_set_b32_seckey_tests(void) {
1079 unsigned char b32[32];
1080 secp256k1_scalar s1;
1081 secp256k1_scalar s2;
1083 /* Usually set_b32 and set_b32_seckey give the same result */
1084 random_scalar_order_b32(b32);
1085 secp256k1_scalar_set_b32(&s1, b32, NULL);
1086 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1087 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1089 memset(b32, 0, sizeof(b32));
1090 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1091 memset(b32, 0xFF, sizeof(b32));
1092 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1095 void run_scalar_tests(void) {
1097 for (i = 0; i < 128 * count; i++) {
1100 for (i = 0; i < count; i++) {
1101 run_scalar_set_b32_seckey_tests();
1105 /* (-1)+1 should be zero. */
1106 secp256k1_scalar s, o;
1107 secp256k1_scalar_set_int(&s, 1);
1108 CHECK(secp256k1_scalar_is_one(&s));
1109 secp256k1_scalar_negate(&o, &s);
1110 secp256k1_scalar_add(&o, &o, &s);
1111 CHECK(secp256k1_scalar_is_zero(&o));
1112 secp256k1_scalar_negate(&o, &o);
1113 CHECK(secp256k1_scalar_is_zero(&o));
1116 #ifndef USE_NUM_NONE
1118 /* Test secp256k1_scalar_set_b32 boundary conditions */
1119 secp256k1_num order;
1120 secp256k1_scalar scalar;
1121 unsigned char bin[32];
1122 unsigned char bin_tmp[32];
1124 /* 2^256-1 - order */
1125 static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1126 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1127 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1130 /* A scalar set to 0s should be 0. */
1132 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1133 CHECK(overflow == 0);
1134 CHECK(secp256k1_scalar_is_zero(&scalar));
1136 /* A scalar with value of the curve order should be 0. */
1137 secp256k1_scalar_order_get_num(&order);
1138 secp256k1_num_get_bin(bin, 32, &order);
1139 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1140 CHECK(overflow == 1);
1141 CHECK(secp256k1_scalar_is_zero(&scalar));
1143 /* A scalar with value of the curve order minus one should not overflow. */
1145 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146 CHECK(overflow == 0);
1147 secp256k1_scalar_get_b32(bin_tmp, &scalar);
1148 CHECK(memcmp(bin, bin_tmp, 32) == 0);
1150 /* A scalar set to all 1s should overflow. */
1151 memset(bin, 0xFF, 32);
1152 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1153 CHECK(overflow == 1);
1154 CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1159 /* Does check_overflow check catch all ones? */
1160 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1161 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1162 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1164 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1168 /* Static test vectors.
1169 * These were reduced from ~10^12 random vectors based on comparison-decision
1170 * and edge-case coverage on 32-bit and 64-bit implementations.
1171 * The responses were generated with Sage 5.9.
1176 secp256k1_scalar zz;
1177 secp256k1_scalar one;
1178 secp256k1_scalar r1;
1179 secp256k1_scalar r2;
1180 #if defined(USE_SCALAR_INV_NUM)
1181 secp256k1_scalar zzv;
1184 unsigned char chal[33][2][32] = {
1185 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1187 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1188 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1189 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1191 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1192 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1193 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1197 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1199 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1200 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1201 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1203 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1204 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1205 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1208 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1209 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1212 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1213 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1214 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1215 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1216 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1217 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1218 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1220 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1221 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1222 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1224 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1225 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1226 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1227 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1228 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1229 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1230 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1231 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1232 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1233 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1234 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1235 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1236 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1237 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1238 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1240 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1241 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1242 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1243 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1244 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1245 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1246 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1247 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1248 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1249 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1250 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1251 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1252 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1253 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1256 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1257 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1260 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1261 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1262 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1263 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1264 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1265 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1266 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1267 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1268 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1269 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1272 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1273 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1274 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1275 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1276 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1277 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1278 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1279 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1281 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1282 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1285 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1286 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1287 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1288 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1289 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1290 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1292 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1293 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1294 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1297 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1298 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1300 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1301 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1302 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1303 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1304 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1305 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1307 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1309 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1312 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1313 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1314 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1316 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1317 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1318 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1320 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1321 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1322 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1325 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1326 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1328 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1329 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1330 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1331 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1332 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1333 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1335 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1336 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1337 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1338 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1339 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1341 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1342 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1344 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1345 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1348 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1349 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1350 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1351 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1352 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1353 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1354 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1355 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1356 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1357 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1358 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1361 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1364 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1365 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1366 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1367 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1368 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1369 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1370 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1372 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1373 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1374 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1375 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1376 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1377 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1378 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1381 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1385 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1386 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1387 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1388 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1389 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1390 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1393 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1394 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1395 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1396 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1397 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1398 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1399 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1401 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1402 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1403 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1404 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1405 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1406 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1407 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1408 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1409 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1411 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1413 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1415 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1416 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1417 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1418 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1419 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1421 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1422 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1423 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1424 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1425 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1426 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1427 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1428 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1429 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1430 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1431 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1432 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1433 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1434 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1435 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1436 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1437 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1438 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1439 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1440 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1441 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1442 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1443 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1444 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1445 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1446 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1447 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1448 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1450 unsigned char res[33][2][32] = {
1451 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1452 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1453 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1454 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1455 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1456 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1457 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1458 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1459 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1460 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1461 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1462 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1463 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1464 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1465 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1466 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1467 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1468 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1469 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1470 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1471 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1472 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1473 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1474 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1475 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1476 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1477 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1478 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1479 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1480 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1481 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1482 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1483 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1484 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1485 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1486 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1487 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1488 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1489 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1490 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1491 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1492 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1493 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1494 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1495 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1496 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1497 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1498 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1499 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1500 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1501 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1502 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1503 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1504 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1505 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1506 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1507 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1508 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1509 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1510 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1511 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1512 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1513 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1514 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1515 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1516 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1517 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1518 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1519 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1520 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1521 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1522 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1523 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1524 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1525 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1526 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1527 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1528 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1529 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1530 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1531 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1532 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1533 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1534 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1535 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1536 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1537 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1538 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1539 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1540 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1541 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1542 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1543 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1544 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1545 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1546 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1547 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1548 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1549 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1550 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1551 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1552 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1553 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1554 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1555 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1556 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1557 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1558 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1559 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1560 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1561 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1562 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1563 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1564 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1565 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1566 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1567 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1568 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1569 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1570 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1571 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1572 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1573 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1574 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1575 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1576 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1577 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1578 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1579 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1580 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1581 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1582 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1583 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1584 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1585 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1586 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1587 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1588 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1589 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1590 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1591 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1592 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1593 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1594 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1595 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1596 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1597 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1598 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1599 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1600 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1601 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1602 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1603 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1604 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1605 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1606 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1607 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1608 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1609 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1610 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1611 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1614 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1615 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1616 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1617 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1619 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1622 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1623 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1627 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1628 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1629 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1630 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1631 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1632 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1633 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1634 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1635 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1636 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1637 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1638 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1639 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1640 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1641 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1642 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1643 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1645 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1646 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1647 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1648 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1649 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1650 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1651 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1652 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1653 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1654 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1655 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1659 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1660 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1661 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1662 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1663 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1664 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1665 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1666 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1667 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1668 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1669 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1670 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1671 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1672 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1673 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1674 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1675 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1676 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1677 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1678 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1679 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1680 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1681 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1682 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1683 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1684 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1685 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1686 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1687 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1688 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1689 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1690 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1691 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1692 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1693 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1694 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1695 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1696 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1697 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1698 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1699 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1700 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1701 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1702 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1703 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1704 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1705 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1706 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1707 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1708 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1709 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1710 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1711 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1712 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1713 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1714 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1716 secp256k1_scalar_set_int(&one, 1);
1717 for (i = 0; i < 33; i++) {
1718 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1720 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1722 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1724 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1726 secp256k1_scalar_mul(&z, &x, &y);
1727 CHECK(!secp256k1_scalar_check_overflow(&z));
1728 CHECK(secp256k1_scalar_eq(&r1, &z));
1729 if (!secp256k1_scalar_is_zero(&y)) {
1730 secp256k1_scalar_inverse(&zz, &y);
1731 CHECK(!secp256k1_scalar_check_overflow(&zz));
1732 #if defined(USE_SCALAR_INV_NUM)
1733 secp256k1_scalar_inverse_var(&zzv, &y);
1734 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1736 secp256k1_scalar_mul(&z, &z, &zz);
1737 CHECK(!secp256k1_scalar_check_overflow(&z));
1738 CHECK(secp256k1_scalar_eq(&x, &z));
1739 secp256k1_scalar_mul(&zz, &zz, &y);
1740 CHECK(!secp256k1_scalar_check_overflow(&zz));
1741 CHECK(secp256k1_scalar_eq(&one, &zz));
1743 secp256k1_scalar_mul(&z, &x, &x);
1744 CHECK(!secp256k1_scalar_check_overflow(&z));
1745 secp256k1_scalar_sqr(&zz, &x);
1746 CHECK(!secp256k1_scalar_check_overflow(&zz));
1747 CHECK(secp256k1_scalar_eq(&zz, &z));
1748 CHECK(secp256k1_scalar_eq(&r2, &zz));
1753 /***** FIELD TESTS *****/
1755 void random_fe(secp256k1_fe *x) {
1756 unsigned char bin[32];
1758 secp256k1_rand256(bin);
1759 if (secp256k1_fe_set_b32(x, bin)) {
1765 void random_fe_test(secp256k1_fe *x) {
1766 unsigned char bin[32];
1768 secp256k1_rand256_test(bin);
1769 if (secp256k1_fe_set_b32(x, bin)) {
1775 void random_fe_non_zero(secp256k1_fe *nz) {
1777 while (--tries >= 0) {
1779 secp256k1_fe_normalize(nz);
1780 if (!secp256k1_fe_is_zero(nz)) {
1784 /* Infinitesimal probability of spurious failure here */
1788 void random_fe_non_square(secp256k1_fe *ns) {
1790 random_fe_non_zero(ns);
1791 if (secp256k1_fe_sqrt(&r, ns)) {
1792 secp256k1_fe_negate(ns, ns, 1);
1796 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1797 secp256k1_fe an = *a;
1798 secp256k1_fe bn = *b;
1799 secp256k1_fe_normalize_weak(&an);
1800 secp256k1_fe_normalize_var(&bn);
1801 return secp256k1_fe_equal_var(&an, &bn);
1804 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1806 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1807 secp256k1_fe_mul(&x, a, ai);
1808 return check_fe_equal(&x, &one);
1811 void run_field_convert(void) {
1812 static const unsigned char b32[32] = {
1813 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1814 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1815 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1816 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1818 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1819 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1820 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1822 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1823 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1824 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1827 unsigned char b322[32];
1828 secp256k1_fe_storage fes2;
1829 /* Check conversions to fe. */
1830 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1831 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1832 secp256k1_fe_from_storage(&fe2, &fes);
1833 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1834 /* Check conversion from fe. */
1835 secp256k1_fe_get_b32(b322, &fe);
1836 CHECK(memcmp(b322, b32, 32) == 0);
1837 secp256k1_fe_to_storage(&fes2, &fe);
1838 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1841 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1842 secp256k1_fe t = *b;
1844 t.magnitude = a->magnitude;
1845 t.normalized = a->normalized;
1847 return memcmp(a, &t, sizeof(secp256k1_fe));
1850 void run_field_misc(void) {
1855 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1857 for (i = 0; i < 5*count; i++) {
1858 secp256k1_fe_storage xs, ys, zs;
1860 random_fe_non_zero(&y);
1861 /* Test the fe equality and comparison operations. */
1862 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1863 CHECK(secp256k1_fe_equal_var(&x, &x));
1865 secp256k1_fe_add(&z,&y);
1866 /* Test fe conditional move; z is not normalized here. */
1868 secp256k1_fe_cmov(&x, &z, 0);
1870 CHECK(x.normalized && x.magnitude == 1);
1872 secp256k1_fe_cmov(&x, &x, 1);
1873 CHECK(fe_memcmp(&x, &z) != 0);
1874 CHECK(fe_memcmp(&x, &q) == 0);
1875 secp256k1_fe_cmov(&q, &z, 1);
1877 CHECK(!q.normalized && q.magnitude == z.magnitude);
1879 CHECK(fe_memcmp(&q, &z) == 0);
1880 secp256k1_fe_normalize_var(&x);
1881 secp256k1_fe_normalize_var(&z);
1882 CHECK(!secp256k1_fe_equal_var(&x, &z));
1883 secp256k1_fe_normalize_var(&q);
1884 secp256k1_fe_cmov(&q, &z, (i&1));
1886 CHECK(q.normalized && q.magnitude == 1);
1888 for (j = 0; j < 6; j++) {
1889 secp256k1_fe_negate(&z, &z, j+1);
1890 secp256k1_fe_normalize_var(&q);
1891 secp256k1_fe_cmov(&q, &z, (j&1));
1893 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1896 secp256k1_fe_normalize_var(&z);
1897 /* Test storage conversion and conditional moves. */
1898 secp256k1_fe_to_storage(&xs, &x);
1899 secp256k1_fe_to_storage(&ys, &y);
1900 secp256k1_fe_to_storage(&zs, &z);
1901 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1902 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1903 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1904 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1905 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1906 secp256k1_fe_from_storage(&x, &xs);
1907 secp256k1_fe_from_storage(&y, &ys);
1908 secp256k1_fe_from_storage(&z, &zs);
1909 /* Test that mul_int, mul, and add agree. */
1910 secp256k1_fe_add(&y, &x);
1911 secp256k1_fe_add(&y, &x);
1913 secp256k1_fe_mul_int(&z, 3);
1914 CHECK(check_fe_equal(&y, &z));
1915 secp256k1_fe_add(&y, &x);
1916 secp256k1_fe_add(&z, &x);
1917 CHECK(check_fe_equal(&z, &y));
1919 secp256k1_fe_mul_int(&z, 5);
1920 secp256k1_fe_mul(&q, &x, &fe5);
1921 CHECK(check_fe_equal(&z, &q));
1922 secp256k1_fe_negate(&x, &x, 1);
1923 secp256k1_fe_add(&z, &x);
1924 secp256k1_fe_add(&q, &x);
1925 CHECK(check_fe_equal(&y, &z));
1926 CHECK(check_fe_equal(&q, &y));
1930 void run_field_inv(void) {
1931 secp256k1_fe x, xi, xii;
1933 for (i = 0; i < 10*count; i++) {
1934 random_fe_non_zero(&x);
1935 secp256k1_fe_inv(&xi, &x);
1936 CHECK(check_fe_inverse(&x, &xi));
1937 secp256k1_fe_inv(&xii, &xi);
1938 CHECK(check_fe_equal(&x, &xii));
1942 void run_field_inv_var(void) {
1943 secp256k1_fe x, xi, xii;
1945 for (i = 0; i < 10*count; i++) {
1946 random_fe_non_zero(&x);
1947 secp256k1_fe_inv_var(&xi, &x);
1948 CHECK(check_fe_inverse(&x, &xi));
1949 secp256k1_fe_inv_var(&xii, &xi);
1950 CHECK(check_fe_equal(&x, &xii));
1954 void run_field_inv_all_var(void) {
1955 secp256k1_fe x[16], xi[16], xii[16];
1957 /* Check it's safe to call for 0 elements */
1958 secp256k1_fe_inv_all_var(xi, x, 0);
1959 for (i = 0; i < count; i++) {
1961 size_t len = secp256k1_rand_int(15) + 1;
1962 for (j = 0; j < len; j++) {
1963 random_fe_non_zero(&x[j]);
1965 secp256k1_fe_inv_all_var(xi, x, len);
1966 for (j = 0; j < len; j++) {
1967 CHECK(check_fe_inverse(&x[j], &xi[j]));
1969 secp256k1_fe_inv_all_var(xii, xi, len);
1970 for (j = 0; j < len; j++) {
1971 CHECK(check_fe_equal(&x[j], &xii[j]));
1976 void run_sqr(void) {
1981 secp256k1_fe_set_int(&x, 1);
1982 secp256k1_fe_negate(&x, &x, 1);
1984 for (i = 1; i <= 512; ++i) {
1985 secp256k1_fe_mul_int(&x, 2);
1986 secp256k1_fe_normalize(&x);
1987 secp256k1_fe_sqr(&s, &x);
1992 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1993 secp256k1_fe r1, r2;
1994 int v = secp256k1_fe_sqrt(&r1, a);
1995 CHECK((v == 0) == (k == NULL));
1998 /* Check that the returned root is +/- the given known answer */
1999 secp256k1_fe_negate(&r2, &r1, 1);
2000 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2001 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2002 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2006 void run_sqrt(void) {
2007 secp256k1_fe ns, x, s, t;
2010 /* Check sqrt(0) is 0 */
2011 secp256k1_fe_set_int(&x, 0);
2012 secp256k1_fe_sqr(&s, &x);
2015 /* Check sqrt of small squares (and their negatives) */
2016 for (i = 1; i <= 100; i++) {
2017 secp256k1_fe_set_int(&x, i);
2018 secp256k1_fe_sqr(&s, &x);
2020 secp256k1_fe_negate(&t, &s, 1);
2021 test_sqrt(&t, NULL);
2024 /* Consistency checks for large random values */
2025 for (i = 0; i < 10; i++) {
2027 random_fe_non_square(&ns);
2028 for (j = 0; j < count; j++) {
2030 secp256k1_fe_sqr(&s, &x);
2032 secp256k1_fe_negate(&t, &s, 1);
2033 test_sqrt(&t, NULL);
2034 secp256k1_fe_mul(&t, &s, &ns);
2035 test_sqrt(&t, NULL);
2040 /***** GROUP TESTS *****/
2042 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2043 CHECK(a->infinity == b->infinity);
2047 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2048 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2051 /* This compares jacobian points including their Z, not just their geometric meaning. */
2052 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2056 ret &= a->infinity == b->infinity;
2057 if (ret && !a->infinity) {
2060 secp256k1_fe_normalize(&a2.x);
2061 secp256k1_fe_normalize(&a2.y);
2062 secp256k1_fe_normalize(&a2.z);
2063 secp256k1_fe_normalize(&b2.x);
2064 secp256k1_fe_normalize(&b2.y);
2065 secp256k1_fe_normalize(&b2.z);
2066 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2067 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2068 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2073 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2075 secp256k1_fe u1, u2, s1, s2;
2076 CHECK(a->infinity == b->infinity);
2080 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2081 secp256k1_fe_sqr(&z2s, &b->z);
2082 secp256k1_fe_mul(&u1, &a->x, &z2s);
2083 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2084 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2085 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2086 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2087 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2090 void test_ge(void) {
2092 #ifdef USE_ENDOMORPHISM
2097 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2098 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2099 * All magnitudes are randomized.
2100 * All 17*17 combinations of points are added to each other, using all applicable methods.
2102 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
2104 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2105 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2106 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2108 secp256k1_fe zfi2, zfi3;
2110 secp256k1_gej_set_infinity(&gej[0]);
2111 secp256k1_ge_clear(&ge[0]);
2112 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2113 for (i = 0; i < runs; i++) {
2116 random_group_element_test(&g);
2117 #ifdef USE_ENDOMORPHISM
2118 if (i >= runs - 2) {
2119 secp256k1_ge_mul_lambda(&g, &ge[1]);
2121 if (i >= runs - 1) {
2122 secp256k1_ge_mul_lambda(&g, &g);
2127 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2128 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2129 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2130 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2131 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2132 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2133 for (j = 0; j < 4; j++) {
2134 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2135 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2136 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2137 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2138 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2142 /* Compute z inverses. */
2144 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2145 for (i = 0; i < 4 * runs + 1; i++) {
2147 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2149 random_field_element_test(&zs[i]);
2150 } while(secp256k1_fe_is_zero(&zs[i]));
2155 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2159 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2161 random_field_element_test(&zf);
2162 } while(secp256k1_fe_is_zero(&zf));
2163 random_field_element_magnitude(&zf);
2164 secp256k1_fe_inv_var(&zfi3, &zf);
2165 secp256k1_fe_sqr(&zfi2, &zfi3);
2166 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2168 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2170 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2171 /* Compute reference result using gej + gej (var). */
2172 secp256k1_gej refj, resj;
2175 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2176 /* Check Z ratio. */
2177 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2178 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2179 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2181 secp256k1_ge_set_gej_var(&ref, &refj);
2183 /* Test gej + ge with Z ratio result (var). */
2184 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2185 ge_equals_gej(&ref, &resj);
2186 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2187 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2188 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2191 /* Test gej + ge (var, with additional Z factor). */
2193 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2194 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2195 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2196 random_field_element_magnitude(&ge2_zfi.x);
2197 random_field_element_magnitude(&ge2_zfi.y);
2198 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2199 ge_equals_gej(&ref, &resj);
2202 /* Test gej + ge (const). */
2204 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2205 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2206 ge_equals_gej(&ref, &resj);
2209 /* Test doubling (var). */
2210 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2212 /* Normal doubling with Z ratio result. */
2213 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2214 ge_equals_gej(&ref, &resj);
2215 /* Check Z ratio. */
2216 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2217 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2218 /* Normal doubling. */
2219 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2220 ge_equals_gej(&ref, &resj);
2221 /* Constant-time doubling. */
2222 secp256k1_gej_double(&resj, &gej[i2]);
2223 ge_equals_gej(&ref, &resj);
2226 /* Test adding opposites. */
2227 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2228 CHECK(secp256k1_ge_is_infinity(&ref));
2231 /* Test adding infinity. */
2233 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2234 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2235 ge_equals_gej(&ref, &gej[i2]);
2238 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2239 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2240 ge_equals_gej(&ref, &gej[i1]);
2245 /* Test adding all points together in random order equals infinity. */
2247 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2248 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2249 for (i = 0; i < 4 * runs + 1; i++) {
2250 gej_shuffled[i] = gej[i];
2252 for (i = 0; i < 4 * runs + 1; i++) {
2253 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2255 secp256k1_gej t = gej_shuffled[i];
2256 gej_shuffled[i] = gej_shuffled[swap];
2257 gej_shuffled[swap] = t;
2260 for (i = 0; i < 4 * runs + 1; i++) {
2261 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2263 CHECK(secp256k1_gej_is_infinity(&sum));
2267 /* Test batch gej -> ge conversion with and without known z ratios. */
2269 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2270 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2271 for (i = 0; i < 4 * runs + 1; i++) {
2272 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2274 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2277 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2278 for (i = 0; i < 4 * runs + 1; i++) {
2280 random_fe_non_zero(&s);
2281 secp256k1_gej_rescale(&gej[i], &s);
2282 ge_equals_gej(&ge_set_all[i], &gej[i]);
2288 /* Test batch gej -> ge conversion with many infinities. */
2289 for (i = 0; i < 4 * runs + 1; i++) {
2290 random_group_element_test(&ge[i]);
2291 /* randomly set half the points to infinity */
2292 if(secp256k1_fe_is_odd(&ge[i].x)) {
2293 secp256k1_ge_set_infinity(&ge[i]);
2295 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2298 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2300 for (i = 0; i < 4 * runs + 1; i++) {
2301 ge_equals_gej(&ge[i], &gej[i]);
2309 void test_add_neg_y_diff_x(void) {
2310 /* The point of this test is to check that we can add two points
2311 * whose y-coordinates are negatives of each other but whose x
2312 * coordinates differ. If the x-coordinates were the same, these
2313 * points would be negatives of each other and their sum is
2314 * infinity. This is cool because it "covers up" any degeneracy
2315 * in the addition algorithm that would cause the xy coordinates
2316 * of the sum to be wrong (since infinity has no xy coordinates).
2317 * HOWEVER, if the x-coordinates are different, infinity is the
2318 * wrong answer, and such degeneracies are exposed. This is the
2319 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2320 * which this test is a regression test for.
2322 * These points were generated in sage as
2323 * # secp256k1 params
2324 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2325 * C = EllipticCurve ([F (0), F (7)])
2326 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2327 * N = FiniteField(G.order())
2329 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2331 * lam = (1 - x^3).roots()[1][0]
2333 * # random "bad pair"
2334 * P = C.random_element()
2336 * print " P: %x %x" % P.xy()
2337 * print " Q: %x %x" % Q.xy()
2338 * print "P + Q: %x %x" % (P + Q).xy()
2340 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2341 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2342 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2343 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2344 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2346 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2347 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2348 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2349 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2350 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2352 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2353 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2354 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2355 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2356 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2361 secp256k1_ge_set_gej(&b, &bj);
2363 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2364 secp256k1_ge_set_gej(&res, &resj);
2365 ge_equals_gej(&res, &sumj);
2367 secp256k1_gej_add_ge(&resj, &aj, &b);
2368 secp256k1_ge_set_gej(&res, &resj);
2369 ge_equals_gej(&res, &sumj);
2371 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2372 secp256k1_ge_set_gej(&res, &resj);
2373 ge_equals_gej(&res, &sumj);
2378 for (i = 0; i < count * 32; i++) {
2381 test_add_neg_y_diff_x();
2384 void test_ec_combine(void) {
2385 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2386 secp256k1_pubkey data[6];
2387 const secp256k1_pubkey* d[6];
2388 secp256k1_pubkey sd;
2389 secp256k1_pubkey sd2;
2393 for (i = 1; i <= 6; i++) {
2395 random_scalar_order_test(&s);
2396 secp256k1_scalar_add(&sum, &sum, &s);
2397 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2398 secp256k1_ge_set_gej(&Q, &Qj);
2399 secp256k1_pubkey_save(&data[i - 1], &Q);
2400 d[i - 1] = &data[i - 1];
2401 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2402 secp256k1_ge_set_gej(&Q, &Qj);
2403 secp256k1_pubkey_save(&sd, &Q);
2404 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2405 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2409 void run_ec_combine(void) {
2411 for (i = 0; i < count * 8; i++) {
2416 void test_group_decompress(const secp256k1_fe* x) {
2417 /* The input itself, normalized. */
2418 secp256k1_fe fex = *x;
2420 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2421 secp256k1_ge ge_quad, ge_even, ge_odd;
2422 secp256k1_gej gej_quad;
2423 /* Return values of the above calls. */
2424 int res_quad, res_even, res_odd;
2426 secp256k1_fe_normalize_var(&fex);
2428 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2429 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2430 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2432 CHECK(res_quad == res_even);
2433 CHECK(res_quad == res_odd);
2436 secp256k1_fe_normalize_var(&ge_quad.x);
2437 secp256k1_fe_normalize_var(&ge_odd.x);
2438 secp256k1_fe_normalize_var(&ge_even.x);
2439 secp256k1_fe_normalize_var(&ge_quad.y);
2440 secp256k1_fe_normalize_var(&ge_odd.y);
2441 secp256k1_fe_normalize_var(&ge_even.y);
2443 /* No infinity allowed. */
2444 CHECK(!ge_quad.infinity);
2445 CHECK(!ge_even.infinity);
2446 CHECK(!ge_odd.infinity);
2448 /* Check that the x coordinates check out. */
2449 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2450 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2451 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2453 /* Check that the Y coordinate result in ge_quad is a square. */
2454 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2456 /* Check odd/even Y in ge_odd, ge_even. */
2457 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2458 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2460 /* Check secp256k1_gej_has_quad_y_var. */
2461 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2462 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2464 random_fe_test(&fez);
2465 } while (secp256k1_fe_is_zero(&fez));
2466 secp256k1_gej_rescale(&gej_quad, &fez);
2467 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2468 secp256k1_gej_neg(&gej_quad, &gej_quad);
2469 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2471 random_fe_test(&fez);
2472 } while (secp256k1_fe_is_zero(&fez));
2473 secp256k1_gej_rescale(&gej_quad, &fez);
2474 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2475 secp256k1_gej_neg(&gej_quad, &gej_quad);
2476 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2480 void run_group_decompress(void) {
2482 for (i = 0; i < count * 4; i++) {
2484 random_fe_test(&fe);
2485 test_group_decompress(&fe);
2489 /***** ECMULT TESTS *****/
2491 void run_ecmult_chain(void) {
2492 /* random starting point A (on the curve) */
2493 secp256k1_gej a = SECP256K1_GEJ_CONST(
2494 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2495 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2496 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2497 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2499 /* two random initial factors xn and gn */
2500 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2501 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2502 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2504 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2505 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2506 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2508 /* two small multipliers to be applied to xn and gn in every iteration: */
2509 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2510 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2511 /* accumulators with the resulting coefficients to A and G */
2512 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2513 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2519 /* the point being computed */
2521 for (i = 0; i < 200*count; i++) {
2522 /* in each iteration, compute X = xn*X + gn*G; */
2523 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2524 /* also compute ae and ge: the actual accumulated factors for A and G */
2525 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2526 secp256k1_scalar_mul(&ae, &ae, &xn);
2527 secp256k1_scalar_mul(&ge, &ge, &xn);
2528 secp256k1_scalar_add(&ge, &ge, &gn);
2529 /* modify xn and gn */
2530 secp256k1_scalar_mul(&xn, &xn, &xf);
2531 secp256k1_scalar_mul(&gn, &gn, &gf);
2535 /* expected result after 19999 iterations */
2536 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2537 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2538 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2539 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2540 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2543 secp256k1_gej_neg(&rp, &rp);
2544 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2545 CHECK(secp256k1_gej_is_infinity(&rp));
2548 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2549 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2550 secp256k1_gej_neg(&x2, &x2);
2551 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2552 CHECK(secp256k1_gej_is_infinity(&x2));
2555 void test_point_times_order(const secp256k1_gej *point) {
2556 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2558 secp256k1_scalar nx;
2559 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2560 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2561 secp256k1_gej res1, res2;
2563 unsigned char pub[65];
2565 random_scalar_order_test(&x);
2566 secp256k1_scalar_negate(&nx, &x);
2567 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2568 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2569 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2570 CHECK(secp256k1_gej_is_infinity(&res1));
2571 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2572 secp256k1_ge_set_gej(&res3, &res1);
2573 CHECK(secp256k1_ge_is_infinity(&res3));
2574 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2575 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2577 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2578 /* check zero/one edge cases */
2579 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2580 secp256k1_ge_set_gej(&res3, &res1);
2581 CHECK(secp256k1_ge_is_infinity(&res3));
2582 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2583 secp256k1_ge_set_gej(&res3, &res1);
2584 ge_equals_gej(&res3, point);
2585 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2586 secp256k1_ge_set_gej(&res3, &res1);
2587 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2590 void run_point_times_order(void) {
2592 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2593 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2594 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2595 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2597 for (i = 0; i < 500; i++) {
2599 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2601 CHECK(secp256k1_ge_is_valid_var(&p));
2602 secp256k1_gej_set_ge(&j, &p);
2603 CHECK(secp256k1_gej_is_valid_var(&j));
2604 test_point_times_order(&j);
2606 secp256k1_fe_sqr(&x, &x);
2608 secp256k1_fe_normalize_var(&x);
2609 CHECK(secp256k1_fe_equal_var(&x, &xr));
2612 void ecmult_const_random_mult(void) {
2613 /* random starting point A (on the curve) */
2614 secp256k1_ge a = SECP256K1_GE_CONST(
2615 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2616 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2617 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2618 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2620 /* random initial factor xn */
2621 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2622 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2623 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2625 /* expected xn * A (from sage) */
2626 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2627 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2628 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2629 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2630 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2633 secp256k1_ecmult_const(&b, &a, &xn, 256);
2635 CHECK(secp256k1_ge_is_valid_var(&a));
2636 ge_equals_gej(&expected_b, &b);
2639 void ecmult_const_commutativity(void) {
2646 random_scalar_order_test(&a);
2647 random_scalar_order_test(&b);
2649 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2650 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2651 secp256k1_ge_set_gej(&mid1, &res1);
2652 secp256k1_ge_set_gej(&mid2, &res2);
2653 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2654 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2655 secp256k1_ge_set_gej(&mid1, &res1);
2656 secp256k1_ge_set_gej(&mid2, &res2);
2657 ge_equals_ge(&mid1, &mid2);
2660 void ecmult_const_mult_zero_one(void) {
2661 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2662 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2663 secp256k1_scalar negone;
2667 secp256k1_scalar_negate(&negone, &one);
2669 random_group_element_test(&point);
2670 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2671 secp256k1_ge_set_gej(&res2, &res1);
2672 CHECK(secp256k1_ge_is_infinity(&res2));
2673 secp256k1_ecmult_const(&res1, &point, &one, 2);
2674 secp256k1_ge_set_gej(&res2, &res1);
2675 ge_equals_ge(&res2, &point);
2676 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2677 secp256k1_gej_neg(&res1, &res1);
2678 secp256k1_ge_set_gej(&res2, &res1);
2679 ge_equals_ge(&res2, &point);
2682 void ecmult_const_chain_multiply(void) {
2683 /* Check known result (randomly generated test problem from sage) */
2684 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2685 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2686 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2688 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2689 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2690 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2691 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2692 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2694 secp256k1_gej point;
2698 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2699 for (i = 0; i < 100; ++i) {
2701 secp256k1_ge_set_gej(&tmp, &point);
2702 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2704 secp256k1_ge_set_gej(&res, &point);
2705 ge_equals_gej(&res, &expected_point);
2708 void run_ecmult_const_tests(void) {
2709 ecmult_const_mult_zero_one();
2710 ecmult_const_random_mult();
2711 ecmult_const_commutativity();
2712 ecmult_const_chain_multiply();
2716 secp256k1_scalar *sc;
2718 } ecmult_multi_data;
2720 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2721 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2722 *sc = data->sc[idx];
2723 *pt = data->pt[idx];
2727 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2735 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2737 secp256k1_scalar szero;
2738 secp256k1_scalar sc[32];
2739 secp256k1_ge pt[32];
2742 ecmult_multi_data data;
2746 secp256k1_scalar_set_int(&szero, 0);
2748 /* No points to multiply */
2749 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2751 /* Check 1- and 2-point multiplies against ecmult */
2752 for (ncount = 0; ncount < count; ncount++) {
2755 random_scalar_order(&sc[0]);
2756 random_scalar_order(&sc[1]);
2758 random_group_element_test(&ptg);
2759 secp256k1_gej_set_ge(&ptgj, &ptg);
2761 pt[1] = secp256k1_ge_const_g;
2764 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2765 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2766 secp256k1_gej_neg(&r2, &r2);
2767 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2768 CHECK(secp256k1_gej_is_infinity(&r));
2771 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2772 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2773 secp256k1_gej_neg(&r2, &r2);
2774 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2775 CHECK(secp256k1_gej_is_infinity(&r));
2777 /* Try to multiply 1 point, but callback returns false */
2778 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2781 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2782 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2783 secp256k1_gej_neg(&r2, &r2);
2784 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2785 CHECK(secp256k1_gej_is_infinity(&r));
2787 /* 2-point with G scalar */
2788 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2789 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2790 secp256k1_gej_neg(&r2, &r2);
2791 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2792 CHECK(secp256k1_gej_is_infinity(&r));
2795 /* Check infinite outputs of various forms */
2796 for (ncount = 0; ncount < count; ncount++) {
2799 size_t sizes[] = { 2, 10, 32 };
2801 for (j = 0; j < 3; j++) {
2802 for (i = 0; i < 32; i++) {
2803 random_scalar_order(&sc[i]);
2804 secp256k1_ge_set_infinity(&pt[i]);
2806 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2807 CHECK(secp256k1_gej_is_infinity(&r));
2810 for (j = 0; j < 3; j++) {
2811 for (i = 0; i < 32; i++) {
2812 random_group_element_test(&ptg);
2814 secp256k1_scalar_set_int(&sc[i], 0);
2816 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2817 CHECK(secp256k1_gej_is_infinity(&r));
2820 for (j = 0; j < 3; j++) {
2821 random_group_element_test(&ptg);
2822 for (i = 0; i < 16; i++) {
2823 random_scalar_order(&sc[2*i]);
2824 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2826 pt[2 * i + 1] = ptg;
2829 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2830 CHECK(secp256k1_gej_is_infinity(&r));
2832 random_scalar_order(&sc[0]);
2833 for (i = 0; i < 16; i++) {
2834 random_group_element_test(&ptg);
2839 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2842 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2843 CHECK(secp256k1_gej_is_infinity(&r));
2846 random_group_element_test(&ptg);
2847 secp256k1_scalar_set_int(&sc[0], 0);
2849 for (i = 1; i < 32; i++) {
2852 random_scalar_order(&sc[i]);
2853 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2854 secp256k1_scalar_negate(&sc[i], &sc[i]);
2857 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2858 CHECK(secp256k1_gej_is_infinity(&r));
2861 /* Check random points, constant scalar */
2862 for (ncount = 0; ncount < count; ncount++) {
2864 secp256k1_gej_set_infinity(&r);
2866 random_scalar_order(&sc[0]);
2867 for (i = 0; i < 20; i++) {
2870 random_group_element_test(&ptg);
2872 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2875 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2876 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2877 secp256k1_gej_neg(&r2, &r2);
2878 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2879 CHECK(secp256k1_gej_is_infinity(&r));
2882 /* Check random scalars, constant point */
2883 for (ncount = 0; ncount < count; ncount++) {
2887 secp256k1_scalar rs;
2888 secp256k1_scalar_set_int(&rs, 0);
2890 random_group_element_test(&ptg);
2891 for (i = 0; i < 20; i++) {
2892 random_scalar_order(&sc[i]);
2894 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2897 secp256k1_gej_set_ge(&p0j, &pt[0]);
2898 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2899 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2900 secp256k1_gej_neg(&r2, &r2);
2901 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2902 CHECK(secp256k1_gej_is_infinity(&r));
2905 /* Sanity check that zero scalars don't cause problems */
2906 for (ncount = 0; ncount < 20; ncount++) {
2907 random_scalar_order(&sc[ncount]);
2908 random_group_element_test(&pt[ncount]);
2911 secp256k1_scalar_clear(&sc[0]);
2912 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2913 secp256k1_scalar_clear(&sc[1]);
2914 secp256k1_scalar_clear(&sc[2]);
2915 secp256k1_scalar_clear(&sc[3]);
2916 secp256k1_scalar_clear(&sc[4]);
2917 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2918 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2919 CHECK(secp256k1_gej_is_infinity(&r));
2921 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2923 const size_t TOP = 8;
2929 random_group_element_test(&ptg);
2930 secp256k1_gej_set_ge(&ptgj, &ptg);
2932 for(t0i = 0; t0i < TOP; t0i++) {
2933 for(t1i = 0; t1i < TOP; t1i++) {
2934 secp256k1_gej t0p, t1p;
2935 secp256k1_scalar t0, t1;
2937 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2938 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2939 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2940 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2942 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2943 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2945 for(s0i = 0; s0i < TOP; s0i++) {
2946 for(s1i = 0; s1i < TOP; s1i++) {
2947 secp256k1_scalar tmp1, tmp2;
2948 secp256k1_gej expected, actual;
2950 secp256k1_ge_set_gej(&pt[0], &t0p);
2951 secp256k1_ge_set_gej(&pt[1], &t1p);
2953 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2954 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2955 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2956 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2958 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2959 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2960 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2962 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2963 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2964 secp256k1_gej_neg(&expected, &expected);
2965 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2966 CHECK(secp256k1_gej_is_infinity(&actual));
2974 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2975 secp256k1_scalar szero;
2976 secp256k1_scalar sc;
2979 ecmult_multi_data data;
2980 secp256k1_scratch *scratch_empty;
2982 random_group_element_test(&pt);
2983 random_scalar_order(&sc);
2986 secp256k1_scalar_set_int(&szero, 0);
2988 /* Try to multiply 1 point, but scratch space is empty.*/
2989 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2990 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2991 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
2994 void test_secp256k1_pippenger_bucket_window_inv(void) {
2997 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2998 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2999 #ifdef USE_ENDOMORPHISM
3000 /* Bucket_window of 8 is not used with endo */
3005 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3006 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3007 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3013 * Probabilistically test the function returning the maximum number of possible points
3014 * for a given scratch space.
3016 void test_ecmult_multi_pippenger_max_points(void) {
3017 size_t scratch_size = secp256k1_rand_int(256);
3018 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3019 secp256k1_scratch *scratch;
3020 size_t n_points_supported;
3021 int bucket_window = 0;
3023 for(; scratch_size < max_size; scratch_size+=256) {
3027 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3028 CHECK(scratch != NULL);
3029 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3030 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3031 if (n_points_supported == 0) {
3032 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3035 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3036 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3037 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3038 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3039 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3042 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3043 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3044 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3046 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3049 void test_ecmult_multi_batch_size_helper(void) {
3050 size_t n_batches, n_batch_points, max_n_batch_points, n;
3052 max_n_batch_points = 0;
3054 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3056 max_n_batch_points = 1;
3058 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3059 CHECK(n_batches == 0);
3060 CHECK(n_batch_points == 0);
3062 max_n_batch_points = 2;
3064 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3065 CHECK(n_batches == 3);
3066 CHECK(n_batch_points == 2);
3068 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3069 n = ECMULT_MAX_POINTS_PER_BATCH;
3070 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3071 CHECK(n_batches == 1);
3072 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3074 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3075 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3076 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3077 CHECK(n_batches == 2);
3078 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3080 max_n_batch_points = 1;
3082 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3083 CHECK(n_batches == SIZE_MAX);
3084 CHECK(n_batch_points == 1);
3086 max_n_batch_points = 2;
3088 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3089 CHECK(n_batches == SIZE_MAX/2 + 1);
3090 CHECK(n_batch_points == 2);
3094 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3095 * 1 <= i <= num points.
3097 void test_ecmult_multi_batching(void) {
3098 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3099 secp256k1_scalar scG;
3100 secp256k1_scalar szero;
3101 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3102 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3105 ecmult_multi_data data;
3107 secp256k1_scratch *scratch;
3109 secp256k1_gej_set_infinity(&r2);
3110 secp256k1_scalar_set_int(&szero, 0);
3112 /* Get random scalars and group elements and compute result */
3113 random_scalar_order(&scG);
3114 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3115 for(i = 0; i < n_points; i++) {
3118 random_group_element_test(&ptg);
3119 secp256k1_gej_set_ge(&ptgj, &ptg);
3121 random_scalar_order(&sc[i]);
3122 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3123 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3127 secp256k1_gej_neg(&r2, &r2);
3129 /* Test with empty scratch space. It should compute the correct result using
3130 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3131 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3132 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3133 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3134 CHECK(secp256k1_gej_is_infinity(&r));
3135 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3137 /* Test with space for 1 point in pippenger. That's not enough because
3138 * ecmult_multi selects strauss which requires more memory. It should
3139 * therefore select the simple algorithm. */
3140 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3141 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3142 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3143 CHECK(secp256k1_gej_is_infinity(&r));
3144 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3146 for(i = 1; i <= n_points; i++) {
3147 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3148 int bucket_window = secp256k1_pippenger_bucket_window(i);
3149 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3150 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3152 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3153 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3155 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3156 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3157 CHECK(secp256k1_gej_is_infinity(&r));
3158 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3164 void run_ecmult_multi_tests(void) {
3165 secp256k1_scratch *scratch;
3167 test_secp256k1_pippenger_bucket_window_inv();
3168 test_ecmult_multi_pippenger_max_points();
3169 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3170 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3171 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3172 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3173 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3174 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3175 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3176 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3178 /* Run test_ecmult_multi with space for exactly one point */
3179 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3180 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3181 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3183 test_ecmult_multi_batch_size_helper();
3184 test_ecmult_multi_batching();
3187 void test_wnaf(const secp256k1_scalar *number, int w) {
3188 secp256k1_scalar x, two, t;
3193 secp256k1_scalar_set_int(&x, 0);
3194 secp256k1_scalar_set_int(&two, 2);
3195 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3197 for (i = bits-1; i >= 0; i--) {
3199 secp256k1_scalar_mul(&x, &x, &two);
3201 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3203 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3204 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3205 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3207 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3211 secp256k1_scalar_set_int(&t, v);
3213 secp256k1_scalar_set_int(&t, -v);
3214 secp256k1_scalar_negate(&t, &t);
3216 secp256k1_scalar_add(&x, &x, &t);
3218 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3221 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3222 secp256k1_scalar neg1 = *number;
3223 secp256k1_scalar neg2 = *number;
3227 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3228 secp256k1_scalar_negate(&neg1, &neg1);
3231 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3232 CHECK(sign1 == sign2);
3233 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3236 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3237 secp256k1_scalar x, shift;
3238 int wnaf[256] = {0};
3242 secp256k1_scalar num = *number;
3243 secp256k1_scalar scalar_skew;
3245 secp256k1_scalar_set_int(&x, 0);
3246 secp256k1_scalar_set_int(&shift, 1 << w);
3247 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3248 #ifdef USE_ENDOMORPHISM
3249 for (i = 0; i < 16; ++i) {
3250 secp256k1_scalar_shr_int(&num, 8);
3254 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3256 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3259 CHECK(v != 0); /* check nonzero */
3260 CHECK(v & 1); /* check parity */
3261 CHECK(v > -(1 << w)); /* check range above */
3262 CHECK(v < (1 << w)); /* check range below */
3264 secp256k1_scalar_mul(&x, &x, &shift);
3266 secp256k1_scalar_set_int(&t, v);
3268 secp256k1_scalar_set_int(&t, -v);
3269 secp256k1_scalar_negate(&t, &t);
3271 secp256k1_scalar_add(&x, &x, &t);
3273 /* Skew num because when encoding numbers as odd we use an offset */
3274 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3275 secp256k1_scalar_add(&num, &num, &scalar_skew);
3276 CHECK(secp256k1_scalar_eq(&x, &num));
3279 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3280 secp256k1_scalar x, shift;
3281 int wnaf[256] = {0};
3284 secp256k1_scalar num = *number;
3286 secp256k1_scalar_set_int(&x, 0);
3287 secp256k1_scalar_set_int(&shift, 1 << w);
3288 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3289 #ifdef USE_ENDOMORPHISM
3290 for (i = 0; i < 16; ++i) {
3291 secp256k1_scalar_shr_int(&num, 8);
3294 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3296 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3299 CHECK(v == 0 || v & 1); /* check parity */
3300 CHECK(v > -(1 << w)); /* check range above */
3301 CHECK(v < (1 << w)); /* check range below */
3303 secp256k1_scalar_mul(&x, &x, &shift);
3305 secp256k1_scalar_set_int(&t, v);
3307 secp256k1_scalar_set_int(&t, -v);
3308 secp256k1_scalar_negate(&t, &t);
3310 secp256k1_scalar_add(&x, &x, &t);
3312 /* If skew is 1 then add 1 to num */
3313 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3314 CHECK(secp256k1_scalar_eq(&x, &num));
3317 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3319 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3321 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3322 CHECK(wnaf[i] == 0);
3324 for (i = 7; i >= 0; --i) {
3325 CHECK(wnaf[i] == wnaf_expected[i]);
3329 void test_fixed_wnaf_small(void) {
3331 int wnaf[256] = {0};
3334 secp256k1_scalar num;
3336 secp256k1_scalar_set_int(&num, 0);
3337 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3338 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3344 secp256k1_scalar_set_int(&num, 1);
3345 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3346 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3350 CHECK(wnaf[0] == 1);
3354 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3355 secp256k1_scalar_set_int(&num, 0xffffffff);
3356 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3357 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3361 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3362 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3363 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3364 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3368 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3369 secp256k1_scalar_set_int(&num, 0x01010101);
3370 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3371 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3375 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3376 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3377 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3378 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3383 void run_wnaf(void) {
3385 secp256k1_scalar n = {{0}};
3387 test_constant_wnaf(&n, 4);
3388 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3389 * have easier-to-diagnose failure modes */
3391 test_constant_wnaf(&n, 4);
3393 test_constant_wnaf(&n, 4);
3394 /* Test -1, because it's a special case in wnaf_const */
3395 n = secp256k1_scalar_one;
3396 secp256k1_scalar_negate(&n, &n);
3397 test_constant_wnaf(&n, 4);
3399 /* Test -2, which may not lead to overflows in wnaf_const */
3400 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3401 secp256k1_scalar_negate(&n, &n);
3402 test_constant_wnaf(&n, 4);
3404 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3405 as corner cases of negation handling in wnaf_const */
3406 secp256k1_scalar_inverse(&n, &n);
3407 test_constant_wnaf(&n, 4);
3409 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3410 test_constant_wnaf(&n, 4);
3412 /* Test 0 for fixed wnaf */
3413 test_fixed_wnaf_small();
3415 for (i = 0; i < count; i++) {
3416 random_scalar_order(&n);
3417 test_wnaf(&n, 4+(i%10));
3418 test_constant_wnaf_negate(&n);
3419 test_constant_wnaf(&n, 4 + (i % 10));
3420 test_fixed_wnaf(&n, 4 + (i % 10));
3422 secp256k1_scalar_set_int(&n, 0);
3423 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3424 CHECK(secp256k1_scalar_is_zero(&n));
3425 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3426 CHECK(secp256k1_scalar_is_zero(&n));
3429 void test_ecmult_constants(void) {
3430 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3436 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3437 for (i = 0; i < 36; i++ ) {
3438 secp256k1_scalar_set_int(&x, i);
3439 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3440 for (j = 0; j < i; j++) {
3442 ge_equals_gej(&secp256k1_ge_const_g, &r);
3444 secp256k1_gej_add_ge(&r, &r, &ng);
3446 CHECK(secp256k1_gej_is_infinity(&r));
3448 for (i = 1; i <= 36; i++ ) {
3449 secp256k1_scalar_set_int(&x, i);
3450 secp256k1_scalar_negate(&x, &x);
3451 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3452 for (j = 0; j < i; j++) {
3454 ge_equals_gej(&ng, &r);
3456 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3458 CHECK(secp256k1_gej_is_infinity(&r));
3462 void run_ecmult_constants(void) {
3463 test_ecmult_constants();
3466 void test_ecmult_gen_blind(void) {
3467 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3468 secp256k1_scalar key;
3470 unsigned char seed32[32];
3472 secp256k1_gej pgej2;
3475 random_scalar_order_test(&key);
3476 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3477 secp256k1_rand256(seed32);
3478 b = ctx->ecmult_gen_ctx.blind;
3479 i = ctx->ecmult_gen_ctx.initial;
3480 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3481 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3482 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3483 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3484 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3485 secp256k1_ge_set_gej(&pge, &pgej);
3486 ge_equals_gej(&pge, &pgej2);
3489 void test_ecmult_gen_blind_reset(void) {
3490 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3492 secp256k1_gej initial;
3493 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3494 b = ctx->ecmult_gen_ctx.blind;
3495 initial = ctx->ecmult_gen_ctx.initial;
3496 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3497 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3498 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3501 void run_ecmult_gen_blind(void) {
3503 test_ecmult_gen_blind_reset();
3504 for (i = 0; i < 10; i++) {
3505 test_ecmult_gen_blind();
3509 #ifdef USE_ENDOMORPHISM
3510 /***** ENDOMORPHISH TESTS *****/
3511 void test_scalar_split(void) {
3512 secp256k1_scalar full;
3513 secp256k1_scalar s1, slam;
3514 const unsigned char zero[32] = {0};
3515 unsigned char tmp[32];
3517 random_scalar_order_test(&full);
3518 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3520 /* check that both are <= 128 bits in size */
3521 if (secp256k1_scalar_is_high(&s1)) {
3522 secp256k1_scalar_negate(&s1, &s1);
3524 if (secp256k1_scalar_is_high(&slam)) {
3525 secp256k1_scalar_negate(&slam, &slam);
3528 secp256k1_scalar_get_b32(tmp, &s1);
3529 CHECK(memcmp(zero, tmp, 16) == 0);
3530 secp256k1_scalar_get_b32(tmp, &slam);
3531 CHECK(memcmp(zero, tmp, 16) == 0);
3534 void run_endomorphism_tests(void) {
3535 test_scalar_split();
3539 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3540 unsigned char pubkeyc[65];
3541 secp256k1_pubkey pubkey;
3546 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3547 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3548 /* Smaller sizes are tested exhaustively elsewhere. */
3550 memcpy(&pubkeyc[1], input, 64);
3551 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3552 for (i = 0; i < 256; i++) {
3553 /* Try all type bytes. */
3558 /* What sign does this point have? */
3559 ysign = (input[63] & 1) + 2;
3560 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3561 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3562 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3563 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3564 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3565 if (xpass || ypass) {
3566 /* These cases must parse. */
3567 unsigned char pubkeyo[65];
3569 memset(&pubkey, 0, sizeof(pubkey));
3570 VG_UNDEF(&pubkey, sizeof(pubkey));
3572 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3573 VG_CHECK(&pubkey, sizeof(pubkey));
3575 VG_UNDEF(pubkeyo, 65);
3576 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3577 VG_CHECK(pubkeyo, outl);
3579 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3580 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3582 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3583 CHECK(pubkeyo[0] == ysign);
3584 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3585 memset(&pubkey, 0, sizeof(pubkey));
3586 VG_UNDEF(&pubkey, sizeof(pubkey));
3587 secp256k1_pubkey_save(&pubkey, &ge);
3588 VG_CHECK(&pubkey, sizeof(pubkey));
3590 VG_UNDEF(pubkeyo, 65);
3591 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3592 VG_CHECK(pubkeyo, outl);
3594 CHECK(pubkeyo[0] == 4);
3595 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3599 /* These cases must fail to parse. */
3600 memset(&pubkey, 0xfe, sizeof(pubkey));
3602 VG_UNDEF(&pubkey, sizeof(pubkey));
3603 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3604 VG_CHECK(&pubkey, sizeof(pubkey));
3606 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3611 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3614 void run_ec_pubkey_parse_test(void) {
3615 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3616 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3618 /* Point with leading and trailing zeros in x and y serialization. */
3619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3621 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3622 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3625 /* Point with x equal to a 3rd root of unity.*/
3626 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3627 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3628 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3629 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3632 /* Point with largest x. (1/2) */
3633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3634 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3635 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3636 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3639 /* Point with largest x. (2/2) */
3640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3641 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3642 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3643 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3646 /* Point with smallest x. (1/2) */
3647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3649 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3650 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3653 /* Point with smallest x. (2/2) */
3654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3656 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3657 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3660 /* Point with largest y. (1/3) */
3661 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3662 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3663 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3664 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3667 /* Point with largest y. (2/3) */
3668 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3669 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3670 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3671 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3674 /* Point with largest y. (3/3) */
3675 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3676 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3677 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3681 /* Point with smallest y. (1/3) */
3682 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3683 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3684 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3688 /* Point with smallest y. (2/3) */
3689 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3690 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3695 /* Point with smallest y. (3/3) */
3696 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3697 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3702 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3703 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3705 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3706 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3707 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3708 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3709 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3712 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3713 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3714 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3715 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3716 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3719 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3720 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3721 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3722 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3723 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3726 /* x on curve, y is from y^2 = x^3 + 8. */
3727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3733 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3734 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3736 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3737 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3738 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3739 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3743 /* Valid if x overflow ignored (x = 1 mod p). */
3744 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3745 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3746 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3747 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3750 /* Valid if x overflow ignored (x = 1 mod p). */
3751 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3752 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3753 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3754 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3757 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3758 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3759 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3760 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3761 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3764 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3765 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3766 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3767 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3768 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3771 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3774 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3775 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3778 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3781 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3782 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3785 const unsigned char pubkeyc[66] = {
3786 /* Serialization of G. */
3787 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3788 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3789 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3790 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3793 unsigned char sout[65];
3794 unsigned char shortkey[2];
3796 secp256k1_pubkey pubkey;
3802 /* Nothing should be reading this far into pubkeyc. */
3803 VG_UNDEF(&pubkeyc[65], 1);
3804 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3805 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3806 memset(&pubkey, 0xfe, sizeof(pubkey));
3808 VG_UNDEF(shortkey, 2);
3809 VG_UNDEF(&pubkey, sizeof(pubkey));
3810 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3811 VG_CHECK(&pubkey, sizeof(pubkey));
3813 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3815 /* Length one claimed, fail, zeroize, no illegal arg error. */
3816 for (i = 0; i < 256 ; i++) {
3817 memset(&pubkey, 0xfe, sizeof(pubkey));
3820 VG_UNDEF(&shortkey[1], 1);
3821 VG_UNDEF(&pubkey, sizeof(pubkey));
3822 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3823 VG_CHECK(&pubkey, sizeof(pubkey));
3825 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3828 /* Length two claimed, fail, zeroize, no illegal arg error. */
3829 for (i = 0; i < 65536 ; i++) {
3830 memset(&pubkey, 0xfe, sizeof(pubkey));
3832 shortkey[0] = i & 255;
3833 shortkey[1] = i >> 8;
3834 VG_UNDEF(&pubkey, sizeof(pubkey));
3835 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3836 VG_CHECK(&pubkey, sizeof(pubkey));
3838 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3841 memset(&pubkey, 0xfe, sizeof(pubkey));
3843 VG_UNDEF(&pubkey, sizeof(pubkey));
3844 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3845 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3846 VG_CHECK(&pubkey, sizeof(pubkey));
3848 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3850 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3851 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3853 /* NULL input string. Illegal arg and zeroize output. */
3854 memset(&pubkey, 0xfe, sizeof(pubkey));
3856 VG_UNDEF(&pubkey, sizeof(pubkey));
3857 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3858 VG_CHECK(&pubkey, sizeof(pubkey));
3860 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3862 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3863 memset(&pubkey, 0xfe, sizeof(pubkey));
3865 VG_UNDEF(&pubkey, sizeof(pubkey));
3866 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3867 VG_CHECK(&pubkey, sizeof(pubkey));
3869 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3871 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3872 memset(&pubkey, 0xfe, sizeof(pubkey));
3874 VG_UNDEF(&pubkey, sizeof(pubkey));
3875 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3876 VG_CHECK(&pubkey, sizeof(pubkey));
3878 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3881 memset(&pubkey, 0, sizeof(pubkey));
3883 VG_UNDEF(&pubkey, sizeof(pubkey));
3884 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3885 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3886 VG_CHECK(&pubkey, sizeof(pubkey));
3888 VG_UNDEF(&ge, sizeof(ge));
3889 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3890 VG_CHECK(&ge.x, sizeof(ge.x));
3891 VG_CHECK(&ge.y, sizeof(ge.y));
3892 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3893 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3895 /* secp256k1_ec_pubkey_serialize illegal args. */
3898 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3901 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3905 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3910 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3915 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3919 /* Multiple illegal args. Should still set arg error only once. */
3922 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3924 /* Does the illegal arg callback actually change the behavior? */
3925 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3926 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3928 CHECK(ecount2 == 10);
3929 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3930 /* Try a bunch of prefabbed points with all possible encodings. */
3931 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3932 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3934 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3935 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3937 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3938 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3942 void run_eckey_edge_case_test(void) {
3943 const unsigned char orderc[32] = {
3944 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3945 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3946 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3947 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3949 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3950 unsigned char ctmp[33];
3951 unsigned char ctmp2[33];
3952 secp256k1_pubkey pubkey;
3953 secp256k1_pubkey pubkey2;
3954 secp256k1_pubkey pubkey_one;
3955 secp256k1_pubkey pubkey_negone;
3956 const secp256k1_pubkey *pubkeys[3];
3959 /* Group order is too large, reject. */
3960 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3961 VG_UNDEF(&pubkey, sizeof(pubkey));
3962 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3963 VG_CHECK(&pubkey, sizeof(pubkey));
3964 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3965 /* Maximum value is too large, reject. */
3966 memset(ctmp, 255, 32);
3967 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3968 memset(&pubkey, 1, sizeof(pubkey));
3969 VG_UNDEF(&pubkey, sizeof(pubkey));
3970 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3971 VG_CHECK(&pubkey, sizeof(pubkey));
3972 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3973 /* Zero is too small, reject. */
3974 memset(ctmp, 0, 32);
3975 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3976 memset(&pubkey, 1, sizeof(pubkey));
3977 VG_UNDEF(&pubkey, sizeof(pubkey));
3978 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3979 VG_CHECK(&pubkey, sizeof(pubkey));
3980 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3981 /* One must be accepted. */
3983 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3984 memset(&pubkey, 0, sizeof(pubkey));
3985 VG_UNDEF(&pubkey, sizeof(pubkey));
3986 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3987 VG_CHECK(&pubkey, sizeof(pubkey));
3988 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3989 pubkey_one = pubkey;
3990 /* Group order + 1 is too large, reject. */
3991 memcpy(ctmp, orderc, 32);
3993 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3994 memset(&pubkey, 1, sizeof(pubkey));
3995 VG_UNDEF(&pubkey, sizeof(pubkey));
3996 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3997 VG_CHECK(&pubkey, sizeof(pubkey));
3998 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3999 /* -1 must be accepted. */
4001 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4002 memset(&pubkey, 0, sizeof(pubkey));
4003 VG_UNDEF(&pubkey, sizeof(pubkey));
4004 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4005 VG_CHECK(&pubkey, sizeof(pubkey));
4006 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4007 pubkey_negone = pubkey;
4008 /* Tweak of zero leaves the value unchanged. */
4009 memset(ctmp2, 0, 32);
4010 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4011 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4012 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4013 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4014 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4015 /* Multiply tweak of zero zeroizes the output. */
4016 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4017 CHECK(memcmp(zeros, ctmp, 32) == 0);
4018 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4019 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4020 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4021 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4022 seckey, the seckey is zeroized. */
4023 memcpy(ctmp, orderc, 32);
4024 memset(ctmp2, 0, 32);
4026 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4027 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4028 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4029 CHECK(memcmp(zeros, ctmp, 32) == 0);
4030 memcpy(ctmp, orderc, 32);
4031 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4032 CHECK(memcmp(zeros, ctmp, 32) == 0);
4033 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4034 tweak, the seckey is zeroized. */
4035 memcpy(ctmp, orderc, 32);
4037 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4038 CHECK(memcmp(zeros, ctmp, 32) == 0);
4039 memcpy(ctmp, orderc, 32);
4041 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4042 CHECK(memcmp(zeros, ctmp, 32) == 0);
4043 memcpy(ctmp, orderc, 32);
4045 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4046 tweak, the pubkey is zeroized. */
4047 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4048 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4049 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4050 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4051 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4052 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4053 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4054 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4055 * case the pubkey is zeroized. */
4056 memcpy(ctmp, orderc, 32);
4058 memset(ctmp2, 0, 32);
4060 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4061 CHECK(memcmp(zeros, ctmp2, 32) == 0);
4063 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4064 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4065 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4066 /* Tweak computation wraps and results in a key of 1. */
4068 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4069 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4071 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4073 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4074 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4075 /* Tweak mul * 2 = 1+1. */
4076 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4078 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4079 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4080 /* Test argument errors. */
4082 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4084 /* Zeroize pubkey on parse error. */
4085 memset(&pubkey, 0, 32);
4086 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4088 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4089 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4090 memset(&pubkey2, 0, 32);
4091 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4093 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4094 /* Plain argument errors. */
4096 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4098 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4101 memset(ctmp2, 0, 32);
4103 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4105 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4108 memset(ctmp2, 0, 32);
4110 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4112 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4115 memset(ctmp2, 0, 32);
4116 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4118 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4121 memset(ctmp2, 0, 32);
4123 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4125 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4128 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4130 memset(&pubkey, 1, sizeof(pubkey));
4131 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4133 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4134 /* secp256k1_ec_pubkey_combine tests. */
4136 pubkeys[0] = &pubkey_one;
4137 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4138 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4139 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4140 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4141 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4142 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4143 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4144 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4146 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4147 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4149 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4150 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4151 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4152 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4153 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4155 pubkeys[0] = &pubkey_negone;
4156 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4157 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4158 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4159 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4160 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4163 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4164 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4165 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4166 /* Result is infinity. */
4167 pubkeys[0] = &pubkey_one;
4168 pubkeys[1] = &pubkey_negone;
4169 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4170 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4171 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4172 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4173 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4175 /* Passes through infinity but comes out one. */
4176 pubkeys[2] = &pubkey_one;
4177 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4178 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4179 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4180 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4181 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4184 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4185 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4186 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4188 pubkeys[1] = &pubkey_one;
4189 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4190 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4191 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4192 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4193 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4195 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4198 void run_eckey_negate_test(void) {
4199 unsigned char seckey[32];
4200 unsigned char seckey_tmp[32];
4202 random_scalar_order_b32(seckey);
4203 memcpy(seckey_tmp, seckey, 32);
4205 /* Verify negation changes the key and changes it back */
4206 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4207 CHECK(memcmp(seckey, seckey_tmp, 32) != 0);
4208 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4209 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4211 /* Check that privkey alias gives same result */
4212 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4213 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4214 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4216 /* Negating all 0s fails */
4217 memset(seckey, 0, 32);
4218 memset(seckey_tmp, 0, 32);
4219 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4220 /* Check that seckey is not modified */
4221 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4223 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4224 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4225 * doesn't just set seckey to a constant value in case of failure. */
4226 random_scalar_order_b32(seckey);
4227 memset(seckey, 0xFF, 16);
4228 memset(seckey_tmp, 0, 32);
4229 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4230 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4233 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4234 secp256k1_scalar nonce;
4236 random_scalar_order_test(&nonce);
4237 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4240 void test_ecdsa_sign_verify(void) {
4243 secp256k1_scalar one;
4244 secp256k1_scalar msg, key;
4245 secp256k1_scalar sigr, sigs;
4248 random_scalar_order_test(&msg);
4249 random_scalar_order_test(&key);
4250 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4251 secp256k1_ge_set_gej(&pub, &pubj);
4252 getrec = secp256k1_rand_bits(1);
4253 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4255 CHECK(recid >= 0 && recid < 4);
4257 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4258 secp256k1_scalar_set_int(&one, 1);
4259 secp256k1_scalar_add(&msg, &msg, &one);
4260 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4263 void run_ecdsa_sign_verify(void) {
4265 for (i = 0; i < 10*count; i++) {
4266 test_ecdsa_sign_verify();
4270 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4271 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4275 memcpy(nonce32, data, 32);
4276 return (counter == 0);
4279 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4280 /* Dummy nonce generator that has a fatal error on the first counter value. */
4284 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4287 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4288 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4290 memset(nonce32, counter==0 ? 0 : 255, 32);
4297 static const unsigned char order[] = {
4298 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4299 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4300 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4301 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4303 memcpy(nonce32, order, 32);
4309 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4310 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4314 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4317 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4318 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4319 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4322 void test_ecdsa_end_to_end(void) {
4323 unsigned char extra[32] = {0x00};
4324 unsigned char privkey[32];
4325 unsigned char message[32];
4326 unsigned char privkey2[32];
4327 secp256k1_ecdsa_signature signature[6];
4328 secp256k1_scalar r, s;
4329 unsigned char sig[74];
4331 unsigned char pubkeyc[65];
4332 size_t pubkeyclen = 65;
4333 secp256k1_pubkey pubkey;
4334 secp256k1_pubkey pubkey_tmp;
4335 unsigned char seckey[300];
4336 size_t seckeylen = 300;
4338 /* Generate a random key and message. */
4340 secp256k1_scalar msg, key;
4341 random_scalar_order_test(&msg);
4342 random_scalar_order_test(&key);
4343 secp256k1_scalar_get_b32(privkey, &key);
4344 secp256k1_scalar_get_b32(message, &msg);
4347 /* Construct and verify corresponding public key. */
4348 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4349 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4351 /* Verify exporting and importing public key. */
4352 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4353 memset(&pubkey, 0, sizeof(pubkey));
4354 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4356 /* Verify negation changes the key and changes it back */
4357 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4358 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4359 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4360 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4361 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4363 /* Verify private key import and export. */
4364 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4365 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4366 CHECK(memcmp(privkey, privkey2, 32) == 0);
4368 /* Optionally tweak the keys using addition. */
4369 if (secp256k1_rand_int(3) == 0) {
4373 unsigned char rnd[32];
4374 unsigned char privkey_tmp[32];
4375 secp256k1_pubkey pubkey2;
4376 secp256k1_rand256_test(rnd);
4377 memcpy(privkey_tmp, privkey, 32);
4378 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4379 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4380 /* Check that privkey alias gives same result */
4381 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4382 CHECK(ret1 == ret2);
4383 CHECK(ret2 == ret3);
4387 CHECK(memcmp(privkey, privkey_tmp, 32) == 0);
4388 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4389 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4392 /* Optionally tweak the keys using multiplication. */
4393 if (secp256k1_rand_int(3) == 0) {
4397 unsigned char rnd[32];
4398 unsigned char privkey_tmp[32];
4399 secp256k1_pubkey pubkey2;
4400 secp256k1_rand256_test(rnd);
4401 memcpy(privkey_tmp, privkey, 32);
4402 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4403 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4404 /* Check that privkey alias gives same result */
4405 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4406 CHECK(ret1 == ret2);
4407 CHECK(ret2 == ret3);
4411 CHECK(memcmp(privkey, privkey_tmp, 32) == 0);
4412 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4413 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4417 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4418 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4419 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4421 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4424 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4425 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4426 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4427 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4428 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4429 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4430 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4431 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4433 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4434 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4435 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4436 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4437 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4438 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4439 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4440 secp256k1_scalar_negate(&s, &s);
4441 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4442 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4443 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4444 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4445 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4446 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4447 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4448 secp256k1_scalar_negate(&s, &s);
4449 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4450 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4451 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4452 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4454 /* Serialize/parse DER and verify again */
4455 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4456 memset(&signature[0], 0, sizeof(signature[0]));
4457 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4458 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4459 /* Serialize/destroy/parse DER and verify again. */
4461 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4462 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4463 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4464 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4467 void test_random_pubkeys(void) {
4470 unsigned char in[65];
4471 /* Generate some randomly sized pubkeys. */
4472 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4473 if (secp256k1_rand_bits(2) == 0) {
4474 len = secp256k1_rand_bits(6);
4477 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4479 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4481 if (secp256k1_rand_bits(3) == 0) {
4482 in[0] = secp256k1_rand_bits(8);
4485 secp256k1_rand256(&in[1]);
4488 secp256k1_rand256(&in[33]);
4490 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4491 unsigned char out[65];
4492 unsigned char firstb;
4496 /* If the pubkey can be parsed, it should round-trip... */
4497 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4499 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4500 /* ... except for the type of hybrid inputs. */
4501 if ((in[0] != 6) && (in[0] != 7)) {
4502 CHECK(in[0] == out[0]);
4505 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4507 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4508 ge_equals_ge(&elem,&elem2);
4509 /* Check that the X9.62 hybrid type is checked. */
4510 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4511 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4512 if (firstb == 2 || firstb == 3) {
4513 if (in[0] == firstb + 4) {
4520 ge_equals_ge(&elem,&elem2);
4521 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4522 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4527 void run_random_pubkeys(void) {
4529 for (i = 0; i < 10*count; i++) {
4530 test_random_pubkeys();
4534 void run_ecdsa_end_to_end(void) {
4536 for (i = 0; i < 64*count; i++) {
4537 test_ecdsa_end_to_end();
4541 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4542 static const unsigned char zeroes[32] = {0};
4543 #ifdef ENABLE_OPENSSL_TESTS
4544 static const unsigned char max_scalar[32] = {
4545 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4546 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4547 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4548 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4554 secp256k1_ecdsa_signature sig_der;
4555 unsigned char roundtrip_der[2048];
4556 unsigned char compact_der[64];
4557 size_t len_der = 2048;
4558 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4560 secp256k1_ecdsa_signature sig_der_lax;
4561 unsigned char roundtrip_der_lax[2048];
4562 unsigned char compact_der_lax[64];
4563 size_t len_der_lax = 2048;
4564 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4566 #ifdef ENABLE_OPENSSL_TESTS
4567 ECDSA_SIG *sig_openssl;
4568 const BIGNUM *r = NULL, *s = NULL;
4569 const unsigned char *sigptr;
4570 unsigned char roundtrip_openssl[2048];
4571 int len_openssl = 2048;
4572 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4575 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4577 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4578 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4581 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4582 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4585 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4586 if (parsed_der_lax) {
4587 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4588 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4590 if (valid_der_lax) {
4591 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4592 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4595 if (certainly_der) {
4596 ret |= (!parsed_der) << 2;
4598 if (certainly_not_der) {
4599 ret |= (parsed_der) << 17;
4602 ret |= (!roundtrips_der) << 3;
4606 ret |= (!roundtrips_der_lax) << 12;
4607 ret |= (len_der != len_der_lax) << 13;
4608 ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4610 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4612 ret |= (!parsed_der_lax) << 16;
4615 #ifdef ENABLE_OPENSSL_TESTS
4616 sig_openssl = ECDSA_SIG_new();
4618 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4619 if (parsed_openssl) {
4620 ECDSA_SIG_get0(sig_openssl, &r, &s);
4621 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4622 if (valid_openssl) {
4623 unsigned char tmp[32] = {0};
4624 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4625 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4627 if (valid_openssl) {
4628 unsigned char tmp[32] = {0};
4629 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4630 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4633 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4634 if (len_openssl <= 2048) {
4635 unsigned char *ptr = roundtrip_openssl;
4636 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4637 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4641 ECDSA_SIG_free(sig_openssl);
4643 ret |= (parsed_der && !parsed_openssl) << 4;
4644 ret |= (valid_der && !valid_openssl) << 5;
4645 ret |= (roundtrips_openssl && !parsed_der) << 6;
4646 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4647 if (roundtrips_openssl) {
4648 ret |= (len_der != (size_t)len_openssl) << 8;
4649 ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4655 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4657 for (i = 0; i < ptrlen; i++) {
4658 int shift = ptrlen - 1 - i;
4662 ptr[i] = (val >> shift) & 0xFF;
4667 static void damage_array(unsigned char *sig, size_t *len) {
4669 int action = secp256k1_rand_bits(3);
4670 if (action < 1 && *len > 3) {
4671 /* Delete a byte. */
4672 pos = secp256k1_rand_int(*len);
4673 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4676 } else if (action < 2 && *len < 2048) {
4677 /* Insert a byte. */
4678 pos = secp256k1_rand_int(1 + *len);
4679 memmove(sig + pos + 1, sig + pos, *len - pos);
4680 sig[pos] = secp256k1_rand_bits(8);
4683 } else if (action < 4) {
4684 /* Modify a byte. */
4685 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4687 } else { /* action < 8 */
4689 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4694 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4696 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4697 size_t tlen, elen, glen;
4702 der = secp256k1_rand_bits(2) == 0;
4703 *certainly_der = der;
4704 *certainly_not_der = 0;
4705 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4707 for (n = 0; n < 2; n++) {
4708 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4709 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4710 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4711 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4712 CHECK(nlen[n] <= 232);
4713 /* The top bit of the number. */
4714 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4715 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4716 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4717 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4718 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4719 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4720 *certainly_not_der = 1;
4722 CHECK(nlen[n] + nzlen[n] <= 300);
4723 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4724 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4726 /* nlenlen[n] max 127 bytes */
4727 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4730 *certainly_not_der = 1;
4733 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4736 /* The total length of the data to go, so far */
4737 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4740 /* The length of the garbage inside the tuple. */
4741 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4743 *certainly_not_der = 1;
4748 /* The length of the garbage after the end of the tuple. */
4749 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4751 *certainly_not_der = 1;
4753 CHECK(tlen + glen <= 990);
4755 /* Write the tuple header. */
4756 sig[(*len)++] = 0x30;
4758 /* Indeterminate length */
4759 sig[(*len)++] = 0x80;
4760 *certainly_not_der = 1;
4762 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4764 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4767 *certainly_not_der = 1;
4771 /* Short length notation */
4772 sig[(*len)++] = tlen;
4774 /* Long length notation */
4775 sig[(*len)++] = 128 + tlenlen;
4776 assign_big_endian(sig + *len, tlenlen, tlen);
4782 CHECK(tlen + glen <= 1119);
4784 for (n = 0; n < 2; n++) {
4785 /* Write the integer header. */
4786 sig[(*len)++] = 0x02;
4787 if (nlenlen[n] == 0) {
4788 /* Short length notation */
4789 sig[(*len)++] = nlen[n] + nzlen[n];
4791 /* Long length notation. */
4792 sig[(*len)++] = 128 + nlenlen[n];
4793 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4796 /* Write zero padding */
4797 while (nzlen[n] > 0) {
4798 sig[(*len)++] = 0x00;
4801 if (nlen[n] == 32 && !nlow[n]) {
4802 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4804 for (i = 0; i < 16; i++) {
4805 sig[(*len)++] = 0xFF;
4809 /* Write first byte of number */
4811 sig[(*len)++] = nhbyte[n];
4814 /* Generate remaining random bytes of number */
4815 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4820 /* Generate random garbage inside tuple. */
4821 secp256k1_rand_bytes_test(sig + *len, elen);
4824 /* Generate end-of-contents bytes. */
4830 CHECK(tlen + glen <= 1121);
4832 /* Generate random garbage outside tuple. */
4833 secp256k1_rand_bytes_test(sig + *len, glen);
4836 CHECK(tlen <= 1121);
4837 CHECK(tlen == *len);
4840 void run_ecdsa_der_parse(void) {
4842 for (i = 0; i < 200 * count; i++) {
4843 unsigned char buffer[2048];
4845 int certainly_der = 0;
4846 int certainly_not_der = 0;
4847 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4848 CHECK(buflen <= 2048);
4849 for (j = 0; j < 16; j++) {
4852 damage_array(buffer, &buflen);
4853 /* We don't know anything anymore about the DERness of the result */
4855 certainly_not_der = 0;
4857 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4860 fprintf(stderr, "Failure %x on ", ret);
4861 for (k = 0; k < buflen; k++) {
4862 fprintf(stderr, "%02x ", buffer[k]);
4864 fprintf(stderr, "\n");
4871 /* Tests several edge cases. */
4872 void test_ecdsa_edge_cases(void) {
4874 secp256k1_ecdsa_signature sig;
4876 /* Test the case where ECDSA recomputes a point that is infinity. */
4880 secp256k1_scalar msg;
4881 secp256k1_scalar sr, ss;
4882 secp256k1_scalar_set_int(&ss, 1);
4883 secp256k1_scalar_negate(&ss, &ss);
4884 secp256k1_scalar_inverse(&ss, &ss);
4885 secp256k1_scalar_set_int(&sr, 1);
4886 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4887 secp256k1_ge_set_gej(&key, &keyj);
4889 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4892 /* Verify signature with r of zero fails. */
4894 const unsigned char pubkey_mods_zero[33] = {
4895 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4896 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4897 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4898 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4902 secp256k1_scalar msg;
4903 secp256k1_scalar sr, ss;
4904 secp256k1_scalar_set_int(&ss, 1);
4905 secp256k1_scalar_set_int(&msg, 0);
4906 secp256k1_scalar_set_int(&sr, 0);
4907 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4908 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4911 /* Verify signature with s of zero fails. */
4913 const unsigned char pubkey[33] = {
4914 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4921 secp256k1_scalar msg;
4922 secp256k1_scalar sr, ss;
4923 secp256k1_scalar_set_int(&ss, 0);
4924 secp256k1_scalar_set_int(&msg, 0);
4925 secp256k1_scalar_set_int(&sr, 1);
4926 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4927 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4930 /* Verify signature with message 0 passes. */
4932 const unsigned char pubkey[33] = {
4933 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4934 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4935 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4936 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4939 const unsigned char pubkey2[33] = {
4940 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4941 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4942 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4943 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4948 secp256k1_scalar msg;
4949 secp256k1_scalar sr, ss;
4950 secp256k1_scalar_set_int(&ss, 2);
4951 secp256k1_scalar_set_int(&msg, 0);
4952 secp256k1_scalar_set_int(&sr, 2);
4953 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4954 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4955 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4956 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4957 secp256k1_scalar_negate(&ss, &ss);
4958 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4959 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4960 secp256k1_scalar_set_int(&ss, 1);
4961 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4962 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4965 /* Verify signature with message 1 passes. */
4967 const unsigned char pubkey[33] = {
4968 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4969 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4970 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4971 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4974 const unsigned char pubkey2[33] = {
4975 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4976 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4977 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4978 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4981 const unsigned char csr[32] = {
4982 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4983 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4984 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4985 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4989 secp256k1_scalar msg;
4990 secp256k1_scalar sr, ss;
4991 secp256k1_scalar_set_int(&ss, 1);
4992 secp256k1_scalar_set_int(&msg, 1);
4993 secp256k1_scalar_set_b32(&sr, csr, NULL);
4994 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4995 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4996 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4997 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4998 secp256k1_scalar_negate(&ss, &ss);
4999 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5000 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5001 secp256k1_scalar_set_int(&ss, 2);
5002 secp256k1_scalar_inverse_var(&ss, &ss);
5003 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5004 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5007 /* Verify signature with message -1 passes. */
5009 const unsigned char pubkey[33] = {
5010 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5011 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5012 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5013 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5016 const unsigned char csr[32] = {
5017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5019 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5020 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5023 secp256k1_scalar msg;
5024 secp256k1_scalar sr, ss;
5025 secp256k1_scalar_set_int(&ss, 1);
5026 secp256k1_scalar_set_int(&msg, 1);
5027 secp256k1_scalar_negate(&msg, &msg);
5028 secp256k1_scalar_set_b32(&sr, csr, NULL);
5029 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5030 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5031 secp256k1_scalar_negate(&ss, &ss);
5032 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5033 secp256k1_scalar_set_int(&ss, 3);
5034 secp256k1_scalar_inverse_var(&ss, &ss);
5035 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5038 /* Signature where s would be zero. */
5040 secp256k1_pubkey pubkey;
5043 unsigned char signature[72];
5044 static const unsigned char nonce[32] = {
5045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5048 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5050 static const unsigned char nonce2[32] = {
5051 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5052 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5053 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5054 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5056 const unsigned char key[32] = {
5057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5059 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5062 unsigned char msg[32] = {
5063 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5064 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5065 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5066 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5069 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5070 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5071 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5073 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5075 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5077 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5079 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5081 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5082 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5083 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5085 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5087 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5089 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5091 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5093 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5094 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5097 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5099 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5100 CHECK(ecount == 10);
5101 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5102 CHECK(ecount == 11);
5103 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5104 CHECK(ecount == 11);
5105 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5106 CHECK(ecount == 12);
5107 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5108 CHECK(ecount == 13);
5109 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5110 CHECK(ecount == 13);
5112 /* Too little room for a signature does not fail via ARGCHECK. */
5113 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5114 CHECK(ecount == 13);
5116 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5118 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5120 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5122 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5124 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5126 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5128 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5130 memset(signature, 255, 64);
5131 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5133 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5136 /* Nonce function corner cases. */
5137 for (t = 0; t < 2; t++) {
5138 static const unsigned char zero[32] = {0x00};
5140 unsigned char key[32];
5141 unsigned char msg[32];
5142 secp256k1_ecdsa_signature sig2;
5143 secp256k1_scalar sr[512], ss;
5144 const unsigned char *extra;
5145 extra = t == 0 ? NULL : zero;
5148 /* High key results in signature failure. */
5149 memset(key, 0xFF, 32);
5150 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5151 CHECK(is_empty_signature(&sig));
5152 /* Zero key results in signature failure. */
5154 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5155 CHECK(is_empty_signature(&sig));
5156 /* Nonce function failure results in signature failure. */
5158 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5159 CHECK(is_empty_signature(&sig));
5160 /* The retry loop successfully makes its way to the first good value. */
5161 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5162 CHECK(!is_empty_signature(&sig));
5163 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5164 CHECK(!is_empty_signature(&sig2));
5165 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5166 /* The default nonce function is deterministic. */
5167 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5168 CHECK(!is_empty_signature(&sig2));
5169 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5170 /* The default nonce function changes output with different messages. */
5171 for(i = 0; i < 256; i++) {
5174 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5175 CHECK(!is_empty_signature(&sig2));
5176 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5177 for (j = 0; j < i; j++) {
5178 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5183 /* The default nonce function changes output with different keys. */
5184 for(i = 256; i < 512; i++) {
5187 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5188 CHECK(!is_empty_signature(&sig2));
5189 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5190 for (j = 0; j < i; j++) {
5191 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5198 /* Check that optional nonce arguments do not have equivalent effect. */
5199 const unsigned char zeros[32] = {0};
5200 unsigned char nonce[32];
5201 unsigned char nonce2[32];
5202 unsigned char nonce3[32];
5203 unsigned char nonce4[32];
5205 VG_UNDEF(nonce2,32);
5206 VG_UNDEF(nonce3,32);
5207 VG_UNDEF(nonce4,32);
5208 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5210 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5211 VG_CHECK(nonce2,32);
5212 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5213 VG_CHECK(nonce3,32);
5214 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5215 VG_CHECK(nonce4,32);
5216 CHECK(memcmp(nonce, nonce2, 32) != 0);
5217 CHECK(memcmp(nonce, nonce3, 32) != 0);
5218 CHECK(memcmp(nonce, nonce4, 32) != 0);
5219 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5220 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5221 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5225 /* Privkey export where pubkey is the point at infinity. */
5227 unsigned char privkey[300];
5228 unsigned char seckey[32] = {
5229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5230 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5231 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5232 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5234 size_t outlen = 300;
5235 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5237 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5241 void run_ecdsa_edge_cases(void) {
5242 test_ecdsa_edge_cases();
5245 #ifdef ENABLE_OPENSSL_TESTS
5246 EC_KEY *get_openssl_key(const unsigned char *key32) {
5247 unsigned char privkey[300];
5249 const unsigned char* pbegin = privkey;
5250 int compr = secp256k1_rand_bits(1);
5251 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5252 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5253 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5254 CHECK(EC_KEY_check_key(ec_key));
5258 void test_ecdsa_openssl(void) {
5261 secp256k1_scalar sigr, sigs;
5262 secp256k1_scalar one;
5263 secp256k1_scalar msg2;
5264 secp256k1_scalar key, msg;
5266 unsigned int sigsize = 80;
5267 size_t secp_sigsize = 80;
5268 unsigned char message[32];
5269 unsigned char signature[80];
5270 unsigned char key32[32];
5271 secp256k1_rand256_test(message);
5272 secp256k1_scalar_set_b32(&msg, message, NULL);
5273 random_scalar_order_test(&key);
5274 secp256k1_scalar_get_b32(key32, &key);
5275 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5276 secp256k1_ge_set_gej(&q, &qj);
5277 ec_key = get_openssl_key(key32);
5278 CHECK(ec_key != NULL);
5279 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5280 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5281 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5282 secp256k1_scalar_set_int(&one, 1);
5283 secp256k1_scalar_add(&msg2, &msg, &one);
5284 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5286 random_sign(&sigr, &sigs, &key, &msg, NULL);
5287 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5288 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5290 EC_KEY_free(ec_key);
5293 void run_ecdsa_openssl(void) {
5295 for (i = 0; i < 10*count; i++) {
5296 test_ecdsa_openssl();
5301 #ifdef ENABLE_MODULE_ECDH
5302 # include "modules/ecdh/tests_impl.h"
5305 #ifdef ENABLE_MODULE_RECOVERY
5306 # include "modules/recovery/tests_impl.h"
5309 #ifdef ENABLE_MODULE_EXTRAKEYS
5310 # include "modules/extrakeys/tests_impl.h"
5313 #ifdef ENABLE_MODULE_SCHNORRSIG
5314 # include "modules/schnorrsig/tests_impl.h"
5317 void run_memczero_test(void) {
5318 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5319 unsigned char buf2[sizeof(buf1)];
5321 /* memczero(..., ..., 0) is a noop. */
5322 memcpy(buf2, buf1, sizeof(buf1));
5323 memczero(buf1, sizeof(buf1), 0);
5324 CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
5326 /* memczero(..., ..., 1) zeros the buffer. */
5327 memset(buf2, 0, sizeof(buf2));
5328 memczero(buf1, sizeof(buf1) , 1);
5329 CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
5332 void int_cmov_test(void) {
5336 secp256k1_int_cmov(&r, &a, 0);
5337 CHECK(r == INT_MAX);
5340 secp256k1_int_cmov(&r, &a, 1);
5341 CHECK(r == INT_MAX);
5344 secp256k1_int_cmov(&r, &a, 1);
5348 secp256k1_int_cmov(&r, &a, 1);
5352 secp256k1_int_cmov(&r, &a, 0);
5357 void fe_cmov_test(void) {
5358 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5359 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5360 static const secp256k1_fe max = SECP256K1_FE_CONST(
5361 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5362 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5364 secp256k1_fe r = max;
5365 secp256k1_fe a = zero;
5367 secp256k1_fe_cmov(&r, &a, 0);
5368 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5371 secp256k1_fe_cmov(&r, &a, 1);
5372 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5375 secp256k1_fe_cmov(&r, &a, 1);
5376 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5379 secp256k1_fe_cmov(&r, &a, 1);
5380 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5383 secp256k1_fe_cmov(&r, &a, 0);
5384 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5387 void fe_storage_cmov_test(void) {
5388 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5389 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5390 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5391 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5392 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5394 secp256k1_fe_storage r = max;
5395 secp256k1_fe_storage a = zero;
5397 secp256k1_fe_storage_cmov(&r, &a, 0);
5398 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5401 secp256k1_fe_storage_cmov(&r, &a, 1);
5402 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5405 secp256k1_fe_storage_cmov(&r, &a, 1);
5406 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5409 secp256k1_fe_storage_cmov(&r, &a, 1);
5410 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5413 secp256k1_fe_storage_cmov(&r, &a, 0);
5414 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5417 void scalar_cmov_test(void) {
5418 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5419 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5420 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5421 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5422 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5424 secp256k1_scalar r = max;
5425 secp256k1_scalar a = zero;
5427 secp256k1_scalar_cmov(&r, &a, 0);
5428 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5431 secp256k1_scalar_cmov(&r, &a, 1);
5432 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5435 secp256k1_scalar_cmov(&r, &a, 1);
5436 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5439 secp256k1_scalar_cmov(&r, &a, 1);
5440 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5443 secp256k1_scalar_cmov(&r, &a, 0);
5444 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5447 void ge_storage_cmov_test(void) {
5448 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5449 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5450 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5451 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5452 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5453 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5454 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5456 secp256k1_ge_storage r = max;
5457 secp256k1_ge_storage a = zero;
5459 secp256k1_ge_storage_cmov(&r, &a, 0);
5460 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5463 secp256k1_ge_storage_cmov(&r, &a, 1);
5464 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5467 secp256k1_ge_storage_cmov(&r, &a, 1);
5468 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5471 secp256k1_ge_storage_cmov(&r, &a, 1);
5472 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5475 secp256k1_ge_storage_cmov(&r, &a, 0);
5476 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5479 void run_cmov_tests(void) {
5482 fe_storage_cmov_test();
5484 ge_storage_cmov_test();
5487 int main(int argc, char **argv) {
5488 unsigned char seed16[16] = {0};
5489 unsigned char run32[32] = {0};
5491 /* Disable buffering for stdout to improve reliability of getting
5492 * diagnostic information. Happens right at the start of main because
5493 * setbuf must be used before any other operation on the stream. */
5494 setbuf(stdout, NULL);
5495 /* Also disable buffering for stderr because it's not guaranteed that it's
5496 * unbuffered on all systems. */
5497 setbuf(stderr, NULL);
5499 /* find iteration count */
5501 count = strtol(argv[1], NULL, 0);
5504 /* find random seed */
5507 const char* ch = argv[2];
5508 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5510 if ((sscanf(ch, "%2hx", &sh)) == 1) {
5519 FILE *frand = fopen("/dev/urandom", "r");
5520 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5521 uint64_t t = time(NULL) * (uint64_t)1337;
5522 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5524 seed16[1] ^= t >> 8;
5525 seed16[2] ^= t >> 16;
5526 seed16[3] ^= t >> 24;
5527 seed16[4] ^= t >> 32;
5528 seed16[5] ^= t >> 40;
5529 seed16[6] ^= t >> 48;
5530 seed16[7] ^= t >> 56;
5536 secp256k1_rand_seed(seed16);
5538 printf("test count = %i\n", count);
5539 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5542 run_context_tests(0);
5543 run_context_tests(1);
5544 run_scratch_tests();
5545 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5546 if (secp256k1_rand_bits(1)) {
5547 secp256k1_rand256(run32);
5548 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5555 run_hmac_sha256_tests();
5556 run_rfc6979_hmac_sha256_tests();
5558 #ifndef USE_NUM_NONE
5560 run_num_smalltests();
5568 run_field_inv_var();
5569 run_field_inv_all_var();
5571 run_field_convert();
5577 run_group_decompress();
5581 run_point_times_order();
5583 run_ecmult_constants();
5584 run_ecmult_gen_blind();
5585 run_ecmult_const_tests();
5586 run_ecmult_multi_tests();
5589 /* endomorphism tests */
5590 #ifdef USE_ENDOMORPHISM
5591 run_endomorphism_tests();
5594 /* EC point parser test */
5595 run_ec_pubkey_parse_test();
5597 /* EC key edge cases */
5598 run_eckey_edge_case_test();
5600 /* EC key arithmetic test */
5601 run_eckey_negate_test();
5603 #ifdef ENABLE_MODULE_ECDH
5609 run_random_pubkeys();
5610 run_ecdsa_der_parse();
5611 run_ecdsa_sign_verify();
5612 run_ecdsa_end_to_end();
5613 run_ecdsa_edge_cases();
5614 #ifdef ENABLE_OPENSSL_TESTS
5615 run_ecdsa_openssl();
5618 #ifdef ENABLE_MODULE_RECOVERY
5619 /* ECDSA pubkey recovery tests */
5620 run_recovery_tests();
5623 #ifdef ENABLE_MODULE_EXTRAKEYS
5624 run_extrakeys_tests();
5627 #ifdef ENABLE_MODULE_SCHNORRSIG
5628 run_schnorrsig_tests();
5632 run_memczero_test();
5636 secp256k1_rand256(run32);
5637 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5640 secp256k1_context_destroy(ctx);
5642 printf("no problems found\n");
projects / secp256k1.git / blob