1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
35 #if !defined(VG_CHECK)
36 # if defined(VALGRIND)
37 # include <valgrind/memcheck.h>
38 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
41 # define VG_UNDEF(x,y)
42 # define VG_CHECK(x,y)
46 static int count = 64;
47 static secp256k1_context *ctx = NULL;
49 static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
57 static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
65 void random_field_element_test(secp256k1_fe *fe) {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
69 if (secp256k1_fe_set_b32(fe, b32)) {
75 void random_field_element_magnitude(secp256k1_fe *fe) {
77 int n = secp256k1_rand_int(9);
78 secp256k1_fe_normalize(fe);
82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
87 CHECK(fe->magnitude == n);
91 void random_group_element_test(secp256k1_ge *ge) {
94 random_field_element_test(&fe);
95 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
96 secp256k1_fe_normalize(&ge->y);
102 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
105 random_field_element_test(&gej->z);
106 if (!secp256k1_fe_is_zero(&gej->z)) {
110 secp256k1_fe_sqr(&z2, &gej->z);
111 secp256k1_fe_mul(&z3, &z2, &gej->z);
112 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
113 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
114 gej->infinity = ge->infinity;
117 void random_scalar_order_test(secp256k1_scalar *num) {
119 unsigned char b32[32];
121 secp256k1_rand256_test(b32);
122 secp256k1_scalar_set_b32(num, b32, &overflow);
123 if (overflow || secp256k1_scalar_is_zero(num)) {
130 void random_scalar_order(secp256k1_scalar *num) {
132 unsigned char b32[32];
134 secp256k1_rand256(b32);
135 secp256k1_scalar_set_b32(num, b32, &overflow);
136 if (overflow || secp256k1_scalar_is_zero(num)) {
143 void run_context_tests(int use_prealloc) {
144 secp256k1_pubkey pubkey;
145 secp256k1_pubkey zero_pubkey;
146 secp256k1_ecdsa_signature sig;
147 unsigned char ctmp[32];
150 secp256k1_context *none;
151 secp256k1_context *sign;
152 secp256k1_context *vrfy;
153 secp256k1_context *both;
154 void *none_prealloc = NULL;
155 void *sign_prealloc = NULL;
156 void *vrfy_prealloc = NULL;
157 void *both_prealloc = NULL;
161 secp256k1_scalar msg, key, nonce;
162 secp256k1_scalar sigr, sigs;
165 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
166 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
167 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
168 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
169 CHECK(none_prealloc != NULL);
170 CHECK(sign_prealloc != NULL);
171 CHECK(vrfy_prealloc != NULL);
172 CHECK(both_prealloc != NULL);
173 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
174 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
175 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
176 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
178 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
179 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
180 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
181 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
184 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
188 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
189 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
190 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
191 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
193 /* check if sizes for cloning are consistent */
194 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
195 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
196 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
197 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
199 /*** clone and destroy all of them to make sure cloning was complete ***/
201 secp256k1_context *ctx_tmp;
204 /* clone into a non-preallocated context and then again into a new preallocated one. */
205 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
206 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
207 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
209 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
210 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
211 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
214 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
215 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
217 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
218 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
219 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
221 /* clone into a preallocated context and then again into a new non-preallocated one. */
224 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
225 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
226 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
229 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
230 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
231 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
234 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
235 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
236 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
239 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
240 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
241 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
246 /* Verify that the error callback makes it across the clone. */
247 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
248 /* And that it resets back to default. */
249 secp256k1_context_set_error_callback(sign, NULL, NULL);
250 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
252 /*** attempt to use them ***/
253 random_scalar_order_test(&msg);
254 random_scalar_order_test(&key);
255 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
256 secp256k1_ge_set_gej(&pub, &pubj);
258 /* Verify context-type checking illegal-argument errors. */
260 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
262 VG_UNDEF(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
264 VG_CHECK(&pubkey, sizeof(pubkey));
265 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
267 VG_UNDEF(&sig, sizeof(sig));
268 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
269 VG_CHECK(&sig, sizeof(sig));
270 CHECK(ecount2 == 10);
271 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
272 CHECK(ecount2 == 11);
273 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
275 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
276 CHECK(ecount2 == 12);
277 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
279 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
280 CHECK(ecount2 == 13);
281 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
283 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
285 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
286 CHECK(ecount2 == 14);
287 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
289 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
291 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
293 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
295 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
296 CHECK(ecount2 == 14);
297 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
298 CHECK(ecount2 == 14);
299 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
300 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
302 /* obtain a working nonce */
304 random_scalar_order_test(&nonce);
305 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
312 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
317 secp256k1_context_preallocated_destroy(none);
318 secp256k1_context_preallocated_destroy(sign);
319 secp256k1_context_preallocated_destroy(vrfy);
320 secp256k1_context_preallocated_destroy(both);
326 secp256k1_context_destroy(none);
327 secp256k1_context_destroy(sign);
328 secp256k1_context_destroy(vrfy);
329 secp256k1_context_destroy(both);
331 /* Defined as no-op. */
332 secp256k1_context_destroy(NULL);
333 secp256k1_context_preallocated_destroy(NULL);
337 void run_scratch_tests(void) {
338 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
343 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
344 secp256k1_scratch_space *scratch;
345 secp256k1_scratch_space local_scratch;
347 /* Test public API */
348 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
349 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
351 scratch = secp256k1_scratch_space_create(none, 1000);
352 CHECK(scratch != NULL);
355 /* Test internal API */
356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
357 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
358 CHECK(scratch->alloc_size == 0);
359 CHECK(scratch->alloc_size % ALIGNMENT == 0);
361 /* Allocating 500 bytes succeeds */
362 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
363 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
365 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
366 CHECK(scratch->alloc_size != 0);
367 CHECK(scratch->alloc_size % ALIGNMENT == 0);
369 /* Allocating another 500 bytes fails */
370 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
372 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
373 CHECK(scratch->alloc_size != 0);
374 CHECK(scratch->alloc_size % ALIGNMENT == 0);
376 /* ...but it succeeds once we apply the checkpoint to undo it */
377 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
378 CHECK(scratch->alloc_size == 0);
379 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
380 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
381 CHECK(scratch->alloc_size != 0);
383 /* try to apply a bad checkpoint */
384 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
385 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
387 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
389 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
392 /* try to use badly initialized scratch space */
393 secp256k1_scratch_space_destroy(none, scratch);
394 memset(&local_scratch, 0, sizeof(local_scratch));
395 scratch = &local_scratch;
396 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
398 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
400 secp256k1_scratch_space_destroy(none, scratch);
404 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
405 secp256k1_context_destroy(none);
408 /***** HASH TESTS *****/
410 void run_sha256_tests(void) {
411 static const char *inputs[8] = {
412 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
413 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
414 "For this sample, this 63-byte string will be used as input data",
415 "This is exactly 64 bytes long, not counting the terminating byte"
417 static const unsigned char outputs[8][32] = {
418 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
419 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
420 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
421 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
422 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
423 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
424 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
425 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
428 for (i = 0; i < 8; i++) {
429 unsigned char out[32];
430 secp256k1_sha256 hasher;
431 secp256k1_sha256_initialize(&hasher);
432 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
433 secp256k1_sha256_finalize(&hasher, out);
434 CHECK(memcmp(out, outputs[i], 32) == 0);
435 if (strlen(inputs[i]) > 0) {
436 int split = secp256k1_rand_int(strlen(inputs[i]));
437 secp256k1_sha256_initialize(&hasher);
438 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
439 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
440 secp256k1_sha256_finalize(&hasher, out);
441 CHECK(memcmp(out, outputs[i], 32) == 0);
446 void run_hmac_sha256_tests(void) {
447 static const char *keys[6] = {
448 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
450 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
451 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
452 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
453 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
455 static const char *inputs[6] = {
456 "\x48\x69\x20\x54\x68\x65\x72\x65",
457 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
458 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
459 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
460 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
461 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
463 static const unsigned char outputs[6][32] = {
464 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
465 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
466 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
467 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
468 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
469 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
472 for (i = 0; i < 6; i++) {
473 secp256k1_hmac_sha256 hasher;
474 unsigned char out[32];
475 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
476 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
477 secp256k1_hmac_sha256_finalize(&hasher, out);
478 CHECK(memcmp(out, outputs[i], 32) == 0);
479 if (strlen(inputs[i]) > 0) {
480 int split = secp256k1_rand_int(strlen(inputs[i]));
481 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
482 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
483 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
484 secp256k1_hmac_sha256_finalize(&hasher, out);
485 CHECK(memcmp(out, outputs[i], 32) == 0);
490 void run_rfc6979_hmac_sha256_tests(void) {
491 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
492 static const unsigned char out1[3][32] = {
493 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
494 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
495 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
498 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
499 static const unsigned char out2[3][32] = {
500 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
501 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
502 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
505 secp256k1_rfc6979_hmac_sha256 rng;
506 unsigned char out[32];
509 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
510 for (i = 0; i < 3; i++) {
511 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
512 CHECK(memcmp(out, out1[i], 32) == 0);
514 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
516 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
517 for (i = 0; i < 3; i++) {
518 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
519 CHECK(memcmp(out, out1[i], 32) != 0);
521 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
523 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
524 for (i = 0; i < 3; i++) {
525 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
526 CHECK(memcmp(out, out2[i], 32) == 0);
528 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
531 /***** RANDOM TESTS *****/
533 void test_rand_bits(int rand32, int bits) {
534 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
535 * get a false negative chance below once in a billion */
536 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
537 /* We try multiplying the results with various odd numbers, which shouldn't
538 * influence the uniform distribution modulo a power of 2. */
539 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
540 /* We only select up to 6 bits from the output to analyse */
541 unsigned int usebits = bits > 6 ? 6 : bits;
542 unsigned int maxshift = bits - usebits;
543 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
544 number, track all observed outcomes, one per bit in a uint64_t. */
545 uint64_t x[6][27] = {{0}};
546 unsigned int i, shift, m;
547 /* Multiply the output of all rand calls with the odd number m, which
548 should not change the uniformity of its distribution. */
549 for (i = 0; i < rounds[usebits]; i++) {
550 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
551 CHECK((((uint64_t)r) >> bits) == 0);
552 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
553 uint32_t rm = r * mults[m];
554 for (shift = 0; shift <= maxshift; shift++) {
555 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
559 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
560 for (shift = 0; shift <= maxshift; shift++) {
561 /* Test that the lower usebits bits of x[shift] are 1 */
562 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
567 /* Subrange must be a whole divisor of range, and at most 64 */
568 void test_rand_int(uint32_t range, uint32_t subrange) {
569 /* (1-1/subrange)^rounds < 1/10^9 */
570 int rounds = (subrange * 2073) / 100;
573 CHECK((range % subrange) == 0);
574 for (i = 0; i < rounds; i++) {
575 uint32_t r = secp256k1_rand_int(range);
578 x |= (((uint64_t)1) << r);
580 /* Test that the lower subrange bits of x are 1. */
581 CHECK(((~x) << (64 - subrange)) == 0);
584 void run_rand_bits(void) {
586 test_rand_bits(1, 32);
587 for (b = 1; b <= 32; b++) {
588 test_rand_bits(0, b);
592 void run_rand_int(void) {
593 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
594 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
596 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
597 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
598 test_rand_int(ms[m] * ss[s], ss[s]);
603 /***** NUM TESTS *****/
606 void random_num_negate(secp256k1_num *num) {
607 if (secp256k1_rand_bits(1)) {
608 secp256k1_num_negate(num);
612 void random_num_order_test(secp256k1_num *num) {
614 random_scalar_order_test(&sc);
615 secp256k1_scalar_get_num(num, &sc);
618 void random_num_order(secp256k1_num *num) {
620 random_scalar_order(&sc);
621 secp256k1_scalar_get_num(num, &sc);
624 void test_num_negate(void) {
627 random_num_order_test(&n1); /* n1 = R */
628 random_num_negate(&n1);
629 secp256k1_num_copy(&n2, &n1); /* n2 = R */
630 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
631 CHECK(secp256k1_num_is_zero(&n1));
632 secp256k1_num_copy(&n1, &n2); /* n1 = R */
633 secp256k1_num_negate(&n1); /* n1 = -R */
634 CHECK(!secp256k1_num_is_zero(&n1));
635 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
636 CHECK(secp256k1_num_is_zero(&n1));
637 secp256k1_num_copy(&n1, &n2); /* n1 = R */
638 secp256k1_num_negate(&n1); /* n1 = -R */
639 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
640 secp256k1_num_negate(&n1); /* n1 = R */
641 CHECK(secp256k1_num_eq(&n1, &n2));
644 void test_num_add_sub(void) {
649 secp256k1_num n1p2, n2p1, n1m2, n2m1;
650 random_num_order_test(&n1); /* n1 = R1 */
651 if (secp256k1_rand_bits(1)) {
652 random_num_negate(&n1);
654 random_num_order_test(&n2); /* n2 = R2 */
655 if (secp256k1_rand_bits(1)) {
656 random_num_negate(&n2);
658 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
659 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
660 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
661 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
662 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
663 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
664 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
665 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
666 CHECK(!secp256k1_num_eq(&n2m1, &n1));
667 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
668 CHECK(secp256k1_num_eq(&n2m1, &n1));
669 CHECK(!secp256k1_num_eq(&n2p1, &n1));
670 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
671 CHECK(secp256k1_num_eq(&n2p1, &n1));
674 secp256k1_scalar_set_int(&s, 1);
675 secp256k1_scalar_get_num(&n1, &s);
676 CHECK(secp256k1_num_is_one(&n1));
677 /* check that 2^n + 1 is never 1 */
678 secp256k1_scalar_get_num(&n2, &s);
679 for (i = 0; i < 250; ++i) {
680 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
681 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
682 CHECK(!secp256k1_num_is_one(&n1p2));
686 void test_num_mod(void) {
689 secp256k1_num order, n;
691 /* check that 0 mod anything is 0 */
692 random_scalar_order_test(&s);
693 secp256k1_scalar_get_num(&order, &s);
694 secp256k1_scalar_set_int(&s, 0);
695 secp256k1_scalar_get_num(&n, &s);
696 secp256k1_num_mod(&n, &order);
697 CHECK(secp256k1_num_is_zero(&n));
699 /* check that anything mod 1 is 0 */
700 secp256k1_scalar_set_int(&s, 1);
701 secp256k1_scalar_get_num(&order, &s);
702 secp256k1_scalar_get_num(&n, &s);
703 secp256k1_num_mod(&n, &order);
704 CHECK(secp256k1_num_is_zero(&n));
706 /* check that increasing the number past 2^256 does not break this */
707 random_scalar_order_test(&s);
708 secp256k1_scalar_get_num(&n, &s);
709 /* multiply by 2^8, which'll test this case with high probability */
710 for (i = 0; i < 8; ++i) {
711 secp256k1_num_add(&n, &n, &n);
713 secp256k1_num_mod(&n, &order);
714 CHECK(secp256k1_num_is_zero(&n));
717 void test_num_jacobi(void) {
718 secp256k1_scalar sqr;
719 secp256k1_scalar small;
720 secp256k1_scalar five; /* five is not a quadratic residue */
721 secp256k1_num order, n;
723 /* squares mod 5 are 1, 4 */
724 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
726 /* check some small values with 5 as the order */
727 secp256k1_scalar_set_int(&five, 5);
728 secp256k1_scalar_get_num(&order, &five);
729 for (i = 0; i < 10; ++i) {
730 secp256k1_scalar_set_int(&small, i);
731 secp256k1_scalar_get_num(&n, &small);
732 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
735 /** test large values with 5 as group order */
736 secp256k1_scalar_get_num(&order, &five);
737 /* we first need a scalar which is not a multiple of 5 */
740 random_scalar_order_test(&sqr);
741 secp256k1_scalar_get_num(&fiven, &five);
742 secp256k1_scalar_get_num(&n, &sqr);
743 secp256k1_num_mod(&n, &fiven);
744 } while (secp256k1_num_is_zero(&n));
745 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
746 * just multiply by two, i.e. add the number to itself */
747 if (secp256k1_num_jacobi(&n, &order) == -1) {
748 secp256k1_num_add(&n, &n, &n);
752 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
753 /* test nonresidue */
754 secp256k1_num_add(&n, &n, &n);
755 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
757 /** test with secp group order as order */
758 secp256k1_scalar_order_get_num(&order);
759 random_scalar_order_test(&sqr);
760 secp256k1_scalar_sqr(&sqr, &sqr);
762 secp256k1_scalar_get_num(&n, &sqr);
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_scalar_mul(&sqr, &sqr, &five);
766 secp256k1_scalar_get_num(&n, &sqr);
767 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
768 /* test multiple of the order*/
769 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
771 /* check one less than the order */
772 secp256k1_scalar_set_int(&small, 1);
773 secp256k1_scalar_get_num(&n, &small);
774 secp256k1_num_sub(&n, &order, &n);
775 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
778 void run_num_smalltests(void) {
780 for (i = 0; i < 100*count; i++) {
789 /***** SCALAR TESTS *****/
791 void scalar_test(void) {
796 secp256k1_num snum, s1num, s2num;
797 secp256k1_num order, half_order;
801 /* Set 's' to a random scalar, with value 'snum'. */
802 random_scalar_order_test(&s);
804 /* Set 's1' to a random scalar, with value 's1num'. */
805 random_scalar_order_test(&s1);
807 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
808 random_scalar_order_test(&s2);
809 secp256k1_scalar_get_b32(c, &s2);
812 secp256k1_scalar_get_num(&snum, &s);
813 secp256k1_scalar_get_num(&s1num, &s1);
814 secp256k1_scalar_get_num(&s2num, &s2);
816 secp256k1_scalar_order_get_num(&order);
818 secp256k1_num_shift(&half_order, 1);
823 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
825 secp256k1_scalar_set_int(&n, 0);
826 for (i = 0; i < 256; i += 4) {
829 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
830 for (j = 0; j < 4; j++) {
831 secp256k1_scalar_add(&n, &n, &n);
833 secp256k1_scalar_add(&n, &n, &t);
835 CHECK(secp256k1_scalar_eq(&n, &s));
839 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
842 secp256k1_scalar_set_int(&n, 0);
846 int now = secp256k1_rand_int(15) + 1;
850 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
851 for (j = 0; j < now; j++) {
852 secp256k1_scalar_add(&n, &n, &n);
854 secp256k1_scalar_add(&n, &n, &t);
857 CHECK(secp256k1_scalar_eq(&n, &s));
862 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
866 secp256k1_num_add(&rnum, &snum, &s2num);
867 secp256k1_num_mod(&rnum, &order);
868 secp256k1_scalar_add(&r, &s, &s2);
869 secp256k1_scalar_get_num(&r2num, &r);
870 CHECK(secp256k1_num_eq(&rnum, &r2num));
874 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
878 secp256k1_num_mul(&rnum, &snum, &s2num);
879 secp256k1_num_mod(&rnum, &order);
880 secp256k1_scalar_mul(&r, &s, &s2);
881 secp256k1_scalar_get_num(&r2num, &r);
882 CHECK(secp256k1_num_eq(&rnum, &r2num));
883 /* The result can only be zero if at least one of the factors was zero. */
884 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
885 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
886 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
887 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
891 secp256k1_scalar neg;
892 secp256k1_num negnum;
893 secp256k1_num negnum2;
894 /* Check that comparison with zero matches comparison with zero on the number. */
895 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
896 /* Check that comparison with the half order is equal to testing for high scalar. */
897 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
898 secp256k1_scalar_negate(&neg, &s);
899 secp256k1_num_sub(&negnum, &order, &snum);
900 secp256k1_num_mod(&negnum, &order);
901 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
902 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
903 /* Negating should change the high property, unless the value was already zero. */
904 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
905 secp256k1_scalar_get_num(&negnum2, &neg);
906 /* Negating a scalar should be equal to (order - n) mod order on the number. */
907 CHECK(secp256k1_num_eq(&negnum, &negnum2));
908 secp256k1_scalar_add(&neg, &neg, &s);
909 /* Adding a number to its negation should result in zero. */
910 CHECK(secp256k1_scalar_is_zero(&neg));
911 secp256k1_scalar_negate(&neg, &neg);
912 /* Negating zero should still result in zero. */
913 CHECK(secp256k1_scalar_is_zero(&neg));
917 /* Test secp256k1_scalar_mul_shift_var. */
922 unsigned char cone[1] = {0x01};
923 unsigned int shift = 256 + secp256k1_rand_int(257);
924 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
925 secp256k1_num_mul(&rnum, &s1num, &s2num);
926 secp256k1_num_shift(&rnum, shift - 1);
927 secp256k1_num_set_bin(&one, cone, 1);
928 secp256k1_num_add(&rnum, &rnum, &one);
929 secp256k1_num_shift(&rnum, 1);
930 secp256k1_scalar_get_num(&rnum2, &r);
931 CHECK(secp256k1_num_eq(&rnum, &rnum2));
935 /* test secp256k1_scalar_shr_int */
938 random_scalar_order_test(&r);
939 for (i = 0; i < 100; ++i) {
941 int shift = 1 + secp256k1_rand_int(15);
942 int expected = r.d[0] % (1 << shift);
943 low = secp256k1_scalar_shr_int(&r, shift);
944 CHECK(expected == low);
950 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
951 if (!secp256k1_scalar_is_zero(&s)) {
952 secp256k1_scalar inv;
954 secp256k1_num invnum;
955 secp256k1_num invnum2;
957 secp256k1_scalar_inverse(&inv, &s);
959 secp256k1_num_mod_inverse(&invnum, &snum, &order);
960 secp256k1_scalar_get_num(&invnum2, &inv);
961 CHECK(secp256k1_num_eq(&invnum, &invnum2));
963 secp256k1_scalar_mul(&inv, &inv, &s);
964 /* Multiplying a scalar with its inverse must result in one. */
965 CHECK(secp256k1_scalar_is_one(&inv));
966 secp256k1_scalar_inverse(&inv, &inv);
967 /* Inverting one must result in one. */
968 CHECK(secp256k1_scalar_is_one(&inv));
970 secp256k1_scalar_get_num(&invnum, &inv);
971 CHECK(secp256k1_num_is_one(&invnum));
977 /* Test commutativity of add. */
978 secp256k1_scalar r1, r2;
979 secp256k1_scalar_add(&r1, &s1, &s2);
980 secp256k1_scalar_add(&r2, &s2, &s1);
981 CHECK(secp256k1_scalar_eq(&r1, &r2));
985 secp256k1_scalar r1, r2;
989 int bit = secp256k1_rand_bits(8);
990 secp256k1_scalar_set_int(&b, 1);
991 CHECK(secp256k1_scalar_is_one(&b));
992 for (i = 0; i < bit; i++) {
993 secp256k1_scalar_add(&b, &b, &b);
997 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
998 /* No overflow happened. */
999 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1000 CHECK(secp256k1_scalar_eq(&r1, &r2));
1001 /* cadd is a noop when flag is zero */
1002 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1003 CHECK(secp256k1_scalar_eq(&r1, &r2));
1008 /* Test commutativity of mul. */
1009 secp256k1_scalar r1, r2;
1010 secp256k1_scalar_mul(&r1, &s1, &s2);
1011 secp256k1_scalar_mul(&r2, &s2, &s1);
1012 CHECK(secp256k1_scalar_eq(&r1, &r2));
1016 /* Test associativity of add. */
1017 secp256k1_scalar r1, r2;
1018 secp256k1_scalar_add(&r1, &s1, &s2);
1019 secp256k1_scalar_add(&r1, &r1, &s);
1020 secp256k1_scalar_add(&r2, &s2, &s);
1021 secp256k1_scalar_add(&r2, &s1, &r2);
1022 CHECK(secp256k1_scalar_eq(&r1, &r2));
1026 /* Test associativity of mul. */
1027 secp256k1_scalar r1, r2;
1028 secp256k1_scalar_mul(&r1, &s1, &s2);
1029 secp256k1_scalar_mul(&r1, &r1, &s);
1030 secp256k1_scalar_mul(&r2, &s2, &s);
1031 secp256k1_scalar_mul(&r2, &s1, &r2);
1032 CHECK(secp256k1_scalar_eq(&r1, &r2));
1036 /* Test distributitivity of mul over add. */
1037 secp256k1_scalar r1, r2, t;
1038 secp256k1_scalar_add(&r1, &s1, &s2);
1039 secp256k1_scalar_mul(&r1, &r1, &s);
1040 secp256k1_scalar_mul(&r2, &s1, &s);
1041 secp256k1_scalar_mul(&t, &s2, &s);
1042 secp256k1_scalar_add(&r2, &r2, &t);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
1048 secp256k1_scalar r1, r2;
1049 secp256k1_scalar_sqr(&r1, &s1);
1050 secp256k1_scalar_mul(&r2, &s1, &s1);
1051 CHECK(secp256k1_scalar_eq(&r1, &r2));
1055 /* Test multiplicative identity. */
1056 secp256k1_scalar r1, v1;
1057 secp256k1_scalar_set_int(&v1,1);
1058 secp256k1_scalar_mul(&r1, &s1, &v1);
1059 CHECK(secp256k1_scalar_eq(&r1, &s1));
1063 /* Test additive identity. */
1064 secp256k1_scalar r1, v0;
1065 secp256k1_scalar_set_int(&v0,0);
1066 secp256k1_scalar_add(&r1, &s1, &v0);
1067 CHECK(secp256k1_scalar_eq(&r1, &s1));
1071 /* Test zero product property. */
1072 secp256k1_scalar r1, v0;
1073 secp256k1_scalar_set_int(&v0,0);
1074 secp256k1_scalar_mul(&r1, &s1, &v0);
1075 CHECK(secp256k1_scalar_eq(&r1, &v0));
1080 void run_scalar_tests(void) {
1082 for (i = 0; i < 128 * count; i++) {
1087 /* (-1)+1 should be zero. */
1088 secp256k1_scalar s, o;
1089 secp256k1_scalar_set_int(&s, 1);
1090 CHECK(secp256k1_scalar_is_one(&s));
1091 secp256k1_scalar_negate(&o, &s);
1092 secp256k1_scalar_add(&o, &o, &s);
1093 CHECK(secp256k1_scalar_is_zero(&o));
1094 secp256k1_scalar_negate(&o, &o);
1095 CHECK(secp256k1_scalar_is_zero(&o));
1098 #ifndef USE_NUM_NONE
1100 /* A scalar with value of the curve order should be 0. */
1101 secp256k1_num order;
1102 secp256k1_scalar zero;
1103 unsigned char bin[32];
1105 secp256k1_scalar_order_get_num(&order);
1106 secp256k1_num_get_bin(bin, 32, &order);
1107 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1108 CHECK(overflow == 1);
1109 CHECK(secp256k1_scalar_is_zero(&zero));
1114 /* Does check_overflow check catch all ones? */
1115 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1116 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1117 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1119 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1123 /* Static test vectors.
1124 * These were reduced from ~10^12 random vectors based on comparison-decision
1125 * and edge-case coverage on 32-bit and 64-bit implementations.
1126 * The responses were generated with Sage 5.9.
1131 secp256k1_scalar zz;
1132 secp256k1_scalar one;
1133 secp256k1_scalar r1;
1134 secp256k1_scalar r2;
1135 #if defined(USE_SCALAR_INV_NUM)
1136 secp256k1_scalar zzv;
1139 unsigned char chal[33][2][32] = {
1140 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1143 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1148 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1149 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1152 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1154 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1155 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1156 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1158 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1159 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1160 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1161 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1163 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1164 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1168 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1169 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1170 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1171 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1172 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1173 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1174 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1176 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1177 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1179 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1180 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1181 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1182 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1183 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1184 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1185 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1186 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1188 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1189 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1190 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1191 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1192 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1196 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1197 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1198 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1200 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1201 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1204 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1205 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1208 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1212 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1215 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1216 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1217 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1218 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1220 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1221 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1223 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1224 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1228 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1229 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1231 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1234 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1240 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1241 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1242 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1243 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1244 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1248 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1250 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1252 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1253 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1256 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1260 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1262 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1264 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1267 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1270 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1271 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1272 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1273 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1274 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1276 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1278 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1280 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1281 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1283 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1284 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1286 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1288 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1290 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1291 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1292 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1293 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1294 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1296 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1297 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1298 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1300 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1304 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1306 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1307 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1308 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1312 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1316 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1320 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1322 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1324 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1325 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1328 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1329 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1331 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1332 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1335 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1336 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1340 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1342 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1343 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1344 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1348 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1349 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1350 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1351 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1352 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1354 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1355 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1356 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1357 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1358 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1359 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1360 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1361 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1364 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1365 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1366 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1368 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1370 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1371 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1372 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1373 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1374 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1376 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1377 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1378 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1380 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1381 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1383 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1384 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1386 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1387 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1388 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1389 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1390 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1391 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1392 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1394 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1395 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1396 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1397 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1398 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1399 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1400 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1401 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1402 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1403 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1405 unsigned char res[33][2][32] = {
1406 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1407 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1408 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1409 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1410 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1411 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1412 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1413 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1414 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1415 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1416 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1417 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1418 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1419 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1420 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1421 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1422 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1423 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1424 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1425 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1426 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1427 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1428 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1429 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1430 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1431 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1432 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1433 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1434 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1435 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1436 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1437 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1438 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1439 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1440 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1441 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1442 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1443 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1444 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1445 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1446 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1447 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1448 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1449 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1450 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1451 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1452 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1453 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1454 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1455 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1456 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1457 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1458 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1459 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1460 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1461 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1462 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1463 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1464 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1465 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1466 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1467 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1468 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1469 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1470 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1471 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1472 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1473 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1474 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1475 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1476 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1477 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1478 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1479 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1480 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1481 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1482 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1483 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1484 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1485 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1486 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1487 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1488 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1489 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1490 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1491 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1492 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1493 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1494 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1495 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1496 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1497 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1498 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1499 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1500 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1501 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1502 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1503 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1504 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1505 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1506 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1507 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1508 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1509 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1510 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1511 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1512 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1513 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1514 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1515 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1516 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1517 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1518 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1519 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1520 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1521 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1522 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1523 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1524 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1525 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1526 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1527 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1528 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1529 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1530 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1531 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1532 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1533 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1534 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1535 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1536 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1537 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1538 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1539 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1540 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1541 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1542 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1543 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1544 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1545 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1546 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1547 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1548 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1549 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1550 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1551 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1552 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1553 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1554 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1555 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1556 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1557 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1558 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1559 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1560 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1561 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1562 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1563 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1564 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1565 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1566 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1570 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1574 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1578 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1582 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1583 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1584 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1585 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1586 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1587 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1588 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1589 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1590 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1591 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1592 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1593 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1594 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1595 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1596 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1597 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1598 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1600 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1601 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1602 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1603 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1604 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1605 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1606 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1608 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1609 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1610 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1614 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1615 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1616 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1617 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1618 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1619 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1620 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1621 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1622 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1623 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1624 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1625 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1626 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1627 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1628 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1629 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1630 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1631 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1632 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1633 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1634 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1635 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1636 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1637 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1638 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1639 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1640 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1641 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1642 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1643 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1644 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1645 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1646 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1647 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1648 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1649 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1650 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1651 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1652 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1653 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1654 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1655 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1656 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1657 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1658 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1659 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1660 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1661 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1662 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1663 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1664 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1665 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1666 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1667 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1668 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1669 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1671 secp256k1_scalar_set_int(&one, 1);
1672 for (i = 0; i < 33; i++) {
1673 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1675 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1677 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1679 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1681 secp256k1_scalar_mul(&z, &x, &y);
1682 CHECK(!secp256k1_scalar_check_overflow(&z));
1683 CHECK(secp256k1_scalar_eq(&r1, &z));
1684 if (!secp256k1_scalar_is_zero(&y)) {
1685 secp256k1_scalar_inverse(&zz, &y);
1686 CHECK(!secp256k1_scalar_check_overflow(&zz));
1687 #if defined(USE_SCALAR_INV_NUM)
1688 secp256k1_scalar_inverse_var(&zzv, &y);
1689 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1691 secp256k1_scalar_mul(&z, &z, &zz);
1692 CHECK(!secp256k1_scalar_check_overflow(&z));
1693 CHECK(secp256k1_scalar_eq(&x, &z));
1694 secp256k1_scalar_mul(&zz, &zz, &y);
1695 CHECK(!secp256k1_scalar_check_overflow(&zz));
1696 CHECK(secp256k1_scalar_eq(&one, &zz));
1698 secp256k1_scalar_mul(&z, &x, &x);
1699 CHECK(!secp256k1_scalar_check_overflow(&z));
1700 secp256k1_scalar_sqr(&zz, &x);
1701 CHECK(!secp256k1_scalar_check_overflow(&zz));
1702 CHECK(secp256k1_scalar_eq(&zz, &z));
1703 CHECK(secp256k1_scalar_eq(&r2, &zz));
1708 /***** FIELD TESTS *****/
1710 void random_fe(secp256k1_fe *x) {
1711 unsigned char bin[32];
1713 secp256k1_rand256(bin);
1714 if (secp256k1_fe_set_b32(x, bin)) {
1720 void random_fe_test(secp256k1_fe *x) {
1721 unsigned char bin[32];
1723 secp256k1_rand256_test(bin);
1724 if (secp256k1_fe_set_b32(x, bin)) {
1730 void random_fe_non_zero(secp256k1_fe *nz) {
1732 while (--tries >= 0) {
1734 secp256k1_fe_normalize(nz);
1735 if (!secp256k1_fe_is_zero(nz)) {
1739 /* Infinitesimal probability of spurious failure here */
1743 void random_fe_non_square(secp256k1_fe *ns) {
1745 random_fe_non_zero(ns);
1746 if (secp256k1_fe_sqrt(&r, ns)) {
1747 secp256k1_fe_negate(ns, ns, 1);
1751 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1752 secp256k1_fe an = *a;
1753 secp256k1_fe bn = *b;
1754 secp256k1_fe_normalize_weak(&an);
1755 secp256k1_fe_normalize_var(&bn);
1756 return secp256k1_fe_equal_var(&an, &bn);
1759 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1761 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1762 secp256k1_fe_mul(&x, a, ai);
1763 return check_fe_equal(&x, &one);
1766 void run_field_convert(void) {
1767 static const unsigned char b32[32] = {
1768 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1769 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1770 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1771 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1773 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1774 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1775 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1777 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1778 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1779 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1782 unsigned char b322[32];
1783 secp256k1_fe_storage fes2;
1784 /* Check conversions to fe. */
1785 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1786 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1787 secp256k1_fe_from_storage(&fe2, &fes);
1788 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1789 /* Check conversion from fe. */
1790 secp256k1_fe_get_b32(b322, &fe);
1791 CHECK(memcmp(b322, b32, 32) == 0);
1792 secp256k1_fe_to_storage(&fes2, &fe);
1793 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1796 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1797 secp256k1_fe t = *b;
1799 t.magnitude = a->magnitude;
1800 t.normalized = a->normalized;
1802 return memcmp(a, &t, sizeof(secp256k1_fe));
1805 void run_field_misc(void) {
1810 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1812 for (i = 0; i < 5*count; i++) {
1813 secp256k1_fe_storage xs, ys, zs;
1815 random_fe_non_zero(&y);
1816 /* Test the fe equality and comparison operations. */
1817 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1818 CHECK(secp256k1_fe_equal_var(&x, &x));
1820 secp256k1_fe_add(&z,&y);
1821 /* Test fe conditional move; z is not normalized here. */
1823 secp256k1_fe_cmov(&x, &z, 0);
1825 CHECK(!x.normalized && x.magnitude == z.magnitude);
1827 secp256k1_fe_cmov(&x, &x, 1);
1828 CHECK(fe_memcmp(&x, &z) != 0);
1829 CHECK(fe_memcmp(&x, &q) == 0);
1830 secp256k1_fe_cmov(&q, &z, 1);
1832 CHECK(!q.normalized && q.magnitude == z.magnitude);
1834 CHECK(fe_memcmp(&q, &z) == 0);
1835 secp256k1_fe_normalize_var(&x);
1836 secp256k1_fe_normalize_var(&z);
1837 CHECK(!secp256k1_fe_equal_var(&x, &z));
1838 secp256k1_fe_normalize_var(&q);
1839 secp256k1_fe_cmov(&q, &z, (i&1));
1841 CHECK(q.normalized && q.magnitude == 1);
1843 for (j = 0; j < 6; j++) {
1844 secp256k1_fe_negate(&z, &z, j+1);
1845 secp256k1_fe_normalize_var(&q);
1846 secp256k1_fe_cmov(&q, &z, (j&1));
1848 CHECK(!q.normalized && q.magnitude == (j+2));
1851 secp256k1_fe_normalize_var(&z);
1852 /* Test storage conversion and conditional moves. */
1853 secp256k1_fe_to_storage(&xs, &x);
1854 secp256k1_fe_to_storage(&ys, &y);
1855 secp256k1_fe_to_storage(&zs, &z);
1856 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1857 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1858 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1859 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1860 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1861 secp256k1_fe_from_storage(&x, &xs);
1862 secp256k1_fe_from_storage(&y, &ys);
1863 secp256k1_fe_from_storage(&z, &zs);
1864 /* Test that mul_int, mul, and add agree. */
1865 secp256k1_fe_add(&y, &x);
1866 secp256k1_fe_add(&y, &x);
1868 secp256k1_fe_mul_int(&z, 3);
1869 CHECK(check_fe_equal(&y, &z));
1870 secp256k1_fe_add(&y, &x);
1871 secp256k1_fe_add(&z, &x);
1872 CHECK(check_fe_equal(&z, &y));
1874 secp256k1_fe_mul_int(&z, 5);
1875 secp256k1_fe_mul(&q, &x, &fe5);
1876 CHECK(check_fe_equal(&z, &q));
1877 secp256k1_fe_negate(&x, &x, 1);
1878 secp256k1_fe_add(&z, &x);
1879 secp256k1_fe_add(&q, &x);
1880 CHECK(check_fe_equal(&y, &z));
1881 CHECK(check_fe_equal(&q, &y));
1885 void run_field_inv(void) {
1886 secp256k1_fe x, xi, xii;
1888 for (i = 0; i < 10*count; i++) {
1889 random_fe_non_zero(&x);
1890 secp256k1_fe_inv(&xi, &x);
1891 CHECK(check_fe_inverse(&x, &xi));
1892 secp256k1_fe_inv(&xii, &xi);
1893 CHECK(check_fe_equal(&x, &xii));
1897 void run_field_inv_var(void) {
1898 secp256k1_fe x, xi, xii;
1900 for (i = 0; i < 10*count; i++) {
1901 random_fe_non_zero(&x);
1902 secp256k1_fe_inv_var(&xi, &x);
1903 CHECK(check_fe_inverse(&x, &xi));
1904 secp256k1_fe_inv_var(&xii, &xi);
1905 CHECK(check_fe_equal(&x, &xii));
1909 void run_field_inv_all_var(void) {
1910 secp256k1_fe x[16], xi[16], xii[16];
1912 /* Check it's safe to call for 0 elements */
1913 secp256k1_fe_inv_all_var(xi, x, 0);
1914 for (i = 0; i < count; i++) {
1916 size_t len = secp256k1_rand_int(15) + 1;
1917 for (j = 0; j < len; j++) {
1918 random_fe_non_zero(&x[j]);
1920 secp256k1_fe_inv_all_var(xi, x, len);
1921 for (j = 0; j < len; j++) {
1922 CHECK(check_fe_inverse(&x[j], &xi[j]));
1924 secp256k1_fe_inv_all_var(xii, xi, len);
1925 for (j = 0; j < len; j++) {
1926 CHECK(check_fe_equal(&x[j], &xii[j]));
1931 void run_sqr(void) {
1936 secp256k1_fe_set_int(&x, 1);
1937 secp256k1_fe_negate(&x, &x, 1);
1939 for (i = 1; i <= 512; ++i) {
1940 secp256k1_fe_mul_int(&x, 2);
1941 secp256k1_fe_normalize(&x);
1942 secp256k1_fe_sqr(&s, &x);
1947 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1948 secp256k1_fe r1, r2;
1949 int v = secp256k1_fe_sqrt(&r1, a);
1950 CHECK((v == 0) == (k == NULL));
1953 /* Check that the returned root is +/- the given known answer */
1954 secp256k1_fe_negate(&r2, &r1, 1);
1955 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1956 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1957 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1961 void run_sqrt(void) {
1962 secp256k1_fe ns, x, s, t;
1965 /* Check sqrt(0) is 0 */
1966 secp256k1_fe_set_int(&x, 0);
1967 secp256k1_fe_sqr(&s, &x);
1970 /* Check sqrt of small squares (and their negatives) */
1971 for (i = 1; i <= 100; i++) {
1972 secp256k1_fe_set_int(&x, i);
1973 secp256k1_fe_sqr(&s, &x);
1975 secp256k1_fe_negate(&t, &s, 1);
1976 test_sqrt(&t, NULL);
1979 /* Consistency checks for large random values */
1980 for (i = 0; i < 10; i++) {
1982 random_fe_non_square(&ns);
1983 for (j = 0; j < count; j++) {
1985 secp256k1_fe_sqr(&s, &x);
1987 secp256k1_fe_negate(&t, &s, 1);
1988 test_sqrt(&t, NULL);
1989 secp256k1_fe_mul(&t, &s, &ns);
1990 test_sqrt(&t, NULL);
1995 /***** GROUP TESTS *****/
1997 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1998 CHECK(a->infinity == b->infinity);
2002 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2003 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2006 /* This compares jacobian points including their Z, not just their geometric meaning. */
2007 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2011 ret &= a->infinity == b->infinity;
2012 if (ret && !a->infinity) {
2015 secp256k1_fe_normalize(&a2.x);
2016 secp256k1_fe_normalize(&a2.y);
2017 secp256k1_fe_normalize(&a2.z);
2018 secp256k1_fe_normalize(&b2.x);
2019 secp256k1_fe_normalize(&b2.y);
2020 secp256k1_fe_normalize(&b2.z);
2021 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2022 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2023 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2028 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2030 secp256k1_fe u1, u2, s1, s2;
2031 CHECK(a->infinity == b->infinity);
2035 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2036 secp256k1_fe_sqr(&z2s, &b->z);
2037 secp256k1_fe_mul(&u1, &a->x, &z2s);
2038 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2039 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2040 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2041 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2042 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2045 void test_ge(void) {
2047 #ifdef USE_ENDOMORPHISM
2052 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2053 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2054 * All magnitudes are randomized.
2055 * All 17*17 combinations of points are added to each other, using all applicable methods.
2057 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
2059 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2060 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2061 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2063 secp256k1_fe zfi2, zfi3;
2065 secp256k1_gej_set_infinity(&gej[0]);
2066 secp256k1_ge_clear(&ge[0]);
2067 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2068 for (i = 0; i < runs; i++) {
2071 random_group_element_test(&g);
2072 #ifdef USE_ENDOMORPHISM
2073 if (i >= runs - 2) {
2074 secp256k1_ge_mul_lambda(&g, &ge[1]);
2076 if (i >= runs - 1) {
2077 secp256k1_ge_mul_lambda(&g, &g);
2082 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2083 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2084 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2085 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2086 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2087 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2088 for (j = 0; j < 4; j++) {
2089 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2090 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2091 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2092 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2093 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2097 /* Compute z inverses. */
2099 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2100 for (i = 0; i < 4 * runs + 1; i++) {
2102 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2104 random_field_element_test(&zs[i]);
2105 } while(secp256k1_fe_is_zero(&zs[i]));
2110 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2114 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2116 random_field_element_test(&zf);
2117 } while(secp256k1_fe_is_zero(&zf));
2118 random_field_element_magnitude(&zf);
2119 secp256k1_fe_inv_var(&zfi3, &zf);
2120 secp256k1_fe_sqr(&zfi2, &zfi3);
2121 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2123 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2125 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2126 /* Compute reference result using gej + gej (var). */
2127 secp256k1_gej refj, resj;
2130 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2131 /* Check Z ratio. */
2132 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2133 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2134 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2136 secp256k1_ge_set_gej_var(&ref, &refj);
2138 /* Test gej + ge with Z ratio result (var). */
2139 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2140 ge_equals_gej(&ref, &resj);
2141 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2142 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2143 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2146 /* Test gej + ge (var, with additional Z factor). */
2148 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2149 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2150 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2151 random_field_element_magnitude(&ge2_zfi.x);
2152 random_field_element_magnitude(&ge2_zfi.y);
2153 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2154 ge_equals_gej(&ref, &resj);
2157 /* Test gej + ge (const). */
2159 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2160 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2161 ge_equals_gej(&ref, &resj);
2164 /* Test doubling (var). */
2165 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2167 /* Normal doubling with Z ratio result. */
2168 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2169 ge_equals_gej(&ref, &resj);
2170 /* Check Z ratio. */
2171 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2172 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2173 /* Normal doubling. */
2174 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2175 ge_equals_gej(&ref, &resj);
2178 /* Test adding opposites. */
2179 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2180 CHECK(secp256k1_ge_is_infinity(&ref));
2183 /* Test adding infinity. */
2185 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2186 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2187 ge_equals_gej(&ref, &gej[i2]);
2190 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2191 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2192 ge_equals_gej(&ref, &gej[i1]);
2197 /* Test adding all points together in random order equals infinity. */
2199 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2200 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2201 for (i = 0; i < 4 * runs + 1; i++) {
2202 gej_shuffled[i] = gej[i];
2204 for (i = 0; i < 4 * runs + 1; i++) {
2205 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2207 secp256k1_gej t = gej_shuffled[i];
2208 gej_shuffled[i] = gej_shuffled[swap];
2209 gej_shuffled[swap] = t;
2212 for (i = 0; i < 4 * runs + 1; i++) {
2213 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2215 CHECK(secp256k1_gej_is_infinity(&sum));
2219 /* Test batch gej -> ge conversion with and without known z ratios. */
2221 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2222 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2223 for (i = 0; i < 4 * runs + 1; i++) {
2224 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2226 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2229 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2230 for (i = 0; i < 4 * runs + 1; i++) {
2232 random_fe_non_zero(&s);
2233 secp256k1_gej_rescale(&gej[i], &s);
2234 ge_equals_gej(&ge_set_all[i], &gej[i]);
2240 /* Test batch gej -> ge conversion with many infinities. */
2241 for (i = 0; i < 4 * runs + 1; i++) {
2242 random_group_element_test(&ge[i]);
2243 /* randomly set half the points to infinitiy */
2244 if(secp256k1_fe_is_odd(&ge[i].x)) {
2245 secp256k1_ge_set_infinity(&ge[i]);
2247 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2250 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2252 for (i = 0; i < 4 * runs + 1; i++) {
2253 ge_equals_gej(&ge[i], &gej[i]);
2261 void test_add_neg_y_diff_x(void) {
2262 /* The point of this test is to check that we can add two points
2263 * whose y-coordinates are negatives of each other but whose x
2264 * coordinates differ. If the x-coordinates were the same, these
2265 * points would be negatives of each other and their sum is
2266 * infinity. This is cool because it "covers up" any degeneracy
2267 * in the addition algorithm that would cause the xy coordinates
2268 * of the sum to be wrong (since infinity has no xy coordinates).
2269 * HOWEVER, if the x-coordinates are different, infinity is the
2270 * wrong answer, and such degeneracies are exposed. This is the
2271 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2272 * which this test is a regression test for.
2274 * These points were generated in sage as
2275 * # secp256k1 params
2276 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2277 * C = EllipticCurve ([F (0), F (7)])
2278 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2279 * N = FiniteField(G.order())
2281 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2283 * lam = (1 - x^3).roots()[1][0]
2285 * # random "bad pair"
2286 * P = C.random_element()
2288 * print " P: %x %x" % P.xy()
2289 * print " Q: %x %x" % Q.xy()
2290 * print "P + Q: %x %x" % (P + Q).xy()
2292 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2293 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2294 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2295 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2296 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2298 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2299 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2300 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2301 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2302 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2304 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2305 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2306 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2307 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2308 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2313 secp256k1_ge_set_gej(&b, &bj);
2315 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2316 secp256k1_ge_set_gej(&res, &resj);
2317 ge_equals_gej(&res, &sumj);
2319 secp256k1_gej_add_ge(&resj, &aj, &b);
2320 secp256k1_ge_set_gej(&res, &resj);
2321 ge_equals_gej(&res, &sumj);
2323 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2324 secp256k1_ge_set_gej(&res, &resj);
2325 ge_equals_gej(&res, &sumj);
2330 for (i = 0; i < count * 32; i++) {
2333 test_add_neg_y_diff_x();
2336 void test_ec_combine(void) {
2337 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2338 secp256k1_pubkey data[6];
2339 const secp256k1_pubkey* d[6];
2340 secp256k1_pubkey sd;
2341 secp256k1_pubkey sd2;
2345 for (i = 1; i <= 6; i++) {
2347 random_scalar_order_test(&s);
2348 secp256k1_scalar_add(&sum, &sum, &s);
2349 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2350 secp256k1_ge_set_gej(&Q, &Qj);
2351 secp256k1_pubkey_save(&data[i - 1], &Q);
2352 d[i - 1] = &data[i - 1];
2353 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2354 secp256k1_ge_set_gej(&Q, &Qj);
2355 secp256k1_pubkey_save(&sd, &Q);
2356 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2357 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2361 void run_ec_combine(void) {
2363 for (i = 0; i < count * 8; i++) {
2368 void test_group_decompress(const secp256k1_fe* x) {
2369 /* The input itself, normalized. */
2370 secp256k1_fe fex = *x;
2372 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2373 secp256k1_ge ge_quad, ge_even, ge_odd;
2374 secp256k1_gej gej_quad;
2375 /* Return values of the above calls. */
2376 int res_quad, res_even, res_odd;
2378 secp256k1_fe_normalize_var(&fex);
2380 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2381 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2382 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2384 CHECK(res_quad == res_even);
2385 CHECK(res_quad == res_odd);
2388 secp256k1_fe_normalize_var(&ge_quad.x);
2389 secp256k1_fe_normalize_var(&ge_odd.x);
2390 secp256k1_fe_normalize_var(&ge_even.x);
2391 secp256k1_fe_normalize_var(&ge_quad.y);
2392 secp256k1_fe_normalize_var(&ge_odd.y);
2393 secp256k1_fe_normalize_var(&ge_even.y);
2395 /* No infinity allowed. */
2396 CHECK(!ge_quad.infinity);
2397 CHECK(!ge_even.infinity);
2398 CHECK(!ge_odd.infinity);
2400 /* Check that the x coordinates check out. */
2401 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2402 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2403 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2405 /* Check that the Y coordinate result in ge_quad is a square. */
2406 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2408 /* Check odd/even Y in ge_odd, ge_even. */
2409 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2410 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2412 /* Check secp256k1_gej_has_quad_y_var. */
2413 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2414 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2416 random_fe_test(&fez);
2417 } while (secp256k1_fe_is_zero(&fez));
2418 secp256k1_gej_rescale(&gej_quad, &fez);
2419 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2420 secp256k1_gej_neg(&gej_quad, &gej_quad);
2421 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2423 random_fe_test(&fez);
2424 } while (secp256k1_fe_is_zero(&fez));
2425 secp256k1_gej_rescale(&gej_quad, &fez);
2426 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2427 secp256k1_gej_neg(&gej_quad, &gej_quad);
2428 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2432 void run_group_decompress(void) {
2434 for (i = 0; i < count * 4; i++) {
2436 random_fe_test(&fe);
2437 test_group_decompress(&fe);
2441 /***** ECMULT TESTS *****/
2443 void run_ecmult_chain(void) {
2444 /* random starting point A (on the curve) */
2445 secp256k1_gej a = SECP256K1_GEJ_CONST(
2446 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2447 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2448 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2449 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2451 /* two random initial factors xn and gn */
2452 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2453 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2454 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2456 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2457 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2458 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2460 /* two small multipliers to be applied to xn and gn in every iteration: */
2461 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2462 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2463 /* accumulators with the resulting coefficients to A and G */
2464 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2465 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2471 /* the point being computed */
2473 for (i = 0; i < 200*count; i++) {
2474 /* in each iteration, compute X = xn*X + gn*G; */
2475 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2476 /* also compute ae and ge: the actual accumulated factors for A and G */
2477 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2478 secp256k1_scalar_mul(&ae, &ae, &xn);
2479 secp256k1_scalar_mul(&ge, &ge, &xn);
2480 secp256k1_scalar_add(&ge, &ge, &gn);
2481 /* modify xn and gn */
2482 secp256k1_scalar_mul(&xn, &xn, &xf);
2483 secp256k1_scalar_mul(&gn, &gn, &gf);
2487 /* expected result after 19999 iterations */
2488 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2489 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2490 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2491 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2492 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2495 secp256k1_gej_neg(&rp, &rp);
2496 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2497 CHECK(secp256k1_gej_is_infinity(&rp));
2500 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2501 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2502 secp256k1_gej_neg(&x2, &x2);
2503 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2504 CHECK(secp256k1_gej_is_infinity(&x2));
2507 void test_point_times_order(const secp256k1_gej *point) {
2508 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2510 secp256k1_scalar nx;
2511 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2512 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2513 secp256k1_gej res1, res2;
2515 unsigned char pub[65];
2517 random_scalar_order_test(&x);
2518 secp256k1_scalar_negate(&nx, &x);
2519 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2520 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2521 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2522 CHECK(secp256k1_gej_is_infinity(&res1));
2523 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2524 secp256k1_ge_set_gej(&res3, &res1);
2525 CHECK(secp256k1_ge_is_infinity(&res3));
2526 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2527 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2529 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2530 /* check zero/one edge cases */
2531 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2532 secp256k1_ge_set_gej(&res3, &res1);
2533 CHECK(secp256k1_ge_is_infinity(&res3));
2534 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2535 secp256k1_ge_set_gej(&res3, &res1);
2536 ge_equals_gej(&res3, point);
2537 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2538 secp256k1_ge_set_gej(&res3, &res1);
2539 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2542 void run_point_times_order(void) {
2544 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2545 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2546 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2547 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2549 for (i = 0; i < 500; i++) {
2551 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2553 CHECK(secp256k1_ge_is_valid_var(&p));
2554 secp256k1_gej_set_ge(&j, &p);
2555 CHECK(secp256k1_gej_is_valid_var(&j));
2556 test_point_times_order(&j);
2558 secp256k1_fe_sqr(&x, &x);
2560 secp256k1_fe_normalize_var(&x);
2561 CHECK(secp256k1_fe_equal_var(&x, &xr));
2564 void ecmult_const_random_mult(void) {
2565 /* random starting point A (on the curve) */
2566 secp256k1_ge a = SECP256K1_GE_CONST(
2567 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2568 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2569 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2570 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2572 /* random initial factor xn */
2573 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2574 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2575 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2577 /* expected xn * A (from sage) */
2578 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2579 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2580 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2581 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2582 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2585 secp256k1_ecmult_const(&b, &a, &xn, 256);
2587 CHECK(secp256k1_ge_is_valid_var(&a));
2588 ge_equals_gej(&expected_b, &b);
2591 void ecmult_const_commutativity(void) {
2598 random_scalar_order_test(&a);
2599 random_scalar_order_test(&b);
2601 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2602 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2603 secp256k1_ge_set_gej(&mid1, &res1);
2604 secp256k1_ge_set_gej(&mid2, &res2);
2605 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2606 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2607 secp256k1_ge_set_gej(&mid1, &res1);
2608 secp256k1_ge_set_gej(&mid2, &res2);
2609 ge_equals_ge(&mid1, &mid2);
2612 void ecmult_const_mult_zero_one(void) {
2613 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2614 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2615 secp256k1_scalar negone;
2619 secp256k1_scalar_negate(&negone, &one);
2621 random_group_element_test(&point);
2622 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2623 secp256k1_ge_set_gej(&res2, &res1);
2624 CHECK(secp256k1_ge_is_infinity(&res2));
2625 secp256k1_ecmult_const(&res1, &point, &one, 2);
2626 secp256k1_ge_set_gej(&res2, &res1);
2627 ge_equals_ge(&res2, &point);
2628 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2629 secp256k1_gej_neg(&res1, &res1);
2630 secp256k1_ge_set_gej(&res2, &res1);
2631 ge_equals_ge(&res2, &point);
2634 void ecmult_const_chain_multiply(void) {
2635 /* Check known result (randomly generated test problem from sage) */
2636 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2637 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2638 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2640 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2641 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2642 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2643 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2644 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2646 secp256k1_gej point;
2650 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2651 for (i = 0; i < 100; ++i) {
2653 secp256k1_ge_set_gej(&tmp, &point);
2654 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2656 secp256k1_ge_set_gej(&res, &point);
2657 ge_equals_gej(&res, &expected_point);
2660 void run_ecmult_const_tests(void) {
2661 ecmult_const_mult_zero_one();
2662 ecmult_const_random_mult();
2663 ecmult_const_commutativity();
2664 ecmult_const_chain_multiply();
2668 secp256k1_scalar *sc;
2670 } ecmult_multi_data;
2672 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2673 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2674 *sc = data->sc[idx];
2675 *pt = data->pt[idx];
2679 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2687 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2689 secp256k1_scalar szero;
2690 secp256k1_scalar sc[32];
2691 secp256k1_ge pt[32];
2694 ecmult_multi_data data;
2698 secp256k1_scalar_set_int(&szero, 0);
2700 /* No points to multiply */
2701 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2703 /* Check 1- and 2-point multiplies against ecmult */
2704 for (ncount = 0; ncount < count; ncount++) {
2707 random_scalar_order(&sc[0]);
2708 random_scalar_order(&sc[1]);
2710 random_group_element_test(&ptg);
2711 secp256k1_gej_set_ge(&ptgj, &ptg);
2713 pt[1] = secp256k1_ge_const_g;
2716 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2717 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2718 secp256k1_gej_neg(&r2, &r2);
2719 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2720 CHECK(secp256k1_gej_is_infinity(&r));
2723 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2724 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2725 secp256k1_gej_neg(&r2, &r2);
2726 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2727 CHECK(secp256k1_gej_is_infinity(&r));
2729 /* Try to multiply 1 point, but callback returns false */
2730 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2733 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2734 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2735 secp256k1_gej_neg(&r2, &r2);
2736 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2737 CHECK(secp256k1_gej_is_infinity(&r));
2739 /* 2-point with G scalar */
2740 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2741 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2742 secp256k1_gej_neg(&r2, &r2);
2743 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2744 CHECK(secp256k1_gej_is_infinity(&r));
2747 /* Check infinite outputs of various forms */
2748 for (ncount = 0; ncount < count; ncount++) {
2751 size_t sizes[] = { 2, 10, 32 };
2753 for (j = 0; j < 3; j++) {
2754 for (i = 0; i < 32; i++) {
2755 random_scalar_order(&sc[i]);
2756 secp256k1_ge_set_infinity(&pt[i]);
2758 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2759 CHECK(secp256k1_gej_is_infinity(&r));
2762 for (j = 0; j < 3; j++) {
2763 for (i = 0; i < 32; i++) {
2764 random_group_element_test(&ptg);
2766 secp256k1_scalar_set_int(&sc[i], 0);
2768 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2769 CHECK(secp256k1_gej_is_infinity(&r));
2772 for (j = 0; j < 3; j++) {
2773 random_group_element_test(&ptg);
2774 for (i = 0; i < 16; i++) {
2775 random_scalar_order(&sc[2*i]);
2776 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2778 pt[2 * i + 1] = ptg;
2781 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2782 CHECK(secp256k1_gej_is_infinity(&r));
2784 random_scalar_order(&sc[0]);
2785 for (i = 0; i < 16; i++) {
2786 random_group_element_test(&ptg);
2791 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2794 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2795 CHECK(secp256k1_gej_is_infinity(&r));
2798 random_group_element_test(&ptg);
2799 secp256k1_scalar_set_int(&sc[0], 0);
2801 for (i = 1; i < 32; i++) {
2804 random_scalar_order(&sc[i]);
2805 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2806 secp256k1_scalar_negate(&sc[i], &sc[i]);
2809 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2810 CHECK(secp256k1_gej_is_infinity(&r));
2813 /* Check random points, constant scalar */
2814 for (ncount = 0; ncount < count; ncount++) {
2816 secp256k1_gej_set_infinity(&r);
2818 random_scalar_order(&sc[0]);
2819 for (i = 0; i < 20; i++) {
2822 random_group_element_test(&ptg);
2824 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2827 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2828 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2829 secp256k1_gej_neg(&r2, &r2);
2830 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2831 CHECK(secp256k1_gej_is_infinity(&r));
2834 /* Check random scalars, constant point */
2835 for (ncount = 0; ncount < count; ncount++) {
2839 secp256k1_scalar rs;
2840 secp256k1_scalar_set_int(&rs, 0);
2842 random_group_element_test(&ptg);
2843 for (i = 0; i < 20; i++) {
2844 random_scalar_order(&sc[i]);
2846 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2849 secp256k1_gej_set_ge(&p0j, &pt[0]);
2850 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2851 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2852 secp256k1_gej_neg(&r2, &r2);
2853 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2854 CHECK(secp256k1_gej_is_infinity(&r));
2857 /* Sanity check that zero scalars don't cause problems */
2858 for (ncount = 0; ncount < 20; ncount++) {
2859 random_scalar_order(&sc[ncount]);
2860 random_group_element_test(&pt[ncount]);
2863 secp256k1_scalar_clear(&sc[0]);
2864 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2865 secp256k1_scalar_clear(&sc[1]);
2866 secp256k1_scalar_clear(&sc[2]);
2867 secp256k1_scalar_clear(&sc[3]);
2868 secp256k1_scalar_clear(&sc[4]);
2869 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2870 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2871 CHECK(secp256k1_gej_is_infinity(&r));
2873 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2875 const size_t TOP = 8;
2881 random_group_element_test(&ptg);
2882 secp256k1_gej_set_ge(&ptgj, &ptg);
2884 for(t0i = 0; t0i < TOP; t0i++) {
2885 for(t1i = 0; t1i < TOP; t1i++) {
2886 secp256k1_gej t0p, t1p;
2887 secp256k1_scalar t0, t1;
2889 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2890 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2891 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2892 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2894 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2895 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2897 for(s0i = 0; s0i < TOP; s0i++) {
2898 for(s1i = 0; s1i < TOP; s1i++) {
2899 secp256k1_scalar tmp1, tmp2;
2900 secp256k1_gej expected, actual;
2902 secp256k1_ge_set_gej(&pt[0], &t0p);
2903 secp256k1_ge_set_gej(&pt[1], &t1p);
2905 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2906 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2907 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2908 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2910 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2911 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2912 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2914 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2915 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2916 secp256k1_gej_neg(&expected, &expected);
2917 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2918 CHECK(secp256k1_gej_is_infinity(&actual));
2926 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2927 secp256k1_scalar szero;
2928 secp256k1_scalar sc[32];
2929 secp256k1_ge pt[32];
2931 ecmult_multi_data data;
2932 secp256k1_scratch *scratch_empty;
2936 secp256k1_scalar_set_int(&szero, 0);
2938 /* Try to multiply 1 point, but scratch space is empty.*/
2939 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2940 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2941 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
2944 void test_secp256k1_pippenger_bucket_window_inv(void) {
2947 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2948 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2949 #ifdef USE_ENDOMORPHISM
2950 /* Bucket_window of 8 is not used with endo */
2955 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2956 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2957 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2963 * Probabilistically test the function returning the maximum number of possible points
2964 * for a given scratch space.
2966 void test_ecmult_multi_pippenger_max_points(void) {
2967 size_t scratch_size = secp256k1_rand_int(256);
2968 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2969 secp256k1_scratch *scratch;
2970 size_t n_points_supported;
2971 int bucket_window = 0;
2973 for(; scratch_size < max_size; scratch_size+=256) {
2977 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2978 CHECK(scratch != NULL);
2979 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
2980 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
2981 if (n_points_supported == 0) {
2982 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
2985 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2986 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
2987 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
2988 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
2989 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
2992 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
2993 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
2994 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
2996 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2999 void test_ecmult_multi_batch_size_helper(void) {
3000 size_t n_batches, n_batch_points, max_n_batch_points, n;
3002 max_n_batch_points = 0;
3004 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3006 max_n_batch_points = 1;
3008 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3009 CHECK(n_batches == 0);
3010 CHECK(n_batch_points == 0);
3012 max_n_batch_points = 2;
3014 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3015 CHECK(n_batches == 3);
3016 CHECK(n_batch_points == 2);
3018 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3019 n = ECMULT_MAX_POINTS_PER_BATCH;
3020 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3021 CHECK(n_batches == 1);
3022 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3024 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3025 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3026 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3027 CHECK(n_batches == 2);
3028 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3030 max_n_batch_points = 1;
3032 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3033 CHECK(n_batches == SIZE_MAX);
3034 CHECK(n_batch_points == 1);
3036 max_n_batch_points = 2;
3038 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3039 CHECK(n_batches == SIZE_MAX/2 + 1);
3040 CHECK(n_batch_points == 2);
3044 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3045 * 1 <= i <= num points.
3047 void test_ecmult_multi_batching(void) {
3048 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3049 secp256k1_scalar scG;
3050 secp256k1_scalar szero;
3051 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3052 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3055 ecmult_multi_data data;
3057 secp256k1_scratch *scratch;
3059 secp256k1_gej_set_infinity(&r2);
3060 secp256k1_scalar_set_int(&szero, 0);
3062 /* Get random scalars and group elements and compute result */
3063 random_scalar_order(&scG);
3064 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3065 for(i = 0; i < n_points; i++) {
3068 random_group_element_test(&ptg);
3069 secp256k1_gej_set_ge(&ptgj, &ptg);
3071 random_scalar_order(&sc[i]);
3072 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3073 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3077 secp256k1_gej_neg(&r2, &r2);
3079 /* Test with empty scratch space. It should compute the correct result using
3080 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3081 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3082 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3083 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3084 CHECK(secp256k1_gej_is_infinity(&r));
3085 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3087 /* Test with space for 1 point in pippenger. That's not enough because
3088 * ecmult_multi selects strauss which requires more memory. It should
3089 * therefore select the simple algorithm. */
3090 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3091 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3092 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3093 CHECK(secp256k1_gej_is_infinity(&r));
3094 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3096 for(i = 1; i <= n_points; i++) {
3097 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3098 int bucket_window = secp256k1_pippenger_bucket_window(i);
3099 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3100 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3102 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3103 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3105 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3106 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3107 CHECK(secp256k1_gej_is_infinity(&r));
3108 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3114 void run_ecmult_multi_tests(void) {
3115 secp256k1_scratch *scratch;
3117 test_secp256k1_pippenger_bucket_window_inv();
3118 test_ecmult_multi_pippenger_max_points();
3119 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3120 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3121 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3122 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3123 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3124 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3125 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3126 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3128 /* Run test_ecmult_multi with space for exactly one point */
3129 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3130 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3131 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3133 test_ecmult_multi_batch_size_helper();
3134 test_ecmult_multi_batching();
3137 void test_wnaf(const secp256k1_scalar *number, int w) {
3138 secp256k1_scalar x, two, t;
3143 secp256k1_scalar_set_int(&x, 0);
3144 secp256k1_scalar_set_int(&two, 2);
3145 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3147 for (i = bits-1; i >= 0; i--) {
3149 secp256k1_scalar_mul(&x, &x, &two);
3151 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3153 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3154 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3155 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3157 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3161 secp256k1_scalar_set_int(&t, v);
3163 secp256k1_scalar_set_int(&t, -v);
3164 secp256k1_scalar_negate(&t, &t);
3166 secp256k1_scalar_add(&x, &x, &t);
3168 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3171 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3172 secp256k1_scalar neg1 = *number;
3173 secp256k1_scalar neg2 = *number;
3177 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3178 secp256k1_scalar_negate(&neg1, &neg1);
3181 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3182 CHECK(sign1 == sign2);
3183 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3186 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3187 secp256k1_scalar x, shift;
3188 int wnaf[256] = {0};
3192 secp256k1_scalar num = *number;
3194 secp256k1_scalar_set_int(&x, 0);
3195 secp256k1_scalar_set_int(&shift, 1 << w);
3196 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3197 #ifdef USE_ENDOMORPHISM
3198 for (i = 0; i < 16; ++i) {
3199 secp256k1_scalar_shr_int(&num, 8);
3203 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3205 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3208 CHECK(v != 0); /* check nonzero */
3209 CHECK(v & 1); /* check parity */
3210 CHECK(v > -(1 << w)); /* check range above */
3211 CHECK(v < (1 << w)); /* check range below */
3213 secp256k1_scalar_mul(&x, &x, &shift);
3215 secp256k1_scalar_set_int(&t, v);
3217 secp256k1_scalar_set_int(&t, -v);
3218 secp256k1_scalar_negate(&t, &t);
3220 secp256k1_scalar_add(&x, &x, &t);
3222 /* Skew num because when encoding numbers as odd we use an offset */
3223 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3224 CHECK(secp256k1_scalar_eq(&x, &num));
3227 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3228 secp256k1_scalar x, shift;
3229 int wnaf[256] = {0};
3232 secp256k1_scalar num = *number;
3234 secp256k1_scalar_set_int(&x, 0);
3235 secp256k1_scalar_set_int(&shift, 1 << w);
3236 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3237 #ifdef USE_ENDOMORPHISM
3238 for (i = 0; i < 16; ++i) {
3239 secp256k1_scalar_shr_int(&num, 8);
3242 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3244 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3247 CHECK(v == 0 || v & 1); /* check parity */
3248 CHECK(v > -(1 << w)); /* check range above */
3249 CHECK(v < (1 << w)); /* check range below */
3251 secp256k1_scalar_mul(&x, &x, &shift);
3253 secp256k1_scalar_set_int(&t, v);
3255 secp256k1_scalar_set_int(&t, -v);
3256 secp256k1_scalar_negate(&t, &t);
3258 secp256k1_scalar_add(&x, &x, &t);
3260 /* If skew is 1 then add 1 to num */
3261 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3262 CHECK(secp256k1_scalar_eq(&x, &num));
3265 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3267 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3269 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3270 CHECK(wnaf[i] == 0);
3272 for (i = 7; i >= 0; --i) {
3273 CHECK(wnaf[i] == wnaf_expected[i]);
3277 void test_fixed_wnaf_small(void) {
3279 int wnaf[256] = {0};
3282 secp256k1_scalar num;
3284 secp256k1_scalar_set_int(&num, 0);
3285 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3286 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3292 secp256k1_scalar_set_int(&num, 1);
3293 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3294 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3298 CHECK(wnaf[0] == 1);
3302 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3303 secp256k1_scalar_set_int(&num, 0xffffffff);
3304 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3305 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3309 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3310 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3311 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3312 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3316 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3317 secp256k1_scalar_set_int(&num, 0x01010101);
3318 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3319 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3323 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3324 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3325 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3326 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3331 void run_wnaf(void) {
3333 secp256k1_scalar n = {{0}};
3335 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3336 * have easier-to-diagnose failure modes */
3338 test_constant_wnaf(&n, 4);
3340 test_constant_wnaf(&n, 4);
3342 test_fixed_wnaf_small();
3344 for (i = 0; i < count; i++) {
3345 random_scalar_order(&n);
3346 test_wnaf(&n, 4+(i%10));
3347 test_constant_wnaf_negate(&n);
3348 test_constant_wnaf(&n, 4 + (i % 10));
3349 test_fixed_wnaf(&n, 4 + (i % 10));
3351 secp256k1_scalar_set_int(&n, 0);
3352 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3353 CHECK(secp256k1_scalar_is_zero(&n));
3354 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3355 CHECK(secp256k1_scalar_is_zero(&n));
3358 void test_ecmult_constants(void) {
3359 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3365 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3366 for (i = 0; i < 36; i++ ) {
3367 secp256k1_scalar_set_int(&x, i);
3368 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3369 for (j = 0; j < i; j++) {
3371 ge_equals_gej(&secp256k1_ge_const_g, &r);
3373 secp256k1_gej_add_ge(&r, &r, &ng);
3375 CHECK(secp256k1_gej_is_infinity(&r));
3377 for (i = 1; i <= 36; i++ ) {
3378 secp256k1_scalar_set_int(&x, i);
3379 secp256k1_scalar_negate(&x, &x);
3380 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3381 for (j = 0; j < i; j++) {
3383 ge_equals_gej(&ng, &r);
3385 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3387 CHECK(secp256k1_gej_is_infinity(&r));
3391 void run_ecmult_constants(void) {
3392 test_ecmult_constants();
3395 void test_ecmult_gen_blind(void) {
3396 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3397 secp256k1_scalar key;
3399 unsigned char seed32[32];
3401 secp256k1_gej pgej2;
3404 random_scalar_order_test(&key);
3405 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3406 secp256k1_rand256(seed32);
3407 b = ctx->ecmult_gen_ctx.blind;
3408 i = ctx->ecmult_gen_ctx.initial;
3409 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3410 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3411 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3412 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3413 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3414 secp256k1_ge_set_gej(&pge, &pgej);
3415 ge_equals_gej(&pge, &pgej2);
3418 void test_ecmult_gen_blind_reset(void) {
3419 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3421 secp256k1_gej initial;
3422 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3423 b = ctx->ecmult_gen_ctx.blind;
3424 initial = ctx->ecmult_gen_ctx.initial;
3425 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3426 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3427 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3430 void run_ecmult_gen_blind(void) {
3432 test_ecmult_gen_blind_reset();
3433 for (i = 0; i < 10; i++) {
3434 test_ecmult_gen_blind();
3438 #ifdef USE_ENDOMORPHISM
3439 /***** ENDOMORPHISH TESTS *****/
3440 void test_scalar_split(void) {
3441 secp256k1_scalar full;
3442 secp256k1_scalar s1, slam;
3443 const unsigned char zero[32] = {0};
3444 unsigned char tmp[32];
3446 random_scalar_order_test(&full);
3447 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3449 /* check that both are <= 128 bits in size */
3450 if (secp256k1_scalar_is_high(&s1)) {
3451 secp256k1_scalar_negate(&s1, &s1);
3453 if (secp256k1_scalar_is_high(&slam)) {
3454 secp256k1_scalar_negate(&slam, &slam);
3457 secp256k1_scalar_get_b32(tmp, &s1);
3458 CHECK(memcmp(zero, tmp, 16) == 0);
3459 secp256k1_scalar_get_b32(tmp, &slam);
3460 CHECK(memcmp(zero, tmp, 16) == 0);
3463 void run_endomorphism_tests(void) {
3464 test_scalar_split();
3468 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3469 unsigned char pubkeyc[65];
3470 secp256k1_pubkey pubkey;
3475 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3476 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3477 /* Smaller sizes are tested exhaustively elsewhere. */
3479 memcpy(&pubkeyc[1], input, 64);
3480 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3481 for (i = 0; i < 256; i++) {
3482 /* Try all type bytes. */
3487 /* What sign does this point have? */
3488 ysign = (input[63] & 1) + 2;
3489 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3490 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3491 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3492 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3493 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3494 if (xpass || ypass) {
3495 /* These cases must parse. */
3496 unsigned char pubkeyo[65];
3498 memset(&pubkey, 0, sizeof(pubkey));
3499 VG_UNDEF(&pubkey, sizeof(pubkey));
3501 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3502 VG_CHECK(&pubkey, sizeof(pubkey));
3504 VG_UNDEF(pubkeyo, 65);
3505 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3506 VG_CHECK(pubkeyo, outl);
3508 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3509 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3511 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3512 CHECK(pubkeyo[0] == ysign);
3513 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3514 memset(&pubkey, 0, sizeof(pubkey));
3515 VG_UNDEF(&pubkey, sizeof(pubkey));
3516 secp256k1_pubkey_save(&pubkey, &ge);
3517 VG_CHECK(&pubkey, sizeof(pubkey));
3519 VG_UNDEF(pubkeyo, 65);
3520 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3521 VG_CHECK(pubkeyo, outl);
3523 CHECK(pubkeyo[0] == 4);
3524 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3528 /* These cases must fail to parse. */
3529 memset(&pubkey, 0xfe, sizeof(pubkey));
3531 VG_UNDEF(&pubkey, sizeof(pubkey));
3532 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3533 VG_CHECK(&pubkey, sizeof(pubkey));
3535 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3540 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3543 void run_ec_pubkey_parse_test(void) {
3544 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3545 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3547 /* Point with leading and trailing zeros in x and y serialization. */
3548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3550 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3551 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3554 /* Point with x equal to a 3rd root of unity.*/
3555 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3556 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3557 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3558 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3561 /* Point with largest x. (1/2) */
3562 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3563 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3564 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3565 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3568 /* Point with largest x. (2/2) */
3569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3570 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3571 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3572 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3575 /* Point with smallest x. (1/2) */
3576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3578 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3579 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3582 /* Point with smallest x. (2/2) */
3583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3585 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3586 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3589 /* Point with largest y. (1/3) */
3590 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3591 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3593 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3596 /* Point with largest y. (2/3) */
3597 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3598 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3600 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3603 /* Point with largest y. (3/3) */
3604 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3605 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3610 /* Point with smallest y. (1/3) */
3611 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3612 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3614 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3617 /* Point with smallest y. (2/3) */
3618 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3619 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3624 /* Point with smallest y. (3/3) */
3625 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3626 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3631 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3632 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3634 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3635 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3636 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3637 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3638 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3641 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3642 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3643 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3644 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3645 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3648 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3649 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3650 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3651 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3652 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3655 /* x on curve, y is from y^2 = x^3 + 8. */
3656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3662 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3663 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3665 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3666 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3667 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3668 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3672 /* Valid if x overflow ignored (x = 1 mod p). */
3673 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3674 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3675 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3676 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3679 /* Valid if x overflow ignored (x = 1 mod p). */
3680 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3681 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3682 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3683 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3686 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3687 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3688 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3689 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3690 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3693 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3694 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3695 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3696 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3697 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3700 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3703 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3704 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3707 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3710 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3711 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3714 const unsigned char pubkeyc[66] = {
3715 /* Serialization of G. */
3716 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3717 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3718 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3719 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3722 unsigned char sout[65];
3723 unsigned char shortkey[2];
3725 secp256k1_pubkey pubkey;
3731 /* Nothing should be reading this far into pubkeyc. */
3732 VG_UNDEF(&pubkeyc[65], 1);
3733 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3734 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3735 memset(&pubkey, 0xfe, sizeof(pubkey));
3737 VG_UNDEF(shortkey, 2);
3738 VG_UNDEF(&pubkey, sizeof(pubkey));
3739 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3740 VG_CHECK(&pubkey, sizeof(pubkey));
3742 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3744 /* Length one claimed, fail, zeroize, no illegal arg error. */
3745 for (i = 0; i < 256 ; i++) {
3746 memset(&pubkey, 0xfe, sizeof(pubkey));
3749 VG_UNDEF(&shortkey[1], 1);
3750 VG_UNDEF(&pubkey, sizeof(pubkey));
3751 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3752 VG_CHECK(&pubkey, sizeof(pubkey));
3754 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3757 /* Length two claimed, fail, zeroize, no illegal arg error. */
3758 for (i = 0; i < 65536 ; i++) {
3759 memset(&pubkey, 0xfe, sizeof(pubkey));
3761 shortkey[0] = i & 255;
3762 shortkey[1] = i >> 8;
3763 VG_UNDEF(&pubkey, sizeof(pubkey));
3764 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3765 VG_CHECK(&pubkey, sizeof(pubkey));
3767 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3770 memset(&pubkey, 0xfe, sizeof(pubkey));
3772 VG_UNDEF(&pubkey, sizeof(pubkey));
3773 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3774 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3775 VG_CHECK(&pubkey, sizeof(pubkey));
3777 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3779 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3780 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3782 /* NULL input string. Illegal arg and zeroize output. */
3783 memset(&pubkey, 0xfe, sizeof(pubkey));
3785 VG_UNDEF(&pubkey, sizeof(pubkey));
3786 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3787 VG_CHECK(&pubkey, sizeof(pubkey));
3789 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3791 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3792 memset(&pubkey, 0xfe, sizeof(pubkey));
3794 VG_UNDEF(&pubkey, sizeof(pubkey));
3795 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3796 VG_CHECK(&pubkey, sizeof(pubkey));
3798 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3800 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3801 memset(&pubkey, 0xfe, sizeof(pubkey));
3803 VG_UNDEF(&pubkey, sizeof(pubkey));
3804 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3805 VG_CHECK(&pubkey, sizeof(pubkey));
3807 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3810 memset(&pubkey, 0, sizeof(pubkey));
3812 VG_UNDEF(&pubkey, sizeof(pubkey));
3813 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3814 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3815 VG_CHECK(&pubkey, sizeof(pubkey));
3817 VG_UNDEF(&ge, sizeof(ge));
3818 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3819 VG_CHECK(&ge.x, sizeof(ge.x));
3820 VG_CHECK(&ge.y, sizeof(ge.y));
3821 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3822 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3824 /* secp256k1_ec_pubkey_serialize illegal args. */
3827 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3830 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3834 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3839 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3844 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3848 /* Multiple illegal args. Should still set arg error only once. */
3851 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3853 /* Does the illegal arg callback actually change the behavior? */
3854 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3855 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3857 CHECK(ecount2 == 10);
3858 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3859 /* Try a bunch of prefabbed points with all possible encodings. */
3860 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3861 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3863 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3864 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3866 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3867 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3871 void run_eckey_edge_case_test(void) {
3872 const unsigned char orderc[32] = {
3873 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3874 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3875 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3876 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3878 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3879 unsigned char ctmp[33];
3880 unsigned char ctmp2[33];
3881 secp256k1_pubkey pubkey;
3882 secp256k1_pubkey pubkey2;
3883 secp256k1_pubkey pubkey_one;
3884 secp256k1_pubkey pubkey_negone;
3885 const secp256k1_pubkey *pubkeys[3];
3888 /* Group order is too large, reject. */
3889 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3890 VG_UNDEF(&pubkey, sizeof(pubkey));
3891 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3892 VG_CHECK(&pubkey, sizeof(pubkey));
3893 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3894 /* Maximum value is too large, reject. */
3895 memset(ctmp, 255, 32);
3896 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3897 memset(&pubkey, 1, sizeof(pubkey));
3898 VG_UNDEF(&pubkey, sizeof(pubkey));
3899 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3900 VG_CHECK(&pubkey, sizeof(pubkey));
3901 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3902 /* Zero is too small, reject. */
3903 memset(ctmp, 0, 32);
3904 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3905 memset(&pubkey, 1, sizeof(pubkey));
3906 VG_UNDEF(&pubkey, sizeof(pubkey));
3907 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3908 VG_CHECK(&pubkey, sizeof(pubkey));
3909 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3910 /* One must be accepted. */
3912 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3913 memset(&pubkey, 0, sizeof(pubkey));
3914 VG_UNDEF(&pubkey, sizeof(pubkey));
3915 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3916 VG_CHECK(&pubkey, sizeof(pubkey));
3917 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3918 pubkey_one = pubkey;
3919 /* Group order + 1 is too large, reject. */
3920 memcpy(ctmp, orderc, 32);
3922 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3923 memset(&pubkey, 1, sizeof(pubkey));
3924 VG_UNDEF(&pubkey, sizeof(pubkey));
3925 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3926 VG_CHECK(&pubkey, sizeof(pubkey));
3927 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3928 /* -1 must be accepted. */
3930 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3931 memset(&pubkey, 0, sizeof(pubkey));
3932 VG_UNDEF(&pubkey, sizeof(pubkey));
3933 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3934 VG_CHECK(&pubkey, sizeof(pubkey));
3935 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3936 pubkey_negone = pubkey;
3937 /* Tweak of zero leaves the value unchanged. */
3938 memset(ctmp2, 0, 32);
3939 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3940 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3941 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3942 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3943 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3944 /* Multiply tweak of zero zeroizes the output. */
3945 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3946 CHECK(memcmp(zeros, ctmp, 32) == 0);
3947 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3948 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3949 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3950 /* Overflowing key tweak zeroizes. */
3951 memcpy(ctmp, orderc, 32);
3953 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3954 CHECK(memcmp(zeros, ctmp, 32) == 0);
3955 memcpy(ctmp, orderc, 32);
3957 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3958 CHECK(memcmp(zeros, ctmp, 32) == 0);
3959 memcpy(ctmp, orderc, 32);
3961 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3962 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3963 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3964 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3965 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3966 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3967 /* Private key tweaks results in a key of zero. */
3969 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3970 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3972 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3973 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3974 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3975 /* Tweak computation wraps and results in a key of 1. */
3977 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3978 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3980 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3982 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3983 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3984 /* Tweak mul * 2 = 1+1. */
3985 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3987 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3988 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3989 /* Test argument errors. */
3991 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3993 /* Zeroize pubkey on parse error. */
3994 memset(&pubkey, 0, 32);
3995 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3997 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3998 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3999 memset(&pubkey2, 0, 32);
4000 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4002 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4003 /* Plain argument errors. */
4005 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4007 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4010 memset(ctmp2, 0, 32);
4012 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4014 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4017 memset(ctmp2, 0, 32);
4019 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4021 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4024 memset(ctmp2, 0, 32);
4025 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
4027 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
4030 memset(ctmp2, 0, 32);
4032 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4034 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
4037 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4039 memset(&pubkey, 1, sizeof(pubkey));
4040 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4042 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4043 /* secp256k1_ec_pubkey_combine tests. */
4045 pubkeys[0] = &pubkey_one;
4046 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4047 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4048 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4049 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4050 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4051 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4052 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4053 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4055 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4056 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4058 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4059 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4060 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4061 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4062 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4064 pubkeys[0] = &pubkey_negone;
4065 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4066 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4067 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4068 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4069 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4072 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4073 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4074 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4075 /* Result is infinity. */
4076 pubkeys[0] = &pubkey_one;
4077 pubkeys[1] = &pubkey_negone;
4078 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4079 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4080 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4081 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4082 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4084 /* Passes through infinity but comes out one. */
4085 pubkeys[2] = &pubkey_one;
4086 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4087 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4088 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4089 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4090 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4093 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4094 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4095 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4097 pubkeys[1] = &pubkey_one;
4098 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4099 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4100 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4101 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4102 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4104 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4107 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4108 secp256k1_scalar nonce;
4110 random_scalar_order_test(&nonce);
4111 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4114 void test_ecdsa_sign_verify(void) {
4117 secp256k1_scalar one;
4118 secp256k1_scalar msg, key;
4119 secp256k1_scalar sigr, sigs;
4122 random_scalar_order_test(&msg);
4123 random_scalar_order_test(&key);
4124 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4125 secp256k1_ge_set_gej(&pub, &pubj);
4126 getrec = secp256k1_rand_bits(1);
4127 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4129 CHECK(recid >= 0 && recid < 4);
4131 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4132 secp256k1_scalar_set_int(&one, 1);
4133 secp256k1_scalar_add(&msg, &msg, &one);
4134 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4137 void run_ecdsa_sign_verify(void) {
4139 for (i = 0; i < 10*count; i++) {
4140 test_ecdsa_sign_verify();
4144 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4145 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4149 memcpy(nonce32, data, 32);
4150 return (counter == 0);
4153 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4154 /* Dummy nonce generator that has a fatal error on the first counter value. */
4158 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4161 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4162 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4164 memset(nonce32, counter==0 ? 0 : 255, 32);
4171 static const unsigned char order[] = {
4172 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4173 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4174 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4175 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4177 memcpy(nonce32, order, 32);
4183 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4184 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4188 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4191 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4192 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4193 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4196 void test_ecdsa_end_to_end(void) {
4197 unsigned char extra[32] = {0x00};
4198 unsigned char privkey[32];
4199 unsigned char message[32];
4200 unsigned char privkey2[32];
4201 secp256k1_ecdsa_signature signature[6];
4202 secp256k1_scalar r, s;
4203 unsigned char sig[74];
4205 unsigned char pubkeyc[65];
4206 size_t pubkeyclen = 65;
4207 secp256k1_pubkey pubkey;
4208 secp256k1_pubkey pubkey_tmp;
4209 unsigned char seckey[300];
4210 size_t seckeylen = 300;
4212 /* Generate a random key and message. */
4214 secp256k1_scalar msg, key;
4215 random_scalar_order_test(&msg);
4216 random_scalar_order_test(&key);
4217 secp256k1_scalar_get_b32(privkey, &key);
4218 secp256k1_scalar_get_b32(message, &msg);
4221 /* Construct and verify corresponding public key. */
4222 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4223 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4225 /* Verify exporting and importing public key. */
4226 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4227 memset(&pubkey, 0, sizeof(pubkey));
4228 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4230 /* Verify negation changes the key and changes it back */
4231 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4232 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4233 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4234 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4235 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4237 /* Verify private key import and export. */
4238 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4239 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4240 CHECK(memcmp(privkey, privkey2, 32) == 0);
4242 /* Optionally tweak the keys using addition. */
4243 if (secp256k1_rand_int(3) == 0) {
4246 unsigned char rnd[32];
4247 secp256k1_pubkey pubkey2;
4248 secp256k1_rand256_test(rnd);
4249 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4250 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4251 CHECK(ret1 == ret2);
4255 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4256 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4259 /* Optionally tweak the keys using multiplication. */
4260 if (secp256k1_rand_int(3) == 0) {
4263 unsigned char rnd[32];
4264 secp256k1_pubkey pubkey2;
4265 secp256k1_rand256_test(rnd);
4266 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4267 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4268 CHECK(ret1 == ret2);
4272 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4273 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4277 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4278 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4279 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4281 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4284 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4285 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4286 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4287 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4288 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4289 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4290 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4291 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4293 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4294 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4295 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4296 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4297 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4298 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4299 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4300 secp256k1_scalar_negate(&s, &s);
4301 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4302 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4303 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4304 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4305 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4306 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4307 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4308 secp256k1_scalar_negate(&s, &s);
4309 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4310 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4311 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4312 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4314 /* Serialize/parse DER and verify again */
4315 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4316 memset(&signature[0], 0, sizeof(signature[0]));
4317 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4318 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4319 /* Serialize/destroy/parse DER and verify again. */
4321 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4322 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4323 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4324 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4327 void test_random_pubkeys(void) {
4330 unsigned char in[65];
4331 /* Generate some randomly sized pubkeys. */
4332 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4333 if (secp256k1_rand_bits(2) == 0) {
4334 len = secp256k1_rand_bits(6);
4337 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4339 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4341 if (secp256k1_rand_bits(3) == 0) {
4342 in[0] = secp256k1_rand_bits(8);
4345 secp256k1_rand256(&in[1]);
4348 secp256k1_rand256(&in[33]);
4350 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4351 unsigned char out[65];
4352 unsigned char firstb;
4356 /* If the pubkey can be parsed, it should round-trip... */
4357 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4359 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4360 /* ... except for the type of hybrid inputs. */
4361 if ((in[0] != 6) && (in[0] != 7)) {
4362 CHECK(in[0] == out[0]);
4365 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4367 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4368 ge_equals_ge(&elem,&elem2);
4369 /* Check that the X9.62 hybrid type is checked. */
4370 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4371 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4372 if (firstb == 2 || firstb == 3) {
4373 if (in[0] == firstb + 4) {
4380 ge_equals_ge(&elem,&elem2);
4381 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4382 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4387 void run_random_pubkeys(void) {
4389 for (i = 0; i < 10*count; i++) {
4390 test_random_pubkeys();
4394 void run_ecdsa_end_to_end(void) {
4396 for (i = 0; i < 64*count; i++) {
4397 test_ecdsa_end_to_end();
4401 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4402 static const unsigned char zeroes[32] = {0};
4403 #ifdef ENABLE_OPENSSL_TESTS
4404 static const unsigned char max_scalar[32] = {
4405 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4406 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4407 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4408 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4414 secp256k1_ecdsa_signature sig_der;
4415 unsigned char roundtrip_der[2048];
4416 unsigned char compact_der[64];
4417 size_t len_der = 2048;
4418 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4420 secp256k1_ecdsa_signature sig_der_lax;
4421 unsigned char roundtrip_der_lax[2048];
4422 unsigned char compact_der_lax[64];
4423 size_t len_der_lax = 2048;
4424 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4426 #ifdef ENABLE_OPENSSL_TESTS
4427 ECDSA_SIG *sig_openssl;
4428 const BIGNUM *r = NULL, *s = NULL;
4429 const unsigned char *sigptr;
4430 unsigned char roundtrip_openssl[2048];
4431 int len_openssl = 2048;
4432 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4435 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4437 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4438 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4441 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4442 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4445 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4446 if (parsed_der_lax) {
4447 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4448 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4450 if (valid_der_lax) {
4451 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4452 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4455 if (certainly_der) {
4456 ret |= (!parsed_der) << 2;
4458 if (certainly_not_der) {
4459 ret |= (parsed_der) << 17;
4462 ret |= (!roundtrips_der) << 3;
4466 ret |= (!roundtrips_der_lax) << 12;
4467 ret |= (len_der != len_der_lax) << 13;
4468 ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4470 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4472 ret |= (!parsed_der_lax) << 16;
4475 #ifdef ENABLE_OPENSSL_TESTS
4476 sig_openssl = ECDSA_SIG_new();
4478 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4479 if (parsed_openssl) {
4480 ECDSA_SIG_get0(sig_openssl, &r, &s);
4481 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4482 if (valid_openssl) {
4483 unsigned char tmp[32] = {0};
4484 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4485 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4487 if (valid_openssl) {
4488 unsigned char tmp[32] = {0};
4489 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4490 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4493 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4494 if (len_openssl <= 2048) {
4495 unsigned char *ptr = roundtrip_openssl;
4496 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4497 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4501 ECDSA_SIG_free(sig_openssl);
4503 ret |= (parsed_der && !parsed_openssl) << 4;
4504 ret |= (valid_der && !valid_openssl) << 5;
4505 ret |= (roundtrips_openssl && !parsed_der) << 6;
4506 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4507 if (roundtrips_openssl) {
4508 ret |= (len_der != (size_t)len_openssl) << 8;
4509 ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4515 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4517 for (i = 0; i < ptrlen; i++) {
4518 int shift = ptrlen - 1 - i;
4522 ptr[i] = (val >> shift) & 0xFF;
4527 static void damage_array(unsigned char *sig, size_t *len) {
4529 int action = secp256k1_rand_bits(3);
4530 if (action < 1 && *len > 3) {
4531 /* Delete a byte. */
4532 pos = secp256k1_rand_int(*len);
4533 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4536 } else if (action < 2 && *len < 2048) {
4537 /* Insert a byte. */
4538 pos = secp256k1_rand_int(1 + *len);
4539 memmove(sig + pos + 1, sig + pos, *len - pos);
4540 sig[pos] = secp256k1_rand_bits(8);
4543 } else if (action < 4) {
4544 /* Modify a byte. */
4545 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4547 } else { /* action < 8 */
4549 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4554 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4556 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4557 size_t tlen, elen, glen;
4562 der = secp256k1_rand_bits(2) == 0;
4563 *certainly_der = der;
4564 *certainly_not_der = 0;
4565 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4567 for (n = 0; n < 2; n++) {
4568 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4569 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4570 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4571 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4572 CHECK(nlen[n] <= 232);
4573 /* The top bit of the number. */
4574 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4575 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4576 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4577 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4578 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4579 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4580 *certainly_not_der = 1;
4582 CHECK(nlen[n] + nzlen[n] <= 300);
4583 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4584 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4586 /* nlenlen[n] max 127 bytes */
4587 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4590 *certainly_not_der = 1;
4593 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4596 /* The total length of the data to go, so far */
4597 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4600 /* The length of the garbage inside the tuple. */
4601 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4603 *certainly_not_der = 1;
4608 /* The length of the garbage after the end of the tuple. */
4609 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4611 *certainly_not_der = 1;
4613 CHECK(tlen + glen <= 990);
4615 /* Write the tuple header. */
4616 sig[(*len)++] = 0x30;
4618 /* Indeterminate length */
4619 sig[(*len)++] = 0x80;
4620 *certainly_not_der = 1;
4622 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4624 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4627 *certainly_not_der = 1;
4631 /* Short length notation */
4632 sig[(*len)++] = tlen;
4634 /* Long length notation */
4635 sig[(*len)++] = 128 + tlenlen;
4636 assign_big_endian(sig + *len, tlenlen, tlen);
4642 CHECK(tlen + glen <= 1119);
4644 for (n = 0; n < 2; n++) {
4645 /* Write the integer header. */
4646 sig[(*len)++] = 0x02;
4647 if (nlenlen[n] == 0) {
4648 /* Short length notation */
4649 sig[(*len)++] = nlen[n] + nzlen[n];
4651 /* Long length notation. */
4652 sig[(*len)++] = 128 + nlenlen[n];
4653 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4656 /* Write zero padding */
4657 while (nzlen[n] > 0) {
4658 sig[(*len)++] = 0x00;
4661 if (nlen[n] == 32 && !nlow[n]) {
4662 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4664 for (i = 0; i < 16; i++) {
4665 sig[(*len)++] = 0xFF;
4669 /* Write first byte of number */
4671 sig[(*len)++] = nhbyte[n];
4674 /* Generate remaining random bytes of number */
4675 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4680 /* Generate random garbage inside tuple. */
4681 secp256k1_rand_bytes_test(sig + *len, elen);
4684 /* Generate end-of-contents bytes. */
4690 CHECK(tlen + glen <= 1121);
4692 /* Generate random garbage outside tuple. */
4693 secp256k1_rand_bytes_test(sig + *len, glen);
4696 CHECK(tlen <= 1121);
4697 CHECK(tlen == *len);
4700 void run_ecdsa_der_parse(void) {
4702 for (i = 0; i < 200 * count; i++) {
4703 unsigned char buffer[2048];
4705 int certainly_der = 0;
4706 int certainly_not_der = 0;
4707 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4708 CHECK(buflen <= 2048);
4709 for (j = 0; j < 16; j++) {
4712 damage_array(buffer, &buflen);
4713 /* We don't know anything anymore about the DERness of the result */
4715 certainly_not_der = 0;
4717 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4720 fprintf(stderr, "Failure %x on ", ret);
4721 for (k = 0; k < buflen; k++) {
4722 fprintf(stderr, "%02x ", buffer[k]);
4724 fprintf(stderr, "\n");
4731 /* Tests several edge cases. */
4732 void test_ecdsa_edge_cases(void) {
4734 secp256k1_ecdsa_signature sig;
4736 /* Test the case where ECDSA recomputes a point that is infinity. */
4740 secp256k1_scalar msg;
4741 secp256k1_scalar sr, ss;
4742 secp256k1_scalar_set_int(&ss, 1);
4743 secp256k1_scalar_negate(&ss, &ss);
4744 secp256k1_scalar_inverse(&ss, &ss);
4745 secp256k1_scalar_set_int(&sr, 1);
4746 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4747 secp256k1_ge_set_gej(&key, &keyj);
4749 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4752 /* Verify signature with r of zero fails. */
4754 const unsigned char pubkey_mods_zero[33] = {
4755 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4756 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4757 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4758 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4762 secp256k1_scalar msg;
4763 secp256k1_scalar sr, ss;
4764 secp256k1_scalar_set_int(&ss, 1);
4765 secp256k1_scalar_set_int(&msg, 0);
4766 secp256k1_scalar_set_int(&sr, 0);
4767 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4768 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4771 /* Verify signature with s of zero fails. */
4773 const unsigned char pubkey[33] = {
4774 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4781 secp256k1_scalar msg;
4782 secp256k1_scalar sr, ss;
4783 secp256k1_scalar_set_int(&ss, 0);
4784 secp256k1_scalar_set_int(&msg, 0);
4785 secp256k1_scalar_set_int(&sr, 1);
4786 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4787 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4790 /* Verify signature with message 0 passes. */
4792 const unsigned char pubkey[33] = {
4793 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4799 const unsigned char pubkey2[33] = {
4800 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4801 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4802 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4803 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4808 secp256k1_scalar msg;
4809 secp256k1_scalar sr, ss;
4810 secp256k1_scalar_set_int(&ss, 2);
4811 secp256k1_scalar_set_int(&msg, 0);
4812 secp256k1_scalar_set_int(&sr, 2);
4813 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4814 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4815 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4816 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4817 secp256k1_scalar_negate(&ss, &ss);
4818 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4819 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4820 secp256k1_scalar_set_int(&ss, 1);
4821 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4822 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4825 /* Verify signature with message 1 passes. */
4827 const unsigned char pubkey[33] = {
4828 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4829 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4830 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4831 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4834 const unsigned char pubkey2[33] = {
4835 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4836 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4837 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4838 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4841 const unsigned char csr[32] = {
4842 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4843 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4844 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4845 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4849 secp256k1_scalar msg;
4850 secp256k1_scalar sr, ss;
4851 secp256k1_scalar_set_int(&ss, 1);
4852 secp256k1_scalar_set_int(&msg, 1);
4853 secp256k1_scalar_set_b32(&sr, csr, NULL);
4854 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4855 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4856 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4857 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4858 secp256k1_scalar_negate(&ss, &ss);
4859 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4860 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4861 secp256k1_scalar_set_int(&ss, 2);
4862 secp256k1_scalar_inverse_var(&ss, &ss);
4863 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4864 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4867 /* Verify signature with message -1 passes. */
4869 const unsigned char pubkey[33] = {
4870 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4871 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4872 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4873 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4876 const unsigned char csr[32] = {
4877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4878 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4879 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4880 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4883 secp256k1_scalar msg;
4884 secp256k1_scalar sr, ss;
4885 secp256k1_scalar_set_int(&ss, 1);
4886 secp256k1_scalar_set_int(&msg, 1);
4887 secp256k1_scalar_negate(&msg, &msg);
4888 secp256k1_scalar_set_b32(&sr, csr, NULL);
4889 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4890 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4891 secp256k1_scalar_negate(&ss, &ss);
4892 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4893 secp256k1_scalar_set_int(&ss, 3);
4894 secp256k1_scalar_inverse_var(&ss, &ss);
4895 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4898 /* Signature where s would be zero. */
4900 secp256k1_pubkey pubkey;
4903 unsigned char signature[72];
4904 static const unsigned char nonce[32] = {
4905 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4906 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4907 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4908 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4910 static const unsigned char nonce2[32] = {
4911 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4912 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4913 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4914 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4916 const unsigned char key[32] = {
4917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4922 unsigned char msg[32] = {
4923 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4924 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4925 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4926 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4929 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4930 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4931 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4933 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4935 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4937 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4939 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4941 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4942 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4943 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4945 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4947 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4949 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4951 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4953 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4954 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4957 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4959 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4960 CHECK(ecount == 10);
4961 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4962 CHECK(ecount == 11);
4963 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4964 CHECK(ecount == 11);
4965 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4966 CHECK(ecount == 12);
4967 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4968 CHECK(ecount == 13);
4969 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4970 CHECK(ecount == 13);
4972 /* Too little room for a signature does not fail via ARGCHECK. */
4973 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4974 CHECK(ecount == 13);
4976 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4978 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4980 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4982 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4984 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4986 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4988 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4990 memset(signature, 255, 64);
4991 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4993 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4996 /* Nonce function corner cases. */
4997 for (t = 0; t < 2; t++) {
4998 static const unsigned char zero[32] = {0x00};
5000 unsigned char key[32];
5001 unsigned char msg[32];
5002 secp256k1_ecdsa_signature sig2;
5003 secp256k1_scalar sr[512], ss;
5004 const unsigned char *extra;
5005 extra = t == 0 ? NULL : zero;
5008 /* High key results in signature failure. */
5009 memset(key, 0xFF, 32);
5010 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5011 CHECK(is_empty_signature(&sig));
5012 /* Zero key results in signature failure. */
5014 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5015 CHECK(is_empty_signature(&sig));
5016 /* Nonce function failure results in signature failure. */
5018 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5019 CHECK(is_empty_signature(&sig));
5020 /* The retry loop successfully makes its way to the first good value. */
5021 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5022 CHECK(!is_empty_signature(&sig));
5023 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5024 CHECK(!is_empty_signature(&sig2));
5025 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5026 /* The default nonce function is deterministic. */
5027 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5028 CHECK(!is_empty_signature(&sig2));
5029 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5030 /* The default nonce function changes output with different messages. */
5031 for(i = 0; i < 256; i++) {
5034 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5035 CHECK(!is_empty_signature(&sig2));
5036 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5037 for (j = 0; j < i; j++) {
5038 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5043 /* The default nonce function changes output with different keys. */
5044 for(i = 256; i < 512; i++) {
5047 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5048 CHECK(!is_empty_signature(&sig2));
5049 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5050 for (j = 0; j < i; j++) {
5051 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5058 /* Check that optional nonce arguments do not have equivalent effect. */
5059 const unsigned char zeros[32] = {0};
5060 unsigned char nonce[32];
5061 unsigned char nonce2[32];
5062 unsigned char nonce3[32];
5063 unsigned char nonce4[32];
5065 VG_UNDEF(nonce2,32);
5066 VG_UNDEF(nonce3,32);
5067 VG_UNDEF(nonce4,32);
5068 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5070 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5071 VG_CHECK(nonce2,32);
5072 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5073 VG_CHECK(nonce3,32);
5074 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5075 VG_CHECK(nonce4,32);
5076 CHECK(memcmp(nonce, nonce2, 32) != 0);
5077 CHECK(memcmp(nonce, nonce3, 32) != 0);
5078 CHECK(memcmp(nonce, nonce4, 32) != 0);
5079 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5080 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5081 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5085 /* Privkey export where pubkey is the point at infinity. */
5087 unsigned char privkey[300];
5088 unsigned char seckey[32] = {
5089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5090 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5091 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5092 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5094 size_t outlen = 300;
5095 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5097 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5101 void run_ecdsa_edge_cases(void) {
5102 test_ecdsa_edge_cases();
5105 #ifdef ENABLE_OPENSSL_TESTS
5106 EC_KEY *get_openssl_key(const unsigned char *key32) {
5107 unsigned char privkey[300];
5109 const unsigned char* pbegin = privkey;
5110 int compr = secp256k1_rand_bits(1);
5111 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5112 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5113 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5114 CHECK(EC_KEY_check_key(ec_key));
5118 void test_ecdsa_openssl(void) {
5121 secp256k1_scalar sigr, sigs;
5122 secp256k1_scalar one;
5123 secp256k1_scalar msg2;
5124 secp256k1_scalar key, msg;
5126 unsigned int sigsize = 80;
5127 size_t secp_sigsize = 80;
5128 unsigned char message[32];
5129 unsigned char signature[80];
5130 unsigned char key32[32];
5131 secp256k1_rand256_test(message);
5132 secp256k1_scalar_set_b32(&msg, message, NULL);
5133 random_scalar_order_test(&key);
5134 secp256k1_scalar_get_b32(key32, &key);
5135 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5136 secp256k1_ge_set_gej(&q, &qj);
5137 ec_key = get_openssl_key(key32);
5138 CHECK(ec_key != NULL);
5139 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5140 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5141 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5142 secp256k1_scalar_set_int(&one, 1);
5143 secp256k1_scalar_add(&msg2, &msg, &one);
5144 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5146 random_sign(&sigr, &sigs, &key, &msg, NULL);
5147 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5148 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5150 EC_KEY_free(ec_key);
5153 void run_ecdsa_openssl(void) {
5155 for (i = 0; i < 10*count; i++) {
5156 test_ecdsa_openssl();
5161 #ifdef ENABLE_MODULE_ECDH
5162 # include "modules/ecdh/tests_impl.h"
5165 #ifdef ENABLE_MODULE_RECOVERY
5166 # include "modules/recovery/tests_impl.h"
5169 int main(int argc, char **argv) {
5170 unsigned char seed16[16] = {0};
5171 unsigned char run32[32] = {0};
5172 /* find iteration count */
5174 count = strtol(argv[1], NULL, 0);
5177 /* find random seed */
5180 const char* ch = argv[2];
5181 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5183 if (sscanf(ch, "%2hx", &sh)) {
5192 FILE *frand = fopen("/dev/urandom", "r");
5193 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5194 uint64_t t = time(NULL) * (uint64_t)1337;
5195 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5197 seed16[1] ^= t >> 8;
5198 seed16[2] ^= t >> 16;
5199 seed16[3] ^= t >> 24;
5200 seed16[4] ^= t >> 32;
5201 seed16[5] ^= t >> 40;
5202 seed16[6] ^= t >> 48;
5203 seed16[7] ^= t >> 56;
5209 secp256k1_rand_seed(seed16);
5211 printf("test count = %i\n", count);
5212 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5215 run_context_tests(0);
5216 run_context_tests(1);
5217 run_scratch_tests();
5218 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5219 if (secp256k1_rand_bits(1)) {
5220 secp256k1_rand256(run32);
5221 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5228 run_hmac_sha256_tests();
5229 run_rfc6979_hmac_sha256_tests();
5231 #ifndef USE_NUM_NONE
5233 run_num_smalltests();
5241 run_field_inv_var();
5242 run_field_inv_all_var();
5244 run_field_convert();
5250 run_group_decompress();
5254 run_point_times_order();
5256 run_ecmult_constants();
5257 run_ecmult_gen_blind();
5258 run_ecmult_const_tests();
5259 run_ecmult_multi_tests();
5262 /* endomorphism tests */
5263 #ifdef USE_ENDOMORPHISM
5264 run_endomorphism_tests();
5267 /* EC point parser test */
5268 run_ec_pubkey_parse_test();
5270 /* EC key edge cases */
5271 run_eckey_edge_case_test();
5273 #ifdef ENABLE_MODULE_ECDH
5279 run_random_pubkeys();
5280 run_ecdsa_der_parse();
5281 run_ecdsa_sign_verify();
5282 run_ecdsa_end_to_end();
5283 run_ecdsa_edge_cases();
5284 #ifdef ENABLE_OPENSSL_TESTS
5285 run_ecdsa_openssl();
5288 #ifdef ENABLE_MODULE_RECOVERY
5289 /* ECDSA pubkey recovery tests */
5290 run_recovery_tests();
5293 secp256k1_rand256(run32);
5294 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5297 secp256k1_context_destroy(ctx);
5299 printf("no problems found\n");
projects / secp256k1.git / blob