1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(int use_prealloc) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none;
148 secp256k1_context *sign;
149 secp256k1_context *vrfy;
150 secp256k1_context *both;
151 void *none_prealloc = NULL;
152 void *sign_prealloc = NULL;
153 void *vrfy_prealloc = NULL;
154 void *both_prealloc = NULL;
158 secp256k1_scalar msg, key, nonce;
159 secp256k1_scalar sigr, sigs;
162 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
163 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
164 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
165 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
166 CHECK(none_prealloc != NULL);
167 CHECK(sign_prealloc != NULL);
168 CHECK(vrfy_prealloc != NULL);
169 CHECK(both_prealloc != NULL);
170 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
171 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
172 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
173 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
175 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
176 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
177 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
178 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
181 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
185 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
186 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
187 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
188 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
190 /* check if sizes for cloning are consistent */
191 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
192 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
193 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
194 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196 /*** clone and destroy all of them to make sure cloning was complete ***/
198 secp256k1_context *ctx_tmp;
201 /* clone into a non-preallocated context and then again into a new preallocated one. */
202 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
203 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
204 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
207 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
208 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
211 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
212 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
215 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
216 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218 /* clone into a preallocated context and then again into a new non-preallocated one. */
221 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
222 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
223 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
226 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
227 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
228 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
231 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
232 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
236 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
237 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
238 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
243 /* Verify that the error callback makes it across the clone. */
244 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
245 /* And that it resets back to default. */
246 secp256k1_context_set_error_callback(sign, NULL, NULL);
247 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
249 /*** attempt to use them ***/
250 random_scalar_order_test(&msg);
251 random_scalar_order_test(&key);
252 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
253 secp256k1_ge_set_gej(&pub, &pubj);
255 /* Verify context-type checking illegal-argument errors. */
257 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
259 VG_UNDEF(&pubkey, sizeof(pubkey));
260 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
261 VG_CHECK(&pubkey, sizeof(pubkey));
262 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
264 VG_UNDEF(&sig, sizeof(sig));
265 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
266 VG_CHECK(&sig, sizeof(sig));
267 CHECK(ecount2 == 10);
268 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
269 CHECK(ecount2 == 11);
270 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
272 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
273 CHECK(ecount2 == 12);
274 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
276 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
277 CHECK(ecount2 == 13);
278 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
280 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
282 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
283 CHECK(ecount2 == 14);
284 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
286 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
288 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
290 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
292 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
293 CHECK(ecount2 == 14);
294 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
295 CHECK(ecount2 == 14);
296 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
297 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
299 /* obtain a working nonce */
301 random_scalar_order_test(&nonce);
302 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
306 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
310 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
314 secp256k1_context_preallocated_destroy(none);
315 secp256k1_context_preallocated_destroy(sign);
316 secp256k1_context_preallocated_destroy(vrfy);
317 secp256k1_context_preallocated_destroy(both);
323 secp256k1_context_destroy(none);
324 secp256k1_context_destroy(sign);
325 secp256k1_context_destroy(vrfy);
326 secp256k1_context_destroy(both);
328 /* Defined as no-op. */
329 secp256k1_context_destroy(NULL);
330 secp256k1_context_preallocated_destroy(NULL);
334 void run_scratch_tests(void) {
336 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
337 secp256k1_scratch_space *scratch;
339 /* Test public API */
340 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
342 scratch = secp256k1_scratch_space_create(none, 1000);
343 CHECK(scratch != NULL);
346 /* Test internal API */
347 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
348 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
350 /* Allocating 500 bytes with no frame fails */
351 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
352 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
354 /* ...but pushing a new stack frame does affect the max allocation */
355 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
356 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
357 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
358 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
360 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
362 /* ...and this effect is undone by popping the frame */
363 secp256k1_scratch_deallocate_frame(scratch);
364 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
365 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
368 secp256k1_scratch_space_destroy(scratch);
369 secp256k1_context_destroy(none);
372 /***** HASH TESTS *****/
374 void run_sha256_tests(void) {
375 static const char *inputs[8] = {
376 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
377 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
378 "For this sample, this 63-byte string will be used as input data",
379 "This is exactly 64 bytes long, not counting the terminating byte"
381 static const unsigned char outputs[8][32] = {
382 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
383 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
384 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
385 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
386 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
387 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
388 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
389 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
392 for (i = 0; i < 8; i++) {
393 unsigned char out[32];
394 secp256k1_sha256 hasher;
395 secp256k1_sha256_initialize(&hasher);
396 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
397 secp256k1_sha256_finalize(&hasher, out);
398 CHECK(memcmp(out, outputs[i], 32) == 0);
399 if (strlen(inputs[i]) > 0) {
400 int split = secp256k1_rand_int(strlen(inputs[i]));
401 secp256k1_sha256_initialize(&hasher);
402 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
403 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
404 secp256k1_sha256_finalize(&hasher, out);
405 CHECK(memcmp(out, outputs[i], 32) == 0);
410 void run_hmac_sha256_tests(void) {
411 static const char *keys[6] = {
412 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
414 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
415 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
416 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
417 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
419 static const char *inputs[6] = {
420 "\x48\x69\x20\x54\x68\x65\x72\x65",
421 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
422 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
423 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
424 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
425 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
427 static const unsigned char outputs[6][32] = {
428 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
429 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
430 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
431 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
432 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
433 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
436 for (i = 0; i < 6; i++) {
437 secp256k1_hmac_sha256 hasher;
438 unsigned char out[32];
439 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
440 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
441 secp256k1_hmac_sha256_finalize(&hasher, out);
442 CHECK(memcmp(out, outputs[i], 32) == 0);
443 if (strlen(inputs[i]) > 0) {
444 int split = secp256k1_rand_int(strlen(inputs[i]));
445 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
446 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
447 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
448 secp256k1_hmac_sha256_finalize(&hasher, out);
449 CHECK(memcmp(out, outputs[i], 32) == 0);
454 void run_rfc6979_hmac_sha256_tests(void) {
455 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
456 static const unsigned char out1[3][32] = {
457 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
458 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
459 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
462 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
463 static const unsigned char out2[3][32] = {
464 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
465 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
466 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
469 secp256k1_rfc6979_hmac_sha256 rng;
470 unsigned char out[32];
473 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
474 for (i = 0; i < 3; i++) {
475 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
476 CHECK(memcmp(out, out1[i], 32) == 0);
478 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
480 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
481 for (i = 0; i < 3; i++) {
482 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
483 CHECK(memcmp(out, out1[i], 32) != 0);
485 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
487 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
488 for (i = 0; i < 3; i++) {
489 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
490 CHECK(memcmp(out, out2[i], 32) == 0);
492 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
495 /***** RANDOM TESTS *****/
497 void test_rand_bits(int rand32, int bits) {
498 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
499 * get a false negative chance below once in a billion */
500 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
501 /* We try multiplying the results with various odd numbers, which shouldn't
502 * influence the uniform distribution modulo a power of 2. */
503 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
504 /* We only select up to 6 bits from the output to analyse */
505 unsigned int usebits = bits > 6 ? 6 : bits;
506 unsigned int maxshift = bits - usebits;
507 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
508 number, track all observed outcomes, one per bit in a uint64_t. */
509 uint64_t x[6][27] = {{0}};
510 unsigned int i, shift, m;
511 /* Multiply the output of all rand calls with the odd number m, which
512 should not change the uniformity of its distribution. */
513 for (i = 0; i < rounds[usebits]; i++) {
514 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
515 CHECK((((uint64_t)r) >> bits) == 0);
516 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
517 uint32_t rm = r * mults[m];
518 for (shift = 0; shift <= maxshift; shift++) {
519 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
523 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
524 for (shift = 0; shift <= maxshift; shift++) {
525 /* Test that the lower usebits bits of x[shift] are 1 */
526 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
531 /* Subrange must be a whole divisor of range, and at most 64 */
532 void test_rand_int(uint32_t range, uint32_t subrange) {
533 /* (1-1/subrange)^rounds < 1/10^9 */
534 int rounds = (subrange * 2073) / 100;
537 CHECK((range % subrange) == 0);
538 for (i = 0; i < rounds; i++) {
539 uint32_t r = secp256k1_rand_int(range);
542 x |= (((uint64_t)1) << r);
544 /* Test that the lower subrange bits of x are 1. */
545 CHECK(((~x) << (64 - subrange)) == 0);
548 void run_rand_bits(void) {
550 test_rand_bits(1, 32);
551 for (b = 1; b <= 32; b++) {
552 test_rand_bits(0, b);
556 void run_rand_int(void) {
557 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
558 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
560 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
561 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
562 test_rand_int(ms[m] * ss[s], ss[s]);
567 /***** NUM TESTS *****/
570 void random_num_negate(secp256k1_num *num) {
571 if (secp256k1_rand_bits(1)) {
572 secp256k1_num_negate(num);
576 void random_num_order_test(secp256k1_num *num) {
578 random_scalar_order_test(&sc);
579 secp256k1_scalar_get_num(num, &sc);
582 void random_num_order(secp256k1_num *num) {
584 random_scalar_order(&sc);
585 secp256k1_scalar_get_num(num, &sc);
588 void test_num_negate(void) {
591 random_num_order_test(&n1); /* n1 = R */
592 random_num_negate(&n1);
593 secp256k1_num_copy(&n2, &n1); /* n2 = R */
594 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
595 CHECK(secp256k1_num_is_zero(&n1));
596 secp256k1_num_copy(&n1, &n2); /* n1 = R */
597 secp256k1_num_negate(&n1); /* n1 = -R */
598 CHECK(!secp256k1_num_is_zero(&n1));
599 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
600 CHECK(secp256k1_num_is_zero(&n1));
601 secp256k1_num_copy(&n1, &n2); /* n1 = R */
602 secp256k1_num_negate(&n1); /* n1 = -R */
603 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
604 secp256k1_num_negate(&n1); /* n1 = R */
605 CHECK(secp256k1_num_eq(&n1, &n2));
608 void test_num_add_sub(void) {
613 secp256k1_num n1p2, n2p1, n1m2, n2m1;
614 random_num_order_test(&n1); /* n1 = R1 */
615 if (secp256k1_rand_bits(1)) {
616 random_num_negate(&n1);
618 random_num_order_test(&n2); /* n2 = R2 */
619 if (secp256k1_rand_bits(1)) {
620 random_num_negate(&n2);
622 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
623 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
624 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
625 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
626 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
627 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
628 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
629 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
630 CHECK(!secp256k1_num_eq(&n2m1, &n1));
631 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
632 CHECK(secp256k1_num_eq(&n2m1, &n1));
633 CHECK(!secp256k1_num_eq(&n2p1, &n1));
634 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
635 CHECK(secp256k1_num_eq(&n2p1, &n1));
638 secp256k1_scalar_set_int(&s, 1);
639 secp256k1_scalar_get_num(&n1, &s);
640 CHECK(secp256k1_num_is_one(&n1));
641 /* check that 2^n + 1 is never 1 */
642 secp256k1_scalar_get_num(&n2, &s);
643 for (i = 0; i < 250; ++i) {
644 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
645 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
646 CHECK(!secp256k1_num_is_one(&n1p2));
650 void test_num_mod(void) {
653 secp256k1_num order, n;
655 /* check that 0 mod anything is 0 */
656 random_scalar_order_test(&s);
657 secp256k1_scalar_get_num(&order, &s);
658 secp256k1_scalar_set_int(&s, 0);
659 secp256k1_scalar_get_num(&n, &s);
660 secp256k1_num_mod(&n, &order);
661 CHECK(secp256k1_num_is_zero(&n));
663 /* check that anything mod 1 is 0 */
664 secp256k1_scalar_set_int(&s, 1);
665 secp256k1_scalar_get_num(&order, &s);
666 secp256k1_scalar_get_num(&n, &s);
667 secp256k1_num_mod(&n, &order);
668 CHECK(secp256k1_num_is_zero(&n));
670 /* check that increasing the number past 2^256 does not break this */
671 random_scalar_order_test(&s);
672 secp256k1_scalar_get_num(&n, &s);
673 /* multiply by 2^8, which'll test this case with high probability */
674 for (i = 0; i < 8; ++i) {
675 secp256k1_num_add(&n, &n, &n);
677 secp256k1_num_mod(&n, &order);
678 CHECK(secp256k1_num_is_zero(&n));
681 void test_num_jacobi(void) {
682 secp256k1_scalar sqr;
683 secp256k1_scalar small;
684 secp256k1_scalar five; /* five is not a quadratic residue */
685 secp256k1_num order, n;
687 /* squares mod 5 are 1, 4 */
688 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
690 /* check some small values with 5 as the order */
691 secp256k1_scalar_set_int(&five, 5);
692 secp256k1_scalar_get_num(&order, &five);
693 for (i = 0; i < 10; ++i) {
694 secp256k1_scalar_set_int(&small, i);
695 secp256k1_scalar_get_num(&n, &small);
696 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
699 /** test large values with 5 as group order */
700 secp256k1_scalar_get_num(&order, &five);
701 /* we first need a scalar which is not a multiple of 5 */
704 random_scalar_order_test(&sqr);
705 secp256k1_scalar_get_num(&fiven, &five);
706 secp256k1_scalar_get_num(&n, &sqr);
707 secp256k1_num_mod(&n, &fiven);
708 } while (secp256k1_num_is_zero(&n));
709 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
710 * just multiply by two, i.e. add the number to itself */
711 if (secp256k1_num_jacobi(&n, &order) == -1) {
712 secp256k1_num_add(&n, &n, &n);
716 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
717 /* test nonresidue */
718 secp256k1_num_add(&n, &n, &n);
719 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
721 /** test with secp group order as order */
722 secp256k1_scalar_order_get_num(&order);
723 random_scalar_order_test(&sqr);
724 secp256k1_scalar_sqr(&sqr, &sqr);
726 secp256k1_scalar_get_num(&n, &sqr);
727 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
728 /* test nonresidue */
729 secp256k1_scalar_mul(&sqr, &sqr, &five);
730 secp256k1_scalar_get_num(&n, &sqr);
731 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
732 /* test multiple of the order*/
733 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
735 /* check one less than the order */
736 secp256k1_scalar_set_int(&small, 1);
737 secp256k1_scalar_get_num(&n, &small);
738 secp256k1_num_sub(&n, &order, &n);
739 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
742 void run_num_smalltests(void) {
744 for (i = 0; i < 100*count; i++) {
753 /***** SCALAR TESTS *****/
755 void scalar_test(void) {
760 secp256k1_num snum, s1num, s2num;
761 secp256k1_num order, half_order;
765 /* Set 's' to a random scalar, with value 'snum'. */
766 random_scalar_order_test(&s);
768 /* Set 's1' to a random scalar, with value 's1num'. */
769 random_scalar_order_test(&s1);
771 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
772 random_scalar_order_test(&s2);
773 secp256k1_scalar_get_b32(c, &s2);
776 secp256k1_scalar_get_num(&snum, &s);
777 secp256k1_scalar_get_num(&s1num, &s1);
778 secp256k1_scalar_get_num(&s2num, &s2);
780 secp256k1_scalar_order_get_num(&order);
782 secp256k1_num_shift(&half_order, 1);
787 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
789 secp256k1_scalar_set_int(&n, 0);
790 for (i = 0; i < 256; i += 4) {
793 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
794 for (j = 0; j < 4; j++) {
795 secp256k1_scalar_add(&n, &n, &n);
797 secp256k1_scalar_add(&n, &n, &t);
799 CHECK(secp256k1_scalar_eq(&n, &s));
803 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
806 secp256k1_scalar_set_int(&n, 0);
810 int now = secp256k1_rand_int(15) + 1;
814 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
815 for (j = 0; j < now; j++) {
816 secp256k1_scalar_add(&n, &n, &n);
818 secp256k1_scalar_add(&n, &n, &t);
821 CHECK(secp256k1_scalar_eq(&n, &s));
826 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
830 secp256k1_num_add(&rnum, &snum, &s2num);
831 secp256k1_num_mod(&rnum, &order);
832 secp256k1_scalar_add(&r, &s, &s2);
833 secp256k1_scalar_get_num(&r2num, &r);
834 CHECK(secp256k1_num_eq(&rnum, &r2num));
838 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
842 secp256k1_num_mul(&rnum, &snum, &s2num);
843 secp256k1_num_mod(&rnum, &order);
844 secp256k1_scalar_mul(&r, &s, &s2);
845 secp256k1_scalar_get_num(&r2num, &r);
846 CHECK(secp256k1_num_eq(&rnum, &r2num));
847 /* The result can only be zero if at least one of the factors was zero. */
848 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
849 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
850 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
851 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
855 secp256k1_scalar neg;
856 secp256k1_num negnum;
857 secp256k1_num negnum2;
858 /* Check that comparison with zero matches comparison with zero on the number. */
859 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
860 /* Check that comparison with the half order is equal to testing for high scalar. */
861 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
862 secp256k1_scalar_negate(&neg, &s);
863 secp256k1_num_sub(&negnum, &order, &snum);
864 secp256k1_num_mod(&negnum, &order);
865 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
866 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
867 /* Negating should change the high property, unless the value was already zero. */
868 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
869 secp256k1_scalar_get_num(&negnum2, &neg);
870 /* Negating a scalar should be equal to (order - n) mod order on the number. */
871 CHECK(secp256k1_num_eq(&negnum, &negnum2));
872 secp256k1_scalar_add(&neg, &neg, &s);
873 /* Adding a number to its negation should result in zero. */
874 CHECK(secp256k1_scalar_is_zero(&neg));
875 secp256k1_scalar_negate(&neg, &neg);
876 /* Negating zero should still result in zero. */
877 CHECK(secp256k1_scalar_is_zero(&neg));
881 /* Test secp256k1_scalar_mul_shift_var. */
886 unsigned char cone[1] = {0x01};
887 unsigned int shift = 256 + secp256k1_rand_int(257);
888 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
889 secp256k1_num_mul(&rnum, &s1num, &s2num);
890 secp256k1_num_shift(&rnum, shift - 1);
891 secp256k1_num_set_bin(&one, cone, 1);
892 secp256k1_num_add(&rnum, &rnum, &one);
893 secp256k1_num_shift(&rnum, 1);
894 secp256k1_scalar_get_num(&rnum2, &r);
895 CHECK(secp256k1_num_eq(&rnum, &rnum2));
899 /* test secp256k1_scalar_shr_int */
902 random_scalar_order_test(&r);
903 for (i = 0; i < 100; ++i) {
905 int shift = 1 + secp256k1_rand_int(15);
906 int expected = r.d[0] % (1 << shift);
907 low = secp256k1_scalar_shr_int(&r, shift);
908 CHECK(expected == low);
914 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
915 if (!secp256k1_scalar_is_zero(&s)) {
916 secp256k1_scalar inv;
918 secp256k1_num invnum;
919 secp256k1_num invnum2;
921 secp256k1_scalar_inverse(&inv, &s);
923 secp256k1_num_mod_inverse(&invnum, &snum, &order);
924 secp256k1_scalar_get_num(&invnum2, &inv);
925 CHECK(secp256k1_num_eq(&invnum, &invnum2));
927 secp256k1_scalar_mul(&inv, &inv, &s);
928 /* Multiplying a scalar with its inverse must result in one. */
929 CHECK(secp256k1_scalar_is_one(&inv));
930 secp256k1_scalar_inverse(&inv, &inv);
931 /* Inverting one must result in one. */
932 CHECK(secp256k1_scalar_is_one(&inv));
934 secp256k1_scalar_get_num(&invnum, &inv);
935 CHECK(secp256k1_num_is_one(&invnum));
941 /* Test commutativity of add. */
942 secp256k1_scalar r1, r2;
943 secp256k1_scalar_add(&r1, &s1, &s2);
944 secp256k1_scalar_add(&r2, &s2, &s1);
945 CHECK(secp256k1_scalar_eq(&r1, &r2));
949 secp256k1_scalar r1, r2;
953 int bit = secp256k1_rand_bits(8);
954 secp256k1_scalar_set_int(&b, 1);
955 CHECK(secp256k1_scalar_is_one(&b));
956 for (i = 0; i < bit; i++) {
957 secp256k1_scalar_add(&b, &b, &b);
961 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
962 /* No overflow happened. */
963 secp256k1_scalar_cadd_bit(&r2, bit, 1);
964 CHECK(secp256k1_scalar_eq(&r1, &r2));
965 /* cadd is a noop when flag is zero */
966 secp256k1_scalar_cadd_bit(&r2, bit, 0);
967 CHECK(secp256k1_scalar_eq(&r1, &r2));
972 /* Test commutativity of mul. */
973 secp256k1_scalar r1, r2;
974 secp256k1_scalar_mul(&r1, &s1, &s2);
975 secp256k1_scalar_mul(&r2, &s2, &s1);
976 CHECK(secp256k1_scalar_eq(&r1, &r2));
980 /* Test associativity of add. */
981 secp256k1_scalar r1, r2;
982 secp256k1_scalar_add(&r1, &s1, &s2);
983 secp256k1_scalar_add(&r1, &r1, &s);
984 secp256k1_scalar_add(&r2, &s2, &s);
985 secp256k1_scalar_add(&r2, &s1, &r2);
986 CHECK(secp256k1_scalar_eq(&r1, &r2));
990 /* Test associativity of mul. */
991 secp256k1_scalar r1, r2;
992 secp256k1_scalar_mul(&r1, &s1, &s2);
993 secp256k1_scalar_mul(&r1, &r1, &s);
994 secp256k1_scalar_mul(&r2, &s2, &s);
995 secp256k1_scalar_mul(&r2, &s1, &r2);
996 CHECK(secp256k1_scalar_eq(&r1, &r2));
1000 /* Test distributitivity of mul over add. */
1001 secp256k1_scalar r1, r2, t;
1002 secp256k1_scalar_add(&r1, &s1, &s2);
1003 secp256k1_scalar_mul(&r1, &r1, &s);
1004 secp256k1_scalar_mul(&r2, &s1, &s);
1005 secp256k1_scalar_mul(&t, &s2, &s);
1006 secp256k1_scalar_add(&r2, &r2, &t);
1007 CHECK(secp256k1_scalar_eq(&r1, &r2));
1012 secp256k1_scalar r1, r2;
1013 secp256k1_scalar_sqr(&r1, &s1);
1014 secp256k1_scalar_mul(&r2, &s1, &s1);
1015 CHECK(secp256k1_scalar_eq(&r1, &r2));
1019 /* Test multiplicative identity. */
1020 secp256k1_scalar r1, v1;
1021 secp256k1_scalar_set_int(&v1,1);
1022 secp256k1_scalar_mul(&r1, &s1, &v1);
1023 CHECK(secp256k1_scalar_eq(&r1, &s1));
1027 /* Test additive identity. */
1028 secp256k1_scalar r1, v0;
1029 secp256k1_scalar_set_int(&v0,0);
1030 secp256k1_scalar_add(&r1, &s1, &v0);
1031 CHECK(secp256k1_scalar_eq(&r1, &s1));
1035 /* Test zero product property. */
1036 secp256k1_scalar r1, v0;
1037 secp256k1_scalar_set_int(&v0,0);
1038 secp256k1_scalar_mul(&r1, &s1, &v0);
1039 CHECK(secp256k1_scalar_eq(&r1, &v0));
1044 void run_scalar_tests(void) {
1046 for (i = 0; i < 128 * count; i++) {
1051 /* (-1)+1 should be zero. */
1052 secp256k1_scalar s, o;
1053 secp256k1_scalar_set_int(&s, 1);
1054 CHECK(secp256k1_scalar_is_one(&s));
1055 secp256k1_scalar_negate(&o, &s);
1056 secp256k1_scalar_add(&o, &o, &s);
1057 CHECK(secp256k1_scalar_is_zero(&o));
1058 secp256k1_scalar_negate(&o, &o);
1059 CHECK(secp256k1_scalar_is_zero(&o));
1062 #ifndef USE_NUM_NONE
1064 /* A scalar with value of the curve order should be 0. */
1065 secp256k1_num order;
1066 secp256k1_scalar zero;
1067 unsigned char bin[32];
1069 secp256k1_scalar_order_get_num(&order);
1070 secp256k1_num_get_bin(bin, 32, &order);
1071 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1072 CHECK(overflow == 1);
1073 CHECK(secp256k1_scalar_is_zero(&zero));
1078 /* Does check_overflow check catch all ones? */
1079 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1080 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1081 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1083 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1087 /* Static test vectors.
1088 * These were reduced from ~10^12 random vectors based on comparison-decision
1089 * and edge-case coverage on 32-bit and 64-bit implementations.
1090 * The responses were generated with Sage 5.9.
1095 secp256k1_scalar zz;
1096 secp256k1_scalar one;
1097 secp256k1_scalar r1;
1098 secp256k1_scalar r2;
1099 #if defined(USE_SCALAR_INV_NUM)
1100 secp256k1_scalar zzv;
1103 unsigned char chal[33][2][32] = {
1104 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1105 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1106 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1107 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1108 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1110 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1111 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1112 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1113 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1115 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1116 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1118 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1119 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1120 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1121 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1122 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1123 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1124 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1125 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1126 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1127 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1128 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1129 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1131 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1132 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1133 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1134 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1135 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1136 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1137 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1138 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1139 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1140 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1141 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1142 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1143 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1144 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1145 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1146 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1147 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1148 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1149 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1150 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1151 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1152 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1153 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1154 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1155 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1156 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1157 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1158 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1159 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1160 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1161 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1162 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1163 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1164 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1165 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1167 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1168 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1170 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1172 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1173 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1174 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1176 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1179 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1180 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1181 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1182 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1183 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1184 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1185 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1186 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1187 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1188 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1191 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1192 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1193 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1194 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1196 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1198 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1200 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1201 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1204 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1205 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1206 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1207 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1208 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1209 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1212 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1216 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1217 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1220 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1221 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1224 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1226 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1228 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1230 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1231 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1232 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1233 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1234 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1235 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1236 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1237 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1238 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1240 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1241 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1242 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1244 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1245 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1247 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1248 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1250 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1251 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1252 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1253 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1254 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1255 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1256 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1257 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1258 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1260 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1261 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1262 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1264 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1268 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1269 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1270 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1271 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1272 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1273 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1276 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1280 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1281 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1283 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1284 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1288 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1289 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1290 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1292 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1293 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1294 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1296 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1297 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1298 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1300 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1304 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1306 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1307 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1308 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1312 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1313 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1314 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1315 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1316 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1320 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1321 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1322 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1323 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1324 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1325 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1326 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1327 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1328 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1329 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1330 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1331 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1332 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1334 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1335 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1336 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1337 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1338 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1339 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1340 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1341 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1342 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1343 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1344 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1345 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1346 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1347 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1348 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1349 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1350 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1351 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1352 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1353 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1354 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1355 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1356 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1358 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1359 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1360 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1361 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1363 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1364 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1365 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1366 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1367 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1369 unsigned char res[33][2][32] = {
1370 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1371 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1372 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1373 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1374 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1375 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1376 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1377 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1378 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1379 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1380 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1381 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1382 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1383 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1384 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1385 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1386 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1387 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1388 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1389 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1390 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1391 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1392 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1393 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1394 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1395 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1396 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1397 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1398 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1399 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1400 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1401 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1402 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1403 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1404 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1405 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1406 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1407 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1408 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1409 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1410 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1411 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1412 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1413 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1414 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1415 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1416 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1417 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1418 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1419 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1420 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1421 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1422 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1423 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1424 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1425 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1426 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1427 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1428 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1429 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1430 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1431 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1432 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1433 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1434 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1435 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1436 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1437 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1438 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1439 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1440 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1441 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1442 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1443 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1444 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1445 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1446 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1447 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1448 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1449 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1450 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1451 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1452 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1453 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1454 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1455 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1456 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1457 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1458 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1459 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1460 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1461 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1462 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1463 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1464 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1465 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1466 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1467 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1468 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1469 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1470 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1471 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1472 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1473 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1474 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1475 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1476 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1477 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1478 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1479 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1480 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1481 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1482 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1483 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1484 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1485 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1486 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1487 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1488 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1489 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1490 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1491 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1492 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1493 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1494 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1495 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1496 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1497 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1498 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1499 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1500 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1501 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1502 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1503 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1504 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1505 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1506 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1507 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1508 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1509 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1510 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1511 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1512 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1513 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1514 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1515 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1516 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1517 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1518 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1519 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1520 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1521 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1522 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1523 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1524 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1525 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1526 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1527 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1528 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1529 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1530 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1531 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1532 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1534 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1538 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1542 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1543 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1546 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1547 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1548 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1549 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1550 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1551 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1552 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1553 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1554 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1555 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1556 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1557 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1558 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1559 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1560 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1561 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1562 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1564 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1565 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1566 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1567 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1568 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1569 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1570 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1572 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1573 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1574 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1578 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1579 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1580 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1581 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1582 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1583 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1584 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1585 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1586 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1587 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1588 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1589 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1590 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1591 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1592 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1593 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1594 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1595 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1596 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1597 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1598 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1599 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1600 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1601 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1602 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1603 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1604 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1605 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1606 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1607 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1608 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1609 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1610 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1611 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1612 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1613 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1614 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1615 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1616 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1617 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1618 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1619 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1620 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1621 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1622 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1623 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1624 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1625 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1626 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1627 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1628 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1629 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1630 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1631 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1632 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1633 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1635 secp256k1_scalar_set_int(&one, 1);
1636 for (i = 0; i < 33; i++) {
1637 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1639 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1641 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1643 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1645 secp256k1_scalar_mul(&z, &x, &y);
1646 CHECK(!secp256k1_scalar_check_overflow(&z));
1647 CHECK(secp256k1_scalar_eq(&r1, &z));
1648 if (!secp256k1_scalar_is_zero(&y)) {
1649 secp256k1_scalar_inverse(&zz, &y);
1650 CHECK(!secp256k1_scalar_check_overflow(&zz));
1651 #if defined(USE_SCALAR_INV_NUM)
1652 secp256k1_scalar_inverse_var(&zzv, &y);
1653 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1655 secp256k1_scalar_mul(&z, &z, &zz);
1656 CHECK(!secp256k1_scalar_check_overflow(&z));
1657 CHECK(secp256k1_scalar_eq(&x, &z));
1658 secp256k1_scalar_mul(&zz, &zz, &y);
1659 CHECK(!secp256k1_scalar_check_overflow(&zz));
1660 CHECK(secp256k1_scalar_eq(&one, &zz));
1662 secp256k1_scalar_mul(&z, &x, &x);
1663 CHECK(!secp256k1_scalar_check_overflow(&z));
1664 secp256k1_scalar_sqr(&zz, &x);
1665 CHECK(!secp256k1_scalar_check_overflow(&zz));
1666 CHECK(secp256k1_scalar_eq(&zz, &z));
1667 CHECK(secp256k1_scalar_eq(&r2, &zz));
1672 /***** FIELD TESTS *****/
1674 void random_fe(secp256k1_fe *x) {
1675 unsigned char bin[32];
1677 secp256k1_rand256(bin);
1678 if (secp256k1_fe_set_b32(x, bin)) {
1684 void random_fe_test(secp256k1_fe *x) {
1685 unsigned char bin[32];
1687 secp256k1_rand256_test(bin);
1688 if (secp256k1_fe_set_b32(x, bin)) {
1694 void random_fe_non_zero(secp256k1_fe *nz) {
1696 while (--tries >= 0) {
1698 secp256k1_fe_normalize(nz);
1699 if (!secp256k1_fe_is_zero(nz)) {
1703 /* Infinitesimal probability of spurious failure here */
1707 void random_fe_non_square(secp256k1_fe *ns) {
1709 random_fe_non_zero(ns);
1710 if (secp256k1_fe_sqrt(&r, ns)) {
1711 secp256k1_fe_negate(ns, ns, 1);
1715 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1716 secp256k1_fe an = *a;
1717 secp256k1_fe bn = *b;
1718 secp256k1_fe_normalize_weak(&an);
1719 secp256k1_fe_normalize_var(&bn);
1720 return secp256k1_fe_equal_var(&an, &bn);
1723 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1725 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1726 secp256k1_fe_mul(&x, a, ai);
1727 return check_fe_equal(&x, &one);
1730 void run_field_convert(void) {
1731 static const unsigned char b32[32] = {
1732 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1733 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1734 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1735 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1737 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1738 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1739 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1741 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1742 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1743 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1746 unsigned char b322[32];
1747 secp256k1_fe_storage fes2;
1748 /* Check conversions to fe. */
1749 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1750 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1751 secp256k1_fe_from_storage(&fe2, &fes);
1752 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1753 /* Check conversion from fe. */
1754 secp256k1_fe_get_b32(b322, &fe);
1755 CHECK(memcmp(b322, b32, 32) == 0);
1756 secp256k1_fe_to_storage(&fes2, &fe);
1757 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1760 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1761 secp256k1_fe t = *b;
1763 t.magnitude = a->magnitude;
1764 t.normalized = a->normalized;
1766 return memcmp(a, &t, sizeof(secp256k1_fe));
1769 void run_field_misc(void) {
1774 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1776 for (i = 0; i < 5*count; i++) {
1777 secp256k1_fe_storage xs, ys, zs;
1779 random_fe_non_zero(&y);
1780 /* Test the fe equality and comparison operations. */
1781 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1782 CHECK(secp256k1_fe_equal_var(&x, &x));
1784 secp256k1_fe_add(&z,&y);
1785 /* Test fe conditional move; z is not normalized here. */
1787 secp256k1_fe_cmov(&x, &z, 0);
1788 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1789 secp256k1_fe_cmov(&x, &x, 1);
1790 CHECK(fe_memcmp(&x, &z) != 0);
1791 CHECK(fe_memcmp(&x, &q) == 0);
1792 secp256k1_fe_cmov(&q, &z, 1);
1793 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1794 CHECK(fe_memcmp(&q, &z) == 0);
1795 secp256k1_fe_normalize_var(&x);
1796 secp256k1_fe_normalize_var(&z);
1797 CHECK(!secp256k1_fe_equal_var(&x, &z));
1798 secp256k1_fe_normalize_var(&q);
1799 secp256k1_fe_cmov(&q, &z, (i&1));
1800 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1801 for (j = 0; j < 6; j++) {
1802 secp256k1_fe_negate(&z, &z, j+1);
1803 secp256k1_fe_normalize_var(&q);
1804 secp256k1_fe_cmov(&q, &z, (j&1));
1805 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1807 secp256k1_fe_normalize_var(&z);
1808 /* Test storage conversion and conditional moves. */
1809 secp256k1_fe_to_storage(&xs, &x);
1810 secp256k1_fe_to_storage(&ys, &y);
1811 secp256k1_fe_to_storage(&zs, &z);
1812 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1813 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1814 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1815 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1816 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1817 secp256k1_fe_from_storage(&x, &xs);
1818 secp256k1_fe_from_storage(&y, &ys);
1819 secp256k1_fe_from_storage(&z, &zs);
1820 /* Test that mul_int, mul, and add agree. */
1821 secp256k1_fe_add(&y, &x);
1822 secp256k1_fe_add(&y, &x);
1824 secp256k1_fe_mul_int(&z, 3);
1825 CHECK(check_fe_equal(&y, &z));
1826 secp256k1_fe_add(&y, &x);
1827 secp256k1_fe_add(&z, &x);
1828 CHECK(check_fe_equal(&z, &y));
1830 secp256k1_fe_mul_int(&z, 5);
1831 secp256k1_fe_mul(&q, &x, &fe5);
1832 CHECK(check_fe_equal(&z, &q));
1833 secp256k1_fe_negate(&x, &x, 1);
1834 secp256k1_fe_add(&z, &x);
1835 secp256k1_fe_add(&q, &x);
1836 CHECK(check_fe_equal(&y, &z));
1837 CHECK(check_fe_equal(&q, &y));
1841 void run_field_inv(void) {
1842 secp256k1_fe x, xi, xii;
1844 for (i = 0; i < 10*count; i++) {
1845 random_fe_non_zero(&x);
1846 secp256k1_fe_inv(&xi, &x);
1847 CHECK(check_fe_inverse(&x, &xi));
1848 secp256k1_fe_inv(&xii, &xi);
1849 CHECK(check_fe_equal(&x, &xii));
1853 void run_field_inv_var(void) {
1854 secp256k1_fe x, xi, xii;
1856 for (i = 0; i < 10*count; i++) {
1857 random_fe_non_zero(&x);
1858 secp256k1_fe_inv_var(&xi, &x);
1859 CHECK(check_fe_inverse(&x, &xi));
1860 secp256k1_fe_inv_var(&xii, &xi);
1861 CHECK(check_fe_equal(&x, &xii));
1865 void run_field_inv_all_var(void) {
1866 secp256k1_fe x[16], xi[16], xii[16];
1868 /* Check it's safe to call for 0 elements */
1869 secp256k1_fe_inv_all_var(xi, x, 0);
1870 for (i = 0; i < count; i++) {
1872 size_t len = secp256k1_rand_int(15) + 1;
1873 for (j = 0; j < len; j++) {
1874 random_fe_non_zero(&x[j]);
1876 secp256k1_fe_inv_all_var(xi, x, len);
1877 for (j = 0; j < len; j++) {
1878 CHECK(check_fe_inverse(&x[j], &xi[j]));
1880 secp256k1_fe_inv_all_var(xii, xi, len);
1881 for (j = 0; j < len; j++) {
1882 CHECK(check_fe_equal(&x[j], &xii[j]));
1887 void run_sqr(void) {
1892 secp256k1_fe_set_int(&x, 1);
1893 secp256k1_fe_negate(&x, &x, 1);
1895 for (i = 1; i <= 512; ++i) {
1896 secp256k1_fe_mul_int(&x, 2);
1897 secp256k1_fe_normalize(&x);
1898 secp256k1_fe_sqr(&s, &x);
1903 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1904 secp256k1_fe r1, r2;
1905 int v = secp256k1_fe_sqrt(&r1, a);
1906 CHECK((v == 0) == (k == NULL));
1909 /* Check that the returned root is +/- the given known answer */
1910 secp256k1_fe_negate(&r2, &r1, 1);
1911 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1912 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1913 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1917 void run_sqrt(void) {
1918 secp256k1_fe ns, x, s, t;
1921 /* Check sqrt(0) is 0 */
1922 secp256k1_fe_set_int(&x, 0);
1923 secp256k1_fe_sqr(&s, &x);
1926 /* Check sqrt of small squares (and their negatives) */
1927 for (i = 1; i <= 100; i++) {
1928 secp256k1_fe_set_int(&x, i);
1929 secp256k1_fe_sqr(&s, &x);
1931 secp256k1_fe_negate(&t, &s, 1);
1932 test_sqrt(&t, NULL);
1935 /* Consistency checks for large random values */
1936 for (i = 0; i < 10; i++) {
1938 random_fe_non_square(&ns);
1939 for (j = 0; j < count; j++) {
1941 secp256k1_fe_sqr(&s, &x);
1943 secp256k1_fe_negate(&t, &s, 1);
1944 test_sqrt(&t, NULL);
1945 secp256k1_fe_mul(&t, &s, &ns);
1946 test_sqrt(&t, NULL);
1951 /***** GROUP TESTS *****/
1953 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1954 CHECK(a->infinity == b->infinity);
1958 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1959 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1962 /* This compares jacobian points including their Z, not just their geometric meaning. */
1963 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1967 ret &= a->infinity == b->infinity;
1968 if (ret && !a->infinity) {
1971 secp256k1_fe_normalize(&a2.x);
1972 secp256k1_fe_normalize(&a2.y);
1973 secp256k1_fe_normalize(&a2.z);
1974 secp256k1_fe_normalize(&b2.x);
1975 secp256k1_fe_normalize(&b2.y);
1976 secp256k1_fe_normalize(&b2.z);
1977 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1978 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1979 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1984 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1986 secp256k1_fe u1, u2, s1, s2;
1987 CHECK(a->infinity == b->infinity);
1991 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1992 secp256k1_fe_sqr(&z2s, &b->z);
1993 secp256k1_fe_mul(&u1, &a->x, &z2s);
1994 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1995 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1996 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1997 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1998 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2001 void test_ge(void) {
2003 #ifdef USE_ENDOMORPHISM
2008 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2009 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2010 * All magnitudes are randomized.
2011 * All 17*17 combinations of points are added to each other, using all applicable methods.
2013 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
2015 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2016 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2017 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2019 secp256k1_fe zfi2, zfi3;
2021 secp256k1_gej_set_infinity(&gej[0]);
2022 secp256k1_ge_clear(&ge[0]);
2023 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2024 for (i = 0; i < runs; i++) {
2027 random_group_element_test(&g);
2028 #ifdef USE_ENDOMORPHISM
2029 if (i >= runs - 2) {
2030 secp256k1_ge_mul_lambda(&g, &ge[1]);
2032 if (i >= runs - 1) {
2033 secp256k1_ge_mul_lambda(&g, &g);
2038 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2039 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2040 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2041 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2042 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2043 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2044 for (j = 0; j < 4; j++) {
2045 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2046 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2047 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2048 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2049 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2053 /* Compute z inverses. */
2055 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2056 for (i = 0; i < 4 * runs + 1; i++) {
2058 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2060 random_field_element_test(&zs[i]);
2061 } while(secp256k1_fe_is_zero(&zs[i]));
2066 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2070 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2072 random_field_element_test(&zf);
2073 } while(secp256k1_fe_is_zero(&zf));
2074 random_field_element_magnitude(&zf);
2075 secp256k1_fe_inv_var(&zfi3, &zf);
2076 secp256k1_fe_sqr(&zfi2, &zfi3);
2077 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2079 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2081 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2082 /* Compute reference result using gej + gej (var). */
2083 secp256k1_gej refj, resj;
2086 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2087 /* Check Z ratio. */
2088 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2089 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2090 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2092 secp256k1_ge_set_gej_var(&ref, &refj);
2094 /* Test gej + ge with Z ratio result (var). */
2095 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2096 ge_equals_gej(&ref, &resj);
2097 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2098 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2099 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2102 /* Test gej + ge (var, with additional Z factor). */
2104 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2105 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2106 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2107 random_field_element_magnitude(&ge2_zfi.x);
2108 random_field_element_magnitude(&ge2_zfi.y);
2109 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2110 ge_equals_gej(&ref, &resj);
2113 /* Test gej + ge (const). */
2115 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2116 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2117 ge_equals_gej(&ref, &resj);
2120 /* Test doubling (var). */
2121 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2123 /* Normal doubling with Z ratio result. */
2124 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2125 ge_equals_gej(&ref, &resj);
2126 /* Check Z ratio. */
2127 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2128 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2129 /* Normal doubling. */
2130 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2131 ge_equals_gej(&ref, &resj);
2134 /* Test adding opposites. */
2135 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2136 CHECK(secp256k1_ge_is_infinity(&ref));
2139 /* Test adding infinity. */
2141 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2142 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2143 ge_equals_gej(&ref, &gej[i2]);
2146 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2147 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2148 ge_equals_gej(&ref, &gej[i1]);
2153 /* Test adding all points together in random order equals infinity. */
2155 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2156 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2157 for (i = 0; i < 4 * runs + 1; i++) {
2158 gej_shuffled[i] = gej[i];
2160 for (i = 0; i < 4 * runs + 1; i++) {
2161 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2163 secp256k1_gej t = gej_shuffled[i];
2164 gej_shuffled[i] = gej_shuffled[swap];
2165 gej_shuffled[swap] = t;
2168 for (i = 0; i < 4 * runs + 1; i++) {
2169 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2171 CHECK(secp256k1_gej_is_infinity(&sum));
2175 /* Test batch gej -> ge conversion with and without known z ratios. */
2177 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2178 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2179 for (i = 0; i < 4 * runs + 1; i++) {
2180 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2182 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2185 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2186 for (i = 0; i < 4 * runs + 1; i++) {
2188 random_fe_non_zero(&s);
2189 secp256k1_gej_rescale(&gej[i], &s);
2190 ge_equals_gej(&ge_set_all[i], &gej[i]);
2196 /* Test batch gej -> ge conversion with many infinities. */
2197 for (i = 0; i < 4 * runs + 1; i++) {
2198 random_group_element_test(&ge[i]);
2199 /* randomly set half the points to infinitiy */
2200 if(secp256k1_fe_is_odd(&ge[i].x)) {
2201 secp256k1_ge_set_infinity(&ge[i]);
2203 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2206 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2208 for (i = 0; i < 4 * runs + 1; i++) {
2209 ge_equals_gej(&ge[i], &gej[i]);
2217 void test_add_neg_y_diff_x(void) {
2218 /* The point of this test is to check that we can add two points
2219 * whose y-coordinates are negatives of each other but whose x
2220 * coordinates differ. If the x-coordinates were the same, these
2221 * points would be negatives of each other and their sum is
2222 * infinity. This is cool because it "covers up" any degeneracy
2223 * in the addition algorithm that would cause the xy coordinates
2224 * of the sum to be wrong (since infinity has no xy coordinates).
2225 * HOWEVER, if the x-coordinates are different, infinity is the
2226 * wrong answer, and such degeneracies are exposed. This is the
2227 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2228 * which this test is a regression test for.
2230 * These points were generated in sage as
2231 * # secp256k1 params
2232 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2233 * C = EllipticCurve ([F (0), F (7)])
2234 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2235 * N = FiniteField(G.order())
2237 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2239 * lam = (1 - x^3).roots()[1][0]
2241 * # random "bad pair"
2242 * P = C.random_element()
2244 * print " P: %x %x" % P.xy()
2245 * print " Q: %x %x" % Q.xy()
2246 * print "P + Q: %x %x" % (P + Q).xy()
2248 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2249 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2250 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2251 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2252 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2254 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2255 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2256 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2257 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2258 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2260 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2261 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2262 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2263 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2264 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2269 secp256k1_ge_set_gej(&b, &bj);
2271 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2272 secp256k1_ge_set_gej(&res, &resj);
2273 ge_equals_gej(&res, &sumj);
2275 secp256k1_gej_add_ge(&resj, &aj, &b);
2276 secp256k1_ge_set_gej(&res, &resj);
2277 ge_equals_gej(&res, &sumj);
2279 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2280 secp256k1_ge_set_gej(&res, &resj);
2281 ge_equals_gej(&res, &sumj);
2286 for (i = 0; i < count * 32; i++) {
2289 test_add_neg_y_diff_x();
2292 void test_ec_combine(void) {
2293 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2294 secp256k1_pubkey data[6];
2295 const secp256k1_pubkey* d[6];
2296 secp256k1_pubkey sd;
2297 secp256k1_pubkey sd2;
2301 for (i = 1; i <= 6; i++) {
2303 random_scalar_order_test(&s);
2304 secp256k1_scalar_add(&sum, &sum, &s);
2305 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2306 secp256k1_ge_set_gej(&Q, &Qj);
2307 secp256k1_pubkey_save(&data[i - 1], &Q);
2308 d[i - 1] = &data[i - 1];
2309 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2310 secp256k1_ge_set_gej(&Q, &Qj);
2311 secp256k1_pubkey_save(&sd, &Q);
2312 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2313 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2317 void run_ec_combine(void) {
2319 for (i = 0; i < count * 8; i++) {
2324 void test_group_decompress(const secp256k1_fe* x) {
2325 /* The input itself, normalized. */
2326 secp256k1_fe fex = *x;
2328 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2329 secp256k1_ge ge_quad, ge_even, ge_odd;
2330 secp256k1_gej gej_quad;
2331 /* Return values of the above calls. */
2332 int res_quad, res_even, res_odd;
2334 secp256k1_fe_normalize_var(&fex);
2336 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2337 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2338 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2340 CHECK(res_quad == res_even);
2341 CHECK(res_quad == res_odd);
2344 secp256k1_fe_normalize_var(&ge_quad.x);
2345 secp256k1_fe_normalize_var(&ge_odd.x);
2346 secp256k1_fe_normalize_var(&ge_even.x);
2347 secp256k1_fe_normalize_var(&ge_quad.y);
2348 secp256k1_fe_normalize_var(&ge_odd.y);
2349 secp256k1_fe_normalize_var(&ge_even.y);
2351 /* No infinity allowed. */
2352 CHECK(!ge_quad.infinity);
2353 CHECK(!ge_even.infinity);
2354 CHECK(!ge_odd.infinity);
2356 /* Check that the x coordinates check out. */
2357 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2358 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2359 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2361 /* Check that the Y coordinate result in ge_quad is a square. */
2362 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2364 /* Check odd/even Y in ge_odd, ge_even. */
2365 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2366 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2368 /* Check secp256k1_gej_has_quad_y_var. */
2369 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2370 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2372 random_fe_test(&fez);
2373 } while (secp256k1_fe_is_zero(&fez));
2374 secp256k1_gej_rescale(&gej_quad, &fez);
2375 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2376 secp256k1_gej_neg(&gej_quad, &gej_quad);
2377 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2379 random_fe_test(&fez);
2380 } while (secp256k1_fe_is_zero(&fez));
2381 secp256k1_gej_rescale(&gej_quad, &fez);
2382 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2383 secp256k1_gej_neg(&gej_quad, &gej_quad);
2384 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2388 void run_group_decompress(void) {
2390 for (i = 0; i < count * 4; i++) {
2392 random_fe_test(&fe);
2393 test_group_decompress(&fe);
2397 /***** ECMULT TESTS *****/
2399 void run_ecmult_chain(void) {
2400 /* random starting point A (on the curve) */
2401 secp256k1_gej a = SECP256K1_GEJ_CONST(
2402 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2403 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2404 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2405 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2407 /* two random initial factors xn and gn */
2408 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2409 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2410 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2412 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2413 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2414 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2416 /* two small multipliers to be applied to xn and gn in every iteration: */
2417 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2418 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2419 /* accumulators with the resulting coefficients to A and G */
2420 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2421 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2427 /* the point being computed */
2429 for (i = 0; i < 200*count; i++) {
2430 /* in each iteration, compute X = xn*X + gn*G; */
2431 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2432 /* also compute ae and ge: the actual accumulated factors for A and G */
2433 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2434 secp256k1_scalar_mul(&ae, &ae, &xn);
2435 secp256k1_scalar_mul(&ge, &ge, &xn);
2436 secp256k1_scalar_add(&ge, &ge, &gn);
2437 /* modify xn and gn */
2438 secp256k1_scalar_mul(&xn, &xn, &xf);
2439 secp256k1_scalar_mul(&gn, &gn, &gf);
2443 /* expected result after 19999 iterations */
2444 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2445 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2446 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2447 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2448 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2451 secp256k1_gej_neg(&rp, &rp);
2452 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2453 CHECK(secp256k1_gej_is_infinity(&rp));
2456 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2457 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2458 secp256k1_gej_neg(&x2, &x2);
2459 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2460 CHECK(secp256k1_gej_is_infinity(&x2));
2463 void test_point_times_order(const secp256k1_gej *point) {
2464 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2466 secp256k1_scalar nx;
2467 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2468 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2469 secp256k1_gej res1, res2;
2471 unsigned char pub[65];
2473 random_scalar_order_test(&x);
2474 secp256k1_scalar_negate(&nx, &x);
2475 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2476 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2477 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2478 CHECK(secp256k1_gej_is_infinity(&res1));
2479 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2480 secp256k1_ge_set_gej(&res3, &res1);
2481 CHECK(secp256k1_ge_is_infinity(&res3));
2482 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2483 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2485 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2486 /* check zero/one edge cases */
2487 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2488 secp256k1_ge_set_gej(&res3, &res1);
2489 CHECK(secp256k1_ge_is_infinity(&res3));
2490 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2491 secp256k1_ge_set_gej(&res3, &res1);
2492 ge_equals_gej(&res3, point);
2493 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2494 secp256k1_ge_set_gej(&res3, &res1);
2495 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2498 void run_point_times_order(void) {
2500 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2501 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2502 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2503 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2505 for (i = 0; i < 500; i++) {
2507 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2509 CHECK(secp256k1_ge_is_valid_var(&p));
2510 secp256k1_gej_set_ge(&j, &p);
2511 CHECK(secp256k1_gej_is_valid_var(&j));
2512 test_point_times_order(&j);
2514 secp256k1_fe_sqr(&x, &x);
2516 secp256k1_fe_normalize_var(&x);
2517 CHECK(secp256k1_fe_equal_var(&x, &xr));
2520 void ecmult_const_random_mult(void) {
2521 /* random starting point A (on the curve) */
2522 secp256k1_ge a = SECP256K1_GE_CONST(
2523 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2524 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2525 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2526 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2528 /* random initial factor xn */
2529 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2530 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2531 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2533 /* expected xn * A (from sage) */
2534 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2535 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2536 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2537 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2538 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2541 secp256k1_ecmult_const(&b, &a, &xn, 256);
2543 CHECK(secp256k1_ge_is_valid_var(&a));
2544 ge_equals_gej(&expected_b, &b);
2547 void ecmult_const_commutativity(void) {
2554 random_scalar_order_test(&a);
2555 random_scalar_order_test(&b);
2557 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2558 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2559 secp256k1_ge_set_gej(&mid1, &res1);
2560 secp256k1_ge_set_gej(&mid2, &res2);
2561 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2562 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2563 secp256k1_ge_set_gej(&mid1, &res1);
2564 secp256k1_ge_set_gej(&mid2, &res2);
2565 ge_equals_ge(&mid1, &mid2);
2568 void ecmult_const_mult_zero_one(void) {
2569 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2570 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2571 secp256k1_scalar negone;
2575 secp256k1_scalar_negate(&negone, &one);
2577 random_group_element_test(&point);
2578 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2579 secp256k1_ge_set_gej(&res2, &res1);
2580 CHECK(secp256k1_ge_is_infinity(&res2));
2581 secp256k1_ecmult_const(&res1, &point, &one, 2);
2582 secp256k1_ge_set_gej(&res2, &res1);
2583 ge_equals_ge(&res2, &point);
2584 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2585 secp256k1_gej_neg(&res1, &res1);
2586 secp256k1_ge_set_gej(&res2, &res1);
2587 ge_equals_ge(&res2, &point);
2590 void ecmult_const_chain_multiply(void) {
2591 /* Check known result (randomly generated test problem from sage) */
2592 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2593 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2594 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2596 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2597 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2598 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2599 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2600 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2602 secp256k1_gej point;
2606 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2607 for (i = 0; i < 100; ++i) {
2609 secp256k1_ge_set_gej(&tmp, &point);
2610 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2612 secp256k1_ge_set_gej(&res, &point);
2613 ge_equals_gej(&res, &expected_point);
2616 void run_ecmult_const_tests(void) {
2617 ecmult_const_mult_zero_one();
2618 ecmult_const_random_mult();
2619 ecmult_const_commutativity();
2620 ecmult_const_chain_multiply();
2624 secp256k1_scalar *sc;
2626 } ecmult_multi_data;
2628 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2629 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2630 *sc = data->sc[idx];
2631 *pt = data->pt[idx];
2635 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2643 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2645 secp256k1_scalar szero;
2646 secp256k1_scalar sc[32];
2647 secp256k1_ge pt[32];
2650 ecmult_multi_data data;
2651 secp256k1_scratch *scratch_empty;
2655 secp256k1_scalar_set_int(&szero, 0);
2657 /* No points to multiply */
2658 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2660 /* Check 1- and 2-point multiplies against ecmult */
2661 for (ncount = 0; ncount < count; ncount++) {
2664 random_scalar_order(&sc[0]);
2665 random_scalar_order(&sc[1]);
2667 random_group_element_test(&ptg);
2668 secp256k1_gej_set_ge(&ptgj, &ptg);
2670 pt[1] = secp256k1_ge_const_g;
2673 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2674 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2675 secp256k1_gej_neg(&r2, &r2);
2676 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2677 CHECK(secp256k1_gej_is_infinity(&r));
2680 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2681 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2682 secp256k1_gej_neg(&r2, &r2);
2683 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2684 CHECK(secp256k1_gej_is_infinity(&r));
2686 /* Try to multiply 1 point, but scratch space is empty */
2687 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2688 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2689 secp256k1_scratch_destroy(scratch_empty);
2691 /* Try to multiply 1 point, but callback returns false */
2692 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2695 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2696 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2697 secp256k1_gej_neg(&r2, &r2);
2698 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2699 CHECK(secp256k1_gej_is_infinity(&r));
2701 /* 2-point with G scalar */
2702 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2703 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2704 secp256k1_gej_neg(&r2, &r2);
2705 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2706 CHECK(secp256k1_gej_is_infinity(&r));
2709 /* Check infinite outputs of various forms */
2710 for (ncount = 0; ncount < count; ncount++) {
2713 size_t sizes[] = { 2, 10, 32 };
2715 for (j = 0; j < 3; j++) {
2716 for (i = 0; i < 32; i++) {
2717 random_scalar_order(&sc[i]);
2718 secp256k1_ge_set_infinity(&pt[i]);
2720 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2721 CHECK(secp256k1_gej_is_infinity(&r));
2724 for (j = 0; j < 3; j++) {
2725 for (i = 0; i < 32; i++) {
2726 random_group_element_test(&ptg);
2728 secp256k1_scalar_set_int(&sc[i], 0);
2730 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2731 CHECK(secp256k1_gej_is_infinity(&r));
2734 for (j = 0; j < 3; j++) {
2735 random_group_element_test(&ptg);
2736 for (i = 0; i < 16; i++) {
2737 random_scalar_order(&sc[2*i]);
2738 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2740 pt[2 * i + 1] = ptg;
2743 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2744 CHECK(secp256k1_gej_is_infinity(&r));
2746 random_scalar_order(&sc[0]);
2747 for (i = 0; i < 16; i++) {
2748 random_group_element_test(&ptg);
2753 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2756 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2757 CHECK(secp256k1_gej_is_infinity(&r));
2760 random_group_element_test(&ptg);
2761 secp256k1_scalar_set_int(&sc[0], 0);
2763 for (i = 1; i < 32; i++) {
2766 random_scalar_order(&sc[i]);
2767 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2768 secp256k1_scalar_negate(&sc[i], &sc[i]);
2771 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2772 CHECK(secp256k1_gej_is_infinity(&r));
2775 /* Check random points, constant scalar */
2776 for (ncount = 0; ncount < count; ncount++) {
2778 secp256k1_gej_set_infinity(&r);
2780 random_scalar_order(&sc[0]);
2781 for (i = 0; i < 20; i++) {
2784 random_group_element_test(&ptg);
2786 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2789 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2790 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2791 secp256k1_gej_neg(&r2, &r2);
2792 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2793 CHECK(secp256k1_gej_is_infinity(&r));
2796 /* Check random scalars, constant point */
2797 for (ncount = 0; ncount < count; ncount++) {
2801 secp256k1_scalar rs;
2802 secp256k1_scalar_set_int(&rs, 0);
2804 random_group_element_test(&ptg);
2805 for (i = 0; i < 20; i++) {
2806 random_scalar_order(&sc[i]);
2808 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2811 secp256k1_gej_set_ge(&p0j, &pt[0]);
2812 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2813 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2814 secp256k1_gej_neg(&r2, &r2);
2815 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2816 CHECK(secp256k1_gej_is_infinity(&r));
2819 /* Sanity check that zero scalars don't cause problems */
2820 for (ncount = 0; ncount < 20; ncount++) {
2821 random_scalar_order(&sc[ncount]);
2822 random_group_element_test(&pt[ncount]);
2825 secp256k1_scalar_clear(&sc[0]);
2826 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2827 secp256k1_scalar_clear(&sc[1]);
2828 secp256k1_scalar_clear(&sc[2]);
2829 secp256k1_scalar_clear(&sc[3]);
2830 secp256k1_scalar_clear(&sc[4]);
2831 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2832 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2833 CHECK(secp256k1_gej_is_infinity(&r));
2835 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2837 const size_t TOP = 8;
2843 random_group_element_test(&ptg);
2844 secp256k1_gej_set_ge(&ptgj, &ptg);
2846 for(t0i = 0; t0i < TOP; t0i++) {
2847 for(t1i = 0; t1i < TOP; t1i++) {
2848 secp256k1_gej t0p, t1p;
2849 secp256k1_scalar t0, t1;
2851 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2852 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2853 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2854 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2856 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2857 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2859 for(s0i = 0; s0i < TOP; s0i++) {
2860 for(s1i = 0; s1i < TOP; s1i++) {
2861 secp256k1_scalar tmp1, tmp2;
2862 secp256k1_gej expected, actual;
2864 secp256k1_ge_set_gej(&pt[0], &t0p);
2865 secp256k1_ge_set_gej(&pt[1], &t1p);
2867 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2868 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2869 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2870 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2872 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2873 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2874 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2876 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2877 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2878 secp256k1_gej_neg(&expected, &expected);
2879 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2880 CHECK(secp256k1_gej_is_infinity(&actual));
2888 void test_secp256k1_pippenger_bucket_window_inv(void) {
2891 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2892 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2893 #ifdef USE_ENDOMORPHISM
2894 /* Bucket_window of 8 is not used with endo */
2899 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2900 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2901 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2907 * Probabilistically test the function returning the maximum number of possible points
2908 * for a given scratch space.
2910 void test_ecmult_multi_pippenger_max_points(void) {
2911 size_t scratch_size = secp256k1_rand_int(256);
2912 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2913 secp256k1_scratch *scratch;
2914 size_t n_points_supported;
2915 int bucket_window = 0;
2917 for(; scratch_size < max_size; scratch_size+=256) {
2918 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2919 CHECK(scratch != NULL);
2920 n_points_supported = secp256k1_pippenger_max_points(scratch);
2921 if (n_points_supported == 0) {
2922 secp256k1_scratch_destroy(scratch);
2925 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2926 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2927 secp256k1_scratch_deallocate_frame(scratch);
2928 secp256k1_scratch_destroy(scratch);
2930 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2933 void test_ecmult_multi_batch_size_helper(void) {
2934 size_t n_batches, n_batch_points, max_n_batch_points, n;
2936 max_n_batch_points = 0;
2938 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
2940 max_n_batch_points = 1;
2942 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2943 CHECK(n_batches == 0);
2944 CHECK(n_batch_points == 0);
2946 max_n_batch_points = 2;
2948 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2949 CHECK(n_batches == 3);
2950 CHECK(n_batch_points == 2);
2952 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
2953 n = ECMULT_MAX_POINTS_PER_BATCH;
2954 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2955 CHECK(n_batches == 1);
2956 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
2958 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
2959 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
2960 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2961 CHECK(n_batches == 2);
2962 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
2964 max_n_batch_points = 1;
2966 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2967 CHECK(n_batches == SIZE_MAX);
2968 CHECK(n_batch_points == 1);
2970 max_n_batch_points = 2;
2972 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2973 CHECK(n_batches == SIZE_MAX/2 + 1);
2974 CHECK(n_batch_points == 2);
2978 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2979 * 1 <= i <= num points.
2981 void test_ecmult_multi_batching(void) {
2982 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2983 secp256k1_scalar scG;
2984 secp256k1_scalar szero;
2985 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2986 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2989 ecmult_multi_data data;
2991 secp256k1_scratch *scratch;
2993 secp256k1_gej_set_infinity(&r2);
2994 secp256k1_scalar_set_int(&szero, 0);
2996 /* Get random scalars and group elements and compute result */
2997 random_scalar_order(&scG);
2998 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2999 for(i = 0; i < n_points; i++) {
3002 random_group_element_test(&ptg);
3003 secp256k1_gej_set_ge(&ptgj, &ptg);
3005 random_scalar_order(&sc[i]);
3006 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3007 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3012 /* Test with empty scratch space */
3013 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3014 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
3015 secp256k1_scratch_destroy(scratch);
3017 /* Test with space for 1 point in pippenger. That's not enough because
3018 * ecmult_multi selects strauss which requires more memory. */
3019 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3020 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
3021 secp256k1_scratch_destroy(scratch);
3023 secp256k1_gej_neg(&r2, &r2);
3024 for(i = 1; i <= n_points; i++) {
3025 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3026 int bucket_window = secp256k1_pippenger_bucket_window(i);
3027 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3028 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3030 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3031 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3033 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3034 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3035 CHECK(secp256k1_gej_is_infinity(&r));
3036 secp256k1_scratch_destroy(scratch);
3042 void run_ecmult_multi_tests(void) {
3043 secp256k1_scratch *scratch;
3045 test_secp256k1_pippenger_bucket_window_inv();
3046 test_ecmult_multi_pippenger_max_points();
3047 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3048 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3049 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3050 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3051 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3052 secp256k1_scratch_destroy(scratch);
3054 /* Run test_ecmult_multi with space for exactly one point */
3055 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3056 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3057 secp256k1_scratch_destroy(scratch);
3059 test_ecmult_multi_batch_size_helper();
3060 test_ecmult_multi_batching();
3063 void test_wnaf(const secp256k1_scalar *number, int w) {
3064 secp256k1_scalar x, two, t;
3069 secp256k1_scalar_set_int(&x, 0);
3070 secp256k1_scalar_set_int(&two, 2);
3071 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3073 for (i = bits-1; i >= 0; i--) {
3075 secp256k1_scalar_mul(&x, &x, &two);
3077 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3079 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3080 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3081 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3083 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3087 secp256k1_scalar_set_int(&t, v);
3089 secp256k1_scalar_set_int(&t, -v);
3090 secp256k1_scalar_negate(&t, &t);
3092 secp256k1_scalar_add(&x, &x, &t);
3094 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3097 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3098 secp256k1_scalar neg1 = *number;
3099 secp256k1_scalar neg2 = *number;
3103 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3104 secp256k1_scalar_negate(&neg1, &neg1);
3107 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3108 CHECK(sign1 == sign2);
3109 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3112 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3113 secp256k1_scalar x, shift;
3114 int wnaf[256] = {0};
3118 secp256k1_scalar num = *number;
3120 secp256k1_scalar_set_int(&x, 0);
3121 secp256k1_scalar_set_int(&shift, 1 << w);
3122 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3123 #ifdef USE_ENDOMORPHISM
3124 for (i = 0; i < 16; ++i) {
3125 secp256k1_scalar_shr_int(&num, 8);
3129 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3131 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3134 CHECK(v != 0); /* check nonzero */
3135 CHECK(v & 1); /* check parity */
3136 CHECK(v > -(1 << w)); /* check range above */
3137 CHECK(v < (1 << w)); /* check range below */
3139 secp256k1_scalar_mul(&x, &x, &shift);
3141 secp256k1_scalar_set_int(&t, v);
3143 secp256k1_scalar_set_int(&t, -v);
3144 secp256k1_scalar_negate(&t, &t);
3146 secp256k1_scalar_add(&x, &x, &t);
3148 /* Skew num because when encoding numbers as odd we use an offset */
3149 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3150 CHECK(secp256k1_scalar_eq(&x, &num));
3153 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3154 secp256k1_scalar x, shift;
3155 int wnaf[256] = {0};
3158 secp256k1_scalar num = *number;
3160 secp256k1_scalar_set_int(&x, 0);
3161 secp256k1_scalar_set_int(&shift, 1 << w);
3162 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3163 #ifdef USE_ENDOMORPHISM
3164 for (i = 0; i < 16; ++i) {
3165 secp256k1_scalar_shr_int(&num, 8);
3168 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3170 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3173 CHECK(v == 0 || v & 1); /* check parity */
3174 CHECK(v > -(1 << w)); /* check range above */
3175 CHECK(v < (1 << w)); /* check range below */
3177 secp256k1_scalar_mul(&x, &x, &shift);
3179 secp256k1_scalar_set_int(&t, v);
3181 secp256k1_scalar_set_int(&t, -v);
3182 secp256k1_scalar_negate(&t, &t);
3184 secp256k1_scalar_add(&x, &x, &t);
3186 /* If skew is 1 then add 1 to num */
3187 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3188 CHECK(secp256k1_scalar_eq(&x, &num));
3191 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3193 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3195 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3196 CHECK(wnaf[i] == 0);
3198 for (i = 7; i >= 0; --i) {
3199 CHECK(wnaf[i] == wnaf_expected[i]);
3203 void test_fixed_wnaf_small(void) {
3205 int wnaf[256] = {0};
3208 secp256k1_scalar num;
3210 secp256k1_scalar_set_int(&num, 0);
3211 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3212 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3218 secp256k1_scalar_set_int(&num, 1);
3219 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3220 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3224 CHECK(wnaf[0] == 1);
3228 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3229 secp256k1_scalar_set_int(&num, 0xffffffff);
3230 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3231 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3235 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3236 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3237 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3238 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3242 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3243 secp256k1_scalar_set_int(&num, 0x01010101);
3244 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3245 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3249 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3250 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3251 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3252 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3257 void run_wnaf(void) {
3259 secp256k1_scalar n = {{0}};
3261 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3262 * have easier-to-diagnose failure modes */
3264 test_constant_wnaf(&n, 4);
3266 test_constant_wnaf(&n, 4);
3268 test_fixed_wnaf_small();
3270 for (i = 0; i < count; i++) {
3271 random_scalar_order(&n);
3272 test_wnaf(&n, 4+(i%10));
3273 test_constant_wnaf_negate(&n);
3274 test_constant_wnaf(&n, 4 + (i % 10));
3275 test_fixed_wnaf(&n, 4 + (i % 10));
3277 secp256k1_scalar_set_int(&n, 0);
3278 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3279 CHECK(secp256k1_scalar_is_zero(&n));
3280 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3281 CHECK(secp256k1_scalar_is_zero(&n));
3284 void test_ecmult_constants(void) {
3285 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3291 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3292 for (i = 0; i < 36; i++ ) {
3293 secp256k1_scalar_set_int(&x, i);
3294 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3295 for (j = 0; j < i; j++) {
3297 ge_equals_gej(&secp256k1_ge_const_g, &r);
3299 secp256k1_gej_add_ge(&r, &r, &ng);
3301 CHECK(secp256k1_gej_is_infinity(&r));
3303 for (i = 1; i <= 36; i++ ) {
3304 secp256k1_scalar_set_int(&x, i);
3305 secp256k1_scalar_negate(&x, &x);
3306 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3307 for (j = 0; j < i; j++) {
3309 ge_equals_gej(&ng, &r);
3311 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3313 CHECK(secp256k1_gej_is_infinity(&r));
3317 void run_ecmult_constants(void) {
3318 test_ecmult_constants();
3321 void test_ecmult_gen_blind(void) {
3322 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3323 secp256k1_scalar key;
3325 unsigned char seed32[32];
3327 secp256k1_gej pgej2;
3330 random_scalar_order_test(&key);
3331 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3332 secp256k1_rand256(seed32);
3333 b = ctx->ecmult_gen_ctx.blind;
3334 i = ctx->ecmult_gen_ctx.initial;
3335 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3336 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3337 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3338 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3339 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3340 secp256k1_ge_set_gej(&pge, &pgej);
3341 ge_equals_gej(&pge, &pgej2);
3344 void test_ecmult_gen_blind_reset(void) {
3345 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3347 secp256k1_gej initial;
3348 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3349 b = ctx->ecmult_gen_ctx.blind;
3350 initial = ctx->ecmult_gen_ctx.initial;
3351 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3352 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3353 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3356 void run_ecmult_gen_blind(void) {
3358 test_ecmult_gen_blind_reset();
3359 for (i = 0; i < 10; i++) {
3360 test_ecmult_gen_blind();
3364 #ifdef USE_ENDOMORPHISM
3365 /***** ENDOMORPHISH TESTS *****/
3366 void test_scalar_split(void) {
3367 secp256k1_scalar full;
3368 secp256k1_scalar s1, slam;
3369 const unsigned char zero[32] = {0};
3370 unsigned char tmp[32];
3372 random_scalar_order_test(&full);
3373 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3375 /* check that both are <= 128 bits in size */
3376 if (secp256k1_scalar_is_high(&s1)) {
3377 secp256k1_scalar_negate(&s1, &s1);
3379 if (secp256k1_scalar_is_high(&slam)) {
3380 secp256k1_scalar_negate(&slam, &slam);
3383 secp256k1_scalar_get_b32(tmp, &s1);
3384 CHECK(memcmp(zero, tmp, 16) == 0);
3385 secp256k1_scalar_get_b32(tmp, &slam);
3386 CHECK(memcmp(zero, tmp, 16) == 0);
3389 void run_endomorphism_tests(void) {
3390 test_scalar_split();
3394 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3395 unsigned char pubkeyc[65];
3396 secp256k1_pubkey pubkey;
3401 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3402 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3403 /* Smaller sizes are tested exhaustively elsewhere. */
3405 memcpy(&pubkeyc[1], input, 64);
3406 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3407 for (i = 0; i < 256; i++) {
3408 /* Try all type bytes. */
3413 /* What sign does this point have? */
3414 ysign = (input[63] & 1) + 2;
3415 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3416 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3417 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3418 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3419 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3420 if (xpass || ypass) {
3421 /* These cases must parse. */
3422 unsigned char pubkeyo[65];
3424 memset(&pubkey, 0, sizeof(pubkey));
3425 VG_UNDEF(&pubkey, sizeof(pubkey));
3427 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3428 VG_CHECK(&pubkey, sizeof(pubkey));
3430 VG_UNDEF(pubkeyo, 65);
3431 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3432 VG_CHECK(pubkeyo, outl);
3434 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3435 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3437 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3438 CHECK(pubkeyo[0] == ysign);
3439 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3440 memset(&pubkey, 0, sizeof(pubkey));
3441 VG_UNDEF(&pubkey, sizeof(pubkey));
3442 secp256k1_pubkey_save(&pubkey, &ge);
3443 VG_CHECK(&pubkey, sizeof(pubkey));
3445 VG_UNDEF(pubkeyo, 65);
3446 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3447 VG_CHECK(pubkeyo, outl);
3449 CHECK(pubkeyo[0] == 4);
3450 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3454 /* These cases must fail to parse. */
3455 memset(&pubkey, 0xfe, sizeof(pubkey));
3457 VG_UNDEF(&pubkey, sizeof(pubkey));
3458 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3459 VG_CHECK(&pubkey, sizeof(pubkey));
3461 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3466 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3469 void run_ec_pubkey_parse_test(void) {
3470 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3471 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3473 /* Point with leading and trailing zeros in x and y serialization. */
3474 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3476 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3477 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3480 /* Point with x equal to a 3rd root of unity.*/
3481 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3482 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3483 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3484 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3487 /* Point with largest x. (1/2) */
3488 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3489 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3490 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3491 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3494 /* Point with largest x. (2/2) */
3495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3496 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3497 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3498 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3501 /* Point with smallest x. (1/2) */
3502 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3504 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3505 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3508 /* Point with smallest x. (2/2) */
3509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3510 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3511 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3512 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3515 /* Point with largest y. (1/3) */
3516 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3517 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3518 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3519 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3522 /* Point with largest y. (2/3) */
3523 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3524 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3525 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3526 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3529 /* Point with largest y. (3/3) */
3530 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3531 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3532 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3533 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3536 /* Point with smallest y. (1/3) */
3537 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3538 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3543 /* Point with smallest y. (2/3) */
3544 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3545 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3546 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3547 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3550 /* Point with smallest y. (3/3) */
3551 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3552 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3557 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3558 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3560 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3561 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3562 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3563 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3564 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3567 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3568 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3569 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3570 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3574 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3575 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3576 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3577 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3578 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3581 /* x on curve, y is from y^2 = x^3 + 8. */
3582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3585 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3588 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3589 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3591 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3592 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3593 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3594 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3598 /* Valid if x overflow ignored (x = 1 mod p). */
3599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3600 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3601 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3602 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3605 /* Valid if x overflow ignored (x = 1 mod p). */
3606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3608 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3609 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3612 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3613 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3614 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3615 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3616 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3619 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3620 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3621 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3622 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3623 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3626 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3629 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3630 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3633 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3636 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3637 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3640 const unsigned char pubkeyc[66] = {
3641 /* Serialization of G. */
3642 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3643 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3644 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3645 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3648 unsigned char sout[65];
3649 unsigned char shortkey[2];
3651 secp256k1_pubkey pubkey;
3657 /* Nothing should be reading this far into pubkeyc. */
3658 VG_UNDEF(&pubkeyc[65], 1);
3659 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3660 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3661 memset(&pubkey, 0xfe, sizeof(pubkey));
3663 VG_UNDEF(shortkey, 2);
3664 VG_UNDEF(&pubkey, sizeof(pubkey));
3665 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3666 VG_CHECK(&pubkey, sizeof(pubkey));
3668 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3670 /* Length one claimed, fail, zeroize, no illegal arg error. */
3671 for (i = 0; i < 256 ; i++) {
3672 memset(&pubkey, 0xfe, sizeof(pubkey));
3675 VG_UNDEF(&shortkey[1], 1);
3676 VG_UNDEF(&pubkey, sizeof(pubkey));
3677 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3678 VG_CHECK(&pubkey, sizeof(pubkey));
3680 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3683 /* Length two claimed, fail, zeroize, no illegal arg error. */
3684 for (i = 0; i < 65536 ; i++) {
3685 memset(&pubkey, 0xfe, sizeof(pubkey));
3687 shortkey[0] = i & 255;
3688 shortkey[1] = i >> 8;
3689 VG_UNDEF(&pubkey, sizeof(pubkey));
3690 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3691 VG_CHECK(&pubkey, sizeof(pubkey));
3693 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3696 memset(&pubkey, 0xfe, sizeof(pubkey));
3698 VG_UNDEF(&pubkey, sizeof(pubkey));
3699 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3700 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3701 VG_CHECK(&pubkey, sizeof(pubkey));
3703 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3705 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3706 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3708 /* NULL input string. Illegal arg and zeroize output. */
3709 memset(&pubkey, 0xfe, sizeof(pubkey));
3711 VG_UNDEF(&pubkey, sizeof(pubkey));
3712 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3713 VG_CHECK(&pubkey, sizeof(pubkey));
3715 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3717 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3718 memset(&pubkey, 0xfe, sizeof(pubkey));
3720 VG_UNDEF(&pubkey, sizeof(pubkey));
3721 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3722 VG_CHECK(&pubkey, sizeof(pubkey));
3724 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3726 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3727 memset(&pubkey, 0xfe, sizeof(pubkey));
3729 VG_UNDEF(&pubkey, sizeof(pubkey));
3730 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3731 VG_CHECK(&pubkey, sizeof(pubkey));
3733 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3736 memset(&pubkey, 0, sizeof(pubkey));
3738 VG_UNDEF(&pubkey, sizeof(pubkey));
3739 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3740 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3741 VG_CHECK(&pubkey, sizeof(pubkey));
3743 VG_UNDEF(&ge, sizeof(ge));
3744 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3745 VG_CHECK(&ge.x, sizeof(ge.x));
3746 VG_CHECK(&ge.y, sizeof(ge.y));
3747 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3748 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3750 /* secp256k1_ec_pubkey_serialize illegal args. */
3753 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3756 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3760 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3765 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3770 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3774 /* Multiple illegal args. Should still set arg error only once. */
3777 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3779 /* Does the illegal arg callback actually change the behavior? */
3780 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3781 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3783 CHECK(ecount2 == 10);
3784 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3785 /* Try a bunch of prefabbed points with all possible encodings. */
3786 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3787 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3789 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3790 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3792 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3793 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3797 void run_eckey_edge_case_test(void) {
3798 const unsigned char orderc[32] = {
3799 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3800 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3801 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3802 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3804 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3805 unsigned char ctmp[33];
3806 unsigned char ctmp2[33];
3807 secp256k1_pubkey pubkey;
3808 secp256k1_pubkey pubkey2;
3809 secp256k1_pubkey pubkey_one;
3810 secp256k1_pubkey pubkey_negone;
3811 const secp256k1_pubkey *pubkeys[3];
3814 /* Group order is too large, reject. */
3815 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3816 VG_UNDEF(&pubkey, sizeof(pubkey));
3817 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3818 VG_CHECK(&pubkey, sizeof(pubkey));
3819 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3820 /* Maximum value is too large, reject. */
3821 memset(ctmp, 255, 32);
3822 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3823 memset(&pubkey, 1, sizeof(pubkey));
3824 VG_UNDEF(&pubkey, sizeof(pubkey));
3825 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3826 VG_CHECK(&pubkey, sizeof(pubkey));
3827 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3828 /* Zero is too small, reject. */
3829 memset(ctmp, 0, 32);
3830 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3831 memset(&pubkey, 1, sizeof(pubkey));
3832 VG_UNDEF(&pubkey, sizeof(pubkey));
3833 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3834 VG_CHECK(&pubkey, sizeof(pubkey));
3835 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3836 /* One must be accepted. */
3838 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3839 memset(&pubkey, 0, sizeof(pubkey));
3840 VG_UNDEF(&pubkey, sizeof(pubkey));
3841 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3842 VG_CHECK(&pubkey, sizeof(pubkey));
3843 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3844 pubkey_one = pubkey;
3845 /* Group order + 1 is too large, reject. */
3846 memcpy(ctmp, orderc, 32);
3848 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3849 memset(&pubkey, 1, sizeof(pubkey));
3850 VG_UNDEF(&pubkey, sizeof(pubkey));
3851 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3852 VG_CHECK(&pubkey, sizeof(pubkey));
3853 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3854 /* -1 must be accepted. */
3856 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3857 memset(&pubkey, 0, sizeof(pubkey));
3858 VG_UNDEF(&pubkey, sizeof(pubkey));
3859 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3860 VG_CHECK(&pubkey, sizeof(pubkey));
3861 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3862 pubkey_negone = pubkey;
3863 /* Tweak of zero leaves the value unchanged. */
3864 memset(ctmp2, 0, 32);
3865 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3866 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3867 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3868 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3869 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3870 /* Multiply tweak of zero zeroizes the output. */
3871 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3872 CHECK(memcmp(zeros, ctmp, 32) == 0);
3873 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3874 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3875 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3876 /* Overflowing key tweak zeroizes. */
3877 memcpy(ctmp, orderc, 32);
3879 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3880 CHECK(memcmp(zeros, ctmp, 32) == 0);
3881 memcpy(ctmp, orderc, 32);
3883 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3884 CHECK(memcmp(zeros, ctmp, 32) == 0);
3885 memcpy(ctmp, orderc, 32);
3887 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3888 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3889 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3890 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3891 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3892 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3893 /* Private key tweaks results in a key of zero. */
3895 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3896 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3898 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3899 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3900 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3901 /* Tweak computation wraps and results in a key of 1. */
3903 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3904 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3906 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3908 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3909 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3910 /* Tweak mul * 2 = 1+1. */
3911 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3913 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3914 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3915 /* Test argument errors. */
3917 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3919 /* Zeroize pubkey on parse error. */
3920 memset(&pubkey, 0, 32);
3921 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3923 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3924 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3925 memset(&pubkey2, 0, 32);
3926 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3928 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3929 /* Plain argument errors. */
3931 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3933 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3936 memset(ctmp2, 0, 32);
3938 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3940 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3943 memset(ctmp2, 0, 32);
3945 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3947 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3950 memset(ctmp2, 0, 32);
3951 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3953 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3956 memset(ctmp2, 0, 32);
3958 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3960 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3963 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3965 memset(&pubkey, 1, sizeof(pubkey));
3966 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3968 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3969 /* secp256k1_ec_pubkey_combine tests. */
3971 pubkeys[0] = &pubkey_one;
3972 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3973 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3974 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3975 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3976 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3977 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3978 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3979 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3981 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3982 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3984 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3985 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3986 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3987 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3988 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3990 pubkeys[0] = &pubkey_negone;
3991 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3992 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3993 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3994 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3995 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3998 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3999 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4000 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4001 /* Result is infinity. */
4002 pubkeys[0] = &pubkey_one;
4003 pubkeys[1] = &pubkey_negone;
4004 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4005 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4006 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4007 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4008 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4010 /* Passes through infinity but comes out one. */
4011 pubkeys[2] = &pubkey_one;
4012 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4013 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4014 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4015 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4016 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4019 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4020 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4021 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4023 pubkeys[1] = &pubkey_one;
4024 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4025 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4026 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4027 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4028 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4030 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4033 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4034 secp256k1_scalar nonce;
4036 random_scalar_order_test(&nonce);
4037 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4040 void test_ecdsa_sign_verify(void) {
4043 secp256k1_scalar one;
4044 secp256k1_scalar msg, key;
4045 secp256k1_scalar sigr, sigs;
4048 random_scalar_order_test(&msg);
4049 random_scalar_order_test(&key);
4050 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4051 secp256k1_ge_set_gej(&pub, &pubj);
4052 getrec = secp256k1_rand_bits(1);
4053 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4055 CHECK(recid >= 0 && recid < 4);
4057 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4058 secp256k1_scalar_set_int(&one, 1);
4059 secp256k1_scalar_add(&msg, &msg, &one);
4060 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4063 void run_ecdsa_sign_verify(void) {
4065 for (i = 0; i < 10*count; i++) {
4066 test_ecdsa_sign_verify();
4070 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
4071 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4075 memcpy(nonce32, data, 32);
4076 return (counter == 0);
4079 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4080 /* Dummy nonce generator that has a fatal error on the first counter value. */
4084 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4087 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4088 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4090 memset(nonce32, counter==0 ? 0 : 255, 32);
4097 static const unsigned char order[] = {
4098 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4099 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4100 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4101 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4103 memcpy(nonce32, order, 32);
4109 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4110 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4114 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4117 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4118 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4119 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4122 void test_ecdsa_end_to_end(void) {
4123 unsigned char extra[32] = {0x00};
4124 unsigned char privkey[32];
4125 unsigned char message[32];
4126 unsigned char privkey2[32];
4127 secp256k1_ecdsa_signature signature[6];
4128 secp256k1_scalar r, s;
4129 unsigned char sig[74];
4131 unsigned char pubkeyc[65];
4132 size_t pubkeyclen = 65;
4133 secp256k1_pubkey pubkey;
4134 secp256k1_pubkey pubkey_tmp;
4135 unsigned char seckey[300];
4136 size_t seckeylen = 300;
4138 /* Generate a random key and message. */
4140 secp256k1_scalar msg, key;
4141 random_scalar_order_test(&msg);
4142 random_scalar_order_test(&key);
4143 secp256k1_scalar_get_b32(privkey, &key);
4144 secp256k1_scalar_get_b32(message, &msg);
4147 /* Construct and verify corresponding public key. */
4148 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4149 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4151 /* Verify exporting and importing public key. */
4152 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4153 memset(&pubkey, 0, sizeof(pubkey));
4154 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4156 /* Verify negation changes the key and changes it back */
4157 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4158 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4159 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4160 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4161 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4163 /* Verify private key import and export. */
4164 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4165 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4166 CHECK(memcmp(privkey, privkey2, 32) == 0);
4168 /* Optionally tweak the keys using addition. */
4169 if (secp256k1_rand_int(3) == 0) {
4172 unsigned char rnd[32];
4173 secp256k1_pubkey pubkey2;
4174 secp256k1_rand256_test(rnd);
4175 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4176 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4177 CHECK(ret1 == ret2);
4181 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4182 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4185 /* Optionally tweak the keys using multiplication. */
4186 if (secp256k1_rand_int(3) == 0) {
4189 unsigned char rnd[32];
4190 secp256k1_pubkey pubkey2;
4191 secp256k1_rand256_test(rnd);
4192 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4193 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4194 CHECK(ret1 == ret2);
4198 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4199 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4203 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4204 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4205 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4207 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4210 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4211 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4212 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4213 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4214 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4215 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4216 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4217 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4219 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4220 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4221 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4222 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4223 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4224 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4225 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4226 secp256k1_scalar_negate(&s, &s);
4227 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4228 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4229 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4230 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4231 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4232 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4233 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4234 secp256k1_scalar_negate(&s, &s);
4235 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4236 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4237 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4238 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4240 /* Serialize/parse DER and verify again */
4241 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4242 memset(&signature[0], 0, sizeof(signature[0]));
4243 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4244 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4245 /* Serialize/destroy/parse DER and verify again. */
4247 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4248 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4249 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4250 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4253 void test_random_pubkeys(void) {
4256 unsigned char in[65];
4257 /* Generate some randomly sized pubkeys. */
4258 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4259 if (secp256k1_rand_bits(2) == 0) {
4260 len = secp256k1_rand_bits(6);
4263 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4265 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4267 if (secp256k1_rand_bits(3) == 0) {
4268 in[0] = secp256k1_rand_bits(8);
4271 secp256k1_rand256(&in[1]);
4274 secp256k1_rand256(&in[33]);
4276 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4277 unsigned char out[65];
4278 unsigned char firstb;
4282 /* If the pubkey can be parsed, it should round-trip... */
4283 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4285 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4286 /* ... except for the type of hybrid inputs. */
4287 if ((in[0] != 6) && (in[0] != 7)) {
4288 CHECK(in[0] == out[0]);
4291 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4293 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4294 ge_equals_ge(&elem,&elem2);
4295 /* Check that the X9.62 hybrid type is checked. */
4296 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4297 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4298 if (firstb == 2 || firstb == 3) {
4299 if (in[0] == firstb + 4) {
4306 ge_equals_ge(&elem,&elem2);
4307 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4308 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4313 void run_random_pubkeys(void) {
4315 for (i = 0; i < 10*count; i++) {
4316 test_random_pubkeys();
4320 void run_ecdsa_end_to_end(void) {
4322 for (i = 0; i < 64*count; i++) {
4323 test_ecdsa_end_to_end();
4327 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4328 static const unsigned char zeroes[32] = {0};
4329 #ifdef ENABLE_OPENSSL_TESTS
4330 static const unsigned char max_scalar[32] = {
4331 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4332 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4333 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4334 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4340 secp256k1_ecdsa_signature sig_der;
4341 unsigned char roundtrip_der[2048];
4342 unsigned char compact_der[64];
4343 size_t len_der = 2048;
4344 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4346 secp256k1_ecdsa_signature sig_der_lax;
4347 unsigned char roundtrip_der_lax[2048];
4348 unsigned char compact_der_lax[64];
4349 size_t len_der_lax = 2048;
4350 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4352 #ifdef ENABLE_OPENSSL_TESTS
4353 ECDSA_SIG *sig_openssl;
4354 const BIGNUM *r = NULL, *s = NULL;
4355 const unsigned char *sigptr;
4356 unsigned char roundtrip_openssl[2048];
4357 int len_openssl = 2048;
4358 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4361 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4363 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4364 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4367 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4368 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4371 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4372 if (parsed_der_lax) {
4373 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4374 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4376 if (valid_der_lax) {
4377 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4378 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4381 if (certainly_der) {
4382 ret |= (!parsed_der) << 2;
4384 if (certainly_not_der) {
4385 ret |= (parsed_der) << 17;
4388 ret |= (!roundtrips_der) << 3;
4392 ret |= (!roundtrips_der_lax) << 12;
4393 ret |= (len_der != len_der_lax) << 13;
4394 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4396 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4398 ret |= (!parsed_der_lax) << 16;
4401 #ifdef ENABLE_OPENSSL_TESTS
4402 sig_openssl = ECDSA_SIG_new();
4404 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4405 if (parsed_openssl) {
4406 ECDSA_SIG_get0(sig_openssl, &r, &s);
4407 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4408 if (valid_openssl) {
4409 unsigned char tmp[32] = {0};
4410 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4411 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4413 if (valid_openssl) {
4414 unsigned char tmp[32] = {0};
4415 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4416 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4419 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4420 if (len_openssl <= 2048) {
4421 unsigned char *ptr = roundtrip_openssl;
4422 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4423 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4427 ECDSA_SIG_free(sig_openssl);
4429 ret |= (parsed_der && !parsed_openssl) << 4;
4430 ret |= (valid_der && !valid_openssl) << 5;
4431 ret |= (roundtrips_openssl && !parsed_der) << 6;
4432 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4433 if (roundtrips_openssl) {
4434 ret |= (len_der != (size_t)len_openssl) << 8;
4435 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4441 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4443 for (i = 0; i < ptrlen; i++) {
4444 int shift = ptrlen - 1 - i;
4448 ptr[i] = (val >> shift) & 0xFF;
4453 static void damage_array(unsigned char *sig, size_t *len) {
4455 int action = secp256k1_rand_bits(3);
4456 if (action < 1 && *len > 3) {
4457 /* Delete a byte. */
4458 pos = secp256k1_rand_int(*len);
4459 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4462 } else if (action < 2 && *len < 2048) {
4463 /* Insert a byte. */
4464 pos = secp256k1_rand_int(1 + *len);
4465 memmove(sig + pos + 1, sig + pos, *len - pos);
4466 sig[pos] = secp256k1_rand_bits(8);
4469 } else if (action < 4) {
4470 /* Modify a byte. */
4471 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4473 } else { /* action < 8 */
4475 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4480 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4482 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4483 size_t tlen, elen, glen;
4488 der = secp256k1_rand_bits(2) == 0;
4489 *certainly_der = der;
4490 *certainly_not_der = 0;
4491 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4493 for (n = 0; n < 2; n++) {
4494 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4495 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4496 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4497 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4498 CHECK(nlen[n] <= 232);
4499 /* The top bit of the number. */
4500 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4501 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4502 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4503 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4504 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4505 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4506 *certainly_not_der = 1;
4508 CHECK(nlen[n] + nzlen[n] <= 300);
4509 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4510 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4512 /* nlenlen[n] max 127 bytes */
4513 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4516 *certainly_not_der = 1;
4519 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4522 /* The total length of the data to go, so far */
4523 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4526 /* The length of the garbage inside the tuple. */
4527 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4529 *certainly_not_der = 1;
4534 /* The length of the garbage after the end of the tuple. */
4535 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4537 *certainly_not_der = 1;
4539 CHECK(tlen + glen <= 990);
4541 /* Write the tuple header. */
4542 sig[(*len)++] = 0x30;
4544 /* Indeterminate length */
4545 sig[(*len)++] = 0x80;
4546 *certainly_not_der = 1;
4548 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4550 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4553 *certainly_not_der = 1;
4557 /* Short length notation */
4558 sig[(*len)++] = tlen;
4560 /* Long length notation */
4561 sig[(*len)++] = 128 + tlenlen;
4562 assign_big_endian(sig + *len, tlenlen, tlen);
4568 CHECK(tlen + glen <= 1119);
4570 for (n = 0; n < 2; n++) {
4571 /* Write the integer header. */
4572 sig[(*len)++] = 0x02;
4573 if (nlenlen[n] == 0) {
4574 /* Short length notation */
4575 sig[(*len)++] = nlen[n] + nzlen[n];
4577 /* Long length notation. */
4578 sig[(*len)++] = 128 + nlenlen[n];
4579 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4582 /* Write zero padding */
4583 while (nzlen[n] > 0) {
4584 sig[(*len)++] = 0x00;
4587 if (nlen[n] == 32 && !nlow[n]) {
4588 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4590 for (i = 0; i < 16; i++) {
4591 sig[(*len)++] = 0xFF;
4595 /* Write first byte of number */
4597 sig[(*len)++] = nhbyte[n];
4600 /* Generate remaining random bytes of number */
4601 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4606 /* Generate random garbage inside tuple. */
4607 secp256k1_rand_bytes_test(sig + *len, elen);
4610 /* Generate end-of-contents bytes. */
4616 CHECK(tlen + glen <= 1121);
4618 /* Generate random garbage outside tuple. */
4619 secp256k1_rand_bytes_test(sig + *len, glen);
4622 CHECK(tlen <= 1121);
4623 CHECK(tlen == *len);
4626 void run_ecdsa_der_parse(void) {
4628 for (i = 0; i < 200 * count; i++) {
4629 unsigned char buffer[2048];
4631 int certainly_der = 0;
4632 int certainly_not_der = 0;
4633 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4634 CHECK(buflen <= 2048);
4635 for (j = 0; j < 16; j++) {
4638 damage_array(buffer, &buflen);
4639 /* We don't know anything anymore about the DERness of the result */
4641 certainly_not_der = 0;
4643 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4646 fprintf(stderr, "Failure %x on ", ret);
4647 for (k = 0; k < buflen; k++) {
4648 fprintf(stderr, "%02x ", buffer[k]);
4650 fprintf(stderr, "\n");
4657 /* Tests several edge cases. */
4658 void test_ecdsa_edge_cases(void) {
4660 secp256k1_ecdsa_signature sig;
4662 /* Test the case where ECDSA recomputes a point that is infinity. */
4666 secp256k1_scalar msg;
4667 secp256k1_scalar sr, ss;
4668 secp256k1_scalar_set_int(&ss, 1);
4669 secp256k1_scalar_negate(&ss, &ss);
4670 secp256k1_scalar_inverse(&ss, &ss);
4671 secp256k1_scalar_set_int(&sr, 1);
4672 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4673 secp256k1_ge_set_gej(&key, &keyj);
4675 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4678 /* Verify signature with r of zero fails. */
4680 const unsigned char pubkey_mods_zero[33] = {
4681 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4682 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4683 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4684 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4688 secp256k1_scalar msg;
4689 secp256k1_scalar sr, ss;
4690 secp256k1_scalar_set_int(&ss, 1);
4691 secp256k1_scalar_set_int(&msg, 0);
4692 secp256k1_scalar_set_int(&sr, 0);
4693 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4694 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4697 /* Verify signature with s of zero fails. */
4699 const unsigned char pubkey[33] = {
4700 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4707 secp256k1_scalar msg;
4708 secp256k1_scalar sr, ss;
4709 secp256k1_scalar_set_int(&ss, 0);
4710 secp256k1_scalar_set_int(&msg, 0);
4711 secp256k1_scalar_set_int(&sr, 1);
4712 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4713 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4716 /* Verify signature with message 0 passes. */
4718 const unsigned char pubkey[33] = {
4719 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4720 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4725 const unsigned char pubkey2[33] = {
4726 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4727 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4728 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4729 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4734 secp256k1_scalar msg;
4735 secp256k1_scalar sr, ss;
4736 secp256k1_scalar_set_int(&ss, 2);
4737 secp256k1_scalar_set_int(&msg, 0);
4738 secp256k1_scalar_set_int(&sr, 2);
4739 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4740 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4741 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4742 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4743 secp256k1_scalar_negate(&ss, &ss);
4744 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4745 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4746 secp256k1_scalar_set_int(&ss, 1);
4747 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4748 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4751 /* Verify signature with message 1 passes. */
4753 const unsigned char pubkey[33] = {
4754 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4755 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4756 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4757 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4760 const unsigned char pubkey2[33] = {
4761 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4762 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4763 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4764 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4767 const unsigned char csr[32] = {
4768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4770 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4771 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4775 secp256k1_scalar msg;
4776 secp256k1_scalar sr, ss;
4777 secp256k1_scalar_set_int(&ss, 1);
4778 secp256k1_scalar_set_int(&msg, 1);
4779 secp256k1_scalar_set_b32(&sr, csr, NULL);
4780 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4781 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4782 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4783 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4784 secp256k1_scalar_negate(&ss, &ss);
4785 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4786 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4787 secp256k1_scalar_set_int(&ss, 2);
4788 secp256k1_scalar_inverse_var(&ss, &ss);
4789 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4790 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4793 /* Verify signature with message -1 passes. */
4795 const unsigned char pubkey[33] = {
4796 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4797 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4798 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4799 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4802 const unsigned char csr[32] = {
4803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4804 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4805 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4806 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4809 secp256k1_scalar msg;
4810 secp256k1_scalar sr, ss;
4811 secp256k1_scalar_set_int(&ss, 1);
4812 secp256k1_scalar_set_int(&msg, 1);
4813 secp256k1_scalar_negate(&msg, &msg);
4814 secp256k1_scalar_set_b32(&sr, csr, NULL);
4815 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4816 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4817 secp256k1_scalar_negate(&ss, &ss);
4818 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4819 secp256k1_scalar_set_int(&ss, 3);
4820 secp256k1_scalar_inverse_var(&ss, &ss);
4821 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4824 /* Signature where s would be zero. */
4826 secp256k1_pubkey pubkey;
4829 unsigned char signature[72];
4830 static const unsigned char nonce[32] = {
4831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4832 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4834 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4836 static const unsigned char nonce2[32] = {
4837 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4838 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4839 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4840 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4842 const unsigned char key[32] = {
4843 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4848 unsigned char msg[32] = {
4849 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4850 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4851 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4852 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4855 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4856 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4857 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4859 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4861 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4863 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4865 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4867 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4868 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4869 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4871 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4873 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4875 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4877 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4879 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4880 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4883 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4885 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4886 CHECK(ecount == 10);
4887 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4888 CHECK(ecount == 11);
4889 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4890 CHECK(ecount == 11);
4891 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4892 CHECK(ecount == 12);
4893 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4894 CHECK(ecount == 13);
4895 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4896 CHECK(ecount == 13);
4898 /* Too little room for a signature does not fail via ARGCHECK. */
4899 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4900 CHECK(ecount == 13);
4902 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4904 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4906 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4908 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4910 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4912 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4914 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4916 memset(signature, 255, 64);
4917 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4919 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4922 /* Nonce function corner cases. */
4923 for (t = 0; t < 2; t++) {
4924 static const unsigned char zero[32] = {0x00};
4926 unsigned char key[32];
4927 unsigned char msg[32];
4928 secp256k1_ecdsa_signature sig2;
4929 secp256k1_scalar sr[512], ss;
4930 const unsigned char *extra;
4931 extra = t == 0 ? NULL : zero;
4934 /* High key results in signature failure. */
4935 memset(key, 0xFF, 32);
4936 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4937 CHECK(is_empty_signature(&sig));
4938 /* Zero key results in signature failure. */
4940 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4941 CHECK(is_empty_signature(&sig));
4942 /* Nonce function failure results in signature failure. */
4944 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4945 CHECK(is_empty_signature(&sig));
4946 /* The retry loop successfully makes its way to the first good value. */
4947 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4948 CHECK(!is_empty_signature(&sig));
4949 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4950 CHECK(!is_empty_signature(&sig2));
4951 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4952 /* The default nonce function is deterministic. */
4953 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4954 CHECK(!is_empty_signature(&sig2));
4955 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4956 /* The default nonce function changes output with different messages. */
4957 for(i = 0; i < 256; i++) {
4960 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4961 CHECK(!is_empty_signature(&sig2));
4962 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4963 for (j = 0; j < i; j++) {
4964 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4969 /* The default nonce function changes output with different keys. */
4970 for(i = 256; i < 512; i++) {
4973 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4974 CHECK(!is_empty_signature(&sig2));
4975 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4976 for (j = 0; j < i; j++) {
4977 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4984 /* Check that optional nonce arguments do not have equivalent effect. */
4985 const unsigned char zeros[32] = {0};
4986 unsigned char nonce[32];
4987 unsigned char nonce2[32];
4988 unsigned char nonce3[32];
4989 unsigned char nonce4[32];
4991 VG_UNDEF(nonce2,32);
4992 VG_UNDEF(nonce3,32);
4993 VG_UNDEF(nonce4,32);
4994 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4996 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4997 VG_CHECK(nonce2,32);
4998 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4999 VG_CHECK(nonce3,32);
5000 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5001 VG_CHECK(nonce4,32);
5002 CHECK(memcmp(nonce, nonce2, 32) != 0);
5003 CHECK(memcmp(nonce, nonce3, 32) != 0);
5004 CHECK(memcmp(nonce, nonce4, 32) != 0);
5005 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5006 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5007 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5011 /* Privkey export where pubkey is the point at infinity. */
5013 unsigned char privkey[300];
5014 unsigned char seckey[32] = {
5015 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5016 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5017 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5018 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5020 size_t outlen = 300;
5021 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5023 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5027 void run_ecdsa_edge_cases(void) {
5028 test_ecdsa_edge_cases();
5031 #ifdef ENABLE_OPENSSL_TESTS
5032 EC_KEY *get_openssl_key(const unsigned char *key32) {
5033 unsigned char privkey[300];
5035 const unsigned char* pbegin = privkey;
5036 int compr = secp256k1_rand_bits(1);
5037 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5038 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5039 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5040 CHECK(EC_KEY_check_key(ec_key));
5044 void test_ecdsa_openssl(void) {
5047 secp256k1_scalar sigr, sigs;
5048 secp256k1_scalar one;
5049 secp256k1_scalar msg2;
5050 secp256k1_scalar key, msg;
5052 unsigned int sigsize = 80;
5053 size_t secp_sigsize = 80;
5054 unsigned char message[32];
5055 unsigned char signature[80];
5056 unsigned char key32[32];
5057 secp256k1_rand256_test(message);
5058 secp256k1_scalar_set_b32(&msg, message, NULL);
5059 random_scalar_order_test(&key);
5060 secp256k1_scalar_get_b32(key32, &key);
5061 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5062 secp256k1_ge_set_gej(&q, &qj);
5063 ec_key = get_openssl_key(key32);
5064 CHECK(ec_key != NULL);
5065 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5066 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5067 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5068 secp256k1_scalar_set_int(&one, 1);
5069 secp256k1_scalar_add(&msg2, &msg, &one);
5070 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5072 random_sign(&sigr, &sigs, &key, &msg, NULL);
5073 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5074 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5076 EC_KEY_free(ec_key);
5079 void run_ecdsa_openssl(void) {
5081 for (i = 0; i < 10*count; i++) {
5082 test_ecdsa_openssl();
5087 #ifdef ENABLE_MODULE_ECDH
5088 # include "modules/ecdh/tests_impl.h"
5091 #ifdef ENABLE_MODULE_RECOVERY
5092 # include "modules/recovery/tests_impl.h"
5095 int main(int argc, char **argv) {
5096 unsigned char seed16[16] = {0};
5097 unsigned char run32[32] = {0};
5098 /* find iteration count */
5100 count = strtol(argv[1], NULL, 0);
5103 /* find random seed */
5106 const char* ch = argv[2];
5107 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5109 if (sscanf(ch, "%2hx", &sh)) {
5118 FILE *frand = fopen("/dev/urandom", "r");
5119 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5120 uint64_t t = time(NULL) * (uint64_t)1337;
5121 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5123 seed16[1] ^= t >> 8;
5124 seed16[2] ^= t >> 16;
5125 seed16[3] ^= t >> 24;
5126 seed16[4] ^= t >> 32;
5127 seed16[5] ^= t >> 40;
5128 seed16[6] ^= t >> 48;
5129 seed16[7] ^= t >> 56;
5135 secp256k1_rand_seed(seed16);
5137 printf("test count = %i\n", count);
5138 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5141 run_context_tests(0);
5142 run_context_tests(1);
5143 run_scratch_tests();
5144 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5145 if (secp256k1_rand_bits(1)) {
5146 secp256k1_rand256(run32);
5147 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5154 run_hmac_sha256_tests();
5155 run_rfc6979_hmac_sha256_tests();
5157 #ifndef USE_NUM_NONE
5159 run_num_smalltests();
5167 run_field_inv_var();
5168 run_field_inv_all_var();
5170 run_field_convert();
5176 run_group_decompress();
5180 run_point_times_order();
5182 run_ecmult_constants();
5183 run_ecmult_gen_blind();
5184 run_ecmult_const_tests();
5185 run_ecmult_multi_tests();
5188 /* endomorphism tests */
5189 #ifdef USE_ENDOMORPHISM
5190 run_endomorphism_tests();
5193 /* EC point parser test */
5194 run_ec_pubkey_parse_test();
5196 /* EC key edge cases */
5197 run_eckey_edge_case_test();
5199 #ifdef ENABLE_MODULE_ECDH
5205 run_random_pubkeys();
5206 run_ecdsa_der_parse();
5207 run_ecdsa_sign_verify();
5208 run_ecdsa_end_to_end();
5209 run_ecdsa_edge_cases();
5210 #ifdef ENABLE_OPENSSL_TESTS
5211 run_ecdsa_openssl();
5214 #ifdef ENABLE_MODULE_RECOVERY
5215 /* ECDSA pubkey recovery tests */
5216 run_recovery_tests();
5219 secp256k1_rand256(run32);
5220 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5223 secp256k1_context_destroy(ctx);
5225 printf("no problems found\n");
projects / secp256k1.git / blob