1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
166 /*** clone and destroy all of them to make sure cloning was complete ***/
168 secp256k1_context *ctx_tmp;
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
188 /* Verify context-type checking illegal-argument errors. */
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
223 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
224 CHECK(ecount2 == 14);
225 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
226 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
228 /* This shouldn't leak memory, due to already-set tests. */
229 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
230 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
232 /* obtain a working nonce */
234 random_scalar_order_test(&nonce);
235 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
238 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
239 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
242 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
243 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
246 secp256k1_context_destroy(none);
247 secp256k1_context_destroy(sign);
248 secp256k1_context_destroy(vrfy);
249 secp256k1_context_destroy(both);
250 /* Defined as no-op. */
251 secp256k1_context_destroy(NULL);
254 void run_scratch_tests(void) {
256 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
257 secp256k1_scratch_space *scratch;
259 /* Test public API */
260 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
261 scratch = secp256k1_scratch_space_create(none, 100, 10);
262 CHECK(scratch == NULL);
265 scratch = secp256k1_scratch_space_create(none, 100, 100);
266 CHECK(scratch != NULL);
268 secp256k1_scratch_space_destroy(scratch);
270 scratch = secp256k1_scratch_space_create(none, 100, 1000);
271 CHECK(scratch != NULL);
274 /* Test internal API */
275 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
276 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
277 CHECK(secp256k1_scratch_resize(scratch, 50, 1) == 1); /* no-op */
278 CHECK(secp256k1_scratch_resize(scratch, 200, 1) == 1);
279 CHECK(secp256k1_scratch_resize(scratch, 950, 1) == 1);
280 CHECK(secp256k1_scratch_resize(scratch, 1000, 1) == 0);
281 CHECK(secp256k1_scratch_resize(scratch, 2000, 1) == 0);
282 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
285 secp256k1_scratch_space_destroy(scratch);
286 secp256k1_context_destroy(none);
289 /***** HASH TESTS *****/
291 void run_sha256_tests(void) {
292 static const char *inputs[8] = {
293 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
294 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
295 "For this sample, this 63-byte string will be used as input data",
296 "This is exactly 64 bytes long, not counting the terminating byte"
298 static const unsigned char outputs[8][32] = {
299 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
300 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
301 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
302 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
303 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
304 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
305 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
306 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
309 for (i = 0; i < 8; i++) {
310 unsigned char out[32];
311 secp256k1_sha256 hasher;
312 secp256k1_sha256_initialize(&hasher);
313 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
314 secp256k1_sha256_finalize(&hasher, out);
315 CHECK(memcmp(out, outputs[i], 32) == 0);
316 if (strlen(inputs[i]) > 0) {
317 int split = secp256k1_rand_int(strlen(inputs[i]));
318 secp256k1_sha256_initialize(&hasher);
319 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
320 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
321 secp256k1_sha256_finalize(&hasher, out);
322 CHECK(memcmp(out, outputs[i], 32) == 0);
327 void run_hmac_sha256_tests(void) {
328 static const char *keys[6] = {
329 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
331 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
332 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
333 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
334 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
336 static const char *inputs[6] = {
337 "\x48\x69\x20\x54\x68\x65\x72\x65",
338 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
339 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
340 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
341 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
342 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
344 static const unsigned char outputs[6][32] = {
345 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
346 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
347 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
348 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
349 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
350 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
353 for (i = 0; i < 6; i++) {
354 secp256k1_hmac_sha256 hasher;
355 unsigned char out[32];
356 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
357 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
358 secp256k1_hmac_sha256_finalize(&hasher, out);
359 CHECK(memcmp(out, outputs[i], 32) == 0);
360 if (strlen(inputs[i]) > 0) {
361 int split = secp256k1_rand_int(strlen(inputs[i]));
362 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
363 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
364 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
365 secp256k1_hmac_sha256_finalize(&hasher, out);
366 CHECK(memcmp(out, outputs[i], 32) == 0);
371 void run_rfc6979_hmac_sha256_tests(void) {
372 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
373 static const unsigned char out1[3][32] = {
374 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
375 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
376 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
379 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
380 static const unsigned char out2[3][32] = {
381 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
382 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
383 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
386 secp256k1_rfc6979_hmac_sha256 rng;
387 unsigned char out[32];
390 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
391 for (i = 0; i < 3; i++) {
392 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
393 CHECK(memcmp(out, out1[i], 32) == 0);
395 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
397 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
398 for (i = 0; i < 3; i++) {
399 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
400 CHECK(memcmp(out, out1[i], 32) != 0);
402 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
404 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
405 for (i = 0; i < 3; i++) {
406 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
407 CHECK(memcmp(out, out2[i], 32) == 0);
409 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
412 /***** RANDOM TESTS *****/
414 void test_rand_bits(int rand32, int bits) {
415 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
416 * get a false negative chance below once in a billion */
417 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
418 /* We try multiplying the results with various odd numbers, which shouldn't
419 * influence the uniform distribution modulo a power of 2. */
420 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
421 /* We only select up to 6 bits from the output to analyse */
422 unsigned int usebits = bits > 6 ? 6 : bits;
423 unsigned int maxshift = bits - usebits;
424 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
425 number, track all observed outcomes, one per bit in a uint64_t. */
426 uint64_t x[6][27] = {{0}};
427 unsigned int i, shift, m;
428 /* Multiply the output of all rand calls with the odd number m, which
429 should not change the uniformity of its distribution. */
430 for (i = 0; i < rounds[usebits]; i++) {
431 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
432 CHECK((((uint64_t)r) >> bits) == 0);
433 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
434 uint32_t rm = r * mults[m];
435 for (shift = 0; shift <= maxshift; shift++) {
436 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
440 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
441 for (shift = 0; shift <= maxshift; shift++) {
442 /* Test that the lower usebits bits of x[shift] are 1 */
443 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
448 /* Subrange must be a whole divisor of range, and at most 64 */
449 void test_rand_int(uint32_t range, uint32_t subrange) {
450 /* (1-1/subrange)^rounds < 1/10^9 */
451 int rounds = (subrange * 2073) / 100;
454 CHECK((range % subrange) == 0);
455 for (i = 0; i < rounds; i++) {
456 uint32_t r = secp256k1_rand_int(range);
459 x |= (((uint64_t)1) << r);
461 /* Test that the lower subrange bits of x are 1. */
462 CHECK(((~x) << (64 - subrange)) == 0);
465 void run_rand_bits(void) {
467 test_rand_bits(1, 32);
468 for (b = 1; b <= 32; b++) {
469 test_rand_bits(0, b);
473 void run_rand_int(void) {
474 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
475 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
477 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
478 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
479 test_rand_int(ms[m] * ss[s], ss[s]);
484 /***** NUM TESTS *****/
487 void random_num_negate(secp256k1_num *num) {
488 if (secp256k1_rand_bits(1)) {
489 secp256k1_num_negate(num);
493 void random_num_order_test(secp256k1_num *num) {
495 random_scalar_order_test(&sc);
496 secp256k1_scalar_get_num(num, &sc);
499 void random_num_order(secp256k1_num *num) {
501 random_scalar_order(&sc);
502 secp256k1_scalar_get_num(num, &sc);
505 void test_num_negate(void) {
508 random_num_order_test(&n1); /* n1 = R */
509 random_num_negate(&n1);
510 secp256k1_num_copy(&n2, &n1); /* n2 = R */
511 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
512 CHECK(secp256k1_num_is_zero(&n1));
513 secp256k1_num_copy(&n1, &n2); /* n1 = R */
514 secp256k1_num_negate(&n1); /* n1 = -R */
515 CHECK(!secp256k1_num_is_zero(&n1));
516 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
517 CHECK(secp256k1_num_is_zero(&n1));
518 secp256k1_num_copy(&n1, &n2); /* n1 = R */
519 secp256k1_num_negate(&n1); /* n1 = -R */
520 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
521 secp256k1_num_negate(&n1); /* n1 = R */
522 CHECK(secp256k1_num_eq(&n1, &n2));
525 void test_num_add_sub(void) {
530 secp256k1_num n1p2, n2p1, n1m2, n2m1;
531 random_num_order_test(&n1); /* n1 = R1 */
532 if (secp256k1_rand_bits(1)) {
533 random_num_negate(&n1);
535 random_num_order_test(&n2); /* n2 = R2 */
536 if (secp256k1_rand_bits(1)) {
537 random_num_negate(&n2);
539 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
540 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
541 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
542 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
543 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
544 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
545 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
546 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
547 CHECK(!secp256k1_num_eq(&n2m1, &n1));
548 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
549 CHECK(secp256k1_num_eq(&n2m1, &n1));
550 CHECK(!secp256k1_num_eq(&n2p1, &n1));
551 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
552 CHECK(secp256k1_num_eq(&n2p1, &n1));
555 secp256k1_scalar_set_int(&s, 1);
556 secp256k1_scalar_get_num(&n1, &s);
557 CHECK(secp256k1_num_is_one(&n1));
558 /* check that 2^n + 1 is never 1 */
559 secp256k1_scalar_get_num(&n2, &s);
560 for (i = 0; i < 250; ++i) {
561 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
562 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
563 CHECK(!secp256k1_num_is_one(&n1p2));
567 void test_num_mod(void) {
570 secp256k1_num order, n;
572 /* check that 0 mod anything is 0 */
573 random_scalar_order_test(&s);
574 secp256k1_scalar_get_num(&order, &s);
575 secp256k1_scalar_set_int(&s, 0);
576 secp256k1_scalar_get_num(&n, &s);
577 secp256k1_num_mod(&n, &order);
578 CHECK(secp256k1_num_is_zero(&n));
580 /* check that anything mod 1 is 0 */
581 secp256k1_scalar_set_int(&s, 1);
582 secp256k1_scalar_get_num(&order, &s);
583 secp256k1_scalar_get_num(&n, &s);
584 secp256k1_num_mod(&n, &order);
585 CHECK(secp256k1_num_is_zero(&n));
587 /* check that increasing the number past 2^256 does not break this */
588 random_scalar_order_test(&s);
589 secp256k1_scalar_get_num(&n, &s);
590 /* multiply by 2^8, which'll test this case with high probability */
591 for (i = 0; i < 8; ++i) {
592 secp256k1_num_add(&n, &n, &n);
594 secp256k1_num_mod(&n, &order);
595 CHECK(secp256k1_num_is_zero(&n));
598 void test_num_jacobi(void) {
599 secp256k1_scalar sqr;
600 secp256k1_scalar small;
601 secp256k1_scalar five; /* five is not a quadratic residue */
602 secp256k1_num order, n;
604 /* squares mod 5 are 1, 4 */
605 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
607 /* check some small values with 5 as the order */
608 secp256k1_scalar_set_int(&five, 5);
609 secp256k1_scalar_get_num(&order, &five);
610 for (i = 0; i < 10; ++i) {
611 secp256k1_scalar_set_int(&small, i);
612 secp256k1_scalar_get_num(&n, &small);
613 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
616 /** test large values with 5 as group order */
617 secp256k1_scalar_get_num(&order, &five);
618 /* we first need a scalar which is not a multiple of 5 */
621 random_scalar_order_test(&sqr);
622 secp256k1_scalar_get_num(&fiven, &five);
623 secp256k1_scalar_get_num(&n, &sqr);
624 secp256k1_num_mod(&n, &fiven);
625 } while (secp256k1_num_is_zero(&n));
626 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
627 * just multiply by two, i.e. add the number to itself */
628 if (secp256k1_num_jacobi(&n, &order) == -1) {
629 secp256k1_num_add(&n, &n, &n);
633 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
634 /* test nonresidue */
635 secp256k1_num_add(&n, &n, &n);
636 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
638 /** test with secp group order as order */
639 secp256k1_scalar_order_get_num(&order);
640 random_scalar_order_test(&sqr);
641 secp256k1_scalar_sqr(&sqr, &sqr);
643 secp256k1_scalar_get_num(&n, &sqr);
644 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
645 /* test nonresidue */
646 secp256k1_scalar_mul(&sqr, &sqr, &five);
647 secp256k1_scalar_get_num(&n, &sqr);
648 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
649 /* test multiple of the order*/
650 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
652 /* check one less than the order */
653 secp256k1_scalar_set_int(&small, 1);
654 secp256k1_scalar_get_num(&n, &small);
655 secp256k1_num_sub(&n, &order, &n);
656 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
659 void run_num_smalltests(void) {
661 for (i = 0; i < 100*count; i++) {
670 /***** SCALAR TESTS *****/
672 void scalar_test(void) {
677 secp256k1_num snum, s1num, s2num;
678 secp256k1_num order, half_order;
682 /* Set 's' to a random scalar, with value 'snum'. */
683 random_scalar_order_test(&s);
685 /* Set 's1' to a random scalar, with value 's1num'. */
686 random_scalar_order_test(&s1);
688 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
689 random_scalar_order_test(&s2);
690 secp256k1_scalar_get_b32(c, &s2);
693 secp256k1_scalar_get_num(&snum, &s);
694 secp256k1_scalar_get_num(&s1num, &s1);
695 secp256k1_scalar_get_num(&s2num, &s2);
697 secp256k1_scalar_order_get_num(&order);
699 secp256k1_num_shift(&half_order, 1);
704 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
706 secp256k1_scalar_set_int(&n, 0);
707 for (i = 0; i < 256; i += 4) {
710 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
711 for (j = 0; j < 4; j++) {
712 secp256k1_scalar_add(&n, &n, &n);
714 secp256k1_scalar_add(&n, &n, &t);
716 CHECK(secp256k1_scalar_eq(&n, &s));
720 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
723 secp256k1_scalar_set_int(&n, 0);
727 int now = secp256k1_rand_int(15) + 1;
731 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
732 for (j = 0; j < now; j++) {
733 secp256k1_scalar_add(&n, &n, &n);
735 secp256k1_scalar_add(&n, &n, &t);
738 CHECK(secp256k1_scalar_eq(&n, &s));
743 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
747 secp256k1_num_add(&rnum, &snum, &s2num);
748 secp256k1_num_mod(&rnum, &order);
749 secp256k1_scalar_add(&r, &s, &s2);
750 secp256k1_scalar_get_num(&r2num, &r);
751 CHECK(secp256k1_num_eq(&rnum, &r2num));
755 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
759 secp256k1_num_mul(&rnum, &snum, &s2num);
760 secp256k1_num_mod(&rnum, &order);
761 secp256k1_scalar_mul(&r, &s, &s2);
762 secp256k1_scalar_get_num(&r2num, &r);
763 CHECK(secp256k1_num_eq(&rnum, &r2num));
764 /* The result can only be zero if at least one of the factors was zero. */
765 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
766 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
767 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
768 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
772 secp256k1_scalar neg;
773 secp256k1_num negnum;
774 secp256k1_num negnum2;
775 /* Check that comparison with zero matches comparison with zero on the number. */
776 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
777 /* Check that comparison with the half order is equal to testing for high scalar. */
778 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
779 secp256k1_scalar_negate(&neg, &s);
780 secp256k1_num_sub(&negnum, &order, &snum);
781 secp256k1_num_mod(&negnum, &order);
782 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
783 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
784 /* Negating should change the high property, unless the value was already zero. */
785 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
786 secp256k1_scalar_get_num(&negnum2, &neg);
787 /* Negating a scalar should be equal to (order - n) mod order on the number. */
788 CHECK(secp256k1_num_eq(&negnum, &negnum2));
789 secp256k1_scalar_add(&neg, &neg, &s);
790 /* Adding a number to its negation should result in zero. */
791 CHECK(secp256k1_scalar_is_zero(&neg));
792 secp256k1_scalar_negate(&neg, &neg);
793 /* Negating zero should still result in zero. */
794 CHECK(secp256k1_scalar_is_zero(&neg));
798 /* Test secp256k1_scalar_mul_shift_var. */
803 unsigned char cone[1] = {0x01};
804 unsigned int shift = 256 + secp256k1_rand_int(257);
805 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
806 secp256k1_num_mul(&rnum, &s1num, &s2num);
807 secp256k1_num_shift(&rnum, shift - 1);
808 secp256k1_num_set_bin(&one, cone, 1);
809 secp256k1_num_add(&rnum, &rnum, &one);
810 secp256k1_num_shift(&rnum, 1);
811 secp256k1_scalar_get_num(&rnum2, &r);
812 CHECK(secp256k1_num_eq(&rnum, &rnum2));
816 /* test secp256k1_scalar_shr_int */
819 random_scalar_order_test(&r);
820 for (i = 0; i < 100; ++i) {
822 int shift = 1 + secp256k1_rand_int(15);
823 int expected = r.d[0] % (1 << shift);
824 low = secp256k1_scalar_shr_int(&r, shift);
825 CHECK(expected == low);
831 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
832 if (!secp256k1_scalar_is_zero(&s)) {
833 secp256k1_scalar inv;
835 secp256k1_num invnum;
836 secp256k1_num invnum2;
838 secp256k1_scalar_inverse(&inv, &s);
840 secp256k1_num_mod_inverse(&invnum, &snum, &order);
841 secp256k1_scalar_get_num(&invnum2, &inv);
842 CHECK(secp256k1_num_eq(&invnum, &invnum2));
844 secp256k1_scalar_mul(&inv, &inv, &s);
845 /* Multiplying a scalar with its inverse must result in one. */
846 CHECK(secp256k1_scalar_is_one(&inv));
847 secp256k1_scalar_inverse(&inv, &inv);
848 /* Inverting one must result in one. */
849 CHECK(secp256k1_scalar_is_one(&inv));
851 secp256k1_scalar_get_num(&invnum, &inv);
852 CHECK(secp256k1_num_is_one(&invnum));
858 /* Test commutativity of add. */
859 secp256k1_scalar r1, r2;
860 secp256k1_scalar_add(&r1, &s1, &s2);
861 secp256k1_scalar_add(&r2, &s2, &s1);
862 CHECK(secp256k1_scalar_eq(&r1, &r2));
866 secp256k1_scalar r1, r2;
870 int bit = secp256k1_rand_bits(8);
871 secp256k1_scalar_set_int(&b, 1);
872 CHECK(secp256k1_scalar_is_one(&b));
873 for (i = 0; i < bit; i++) {
874 secp256k1_scalar_add(&b, &b, &b);
878 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
879 /* No overflow happened. */
880 secp256k1_scalar_cadd_bit(&r2, bit, 1);
881 CHECK(secp256k1_scalar_eq(&r1, &r2));
882 /* cadd is a noop when flag is zero */
883 secp256k1_scalar_cadd_bit(&r2, bit, 0);
884 CHECK(secp256k1_scalar_eq(&r1, &r2));
889 /* Test commutativity of mul. */
890 secp256k1_scalar r1, r2;
891 secp256k1_scalar_mul(&r1, &s1, &s2);
892 secp256k1_scalar_mul(&r2, &s2, &s1);
893 CHECK(secp256k1_scalar_eq(&r1, &r2));
897 /* Test associativity of add. */
898 secp256k1_scalar r1, r2;
899 secp256k1_scalar_add(&r1, &s1, &s2);
900 secp256k1_scalar_add(&r1, &r1, &s);
901 secp256k1_scalar_add(&r2, &s2, &s);
902 secp256k1_scalar_add(&r2, &s1, &r2);
903 CHECK(secp256k1_scalar_eq(&r1, &r2));
907 /* Test associativity of mul. */
908 secp256k1_scalar r1, r2;
909 secp256k1_scalar_mul(&r1, &s1, &s2);
910 secp256k1_scalar_mul(&r1, &r1, &s);
911 secp256k1_scalar_mul(&r2, &s2, &s);
912 secp256k1_scalar_mul(&r2, &s1, &r2);
913 CHECK(secp256k1_scalar_eq(&r1, &r2));
917 /* Test distributitivity of mul over add. */
918 secp256k1_scalar r1, r2, t;
919 secp256k1_scalar_add(&r1, &s1, &s2);
920 secp256k1_scalar_mul(&r1, &r1, &s);
921 secp256k1_scalar_mul(&r2, &s1, &s);
922 secp256k1_scalar_mul(&t, &s2, &s);
923 secp256k1_scalar_add(&r2, &r2, &t);
924 CHECK(secp256k1_scalar_eq(&r1, &r2));
929 secp256k1_scalar r1, r2;
930 secp256k1_scalar_sqr(&r1, &s1);
931 secp256k1_scalar_mul(&r2, &s1, &s1);
932 CHECK(secp256k1_scalar_eq(&r1, &r2));
936 /* Test multiplicative identity. */
937 secp256k1_scalar r1, v1;
938 secp256k1_scalar_set_int(&v1,1);
939 secp256k1_scalar_mul(&r1, &s1, &v1);
940 CHECK(secp256k1_scalar_eq(&r1, &s1));
944 /* Test additive identity. */
945 secp256k1_scalar r1, v0;
946 secp256k1_scalar_set_int(&v0,0);
947 secp256k1_scalar_add(&r1, &s1, &v0);
948 CHECK(secp256k1_scalar_eq(&r1, &s1));
952 /* Test zero product property. */
953 secp256k1_scalar r1, v0;
954 secp256k1_scalar_set_int(&v0,0);
955 secp256k1_scalar_mul(&r1, &s1, &v0);
956 CHECK(secp256k1_scalar_eq(&r1, &v0));
961 void run_scalar_tests(void) {
963 for (i = 0; i < 128 * count; i++) {
968 /* (-1)+1 should be zero. */
969 secp256k1_scalar s, o;
970 secp256k1_scalar_set_int(&s, 1);
971 CHECK(secp256k1_scalar_is_one(&s));
972 secp256k1_scalar_negate(&o, &s);
973 secp256k1_scalar_add(&o, &o, &s);
974 CHECK(secp256k1_scalar_is_zero(&o));
975 secp256k1_scalar_negate(&o, &o);
976 CHECK(secp256k1_scalar_is_zero(&o));
981 /* A scalar with value of the curve order should be 0. */
983 secp256k1_scalar zero;
984 unsigned char bin[32];
986 secp256k1_scalar_order_get_num(&order);
987 secp256k1_num_get_bin(bin, 32, &order);
988 secp256k1_scalar_set_b32(&zero, bin, &overflow);
989 CHECK(overflow == 1);
990 CHECK(secp256k1_scalar_is_zero(&zero));
995 /* Does check_overflow check catch all ones? */
996 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
997 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
998 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1000 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1004 /* Static test vectors.
1005 * These were reduced from ~10^12 random vectors based on comparison-decision
1006 * and edge-case coverage on 32-bit and 64-bit implementations.
1007 * The responses were generated with Sage 5.9.
1012 secp256k1_scalar zz;
1013 secp256k1_scalar one;
1014 secp256k1_scalar r1;
1015 secp256k1_scalar r2;
1016 #if defined(USE_SCALAR_INV_NUM)
1017 secp256k1_scalar zzv;
1020 unsigned char chal[33][2][32] = {
1021 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1022 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1023 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1024 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1025 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1026 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1027 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1028 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1029 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1030 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1033 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1035 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1036 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1037 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1038 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1039 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1040 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1041 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1042 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1043 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1044 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1045 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1046 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1047 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1048 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1049 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1050 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1051 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1052 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1053 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1054 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1055 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1056 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1057 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1058 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1059 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1060 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1061 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1062 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1063 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1064 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1065 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1066 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1067 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1068 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1069 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1070 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1071 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1072 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1073 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1074 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1075 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1076 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1077 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1078 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1079 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1080 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1081 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1082 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1084 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1085 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1086 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1088 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1089 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1091 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1092 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1093 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1095 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1096 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1097 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1098 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1099 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1100 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1101 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1102 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1103 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1104 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1105 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1108 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1109 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1110 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1111 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1112 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1113 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1115 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1117 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1118 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1120 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1121 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1122 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1123 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1124 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1125 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1126 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1127 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1128 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1129 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1131 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1133 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1134 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1136 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1137 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1138 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1139 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1140 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1141 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1144 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1145 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1147 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1148 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1149 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1150 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1152 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1153 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1155 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1156 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1157 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1159 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1161 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1162 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1163 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1164 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1165 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1168 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1169 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1170 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1171 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1172 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1173 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1174 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1175 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1176 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1177 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1178 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1179 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1180 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1181 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1184 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1185 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1187 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1188 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1189 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1193 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1197 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1198 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1200 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1201 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1204 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1205 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1206 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1207 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1208 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1209 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1210 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1212 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1213 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1216 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1217 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1220 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1221 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1223 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1224 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1225 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1229 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1231 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1232 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1233 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1234 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1235 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1236 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1237 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1238 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1239 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1240 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1241 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1242 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1243 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1244 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1245 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1246 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1248 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1249 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1251 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1252 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1253 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1254 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1255 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1256 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1257 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1258 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1259 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1260 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1261 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1262 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1264 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1265 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1267 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1268 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1269 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1270 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1271 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1272 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1273 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1274 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1275 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1276 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1277 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1278 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1279 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1280 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1281 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1282 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1283 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1284 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1286 unsigned char res[33][2][32] = {
1287 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1288 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1289 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1290 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1291 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1292 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1293 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1294 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1295 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1296 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1297 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1298 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1299 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1300 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1301 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1302 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1303 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1304 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1305 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1306 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1307 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1308 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1309 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1310 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1311 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1312 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1313 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1314 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1315 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1316 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1317 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1318 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1319 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1320 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1321 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1322 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1323 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1324 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1325 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1326 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1327 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1328 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1329 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1330 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1331 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1332 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1333 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1334 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1335 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1336 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1337 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1338 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1339 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1340 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1341 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1342 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1343 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1344 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1345 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1346 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1347 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1348 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1349 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1350 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1351 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1352 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1353 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1354 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1355 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1356 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1357 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1358 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1359 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1360 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1361 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1362 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1363 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1364 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1365 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1366 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1367 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1368 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1369 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1370 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1371 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1372 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1373 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1374 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1375 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1376 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1377 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1378 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1379 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1380 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1381 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1382 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1383 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1384 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1385 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1386 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1387 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1388 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1389 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1390 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1391 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1392 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1393 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1394 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1395 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1396 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1397 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1398 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1399 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1400 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1401 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1402 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1403 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1404 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1405 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1406 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1407 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1408 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1409 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1410 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1411 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1412 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1413 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1414 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1415 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1416 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1417 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1418 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1419 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1420 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1421 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1422 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1423 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1424 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1425 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1426 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1427 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1428 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1429 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1430 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1431 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1432 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1433 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1434 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1435 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1436 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1437 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1438 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1439 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1440 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1441 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1442 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1443 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1444 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1445 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1446 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1447 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1449 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1450 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1451 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1455 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1458 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1459 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1463 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1464 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1465 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1466 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1467 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1468 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1469 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1470 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1471 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1472 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1473 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1474 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1475 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1476 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1477 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1478 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1479 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1480 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1481 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1482 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1483 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1484 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1485 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1486 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1487 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1488 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1489 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1490 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1491 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1492 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1495 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1496 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1497 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1498 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1499 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1500 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1501 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1502 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1503 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1504 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1505 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1506 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1507 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1508 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1509 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1510 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1511 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1512 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1513 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1514 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1515 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1516 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1517 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1518 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1519 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1520 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1521 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1522 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1523 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1524 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1525 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1526 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1527 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1528 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1529 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1530 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1531 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1532 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1533 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1534 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1535 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1536 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1537 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1538 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1539 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1540 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1541 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1542 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1543 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1544 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1545 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1546 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1547 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1548 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1549 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1550 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1552 secp256k1_scalar_set_int(&one, 1);
1553 for (i = 0; i < 33; i++) {
1554 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1556 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1558 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1560 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1562 secp256k1_scalar_mul(&z, &x, &y);
1563 CHECK(!secp256k1_scalar_check_overflow(&z));
1564 CHECK(secp256k1_scalar_eq(&r1, &z));
1565 if (!secp256k1_scalar_is_zero(&y)) {
1566 secp256k1_scalar_inverse(&zz, &y);
1567 CHECK(!secp256k1_scalar_check_overflow(&zz));
1568 #if defined(USE_SCALAR_INV_NUM)
1569 secp256k1_scalar_inverse_var(&zzv, &y);
1570 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1572 secp256k1_scalar_mul(&z, &z, &zz);
1573 CHECK(!secp256k1_scalar_check_overflow(&z));
1574 CHECK(secp256k1_scalar_eq(&x, &z));
1575 secp256k1_scalar_mul(&zz, &zz, &y);
1576 CHECK(!secp256k1_scalar_check_overflow(&zz));
1577 CHECK(secp256k1_scalar_eq(&one, &zz));
1579 secp256k1_scalar_mul(&z, &x, &x);
1580 CHECK(!secp256k1_scalar_check_overflow(&z));
1581 secp256k1_scalar_sqr(&zz, &x);
1582 CHECK(!secp256k1_scalar_check_overflow(&zz));
1583 CHECK(secp256k1_scalar_eq(&zz, &z));
1584 CHECK(secp256k1_scalar_eq(&r2, &zz));
1589 /***** FIELD TESTS *****/
1591 void random_fe(secp256k1_fe *x) {
1592 unsigned char bin[32];
1594 secp256k1_rand256(bin);
1595 if (secp256k1_fe_set_b32(x, bin)) {
1601 void random_fe_test(secp256k1_fe *x) {
1602 unsigned char bin[32];
1604 secp256k1_rand256_test(bin);
1605 if (secp256k1_fe_set_b32(x, bin)) {
1611 void random_fe_non_zero(secp256k1_fe *nz) {
1613 while (--tries >= 0) {
1615 secp256k1_fe_normalize(nz);
1616 if (!secp256k1_fe_is_zero(nz)) {
1620 /* Infinitesimal probability of spurious failure here */
1624 void random_fe_non_square(secp256k1_fe *ns) {
1626 random_fe_non_zero(ns);
1627 if (secp256k1_fe_sqrt(&r, ns)) {
1628 secp256k1_fe_negate(ns, ns, 1);
1632 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1633 secp256k1_fe an = *a;
1634 secp256k1_fe bn = *b;
1635 secp256k1_fe_normalize_weak(&an);
1636 secp256k1_fe_normalize_var(&bn);
1637 return secp256k1_fe_equal_var(&an, &bn);
1640 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1642 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1643 secp256k1_fe_mul(&x, a, ai);
1644 return check_fe_equal(&x, &one);
1647 void run_field_convert(void) {
1648 static const unsigned char b32[32] = {
1649 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1650 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1651 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1652 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1654 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1655 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1656 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1658 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1659 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1660 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1663 unsigned char b322[32];
1664 secp256k1_fe_storage fes2;
1665 /* Check conversions to fe. */
1666 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1667 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1668 secp256k1_fe_from_storage(&fe2, &fes);
1669 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1670 /* Check conversion from fe. */
1671 secp256k1_fe_get_b32(b322, &fe);
1672 CHECK(memcmp(b322, b32, 32) == 0);
1673 secp256k1_fe_to_storage(&fes2, &fe);
1674 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1677 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1678 secp256k1_fe t = *b;
1680 t.magnitude = a->magnitude;
1681 t.normalized = a->normalized;
1683 return memcmp(a, &t, sizeof(secp256k1_fe));
1686 void run_field_misc(void) {
1691 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1693 for (i = 0; i < 5*count; i++) {
1694 secp256k1_fe_storage xs, ys, zs;
1696 random_fe_non_zero(&y);
1697 /* Test the fe equality and comparison operations. */
1698 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1699 CHECK(secp256k1_fe_equal_var(&x, &x));
1701 secp256k1_fe_add(&z,&y);
1702 /* Test fe conditional move; z is not normalized here. */
1704 secp256k1_fe_cmov(&x, &z, 0);
1705 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1706 secp256k1_fe_cmov(&x, &x, 1);
1707 CHECK(fe_memcmp(&x, &z) != 0);
1708 CHECK(fe_memcmp(&x, &q) == 0);
1709 secp256k1_fe_cmov(&q, &z, 1);
1710 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1711 CHECK(fe_memcmp(&q, &z) == 0);
1712 secp256k1_fe_normalize_var(&x);
1713 secp256k1_fe_normalize_var(&z);
1714 CHECK(!secp256k1_fe_equal_var(&x, &z));
1715 secp256k1_fe_normalize_var(&q);
1716 secp256k1_fe_cmov(&q, &z, (i&1));
1717 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1718 for (j = 0; j < 6; j++) {
1719 secp256k1_fe_negate(&z, &z, j+1);
1720 secp256k1_fe_normalize_var(&q);
1721 secp256k1_fe_cmov(&q, &z, (j&1));
1722 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1724 secp256k1_fe_normalize_var(&z);
1725 /* Test storage conversion and conditional moves. */
1726 secp256k1_fe_to_storage(&xs, &x);
1727 secp256k1_fe_to_storage(&ys, &y);
1728 secp256k1_fe_to_storage(&zs, &z);
1729 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1730 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1731 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1732 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1733 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1734 secp256k1_fe_from_storage(&x, &xs);
1735 secp256k1_fe_from_storage(&y, &ys);
1736 secp256k1_fe_from_storage(&z, &zs);
1737 /* Test that mul_int, mul, and add agree. */
1738 secp256k1_fe_add(&y, &x);
1739 secp256k1_fe_add(&y, &x);
1741 secp256k1_fe_mul_int(&z, 3);
1742 CHECK(check_fe_equal(&y, &z));
1743 secp256k1_fe_add(&y, &x);
1744 secp256k1_fe_add(&z, &x);
1745 CHECK(check_fe_equal(&z, &y));
1747 secp256k1_fe_mul_int(&z, 5);
1748 secp256k1_fe_mul(&q, &x, &fe5);
1749 CHECK(check_fe_equal(&z, &q));
1750 secp256k1_fe_negate(&x, &x, 1);
1751 secp256k1_fe_add(&z, &x);
1752 secp256k1_fe_add(&q, &x);
1753 CHECK(check_fe_equal(&y, &z));
1754 CHECK(check_fe_equal(&q, &y));
1758 void run_field_inv(void) {
1759 secp256k1_fe x, xi, xii;
1761 for (i = 0; i < 10*count; i++) {
1762 random_fe_non_zero(&x);
1763 secp256k1_fe_inv(&xi, &x);
1764 CHECK(check_fe_inverse(&x, &xi));
1765 secp256k1_fe_inv(&xii, &xi);
1766 CHECK(check_fe_equal(&x, &xii));
1770 void run_field_inv_var(void) {
1771 secp256k1_fe x, xi, xii;
1773 for (i = 0; i < 10*count; i++) {
1774 random_fe_non_zero(&x);
1775 secp256k1_fe_inv_var(&xi, &x);
1776 CHECK(check_fe_inverse(&x, &xi));
1777 secp256k1_fe_inv_var(&xii, &xi);
1778 CHECK(check_fe_equal(&x, &xii));
1782 void run_field_inv_all_var(void) {
1783 secp256k1_fe x[16], xi[16], xii[16];
1785 /* Check it's safe to call for 0 elements */
1786 secp256k1_fe_inv_all_var(xi, x, 0);
1787 for (i = 0; i < count; i++) {
1789 size_t len = secp256k1_rand_int(15) + 1;
1790 for (j = 0; j < len; j++) {
1791 random_fe_non_zero(&x[j]);
1793 secp256k1_fe_inv_all_var(xi, x, len);
1794 for (j = 0; j < len; j++) {
1795 CHECK(check_fe_inverse(&x[j], &xi[j]));
1797 secp256k1_fe_inv_all_var(xii, xi, len);
1798 for (j = 0; j < len; j++) {
1799 CHECK(check_fe_equal(&x[j], &xii[j]));
1804 void run_sqr(void) {
1809 secp256k1_fe_set_int(&x, 1);
1810 secp256k1_fe_negate(&x, &x, 1);
1812 for (i = 1; i <= 512; ++i) {
1813 secp256k1_fe_mul_int(&x, 2);
1814 secp256k1_fe_normalize(&x);
1815 secp256k1_fe_sqr(&s, &x);
1820 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1821 secp256k1_fe r1, r2;
1822 int v = secp256k1_fe_sqrt(&r1, a);
1823 CHECK((v == 0) == (k == NULL));
1826 /* Check that the returned root is +/- the given known answer */
1827 secp256k1_fe_negate(&r2, &r1, 1);
1828 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1829 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1830 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1834 void run_sqrt(void) {
1835 secp256k1_fe ns, x, s, t;
1838 /* Check sqrt(0) is 0 */
1839 secp256k1_fe_set_int(&x, 0);
1840 secp256k1_fe_sqr(&s, &x);
1843 /* Check sqrt of small squares (and their negatives) */
1844 for (i = 1; i <= 100; i++) {
1845 secp256k1_fe_set_int(&x, i);
1846 secp256k1_fe_sqr(&s, &x);
1848 secp256k1_fe_negate(&t, &s, 1);
1849 test_sqrt(&t, NULL);
1852 /* Consistency checks for large random values */
1853 for (i = 0; i < 10; i++) {
1855 random_fe_non_square(&ns);
1856 for (j = 0; j < count; j++) {
1858 secp256k1_fe_sqr(&s, &x);
1860 secp256k1_fe_negate(&t, &s, 1);
1861 test_sqrt(&t, NULL);
1862 secp256k1_fe_mul(&t, &s, &ns);
1863 test_sqrt(&t, NULL);
1868 /***** GROUP TESTS *****/
1870 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1871 CHECK(a->infinity == b->infinity);
1875 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1876 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1879 /* This compares jacobian points including their Z, not just their geometric meaning. */
1880 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1884 ret &= a->infinity == b->infinity;
1885 if (ret && !a->infinity) {
1888 secp256k1_fe_normalize(&a2.x);
1889 secp256k1_fe_normalize(&a2.y);
1890 secp256k1_fe_normalize(&a2.z);
1891 secp256k1_fe_normalize(&b2.x);
1892 secp256k1_fe_normalize(&b2.y);
1893 secp256k1_fe_normalize(&b2.z);
1894 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1895 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1896 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1901 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1903 secp256k1_fe u1, u2, s1, s2;
1904 CHECK(a->infinity == b->infinity);
1908 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1909 secp256k1_fe_sqr(&z2s, &b->z);
1910 secp256k1_fe_mul(&u1, &a->x, &z2s);
1911 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1912 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1913 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1914 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1915 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1918 void test_ge(void) {
1920 #ifdef USE_ENDOMORPHISM
1925 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1926 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1927 * All magnitudes are randomized.
1928 * All 17*17 combinations of points are added to each other, using all applicable methods.
1930 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1932 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1933 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1934 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1936 secp256k1_fe zfi2, zfi3;
1938 secp256k1_gej_set_infinity(&gej[0]);
1939 secp256k1_ge_clear(&ge[0]);
1940 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1941 for (i = 0; i < runs; i++) {
1944 random_group_element_test(&g);
1945 #ifdef USE_ENDOMORPHISM
1946 if (i >= runs - 2) {
1947 secp256k1_ge_mul_lambda(&g, &ge[1]);
1949 if (i >= runs - 1) {
1950 secp256k1_ge_mul_lambda(&g, &g);
1955 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1956 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1957 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1958 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1959 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1960 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1961 for (j = 0; j < 4; j++) {
1962 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1963 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1964 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1965 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1966 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1970 /* Compute z inverses. */
1972 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1973 for (i = 0; i < 4 * runs + 1; i++) {
1975 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1977 random_field_element_test(&zs[i]);
1978 } while(secp256k1_fe_is_zero(&zs[i]));
1983 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1987 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1989 random_field_element_test(&zf);
1990 } while(secp256k1_fe_is_zero(&zf));
1991 random_field_element_magnitude(&zf);
1992 secp256k1_fe_inv_var(&zfi3, &zf);
1993 secp256k1_fe_sqr(&zfi2, &zfi3);
1994 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1996 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1998 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
1999 /* Compute reference result using gej + gej (var). */
2000 secp256k1_gej refj, resj;
2003 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2004 /* Check Z ratio. */
2005 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2006 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2007 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2009 secp256k1_ge_set_gej_var(&ref, &refj);
2011 /* Test gej + ge with Z ratio result (var). */
2012 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2013 ge_equals_gej(&ref, &resj);
2014 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2015 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2016 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2019 /* Test gej + ge (var, with additional Z factor). */
2021 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2022 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2023 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2024 random_field_element_magnitude(&ge2_zfi.x);
2025 random_field_element_magnitude(&ge2_zfi.y);
2026 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2027 ge_equals_gej(&ref, &resj);
2030 /* Test gej + ge (const). */
2032 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2033 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2034 ge_equals_gej(&ref, &resj);
2037 /* Test doubling (var). */
2038 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2040 /* Normal doubling with Z ratio result. */
2041 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2042 ge_equals_gej(&ref, &resj);
2043 /* Check Z ratio. */
2044 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2045 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2046 /* Normal doubling. */
2047 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2048 ge_equals_gej(&ref, &resj);
2051 /* Test adding opposites. */
2052 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2053 CHECK(secp256k1_ge_is_infinity(&ref));
2056 /* Test adding infinity. */
2058 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2059 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2060 ge_equals_gej(&ref, &gej[i2]);
2063 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2064 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2065 ge_equals_gej(&ref, &gej[i1]);
2070 /* Test adding all points together in random order equals infinity. */
2072 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2073 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2074 for (i = 0; i < 4 * runs + 1; i++) {
2075 gej_shuffled[i] = gej[i];
2077 for (i = 0; i < 4 * runs + 1; i++) {
2078 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2080 secp256k1_gej t = gej_shuffled[i];
2081 gej_shuffled[i] = gej_shuffled[swap];
2082 gej_shuffled[swap] = t;
2085 for (i = 0; i < 4 * runs + 1; i++) {
2086 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2088 CHECK(secp256k1_gej_is_infinity(&sum));
2092 /* Test batch gej -> ge conversion with and without known z ratios. */
2094 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2095 secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2096 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2097 for (i = 0; i < 4 * runs + 1; i++) {
2098 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2100 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2103 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2104 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2105 for (i = 0; i < 4 * runs + 1; i++) {
2107 random_fe_non_zero(&s);
2108 secp256k1_gej_rescale(&gej[i], &s);
2109 ge_equals_gej(&ge_set_table[i], &gej[i]);
2110 ge_equals_gej(&ge_set_all[i], &gej[i]);
2122 void test_add_neg_y_diff_x(void) {
2123 /* The point of this test is to check that we can add two points
2124 * whose y-coordinates are negatives of each other but whose x
2125 * coordinates differ. If the x-coordinates were the same, these
2126 * points would be negatives of each other and their sum is
2127 * infinity. This is cool because it "covers up" any degeneracy
2128 * in the addition algorithm that would cause the xy coordinates
2129 * of the sum to be wrong (since infinity has no xy coordinates).
2130 * HOWEVER, if the x-coordinates are different, infinity is the
2131 * wrong answer, and such degeneracies are exposed. This is the
2132 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2133 * which this test is a regression test for.
2135 * These points were generated in sage as
2136 * # secp256k1 params
2137 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2138 * C = EllipticCurve ([F (0), F (7)])
2139 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2140 * N = FiniteField(G.order())
2142 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2144 * lam = (1 - x^3).roots()[1][0]
2146 * # random "bad pair"
2147 * P = C.random_element()
2149 * print " P: %x %x" % P.xy()
2150 * print " Q: %x %x" % Q.xy()
2151 * print "P + Q: %x %x" % (P + Q).xy()
2153 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2154 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2155 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2156 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2157 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2159 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2160 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2161 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2162 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2163 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2165 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2166 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2167 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2168 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2169 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2174 secp256k1_ge_set_gej(&b, &bj);
2176 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2177 secp256k1_ge_set_gej(&res, &resj);
2178 ge_equals_gej(&res, &sumj);
2180 secp256k1_gej_add_ge(&resj, &aj, &b);
2181 secp256k1_ge_set_gej(&res, &resj);
2182 ge_equals_gej(&res, &sumj);
2184 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2185 secp256k1_ge_set_gej(&res, &resj);
2186 ge_equals_gej(&res, &sumj);
2191 for (i = 0; i < count * 32; i++) {
2194 test_add_neg_y_diff_x();
2197 void test_ec_combine(void) {
2198 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2199 secp256k1_pubkey data[6];
2200 const secp256k1_pubkey* d[6];
2201 secp256k1_pubkey sd;
2202 secp256k1_pubkey sd2;
2206 for (i = 1; i <= 6; i++) {
2208 random_scalar_order_test(&s);
2209 secp256k1_scalar_add(&sum, &sum, &s);
2210 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2211 secp256k1_ge_set_gej(&Q, &Qj);
2212 secp256k1_pubkey_save(&data[i - 1], &Q);
2213 d[i - 1] = &data[i - 1];
2214 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2215 secp256k1_ge_set_gej(&Q, &Qj);
2216 secp256k1_pubkey_save(&sd, &Q);
2217 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2218 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2222 void run_ec_combine(void) {
2224 for (i = 0; i < count * 8; i++) {
2229 void test_group_decompress(const secp256k1_fe* x) {
2230 /* The input itself, normalized. */
2231 secp256k1_fe fex = *x;
2233 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2234 secp256k1_ge ge_quad, ge_even, ge_odd;
2235 secp256k1_gej gej_quad;
2236 /* Return values of the above calls. */
2237 int res_quad, res_even, res_odd;
2239 secp256k1_fe_normalize_var(&fex);
2241 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2242 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2243 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2245 CHECK(res_quad == res_even);
2246 CHECK(res_quad == res_odd);
2249 secp256k1_fe_normalize_var(&ge_quad.x);
2250 secp256k1_fe_normalize_var(&ge_odd.x);
2251 secp256k1_fe_normalize_var(&ge_even.x);
2252 secp256k1_fe_normalize_var(&ge_quad.y);
2253 secp256k1_fe_normalize_var(&ge_odd.y);
2254 secp256k1_fe_normalize_var(&ge_even.y);
2256 /* No infinity allowed. */
2257 CHECK(!ge_quad.infinity);
2258 CHECK(!ge_even.infinity);
2259 CHECK(!ge_odd.infinity);
2261 /* Check that the x coordinates check out. */
2262 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2263 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2264 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2266 /* Check that the Y coordinate result in ge_quad is a square. */
2267 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2269 /* Check odd/even Y in ge_odd, ge_even. */
2270 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2271 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2273 /* Check secp256k1_gej_has_quad_y_var. */
2274 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2275 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2277 random_fe_test(&fez);
2278 } while (secp256k1_fe_is_zero(&fez));
2279 secp256k1_gej_rescale(&gej_quad, &fez);
2280 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2281 secp256k1_gej_neg(&gej_quad, &gej_quad);
2282 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2284 random_fe_test(&fez);
2285 } while (secp256k1_fe_is_zero(&fez));
2286 secp256k1_gej_rescale(&gej_quad, &fez);
2287 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2288 secp256k1_gej_neg(&gej_quad, &gej_quad);
2289 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2293 void run_group_decompress(void) {
2295 for (i = 0; i < count * 4; i++) {
2297 random_fe_test(&fe);
2298 test_group_decompress(&fe);
2302 /***** ECMULT TESTS *****/
2304 void run_ecmult_chain(void) {
2305 /* random starting point A (on the curve) */
2306 secp256k1_gej a = SECP256K1_GEJ_CONST(
2307 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2308 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2309 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2310 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2312 /* two random initial factors xn and gn */
2313 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2314 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2315 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2317 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2318 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2319 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2321 /* two small multipliers to be applied to xn and gn in every iteration: */
2322 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2323 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2324 /* accumulators with the resulting coefficients to A and G */
2325 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2326 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2332 /* the point being computed */
2334 for (i = 0; i < 200*count; i++) {
2335 /* in each iteration, compute X = xn*X + gn*G; */
2336 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2337 /* also compute ae and ge: the actual accumulated factors for A and G */
2338 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2339 secp256k1_scalar_mul(&ae, &ae, &xn);
2340 secp256k1_scalar_mul(&ge, &ge, &xn);
2341 secp256k1_scalar_add(&ge, &ge, &gn);
2342 /* modify xn and gn */
2343 secp256k1_scalar_mul(&xn, &xn, &xf);
2344 secp256k1_scalar_mul(&gn, &gn, &gf);
2348 /* expected result after 19999 iterations */
2349 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2350 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2351 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2352 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2353 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2356 secp256k1_gej_neg(&rp, &rp);
2357 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2358 CHECK(secp256k1_gej_is_infinity(&rp));
2361 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2362 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2363 secp256k1_gej_neg(&x2, &x2);
2364 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2365 CHECK(secp256k1_gej_is_infinity(&x2));
2368 void test_point_times_order(const secp256k1_gej *point) {
2369 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2371 secp256k1_scalar nx;
2372 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2373 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2374 secp256k1_gej res1, res2;
2376 unsigned char pub[65];
2378 random_scalar_order_test(&x);
2379 secp256k1_scalar_negate(&nx, &x);
2380 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2381 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2382 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2383 CHECK(secp256k1_gej_is_infinity(&res1));
2384 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2385 secp256k1_ge_set_gej(&res3, &res1);
2386 CHECK(secp256k1_ge_is_infinity(&res3));
2387 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2388 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2390 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2391 /* check zero/one edge cases */
2392 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2393 secp256k1_ge_set_gej(&res3, &res1);
2394 CHECK(secp256k1_ge_is_infinity(&res3));
2395 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2396 secp256k1_ge_set_gej(&res3, &res1);
2397 ge_equals_gej(&res3, point);
2398 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2399 secp256k1_ge_set_gej(&res3, &res1);
2400 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2403 void run_point_times_order(void) {
2405 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2406 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2407 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2408 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2410 for (i = 0; i < 500; i++) {
2412 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2414 CHECK(secp256k1_ge_is_valid_var(&p));
2415 secp256k1_gej_set_ge(&j, &p);
2416 CHECK(secp256k1_gej_is_valid_var(&j));
2417 test_point_times_order(&j);
2419 secp256k1_fe_sqr(&x, &x);
2421 secp256k1_fe_normalize_var(&x);
2422 CHECK(secp256k1_fe_equal_var(&x, &xr));
2425 void ecmult_const_random_mult(void) {
2426 /* random starting point A (on the curve) */
2427 secp256k1_ge a = SECP256K1_GE_CONST(
2428 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2429 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2430 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2431 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2433 /* random initial factor xn */
2434 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2435 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2436 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2438 /* expected xn * A (from sage) */
2439 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2440 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2441 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2442 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2443 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2446 secp256k1_ecmult_const(&b, &a, &xn);
2448 CHECK(secp256k1_ge_is_valid_var(&a));
2449 ge_equals_gej(&expected_b, &b);
2452 void ecmult_const_commutativity(void) {
2459 random_scalar_order_test(&a);
2460 random_scalar_order_test(&b);
2462 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2463 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2464 secp256k1_ge_set_gej(&mid1, &res1);
2465 secp256k1_ge_set_gej(&mid2, &res2);
2466 secp256k1_ecmult_const(&res1, &mid1, &b);
2467 secp256k1_ecmult_const(&res2, &mid2, &a);
2468 secp256k1_ge_set_gej(&mid1, &res1);
2469 secp256k1_ge_set_gej(&mid2, &res2);
2470 ge_equals_ge(&mid1, &mid2);
2473 void ecmult_const_mult_zero_one(void) {
2474 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2475 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2476 secp256k1_scalar negone;
2480 secp256k1_scalar_negate(&negone, &one);
2482 random_group_element_test(&point);
2483 secp256k1_ecmult_const(&res1, &point, &zero);
2484 secp256k1_ge_set_gej(&res2, &res1);
2485 CHECK(secp256k1_ge_is_infinity(&res2));
2486 secp256k1_ecmult_const(&res1, &point, &one);
2487 secp256k1_ge_set_gej(&res2, &res1);
2488 ge_equals_ge(&res2, &point);
2489 secp256k1_ecmult_const(&res1, &point, &negone);
2490 secp256k1_gej_neg(&res1, &res1);
2491 secp256k1_ge_set_gej(&res2, &res1);
2492 ge_equals_ge(&res2, &point);
2495 void ecmult_const_chain_multiply(void) {
2496 /* Check known result (randomly generated test problem from sage) */
2497 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2498 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2499 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2501 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2502 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2503 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2504 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2505 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2507 secp256k1_gej point;
2511 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2512 for (i = 0; i < 100; ++i) {
2514 secp256k1_ge_set_gej(&tmp, &point);
2515 secp256k1_ecmult_const(&point, &tmp, &scalar);
2517 secp256k1_ge_set_gej(&res, &point);
2518 ge_equals_gej(&res, &expected_point);
2521 void run_ecmult_const_tests(void) {
2522 ecmult_const_mult_zero_one();
2523 ecmult_const_random_mult();
2524 ecmult_const_commutativity();
2525 ecmult_const_chain_multiply();
2529 secp256k1_scalar *sc;
2531 } ecmult_multi_data;
2533 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2534 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2535 *sc = data->sc[idx];
2536 *pt = data->pt[idx];
2540 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2548 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2550 secp256k1_scalar szero;
2551 secp256k1_scalar sc[32];
2552 secp256k1_ge pt[32];
2555 ecmult_multi_data data;
2556 secp256k1_scratch *scratch_empty;
2560 secp256k1_scalar_set_int(&szero, 0);
2561 secp256k1_scratch_reset(scratch);
2563 /* No points to multiply */
2564 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2566 /* Check 1- and 2-point multiplies against ecmult */
2567 for (ncount = 0; ncount < count; ncount++) {
2570 random_scalar_order(&sc[0]);
2571 random_scalar_order(&sc[1]);
2573 random_group_element_test(&ptg);
2574 secp256k1_gej_set_ge(&ptgj, &ptg);
2576 pt[1] = secp256k1_ge_const_g;
2579 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2580 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2581 secp256k1_gej_neg(&r2, &r2);
2582 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2583 CHECK(secp256k1_gej_is_infinity(&r));
2586 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2587 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2588 secp256k1_gej_neg(&r2, &r2);
2589 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2590 CHECK(secp256k1_gej_is_infinity(&r));
2592 /* Try to multiply 1 point, but scratch space is empty */
2593 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0, 0);
2594 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2595 secp256k1_scratch_destroy(scratch_empty);
2597 /* Try to multiply 1 point, but callback returns false */
2598 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2601 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2602 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2603 secp256k1_gej_neg(&r2, &r2);
2604 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2605 CHECK(secp256k1_gej_is_infinity(&r));
2607 /* 2-point with G scalar */
2608 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2609 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2610 secp256k1_gej_neg(&r2, &r2);
2611 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2612 CHECK(secp256k1_gej_is_infinity(&r));
2615 /* Check infinite outputs of various forms */
2616 for (ncount = 0; ncount < count; ncount++) {
2619 size_t sizes[] = { 2, 10, 32 };
2621 for (j = 0; j < 3; j++) {
2622 for (i = 0; i < 32; i++) {
2623 random_scalar_order(&sc[i]);
2624 secp256k1_ge_set_infinity(&pt[i]);
2626 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2627 CHECK(secp256k1_gej_is_infinity(&r));
2630 for (j = 0; j < 3; j++) {
2631 for (i = 0; i < 32; i++) {
2632 random_group_element_test(&ptg);
2634 secp256k1_scalar_set_int(&sc[i], 0);
2636 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2637 CHECK(secp256k1_gej_is_infinity(&r));
2640 for (j = 0; j < 3; j++) {
2641 random_group_element_test(&ptg);
2642 for (i = 0; i < 16; i++) {
2643 random_scalar_order(&sc[2*i]);
2644 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2646 pt[2 * i + 1] = ptg;
2649 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2650 CHECK(secp256k1_gej_is_infinity(&r));
2652 random_scalar_order(&sc[0]);
2653 for (i = 0; i < 16; i++) {
2654 random_group_element_test(&ptg);
2659 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2662 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2663 CHECK(secp256k1_gej_is_infinity(&r));
2666 random_group_element_test(&ptg);
2667 secp256k1_scalar_set_int(&sc[0], 0);
2669 for (i = 1; i < 32; i++) {
2672 random_scalar_order(&sc[i]);
2673 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2674 secp256k1_scalar_negate(&sc[i], &sc[i]);
2677 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2678 CHECK(secp256k1_gej_is_infinity(&r));
2681 /* Check random points, constant scalar */
2682 for (ncount = 0; ncount < count; ncount++) {
2684 secp256k1_gej_set_infinity(&r);
2686 random_scalar_order(&sc[0]);
2687 for (i = 0; i < 20; i++) {
2690 random_group_element_test(&ptg);
2692 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2695 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2696 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2697 secp256k1_gej_neg(&r2, &r2);
2698 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2699 CHECK(secp256k1_gej_is_infinity(&r));
2702 /* Check random scalars, constant point */
2703 for (ncount = 0; ncount < count; ncount++) {
2707 secp256k1_scalar rs;
2708 secp256k1_scalar_set_int(&rs, 0);
2710 random_group_element_test(&ptg);
2711 for (i = 0; i < 20; i++) {
2712 random_scalar_order(&sc[i]);
2714 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2717 secp256k1_gej_set_ge(&p0j, &pt[0]);
2718 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2719 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2720 secp256k1_gej_neg(&r2, &r2);
2721 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2722 CHECK(secp256k1_gej_is_infinity(&r));
2725 /* Sanity check that zero scalars don't cause problems */
2726 secp256k1_scalar_clear(&sc[0]);
2727 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2728 secp256k1_scalar_clear(&sc[1]);
2729 secp256k1_scalar_clear(&sc[2]);
2730 secp256k1_scalar_clear(&sc[3]);
2731 secp256k1_scalar_clear(&sc[4]);
2732 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2733 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2734 CHECK(secp256k1_gej_is_infinity(&r));
2736 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2738 const size_t TOP = 8;
2744 random_group_element_test(&ptg);
2745 secp256k1_gej_set_ge(&ptgj, &ptg);
2747 for(t0i = 0; t0i < TOP; t0i++) {
2748 for(t1i = 0; t1i < TOP; t1i++) {
2749 secp256k1_gej t0p, t1p;
2750 secp256k1_scalar t0, t1;
2752 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2753 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2754 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2755 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2757 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2758 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2760 for(s0i = 0; s0i < TOP; s0i++) {
2761 for(s1i = 0; s1i < TOP; s1i++) {
2762 secp256k1_scalar tmp1, tmp2;
2763 secp256k1_gej expected, actual;
2765 secp256k1_ge_set_gej(&pt[0], &t0p);
2766 secp256k1_ge_set_gej(&pt[1], &t1p);
2768 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2769 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2770 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2771 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2773 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2774 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2775 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2777 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2778 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2779 secp256k1_gej_neg(&expected, &expected);
2780 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2781 CHECK(secp256k1_gej_is_infinity(&actual));
2789 void test_secp256k1_pippenger_bucket_window_inv(void) {
2792 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2793 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2794 #ifdef USE_ENDOMORPHISM
2795 /* Bucket_window of 8 is not used with endo */
2800 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2801 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2802 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2808 * Probabilistically test the function returning the maximum number of possible points
2809 * for a given scratch space.
2811 void test_ecmult_multi_pippenger_max_points(void) {
2812 size_t scratch_size = secp256k1_rand_int(256);
2813 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2814 secp256k1_scratch *scratch;
2815 size_t n_points_supported;
2816 int bucket_window = 0;
2818 for(; scratch_size < max_size; scratch_size+=256) {
2819 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size);
2820 CHECK(scratch != NULL);
2821 n_points_supported = secp256k1_pippenger_max_points(scratch);
2822 if (n_points_supported == 0) {
2823 secp256k1_scratch_destroy(scratch);
2826 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2827 CHECK(secp256k1_scratch_resize(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2828 secp256k1_scratch_destroy(scratch);
2830 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2834 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2835 * 1 <= i <= num points.
2837 void test_ecmult_multi_batching(void) {
2838 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2839 secp256k1_scalar scG;
2840 secp256k1_scalar szero;
2841 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2842 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2845 ecmult_multi_data data;
2847 secp256k1_scratch *scratch;
2849 secp256k1_gej_set_infinity(&r2);
2850 secp256k1_scalar_set_int(&szero, 0);
2852 /* Get random scalars and group elements and compute result */
2853 random_scalar_order(&scG);
2854 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2855 for(i = 0; i < n_points; i++) {
2858 random_group_element_test(&ptg);
2859 secp256k1_gej_set_ge(&ptgj, &ptg);
2861 random_scalar_order(&sc[i]);
2862 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2863 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2868 /* Test with empty scratch space */
2869 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, 0);
2870 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2871 secp256k1_scratch_destroy(scratch);
2873 /* Test with space for 1 point in pippenger. That's not enough because
2874 * ecmult_multi selects strauss which requires more memory. */
2875 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2876 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2877 secp256k1_scratch_destroy(scratch);
2879 secp256k1_gej_neg(&r2, &r2);
2880 for(i = 1; i <= n_points; i++) {
2881 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2882 int bucket_window = secp256k1_pippenger_bucket_window(i);
2883 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2884 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2886 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2887 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2889 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2890 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2891 CHECK(secp256k1_gej_is_infinity(&r));
2892 secp256k1_scratch_destroy(scratch);
2898 void run_ecmult_multi_tests(void) {
2899 secp256k1_scratch *scratch;
2901 test_secp256k1_pippenger_bucket_window_inv();
2902 test_ecmult_multi_pippenger_max_points();
2903 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, 819200);
2904 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2905 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2906 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2907 secp256k1_scratch_destroy(scratch);
2909 /* Run test_ecmult_multi with space for exactly one point */
2910 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2911 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2912 secp256k1_scratch_destroy(scratch);
2914 test_ecmult_multi_batching();
2917 void test_wnaf(const secp256k1_scalar *number, int w) {
2918 secp256k1_scalar x, two, t;
2923 secp256k1_scalar_set_int(&x, 0);
2924 secp256k1_scalar_set_int(&two, 2);
2925 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2927 for (i = bits-1; i >= 0; i--) {
2929 secp256k1_scalar_mul(&x, &x, &two);
2931 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2933 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2934 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2935 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2937 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2941 secp256k1_scalar_set_int(&t, v);
2943 secp256k1_scalar_set_int(&t, -v);
2944 secp256k1_scalar_negate(&t, &t);
2946 secp256k1_scalar_add(&x, &x, &t);
2948 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2951 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2952 secp256k1_scalar neg1 = *number;
2953 secp256k1_scalar neg2 = *number;
2957 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2958 secp256k1_scalar_negate(&neg1, &neg1);
2961 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2962 CHECK(sign1 == sign2);
2963 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2966 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2967 secp256k1_scalar x, shift;
2968 int wnaf[256] = {0};
2971 secp256k1_scalar num = *number;
2973 secp256k1_scalar_set_int(&x, 0);
2974 secp256k1_scalar_set_int(&shift, 1 << w);
2975 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2976 #ifdef USE_ENDOMORPHISM
2977 for (i = 0; i < 16; ++i) {
2978 secp256k1_scalar_shr_int(&num, 8);
2981 skew = secp256k1_wnaf_const(wnaf, num, w);
2983 for (i = WNAF_SIZE(w); i >= 0; --i) {
2986 CHECK(v != 0); /* check nonzero */
2987 CHECK(v & 1); /* check parity */
2988 CHECK(v > -(1 << w)); /* check range above */
2989 CHECK(v < (1 << w)); /* check range below */
2991 secp256k1_scalar_mul(&x, &x, &shift);
2993 secp256k1_scalar_set_int(&t, v);
2995 secp256k1_scalar_set_int(&t, -v);
2996 secp256k1_scalar_negate(&t, &t);
2998 secp256k1_scalar_add(&x, &x, &t);
3000 /* Skew num because when encoding numbers as odd we use an offset */
3001 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3002 CHECK(secp256k1_scalar_eq(&x, &num));
3005 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3006 secp256k1_scalar x, shift;
3007 int wnaf[256] = {0};
3010 secp256k1_scalar num = *number;
3012 secp256k1_scalar_set_int(&x, 0);
3013 secp256k1_scalar_set_int(&shift, 1 << w);
3014 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3015 #ifdef USE_ENDOMORPHISM
3016 for (i = 0; i < 16; ++i) {
3017 secp256k1_scalar_shr_int(&num, 8);
3020 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3022 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3025 CHECK(v == 0 || v & 1); /* check parity */
3026 CHECK(v > -(1 << w)); /* check range above */
3027 CHECK(v < (1 << w)); /* check range below */
3029 secp256k1_scalar_mul(&x, &x, &shift);
3031 secp256k1_scalar_set_int(&t, v);
3033 secp256k1_scalar_set_int(&t, -v);
3034 secp256k1_scalar_negate(&t, &t);
3036 secp256k1_scalar_add(&x, &x, &t);
3038 /* If skew is 1 then add 1 to num */
3039 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3040 CHECK(secp256k1_scalar_eq(&x, &num));
3043 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3045 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3047 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3048 CHECK(wnaf[i] == 0);
3050 for (i = 7; i >= 0; --i) {
3051 CHECK(wnaf[i] == wnaf_expected[i]);
3055 void test_fixed_wnaf_small(void) {
3057 int wnaf[256] = {0};
3060 secp256k1_scalar num;
3062 secp256k1_scalar_set_int(&num, 0);
3063 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3064 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3070 secp256k1_scalar_set_int(&num, 1);
3071 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3072 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3076 CHECK(wnaf[0] == 1);
3080 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3081 secp256k1_scalar_set_int(&num, 0xffffffff);
3082 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3083 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3087 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3088 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3089 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3090 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3094 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3095 secp256k1_scalar_set_int(&num, 0x01010101);
3096 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3097 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3101 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3102 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3103 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3104 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3109 void run_wnaf(void) {
3111 secp256k1_scalar n = {{0}};
3113 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3114 * have easier-to-diagnose failure modes */
3116 test_constant_wnaf(&n, 4);
3118 test_constant_wnaf(&n, 4);
3120 test_fixed_wnaf_small();
3122 for (i = 0; i < count; i++) {
3123 random_scalar_order(&n);
3124 test_wnaf(&n, 4+(i%10));
3125 test_constant_wnaf_negate(&n);
3126 test_constant_wnaf(&n, 4 + (i % 10));
3127 test_fixed_wnaf(&n, 4 + (i % 10));
3129 secp256k1_scalar_set_int(&n, 0);
3130 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3131 CHECK(secp256k1_scalar_is_zero(&n));
3132 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3133 CHECK(secp256k1_scalar_is_zero(&n));
3136 void test_ecmult_constants(void) {
3137 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3143 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3144 for (i = 0; i < 36; i++ ) {
3145 secp256k1_scalar_set_int(&x, i);
3146 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3147 for (j = 0; j < i; j++) {
3149 ge_equals_gej(&secp256k1_ge_const_g, &r);
3151 secp256k1_gej_add_ge(&r, &r, &ng);
3153 CHECK(secp256k1_gej_is_infinity(&r));
3155 for (i = 1; i <= 36; i++ ) {
3156 secp256k1_scalar_set_int(&x, i);
3157 secp256k1_scalar_negate(&x, &x);
3158 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3159 for (j = 0; j < i; j++) {
3161 ge_equals_gej(&ng, &r);
3163 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3165 CHECK(secp256k1_gej_is_infinity(&r));
3169 void run_ecmult_constants(void) {
3170 test_ecmult_constants();
3173 void test_ecmult_gen_blind(void) {
3174 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3175 secp256k1_scalar key;
3177 unsigned char seed32[32];
3179 secp256k1_gej pgej2;
3182 random_scalar_order_test(&key);
3183 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3184 secp256k1_rand256(seed32);
3185 b = ctx->ecmult_gen_ctx.blind;
3186 i = ctx->ecmult_gen_ctx.initial;
3187 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3188 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3189 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3190 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3191 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3192 secp256k1_ge_set_gej(&pge, &pgej);
3193 ge_equals_gej(&pge, &pgej2);
3196 void test_ecmult_gen_blind_reset(void) {
3197 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3199 secp256k1_gej initial;
3200 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3201 b = ctx->ecmult_gen_ctx.blind;
3202 initial = ctx->ecmult_gen_ctx.initial;
3203 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3204 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3205 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3208 void run_ecmult_gen_blind(void) {
3210 test_ecmult_gen_blind_reset();
3211 for (i = 0; i < 10; i++) {
3212 test_ecmult_gen_blind();
3216 #ifdef USE_ENDOMORPHISM
3217 /***** ENDOMORPHISH TESTS *****/
3218 void test_scalar_split(void) {
3219 secp256k1_scalar full;
3220 secp256k1_scalar s1, slam;
3221 const unsigned char zero[32] = {0};
3222 unsigned char tmp[32];
3224 random_scalar_order_test(&full);
3225 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3227 /* check that both are <= 128 bits in size */
3228 if (secp256k1_scalar_is_high(&s1)) {
3229 secp256k1_scalar_negate(&s1, &s1);
3231 if (secp256k1_scalar_is_high(&slam)) {
3232 secp256k1_scalar_negate(&slam, &slam);
3235 secp256k1_scalar_get_b32(tmp, &s1);
3236 CHECK(memcmp(zero, tmp, 16) == 0);
3237 secp256k1_scalar_get_b32(tmp, &slam);
3238 CHECK(memcmp(zero, tmp, 16) == 0);
3241 void run_endomorphism_tests(void) {
3242 test_scalar_split();
3246 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3247 unsigned char pubkeyc[65];
3248 secp256k1_pubkey pubkey;
3253 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3254 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3255 /* Smaller sizes are tested exhaustively elsewhere. */
3257 memcpy(&pubkeyc[1], input, 64);
3258 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3259 for (i = 0; i < 256; i++) {
3260 /* Try all type bytes. */
3265 /* What sign does this point have? */
3266 ysign = (input[63] & 1) + 2;
3267 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3268 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3269 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3270 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3271 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3272 if (xpass || ypass) {
3273 /* These cases must parse. */
3274 unsigned char pubkeyo[65];
3276 memset(&pubkey, 0, sizeof(pubkey));
3277 VG_UNDEF(&pubkey, sizeof(pubkey));
3279 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3280 VG_CHECK(&pubkey, sizeof(pubkey));
3282 VG_UNDEF(pubkeyo, 65);
3283 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3284 VG_CHECK(pubkeyo, outl);
3286 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3287 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3289 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3290 CHECK(pubkeyo[0] == ysign);
3291 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3292 memset(&pubkey, 0, sizeof(pubkey));
3293 VG_UNDEF(&pubkey, sizeof(pubkey));
3294 secp256k1_pubkey_save(&pubkey, &ge);
3295 VG_CHECK(&pubkey, sizeof(pubkey));
3297 VG_UNDEF(pubkeyo, 65);
3298 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3299 VG_CHECK(pubkeyo, outl);
3301 CHECK(pubkeyo[0] == 4);
3302 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3306 /* These cases must fail to parse. */
3307 memset(&pubkey, 0xfe, sizeof(pubkey));
3309 VG_UNDEF(&pubkey, sizeof(pubkey));
3310 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3311 VG_CHECK(&pubkey, sizeof(pubkey));
3313 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3318 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3321 void run_ec_pubkey_parse_test(void) {
3322 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3323 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3325 /* Point with leading and trailing zeros in x and y serialization. */
3326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3327 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3328 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3329 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3332 /* Point with x equal to a 3rd root of unity.*/
3333 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3334 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3335 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3336 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3339 /* Point with largest x. (1/2) */
3340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3342 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3343 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3346 /* Point with largest x. (2/2) */
3347 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3348 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3349 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3350 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3353 /* Point with smallest x. (1/2) */
3354 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3355 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3356 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3357 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3360 /* Point with smallest x. (2/2) */
3361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3362 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3363 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3364 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3367 /* Point with largest y. (1/3) */
3368 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3369 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3370 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3371 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3374 /* Point with largest y. (2/3) */
3375 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3376 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3377 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3378 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3381 /* Point with largest y. (3/3) */
3382 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3383 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3384 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3385 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3388 /* Point with smallest y. (1/3) */
3389 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3390 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3395 /* Point with smallest y. (2/3) */
3396 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3397 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3402 /* Point with smallest y. (3/3) */
3403 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3404 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3409 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3410 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3412 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3413 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3414 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3415 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3419 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3420 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3421 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3422 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3423 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3426 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3427 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3428 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3429 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3430 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3433 /* x on curve, y is from y^2 = x^3 + 8. */
3434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3435 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3440 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3441 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3443 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3444 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3445 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3446 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3450 /* Valid if x overflow ignored (x = 1 mod p). */
3451 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3453 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3454 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3457 /* Valid if x overflow ignored (x = 1 mod p). */
3458 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3459 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3460 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3461 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3464 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3465 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3466 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3467 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3468 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3471 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3472 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3473 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3474 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3475 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3478 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3479 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3480 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3481 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3482 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3485 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3486 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3488 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3489 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3492 const unsigned char pubkeyc[66] = {
3493 /* Serialization of G. */
3494 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3495 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3496 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3497 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3500 unsigned char sout[65];
3501 unsigned char shortkey[2];
3503 secp256k1_pubkey pubkey;
3509 /* Nothing should be reading this far into pubkeyc. */
3510 VG_UNDEF(&pubkeyc[65], 1);
3511 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3512 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3513 memset(&pubkey, 0xfe, sizeof(pubkey));
3515 VG_UNDEF(shortkey, 2);
3516 VG_UNDEF(&pubkey, sizeof(pubkey));
3517 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3518 VG_CHECK(&pubkey, sizeof(pubkey));
3520 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3522 /* Length one claimed, fail, zeroize, no illegal arg error. */
3523 for (i = 0; i < 256 ; i++) {
3524 memset(&pubkey, 0xfe, sizeof(pubkey));
3527 VG_UNDEF(&shortkey[1], 1);
3528 VG_UNDEF(&pubkey, sizeof(pubkey));
3529 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3530 VG_CHECK(&pubkey, sizeof(pubkey));
3532 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3535 /* Length two claimed, fail, zeroize, no illegal arg error. */
3536 for (i = 0; i < 65536 ; i++) {
3537 memset(&pubkey, 0xfe, sizeof(pubkey));
3539 shortkey[0] = i & 255;
3540 shortkey[1] = i >> 8;
3541 VG_UNDEF(&pubkey, sizeof(pubkey));
3542 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3543 VG_CHECK(&pubkey, sizeof(pubkey));
3545 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3548 memset(&pubkey, 0xfe, sizeof(pubkey));
3550 VG_UNDEF(&pubkey, sizeof(pubkey));
3551 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3552 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3553 VG_CHECK(&pubkey, sizeof(pubkey));
3555 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3557 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3558 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3560 /* NULL input string. Illegal arg and zeroize output. */
3561 memset(&pubkey, 0xfe, sizeof(pubkey));
3563 VG_UNDEF(&pubkey, sizeof(pubkey));
3564 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3565 VG_CHECK(&pubkey, sizeof(pubkey));
3567 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3569 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3570 memset(&pubkey, 0xfe, sizeof(pubkey));
3572 VG_UNDEF(&pubkey, sizeof(pubkey));
3573 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3574 VG_CHECK(&pubkey, sizeof(pubkey));
3576 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3578 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3579 memset(&pubkey, 0xfe, sizeof(pubkey));
3581 VG_UNDEF(&pubkey, sizeof(pubkey));
3582 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3583 VG_CHECK(&pubkey, sizeof(pubkey));
3585 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3588 memset(&pubkey, 0, sizeof(pubkey));
3590 VG_UNDEF(&pubkey, sizeof(pubkey));
3591 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3592 VG_CHECK(&pubkey, sizeof(pubkey));
3594 VG_UNDEF(&ge, sizeof(ge));
3595 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3596 VG_CHECK(&ge.x, sizeof(ge.x));
3597 VG_CHECK(&ge.y, sizeof(ge.y));
3598 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3599 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3601 /* secp256k1_ec_pubkey_serialize illegal args. */
3604 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3607 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3611 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3616 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3621 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3625 /* Multiple illegal args. Should still set arg error only once. */
3628 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3630 /* Does the illegal arg callback actually change the behavior? */
3631 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3632 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3634 CHECK(ecount2 == 10);
3635 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3636 /* Try a bunch of prefabbed points with all possible encodings. */
3637 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3638 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3640 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3641 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3643 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3644 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3648 void run_eckey_edge_case_test(void) {
3649 const unsigned char orderc[32] = {
3650 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3651 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3652 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3653 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3655 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3656 unsigned char ctmp[33];
3657 unsigned char ctmp2[33];
3658 secp256k1_pubkey pubkey;
3659 secp256k1_pubkey pubkey2;
3660 secp256k1_pubkey pubkey_one;
3661 secp256k1_pubkey pubkey_negone;
3662 const secp256k1_pubkey *pubkeys[3];
3665 /* Group order is too large, reject. */
3666 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3667 VG_UNDEF(&pubkey, sizeof(pubkey));
3668 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3669 VG_CHECK(&pubkey, sizeof(pubkey));
3670 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3671 /* Maximum value is too large, reject. */
3672 memset(ctmp, 255, 32);
3673 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3674 memset(&pubkey, 1, sizeof(pubkey));
3675 VG_UNDEF(&pubkey, sizeof(pubkey));
3676 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3677 VG_CHECK(&pubkey, sizeof(pubkey));
3678 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3679 /* Zero is too small, reject. */
3680 memset(ctmp, 0, 32);
3681 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3682 memset(&pubkey, 1, sizeof(pubkey));
3683 VG_UNDEF(&pubkey, sizeof(pubkey));
3684 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3685 VG_CHECK(&pubkey, sizeof(pubkey));
3686 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3687 /* One must be accepted. */
3689 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3690 memset(&pubkey, 0, sizeof(pubkey));
3691 VG_UNDEF(&pubkey, sizeof(pubkey));
3692 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3693 VG_CHECK(&pubkey, sizeof(pubkey));
3694 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3695 pubkey_one = pubkey;
3696 /* Group order + 1 is too large, reject. */
3697 memcpy(ctmp, orderc, 32);
3699 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3700 memset(&pubkey, 1, sizeof(pubkey));
3701 VG_UNDEF(&pubkey, sizeof(pubkey));
3702 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3703 VG_CHECK(&pubkey, sizeof(pubkey));
3704 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3705 /* -1 must be accepted. */
3707 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3708 memset(&pubkey, 0, sizeof(pubkey));
3709 VG_UNDEF(&pubkey, sizeof(pubkey));
3710 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3711 VG_CHECK(&pubkey, sizeof(pubkey));
3712 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3713 pubkey_negone = pubkey;
3714 /* Tweak of zero leaves the value unchanged. */
3715 memset(ctmp2, 0, 32);
3716 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3717 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3718 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3719 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3720 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3721 /* Multiply tweak of zero zeroizes the output. */
3722 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3723 CHECK(memcmp(zeros, ctmp, 32) == 0);
3724 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3725 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3726 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3727 /* Overflowing key tweak zeroizes. */
3728 memcpy(ctmp, orderc, 32);
3730 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3731 CHECK(memcmp(zeros, ctmp, 32) == 0);
3732 memcpy(ctmp, orderc, 32);
3734 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3735 CHECK(memcmp(zeros, ctmp, 32) == 0);
3736 memcpy(ctmp, orderc, 32);
3738 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3739 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3740 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3741 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3742 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3743 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3744 /* Private key tweaks results in a key of zero. */
3746 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3747 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3749 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3750 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3751 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3752 /* Tweak computation wraps and results in a key of 1. */
3754 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3755 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3757 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3759 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3760 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3761 /* Tweak mul * 2 = 1+1. */
3762 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3764 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3765 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3766 /* Test argument errors. */
3768 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3770 /* Zeroize pubkey on parse error. */
3771 memset(&pubkey, 0, 32);
3772 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3774 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3775 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3776 memset(&pubkey2, 0, 32);
3777 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3779 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3780 /* Plain argument errors. */
3782 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3784 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3787 memset(ctmp2, 0, 32);
3789 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3791 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3794 memset(ctmp2, 0, 32);
3796 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3798 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3801 memset(ctmp2, 0, 32);
3802 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3804 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3807 memset(ctmp2, 0, 32);
3809 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3811 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3814 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3816 memset(&pubkey, 1, sizeof(pubkey));
3817 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3819 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3820 /* secp256k1_ec_pubkey_combine tests. */
3822 pubkeys[0] = &pubkey_one;
3823 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3824 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3825 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3826 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3827 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3828 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3829 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3830 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3832 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3833 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3835 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3836 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3837 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3838 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3839 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3841 pubkeys[0] = &pubkey_negone;
3842 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3843 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3844 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3845 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3846 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3849 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3850 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3851 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3852 /* Result is infinity. */
3853 pubkeys[0] = &pubkey_one;
3854 pubkeys[1] = &pubkey_negone;
3855 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3856 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3857 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3858 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3859 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3861 /* Passes through infinity but comes out one. */
3862 pubkeys[2] = &pubkey_one;
3863 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3864 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3865 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3866 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3867 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3870 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3871 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3872 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3874 pubkeys[1] = &pubkey_one;
3875 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3876 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3877 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3878 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3879 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3881 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3884 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3885 secp256k1_scalar nonce;
3887 random_scalar_order_test(&nonce);
3888 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3891 void test_ecdsa_sign_verify(void) {
3894 secp256k1_scalar one;
3895 secp256k1_scalar msg, key;
3896 secp256k1_scalar sigr, sigs;
3899 random_scalar_order_test(&msg);
3900 random_scalar_order_test(&key);
3901 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3902 secp256k1_ge_set_gej(&pub, &pubj);
3903 getrec = secp256k1_rand_bits(1);
3904 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3906 CHECK(recid >= 0 && recid < 4);
3908 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3909 secp256k1_scalar_set_int(&one, 1);
3910 secp256k1_scalar_add(&msg, &msg, &one);
3911 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3914 void run_ecdsa_sign_verify(void) {
3916 for (i = 0; i < 10*count; i++) {
3917 test_ecdsa_sign_verify();
3921 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3922 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3926 memcpy(nonce32, data, 32);
3927 return (counter == 0);
3930 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3931 /* Dummy nonce generator that has a fatal error on the first counter value. */
3935 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3938 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3939 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3941 memset(nonce32, counter==0 ? 0 : 255, 32);
3948 static const unsigned char order[] = {
3949 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3950 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3951 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3952 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3954 memcpy(nonce32, order, 32);
3960 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3961 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3965 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3968 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3969 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3970 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3973 void test_ecdsa_end_to_end(void) {
3974 unsigned char extra[32] = {0x00};
3975 unsigned char privkey[32];
3976 unsigned char message[32];
3977 unsigned char privkey2[32];
3978 secp256k1_ecdsa_signature signature[6];
3979 secp256k1_scalar r, s;
3980 unsigned char sig[74];
3982 unsigned char pubkeyc[65];
3983 size_t pubkeyclen = 65;
3984 secp256k1_pubkey pubkey;
3985 secp256k1_pubkey pubkey_tmp;
3986 unsigned char seckey[300];
3987 size_t seckeylen = 300;
3989 /* Generate a random key and message. */
3991 secp256k1_scalar msg, key;
3992 random_scalar_order_test(&msg);
3993 random_scalar_order_test(&key);
3994 secp256k1_scalar_get_b32(privkey, &key);
3995 secp256k1_scalar_get_b32(message, &msg);
3998 /* Construct and verify corresponding public key. */
3999 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4000 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4002 /* Verify exporting and importing public key. */
4003 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4004 memset(&pubkey, 0, sizeof(pubkey));
4005 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4007 /* Verify negation changes the key and changes it back */
4008 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4009 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4010 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4011 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4012 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4014 /* Verify private key import and export. */
4015 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4016 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4017 CHECK(memcmp(privkey, privkey2, 32) == 0);
4019 /* Optionally tweak the keys using addition. */
4020 if (secp256k1_rand_int(3) == 0) {
4023 unsigned char rnd[32];
4024 secp256k1_pubkey pubkey2;
4025 secp256k1_rand256_test(rnd);
4026 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4027 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4028 CHECK(ret1 == ret2);
4032 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4033 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4036 /* Optionally tweak the keys using multiplication. */
4037 if (secp256k1_rand_int(3) == 0) {
4040 unsigned char rnd[32];
4041 secp256k1_pubkey pubkey2;
4042 secp256k1_rand256_test(rnd);
4043 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4044 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4045 CHECK(ret1 == ret2);
4049 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4050 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4054 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4055 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4056 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4058 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4061 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4062 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4063 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4064 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4065 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4066 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4067 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4068 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4070 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4071 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4072 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4073 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4074 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4075 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4076 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4077 secp256k1_scalar_negate(&s, &s);
4078 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4079 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4080 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4081 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4082 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4083 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4084 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4085 secp256k1_scalar_negate(&s, &s);
4086 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4087 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4088 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4089 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4091 /* Serialize/parse DER and verify again */
4092 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4093 memset(&signature[0], 0, sizeof(signature[0]));
4094 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4095 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4096 /* Serialize/destroy/parse DER and verify again. */
4098 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4099 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4100 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4101 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4104 void test_random_pubkeys(void) {
4107 unsigned char in[65];
4108 /* Generate some randomly sized pubkeys. */
4109 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4110 if (secp256k1_rand_bits(2) == 0) {
4111 len = secp256k1_rand_bits(6);
4114 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4116 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4118 if (secp256k1_rand_bits(3) == 0) {
4119 in[0] = secp256k1_rand_bits(8);
4122 secp256k1_rand256(&in[1]);
4125 secp256k1_rand256(&in[33]);
4127 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4128 unsigned char out[65];
4129 unsigned char firstb;
4133 /* If the pubkey can be parsed, it should round-trip... */
4134 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4136 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4137 /* ... except for the type of hybrid inputs. */
4138 if ((in[0] != 6) && (in[0] != 7)) {
4139 CHECK(in[0] == out[0]);
4142 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4144 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4145 ge_equals_ge(&elem,&elem2);
4146 /* Check that the X9.62 hybrid type is checked. */
4147 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4148 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4149 if (firstb == 2 || firstb == 3) {
4150 if (in[0] == firstb + 4) {
4157 ge_equals_ge(&elem,&elem2);
4158 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4159 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4164 void run_random_pubkeys(void) {
4166 for (i = 0; i < 10*count; i++) {
4167 test_random_pubkeys();
4171 void run_ecdsa_end_to_end(void) {
4173 for (i = 0; i < 64*count; i++) {
4174 test_ecdsa_end_to_end();
4178 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4179 static const unsigned char zeroes[32] = {0};
4180 #ifdef ENABLE_OPENSSL_TESTS
4181 static const unsigned char max_scalar[32] = {
4182 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4184 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4185 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4191 secp256k1_ecdsa_signature sig_der;
4192 unsigned char roundtrip_der[2048];
4193 unsigned char compact_der[64];
4194 size_t len_der = 2048;
4195 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4197 secp256k1_ecdsa_signature sig_der_lax;
4198 unsigned char roundtrip_der_lax[2048];
4199 unsigned char compact_der_lax[64];
4200 size_t len_der_lax = 2048;
4201 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4203 #ifdef ENABLE_OPENSSL_TESTS
4204 ECDSA_SIG *sig_openssl;
4205 const BIGNUM *r = NULL, *s = NULL;
4206 const unsigned char *sigptr;
4207 unsigned char roundtrip_openssl[2048];
4208 int len_openssl = 2048;
4209 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4212 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4214 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4215 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4218 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4219 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4222 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4223 if (parsed_der_lax) {
4224 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4225 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4227 if (valid_der_lax) {
4228 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4229 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4232 if (certainly_der) {
4233 ret |= (!parsed_der) << 2;
4235 if (certainly_not_der) {
4236 ret |= (parsed_der) << 17;
4239 ret |= (!roundtrips_der) << 3;
4243 ret |= (!roundtrips_der_lax) << 12;
4244 ret |= (len_der != len_der_lax) << 13;
4245 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4247 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4249 ret |= (!parsed_der_lax) << 16;
4252 #ifdef ENABLE_OPENSSL_TESTS
4253 sig_openssl = ECDSA_SIG_new();
4255 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4256 if (parsed_openssl) {
4257 ECDSA_SIG_get0(sig_openssl, &r, &s);
4258 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4259 if (valid_openssl) {
4260 unsigned char tmp[32] = {0};
4261 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4262 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4264 if (valid_openssl) {
4265 unsigned char tmp[32] = {0};
4266 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4267 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4270 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4271 if (len_openssl <= 2048) {
4272 unsigned char *ptr = roundtrip_openssl;
4273 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4274 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4278 ECDSA_SIG_free(sig_openssl);
4280 ret |= (parsed_der && !parsed_openssl) << 4;
4281 ret |= (valid_der && !valid_openssl) << 5;
4282 ret |= (roundtrips_openssl && !parsed_der) << 6;
4283 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4284 if (roundtrips_openssl) {
4285 ret |= (len_der != (size_t)len_openssl) << 8;
4286 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4292 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4294 for (i = 0; i < ptrlen; i++) {
4295 int shift = ptrlen - 1 - i;
4299 ptr[i] = (val >> shift) & 0xFF;
4304 static void damage_array(unsigned char *sig, size_t *len) {
4306 int action = secp256k1_rand_bits(3);
4307 if (action < 1 && *len > 3) {
4308 /* Delete a byte. */
4309 pos = secp256k1_rand_int(*len);
4310 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4313 } else if (action < 2 && *len < 2048) {
4314 /* Insert a byte. */
4315 pos = secp256k1_rand_int(1 + *len);
4316 memmove(sig + pos + 1, sig + pos, *len - pos);
4317 sig[pos] = secp256k1_rand_bits(8);
4320 } else if (action < 4) {
4321 /* Modify a byte. */
4322 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4324 } else { /* action < 8 */
4326 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4331 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4333 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4334 size_t tlen, elen, glen;
4339 der = secp256k1_rand_bits(2) == 0;
4340 *certainly_der = der;
4341 *certainly_not_der = 0;
4342 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4344 for (n = 0; n < 2; n++) {
4345 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4346 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4347 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4348 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4349 CHECK(nlen[n] <= 232);
4350 /* The top bit of the number. */
4351 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4352 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4353 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4354 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4355 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4356 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4357 *certainly_not_der = 1;
4359 CHECK(nlen[n] + nzlen[n] <= 300);
4360 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4361 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4363 /* nlenlen[n] max 127 bytes */
4364 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4367 *certainly_not_der = 1;
4370 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4373 /* The total length of the data to go, so far */
4374 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4377 /* The length of the garbage inside the tuple. */
4378 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4380 *certainly_not_der = 1;
4385 /* The length of the garbage after the end of the tuple. */
4386 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4388 *certainly_not_der = 1;
4390 CHECK(tlen + glen <= 990);
4392 /* Write the tuple header. */
4393 sig[(*len)++] = 0x30;
4395 /* Indeterminate length */
4396 sig[(*len)++] = 0x80;
4397 *certainly_not_der = 1;
4399 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4401 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4404 *certainly_not_der = 1;
4408 /* Short length notation */
4409 sig[(*len)++] = tlen;
4411 /* Long length notation */
4412 sig[(*len)++] = 128 + tlenlen;
4413 assign_big_endian(sig + *len, tlenlen, tlen);
4419 CHECK(tlen + glen <= 1119);
4421 for (n = 0; n < 2; n++) {
4422 /* Write the integer header. */
4423 sig[(*len)++] = 0x02;
4424 if (nlenlen[n] == 0) {
4425 /* Short length notation */
4426 sig[(*len)++] = nlen[n] + nzlen[n];
4428 /* Long length notation. */
4429 sig[(*len)++] = 128 + nlenlen[n];
4430 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4433 /* Write zero padding */
4434 while (nzlen[n] > 0) {
4435 sig[(*len)++] = 0x00;
4438 if (nlen[n] == 32 && !nlow[n]) {
4439 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4441 for (i = 0; i < 16; i++) {
4442 sig[(*len)++] = 0xFF;
4446 /* Write first byte of number */
4448 sig[(*len)++] = nhbyte[n];
4451 /* Generate remaining random bytes of number */
4452 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4457 /* Generate random garbage inside tuple. */
4458 secp256k1_rand_bytes_test(sig + *len, elen);
4461 /* Generate end-of-contents bytes. */
4467 CHECK(tlen + glen <= 1121);
4469 /* Generate random garbage outside tuple. */
4470 secp256k1_rand_bytes_test(sig + *len, glen);
4473 CHECK(tlen <= 1121);
4474 CHECK(tlen == *len);
4477 void run_ecdsa_der_parse(void) {
4479 for (i = 0; i < 200 * count; i++) {
4480 unsigned char buffer[2048];
4482 int certainly_der = 0;
4483 int certainly_not_der = 0;
4484 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4485 CHECK(buflen <= 2048);
4486 for (j = 0; j < 16; j++) {
4489 damage_array(buffer, &buflen);
4490 /* We don't know anything anymore about the DERness of the result */
4492 certainly_not_der = 0;
4494 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4497 fprintf(stderr, "Failure %x on ", ret);
4498 for (k = 0; k < buflen; k++) {
4499 fprintf(stderr, "%02x ", buffer[k]);
4501 fprintf(stderr, "\n");
4508 /* Tests several edge cases. */
4509 void test_ecdsa_edge_cases(void) {
4511 secp256k1_ecdsa_signature sig;
4513 /* Test the case where ECDSA recomputes a point that is infinity. */
4517 secp256k1_scalar msg;
4518 secp256k1_scalar sr, ss;
4519 secp256k1_scalar_set_int(&ss, 1);
4520 secp256k1_scalar_negate(&ss, &ss);
4521 secp256k1_scalar_inverse(&ss, &ss);
4522 secp256k1_scalar_set_int(&sr, 1);
4523 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4524 secp256k1_ge_set_gej(&key, &keyj);
4526 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4529 /* Verify signature with r of zero fails. */
4531 const unsigned char pubkey_mods_zero[33] = {
4532 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4533 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4534 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4535 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4539 secp256k1_scalar msg;
4540 secp256k1_scalar sr, ss;
4541 secp256k1_scalar_set_int(&ss, 1);
4542 secp256k1_scalar_set_int(&msg, 0);
4543 secp256k1_scalar_set_int(&sr, 0);
4544 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4545 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4548 /* Verify signature with s of zero fails. */
4550 const unsigned char pubkey[33] = {
4551 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4552 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4558 secp256k1_scalar msg;
4559 secp256k1_scalar sr, ss;
4560 secp256k1_scalar_set_int(&ss, 0);
4561 secp256k1_scalar_set_int(&msg, 0);
4562 secp256k1_scalar_set_int(&sr, 1);
4563 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4564 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4567 /* Verify signature with message 0 passes. */
4569 const unsigned char pubkey[33] = {
4570 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4576 const unsigned char pubkey2[33] = {
4577 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4578 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4579 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4580 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4585 secp256k1_scalar msg;
4586 secp256k1_scalar sr, ss;
4587 secp256k1_scalar_set_int(&ss, 2);
4588 secp256k1_scalar_set_int(&msg, 0);
4589 secp256k1_scalar_set_int(&sr, 2);
4590 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4591 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4592 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4593 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4594 secp256k1_scalar_negate(&ss, &ss);
4595 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4596 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4597 secp256k1_scalar_set_int(&ss, 1);
4598 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4599 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4602 /* Verify signature with message 1 passes. */
4604 const unsigned char pubkey[33] = {
4605 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4606 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4607 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4608 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4611 const unsigned char pubkey2[33] = {
4612 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4613 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4614 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4615 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4618 const unsigned char csr[32] = {
4619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4621 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4622 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4626 secp256k1_scalar msg;
4627 secp256k1_scalar sr, ss;
4628 secp256k1_scalar_set_int(&ss, 1);
4629 secp256k1_scalar_set_int(&msg, 1);
4630 secp256k1_scalar_set_b32(&sr, csr, NULL);
4631 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4632 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4633 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4634 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4635 secp256k1_scalar_negate(&ss, &ss);
4636 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4637 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4638 secp256k1_scalar_set_int(&ss, 2);
4639 secp256k1_scalar_inverse_var(&ss, &ss);
4640 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4641 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4644 /* Verify signature with message -1 passes. */
4646 const unsigned char pubkey[33] = {
4647 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4648 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4649 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4650 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4653 const unsigned char csr[32] = {
4654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4656 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4657 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4660 secp256k1_scalar msg;
4661 secp256k1_scalar sr, ss;
4662 secp256k1_scalar_set_int(&ss, 1);
4663 secp256k1_scalar_set_int(&msg, 1);
4664 secp256k1_scalar_negate(&msg, &msg);
4665 secp256k1_scalar_set_b32(&sr, csr, NULL);
4666 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4667 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4668 secp256k1_scalar_negate(&ss, &ss);
4669 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4670 secp256k1_scalar_set_int(&ss, 3);
4671 secp256k1_scalar_inverse_var(&ss, &ss);
4672 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4675 /* Signature where s would be zero. */
4677 secp256k1_pubkey pubkey;
4680 unsigned char signature[72];
4681 static const unsigned char nonce[32] = {
4682 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4683 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4684 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4687 static const unsigned char nonce2[32] = {
4688 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4689 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4690 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4691 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4693 const unsigned char key[32] = {
4694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4699 unsigned char msg[32] = {
4700 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4701 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4702 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4703 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4706 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4707 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4708 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4710 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4712 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4714 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4716 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4718 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4719 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4720 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4722 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4724 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4726 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4728 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4730 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4731 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4734 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4736 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4737 CHECK(ecount == 10);
4738 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4739 CHECK(ecount == 11);
4740 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4741 CHECK(ecount == 11);
4742 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4743 CHECK(ecount == 12);
4744 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4745 CHECK(ecount == 13);
4746 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4747 CHECK(ecount == 13);
4749 /* Too little room for a signature does not fail via ARGCHECK. */
4750 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4751 CHECK(ecount == 13);
4753 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4755 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4757 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4759 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4761 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4763 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4765 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4767 memset(signature, 255, 64);
4768 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4770 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4773 /* Nonce function corner cases. */
4774 for (t = 0; t < 2; t++) {
4775 static const unsigned char zero[32] = {0x00};
4777 unsigned char key[32];
4778 unsigned char msg[32];
4779 secp256k1_ecdsa_signature sig2;
4780 secp256k1_scalar sr[512], ss;
4781 const unsigned char *extra;
4782 extra = t == 0 ? NULL : zero;
4785 /* High key results in signature failure. */
4786 memset(key, 0xFF, 32);
4787 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4788 CHECK(is_empty_signature(&sig));
4789 /* Zero key results in signature failure. */
4791 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4792 CHECK(is_empty_signature(&sig));
4793 /* Nonce function failure results in signature failure. */
4795 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4796 CHECK(is_empty_signature(&sig));
4797 /* The retry loop successfully makes its way to the first good value. */
4798 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4799 CHECK(!is_empty_signature(&sig));
4800 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4801 CHECK(!is_empty_signature(&sig2));
4802 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4803 /* The default nonce function is deterministic. */
4804 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4805 CHECK(!is_empty_signature(&sig2));
4806 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4807 /* The default nonce function changes output with different messages. */
4808 for(i = 0; i < 256; i++) {
4811 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4812 CHECK(!is_empty_signature(&sig2));
4813 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4814 for (j = 0; j < i; j++) {
4815 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4820 /* The default nonce function changes output with different keys. */
4821 for(i = 256; i < 512; i++) {
4824 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4825 CHECK(!is_empty_signature(&sig2));
4826 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4827 for (j = 0; j < i; j++) {
4828 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4835 /* Check that optional nonce arguments do not have equivalent effect. */
4836 const unsigned char zeros[32] = {0};
4837 unsigned char nonce[32];
4838 unsigned char nonce2[32];
4839 unsigned char nonce3[32];
4840 unsigned char nonce4[32];
4842 VG_UNDEF(nonce2,32);
4843 VG_UNDEF(nonce3,32);
4844 VG_UNDEF(nonce4,32);
4845 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4847 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4848 VG_CHECK(nonce2,32);
4849 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4850 VG_CHECK(nonce3,32);
4851 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4852 VG_CHECK(nonce4,32);
4853 CHECK(memcmp(nonce, nonce2, 32) != 0);
4854 CHECK(memcmp(nonce, nonce3, 32) != 0);
4855 CHECK(memcmp(nonce, nonce4, 32) != 0);
4856 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4857 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4858 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4862 /* Privkey export where pubkey is the point at infinity. */
4864 unsigned char privkey[300];
4865 unsigned char seckey[32] = {
4866 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4867 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4868 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4869 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4871 size_t outlen = 300;
4872 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4874 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4878 void run_ecdsa_edge_cases(void) {
4879 test_ecdsa_edge_cases();
4882 #ifdef ENABLE_OPENSSL_TESTS
4883 EC_KEY *get_openssl_key(const unsigned char *key32) {
4884 unsigned char privkey[300];
4886 const unsigned char* pbegin = privkey;
4887 int compr = secp256k1_rand_bits(1);
4888 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4889 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4890 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4891 CHECK(EC_KEY_check_key(ec_key));
4895 void test_ecdsa_openssl(void) {
4898 secp256k1_scalar sigr, sigs;
4899 secp256k1_scalar one;
4900 secp256k1_scalar msg2;
4901 secp256k1_scalar key, msg;
4903 unsigned int sigsize = 80;
4904 size_t secp_sigsize = 80;
4905 unsigned char message[32];
4906 unsigned char signature[80];
4907 unsigned char key32[32];
4908 secp256k1_rand256_test(message);
4909 secp256k1_scalar_set_b32(&msg, message, NULL);
4910 random_scalar_order_test(&key);
4911 secp256k1_scalar_get_b32(key32, &key);
4912 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4913 secp256k1_ge_set_gej(&q, &qj);
4914 ec_key = get_openssl_key(key32);
4915 CHECK(ec_key != NULL);
4916 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4917 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4918 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4919 secp256k1_scalar_set_int(&one, 1);
4920 secp256k1_scalar_add(&msg2, &msg, &one);
4921 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4923 random_sign(&sigr, &sigs, &key, &msg, NULL);
4924 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4925 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4927 EC_KEY_free(ec_key);
4930 void run_ecdsa_openssl(void) {
4932 for (i = 0; i < 10*count; i++) {
4933 test_ecdsa_openssl();
4938 #ifdef ENABLE_MODULE_ECDH
4939 # include "modules/ecdh/tests_impl.h"
4942 #ifdef ENABLE_MODULE_RECOVERY
4943 # include "modules/recovery/tests_impl.h"
4946 int main(int argc, char **argv) {
4947 unsigned char seed16[16] = {0};
4948 unsigned char run32[32] = {0};
4949 /* find iteration count */
4951 count = strtol(argv[1], NULL, 0);
4954 /* find random seed */
4957 const char* ch = argv[2];
4958 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4960 if (sscanf(ch, "%2hx", &sh)) {
4969 FILE *frand = fopen("/dev/urandom", "r");
4970 if ((frand == NULL) || fread(&seed16, sizeof(seed16), 1, frand) != sizeof(seed16)) {
4971 uint64_t t = time(NULL) * (uint64_t)1337;
4973 seed16[1] ^= t >> 8;
4974 seed16[2] ^= t >> 16;
4975 seed16[3] ^= t >> 24;
4976 seed16[4] ^= t >> 32;
4977 seed16[5] ^= t >> 40;
4978 seed16[6] ^= t >> 48;
4979 seed16[7] ^= t >> 56;
4985 secp256k1_rand_seed(seed16);
4987 printf("test count = %i\n", count);
4988 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4991 run_context_tests();
4992 run_scratch_tests();
4993 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
4994 if (secp256k1_rand_bits(1)) {
4995 secp256k1_rand256(run32);
4996 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5003 run_hmac_sha256_tests();
5004 run_rfc6979_hmac_sha256_tests();
5006 #ifndef USE_NUM_NONE
5008 run_num_smalltests();
5016 run_field_inv_var();
5017 run_field_inv_all_var();
5019 run_field_convert();
5025 run_group_decompress();
5029 run_point_times_order();
5031 run_ecmult_constants();
5032 run_ecmult_gen_blind();
5033 run_ecmult_const_tests();
5034 run_ecmult_multi_tests();
5037 /* endomorphism tests */
5038 #ifdef USE_ENDOMORPHISM
5039 run_endomorphism_tests();
5042 /* EC point parser test */
5043 run_ec_pubkey_parse_test();
5045 /* EC key edge cases */
5046 run_eckey_edge_case_test();
5048 #ifdef ENABLE_MODULE_ECDH
5054 run_random_pubkeys();
5055 run_ecdsa_der_parse();
5056 run_ecdsa_sign_verify();
5057 run_ecdsa_end_to_end();
5058 run_ecdsa_edge_cases();
5059 #ifdef ENABLE_OPENSSL_TESTS
5060 run_ecdsa_openssl();
5063 #ifdef ENABLE_MODULE_RECOVERY
5064 /* ECDSA pubkey recovery tests */
5065 run_recovery_tests();
5068 secp256k1_rand256(run32);
5069 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5072 secp256k1_context_destroy(ctx);
5074 printf("no problems found\n");
projects / secp256k1.git / blob