1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
166 /*** clone and destroy all of them to make sure cloning was complete ***/
168 secp256k1_context *ctx_tmp;
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
188 /* Verify context-type checking illegal-argument errors. */
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
223 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
224 CHECK(ecount2 == 14);
225 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
226 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
228 /* This shouldn't leak memory, due to already-set tests. */
229 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
230 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
232 /* obtain a working nonce */
234 random_scalar_order_test(&nonce);
235 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
238 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
239 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
242 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
243 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
246 secp256k1_context_destroy(none);
247 secp256k1_context_destroy(sign);
248 secp256k1_context_destroy(vrfy);
249 secp256k1_context_destroy(both);
250 /* Defined as no-op. */
251 secp256k1_context_destroy(NULL);
254 void run_scratch_tests(void) {
256 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
257 secp256k1_scratch_space *scratch;
259 /* Test public API */
260 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
262 scratch = secp256k1_scratch_space_create(none, 1000);
263 CHECK(scratch != NULL);
266 /* Test internal API */
267 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
268 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
270 /* Allocating 500 bytes with no frame fails */
271 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
272 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
274 /* ...but pushing a new stack frame does affect the max allocation */
275 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
276 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
277 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
278 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
280 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
282 /* ...and this effect is undone by popping the frame */
283 secp256k1_scratch_deallocate_frame(scratch);
284 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
285 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
288 secp256k1_scratch_space_destroy(scratch);
289 secp256k1_context_destroy(none);
292 /***** HASH TESTS *****/
294 void run_sha256_tests(void) {
295 static const char *inputs[8] = {
296 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
297 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
298 "For this sample, this 63-byte string will be used as input data",
299 "This is exactly 64 bytes long, not counting the terminating byte"
301 static const unsigned char outputs[8][32] = {
302 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
303 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
304 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
305 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
306 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
307 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
308 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
309 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
312 for (i = 0; i < 8; i++) {
313 unsigned char out[32];
314 secp256k1_sha256 hasher;
315 secp256k1_sha256_initialize(&hasher);
316 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
317 secp256k1_sha256_finalize(&hasher, out);
318 CHECK(memcmp(out, outputs[i], 32) == 0);
319 if (strlen(inputs[i]) > 0) {
320 int split = secp256k1_rand_int(strlen(inputs[i]));
321 secp256k1_sha256_initialize(&hasher);
322 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
323 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
324 secp256k1_sha256_finalize(&hasher, out);
325 CHECK(memcmp(out, outputs[i], 32) == 0);
330 void run_hmac_sha256_tests(void) {
331 static const char *keys[6] = {
332 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
334 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
335 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
336 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
337 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
339 static const char *inputs[6] = {
340 "\x48\x69\x20\x54\x68\x65\x72\x65",
341 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
342 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
343 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
344 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
345 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
347 static const unsigned char outputs[6][32] = {
348 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
349 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
350 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
351 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
352 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
353 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
356 for (i = 0; i < 6; i++) {
357 secp256k1_hmac_sha256 hasher;
358 unsigned char out[32];
359 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
360 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
361 secp256k1_hmac_sha256_finalize(&hasher, out);
362 CHECK(memcmp(out, outputs[i], 32) == 0);
363 if (strlen(inputs[i]) > 0) {
364 int split = secp256k1_rand_int(strlen(inputs[i]));
365 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
366 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
367 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
368 secp256k1_hmac_sha256_finalize(&hasher, out);
369 CHECK(memcmp(out, outputs[i], 32) == 0);
374 void run_rfc6979_hmac_sha256_tests(void) {
375 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
376 static const unsigned char out1[3][32] = {
377 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
378 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
379 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
382 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
383 static const unsigned char out2[3][32] = {
384 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
385 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
386 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
389 secp256k1_rfc6979_hmac_sha256 rng;
390 unsigned char out[32];
393 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
394 for (i = 0; i < 3; i++) {
395 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
396 CHECK(memcmp(out, out1[i], 32) == 0);
398 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
400 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
401 for (i = 0; i < 3; i++) {
402 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
403 CHECK(memcmp(out, out1[i], 32) != 0);
405 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
407 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
408 for (i = 0; i < 3; i++) {
409 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
410 CHECK(memcmp(out, out2[i], 32) == 0);
412 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
415 /***** RANDOM TESTS *****/
417 void test_rand_bits(int rand32, int bits) {
418 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
419 * get a false negative chance below once in a billion */
420 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
421 /* We try multiplying the results with various odd numbers, which shouldn't
422 * influence the uniform distribution modulo a power of 2. */
423 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
424 /* We only select up to 6 bits from the output to analyse */
425 unsigned int usebits = bits > 6 ? 6 : bits;
426 unsigned int maxshift = bits - usebits;
427 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
428 number, track all observed outcomes, one per bit in a uint64_t. */
429 uint64_t x[6][27] = {{0}};
430 unsigned int i, shift, m;
431 /* Multiply the output of all rand calls with the odd number m, which
432 should not change the uniformity of its distribution. */
433 for (i = 0; i < rounds[usebits]; i++) {
434 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
435 CHECK((((uint64_t)r) >> bits) == 0);
436 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
437 uint32_t rm = r * mults[m];
438 for (shift = 0; shift <= maxshift; shift++) {
439 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
443 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
444 for (shift = 0; shift <= maxshift; shift++) {
445 /* Test that the lower usebits bits of x[shift] are 1 */
446 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
451 /* Subrange must be a whole divisor of range, and at most 64 */
452 void test_rand_int(uint32_t range, uint32_t subrange) {
453 /* (1-1/subrange)^rounds < 1/10^9 */
454 int rounds = (subrange * 2073) / 100;
457 CHECK((range % subrange) == 0);
458 for (i = 0; i < rounds; i++) {
459 uint32_t r = secp256k1_rand_int(range);
462 x |= (((uint64_t)1) << r);
464 /* Test that the lower subrange bits of x are 1. */
465 CHECK(((~x) << (64 - subrange)) == 0);
468 void run_rand_bits(void) {
470 test_rand_bits(1, 32);
471 for (b = 1; b <= 32; b++) {
472 test_rand_bits(0, b);
476 void run_rand_int(void) {
477 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
478 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
480 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
481 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
482 test_rand_int(ms[m] * ss[s], ss[s]);
487 /***** NUM TESTS *****/
490 void random_num_negate(secp256k1_num *num) {
491 if (secp256k1_rand_bits(1)) {
492 secp256k1_num_negate(num);
496 void random_num_order_test(secp256k1_num *num) {
498 random_scalar_order_test(&sc);
499 secp256k1_scalar_get_num(num, &sc);
502 void random_num_order(secp256k1_num *num) {
504 random_scalar_order(&sc);
505 secp256k1_scalar_get_num(num, &sc);
508 void test_num_negate(void) {
511 random_num_order_test(&n1); /* n1 = R */
512 random_num_negate(&n1);
513 secp256k1_num_copy(&n2, &n1); /* n2 = R */
514 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
515 CHECK(secp256k1_num_is_zero(&n1));
516 secp256k1_num_copy(&n1, &n2); /* n1 = R */
517 secp256k1_num_negate(&n1); /* n1 = -R */
518 CHECK(!secp256k1_num_is_zero(&n1));
519 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
520 CHECK(secp256k1_num_is_zero(&n1));
521 secp256k1_num_copy(&n1, &n2); /* n1 = R */
522 secp256k1_num_negate(&n1); /* n1 = -R */
523 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
524 secp256k1_num_negate(&n1); /* n1 = R */
525 CHECK(secp256k1_num_eq(&n1, &n2));
528 void test_num_add_sub(void) {
533 secp256k1_num n1p2, n2p1, n1m2, n2m1;
534 random_num_order_test(&n1); /* n1 = R1 */
535 if (secp256k1_rand_bits(1)) {
536 random_num_negate(&n1);
538 random_num_order_test(&n2); /* n2 = R2 */
539 if (secp256k1_rand_bits(1)) {
540 random_num_negate(&n2);
542 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
543 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
544 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
545 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
546 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
547 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
548 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
549 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
550 CHECK(!secp256k1_num_eq(&n2m1, &n1));
551 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
552 CHECK(secp256k1_num_eq(&n2m1, &n1));
553 CHECK(!secp256k1_num_eq(&n2p1, &n1));
554 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
555 CHECK(secp256k1_num_eq(&n2p1, &n1));
558 secp256k1_scalar_set_int(&s, 1);
559 secp256k1_scalar_get_num(&n1, &s);
560 CHECK(secp256k1_num_is_one(&n1));
561 /* check that 2^n + 1 is never 1 */
562 secp256k1_scalar_get_num(&n2, &s);
563 for (i = 0; i < 250; ++i) {
564 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
565 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
566 CHECK(!secp256k1_num_is_one(&n1p2));
570 void test_num_mod(void) {
573 secp256k1_num order, n;
575 /* check that 0 mod anything is 0 */
576 random_scalar_order_test(&s);
577 secp256k1_scalar_get_num(&order, &s);
578 secp256k1_scalar_set_int(&s, 0);
579 secp256k1_scalar_get_num(&n, &s);
580 secp256k1_num_mod(&n, &order);
581 CHECK(secp256k1_num_is_zero(&n));
583 /* check that anything mod 1 is 0 */
584 secp256k1_scalar_set_int(&s, 1);
585 secp256k1_scalar_get_num(&order, &s);
586 secp256k1_scalar_get_num(&n, &s);
587 secp256k1_num_mod(&n, &order);
588 CHECK(secp256k1_num_is_zero(&n));
590 /* check that increasing the number past 2^256 does not break this */
591 random_scalar_order_test(&s);
592 secp256k1_scalar_get_num(&n, &s);
593 /* multiply by 2^8, which'll test this case with high probability */
594 for (i = 0; i < 8; ++i) {
595 secp256k1_num_add(&n, &n, &n);
597 secp256k1_num_mod(&n, &order);
598 CHECK(secp256k1_num_is_zero(&n));
601 void test_num_jacobi(void) {
602 secp256k1_scalar sqr;
603 secp256k1_scalar small;
604 secp256k1_scalar five; /* five is not a quadratic residue */
605 secp256k1_num order, n;
607 /* squares mod 5 are 1, 4 */
608 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
610 /* check some small values with 5 as the order */
611 secp256k1_scalar_set_int(&five, 5);
612 secp256k1_scalar_get_num(&order, &five);
613 for (i = 0; i < 10; ++i) {
614 secp256k1_scalar_set_int(&small, i);
615 secp256k1_scalar_get_num(&n, &small);
616 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
619 /** test large values with 5 as group order */
620 secp256k1_scalar_get_num(&order, &five);
621 /* we first need a scalar which is not a multiple of 5 */
624 random_scalar_order_test(&sqr);
625 secp256k1_scalar_get_num(&fiven, &five);
626 secp256k1_scalar_get_num(&n, &sqr);
627 secp256k1_num_mod(&n, &fiven);
628 } while (secp256k1_num_is_zero(&n));
629 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
630 * just multiply by two, i.e. add the number to itself */
631 if (secp256k1_num_jacobi(&n, &order) == -1) {
632 secp256k1_num_add(&n, &n, &n);
636 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
637 /* test nonresidue */
638 secp256k1_num_add(&n, &n, &n);
639 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
641 /** test with secp group order as order */
642 secp256k1_scalar_order_get_num(&order);
643 random_scalar_order_test(&sqr);
644 secp256k1_scalar_sqr(&sqr, &sqr);
646 secp256k1_scalar_get_num(&n, &sqr);
647 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
648 /* test nonresidue */
649 secp256k1_scalar_mul(&sqr, &sqr, &five);
650 secp256k1_scalar_get_num(&n, &sqr);
651 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
652 /* test multiple of the order*/
653 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
655 /* check one less than the order */
656 secp256k1_scalar_set_int(&small, 1);
657 secp256k1_scalar_get_num(&n, &small);
658 secp256k1_num_sub(&n, &order, &n);
659 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
662 void run_num_smalltests(void) {
664 for (i = 0; i < 100*count; i++) {
673 /***** SCALAR TESTS *****/
675 void scalar_test(void) {
680 secp256k1_num snum, s1num, s2num;
681 secp256k1_num order, half_order;
685 /* Set 's' to a random scalar, with value 'snum'. */
686 random_scalar_order_test(&s);
688 /* Set 's1' to a random scalar, with value 's1num'. */
689 random_scalar_order_test(&s1);
691 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
692 random_scalar_order_test(&s2);
693 secp256k1_scalar_get_b32(c, &s2);
696 secp256k1_scalar_get_num(&snum, &s);
697 secp256k1_scalar_get_num(&s1num, &s1);
698 secp256k1_scalar_get_num(&s2num, &s2);
700 secp256k1_scalar_order_get_num(&order);
702 secp256k1_num_shift(&half_order, 1);
707 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
709 secp256k1_scalar_set_int(&n, 0);
710 for (i = 0; i < 256; i += 4) {
713 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
714 for (j = 0; j < 4; j++) {
715 secp256k1_scalar_add(&n, &n, &n);
717 secp256k1_scalar_add(&n, &n, &t);
719 CHECK(secp256k1_scalar_eq(&n, &s));
723 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
726 secp256k1_scalar_set_int(&n, 0);
730 int now = secp256k1_rand_int(15) + 1;
734 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
735 for (j = 0; j < now; j++) {
736 secp256k1_scalar_add(&n, &n, &n);
738 secp256k1_scalar_add(&n, &n, &t);
741 CHECK(secp256k1_scalar_eq(&n, &s));
746 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
750 secp256k1_num_add(&rnum, &snum, &s2num);
751 secp256k1_num_mod(&rnum, &order);
752 secp256k1_scalar_add(&r, &s, &s2);
753 secp256k1_scalar_get_num(&r2num, &r);
754 CHECK(secp256k1_num_eq(&rnum, &r2num));
758 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
762 secp256k1_num_mul(&rnum, &snum, &s2num);
763 secp256k1_num_mod(&rnum, &order);
764 secp256k1_scalar_mul(&r, &s, &s2);
765 secp256k1_scalar_get_num(&r2num, &r);
766 CHECK(secp256k1_num_eq(&rnum, &r2num));
767 /* The result can only be zero if at least one of the factors was zero. */
768 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
769 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
770 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
771 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
775 secp256k1_scalar neg;
776 secp256k1_num negnum;
777 secp256k1_num negnum2;
778 /* Check that comparison with zero matches comparison with zero on the number. */
779 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
780 /* Check that comparison with the half order is equal to testing for high scalar. */
781 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
782 secp256k1_scalar_negate(&neg, &s);
783 secp256k1_num_sub(&negnum, &order, &snum);
784 secp256k1_num_mod(&negnum, &order);
785 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
786 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
787 /* Negating should change the high property, unless the value was already zero. */
788 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
789 secp256k1_scalar_get_num(&negnum2, &neg);
790 /* Negating a scalar should be equal to (order - n) mod order on the number. */
791 CHECK(secp256k1_num_eq(&negnum, &negnum2));
792 secp256k1_scalar_add(&neg, &neg, &s);
793 /* Adding a number to its negation should result in zero. */
794 CHECK(secp256k1_scalar_is_zero(&neg));
795 secp256k1_scalar_negate(&neg, &neg);
796 /* Negating zero should still result in zero. */
797 CHECK(secp256k1_scalar_is_zero(&neg));
801 /* Test secp256k1_scalar_mul_shift_var. */
806 unsigned char cone[1] = {0x01};
807 unsigned int shift = 256 + secp256k1_rand_int(257);
808 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
809 secp256k1_num_mul(&rnum, &s1num, &s2num);
810 secp256k1_num_shift(&rnum, shift - 1);
811 secp256k1_num_set_bin(&one, cone, 1);
812 secp256k1_num_add(&rnum, &rnum, &one);
813 secp256k1_num_shift(&rnum, 1);
814 secp256k1_scalar_get_num(&rnum2, &r);
815 CHECK(secp256k1_num_eq(&rnum, &rnum2));
819 /* test secp256k1_scalar_shr_int */
822 random_scalar_order_test(&r);
823 for (i = 0; i < 100; ++i) {
825 int shift = 1 + secp256k1_rand_int(15);
826 int expected = r.d[0] % (1 << shift);
827 low = secp256k1_scalar_shr_int(&r, shift);
828 CHECK(expected == low);
834 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
835 if (!secp256k1_scalar_is_zero(&s)) {
836 secp256k1_scalar inv;
838 secp256k1_num invnum;
839 secp256k1_num invnum2;
841 secp256k1_scalar_inverse(&inv, &s);
843 secp256k1_num_mod_inverse(&invnum, &snum, &order);
844 secp256k1_scalar_get_num(&invnum2, &inv);
845 CHECK(secp256k1_num_eq(&invnum, &invnum2));
847 secp256k1_scalar_mul(&inv, &inv, &s);
848 /* Multiplying a scalar with its inverse must result in one. */
849 CHECK(secp256k1_scalar_is_one(&inv));
850 secp256k1_scalar_inverse(&inv, &inv);
851 /* Inverting one must result in one. */
852 CHECK(secp256k1_scalar_is_one(&inv));
854 secp256k1_scalar_get_num(&invnum, &inv);
855 CHECK(secp256k1_num_is_one(&invnum));
861 /* Test commutativity of add. */
862 secp256k1_scalar r1, r2;
863 secp256k1_scalar_add(&r1, &s1, &s2);
864 secp256k1_scalar_add(&r2, &s2, &s1);
865 CHECK(secp256k1_scalar_eq(&r1, &r2));
869 secp256k1_scalar r1, r2;
873 int bit = secp256k1_rand_bits(8);
874 secp256k1_scalar_set_int(&b, 1);
875 CHECK(secp256k1_scalar_is_one(&b));
876 for (i = 0; i < bit; i++) {
877 secp256k1_scalar_add(&b, &b, &b);
881 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
882 /* No overflow happened. */
883 secp256k1_scalar_cadd_bit(&r2, bit, 1);
884 CHECK(secp256k1_scalar_eq(&r1, &r2));
885 /* cadd is a noop when flag is zero */
886 secp256k1_scalar_cadd_bit(&r2, bit, 0);
887 CHECK(secp256k1_scalar_eq(&r1, &r2));
892 /* Test commutativity of mul. */
893 secp256k1_scalar r1, r2;
894 secp256k1_scalar_mul(&r1, &s1, &s2);
895 secp256k1_scalar_mul(&r2, &s2, &s1);
896 CHECK(secp256k1_scalar_eq(&r1, &r2));
900 /* Test associativity of add. */
901 secp256k1_scalar r1, r2;
902 secp256k1_scalar_add(&r1, &s1, &s2);
903 secp256k1_scalar_add(&r1, &r1, &s);
904 secp256k1_scalar_add(&r2, &s2, &s);
905 secp256k1_scalar_add(&r2, &s1, &r2);
906 CHECK(secp256k1_scalar_eq(&r1, &r2));
910 /* Test associativity of mul. */
911 secp256k1_scalar r1, r2;
912 secp256k1_scalar_mul(&r1, &s1, &s2);
913 secp256k1_scalar_mul(&r1, &r1, &s);
914 secp256k1_scalar_mul(&r2, &s2, &s);
915 secp256k1_scalar_mul(&r2, &s1, &r2);
916 CHECK(secp256k1_scalar_eq(&r1, &r2));
920 /* Test distributitivity of mul over add. */
921 secp256k1_scalar r1, r2, t;
922 secp256k1_scalar_add(&r1, &s1, &s2);
923 secp256k1_scalar_mul(&r1, &r1, &s);
924 secp256k1_scalar_mul(&r2, &s1, &s);
925 secp256k1_scalar_mul(&t, &s2, &s);
926 secp256k1_scalar_add(&r2, &r2, &t);
927 CHECK(secp256k1_scalar_eq(&r1, &r2));
932 secp256k1_scalar r1, r2;
933 secp256k1_scalar_sqr(&r1, &s1);
934 secp256k1_scalar_mul(&r2, &s1, &s1);
935 CHECK(secp256k1_scalar_eq(&r1, &r2));
939 /* Test multiplicative identity. */
940 secp256k1_scalar r1, v1;
941 secp256k1_scalar_set_int(&v1,1);
942 secp256k1_scalar_mul(&r1, &s1, &v1);
943 CHECK(secp256k1_scalar_eq(&r1, &s1));
947 /* Test additive identity. */
948 secp256k1_scalar r1, v0;
949 secp256k1_scalar_set_int(&v0,0);
950 secp256k1_scalar_add(&r1, &s1, &v0);
951 CHECK(secp256k1_scalar_eq(&r1, &s1));
955 /* Test zero product property. */
956 secp256k1_scalar r1, v0;
957 secp256k1_scalar_set_int(&v0,0);
958 secp256k1_scalar_mul(&r1, &s1, &v0);
959 CHECK(secp256k1_scalar_eq(&r1, &v0));
964 void run_scalar_tests(void) {
966 for (i = 0; i < 128 * count; i++) {
971 /* (-1)+1 should be zero. */
972 secp256k1_scalar s, o;
973 secp256k1_scalar_set_int(&s, 1);
974 CHECK(secp256k1_scalar_is_one(&s));
975 secp256k1_scalar_negate(&o, &s);
976 secp256k1_scalar_add(&o, &o, &s);
977 CHECK(secp256k1_scalar_is_zero(&o));
978 secp256k1_scalar_negate(&o, &o);
979 CHECK(secp256k1_scalar_is_zero(&o));
984 /* A scalar with value of the curve order should be 0. */
986 secp256k1_scalar zero;
987 unsigned char bin[32];
989 secp256k1_scalar_order_get_num(&order);
990 secp256k1_num_get_bin(bin, 32, &order);
991 secp256k1_scalar_set_b32(&zero, bin, &overflow);
992 CHECK(overflow == 1);
993 CHECK(secp256k1_scalar_is_zero(&zero));
998 /* Does check_overflow check catch all ones? */
999 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1000 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1001 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1003 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1007 /* Static test vectors.
1008 * These were reduced from ~10^12 random vectors based on comparison-decision
1009 * and edge-case coverage on 32-bit and 64-bit implementations.
1010 * The responses were generated with Sage 5.9.
1015 secp256k1_scalar zz;
1016 secp256k1_scalar one;
1017 secp256k1_scalar r1;
1018 secp256k1_scalar r2;
1019 #if defined(USE_SCALAR_INV_NUM)
1020 secp256k1_scalar zzv;
1023 unsigned char chal[33][2][32] = {
1024 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1026 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1027 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1028 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1030 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1031 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1032 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1033 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1036 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1038 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1039 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1040 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1042 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1043 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1044 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1045 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1046 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1047 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1048 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1049 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1051 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1052 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1053 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1054 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1055 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1056 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1057 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1058 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1059 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1060 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1061 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1062 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1063 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1064 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1065 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1066 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1067 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1068 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1069 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1070 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1071 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1072 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1073 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1074 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1075 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1076 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1077 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1078 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1079 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1080 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1081 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1082 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1083 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1084 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1085 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1086 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1088 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1089 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1092 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1096 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1098 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1099 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1100 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1101 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1102 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1103 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1104 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1105 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1106 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1107 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1108 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1112 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1113 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1114 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1115 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1116 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1118 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1120 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1121 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1123 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1124 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1125 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1126 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1127 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1128 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1129 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1131 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1132 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1133 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1134 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1136 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1137 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1139 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1140 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1144 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1148 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1151 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1152 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1153 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1155 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1156 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1158 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1160 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1162 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1164 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1165 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1168 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1169 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1170 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1172 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1173 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1174 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1175 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1176 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1177 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1178 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1179 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1180 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1181 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1182 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1184 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1185 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1186 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1188 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1189 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1190 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1191 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1192 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1196 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1200 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1201 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1204 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1208 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1212 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1213 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1214 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1216 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1217 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1218 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1220 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1224 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1226 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1227 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1228 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1232 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1233 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1234 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1235 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1236 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1237 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1238 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1239 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1240 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1241 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1242 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1243 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1244 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1245 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1248 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1249 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1250 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1251 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1252 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1254 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1255 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1256 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1257 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1258 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1260 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1261 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1262 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1264 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1265 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1267 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1268 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1269 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1270 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1271 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1272 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1273 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1274 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1275 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1276 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1277 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1278 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1279 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1280 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1281 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1283 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1284 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1289 unsigned char res[33][2][32] = {
1290 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1291 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1292 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1293 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1294 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1295 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1296 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1297 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1298 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1299 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1300 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1301 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1302 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1303 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1304 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1305 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1306 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1307 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1308 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1309 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1310 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1311 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1312 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1313 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1314 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1315 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1316 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1317 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1318 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1319 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1320 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1321 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1322 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1323 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1324 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1325 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1326 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1327 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1328 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1329 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1330 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1331 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1332 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1333 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1334 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1335 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1336 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1337 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1338 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1339 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1340 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1341 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1342 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1343 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1344 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1345 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1346 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1347 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1348 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1349 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1350 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1351 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1352 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1353 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1354 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1355 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1356 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1357 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1358 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1359 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1360 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1361 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1362 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1363 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1364 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1365 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1366 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1367 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1368 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1369 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1370 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1371 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1372 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1373 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1374 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1375 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1376 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1377 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1378 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1379 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1380 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1381 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1382 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1383 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1384 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1385 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1386 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1387 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1388 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1389 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1390 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1391 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1392 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1393 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1394 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1395 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1396 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1397 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1398 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1399 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1400 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1401 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1402 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1403 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1404 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1405 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1406 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1407 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1408 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1409 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1410 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1411 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1412 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1413 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1414 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1415 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1416 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1417 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1418 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1419 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1420 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1421 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1422 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1423 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1424 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1425 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1426 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1427 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1428 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1429 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1430 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1431 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1432 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1433 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1434 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1435 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1436 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1437 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1438 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1439 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1440 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1441 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1442 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1443 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1444 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1445 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1446 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1447 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1448 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1449 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1450 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1454 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1458 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1462 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1466 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1467 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1468 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1469 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1470 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1474 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1475 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1476 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1477 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1478 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1479 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1480 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1481 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1482 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1484 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1485 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1486 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1487 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1488 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1489 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1490 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1492 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1493 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1494 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1498 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1499 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1500 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1501 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1502 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1503 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1504 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1505 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1506 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1507 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1508 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1509 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1510 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1511 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1512 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1513 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1514 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1515 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1516 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1517 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1518 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1519 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1520 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1521 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1522 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1523 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1524 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1525 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1526 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1527 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1528 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1529 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1530 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1531 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1532 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1533 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1534 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1535 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1536 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1537 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1538 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1539 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1540 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1541 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1542 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1543 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1544 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1545 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1546 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1547 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1548 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1549 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1550 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1555 secp256k1_scalar_set_int(&one, 1);
1556 for (i = 0; i < 33; i++) {
1557 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1559 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1561 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1563 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1565 secp256k1_scalar_mul(&z, &x, &y);
1566 CHECK(!secp256k1_scalar_check_overflow(&z));
1567 CHECK(secp256k1_scalar_eq(&r1, &z));
1568 if (!secp256k1_scalar_is_zero(&y)) {
1569 secp256k1_scalar_inverse(&zz, &y);
1570 CHECK(!secp256k1_scalar_check_overflow(&zz));
1571 #if defined(USE_SCALAR_INV_NUM)
1572 secp256k1_scalar_inverse_var(&zzv, &y);
1573 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1575 secp256k1_scalar_mul(&z, &z, &zz);
1576 CHECK(!secp256k1_scalar_check_overflow(&z));
1577 CHECK(secp256k1_scalar_eq(&x, &z));
1578 secp256k1_scalar_mul(&zz, &zz, &y);
1579 CHECK(!secp256k1_scalar_check_overflow(&zz));
1580 CHECK(secp256k1_scalar_eq(&one, &zz));
1582 secp256k1_scalar_mul(&z, &x, &x);
1583 CHECK(!secp256k1_scalar_check_overflow(&z));
1584 secp256k1_scalar_sqr(&zz, &x);
1585 CHECK(!secp256k1_scalar_check_overflow(&zz));
1586 CHECK(secp256k1_scalar_eq(&zz, &z));
1587 CHECK(secp256k1_scalar_eq(&r2, &zz));
1592 /***** FIELD TESTS *****/
1594 void random_fe(secp256k1_fe *x) {
1595 unsigned char bin[32];
1597 secp256k1_rand256(bin);
1598 if (secp256k1_fe_set_b32(x, bin)) {
1604 void random_fe_test(secp256k1_fe *x) {
1605 unsigned char bin[32];
1607 secp256k1_rand256_test(bin);
1608 if (secp256k1_fe_set_b32(x, bin)) {
1614 void random_fe_non_zero(secp256k1_fe *nz) {
1616 while (--tries >= 0) {
1618 secp256k1_fe_normalize(nz);
1619 if (!secp256k1_fe_is_zero(nz)) {
1623 /* Infinitesimal probability of spurious failure here */
1627 void random_fe_non_square(secp256k1_fe *ns) {
1629 random_fe_non_zero(ns);
1630 if (secp256k1_fe_sqrt(&r, ns)) {
1631 secp256k1_fe_negate(ns, ns, 1);
1635 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1636 secp256k1_fe an = *a;
1637 secp256k1_fe bn = *b;
1638 secp256k1_fe_normalize_weak(&an);
1639 secp256k1_fe_normalize_var(&bn);
1640 return secp256k1_fe_equal_var(&an, &bn);
1643 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1645 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1646 secp256k1_fe_mul(&x, a, ai);
1647 return check_fe_equal(&x, &one);
1650 void run_field_convert(void) {
1651 static const unsigned char b32[32] = {
1652 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1653 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1654 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1655 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1657 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1658 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1659 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1661 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1662 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1666 unsigned char b322[32];
1667 secp256k1_fe_storage fes2;
1668 /* Check conversions to fe. */
1669 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1670 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1671 secp256k1_fe_from_storage(&fe2, &fes);
1672 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1673 /* Check conversion from fe. */
1674 secp256k1_fe_get_b32(b322, &fe);
1675 CHECK(memcmp(b322, b32, 32) == 0);
1676 secp256k1_fe_to_storage(&fes2, &fe);
1677 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1680 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1681 secp256k1_fe t = *b;
1683 t.magnitude = a->magnitude;
1684 t.normalized = a->normalized;
1686 return memcmp(a, &t, sizeof(secp256k1_fe));
1689 void run_field_misc(void) {
1694 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1696 for (i = 0; i < 5*count; i++) {
1697 secp256k1_fe_storage xs, ys, zs;
1699 random_fe_non_zero(&y);
1700 /* Test the fe equality and comparison operations. */
1701 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1702 CHECK(secp256k1_fe_equal_var(&x, &x));
1704 secp256k1_fe_add(&z,&y);
1705 /* Test fe conditional move; z is not normalized here. */
1707 secp256k1_fe_cmov(&x, &z, 0);
1708 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1709 secp256k1_fe_cmov(&x, &x, 1);
1710 CHECK(fe_memcmp(&x, &z) != 0);
1711 CHECK(fe_memcmp(&x, &q) == 0);
1712 secp256k1_fe_cmov(&q, &z, 1);
1713 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1714 CHECK(fe_memcmp(&q, &z) == 0);
1715 secp256k1_fe_normalize_var(&x);
1716 secp256k1_fe_normalize_var(&z);
1717 CHECK(!secp256k1_fe_equal_var(&x, &z));
1718 secp256k1_fe_normalize_var(&q);
1719 secp256k1_fe_cmov(&q, &z, (i&1));
1720 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1721 for (j = 0; j < 6; j++) {
1722 secp256k1_fe_negate(&z, &z, j+1);
1723 secp256k1_fe_normalize_var(&q);
1724 secp256k1_fe_cmov(&q, &z, (j&1));
1725 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1727 secp256k1_fe_normalize_var(&z);
1728 /* Test storage conversion and conditional moves. */
1729 secp256k1_fe_to_storage(&xs, &x);
1730 secp256k1_fe_to_storage(&ys, &y);
1731 secp256k1_fe_to_storage(&zs, &z);
1732 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1733 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1734 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1735 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1736 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1737 secp256k1_fe_from_storage(&x, &xs);
1738 secp256k1_fe_from_storage(&y, &ys);
1739 secp256k1_fe_from_storage(&z, &zs);
1740 /* Test that mul_int, mul, and add agree. */
1741 secp256k1_fe_add(&y, &x);
1742 secp256k1_fe_add(&y, &x);
1744 secp256k1_fe_mul_int(&z, 3);
1745 CHECK(check_fe_equal(&y, &z));
1746 secp256k1_fe_add(&y, &x);
1747 secp256k1_fe_add(&z, &x);
1748 CHECK(check_fe_equal(&z, &y));
1750 secp256k1_fe_mul_int(&z, 5);
1751 secp256k1_fe_mul(&q, &x, &fe5);
1752 CHECK(check_fe_equal(&z, &q));
1753 secp256k1_fe_negate(&x, &x, 1);
1754 secp256k1_fe_add(&z, &x);
1755 secp256k1_fe_add(&q, &x);
1756 CHECK(check_fe_equal(&y, &z));
1757 CHECK(check_fe_equal(&q, &y));
1761 void run_field_inv(void) {
1762 secp256k1_fe x, xi, xii;
1764 for (i = 0; i < 10*count; i++) {
1765 random_fe_non_zero(&x);
1766 secp256k1_fe_inv(&xi, &x);
1767 CHECK(check_fe_inverse(&x, &xi));
1768 secp256k1_fe_inv(&xii, &xi);
1769 CHECK(check_fe_equal(&x, &xii));
1773 void run_field_inv_var(void) {
1774 secp256k1_fe x, xi, xii;
1776 for (i = 0; i < 10*count; i++) {
1777 random_fe_non_zero(&x);
1778 secp256k1_fe_inv_var(&xi, &x);
1779 CHECK(check_fe_inverse(&x, &xi));
1780 secp256k1_fe_inv_var(&xii, &xi);
1781 CHECK(check_fe_equal(&x, &xii));
1785 void run_field_inv_all_var(void) {
1786 secp256k1_fe x[16], xi[16], xii[16];
1788 /* Check it's safe to call for 0 elements */
1789 secp256k1_fe_inv_all_var(xi, x, 0);
1790 for (i = 0; i < count; i++) {
1792 size_t len = secp256k1_rand_int(15) + 1;
1793 for (j = 0; j < len; j++) {
1794 random_fe_non_zero(&x[j]);
1796 secp256k1_fe_inv_all_var(xi, x, len);
1797 for (j = 0; j < len; j++) {
1798 CHECK(check_fe_inverse(&x[j], &xi[j]));
1800 secp256k1_fe_inv_all_var(xii, xi, len);
1801 for (j = 0; j < len; j++) {
1802 CHECK(check_fe_equal(&x[j], &xii[j]));
1807 void run_sqr(void) {
1812 secp256k1_fe_set_int(&x, 1);
1813 secp256k1_fe_negate(&x, &x, 1);
1815 for (i = 1; i <= 512; ++i) {
1816 secp256k1_fe_mul_int(&x, 2);
1817 secp256k1_fe_normalize(&x);
1818 secp256k1_fe_sqr(&s, &x);
1823 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1824 secp256k1_fe r1, r2;
1825 int v = secp256k1_fe_sqrt(&r1, a);
1826 CHECK((v == 0) == (k == NULL));
1829 /* Check that the returned root is +/- the given known answer */
1830 secp256k1_fe_negate(&r2, &r1, 1);
1831 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1832 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1833 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1837 void run_sqrt(void) {
1838 secp256k1_fe ns, x, s, t;
1841 /* Check sqrt(0) is 0 */
1842 secp256k1_fe_set_int(&x, 0);
1843 secp256k1_fe_sqr(&s, &x);
1846 /* Check sqrt of small squares (and their negatives) */
1847 for (i = 1; i <= 100; i++) {
1848 secp256k1_fe_set_int(&x, i);
1849 secp256k1_fe_sqr(&s, &x);
1851 secp256k1_fe_negate(&t, &s, 1);
1852 test_sqrt(&t, NULL);
1855 /* Consistency checks for large random values */
1856 for (i = 0; i < 10; i++) {
1858 random_fe_non_square(&ns);
1859 for (j = 0; j < count; j++) {
1861 secp256k1_fe_sqr(&s, &x);
1863 secp256k1_fe_negate(&t, &s, 1);
1864 test_sqrt(&t, NULL);
1865 secp256k1_fe_mul(&t, &s, &ns);
1866 test_sqrt(&t, NULL);
1871 /***** GROUP TESTS *****/
1873 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1874 CHECK(a->infinity == b->infinity);
1878 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1879 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1882 /* This compares jacobian points including their Z, not just their geometric meaning. */
1883 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1887 ret &= a->infinity == b->infinity;
1888 if (ret && !a->infinity) {
1891 secp256k1_fe_normalize(&a2.x);
1892 secp256k1_fe_normalize(&a2.y);
1893 secp256k1_fe_normalize(&a2.z);
1894 secp256k1_fe_normalize(&b2.x);
1895 secp256k1_fe_normalize(&b2.y);
1896 secp256k1_fe_normalize(&b2.z);
1897 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1898 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1899 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1904 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1906 secp256k1_fe u1, u2, s1, s2;
1907 CHECK(a->infinity == b->infinity);
1911 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1912 secp256k1_fe_sqr(&z2s, &b->z);
1913 secp256k1_fe_mul(&u1, &a->x, &z2s);
1914 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1915 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1916 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1917 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1918 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1921 void test_ge(void) {
1923 #ifdef USE_ENDOMORPHISM
1928 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1929 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1930 * All magnitudes are randomized.
1931 * All 17*17 combinations of points are added to each other, using all applicable methods.
1933 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1935 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1936 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1937 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1939 secp256k1_fe zfi2, zfi3;
1941 secp256k1_gej_set_infinity(&gej[0]);
1942 secp256k1_ge_clear(&ge[0]);
1943 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1944 for (i = 0; i < runs; i++) {
1947 random_group_element_test(&g);
1948 #ifdef USE_ENDOMORPHISM
1949 if (i >= runs - 2) {
1950 secp256k1_ge_mul_lambda(&g, &ge[1]);
1952 if (i >= runs - 1) {
1953 secp256k1_ge_mul_lambda(&g, &g);
1958 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1959 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1960 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1961 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1962 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1963 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1964 for (j = 0; j < 4; j++) {
1965 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1966 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1967 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1968 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1969 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1973 /* Compute z inverses. */
1975 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1976 for (i = 0; i < 4 * runs + 1; i++) {
1978 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1980 random_field_element_test(&zs[i]);
1981 } while(secp256k1_fe_is_zero(&zs[i]));
1986 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1990 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1992 random_field_element_test(&zf);
1993 } while(secp256k1_fe_is_zero(&zf));
1994 random_field_element_magnitude(&zf);
1995 secp256k1_fe_inv_var(&zfi3, &zf);
1996 secp256k1_fe_sqr(&zfi2, &zfi3);
1997 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1999 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2001 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2002 /* Compute reference result using gej + gej (var). */
2003 secp256k1_gej refj, resj;
2006 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2007 /* Check Z ratio. */
2008 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2009 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2010 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2012 secp256k1_ge_set_gej_var(&ref, &refj);
2014 /* Test gej + ge with Z ratio result (var). */
2015 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2016 ge_equals_gej(&ref, &resj);
2017 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2018 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2019 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2022 /* Test gej + ge (var, with additional Z factor). */
2024 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2025 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2026 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2027 random_field_element_magnitude(&ge2_zfi.x);
2028 random_field_element_magnitude(&ge2_zfi.y);
2029 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2030 ge_equals_gej(&ref, &resj);
2033 /* Test gej + ge (const). */
2035 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2036 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2037 ge_equals_gej(&ref, &resj);
2040 /* Test doubling (var). */
2041 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2043 /* Normal doubling with Z ratio result. */
2044 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2045 ge_equals_gej(&ref, &resj);
2046 /* Check Z ratio. */
2047 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2048 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2049 /* Normal doubling. */
2050 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2051 ge_equals_gej(&ref, &resj);
2054 /* Test adding opposites. */
2055 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2056 CHECK(secp256k1_ge_is_infinity(&ref));
2059 /* Test adding infinity. */
2061 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2062 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2063 ge_equals_gej(&ref, &gej[i2]);
2066 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2067 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2068 ge_equals_gej(&ref, &gej[i1]);
2073 /* Test adding all points together in random order equals infinity. */
2075 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2076 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2077 for (i = 0; i < 4 * runs + 1; i++) {
2078 gej_shuffled[i] = gej[i];
2080 for (i = 0; i < 4 * runs + 1; i++) {
2081 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2083 secp256k1_gej t = gej_shuffled[i];
2084 gej_shuffled[i] = gej_shuffled[swap];
2085 gej_shuffled[swap] = t;
2088 for (i = 0; i < 4 * runs + 1; i++) {
2089 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2091 CHECK(secp256k1_gej_is_infinity(&sum));
2095 /* Test batch gej -> ge conversion with and without known z ratios. */
2097 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2098 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2099 for (i = 0; i < 4 * runs + 1; i++) {
2100 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2102 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2105 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2106 for (i = 0; i < 4 * runs + 1; i++) {
2108 random_fe_non_zero(&s);
2109 secp256k1_gej_rescale(&gej[i], &s);
2110 ge_equals_gej(&ge_set_all[i], &gej[i]);
2116 /* Test batch gej -> ge conversion with many infinities. */
2117 for (i = 0; i < 4 * runs + 1; i++) {
2118 random_group_element_test(&ge[i]);
2119 /* randomly set half the points to infinitiy */
2120 if(secp256k1_fe_is_odd(&ge[i].x)) {
2121 secp256k1_ge_set_infinity(&ge[i]);
2123 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2126 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2128 for (i = 0; i < 4 * runs + 1; i++) {
2129 ge_equals_gej(&ge[i], &gej[i]);
2137 void test_add_neg_y_diff_x(void) {
2138 /* The point of this test is to check that we can add two points
2139 * whose y-coordinates are negatives of each other but whose x
2140 * coordinates differ. If the x-coordinates were the same, these
2141 * points would be negatives of each other and their sum is
2142 * infinity. This is cool because it "covers up" any degeneracy
2143 * in the addition algorithm that would cause the xy coordinates
2144 * of the sum to be wrong (since infinity has no xy coordinates).
2145 * HOWEVER, if the x-coordinates are different, infinity is the
2146 * wrong answer, and such degeneracies are exposed. This is the
2147 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2148 * which this test is a regression test for.
2150 * These points were generated in sage as
2151 * # secp256k1 params
2152 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2153 * C = EllipticCurve ([F (0), F (7)])
2154 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2155 * N = FiniteField(G.order())
2157 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2159 * lam = (1 - x^3).roots()[1][0]
2161 * # random "bad pair"
2162 * P = C.random_element()
2164 * print " P: %x %x" % P.xy()
2165 * print " Q: %x %x" % Q.xy()
2166 * print "P + Q: %x %x" % (P + Q).xy()
2168 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2169 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2170 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2171 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2172 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2174 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2175 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2176 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2177 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2178 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2180 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2181 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2182 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2183 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2184 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2189 secp256k1_ge_set_gej(&b, &bj);
2191 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2192 secp256k1_ge_set_gej(&res, &resj);
2193 ge_equals_gej(&res, &sumj);
2195 secp256k1_gej_add_ge(&resj, &aj, &b);
2196 secp256k1_ge_set_gej(&res, &resj);
2197 ge_equals_gej(&res, &sumj);
2199 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2200 secp256k1_ge_set_gej(&res, &resj);
2201 ge_equals_gej(&res, &sumj);
2206 for (i = 0; i < count * 32; i++) {
2209 test_add_neg_y_diff_x();
2212 void test_ec_combine(void) {
2213 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2214 secp256k1_pubkey data[6];
2215 const secp256k1_pubkey* d[6];
2216 secp256k1_pubkey sd;
2217 secp256k1_pubkey sd2;
2221 for (i = 1; i <= 6; i++) {
2223 random_scalar_order_test(&s);
2224 secp256k1_scalar_add(&sum, &sum, &s);
2225 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2226 secp256k1_ge_set_gej(&Q, &Qj);
2227 secp256k1_pubkey_save(&data[i - 1], &Q);
2228 d[i - 1] = &data[i - 1];
2229 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2230 secp256k1_ge_set_gej(&Q, &Qj);
2231 secp256k1_pubkey_save(&sd, &Q);
2232 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2233 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2237 void run_ec_combine(void) {
2239 for (i = 0; i < count * 8; i++) {
2244 void test_group_decompress(const secp256k1_fe* x) {
2245 /* The input itself, normalized. */
2246 secp256k1_fe fex = *x;
2248 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2249 secp256k1_ge ge_quad, ge_even, ge_odd;
2250 secp256k1_gej gej_quad;
2251 /* Return values of the above calls. */
2252 int res_quad, res_even, res_odd;
2254 secp256k1_fe_normalize_var(&fex);
2256 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2257 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2258 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2260 CHECK(res_quad == res_even);
2261 CHECK(res_quad == res_odd);
2264 secp256k1_fe_normalize_var(&ge_quad.x);
2265 secp256k1_fe_normalize_var(&ge_odd.x);
2266 secp256k1_fe_normalize_var(&ge_even.x);
2267 secp256k1_fe_normalize_var(&ge_quad.y);
2268 secp256k1_fe_normalize_var(&ge_odd.y);
2269 secp256k1_fe_normalize_var(&ge_even.y);
2271 /* No infinity allowed. */
2272 CHECK(!ge_quad.infinity);
2273 CHECK(!ge_even.infinity);
2274 CHECK(!ge_odd.infinity);
2276 /* Check that the x coordinates check out. */
2277 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2278 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2279 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2281 /* Check that the Y coordinate result in ge_quad is a square. */
2282 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2284 /* Check odd/even Y in ge_odd, ge_even. */
2285 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2286 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2288 /* Check secp256k1_gej_has_quad_y_var. */
2289 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2290 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2292 random_fe_test(&fez);
2293 } while (secp256k1_fe_is_zero(&fez));
2294 secp256k1_gej_rescale(&gej_quad, &fez);
2295 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2296 secp256k1_gej_neg(&gej_quad, &gej_quad);
2297 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2299 random_fe_test(&fez);
2300 } while (secp256k1_fe_is_zero(&fez));
2301 secp256k1_gej_rescale(&gej_quad, &fez);
2302 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2303 secp256k1_gej_neg(&gej_quad, &gej_quad);
2304 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2308 void run_group_decompress(void) {
2310 for (i = 0; i < count * 4; i++) {
2312 random_fe_test(&fe);
2313 test_group_decompress(&fe);
2317 /***** ECMULT TESTS *****/
2319 void run_ecmult_chain(void) {
2320 /* random starting point A (on the curve) */
2321 secp256k1_gej a = SECP256K1_GEJ_CONST(
2322 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2323 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2324 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2325 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2327 /* two random initial factors xn and gn */
2328 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2329 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2330 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2332 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2333 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2334 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2336 /* two small multipliers to be applied to xn and gn in every iteration: */
2337 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2338 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2339 /* accumulators with the resulting coefficients to A and G */
2340 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2341 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2347 /* the point being computed */
2349 for (i = 0; i < 200*count; i++) {
2350 /* in each iteration, compute X = xn*X + gn*G; */
2351 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2352 /* also compute ae and ge: the actual accumulated factors for A and G */
2353 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2354 secp256k1_scalar_mul(&ae, &ae, &xn);
2355 secp256k1_scalar_mul(&ge, &ge, &xn);
2356 secp256k1_scalar_add(&ge, &ge, &gn);
2357 /* modify xn and gn */
2358 secp256k1_scalar_mul(&xn, &xn, &xf);
2359 secp256k1_scalar_mul(&gn, &gn, &gf);
2363 /* expected result after 19999 iterations */
2364 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2365 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2366 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2367 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2368 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2371 secp256k1_gej_neg(&rp, &rp);
2372 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2373 CHECK(secp256k1_gej_is_infinity(&rp));
2376 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2377 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2378 secp256k1_gej_neg(&x2, &x2);
2379 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2380 CHECK(secp256k1_gej_is_infinity(&x2));
2383 void test_point_times_order(const secp256k1_gej *point) {
2384 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2386 secp256k1_scalar nx;
2387 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2388 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2389 secp256k1_gej res1, res2;
2391 unsigned char pub[65];
2393 random_scalar_order_test(&x);
2394 secp256k1_scalar_negate(&nx, &x);
2395 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2396 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2397 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2398 CHECK(secp256k1_gej_is_infinity(&res1));
2399 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2400 secp256k1_ge_set_gej(&res3, &res1);
2401 CHECK(secp256k1_ge_is_infinity(&res3));
2402 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2403 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2405 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2406 /* check zero/one edge cases */
2407 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2408 secp256k1_ge_set_gej(&res3, &res1);
2409 CHECK(secp256k1_ge_is_infinity(&res3));
2410 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2411 secp256k1_ge_set_gej(&res3, &res1);
2412 ge_equals_gej(&res3, point);
2413 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2414 secp256k1_ge_set_gej(&res3, &res1);
2415 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2418 void run_point_times_order(void) {
2420 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2421 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2422 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2423 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2425 for (i = 0; i < 500; i++) {
2427 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2429 CHECK(secp256k1_ge_is_valid_var(&p));
2430 secp256k1_gej_set_ge(&j, &p);
2431 CHECK(secp256k1_gej_is_valid_var(&j));
2432 test_point_times_order(&j);
2434 secp256k1_fe_sqr(&x, &x);
2436 secp256k1_fe_normalize_var(&x);
2437 CHECK(secp256k1_fe_equal_var(&x, &xr));
2440 void ecmult_const_random_mult(void) {
2441 /* random starting point A (on the curve) */
2442 secp256k1_ge a = SECP256K1_GE_CONST(
2443 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2444 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2445 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2446 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2448 /* random initial factor xn */
2449 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2450 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2451 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2453 /* expected xn * A (from sage) */
2454 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2455 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2456 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2457 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2458 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2461 secp256k1_ecmult_const(&b, &a, &xn, 256);
2463 CHECK(secp256k1_ge_is_valid_var(&a));
2464 ge_equals_gej(&expected_b, &b);
2467 void ecmult_const_commutativity(void) {
2474 random_scalar_order_test(&a);
2475 random_scalar_order_test(&b);
2477 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2478 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2479 secp256k1_ge_set_gej(&mid1, &res1);
2480 secp256k1_ge_set_gej(&mid2, &res2);
2481 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2482 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2483 secp256k1_ge_set_gej(&mid1, &res1);
2484 secp256k1_ge_set_gej(&mid2, &res2);
2485 ge_equals_ge(&mid1, &mid2);
2488 void ecmult_const_mult_zero_one(void) {
2489 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2490 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2491 secp256k1_scalar negone;
2495 secp256k1_scalar_negate(&negone, &one);
2497 random_group_element_test(&point);
2498 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2499 secp256k1_ge_set_gej(&res2, &res1);
2500 CHECK(secp256k1_ge_is_infinity(&res2));
2501 secp256k1_ecmult_const(&res1, &point, &one, 2);
2502 secp256k1_ge_set_gej(&res2, &res1);
2503 ge_equals_ge(&res2, &point);
2504 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2505 secp256k1_gej_neg(&res1, &res1);
2506 secp256k1_ge_set_gej(&res2, &res1);
2507 ge_equals_ge(&res2, &point);
2510 void ecmult_const_chain_multiply(void) {
2511 /* Check known result (randomly generated test problem from sage) */
2512 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2513 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2514 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2516 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2517 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2518 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2519 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2520 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2522 secp256k1_gej point;
2526 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2527 for (i = 0; i < 100; ++i) {
2529 secp256k1_ge_set_gej(&tmp, &point);
2530 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2532 secp256k1_ge_set_gej(&res, &point);
2533 ge_equals_gej(&res, &expected_point);
2536 void run_ecmult_const_tests(void) {
2537 ecmult_const_mult_zero_one();
2538 ecmult_const_random_mult();
2539 ecmult_const_commutativity();
2540 ecmult_const_chain_multiply();
2544 secp256k1_scalar *sc;
2546 } ecmult_multi_data;
2548 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2549 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2550 *sc = data->sc[idx];
2551 *pt = data->pt[idx];
2555 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2563 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2565 secp256k1_scalar szero;
2566 secp256k1_scalar sc[32];
2567 secp256k1_ge pt[32];
2570 ecmult_multi_data data;
2571 secp256k1_scratch *scratch_empty;
2575 secp256k1_scalar_set_int(&szero, 0);
2577 /* No points to multiply */
2578 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2580 /* Check 1- and 2-point multiplies against ecmult */
2581 for (ncount = 0; ncount < count; ncount++) {
2584 random_scalar_order(&sc[0]);
2585 random_scalar_order(&sc[1]);
2587 random_group_element_test(&ptg);
2588 secp256k1_gej_set_ge(&ptgj, &ptg);
2590 pt[1] = secp256k1_ge_const_g;
2593 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2594 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2595 secp256k1_gej_neg(&r2, &r2);
2596 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2597 CHECK(secp256k1_gej_is_infinity(&r));
2600 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2601 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2602 secp256k1_gej_neg(&r2, &r2);
2603 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2604 CHECK(secp256k1_gej_is_infinity(&r));
2606 /* Try to multiply 1 point, but scratch space is empty */
2607 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2608 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2609 secp256k1_scratch_destroy(scratch_empty);
2611 /* Try to multiply 1 point, but callback returns false */
2612 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2615 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2616 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2617 secp256k1_gej_neg(&r2, &r2);
2618 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2619 CHECK(secp256k1_gej_is_infinity(&r));
2621 /* 2-point with G scalar */
2622 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2623 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2624 secp256k1_gej_neg(&r2, &r2);
2625 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2626 CHECK(secp256k1_gej_is_infinity(&r));
2629 /* Check infinite outputs of various forms */
2630 for (ncount = 0; ncount < count; ncount++) {
2633 size_t sizes[] = { 2, 10, 32 };
2635 for (j = 0; j < 3; j++) {
2636 for (i = 0; i < 32; i++) {
2637 random_scalar_order(&sc[i]);
2638 secp256k1_ge_set_infinity(&pt[i]);
2640 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2641 CHECK(secp256k1_gej_is_infinity(&r));
2644 for (j = 0; j < 3; j++) {
2645 for (i = 0; i < 32; i++) {
2646 random_group_element_test(&ptg);
2648 secp256k1_scalar_set_int(&sc[i], 0);
2650 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2651 CHECK(secp256k1_gej_is_infinity(&r));
2654 for (j = 0; j < 3; j++) {
2655 random_group_element_test(&ptg);
2656 for (i = 0; i < 16; i++) {
2657 random_scalar_order(&sc[2*i]);
2658 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2660 pt[2 * i + 1] = ptg;
2663 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2664 CHECK(secp256k1_gej_is_infinity(&r));
2666 random_scalar_order(&sc[0]);
2667 for (i = 0; i < 16; i++) {
2668 random_group_element_test(&ptg);
2673 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2676 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2677 CHECK(secp256k1_gej_is_infinity(&r));
2680 random_group_element_test(&ptg);
2681 secp256k1_scalar_set_int(&sc[0], 0);
2683 for (i = 1; i < 32; i++) {
2686 random_scalar_order(&sc[i]);
2687 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2688 secp256k1_scalar_negate(&sc[i], &sc[i]);
2691 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2692 CHECK(secp256k1_gej_is_infinity(&r));
2695 /* Check random points, constant scalar */
2696 for (ncount = 0; ncount < count; ncount++) {
2698 secp256k1_gej_set_infinity(&r);
2700 random_scalar_order(&sc[0]);
2701 for (i = 0; i < 20; i++) {
2704 random_group_element_test(&ptg);
2706 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2709 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2710 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2711 secp256k1_gej_neg(&r2, &r2);
2712 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2713 CHECK(secp256k1_gej_is_infinity(&r));
2716 /* Check random scalars, constant point */
2717 for (ncount = 0; ncount < count; ncount++) {
2721 secp256k1_scalar rs;
2722 secp256k1_scalar_set_int(&rs, 0);
2724 random_group_element_test(&ptg);
2725 for (i = 0; i < 20; i++) {
2726 random_scalar_order(&sc[i]);
2728 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2731 secp256k1_gej_set_ge(&p0j, &pt[0]);
2732 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2733 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2734 secp256k1_gej_neg(&r2, &r2);
2735 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2736 CHECK(secp256k1_gej_is_infinity(&r));
2739 /* Sanity check that zero scalars don't cause problems */
2740 for (ncount = 0; ncount < 20; ncount++) {
2741 random_scalar_order(&sc[ncount]);
2742 random_group_element_test(&pt[ncount]);
2745 secp256k1_scalar_clear(&sc[0]);
2746 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2747 secp256k1_scalar_clear(&sc[1]);
2748 secp256k1_scalar_clear(&sc[2]);
2749 secp256k1_scalar_clear(&sc[3]);
2750 secp256k1_scalar_clear(&sc[4]);
2751 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2752 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2753 CHECK(secp256k1_gej_is_infinity(&r));
2755 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2757 const size_t TOP = 8;
2763 random_group_element_test(&ptg);
2764 secp256k1_gej_set_ge(&ptgj, &ptg);
2766 for(t0i = 0; t0i < TOP; t0i++) {
2767 for(t1i = 0; t1i < TOP; t1i++) {
2768 secp256k1_gej t0p, t1p;
2769 secp256k1_scalar t0, t1;
2771 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2772 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2773 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2774 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2776 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2777 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2779 for(s0i = 0; s0i < TOP; s0i++) {
2780 for(s1i = 0; s1i < TOP; s1i++) {
2781 secp256k1_scalar tmp1, tmp2;
2782 secp256k1_gej expected, actual;
2784 secp256k1_ge_set_gej(&pt[0], &t0p);
2785 secp256k1_ge_set_gej(&pt[1], &t1p);
2787 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2788 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2789 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2790 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2792 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2793 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2794 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2796 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2797 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2798 secp256k1_gej_neg(&expected, &expected);
2799 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2800 CHECK(secp256k1_gej_is_infinity(&actual));
2808 void test_secp256k1_pippenger_bucket_window_inv(void) {
2811 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2812 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2813 #ifdef USE_ENDOMORPHISM
2814 /* Bucket_window of 8 is not used with endo */
2819 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2820 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2821 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2827 * Probabilistically test the function returning the maximum number of possible points
2828 * for a given scratch space.
2830 void test_ecmult_multi_pippenger_max_points(void) {
2831 size_t scratch_size = secp256k1_rand_int(256);
2832 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2833 secp256k1_scratch *scratch;
2834 size_t n_points_supported;
2835 int bucket_window = 0;
2837 for(; scratch_size < max_size; scratch_size+=256) {
2838 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2839 CHECK(scratch != NULL);
2840 n_points_supported = secp256k1_pippenger_max_points(scratch);
2841 if (n_points_supported == 0) {
2842 secp256k1_scratch_destroy(scratch);
2845 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2846 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2847 secp256k1_scratch_deallocate_frame(scratch);
2848 secp256k1_scratch_destroy(scratch);
2850 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2854 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2855 * 1 <= i <= num points.
2857 void test_ecmult_multi_batching(void) {
2858 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2859 secp256k1_scalar scG;
2860 secp256k1_scalar szero;
2861 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2862 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2865 ecmult_multi_data data;
2867 secp256k1_scratch *scratch;
2869 secp256k1_gej_set_infinity(&r2);
2870 secp256k1_scalar_set_int(&szero, 0);
2872 /* Get random scalars and group elements and compute result */
2873 random_scalar_order(&scG);
2874 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2875 for(i = 0; i < n_points; i++) {
2878 random_group_element_test(&ptg);
2879 secp256k1_gej_set_ge(&ptgj, &ptg);
2881 random_scalar_order(&sc[i]);
2882 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2883 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2888 /* Test with empty scratch space */
2889 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2890 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2891 secp256k1_scratch_destroy(scratch);
2893 /* Test with space for 1 point in pippenger. That's not enough because
2894 * ecmult_multi selects strauss which requires more memory. */
2895 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2896 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2897 secp256k1_scratch_destroy(scratch);
2899 secp256k1_gej_neg(&r2, &r2);
2900 for(i = 1; i <= n_points; i++) {
2901 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2902 int bucket_window = secp256k1_pippenger_bucket_window(i);
2903 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2904 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2906 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2907 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2909 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2910 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2911 CHECK(secp256k1_gej_is_infinity(&r));
2912 secp256k1_scratch_destroy(scratch);
2918 void run_ecmult_multi_tests(void) {
2919 secp256k1_scratch *scratch;
2921 test_secp256k1_pippenger_bucket_window_inv();
2922 test_ecmult_multi_pippenger_max_points();
2923 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2924 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2925 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2926 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2927 secp256k1_scratch_destroy(scratch);
2929 /* Run test_ecmult_multi with space for exactly one point */
2930 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2931 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2932 secp256k1_scratch_destroy(scratch);
2934 test_ecmult_multi_batching();
2937 void test_wnaf(const secp256k1_scalar *number, int w) {
2938 secp256k1_scalar x, two, t;
2943 secp256k1_scalar_set_int(&x, 0);
2944 secp256k1_scalar_set_int(&two, 2);
2945 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2947 for (i = bits-1; i >= 0; i--) {
2949 secp256k1_scalar_mul(&x, &x, &two);
2951 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2953 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2954 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2955 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2957 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2961 secp256k1_scalar_set_int(&t, v);
2963 secp256k1_scalar_set_int(&t, -v);
2964 secp256k1_scalar_negate(&t, &t);
2966 secp256k1_scalar_add(&x, &x, &t);
2968 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2971 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2972 secp256k1_scalar neg1 = *number;
2973 secp256k1_scalar neg2 = *number;
2977 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2978 secp256k1_scalar_negate(&neg1, &neg1);
2981 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2982 CHECK(sign1 == sign2);
2983 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2986 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2987 secp256k1_scalar x, shift;
2988 int wnaf[256] = {0};
2992 secp256k1_scalar num = *number;
2994 secp256k1_scalar_set_int(&x, 0);
2995 secp256k1_scalar_set_int(&shift, 1 << w);
2996 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2997 #ifdef USE_ENDOMORPHISM
2998 for (i = 0; i < 16; ++i) {
2999 secp256k1_scalar_shr_int(&num, 8);
3003 skew = secp256k1_wnaf_const(wnaf, num, w, bits);
3005 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3008 CHECK(v != 0); /* check nonzero */
3009 CHECK(v & 1); /* check parity */
3010 CHECK(v > -(1 << w)); /* check range above */
3011 CHECK(v < (1 << w)); /* check range below */
3013 secp256k1_scalar_mul(&x, &x, &shift);
3015 secp256k1_scalar_set_int(&t, v);
3017 secp256k1_scalar_set_int(&t, -v);
3018 secp256k1_scalar_negate(&t, &t);
3020 secp256k1_scalar_add(&x, &x, &t);
3022 /* Skew num because when encoding numbers as odd we use an offset */
3023 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3024 CHECK(secp256k1_scalar_eq(&x, &num));
3027 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3028 secp256k1_scalar x, shift;
3029 int wnaf[256] = {0};
3032 secp256k1_scalar num = *number;
3034 secp256k1_scalar_set_int(&x, 0);
3035 secp256k1_scalar_set_int(&shift, 1 << w);
3036 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3037 #ifdef USE_ENDOMORPHISM
3038 for (i = 0; i < 16; ++i) {
3039 secp256k1_scalar_shr_int(&num, 8);
3042 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3044 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3047 CHECK(v == 0 || v & 1); /* check parity */
3048 CHECK(v > -(1 << w)); /* check range above */
3049 CHECK(v < (1 << w)); /* check range below */
3051 secp256k1_scalar_mul(&x, &x, &shift);
3053 secp256k1_scalar_set_int(&t, v);
3055 secp256k1_scalar_set_int(&t, -v);
3056 secp256k1_scalar_negate(&t, &t);
3058 secp256k1_scalar_add(&x, &x, &t);
3060 /* If skew is 1 then add 1 to num */
3061 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3062 CHECK(secp256k1_scalar_eq(&x, &num));
3065 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3067 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3069 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3070 CHECK(wnaf[i] == 0);
3072 for (i = 7; i >= 0; --i) {
3073 CHECK(wnaf[i] == wnaf_expected[i]);
3077 void test_fixed_wnaf_small(void) {
3079 int wnaf[256] = {0};
3082 secp256k1_scalar num;
3084 secp256k1_scalar_set_int(&num, 0);
3085 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3086 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3092 secp256k1_scalar_set_int(&num, 1);
3093 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3094 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3098 CHECK(wnaf[0] == 1);
3102 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3103 secp256k1_scalar_set_int(&num, 0xffffffff);
3104 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3105 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3109 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3110 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3111 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3112 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3116 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3117 secp256k1_scalar_set_int(&num, 0x01010101);
3118 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3119 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3123 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3124 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3125 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3126 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3131 void run_wnaf(void) {
3133 secp256k1_scalar n = {{0}};
3135 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3136 * have easier-to-diagnose failure modes */
3138 test_constant_wnaf(&n, 4);
3140 test_constant_wnaf(&n, 4);
3142 test_fixed_wnaf_small();
3144 for (i = 0; i < count; i++) {
3145 random_scalar_order(&n);
3146 test_wnaf(&n, 4+(i%10));
3147 test_constant_wnaf_negate(&n);
3148 test_constant_wnaf(&n, 4 + (i % 10));
3149 test_fixed_wnaf(&n, 4 + (i % 10));
3151 secp256k1_scalar_set_int(&n, 0);
3152 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3153 CHECK(secp256k1_scalar_is_zero(&n));
3154 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3155 CHECK(secp256k1_scalar_is_zero(&n));
3158 void test_ecmult_constants(void) {
3159 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3165 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3166 for (i = 0; i < 36; i++ ) {
3167 secp256k1_scalar_set_int(&x, i);
3168 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3169 for (j = 0; j < i; j++) {
3171 ge_equals_gej(&secp256k1_ge_const_g, &r);
3173 secp256k1_gej_add_ge(&r, &r, &ng);
3175 CHECK(secp256k1_gej_is_infinity(&r));
3177 for (i = 1; i <= 36; i++ ) {
3178 secp256k1_scalar_set_int(&x, i);
3179 secp256k1_scalar_negate(&x, &x);
3180 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3181 for (j = 0; j < i; j++) {
3183 ge_equals_gej(&ng, &r);
3185 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3187 CHECK(secp256k1_gej_is_infinity(&r));
3191 void run_ecmult_constants(void) {
3192 test_ecmult_constants();
3195 void test_ecmult_gen_blind(void) {
3196 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3197 secp256k1_scalar key;
3199 unsigned char seed32[32];
3201 secp256k1_gej pgej2;
3204 random_scalar_order_test(&key);
3205 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3206 secp256k1_rand256(seed32);
3207 b = ctx->ecmult_gen_ctx.blind;
3208 i = ctx->ecmult_gen_ctx.initial;
3209 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3210 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3211 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3212 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3213 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3214 secp256k1_ge_set_gej(&pge, &pgej);
3215 ge_equals_gej(&pge, &pgej2);
3218 void test_ecmult_gen_blind_reset(void) {
3219 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3221 secp256k1_gej initial;
3222 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3223 b = ctx->ecmult_gen_ctx.blind;
3224 initial = ctx->ecmult_gen_ctx.initial;
3225 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3226 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3227 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3230 void run_ecmult_gen_blind(void) {
3232 test_ecmult_gen_blind_reset();
3233 for (i = 0; i < 10; i++) {
3234 test_ecmult_gen_blind();
3238 #ifdef USE_ENDOMORPHISM
3239 /***** ENDOMORPHISH TESTS *****/
3240 void test_scalar_split(void) {
3241 secp256k1_scalar full;
3242 secp256k1_scalar s1, slam;
3243 const unsigned char zero[32] = {0};
3244 unsigned char tmp[32];
3246 random_scalar_order_test(&full);
3247 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3249 /* check that both are <= 128 bits in size */
3250 if (secp256k1_scalar_is_high(&s1)) {
3251 secp256k1_scalar_negate(&s1, &s1);
3253 if (secp256k1_scalar_is_high(&slam)) {
3254 secp256k1_scalar_negate(&slam, &slam);
3257 secp256k1_scalar_get_b32(tmp, &s1);
3258 CHECK(memcmp(zero, tmp, 16) == 0);
3259 secp256k1_scalar_get_b32(tmp, &slam);
3260 CHECK(memcmp(zero, tmp, 16) == 0);
3263 void run_endomorphism_tests(void) {
3264 test_scalar_split();
3268 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3269 unsigned char pubkeyc[65];
3270 secp256k1_pubkey pubkey;
3275 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3276 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3277 /* Smaller sizes are tested exhaustively elsewhere. */
3279 memcpy(&pubkeyc[1], input, 64);
3280 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3281 for (i = 0; i < 256; i++) {
3282 /* Try all type bytes. */
3287 /* What sign does this point have? */
3288 ysign = (input[63] & 1) + 2;
3289 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3290 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3291 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3292 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3293 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3294 if (xpass || ypass) {
3295 /* These cases must parse. */
3296 unsigned char pubkeyo[65];
3298 memset(&pubkey, 0, sizeof(pubkey));
3299 VG_UNDEF(&pubkey, sizeof(pubkey));
3301 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3302 VG_CHECK(&pubkey, sizeof(pubkey));
3304 VG_UNDEF(pubkeyo, 65);
3305 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3306 VG_CHECK(pubkeyo, outl);
3308 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3309 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3311 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3312 CHECK(pubkeyo[0] == ysign);
3313 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3314 memset(&pubkey, 0, sizeof(pubkey));
3315 VG_UNDEF(&pubkey, sizeof(pubkey));
3316 secp256k1_pubkey_save(&pubkey, &ge);
3317 VG_CHECK(&pubkey, sizeof(pubkey));
3319 VG_UNDEF(pubkeyo, 65);
3320 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3321 VG_CHECK(pubkeyo, outl);
3323 CHECK(pubkeyo[0] == 4);
3324 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3328 /* These cases must fail to parse. */
3329 memset(&pubkey, 0xfe, sizeof(pubkey));
3331 VG_UNDEF(&pubkey, sizeof(pubkey));
3332 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3333 VG_CHECK(&pubkey, sizeof(pubkey));
3335 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3340 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3343 void run_ec_pubkey_parse_test(void) {
3344 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3345 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3347 /* Point with leading and trailing zeros in x and y serialization. */
3348 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3349 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3350 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3351 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3354 /* Point with x equal to a 3rd root of unity.*/
3355 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3356 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3357 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3358 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3361 /* Point with largest x. (1/2) */
3362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3364 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3365 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3368 /* Point with largest x. (2/2) */
3369 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3370 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3371 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3372 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3375 /* Point with smallest x. (1/2) */
3376 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3378 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3379 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3382 /* Point with smallest x. (2/2) */
3383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3385 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3386 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3389 /* Point with largest y. (1/3) */
3390 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3391 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3392 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3393 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3396 /* Point with largest y. (2/3) */
3397 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3398 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3403 /* Point with largest y. (3/3) */
3404 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3405 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3406 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3407 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3410 /* Point with smallest y. (1/3) */
3411 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3412 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3417 /* Point with smallest y. (2/3) */
3418 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3419 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3421 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3424 /* Point with smallest y. (3/3) */
3425 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3426 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3431 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3432 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3434 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3435 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3436 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3437 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3438 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3441 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3442 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3443 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3445 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3448 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3449 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3450 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3451 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3455 /* x on curve, y is from y^2 = x^3 + 8. */
3456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3458 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3462 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3463 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3465 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3466 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3467 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3472 /* Valid if x overflow ignored (x = 1 mod p). */
3473 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3474 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3475 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3476 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3479 /* Valid if x overflow ignored (x = 1 mod p). */
3480 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3481 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3482 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3483 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3486 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3487 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3488 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3489 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3490 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3493 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3494 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3496 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3497 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3500 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3502 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3503 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3504 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3507 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3508 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3510 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3511 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3514 const unsigned char pubkeyc[66] = {
3515 /* Serialization of G. */
3516 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3517 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3518 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3519 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3522 unsigned char sout[65];
3523 unsigned char shortkey[2];
3525 secp256k1_pubkey pubkey;
3531 /* Nothing should be reading this far into pubkeyc. */
3532 VG_UNDEF(&pubkeyc[65], 1);
3533 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3534 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3535 memset(&pubkey, 0xfe, sizeof(pubkey));
3537 VG_UNDEF(shortkey, 2);
3538 VG_UNDEF(&pubkey, sizeof(pubkey));
3539 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3540 VG_CHECK(&pubkey, sizeof(pubkey));
3542 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3544 /* Length one claimed, fail, zeroize, no illegal arg error. */
3545 for (i = 0; i < 256 ; i++) {
3546 memset(&pubkey, 0xfe, sizeof(pubkey));
3549 VG_UNDEF(&shortkey[1], 1);
3550 VG_UNDEF(&pubkey, sizeof(pubkey));
3551 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3552 VG_CHECK(&pubkey, sizeof(pubkey));
3554 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3557 /* Length two claimed, fail, zeroize, no illegal arg error. */
3558 for (i = 0; i < 65536 ; i++) {
3559 memset(&pubkey, 0xfe, sizeof(pubkey));
3561 shortkey[0] = i & 255;
3562 shortkey[1] = i >> 8;
3563 VG_UNDEF(&pubkey, sizeof(pubkey));
3564 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3565 VG_CHECK(&pubkey, sizeof(pubkey));
3567 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3570 memset(&pubkey, 0xfe, sizeof(pubkey));
3572 VG_UNDEF(&pubkey, sizeof(pubkey));
3573 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3574 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3575 VG_CHECK(&pubkey, sizeof(pubkey));
3577 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3579 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3580 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3582 /* NULL input string. Illegal arg and zeroize output. */
3583 memset(&pubkey, 0xfe, sizeof(pubkey));
3585 VG_UNDEF(&pubkey, sizeof(pubkey));
3586 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3587 VG_CHECK(&pubkey, sizeof(pubkey));
3589 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3591 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3592 memset(&pubkey, 0xfe, sizeof(pubkey));
3594 VG_UNDEF(&pubkey, sizeof(pubkey));
3595 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3596 VG_CHECK(&pubkey, sizeof(pubkey));
3598 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3600 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3601 memset(&pubkey, 0xfe, sizeof(pubkey));
3603 VG_UNDEF(&pubkey, sizeof(pubkey));
3604 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3605 VG_CHECK(&pubkey, sizeof(pubkey));
3607 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3610 memset(&pubkey, 0, sizeof(pubkey));
3612 VG_UNDEF(&pubkey, sizeof(pubkey));
3613 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3614 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3615 VG_CHECK(&pubkey, sizeof(pubkey));
3617 VG_UNDEF(&ge, sizeof(ge));
3618 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3619 VG_CHECK(&ge.x, sizeof(ge.x));
3620 VG_CHECK(&ge.y, sizeof(ge.y));
3621 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3622 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3624 /* secp256k1_ec_pubkey_serialize illegal args. */
3627 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3630 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3634 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3639 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3644 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3648 /* Multiple illegal args. Should still set arg error only once. */
3651 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3653 /* Does the illegal arg callback actually change the behavior? */
3654 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3655 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3657 CHECK(ecount2 == 10);
3658 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3659 /* Try a bunch of prefabbed points with all possible encodings. */
3660 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3661 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3663 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3664 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3666 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3667 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3671 void run_eckey_edge_case_test(void) {
3672 const unsigned char orderc[32] = {
3673 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3674 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3675 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3676 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3678 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3679 unsigned char ctmp[33];
3680 unsigned char ctmp2[33];
3681 secp256k1_pubkey pubkey;
3682 secp256k1_pubkey pubkey2;
3683 secp256k1_pubkey pubkey_one;
3684 secp256k1_pubkey pubkey_negone;
3685 const secp256k1_pubkey *pubkeys[3];
3688 /* Group order is too large, reject. */
3689 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3690 VG_UNDEF(&pubkey, sizeof(pubkey));
3691 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3692 VG_CHECK(&pubkey, sizeof(pubkey));
3693 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3694 /* Maximum value is too large, reject. */
3695 memset(ctmp, 255, 32);
3696 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3697 memset(&pubkey, 1, sizeof(pubkey));
3698 VG_UNDEF(&pubkey, sizeof(pubkey));
3699 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3700 VG_CHECK(&pubkey, sizeof(pubkey));
3701 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3702 /* Zero is too small, reject. */
3703 memset(ctmp, 0, 32);
3704 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3705 memset(&pubkey, 1, sizeof(pubkey));
3706 VG_UNDEF(&pubkey, sizeof(pubkey));
3707 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3708 VG_CHECK(&pubkey, sizeof(pubkey));
3709 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3710 /* One must be accepted. */
3712 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3713 memset(&pubkey, 0, sizeof(pubkey));
3714 VG_UNDEF(&pubkey, sizeof(pubkey));
3715 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3716 VG_CHECK(&pubkey, sizeof(pubkey));
3717 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3718 pubkey_one = pubkey;
3719 /* Group order + 1 is too large, reject. */
3720 memcpy(ctmp, orderc, 32);
3722 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3723 memset(&pubkey, 1, sizeof(pubkey));
3724 VG_UNDEF(&pubkey, sizeof(pubkey));
3725 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3726 VG_CHECK(&pubkey, sizeof(pubkey));
3727 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3728 /* -1 must be accepted. */
3730 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3731 memset(&pubkey, 0, sizeof(pubkey));
3732 VG_UNDEF(&pubkey, sizeof(pubkey));
3733 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3734 VG_CHECK(&pubkey, sizeof(pubkey));
3735 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3736 pubkey_negone = pubkey;
3737 /* Tweak of zero leaves the value unchanged. */
3738 memset(ctmp2, 0, 32);
3739 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3740 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3741 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3742 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3743 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3744 /* Multiply tweak of zero zeroizes the output. */
3745 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3746 CHECK(memcmp(zeros, ctmp, 32) == 0);
3747 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3748 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3749 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3750 /* Overflowing key tweak zeroizes. */
3751 memcpy(ctmp, orderc, 32);
3753 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3754 CHECK(memcmp(zeros, ctmp, 32) == 0);
3755 memcpy(ctmp, orderc, 32);
3757 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3758 CHECK(memcmp(zeros, ctmp, 32) == 0);
3759 memcpy(ctmp, orderc, 32);
3761 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3762 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3763 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3764 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3765 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3766 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3767 /* Private key tweaks results in a key of zero. */
3769 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3770 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3772 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3773 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3774 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3775 /* Tweak computation wraps and results in a key of 1. */
3777 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3778 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3780 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3782 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3783 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3784 /* Tweak mul * 2 = 1+1. */
3785 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3787 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3788 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3789 /* Test argument errors. */
3791 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3793 /* Zeroize pubkey on parse error. */
3794 memset(&pubkey, 0, 32);
3795 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3797 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3798 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3799 memset(&pubkey2, 0, 32);
3800 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3802 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3803 /* Plain argument errors. */
3805 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3807 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3810 memset(ctmp2, 0, 32);
3812 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3814 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3817 memset(ctmp2, 0, 32);
3819 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3821 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3824 memset(ctmp2, 0, 32);
3825 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3827 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3830 memset(ctmp2, 0, 32);
3832 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3834 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3837 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3839 memset(&pubkey, 1, sizeof(pubkey));
3840 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3842 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3843 /* secp256k1_ec_pubkey_combine tests. */
3845 pubkeys[0] = &pubkey_one;
3846 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3847 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3848 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3849 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3850 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3851 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3852 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3853 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3855 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3856 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3858 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3859 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3860 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3861 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3862 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3864 pubkeys[0] = &pubkey_negone;
3865 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3866 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3867 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3868 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3869 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3872 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3873 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3874 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3875 /* Result is infinity. */
3876 pubkeys[0] = &pubkey_one;
3877 pubkeys[1] = &pubkey_negone;
3878 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3879 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3880 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3881 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3882 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3884 /* Passes through infinity but comes out one. */
3885 pubkeys[2] = &pubkey_one;
3886 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3887 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3888 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3889 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3890 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3893 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3894 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3895 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3897 pubkeys[1] = &pubkey_one;
3898 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3899 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3900 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3901 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3902 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3904 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3907 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3908 secp256k1_scalar nonce;
3910 random_scalar_order_test(&nonce);
3911 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3914 void test_ecdsa_sign_verify(void) {
3917 secp256k1_scalar one;
3918 secp256k1_scalar msg, key;
3919 secp256k1_scalar sigr, sigs;
3922 random_scalar_order_test(&msg);
3923 random_scalar_order_test(&key);
3924 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3925 secp256k1_ge_set_gej(&pub, &pubj);
3926 getrec = secp256k1_rand_bits(1);
3927 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3929 CHECK(recid >= 0 && recid < 4);
3931 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3932 secp256k1_scalar_set_int(&one, 1);
3933 secp256k1_scalar_add(&msg, &msg, &one);
3934 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3937 void run_ecdsa_sign_verify(void) {
3939 for (i = 0; i < 10*count; i++) {
3940 test_ecdsa_sign_verify();
3944 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3945 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3949 memcpy(nonce32, data, 32);
3950 return (counter == 0);
3953 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3954 /* Dummy nonce generator that has a fatal error on the first counter value. */
3958 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3961 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3962 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3964 memset(nonce32, counter==0 ? 0 : 255, 32);
3971 static const unsigned char order[] = {
3972 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3973 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3974 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3975 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3977 memcpy(nonce32, order, 32);
3983 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3984 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3988 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3991 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3992 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3993 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3996 void test_ecdsa_end_to_end(void) {
3997 unsigned char extra[32] = {0x00};
3998 unsigned char privkey[32];
3999 unsigned char message[32];
4000 unsigned char privkey2[32];
4001 secp256k1_ecdsa_signature signature[6];
4002 secp256k1_scalar r, s;
4003 unsigned char sig[74];
4005 unsigned char pubkeyc[65];
4006 size_t pubkeyclen = 65;
4007 secp256k1_pubkey pubkey;
4008 secp256k1_pubkey pubkey_tmp;
4009 unsigned char seckey[300];
4010 size_t seckeylen = 300;
4012 /* Generate a random key and message. */
4014 secp256k1_scalar msg, key;
4015 random_scalar_order_test(&msg);
4016 random_scalar_order_test(&key);
4017 secp256k1_scalar_get_b32(privkey, &key);
4018 secp256k1_scalar_get_b32(message, &msg);
4021 /* Construct and verify corresponding public key. */
4022 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4023 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4025 /* Verify exporting and importing public key. */
4026 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4027 memset(&pubkey, 0, sizeof(pubkey));
4028 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4030 /* Verify negation changes the key and changes it back */
4031 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4032 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4033 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4034 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4035 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4037 /* Verify private key import and export. */
4038 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4039 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4040 CHECK(memcmp(privkey, privkey2, 32) == 0);
4042 /* Optionally tweak the keys using addition. */
4043 if (secp256k1_rand_int(3) == 0) {
4046 unsigned char rnd[32];
4047 secp256k1_pubkey pubkey2;
4048 secp256k1_rand256_test(rnd);
4049 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4050 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4051 CHECK(ret1 == ret2);
4055 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4056 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4059 /* Optionally tweak the keys using multiplication. */
4060 if (secp256k1_rand_int(3) == 0) {
4063 unsigned char rnd[32];
4064 secp256k1_pubkey pubkey2;
4065 secp256k1_rand256_test(rnd);
4066 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4067 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4068 CHECK(ret1 == ret2);
4072 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4073 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4077 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4078 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4079 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4081 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4084 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4085 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4086 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4087 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4088 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4089 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4090 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4091 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4093 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4094 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4095 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4096 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4097 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4098 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4099 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4100 secp256k1_scalar_negate(&s, &s);
4101 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4102 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4103 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4104 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4105 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4106 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4107 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4108 secp256k1_scalar_negate(&s, &s);
4109 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4110 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4111 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4112 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4114 /* Serialize/parse DER and verify again */
4115 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4116 memset(&signature[0], 0, sizeof(signature[0]));
4117 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4118 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4119 /* Serialize/destroy/parse DER and verify again. */
4121 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4122 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4123 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4124 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4127 void test_random_pubkeys(void) {
4130 unsigned char in[65];
4131 /* Generate some randomly sized pubkeys. */
4132 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4133 if (secp256k1_rand_bits(2) == 0) {
4134 len = secp256k1_rand_bits(6);
4137 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4139 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4141 if (secp256k1_rand_bits(3) == 0) {
4142 in[0] = secp256k1_rand_bits(8);
4145 secp256k1_rand256(&in[1]);
4148 secp256k1_rand256(&in[33]);
4150 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4151 unsigned char out[65];
4152 unsigned char firstb;
4156 /* If the pubkey can be parsed, it should round-trip... */
4157 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4159 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4160 /* ... except for the type of hybrid inputs. */
4161 if ((in[0] != 6) && (in[0] != 7)) {
4162 CHECK(in[0] == out[0]);
4165 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4167 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4168 ge_equals_ge(&elem,&elem2);
4169 /* Check that the X9.62 hybrid type is checked. */
4170 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4171 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4172 if (firstb == 2 || firstb == 3) {
4173 if (in[0] == firstb + 4) {
4180 ge_equals_ge(&elem,&elem2);
4181 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4182 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4187 void run_random_pubkeys(void) {
4189 for (i = 0; i < 10*count; i++) {
4190 test_random_pubkeys();
4194 void run_ecdsa_end_to_end(void) {
4196 for (i = 0; i < 64*count; i++) {
4197 test_ecdsa_end_to_end();
4201 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4202 static const unsigned char zeroes[32] = {0};
4203 #ifdef ENABLE_OPENSSL_TESTS
4204 static const unsigned char max_scalar[32] = {
4205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4207 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4208 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4214 secp256k1_ecdsa_signature sig_der;
4215 unsigned char roundtrip_der[2048];
4216 unsigned char compact_der[64];
4217 size_t len_der = 2048;
4218 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4220 secp256k1_ecdsa_signature sig_der_lax;
4221 unsigned char roundtrip_der_lax[2048];
4222 unsigned char compact_der_lax[64];
4223 size_t len_der_lax = 2048;
4224 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4226 #ifdef ENABLE_OPENSSL_TESTS
4227 ECDSA_SIG *sig_openssl;
4228 const BIGNUM *r = NULL, *s = NULL;
4229 const unsigned char *sigptr;
4230 unsigned char roundtrip_openssl[2048];
4231 int len_openssl = 2048;
4232 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4235 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4237 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4238 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4241 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4242 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4245 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4246 if (parsed_der_lax) {
4247 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4248 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4250 if (valid_der_lax) {
4251 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4252 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4255 if (certainly_der) {
4256 ret |= (!parsed_der) << 2;
4258 if (certainly_not_der) {
4259 ret |= (parsed_der) << 17;
4262 ret |= (!roundtrips_der) << 3;
4266 ret |= (!roundtrips_der_lax) << 12;
4267 ret |= (len_der != len_der_lax) << 13;
4268 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4270 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4272 ret |= (!parsed_der_lax) << 16;
4275 #ifdef ENABLE_OPENSSL_TESTS
4276 sig_openssl = ECDSA_SIG_new();
4278 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4279 if (parsed_openssl) {
4280 ECDSA_SIG_get0(sig_openssl, &r, &s);
4281 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4282 if (valid_openssl) {
4283 unsigned char tmp[32] = {0};
4284 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4285 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4287 if (valid_openssl) {
4288 unsigned char tmp[32] = {0};
4289 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4290 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4293 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4294 if (len_openssl <= 2048) {
4295 unsigned char *ptr = roundtrip_openssl;
4296 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4297 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4301 ECDSA_SIG_free(sig_openssl);
4303 ret |= (parsed_der && !parsed_openssl) << 4;
4304 ret |= (valid_der && !valid_openssl) << 5;
4305 ret |= (roundtrips_openssl && !parsed_der) << 6;
4306 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4307 if (roundtrips_openssl) {
4308 ret |= (len_der != (size_t)len_openssl) << 8;
4309 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4315 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4317 for (i = 0; i < ptrlen; i++) {
4318 int shift = ptrlen - 1 - i;
4322 ptr[i] = (val >> shift) & 0xFF;
4327 static void damage_array(unsigned char *sig, size_t *len) {
4329 int action = secp256k1_rand_bits(3);
4330 if (action < 1 && *len > 3) {
4331 /* Delete a byte. */
4332 pos = secp256k1_rand_int(*len);
4333 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4336 } else if (action < 2 && *len < 2048) {
4337 /* Insert a byte. */
4338 pos = secp256k1_rand_int(1 + *len);
4339 memmove(sig + pos + 1, sig + pos, *len - pos);
4340 sig[pos] = secp256k1_rand_bits(8);
4343 } else if (action < 4) {
4344 /* Modify a byte. */
4345 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4347 } else { /* action < 8 */
4349 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4354 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4356 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4357 size_t tlen, elen, glen;
4362 der = secp256k1_rand_bits(2) == 0;
4363 *certainly_der = der;
4364 *certainly_not_der = 0;
4365 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4367 for (n = 0; n < 2; n++) {
4368 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4369 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4370 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4371 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4372 CHECK(nlen[n] <= 232);
4373 /* The top bit of the number. */
4374 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4375 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4376 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4377 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4378 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4379 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4380 *certainly_not_der = 1;
4382 CHECK(nlen[n] + nzlen[n] <= 300);
4383 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4384 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4386 /* nlenlen[n] max 127 bytes */
4387 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4390 *certainly_not_der = 1;
4393 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4396 /* The total length of the data to go, so far */
4397 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4400 /* The length of the garbage inside the tuple. */
4401 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4403 *certainly_not_der = 1;
4408 /* The length of the garbage after the end of the tuple. */
4409 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4411 *certainly_not_der = 1;
4413 CHECK(tlen + glen <= 990);
4415 /* Write the tuple header. */
4416 sig[(*len)++] = 0x30;
4418 /* Indeterminate length */
4419 sig[(*len)++] = 0x80;
4420 *certainly_not_der = 1;
4422 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4424 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4427 *certainly_not_der = 1;
4431 /* Short length notation */
4432 sig[(*len)++] = tlen;
4434 /* Long length notation */
4435 sig[(*len)++] = 128 + tlenlen;
4436 assign_big_endian(sig + *len, tlenlen, tlen);
4442 CHECK(tlen + glen <= 1119);
4444 for (n = 0; n < 2; n++) {
4445 /* Write the integer header. */
4446 sig[(*len)++] = 0x02;
4447 if (nlenlen[n] == 0) {
4448 /* Short length notation */
4449 sig[(*len)++] = nlen[n] + nzlen[n];
4451 /* Long length notation. */
4452 sig[(*len)++] = 128 + nlenlen[n];
4453 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4456 /* Write zero padding */
4457 while (nzlen[n] > 0) {
4458 sig[(*len)++] = 0x00;
4461 if (nlen[n] == 32 && !nlow[n]) {
4462 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4464 for (i = 0; i < 16; i++) {
4465 sig[(*len)++] = 0xFF;
4469 /* Write first byte of number */
4471 sig[(*len)++] = nhbyte[n];
4474 /* Generate remaining random bytes of number */
4475 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4480 /* Generate random garbage inside tuple. */
4481 secp256k1_rand_bytes_test(sig + *len, elen);
4484 /* Generate end-of-contents bytes. */
4490 CHECK(tlen + glen <= 1121);
4492 /* Generate random garbage outside tuple. */
4493 secp256k1_rand_bytes_test(sig + *len, glen);
4496 CHECK(tlen <= 1121);
4497 CHECK(tlen == *len);
4500 void run_ecdsa_der_parse(void) {
4502 for (i = 0; i < 200 * count; i++) {
4503 unsigned char buffer[2048];
4505 int certainly_der = 0;
4506 int certainly_not_der = 0;
4507 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4508 CHECK(buflen <= 2048);
4509 for (j = 0; j < 16; j++) {
4512 damage_array(buffer, &buflen);
4513 /* We don't know anything anymore about the DERness of the result */
4515 certainly_not_der = 0;
4517 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4520 fprintf(stderr, "Failure %x on ", ret);
4521 for (k = 0; k < buflen; k++) {
4522 fprintf(stderr, "%02x ", buffer[k]);
4524 fprintf(stderr, "\n");
4531 /* Tests several edge cases. */
4532 void test_ecdsa_edge_cases(void) {
4534 secp256k1_ecdsa_signature sig;
4536 /* Test the case where ECDSA recomputes a point that is infinity. */
4540 secp256k1_scalar msg;
4541 secp256k1_scalar sr, ss;
4542 secp256k1_scalar_set_int(&ss, 1);
4543 secp256k1_scalar_negate(&ss, &ss);
4544 secp256k1_scalar_inverse(&ss, &ss);
4545 secp256k1_scalar_set_int(&sr, 1);
4546 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4547 secp256k1_ge_set_gej(&key, &keyj);
4549 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4552 /* Verify signature with r of zero fails. */
4554 const unsigned char pubkey_mods_zero[33] = {
4555 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4556 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4557 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4558 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4562 secp256k1_scalar msg;
4563 secp256k1_scalar sr, ss;
4564 secp256k1_scalar_set_int(&ss, 1);
4565 secp256k1_scalar_set_int(&msg, 0);
4566 secp256k1_scalar_set_int(&sr, 0);
4567 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4568 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4571 /* Verify signature with s of zero fails. */
4573 const unsigned char pubkey[33] = {
4574 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4581 secp256k1_scalar msg;
4582 secp256k1_scalar sr, ss;
4583 secp256k1_scalar_set_int(&ss, 0);
4584 secp256k1_scalar_set_int(&msg, 0);
4585 secp256k1_scalar_set_int(&sr, 1);
4586 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4587 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4590 /* Verify signature with message 0 passes. */
4592 const unsigned char pubkey[33] = {
4593 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4594 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4599 const unsigned char pubkey2[33] = {
4600 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4601 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4602 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4603 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4608 secp256k1_scalar msg;
4609 secp256k1_scalar sr, ss;
4610 secp256k1_scalar_set_int(&ss, 2);
4611 secp256k1_scalar_set_int(&msg, 0);
4612 secp256k1_scalar_set_int(&sr, 2);
4613 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4614 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4615 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4616 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4617 secp256k1_scalar_negate(&ss, &ss);
4618 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4619 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4620 secp256k1_scalar_set_int(&ss, 1);
4621 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4622 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4625 /* Verify signature with message 1 passes. */
4627 const unsigned char pubkey[33] = {
4628 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4629 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4630 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4631 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4634 const unsigned char pubkey2[33] = {
4635 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4636 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4637 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4638 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4641 const unsigned char csr[32] = {
4642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4644 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4645 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4649 secp256k1_scalar msg;
4650 secp256k1_scalar sr, ss;
4651 secp256k1_scalar_set_int(&ss, 1);
4652 secp256k1_scalar_set_int(&msg, 1);
4653 secp256k1_scalar_set_b32(&sr, csr, NULL);
4654 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4655 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4656 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4657 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4658 secp256k1_scalar_negate(&ss, &ss);
4659 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4660 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4661 secp256k1_scalar_set_int(&ss, 2);
4662 secp256k1_scalar_inverse_var(&ss, &ss);
4663 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4664 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4667 /* Verify signature with message -1 passes. */
4669 const unsigned char pubkey[33] = {
4670 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4671 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4672 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4673 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4676 const unsigned char csr[32] = {
4677 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4679 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4680 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4683 secp256k1_scalar msg;
4684 secp256k1_scalar sr, ss;
4685 secp256k1_scalar_set_int(&ss, 1);
4686 secp256k1_scalar_set_int(&msg, 1);
4687 secp256k1_scalar_negate(&msg, &msg);
4688 secp256k1_scalar_set_b32(&sr, csr, NULL);
4689 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4690 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4691 secp256k1_scalar_negate(&ss, &ss);
4692 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4693 secp256k1_scalar_set_int(&ss, 3);
4694 secp256k1_scalar_inverse_var(&ss, &ss);
4695 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4698 /* Signature where s would be zero. */
4700 secp256k1_pubkey pubkey;
4703 unsigned char signature[72];
4704 static const unsigned char nonce[32] = {
4705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4710 static const unsigned char nonce2[32] = {
4711 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4712 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4713 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4714 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4716 const unsigned char key[32] = {
4717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4719 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4720 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4722 unsigned char msg[32] = {
4723 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4724 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4725 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4726 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4729 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4730 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4731 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4733 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4735 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4737 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4739 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4741 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4742 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4743 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4745 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4747 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4749 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4751 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4753 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4754 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4757 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4759 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4760 CHECK(ecount == 10);
4761 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4762 CHECK(ecount == 11);
4763 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4764 CHECK(ecount == 11);
4765 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4766 CHECK(ecount == 12);
4767 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4768 CHECK(ecount == 13);
4769 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4770 CHECK(ecount == 13);
4772 /* Too little room for a signature does not fail via ARGCHECK. */
4773 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4774 CHECK(ecount == 13);
4776 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4778 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4780 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4782 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4784 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4786 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4788 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4790 memset(signature, 255, 64);
4791 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4793 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4796 /* Nonce function corner cases. */
4797 for (t = 0; t < 2; t++) {
4798 static const unsigned char zero[32] = {0x00};
4800 unsigned char key[32];
4801 unsigned char msg[32];
4802 secp256k1_ecdsa_signature sig2;
4803 secp256k1_scalar sr[512], ss;
4804 const unsigned char *extra;
4805 extra = t == 0 ? NULL : zero;
4808 /* High key results in signature failure. */
4809 memset(key, 0xFF, 32);
4810 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4811 CHECK(is_empty_signature(&sig));
4812 /* Zero key results in signature failure. */
4814 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4815 CHECK(is_empty_signature(&sig));
4816 /* Nonce function failure results in signature failure. */
4818 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4819 CHECK(is_empty_signature(&sig));
4820 /* The retry loop successfully makes its way to the first good value. */
4821 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4822 CHECK(!is_empty_signature(&sig));
4823 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4824 CHECK(!is_empty_signature(&sig2));
4825 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4826 /* The default nonce function is deterministic. */
4827 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4828 CHECK(!is_empty_signature(&sig2));
4829 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4830 /* The default nonce function changes output with different messages. */
4831 for(i = 0; i < 256; i++) {
4834 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4835 CHECK(!is_empty_signature(&sig2));
4836 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4837 for (j = 0; j < i; j++) {
4838 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4843 /* The default nonce function changes output with different keys. */
4844 for(i = 256; i < 512; i++) {
4847 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4848 CHECK(!is_empty_signature(&sig2));
4849 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4850 for (j = 0; j < i; j++) {
4851 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4858 /* Check that optional nonce arguments do not have equivalent effect. */
4859 const unsigned char zeros[32] = {0};
4860 unsigned char nonce[32];
4861 unsigned char nonce2[32];
4862 unsigned char nonce3[32];
4863 unsigned char nonce4[32];
4865 VG_UNDEF(nonce2,32);
4866 VG_UNDEF(nonce3,32);
4867 VG_UNDEF(nonce4,32);
4868 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4870 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4871 VG_CHECK(nonce2,32);
4872 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4873 VG_CHECK(nonce3,32);
4874 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4875 VG_CHECK(nonce4,32);
4876 CHECK(memcmp(nonce, nonce2, 32) != 0);
4877 CHECK(memcmp(nonce, nonce3, 32) != 0);
4878 CHECK(memcmp(nonce, nonce4, 32) != 0);
4879 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4880 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4881 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4885 /* Privkey export where pubkey is the point at infinity. */
4887 unsigned char privkey[300];
4888 unsigned char seckey[32] = {
4889 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4890 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4891 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4892 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4894 size_t outlen = 300;
4895 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4897 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4901 void run_ecdsa_edge_cases(void) {
4902 test_ecdsa_edge_cases();
4905 #ifdef ENABLE_OPENSSL_TESTS
4906 EC_KEY *get_openssl_key(const unsigned char *key32) {
4907 unsigned char privkey[300];
4909 const unsigned char* pbegin = privkey;
4910 int compr = secp256k1_rand_bits(1);
4911 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4912 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4913 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4914 CHECK(EC_KEY_check_key(ec_key));
4918 void test_ecdsa_openssl(void) {
4921 secp256k1_scalar sigr, sigs;
4922 secp256k1_scalar one;
4923 secp256k1_scalar msg2;
4924 secp256k1_scalar key, msg;
4926 unsigned int sigsize = 80;
4927 size_t secp_sigsize = 80;
4928 unsigned char message[32];
4929 unsigned char signature[80];
4930 unsigned char key32[32];
4931 secp256k1_rand256_test(message);
4932 secp256k1_scalar_set_b32(&msg, message, NULL);
4933 random_scalar_order_test(&key);
4934 secp256k1_scalar_get_b32(key32, &key);
4935 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4936 secp256k1_ge_set_gej(&q, &qj);
4937 ec_key = get_openssl_key(key32);
4938 CHECK(ec_key != NULL);
4939 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4940 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4941 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4942 secp256k1_scalar_set_int(&one, 1);
4943 secp256k1_scalar_add(&msg2, &msg, &one);
4944 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4946 random_sign(&sigr, &sigs, &key, &msg, NULL);
4947 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4948 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4950 EC_KEY_free(ec_key);
4953 void run_ecdsa_openssl(void) {
4955 for (i = 0; i < 10*count; i++) {
4956 test_ecdsa_openssl();
4961 #ifdef ENABLE_MODULE_ECDH
4962 # include "modules/ecdh/tests_impl.h"
4965 #ifdef ENABLE_MODULE_RECOVERY
4966 # include "modules/recovery/tests_impl.h"
4969 int main(int argc, char **argv) {
4970 unsigned char seed16[16] = {0};
4971 unsigned char run32[32] = {0};
4972 /* find iteration count */
4974 count = strtol(argv[1], NULL, 0);
4977 /* find random seed */
4980 const char* ch = argv[2];
4981 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4983 if (sscanf(ch, "%2hx", &sh)) {
4992 FILE *frand = fopen("/dev/urandom", "r");
4993 if ((frand == NULL) || fread(&seed16, sizeof(seed16), 1, frand) != sizeof(seed16)) {
4994 uint64_t t = time(NULL) * (uint64_t)1337;
4996 seed16[1] ^= t >> 8;
4997 seed16[2] ^= t >> 16;
4998 seed16[3] ^= t >> 24;
4999 seed16[4] ^= t >> 32;
5000 seed16[5] ^= t >> 40;
5001 seed16[6] ^= t >> 48;
5002 seed16[7] ^= t >> 56;
5008 secp256k1_rand_seed(seed16);
5010 printf("test count = %i\n", count);
5011 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5014 run_context_tests();
5015 run_scratch_tests();
5016 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5017 if (secp256k1_rand_bits(1)) {
5018 secp256k1_rand256(run32);
5019 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5026 run_hmac_sha256_tests();
5027 run_rfc6979_hmac_sha256_tests();
5029 #ifndef USE_NUM_NONE
5031 run_num_smalltests();
5039 run_field_inv_var();
5040 run_field_inv_all_var();
5042 run_field_convert();
5048 run_group_decompress();
5052 run_point_times_order();
5054 run_ecmult_constants();
5055 run_ecmult_gen_blind();
5056 run_ecmult_const_tests();
5057 run_ecmult_multi_tests();
5060 /* endomorphism tests */
5061 #ifdef USE_ENDOMORPHISM
5062 run_endomorphism_tests();
5065 /* EC point parser test */
5066 run_ec_pubkey_parse_test();
5068 /* EC key edge cases */
5069 run_eckey_edge_case_test();
5071 #ifdef ENABLE_MODULE_ECDH
5077 run_random_pubkeys();
5078 run_ecdsa_der_parse();
5079 run_ecdsa_sign_verify();
5080 run_ecdsa_end_to_end();
5081 run_ecdsa_edge_cases();
5082 #ifdef ENABLE_OPENSSL_TESTS
5083 run_ecdsa_openssl();
5086 #ifdef ENABLE_MODULE_RECOVERY
5087 /* ECDSA pubkey recovery tests */
5088 run_recovery_tests();
5091 secp256k1_rand256(run32);
5092 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5095 secp256k1_context_destroy(ctx);
5097 printf("no problems found\n");
projects / secp256k1.git / blob