1 // Copyright (c) 2013 Pieter Wuille
2 // Distributed under the MIT/X11 software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 #if defined HAVE_CONFIG_H
6 #include "libsecp256k1-config.h"
12 #include "secp256k1.c"
13 #include "testrand_impl.h"
15 #ifdef ENABLE_OPENSSL_TESTS
16 #include "openssl/bn.h"
17 #include "openssl/ec.h"
18 #include "openssl/ecdsa.h"
19 #include "openssl/obj_mac.h"
22 static int count = 64;
24 /***** NUM TESTS *****/
26 void random_num_negate(secp256k1_num_t *num) {
27 if (secp256k1_rand32() & 1)
28 secp256k1_num_negate(num);
31 void random_field_element_test(secp256k1_fe_t *fe) {
33 unsigned char b32[32];
34 secp256k1_rand256_test(b32);
36 secp256k1_num_set_bin(&num, b32, 32);
37 if (secp256k1_num_cmp(&num, &secp256k1_fe_consts->p) >= 0)
39 secp256k1_fe_set_b32(fe, b32);
44 void random_field_element_magnitude(secp256k1_fe_t *fe) {
45 secp256k1_fe_normalize(fe);
46 int n = secp256k1_rand32() % 4;
47 for (int i = 0; i < n; i++) {
48 secp256k1_fe_negate(fe, fe, 1 + 2*i);
49 secp256k1_fe_negate(fe, fe, 2 + 2*i);
53 void random_group_element_test(secp256k1_ge_t *ge) {
56 random_field_element_test(&fe);
57 if (secp256k1_ge_set_xo(ge, &fe, secp256k1_rand32() & 1))
62 void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge) {
64 random_field_element_test(&gej->z);
65 if (!secp256k1_fe_is_zero(&gej->z)) {
69 secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &gej->z);
70 secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &z2, &gej->z);
71 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
72 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
73 gej->infinity = ge->infinity;
76 void random_num_order_test(secp256k1_num_t *num) {
78 unsigned char b32[32];
79 secp256k1_rand256_test(b32);
80 secp256k1_num_set_bin(num, b32, 32);
81 if (secp256k1_num_is_zero(num))
83 if (secp256k1_num_cmp(num, &secp256k1_ge_consts->order) >= 0)
89 void random_scalar_order_test(secp256k1_scalar_t *num) {
91 unsigned char b32[32];
92 secp256k1_rand256_test(b32);
94 secp256k1_scalar_set_b32(num, b32, &overflow);
95 if (overflow || secp256k1_scalar_is_zero(num))
101 void random_num_order(secp256k1_num_t *num) {
103 unsigned char b32[32];
104 secp256k1_rand256(b32);
105 secp256k1_num_set_bin(num, b32, 32);
106 if (secp256k1_num_is_zero(num))
108 if (secp256k1_num_cmp(num, &secp256k1_ge_consts->order) >= 0)
114 void test_num_copy_inc_cmp(void) {
115 secp256k1_num_t n1,n2;
116 random_num_order(&n1);
117 secp256k1_num_copy(&n2, &n1);
118 CHECK(secp256k1_num_eq(&n1, &n2));
119 CHECK(secp256k1_num_eq(&n2, &n1));
120 secp256k1_num_inc(&n2);
121 CHECK(!secp256k1_num_eq(&n1, &n2));
122 CHECK(!secp256k1_num_eq(&n2, &n1));
126 void test_num_get_set_hex(void) {
127 secp256k1_num_t n1,n2;
128 random_num_order_test(&n1);
130 secp256k1_num_get_hex(c, 64, &n1);
131 secp256k1_num_set_hex(&n2, c, 64);
132 CHECK(secp256k1_num_eq(&n1, &n2));
133 for (int i=0; i<64; i++) {
134 // check whether the lower 4 bits correspond to the last hex character
135 int low1 = secp256k1_num_shift(&n1, 4);
137 int low2 = ((lowh>>6)*9+(lowh-'0'))&15;
139 // shift bits off the hex representation, and compare
142 secp256k1_num_set_hex(&n2, c, 64);
143 CHECK(secp256k1_num_eq(&n1, &n2));
147 void test_num_get_set_bin(void) {
148 secp256k1_num_t n1,n2;
149 random_num_order_test(&n1);
151 secp256k1_num_get_bin(c, 32, &n1);
152 secp256k1_num_set_bin(&n2, c, 32);
153 CHECK(secp256k1_num_eq(&n1, &n2));
154 for (int i=0; i<32; i++) {
155 // check whether the lower 8 bits correspond to the last byte
156 int low1 = secp256k1_num_shift(&n1, 8);
159 // shift bits off the byte representation, and compare
162 secp256k1_num_set_bin(&n2, c, 32);
163 CHECK(secp256k1_num_eq(&n1, &n2));
167 void run_num_int(void) {
169 for (int i=-255; i<256; i++) {
170 unsigned char c1[3] = {};
172 unsigned char c2[3] = {0x11,0x22,0x33};
173 secp256k1_num_set_int(&n1, i);
174 secp256k1_num_get_bin(c2, 3, &n1);
175 CHECK(memcmp(c1, c2, 3) == 0);
179 void test_num_negate(void) {
182 random_num_order_test(&n1); // n1 = R
183 random_num_negate(&n1);
184 secp256k1_num_copy(&n2, &n1); // n2 = R
185 secp256k1_num_sub(&n1, &n2, &n1); // n1 = n2-n1 = 0
186 CHECK(secp256k1_num_is_zero(&n1));
187 secp256k1_num_copy(&n1, &n2); // n1 = R
188 secp256k1_num_negate(&n1); // n1 = -R
189 CHECK(!secp256k1_num_is_zero(&n1));
190 secp256k1_num_add(&n1, &n2, &n1); // n1 = n2+n1 = 0
191 CHECK(secp256k1_num_is_zero(&n1));
192 secp256k1_num_copy(&n1, &n2); // n1 = R
193 secp256k1_num_negate(&n1); // n1 = -R
194 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
195 secp256k1_num_negate(&n1); // n1 = R
196 CHECK(secp256k1_num_eq(&n1, &n2));
199 void test_num_add_sub(void) {
200 int r = secp256k1_rand32();
203 random_num_order_test(&n1); // n1 = R1
205 random_num_negate(&n1);
207 random_num_order_test(&n2); // n2 = R2
209 random_num_negate(&n2);
211 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
212 secp256k1_num_add(&n1p2, &n1, &n2); // n1p2 = R1 + R2
213 secp256k1_num_add(&n2p1, &n2, &n1); // n2p1 = R2 + R1
214 secp256k1_num_sub(&n1m2, &n1, &n2); // n1m2 = R1 - R2
215 secp256k1_num_sub(&n2m1, &n2, &n1); // n2m1 = R2 - R1
216 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
217 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
218 secp256k1_num_negate(&n2m1); // n2m1 = -R2 + R1
219 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
220 CHECK(!secp256k1_num_eq(&n2m1, &n1));
221 secp256k1_num_add(&n2m1, &n2m1, &n2); // n2m1 = -R2 + R1 + R2 = R1
222 CHECK(secp256k1_num_eq(&n2m1, &n1));
223 CHECK(!secp256k1_num_eq(&n2p1, &n1));
224 secp256k1_num_sub(&n2p1, &n2p1, &n2); // n2p1 = R2 + R1 - R2 = R1
225 CHECK(secp256k1_num_eq(&n2p1, &n1));
228 void run_num_smalltests(void) {
229 for (int i=0; i<100*count; i++) {
230 test_num_copy_inc_cmp();
231 test_num_get_set_hex();
232 test_num_get_set_bin();
239 /***** SCALAR TESTS *****/
241 int secp256k1_scalar_eq(const secp256k1_scalar_t *s1, const secp256k1_scalar_t *s2) {
242 secp256k1_scalar_t t;
243 secp256k1_scalar_negate(&t, s2);
244 secp256k1_scalar_add(&t, &t, s1);
245 int ret = secp256k1_scalar_is_zero(&t);
249 void scalar_test(void) {
252 // Set 's' to a random scalar, with value 'snum'.
253 secp256k1_rand256_test(c);
254 secp256k1_scalar_t s;
255 secp256k1_scalar_set_b32(&s, c, NULL);
256 secp256k1_num_t snum;
257 secp256k1_num_set_bin(&snum, c, 32);
258 secp256k1_num_mod(&snum, &secp256k1_ge_consts->order);
260 // Set 's1' to a random scalar, with value 's1num'.
261 secp256k1_rand256_test(c);
262 secp256k1_scalar_t s1;
263 secp256k1_scalar_set_b32(&s1, c, NULL);
264 secp256k1_num_t s1num;
265 secp256k1_num_set_bin(&s1num, c, 32);
266 secp256k1_num_mod(&s1num, &secp256k1_ge_consts->order);
268 // Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'.
269 secp256k1_rand256_test(c);
270 secp256k1_scalar_t s2;
272 secp256k1_scalar_set_b32(&s2, c, &overflow);
273 secp256k1_num_t s2num;
274 secp256k1_num_set_bin(&s2num, c, 32);
275 secp256k1_num_mod(&s2num, &secp256k1_ge_consts->order);
278 // Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it.
279 secp256k1_num_t n, t, m;
280 secp256k1_num_set_int(&n, 0);
281 secp256k1_num_set_int(&m, 16);
282 for (int i = 0; i < 256; i += 4) {
283 secp256k1_num_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
284 secp256k1_num_mul(&n, &n, &m);
285 secp256k1_num_add(&n, &n, &t);
287 CHECK(secp256k1_num_eq(&n, &snum));
291 // Test that get_b32 returns the same as get_bin on the number.
292 unsigned char r1[32];
293 secp256k1_scalar_get_b32(r1, &s2);
294 unsigned char r2[32];
295 secp256k1_num_get_bin(r2, 32, &s2num);
296 CHECK(memcmp(r1, r2, 32) == 0);
297 // If no overflow occurred when assigning, it should also be equal to the original byte array.
298 CHECK((memcmp(r1, c, 32) == 0) == (overflow == 0));
302 // Test that adding the scalars together is equal to adding their numbers together modulo the order.
303 secp256k1_num_t rnum;
304 secp256k1_num_add(&rnum, &snum, &s2num);
305 secp256k1_num_mod(&rnum, &secp256k1_ge_consts->order);
306 secp256k1_scalar_t r;
307 secp256k1_scalar_add(&r, &s, &s2);
308 secp256k1_num_t r2num;
309 secp256k1_scalar_get_num(&r2num, &r);
310 CHECK(secp256k1_num_eq(&rnum, &r2num));
314 // Test that multipying the scalars is equal to multiplying their numbers modulo the order.
315 secp256k1_num_t rnum;
316 secp256k1_num_mul(&rnum, &snum, &s2num);
317 secp256k1_num_mod(&rnum, &secp256k1_ge_consts->order);
318 secp256k1_scalar_t r;
319 secp256k1_scalar_mul(&r, &s, &s2);
320 secp256k1_num_t r2num;
321 secp256k1_scalar_get_num(&r2num, &r);
322 CHECK(secp256k1_num_eq(&rnum, &r2num));
323 // The result can only be zero if at least one of the factors was zero.
324 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
325 // The results can only be equal to one of the factors if that factor was zero, or the other factor was one.
326 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
327 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
331 // Check that comparison with zero matches comparison with zero on the number.
332 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
333 // Check that comparison with the half order is equal to testing for high scalar.
334 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &secp256k1_ge_consts->half_order) > 0));
335 secp256k1_scalar_t neg;
336 secp256k1_scalar_negate(&neg, &s);
337 secp256k1_num_t negnum;
338 secp256k1_num_sub(&negnum, &secp256k1_ge_consts->order, &snum);
339 secp256k1_num_mod(&negnum, &secp256k1_ge_consts->order);
340 // Check that comparison with the half order is equal to testing for high scalar after negation.
341 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &secp256k1_ge_consts->half_order) > 0));
342 // Negating should change the high property, unless the value was already zero.
343 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
344 secp256k1_num_t negnum2;
345 secp256k1_scalar_get_num(&negnum2, &neg);
346 // Negating a scalar should be equal to (order - n) mod order on the number.
347 CHECK(secp256k1_num_eq(&negnum, &negnum2));
348 secp256k1_scalar_add(&neg, &neg, &s);
349 // Adding a number to its negation should result in zero.
350 CHECK(secp256k1_scalar_is_zero(&neg));
351 secp256k1_scalar_negate(&neg, &neg);
352 // Negating zero should still result in zero.
353 CHECK(secp256k1_scalar_is_zero(&neg));
357 // Test that scalar inverses are equal to the inverse of their number modulo the order.
358 if (!secp256k1_scalar_is_zero(&s)) {
359 secp256k1_scalar_t inv;
360 secp256k1_scalar_inverse(&inv, &s);
361 secp256k1_num_t invnum;
362 secp256k1_num_mod_inverse(&invnum, &snum, &secp256k1_ge_consts->order);
363 secp256k1_num_t invnum2;
364 secp256k1_scalar_get_num(&invnum2, &inv);
365 CHECK(secp256k1_num_eq(&invnum, &invnum2));
366 secp256k1_scalar_mul(&inv, &inv, &s);
367 // Multiplying a scalar with its inverse must result in one.
368 CHECK(secp256k1_scalar_is_one(&inv));
369 secp256k1_scalar_inverse(&inv, &inv);
370 // Inverting one must result in one.
371 CHECK(secp256k1_scalar_is_one(&inv));
376 // Test commutativity of add.
377 secp256k1_scalar_t r1, r2;
378 secp256k1_scalar_add(&r1, &s1, &s2);
379 secp256k1_scalar_add(&r2, &s2, &s1);
380 CHECK(secp256k1_scalar_eq(&r1, &r2));
384 // Test commutativity of mul.
385 secp256k1_scalar_t r1, r2;
386 secp256k1_scalar_mul(&r1, &s1, &s2);
387 secp256k1_scalar_mul(&r2, &s2, &s1);
388 CHECK(secp256k1_scalar_eq(&r1, &r2));
392 // Test associativity of add.
393 secp256k1_scalar_t r1, r2;
394 secp256k1_scalar_add(&r1, &s1, &s2);
395 secp256k1_scalar_add(&r1, &r1, &s);
396 secp256k1_scalar_add(&r2, &s2, &s);
397 secp256k1_scalar_add(&r2, &s1, &r2);
398 CHECK(secp256k1_scalar_eq(&r1, &r2));
402 // Test associativity of mul.
403 secp256k1_scalar_t r1, r2;
404 secp256k1_scalar_mul(&r1, &s1, &s2);
405 secp256k1_scalar_mul(&r1, &r1, &s);
406 secp256k1_scalar_mul(&r2, &s2, &s);
407 secp256k1_scalar_mul(&r2, &s1, &r2);
408 CHECK(secp256k1_scalar_eq(&r1, &r2));
412 // Test distributitivity of mul over add.
413 secp256k1_scalar_t r1, r2, t;
414 secp256k1_scalar_add(&r1, &s1, &s2);
415 secp256k1_scalar_mul(&r1, &r1, &s);
416 secp256k1_scalar_mul(&r2, &s1, &s);
417 secp256k1_scalar_mul(&t, &s2, &s);
418 secp256k1_scalar_add(&r2, &r2, &t);
419 CHECK(secp256k1_scalar_eq(&r1, &r2));
424 secp256k1_scalar_t r1, r2;
425 secp256k1_scalar_sqr(&r1, &s1);
426 secp256k1_scalar_mul(&r2, &s1, &s1);
427 CHECK(secp256k1_scalar_eq(&r1, &r2));
431 void run_scalar_tests(void) {
432 for (int i = 0; i < 128 * count; i++) {
437 /***** FIELD TESTS *****/
439 void random_fe(secp256k1_fe_t *x) {
440 unsigned char bin[32];
441 secp256k1_rand256(bin);
442 secp256k1_fe_set_b32(x, bin);
445 void random_fe_non_zero(secp256k1_fe_t *nz) {
447 while (--tries >= 0) {
449 secp256k1_fe_normalize(nz);
450 if (!secp256k1_fe_is_zero(nz))
453 // Infinitesimal probability of spurious failure here
457 void random_fe_non_square(secp256k1_fe_t *ns) {
458 random_fe_non_zero(ns);
460 if (secp256k1_fe_sqrt(&r, ns)) {
461 secp256k1_fe_negate(ns, ns, 1);
465 int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
466 secp256k1_fe_t an = *a; secp256k1_fe_normalize(&an);
467 secp256k1_fe_t bn = *b; secp256k1_fe_normalize(&bn);
468 return secp256k1_fe_equal(&an, &bn);
471 int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
472 secp256k1_fe_t x; secp256k1_fe_mul(&x, a, ai);
473 secp256k1_fe_t one; secp256k1_fe_set_int(&one, 1);
474 return check_fe_equal(&x, &one);
477 void run_field_inv(void) {
478 secp256k1_fe_t x, xi, xii;
479 for (int i=0; i<10*count; i++) {
480 random_fe_non_zero(&x);
481 secp256k1_fe_inv(&xi, &x);
482 CHECK(check_fe_inverse(&x, &xi));
483 secp256k1_fe_inv(&xii, &xi);
484 CHECK(check_fe_equal(&x, &xii));
488 void run_field_inv_var(void) {
489 secp256k1_fe_t x, xi, xii;
490 for (int i=0; i<10*count; i++) {
491 random_fe_non_zero(&x);
492 secp256k1_fe_inv_var(&xi, &x);
493 CHECK(check_fe_inverse(&x, &xi));
494 secp256k1_fe_inv_var(&xii, &xi);
495 CHECK(check_fe_equal(&x, &xii));
499 void run_field_inv_all(void) {
500 secp256k1_fe_t x[16], xi[16], xii[16];
501 // Check it's safe to call for 0 elements
502 secp256k1_fe_inv_all(0, xi, x);
503 for (int i=0; i<count; i++) {
504 size_t len = (secp256k1_rand32() & 15) + 1;
505 for (size_t j=0; j<len; j++)
506 random_fe_non_zero(&x[j]);
507 secp256k1_fe_inv_all(len, xi, x);
508 for (size_t j=0; j<len; j++)
509 CHECK(check_fe_inverse(&x[j], &xi[j]));
510 secp256k1_fe_inv_all(len, xii, xi);
511 for (size_t j=0; j<len; j++)
512 CHECK(check_fe_equal(&x[j], &xii[j]));
516 void run_field_inv_all_var(void) {
517 secp256k1_fe_t x[16], xi[16], xii[16];
518 // Check it's safe to call for 0 elements
519 secp256k1_fe_inv_all_var(0, xi, x);
520 for (int i=0; i<count; i++) {
521 size_t len = (secp256k1_rand32() & 15) + 1;
522 for (size_t j=0; j<len; j++)
523 random_fe_non_zero(&x[j]);
524 secp256k1_fe_inv_all_var(len, xi, x);
525 for (size_t j=0; j<len; j++)
526 CHECK(check_fe_inverse(&x[j], &xi[j]));
527 secp256k1_fe_inv_all_var(len, xii, xi);
528 for (size_t j=0; j<len; j++)
529 CHECK(check_fe_equal(&x[j], &xii[j]));
537 secp256k1_fe_set_int(&x, 1);
538 secp256k1_fe_negate(&x, &x, 1);
540 for (int i=1; i<=512; ++i) {
541 secp256k1_fe_mul_int(&x, 2);
542 secp256k1_fe_normalize(&x);
543 secp256k1_fe_sqr(&s, &x);
548 void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
549 secp256k1_fe_t r1, r2;
550 int v = secp256k1_fe_sqrt(&r1, a);
551 CHECK((v == 0) == (k == NULL));
554 // Check that the returned root is +/- the given known answer
555 secp256k1_fe_negate(&r2, &r1, 1);
556 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
557 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
558 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
562 void run_sqrt(void) {
563 secp256k1_fe_t ns, x, s, t;
565 // Check sqrt(0) is 0
566 secp256k1_fe_set_int(&x, 0);
567 secp256k1_fe_sqr(&s, &x);
570 // Check sqrt of small squares (and their negatives)
571 for (int i=1; i<=100; i++) {
572 secp256k1_fe_set_int(&x, i);
573 secp256k1_fe_sqr(&s, &x);
575 secp256k1_fe_negate(&t, &s, 1);
579 // Consistency checks for large random values
580 for (int i=0; i<10; i++) {
581 random_fe_non_square(&ns);
582 for (int j=0; j<count; j++) {
584 secp256k1_fe_sqr(&s, &x);
586 secp256k1_fe_negate(&t, &s, 1);
588 secp256k1_fe_mul(&t, &s, &ns);
594 /***** GROUP TESTS *****/
596 int ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b) {
597 if (a->infinity && b->infinity)
599 return check_fe_equal(&a->x, &b->x) && check_fe_equal(&a->y, &b->y);
602 void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b) {
604 secp256k1_gej_t bj = *b;
605 secp256k1_ge_set_gej_var(&bb, &bj);
606 CHECK(ge_equals_ge(a, &bb));
609 void gej_equals_gej(const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
610 secp256k1_ge_t aa, bb;
611 secp256k1_gej_t aj = *a, bj = *b;
612 secp256k1_ge_set_gej_var(&aa, &aj);
613 secp256k1_ge_set_gej_var(&bb, &bj);
614 CHECK(ge_equals_ge(&aa, &bb));
618 secp256k1_ge_t a, b, i, n;
619 random_group_element_test(&a);
620 random_group_element_test(&b);
622 secp256k1_fe_normalize(&a.y);
623 secp256k1_fe_negate(&n.y, &a.y, 1);
624 secp256k1_ge_set_infinity(&i);
625 random_field_element_magnitude(&a.x);
626 random_field_element_magnitude(&a.y);
627 random_field_element_magnitude(&b.x);
628 random_field_element_magnitude(&b.y);
629 random_field_element_magnitude(&n.x);
630 random_field_element_magnitude(&n.y);
632 secp256k1_gej_t aj, bj, ij, nj;
633 random_group_element_jacobian_test(&aj, &a);
634 random_group_element_jacobian_test(&bj, &b);
635 secp256k1_gej_set_infinity(&ij);
636 random_group_element_jacobian_test(&nj, &n);
637 random_field_element_magnitude(&aj.x);
638 random_field_element_magnitude(&aj.y);
639 random_field_element_magnitude(&aj.z);
640 random_field_element_magnitude(&bj.x);
641 random_field_element_magnitude(&bj.y);
642 random_field_element_magnitude(&bj.z);
643 random_field_element_magnitude(&nj.x);
644 random_field_element_magnitude(&nj.y);
645 random_field_element_magnitude(&nj.z);
648 secp256k1_gej_t aaj; secp256k1_gej_add_var(&aaj, &aj, &aj);
649 secp256k1_gej_t abj; secp256k1_gej_add_var(&abj, &aj, &bj);
650 secp256k1_gej_t aij; secp256k1_gej_add_var(&aij, &aj, &ij);
651 secp256k1_gej_t anj; secp256k1_gej_add_var(&anj, &aj, &nj);
652 secp256k1_gej_t iaj; secp256k1_gej_add_var(&iaj, &ij, &aj);
653 secp256k1_gej_t iij; secp256k1_gej_add_var(&iij, &ij, &ij);
656 secp256k1_gej_t aa; secp256k1_gej_add_ge_var(&aa, &aj, &a);
657 secp256k1_gej_t ab; secp256k1_gej_add_ge_var(&ab, &aj, &b);
658 secp256k1_gej_t ai; secp256k1_gej_add_ge_var(&ai, &aj, &i);
659 secp256k1_gej_t an; secp256k1_gej_add_ge_var(&an, &aj, &n);
660 secp256k1_gej_t ia; secp256k1_gej_add_ge_var(&ia, &ij, &a);
661 secp256k1_gej_t ii; secp256k1_gej_add_ge_var(&ii, &ij, &i);
663 // const gej + ge adds
664 secp256k1_gej_t aac; secp256k1_gej_add_ge(&aac, &aj, &a);
665 secp256k1_gej_t abc; secp256k1_gej_add_ge(&abc, &aj, &b);
666 secp256k1_gej_t anc; secp256k1_gej_add_ge(&anc, &aj, &n);
667 secp256k1_gej_t iac; secp256k1_gej_add_ge(&iac, &ij, &a);
669 CHECK(secp256k1_gej_is_infinity(&an));
670 CHECK(secp256k1_gej_is_infinity(&anj));
671 CHECK(secp256k1_gej_is_infinity(&anc));
672 gej_equals_gej(&aa, &aaj);
673 gej_equals_gej(&aa, &aac);
674 gej_equals_gej(&ab, &abj);
675 gej_equals_gej(&ab, &abc);
676 gej_equals_gej(&an, &anj);
677 gej_equals_gej(&an, &anc);
678 gej_equals_gej(&ia, &iaj);
679 gej_equals_gej(&ai, &aij);
680 gej_equals_gej(&ii, &iij);
681 ge_equals_gej(&a, &ai);
682 ge_equals_gej(&a, &ai);
683 ge_equals_gej(&a, &iaj);
684 ge_equals_gej(&a, &iaj);
685 ge_equals_gej(&a, &iac);
689 for (int i = 0; i < 2000*count; i++) {
694 /***** ECMULT TESTS *****/
696 void run_ecmult_chain(void) {
697 // random starting point A (on the curve)
698 secp256k1_fe_t ax; secp256k1_fe_set_hex(&ax, "8b30bbe9ae2a990696b22f670709dff3727fd8bc04d3362c6c7bf458e2846004", 64);
699 secp256k1_fe_t ay; secp256k1_fe_set_hex(&ay, "a357ae915c4a65281309edf20504740f0eb3343990216b4f81063cb65f2f7e0f", 64);
700 secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
701 // two random initial factors xn and gn
703 secp256k1_num_set_hex(&xn, "84cc5452f7fde1edb4d38a8ce9b1b84ccef31f146e569be9705d357a42985407", 64);
705 secp256k1_num_set_hex(&gn, "a1e58d22553dcd42b23980625d4c57a96e9323d42b3152e5ca2c3990edc7c9de", 64);
706 // two small multipliers to be applied to xn and gn in every iteration:
708 secp256k1_num_set_hex(&xf, "1337", 4);
710 secp256k1_num_set_hex(&gf, "7113", 4);
711 // accumulators with the resulting coefficients to A and G
713 secp256k1_num_set_int(&ae, 1);
715 secp256k1_num_set_int(&ge, 0);
716 // the point being computed
717 secp256k1_gej_t x = a;
718 const secp256k1_num_t *order = &secp256k1_ge_consts->order;
719 for (int i=0; i<200*count; i++) {
720 // in each iteration, compute X = xn*X + gn*G;
721 secp256k1_ecmult(&x, &x, &xn, &gn);
722 // also compute ae and ge: the actual accumulated factors for A and G
723 // if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G)
724 secp256k1_num_mod_mul(&ae, &ae, &xn, order);
725 secp256k1_num_mod_mul(&ge, &ge, &xn, order);
726 secp256k1_num_add(&ge, &ge, &gn);
727 secp256k1_num_mod(&ge, order);
729 secp256k1_num_mod_mul(&xn, &xn, &xf, order);
730 secp256k1_num_mod_mul(&gn, &gn, &gf, order);
734 char res[132]; int resl = 132;
735 secp256k1_gej_get_hex(res, &resl, &x);
736 CHECK(strcmp(res, "(D6E96687F9B10D092A6F35439D86CEBEA4535D0D409F53586440BD74B933E830,B95CBCA2C77DA786539BE8FD53354D2D3B4F566AE658045407ED6015EE1B2A88)") == 0);
739 // redo the computation, but directly with the resulting ae and ge coefficients:
740 secp256k1_gej_t x2; secp256k1_ecmult(&x2, &a, &ae, &ge);
741 char res[132]; int resl = 132;
742 char res2[132]; int resl2 = 132;
743 secp256k1_gej_get_hex(res, &resl, &x);
744 secp256k1_gej_get_hex(res2, &resl2, &x2);
745 CHECK(strcmp(res, res2) == 0);
746 CHECK(strlen(res) == 131);
749 void test_point_times_order(const secp256k1_gej_t *point) {
750 // multiplying a point by the order results in O
751 const secp256k1_num_t *order = &secp256k1_ge_consts->order;
752 secp256k1_num_t zero;
753 secp256k1_num_set_int(&zero, 0);
755 secp256k1_ecmult(&res, point, order, order); // calc res = order * point + order * G;
756 CHECK(secp256k1_gej_is_infinity(&res));
759 void run_point_times_order(void) {
760 secp256k1_fe_t x; secp256k1_fe_set_hex(&x, "02", 2);
761 for (int i=0; i<500; i++) {
763 if (secp256k1_ge_set_xo(&p, &x, 1)) {
764 CHECK(secp256k1_ge_is_valid(&p));
766 secp256k1_gej_set_ge(&j, &p);
767 CHECK(secp256k1_gej_is_valid(&j));
768 test_point_times_order(&j);
770 secp256k1_fe_sqr(&x, &x);
772 char c[65]; int cl=65;
773 secp256k1_fe_get_hex(c, &cl, &x);
774 CHECK(strcmp(c, "7603CB59B0EF6C63FE6084792A0C378CDB3233A80F8A9A09A877DEAD31B38C45") == 0);
777 void test_wnaf(const secp256k1_num_t *number, int w) {
778 secp256k1_num_t x, two, t;
779 secp256k1_num_set_int(&x, 0);
780 secp256k1_num_set_int(&two, 2);
782 int bits = secp256k1_ecmult_wnaf(wnaf, number, w);
784 for (int i=bits-1; i>=0; i--) {
785 secp256k1_num_mul(&x, &x, &two);
788 CHECK(zeroes == -1 || zeroes >= w-1); // check that distance between non-zero elements is at least w-1
790 CHECK((v & 1) == 1); // check non-zero elements are odd
791 CHECK(v <= (1 << (w-1)) - 1); // check range below
792 CHECK(v >= -(1 << (w-1)) - 1); // check range above
794 CHECK(zeroes != -1); // check that no unnecessary zero padding exists
797 secp256k1_num_set_int(&t, v);
798 secp256k1_num_add(&x, &x, &t);
800 CHECK(secp256k1_num_eq(&x, number)); // check that wnaf represents number
803 void run_wnaf(void) {
805 for (int i=0; i<count; i++) {
806 random_num_order(&n);
808 secp256k1_num_negate(&n);
809 test_wnaf(&n, 4+(i%10));
813 void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
814 secp256k1_scalar_t nonce;
816 random_scalar_order_test(&nonce);
817 } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
820 void test_ecdsa_sign_verify(void) {
821 secp256k1_scalar_t msg, key;
822 random_scalar_order_test(&msg);
823 random_scalar_order_test(&key);
824 secp256k1_gej_t pubj; secp256k1_ecmult_gen(&pubj, &key);
825 secp256k1_ge_t pub; secp256k1_ge_set_gej(&pub, &pubj);
826 secp256k1_ecdsa_sig_t sig;
827 random_sign(&sig, &key, &msg, NULL);
828 secp256k1_num_t msg_num;
829 secp256k1_scalar_get_num(&msg_num, &msg);
830 CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg_num));
831 secp256k1_num_inc(&msg_num);
832 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg_num));
835 void run_ecdsa_sign_verify(void) {
836 for (int i=0; i<10*count; i++) {
837 test_ecdsa_sign_verify();
841 void test_ecdsa_end_to_end(void) {
842 unsigned char privkey[32];
843 unsigned char message[32];
845 // Generate a random key and message.
847 secp256k1_num_t msg, key;
848 random_num_order_test(&msg);
849 random_num_order_test(&key);
850 secp256k1_num_get_bin(privkey, 32, &key);
851 secp256k1_num_get_bin(message, 32, &msg);
854 // Construct and verify corresponding public key.
855 CHECK(secp256k1_ec_seckey_verify(privkey) == 1);
856 unsigned char pubkey[65]; int pubkeylen = 65;
857 CHECK(secp256k1_ec_pubkey_create(pubkey, &pubkeylen, privkey, secp256k1_rand32() % 2) == 1);
858 CHECK(secp256k1_ec_pubkey_verify(pubkey, pubkeylen));
860 // Verify private key import and export.
861 unsigned char seckey[300]; int seckeylen = 300;
862 CHECK(secp256k1_ec_privkey_export(privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
863 unsigned char privkey2[32];
864 CHECK(secp256k1_ec_privkey_import(privkey2, seckey, seckeylen) == 1);
865 CHECK(memcmp(privkey, privkey2, 32) == 0);
867 // Optionally tweak the keys using addition.
868 if (secp256k1_rand32() % 3 == 0) {
869 unsigned char rnd[32];
870 secp256k1_rand256_test(rnd);
871 int ret1 = secp256k1_ec_privkey_tweak_add(privkey, rnd);
872 int ret2 = secp256k1_ec_pubkey_tweak_add(pubkey, pubkeylen, rnd);
874 if (ret1 == 0) return;
875 unsigned char pubkey2[65]; int pubkeylen2 = 65;
876 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
877 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
880 // Optionally tweak the keys using multiplication.
881 if (secp256k1_rand32() % 3 == 0) {
882 unsigned char rnd[32];
883 secp256k1_rand256_test(rnd);
884 int ret1 = secp256k1_ec_privkey_tweak_mul(privkey, rnd);
885 int ret2 = secp256k1_ec_pubkey_tweak_mul(pubkey, pubkeylen, rnd);
887 if (ret1 == 0) return;
888 unsigned char pubkey2[65]; int pubkeylen2 = 65;
889 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
890 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
894 unsigned char signature[72]; int signaturelen = 72;
896 unsigned char rnd[32];
897 secp256k1_rand256_test(rnd);
898 if (secp256k1_ecdsa_sign(message, 32, signature, &signaturelen, privkey, rnd) == 1) {
903 CHECK(secp256k1_ecdsa_verify(message, 32, signature, signaturelen, pubkey, pubkeylen) == 1);
904 // Destroy signature and verify again.
905 signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
906 CHECK(secp256k1_ecdsa_verify(message, 32, signature, signaturelen, pubkey, pubkeylen) != 1);
909 unsigned char csignature[64]; int recid = 0;
911 unsigned char rnd[32];
912 secp256k1_rand256_test(rnd);
913 if (secp256k1_ecdsa_sign_compact(message, 32, csignature, privkey, rnd, &recid) == 1) {
918 unsigned char recpubkey[65]; int recpubkeylen = 0;
919 CHECK(secp256k1_ecdsa_recover_compact(message, 32, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) == 1);
920 CHECK(recpubkeylen == pubkeylen);
921 CHECK(memcmp(pubkey, recpubkey, pubkeylen) == 0);
922 // Destroy signature and verify again.
923 csignature[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
924 CHECK(secp256k1_ecdsa_recover_compact(message, 32, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) != 1 ||
925 memcmp(pubkey, recpubkey, pubkeylen) != 0);
926 CHECK(recpubkeylen == pubkeylen);
930 void run_ecdsa_end_to_end(void) {
931 for (int i=0; i<64*count; i++) {
932 test_ecdsa_end_to_end();
937 #ifdef ENABLE_OPENSSL_TESTS
938 EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
939 unsigned char privkey[300];
941 int compr = secp256k1_rand32() & 1;
942 const unsigned char* pbegin = privkey;
943 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
944 CHECK(secp256k1_eckey_privkey_serialize(privkey, &privkeylen, key, compr));
945 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
946 CHECK(EC_KEY_check_key(ec_key));
950 void test_ecdsa_openssl(void) {
951 secp256k1_scalar_t key, msg;
952 unsigned char message[32];
953 secp256k1_rand256_test(message);
954 secp256k1_scalar_set_b32(&msg, message, NULL);
955 random_scalar_order_test(&key);
957 secp256k1_ecmult_gen(&qj, &key);
959 secp256k1_ge_set_gej(&q, &qj);
960 EC_KEY *ec_key = get_openssl_key(&key);
962 unsigned char signature[80];
963 unsigned int sigsize = 80;
964 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
965 secp256k1_ecdsa_sig_t sig;
966 CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
967 secp256k1_num_t msg_num;
968 secp256k1_scalar_get_num(&msg_num, &msg);
969 CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg_num));
970 secp256k1_num_inc(&sig.r);
971 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg_num));
973 random_sign(&sig, &key, &msg, NULL);
974 int secp_sigsize = 80;
975 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sig));
976 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
981 void run_ecdsa_openssl(void) {
982 for (int i=0; i<10*count; i++) {
983 test_ecdsa_openssl();
988 int main(int argc, char **argv) {
989 // find iteration count
991 count = strtol(argv[1], NULL, 0);
997 seed = strtoull(argv[2], NULL, 0);
999 FILE *frand = fopen("/dev/urandom", "r");
1000 if (!frand || !fread(&seed, sizeof(seed), 1, frand)) {
1001 seed = time(NULL) * 1337;
1005 secp256k1_rand_seed(seed);
1007 printf("test count = %i\n", count);
1008 printf("random seed = %llu\n", (unsigned long long)seed);
1011 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1014 run_num_smalltests();
1021 run_field_inv_var();
1022 run_field_inv_all();
1023 run_field_inv_all_var();
1032 run_point_times_order();
1036 run_ecdsa_sign_verify();
1037 run_ecdsa_end_to_end();
1038 #ifdef ENABLE_OPENSSL_TESTS
1039 run_ecdsa_openssl();
1042 printf("random run = %llu\n", (unsigned long long)secp256k1_rand32() + ((unsigned long long)secp256k1_rand32() << 32));
projects / secp256k1.git / blob