1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
64 void random_field_element_test(secp256k1_fe *fe) {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
74 void random_field_element_magnitude(secp256k1_fe *fe) {
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
88 void random_group_element_test(secp256k1_ge *ge) {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
114 void random_scalar_order_test(secp256k1_scalar *num) {
116 unsigned char b32[32];
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
127 void random_scalar_order(secp256k1_scalar *num) {
129 unsigned char b32[32];
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
166 /*** clone and destroy all of them to make sure cloning was complete ***/
168 secp256k1_context *ctx_tmp;
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
188 /* Verify context-type checking illegal-argument errors. */
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
223 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
224 CHECK(ecount2 == 14);
225 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
226 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
228 /* This shouldn't leak memory, due to already-set tests. */
229 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
230 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
232 /* obtain a working nonce */
234 random_scalar_order_test(&nonce);
235 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
238 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
239 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
242 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
243 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
246 secp256k1_context_destroy(none);
247 secp256k1_context_destroy(sign);
248 secp256k1_context_destroy(vrfy);
249 secp256k1_context_destroy(both);
250 /* Defined as no-op. */
251 secp256k1_context_destroy(NULL);
254 void run_scratch_tests(void) {
256 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
257 secp256k1_scratch_space *scratch;
259 /* Test public API */
260 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
261 scratch = secp256k1_scratch_space_create(none, 100, 10);
262 CHECK(scratch == NULL);
265 scratch = secp256k1_scratch_space_create(none, 100, 100);
266 CHECK(scratch != NULL);
268 secp256k1_scratch_space_destroy(scratch);
270 scratch = secp256k1_scratch_space_create(none, 100, 1000);
271 CHECK(scratch != NULL);
274 /* Test internal API */
275 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
276 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
277 CHECK(secp256k1_scratch_resize(scratch, 50, 1) == 1); /* no-op */
278 CHECK(secp256k1_scratch_resize(scratch, 200, 1) == 1);
279 CHECK(secp256k1_scratch_resize(scratch, 950, 1) == 1);
280 CHECK(secp256k1_scratch_resize(scratch, 1000, 1) == 0);
281 CHECK(secp256k1_scratch_resize(scratch, 2000, 1) == 0);
282 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
285 secp256k1_scratch_space_destroy(scratch);
286 secp256k1_context_destroy(none);
289 /***** HASH TESTS *****/
291 void run_sha256_tests(void) {
292 static const char *inputs[8] = {
293 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
294 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
295 "For this sample, this 63-byte string will be used as input data",
296 "This is exactly 64 bytes long, not counting the terminating byte"
298 static const unsigned char outputs[8][32] = {
299 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
300 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
301 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
302 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
303 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
304 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
305 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
306 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
309 for (i = 0; i < 8; i++) {
310 unsigned char out[32];
311 secp256k1_sha256 hasher;
312 secp256k1_sha256_initialize(&hasher);
313 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
314 secp256k1_sha256_finalize(&hasher, out);
315 CHECK(memcmp(out, outputs[i], 32) == 0);
316 if (strlen(inputs[i]) > 0) {
317 int split = secp256k1_rand_int(strlen(inputs[i]));
318 secp256k1_sha256_initialize(&hasher);
319 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
320 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
321 secp256k1_sha256_finalize(&hasher, out);
322 CHECK(memcmp(out, outputs[i], 32) == 0);
327 void run_hmac_sha256_tests(void) {
328 static const char *keys[6] = {
329 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
331 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
332 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
333 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
334 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
336 static const char *inputs[6] = {
337 "\x48\x69\x20\x54\x68\x65\x72\x65",
338 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
339 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
340 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
341 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
342 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
344 static const unsigned char outputs[6][32] = {
345 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
346 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
347 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
348 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
349 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
350 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
353 for (i = 0; i < 6; i++) {
354 secp256k1_hmac_sha256 hasher;
355 unsigned char out[32];
356 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
357 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
358 secp256k1_hmac_sha256_finalize(&hasher, out);
359 CHECK(memcmp(out, outputs[i], 32) == 0);
360 if (strlen(inputs[i]) > 0) {
361 int split = secp256k1_rand_int(strlen(inputs[i]));
362 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
363 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
364 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
365 secp256k1_hmac_sha256_finalize(&hasher, out);
366 CHECK(memcmp(out, outputs[i], 32) == 0);
371 void run_rfc6979_hmac_sha256_tests(void) {
372 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
373 static const unsigned char out1[3][32] = {
374 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
375 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
376 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
379 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
380 static const unsigned char out2[3][32] = {
381 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
382 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
383 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
386 secp256k1_rfc6979_hmac_sha256 rng;
387 unsigned char out[32];
390 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
391 for (i = 0; i < 3; i++) {
392 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
393 CHECK(memcmp(out, out1[i], 32) == 0);
395 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
397 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
398 for (i = 0; i < 3; i++) {
399 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
400 CHECK(memcmp(out, out1[i], 32) != 0);
402 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
404 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
405 for (i = 0; i < 3; i++) {
406 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
407 CHECK(memcmp(out, out2[i], 32) == 0);
409 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
412 /***** RANDOM TESTS *****/
414 void test_rand_bits(int rand32, int bits) {
415 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
416 * get a false negative chance below once in a billion */
417 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
418 /* We try multiplying the results with various odd numbers, which shouldn't
419 * influence the uniform distribution modulo a power of 2. */
420 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
421 /* We only select up to 6 bits from the output to analyse */
422 unsigned int usebits = bits > 6 ? 6 : bits;
423 unsigned int maxshift = bits - usebits;
424 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
425 number, track all observed outcomes, one per bit in a uint64_t. */
426 uint64_t x[6][27] = {{0}};
427 unsigned int i, shift, m;
428 /* Multiply the output of all rand calls with the odd number m, which
429 should not change the uniformity of its distribution. */
430 for (i = 0; i < rounds[usebits]; i++) {
431 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
432 CHECK((((uint64_t)r) >> bits) == 0);
433 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
434 uint32_t rm = r * mults[m];
435 for (shift = 0; shift <= maxshift; shift++) {
436 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
440 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
441 for (shift = 0; shift <= maxshift; shift++) {
442 /* Test that the lower usebits bits of x[shift] are 1 */
443 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
448 /* Subrange must be a whole divisor of range, and at most 64 */
449 void test_rand_int(uint32_t range, uint32_t subrange) {
450 /* (1-1/subrange)^rounds < 1/10^9 */
451 int rounds = (subrange * 2073) / 100;
454 CHECK((range % subrange) == 0);
455 for (i = 0; i < rounds; i++) {
456 uint32_t r = secp256k1_rand_int(range);
459 x |= (((uint64_t)1) << r);
461 /* Test that the lower subrange bits of x are 1. */
462 CHECK(((~x) << (64 - subrange)) == 0);
465 void run_rand_bits(void) {
467 test_rand_bits(1, 32);
468 for (b = 1; b <= 32; b++) {
469 test_rand_bits(0, b);
473 void run_rand_int(void) {
474 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
475 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
477 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
478 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
479 test_rand_int(ms[m] * ss[s], ss[s]);
484 /***** NUM TESTS *****/
487 void random_num_negate(secp256k1_num *num) {
488 if (secp256k1_rand_bits(1)) {
489 secp256k1_num_negate(num);
493 void random_num_order_test(secp256k1_num *num) {
495 random_scalar_order_test(&sc);
496 secp256k1_scalar_get_num(num, &sc);
499 void random_num_order(secp256k1_num *num) {
501 random_scalar_order(&sc);
502 secp256k1_scalar_get_num(num, &sc);
505 void test_num_negate(void) {
508 random_num_order_test(&n1); /* n1 = R */
509 random_num_negate(&n1);
510 secp256k1_num_copy(&n2, &n1); /* n2 = R */
511 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
512 CHECK(secp256k1_num_is_zero(&n1));
513 secp256k1_num_copy(&n1, &n2); /* n1 = R */
514 secp256k1_num_negate(&n1); /* n1 = -R */
515 CHECK(!secp256k1_num_is_zero(&n1));
516 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
517 CHECK(secp256k1_num_is_zero(&n1));
518 secp256k1_num_copy(&n1, &n2); /* n1 = R */
519 secp256k1_num_negate(&n1); /* n1 = -R */
520 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
521 secp256k1_num_negate(&n1); /* n1 = R */
522 CHECK(secp256k1_num_eq(&n1, &n2));
525 void test_num_add_sub(void) {
530 secp256k1_num n1p2, n2p1, n1m2, n2m1;
531 random_num_order_test(&n1); /* n1 = R1 */
532 if (secp256k1_rand_bits(1)) {
533 random_num_negate(&n1);
535 random_num_order_test(&n2); /* n2 = R2 */
536 if (secp256k1_rand_bits(1)) {
537 random_num_negate(&n2);
539 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
540 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
541 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
542 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
543 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
544 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
545 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
546 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
547 CHECK(!secp256k1_num_eq(&n2m1, &n1));
548 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
549 CHECK(secp256k1_num_eq(&n2m1, &n1));
550 CHECK(!secp256k1_num_eq(&n2p1, &n1));
551 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
552 CHECK(secp256k1_num_eq(&n2p1, &n1));
555 secp256k1_scalar_set_int(&s, 1);
556 secp256k1_scalar_get_num(&n1, &s);
557 CHECK(secp256k1_num_is_one(&n1));
558 /* check that 2^n + 1 is never 1 */
559 secp256k1_scalar_get_num(&n2, &s);
560 for (i = 0; i < 250; ++i) {
561 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
562 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
563 CHECK(!secp256k1_num_is_one(&n1p2));
567 void test_num_mod(void) {
570 secp256k1_num order, n;
572 /* check that 0 mod anything is 0 */
573 random_scalar_order_test(&s);
574 secp256k1_scalar_get_num(&order, &s);
575 secp256k1_scalar_set_int(&s, 0);
576 secp256k1_scalar_get_num(&n, &s);
577 secp256k1_num_mod(&n, &order);
578 CHECK(secp256k1_num_is_zero(&n));
580 /* check that anything mod 1 is 0 */
581 secp256k1_scalar_set_int(&s, 1);
582 secp256k1_scalar_get_num(&order, &s);
583 secp256k1_scalar_get_num(&n, &s);
584 secp256k1_num_mod(&n, &order);
585 CHECK(secp256k1_num_is_zero(&n));
587 /* check that increasing the number past 2^256 does not break this */
588 random_scalar_order_test(&s);
589 secp256k1_scalar_get_num(&n, &s);
590 /* multiply by 2^8, which'll test this case with high probability */
591 for (i = 0; i < 8; ++i) {
592 secp256k1_num_add(&n, &n, &n);
594 secp256k1_num_mod(&n, &order);
595 CHECK(secp256k1_num_is_zero(&n));
598 void test_num_jacobi(void) {
599 secp256k1_scalar sqr;
600 secp256k1_scalar small;
601 secp256k1_scalar five; /* five is not a quadratic residue */
602 secp256k1_num order, n;
604 /* squares mod 5 are 1, 4 */
605 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
607 /* check some small values with 5 as the order */
608 secp256k1_scalar_set_int(&five, 5);
609 secp256k1_scalar_get_num(&order, &five);
610 for (i = 0; i < 10; ++i) {
611 secp256k1_scalar_set_int(&small, i);
612 secp256k1_scalar_get_num(&n, &small);
613 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
616 /** test large values with 5 as group order */
617 secp256k1_scalar_get_num(&order, &five);
618 /* we first need a scalar which is not a multiple of 5 */
621 random_scalar_order_test(&sqr);
622 secp256k1_scalar_get_num(&fiven, &five);
623 secp256k1_scalar_get_num(&n, &sqr);
624 secp256k1_num_mod(&n, &fiven);
625 } while (secp256k1_num_is_zero(&n));
626 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
627 * just multiply by two, i.e. add the number to itself */
628 if (secp256k1_num_jacobi(&n, &order) == -1) {
629 secp256k1_num_add(&n, &n, &n);
633 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
634 /* test nonresidue */
635 secp256k1_num_add(&n, &n, &n);
636 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
638 /** test with secp group order as order */
639 secp256k1_scalar_order_get_num(&order);
640 random_scalar_order_test(&sqr);
641 secp256k1_scalar_sqr(&sqr, &sqr);
643 secp256k1_scalar_get_num(&n, &sqr);
644 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
645 /* test nonresidue */
646 secp256k1_scalar_mul(&sqr, &sqr, &five);
647 secp256k1_scalar_get_num(&n, &sqr);
648 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
649 /* test multiple of the order*/
650 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
652 /* check one less than the order */
653 secp256k1_scalar_set_int(&small, 1);
654 secp256k1_scalar_get_num(&n, &small);
655 secp256k1_num_sub(&n, &order, &n);
656 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
659 void run_num_smalltests(void) {
661 for (i = 0; i < 100*count; i++) {
670 /***** SCALAR TESTS *****/
672 void scalar_test(void) {
677 secp256k1_num snum, s1num, s2num;
678 secp256k1_num order, half_order;
682 /* Set 's' to a random scalar, with value 'snum'. */
683 random_scalar_order_test(&s);
685 /* Set 's1' to a random scalar, with value 's1num'. */
686 random_scalar_order_test(&s1);
688 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
689 random_scalar_order_test(&s2);
690 secp256k1_scalar_get_b32(c, &s2);
693 secp256k1_scalar_get_num(&snum, &s);
694 secp256k1_scalar_get_num(&s1num, &s1);
695 secp256k1_scalar_get_num(&s2num, &s2);
697 secp256k1_scalar_order_get_num(&order);
699 secp256k1_num_shift(&half_order, 1);
704 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
706 secp256k1_scalar_set_int(&n, 0);
707 for (i = 0; i < 256; i += 4) {
710 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
711 for (j = 0; j < 4; j++) {
712 secp256k1_scalar_add(&n, &n, &n);
714 secp256k1_scalar_add(&n, &n, &t);
716 CHECK(secp256k1_scalar_eq(&n, &s));
720 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
723 secp256k1_scalar_set_int(&n, 0);
727 int now = secp256k1_rand_int(15) + 1;
731 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
732 for (j = 0; j < now; j++) {
733 secp256k1_scalar_add(&n, &n, &n);
735 secp256k1_scalar_add(&n, &n, &t);
738 CHECK(secp256k1_scalar_eq(&n, &s));
743 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
747 secp256k1_num_add(&rnum, &snum, &s2num);
748 secp256k1_num_mod(&rnum, &order);
749 secp256k1_scalar_add(&r, &s, &s2);
750 secp256k1_scalar_get_num(&r2num, &r);
751 CHECK(secp256k1_num_eq(&rnum, &r2num));
755 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
759 secp256k1_num_mul(&rnum, &snum, &s2num);
760 secp256k1_num_mod(&rnum, &order);
761 secp256k1_scalar_mul(&r, &s, &s2);
762 secp256k1_scalar_get_num(&r2num, &r);
763 CHECK(secp256k1_num_eq(&rnum, &r2num));
764 /* The result can only be zero if at least one of the factors was zero. */
765 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
766 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
767 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
768 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
772 secp256k1_scalar neg;
773 secp256k1_num negnum;
774 secp256k1_num negnum2;
775 /* Check that comparison with zero matches comparison with zero on the number. */
776 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
777 /* Check that comparison with the half order is equal to testing for high scalar. */
778 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
779 secp256k1_scalar_negate(&neg, &s);
780 secp256k1_num_sub(&negnum, &order, &snum);
781 secp256k1_num_mod(&negnum, &order);
782 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
783 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
784 /* Negating should change the high property, unless the value was already zero. */
785 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
786 secp256k1_scalar_get_num(&negnum2, &neg);
787 /* Negating a scalar should be equal to (order - n) mod order on the number. */
788 CHECK(secp256k1_num_eq(&negnum, &negnum2));
789 secp256k1_scalar_add(&neg, &neg, &s);
790 /* Adding a number to its negation should result in zero. */
791 CHECK(secp256k1_scalar_is_zero(&neg));
792 secp256k1_scalar_negate(&neg, &neg);
793 /* Negating zero should still result in zero. */
794 CHECK(secp256k1_scalar_is_zero(&neg));
798 /* Test secp256k1_scalar_mul_shift_var. */
803 unsigned char cone[1] = {0x01};
804 unsigned int shift = 256 + secp256k1_rand_int(257);
805 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
806 secp256k1_num_mul(&rnum, &s1num, &s2num);
807 secp256k1_num_shift(&rnum, shift - 1);
808 secp256k1_num_set_bin(&one, cone, 1);
809 secp256k1_num_add(&rnum, &rnum, &one);
810 secp256k1_num_shift(&rnum, 1);
811 secp256k1_scalar_get_num(&rnum2, &r);
812 CHECK(secp256k1_num_eq(&rnum, &rnum2));
816 /* test secp256k1_scalar_shr_int */
819 random_scalar_order_test(&r);
820 for (i = 0; i < 100; ++i) {
822 int shift = 1 + secp256k1_rand_int(15);
823 int expected = r.d[0] % (1 << shift);
824 low = secp256k1_scalar_shr_int(&r, shift);
825 CHECK(expected == low);
831 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
832 if (!secp256k1_scalar_is_zero(&s)) {
833 secp256k1_scalar inv;
835 secp256k1_num invnum;
836 secp256k1_num invnum2;
838 secp256k1_scalar_inverse(&inv, &s);
840 secp256k1_num_mod_inverse(&invnum, &snum, &order);
841 secp256k1_scalar_get_num(&invnum2, &inv);
842 CHECK(secp256k1_num_eq(&invnum, &invnum2));
844 secp256k1_scalar_mul(&inv, &inv, &s);
845 /* Multiplying a scalar with its inverse must result in one. */
846 CHECK(secp256k1_scalar_is_one(&inv));
847 secp256k1_scalar_inverse(&inv, &inv);
848 /* Inverting one must result in one. */
849 CHECK(secp256k1_scalar_is_one(&inv));
851 secp256k1_scalar_get_num(&invnum, &inv);
852 CHECK(secp256k1_num_is_one(&invnum));
858 /* Test commutativity of add. */
859 secp256k1_scalar r1, r2;
860 secp256k1_scalar_add(&r1, &s1, &s2);
861 secp256k1_scalar_add(&r2, &s2, &s1);
862 CHECK(secp256k1_scalar_eq(&r1, &r2));
866 secp256k1_scalar r1, r2;
870 int bit = secp256k1_rand_bits(8);
871 secp256k1_scalar_set_int(&b, 1);
872 CHECK(secp256k1_scalar_is_one(&b));
873 for (i = 0; i < bit; i++) {
874 secp256k1_scalar_add(&b, &b, &b);
878 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
879 /* No overflow happened. */
880 secp256k1_scalar_cadd_bit(&r2, bit, 1);
881 CHECK(secp256k1_scalar_eq(&r1, &r2));
882 /* cadd is a noop when flag is zero */
883 secp256k1_scalar_cadd_bit(&r2, bit, 0);
884 CHECK(secp256k1_scalar_eq(&r1, &r2));
889 /* Test commutativity of mul. */
890 secp256k1_scalar r1, r2;
891 secp256k1_scalar_mul(&r1, &s1, &s2);
892 secp256k1_scalar_mul(&r2, &s2, &s1);
893 CHECK(secp256k1_scalar_eq(&r1, &r2));
897 /* Test associativity of add. */
898 secp256k1_scalar r1, r2;
899 secp256k1_scalar_add(&r1, &s1, &s2);
900 secp256k1_scalar_add(&r1, &r1, &s);
901 secp256k1_scalar_add(&r2, &s2, &s);
902 secp256k1_scalar_add(&r2, &s1, &r2);
903 CHECK(secp256k1_scalar_eq(&r1, &r2));
907 /* Test associativity of mul. */
908 secp256k1_scalar r1, r2;
909 secp256k1_scalar_mul(&r1, &s1, &s2);
910 secp256k1_scalar_mul(&r1, &r1, &s);
911 secp256k1_scalar_mul(&r2, &s2, &s);
912 secp256k1_scalar_mul(&r2, &s1, &r2);
913 CHECK(secp256k1_scalar_eq(&r1, &r2));
917 /* Test distributitivity of mul over add. */
918 secp256k1_scalar r1, r2, t;
919 secp256k1_scalar_add(&r1, &s1, &s2);
920 secp256k1_scalar_mul(&r1, &r1, &s);
921 secp256k1_scalar_mul(&r2, &s1, &s);
922 secp256k1_scalar_mul(&t, &s2, &s);
923 secp256k1_scalar_add(&r2, &r2, &t);
924 CHECK(secp256k1_scalar_eq(&r1, &r2));
929 secp256k1_scalar r1, r2;
930 secp256k1_scalar_sqr(&r1, &s1);
931 secp256k1_scalar_mul(&r2, &s1, &s1);
932 CHECK(secp256k1_scalar_eq(&r1, &r2));
936 /* Test multiplicative identity. */
937 secp256k1_scalar r1, v1;
938 secp256k1_scalar_set_int(&v1,1);
939 secp256k1_scalar_mul(&r1, &s1, &v1);
940 CHECK(secp256k1_scalar_eq(&r1, &s1));
944 /* Test additive identity. */
945 secp256k1_scalar r1, v0;
946 secp256k1_scalar_set_int(&v0,0);
947 secp256k1_scalar_add(&r1, &s1, &v0);
948 CHECK(secp256k1_scalar_eq(&r1, &s1));
952 /* Test zero product property. */
953 secp256k1_scalar r1, v0;
954 secp256k1_scalar_set_int(&v0,0);
955 secp256k1_scalar_mul(&r1, &s1, &v0);
956 CHECK(secp256k1_scalar_eq(&r1, &v0));
961 void run_scalar_tests(void) {
963 for (i = 0; i < 128 * count; i++) {
968 /* (-1)+1 should be zero. */
969 secp256k1_scalar s, o;
970 secp256k1_scalar_set_int(&s, 1);
971 CHECK(secp256k1_scalar_is_one(&s));
972 secp256k1_scalar_negate(&o, &s);
973 secp256k1_scalar_add(&o, &o, &s);
974 CHECK(secp256k1_scalar_is_zero(&o));
975 secp256k1_scalar_negate(&o, &o);
976 CHECK(secp256k1_scalar_is_zero(&o));
981 /* A scalar with value of the curve order should be 0. */
983 secp256k1_scalar zero;
984 unsigned char bin[32];
986 secp256k1_scalar_order_get_num(&order);
987 secp256k1_num_get_bin(bin, 32, &order);
988 secp256k1_scalar_set_b32(&zero, bin, &overflow);
989 CHECK(overflow == 1);
990 CHECK(secp256k1_scalar_is_zero(&zero));
995 /* Does check_overflow check catch all ones? */
996 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
997 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
998 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1000 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1004 /* Static test vectors.
1005 * These were reduced from ~10^12 random vectors based on comparison-decision
1006 * and edge-case coverage on 32-bit and 64-bit implementations.
1007 * The responses were generated with Sage 5.9.
1012 secp256k1_scalar zz;
1013 secp256k1_scalar one;
1014 secp256k1_scalar r1;
1015 secp256k1_scalar r2;
1016 #if defined(USE_SCALAR_INV_NUM)
1017 secp256k1_scalar zzv;
1020 unsigned char chal[33][2][32] = {
1021 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1022 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1023 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1024 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1025 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1026 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1027 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1028 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1029 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1030 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1033 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1035 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1036 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1037 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1038 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1039 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1040 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1041 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1042 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1043 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1044 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1045 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1046 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1047 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1048 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1049 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1050 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1051 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1052 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1053 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1054 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1055 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1056 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1057 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1058 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1059 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1060 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1061 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1062 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1063 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1064 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1065 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1066 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1067 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1068 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1069 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1070 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1071 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1072 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1073 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1074 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1075 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1076 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1077 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1078 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1079 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1080 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1081 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1082 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1084 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1085 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1086 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1088 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1089 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1091 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1092 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1093 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1095 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1096 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1097 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1098 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1099 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1100 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1101 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1102 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1103 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1104 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1105 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1108 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1109 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1110 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1111 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1112 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1113 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1115 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1117 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1118 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1120 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1121 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1122 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1123 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1124 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1125 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1126 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1127 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1128 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1129 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1131 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1133 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1134 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1136 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1137 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1138 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1139 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1140 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1141 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1144 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1145 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1147 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1148 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1149 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1150 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1152 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1153 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1155 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1156 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1157 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1159 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1161 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1162 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1163 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1164 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1165 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1168 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1169 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1170 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1171 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1172 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1173 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1174 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1175 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1176 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1177 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1178 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1179 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1180 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1181 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1184 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1185 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1187 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1188 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1189 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1193 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1197 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1198 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1200 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1201 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1204 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1205 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1206 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1207 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1208 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1209 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1210 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1212 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1213 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1216 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1217 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1220 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1221 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1223 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1224 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1225 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1229 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1231 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1232 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1233 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1234 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1235 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1236 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1237 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1238 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1239 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1240 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1241 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1242 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1243 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1244 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1245 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1246 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1248 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1249 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1251 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1252 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1253 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1254 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1255 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1256 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1257 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1258 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1259 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1260 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1261 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1262 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1264 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1265 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1267 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1268 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1269 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1270 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1271 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1272 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1273 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1274 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1275 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1276 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1277 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1278 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1279 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1280 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1281 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1282 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1283 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1284 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1286 unsigned char res[33][2][32] = {
1287 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1288 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1289 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1290 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1291 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1292 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1293 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1294 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1295 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1296 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1297 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1298 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1299 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1300 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1301 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1302 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1303 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1304 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1305 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1306 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1307 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1308 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1309 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1310 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1311 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1312 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1313 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1314 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1315 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1316 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1317 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1318 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1319 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1320 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1321 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1322 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1323 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1324 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1325 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1326 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1327 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1328 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1329 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1330 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1331 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1332 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1333 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1334 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1335 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1336 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1337 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1338 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1339 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1340 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1341 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1342 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1343 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1344 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1345 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1346 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1347 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1348 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1349 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1350 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1351 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1352 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1353 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1354 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1355 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1356 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1357 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1358 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1359 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1360 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1361 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1362 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1363 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1364 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1365 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1366 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1367 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1368 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1369 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1370 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1371 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1372 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1373 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1374 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1375 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1376 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1377 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1378 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1379 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1380 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1381 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1382 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1383 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1384 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1385 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1386 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1387 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1388 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1389 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1390 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1391 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1392 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1393 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1394 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1395 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1396 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1397 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1398 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1399 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1400 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1401 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1402 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1403 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1404 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1405 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1406 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1407 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1408 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1409 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1410 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1411 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1412 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1413 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1414 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1415 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1416 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1417 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1418 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1419 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1420 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1421 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1422 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1423 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1424 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1425 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1426 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1427 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1428 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1429 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1430 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1431 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1432 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1433 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1434 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1435 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1436 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1437 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1438 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1439 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1440 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1441 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1442 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1443 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1444 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1445 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1446 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1447 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1449 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1450 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1451 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1455 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1458 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1459 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1463 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1464 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1465 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1466 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1467 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1468 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1469 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1470 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1471 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1472 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1473 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1474 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1475 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1476 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1477 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1478 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1479 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1480 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1481 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1482 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1483 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1484 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1485 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1486 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1487 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1488 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1489 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1490 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1491 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1492 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1495 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1496 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1497 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1498 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1499 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1500 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1501 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1502 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1503 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1504 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1505 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1506 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1507 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1508 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1509 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1510 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1511 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1512 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1513 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1514 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1515 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1516 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1517 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1518 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1519 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1520 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1521 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1522 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1523 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1524 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1525 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1526 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1527 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1528 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1529 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1530 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1531 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1532 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1533 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1534 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1535 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1536 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1537 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1538 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1539 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1540 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1541 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1542 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1543 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1544 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1545 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1546 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1547 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1548 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1549 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1550 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1552 secp256k1_scalar_set_int(&one, 1);
1553 for (i = 0; i < 33; i++) {
1554 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1556 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1558 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1560 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1562 secp256k1_scalar_mul(&z, &x, &y);
1563 CHECK(!secp256k1_scalar_check_overflow(&z));
1564 CHECK(secp256k1_scalar_eq(&r1, &z));
1565 if (!secp256k1_scalar_is_zero(&y)) {
1566 secp256k1_scalar_inverse(&zz, &y);
1567 CHECK(!secp256k1_scalar_check_overflow(&zz));
1568 #if defined(USE_SCALAR_INV_NUM)
1569 secp256k1_scalar_inverse_var(&zzv, &y);
1570 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1572 secp256k1_scalar_mul(&z, &z, &zz);
1573 CHECK(!secp256k1_scalar_check_overflow(&z));
1574 CHECK(secp256k1_scalar_eq(&x, &z));
1575 secp256k1_scalar_mul(&zz, &zz, &y);
1576 CHECK(!secp256k1_scalar_check_overflow(&zz));
1577 CHECK(secp256k1_scalar_eq(&one, &zz));
1579 secp256k1_scalar_mul(&z, &x, &x);
1580 CHECK(!secp256k1_scalar_check_overflow(&z));
1581 secp256k1_scalar_sqr(&zz, &x);
1582 CHECK(!secp256k1_scalar_check_overflow(&zz));
1583 CHECK(secp256k1_scalar_eq(&zz, &z));
1584 CHECK(secp256k1_scalar_eq(&r2, &zz));
1589 /***** FIELD TESTS *****/
1591 void random_fe(secp256k1_fe *x) {
1592 unsigned char bin[32];
1594 secp256k1_rand256(bin);
1595 if (secp256k1_fe_set_b32(x, bin)) {
1601 void random_fe_test(secp256k1_fe *x) {
1602 unsigned char bin[32];
1604 secp256k1_rand256_test(bin);
1605 if (secp256k1_fe_set_b32(x, bin)) {
1611 void random_fe_non_zero(secp256k1_fe *nz) {
1613 while (--tries >= 0) {
1615 secp256k1_fe_normalize(nz);
1616 if (!secp256k1_fe_is_zero(nz)) {
1620 /* Infinitesimal probability of spurious failure here */
1624 void random_fe_non_square(secp256k1_fe *ns) {
1626 random_fe_non_zero(ns);
1627 if (secp256k1_fe_sqrt(&r, ns)) {
1628 secp256k1_fe_negate(ns, ns, 1);
1632 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1633 secp256k1_fe an = *a;
1634 secp256k1_fe bn = *b;
1635 secp256k1_fe_normalize_weak(&an);
1636 secp256k1_fe_normalize_var(&bn);
1637 return secp256k1_fe_equal_var(&an, &bn);
1640 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1642 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1643 secp256k1_fe_mul(&x, a, ai);
1644 return check_fe_equal(&x, &one);
1647 void run_field_convert(void) {
1648 static const unsigned char b32[32] = {
1649 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1650 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1651 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1652 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1654 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1655 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1656 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1658 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1659 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1660 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1663 unsigned char b322[32];
1664 secp256k1_fe_storage fes2;
1665 /* Check conversions to fe. */
1666 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1667 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1668 secp256k1_fe_from_storage(&fe2, &fes);
1669 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1670 /* Check conversion from fe. */
1671 secp256k1_fe_get_b32(b322, &fe);
1672 CHECK(memcmp(b322, b32, 32) == 0);
1673 secp256k1_fe_to_storage(&fes2, &fe);
1674 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1677 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1678 secp256k1_fe t = *b;
1680 t.magnitude = a->magnitude;
1681 t.normalized = a->normalized;
1683 return memcmp(a, &t, sizeof(secp256k1_fe));
1686 void run_field_misc(void) {
1691 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1693 for (i = 0; i < 5*count; i++) {
1694 secp256k1_fe_storage xs, ys, zs;
1696 random_fe_non_zero(&y);
1697 /* Test the fe equality and comparison operations. */
1698 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1699 CHECK(secp256k1_fe_equal_var(&x, &x));
1701 secp256k1_fe_add(&z,&y);
1702 /* Test fe conditional move; z is not normalized here. */
1704 secp256k1_fe_cmov(&x, &z, 0);
1705 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1706 secp256k1_fe_cmov(&x, &x, 1);
1707 CHECK(fe_memcmp(&x, &z) != 0);
1708 CHECK(fe_memcmp(&x, &q) == 0);
1709 secp256k1_fe_cmov(&q, &z, 1);
1710 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1711 CHECK(fe_memcmp(&q, &z) == 0);
1712 secp256k1_fe_normalize_var(&x);
1713 secp256k1_fe_normalize_var(&z);
1714 CHECK(!secp256k1_fe_equal_var(&x, &z));
1715 secp256k1_fe_normalize_var(&q);
1716 secp256k1_fe_cmov(&q, &z, (i&1));
1717 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1718 for (j = 0; j < 6; j++) {
1719 secp256k1_fe_negate(&z, &z, j+1);
1720 secp256k1_fe_normalize_var(&q);
1721 secp256k1_fe_cmov(&q, &z, (j&1));
1722 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1724 secp256k1_fe_normalize_var(&z);
1725 /* Test storage conversion and conditional moves. */
1726 secp256k1_fe_to_storage(&xs, &x);
1727 secp256k1_fe_to_storage(&ys, &y);
1728 secp256k1_fe_to_storage(&zs, &z);
1729 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1730 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1731 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1732 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1733 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1734 secp256k1_fe_from_storage(&x, &xs);
1735 secp256k1_fe_from_storage(&y, &ys);
1736 secp256k1_fe_from_storage(&z, &zs);
1737 /* Test that mul_int, mul, and add agree. */
1738 secp256k1_fe_add(&y, &x);
1739 secp256k1_fe_add(&y, &x);
1741 secp256k1_fe_mul_int(&z, 3);
1742 CHECK(check_fe_equal(&y, &z));
1743 secp256k1_fe_add(&y, &x);
1744 secp256k1_fe_add(&z, &x);
1745 CHECK(check_fe_equal(&z, &y));
1747 secp256k1_fe_mul_int(&z, 5);
1748 secp256k1_fe_mul(&q, &x, &fe5);
1749 CHECK(check_fe_equal(&z, &q));
1750 secp256k1_fe_negate(&x, &x, 1);
1751 secp256k1_fe_add(&z, &x);
1752 secp256k1_fe_add(&q, &x);
1753 CHECK(check_fe_equal(&y, &z));
1754 CHECK(check_fe_equal(&q, &y));
1758 void run_field_inv(void) {
1759 secp256k1_fe x, xi, xii;
1761 for (i = 0; i < 10*count; i++) {
1762 random_fe_non_zero(&x);
1763 secp256k1_fe_inv(&xi, &x);
1764 CHECK(check_fe_inverse(&x, &xi));
1765 secp256k1_fe_inv(&xii, &xi);
1766 CHECK(check_fe_equal(&x, &xii));
1770 void run_field_inv_var(void) {
1771 secp256k1_fe x, xi, xii;
1773 for (i = 0; i < 10*count; i++) {
1774 random_fe_non_zero(&x);
1775 secp256k1_fe_inv_var(&xi, &x);
1776 CHECK(check_fe_inverse(&x, &xi));
1777 secp256k1_fe_inv_var(&xii, &xi);
1778 CHECK(check_fe_equal(&x, &xii));
1782 void run_field_inv_all_var(void) {
1783 secp256k1_fe x[16], xi[16], xii[16];
1785 /* Check it's safe to call for 0 elements */
1786 secp256k1_fe_inv_all_var(xi, x, 0);
1787 for (i = 0; i < count; i++) {
1789 size_t len = secp256k1_rand_int(15) + 1;
1790 for (j = 0; j < len; j++) {
1791 random_fe_non_zero(&x[j]);
1793 secp256k1_fe_inv_all_var(xi, x, len);
1794 for (j = 0; j < len; j++) {
1795 CHECK(check_fe_inverse(&x[j], &xi[j]));
1797 secp256k1_fe_inv_all_var(xii, xi, len);
1798 for (j = 0; j < len; j++) {
1799 CHECK(check_fe_equal(&x[j], &xii[j]));
1804 void run_sqr(void) {
1809 secp256k1_fe_set_int(&x, 1);
1810 secp256k1_fe_negate(&x, &x, 1);
1812 for (i = 1; i <= 512; ++i) {
1813 secp256k1_fe_mul_int(&x, 2);
1814 secp256k1_fe_normalize(&x);
1815 secp256k1_fe_sqr(&s, &x);
1820 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1821 secp256k1_fe r1, r2;
1822 int v = secp256k1_fe_sqrt(&r1, a);
1823 CHECK((v == 0) == (k == NULL));
1826 /* Check that the returned root is +/- the given known answer */
1827 secp256k1_fe_negate(&r2, &r1, 1);
1828 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1829 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1830 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1834 void run_sqrt(void) {
1835 secp256k1_fe ns, x, s, t;
1838 /* Check sqrt(0) is 0 */
1839 secp256k1_fe_set_int(&x, 0);
1840 secp256k1_fe_sqr(&s, &x);
1843 /* Check sqrt of small squares (and their negatives) */
1844 for (i = 1; i <= 100; i++) {
1845 secp256k1_fe_set_int(&x, i);
1846 secp256k1_fe_sqr(&s, &x);
1848 secp256k1_fe_negate(&t, &s, 1);
1849 test_sqrt(&t, NULL);
1852 /* Consistency checks for large random values */
1853 for (i = 0; i < 10; i++) {
1855 random_fe_non_square(&ns);
1856 for (j = 0; j < count; j++) {
1858 secp256k1_fe_sqr(&s, &x);
1860 secp256k1_fe_negate(&t, &s, 1);
1861 test_sqrt(&t, NULL);
1862 secp256k1_fe_mul(&t, &s, &ns);
1863 test_sqrt(&t, NULL);
1868 /***** GROUP TESTS *****/
1870 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1871 CHECK(a->infinity == b->infinity);
1875 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1876 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1879 /* This compares jacobian points including their Z, not just their geometric meaning. */
1880 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1884 ret &= a->infinity == b->infinity;
1885 if (ret && !a->infinity) {
1888 secp256k1_fe_normalize(&a2.x);
1889 secp256k1_fe_normalize(&a2.y);
1890 secp256k1_fe_normalize(&a2.z);
1891 secp256k1_fe_normalize(&b2.x);
1892 secp256k1_fe_normalize(&b2.y);
1893 secp256k1_fe_normalize(&b2.z);
1894 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1895 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1896 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1901 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1903 secp256k1_fe u1, u2, s1, s2;
1904 CHECK(a->infinity == b->infinity);
1908 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1909 secp256k1_fe_sqr(&z2s, &b->z);
1910 secp256k1_fe_mul(&u1, &a->x, &z2s);
1911 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1912 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1913 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1914 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1915 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1918 void test_ge(void) {
1920 #ifdef USE_ENDOMORPHISM
1925 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1926 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1927 * All magnitudes are randomized.
1928 * All 17*17 combinations of points are added to each other, using all applicable methods.
1930 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1932 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1933 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1934 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1936 secp256k1_fe zfi2, zfi3;
1938 secp256k1_gej_set_infinity(&gej[0]);
1939 secp256k1_ge_clear(&ge[0]);
1940 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1941 for (i = 0; i < runs; i++) {
1944 random_group_element_test(&g);
1945 #ifdef USE_ENDOMORPHISM
1946 if (i >= runs - 2) {
1947 secp256k1_ge_mul_lambda(&g, &ge[1]);
1949 if (i >= runs - 1) {
1950 secp256k1_ge_mul_lambda(&g, &g);
1955 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1956 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1957 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1958 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1959 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1960 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1961 for (j = 0; j < 4; j++) {
1962 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1963 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1964 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1965 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1966 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1970 /* Compute z inverses. */
1972 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1973 for (i = 0; i < 4 * runs + 1; i++) {
1975 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1977 random_field_element_test(&zs[i]);
1978 } while(secp256k1_fe_is_zero(&zs[i]));
1983 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1987 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1989 random_field_element_test(&zf);
1990 } while(secp256k1_fe_is_zero(&zf));
1991 random_field_element_magnitude(&zf);
1992 secp256k1_fe_inv_var(&zfi3, &zf);
1993 secp256k1_fe_sqr(&zfi2, &zfi3);
1994 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1996 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1998 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
1999 /* Compute reference result using gej + gej (var). */
2000 secp256k1_gej refj, resj;
2003 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2004 /* Check Z ratio. */
2005 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2006 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2007 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2009 secp256k1_ge_set_gej_var(&ref, &refj);
2011 /* Test gej + ge with Z ratio result (var). */
2012 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2013 ge_equals_gej(&ref, &resj);
2014 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2015 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2016 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2019 /* Test gej + ge (var, with additional Z factor). */
2021 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2022 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2023 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2024 random_field_element_magnitude(&ge2_zfi.x);
2025 random_field_element_magnitude(&ge2_zfi.y);
2026 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2027 ge_equals_gej(&ref, &resj);
2030 /* Test gej + ge (const). */
2032 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2033 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2034 ge_equals_gej(&ref, &resj);
2037 /* Test doubling (var). */
2038 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2040 /* Normal doubling with Z ratio result. */
2041 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2042 ge_equals_gej(&ref, &resj);
2043 /* Check Z ratio. */
2044 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2045 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2046 /* Normal doubling. */
2047 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2048 ge_equals_gej(&ref, &resj);
2051 /* Test adding opposites. */
2052 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2053 CHECK(secp256k1_ge_is_infinity(&ref));
2056 /* Test adding infinity. */
2058 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2059 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2060 ge_equals_gej(&ref, &gej[i2]);
2063 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2064 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2065 ge_equals_gej(&ref, &gej[i1]);
2070 /* Test adding all points together in random order equals infinity. */
2072 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2073 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2074 for (i = 0; i < 4 * runs + 1; i++) {
2075 gej_shuffled[i] = gej[i];
2077 for (i = 0; i < 4 * runs + 1; i++) {
2078 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2080 secp256k1_gej t = gej_shuffled[i];
2081 gej_shuffled[i] = gej_shuffled[swap];
2082 gej_shuffled[swap] = t;
2085 for (i = 0; i < 4 * runs + 1; i++) {
2086 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2088 CHECK(secp256k1_gej_is_infinity(&sum));
2092 /* Test batch gej -> ge conversion with and without known z ratios. */
2094 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2095 secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2096 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2097 for (i = 0; i < 4 * runs + 1; i++) {
2098 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2100 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2103 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2104 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2105 for (i = 0; i < 4 * runs + 1; i++) {
2107 random_fe_non_zero(&s);
2108 secp256k1_gej_rescale(&gej[i], &s);
2109 ge_equals_gej(&ge_set_table[i], &gej[i]);
2110 ge_equals_gej(&ge_set_all[i], &gej[i]);
2122 void test_add_neg_y_diff_x(void) {
2123 /* The point of this test is to check that we can add two points
2124 * whose y-coordinates are negatives of each other but whose x
2125 * coordinates differ. If the x-coordinates were the same, these
2126 * points would be negatives of each other and their sum is
2127 * infinity. This is cool because it "covers up" any degeneracy
2128 * in the addition algorithm that would cause the xy coordinates
2129 * of the sum to be wrong (since infinity has no xy coordinates).
2130 * HOWEVER, if the x-coordinates are different, infinity is the
2131 * wrong answer, and such degeneracies are exposed. This is the
2132 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2133 * which this test is a regression test for.
2135 * These points were generated in sage as
2136 * # secp256k1 params
2137 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2138 * C = EllipticCurve ([F (0), F (7)])
2139 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2140 * N = FiniteField(G.order())
2142 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2144 * lam = (1 - x^3).roots()[1][0]
2146 * # random "bad pair"
2147 * P = C.random_element()
2149 * print " P: %x %x" % P.xy()
2150 * print " Q: %x %x" % Q.xy()
2151 * print "P + Q: %x %x" % (P + Q).xy()
2153 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2154 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2155 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2156 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2157 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2159 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2160 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2161 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2162 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2163 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2165 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2166 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2167 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2168 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2169 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2174 secp256k1_ge_set_gej(&b, &bj);
2176 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2177 secp256k1_ge_set_gej(&res, &resj);
2178 ge_equals_gej(&res, &sumj);
2180 secp256k1_gej_add_ge(&resj, &aj, &b);
2181 secp256k1_ge_set_gej(&res, &resj);
2182 ge_equals_gej(&res, &sumj);
2184 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2185 secp256k1_ge_set_gej(&res, &resj);
2186 ge_equals_gej(&res, &sumj);
2191 for (i = 0; i < count * 32; i++) {
2194 test_add_neg_y_diff_x();
2197 void test_ec_combine(void) {
2198 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2199 secp256k1_pubkey data[6];
2200 const secp256k1_pubkey* d[6];
2201 secp256k1_pubkey sd;
2202 secp256k1_pubkey sd2;
2206 for (i = 1; i <= 6; i++) {
2208 random_scalar_order_test(&s);
2209 secp256k1_scalar_add(&sum, &sum, &s);
2210 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2211 secp256k1_ge_set_gej(&Q, &Qj);
2212 secp256k1_pubkey_save(&data[i - 1], &Q);
2213 d[i - 1] = &data[i - 1];
2214 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2215 secp256k1_ge_set_gej(&Q, &Qj);
2216 secp256k1_pubkey_save(&sd, &Q);
2217 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2218 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2222 void run_ec_combine(void) {
2224 for (i = 0; i < count * 8; i++) {
2229 void test_group_decompress(const secp256k1_fe* x) {
2230 /* The input itself, normalized. */
2231 secp256k1_fe fex = *x;
2233 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2234 secp256k1_ge ge_quad, ge_even, ge_odd;
2235 secp256k1_gej gej_quad;
2236 /* Return values of the above calls. */
2237 int res_quad, res_even, res_odd;
2239 secp256k1_fe_normalize_var(&fex);
2241 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2242 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2243 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2245 CHECK(res_quad == res_even);
2246 CHECK(res_quad == res_odd);
2249 secp256k1_fe_normalize_var(&ge_quad.x);
2250 secp256k1_fe_normalize_var(&ge_odd.x);
2251 secp256k1_fe_normalize_var(&ge_even.x);
2252 secp256k1_fe_normalize_var(&ge_quad.y);
2253 secp256k1_fe_normalize_var(&ge_odd.y);
2254 secp256k1_fe_normalize_var(&ge_even.y);
2256 /* No infinity allowed. */
2257 CHECK(!ge_quad.infinity);
2258 CHECK(!ge_even.infinity);
2259 CHECK(!ge_odd.infinity);
2261 /* Check that the x coordinates check out. */
2262 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2263 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2264 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2266 /* Check that the Y coordinate result in ge_quad is a square. */
2267 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2269 /* Check odd/even Y in ge_odd, ge_even. */
2270 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2271 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2273 /* Check secp256k1_gej_has_quad_y_var. */
2274 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2275 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2277 random_fe_test(&fez);
2278 } while (secp256k1_fe_is_zero(&fez));
2279 secp256k1_gej_rescale(&gej_quad, &fez);
2280 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2281 secp256k1_gej_neg(&gej_quad, &gej_quad);
2282 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2284 random_fe_test(&fez);
2285 } while (secp256k1_fe_is_zero(&fez));
2286 secp256k1_gej_rescale(&gej_quad, &fez);
2287 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2288 secp256k1_gej_neg(&gej_quad, &gej_quad);
2289 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2293 void run_group_decompress(void) {
2295 for (i = 0; i < count * 4; i++) {
2297 random_fe_test(&fe);
2298 test_group_decompress(&fe);
2302 /***** ECMULT TESTS *****/
2304 void run_ecmult_chain(void) {
2305 /* random starting point A (on the curve) */
2306 secp256k1_gej a = SECP256K1_GEJ_CONST(
2307 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2308 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2309 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2310 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2312 /* two random initial factors xn and gn */
2313 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2314 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2315 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2317 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2318 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2319 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2321 /* two small multipliers to be applied to xn and gn in every iteration: */
2322 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2323 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2324 /* accumulators with the resulting coefficients to A and G */
2325 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2326 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2332 /* the point being computed */
2334 for (i = 0; i < 200*count; i++) {
2335 /* in each iteration, compute X = xn*X + gn*G; */
2336 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2337 /* also compute ae and ge: the actual accumulated factors for A and G */
2338 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2339 secp256k1_scalar_mul(&ae, &ae, &xn);
2340 secp256k1_scalar_mul(&ge, &ge, &xn);
2341 secp256k1_scalar_add(&ge, &ge, &gn);
2342 /* modify xn and gn */
2343 secp256k1_scalar_mul(&xn, &xn, &xf);
2344 secp256k1_scalar_mul(&gn, &gn, &gf);
2348 /* expected result after 19999 iterations */
2349 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2350 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2351 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2352 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2353 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2356 secp256k1_gej_neg(&rp, &rp);
2357 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2358 CHECK(secp256k1_gej_is_infinity(&rp));
2361 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2362 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2363 secp256k1_gej_neg(&x2, &x2);
2364 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2365 CHECK(secp256k1_gej_is_infinity(&x2));
2368 void test_point_times_order(const secp256k1_gej *point) {
2369 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2371 secp256k1_scalar nx;
2372 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2373 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2374 secp256k1_gej res1, res2;
2376 unsigned char pub[65];
2378 random_scalar_order_test(&x);
2379 secp256k1_scalar_negate(&nx, &x);
2380 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2381 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2382 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2383 CHECK(secp256k1_gej_is_infinity(&res1));
2384 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2385 secp256k1_ge_set_gej(&res3, &res1);
2386 CHECK(secp256k1_ge_is_infinity(&res3));
2387 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2388 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2390 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2391 /* check zero/one edge cases */
2392 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2393 secp256k1_ge_set_gej(&res3, &res1);
2394 CHECK(secp256k1_ge_is_infinity(&res3));
2395 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2396 secp256k1_ge_set_gej(&res3, &res1);
2397 ge_equals_gej(&res3, point);
2398 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2399 secp256k1_ge_set_gej(&res3, &res1);
2400 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2403 void run_point_times_order(void) {
2405 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2406 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2407 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2408 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2410 for (i = 0; i < 500; i++) {
2412 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2414 CHECK(secp256k1_ge_is_valid_var(&p));
2415 secp256k1_gej_set_ge(&j, &p);
2416 CHECK(secp256k1_gej_is_valid_var(&j));
2417 test_point_times_order(&j);
2419 secp256k1_fe_sqr(&x, &x);
2421 secp256k1_fe_normalize_var(&x);
2422 CHECK(secp256k1_fe_equal_var(&x, &xr));
2425 void ecmult_const_random_mult(void) {
2426 /* random starting point A (on the curve) */
2427 secp256k1_ge a = SECP256K1_GE_CONST(
2428 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2429 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2430 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2431 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2433 /* random initial factor xn */
2434 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2435 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2436 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2438 /* expected xn * A (from sage) */
2439 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2440 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2441 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2442 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2443 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2446 secp256k1_ecmult_const(&b, &a, &xn);
2448 CHECK(secp256k1_ge_is_valid_var(&a));
2449 ge_equals_gej(&expected_b, &b);
2452 void ecmult_const_commutativity(void) {
2459 random_scalar_order_test(&a);
2460 random_scalar_order_test(&b);
2462 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2463 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2464 secp256k1_ge_set_gej(&mid1, &res1);
2465 secp256k1_ge_set_gej(&mid2, &res2);
2466 secp256k1_ecmult_const(&res1, &mid1, &b);
2467 secp256k1_ecmult_const(&res2, &mid2, &a);
2468 secp256k1_ge_set_gej(&mid1, &res1);
2469 secp256k1_ge_set_gej(&mid2, &res2);
2470 ge_equals_ge(&mid1, &mid2);
2473 void ecmult_const_mult_zero_one(void) {
2474 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2475 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2476 secp256k1_scalar negone;
2480 secp256k1_scalar_negate(&negone, &one);
2482 random_group_element_test(&point);
2483 secp256k1_ecmult_const(&res1, &point, &zero);
2484 secp256k1_ge_set_gej(&res2, &res1);
2485 CHECK(secp256k1_ge_is_infinity(&res2));
2486 secp256k1_ecmult_const(&res1, &point, &one);
2487 secp256k1_ge_set_gej(&res2, &res1);
2488 ge_equals_ge(&res2, &point);
2489 secp256k1_ecmult_const(&res1, &point, &negone);
2490 secp256k1_gej_neg(&res1, &res1);
2491 secp256k1_ge_set_gej(&res2, &res1);
2492 ge_equals_ge(&res2, &point);
2495 void ecmult_const_chain_multiply(void) {
2496 /* Check known result (randomly generated test problem from sage) */
2497 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2498 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2499 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2501 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2502 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2503 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2504 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2505 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2507 secp256k1_gej point;
2511 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2512 for (i = 0; i < 100; ++i) {
2514 secp256k1_ge_set_gej(&tmp, &point);
2515 secp256k1_ecmult_const(&point, &tmp, &scalar);
2517 secp256k1_ge_set_gej(&res, &point);
2518 ge_equals_gej(&res, &expected_point);
2521 void run_ecmult_const_tests(void) {
2522 ecmult_const_mult_zero_one();
2523 ecmult_const_random_mult();
2524 ecmult_const_commutativity();
2525 ecmult_const_chain_multiply();
2529 secp256k1_scalar *sc;
2531 } ecmult_multi_data;
2533 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2534 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2535 *sc = data->sc[idx];
2536 *pt = data->pt[idx];
2540 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2548 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2550 secp256k1_scalar szero;
2551 secp256k1_scalar sc[32];
2552 secp256k1_ge pt[32];
2555 ecmult_multi_data data;
2556 secp256k1_scratch *scratch_empty;
2560 secp256k1_scalar_set_int(&szero, 0);
2561 secp256k1_scratch_reset(scratch);
2563 /* No points to multiply */
2564 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2566 /* Check 1- and 2-point multiplies against ecmult */
2567 for (ncount = 0; ncount < count; ncount++) {
2570 random_scalar_order(&sc[0]);
2571 random_scalar_order(&sc[1]);
2573 random_group_element_test(&ptg);
2574 secp256k1_gej_set_ge(&ptgj, &ptg);
2576 pt[1] = secp256k1_ge_const_g;
2579 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2580 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2581 secp256k1_gej_neg(&r2, &r2);
2582 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2583 CHECK(secp256k1_gej_is_infinity(&r));
2586 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2587 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2588 secp256k1_gej_neg(&r2, &r2);
2589 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2590 CHECK(secp256k1_gej_is_infinity(&r));
2592 /* Try to multiply 1 point, but scratch space is empty */
2593 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0, 0);
2594 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2595 secp256k1_scratch_destroy(scratch_empty);
2597 /* Try to multiply 1 point, but callback returns false */
2598 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2601 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2602 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2603 secp256k1_gej_neg(&r2, &r2);
2604 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2605 CHECK(secp256k1_gej_is_infinity(&r));
2607 /* 2-point with G scalar */
2608 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2609 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2610 secp256k1_gej_neg(&r2, &r2);
2611 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2612 CHECK(secp256k1_gej_is_infinity(&r));
2615 /* Check infinite outputs of various forms */
2616 for (ncount = 0; ncount < count; ncount++) {
2619 size_t sizes[] = { 2, 10, 32 };
2621 for (j = 0; j < 3; j++) {
2622 for (i = 0; i < 32; i++) {
2623 random_scalar_order(&sc[i]);
2624 secp256k1_ge_set_infinity(&pt[i]);
2626 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2627 CHECK(secp256k1_gej_is_infinity(&r));
2630 for (j = 0; j < 3; j++) {
2631 for (i = 0; i < 32; i++) {
2632 random_group_element_test(&ptg);
2634 secp256k1_scalar_set_int(&sc[i], 0);
2636 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2637 CHECK(secp256k1_gej_is_infinity(&r));
2640 for (j = 0; j < 3; j++) {
2641 random_group_element_test(&ptg);
2642 for (i = 0; i < 16; i++) {
2643 random_scalar_order(&sc[2*i]);
2644 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2646 pt[2 * i + 1] = ptg;
2649 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2650 CHECK(secp256k1_gej_is_infinity(&r));
2652 random_scalar_order(&sc[0]);
2653 for (i = 0; i < 16; i++) {
2654 random_group_element_test(&ptg);
2659 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2662 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2663 CHECK(secp256k1_gej_is_infinity(&r));
2666 random_group_element_test(&ptg);
2667 secp256k1_scalar_set_int(&sc[0], 0);
2669 for (i = 1; i < 32; i++) {
2672 random_scalar_order(&sc[i]);
2673 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2674 secp256k1_scalar_negate(&sc[i], &sc[i]);
2677 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2678 CHECK(secp256k1_gej_is_infinity(&r));
2681 /* Check random points, constant scalar */
2682 for (ncount = 0; ncount < count; ncount++) {
2684 secp256k1_gej_set_infinity(&r);
2686 random_scalar_order(&sc[0]);
2687 for (i = 0; i < 20; i++) {
2690 random_group_element_test(&ptg);
2692 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2695 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2696 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2697 secp256k1_gej_neg(&r2, &r2);
2698 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2699 CHECK(secp256k1_gej_is_infinity(&r));
2702 /* Check random scalars, constant point */
2703 for (ncount = 0; ncount < count; ncount++) {
2707 secp256k1_scalar rs;
2708 secp256k1_scalar_set_int(&rs, 0);
2710 random_group_element_test(&ptg);
2711 for (i = 0; i < 20; i++) {
2712 random_scalar_order(&sc[i]);
2714 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2717 secp256k1_gej_set_ge(&p0j, &pt[0]);
2718 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2719 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2720 secp256k1_gej_neg(&r2, &r2);
2721 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2722 CHECK(secp256k1_gej_is_infinity(&r));
2725 /* Sanity check that zero scalars don't cause problems */
2726 secp256k1_scalar_clear(&sc[0]);
2727 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2728 secp256k1_scalar_clear(&sc[1]);
2729 secp256k1_scalar_clear(&sc[2]);
2730 secp256k1_scalar_clear(&sc[3]);
2731 secp256k1_scalar_clear(&sc[4]);
2732 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2733 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2734 CHECK(secp256k1_gej_is_infinity(&r));
2736 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2738 const size_t TOP = 8;
2744 random_group_element_test(&ptg);
2745 secp256k1_gej_set_ge(&ptgj, &ptg);
2747 for(t0i = 0; t0i < TOP; t0i++) {
2748 for(t1i = 0; t1i < TOP; t1i++) {
2749 secp256k1_gej t0p, t1p;
2750 secp256k1_scalar t0, t1;
2752 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2753 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2754 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2755 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2757 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2758 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2760 for(s0i = 0; s0i < TOP; s0i++) {
2761 for(s1i = 0; s1i < TOP; s1i++) {
2762 secp256k1_scalar tmp1, tmp2;
2763 secp256k1_gej expected, actual;
2765 secp256k1_ge_set_gej(&pt[0], &t0p);
2766 secp256k1_ge_set_gej(&pt[1], &t1p);
2768 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2769 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2770 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2771 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2773 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2774 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2775 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2777 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2778 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2779 secp256k1_gej_neg(&expected, &expected);
2780 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2781 CHECK(secp256k1_gej_is_infinity(&actual));
2789 void test_secp256k1_pippenger_bucket_window_inv(void) {
2792 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2793 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2794 #ifdef USE_ENDOMORPHISM
2795 /* Bucket_window of 8 is not used with endo */
2800 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2801 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2802 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2808 * Probabilistically test the function returning the maximum number of possible points
2809 * for a given scratch space.
2811 void test_ecmult_multi_pippenger_max_points(void) {
2812 size_t scratch_size = secp256k1_rand_int(256);
2813 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2814 secp256k1_scratch *scratch;
2815 size_t n_points_supported;
2816 int bucket_window = 0;
2818 for(; scratch_size < max_size; scratch_size+=256) {
2819 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size);
2820 CHECK(scratch != NULL);
2821 n_points_supported = secp256k1_pippenger_max_points(scratch);
2822 if (n_points_supported == 0) {
2823 secp256k1_scratch_destroy(scratch);
2826 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2827 CHECK(secp256k1_scratch_resize(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2828 secp256k1_scratch_destroy(scratch);
2830 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2834 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2835 * 1 <= i <= num points.
2837 void test_ecmult_multi_batching(void) {
2838 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2839 secp256k1_scalar scG;
2840 secp256k1_scalar szero;
2841 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2842 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2845 ecmult_multi_data data;
2847 secp256k1_scratch *scratch;
2849 secp256k1_gej_set_infinity(&r2);
2850 secp256k1_scalar_set_int(&szero, 0);
2852 /* Get random scalars and group elements and compute result */
2853 random_scalar_order(&scG);
2854 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2855 for(i = 0; i < n_points; i++) {
2858 random_group_element_test(&ptg);
2859 secp256k1_gej_set_ge(&ptgj, &ptg);
2861 random_scalar_order(&sc[i]);
2862 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2863 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2868 /* Test with empty scratch space */
2869 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, 0);
2870 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2871 secp256k1_scratch_destroy(scratch);
2873 /* Test with space for 1 point in pippenger. That's not enough because
2874 * ecmult_multi selects strauss which requires more memory. */
2875 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2876 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2877 secp256k1_scratch_destroy(scratch);
2879 secp256k1_gej_neg(&r2, &r2);
2880 for(i = 1; i <= n_points; i++) {
2881 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2882 int bucket_window = secp256k1_pippenger_bucket_window(i);
2883 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2884 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2886 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2887 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2889 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2890 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2891 CHECK(secp256k1_gej_is_infinity(&r));
2892 secp256k1_scratch_destroy(scratch);
2898 void run_ecmult_multi_tests(void) {
2899 secp256k1_scratch *scratch;
2901 test_secp256k1_pippenger_bucket_window_inv();
2902 test_ecmult_multi_pippenger_max_points();
2903 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, 819200);
2904 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2905 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2906 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2907 secp256k1_scratch_destroy(scratch);
2909 /* Run test_ecmult_multi with space for exactly one point */
2910 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2911 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2912 secp256k1_scratch_destroy(scratch);
2914 test_ecmult_multi_batching();
2917 void test_wnaf(const secp256k1_scalar *number, int w) {
2918 secp256k1_scalar x, two, t;
2923 secp256k1_scalar_set_int(&x, 0);
2924 secp256k1_scalar_set_int(&two, 2);
2925 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2927 for (i = bits-1; i >= 0; i--) {
2929 secp256k1_scalar_mul(&x, &x, &two);
2931 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2933 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2934 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2935 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2937 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2941 secp256k1_scalar_set_int(&t, v);
2943 secp256k1_scalar_set_int(&t, -v);
2944 secp256k1_scalar_negate(&t, &t);
2946 secp256k1_scalar_add(&x, &x, &t);
2948 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2951 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2952 secp256k1_scalar neg1 = *number;
2953 secp256k1_scalar neg2 = *number;
2957 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2958 secp256k1_scalar_negate(&neg1, &neg1);
2961 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2962 CHECK(sign1 == sign2);
2963 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2966 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2967 secp256k1_scalar x, shift;
2968 int wnaf[256] = {0};
2971 secp256k1_scalar num = *number;
2973 secp256k1_scalar_set_int(&x, 0);
2974 secp256k1_scalar_set_int(&shift, 1 << w);
2975 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2976 #ifdef USE_ENDOMORPHISM
2977 for (i = 0; i < 16; ++i) {
2978 secp256k1_scalar_shr_int(&num, 8);
2981 skew = secp256k1_wnaf_const(wnaf, num, w);
2983 for (i = WNAF_SIZE(w); i >= 0; --i) {
2986 CHECK(v != 0); /* check nonzero */
2987 CHECK(v & 1); /* check parity */
2988 CHECK(v > -(1 << w)); /* check range above */
2989 CHECK(v < (1 << w)); /* check range below */
2991 secp256k1_scalar_mul(&x, &x, &shift);
2993 secp256k1_scalar_set_int(&t, v);
2995 secp256k1_scalar_set_int(&t, -v);
2996 secp256k1_scalar_negate(&t, &t);
2998 secp256k1_scalar_add(&x, &x, &t);
3000 /* Skew num because when encoding numbers as odd we use an offset */
3001 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3002 CHECK(secp256k1_scalar_eq(&x, &num));
3005 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3006 secp256k1_scalar x, shift;
3007 int wnaf[256] = {0};
3010 secp256k1_scalar num = *number;
3012 secp256k1_scalar_set_int(&x, 0);
3013 secp256k1_scalar_set_int(&shift, 1 << w);
3014 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3015 #ifdef USE_ENDOMORPHISM
3016 for (i = 0; i < 16; ++i) {
3017 secp256k1_scalar_shr_int(&num, 8);
3020 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3022 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3025 CHECK(v != 0); /* check nonzero */
3026 CHECK(v & 1); /* check parity */
3027 CHECK(v > -(1 << w)); /* check range above */
3028 CHECK(v < (1 << w)); /* check range below */
3030 secp256k1_scalar_mul(&x, &x, &shift);
3032 secp256k1_scalar_set_int(&t, v);
3034 secp256k1_scalar_set_int(&t, -v);
3035 secp256k1_scalar_negate(&t, &t);
3037 secp256k1_scalar_add(&x, &x, &t);
3039 /* If skew is 1 then add 1 to num */
3040 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3041 CHECK(secp256k1_scalar_eq(&x, &num));
3044 void test_fixed_wnaf_zero(int w) {
3045 int wnaf[256] = {0};
3048 secp256k1_scalar num;
3050 secp256k1_scalar_set_int(&num, 0);
3051 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3053 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3060 void run_wnaf(void) {
3062 secp256k1_scalar n = {{0}};
3064 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3065 * have easier-to-diagnose failure modes */
3067 test_constant_wnaf(&n, 4);
3069 test_constant_wnaf(&n, 4);
3071 test_fixed_wnaf_zero(4);
3073 for (i = 0; i < count; i++) {
3074 random_scalar_order(&n);
3075 test_wnaf(&n, 4+(i%10));
3076 test_constant_wnaf_negate(&n);
3077 test_constant_wnaf(&n, 4 + (i % 10));
3078 test_fixed_wnaf(&n, 4 + (i % 10));
3080 secp256k1_scalar_set_int(&n, 0);
3081 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3082 CHECK(secp256k1_scalar_is_zero(&n));
3083 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3084 CHECK(secp256k1_scalar_is_zero(&n));
3087 void test_ecmult_constants(void) {
3088 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3094 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3095 for (i = 0; i < 36; i++ ) {
3096 secp256k1_scalar_set_int(&x, i);
3097 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3098 for (j = 0; j < i; j++) {
3100 ge_equals_gej(&secp256k1_ge_const_g, &r);
3102 secp256k1_gej_add_ge(&r, &r, &ng);
3104 CHECK(secp256k1_gej_is_infinity(&r));
3106 for (i = 1; i <= 36; i++ ) {
3107 secp256k1_scalar_set_int(&x, i);
3108 secp256k1_scalar_negate(&x, &x);
3109 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3110 for (j = 0; j < i; j++) {
3112 ge_equals_gej(&ng, &r);
3114 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3116 CHECK(secp256k1_gej_is_infinity(&r));
3120 void run_ecmult_constants(void) {
3121 test_ecmult_constants();
3124 void test_ecmult_gen_blind(void) {
3125 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3126 secp256k1_scalar key;
3128 unsigned char seed32[32];
3130 secp256k1_gej pgej2;
3133 random_scalar_order_test(&key);
3134 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3135 secp256k1_rand256(seed32);
3136 b = ctx->ecmult_gen_ctx.blind;
3137 i = ctx->ecmult_gen_ctx.initial;
3138 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3139 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3140 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3141 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3142 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3143 secp256k1_ge_set_gej(&pge, &pgej);
3144 ge_equals_gej(&pge, &pgej2);
3147 void test_ecmult_gen_blind_reset(void) {
3148 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3150 secp256k1_gej initial;
3151 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3152 b = ctx->ecmult_gen_ctx.blind;
3153 initial = ctx->ecmult_gen_ctx.initial;
3154 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3155 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3156 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3159 void run_ecmult_gen_blind(void) {
3161 test_ecmult_gen_blind_reset();
3162 for (i = 0; i < 10; i++) {
3163 test_ecmult_gen_blind();
3167 #ifdef USE_ENDOMORPHISM
3168 /***** ENDOMORPHISH TESTS *****/
3169 void test_scalar_split(void) {
3170 secp256k1_scalar full;
3171 secp256k1_scalar s1, slam;
3172 const unsigned char zero[32] = {0};
3173 unsigned char tmp[32];
3175 random_scalar_order_test(&full);
3176 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3178 /* check that both are <= 128 bits in size */
3179 if (secp256k1_scalar_is_high(&s1)) {
3180 secp256k1_scalar_negate(&s1, &s1);
3182 if (secp256k1_scalar_is_high(&slam)) {
3183 secp256k1_scalar_negate(&slam, &slam);
3186 secp256k1_scalar_get_b32(tmp, &s1);
3187 CHECK(memcmp(zero, tmp, 16) == 0);
3188 secp256k1_scalar_get_b32(tmp, &slam);
3189 CHECK(memcmp(zero, tmp, 16) == 0);
3192 void run_endomorphism_tests(void) {
3193 test_scalar_split();
3197 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3198 unsigned char pubkeyc[65];
3199 secp256k1_pubkey pubkey;
3204 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3205 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3206 /* Smaller sizes are tested exhaustively elsewhere. */
3208 memcpy(&pubkeyc[1], input, 64);
3209 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3210 for (i = 0; i < 256; i++) {
3211 /* Try all type bytes. */
3216 /* What sign does this point have? */
3217 ysign = (input[63] & 1) + 2;
3218 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3219 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3220 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3221 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3222 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3223 if (xpass || ypass) {
3224 /* These cases must parse. */
3225 unsigned char pubkeyo[65];
3227 memset(&pubkey, 0, sizeof(pubkey));
3228 VG_UNDEF(&pubkey, sizeof(pubkey));
3230 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3231 VG_CHECK(&pubkey, sizeof(pubkey));
3233 VG_UNDEF(pubkeyo, 65);
3234 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3235 VG_CHECK(pubkeyo, outl);
3237 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3238 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3240 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3241 CHECK(pubkeyo[0] == ysign);
3242 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3243 memset(&pubkey, 0, sizeof(pubkey));
3244 VG_UNDEF(&pubkey, sizeof(pubkey));
3245 secp256k1_pubkey_save(&pubkey, &ge);
3246 VG_CHECK(&pubkey, sizeof(pubkey));
3248 VG_UNDEF(pubkeyo, 65);
3249 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3250 VG_CHECK(pubkeyo, outl);
3252 CHECK(pubkeyo[0] == 4);
3253 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3257 /* These cases must fail to parse. */
3258 memset(&pubkey, 0xfe, sizeof(pubkey));
3260 VG_UNDEF(&pubkey, sizeof(pubkey));
3261 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3262 VG_CHECK(&pubkey, sizeof(pubkey));
3264 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3269 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3272 void run_ec_pubkey_parse_test(void) {
3273 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3274 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3276 /* Point with leading and trailing zeros in x and y serialization. */
3277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3279 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3280 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3283 /* Point with x equal to a 3rd root of unity.*/
3284 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3285 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3286 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3287 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3290 /* Point with largest x. (1/2) */
3291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3292 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3293 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3294 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3297 /* Point with largest x. (2/2) */
3298 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3300 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3301 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3304 /* Point with smallest x. (1/2) */
3305 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3306 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3307 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3308 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3311 /* Point with smallest x. (2/2) */
3312 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3314 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3315 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3318 /* Point with largest y. (1/3) */
3319 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3320 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3322 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3325 /* Point with largest y. (2/3) */
3326 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3327 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3328 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3329 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3332 /* Point with largest y. (3/3) */
3333 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3334 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3335 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3336 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3339 /* Point with smallest y. (1/3) */
3340 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3341 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3342 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3343 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3346 /* Point with smallest y. (2/3) */
3347 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3348 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3349 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3350 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3353 /* Point with smallest y. (3/3) */
3354 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3355 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3356 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3357 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3360 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3361 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3363 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3364 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3365 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3366 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3367 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3370 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3371 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3372 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3373 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3374 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3377 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3378 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3379 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3381 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3384 /* x on curve, y is from y^2 = x^3 + 8. */
3385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3386 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3387 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3391 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3392 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3394 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3395 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3396 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3401 /* Valid if x overflow ignored (x = 1 mod p). */
3402 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3403 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3404 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3405 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3408 /* Valid if x overflow ignored (x = 1 mod p). */
3409 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3410 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3411 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3412 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3415 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3417 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3418 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3419 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3422 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3423 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3424 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3425 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3426 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3429 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3430 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3431 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3432 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3433 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3436 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3439 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3440 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3443 const unsigned char pubkeyc[66] = {
3444 /* Serialization of G. */
3445 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3446 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3447 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3448 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3451 unsigned char sout[65];
3452 unsigned char shortkey[2];
3454 secp256k1_pubkey pubkey;
3460 /* Nothing should be reading this far into pubkeyc. */
3461 VG_UNDEF(&pubkeyc[65], 1);
3462 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3463 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3464 memset(&pubkey, 0xfe, sizeof(pubkey));
3466 VG_UNDEF(shortkey, 2);
3467 VG_UNDEF(&pubkey, sizeof(pubkey));
3468 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3469 VG_CHECK(&pubkey, sizeof(pubkey));
3471 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3473 /* Length one claimed, fail, zeroize, no illegal arg error. */
3474 for (i = 0; i < 256 ; i++) {
3475 memset(&pubkey, 0xfe, sizeof(pubkey));
3478 VG_UNDEF(&shortkey[1], 1);
3479 VG_UNDEF(&pubkey, sizeof(pubkey));
3480 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3481 VG_CHECK(&pubkey, sizeof(pubkey));
3483 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3486 /* Length two claimed, fail, zeroize, no illegal arg error. */
3487 for (i = 0; i < 65536 ; i++) {
3488 memset(&pubkey, 0xfe, sizeof(pubkey));
3490 shortkey[0] = i & 255;
3491 shortkey[1] = i >> 8;
3492 VG_UNDEF(&pubkey, sizeof(pubkey));
3493 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3494 VG_CHECK(&pubkey, sizeof(pubkey));
3496 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3499 memset(&pubkey, 0xfe, sizeof(pubkey));
3501 VG_UNDEF(&pubkey, sizeof(pubkey));
3502 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3503 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3504 VG_CHECK(&pubkey, sizeof(pubkey));
3506 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3508 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3509 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3511 /* NULL input string. Illegal arg and zeroize output. */
3512 memset(&pubkey, 0xfe, sizeof(pubkey));
3514 VG_UNDEF(&pubkey, sizeof(pubkey));
3515 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3516 VG_CHECK(&pubkey, sizeof(pubkey));
3518 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3520 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3521 memset(&pubkey, 0xfe, sizeof(pubkey));
3523 VG_UNDEF(&pubkey, sizeof(pubkey));
3524 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3525 VG_CHECK(&pubkey, sizeof(pubkey));
3527 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3529 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3530 memset(&pubkey, 0xfe, sizeof(pubkey));
3532 VG_UNDEF(&pubkey, sizeof(pubkey));
3533 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3534 VG_CHECK(&pubkey, sizeof(pubkey));
3536 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3539 memset(&pubkey, 0, sizeof(pubkey));
3541 VG_UNDEF(&pubkey, sizeof(pubkey));
3542 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3543 VG_CHECK(&pubkey, sizeof(pubkey));
3545 VG_UNDEF(&ge, sizeof(ge));
3546 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3547 VG_CHECK(&ge.x, sizeof(ge.x));
3548 VG_CHECK(&ge.y, sizeof(ge.y));
3549 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3550 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3552 /* secp256k1_ec_pubkey_serialize illegal args. */
3555 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3558 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3562 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3567 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3572 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3576 /* Multiple illegal args. Should still set arg error only once. */
3579 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3581 /* Does the illegal arg callback actually change the behavior? */
3582 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3583 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3585 CHECK(ecount2 == 10);
3586 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3587 /* Try a bunch of prefabbed points with all possible encodings. */
3588 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3589 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3591 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3592 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3594 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3595 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3599 void run_eckey_edge_case_test(void) {
3600 const unsigned char orderc[32] = {
3601 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3602 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3603 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3604 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3606 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3607 unsigned char ctmp[33];
3608 unsigned char ctmp2[33];
3609 secp256k1_pubkey pubkey;
3610 secp256k1_pubkey pubkey2;
3611 secp256k1_pubkey pubkey_one;
3612 secp256k1_pubkey pubkey_negone;
3613 const secp256k1_pubkey *pubkeys[3];
3616 /* Group order is too large, reject. */
3617 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3618 VG_UNDEF(&pubkey, sizeof(pubkey));
3619 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3620 VG_CHECK(&pubkey, sizeof(pubkey));
3621 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3622 /* Maximum value is too large, reject. */
3623 memset(ctmp, 255, 32);
3624 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3625 memset(&pubkey, 1, sizeof(pubkey));
3626 VG_UNDEF(&pubkey, sizeof(pubkey));
3627 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3628 VG_CHECK(&pubkey, sizeof(pubkey));
3629 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3630 /* Zero is too small, reject. */
3631 memset(ctmp, 0, 32);
3632 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3633 memset(&pubkey, 1, sizeof(pubkey));
3634 VG_UNDEF(&pubkey, sizeof(pubkey));
3635 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3636 VG_CHECK(&pubkey, sizeof(pubkey));
3637 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3638 /* One must be accepted. */
3640 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3641 memset(&pubkey, 0, sizeof(pubkey));
3642 VG_UNDEF(&pubkey, sizeof(pubkey));
3643 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3644 VG_CHECK(&pubkey, sizeof(pubkey));
3645 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3646 pubkey_one = pubkey;
3647 /* Group order + 1 is too large, reject. */
3648 memcpy(ctmp, orderc, 32);
3650 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3651 memset(&pubkey, 1, sizeof(pubkey));
3652 VG_UNDEF(&pubkey, sizeof(pubkey));
3653 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3654 VG_CHECK(&pubkey, sizeof(pubkey));
3655 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3656 /* -1 must be accepted. */
3658 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3659 memset(&pubkey, 0, sizeof(pubkey));
3660 VG_UNDEF(&pubkey, sizeof(pubkey));
3661 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3662 VG_CHECK(&pubkey, sizeof(pubkey));
3663 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3664 pubkey_negone = pubkey;
3665 /* Tweak of zero leaves the value unchanged. */
3666 memset(ctmp2, 0, 32);
3667 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3668 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3669 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3670 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3671 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3672 /* Multiply tweak of zero zeroizes the output. */
3673 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3674 CHECK(memcmp(zeros, ctmp, 32) == 0);
3675 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3676 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3677 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3678 /* Overflowing key tweak zeroizes. */
3679 memcpy(ctmp, orderc, 32);
3681 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3682 CHECK(memcmp(zeros, ctmp, 32) == 0);
3683 memcpy(ctmp, orderc, 32);
3685 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3686 CHECK(memcmp(zeros, ctmp, 32) == 0);
3687 memcpy(ctmp, orderc, 32);
3689 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3690 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3691 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3692 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3693 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3694 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3695 /* Private key tweaks results in a key of zero. */
3697 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3698 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3700 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3701 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3702 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3703 /* Tweak computation wraps and results in a key of 1. */
3705 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3706 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3708 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3710 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3711 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3712 /* Tweak mul * 2 = 1+1. */
3713 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3715 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3716 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3717 /* Test argument errors. */
3719 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3721 /* Zeroize pubkey on parse error. */
3722 memset(&pubkey, 0, 32);
3723 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3725 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3726 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3727 memset(&pubkey2, 0, 32);
3728 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3730 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3731 /* Plain argument errors. */
3733 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3735 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3738 memset(ctmp2, 0, 32);
3740 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3742 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3745 memset(ctmp2, 0, 32);
3747 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3749 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3752 memset(ctmp2, 0, 32);
3753 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3755 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3758 memset(ctmp2, 0, 32);
3760 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3762 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3765 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3767 memset(&pubkey, 1, sizeof(pubkey));
3768 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3770 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3771 /* secp256k1_ec_pubkey_combine tests. */
3773 pubkeys[0] = &pubkey_one;
3774 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3775 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3776 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3777 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3778 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3779 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3780 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3781 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3783 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3784 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3786 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3787 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3788 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3789 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3790 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3792 pubkeys[0] = &pubkey_negone;
3793 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3794 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3795 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3796 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3797 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3800 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3801 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3802 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3803 /* Result is infinity. */
3804 pubkeys[0] = &pubkey_one;
3805 pubkeys[1] = &pubkey_negone;
3806 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3807 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3808 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3809 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3810 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3812 /* Passes through infinity but comes out one. */
3813 pubkeys[2] = &pubkey_one;
3814 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3815 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3816 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3817 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3818 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3821 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3822 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3823 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3825 pubkeys[1] = &pubkey_one;
3826 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3827 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3828 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3829 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3830 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3832 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3835 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3836 secp256k1_scalar nonce;
3838 random_scalar_order_test(&nonce);
3839 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3842 void test_ecdsa_sign_verify(void) {
3845 secp256k1_scalar one;
3846 secp256k1_scalar msg, key;
3847 secp256k1_scalar sigr, sigs;
3850 random_scalar_order_test(&msg);
3851 random_scalar_order_test(&key);
3852 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3853 secp256k1_ge_set_gej(&pub, &pubj);
3854 getrec = secp256k1_rand_bits(1);
3855 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3857 CHECK(recid >= 0 && recid < 4);
3859 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3860 secp256k1_scalar_set_int(&one, 1);
3861 secp256k1_scalar_add(&msg, &msg, &one);
3862 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3865 void run_ecdsa_sign_verify(void) {
3867 for (i = 0; i < 10*count; i++) {
3868 test_ecdsa_sign_verify();
3872 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3873 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3877 memcpy(nonce32, data, 32);
3878 return (counter == 0);
3881 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3882 /* Dummy nonce generator that has a fatal error on the first counter value. */
3886 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3889 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3890 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3892 memset(nonce32, counter==0 ? 0 : 255, 32);
3899 static const unsigned char order[] = {
3900 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3901 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3902 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3903 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3905 memcpy(nonce32, order, 32);
3911 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3912 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3916 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3919 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3920 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3921 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3924 void test_ecdsa_end_to_end(void) {
3925 unsigned char extra[32] = {0x00};
3926 unsigned char privkey[32];
3927 unsigned char message[32];
3928 unsigned char privkey2[32];
3929 secp256k1_ecdsa_signature signature[6];
3930 secp256k1_scalar r, s;
3931 unsigned char sig[74];
3933 unsigned char pubkeyc[65];
3934 size_t pubkeyclen = 65;
3935 secp256k1_pubkey pubkey;
3936 secp256k1_pubkey pubkey_tmp;
3937 unsigned char seckey[300];
3938 size_t seckeylen = 300;
3940 /* Generate a random key and message. */
3942 secp256k1_scalar msg, key;
3943 random_scalar_order_test(&msg);
3944 random_scalar_order_test(&key);
3945 secp256k1_scalar_get_b32(privkey, &key);
3946 secp256k1_scalar_get_b32(message, &msg);
3949 /* Construct and verify corresponding public key. */
3950 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
3951 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
3953 /* Verify exporting and importing public key. */
3954 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
3955 memset(&pubkey, 0, sizeof(pubkey));
3956 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3958 /* Verify negation changes the key and changes it back */
3959 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
3960 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3961 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
3962 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3963 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
3965 /* Verify private key import and export. */
3966 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3967 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
3968 CHECK(memcmp(privkey, privkey2, 32) == 0);
3970 /* Optionally tweak the keys using addition. */
3971 if (secp256k1_rand_int(3) == 0) {
3974 unsigned char rnd[32];
3975 secp256k1_pubkey pubkey2;
3976 secp256k1_rand256_test(rnd);
3977 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
3978 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
3979 CHECK(ret1 == ret2);
3983 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3984 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3987 /* Optionally tweak the keys using multiplication. */
3988 if (secp256k1_rand_int(3) == 0) {
3991 unsigned char rnd[32];
3992 secp256k1_pubkey pubkey2;
3993 secp256k1_rand256_test(rnd);
3994 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
3995 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
3996 CHECK(ret1 == ret2);
4000 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4001 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4005 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4006 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4007 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4009 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4012 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4013 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4014 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4015 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4016 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4017 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4018 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4019 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4021 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4022 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4023 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4024 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4025 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4026 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4027 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4028 secp256k1_scalar_negate(&s, &s);
4029 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4030 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4031 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4032 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4033 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4034 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4035 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4036 secp256k1_scalar_negate(&s, &s);
4037 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4038 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4039 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4040 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4042 /* Serialize/parse DER and verify again */
4043 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4044 memset(&signature[0], 0, sizeof(signature[0]));
4045 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4046 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4047 /* Serialize/destroy/parse DER and verify again. */
4049 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4050 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4051 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4052 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4055 void test_random_pubkeys(void) {
4058 unsigned char in[65];
4059 /* Generate some randomly sized pubkeys. */
4060 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4061 if (secp256k1_rand_bits(2) == 0) {
4062 len = secp256k1_rand_bits(6);
4065 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4067 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4069 if (secp256k1_rand_bits(3) == 0) {
4070 in[0] = secp256k1_rand_bits(8);
4073 secp256k1_rand256(&in[1]);
4076 secp256k1_rand256(&in[33]);
4078 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4079 unsigned char out[65];
4080 unsigned char firstb;
4084 /* If the pubkey can be parsed, it should round-trip... */
4085 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4087 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4088 /* ... except for the type of hybrid inputs. */
4089 if ((in[0] != 6) && (in[0] != 7)) {
4090 CHECK(in[0] == out[0]);
4093 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4095 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4096 ge_equals_ge(&elem,&elem2);
4097 /* Check that the X9.62 hybrid type is checked. */
4098 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4099 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4100 if (firstb == 2 || firstb == 3) {
4101 if (in[0] == firstb + 4) {
4108 ge_equals_ge(&elem,&elem2);
4109 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4110 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4115 void run_random_pubkeys(void) {
4117 for (i = 0; i < 10*count; i++) {
4118 test_random_pubkeys();
4122 void run_ecdsa_end_to_end(void) {
4124 for (i = 0; i < 64*count; i++) {
4125 test_ecdsa_end_to_end();
4129 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4130 static const unsigned char zeroes[32] = {0};
4131 #ifdef ENABLE_OPENSSL_TESTS
4132 static const unsigned char max_scalar[32] = {
4133 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4134 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4135 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4136 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4142 secp256k1_ecdsa_signature sig_der;
4143 unsigned char roundtrip_der[2048];
4144 unsigned char compact_der[64];
4145 size_t len_der = 2048;
4146 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4148 secp256k1_ecdsa_signature sig_der_lax;
4149 unsigned char roundtrip_der_lax[2048];
4150 unsigned char compact_der_lax[64];
4151 size_t len_der_lax = 2048;
4152 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4154 #ifdef ENABLE_OPENSSL_TESTS
4155 ECDSA_SIG *sig_openssl;
4156 const BIGNUM *r = NULL, *s = NULL;
4157 const unsigned char *sigptr;
4158 unsigned char roundtrip_openssl[2048];
4159 int len_openssl = 2048;
4160 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4163 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4165 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4166 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4169 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4170 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4173 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4174 if (parsed_der_lax) {
4175 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4176 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4178 if (valid_der_lax) {
4179 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4180 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4183 if (certainly_der) {
4184 ret |= (!parsed_der) << 2;
4186 if (certainly_not_der) {
4187 ret |= (parsed_der) << 17;
4190 ret |= (!roundtrips_der) << 3;
4194 ret |= (!roundtrips_der_lax) << 12;
4195 ret |= (len_der != len_der_lax) << 13;
4196 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4198 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4200 ret |= (!parsed_der_lax) << 16;
4203 #ifdef ENABLE_OPENSSL_TESTS
4204 sig_openssl = ECDSA_SIG_new();
4206 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4207 if (parsed_openssl) {
4208 ECDSA_SIG_get0(sig_openssl, &r, &s);
4209 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4210 if (valid_openssl) {
4211 unsigned char tmp[32] = {0};
4212 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4213 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4215 if (valid_openssl) {
4216 unsigned char tmp[32] = {0};
4217 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4218 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4221 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4222 if (len_openssl <= 2048) {
4223 unsigned char *ptr = roundtrip_openssl;
4224 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4225 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4229 ECDSA_SIG_free(sig_openssl);
4231 ret |= (parsed_der && !parsed_openssl) << 4;
4232 ret |= (valid_der && !valid_openssl) << 5;
4233 ret |= (roundtrips_openssl && !parsed_der) << 6;
4234 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4235 if (roundtrips_openssl) {
4236 ret |= (len_der != (size_t)len_openssl) << 8;
4237 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4243 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4245 for (i = 0; i < ptrlen; i++) {
4246 int shift = ptrlen - 1 - i;
4250 ptr[i] = (val >> shift) & 0xFF;
4255 static void damage_array(unsigned char *sig, size_t *len) {
4257 int action = secp256k1_rand_bits(3);
4258 if (action < 1 && *len > 3) {
4259 /* Delete a byte. */
4260 pos = secp256k1_rand_int(*len);
4261 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4264 } else if (action < 2 && *len < 2048) {
4265 /* Insert a byte. */
4266 pos = secp256k1_rand_int(1 + *len);
4267 memmove(sig + pos + 1, sig + pos, *len - pos);
4268 sig[pos] = secp256k1_rand_bits(8);
4271 } else if (action < 4) {
4272 /* Modify a byte. */
4273 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4275 } else { /* action < 8 */
4277 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4282 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4284 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4285 size_t tlen, elen, glen;
4290 der = secp256k1_rand_bits(2) == 0;
4291 *certainly_der = der;
4292 *certainly_not_der = 0;
4293 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4295 for (n = 0; n < 2; n++) {
4296 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4297 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4298 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4299 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4300 CHECK(nlen[n] <= 232);
4301 /* The top bit of the number. */
4302 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4303 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4304 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4305 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4306 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4307 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4308 *certainly_not_der = 1;
4310 CHECK(nlen[n] + nzlen[n] <= 300);
4311 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4312 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4314 /* nlenlen[n] max 127 bytes */
4315 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4318 *certainly_not_der = 1;
4321 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4324 /* The total length of the data to go, so far */
4325 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4328 /* The length of the garbage inside the tuple. */
4329 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4331 *certainly_not_der = 1;
4336 /* The length of the garbage after the end of the tuple. */
4337 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4339 *certainly_not_der = 1;
4341 CHECK(tlen + glen <= 990);
4343 /* Write the tuple header. */
4344 sig[(*len)++] = 0x30;
4346 /* Indeterminate length */
4347 sig[(*len)++] = 0x80;
4348 *certainly_not_der = 1;
4350 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4352 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4355 *certainly_not_der = 1;
4359 /* Short length notation */
4360 sig[(*len)++] = tlen;
4362 /* Long length notation */
4363 sig[(*len)++] = 128 + tlenlen;
4364 assign_big_endian(sig + *len, tlenlen, tlen);
4370 CHECK(tlen + glen <= 1119);
4372 for (n = 0; n < 2; n++) {
4373 /* Write the integer header. */
4374 sig[(*len)++] = 0x02;
4375 if (nlenlen[n] == 0) {
4376 /* Short length notation */
4377 sig[(*len)++] = nlen[n] + nzlen[n];
4379 /* Long length notation. */
4380 sig[(*len)++] = 128 + nlenlen[n];
4381 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4384 /* Write zero padding */
4385 while (nzlen[n] > 0) {
4386 sig[(*len)++] = 0x00;
4389 if (nlen[n] == 32 && !nlow[n]) {
4390 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4392 for (i = 0; i < 16; i++) {
4393 sig[(*len)++] = 0xFF;
4397 /* Write first byte of number */
4399 sig[(*len)++] = nhbyte[n];
4402 /* Generate remaining random bytes of number */
4403 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4408 /* Generate random garbage inside tuple. */
4409 secp256k1_rand_bytes_test(sig + *len, elen);
4412 /* Generate end-of-contents bytes. */
4418 CHECK(tlen + glen <= 1121);
4420 /* Generate random garbage outside tuple. */
4421 secp256k1_rand_bytes_test(sig + *len, glen);
4424 CHECK(tlen <= 1121);
4425 CHECK(tlen == *len);
4428 void run_ecdsa_der_parse(void) {
4430 for (i = 0; i < 200 * count; i++) {
4431 unsigned char buffer[2048];
4433 int certainly_der = 0;
4434 int certainly_not_der = 0;
4435 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4436 CHECK(buflen <= 2048);
4437 for (j = 0; j < 16; j++) {
4440 damage_array(buffer, &buflen);
4441 /* We don't know anything anymore about the DERness of the result */
4443 certainly_not_der = 0;
4445 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4448 fprintf(stderr, "Failure %x on ", ret);
4449 for (k = 0; k < buflen; k++) {
4450 fprintf(stderr, "%02x ", buffer[k]);
4452 fprintf(stderr, "\n");
4459 /* Tests several edge cases. */
4460 void test_ecdsa_edge_cases(void) {
4462 secp256k1_ecdsa_signature sig;
4464 /* Test the case where ECDSA recomputes a point that is infinity. */
4468 secp256k1_scalar msg;
4469 secp256k1_scalar sr, ss;
4470 secp256k1_scalar_set_int(&ss, 1);
4471 secp256k1_scalar_negate(&ss, &ss);
4472 secp256k1_scalar_inverse(&ss, &ss);
4473 secp256k1_scalar_set_int(&sr, 1);
4474 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4475 secp256k1_ge_set_gej(&key, &keyj);
4477 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4480 /* Verify signature with r of zero fails. */
4482 const unsigned char pubkey_mods_zero[33] = {
4483 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4484 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4485 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4486 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4490 secp256k1_scalar msg;
4491 secp256k1_scalar sr, ss;
4492 secp256k1_scalar_set_int(&ss, 1);
4493 secp256k1_scalar_set_int(&msg, 0);
4494 secp256k1_scalar_set_int(&sr, 0);
4495 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4496 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4499 /* Verify signature with s of zero fails. */
4501 const unsigned char pubkey[33] = {
4502 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4504 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4509 secp256k1_scalar msg;
4510 secp256k1_scalar sr, ss;
4511 secp256k1_scalar_set_int(&ss, 0);
4512 secp256k1_scalar_set_int(&msg, 0);
4513 secp256k1_scalar_set_int(&sr, 1);
4514 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4515 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4518 /* Verify signature with message 0 passes. */
4520 const unsigned char pubkey[33] = {
4521 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4527 const unsigned char pubkey2[33] = {
4528 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4529 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4530 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4531 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4536 secp256k1_scalar msg;
4537 secp256k1_scalar sr, ss;
4538 secp256k1_scalar_set_int(&ss, 2);
4539 secp256k1_scalar_set_int(&msg, 0);
4540 secp256k1_scalar_set_int(&sr, 2);
4541 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4542 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4543 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4544 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4545 secp256k1_scalar_negate(&ss, &ss);
4546 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4547 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4548 secp256k1_scalar_set_int(&ss, 1);
4549 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4550 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4553 /* Verify signature with message 1 passes. */
4555 const unsigned char pubkey[33] = {
4556 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4557 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4558 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4559 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4562 const unsigned char pubkey2[33] = {
4563 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4564 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4565 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4566 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4569 const unsigned char csr[32] = {
4570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4572 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4573 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4577 secp256k1_scalar msg;
4578 secp256k1_scalar sr, ss;
4579 secp256k1_scalar_set_int(&ss, 1);
4580 secp256k1_scalar_set_int(&msg, 1);
4581 secp256k1_scalar_set_b32(&sr, csr, NULL);
4582 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4583 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4584 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4585 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4586 secp256k1_scalar_negate(&ss, &ss);
4587 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4588 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4589 secp256k1_scalar_set_int(&ss, 2);
4590 secp256k1_scalar_inverse_var(&ss, &ss);
4591 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4592 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4595 /* Verify signature with message -1 passes. */
4597 const unsigned char pubkey[33] = {
4598 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4599 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4600 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4601 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4604 const unsigned char csr[32] = {
4605 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4607 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4608 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4611 secp256k1_scalar msg;
4612 secp256k1_scalar sr, ss;
4613 secp256k1_scalar_set_int(&ss, 1);
4614 secp256k1_scalar_set_int(&msg, 1);
4615 secp256k1_scalar_negate(&msg, &msg);
4616 secp256k1_scalar_set_b32(&sr, csr, NULL);
4617 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4618 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4619 secp256k1_scalar_negate(&ss, &ss);
4620 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4621 secp256k1_scalar_set_int(&ss, 3);
4622 secp256k1_scalar_inverse_var(&ss, &ss);
4623 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4626 /* Signature where s would be zero. */
4628 secp256k1_pubkey pubkey;
4631 unsigned char signature[72];
4632 static const unsigned char nonce[32] = {
4633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4638 static const unsigned char nonce2[32] = {
4639 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4640 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4641 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4642 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4644 const unsigned char key[32] = {
4645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4650 unsigned char msg[32] = {
4651 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4652 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4653 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4654 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4657 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4658 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4659 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4661 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4663 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4665 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4667 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4669 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4670 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4671 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4673 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4675 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4677 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4679 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4681 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4682 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4685 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4687 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4688 CHECK(ecount == 10);
4689 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4690 CHECK(ecount == 11);
4691 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4692 CHECK(ecount == 11);
4693 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4694 CHECK(ecount == 12);
4695 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4696 CHECK(ecount == 13);
4697 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4698 CHECK(ecount == 13);
4700 /* Too little room for a signature does not fail via ARGCHECK. */
4701 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4702 CHECK(ecount == 13);
4704 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4706 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4708 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4710 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4712 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4714 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4716 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4718 memset(signature, 255, 64);
4719 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4721 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4724 /* Nonce function corner cases. */
4725 for (t = 0; t < 2; t++) {
4726 static const unsigned char zero[32] = {0x00};
4728 unsigned char key[32];
4729 unsigned char msg[32];
4730 secp256k1_ecdsa_signature sig2;
4731 secp256k1_scalar sr[512], ss;
4732 const unsigned char *extra;
4733 extra = t == 0 ? NULL : zero;
4736 /* High key results in signature failure. */
4737 memset(key, 0xFF, 32);
4738 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4739 CHECK(is_empty_signature(&sig));
4740 /* Zero key results in signature failure. */
4742 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4743 CHECK(is_empty_signature(&sig));
4744 /* Nonce function failure results in signature failure. */
4746 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4747 CHECK(is_empty_signature(&sig));
4748 /* The retry loop successfully makes its way to the first good value. */
4749 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4750 CHECK(!is_empty_signature(&sig));
4751 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4752 CHECK(!is_empty_signature(&sig2));
4753 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4754 /* The default nonce function is deterministic. */
4755 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4756 CHECK(!is_empty_signature(&sig2));
4757 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4758 /* The default nonce function changes output with different messages. */
4759 for(i = 0; i < 256; i++) {
4762 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4763 CHECK(!is_empty_signature(&sig2));
4764 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4765 for (j = 0; j < i; j++) {
4766 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4771 /* The default nonce function changes output with different keys. */
4772 for(i = 256; i < 512; i++) {
4775 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4776 CHECK(!is_empty_signature(&sig2));
4777 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4778 for (j = 0; j < i; j++) {
4779 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4786 /* Check that optional nonce arguments do not have equivalent effect. */
4787 const unsigned char zeros[32] = {0};
4788 unsigned char nonce[32];
4789 unsigned char nonce2[32];
4790 unsigned char nonce3[32];
4791 unsigned char nonce4[32];
4793 VG_UNDEF(nonce2,32);
4794 VG_UNDEF(nonce3,32);
4795 VG_UNDEF(nonce4,32);
4796 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4798 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4799 VG_CHECK(nonce2,32);
4800 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4801 VG_CHECK(nonce3,32);
4802 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4803 VG_CHECK(nonce4,32);
4804 CHECK(memcmp(nonce, nonce2, 32) != 0);
4805 CHECK(memcmp(nonce, nonce3, 32) != 0);
4806 CHECK(memcmp(nonce, nonce4, 32) != 0);
4807 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4808 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4809 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4813 /* Privkey export where pubkey is the point at infinity. */
4815 unsigned char privkey[300];
4816 unsigned char seckey[32] = {
4817 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4818 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4819 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4820 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4822 size_t outlen = 300;
4823 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4825 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4829 void run_ecdsa_edge_cases(void) {
4830 test_ecdsa_edge_cases();
4833 #ifdef ENABLE_OPENSSL_TESTS
4834 EC_KEY *get_openssl_key(const unsigned char *key32) {
4835 unsigned char privkey[300];
4837 const unsigned char* pbegin = privkey;
4838 int compr = secp256k1_rand_bits(1);
4839 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4840 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4841 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4842 CHECK(EC_KEY_check_key(ec_key));
4846 void test_ecdsa_openssl(void) {
4849 secp256k1_scalar sigr, sigs;
4850 secp256k1_scalar one;
4851 secp256k1_scalar msg2;
4852 secp256k1_scalar key, msg;
4854 unsigned int sigsize = 80;
4855 size_t secp_sigsize = 80;
4856 unsigned char message[32];
4857 unsigned char signature[80];
4858 unsigned char key32[32];
4859 secp256k1_rand256_test(message);
4860 secp256k1_scalar_set_b32(&msg, message, NULL);
4861 random_scalar_order_test(&key);
4862 secp256k1_scalar_get_b32(key32, &key);
4863 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4864 secp256k1_ge_set_gej(&q, &qj);
4865 ec_key = get_openssl_key(key32);
4866 CHECK(ec_key != NULL);
4867 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4868 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4869 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4870 secp256k1_scalar_set_int(&one, 1);
4871 secp256k1_scalar_add(&msg2, &msg, &one);
4872 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4874 random_sign(&sigr, &sigs, &key, &msg, NULL);
4875 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4876 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4878 EC_KEY_free(ec_key);
4881 void run_ecdsa_openssl(void) {
4883 for (i = 0; i < 10*count; i++) {
4884 test_ecdsa_openssl();
4889 #ifdef ENABLE_MODULE_ECDH
4890 # include "modules/ecdh/tests_impl.h"
4893 #ifdef ENABLE_MODULE_RECOVERY
4894 # include "modules/recovery/tests_impl.h"
4897 int main(int argc, char **argv) {
4898 unsigned char seed16[16] = {0};
4899 unsigned char run32[32] = {0};
4900 /* find iteration count */
4902 count = strtol(argv[1], NULL, 0);
4905 /* find random seed */
4908 const char* ch = argv[2];
4909 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4911 if (sscanf(ch, "%2hx", &sh)) {
4920 FILE *frand = fopen("/dev/urandom", "r");
4921 if ((frand == NULL) || fread(&seed16, sizeof(seed16), 1, frand) != sizeof(seed16)) {
4922 uint64_t t = time(NULL) * (uint64_t)1337;
4924 seed16[1] ^= t >> 8;
4925 seed16[2] ^= t >> 16;
4926 seed16[3] ^= t >> 24;
4927 seed16[4] ^= t >> 32;
4928 seed16[5] ^= t >> 40;
4929 seed16[6] ^= t >> 48;
4930 seed16[7] ^= t >> 56;
4934 secp256k1_rand_seed(seed16);
4936 printf("test count = %i\n", count);
4937 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4940 run_context_tests();
4941 run_scratch_tests();
4942 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
4943 if (secp256k1_rand_bits(1)) {
4944 secp256k1_rand256(run32);
4945 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
4952 run_hmac_sha256_tests();
4953 run_rfc6979_hmac_sha256_tests();
4955 #ifndef USE_NUM_NONE
4957 run_num_smalltests();
4965 run_field_inv_var();
4966 run_field_inv_all_var();
4968 run_field_convert();
4974 run_group_decompress();
4978 run_point_times_order();
4980 run_ecmult_constants();
4981 run_ecmult_gen_blind();
4982 run_ecmult_const_tests();
4983 run_ecmult_multi_tests();
4986 /* endomorphism tests */
4987 #ifdef USE_ENDOMORPHISM
4988 run_endomorphism_tests();
4991 /* EC point parser test */
4992 run_ec_pubkey_parse_test();
4994 /* EC key edge cases */
4995 run_eckey_edge_case_test();
4997 #ifdef ENABLE_MODULE_ECDH
5003 run_random_pubkeys();
5004 run_ecdsa_der_parse();
5005 run_ecdsa_sign_verify();
5006 run_ecdsa_end_to_end();
5007 run_ecdsa_edge_cases();
5008 #ifdef ENABLE_OPENSSL_TESTS
5009 run_ecdsa_openssl();
5012 #ifdef ENABLE_MODULE_RECOVERY
5013 /* ECDSA pubkey recovery tests */
5014 run_recovery_tests();
5017 secp256k1_rand256(run32);
5018 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5021 secp256k1_context_destroy(ctx);
5023 printf("no problems found\n");
projects / secp256k1.git / blob