Git Repo - secp256k1.git/commit

author	Andrew Poelstra <[email protected]>
	Thu, 17 Sep 2015 23:54:52 +0000 (18:54 -0500)
committer	Andrew Poelstra <[email protected]>
	Fri, 25 Nov 2016 20:45:29 +0000 (20:45 +0000)
commit	20b8877be1554b7584e85ff577e4fca8e5e9a76c
tree	c6f54cebc3df81db5771249b35404d660a484779	tree \| snapshot
parent	80773a6b74cb102aa9f9b25228e7456aeef6d314	commit \| diff

Add exhaustive test for group functions on a low-order subgroup

We observe that when changing the b-value in the elliptic curve formula
`y^2 = x^3 + ax + b`, the group law is unchanged. Therefore our functions
for secp256k1 will be correct if and only if they are correct when applied
to the curve defined by `y^2 = x^3 + 4` defined over the same field. This
curve has a point P of order 199.

This commit adds a test which computes the subgroup generated by P and
exhaustively checks that addition of every pair of points gives the correct
result.

Unfortunately we cannot test const-time scalar multiplication by the same
mechanism. The reason is that these ecmult functions both compute a wNAF
representation of the scalar, and this representation is tied to the order
of the group.

Testing with the incomplete version of gej_add_ge (found in 5de4c5dff^)
shows that this detects the incompleteness when adding P - 106P, which
is exactly what we expected since 106 is a cube root of 1 mod 199.

.gitignore		diff \| blob \| blame \| history
Makefile.am		diff \| blob \| blame \| history
configure.ac		diff \| blob \| blame \| history
src/ecmult_impl.h		diff \| blob \| blame \| history
src/field.h		diff \| blob \| blame \| history
src/group_impl.h		diff \| blob \| blame \| history
src/tests_exhaustive.c	[new file with mode: 0644]	blob