PRCYCoin  2.0.0.7rc1
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 
14 #include "secp256k1.c"
15 #include "testrand_impl.h"
16 
17 #ifdef ENABLE_OPENSSL_TESTS
18 #include "openssl/bn.h"
19 #include "openssl/ec.h"
20 #include "openssl/ecdsa.h"
21 #include "openssl/obj_mac.h"
22 #endif
23 
24 static int count = 64;
25 
26 void random_field_element_test(secp256k1_fe_t *fe) {
27  do {
28  unsigned char b32[32];
29  secp256k1_rand256_test(b32);
30  if (secp256k1_fe_set_b32(fe, b32)) {
31  break;
32  }
33  } while(1);
34 }
35 
36 void random_field_element_magnitude(secp256k1_fe_t *fe) {
37  secp256k1_fe_normalize(fe);
38  int n = secp256k1_rand32() % 4;
39  for (int i = 0; i < n; i++) {
40  secp256k1_fe_negate(fe, fe, 1 + 2*i);
41  secp256k1_fe_negate(fe, fe, 2 + 2*i);
42  }
43 }
44 
45 void random_group_element_test(secp256k1_ge_t *ge) {
46  secp256k1_fe_t fe;
47  do {
48  random_field_element_test(&fe);
49  if (secp256k1_ge_set_xo(ge, &fe, secp256k1_rand32() & 1))
50  break;
51  } while(1);
52 }
53 
54 void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge) {
55  do {
56  random_field_element_test(&gej->z);
57  if (!secp256k1_fe_is_zero(&gej->z)) {
58  break;
59  }
60  } while(1);
61  secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &gej->z);
62  secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &z2, &gej->z);
63  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
64  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
65  gej->infinity = ge->infinity;
66 }
67 
68 void random_scalar_order_test(secp256k1_scalar_t *num) {
69  do {
70  unsigned char b32[32];
71  secp256k1_rand256_test(b32);
72  int overflow = 0;
73  secp256k1_scalar_set_b32(num, b32, &overflow);
74  if (overflow || secp256k1_scalar_is_zero(num))
75  continue;
76  break;
77  } while(1);
78 }
79 
80 void random_scalar_order(secp256k1_scalar_t *num) {
81  do {
82  unsigned char b32[32];
83  secp256k1_rand256(b32);
84  int overflow = 0;
85  secp256k1_scalar_set_b32(num, b32, &overflow);
86  if (overflow || secp256k1_scalar_is_zero(num))
87  continue;
88  break;
89  } while(1);
90 }
91 
92 /***** NUM TESTS *****/
93 
94 #ifndef USE_NUM_NONE
95 void random_num_negate(secp256k1_num_t *num) {
96  if (secp256k1_rand32() & 1)
97  secp256k1_num_negate(num);
98 }
99 
100 void random_num_order_test(secp256k1_num_t *num) {
101  secp256k1_scalar_t sc;
102  random_scalar_order_test(&sc);
103  secp256k1_scalar_get_num(num, &sc);
104 }
105 
106 void random_num_order(secp256k1_num_t *num) {
107  secp256k1_scalar_t sc;
108  random_scalar_order(&sc);
109  secp256k1_scalar_get_num(num, &sc);
110 }
111 
112 void test_num_negate(void) {
113  secp256k1_num_t n1;
114  secp256k1_num_t n2;
115  random_num_order_test(&n1); /* n1 = R */
116  random_num_negate(&n1);
117  secp256k1_num_copy(&n2, &n1); /* n2 = R */
118  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
119  CHECK(secp256k1_num_is_zero(&n1));
120  secp256k1_num_copy(&n1, &n2); /* n1 = R */
121  secp256k1_num_negate(&n1); /* n1 = -R */
122  CHECK(!secp256k1_num_is_zero(&n1));
123  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
124  CHECK(secp256k1_num_is_zero(&n1));
125  secp256k1_num_copy(&n1, &n2); /* n1 = R */
126  secp256k1_num_negate(&n1); /* n1 = -R */
127  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
128  secp256k1_num_negate(&n1); /* n1 = R */
129  CHECK(secp256k1_num_eq(&n1, &n2));
130 }
131 
132 void test_num_add_sub(void) {
133  int r = secp256k1_rand32();
134  secp256k1_num_t n1;
135  secp256k1_num_t n2;
136  random_num_order_test(&n1); /* n1 = R1 */
137  if (r & 1) {
138  random_num_negate(&n1);
139  }
140  random_num_order_test(&n2); /* n2 = R2 */
141  if (r & 2) {
142  random_num_negate(&n2);
143  }
144  secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
145  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
146  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
147  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
148  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
149  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
150  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
151  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
152  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
153  CHECK(!secp256k1_num_eq(&n2m1, &n1));
154  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
155  CHECK(secp256k1_num_eq(&n2m1, &n1));
156  CHECK(!secp256k1_num_eq(&n2p1, &n1));
157  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
158  CHECK(secp256k1_num_eq(&n2p1, &n1));
159 }
160 
161 void run_num_smalltests(void) {
162  for (int i=0; i<100*count; i++) {
163  test_num_negate();
164  test_num_add_sub();
165  }
166 }
167 #endif
168 
169 /***** SCALAR TESTS *****/
170 
171 void scalar_test(void) {
172  unsigned char c[32];
173 
174  /* Set 's' to a random scalar, with value 'snum'. */
175  secp256k1_scalar_t s;
176  random_scalar_order_test(&s);
177 
178  /* Set 's1' to a random scalar, with value 's1num'. */
179  secp256k1_scalar_t s1;
180  random_scalar_order_test(&s1);
181 
182  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
183  secp256k1_scalar_t s2;
184  random_scalar_order_test(&s2);
185  secp256k1_scalar_get_b32(c, &s2);
186 
187 #ifndef USE_NUM_NONE
188  secp256k1_num_t snum, s1num, s2num;
189  secp256k1_scalar_get_num(&snum, &s);
190  secp256k1_scalar_get_num(&s1num, &s1);
191  secp256k1_scalar_get_num(&s2num, &s2);
192 
193  secp256k1_num_t order;
194  secp256k1_scalar_order_get_num(&order);
195  secp256k1_num_t half_order = order;
196  secp256k1_num_shift(&half_order, 1);
197 #endif
198 
199  {
200  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
201  secp256k1_scalar_t n;
202  secp256k1_scalar_set_int(&n, 0);
203  for (int i = 0; i < 256; i += 4) {
204  secp256k1_scalar_t t;
205  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
206  for (int j = 0; j < 4; j++) {
207  secp256k1_scalar_add(&n, &n, &n);
208  }
209  secp256k1_scalar_add(&n, &n, &t);
210  }
211  CHECK(secp256k1_scalar_eq(&n, &s));
212  }
213 
214  {
215  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
216  secp256k1_scalar_t n;
217  secp256k1_scalar_set_int(&n, 0);
218  int i = 0;
219  while (i < 256) {
220  int now = (secp256k1_rand32() % 15) + 1;
221  if (now + i > 256) {
222  now = 256 - i;
223  }
224  secp256k1_scalar_t t;
225  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
226  for (int j = 0; j < now; j++) {
227  secp256k1_scalar_add(&n, &n, &n);
228  }
229  secp256k1_scalar_add(&n, &n, &t);
230  i += now;
231  }
232  CHECK(secp256k1_scalar_eq(&n, &s));
233  }
234 
235 #ifndef USE_NUM_NONE
236  {
237  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
238  secp256k1_num_t rnum;
239  secp256k1_num_add(&rnum, &snum, &s2num);
240  secp256k1_num_mod(&rnum, &order);
241  secp256k1_scalar_t r;
242  secp256k1_scalar_add(&r, &s, &s2);
243  secp256k1_num_t r2num;
244  secp256k1_scalar_get_num(&r2num, &r);
245  CHECK(secp256k1_num_eq(&rnum, &r2num));
246  }
247 
248  {
249  /* Test that multipying the scalars is equal to multiplying their numbers modulo the order. */
250  secp256k1_num_t rnum;
251  secp256k1_num_mul(&rnum, &snum, &s2num);
252  secp256k1_num_mod(&rnum, &order);
253  secp256k1_scalar_t r;
254  secp256k1_scalar_mul(&r, &s, &s2);
255  secp256k1_num_t r2num;
256  secp256k1_scalar_get_num(&r2num, &r);
257  CHECK(secp256k1_num_eq(&rnum, &r2num));
258  /* The result can only be zero if at least one of the factors was zero. */
259  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
260  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
261  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
262  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
263  }
264 
265  {
266  /* Check that comparison with zero matches comparison with zero on the number. */
267  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
268  /* Check that comparison with the half order is equal to testing for high scalar. */
269  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
270  secp256k1_scalar_t neg;
271  secp256k1_scalar_negate(&neg, &s);
272  secp256k1_num_t negnum;
273  secp256k1_num_sub(&negnum, &order, &snum);
274  secp256k1_num_mod(&negnum, &order);
275  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
276  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
277  /* Negating should change the high property, unless the value was already zero. */
278  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
279  secp256k1_num_t negnum2;
280  secp256k1_scalar_get_num(&negnum2, &neg);
281  /* Negating a scalar should be equal to (order - n) mod order on the number. */
282  CHECK(secp256k1_num_eq(&negnum, &negnum2));
283  secp256k1_scalar_add(&neg, &neg, &s);
284  /* Adding a number to its negation should result in zero. */
285  CHECK(secp256k1_scalar_is_zero(&neg));
286  secp256k1_scalar_negate(&neg, &neg);
287  /* Negating zero should still result in zero. */
288  CHECK(secp256k1_scalar_is_zero(&neg));
289  }
290 
291  {
292  /* Test secp256k1_scalar_mul_shift_var. */
293  secp256k1_scalar_t r;
294  unsigned int shift = 256 + (secp256k1_rand32() % 257);
295  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
296  secp256k1_num_t rnum;
297  secp256k1_num_mul(&rnum, &s1num, &s2num);
298  secp256k1_num_shift(&rnum, shift - 1);
299  secp256k1_num_t one;
300  unsigned char cone[1] = {0x01};
301  secp256k1_num_set_bin(&one, cone, 1);
302  secp256k1_num_add(&rnum, &rnum, &one);
303  secp256k1_num_shift(&rnum, 1);
304  secp256k1_num_t rnum2;
305  secp256k1_scalar_get_num(&rnum2, &r);
306  CHECK(secp256k1_num_eq(&rnum, &rnum2));
307  }
308 #endif
309 
310  {
311  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
312  if (!secp256k1_scalar_is_zero(&s)) {
313  secp256k1_scalar_t inv;
314  secp256k1_scalar_inverse(&inv, &s);
315 #ifndef USE_NUM_NONE
316  secp256k1_num_t invnum;
317  secp256k1_num_mod_inverse(&invnum, &snum, &order);
318  secp256k1_num_t invnum2;
319  secp256k1_scalar_get_num(&invnum2, &inv);
320  CHECK(secp256k1_num_eq(&invnum, &invnum2));
321 #endif
322  secp256k1_scalar_mul(&inv, &inv, &s);
323  /* Multiplying a scalar with its inverse must result in one. */
324  CHECK(secp256k1_scalar_is_one(&inv));
325  secp256k1_scalar_inverse(&inv, &inv);
326  /* Inverting one must result in one. */
327  CHECK(secp256k1_scalar_is_one(&inv));
328  }
329  }
330 
331  {
332  /* Test commutativity of add. */
333  secp256k1_scalar_t r1, r2;
334  secp256k1_scalar_add(&r1, &s1, &s2);
335  secp256k1_scalar_add(&r2, &s2, &s1);
336  CHECK(secp256k1_scalar_eq(&r1, &r2));
337  }
338 
339  {
340  /* Test add_bit. */
341  int bit = secp256k1_rand32() % 256;
342  secp256k1_scalar_t b;
343  secp256k1_scalar_set_int(&b, 1);
344  CHECK(secp256k1_scalar_is_one(&b));
345  for (int i = 0; i < bit; i++) {
346  secp256k1_scalar_add(&b, &b, &b);
347  }
348  secp256k1_scalar_t r1 = s1, r2 = s1;
349  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
350  /* No overflow happened. */
351  secp256k1_scalar_add_bit(&r2, bit);
352  CHECK(secp256k1_scalar_eq(&r1, &r2));
353  }
354  }
355 
356  {
357  /* Test commutativity of mul. */
358  secp256k1_scalar_t r1, r2;
359  secp256k1_scalar_mul(&r1, &s1, &s2);
360  secp256k1_scalar_mul(&r2, &s2, &s1);
361  CHECK(secp256k1_scalar_eq(&r1, &r2));
362  }
363 
364  {
365  /* Test associativity of add. */
366  secp256k1_scalar_t r1, r2;
367  secp256k1_scalar_add(&r1, &s1, &s2);
368  secp256k1_scalar_add(&r1, &r1, &s);
369  secp256k1_scalar_add(&r2, &s2, &s);
370  secp256k1_scalar_add(&r2, &s1, &r2);
371  CHECK(secp256k1_scalar_eq(&r1, &r2));
372  }
373 
374  {
375  /* Test associativity of mul. */
376  secp256k1_scalar_t r1, r2;
377  secp256k1_scalar_mul(&r1, &s1, &s2);
378  secp256k1_scalar_mul(&r1, &r1, &s);
379  secp256k1_scalar_mul(&r2, &s2, &s);
380  secp256k1_scalar_mul(&r2, &s1, &r2);
381  CHECK(secp256k1_scalar_eq(&r1, &r2));
382  }
383 
384  {
385  /* Test distributitivity of mul over add. */
386  secp256k1_scalar_t r1, r2, t;
387  secp256k1_scalar_add(&r1, &s1, &s2);
388  secp256k1_scalar_mul(&r1, &r1, &s);
389  secp256k1_scalar_mul(&r2, &s1, &s);
390  secp256k1_scalar_mul(&t, &s2, &s);
391  secp256k1_scalar_add(&r2, &r2, &t);
392  CHECK(secp256k1_scalar_eq(&r1, &r2));
393  }
394 
395  {
396  /* Test square. */
397  secp256k1_scalar_t r1, r2;
398  secp256k1_scalar_sqr(&r1, &s1);
399  secp256k1_scalar_mul(&r2, &s1, &s1);
400  CHECK(secp256k1_scalar_eq(&r1, &r2));
401  }
402 
403 }
404 
405 void run_scalar_tests(void) {
406  for (int i = 0; i < 128 * count; i++) {
407  scalar_test();
408  }
409 
410  {
411  /* (-1)+1 should be zero. */
412  secp256k1_scalar_t s, o;
413  secp256k1_scalar_set_int(&s, 1);
414  secp256k1_scalar_negate(&o, &s);
415  secp256k1_scalar_add(&o, &o, &s);
416  CHECK(secp256k1_scalar_is_zero(&o));
417  }
418 
419 #ifndef USE_NUM_NONE
420  {
421  /* A scalar with value of the curve order should be 0. */
422  secp256k1_num_t order;
423  secp256k1_scalar_order_get_num(&order);
424  unsigned char bin[32];
425  secp256k1_num_get_bin(bin, 32, &order);
426  secp256k1_scalar_t zero;
427  int overflow = 0;
428  secp256k1_scalar_set_b32(&zero, bin, &overflow);
429  CHECK(overflow == 1);
430  CHECK(secp256k1_scalar_is_zero(&zero));
431  }
432 #endif
433 }
434 
435 /***** FIELD TESTS *****/
436 
437 void random_fe(secp256k1_fe_t *x) {
438  unsigned char bin[32];
439  do {
440  secp256k1_rand256(bin);
441  if (secp256k1_fe_set_b32(x, bin)) {
442  return;
443  }
444  } while(1);
445 }
446 
447 void random_fe_non_zero(secp256k1_fe_t *nz) {
448  int tries = 10;
449  while (--tries >= 0) {
450  random_fe(nz);
451  secp256k1_fe_normalize(nz);
452  if (!secp256k1_fe_is_zero(nz))
453  break;
454  }
455  /* Infinitesimal probability of spurious failure here */
456  CHECK(tries >= 0);
457 }
458 
459 void random_fe_non_square(secp256k1_fe_t *ns) {
460  random_fe_non_zero(ns);
461  secp256k1_fe_t r;
462  if (secp256k1_fe_sqrt(&r, ns)) {
463  secp256k1_fe_negate(ns, ns, 1);
464  }
465 }
466 
467 int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
468  secp256k1_fe_t an = *a; secp256k1_fe_normalize(&an);
469  secp256k1_fe_t bn = *b; secp256k1_fe_normalize(&bn);
470  return secp256k1_fe_equal(&an, &bn);
471 }
472 
473 int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
474  secp256k1_fe_t x; secp256k1_fe_mul(&x, a, ai);
475  secp256k1_fe_t one; secp256k1_fe_set_int(&one, 1);
476  return check_fe_equal(&x, &one);
477 }
478 
479 void run_field_inv(void) {
480  secp256k1_fe_t x, xi, xii;
481  for (int i=0; i<10*count; i++) {
482  random_fe_non_zero(&x);
483  secp256k1_fe_inv(&xi, &x);
484  CHECK(check_fe_inverse(&x, &xi));
485  secp256k1_fe_inv(&xii, &xi);
486  CHECK(check_fe_equal(&x, &xii));
487  }
488 }
489 
490 void run_field_inv_var(void) {
491  secp256k1_fe_t x, xi, xii;
492  for (int i=0; i<10*count; i++) {
493  random_fe_non_zero(&x);
494  secp256k1_fe_inv_var(&xi, &x);
495  CHECK(check_fe_inverse(&x, &xi));
496  secp256k1_fe_inv_var(&xii, &xi);
497  CHECK(check_fe_equal(&x, &xii));
498  }
499 }
500 
501 void run_field_inv_all(void) {
502  secp256k1_fe_t x[16], xi[16], xii[16];
503  /* Check it's safe to call for 0 elements */
504  secp256k1_fe_inv_all(0, xi, x);
505  for (int i=0; i<count; i++) {
506  size_t len = (secp256k1_rand32() & 15) + 1;
507  for (size_t j=0; j<len; j++)
508  random_fe_non_zero(&x[j]);
509  secp256k1_fe_inv_all(len, xi, x);
510  for (size_t j=0; j<len; j++)
511  CHECK(check_fe_inverse(&x[j], &xi[j]));
512  secp256k1_fe_inv_all(len, xii, xi);
513  for (size_t j=0; j<len; j++)
514  CHECK(check_fe_equal(&x[j], &xii[j]));
515  }
516 }
517 
518 void run_field_inv_all_var(void) {
519  secp256k1_fe_t x[16], xi[16], xii[16];
520  /* Check it's safe to call for 0 elements */
521  secp256k1_fe_inv_all_var(0, xi, x);
522  for (int i=0; i<count; i++) {
523  size_t len = (secp256k1_rand32() & 15) + 1;
524  for (size_t j=0; j<len; j++)
525  random_fe_non_zero(&x[j]);
526  secp256k1_fe_inv_all_var(len, xi, x);
527  for (size_t j=0; j<len; j++)
528  CHECK(check_fe_inverse(&x[j], &xi[j]));
529  secp256k1_fe_inv_all_var(len, xii, xi);
530  for (size_t j=0; j<len; j++)
531  CHECK(check_fe_equal(&x[j], &xii[j]));
532  }
533 }
534 
535 void run_sqr(void) {
536  secp256k1_fe_t x, s;
537 
538  {
539  secp256k1_fe_set_int(&x, 1);
540  secp256k1_fe_negate(&x, &x, 1);
541 
542  for (int i=1; i<=512; ++i) {
543  secp256k1_fe_mul_int(&x, 2);
544  secp256k1_fe_normalize(&x);
545  secp256k1_fe_sqr(&s, &x);
546  }
547  }
548 }
549 
550 void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
551  secp256k1_fe_t r1, r2;
552  int v = secp256k1_fe_sqrt(&r1, a);
553  CHECK((v == 0) == (k == NULL));
554 
555  if (k != NULL) {
556  /* Check that the returned root is +/- the given known answer */
557  secp256k1_fe_negate(&r2, &r1, 1);
558  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
559  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
560  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
561  }
562 }
563 
564 void run_sqrt(void) {
565  secp256k1_fe_t ns, x, s, t;
566 
567  /* Check sqrt(0) is 0 */
568  secp256k1_fe_set_int(&x, 0);
569  secp256k1_fe_sqr(&s, &x);
570  test_sqrt(&s, &x);
571 
572  /* Check sqrt of small squares (and their negatives) */
573  for (int i=1; i<=100; i++) {
574  secp256k1_fe_set_int(&x, i);
575  secp256k1_fe_sqr(&s, &x);
576  test_sqrt(&s, &x);
577  secp256k1_fe_negate(&t, &s, 1);
578  test_sqrt(&t, NULL);
579  }
580 
581  /* Consistency checks for large random values */
582  for (int i=0; i<10; i++) {
583  random_fe_non_square(&ns);
584  for (int j=0; j<count; j++) {
585  random_fe(&x);
586  secp256k1_fe_sqr(&s, &x);
587  test_sqrt(&s, &x);
588  secp256k1_fe_negate(&t, &s, 1);
589  test_sqrt(&t, NULL);
590  secp256k1_fe_mul(&t, &s, &ns);
591  test_sqrt(&t, NULL);
592  }
593  }
594 }
595 
596 /***** GROUP TESTS *****/
597 
598 int ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b) {
599  if (a->infinity && b->infinity)
600  return 1;
601  return check_fe_equal(&a->x, &b->x) && check_fe_equal(&a->y, &b->y);
602 }
603 
604 void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b) {
605  secp256k1_ge_t bb;
606  secp256k1_gej_t bj = *b;
607  secp256k1_ge_set_gej_var(&bb, &bj);
608  CHECK(ge_equals_ge(a, &bb));
609 }
610 
611 void gej_equals_gej(const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
612  secp256k1_ge_t aa, bb;
613  secp256k1_gej_t aj = *a, bj = *b;
614  secp256k1_ge_set_gej_var(&aa, &aj);
615  secp256k1_ge_set_gej_var(&bb, &bj);
616  CHECK(ge_equals_ge(&aa, &bb));
617 }
618 
619 void test_ge(void) {
620  char ca[135];
621  char cb[68];
622  int rlen;
623  secp256k1_ge_t a, b, i, n;
624  random_group_element_test(&a);
625  random_group_element_test(&b);
626  rlen = sizeof(ca);
627  secp256k1_ge_get_hex(ca,&rlen,&a);
628  CHECK(rlen > 4 && rlen <= (int)sizeof(ca));
629  rlen = sizeof(cb);
630  secp256k1_ge_get_hex(cb,&rlen,&b); /* Intentionally undersized buffer. */
631  n = a;
632  secp256k1_fe_normalize(&a.y);
633  secp256k1_fe_negate(&n.y, &a.y, 1);
634  secp256k1_ge_set_infinity(&i);
635  random_field_element_magnitude(&a.x);
636  random_field_element_magnitude(&a.y);
637  random_field_element_magnitude(&b.x);
638  random_field_element_magnitude(&b.y);
639  random_field_element_magnitude(&n.x);
640  random_field_element_magnitude(&n.y);
641 
642  secp256k1_gej_t aj, bj, ij, nj;
643  random_group_element_jacobian_test(&aj, &a);
644  random_group_element_jacobian_test(&bj, &b);
645  secp256k1_gej_set_infinity(&ij);
646  random_group_element_jacobian_test(&nj, &n);
647  random_field_element_magnitude(&aj.x);
648  random_field_element_magnitude(&aj.y);
649  random_field_element_magnitude(&aj.z);
650  random_field_element_magnitude(&bj.x);
651  random_field_element_magnitude(&bj.y);
652  random_field_element_magnitude(&bj.z);
653  random_field_element_magnitude(&nj.x);
654  random_field_element_magnitude(&nj.y);
655  random_field_element_magnitude(&nj.z);
656 
657  /* gej + gej adds */
658  secp256k1_gej_t aaj; secp256k1_gej_add_var(&aaj, &aj, &aj);
659  secp256k1_gej_t abj; secp256k1_gej_add_var(&abj, &aj, &bj);
660  secp256k1_gej_t aij; secp256k1_gej_add_var(&aij, &aj, &ij);
661  secp256k1_gej_t anj; secp256k1_gej_add_var(&anj, &aj, &nj);
662  secp256k1_gej_t iaj; secp256k1_gej_add_var(&iaj, &ij, &aj);
663  secp256k1_gej_t iij; secp256k1_gej_add_var(&iij, &ij, &ij);
664 
665  /* gej + ge adds */
666  secp256k1_gej_t aa; secp256k1_gej_add_ge_var(&aa, &aj, &a);
667  secp256k1_gej_t ab; secp256k1_gej_add_ge_var(&ab, &aj, &b);
668  secp256k1_gej_t ai; secp256k1_gej_add_ge_var(&ai, &aj, &i);
669  secp256k1_gej_t an; secp256k1_gej_add_ge_var(&an, &aj, &n);
670  secp256k1_gej_t ia; secp256k1_gej_add_ge_var(&ia, &ij, &a);
671  secp256k1_gej_t ii; secp256k1_gej_add_ge_var(&ii, &ij, &i);
672 
673  /* const gej + ge adds */
674  secp256k1_gej_t aac; secp256k1_gej_add_ge(&aac, &aj, &a);
675  secp256k1_gej_t abc; secp256k1_gej_add_ge(&abc, &aj, &b);
676  secp256k1_gej_t anc; secp256k1_gej_add_ge(&anc, &aj, &n);
677  secp256k1_gej_t iac; secp256k1_gej_add_ge(&iac, &ij, &a);
678 
679  CHECK(secp256k1_gej_is_infinity(&an));
680  CHECK(secp256k1_gej_is_infinity(&anj));
681  CHECK(secp256k1_gej_is_infinity(&anc));
682  gej_equals_gej(&aa, &aaj);
683  gej_equals_gej(&aa, &aac);
684  gej_equals_gej(&ab, &abj);
685  gej_equals_gej(&ab, &abc);
686  gej_equals_gej(&an, &anj);
687  gej_equals_gej(&an, &anc);
688  gej_equals_gej(&ia, &iaj);
689  gej_equals_gej(&ai, &aij);
690  gej_equals_gej(&ii, &iij);
691  ge_equals_gej(&a, &ai);
692  ge_equals_gej(&a, &ai);
693  ge_equals_gej(&a, &iaj);
694  ge_equals_gej(&a, &iaj);
695  ge_equals_gej(&a, &iac);
696 }
697 
698 void run_ge(void) {
699  for (int i = 0; i < 2000*count; i++) {
700  test_ge();
701  }
702 }
703 
704 /***** ECMULT TESTS *****/
705 
706 void run_ecmult_chain(void) {
707  /* random starting point A (on the curve) */
708  secp256k1_fe_t ax; VERIFY_CHECK(secp256k1_fe_set_hex(&ax, "8b30bbe9ae2a990696b22f670709dff3727fd8bc04d3362c6c7bf458e2846004", 64));
709  secp256k1_fe_t ay; VERIFY_CHECK(secp256k1_fe_set_hex(&ay, "a357ae915c4a65281309edf20504740f0eb3343990216b4f81063cb65f2f7e0f", 64));
710  secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
711  /* two random initial factors xn and gn */
712  static const unsigned char xni[32] = {
713  0x84, 0xcc, 0x54, 0x52, 0xf7, 0xfd, 0xe1, 0xed,
714  0xb4, 0xd3, 0x8a, 0x8c, 0xe9, 0xb1, 0xb8, 0x4c,
715  0xce, 0xf3, 0x1f, 0x14, 0x6e, 0x56, 0x9b, 0xe9,
716  0x70, 0x5d, 0x35, 0x7a, 0x42, 0x98, 0x54, 0x07
717  };
718  secp256k1_scalar_t xn;
719  secp256k1_scalar_set_b32(&xn, xni, NULL);
720  static const unsigned char gni[32] = {
721  0xa1, 0xe5, 0x8d, 0x22, 0x55, 0x3d, 0xcd, 0x42,
722  0xb2, 0x39, 0x80, 0x62, 0x5d, 0x4c, 0x57, 0xa9,
723  0x6e, 0x93, 0x23, 0xd4, 0x2b, 0x31, 0x52, 0xe5,
724  0xca, 0x2c, 0x39, 0x90, 0xed, 0xc7, 0xc9, 0xde
725  };
726  secp256k1_scalar_t gn;
727  secp256k1_scalar_set_b32(&gn, gni, NULL);
728  /* two small multipliers to be applied to xn and gn in every iteration: */
729  static const unsigned char xfi[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x13,0x37};
730  secp256k1_scalar_t xf;
731  secp256k1_scalar_set_b32(&xf, xfi, NULL);
732  static const unsigned char gfi[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x71,0x13};
733  secp256k1_scalar_t gf;
734  secp256k1_scalar_set_b32(&gf, gfi, NULL);
735  /* accumulators with the resulting coefficients to A and G */
736  secp256k1_scalar_t ae;
737  secp256k1_scalar_set_int(&ae, 1);
738  secp256k1_scalar_t ge;
739  secp256k1_scalar_set_int(&ge, 0);
740  /* the point being computed */
741  secp256k1_gej_t x = a;
742  for (int i=0; i<200*count; i++) {
743  /* in each iteration, compute X = xn*X + gn*G; */
744  secp256k1_ecmult(&x, &x, &xn, &gn);
745  /* also compute ae and ge: the actual accumulated factors for A and G */
746  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
747  secp256k1_scalar_mul(&ae, &ae, &xn);
748  secp256k1_scalar_mul(&ge, &ge, &xn);
749  secp256k1_scalar_add(&ge, &ge, &gn);
750  /* modify xn and gn */
751  secp256k1_scalar_mul(&xn, &xn, &xf);
752  secp256k1_scalar_mul(&gn, &gn, &gf);
753 
754  /* verify */
755  if (i == 53574) {
756  char res[132]; int resl = 132;
757  secp256k1_gej_get_hex(res, &resl, &x);
758  CHECK(strcmp(res, "(D6E96687F9B10D092A6F35439D86CEBEA4535D0D409F53586440BD74B933E830,B95CBCA2C77DA786539BE8FD53354D2D3B4F566AE658045407ED6015EE1B2A88)") == 0);
759  }
760  }
761  /* redo the computation, but directly with the resulting ae and ge coefficients: */
762  secp256k1_gej_t x2; secp256k1_ecmult(&x2, &a, &ae, &ge);
763  char res[132]; int resl = 132;
764  char res2[132]; int resl2 = 132;
765  secp256k1_gej_get_hex(res, &resl, &x);
766  secp256k1_gej_get_hex(res2, &resl2, &x2);
767  CHECK(strcmp(res, res2) == 0);
768  CHECK(strlen(res) == 131);
769 }
770 
771 void test_point_times_order(const secp256k1_gej_t *point) {
772  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
773  secp256k1_scalar_t x;
774  random_scalar_order_test(&x);
775  secp256k1_scalar_t nx;
776  secp256k1_scalar_negate(&nx, &x);
777  secp256k1_gej_t res1, res2;
778  secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
779  secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
780  secp256k1_gej_add_var(&res1, &res1, &res2);
781  CHECK(secp256k1_gej_is_infinity(&res1));
782  CHECK(secp256k1_gej_is_valid(&res1) == 0);
783  secp256k1_ge_t res3;
784  secp256k1_ge_set_gej(&res3, &res1);
785  CHECK(secp256k1_ge_is_infinity(&res3));
786  CHECK(secp256k1_ge_is_valid(&res3) == 0);
787 }
788 
789 void run_point_times_order(void) {
790  secp256k1_fe_t x; VERIFY_CHECK(secp256k1_fe_set_hex(&x, "02", 2));
791  for (int i=0; i<500; i++) {
792  secp256k1_ge_t p;
793  if (secp256k1_ge_set_xo(&p, &x, 1)) {
794  CHECK(secp256k1_ge_is_valid(&p));
795  secp256k1_gej_t j;
796  secp256k1_gej_set_ge(&j, &p);
797  CHECK(secp256k1_gej_is_valid(&j));
798  test_point_times_order(&j);
799  }
800  secp256k1_fe_sqr(&x, &x);
801  }
802  char c[65]; int cl=65;
803  secp256k1_fe_get_hex(c, &cl, &x);
804  CHECK(strcmp(c, "7603CB59B0EF6C63FE6084792A0C378CDB3233A80F8A9A09A877DEAD31B38C45") == 0);
805 }
806 
807 void test_wnaf(const secp256k1_scalar_t *number, int w) {
808  secp256k1_scalar_t x, two, t;
809  secp256k1_scalar_set_int(&x, 0);
810  secp256k1_scalar_set_int(&two, 2);
811  int wnaf[256];
812  int bits = secp256k1_ecmult_wnaf(wnaf, number, w);
813  CHECK(bits <= 256);
814  int zeroes = -1;
815  for (int i=bits-1; i>=0; i--) {
816  secp256k1_scalar_mul(&x, &x, &two);
817  int v = wnaf[i];
818  if (v) {
819  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
820  zeroes=0;
821  CHECK((v & 1) == 1); /* check non-zero elements are odd */
822  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
823  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
824  } else {
825  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
826  zeroes++;
827  }
828  if (v >= 0) {
829  secp256k1_scalar_set_int(&t, v);
830  } else {
831  secp256k1_scalar_set_int(&t, -v);
832  secp256k1_scalar_negate(&t, &t);
833  }
834  secp256k1_scalar_add(&x, &x, &t);
835  }
836  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
837 }
838 
839 void run_wnaf(void) {
840  secp256k1_scalar_t n;
841  for (int i=0; i<count; i++) {
842  random_scalar_order(&n);
843  if (i % 1)
844  secp256k1_scalar_negate(&n, &n);
845  test_wnaf(&n, 4+(i%10));
846  }
847 }
848 
849 void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
850  secp256k1_scalar_t nonce;
851  do {
852  random_scalar_order_test(&nonce);
853  } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
854 }
855 
856 void test_ecdsa_sign_verify(void) {
857  int recid;
858  int getrec;
859  secp256k1_scalar_t msg, key;
860  random_scalar_order_test(&msg);
861  random_scalar_order_test(&key);
862  secp256k1_gej_t pubj; secp256k1_ecmult_gen(&pubj, &key);
863  secp256k1_ge_t pub; secp256k1_ge_set_gej(&pub, &pubj);
864  secp256k1_ecdsa_sig_t sig;
865  getrec = secp256k1_rand32()&1;
866  random_sign(&sig, &key, &msg, getrec?&recid:NULL);
867  if (getrec) CHECK(recid >= 0 && recid < 4);
868  CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
869  secp256k1_scalar_t one;
870  secp256k1_scalar_set_int(&one, 1);
871  secp256k1_scalar_add(&msg, &msg, &one);
872  CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
873 }
874 
875 void run_ecdsa_sign_verify(void) {
876  for (int i=0; i<10*count; i++) {
877  test_ecdsa_sign_verify();
878  }
879 }
880 
881 void test_ecdsa_end_to_end(void) {
882  unsigned char privkey[32];
883  unsigned char message[32];
884 
885  /* Generate a random key and message. */
886  {
887  secp256k1_scalar_t msg, key;
888  random_scalar_order_test(&msg);
889  random_scalar_order_test(&key);
890  secp256k1_scalar_get_b32(privkey, &key);
891  secp256k1_scalar_get_b32(message, &msg);
892  }
893 
894  /* Construct and verify corresponding public key. */
895  CHECK(secp256k1_ec_seckey_verify(privkey) == 1);
896  unsigned char pubkey[65]; int pubkeylen = 65;
897  CHECK(secp256k1_ec_pubkey_create(pubkey, &pubkeylen, privkey, secp256k1_rand32() % 2) == 1);
898  CHECK(secp256k1_ec_pubkey_verify(pubkey, pubkeylen));
899 
900  /* Verify private key import and export. */
901  unsigned char seckey[300]; int seckeylen = 300;
902  CHECK(secp256k1_ec_privkey_export(privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
903  unsigned char privkey2[32];
904  CHECK(secp256k1_ec_privkey_import(privkey2, seckey, seckeylen) == 1);
905  CHECK(memcmp(privkey, privkey2, 32) == 0);
906 
907  /* Optionally tweak the keys using addition. */
908  if (secp256k1_rand32() % 3 == 0) {
909  unsigned char rnd[32];
910  secp256k1_rand256_test(rnd);
911  int ret1 = secp256k1_ec_privkey_tweak_add(privkey, rnd);
912  int ret2 = secp256k1_ec_pubkey_tweak_add(pubkey, pubkeylen, rnd);
913  CHECK(ret1 == ret2);
914  if (ret1 == 0) return;
915  unsigned char pubkey2[65]; int pubkeylen2 = 65;
916  CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
917  CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
918  }
919 
920  /* Optionally tweak the keys using multiplication. */
921  if (secp256k1_rand32() % 3 == 0) {
922  unsigned char rnd[32];
923  secp256k1_rand256_test(rnd);
924  int ret1 = secp256k1_ec_privkey_tweak_mul(privkey, rnd);
925  int ret2 = secp256k1_ec_pubkey_tweak_mul(pubkey, pubkeylen, rnd);
926  CHECK(ret1 == ret2);
927  if (ret1 == 0) return;
928  unsigned char pubkey2[65]; int pubkeylen2 = 65;
929  CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
930  CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
931  }
932 
933  /* Sign. */
934  unsigned char signature[72]; int signaturelen = 72;
935  while(1) {
936  unsigned char rnd[32];
937  secp256k1_rand256_test(rnd);
938  if (secp256k1_ecdsa_sign(message, 32, signature, &signaturelen, privkey, rnd) == 1) {
939  break;
940  }
941  }
942  /* Verify. */
943  CHECK(secp256k1_ecdsa_verify(message, 32, signature, signaturelen, pubkey, pubkeylen) == 1);
944  /* Destroy signature and verify again. */
945  signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
946  CHECK(secp256k1_ecdsa_verify(message, 32, signature, signaturelen, pubkey, pubkeylen) != 1);
947 
948  /* Compact sign. */
949  unsigned char csignature[64]; int recid = 0;
950  while(1) {
951  unsigned char rnd[32];
952  secp256k1_rand256_test(rnd);
953  if (secp256k1_ecdsa_sign_compact(message, 32, csignature, privkey, rnd, &recid) == 1) {
954  break;
955  }
956  }
957  /* Recover. */
958  unsigned char recpubkey[65]; int recpubkeylen = 0;
959  CHECK(secp256k1_ecdsa_recover_compact(message, 32, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) == 1);
960  CHECK(recpubkeylen == pubkeylen);
961  CHECK(memcmp(pubkey, recpubkey, pubkeylen) == 0);
962  /* Destroy signature and verify again. */
963  csignature[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
964  CHECK(secp256k1_ecdsa_recover_compact(message, 32, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) != 1 ||
965  memcmp(pubkey, recpubkey, pubkeylen) != 0);
966  CHECK(recpubkeylen == pubkeylen);
967 
968 }
969 
970 void run_ecdsa_end_to_end(void) {
971  for (int i=0; i<64*count; i++) {
972  test_ecdsa_end_to_end();
973  }
974 }
975 
976 /* Tests several edge cases. */
977 void test_ecdsa_edge_cases(void) {
978  const unsigned char msg32[32] = {
979  'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
980  'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
981  'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
982  's', 's', 'a', 'g', 'e', '.', '.', '.'
983  };
984  const unsigned char sig64[64] = {
985  /* Generated by signing the above message with nonce 'This is the nonce we will use...'
986  * and secret key 0 (which is not valid), resulting in recid 0. */
987  0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
988  0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
989  0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
990  0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
991  0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
992  0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
993  0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
994  0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
995  };
996  unsigned char pubkey[65];
997  int pubkeylen = 65;
998  CHECK(!secp256k1_ecdsa_recover_compact(msg32, 32, sig64, pubkey, &pubkeylen, 0, 0));
999  CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sig64, pubkey, &pubkeylen, 0, 1));
1000  CHECK(!secp256k1_ecdsa_recover_compact(msg32, 32, sig64, pubkey, &pubkeylen, 0, 2));
1001  CHECK(!secp256k1_ecdsa_recover_compact(msg32, 32, sig64, pubkey, &pubkeylen, 0, 3));
1002 
1003  /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
1004  const unsigned char sigb64[64] = {
1005  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1006  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1007  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1008  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1009  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1010  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1012  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1013  };
1014  unsigned char pubkeyb[33];
1015  int pubkeyblen = 33;
1016  for (int recid = 0; recid < 4; recid++) {
1017  /* (4,4) encoded in DER. */
1018  unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
1019  /* (order + r,4) encoded in DER. */
1020  unsigned char sigbderlong[40] = {
1021  0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
1022  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1023  0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
1024  0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
1025  0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
1026  };
1027  CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigb64, pubkeyb, &pubkeyblen, 1, recid));
1028  CHECK(secp256k1_ecdsa_verify(msg32, 32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 1);
1029  for (int recid2 = 0; recid2 < 4; recid2++) {
1030  unsigned char pubkey2b[33];
1031  int pubkey2blen = 33;
1032  CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigb64, pubkey2b, &pubkey2blen, 1, recid2));
1033  /* Verifying with (order + r,4) should always fail. */
1034  CHECK(secp256k1_ecdsa_verify(msg32, 32, sigbderlong, sizeof(sigbderlong), pubkey2b, pubkey2blen) != 1);
1035  }
1036  /* Damage signature. */
1037  sigbder[7]++;
1038  CHECK(secp256k1_ecdsa_verify(msg32, 32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 0);
1039  }
1040 
1041  /* Test the case where ECDSA recomputes a point that is infinity. */
1042  {
1043  secp256k1_ecdsa_sig_t sig;
1044  secp256k1_scalar_set_int(&sig.s, 1);
1045  secp256k1_scalar_negate(&sig.s, &sig.s);
1046  secp256k1_scalar_inverse(&sig.s, &sig.s);
1047  secp256k1_scalar_set_int(&sig.r, 1);
1048  secp256k1_gej_t keyj;
1049  secp256k1_ecmult_gen(&keyj, &sig.r);
1050  secp256k1_ge_t key;
1051  secp256k1_ge_set_gej(&key, &keyj);
1052  secp256k1_scalar_t msg = sig.s;
1053  CHECK(secp256k1_ecdsa_sig_verify(&sig, &key, &msg) == 0);
1054  }
1055 
1056  /* Test r/s equal to zero */
1057  {
1058  /* (1,1) encoded in DER. */
1059  unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
1060  unsigned char sigc64[64] = {
1061  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1062  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1063  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1064  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1065  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1066  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1067  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1068  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1069  };
1070  unsigned char pubkeyc[65];
1071  int pubkeyclen = 65;
1072  CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigc64, pubkeyc, &pubkeyclen, 0, 0) == 1);
1073  CHECK(secp256k1_ecdsa_verify(msg32, 32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 1);
1074  sigcder[4] = 0;
1075  sigc64[31] = 0;
1076  CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1077  CHECK(secp256k1_ecdsa_verify(msg32, 32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
1078  sigcder[4] = 1;
1079  sigcder[7] = 0;
1080  sigc64[31] = 1;
1081  sigc64[63] = 0;
1082  CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1083  CHECK(secp256k1_ecdsa_verify(msg32, 32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
1084  }
1085 }
1086 
1087 void run_ecdsa_edge_cases(void) {
1088  test_ecdsa_edge_cases();
1089 }
1090 
1091 #ifdef ENABLE_OPENSSL_TESTS
1092 EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
1093  unsigned char privkey[300];
1094  int privkeylen;
1095  int compr = secp256k1_rand32() & 1;
1096  const unsigned char* pbegin = privkey;
1097  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
1098  CHECK(secp256k1_eckey_privkey_serialize(privkey, &privkeylen, key, compr));
1099  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
1100  CHECK(EC_KEY_check_key(ec_key));
1101  return ec_key;
1102 }
1103 
1104 void test_ecdsa_openssl(void) {
1105  secp256k1_scalar_t key, msg;
1106  unsigned char message[32];
1107  secp256k1_rand256_test(message);
1108  secp256k1_scalar_set_b32(&msg, message, NULL);
1109  random_scalar_order_test(&key);
1110  secp256k1_gej_t qj;
1111  secp256k1_ecmult_gen(&qj, &key);
1112  secp256k1_ge_t q;
1113  secp256k1_ge_set_gej(&q, &qj);
1114  EC_KEY *ec_key = get_openssl_key(&key);
1115  CHECK(ec_key);
1116  unsigned char signature[80];
1117  unsigned int sigsize = 80;
1118  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
1119  secp256k1_ecdsa_sig_t sig;
1120  CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
1121  CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
1122  secp256k1_scalar_t one;
1123  secp256k1_scalar_set_int(&one, 1);
1124  secp256k1_scalar_t msg2;
1125  secp256k1_scalar_add(&msg2, &msg, &one);
1126  CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg2));
1127 
1128  random_sign(&sig, &key, &msg, NULL);
1129  int secp_sigsize = 80;
1130  CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sig));
1131  CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
1132 
1133  EC_KEY_free(ec_key);
1134 }
1135 
1136 void run_ecdsa_openssl(void) {
1137  for (int i=0; i<10*count; i++) {
1138  test_ecdsa_openssl();
1139  }
1140 }
1141 #endif
1142 
1143 int main(int argc, char **argv) {
1144  /* find iteration count */
1145  if (argc > 1) {
1146  count = strtol(argv[1], NULL, 0);
1147  }
1148 
1149  /* find random seed */
1150  uint64_t seed;
1151  if (argc > 2) {
1152  seed = strtoull(argv[2], NULL, 0);
1153  } else {
1154  FILE *frand = fopen("/dev/urandom", "r");
1155  if (!frand || !fread(&seed, sizeof(seed), 1, frand)) {
1156  seed = time(NULL) * 1337;
1157  }
1158  fclose(frand);
1159  }
1160  secp256k1_rand_seed(seed);
1161 
1162  printf("test count = %i\n", count);
1163  printf("random seed = %llu\n", (unsigned long long)seed);
1164 
1165  /* initialize */
1166  secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1167 
1168  /* initializing a second time shouldn't cause any harm or memory leaks. */
1169  secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1170 
1171  /* Likewise, re-running the internal init functions should be harmless. */
1172  secp256k1_fe_start();
1173  secp256k1_ge_start();
1174  secp256k1_scalar_start();
1175  secp256k1_ecdsa_start();
1176 
1177 #ifndef USE_NUM_NONE
1178  /* num tests */
1179  run_num_smalltests();
1180 #endif
1181 
1182  /* scalar tests */
1183  run_scalar_tests();
1184 
1185  /* field tests */
1186  run_field_inv();
1187  run_field_inv_var();
1188  run_field_inv_all();
1189  run_field_inv_all_var();
1190  run_sqr();
1191  run_sqrt();
1192 
1193  /* group tests */
1194  run_ge();
1195 
1196  /* ecmult tests */
1197  run_wnaf();
1198  run_point_times_order();
1199  run_ecmult_chain();
1200 
1201  /* ecdsa tests */
1202  run_ecdsa_sign_verify();
1203  run_ecdsa_end_to_end();
1204  run_ecdsa_edge_cases();
1205 #ifdef ENABLE_OPENSSL_TESTS
1206  run_ecdsa_openssl();
1207 #endif
1208 
1209  printf("random run = %llu\n", (unsigned long long)secp256k1_rand32() + ((unsigned long long)secp256k1_rand32() << 32));
1210 
1211  /* shutdown */
1212  secp256k1_stop();
1213 
1214  /* shutting down twice shouldn't cause any double frees. */
1215  secp256k1_stop();
1216 
1217  /* Same for the internal shutdown functions. */
1218  secp256k1_fe_stop();
1219  secp256k1_ge_stop();
1220  secp256k1_scalar_stop();
1221  secp256k1_ecdsa_stop();
1222  return 0;
1223 }
test_point_times_order
void test_point_times_order(const secp256k1_gej_t *point)
Definition: tests.c:771
secp256k1_start
void secp256k1_start(unsigned int flags)
Initialize the library.
Definition: secp256k1.c:21
secp256k1_ec_pubkey_verify
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_verify(const unsigned char *pubkey, int pubkeylen) SECP256K1_ARG_NONNULL(1)
Just validate a public key.
Definition: secp256k1.c:184
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe_t *nz)
Definition: tests.c:447
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:61
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:970
secp256k1_ec_seckey_verify
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const unsigned char *seckey) SECP256K1_ARG_NONNULL(1)
Verify an ECDSA secret key.
Definition: secp256k1.c:173
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe_t *fe)
Definition: tests.c:36
b
void const uint64_t * b
Definition: field_5x52_asm_impl.h:10
secp256k1_gej_t
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:21
fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:13
secp256k1_ec_privkey_tweak_mul
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Tweak a private key by multiplying it with tweak.
Definition: secp256k1.c:262
run_sqr
void run_sqr(void)
Definition: tests.c:535
check_fe_inverse
int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai)
Definition: tests.c:473
test_ge
void test_ge(void)
Definition: tests.c:619
test_sqrt
void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k)
Definition: tests.c:550
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge)
Definition: tests.c:54
tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:975
random_fe
void random_fe(secp256k1_fe_t *x)
Definition: tests.c:437
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:875
ge_equals_ge
int ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b)
Definition: tests.c:598
random_num_order
void random_num_order(secp256k1_num_t *num)
Definition: tests.c:106
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:405
secp256k1_ge_t::infinity
int infinity
Definition: group.h:21
SECP256K1_START_VERIFY
#define SECP256K1_START_VERIFY
Flags to pass to secp256k1_start.
Definition: secp256k1.h:45
secp256k1_ge_t::y
secp256k1_fe_t y
Definition: group.h:20
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:789
secp256k1_num_t
Definition: num_gmp.h:14
testrand_impl.h
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar_t *num)
Definition: tests.c:68
check_fe_equal
int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b)
Definition: tests.c:467
ge_equals_gej
void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b)
Definition: tests.c:604
r
void const uint64_t uint64_t * r
Definition: field_5x52_asm_impl.h:10
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:706
run_num_smalltests
void run_num_smalltests(void)
Definition: tests.c:161
random_num_negate
void random_num_negate(secp256k1_num_t *num)
Definition: tests.c:95
random_scalar_order
void random_scalar_order(secp256k1_scalar_t *num)
Definition: tests.c:80
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:856
test_num_negate
void test_num_negate(void)
Definition: tests.c:112
secp256k1_ecdsa_recover_compact
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover_compact(const unsigned char *msg, int msglen, const unsigned char *sig64, unsigned char *pubkey, int *pubkeylen, int compressed, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Recover an ECDSA public key from a compact signature.
Definition: secp256k1.c:141
secp256k1_ecdsa_sign_compact
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_sign_compact(const unsigned char *msg, int msglen, unsigned char *sig64, const unsigned char *seckey, const unsigned char *nonce, int *recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Create a compact ECDSA signature (64 byte + recovery id).
Definition: secp256k1.c:108
random_fe_non_square
void random_fe_non_square(secp256k1_fe_t *ns)
Definition: tests.c:459
secp256k1_ec_pubkey_create
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsigned char *seckey, int compressed) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:191
secp256k1_ecdsa_sign
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_sign(const unsigned char *msg, int msglen, unsigned char *sig, int *siglen, const unsigned char *seckey, const unsigned char *nonce) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6)
Create an ECDSA signature.
Definition: secp256k1.c:75
secp256k1_fe_t
Definition: field_10x26.h:12
secp256k1.c
secp256k1_gej_t::infinity
int infinity
Definition: group.h:25
secp256k1_ec_pubkey_tweak_mul
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(unsigned char *pubkey, int pubkeylen, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it with tweak.
Definition: secp256k1.c:281
run_sqrt
void run_sqrt(void)
Definition: tests.c:564
secp256k1_gej_t::z
secp256k1_fe_t z
Definition: group.h:24
run_ge
void run_ge(void)
Definition: tests.c:698
secp256k1_ec_privkey_import
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_import(unsigned char *seckey, const unsigned char *privkey, int privkeylen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Import a private key in DER format.
Definition: secp256k1.c:318
run_field_inv_all_var
void run_field_inv_all_var(void)
Definition: tests.c:518
test_wnaf
void test_wnaf(const secp256k1_scalar_t *number, int w)
Definition: tests.c:807
secp256k1_ecdsa_verify
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const unsigned char *msg, int msglen, const unsigned char *sig, int siglen, const unsigned char *pubkey, int pubkeylen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Verify an ECDSA signature.
Definition: secp256k1.c:43
run_field_inv
void run_field_inv(void)
Definition: tests.c:479
gej_equals_gej
void gej_equals_gej(const secp256k1_gej_t *a, const secp256k1_gej_t *b)
Definition: tests.c:611
random_sign
void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid)
Definition: tests.c:849
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:881
main
int main(int argc, char **argv)
Definition: tests.c:1143
random_field_element_test
void random_field_element_test(secp256k1_fe_t *fe)
Definition: tests.c:26
SECP256K1_START_SIGN
#define SECP256K1_START_SIGN
Definition: secp256k1.h:46
secp256k1_gej_t::x
secp256k1_fe_t x
Definition: group.h:22
test_num_add_sub
void test_num_add_sub(void)
Definition: tests.c:132
scalar_test
void scalar_test(void)
Definition: tests.c:171
random_num_order_test
void random_num_order_test(secp256k1_num_t *num)
Definition: tests.c:100
key
CKey key
Definition: bip38tooldialog.cpp:173
random_group_element_test
void random_group_element_test(secp256k1_ge_t *ge)
Definition: tests.c:45
secp256k1_ec_privkey_tweak_add
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Tweak a private key by adding tweak to it.
Definition: secp256k1.c:217
secp256k1_gej_t::y
secp256k1_fe_t y
Definition: group.h:23
run_field_inv_all
void run_field_inv_all(void)
Definition: tests.c:501
secp256k1_ec_pubkey_tweak_add
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(unsigned char *pubkey, int pubkeylen, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:237
secp256k1_stop
void secp256k1_stop(void)
Free all memory associated with this library.
Definition: secp256k1.c:34
secp256k1_ge_t::x
secp256k1_fe_t x
Definition: group.h:19
secp256k1_ec_privkey_export
SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_export(const unsigned char *seckey, unsigned char *privkey, int *privkeylen, int compressed) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Export a private key in DER format.
Definition: secp256k1.c:306
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:977
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:1087
secp256k1_ecdsa_sig_t::r
secp256k1_scalar_t r
Definition: ecdsa.h:17
secp256k1_ecdsa_sig_t::s
secp256k1_scalar_t s
Definition: ecdsa.h:17
run_wnaf
void run_wnaf(void)
Definition: tests.c:839
secp256k1_scalar_t
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_ge_t
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
CHECK
#define CHECK(cond)
Definition: util.h:43
secp256k1_ecdsa_sig_t
Definition: ecdsa.h:16
run_field_inv_var
void run_field_inv_var(void)
Definition: tests.c:490
Generated on Tue Apr 28 2026 00:02:59 for PRCYCoin by   doxygen 1.8.17