Bitcoin Core 31.99.0
P2P Digital Currency
tests_exhaustive.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2016 Andrew Poelstra *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <time.h>
10
11#ifndef EXHAUSTIVE_TEST_ORDER
12/* see group_impl.h for allowable values */
13#define EXHAUSTIVE_TEST_ORDER 13
14#endif
15
16/* These values of B are all values in [1, 8] that result in a curve with even order. */
17#define EXHAUSTIVE_TEST_CURVE_HAS_EVEN_ORDER (SECP256K1_B == 1 || SECP256K1_B == 6 || SECP256K1_B == 8)
18
19#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
20 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in exhaustive_tests.")
21 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
22#endif
23#include "secp256k1.c"
24
25#include "../include/secp256k1.h"
26#include "assumptions.h"
27#include "group.h"
28#include "testrand_impl.h"
29#include "ecmult_compute_table_impl.h"
30#include "ecmult_gen_compute_table_impl.h"
31#include "testutil.h"
32#include "util.h"
33
34#if defined(__GNUC__)
35# pragma GCC diagnostic push
36# pragma GCC diagnostic warning "-Wunused-function"
37#endif
38
39static int count = 2;
40
41static uint32_t num_cores = 1;
42static uint32_t this_core = 0;
43
44SECP256K1_INLINE static int skip_section(uint64_t* iter) {
45 if (num_cores == 1) return 0;
46 *iter += 0xe7037ed1a0b428dbULL;
47 return ((((uint32_t)*iter ^ (*iter >> 32)) * num_cores) >> 32) != this_core;
48}
49
50static int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32,
51 const unsigned char *key32, const unsigned char *algo16,
52 void *data, unsigned int attempt) {
53 secp256k1_scalar s;
54 int *idata = data;
55 (void)msg32;
56 (void)key32;
57 (void)algo16;
58 /* Some nonces cannot be used because they'd cause s and/or r to be zero.
59 * The signing function has retry logic here that just re-calls the nonce
60 * function with an increased `attempt`. So if attempt > 0 this means we
61 * need to change the nonce to avoid an infinite loop. */
62 if (attempt > 0) {
63 *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER;
64 }
65 secp256k1_scalar_set_int(&s, *idata);
66 secp256k1_scalar_get_b32(nonce32, &s);
67 return 1;
68}
69
70static void test_exhaustive_endomorphism(const secp256k1_ge *group) {
71 int i;
72 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
73 secp256k1_ge res;
74 secp256k1_ge_mul_lambda(&res, &group[i]);
75 CHECK(secp256k1_ge_eq_var(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res));
76 }
77}
78
79static void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj) {
80 int i, j;
81 uint64_t iter = 0;
82
83 /* Sanity-check (and check infinity functions) */
84 CHECK(secp256k1_ge_is_infinity(&group[0]));
85 CHECK(secp256k1_gej_is_infinity(&groupj[0]));
86 for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
87 CHECK(!secp256k1_ge_is_infinity(&group[i]));
88 CHECK(!secp256k1_gej_is_infinity(&groupj[i]));
89 }
90
91 /* Check all addition formulae */
92 for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
93 secp256k1_fe fe_inv;
94 if (skip_section(&iter)) continue;
95 secp256k1_fe_inv(&fe_inv, &groupj[j].z);
96 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
97 secp256k1_ge zless_gej;
98 secp256k1_gej tmp;
99 /* add_var */
100 secp256k1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL);
101 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i + j) % EXHAUSTIVE_TEST_ORDER]));
102 /* add_ge */
103 if (j > 0) {
104 secp256k1_gej_add_ge(&tmp, &groupj[i], &group[j]);
105 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i + j) % EXHAUSTIVE_TEST_ORDER]));
106 }
107 /* add_ge_var */
108 secp256k1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL);
109 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i + j) % EXHAUSTIVE_TEST_ORDER]));
110 /* add_zinv_var */
111 if (secp256k1_gej_is_infinity(&groupj[j])) {
112 secp256k1_ge_set_infinity(&zless_gej);
113 } else {
114 secp256k1_ge_set_xy(&zless_gej, &groupj[j].x, &groupj[j].y);
115 }
116 secp256k1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv);
117 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i + j) % EXHAUSTIVE_TEST_ORDER]));
118 }
119 }
120
121 /* Check doubling */
122 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
123 secp256k1_gej tmp;
124 secp256k1_gej_double(&tmp, &groupj[i]);
125 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(2 * i) % EXHAUSTIVE_TEST_ORDER]));
126 secp256k1_gej_double_var(&tmp, &groupj[i], NULL);
127 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(2 * i) % EXHAUSTIVE_TEST_ORDER]));
128 }
129
130 /* Check negation */
131 for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
132 secp256k1_ge tmp;
133 secp256k1_gej tmpj;
134 secp256k1_ge_neg(&tmp, &group[i]);
135 CHECK(secp256k1_ge_eq_var(&tmp, &group[EXHAUSTIVE_TEST_ORDER - i]));
136 secp256k1_gej_neg(&tmpj, &groupj[i]);
137 CHECK(secp256k1_gej_eq_ge_var(&tmpj, &group[EXHAUSTIVE_TEST_ORDER - i]));
138 }
139}
140
141static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_gej *groupj) {
142 int i, j, r_log;
143 uint64_t iter = 0;
144 for (r_log = 1; r_log < EXHAUSTIVE_TEST_ORDER; r_log++) {
145 for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
146 if (skip_section(&iter)) continue;
147 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
148 secp256k1_gej tmp;
149 secp256k1_scalar na, ng;
150 secp256k1_scalar_set_int(&na, i);
151 secp256k1_scalar_set_int(&ng, j);
152
153 secp256k1_ecmult(&tmp, &groupj[r_log], &na, &ng);
154 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i * r_log + j) % EXHAUSTIVE_TEST_ORDER]));
155 }
156 }
157 }
158
159 for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
160 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
161 int ret;
162 secp256k1_gej tmp;
163 secp256k1_fe xn, xd, tmpf;
164 secp256k1_scalar ng;
165
166 if (skip_section(&iter)) continue;
167
168 secp256k1_scalar_set_int(&ng, j);
169
170 /* Test secp256k1_ecmult_const. */
171 secp256k1_ecmult_const(&tmp, &group[i], &ng);
172 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i * j) % EXHAUSTIVE_TEST_ORDER]));
173
174 if (i != 0 && j != 0) {
175 /* Test secp256k1_ecmult_const_xonly with all curve X coordinates, and xd=NULL. */
176 ret = secp256k1_ecmult_const_xonly(&tmpf, &group[i].x, NULL, &ng, 0);
177 CHECK(ret);
178 CHECK(secp256k1_fe_equal(&tmpf, &group[(i * j) % EXHAUSTIVE_TEST_ORDER].x));
179
180 /* Test secp256k1_ecmult_const_xonly with all curve X coordinates, with random xd. */
181 testutil_random_fe_non_zero(&xd);
182 secp256k1_fe_mul(&xn, &xd, &group[i].x);
183 ret = secp256k1_ecmult_const_xonly(&tmpf, &xn, &xd, &ng, 0);
184 CHECK(ret);
185 CHECK(secp256k1_fe_equal(&tmpf, &group[(i * j) % EXHAUSTIVE_TEST_ORDER].x));
186 }
187 }
188 }
189}
190
191typedef struct {
192 secp256k1_scalar sc[2];
193 secp256k1_ge pt[2];
194} ecmult_multi_data;
195
196static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
197 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
198 *sc = data->sc[idx];
199 *pt = data->pt[idx];
200 return 1;
201}
202
203static void test_exhaustive_ecmult_multi(const secp256k1_context *ctx, const secp256k1_ge *group) {
204 int i, j, k, x, y;
205 uint64_t iter = 0;
206 secp256k1_scratch *scratch = secp256k1_scratch_create(&ctx->error_callback, 4096);
207 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
208 for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
209 for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
210 for (x = 0; x < EXHAUSTIVE_TEST_ORDER; x++) {
211 if (skip_section(&iter)) continue;
212 for (y = 0; y < EXHAUSTIVE_TEST_ORDER; y++) {
213 secp256k1_gej tmp;
214 secp256k1_scalar g_sc;
215 ecmult_multi_data data;
216
217 secp256k1_scalar_set_int(&data.sc[0], i);
218 secp256k1_scalar_set_int(&data.sc[1], j);
219 secp256k1_scalar_set_int(&g_sc, k);
220 data.pt[0] = group[x];
221 data.pt[1] = group[y];
222
223 secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2);
224 CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i * x + j * y + k) % EXHAUSTIVE_TEST_ORDER]));
225 }
226 }
227 }
228 }
229 }
230 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
231}
232
233static void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int* overflow) {
234 secp256k1_fe x;
235 unsigned char x_bin[32];
236 k %= EXHAUSTIVE_TEST_ORDER;
237 x = group[k].x;
238 secp256k1_fe_normalize(&x);
239 secp256k1_fe_get_b32(x_bin, &x);
240 secp256k1_scalar_set_b32(r, x_bin, overflow);
241}
242
243static void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group) {
244 int s, r, msg, key;
245 uint64_t iter = 0;
246 for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) {
247 for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) {
248 for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) {
249 for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) {
250 secp256k1_ge nonconst_ge;
251 secp256k1_ecdsa_signature sig;
252 secp256k1_pubkey pk;
253 secp256k1_scalar sk_s, msg_s, r_s, s_s;
254 secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s;
255 int k, should_verify;
256 unsigned char msg32[32];
257
258 if (skip_section(&iter)) continue;
259
260 secp256k1_scalar_set_int(&s_s, s);
261 secp256k1_scalar_set_int(&r_s, r);
262 secp256k1_scalar_set_int(&msg_s, msg);
263 secp256k1_scalar_set_int(&sk_s, key);
264
265 /* Verify by hand */
266 /* Run through every k value that gives us this r and check that *one* works.
267 * Note there could be none, there could be multiple, ECDSA is weird. */
268 should_verify = 0;
269 for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
270 secp256k1_scalar check_x_s;
271 r_from_k(&check_x_s, group, k, NULL);
272 if (r_s == check_x_s) {
273 secp256k1_scalar_set_int(&s_times_k_s, k);
274 secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s);
275 secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s);
276 secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s);
277 should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s);
278 }
279 }
280 /* nb we have a "high s" rule */
281 should_verify &= !secp256k1_scalar_is_high(&s_s);
282
283 /* Verify by calling verify */
284 secp256k1_ecdsa_signature_save(&sig, &r_s, &s_s);
285 memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge));
286 secp256k1_pubkey_save(&pk, &nonconst_ge);
287 secp256k1_scalar_get_b32(msg32, &msg_s);
288 CHECK(should_verify ==
289 secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk));
290 }
291 }
292 }
293 }
294}
295
296static void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group) {
297 int i, j, k;
298 uint64_t iter = 0;
299
300 /* Loop */
301 for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { /* message */
302 for (j = 1; j < EXHAUSTIVE_TEST_ORDER; j++) { /* key */
303 if (skip_section(&iter)) continue;
304 for (k = 1; k < EXHAUSTIVE_TEST_ORDER; k++) { /* nonce */
305 const int starting_k = k;
306 int ret;
307 secp256k1_ecdsa_signature sig;
308 secp256k1_scalar sk, msg, r, s, expected_r;
309 unsigned char sk32[32], msg32[32];
310 secp256k1_scalar_set_int(&msg, i);
311 secp256k1_scalar_set_int(&sk, j);
312 secp256k1_scalar_get_b32(sk32, &sk);
313 secp256k1_scalar_get_b32(msg32, &msg);
314
315 ret = secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k);
316 CHECK(ret == 1);
317
318 secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig);
319 /* Note that we compute expected_r *after* signing -- this is important
320 * because our nonce-computing function function might change k during
321 * signing. */
322 r_from_k(&expected_r, group, k, NULL);
323 CHECK(r == expected_r);
324 CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER ||
325 (k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER);
326
327 /* Overflow means we've tried every possible nonce */
328 if (k < starting_k) {
329 break;
330 }
331 }
332 }
333 }
334
335 /* We would like to verify zero-knowledge here by counting how often every
336 * possible (s, r) tuple appears, but because the group order is larger
337 * than the field order, when coercing the x-values to scalar values, some
338 * appear more often than others, so we are actually not zero-knowledge.
339 * (This effect also appears in the real code, but the difference is on the
340 * order of 1/2^128th the field order, so the deviation is not useful to a
341 * computationally bounded attacker.)
342 */
343}
344
345#ifdef ENABLE_MODULE_ECDH
346#include "modules/ecdh/tests_exhaustive_impl.h"
347#endif
348
349#ifdef ENABLE_MODULE_RECOVERY
350#include "modules/recovery/tests_exhaustive_impl.h"
351#endif
352
353#ifdef ENABLE_MODULE_EXTRAKEYS
354#include "modules/extrakeys/tests_exhaustive_impl.h"
355#endif
356
357#ifdef ENABLE_MODULE_SCHNORRSIG
358#include "modules/schnorrsig/tests_exhaustive_impl.h"
359#endif
360
361#ifdef ENABLE_MODULE_ELLSWIFT
362#include "modules/ellswift/tests_exhaustive_impl.h"
363#endif
364
365int main(int argc, char** argv) {
366 int i;
367 secp256k1_gej groupj[EXHAUSTIVE_TEST_ORDER];
368 secp256k1_ge group[EXHAUSTIVE_TEST_ORDER];
369 unsigned char rand32[32];
370 secp256k1_context *ctx;
371
372 /* Disable buffering for stdout to improve reliability of getting
373 * diagnostic information. Happens right at the start of main because
374 * setbuf must be used before any other operation on the stream. */
375 setbuf(stdout, NULL);
376 /* Also disable buffering for stderr because it's not guaranteed that it's
377 * unbuffered on all systems. */
378 setbuf(stderr, NULL);
379
380 printf("Exhaustive tests for order %lu\n", (unsigned long)EXHAUSTIVE_TEST_ORDER);
381
382 /* find iteration count */
383 if (argc > 1) {
384 count = strtol(argv[1], NULL, 0);
385 }
386 printf("test count = %i\n", count);
387
388 /* find random seed */
389 testrand_init(argc > 2 ? argv[2] : NULL);
390
391 /* set up split processing */
392 if (argc > 4) {
393 num_cores = strtol(argv[3], NULL, 0);
394 this_core = strtol(argv[4], NULL, 0);
395 if (num_cores < 1 || this_core >= num_cores) {
396 fprintf(stderr, "Usage: %s [count] [seed] [numcores] [thiscore]\n", argv[0]);
397 return EXIT_FAILURE;
398 }
399 printf("running tests for core %lu (out of [0..%lu])\n", (unsigned long)this_core, (unsigned long)num_cores - 1);
400 }
401
402 /* Recreate the ecmult{,_gen} tables using the right generator (as selected via EXHAUSTIVE_TEST_ORDER) */
403 secp256k1_ecmult_gen_compute_table(&secp256k1_ecmult_gen_prec_table[0][0], &secp256k1_ge_const_g, COMB_BLOCKS, COMB_TEETH, COMB_SPACING);
404 secp256k1_ecmult_compute_two_tables(secp256k1_pre_g, secp256k1_pre_g_128, WINDOW_G, &secp256k1_ge_const_g);
405
406 while (count--) {
407 /* Build context */
408 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
409 testrand256(rand32);
410 CHECK(secp256k1_context_randomize(ctx, rand32));
411
412 /* Generate the entire group */
413 secp256k1_gej_set_infinity(&groupj[0]);
414 secp256k1_ge_set_gej(&group[0], &groupj[0]);
415 for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
416 secp256k1_gej_add_ge(&groupj[i], &groupj[i - 1], &secp256k1_ge_const_g);
417 secp256k1_ge_set_gej(&group[i], &groupj[i]);
418 if (count != 0) {
419 /* Set a different random z-value for each Jacobian point, except z=1
420 is used in the last iteration. */
421 secp256k1_fe z;
422 testutil_random_fe(&z);
423 secp256k1_gej_rescale(&groupj[i], &z);
424 }
425
426 /* Verify against ecmult_gen */
427 {
428 secp256k1_scalar scalar_i;
429 secp256k1_ge generated;
430
431 secp256k1_scalar_set_int(&scalar_i, i);
432 secp256k1_ecmult_gen_ge(&ctx->ecmult_gen_ctx, &generated, &scalar_i);
433
434 CHECK(!secp256k1_ge_is_infinity(&group[i]));
435 CHECK(secp256k1_ge_eq_var(&group[i], &generated));
436 }
437 }
438
439 /* Run the tests */
440 test_exhaustive_endomorphism(group);
441 test_exhaustive_addition(group, groupj);
442 test_exhaustive_ecmult(group, groupj);
443 test_exhaustive_ecmult_multi(ctx, group);
444 test_exhaustive_sign(ctx, group);
445 test_exhaustive_verify(ctx, group);
446
447#ifdef ENABLE_MODULE_ECDH
448 test_exhaustive_ecdh(ctx, group);
449#endif
450#ifdef ENABLE_MODULE_RECOVERY
451 test_exhaustive_recovery(ctx, group);
452#endif
453#ifdef ENABLE_MODULE_EXTRAKEYS
454 test_exhaustive_extrakeys(ctx, group);
455#endif
456#ifdef ENABLE_MODULE_SCHNORRSIG
457 test_exhaustive_schnorrsig(ctx);
458#endif
459#ifdef ENABLE_MODULE_ELLSWIFT
460 /* The ellswift algorithm does have additional edge cases when operating on
461 * curves of even order, which are not included in the code as secp256k1 is
462 * of odd order. Skip the ellswift tests if the used exhaustive tests curve
463 * is even-ordered accordingly. */
464 #if !EXHAUSTIVE_TEST_CURVE_HAS_EVEN_ORDER
465 test_exhaustive_ellswift(ctx, group);
466 #endif
467#endif
468
469 secp256k1_context_destroy(ctx);
470 }
471
472 printf("no problems found\n");
473 return EXIT_SUCCESS;
474}
475
476#if defined(__GNUC__)
477# pragma GCC diagnostic pop
478#endif
ret
int ret
Definition: bitcoin-cli.cpp:1691
EXIT_SUCCESS
return EXIT_SUCCESS
Definition: bitcoin-wallet.cpp:131
tests_exhaustive_impl.h
test_exhaustive_ecdh
static void test_exhaustive_ecdh(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive_impl.h:12
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_compute_two_tables
static void secp256k1_ecmult_compute_two_tables(secp256k1_ge_storage *table, secp256k1_ge_storage *table_128, int window_g, const secp256k1_ge *gen)
ecmult_compute_table_impl.h
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
COMB_SPACING
#define COMB_SPACING
Definition: ecmult_gen.h:79
COMB_BLOCKS
#define COMB_BLOCKS
Definition: ecmult_gen.h:67
COMB_TEETH
#define COMB_TEETH
Definition: ecmult_gen.h:73
secp256k1_ecmult_gen_ge
static void secp256k1_ecmult_gen_ge(const secp256k1_ecmult_gen_context *ctx, secp256k1_ge *r, const secp256k1_scalar *a)
secp256k1_ecmult_gen_compute_table
static void secp256k1_ecmult_gen_compute_table(secp256k1_ge_storage *table, const secp256k1_ge *gen, int blocks, int teeth, int spacing)
ecmult_gen_compute_table_impl.h
tests_exhaustive_impl.h
test_exhaustive_ellswift
static void test_exhaustive_ellswift(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive_impl.h:12
tests_exhaustive_impl.h
test_exhaustive_extrakeys
static void test_exhaustive_extrakeys(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive_impl.h:13
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:93
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:89
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:98
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_xy
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
secp256k1_ge_eq_var
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_gej_eq_ge_var
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:72
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
tests_wycheproof_generate_ecdsa.group
group
Definition: tests_wycheproof_generate_ecdsa.py:32
tinyformat::printf
void printf(FormatStringCheck< sizeof...(Args)> fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1096
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8236
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:16
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:15
secp256k1_ecmult_gen_prec_table
const secp256k1_ge_storage secp256k1_ecmult_gen_prec_table[COMB_BLOCKS][COMB_POINTS]
Definition: precomputed_ecmult_gen.c:10
tests_exhaustive_impl.h
test_exhaustive_recovery
static void test_exhaustive_recovery(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive_impl.h:143
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
tests_exhaustive_impl.h
test_exhaustive_schnorrsig
static void test_exhaustive_schnorrsig(const secp256k1_context *ctx)
Definition: tests_exhaustive_impl.h:186
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: util.h:54
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:386
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:265
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:372
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:190
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:779
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:144
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:601
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:215
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:477
ecmult_multi_data
Definition: tests.c:4855
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:65
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:75
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:62
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scratch_space_struct
Definition: scratch.h:12
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_init
static void testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
testrand_impl.h
test_exhaustive_verify
static void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive.c:243
test_exhaustive_endomorphism
static void test_exhaustive_endomorphism(const secp256k1_ge *group)
Definition: tests_exhaustive.c:70
test_exhaustive_ecmult
static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_gej *groupj)
Definition: tests_exhaustive.c:141
this_core
static uint32_t this_core
Definition: tests_exhaustive.c:42
skip_section
static SECP256K1_INLINE int skip_section(uint64_t *iter)
Definition: tests_exhaustive.c:44
main
int main(int argc, char **argv)
Definition: tests_exhaustive.c:365
r_from_k
static void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int *overflow)
Definition: tests_exhaustive.c:233
test_exhaustive_ecmult_multi
static void test_exhaustive_ecmult_multi(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive.c:203
test_exhaustive_sign
static void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive.c:296
num_cores
static uint32_t num_cores
Definition: tests_exhaustive.c:41
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests_exhaustive.c:196
count
static int count
Definition: tests_exhaustive.c:39
test_exhaustive_addition
static void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj)
Definition: tests_exhaustive.c:79
EXHAUSTIVE_TEST_ORDER
#define EXHAUSTIVE_TEST_ORDER
Definition: tests_exhaustive.c:13
secp256k1_nonce_function_smallint
static int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
Definition: tests_exhaustive.c:50
testutil_random_fe_non_zero
static void testutil_random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:41
testutil_random_fe
static void testutil_random_fe(secp256k1_fe *x)
Definition: testutil.h:31
Generated on Sun Jun 21 2026 20:06:51 for Bitcoin Core by doxygen 1.9.4