Bitcoin Core  27.99.0
P2P Digital Currency
tests_exhaustive.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2016 Andrew Poelstra *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <time.h>
10 
11 #ifndef EXHAUSTIVE_TEST_ORDER
12 /* see group_impl.h for allowable values */
13 #define EXHAUSTIVE_TEST_ORDER 13
14 #endif
15 
16 /* These values of B are all values in [1, 8] that result in a curve with even order. */
17 #define EXHAUSTIVE_TEST_CURVE_HAS_EVEN_ORDER (SECP256K1_B == 1 || SECP256K1_B == 6 || SECP256K1_B == 8)
18 
19 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
20  #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in exhaustive_tests.")
21  #undef USE_EXTERNAL_DEFAULT_CALLBACKS
22 #endif
23 #include "secp256k1.c"
24 
25 #include "../include/secp256k1.h"
26 #include "assumptions.h"
27 #include "group.h"
28 #include "testrand_impl.h"
31 #include "testutil.h"
32 #include "util.h"
33 
34 static int count = 2;
35 
36 static uint32_t num_cores = 1;
37 static uint32_t this_core = 0;
38 
39 SECP256K1_INLINE static int skip_section(uint64_t* iter) {
40  if (num_cores == 1) return 0;
41  *iter += 0xe7037ed1a0b428dbULL;
42  return ((((uint32_t)*iter ^ (*iter >> 32)) * num_cores) >> 32) != this_core;
43 }
44 
45 static int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32,
46  const unsigned char *key32, const unsigned char *algo16,
47  void *data, unsigned int attempt) {
49  int *idata = data;
50  (void)msg32;
51  (void)key32;
52  (void)algo16;
53  /* Some nonces cannot be used because they'd cause s and/or r to be zero.
54  * The signing function has retry logic here that just re-calls the nonce
55  * function with an increased `attempt`. So if attempt > 0 this means we
56  * need to change the nonce to avoid an infinite loop. */
57  if (attempt > 0) {
58  *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER;
59  }
60  secp256k1_scalar_set_int(&s, *idata);
61  secp256k1_scalar_get_b32(nonce32, &s);
62  return 1;
63 }
64 
66  int i;
67  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
68  secp256k1_ge res;
69  secp256k1_ge_mul_lambda(&res, &group[i]);
70  CHECK(secp256k1_ge_eq_var(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res));
71  }
72 }
73 
74 static void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj) {
75  int i, j;
76  uint64_t iter = 0;
77 
78  /* Sanity-check (and check infinity functions) */
80  CHECK(secp256k1_gej_is_infinity(&groupj[0]));
81  for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
83  CHECK(!secp256k1_gej_is_infinity(&groupj[i]));
84  }
85 
86  /* Check all addition formulae */
87  for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
88  secp256k1_fe fe_inv;
89  if (skip_section(&iter)) continue;
90  secp256k1_fe_inv(&fe_inv, &groupj[j].z);
91  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
92  secp256k1_ge zless_gej;
93  secp256k1_gej tmp;
94  /* add_var */
95  secp256k1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL);
97  /* add_ge */
98  if (j > 0) {
99  secp256k1_gej_add_ge(&tmp, &groupj[i], &group[j]);
101  }
102  /* add_ge_var */
103  secp256k1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL);
105  /* add_zinv_var */
106  zless_gej.infinity = groupj[j].infinity;
107  zless_gej.x = groupj[j].x;
108  zless_gej.y = groupj[j].y;
109  secp256k1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv);
111  }
112  }
113 
114  /* Check doubling */
115  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
116  secp256k1_gej tmp;
117  secp256k1_gej_double(&tmp, &groupj[i]);
119  secp256k1_gej_double_var(&tmp, &groupj[i], NULL);
121  }
122 
123  /* Check negation */
124  for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
125  secp256k1_ge tmp;
126  secp256k1_gej tmpj;
127  secp256k1_ge_neg(&tmp, &group[i]);
129  secp256k1_gej_neg(&tmpj, &groupj[i]);
131  }
132 }
133 
134 static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_gej *groupj) {
135  int i, j, r_log;
136  uint64_t iter = 0;
137  for (r_log = 1; r_log < EXHAUSTIVE_TEST_ORDER; r_log++) {
138  for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
139  if (skip_section(&iter)) continue;
140  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
141  secp256k1_gej tmp;
142  secp256k1_scalar na, ng;
143  secp256k1_scalar_set_int(&na, i);
144  secp256k1_scalar_set_int(&ng, j);
145 
146  secp256k1_ecmult(&tmp, &groupj[r_log], &na, &ng);
147  CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i * r_log + j) % EXHAUSTIVE_TEST_ORDER]));
148  }
149  }
150  }
151 
152  for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
153  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
154  int ret;
155  secp256k1_gej tmp;
156  secp256k1_fe xn, xd, tmpf;
157  secp256k1_scalar ng;
158 
159  if (skip_section(&iter)) continue;
160 
161  secp256k1_scalar_set_int(&ng, j);
162 
163  /* Test secp256k1_ecmult_const. */
164  secp256k1_ecmult_const(&tmp, &group[i], &ng);
166 
167  if (i != 0 && j != 0) {
168  /* Test secp256k1_ecmult_const_xonly with all curve X coordinates, and xd=NULL. */
169  ret = secp256k1_ecmult_const_xonly(&tmpf, &group[i].x, NULL, &ng, 0);
170  CHECK(ret);
171  CHECK(secp256k1_fe_equal(&tmpf, &group[(i * j) % EXHAUSTIVE_TEST_ORDER].x));
172 
173  /* Test secp256k1_ecmult_const_xonly with all curve X coordinates, with random xd. */
174  random_fe_non_zero(&xd);
175  secp256k1_fe_mul(&xn, &xd, &group[i].x);
176  ret = secp256k1_ecmult_const_xonly(&tmpf, &xn, &xd, &ng, 0);
177  CHECK(ret);
178  CHECK(secp256k1_fe_equal(&tmpf, &group[(i * j) % EXHAUSTIVE_TEST_ORDER].x));
179  }
180  }
181  }
182 }
183 
184 typedef struct {
188 
189 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
190  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
191  *sc = data->sc[idx];
192  *pt = data->pt[idx];
193  return 1;
194 }
195 
197  int i, j, k, x, y;
198  uint64_t iter = 0;
200  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
201  for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
202  for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
203  for (x = 0; x < EXHAUSTIVE_TEST_ORDER; x++) {
204  if (skip_section(&iter)) continue;
205  for (y = 0; y < EXHAUSTIVE_TEST_ORDER; y++) {
206  secp256k1_gej tmp;
207  secp256k1_scalar g_sc;
208  ecmult_multi_data data;
209 
210  secp256k1_scalar_set_int(&data.sc[0], i);
211  secp256k1_scalar_set_int(&data.sc[1], j);
212  secp256k1_scalar_set_int(&g_sc, k);
213  data.pt[0] = group[x];
214  data.pt[1] = group[y];
215 
216  secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2);
217  CHECK(secp256k1_gej_eq_ge_var(&tmp, &group[(i * x + j * y + k) % EXHAUSTIVE_TEST_ORDER]));
218  }
219  }
220  }
221  }
222  }
224 }
225 
226 static void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int* overflow) {
227  secp256k1_fe x;
228  unsigned char x_bin[32];
230  x = group[k].x;
232  secp256k1_fe_get_b32(x_bin, &x);
233  secp256k1_scalar_set_b32(r, x_bin, overflow);
234 }
235 
237  int s, r, msg, key;
238  uint64_t iter = 0;
239  for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) {
240  for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) {
241  for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) {
242  for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) {
243  secp256k1_ge nonconst_ge;
246  secp256k1_scalar sk_s, msg_s, r_s, s_s;
247  secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s;
248  int k, should_verify;
249  unsigned char msg32[32];
250 
251  if (skip_section(&iter)) continue;
252 
253  secp256k1_scalar_set_int(&s_s, s);
254  secp256k1_scalar_set_int(&r_s, r);
255  secp256k1_scalar_set_int(&msg_s, msg);
256  secp256k1_scalar_set_int(&sk_s, key);
257 
258  /* Verify by hand */
259  /* Run through every k value that gives us this r and check that *one* works.
260  * Note there could be none, there could be multiple, ECDSA is weird. */
261  should_verify = 0;
262  for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
263  secp256k1_scalar check_x_s;
264  r_from_k(&check_x_s, group, k, NULL);
265  if (r_s == check_x_s) {
266  secp256k1_scalar_set_int(&s_times_k_s, k);
267  secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s);
268  secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s);
269  secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s);
270  should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s);
271  }
272  }
273  /* nb we have a "high s" rule */
274  should_verify &= !secp256k1_scalar_is_high(&s_s);
275 
276  /* Verify by calling verify */
277  secp256k1_ecdsa_signature_save(&sig, &r_s, &s_s);
278  memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge));
279  secp256k1_pubkey_save(&pk, &nonconst_ge);
280  secp256k1_scalar_get_b32(msg32, &msg_s);
281  CHECK(should_verify ==
282  secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk));
283  }
284  }
285  }
286  }
287 }
288 
289 static void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group) {
290  int i, j, k;
291  uint64_t iter = 0;
292 
293  /* Loop */
294  for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { /* message */
295  for (j = 1; j < EXHAUSTIVE_TEST_ORDER; j++) { /* key */
296  if (skip_section(&iter)) continue;
297  for (k = 1; k < EXHAUSTIVE_TEST_ORDER; k++) { /* nonce */
298  const int starting_k = k;
299  int ret;
301  secp256k1_scalar sk, msg, r, s, expected_r;
302  unsigned char sk32[32], msg32[32];
304  secp256k1_scalar_set_int(&sk, j);
305  secp256k1_scalar_get_b32(sk32, &sk);
306  secp256k1_scalar_get_b32(msg32, &msg);
307 
308  ret = secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k);
309  CHECK(ret == 1);
310 
311  secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig);
312  /* Note that we compute expected_r *after* signing -- this is important
313  * because our nonce-computing function function might change k during
314  * signing. */
315  r_from_k(&expected_r, group, k, NULL);
316  CHECK(r == expected_r);
317  CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER ||
319 
320  /* Overflow means we've tried every possible nonce */
321  if (k < starting_k) {
322  break;
323  }
324  }
325  }
326  }
327 
328  /* We would like to verify zero-knowledge here by counting how often every
329  * possible (s, r) tuple appears, but because the group order is larger
330  * than the field order, when coercing the x-values to scalar values, some
331  * appear more often than others, so we are actually not zero-knowledge.
332  * (This effect also appears in the real code, but the difference is on the
333  * order of 1/2^128th the field order, so the deviation is not useful to a
334  * computationally bounded attacker.)
335  */
336 }
337 
338 #ifdef ENABLE_MODULE_RECOVERY
340 #endif
341 
342 #ifdef ENABLE_MODULE_EXTRAKEYS
344 #endif
345 
346 #ifdef ENABLE_MODULE_SCHNORRSIG
348 #endif
349 
350 #ifdef ENABLE_MODULE_ELLSWIFT
352 #endif
353 
354 int main(int argc, char** argv) {
355  int i;
358  unsigned char rand32[32];
359  secp256k1_context *ctx;
360 
361  /* Disable buffering for stdout to improve reliability of getting
362  * diagnostic information. Happens right at the start of main because
363  * setbuf must be used before any other operation on the stream. */
364  setbuf(stdout, NULL);
365  /* Also disable buffering for stderr because it's not guaranteed that it's
366  * unbuffered on all systems. */
367  setbuf(stderr, NULL);
368 
369  printf("Exhaustive tests for order %lu\n", (unsigned long)EXHAUSTIVE_TEST_ORDER);
370 
371  /* find iteration count */
372  if (argc > 1) {
373  count = strtol(argv[1], NULL, 0);
374  }
375  printf("test count = %i\n", count);
376 
377  /* find random seed */
378  secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
379 
380  /* set up split processing */
381  if (argc > 4) {
382  num_cores = strtol(argv[3], NULL, 0);
383  this_core = strtol(argv[4], NULL, 0);
384  if (num_cores < 1 || this_core >= num_cores) {
385  fprintf(stderr, "Usage: %s [count] [seed] [numcores] [thiscore]\n", argv[0]);
386  return 1;
387  }
388  printf("running tests for core %lu (out of [0..%lu])\n", (unsigned long)this_core, (unsigned long)num_cores - 1);
389  }
390 
391  /* Recreate the ecmult{,_gen} tables using the right generator (as selected via EXHAUSTIVE_TEST_ORDER) */
394 
395  while (count--) {
396  /* Build context */
398  secp256k1_testrand256(rand32);
399  CHECK(secp256k1_context_randomize(ctx, rand32));
400 
401  /* Generate the entire group */
402  secp256k1_gej_set_infinity(&groupj[0]);
403  secp256k1_ge_set_gej(&group[0], &groupj[0]);
404  for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
405  secp256k1_gej_add_ge(&groupj[i], &groupj[i - 1], &secp256k1_ge_const_g);
406  secp256k1_ge_set_gej(&group[i], &groupj[i]);
407  if (count != 0) {
408  /* Set a different random z-value for each Jacobian point, except z=1
409  is used in the last iteration. */
410  secp256k1_fe z;
411  random_fe(&z);
412  secp256k1_gej_rescale(&groupj[i], &z);
413  }
414 
415  /* Verify against ecmult_gen */
416  {
417  secp256k1_scalar scalar_i;
418  secp256k1_gej generatedj;
419  secp256k1_ge generated;
420 
421  secp256k1_scalar_set_int(&scalar_i, i);
422  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i);
423  secp256k1_ge_set_gej(&generated, &generatedj);
424 
425  CHECK(group[i].infinity == 0);
426  CHECK(generated.infinity == 0);
427  CHECK(secp256k1_fe_equal(&generated.x, &group[i].x));
428  CHECK(secp256k1_fe_equal(&generated.y, &group[i].y));
429  }
430  }
431 
432  /* Run the tests */
435  test_exhaustive_ecmult(group, groupj);
439 
440 #ifdef ENABLE_MODULE_RECOVERY
442 #endif
443 #ifdef ENABLE_MODULE_EXTRAKEYS
445 #endif
446 #ifdef ENABLE_MODULE_SCHNORRSIG
448 #endif
449 #ifdef ENABLE_MODULE_ELLSWIFT
450  /* The ellswift algorithm does have additional edge cases when operating on
451  * curves of even order, which are not included in the code as secp256k1 is
452  * of odd order. Skip the ellswift tests if the used exhaustive tests curve
453  * is even-ordered accordingly. */
454  #if !EXHAUSTIVE_TEST_CURVE_HAS_EVEN_ORDER
456  #endif
457 #endif
458 
460  }
461 
463 
464  printf("no problems found\n");
465  return 0;
466 }
int ret
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static void secp256k1_ecmult_compute_two_tables(secp256k1_ge_storage *table, secp256k1_ge_storage *table_128, int window_g, const secp256k1_ge *gen)
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
#define ECMULT_GEN_PREC_BITS
Definition: ecmult_gen.h:14
static void secp256k1_ecmult_gen_compute_table(secp256k1_ge_storage *table, const secp256k1_ge *gen, int bits)
static void test_exhaustive_ellswift(const secp256k1_context *ctx, const secp256k1_ge *group)
static void test_exhaustive_extrakeys(const secp256k1_context *ctx, const secp256k1_ge *group)
#define secp256k1_fe_mul
Definition: field.h:94
#define secp256k1_fe_get_b32
Definition: field.h:90
#define secp256k1_fe_inv
Definition: field.h:99
#define secp256k1_fe_normalize
Definition: field.h:78
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1077
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
const secp256k1_ge_storage secp256k1_ecmult_gen_prec_table[ECMULT_GEN_PREC_N(ECMULT_GEN_PREC_BITS)][ECMULT_GEN_PREC_G(ECMULT_GEN_PREC_BITS)]
static void test_exhaustive_recovery(const secp256k1_context *ctx, const secp256k1_ge *group)
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void test_exhaustive_schnorrsig(const secp256k1_context *ctx)
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
#define SECP256K1_INLINE
Definition: util.h:48
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:750
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:205
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
secp256k1_scalar * sc
Definition: tests.c:4622
secp256k1_ge * pt
Definition: tests.c:4623
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
static void secp256k1_testrand_finish(void)
Print final test information.
static void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group)
static void test_exhaustive_endomorphism(const secp256k1_ge *group)
static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_gej *groupj)
static uint32_t this_core
static SECP256K1_INLINE int skip_section(uint64_t *iter)
int main(int argc, char **argv)
static void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int *overflow)
static void test_exhaustive_ecmult_multi(const secp256k1_context *ctx, const secp256k1_ge *group)
static void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group)
static uint32_t num_cores
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
static int count
static void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj)
#define EXHAUSTIVE_TEST_ORDER
static int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
static void random_fe(secp256k1_fe *x)
Definition: testutil.h:13
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:23