tests__exhaustive_8c_source.html

 /***********************************************************************
  * Copyright (c) 2016 Andrew Poelstra                                 *
  * Distributed under the MIT software license, see the accompanying   *
  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
  **********************************************************************/

 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif

 #include <stdio.h>
 #include <stdlib.h>

 #include <time.h>

 #undef USE_ECMULT_STATIC_PRECOMPUTATION

 #ifndef EXHAUSTIVE_TEST_ORDER
 /* see group_impl.h for allowable values */
 #define EXHAUSTIVE_TEST_ORDER 13
 #endif

 #include "include/secp256k1.h"
 #include "assumptions.h"
 #include "group.h"
 #include "secp256k1.c"
 #include "testrand_impl.h"

 static int count = 2;

 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
     CHECK(a->infinity == b->infinity);
     if (a->infinity) {
         return;
     }
     CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
     CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
 }

 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
     secp256k1_fe z2s;
     secp256k1_fe u1, u2, s1, s2;
     CHECK(a->infinity == b->infinity);
     if (a->infinity) {
         return;
     }
     /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
     secp256k1_fe_sqr(&z2s, &b->z);
     secp256k1_fe_mul(&u1, &a->x, &z2s);
     u2 = b->x; secp256k1_fe_normalize_weak(&u2);
     secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
     s2 = b->y; secp256k1_fe_normalize_weak(&s2);
     CHECK(secp256k1_fe_equal_var(&u1, &u2));
     CHECK(secp256k1_fe_equal_var(&s1, &s2));
 }

 void random_fe(secp256k1_fe *x) {
     unsigned char bin[32];
     do {
         secp256k1_testrand256(bin);
         if (secp256k1_fe_set_b32(x, bin)) {
             return;
         }
     } while(1);
 }
 static uint32_t num_cores = 1;
 static uint32_t this_core = 0;

 SECP256K1_INLINE static int skip_section(uint64_t* iter) {
     if (num_cores == 1) return 0;
     *iter += 0xe7037ed1a0b428dbULL;
     return ((((uint32_t)*iter ^ (*iter >> 32)) * num_cores) >> 32) != this_core;
 }

 int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32,
                                       const unsigned char *key32, const unsigned char *algo16,
                                       void *data, unsigned int attempt) {
     secp256k1_scalar s;
     int *idata = data;
     (void)msg32;
     (void)key32;
     (void)algo16;
     /* Some nonces cannot be used because they'd cause s and/or r to be zero.
      * The signing function has retry logic here that just re-calls the nonce
      * function with an increased `attempt`. So if attempt > 0 this means we
      * need to change the nonce to avoid an infinite loop. */
     if (attempt > 0) {
         *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER;
     }
     secp256k1_scalar_set_int(&s, *idata);
     secp256k1_scalar_get_b32(nonce32, &s);
     return 1;
 }

 void test_exhaustive_endomorphism(const secp256k1_ge *group) {
     int i;
     for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
         secp256k1_ge res;
         secp256k1_ge_mul_lambda(&res, &group[i]);
         ge_equals_ge(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res);
     }
 }

 void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj) {
     int i, j;
     uint64_t iter = 0;

     /* Sanity-check (and check infinity functions) */
     CHECK(secp256k1_ge_is_infinity(&group[0]));
     CHECK(secp256k1_gej_is_infinity(&groupj[0]));
     for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
         CHECK(!secp256k1_ge_is_infinity(&group[i]));
         CHECK(!secp256k1_gej_is_infinity(&groupj[i]));
     }

     /* Check all addition formulae */
     for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
         secp256k1_fe fe_inv;
         if (skip_section(&iter)) continue;
         secp256k1_fe_inv(&fe_inv, &groupj[j].z);
         for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
             secp256k1_ge zless_gej;
             secp256k1_gej tmp;
             /* add_var */
             secp256k1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL);
             ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp);
             /* add_ge */
             if (j > 0) {
                 secp256k1_gej_add_ge(&tmp, &groupj[i], &group[j]);
                 ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp);
             }
             /* add_ge_var */
             secp256k1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL);
             ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp);
             /* add_zinv_var */
             zless_gej.infinity = groupj[j].infinity;
             zless_gej.x = groupj[j].x;
             zless_gej.y = groupj[j].y;
             secp256k1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv);
             ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp);
         }
     }

     /* Check doubling */
     for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
         secp256k1_gej tmp;
         secp256k1_gej_double(&tmp, &groupj[i]);
         ge_equals_gej(&group[(2 * i) % EXHAUSTIVE_TEST_ORDER], &tmp);
         secp256k1_gej_double_var(&tmp, &groupj[i], NULL);
         ge_equals_gej(&group[(2 * i) % EXHAUSTIVE_TEST_ORDER], &tmp);
     }

     /* Check negation */
     for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
         secp256k1_ge tmp;
         secp256k1_gej tmpj;
         secp256k1_ge_neg(&tmp, &group[i]);
         ge_equals_ge(&group[EXHAUSTIVE_TEST_ORDER - i], &tmp);
         secp256k1_gej_neg(&tmpj, &groupj[i]);
         ge_equals_gej(&group[EXHAUSTIVE_TEST_ORDER - i], &tmpj);
     }
 }

 void test_exhaustive_ecmult(const secp256k1_context *ctx, const secp256k1_ge *group, const secp256k1_gej *groupj) {
     int i, j, r_log;
     uint64_t iter = 0;
     for (r_log = 1; r_log < EXHAUSTIVE_TEST_ORDER; r_log++) {
         for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
             if (skip_section(&iter)) continue;
             for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
                 secp256k1_gej tmp;
                 secp256k1_scalar na, ng;
                 secp256k1_scalar_set_int(&na, i);
                 secp256k1_scalar_set_int(&ng, j);

                 secp256k1_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng);
                 ge_equals_gej(&group[(i * r_log + j) % EXHAUSTIVE_TEST_ORDER], &tmp);

                 if (i > 0) {
                     secp256k1_ecmult_const(&tmp, &group[i], &ng, 256);
                     ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp);
                 }
             }
         }
     }
 }

 typedef struct {
     secp256k1_scalar sc[2];
     secp256k1_ge pt[2];
 } ecmult_multi_data;

 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
     ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
     *sc = data->sc[idx];
     *pt = data->pt[idx];
     return 1;
 }

 void test_exhaustive_ecmult_multi(const secp256k1_context *ctx, const secp256k1_ge *group) {
     int i, j, k, x, y;
     uint64_t iter = 0;
     secp256k1_scratch *scratch = secp256k1_scratch_create(&ctx->error_callback, 4096);
     for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
         for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
             for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
                 for (x = 0; x < EXHAUSTIVE_TEST_ORDER; x++) {
                     if (skip_section(&iter)) continue;
                     for (y = 0; y < EXHAUSTIVE_TEST_ORDER; y++) {
                         secp256k1_gej tmp;
                         secp256k1_scalar g_sc;
                         ecmult_multi_data data;

                         secp256k1_scalar_set_int(&data.sc[0], i);
                         secp256k1_scalar_set_int(&data.sc[1], j);
                         secp256k1_scalar_set_int(&g_sc, k);
                         data.pt[0] = group[x];
                         data.pt[1] = group[y];

                         secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2);
                         ge_equals_gej(&group[(i * x + j * y + k) % EXHAUSTIVE_TEST_ORDER], &tmp);
                     }
                 }
             }
         }
     }
     secp256k1_scratch_destroy(&ctx->error_callback, scratch);
 }

 void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int* overflow) {
     secp256k1_fe x;
     unsigned char x_bin[32];
     k %= EXHAUSTIVE_TEST_ORDER;
     x = group[k].x;
     secp256k1_fe_normalize(&x);
     secp256k1_fe_get_b32(x_bin, &x);
     secp256k1_scalar_set_b32(r, x_bin, overflow);
 }

 void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group) {
     int s, r, msg, key;
     uint64_t iter = 0;
     for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) {
         for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) {
             for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) {
                 for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) {
                     secp256k1_ge nonconst_ge;
                     secp256k1_ecdsa_signature sig;
                     secp256k1_pubkey pk;
                     secp256k1_scalar sk_s, msg_s, r_s, s_s;
                     secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s;
                     int k, should_verify;
                     unsigned char msg32[32];

                     if (skip_section(&iter)) continue;

                     secp256k1_scalar_set_int(&s_s, s);
                     secp256k1_scalar_set_int(&r_s, r);
                     secp256k1_scalar_set_int(&msg_s, msg);
                     secp256k1_scalar_set_int(&sk_s, key);

                     /* Verify by hand */
                     /* Run through every k value that gives us this r and check that *one* works.
                      * Note there could be none, there could be multiple, ECDSA is weird. */
                     should_verify = 0;
                     for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
                         secp256k1_scalar check_x_s;
                         r_from_k(&check_x_s, group, k, NULL);
                         if (r_s == check_x_s) {
                             secp256k1_scalar_set_int(&s_times_k_s, k);
                             secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s);
                             secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s);
                             secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s);
                             should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s);
                         }
                     }
                     /* nb we have a "high s" rule */
                     should_verify &= !secp256k1_scalar_is_high(&s_s);

                     /* Verify by calling verify */
                     secp256k1_ecdsa_signature_save(&sig, &r_s, &s_s);
                     memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge));
                     secp256k1_pubkey_save(&pk, &nonconst_ge);
                     secp256k1_scalar_get_b32(msg32, &msg_s);
                     CHECK(should_verify ==
                           secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk));
                 }
             }
         }
     }
 }

 void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group) {
     int i, j, k;
     uint64_t iter = 0;

     /* Loop */
     for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {  /* message */
         for (j = 1; j < EXHAUSTIVE_TEST_ORDER; j++) {  /* key */
             if (skip_section(&iter)) continue;
             for (k = 1; k < EXHAUSTIVE_TEST_ORDER; k++) {  /* nonce */
                 const int starting_k = k;
                 secp256k1_ecdsa_signature sig;
                 secp256k1_scalar sk, msg, r, s, expected_r;
                 unsigned char sk32[32], msg32[32];
                 secp256k1_scalar_set_int(&msg, i);
                 secp256k1_scalar_set_int(&sk, j);
                 secp256k1_scalar_get_b32(sk32, &sk);
                 secp256k1_scalar_get_b32(msg32, &msg);

                 secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k);

                 secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig);
                 /* Note that we compute expected_r *after* signing -- this is important
                  * because our nonce-computing function function might change k during
                  * signing. */
                 r_from_k(&expected_r, group, k, NULL);
                 CHECK(r == expected_r);
                 CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER ||
                       (k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER);

                 /* Overflow means we've tried every possible nonce */
                 if (k < starting_k) {
                     break;
                 }
             }
         }
     }

     /* We would like to verify zero-knowledge here by counting how often every
      * possible (s, r) tuple appears, but because the group order is larger
      * than the field order, when coercing the x-values to scalar values, some
      * appear more often than others, so we are actually not zero-knowledge.
      * (This effect also appears in the real code, but the difference is on the
      * order of 1/2^128th the field order, so the deviation is not useful to a
      * computationally bounded attacker.)
      */
 }

 #ifdef ENABLE_MODULE_RECOVERY
 #include "src/modules/recovery/tests_exhaustive_impl.h"
 #endif

 #ifdef ENABLE_MODULE_EXTRAKEYS
 #include "src/modules/extrakeys/tests_exhaustive_impl.h"
 #endif

 #ifdef ENABLE_MODULE_SCHNORRSIG
 #include "src/modules/schnorrsig/tests_exhaustive_impl.h"
 #endif

 int main(int argc, char** argv) {
     int i;
     secp256k1_gej groupj[EXHAUSTIVE_TEST_ORDER];
     secp256k1_ge group[EXHAUSTIVE_TEST_ORDER];
     unsigned char rand32[32];
     secp256k1_context *ctx;

     /* Disable buffering for stdout to improve reliability of getting
      * diagnostic information. Happens right at the start of main because
      * setbuf must be used before any other operation on the stream. */
     setbuf(stdout, NULL);
     /* Also disable buffering for stderr because it's not guaranteed that it's
      * unbuffered on all systems. */
     setbuf(stderr, NULL);

     printf("Exhaustive tests for order %lu\n", (unsigned long)EXHAUSTIVE_TEST_ORDER);

     /* find iteration count */
     if (argc > 1) {
         count = strtol(argv[1], NULL, 0);
     }
     printf("test count = %i\n", count);

     /* find random seed */
     secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);

     /* set up split processing */
     if (argc > 4) {
         num_cores = strtol(argv[3], NULL, 0);
         this_core = strtol(argv[4], NULL, 0);
         if (num_cores < 1 || this_core >= num_cores) {
             fprintf(stderr, "Usage: %s [count] [seed] [numcores] [thiscore]\n", argv[0]);
             return 1;
         }
         printf("running tests for core %lu (out of [0..%lu])\n", (unsigned long)this_core, (unsigned long)num_cores - 1);
     }

     while (count--) {
         /* Build context */
         ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
         secp256k1_testrand256(rand32);
         CHECK(secp256k1_context_randomize(ctx, rand32));

         /* Generate the entire group */
         secp256k1_gej_set_infinity(&groupj[0]);
         secp256k1_ge_set_gej(&group[0], &groupj[0]);
         for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
             secp256k1_gej_add_ge(&groupj[i], &groupj[i - 1], &secp256k1_ge_const_g);
             secp256k1_ge_set_gej(&group[i], &groupj[i]);
             if (count != 0) {
                 /* Set a different random z-value for each Jacobian point, except z=1
                    is used in the last iteration. */
                 secp256k1_fe z;
                 random_fe(&z);
                 secp256k1_gej_rescale(&groupj[i], &z);
             }

             /* Verify against ecmult_gen */
             {
                 secp256k1_scalar scalar_i;
                 secp256k1_gej generatedj;
                 secp256k1_ge generated;

                 secp256k1_scalar_set_int(&scalar_i, i);
                 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i);
                 secp256k1_ge_set_gej(&generated, &generatedj);

                 CHECK(group[i].infinity == 0);
                 CHECK(generated.infinity == 0);
                 CHECK(secp256k1_fe_equal_var(&generated.x, &group[i].x));
                 CHECK(secp256k1_fe_equal_var(&generated.y, &group[i].y));
             }
         }

         /* Run the tests */
         test_exhaustive_endomorphism(group);
         test_exhaustive_addition(group, groupj);
         test_exhaustive_ecmult(ctx, group, groupj);
         test_exhaustive_ecmult_multi(ctx, group);
         test_exhaustive_sign(ctx, group);
         test_exhaustive_verify(ctx, group);

 #ifdef ENABLE_MODULE_RECOVERY
         test_exhaustive_recovery(ctx, group);
 #endif
 #ifdef ENABLE_MODULE_EXTRAKEYS
         test_exhaustive_extrakeys(ctx, group);
 #endif
 #ifdef ENABLE_MODULE_SCHNORRSIG
         test_exhaustive_schnorrsig(ctx);
 #endif

         secp256k1_context_destroy(ctx);
     }

     secp256k1_testrand_finish();

     printf("no problems found\n");
     return 0;
 }
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.

secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).

secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.

test_exhaustive_ecmult_multi
void test_exhaustive_ecmult_multi(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive.c:203

secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.

test_exhaustive_addition
void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj)
Definition: tests_exhaustive.c:107

secp256k1_fe
Definition: field_10x26.h:12

ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:2836

secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.

secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.

secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.

secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)

secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.

secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.

secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)

secp256k1_gej::x
secp256k1_fe x
Definition: group.h:25

main
int main(int argc, char **argv)
Definition: tests_exhaustive.c:355

libsecp256k1-config.h

secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:728

time.h

group.h

ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
stolen from tests.c
Definition: tests_exhaustive.c:32

skip_section
static SECP256K1_INLINE int skip_section(uint64_t *iter)
Definition: tests_exhaustive.c:72

test_exhaustive_recovery
static void test_exhaustive_recovery(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive_impl.h:144

secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)

secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:263

secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b&#39;s Z coordinate passed as bzinv)...

testrand_impl.h

r_from_k
void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int *overflow)
Definition: tests_exhaustive.c:233

secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.

test_exhaustive_schnorrsig
static void test_exhaustive_schnorrsig(const secp256k1_context *ctx)
Definition: tests_exhaustive_impl.h:178

secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.

secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24

secp256k1_context_struct
Definition: secp256k1.c:70

SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:171

secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:332

secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.

secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).

secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.

secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:195

ecmult_multi_data
Definition: tests.c:2834

secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Generator for secp256k1, value &#39;g&#39; defined in "Standards for Efficient Cryptography" (SEC2) 2...
Definition: group_impl.h:53

num_cores
static uint32_t num_cores
END stolen from tests.c.
Definition: tests_exhaustive.c:69

test_exhaustive_endomorphism
void test_exhaustive_endomorphism(const secp256k1_ge *group)
Definition: tests_exhaustive.c:98

SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:124

secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...

secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:72

secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL...

ctx
static secp256k1_context * ctx
Definition: tests.c:36

secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:534

secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.

secp256k1_gej::infinity
int infinity
Definition: group.h:28

secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.

secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.

test_exhaustive_ecmult
void test_exhaustive_ecmult(const secp256k1_context *ctx, const secp256k1_ge *group, const secp256k1_gej *groupj)
Definition: tests_exhaustive.c:167

test_exhaustive_sign
void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive.c:296

secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:71

this_core
static uint32_t this_core
Definition: tests_exhaustive.c:70

secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14

secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80

secp256k1_ge::x
secp256k1_fe x
Definition: group.h:15

secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don&#39;t fully normalize.

secp256k1.c

CHECK
#define CHECK(cond)
Definition: util.h:53

secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast...

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

secp256k1_ge::infinity
int infinity
Definition: group.h:17

secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:318

tests_exhaustive_impl.h

secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.

secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.

secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.

SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:170

secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.

secp256k1.h

test_exhaustive_extrakeys
static void test_exhaustive_extrakeys(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive_impl.h:13

secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.

secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).

EXHAUSTIVE_TEST_ORDER
#define EXHAUSTIVE_TEST_ORDER
Definition: tests_exhaustive.c:20

secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.

secp256k1_gej::z
secp256k1_fe z
Definition: group.h:27

memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:14

secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Field element module.

test_exhaustive_verify
void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group)
Definition: tests_exhaustive.c:243

ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:2835

secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.

secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).

assumptions.h

count
static int count
Definition: tests_exhaustive.c:29

secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:74

tests_exhaustive_impl.h

ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests_exhaustive.c:196

secp256k1_scratch_space_struct
Definition: scratch.h:12

random_fe
void random_fe(secp256k1_fe *x)
Definition: tests_exhaustive.c:58

secp256k1_gej::y
secp256k1_fe y
Definition: group.h:26

secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)

tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1079

secp256k1_nonce_function_smallint
int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
Definition: tests_exhaustive.c:78

ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests_exhaustive.c:41

secp256k1_ge::y
secp256k1_fe y
Definition: group.h:16

tests_exhaustive_impl.h

secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.

secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:151

secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67

secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.

secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:423