2013-03-10 21:25:19 +01:00
|
|
|
#include <assert.h>
|
|
|
|
|
2013-04-01 07:52:58 +02:00
|
|
|
#include "num.c"
|
|
|
|
#include "field.c"
|
|
|
|
#include "group.c"
|
|
|
|
#include "ecmult.c"
|
|
|
|
#include "ecdsa.c"
|
2013-03-10 21:25:19 +01:00
|
|
|
|
2013-03-24 10:38:35 +01:00
|
|
|
// #define COUNT 2
|
|
|
|
#define COUNT 100
|
|
|
|
|
2013-03-11 01:19:24 +01:00
|
|
|
void test_run_ecmult_chain() {
|
2013-03-10 22:23:33 +01:00
|
|
|
// random starting point A (on the curve)
|
2013-03-30 22:32:16 +01:00
|
|
|
secp256k1_fe_t ax; secp256k1_fe_set_hex(&ax, "8b30bbe9ae2a990696b22f670709dff3727fd8bc04d3362c6c7bf458e2846004", 64);
|
|
|
|
secp256k1_fe_t ay; secp256k1_fe_set_hex(&ay, "a357ae915c4a65281309edf20504740f0eb3343990216b4f81063cb65f2f7e0f", 64);
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
|
2013-03-10 22:23:33 +01:00
|
|
|
// two random initial factors xn and gn
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t xn;
|
|
|
|
secp256k1_num_init(&xn);
|
|
|
|
secp256k1_num_set_hex(&xn, "84cc5452f7fde1edb4d38a8ce9b1b84ccef31f146e569be9705d357a42985407", 64);
|
|
|
|
secp256k1_num_t gn;
|
|
|
|
secp256k1_num_init(&gn);
|
|
|
|
secp256k1_num_set_hex(&gn, "a1e58d22553dcd42b23980625d4c57a96e9323d42b3152e5ca2c3990edc7c9de", 64);
|
2013-03-10 22:23:33 +01:00
|
|
|
// two small multipliers to be applied to xn and gn in every iteration:
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t xf;
|
|
|
|
secp256k1_num_init(&xf);
|
|
|
|
secp256k1_num_set_hex(&xf, "1337", 4);
|
|
|
|
secp256k1_num_t gf;
|
|
|
|
secp256k1_num_init(&gf);
|
|
|
|
secp256k1_num_set_hex(&gf, "7113", 4);
|
2013-03-10 22:23:33 +01:00
|
|
|
// accumulators with the resulting coefficients to A and G
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t ae;
|
|
|
|
secp256k1_num_init(&ae);
|
|
|
|
secp256k1_num_set_int(&ae, 1);
|
|
|
|
secp256k1_num_t ge;
|
|
|
|
secp256k1_num_init(&ge);
|
|
|
|
secp256k1_num_set_int(&ge, 0);
|
2013-03-10 22:23:33 +01:00
|
|
|
// the point being computed
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_gej_t x = a;
|
|
|
|
const secp256k1_num_t *order = &secp256k1_ge_consts->order;
|
2013-03-24 10:38:35 +01:00
|
|
|
for (int i=0; i<200*COUNT; i++) {
|
2013-03-10 21:41:54 +01:00
|
|
|
// in each iteration, compute X = xn*X + gn*G;
|
2013-04-01 06:29:30 +02:00
|
|
|
secp256k1_ecmult(&x, &x, &xn, &gn);
|
2013-03-10 21:41:54 +01:00
|
|
|
// also compute ae and ge: the actual accumulated factors for A and G
|
|
|
|
// if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G)
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_num_mod_mul(&ae, &ae, &xn, order);
|
|
|
|
secp256k1_num_mod_mul(&ge, &ge, &xn, order);
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_add(&ge, &ge, &gn);
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_num_mod(&ge, &ge, order);
|
2013-03-10 21:41:54 +01:00
|
|
|
// modify xn and gn
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_num_mod_mul(&xn, &xn, &xf, order);
|
|
|
|
secp256k1_num_mod_mul(&gn, &gn, &gf, order);
|
2013-03-10 21:25:19 +01:00
|
|
|
}
|
2013-03-31 17:02:52 +02:00
|
|
|
char res[132]; int resl = 132;
|
|
|
|
secp256k1_gej_get_hex(res, &resl, &x);
|
2013-03-24 10:38:35 +01:00
|
|
|
if (COUNT == 100) {
|
2013-03-31 17:02:52 +02:00
|
|
|
assert(strcmp(res, "(D6E96687F9B10D092A6F35439D86CEBEA4535D0D409F53586440BD74B933E830,B95CBCA2C77DA786539BE8FD53354D2D3B4F566AE658045407ED6015EE1B2A88)") == 0);
|
2013-03-24 10:38:35 +01:00
|
|
|
}
|
2013-03-10 21:41:54 +01:00
|
|
|
// redo the computation, but directly with the resulting ae and ge coefficients:
|
2013-04-01 06:29:30 +02:00
|
|
|
secp256k1_gej_t x2; secp256k1_ecmult(&x2, &a, &ae, &ge);
|
2013-03-31 17:02:52 +02:00
|
|
|
char res2[132]; int resl2 = 132;
|
|
|
|
secp256k1_gej_get_hex(res2, &resl2, &x2);
|
|
|
|
assert(strcmp(res, res2) == 0);
|
|
|
|
assert(strlen(res) == 131);
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_free(&xn);
|
|
|
|
secp256k1_num_free(&gn);
|
|
|
|
secp256k1_num_free(&xf);
|
|
|
|
secp256k1_num_free(&gf);
|
|
|
|
secp256k1_num_free(&ae);
|
|
|
|
secp256k1_num_free(&ge);
|
2013-03-10 21:25:19 +01:00
|
|
|
}
|
|
|
|
|
2013-04-01 07:52:58 +02:00
|
|
|
void test_point_times_order(const secp256k1_gej_t *point) {
|
2013-03-11 01:19:24 +01:00
|
|
|
// either the point is not on the curve, or multiplying it by the order results in O
|
2013-04-01 07:52:58 +02:00
|
|
|
if (!secp256k1_gej_is_valid(point))
|
2013-03-11 01:19:24 +01:00
|
|
|
return;
|
|
|
|
|
2013-03-31 17:02:52 +02:00
|
|
|
const secp256k1_num_t *order = &secp256k1_ge_consts->order;
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t zero;
|
|
|
|
secp256k1_num_init(&zero);
|
|
|
|
secp256k1_num_set_int(&zero, 0);
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_gej_t res;
|
2013-04-01 07:52:58 +02:00
|
|
|
secp256k1_ecmult(&res, point, order, order); // calc res = order * point + order * G;
|
2013-03-31 17:02:52 +02:00
|
|
|
assert(secp256k1_gej_is_infinity(&res));
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_free(&zero);
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void test_run_point_times_order() {
|
2013-03-30 22:32:16 +01:00
|
|
|
secp256k1_fe_t x; secp256k1_fe_set_hex(&x, "02", 2);
|
2013-03-11 01:19:24 +01:00
|
|
|
for (int i=0; i<500; i++) {
|
2013-04-01 07:52:58 +02:00
|
|
|
secp256k1_gej_t j; secp256k1_gej_set_xo(&j, &x, 1);
|
|
|
|
test_point_times_order(&j);
|
2013-03-30 22:32:16 +01:00
|
|
|
secp256k1_fe_sqr(&x, &x);
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
2013-03-30 22:32:16 +01:00
|
|
|
char c[65]; int cl=65;
|
|
|
|
secp256k1_fe_get_hex(c, &cl, &x);
|
|
|
|
assert(strcmp(c, "7603CB59B0EF6C63FE6084792A0C378CDB3233A80F8A9A09A877DEAD31B38C45") == 0);
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
|
|
|
|
2013-04-01 07:52:58 +02:00
|
|
|
void test_wnaf(const secp256k1_num_t *number, int w) {
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t x, two, t;
|
|
|
|
secp256k1_num_init(&x);
|
|
|
|
secp256k1_num_init(&two);
|
|
|
|
secp256k1_num_init(&t);
|
|
|
|
secp256k1_num_set_int(&x, 0);
|
|
|
|
secp256k1_num_set_int(&two, 2);
|
2013-04-01 06:29:30 +02:00
|
|
|
int wnaf[1024];
|
2013-04-01 07:52:58 +02:00
|
|
|
int bits = secp256k1_ecmult_wnaf(wnaf, number, w);
|
2013-03-11 01:19:24 +01:00
|
|
|
int zeroes = -1;
|
2013-04-01 06:29:30 +02:00
|
|
|
for (int i=bits-1; i>=0; i--) {
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_mul(&x, &x, &two);
|
2013-04-01 06:29:30 +02:00
|
|
|
int v = wnaf[i];
|
2013-03-11 01:19:24 +01:00
|
|
|
if (v) {
|
|
|
|
assert(zeroes == -1 || zeroes >= w-1); // check that distance between non-zero elements is at least w-1
|
|
|
|
zeroes=0;
|
|
|
|
assert((v & 1) == 1); // check non-zero elements are odd
|
|
|
|
assert(v <= (1 << (w-1)) - 1); // check range below
|
|
|
|
assert(v >= -(1 << (w-1)) - 1); // check range above
|
|
|
|
} else {
|
|
|
|
assert(zeroes != -1); // check that no unnecessary zero padding exists
|
|
|
|
zeroes++;
|
|
|
|
}
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_set_int(&t, v);
|
|
|
|
secp256k1_num_add(&x, &x, &t);
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
2013-04-01 07:52:58 +02:00
|
|
|
assert(secp256k1_num_cmp(&x, number) == 0); // check that wnaf represents number
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_free(&x);
|
|
|
|
secp256k1_num_free(&two);
|
|
|
|
secp256k1_num_free(&t);
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void test_run_wnaf() {
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t range, min, n;
|
|
|
|
secp256k1_num_init(&range);
|
|
|
|
secp256k1_num_init(&min);
|
|
|
|
secp256k1_num_init(&n);
|
|
|
|
secp256k1_num_set_hex(&range, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 256);
|
|
|
|
secp256k1_num_copy(&min, &range);
|
|
|
|
secp256k1_num_shift(&min, 1);
|
|
|
|
secp256k1_num_negate(&min);
|
|
|
|
for (int i=0; i<COUNT; i++) {
|
|
|
|
secp256k1_num_set_rand(&n, &range);
|
|
|
|
secp256k1_num_add(&n, &n, &min);
|
2013-04-01 07:52:58 +02:00
|
|
|
test_wnaf(&n, 4+(i%10));
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_free(&range);
|
|
|
|
secp256k1_num_free(&min);
|
|
|
|
secp256k1_num_free(&n);
|
2013-03-11 01:19:24 +01:00
|
|
|
}
|
2013-03-10 21:25:19 +01:00
|
|
|
|
2013-03-18 02:41:01 +01:00
|
|
|
void test_ecdsa_sign_verify() {
|
2013-04-01 07:52:58 +02:00
|
|
|
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_t msg, key, nonce;
|
|
|
|
secp256k1_num_init(&msg);
|
2013-04-01 07:52:58 +02:00
|
|
|
secp256k1_num_set_rand(&msg, &c->order);
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_init(&key);
|
2013-04-01 07:52:58 +02:00
|
|
|
secp256k1_num_set_rand(&key, &c->order);
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_init(&nonce);
|
2013-04-01 06:29:30 +02:00
|
|
|
secp256k1_gej_t pub; secp256k1_ecmult_gen(&pub, &key);
|
2013-04-01 07:21:05 +02:00
|
|
|
secp256k1_ecdsa_sig_t sig;
|
|
|
|
secp256k1_ecdsa_sig_init(&sig);
|
2013-03-18 02:41:01 +01:00
|
|
|
do {
|
2013-04-01 07:52:58 +02:00
|
|
|
secp256k1_num_set_rand(&nonce, &c->order);
|
2013-04-01 07:21:05 +02:00
|
|
|
} while(!secp256k1_ecdsa_sig_sign(&sig, &key, &msg, &nonce));
|
|
|
|
assert(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_inc(&msg);
|
2013-04-01 07:21:05 +02:00
|
|
|
assert(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
|
|
|
|
secp256k1_ecdsa_sig_free(&sig);
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_free(&msg);
|
|
|
|
secp256k1_num_free(&key);
|
|
|
|
secp256k1_num_free(&nonce);
|
2013-03-18 02:41:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void test_run_ecdsa_sign_verify() {
|
2013-03-24 10:38:35 +01:00
|
|
|
for (int i=0; i<10*COUNT; i++) {
|
2013-03-18 02:41:01 +01:00
|
|
|
test_ecdsa_sign_verify();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-03-10 21:25:19 +01:00
|
|
|
int main(void) {
|
2013-03-24 10:38:35 +01:00
|
|
|
secp256k1_num_start();
|
2013-03-30 22:32:16 +01:00
|
|
|
secp256k1_fe_start();
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_ge_start();
|
2013-04-01 06:29:30 +02:00
|
|
|
secp256k1_ecmult_start();
|
2013-03-24 10:38:35 +01:00
|
|
|
|
2013-03-11 01:19:24 +01:00
|
|
|
test_run_wnaf();
|
|
|
|
test_run_point_times_order();
|
|
|
|
test_run_ecmult_chain();
|
2013-03-18 02:41:01 +01:00
|
|
|
test_run_ecdsa_sign_verify();
|
2013-03-30 22:32:16 +01:00
|
|
|
|
2013-04-01 06:29:30 +02:00
|
|
|
secp256k1_ecmult_stop();
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_ge_stop();
|
2013-03-30 22:32:16 +01:00
|
|
|
secp256k1_fe_stop();
|
2013-03-31 17:02:52 +02:00
|
|
|
secp256k1_num_stop();
|
2013-03-10 21:25:19 +01:00
|
|
|
return 0;
|
|
|
|
}
|