Merge pull request #89

501d58f Get rid of {num,scalar,ecdsa_sig}_{init,free} (Pieter Wuille)
This commit is contained in:
Pieter Wuille 2014-11-03 01:40:12 -08:00
commit 47ebd6b7fa
No known key found for this signature in database
GPG key ID: 57896D2FF8F0B657
12 changed files with 1 additions and 271 deletions

View file

@ -25,8 +25,6 @@ int main() {
};
secp256k1_ge_start();
secp256k1_scalar_t base, x;
secp256k1_scalar_init(&base);
secp256k1_scalar_init(&x);
secp256k1_scalar_set_b32(&base, init, NULL);
secp256k1_scalar_set_b32(&x, init, NULL);
for (int i=0; i<1000000; i++) {
@ -36,7 +34,5 @@ int main() {
unsigned char res[32];
secp256k1_scalar_get_b32(res, &x);
CHECK(memcmp(res, fini, 32) == 0);
secp256k1_scalar_free(&base);
secp256k1_scalar_free(&x);
return 0;
}

View file

@ -11,9 +11,6 @@ typedef struct {
secp256k1_num_t r, s;
} secp256k1_ecdsa_sig_t;
void static secp256k1_ecdsa_sig_init(secp256k1_ecdsa_sig_t *r);
void static secp256k1_ecdsa_sig_free(secp256k1_ecdsa_sig_t *r);
int static secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size);
int static secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_ecdsa_sig_t *a);
int static secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_num_t *message);

View file

@ -12,16 +12,6 @@
#include "ecmult_gen.h"
#include "ecdsa.h"
void static secp256k1_ecdsa_sig_init(secp256k1_ecdsa_sig_t *r) {
secp256k1_num_init(&r->r);
secp256k1_num_init(&r->s);
}
void static secp256k1_ecdsa_sig_free(secp256k1_ecdsa_sig_t *r) {
secp256k1_num_free(&r->r);
secp256k1_num_free(&r->s);
}
int static secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size) {
if (sig[0] != 0x30) return 0;
int lenr = sig[3];
@ -158,20 +148,16 @@ int static secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
secp256k1_fe_get_b32(b, &r.x);
int overflow = 0;
secp256k1_scalar_t sigr;
secp256k1_scalar_init(&sigr);
secp256k1_scalar_set_b32(&sigr, b, &overflow);
if (recid)
*recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
secp256k1_scalar_t n;
secp256k1_scalar_init(&n);
secp256k1_scalar_mul(&n, &sigr, seckey);
secp256k1_scalar_add(&n, &n, message);
secp256k1_scalar_t sigs;
secp256k1_scalar_init(&sigs);
secp256k1_scalar_inverse(&sigs, nonce);
secp256k1_scalar_mul(&sigs, &sigs, &n);
secp256k1_scalar_clear(&n);
secp256k1_scalar_free(&n);
secp256k1_gej_clear(&rp);
secp256k1_ge_clear(&r);
if (secp256k1_scalar_is_zero(&sigs))
@ -183,8 +169,6 @@ int static secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
}
secp256k1_scalar_get_num(&sig->s, &sigs);
secp256k1_scalar_get_num(&sig->r, &sigr);
secp256k1_scalar_free(&sigs);
secp256k1_scalar_free(&sigr);
return 1;
}

View file

@ -117,7 +117,6 @@ static int secp256k1_ecmult_wnaf(int *wnaf, const secp256k1_num_t *a, int w) {
int ret = 0;
int zeroes = 0;
secp256k1_num_t x;
secp256k1_num_init(&x);
secp256k1_num_copy(&x, a);
int sign = 1;
if (secp256k1_num_is_neg(&x)) {
@ -142,7 +141,6 @@ static int secp256k1_ecmult_wnaf(int *wnaf, const secp256k1_num_t *a, int w) {
}
zeroes = w-1;
}
secp256k1_num_free(&x);
return ret;
}
@ -151,8 +149,6 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
#ifdef USE_ENDOMORPHISM
secp256k1_num_t na_1, na_lam;
secp256k1_num_init(&na_1);
secp256k1_num_init(&na_lam);
// split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit)
secp256k1_gej_split_exp(&na_1, &na_lam, na);
@ -179,8 +175,6 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
// Splitted G factors.
secp256k1_num_t ng_1, ng_128;
secp256k1_num_init(&ng_1);
secp256k1_num_init(&ng_128);
// split ng into ng_1 and ng_128 (where gn = gn_1 + gn_128*2^128, and gn_1 and gn_128 are ~128 bit)
secp256k1_num_split(&ng_1, &ng_128, ng, 128);
@ -222,13 +216,6 @@ void static secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const
secp256k1_gej_add_ge(r, r, &tmpa);
}
}
#ifdef USE_ENDOMORPHISM
secp256k1_num_free(&na_1);
secp256k1_num_free(&na_lam);
#endif
secp256k1_num_free(&ng_1);
secp256k1_num_free(&ng_128);
}
#endif

View file

@ -205,11 +205,9 @@ void static secp256k1_fe_inv_var(secp256k1_fe_t *r, const secp256k1_fe_t *a) {
secp256k1_fe_normalize(&c);
secp256k1_fe_get_b32(b, &c);
secp256k1_num_t n;
secp256k1_num_init(&n);
secp256k1_num_set_bin(&n, b, 32);
secp256k1_num_mod_inverse(&n, &n, &secp256k1_fe_consts->p);
secp256k1_num_get_bin(b, 32, &n);
secp256k1_num_free(&n);
secp256k1_fe_set_b32(r, b);
#else
#error "Please select field inverse implementation"
@ -274,7 +272,6 @@ void static secp256k1_fe_start(void) {
if (secp256k1_fe_consts == NULL) {
secp256k1_fe_inner_start();
secp256k1_fe_consts_t *ret = (secp256k1_fe_consts_t*)malloc(sizeof(secp256k1_fe_consts_t));
secp256k1_num_init(&ret->p);
secp256k1_num_set_bin(&ret->p, secp256k1_fe_consts_p, sizeof(secp256k1_fe_consts_p));
secp256k1_fe_consts = ret;
}
@ -283,7 +280,6 @@ void static secp256k1_fe_start(void) {
void static secp256k1_fe_stop(void) {
if (secp256k1_fe_consts != NULL) {
secp256k1_fe_consts_t *c = (secp256k1_fe_consts_t*)secp256k1_fe_consts;
secp256k1_num_free(&c->p);
free((void*)c);
secp256k1_fe_consts = NULL;
secp256k1_fe_inner_stop();

View file

@ -327,12 +327,6 @@ void static secp256k1_gej_split_exp(secp256k1_num_t *r1, secp256k1_num_t *r2, co
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2;
secp256k1_num_init(&bnc1);
secp256k1_num_init(&bnc2);
secp256k1_num_init(&bnt1);
secp256k1_num_init(&bnt2);
secp256k1_num_init(&bnn2);
secp256k1_num_copy(&bnn2, &c->order);
secp256k1_num_shift(&bnn2, 1);
@ -351,12 +345,6 @@ void static secp256k1_gej_split_exp(secp256k1_num_t *r1, secp256k1_num_t *r2, co
secp256k1_num_mul(&bnt1, &bnc1, &c->b1);
secp256k1_num_mul(&bnt2, &bnc2, &c->a1b2);
secp256k1_num_sub(r2, &bnt1, &bnt2);
secp256k1_num_free(&bnc1);
secp256k1_num_free(&bnc2);
secp256k1_num_free(&bnt1);
secp256k1_num_free(&bnt2);
secp256k1_num_free(&bnn2);
}
#endif
@ -410,16 +398,10 @@ void static secp256k1_ge_start(void) {
#endif
if (secp256k1_ge_consts == NULL) {
secp256k1_ge_consts_t *ret = (secp256k1_ge_consts_t*)malloc(sizeof(secp256k1_ge_consts_t));
secp256k1_num_init(&ret->order);
secp256k1_num_init(&ret->half_order);
secp256k1_num_set_bin(&ret->order, secp256k1_ge_consts_order, sizeof(secp256k1_ge_consts_order));
secp256k1_num_copy(&ret->half_order, &ret->order);
secp256k1_num_shift(&ret->half_order, 1);
#ifdef USE_ENDOMORPHISM
secp256k1_num_init(&ret->lambda);
secp256k1_num_init(&ret->a1b2);
secp256k1_num_init(&ret->a2);
secp256k1_num_init(&ret->b1);
secp256k1_num_set_bin(&ret->lambda, secp256k1_ge_consts_lambda, sizeof(secp256k1_ge_consts_lambda));
secp256k1_num_set_bin(&ret->a1b2, secp256k1_ge_consts_a1b2, sizeof(secp256k1_ge_consts_a1b2));
secp256k1_num_set_bin(&ret->a2, secp256k1_ge_consts_a2, sizeof(secp256k1_ge_consts_a2));
@ -437,14 +419,6 @@ void static secp256k1_ge_start(void) {
void static secp256k1_ge_stop(void) {
if (secp256k1_ge_consts != NULL) {
secp256k1_ge_consts_t *c = (secp256k1_ge_consts_t*)secp256k1_ge_consts;
secp256k1_num_free(&c->order);
secp256k1_num_free(&c->half_order);
#ifdef USE_ENDOMORPHISM
secp256k1_num_free(&c->lambda);
secp256k1_num_free(&c->a1b2);
secp256k1_num_free(&c->a2);
secp256k1_num_free(&c->b1);
#endif
free((void*)c);
secp256k1_ge_consts = NULL;
}

View file

@ -15,15 +15,9 @@
#error "Please select num implementation"
#endif
/** Initialize a number. */
void static secp256k1_num_init(secp256k1_num_t *r);
/** Clear a number to prevent the leak of sensitive data. */
void static secp256k1_num_clear(secp256k1_num_t *r);
/** Free a number. */
void static secp256k1_num_free(secp256k1_num_t *r);
/** Copy a number. */
void static secp256k1_num_copy(secp256k1_num_t *r, const secp256k1_num_t *a);

View file

@ -303,6 +303,7 @@ void static secp256k1_num_set_hex(secp256k1_num_t *r, const char *a, int alen) {
num[i] = cvt[(unsigned char)a[i]];
}
r->limbs = mpn_set_str(r->data, num, alen, 16);
r->neg = 0;
while (r->limbs > 1 && r->data[r->limbs-1] == 0) r->limbs--;
}

View file

@ -12,15 +12,9 @@ typedef struct {
secp256k1_num_t n;
} secp256k1_scalar_t;
/** Initialize a scalar. */
void static secp256k1_scalar_init(secp256k1_scalar_t *r);
/** Clear a scalar to prevent the leak of sensitive data. */
void static secp256k1_scalar_clear(secp256k1_scalar_t *r);
/** Free a scalar. */
void static secp256k1_scalar_free(secp256k1_scalar_t *r);
/** Access bits from a scalar. */
int static secp256k1_scalar_get_bits(const secp256k1_scalar_t *a, int offset, int count);

View file

@ -11,18 +11,10 @@
#include "group.h"
void static secp256k1_scalar_init(secp256k1_scalar_t *r) {
secp256k1_num_init(&r->n);
}
void static secp256k1_scalar_clear(secp256k1_scalar_t *r) {
secp256k1_num_clear(&r->n);
}
void static secp256k1_scalar_free(secp256k1_scalar_t *r) {
secp256k1_num_free(&r->n);
}
int static secp256k1_scalar_get_bits(const secp256k1_scalar_t *a, int offset, int count) {
return secp256k1_num_get_bits(&a->n, offset, count);
}

View file

@ -42,9 +42,7 @@ int secp256k1_ecdsa_verify(const unsigned char *msg, int msglen, const unsigned
int ret = -3;
secp256k1_num_t m;
secp256k1_num_init(&m);
secp256k1_ecdsa_sig_t s;
secp256k1_ecdsa_sig_init(&s);
secp256k1_ge_t q;
secp256k1_num_set_bin(&m, msg, msglen);
@ -62,8 +60,6 @@ int secp256k1_ecdsa_verify(const unsigned char *msg, int msglen, const unsigned
}
ret = 1;
end:
secp256k1_ecdsa_sig_free(&s);
secp256k1_num_free(&m);
return ret;
}
@ -77,9 +73,6 @@ int secp256k1_ecdsa_sign(const unsigned char *message, int messagelen, unsigned
DEBUG_CHECK(nonce != NULL);
secp256k1_scalar_t sec, non, msg;
secp256k1_scalar_init(&sec);
secp256k1_scalar_init(&non);
secp256k1_scalar_init(&msg);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
int overflow = 0;
secp256k1_scalar_set_b32(&non, nonce, &overflow);
@ -91,20 +84,15 @@ int secp256k1_ecdsa_sign(const unsigned char *message, int messagelen, unsigned
}
int ret = !secp256k1_scalar_is_zero(&non) && !overflow;
secp256k1_ecdsa_sig_t sig;
secp256k1_ecdsa_sig_init(&sig);
if (ret) {
ret = secp256k1_ecdsa_sig_sign(&sig, &sec, &msg, &non, NULL);
}
if (ret) {
secp256k1_ecdsa_sig_serialize(signature, signaturelen, &sig);
}
secp256k1_ecdsa_sig_free(&sig);
secp256k1_scalar_clear(&msg);
secp256k1_scalar_clear(&non);
secp256k1_scalar_clear(&sec);
secp256k1_scalar_free(&msg);
secp256k1_scalar_free(&non);
secp256k1_scalar_free(&sec);
return ret;
}
@ -117,9 +105,6 @@ int secp256k1_ecdsa_sign_compact(const unsigned char *message, int messagelen, u
DEBUG_CHECK(nonce != NULL);
secp256k1_scalar_t sec, non, msg;
secp256k1_scalar_init(&sec);
secp256k1_scalar_init(&non);
secp256k1_scalar_init(&msg);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
int overflow = 0;
secp256k1_scalar_set_b32(&non, nonce, &overflow);
@ -131,7 +116,6 @@ int secp256k1_ecdsa_sign_compact(const unsigned char *message, int messagelen, u
}
int ret = !secp256k1_scalar_is_zero(&non) && !overflow;
secp256k1_ecdsa_sig_t sig;
secp256k1_ecdsa_sig_init(&sig);
if (ret) {
ret = secp256k1_ecdsa_sig_sign(&sig, &sec, &msg, &non, recid);
}
@ -139,13 +123,9 @@ int secp256k1_ecdsa_sign_compact(const unsigned char *message, int messagelen, u
secp256k1_num_get_bin(sig64, 32, &sig.r);
secp256k1_num_get_bin(sig64 + 32, 32, &sig.s);
}
secp256k1_ecdsa_sig_free(&sig);
secp256k1_scalar_clear(&msg);
secp256k1_scalar_clear(&non);
secp256k1_scalar_clear(&sec);
secp256k1_scalar_free(&msg);
secp256k1_scalar_free(&non);
secp256k1_scalar_free(&sec);
return ret;
}
@ -160,9 +140,7 @@ int secp256k1_ecdsa_recover_compact(const unsigned char *msg, int msglen, const
int ret = 0;
secp256k1_num_t m;
secp256k1_num_init(&m);
secp256k1_ecdsa_sig_t sig;
secp256k1_ecdsa_sig_init(&sig);
secp256k1_num_set_bin(&sig.r, sig64, 32);
secp256k1_num_set_bin(&sig.s, sig64 + 32, 32);
secp256k1_num_set_bin(&m, msg, msglen);
@ -172,8 +150,6 @@ int secp256k1_ecdsa_recover_compact(const unsigned char *msg, int msglen, const
secp256k1_eckey_pubkey_serialize(&q, pubkey, pubkeylen, compressed);
ret = 1;
}
secp256k1_ecdsa_sig_free(&sig);
secp256k1_num_free(&m);
return ret;
}
@ -181,12 +157,10 @@ int secp256k1_ec_seckey_verify(const unsigned char *seckey) {
DEBUG_CHECK(seckey != NULL);
secp256k1_scalar_t sec;
secp256k1_scalar_init(&sec);
int overflow;
secp256k1_scalar_set_b32(&sec, seckey, &overflow);
int ret = !secp256k1_scalar_is_zero(&sec) && !overflow;
secp256k1_scalar_clear(&sec);
secp256k1_scalar_free(&sec);
return ret;
}
@ -204,12 +178,10 @@ int secp256k1_ec_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsi
DEBUG_CHECK(seckey != NULL);
secp256k1_scalar_t sec;
secp256k1_scalar_init(&sec);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
secp256k1_gej_t pj;
secp256k1_ecmult_gen(&pj, &sec);
secp256k1_scalar_clear(&sec);
secp256k1_scalar_free(&sec);
secp256k1_ge_t p;
secp256k1_ge_set_gej(&p, &pj);
secp256k1_eckey_pubkey_serialize(&p, pubkey, pubkeylen, compressed);
@ -232,11 +204,9 @@ int secp256k1_ec_privkey_tweak_add(unsigned char *seckey, const unsigned char *t
DEBUG_CHECK(tweak != NULL);
secp256k1_scalar_t term;
secp256k1_scalar_init(&term);
int overflow = 0;
secp256k1_scalar_set_b32(&term, tweak, &overflow);
secp256k1_scalar_t sec;
secp256k1_scalar_init(&sec);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
int ret = secp256k1_eckey_privkey_tweak_add(&sec, &term) && !overflow;
@ -246,8 +216,6 @@ int secp256k1_ec_privkey_tweak_add(unsigned char *seckey, const unsigned char *t
secp256k1_scalar_clear(&sec);
secp256k1_scalar_clear(&term);
secp256k1_scalar_free(&sec);
secp256k1_scalar_free(&term);
return ret;
}
@ -257,7 +225,6 @@ int secp256k1_ec_pubkey_tweak_add(unsigned char *pubkey, int pubkeylen, const un
DEBUG_CHECK(tweak != NULL);
secp256k1_num_t term;
secp256k1_num_init(&term);
secp256k1_num_set_bin(&term, tweak, 32);
secp256k1_ge_t p;
int ret = secp256k1_eckey_pubkey_parse(&p, pubkey, pubkeylen);
@ -270,7 +237,6 @@ int secp256k1_ec_pubkey_tweak_add(unsigned char *pubkey, int pubkeylen, const un
VERIFY_CHECK(pubkeylen == oldlen);
}
secp256k1_num_free(&term);
return ret;
}
@ -279,11 +245,9 @@ int secp256k1_ec_privkey_tweak_mul(unsigned char *seckey, const unsigned char *t
DEBUG_CHECK(tweak != NULL);
secp256k1_scalar_t factor;
secp256k1_scalar_init(&factor);
int overflow = 0;
secp256k1_scalar_set_b32(&factor, tweak, &overflow);
secp256k1_scalar_t sec;
secp256k1_scalar_init(&sec);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
int ret = secp256k1_eckey_privkey_tweak_mul(&sec, &factor) && !overflow;
if (ret) {
@ -292,8 +256,6 @@ int secp256k1_ec_privkey_tweak_mul(unsigned char *seckey, const unsigned char *t
secp256k1_scalar_clear(&sec);
secp256k1_scalar_clear(&factor);
secp256k1_scalar_free(&sec);
secp256k1_scalar_free(&factor);
return ret;
}
@ -303,7 +265,6 @@ int secp256k1_ec_pubkey_tweak_mul(unsigned char *pubkey, int pubkeylen, const un
DEBUG_CHECK(tweak != NULL);
secp256k1_num_t factor;
secp256k1_num_init(&factor);
secp256k1_num_set_bin(&factor, tweak, 32);
secp256k1_ge_t p;
int ret = secp256k1_eckey_pubkey_parse(&p, pubkey, pubkeylen);
@ -316,7 +277,6 @@ int secp256k1_ec_pubkey_tweak_mul(unsigned char *pubkey, int pubkeylen, const un
VERIFY_CHECK(pubkeylen == oldlen);
}
secp256k1_num_free(&factor);
return ret;
}
@ -326,11 +286,9 @@ int secp256k1_ec_privkey_export(const unsigned char *seckey, unsigned char *priv
DEBUG_CHECK(privkeylen != NULL);
secp256k1_scalar_t key;
secp256k1_scalar_init(&key);
secp256k1_scalar_set_b32(&key, seckey, NULL);
int ret = secp256k1_eckey_privkey_serialize(privkey, privkeylen, &key, compressed);
secp256k1_scalar_clear(&key);
secp256k1_scalar_free(&key);
return ret;
}
@ -339,11 +297,9 @@ int secp256k1_ec_privkey_import(unsigned char *seckey, const unsigned char *priv
DEBUG_CHECK(privkey != NULL);
secp256k1_scalar_t key;
secp256k1_scalar_init(&key);
int ret = secp256k1_eckey_privkey_parse(&key, privkey, privkeylen);
if (ret)
secp256k1_scalar_get_b32(seckey, &key);
secp256k1_scalar_clear(&key);
secp256k1_scalar_free(&key);
return ret;
}

View file

@ -68,8 +68,6 @@ void random_num_order(secp256k1_num_t *num) {
void test_num_copy_inc_cmp() {
secp256k1_num_t n1,n2;
secp256k1_num_init(&n1);
secp256k1_num_init(&n2);
random_num_order(&n1);
secp256k1_num_copy(&n2, &n1);
CHECK(secp256k1_num_eq(&n1, &n2));
@ -77,15 +75,11 @@ void test_num_copy_inc_cmp() {
secp256k1_num_inc(&n2);
CHECK(!secp256k1_num_eq(&n1, &n2));
CHECK(!secp256k1_num_eq(&n2, &n1));
secp256k1_num_free(&n1);
secp256k1_num_free(&n2);
}
void test_num_get_set_hex() {
secp256k1_num_t n1,n2;
secp256k1_num_init(&n1);
secp256k1_num_init(&n2);
random_num_order_test(&n1);
char c[64];
secp256k1_num_get_hex(c, 64, &n1);
@ -103,14 +97,10 @@ void test_num_get_set_hex() {
secp256k1_num_set_hex(&n2, c, 64);
CHECK(secp256k1_num_eq(&n1, &n2));
}
secp256k1_num_free(&n2);
secp256k1_num_free(&n1);
}
void test_num_get_set_bin() {
secp256k1_num_t n1,n2;
secp256k1_num_init(&n1);
secp256k1_num_init(&n2);
random_num_order_test(&n1);
unsigned char c[32];
secp256k1_num_get_bin(c, 32, &n1);
@ -127,13 +117,10 @@ void test_num_get_set_bin() {
secp256k1_num_set_bin(&n2, c, 32);
CHECK(secp256k1_num_eq(&n1, &n2));
}
secp256k1_num_free(&n2);
secp256k1_num_free(&n1);
}
void run_num_int() {
secp256k1_num_t n1;
secp256k1_num_init(&n1);
for (int i=-255; i<256; i++) {
unsigned char c1[3] = {};
c1[2] = abs(i);
@ -142,14 +129,11 @@ void run_num_int() {
secp256k1_num_get_bin(c2, 3, &n1);
CHECK(memcmp(c1, c2, 3) == 0);
}
secp256k1_num_free(&n1);
}
void test_num_negate() {
secp256k1_num_t n1;
secp256k1_num_t n2;
secp256k1_num_init(&n1);
secp256k1_num_init(&n2);
random_num_order_test(&n1); // n1 = R
random_num_negate(&n1);
secp256k1_num_copy(&n2, &n1); // n2 = R
@ -165,16 +149,12 @@ void test_num_negate() {
CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
secp256k1_num_negate(&n1); // n1 = R
CHECK(secp256k1_num_eq(&n1, &n2));
secp256k1_num_free(&n2);
secp256k1_num_free(&n1);
}
void test_num_add_sub() {
int r = secp256k1_rand32();
secp256k1_num_t n1;
secp256k1_num_t n2;
secp256k1_num_init(&n1);
secp256k1_num_init(&n2);
random_num_order_test(&n1); // n1 = R1
if (r & 1) {
random_num_negate(&n1);
@ -184,10 +164,6 @@ void test_num_add_sub() {
random_num_negate(&n2);
}
secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
secp256k1_num_init(&n1p2);
secp256k1_num_init(&n2p1);
secp256k1_num_init(&n1m2);
secp256k1_num_init(&n2m1);
secp256k1_num_add(&n1p2, &n1, &n2); // n1p2 = R1 + R2
secp256k1_num_add(&n2p1, &n2, &n1); // n2p1 = R2 + R1
secp256k1_num_sub(&n1m2, &n1, &n2); // n1m2 = R1 - R2
@ -202,12 +178,6 @@ void test_num_add_sub() {
CHECK(!secp256k1_num_eq(&n2p1, &n1));
secp256k1_num_sub(&n2p1, &n2p1, &n2); // n2p1 = R2 + R1 - R2 = R1
CHECK(secp256k1_num_eq(&n2p1, &n1));
secp256k1_num_free(&n2m1);
secp256k1_num_free(&n1m2);
secp256k1_num_free(&n2p1);
secp256k1_num_free(&n1p2);
secp256k1_num_free(&n2);
secp256k1_num_free(&n1);
}
void run_num_smalltests() {
@ -225,11 +195,9 @@ void run_num_smalltests() {
int secp256k1_scalar_eq(const secp256k1_scalar_t *s1, const secp256k1_scalar_t *s2) {
secp256k1_scalar_t t;
secp256k1_scalar_init(&t);
secp256k1_scalar_negate(&t, s2);
secp256k1_scalar_add(&t, &t, s1);
int ret = secp256k1_scalar_is_zero(&t);
secp256k1_scalar_free(&t);
return ret;
}
@ -239,40 +207,31 @@ void scalar_test(void) {
// Set 's' to a random scalar, with value 'snum'.
secp256k1_rand256_test(c);
secp256k1_scalar_t s;
secp256k1_scalar_init(&s);
secp256k1_scalar_set_b32(&s, c, NULL);
secp256k1_num_t snum;
secp256k1_num_init(&snum);
secp256k1_num_set_bin(&snum, c, 32);
secp256k1_num_mod(&snum, &secp256k1_ge_consts->order);
// Set 's1' to a random scalar, with value 's1num'.
secp256k1_rand256_test(c);
secp256k1_scalar_t s1;
secp256k1_scalar_init(&s1);
secp256k1_scalar_set_b32(&s1, c, NULL);
secp256k1_num_t s1num;
secp256k1_num_init(&s1num);
secp256k1_num_set_bin(&s1num, c, 32);
secp256k1_num_mod(&s1num, &secp256k1_ge_consts->order);
// Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'.
secp256k1_rand256_test(c);
secp256k1_scalar_t s2;
secp256k1_scalar_init(&s2);
int overflow = 0;
secp256k1_scalar_set_b32(&s2, c, &overflow);
secp256k1_num_t s2num;
secp256k1_num_init(&s2num);
secp256k1_num_set_bin(&s2num, c, 32);
secp256k1_num_mod(&s2num, &secp256k1_ge_consts->order);
{
// Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it.
secp256k1_num_t n, t, m;
secp256k1_num_init(&n);
secp256k1_num_init(&t);
secp256k1_num_init(&m);
secp256k1_num_set_int(&n, 0);
secp256k1_num_set_int(&m, 16);
for (int i = 0; i < 256; i += 4) {
@ -281,9 +240,6 @@ void scalar_test(void) {
secp256k1_num_add(&n, &n, &t);
}
CHECK(secp256k1_num_eq(&n, &snum));
secp256k1_num_free(&m);
secp256k1_num_free(&t);
secp256k1_num_free(&n);
}
{
@ -300,32 +256,23 @@ void scalar_test(void) {
{
// Test that adding the scalars together is equal to adding their numbers together modulo the order.
secp256k1_num_t rnum;
secp256k1_num_init(&rnum);
secp256k1_num_add(&rnum, &snum, &s2num);
secp256k1_num_mod(&rnum, &secp256k1_ge_consts->order);
secp256k1_scalar_t r;
secp256k1_scalar_init(&r);
secp256k1_scalar_add(&r, &s, &s2);
secp256k1_num_t r2num;
secp256k1_num_init(&r2num);
secp256k1_scalar_get_num(&r2num, &r);
CHECK(secp256k1_num_eq(&rnum, &r2num));
secp256k1_num_free(&r2num);
secp256k1_num_free(&rnum);
secp256k1_scalar_free(&r);
}
{
// Test that multipying the scalars is equal to multiplying their numbers modulo the order.
secp256k1_num_t rnum;
secp256k1_num_init(&rnum);
secp256k1_num_mul(&rnum, &snum, &s2num);
secp256k1_num_mod(&rnum, &secp256k1_ge_consts->order);
secp256k1_scalar_t r;
secp256k1_scalar_init(&r);
secp256k1_scalar_mul(&r, &s, &s2);
secp256k1_num_t r2num;
secp256k1_num_init(&r2num);
secp256k1_scalar_get_num(&r2num, &r);
CHECK(secp256k1_num_eq(&rnum, &r2num));
// The result can only be zero if at least one of the factors was zero.
@ -333,9 +280,6 @@ void scalar_test(void) {
// The results can only be equal to one of the factors if that factor was zero, or the other factor was one.
CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
secp256k1_num_free(&r2num);
secp256k1_num_free(&rnum);
secp256k1_scalar_free(&r);
}
{
@ -344,10 +288,8 @@ void scalar_test(void) {
// Check that comparison with the half order is equal to testing for high scalar.
CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &secp256k1_ge_consts->half_order) > 0));
secp256k1_scalar_t neg;
secp256k1_scalar_init(&neg);
secp256k1_scalar_negate(&neg, &s);
secp256k1_num_t negnum;
secp256k1_num_init(&negnum);
secp256k1_num_sub(&negnum, &secp256k1_ge_consts->order, &snum);
secp256k1_num_mod(&negnum, &secp256k1_ge_consts->order);
// Check that comparison with the half order is equal to testing for high scalar after negation.
@ -355,7 +297,6 @@ void scalar_test(void) {
// Negating should change the high property, unless the value was already zero.
CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
secp256k1_num_t negnum2;
secp256k1_num_init(&negnum2);
secp256k1_scalar_get_num(&negnum2, &neg);
// Negating a scalar should be equal to (order - n) mod order on the number.
CHECK(secp256k1_num_eq(&negnum, &negnum2));
@ -365,22 +306,16 @@ void scalar_test(void) {
secp256k1_scalar_negate(&neg, &neg);
// Negating zero should still result in zero.
CHECK(secp256k1_scalar_is_zero(&neg));
secp256k1_num_free(&negnum);
secp256k1_num_free(&negnum2);
secp256k1_scalar_free(&neg);
}
{
// Test that scalar inverses are equal to the inverse of their number modulo the order.
if (!secp256k1_scalar_is_zero(&s)) {
secp256k1_scalar_t inv;
secp256k1_scalar_init(&inv);
secp256k1_scalar_inverse(&inv, &s);
secp256k1_num_t invnum;
secp256k1_num_init(&invnum);
secp256k1_num_mod_inverse(&invnum, &snum, &secp256k1_ge_consts->order);
secp256k1_num_t invnum2;
secp256k1_num_init(&invnum2);
secp256k1_scalar_get_num(&invnum2, &inv);
CHECK(secp256k1_num_eq(&invnum, &invnum2));
secp256k1_scalar_mul(&inv, &inv, &s);
@ -389,87 +324,55 @@ void scalar_test(void) {
secp256k1_scalar_inverse(&inv, &inv);
// Inverting one must result in one.
CHECK(secp256k1_scalar_is_one(&inv));
secp256k1_num_free(&invnum);
secp256k1_num_free(&invnum2);
secp256k1_scalar_free(&inv);
}
}
{
// Test commutativity of add.
secp256k1_scalar_t r1, r2;
secp256k1_scalar_init(&r1);
secp256k1_scalar_init(&r2);
secp256k1_scalar_add(&r1, &s1, &s2);
secp256k1_scalar_add(&r2, &s2, &s1);
CHECK(secp256k1_scalar_eq(&r1, &r2));
secp256k1_scalar_free(&r1);
secp256k1_scalar_free(&r2);
}
{
// Test commutativity of mul.
secp256k1_scalar_t r1, r2;
secp256k1_scalar_init(&r1);
secp256k1_scalar_init(&r2);
secp256k1_scalar_mul(&r1, &s1, &s2);
secp256k1_scalar_mul(&r2, &s2, &s1);
CHECK(secp256k1_scalar_eq(&r1, &r2));
secp256k1_scalar_free(&r1);
secp256k1_scalar_free(&r2);
}
{
// Test associativity of add.
secp256k1_scalar_t r1, r2;
secp256k1_scalar_init(&r1);
secp256k1_scalar_init(&r2);
secp256k1_scalar_add(&r1, &s1, &s2);
secp256k1_scalar_add(&r1, &r1, &s);
secp256k1_scalar_add(&r2, &s2, &s);
secp256k1_scalar_add(&r2, &s1, &r2);
CHECK(secp256k1_scalar_eq(&r1, &r2));
secp256k1_scalar_free(&r1);
secp256k1_scalar_free(&r2);
}
{
// Test associativity of mul.
secp256k1_scalar_t r1, r2;
secp256k1_scalar_init(&r1);
secp256k1_scalar_init(&r2);
secp256k1_scalar_mul(&r1, &s1, &s2);
secp256k1_scalar_mul(&r1, &r1, &s);
secp256k1_scalar_mul(&r2, &s2, &s);
secp256k1_scalar_mul(&r2, &s1, &r2);
CHECK(secp256k1_scalar_eq(&r1, &r2));
secp256k1_scalar_free(&r1);
secp256k1_scalar_free(&r2);
}
{
// Test distributitivity of mul over add.
secp256k1_scalar_t r1, r2, t;
secp256k1_scalar_init(&r1);
secp256k1_scalar_init(&r2);
secp256k1_scalar_init(&t);
secp256k1_scalar_add(&r1, &s1, &s2);
secp256k1_scalar_mul(&r1, &r1, &s);
secp256k1_scalar_mul(&r2, &s1, &s);
secp256k1_scalar_mul(&t, &s2, &s);
secp256k1_scalar_add(&r2, &r2, &t);
CHECK(secp256k1_scalar_eq(&r1, &r2));
secp256k1_scalar_free(&r1);
secp256k1_scalar_free(&r2);
secp256k1_scalar_free(&t);
}
secp256k1_num_free(&snum);
secp256k1_scalar_free(&s);
secp256k1_num_free(&s1num);
secp256k1_scalar_free(&s1);
secp256k1_num_free(&s2num);
secp256k1_scalar_free(&s2);
}
void run_scalar_tests(void) {
@ -644,24 +547,18 @@ void run_ecmult_chain() {
secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
// two random initial factors xn and gn
secp256k1_num_t xn;
secp256k1_num_init(&xn);
secp256k1_num_set_hex(&xn, "84cc5452f7fde1edb4d38a8ce9b1b84ccef31f146e569be9705d357a42985407", 64);
secp256k1_num_t gn;
secp256k1_num_init(&gn);
secp256k1_num_set_hex(&gn, "a1e58d22553dcd42b23980625d4c57a96e9323d42b3152e5ca2c3990edc7c9de", 64);
// two small multipliers to be applied to xn and gn in every iteration:
secp256k1_num_t xf;
secp256k1_num_init(&xf);
secp256k1_num_set_hex(&xf, "1337", 4);
secp256k1_num_t gf;
secp256k1_num_init(&gf);
secp256k1_num_set_hex(&gf, "7113", 4);
// accumulators with the resulting coefficients to A and G
secp256k1_num_t ae;
secp256k1_num_init(&ae);
secp256k1_num_set_int(&ae, 1);
secp256k1_num_t ge;
secp256k1_num_init(&ge);
secp256k1_num_set_int(&ge, 0);
// the point being computed
secp256k1_gej_t x = a;
@ -694,24 +591,16 @@ void run_ecmult_chain() {
secp256k1_gej_get_hex(res2, &resl2, &x2);
CHECK(strcmp(res, res2) == 0);
CHECK(strlen(res) == 131);
secp256k1_num_free(&xn);
secp256k1_num_free(&gn);
secp256k1_num_free(&xf);
secp256k1_num_free(&gf);
secp256k1_num_free(&ae);
secp256k1_num_free(&ge);
}
void test_point_times_order(const secp256k1_gej_t *point) {
// multiplying a point by the order results in O
const secp256k1_num_t *order = &secp256k1_ge_consts->order;
secp256k1_num_t zero;
secp256k1_num_init(&zero);
secp256k1_num_set_int(&zero, 0);
secp256k1_gej_t res;
secp256k1_ecmult(&res, point, order, order); // calc res = order * point + order * G;
CHECK(secp256k1_gej_is_infinity(&res));
secp256k1_num_free(&zero);
}
void run_point_times_order() {
@ -734,9 +623,6 @@ void run_point_times_order() {
void test_wnaf(const secp256k1_num_t *number, int w) {
secp256k1_num_t x, two, t;
secp256k1_num_init(&x);
secp256k1_num_init(&two);
secp256k1_num_init(&t);
secp256k1_num_set_int(&x, 0);
secp256k1_num_set_int(&two, 2);
int wnaf[257];
@ -759,54 +645,39 @@ void test_wnaf(const secp256k1_num_t *number, int w) {
secp256k1_num_add(&x, &x, &t);
}
CHECK(secp256k1_num_eq(&x, number)); // check that wnaf represents number
secp256k1_num_free(&x);
secp256k1_num_free(&two);
secp256k1_num_free(&t);
}
void run_wnaf() {
secp256k1_num_t n;
secp256k1_num_init(&n);
for (int i=0; i<count; i++) {
random_num_order(&n);
if (i % 1)
secp256k1_num_negate(&n);
test_wnaf(&n, 4+(i%10));
}
secp256k1_num_free(&n);
}
void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
secp256k1_scalar_t nonce;
secp256k1_scalar_init(&nonce);
do {
random_scalar_order_test(&nonce);
} while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
secp256k1_scalar_free(&nonce);
}
void test_ecdsa_sign_verify() {
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
secp256k1_scalar_t msg, key;
secp256k1_scalar_init(&msg);
random_scalar_order_test(&msg);
secp256k1_scalar_init(&key);
random_scalar_order_test(&key);
secp256k1_gej_t pubj; secp256k1_ecmult_gen(&pubj, &key);
secp256k1_ge_t pub; secp256k1_ge_set_gej(&pub, &pubj);
secp256k1_ecdsa_sig_t sig;
secp256k1_ecdsa_sig_init(&sig);
random_sign(&sig, &key, &msg, NULL);
secp256k1_num_t msg_num;
secp256k1_num_init(&msg_num);
secp256k1_scalar_get_num(&msg_num, &msg);
CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg_num));
secp256k1_num_inc(&msg_num);
CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg_num));
secp256k1_ecdsa_sig_free(&sig);
secp256k1_num_free(&msg_num);
secp256k1_scalar_free(&msg);
secp256k1_scalar_free(&key);
}
void run_ecdsa_sign_verify() {
@ -822,14 +693,10 @@ void test_ecdsa_end_to_end() {
// Generate a random key and message.
{
secp256k1_num_t msg, key;
secp256k1_num_init(&msg);
random_num_order_test(&msg);
secp256k1_num_init(&key);
random_num_order_test(&key);
secp256k1_num_get_bin(privkey, 32, &key);
secp256k1_num_get_bin(message, 32, &msg);
secp256k1_num_free(&msg);
secp256k1_num_free(&key);
}
// Construct and verify corresponding public key.
@ -931,11 +798,9 @@ EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
void test_ecdsa_openssl() {
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
secp256k1_scalar_t key, msg;
secp256k1_scalar_init(&msg);
unsigned char message[32];
secp256k1_rand256_test(message);
secp256k1_scalar_set_b32(&msg, message, NULL);
secp256k1_scalar_init(&key);
random_scalar_order_test(&key);
secp256k1_gej_t qj;
secp256k1_ecmult_gen(&qj, &key);
@ -947,25 +812,19 @@ void test_ecdsa_openssl() {
int sigsize = 80;
CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
secp256k1_ecdsa_sig_t sig;
secp256k1_ecdsa_sig_init(&sig);
CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
secp256k1_num_t msg_num;
secp256k1_num_init(&msg_num);
secp256k1_scalar_get_num(&msg_num, &msg);
CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg_num));
secp256k1_num_inc(&sig.r);
CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg_num));
secp256k1_num_free(&msg_num);
random_sign(&sig, &key, &msg, NULL);
sigsize = 80;
CHECK(secp256k1_ecdsa_sig_serialize(signature, &sigsize, &sig));
CHECK(ECDSA_verify(0, message, sizeof(message), signature, sigsize, ec_key) == 1);
secp256k1_ecdsa_sig_free(&sig);
EC_KEY_free(ec_key);
secp256k1_scalar_free(&key);
secp256k1_scalar_free(&msg);
}
void run_ecdsa_openssl() {