src/secp256k1/src/tests_exhaustive.c
Show First 20 Lines • Show All 209 Lines • ▼ Show 20 Lines | for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { | ||||
} | } | ||||
} | } | ||||
} | } | ||||
} | } | ||||
} | } | ||||
secp256k1_scratch_destroy(&ctx->error_callback, scratch); | secp256k1_scratch_destroy(&ctx->error_callback, scratch); | ||||
} | } | ||||
void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k) { | void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k, int* overflow) { | ||||
secp256k1_fe x; | secp256k1_fe x; | ||||
unsigned char x_bin[32]; | unsigned char x_bin[32]; | ||||
k %= EXHAUSTIVE_TEST_ORDER; | k %= EXHAUSTIVE_TEST_ORDER; | ||||
x = group[k].x; | x = group[k].x; | ||||
secp256k1_fe_normalize(&x); | secp256k1_fe_normalize(&x); | ||||
secp256k1_fe_get_b32(x_bin, &x); | secp256k1_fe_get_b32(x_bin, &x); | ||||
secp256k1_scalar_set_b32(r, x_bin, NULL); | secp256k1_scalar_set_b32(r, x_bin, overflow); | ||||
} | } | ||||
void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group) { | void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group) { | ||||
int s, r, msg, key; | int s, r, msg, key; | ||||
for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) { | for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) { | ||||
for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) { | for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) { | ||||
for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) { | for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) { | ||||
for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) { | for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) { | ||||
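Review bot: The new `overflow` out-parameter of r_from_k is never consumed: both call sites in this changeset pass `NULL` (the r_from_k call inside the k loop of test_exhaustive_verify and the one just before `CHECK(r == expected_r);` in the signing loop), so a scalar overflow reported by secp256k1_scalar_set_b32 still goes unobserved by the tests. If the intent is to check it, the signing-loop call should become `int overflow; r_from_k(&expected_r, group, k, &overflow);` followed by a CHECK that pins whether overflow is expected for that k; if the parameter is meant to stay optional, that should be stated in a comment on r_from_k. Whether secp256k1_scalar_set_b32 accepts a NULL overflow pointer is not visible here, so the NULL calls rest on that contract. The declarator spelling `int* overflow` also differs from the rest of the signature (`secp256k1_scalar *r`); `int *overflow` matches the file. r_from_k has no header comment; a one-liner such as `/* Reduce the x coordinate of group[k] to a scalar r; *overflow (if non-NULL) receives the overflow flag from secp256k1_scalar_set_b32. */` would document the contract.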
Show All 11 Lines | for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) { | ||||
secp256k1_scalar_set_int(&sk_s, key); | secp256k1_scalar_set_int(&sk_s, key); | ||||
/* Verify by hand */ | /* Verify by hand */ | ||||
/* Run through every k value that gives us this r and check that *one* works. | /* Run through every k value that gives us this r and check that *one* works. | ||||
* Note there could be none, there could be multiple, ECDSA is weird. */ | * Note there could be none, there could be multiple, ECDSA is weird. */ | ||||
should_verify = 0; | should_verify = 0; | ||||
for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) { | for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) { | ||||
secp256k1_scalar check_x_s; | secp256k1_scalar check_x_s; | ||||
r_from_k(&check_x_s, group, k); | r_from_k(&check_x_s, group, k, NULL); | ||||
if (r_s == check_x_s) { | if (r_s == check_x_s) { | ||||
secp256k1_scalar_set_int(&s_times_k_s, k); | secp256k1_scalar_set_int(&s_times_k_s, k); | ||||
secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); | secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); | ||||
secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); | secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); | ||||
secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); | secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); | ||||
should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); | should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); | ||||
} | } | ||||
} | } | ||||
Show All 30 Lines | for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { /* message */ | ||||
secp256k1_scalar_get_b32(msg32, &msg); | secp256k1_scalar_get_b32(msg32, &msg); | ||||
secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k); | secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k); | ||||
secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig); | secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig); | ||||
/* Note that we compute expected_r *after* signing -- this is important | /* Note that we compute expected_r *after* signing -- this is important | ||||
* because our nonce-computing function function might change k during | * because our nonce-computing function function might change k during | ||||
* signing. */ | * signing. */ | ||||
r_from_k(&expected_r, group, k); | r_from_k(&expected_r, group, k, NULL); | ||||
CHECK(r == expected_r); | CHECK(r == expected_r); | ||||
CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER || | CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER || | ||||
(k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER); | (k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER); | ||||
/* Overflow means we've tried every possible nonce */ | /* Overflow means we've tried every possible nonce */ | ||||
if (k < starting_k) { | if (k < starting_k) { | ||||
break; | break; | ||||
} | } | ||||