github.com/klaytn/klaytn@v1.12.1/crypto/secp256k1/libsecp256k1/src/tests_exhaustive.c (about)

     1  /***********************************************************************
     2   * Copyright (c) 2016 Andrew Poelstra                                 *
     3   * Distributed under the MIT software license, see the accompanying   *
     4   * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
     5   **********************************************************************/
     6  
     7  #if defined HAVE_CONFIG_H
     8  #include "libsecp256k1-config.h"
     9  #endif
    10  
    11  #include <stdio.h>
    12  #include <stdlib.h>
    13  
    14  #include <time.h>
    15  
    16  #undef USE_ECMULT_STATIC_PRECOMPUTATION
    17  
    18  #ifndef EXHAUSTIVE_TEST_ORDER
    19  /* see group_impl.h for allowable values */
    20  #define EXHAUSTIVE_TEST_ORDER 13
    21  #define EXHAUSTIVE_TEST_LAMBDA 9   /* cube root of 1 mod 13 */
    22  #endif
    23  
    24  #include "include/secp256k1.h"
    25  #include "group.h"
    26  #include "secp256k1.c"
    27  #include "testrand_impl.h"
    28  
    29  #ifdef ENABLE_MODULE_RECOVERY
    30  #include "src/modules/recovery/main_impl.h"
    31  #include "include/secp256k1_recovery.h"
    32  #endif
    33  
    34  /** stolen from tests.c */
    35  void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
    36      CHECK(a->infinity == b->infinity);
    37      if (a->infinity) {
    38          return;
    39      }
    40      CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
    41      CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
    42  }
    43  
    44  void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
    45      secp256k1_fe z2s;
    46      secp256k1_fe u1, u2, s1, s2;
    47      CHECK(a->infinity == b->infinity);
    48      if (a->infinity) {
    49          return;
    50      }
    51      /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
    52      secp256k1_fe_sqr(&z2s, &b->z);
    53      secp256k1_fe_mul(&u1, &a->x, &z2s);
    54      u2 = b->x; secp256k1_fe_normalize_weak(&u2);
    55      secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
    56      s2 = b->y; secp256k1_fe_normalize_weak(&s2);
    57      CHECK(secp256k1_fe_equal_var(&u1, &u2));
    58      CHECK(secp256k1_fe_equal_var(&s1, &s2));
    59  }
    60  
    61  void random_fe(secp256k1_fe *x) {
    62      unsigned char bin[32];
    63      do {
    64          secp256k1_rand256(bin);
    65          if (secp256k1_fe_set_b32(x, bin)) {
    66              return;
    67          }
    68      } while(1);
    69  }
    70  /** END stolen from tests.c */
    71  
    72  int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32,
    73                                        const unsigned char *key32, const unsigned char *algo16,
    74                                        void *data, unsigned int attempt) {
    75      secp256k1_scalar s;
    76      int *idata = data;
    77      (void)msg32;
    78      (void)key32;
    79      (void)algo16;
    80      /* Some nonces cannot be used because they'd cause s and/or r to be zero.
    81       * The signing function has retry logic here that just re-calls the nonce
    82       * function with an increased `attempt`. So if attempt > 0 this means we
    83       * need to change the nonce to avoid an infinite loop. */
    84      if (attempt > 0) {
    85          *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER;
    86      }
    87      secp256k1_scalar_set_int(&s, *idata);
    88      secp256k1_scalar_get_b32(nonce32, &s);
    89      return 1;
    90  }
    91  
    92  #ifdef USE_ENDOMORPHISM
    93  void test_exhaustive_endomorphism(const secp256k1_ge *group, int order) {
    94      int i;
    95      for (i = 0; i < order; i++) {
    96          secp256k1_ge res;
    97          secp256k1_ge_mul_lambda(&res, &group[i]);
    98          ge_equals_ge(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res);
    99      }
   100  }
   101  #endif
   102  
   103  void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj, int order) {
   104      int i, j;
   105  
   106      /* Sanity-check (and check infinity functions) */
   107      CHECK(secp256k1_ge_is_infinity(&group[0]));
   108      CHECK(secp256k1_gej_is_infinity(&groupj[0]));
   109      for (i = 1; i < order; i++) {
   110          CHECK(!secp256k1_ge_is_infinity(&group[i]));
   111          CHECK(!secp256k1_gej_is_infinity(&groupj[i]));
   112      }
   113  
   114      /* Check all addition formulae */
   115      for (j = 0; j < order; j++) {
   116          secp256k1_fe fe_inv;
   117          secp256k1_fe_inv(&fe_inv, &groupj[j].z);
   118          for (i = 0; i < order; i++) {
   119              secp256k1_ge zless_gej;
   120              secp256k1_gej tmp;
   121              /* add_var */
   122              secp256k1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL);
   123              ge_equals_gej(&group[(i + j) % order], &tmp);
   124              /* add_ge */
   125              if (j > 0) {
   126                  secp256k1_gej_add_ge(&tmp, &groupj[i], &group[j]);
   127                  ge_equals_gej(&group[(i + j) % order], &tmp);
   128              }
   129              /* add_ge_var */
   130              secp256k1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL);
   131              ge_equals_gej(&group[(i + j) % order], &tmp);
   132              /* add_zinv_var */
   133              zless_gej.infinity = groupj[j].infinity;
   134              zless_gej.x = groupj[j].x;
   135              zless_gej.y = groupj[j].y;
   136              secp256k1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv);
   137              ge_equals_gej(&group[(i + j) % order], &tmp);
   138          }
   139      }
   140  
   141      /* Check doubling */
   142      for (i = 0; i < order; i++) {
   143          secp256k1_gej tmp;
   144          if (i > 0) {
   145              secp256k1_gej_double_nonzero(&tmp, &groupj[i], NULL);
   146              ge_equals_gej(&group[(2 * i) % order], &tmp);
   147          }
   148          secp256k1_gej_double_var(&tmp, &groupj[i], NULL);
   149          ge_equals_gej(&group[(2 * i) % order], &tmp);
   150      }
   151  
   152      /* Check negation */
   153      for (i = 1; i < order; i++) {
   154          secp256k1_ge tmp;
   155          secp256k1_gej tmpj;
   156          secp256k1_ge_neg(&tmp, &group[i]);
   157          ge_equals_ge(&group[order - i], &tmp);
   158          secp256k1_gej_neg(&tmpj, &groupj[i]);
   159          ge_equals_gej(&group[order - i], &tmpj);
   160      }
   161  }
   162  
   163  void test_exhaustive_ecmult(const secp256k1_context *ctx, const secp256k1_ge *group, const secp256k1_gej *groupj, int order) {
   164      int i, j, r_log;
   165      for (r_log = 1; r_log < order; r_log++) {
   166          for (j = 0; j < order; j++) {
   167              for (i = 0; i < order; i++) {
   168                  secp256k1_gej tmp;
   169                  secp256k1_scalar na, ng;
   170                  secp256k1_scalar_set_int(&na, i);
   171                  secp256k1_scalar_set_int(&ng, j);
   172  
   173                  secp256k1_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng);
   174                  ge_equals_gej(&group[(i * r_log + j) % order], &tmp);
   175  
   176                  if (i > 0) {
   177                      secp256k1_ecmult_const(&tmp, &group[i], &ng);
   178                      ge_equals_gej(&group[(i * j) % order], &tmp);
   179                  }
   180              }
   181          }
   182      }
   183  }
   184  
   185  void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k) {
   186      secp256k1_fe x;
   187      unsigned char x_bin[32];
   188      k %= EXHAUSTIVE_TEST_ORDER;
   189      x = group[k].x;
   190      secp256k1_fe_normalize(&x);
   191      secp256k1_fe_get_b32(x_bin, &x);
   192      secp256k1_scalar_set_b32(r, x_bin, NULL);
   193  }
   194  
   195  void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group, int order) {
   196      int s, r, msg, key;
   197      for (s = 1; s < order; s++) {
   198          for (r = 1; r < order; r++) {
   199              for (msg = 1; msg < order; msg++) {
   200                  for (key = 1; key < order; key++) {
   201                      secp256k1_ge nonconst_ge;
   202                      secp256k1_ecdsa_signature sig;
   203                      secp256k1_pubkey pk;
   204                      secp256k1_scalar sk_s, msg_s, r_s, s_s;
   205                      secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s;
   206                      int k, should_verify;
   207                      unsigned char msg32[32];
   208  
   209                      secp256k1_scalar_set_int(&s_s, s);
   210                      secp256k1_scalar_set_int(&r_s, r);
   211                      secp256k1_scalar_set_int(&msg_s, msg);
   212                      secp256k1_scalar_set_int(&sk_s, key);
   213  
   214                      /* Verify by hand */
   215                      /* Run through every k value that gives us this r and check that *one* works.
   216                       * Note there could be none, there could be multiple, ECDSA is weird. */
   217                      should_verify = 0;
   218                      for (k = 0; k < order; k++) {
   219                          secp256k1_scalar check_x_s;
   220                          r_from_k(&check_x_s, group, k);
   221                          if (r_s == check_x_s) {
   222                              secp256k1_scalar_set_int(&s_times_k_s, k);
   223                              secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s);
   224                              secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s);
   225                              secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s);
   226                              should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s);
   227                          }
   228                      }
   229                      /* nb we have a "high s" rule */
   230                      should_verify &= !secp256k1_scalar_is_high(&s_s);
   231  
   232                      /* Verify by calling verify */
   233                      secp256k1_ecdsa_signature_save(&sig, &r_s, &s_s);
   234                      memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge));
   235                      secp256k1_pubkey_save(&pk, &nonconst_ge);
   236                      secp256k1_scalar_get_b32(msg32, &msg_s);
   237                      CHECK(should_verify ==
   238                            secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk));
   239                  }
   240              }
   241          }
   242      }
   243  }
   244  
   245  void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group, int order) {
   246      int i, j, k;
   247  
   248      /* Loop */
   249      for (i = 1; i < order; i++) {  /* message */
   250          for (j = 1; j < order; j++) {  /* key */
   251              for (k = 1; k < order; k++) {  /* nonce */
   252                  const int starting_k = k;
   253                  secp256k1_ecdsa_signature sig;
   254                  secp256k1_scalar sk, msg, r, s, expected_r;
   255                  unsigned char sk32[32], msg32[32];
   256                  secp256k1_scalar_set_int(&msg, i);
   257                  secp256k1_scalar_set_int(&sk, j);
   258                  secp256k1_scalar_get_b32(sk32, &sk);
   259                  secp256k1_scalar_get_b32(msg32, &msg);
   260  
   261                  secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k);
   262  
   263                  secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig);
   264                  /* Note that we compute expected_r *after* signing -- this is important
   265                   * because our nonce-computing function function might change k during
   266                   * signing. */
   267                  r_from_k(&expected_r, group, k);
   268                  CHECK(r == expected_r);
   269                  CHECK((k * s) % order == (i + r * j) % order ||
   270                        (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order);
   271  
   272                  /* Overflow means we've tried every possible nonce */
   273                  if (k < starting_k) {
   274                      break;
   275                  }
   276              }
   277          }
   278      }
   279  
   280      /* We would like to verify zero-knowledge here by counting how often every
   281       * possible (s, r) tuple appears, but because the group order is larger
   282       * than the field order, when coercing the x-values to scalar values, some
   283       * appear more often than others, so we are actually not zero-knowledge.
   284       * (This effect also appears in the real code, but the difference is on the
   285       * order of 1/2^128th the field order, so the deviation is not useful to a
   286       * computationally bounded attacker.)
   287       */
   288  }
   289  
   290  #ifdef ENABLE_MODULE_RECOVERY
   291  void test_exhaustive_recovery_sign(const secp256k1_context *ctx, const secp256k1_ge *group, int order) {
   292      int i, j, k;
   293  
   294      /* Loop */
   295      for (i = 1; i < order; i++) {  /* message */
   296          for (j = 1; j < order; j++) {  /* key */
   297              for (k = 1; k < order; k++) {  /* nonce */
   298                  const int starting_k = k;
   299                  secp256k1_fe r_dot_y_normalized;
   300                  secp256k1_ecdsa_recoverable_signature rsig;
   301                  secp256k1_ecdsa_signature sig;
   302                  secp256k1_scalar sk, msg, r, s, expected_r;
   303                  unsigned char sk32[32], msg32[32];
   304                  int expected_recid;
   305                  int recid;
   306                  secp256k1_scalar_set_int(&msg, i);
   307                  secp256k1_scalar_set_int(&sk, j);
   308                  secp256k1_scalar_get_b32(sk32, &sk);
   309                  secp256k1_scalar_get_b32(msg32, &msg);
   310  
   311                  secp256k1_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, secp256k1_nonce_function_smallint, &k);
   312  
   313                  /* Check directly */
   314                  secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig);
   315                  r_from_k(&expected_r, group, k);
   316                  CHECK(r == expected_r);
   317                  CHECK((k * s) % order == (i + r * j) % order ||
   318                        (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order);
   319                  /* In computing the recid, there is an overflow condition that is disabled in
   320                   * scalar_low_impl.h `secp256k1_scalar_set_b32` because almost every r.y value
   321                   * will exceed the group order, and our signing code always holds out for r
   322                   * values that don't overflow, so with a proper overflow check the tests would
   323                   * loop indefinitely. */
   324                  r_dot_y_normalized = group[k].y;
   325                  secp256k1_fe_normalize(&r_dot_y_normalized);
   326                  /* Also the recovery id is flipped depending if we hit the low-s branch */
   327                  if ((k * s) % order == (i + r * j) % order) {
   328                      expected_recid = secp256k1_fe_is_odd(&r_dot_y_normalized) ? 1 : 0;
   329                  } else {
   330                      expected_recid = secp256k1_fe_is_odd(&r_dot_y_normalized) ? 0 : 1;
   331                  }
   332                  CHECK(recid == expected_recid);
   333  
   334                  /* Convert to a standard sig then check */
   335                  secp256k1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig);
   336                  secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig);
   337                  /* Note that we compute expected_r *after* signing -- this is important
   338                   * because our nonce-computing function function might change k during
   339                   * signing. */
   340                  r_from_k(&expected_r, group, k);
   341                  CHECK(r == expected_r);
   342                  CHECK((k * s) % order == (i + r * j) % order ||
   343                        (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order);
   344  
   345                  /* Overflow means we've tried every possible nonce */
   346                  if (k < starting_k) {
   347                      break;
   348                  }
   349              }
   350          }
   351      }
   352  }
   353  
   354  void test_exhaustive_recovery_verify(const secp256k1_context *ctx, const secp256k1_ge *group, int order) {
   355      /* This is essentially a copy of test_exhaustive_verify, with recovery added */
   356      int s, r, msg, key;
   357      for (s = 1; s < order; s++) {
   358          for (r = 1; r < order; r++) {
   359              for (msg = 1; msg < order; msg++) {
   360                  for (key = 1; key < order; key++) {
   361                      secp256k1_ge nonconst_ge;
   362                      secp256k1_ecdsa_recoverable_signature rsig;
   363                      secp256k1_ecdsa_signature sig;
   364                      secp256k1_pubkey pk;
   365                      secp256k1_scalar sk_s, msg_s, r_s, s_s;
   366                      secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s;
   367                      int recid = 0;
   368                      int k, should_verify;
   369                      unsigned char msg32[32];
   370  
   371                      secp256k1_scalar_set_int(&s_s, s);
   372                      secp256k1_scalar_set_int(&r_s, r);
   373                      secp256k1_scalar_set_int(&msg_s, msg);
   374                      secp256k1_scalar_set_int(&sk_s, key);
   375                      secp256k1_scalar_get_b32(msg32, &msg_s);
   376  
   377                      /* Verify by hand */
   378                      /* Run through every k value that gives us this r and check that *one* works.
   379                       * Note there could be none, there could be multiple, ECDSA is weird. */
   380                      should_verify = 0;
   381                      for (k = 0; k < order; k++) {
   382                          secp256k1_scalar check_x_s;
   383                          r_from_k(&check_x_s, group, k);
   384                          if (r_s == check_x_s) {
   385                              secp256k1_scalar_set_int(&s_times_k_s, k);
   386                              secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s);
   387                              secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s);
   388                              secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s);
   389                              should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s);
   390                          }
   391                      }
   392                      /* nb we have a "high s" rule */
   393                      should_verify &= !secp256k1_scalar_is_high(&s_s);
   394  
   395                      /* We would like to try recovering the pubkey and checking that it matches,
   396                       * but pubkey recovery is impossible in the exhaustive tests (the reason
   397                       * being that there are 12 nonzero r values, 12 nonzero points, and no
   398                       * overlap between the sets, so there are no valid signatures). */
   399  
   400                      /* Verify by converting to a standard signature and calling verify */
   401                      secp256k1_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid);
   402                      secp256k1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig);
   403                      memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge));
   404                      secp256k1_pubkey_save(&pk, &nonconst_ge);
   405                      CHECK(should_verify ==
   406                            secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk));
   407                  }
   408              }
   409          }
   410      }
   411  }
   412  #endif
   413  
   414  int main(void) {
   415      int i;
   416      secp256k1_gej groupj[EXHAUSTIVE_TEST_ORDER];
   417      secp256k1_ge group[EXHAUSTIVE_TEST_ORDER];
   418  
   419      /* Build context */
   420      secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
   421  
   422      /* TODO set z = 1, then do num_tests runs with random z values */
   423  
   424      /* Generate the entire group */
   425      secp256k1_gej_set_infinity(&groupj[0]);
   426      secp256k1_ge_set_gej(&group[0], &groupj[0]);
   427      for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
   428          /* Set a different random z-value for each Jacobian point */
   429          secp256k1_fe z;
   430          random_fe(&z);
   431  
   432          secp256k1_gej_add_ge(&groupj[i], &groupj[i - 1], &secp256k1_ge_const_g);
   433          secp256k1_ge_set_gej(&group[i], &groupj[i]);
   434          secp256k1_gej_rescale(&groupj[i], &z);
   435  
   436          /* Verify against ecmult_gen */
   437          {
   438              secp256k1_scalar scalar_i;
   439              secp256k1_gej generatedj;
   440              secp256k1_ge generated;
   441  
   442              secp256k1_scalar_set_int(&scalar_i, i);
   443              secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i);
   444              secp256k1_ge_set_gej(&generated, &generatedj);
   445  
   446              CHECK(group[i].infinity == 0);
   447              CHECK(generated.infinity == 0);
   448              CHECK(secp256k1_fe_equal_var(&generated.x, &group[i].x));
   449              CHECK(secp256k1_fe_equal_var(&generated.y, &group[i].y));
   450          }
   451      }
   452  
   453      /* Run the tests */
   454  #ifdef USE_ENDOMORPHISM
   455      test_exhaustive_endomorphism(group, EXHAUSTIVE_TEST_ORDER);
   456  #endif
   457      test_exhaustive_addition(group, groupj, EXHAUSTIVE_TEST_ORDER);
   458      test_exhaustive_ecmult(ctx, group, groupj, EXHAUSTIVE_TEST_ORDER);
   459      test_exhaustive_sign(ctx, group, EXHAUSTIVE_TEST_ORDER);
   460      test_exhaustive_verify(ctx, group, EXHAUSTIVE_TEST_ORDER);
   461  
   462  #ifdef ENABLE_MODULE_RECOVERY
   463      test_exhaustive_recovery_sign(ctx, group, EXHAUSTIVE_TEST_ORDER);
   464      test_exhaustive_recovery_verify(ctx, group, EXHAUSTIVE_TEST_ORDER);
   465  #endif
   466  
   467      secp256k1_context_destroy(ctx);
   468      return 0;
   469  }
   470