github.com/snowblossomcoin/go-ethereum@v1.9.25/crypto/secp256k1/libsecp256k1/src/tests_exhaustive.c (about) 1 /*********************************************************************** 2 * Copyright (c) 2016 Andrew Poelstra * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #if defined HAVE_CONFIG_H 8 #include "libsecp256k1-config.h" 9 #endif 10 11 #include <stdio.h> 12 #include <stdlib.h> 13 14 #include <time.h> 15 16 #undef USE_ECMULT_STATIC_PRECOMPUTATION 17 18 #ifndef EXHAUSTIVE_TEST_ORDER 19 /* see group_impl.h for allowable values */ 20 #define EXHAUSTIVE_TEST_ORDER 13 21 #define EXHAUSTIVE_TEST_LAMBDA 9 /* cube root of 1 mod 13 */ 22 #endif 23 24 #include "include/secp256k1.h" 25 #include "group.h" 26 #include "secp256k1.c" 27 #include "testrand_impl.h" 28 29 #ifdef ENABLE_MODULE_RECOVERY 30 #include "src/modules/recovery/main_impl.h" 31 #include "include/secp256k1_recovery.h" 32 #endif 33 34 /** stolen from tests.c */ 35 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) { 36 CHECK(a->infinity == b->infinity); 37 if (a->infinity) { 38 return; 39 } 40 CHECK(secp256k1_fe_equal_var(&a->x, &b->x)); 41 CHECK(secp256k1_fe_equal_var(&a->y, &b->y)); 42 } 43 44 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) { 45 secp256k1_fe z2s; 46 secp256k1_fe u1, u2, s1, s2; 47 CHECK(a->infinity == b->infinity); 48 if (a->infinity) { 49 return; 50 } 51 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ 52 secp256k1_fe_sqr(&z2s, &b->z); 53 secp256k1_fe_mul(&u1, &a->x, &z2s); 54 u2 = b->x; secp256k1_fe_normalize_weak(&u2); 55 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z); 56 s2 = b->y; secp256k1_fe_normalize_weak(&s2); 57 CHECK(secp256k1_fe_equal_var(&u1, &u2)); 58 CHECK(secp256k1_fe_equal_var(&s1, &s2)); 59 } 60 61 void random_fe(secp256k1_fe *x) { 62 unsigned char bin[32]; 63 do { 64 secp256k1_rand256(bin); 65 if (secp256k1_fe_set_b32(x, bin)) { 66 return; 67 } 68 } while(1); 69 } 70 /** END stolen from tests.c */ 71 72 int secp256k1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, 73 const unsigned char *key32, const unsigned char *algo16, 74 void *data, unsigned int attempt) { 75 secp256k1_scalar s; 76 int *idata = data; 77 (void)msg32; 78 (void)key32; 79 (void)algo16; 80 /* Some nonces cannot be used because they'd cause s and/or r to be zero. 81 * The signing function has retry logic here that just re-calls the nonce 82 * function with an increased `attempt`. So if attempt > 0 this means we 83 * need to change the nonce to avoid an infinite loop. */ 84 if (attempt > 0) { 85 *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER; 86 } 87 secp256k1_scalar_set_int(&s, *idata); 88 secp256k1_scalar_get_b32(nonce32, &s); 89 return 1; 90 } 91 92 #ifdef USE_ENDOMORPHISM 93 void test_exhaustive_endomorphism(const secp256k1_ge *group, int order) { 94 int i; 95 for (i = 0; i < order; i++) { 96 secp256k1_ge res; 97 secp256k1_ge_mul_lambda(&res, &group[i]); 98 ge_equals_ge(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res); 99 } 100 } 101 #endif 102 103 void test_exhaustive_addition(const secp256k1_ge *group, const secp256k1_gej *groupj, int order) { 104 int i, j; 105 106 /* Sanity-check (and check infinity functions) */ 107 CHECK(secp256k1_ge_is_infinity(&group[0])); 108 CHECK(secp256k1_gej_is_infinity(&groupj[0])); 109 for (i = 1; i < order; i++) { 110 CHECK(!secp256k1_ge_is_infinity(&group[i])); 111 CHECK(!secp256k1_gej_is_infinity(&groupj[i])); 112 } 113 114 /* Check all addition formulae */ 115 for (j = 0; j < order; j++) { 116 secp256k1_fe fe_inv; 117 secp256k1_fe_inv(&fe_inv, &groupj[j].z); 118 for (i = 0; i < order; i++) { 119 secp256k1_ge zless_gej; 120 secp256k1_gej tmp; 121 /* add_var */ 122 secp256k1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL); 123 ge_equals_gej(&group[(i + j) % order], &tmp); 124 /* add_ge */ 125 if (j > 0) { 126 secp256k1_gej_add_ge(&tmp, &groupj[i], &group[j]); 127 ge_equals_gej(&group[(i + j) % order], &tmp); 128 } 129 /* add_ge_var */ 130 secp256k1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL); 131 ge_equals_gej(&group[(i + j) % order], &tmp); 132 /* add_zinv_var */ 133 zless_gej.infinity = groupj[j].infinity; 134 zless_gej.x = groupj[j].x; 135 zless_gej.y = groupj[j].y; 136 secp256k1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv); 137 ge_equals_gej(&group[(i + j) % order], &tmp); 138 } 139 } 140 141 /* Check doubling */ 142 for (i = 0; i < order; i++) { 143 secp256k1_gej tmp; 144 if (i > 0) { 145 secp256k1_gej_double_nonzero(&tmp, &groupj[i], NULL); 146 ge_equals_gej(&group[(2 * i) % order], &tmp); 147 } 148 secp256k1_gej_double_var(&tmp, &groupj[i], NULL); 149 ge_equals_gej(&group[(2 * i) % order], &tmp); 150 } 151 152 /* Check negation */ 153 for (i = 1; i < order; i++) { 154 secp256k1_ge tmp; 155 secp256k1_gej tmpj; 156 secp256k1_ge_neg(&tmp, &group[i]); 157 ge_equals_ge(&group[order - i], &tmp); 158 secp256k1_gej_neg(&tmpj, &groupj[i]); 159 ge_equals_gej(&group[order - i], &tmpj); 160 } 161 } 162 163 void test_exhaustive_ecmult(const secp256k1_context *ctx, const secp256k1_ge *group, const secp256k1_gej *groupj, int order) { 164 int i, j, r_log; 165 for (r_log = 1; r_log < order; r_log++) { 166 for (j = 0; j < order; j++) { 167 for (i = 0; i < order; i++) { 168 secp256k1_gej tmp; 169 secp256k1_scalar na, ng; 170 secp256k1_scalar_set_int(&na, i); 171 secp256k1_scalar_set_int(&ng, j); 172 173 secp256k1_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng); 174 ge_equals_gej(&group[(i * r_log + j) % order], &tmp); 175 176 if (i > 0) { 177 secp256k1_ecmult_const(&tmp, &group[i], &ng); 178 ge_equals_gej(&group[(i * j) % order], &tmp); 179 } 180 } 181 } 182 } 183 } 184 185 void r_from_k(secp256k1_scalar *r, const secp256k1_ge *group, int k) { 186 secp256k1_fe x; 187 unsigned char x_bin[32]; 188 k %= EXHAUSTIVE_TEST_ORDER; 189 x = group[k].x; 190 secp256k1_fe_normalize(&x); 191 secp256k1_fe_get_b32(x_bin, &x); 192 secp256k1_scalar_set_b32(r, x_bin, NULL); 193 } 194 195 void test_exhaustive_verify(const secp256k1_context *ctx, const secp256k1_ge *group, int order) { 196 int s, r, msg, key; 197 for (s = 1; s < order; s++) { 198 for (r = 1; r < order; r++) { 199 for (msg = 1; msg < order; msg++) { 200 for (key = 1; key < order; key++) { 201 secp256k1_ge nonconst_ge; 202 secp256k1_ecdsa_signature sig; 203 secp256k1_pubkey pk; 204 secp256k1_scalar sk_s, msg_s, r_s, s_s; 205 secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s; 206 int k, should_verify; 207 unsigned char msg32[32]; 208 209 secp256k1_scalar_set_int(&s_s, s); 210 secp256k1_scalar_set_int(&r_s, r); 211 secp256k1_scalar_set_int(&msg_s, msg); 212 secp256k1_scalar_set_int(&sk_s, key); 213 214 /* Verify by hand */ 215 /* Run through every k value that gives us this r and check that *one* works. 216 * Note there could be none, there could be multiple, ECDSA is weird. */ 217 should_verify = 0; 218 for (k = 0; k < order; k++) { 219 secp256k1_scalar check_x_s; 220 r_from_k(&check_x_s, group, k); 221 if (r_s == check_x_s) { 222 secp256k1_scalar_set_int(&s_times_k_s, k); 223 secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); 224 secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); 225 secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); 226 should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); 227 } 228 } 229 /* nb we have a "high s" rule */ 230 should_verify &= !secp256k1_scalar_is_high(&s_s); 231 232 /* Verify by calling verify */ 233 secp256k1_ecdsa_signature_save(&sig, &r_s, &s_s); 234 memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); 235 secp256k1_pubkey_save(&pk, &nonconst_ge); 236 secp256k1_scalar_get_b32(msg32, &msg_s); 237 CHECK(should_verify == 238 secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk)); 239 } 240 } 241 } 242 } 243 } 244 245 void test_exhaustive_sign(const secp256k1_context *ctx, const secp256k1_ge *group, int order) { 246 int i, j, k; 247 248 /* Loop */ 249 for (i = 1; i < order; i++) { /* message */ 250 for (j = 1; j < order; j++) { /* key */ 251 for (k = 1; k < order; k++) { /* nonce */ 252 const int starting_k = k; 253 secp256k1_ecdsa_signature sig; 254 secp256k1_scalar sk, msg, r, s, expected_r; 255 unsigned char sk32[32], msg32[32]; 256 secp256k1_scalar_set_int(&msg, i); 257 secp256k1_scalar_set_int(&sk, j); 258 secp256k1_scalar_get_b32(sk32, &sk); 259 secp256k1_scalar_get_b32(msg32, &msg); 260 261 secp256k1_ecdsa_sign(ctx, &sig, msg32, sk32, secp256k1_nonce_function_smallint, &k); 262 263 secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig); 264 /* Note that we compute expected_r *after* signing -- this is important 265 * because our nonce-computing function function might change k during 266 * signing. */ 267 r_from_k(&expected_r, group, k); 268 CHECK(r == expected_r); 269 CHECK((k * s) % order == (i + r * j) % order || 270 (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order); 271 272 /* Overflow means we've tried every possible nonce */ 273 if (k < starting_k) { 274 break; 275 } 276 } 277 } 278 } 279 280 /* We would like to verify zero-knowledge here by counting how often every 281 * possible (s, r) tuple appears, but because the group order is larger 282 * than the field order, when coercing the x-values to scalar values, some 283 * appear more often than others, so we are actually not zero-knowledge. 284 * (This effect also appears in the real code, but the difference is on the 285 * order of 1/2^128th the field order, so the deviation is not useful to a 286 * computationally bounded attacker.) 287 */ 288 } 289 290 #ifdef ENABLE_MODULE_RECOVERY 291 void test_exhaustive_recovery_sign(const secp256k1_context *ctx, const secp256k1_ge *group, int order) { 292 int i, j, k; 293 294 /* Loop */ 295 for (i = 1; i < order; i++) { /* message */ 296 for (j = 1; j < order; j++) { /* key */ 297 for (k = 1; k < order; k++) { /* nonce */ 298 const int starting_k = k; 299 secp256k1_fe r_dot_y_normalized; 300 secp256k1_ecdsa_recoverable_signature rsig; 301 secp256k1_ecdsa_signature sig; 302 secp256k1_scalar sk, msg, r, s, expected_r; 303 unsigned char sk32[32], msg32[32]; 304 int expected_recid; 305 int recid; 306 secp256k1_scalar_set_int(&msg, i); 307 secp256k1_scalar_set_int(&sk, j); 308 secp256k1_scalar_get_b32(sk32, &sk); 309 secp256k1_scalar_get_b32(msg32, &msg); 310 311 secp256k1_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, secp256k1_nonce_function_smallint, &k); 312 313 /* Check directly */ 314 secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig); 315 r_from_k(&expected_r, group, k); 316 CHECK(r == expected_r); 317 CHECK((k * s) % order == (i + r * j) % order || 318 (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order); 319 /* In computing the recid, there is an overflow condition that is disabled in 320 * scalar_low_impl.h `secp256k1_scalar_set_b32` because almost every r.y value 321 * will exceed the group order, and our signing code always holds out for r 322 * values that don't overflow, so with a proper overflow check the tests would 323 * loop indefinitely. */ 324 r_dot_y_normalized = group[k].y; 325 secp256k1_fe_normalize(&r_dot_y_normalized); 326 /* Also the recovery id is flipped depending if we hit the low-s branch */ 327 if ((k * s) % order == (i + r * j) % order) { 328 expected_recid = secp256k1_fe_is_odd(&r_dot_y_normalized) ? 1 : 0; 329 } else { 330 expected_recid = secp256k1_fe_is_odd(&r_dot_y_normalized) ? 0 : 1; 331 } 332 CHECK(recid == expected_recid); 333 334 /* Convert to a standard sig then check */ 335 secp256k1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); 336 secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig); 337 /* Note that we compute expected_r *after* signing -- this is important 338 * because our nonce-computing function function might change k during 339 * signing. */ 340 r_from_k(&expected_r, group, k); 341 CHECK(r == expected_r); 342 CHECK((k * s) % order == (i + r * j) % order || 343 (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order); 344 345 /* Overflow means we've tried every possible nonce */ 346 if (k < starting_k) { 347 break; 348 } 349 } 350 } 351 } 352 } 353 354 void test_exhaustive_recovery_verify(const secp256k1_context *ctx, const secp256k1_ge *group, int order) { 355 /* This is essentially a copy of test_exhaustive_verify, with recovery added */ 356 int s, r, msg, key; 357 for (s = 1; s < order; s++) { 358 for (r = 1; r < order; r++) { 359 for (msg = 1; msg < order; msg++) { 360 for (key = 1; key < order; key++) { 361 secp256k1_ge nonconst_ge; 362 secp256k1_ecdsa_recoverable_signature rsig; 363 secp256k1_ecdsa_signature sig; 364 secp256k1_pubkey pk; 365 secp256k1_scalar sk_s, msg_s, r_s, s_s; 366 secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s; 367 int recid = 0; 368 int k, should_verify; 369 unsigned char msg32[32]; 370 371 secp256k1_scalar_set_int(&s_s, s); 372 secp256k1_scalar_set_int(&r_s, r); 373 secp256k1_scalar_set_int(&msg_s, msg); 374 secp256k1_scalar_set_int(&sk_s, key); 375 secp256k1_scalar_get_b32(msg32, &msg_s); 376 377 /* Verify by hand */ 378 /* Run through every k value that gives us this r and check that *one* works. 379 * Note there could be none, there could be multiple, ECDSA is weird. */ 380 should_verify = 0; 381 for (k = 0; k < order; k++) { 382 secp256k1_scalar check_x_s; 383 r_from_k(&check_x_s, group, k); 384 if (r_s == check_x_s) { 385 secp256k1_scalar_set_int(&s_times_k_s, k); 386 secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); 387 secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); 388 secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); 389 should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); 390 } 391 } 392 /* nb we have a "high s" rule */ 393 should_verify &= !secp256k1_scalar_is_high(&s_s); 394 395 /* We would like to try recovering the pubkey and checking that it matches, 396 * but pubkey recovery is impossible in the exhaustive tests (the reason 397 * being that there are 12 nonzero r values, 12 nonzero points, and no 398 * overlap between the sets, so there are no valid signatures). */ 399 400 /* Verify by converting to a standard signature and calling verify */ 401 secp256k1_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid); 402 secp256k1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); 403 memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); 404 secp256k1_pubkey_save(&pk, &nonconst_ge); 405 CHECK(should_verify == 406 secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk)); 407 } 408 } 409 } 410 } 411 } 412 #endif 413 414 int main(void) { 415 int i; 416 secp256k1_gej groupj[EXHAUSTIVE_TEST_ORDER]; 417 secp256k1_ge group[EXHAUSTIVE_TEST_ORDER]; 418 419 /* Build context */ 420 secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); 421 422 /* TODO set z = 1, then do num_tests runs with random z values */ 423 424 /* Generate the entire group */ 425 secp256k1_gej_set_infinity(&groupj[0]); 426 secp256k1_ge_set_gej(&group[0], &groupj[0]); 427 for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { 428 /* Set a different random z-value for each Jacobian point */ 429 secp256k1_fe z; 430 random_fe(&z); 431 432 secp256k1_gej_add_ge(&groupj[i], &groupj[i - 1], &secp256k1_ge_const_g); 433 secp256k1_ge_set_gej(&group[i], &groupj[i]); 434 secp256k1_gej_rescale(&groupj[i], &z); 435 436 /* Verify against ecmult_gen */ 437 { 438 secp256k1_scalar scalar_i; 439 secp256k1_gej generatedj; 440 secp256k1_ge generated; 441 442 secp256k1_scalar_set_int(&scalar_i, i); 443 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i); 444 secp256k1_ge_set_gej(&generated, &generatedj); 445 446 CHECK(group[i].infinity == 0); 447 CHECK(generated.infinity == 0); 448 CHECK(secp256k1_fe_equal_var(&generated.x, &group[i].x)); 449 CHECK(secp256k1_fe_equal_var(&generated.y, &group[i].y)); 450 } 451 } 452 453 /* Run the tests */ 454 #ifdef USE_ENDOMORPHISM 455 test_exhaustive_endomorphism(group, EXHAUSTIVE_TEST_ORDER); 456 #endif 457 test_exhaustive_addition(group, groupj, EXHAUSTIVE_TEST_ORDER); 458 test_exhaustive_ecmult(ctx, group, groupj, EXHAUSTIVE_TEST_ORDER); 459 test_exhaustive_sign(ctx, group, EXHAUSTIVE_TEST_ORDER); 460 test_exhaustive_verify(ctx, group, EXHAUSTIVE_TEST_ORDER); 461 462 #ifdef ENABLE_MODULE_RECOVERY 463 test_exhaustive_recovery_sign(ctx, group, EXHAUSTIVE_TEST_ORDER); 464 test_exhaustive_recovery_verify(ctx, group, EXHAUSTIVE_TEST_ORDER); 465 #endif 466 467 secp256k1_context_destroy(ctx); 468 return 0; 469 } 470