authorNiels Möller <nisse@lysator.liu.se>2014-08-24 22:04:39 +0200
committerNiels Möller <nisse@lysator.liu.se>2014-08-24 22:04:39 +0200
commitd583973e25ef7e81aeb5caf6a48a37f28a089e46 (patch)
tree0c5efdf9a71c50720ae6d8fbe36f11043dc51b70
parent3112b2637f593484b3660c1284aa0c91801f53a2 (diff)
downloadnettle-d583973e25ef7e81aeb5caf6a48a37f28a089e46.tar.gz
ECDH tests for additional curves.
-rw-r--r--ChangeLog5
-rw-r--r--misc/ecc-ref.gp115
-rw-r--r--testsuite/ecdh-test.c72
3 files changed, 170 insertions, 22 deletions
diff --git a/ChangeLog b/ChangeLog
index 639ad9a0..e581120d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
2014-08-24 Niels Möller <nisse@lysator.liu.se>
* testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g,
- using test data generated by ecc-ref.gp.
+ using test data generated by ecc-ref.gp. Tests for all curves
+ except curve25519, which doesn't yet work with the general
+ ecc_point interface.
+
* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c.
* misc/ecc-ref.gp: Script to generate ECDH test data.
diff --git a/misc/ecc-ref.gp b/misc/ecc-ref.gp
index 2af41755..7ef73259 100644
--- a/misc/ecc-ref.gp
+++ b/misc/ecc-ref.gp
@@ -9,22 +9,113 @@ out(apriv, A, bpriv, B, S) = print( \
"/* b_y */ \"", component(B[2], 2), "\",\n", \
"/* s_x */ \"", component(S[1], 2), "\",\n", \
"/* s_y */ \"", component(S[2], 2), "\",");
-
+
p192 = 2^192 - 2^64 - 1;
b192 = 2455155546008943817740293915197451784769108058161191238065;
-g192 = Mod([602046282375688656758213480587526111916698976636884684818, \
+g = Mod([602046282375688656758213480587526111916698976636884684818, \
174050332293622031404857552280219410364023488927386650641], p192);
secp192 = ellinit(Mod([0,0,0,-3, b192], p192));
-q192 = 6277101735386680763835789423176059013767194773182842284081;
-if (ellorder(secp192, g192) != q192, error("secp192 parameter error"));
-
-a192 = 1+random(q192-1);
-b192 = 1+random(q192-1);
-A192 = ellpow(secp192, g192, a192);
-B192 = ellpow(secp192, g192, b192);
-S192 = ellpow(secp192, A192, b192);
-if (S192 != ellpow(secp192, B192, a192), error("secp192 dh error"));
+q = 6277101735386680763835789423176059013767194773182842284081;
+if (ellpow(secp192, g, q) != [0], error("secp192 parameter error"));
+
+a = 1+random(q-1);
+b = 1+random(q-1);
+A = ellpow(secp192, g, a);
+B = ellpow(secp192, g, b);
+S = ellpow(secp192, A, b);
+if (S != ellpow(secp192, B, a), error("secp192 dh error"));
print("secp192");
-out(a192, A192, b192, B192, S192);
+out(a, A, b, B, S);
+
+p224 = 2^224 - 2^96 + 1;
+b224 = 18958286285566608000408668544493926415504680968679321075787234672564;
+g = Mod([19277929113566293071110308034699488026831934219452440156649784352033,\
+ 19926808758034470970197974370888749184205991990603949537637343198772], p224);
+
+secp224 = ellinit(Mod([0,0,0,-3, b224], p224));
+q = 26959946667150639794667015087019625940457807714424391721682722368061;
+if (ellpow(secp224, g, q) != [0], error("secp224 parameter error"));
+
+a = 1+random(q-1);
+b = 1+random(q-1);
+A = ellpow(secp224, g, a);
+B = ellpow(secp224, g, b);
+S = ellpow(secp224, A, b);
+if (S != ellpow(secp224, B, a), error("secp224 dh error"));
+print("secp224");
+out(a, A, b, B, S);
+
+p256 = 2^256 - 2^224 + 2^192 + 2^96 - 1;
+b256 = 41058363725152142129326129780047268409114441015993725554835256314039467401291;
+g = Mod([48439561293906451759052585252797914202762949526041747995844080717082404635286,\
+ 36134250956749795798585127919587881956611106672985015071877198253568414405109], p256);
+
+secp256 = ellinit(Mod([0,0,0,-3, b256], p256));
+q = 115792089210356248762697446949407573529996955224135760342422259061068512044369;
+if (ellpow(secp256, g, q) != [0], error("secp256 parameter error"));
+
+a = 1+random(q-1);
+b = 1+random(q-1);
+A = ellpow(secp256, g, a);
+B = ellpow(secp256, g, b);
+S = ellpow(secp256, A, b);
+if (S != ellpow(secp256, B, a), error("secp256 dh error"));
+print("secp256");
+out(a, A, b, B, S);
+
+p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1;
+b384 = 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575;
+g = Mod([26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087,\
+ 8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871], p384);
+
+secp384 = ellinit(Mod([0,0,0,-3, b384], p384));
+q = 39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643;
+if (ellpow(secp384, g, q) != [0], error("secp384 parameter error"));
+
+a = 1+random(q-1);
+b = 1+random(q-1);
+A = ellpow(secp384, g, a);
+B = ellpow(secp384, g, b);
+S = ellpow(secp384, A, b);
+if (S != ellpow(secp384, B, a), error("secp384 dh error"));
+print("secp384");
+out(a, A, b, B, S);
+
+p521 = 2^521 - 1;
+b521 = 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984;
+g = Mod([2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846,\
+ 3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784], p521);
+
+secp521 = ellinit(Mod([0,0,0,-3, b521], p521));
+q = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449;
+if (ellpow(secp521, g, q) != [0], error("secp521 parameter error"));
+
+a = 1+random(q-1);
+b = 1+random(q-1);
+A = ellpow(secp521, g, a);
+B = ellpow(secp521, g, b);
+S = ellpow(secp521, A, b);
+if (S != ellpow(secp521, B, a), error("secp521 dh error"));
+print("secp521");
+out(a, A, b, B, S);
+
+p25519 = 2^255 - 19;
+b25519 = 486662;
+x = Mod(9, p25519);
+y = sqrt(x^3 + b25519*x^2 + x);
+g = [x, y];
+
+curve25519 = ellinit(Mod([0, b25519, 0, 1, 0], p25519));
+q = 2^252 + 27742317777372353535851937790883648493;
+if (ellpow(curve25519, g, q) != [0], error("curve25519 parameter error"));
+
+a = 1+random(q-1);
+b = 1+random(q-1);
+A = ellpow(curve25519, g, a);
+B = ellpow(curve25519, g, b);
+S = ellpow(curve25519, A, b);
+if (S != ellpow(curve25519, B, a), error("curve25519 dh error"));
+print("curve25519");
+out(a, A, b, B, S);
quit
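Review bot: The parameter check `if (ellpow(secp192, g, q) != [0], error("secp192 parameter error"));` (and its counterpart in every other curve block of this hunk) only establishes that q annihilates g, i.e. that the order of g divides q; it matches the ellorder check it replaces only because each q is prime and g is not the point at infinity, and nothing in the script says so. A one-line comment above the first check, `\\ q is prime and g != O, so q*g == O means g has order exactly q`, would keep the weaker test from being read as a full order check. For the curve25519 block the same argument presumably holds with q as the prime order of the base-point subgroup rather than of the whole group (cofactor 8, if I recall correctly), which is worth stating there since the script otherwise treats q like the curve order.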
diff --git a/testsuite/ecdh-test.c b/testsuite/ecdh-test.c
index ed61e44c..76102130 100644
--- a/testsuite/ecdh-test.c
+++ b/testsuite/ecdh-test.c
@@ -54,7 +54,7 @@ set_scalar (struct ecc_scalar *s,
}
static void
-check_point (const char *label,
+check_point (const char *name, const char *label,
const struct ecc_point *P,
const struct ecc_point *R)
{
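Review bot: check_point's new name parameter (and test_dh's, in the hunk at `test_dh (const char *name, const struct ecc_curve *ecc,`) is undocumented, and neither function has a header comment; both now take two or more strings whose roles are easy to swap at a call site. A comment above `static void` such as `/* NAME identifies the curve and LABEL the operation checked (e.g. "a g"); both only appear in the mismatch message. Reports a failure when P and R differ. */` would cover check_point, and test_dh could likewise state that its eight string arguments are a_priv, A = a g, b_priv, B = b g and S = ab g as emitted by misc/ecc-ref.gp. check_point's body continues past this hunk.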
@@ -69,9 +69,9 @@ check_point (const char *label,
ecc_point_get (R, rx, ry);
/* FIXME: Should have a public point compare function */
- if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0)
+ if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0)
{
- fprintf (stderr, "Failed %s\np_x = ", label);
+ fprintf (stderr, "Failed %s %s\np_x = ", name, label);
mpz_out_str (stderr, 10, px);
fprintf (stderr, "\nr_x = ");
mpz_out_str (stderr, 10, rx);
@@ -89,7 +89,7 @@ check_point (const char *label,
}
static void
-test_dh (const struct ecc_curve *ecc,
+test_dh (const char *name, const struct ecc_curve *ecc,
const char *a_priv, const char *ax, const char *ay,
const char *b_priv, const char *bx, const char *by,
const char *sx, const char *sy)
@@ -113,16 +113,16 @@ test_dh (const struct ecc_curve *ecc,
ecc_point_init (&T, ecc);
ecc_point_mul_g (&T, &A_priv);
- check_point ("a g", &T, &A);
+ check_point (name, "a g", &T, &A);
ecc_point_mul (&T, &B_priv, &T);
- check_point ("b (a g)", &T, &S);
+ check_point (name, "b (a g)", &T, &S);
ecc_point_mul_g (&T, &B_priv);
- check_point ("b g", &T, &B);
+ check_point (name, "b g", &T, &B);
ecc_point_mul (&T, &A_priv, &T);
- check_point ("a (b g)", &T, &S);
+ check_point (name, "a (b g)", &T, &S);
ecc_scalar_clear (&A_priv);
ecc_scalar_clear (&B_priv);
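Review bot: The two `ecc_point_mul (&T, &B_priv, &T);` / `ecc_point_mul (&T, &A_priv, &T);` calls pass T as both result and input, so the test depends on ecc_point_mul supporting r == p aliasing. If that is deliberate it deserves a comment, e.g. `/* In-place: also checks that result and input point may alias. */`; if not, computing into a second point would make the intent unambiguous and keep an aliasing bug from masquerading as a DH failure. test_dh's body continues outside this hunk.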
@@ -136,7 +136,7 @@ test_dh (const struct ecc_curve *ecc,
void
test_main(void)
{
- test_dh (&nettle_secp_192r1,
+ test_dh ("secp-192r1", &nettle_secp_192r1,
"3406157206141798348095184987208239421004566462391397236532",
"1050363442265225480786760666329560655512990381040021438562",
"5298249600854377235107392014200406283816103564916230704184",
@@ -145,4 +145,58 @@ test_main(void)
"293088185788565313717816218507714888251468410990708684573",
"149293809021051532782730990145509724807636529827149481690",
"2891131861147398318714693938158856874319184314120776776192");
+
+ test_dh ("secp-224r1", &nettle_secp_224r1,
+ "1321072106881784386340709783538698930880431939595776773514895067682",
+ "6768311794185371282972144247871764855860666277647541840973645586477",
+ "2880077809069104378181313860274147139049600284805670362929579614547",
+ "13934723037778859565852601874354272638301919827851286722006496784914",
+ "373124771833407982305885866158843810218322878380632071540538232035",
+ "24223309755162432227459925493224336241652868856405241018762887667883",
+ "8330362698029245839097779050425944245826040430538860338085968752913",
+ "24167244512472228715617822000878192535267113543393576038737592837010");
+
+ test_dh ("secp-256r1", &nettle_secp_256r1,
+ "94731533361265297353914491124013058635674217345912524033267198103710636378786",
+ "22441589863306126152768848344973918725077248391248404659242620344938484650846",
+ "8673475622926171928656873398933611700804732317466515884933832073457396747355",
+ "97657865959185011849283028361556797595752581630732610898393589042714626616209",
+ "18453500628354973083413728373777272885280811435138222441593126858566687017580",
+ "14365748655141740924607822284126054269177292284541187981786689038777833170313",
+ "102958799567030688009123101477538973715497039396202015119148334812951370853564",
+ "29188877854984806245046208182450375893010623119030341548941791125497546766367");
+
+ test_dh ("secp-384r1", &nettle_secp_384r1,
+ "39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070",
+ "15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707",
+ "23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966",
+ "36869963309577906178833120963925446333578086292605692048464445726274368063284094788012795873582576522541658781990645",
+ "6571571183519639697971973492227725184968062063941037806786906539419849188357322949908539215960508669158121817812397",
+ "36555212611228586427448926841660565534959679681904941933188284044726925984417589749068550977832780023128545833460008",
+ "27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789",
+ "12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405");
+
+ test_dh ("secp-521r1", &nettle_secp_521r1,
+ "1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826",
+ "3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116",
+ "278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106",
+ "4632844957395758597246278843156350179301194123641664447791935593091018103746003967476919616681982477804041933745387575872964923485212972039478646226080044590",
+ "3278857364905061449863537070675297207767865967146919975942590789168732752489407699106980407552332044280575891715425195464227794423128203118286002006478070253",
+ "4488572162727491199625798812850846214916160870437505769058530973184916706326908828109446998319674522651965593412129100088877891410841200092694907512496020182",
+ "2126311732129869456512627735193938710331935978955001830871465201548004444073866677974896970734635601049909886616595755762740651165670628002084824920216966370",
+ "4803556648772727869384704240411011976585308117802975396033423138930126997561438092192867119930177133880625991019440171972612468402200399449807843995563872782");
+#if 0
+ /* NOTE: This isn't quite the standard way to do curve25519
+ diffie-hellman, but it tests that the ecc_point interface works
+ also with curve25519. FIXME: Which it doesn't yet do. */
+ test_dh ("curve25519", &nettle_curve25519,
+ "238301186166219052901200372289459967515481170332211409964804596991365959539",
+ "16689431791973914300519294566135927090340942991104989847654071982531922134636",
+ "20308418066388251043787233144732111482161260158474210903552303016733832642783",
+ "3795950278952272509684177709511717492358770264218705926196469999516028451559",
+ "33748673775975978547568270043630771161978032265709185964960751948965332685487",
+ "45040108202870901856797106334440548809561721639881101469282515918034252408802",
+ "12684624775789228333626692483521764247362476074160626230698999100180553618972",
+ "22635121008463339848034566659860493350277619617839914078958064757823336329514");
+#endif
}
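Review bot: Each new test_dh call passes eight unlabelled decimal strings, although the generator's out() in misc/ecc-ref.gp emits them with `/* a_priv */`, `/* b_y */`, `/* s_x */` style labels (visible at the top of that hunk); keeping those labels in the pasted data, as in `/* a_priv */ "1321072106881784386340709783538698930880431939595776773514895067682",`, would make the mapping to test_dh's parameters checkable by eye and catch a misordered paste. The same applies to the existing secp-192r1 vectors and to the disabled curve25519 block.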