Analysis of P256 test vectors based on evmone implementation #2194
Description
Intro
Analyze EEST test coverage of the evmone's implementation of p256_verify to find and contribute missing test cases.
Issues discovered
- 1. "invalid_curve_attack" vectors are ineffective. Fixed in feat(tests): add correct P256 precompile tests for invalid point #2179.
- 2. The final check
R.x == r mod nhas missing MC/DC coverage. Fixed in feat(tests): add test case with invalid P256 with x1 above N #2217.
- 3. Ineffective tests for checks of
r != 0ands != 0. Fixed in feat(tests): add test cases for P256 with zero h, r, s #2216. - 4. Ineffective tests for checks of
r < Nands < N. Fixed in feat(tests): add test cases for P256 for r,s above N #2230. - 5. Missing test cases for boundary values of valid
s(note that this is impractical to create a valid signature for arbitraryr). Fixed in feat(tests): add test cases for P256 input s special values #2215. - 6. Missing test cases for boundary and "special" hash values. Fixed in feat(tests): add test cases for P256 input hash special values #2203.
- 7. Missing test case for point doubling in
u1*G + u2*Q. Fixed in feat(tests): add test case for point doubling in P256 #2218. - 8. Inefficient tests for
x >= Pandy >= P. Fixed in feat(tests): add tests for P256 with x,y out of range #2237. - 9. Inefficient test for
Q == 0. Fixed in feat(tests): add test case for P256 with Q at infinity #2235. - 10. Missing positive test with Q with x-coordinate being 0. Fixed in feat(tests): add test case for P256 where
Q.xis zero #2221. - 11. Missing test case with
r==2**256-1(just for completeness). Fixed in feat(tests): add test case for P256 with r max value #2229. - 12. Add test case for
R==0, see example. Fixed in feat(tests): add more tests for P256 where R is at infinity #2238.