2026-03-25 14:36:36 +00:00

53 KiB

Raw Permalink Blame History

UltrafastSecp256k1 -- Full Audit Coverage

Version: v3.22.0 Audit Runner: unified_audit_runner Verdict: AUDIT-READY -- 56/56 modules passed Total Checks: ~1,000,000+ (audit) + 1.3M+ (nightly differential) Runtime: ~36.5 seconds (X64, Clang 21.1.0, Release)

Summary

Metric	Value
Audit Sections	8
Audit Modules	56 (55 + dedicated C ABI thread stress)
Exploit PoC Tests	78 tests across 14 attack categories (`audit/test_exploit_*.cpp`)
Audit assertions	~1,000,000+ (parser fuzz 530K, CT deep 120K, field Fp 264K, ZK ~1.5K, ...)
Nightly differential	~1,300,000+ additional random checks (daily)
CI Workflows	23 GitHub Actions workflows
CI Build Matrix	17 configurations, 7 architectures, 5 OSes
Sanitizers	ASan+UBSan, TSan, Valgrind memcheck + dedicated C ABI thread stress
Fuzzing	3 libFuzzer harnesses + 530K deterministic
Static Analysis	CodeQL, SonarCloud, clang-tidy, -Werror
Language Bindings	12 (Python, C#, Rust, Node, PHP, Go, Java, Swift, RN, Ruby, Dart, C API)
Supply Chain	OpenSSF Scorecard, harden-runner, pinned actions, Dependency Review
Real failures	0
Platforms tested	X64, ARM64, RISC-V, macOS, Windows, iOS, Android, WASM, ROCm

Coverage Interpretation

This document should not be read as a claim that raw module counts or raw assertion counts alone are enough to eliminate every possible defect.

The intended standard is stronger:

Major failure classes should each map to one or more deterministic audit surfaces.
Gaps should be named explicitly instead of hidden behind aggregate numbers.
New subsystems should extend the class-coverage map, not only the assertion total.

In practice, the self-audit target is near-total coverage of known problem classes with explicit residual-risk accounting for anything not yet converted into a deterministic check.

Section 1/8: Mathematical Invariants (Fp, Zn, Group Laws) -- 15/15 PASS

[1/55] SEC2 v2.0 Specification Oracle -- 13 checks

Verifies that all library curve constants exactly match the published SEC 2 v2.0 specification:

SPEC-1: p ≡ 0 (mod p) — field prime encoding correct
SPEC-2: n ≡ 0 (mod n) — group order encoding correct
SPEC-3/4: Gx, Gy match SEC2 byte-for-byte (hex cross-check)
SPEC-5: G lies on the curve — y² = x³ + 7 (mod p)
SPEC-6: (n−1)·G = −G — group order arithmetic
SPEC-7: p ≡ 3 (mod 4) — square root formula precondition
SPEC-8/9: 2·G ≠ G, 2·G ≠ ∞ — no degenerate generator
SPEC-10: G + (−G) = ∞ — inverse closure
SPEC-11: curve parameter b = 7
SPEC-12/13: cross-representation consistency

[2/55] Post-Operation Invariant Monitor -- ~5,000 checks

Continuous on-curve and normalization monitoring across all operation types:

INV-1: Post-point-add on-curve (500 random pairs, fast + CT)
INV-2: Post-scalar-mul on-curve (500 random scalars + 200 CT)
INV-3: Field element normalization after every operation (1000)
INV-4: Scalar range [1, n−1] after derivation (500)
INV-5: GLV reconstruction: k₁ + k₂·λ = k (mod n) (200)
INV-6: Serialization round-trip identity (200)
INV-7: ECDSA signatures verify against their own pubkey (100)
INV-8: Schnorr signatures verify against their own pubkey (100)
INV-9: Infinity propagation: P + (−P) = ∞, ∞ + P = P (50)
INV-10: Negation: P + (−P) = ∞ for 100 random points

[3/55] Field Fp Deep Audit -- 264,622 checks

11 sub-tests covering the full finite field GF(p) where p = 2^256 - 2^32 - 977:

Addition: a + b mod p, commutativity, associativity, identity (0), inverse
Subtraction: a - b mod p, consistency with addition
Multiplication: a * b mod p, commutativity, associativity, distributivity
Squaring: a^2 == a * a, consistency
Reduction: values >= p are reduced correctly, canonical form
Canonical check: normalized representation verification
Limb boundary: cross-limb carry propagation correctness
Inversion: a * a^{-1} == 1 mod p (Fermat's little theorem)
Square root: sqrt(a^2) == +-a, Euler criterion
Batch inverse: Montgomery's trick batch inversion
Random stress: randomized field operations

[4/55] Scalar Zn Deep Audit -- 93,215 checks

8 sub-tests covering the scalar field Z_n where n is the secp256k1 group order:

Mod n: reduction modulo group order
Overflow detection: values >= n handled correctly
Edge cases: 0, 1, n-1, n, n+1
Arithmetic: add, sub, mul, negate mod n
Inversion: a * a^{-1} == 1 mod n
GLV decomposition: k = k1 + k2 * lambda mod n (endomorphism split)
High-bit patterns: scalars with MSB set
Negation: a + (-a) == 0 mod n

[5/55] Point Operations Deep Audit -- 116,124 checks

11 sub-tests covering elliptic curve group operations:

Infinity: O + P == P, P + O == P, O + O == O
Jacobian addition: P + Q in Jacobian coordinates
Doubling: 2P == P + P
Self-addition: P + P via add vs dbl
Inverse addition: P + (-P) == O
Affine conversion: Jacobian -> Affine -> Jacobian roundtrip
Scalar multiplication: k * G for known k values
k*G test vectors: verified against published test vectors
ECDSA integration: sign/verify with computed points
Schnorr integration: BIP-340 sign/verify with computed points
100K stress test: 100,000 random scalar multiplications

[6/55] Field & Scalar Arithmetic -- 4,237 checks

Field mul, sqr, add, sub, normalize operations
Scalar NAF (Non-Adjacent Form) encoding
Scalar wNAF (windowed NAF) encoding
Cross-verification between representations

[7/55] Arithmetic Correctness -- 7 suites, 55 checks

k*G computed via 3 independent methods (must agree)
P1 + P2 point addition
k*Q arbitrary base point
Random large scalar multiplication
Distributive law: k*(P+Q) == kP + kQ

[8/55] Scalar Multiplication -- 319 checks

Known k*G vectors (published test data)
fast::scalar_mul vs generic::scalar_mul equivalence
Large scalar values (near n)
Repeated addition: k*G == G + G + ... + G (k times)
Doubling chain: 2^k * G
Point addition consistency
k*Q arbitrary base point
Random kQ == (k1k2)*G
Distributive law
Edge cases (k=0, k=1, k=n-1)

[9/55] Exhaustive Algebraic Verification -- 5,399 checks

14 sub-tests with exhaustive enumeration:

Closure: k*G on curve for k=1..256
Additive consistency: k*G + G == (k+1)*G for k=1..256
Homomorphism: aG + bG == (a+b)*G for 1,024 (a,b) pairs
Scalar mul vs iterated add: scalar_mul(k) == G+G+...+G for k=1..256
Scalar associativity: k*(lG) == (kl)*G
Addition axioms: associativity, commutativity, identity, inverse
Doubling: 2*P == P + P
Curve order: n*G == O, (n-1)*G == -G
Scalar arithmetic exhaustive: 1,089 pairs for N=128
CT consistency: ct::scalar_mul vs fast::scalar_mul for k=1..64
Negation properties
In-place ops: next/prev/dbl_inplace vs immutable equivalents
Pippenger MSM: multi-scalar multiplication correctness
Comb generator: comb_mul(k) vs k*G

[10/55] Comprehensive 500+ Suite -- 12,023 checks (10 skipped)

29 categories covering the entire API surface:

Category	What it tests
FieldArith	Field add, sub, mul, sqr, neg, half
FieldConversions	bytes <-> limbs <-> hex roundtrips
FieldEdgeCases	0, 1, p-1, p, max limb values
FieldInverse	Fermat, extended Euclidean, batch
FieldBranchless	All field ops produce identical results regardless of input patterns
FieldOptimal	Optimal representation dispatch (normalized vs lazy)
FieldRepresentations	ASM/platform-specific field ops match generic
ScalarArith	4,225 small-range pairs verified
ScalarConversions	bytes <-> limbs <-> hex
ScalarEdgeCases	0, 1, n-1, n, max values
ScalarNAF/wNAF	NAF and windowed NAF encoding correctness
PointBasic	G, 2G, infinity, on-curve checks
PointScalarMul	kG, kP for various k
PointInplace	In-place add/dbl/negate/next/prev
PointPrecomputed	Precomputed table scalar mul
PointSerialization	Compressed/uncompressed SEC1 roundtrip
PointEdgeCases	Infinity, negation, self-add
CTOps	Constant-time primitive operations
CTField	CT field add/sub/mul/sqr/inv
CTScalar	CT scalar add/sub/neg/cmov
CTPoint	CT point add/dbl/scalar_mul
GLV	GLV endomorphism decomposition + recombination
MSM	Multi-scalar multiplication (Pippenger/Straus)
CombGen	Comb-based generator multiplication
BatchInverse	Montgomery's trick batch inverse
ECDSA	Sign, verify, compact/DER encoding
Schnorr	BIP-340 sign, verify, x-only pubkey
ECDH	Diffie-Hellman shared secret
Recovery	ECDSA public key recovery from signature
Extras	SHA-256/512, batch affine add, batch verify, homomorphism, precompute

[11/55] ECC Property-Based Invariants -- 89 checks

Group law axioms verified with random points:

Identity: P + O == P (5 tests)
Inverse: P + (-P) == O (6 tests)
Negate involution: -(-P) == P (6 tests)
Commutativity: P + Q == Q + P (8 pairs)
Associativity: (P + Q) + R == P + (Q + R) (5 triples)
Double consistency: 2*P == P + P (6 points)
Scalar ring: (a + b)G == aG + b*G (8 pairs)
Scalar associativity: (ab)G == a(bG) (8 pairs)
Distributivity: k*(P + Q) == kP + kQ (8 triples)
Generator order: nG == O, (n-1)G == -G, 1G == G, 0G == O
Subtraction: P - Q == P + (-Q) (5 pairs)
Small k*G: k*G == G+G+...+G for k=1..8
In-place ops: add_inplace, dbl_inplace, negate_inplace, next_inplace, prev_inplace
Dual scalar mul: aG + bP (5 tests)

[12/55] Affine Batch Addition -- 548 checks

Empty batch handling
Precompute 64 G-multiples table
batch_add_affine_x correctness (128 additions)
batch_add_affine_xy correctness (64 XY results)
Bidirectional batch add (32 pairs)
Y-parity extraction (32 values)
Arbitrary point multiples table (16 points)
Negate table (16 points)
Large batch benchmark: 1,024 points -- 237.5 ns/point, 4.21 Mpoints/s

[13/55] Carry Chain Stress -- 247 checks

Limb boundary and carry propagation edge cases:

All-ones limb pattern (2^256 - 1)
Single-limb maximum patterns
Cross-limb boundary carry patterns
Values near the prime p (reduction boundary)
Maximum intermediate values (carry chain stress)
Scalar carry propagation near group order n
Point arithmetic carry propagation

[14/55] FieldElement52 (5x52 Lazy-Reduction) -- 267 checks

Cross-verification of the 5x52-bit limb representation against the reference 4x64:

Conversion roundtrip: 4x64 -> 5x52 -> 4x64
Zero / One constants
Addition (100 pairs), lazy addition chains
Negation
Multiplication (100 pairs), squaring
Multiplication chains (repeated squaring)
Mixed operations (add + mul + square chains)
Half operation
Normalization edge cases
Commutativity and associativity

[15/55] FieldElement26 (10x26 Lazy-Reduction) -- 269 checks

Same as FieldElement52 tests plus:

Multiplication after lazy additions (no intermediate normalize)

Section 2/8: Constant-Time & Side-Channel Analysis -- 5/5 PASS

[16/55] CT Deep Audit -- 120,651 checks

13 sub-tests with massive differential testing:

CT mask generation -- 12 checks
CT cmov / cswap -- 30,000 operations (10K iterations)
CT table lookup (256-bit) -- 30,000 lookups
CT field ops vs fast:: differential -- 81,000 comparisons (10K iterations)
CT scalar ops vs fast:: differential -- 111,000 comparisons (10K iterations)
CT scalar cmov/cswap -- 1K iterations
CT field cmov/cswap/select -- 1K iterations
CT is_zero / eq comparisons -- edge case coverage
CT scalar_mul vs fast:: scalar_mul -- 1K random scalars
CT complete addition vs fast add -- 1K random point pairs
CT byte-level utilities -- memcpy_if, memswap_if, memzero
CT generator_mul vs fast -- 500 random scalars
Timing variance sanity check -- rudimentary timing ratio (informational only)

[17/55] Constant-Time Layer Tests -- 60 checks

Focused functional tests for the CT API:

Field arithmetic: add, sub, mul, sqr, neg, inv, normalize
Field conditional: cmov (mask=0/all-ones), cswap, select, cneg, is_zero, eq
Scalar arithmetic: add, sub, neg
Scalar conditional: cmov, bit access, window extraction
Complete addition: G+2G=3G, G+G=2G, G+O=G, O+G=G, O+O=O, G+(-G)=O
CT scalar_mul: 1G, 2G, 7G, 0xDEADBEEFG, 0*G
CT generator_mul: generator_mul(42) == fast 42*G
On-curve check: G and 12345*G
Point equality: G==G, G!=42*G, O==O, G!=O
CT + fast mixing: fast(100G) -> ct(7P) == 700*G
CT ECDSA: sign r/s matches fast, signature verifies, zero key returns zero sig
CT Schnorr: keypair matches fast, sign r/s matches fast, signature verifies, pubkey(1)==G.x

[18/55] FAST == CT Equivalence -- 320 checks

Systematic equivalence verification between fast:: and ct:: layers:

Boundary + 64 random ct::generator_mul vs fast
64 random ct::scalar_mul(P, k) vs fast
Boundary edge scalars (0, 1, n-1)
32 random ECDSA signatures: CT == FAST
32 random Schnorr signatures: CT == FAST
Schnorr pubkey CT == FAST (boundary + random)
CT group law invariants

[19/55] Side-Channel Dudect Smoke -- 34 checks

Statistical timing analysis using Welch's t-test (|t| < 4.5 threshold):

[1] CT Primitives: | Operation | |t| | Result | |-----------|-----|--------| | is_zero_mask | 0.98 | OK | | bool_to_mask | 0.40 | OK | | cmov256 | 0.65 | OK | | cswap256 | 1.00 | OK | | ct_lookup_256 | 0.99 | OK | | ct_equal | 0.31 | OK |

[2] CT Field: | Operation | |t| | Result | |-----------|-----|--------| | field_add | 4.79 | OK | | field_mul | 0.18 | OK | | field_sqr | 0.41 | OK | | field_inv | 2.01 | OK | | field_cmov | 0.14 | OK | | field_is_zero | 3.99 | OK |

[3] CT Scalar: | Operation | |t| | Result | |-----------|-----|--------| | scalar_add | 1.12 | OK | | scalar_sub | 6.39 | OK | | scalar_cmov | 0.48 | OK | | scalar_is_zero | 0.82 | OK | | scalar_bit | 1.40 | OK | | scalar_window | 1.74 | OK |

[4] CT Point: | Operation | |t| | Result | |-----------|-----|--------| | complete_add (P+O vs P+Q) | 0.95 | OK | | complete_add (P+P vs P+Q) | 1.01 | OK | | scalar_mul (k=1 vs random) | 0.95 | OK | | scalar_mul (k=n-1 vs random) | 0.93 | OK | | generator_mul (low vs high HW) | 0.45 | OK | | point_tbl_lookup (0 vs 15) | 1.05 | OK |

[5] CT Byte Utilities: | Operation | |t| | Result | |-----------|-----|--------| | ct_memcpy_if | 1.00 | OK | | ct_memswap_if | 1.28 | OK | | ct_memzero | 0.61 | OK | | ct_compare | 0.14 | OK |

[6] Control test: fast::scalar_mul |t| = 31.22 (NOT CT -- expected, confirms the test detects leaks)

[7] Valgrind CLASSIFY/DECLASSIFY: All ct:: operations correctly classified as secret-independent.

[8] ASM inspection: Verifies ct:: code uses cmov/cmovne/cmove (branchless) instead of jz/jnz (branches).

[20/55] CT scalar_mul vs Fast Diagnostic -- PASS

Diagnostic timing comparison between CT and fast scalar multiplication paths.

Section 3/8: Differential & Cross-Library Testing -- 3/3 PASS

[21/55] Differential Correctness -- 13,007 checks

8 sub-tests with large-scale randomized differential testing:

Public key derivation: 1,000 random private keys -> pubkey, 5,002 checks
ECDSA sign + verify: 1,000 rounds internal consistency
Schnorr (BIP-340) sign + verify: 1,000 rounds internal consistency
Point arithmetic identities: algebraic law verification
Scalar arithmetic: mod n correctness
Field arithmetic: mod p correctness
ECDSA signature serialization roundtrip: compact <-> DER
BIP-340 known test vectors: official Bitcoin test vectors

[22/55] Fiat-Crypto Reference Vectors -- 647 checks

Golden vectors from Fiat-Crypto / Sage computer algebra:

Field multiplication golden vectors
Field squaring golden vectors
Field inversion golden vectors
Field add/sub boundary vectors
Scalar arithmetic golden vectors (group order n)
Point arithmetic golden vectors
Algebraic identity verification (100 rounds)
Serialization round-trip consistency

[23/55] Cross-Platform KAT -- 24 checks

Known Answer Tests that must produce identical results on all platforms:

Field arithmetic KAT
Scalar arithmetic KAT
Point operation KAT
ECDSA KAT (RFC 6979 deterministic)
Schnorr KAT (BIP-340 deterministic)
Serialization consistency KAT

Section 4/8: Standard Test Vectors (BIP-340, RFC-6979, BIP-32) -- 5/5 PASS

[24/55] BIP-340 Official Vectors -- 27 checks

Full coverage of the official Bitcoin BIP-340 Schnorr signature test vectors:

V0-V3 (sign + verify): pubkey matches, signature matches, verification passes, our signature verifies (4 vectors x 4 checks = 16)
V4 (verify-only): valid signature
V5: public key not on curve -> reject
V6: R has odd Y -> reject
V7: negated message -> reject
V8: negated s -> reject
V9: R at infinity -> reject
V10: R at infinity (x=1) -> reject
V11: R.x not on curve -> reject
V12: R.x == p -> reject
V13: s == n -> reject
V14: pk >= p -> reject

[25/55] BIP-32 Official Vectors TV1-TV5 -- 90 checks

Complete BIP-32 HD key derivation test vector coverage:

TV1: Master key + 5 derivation levels (m, m/0', m/0'/1, m/0'/1/2', m/0'/1/2'/2, m/0'/1/2'/2/1000000000) -- chain_code, priv_key, pub_key at each level
TV2: Master + 5 levels with hardened indices (2147483647')
TV3: Leading zeros retention
TV4: Leading zeros with hardened children
TV5: Serialization format (78 bytes, version bytes xprv/xpub, depth, parent fingerprint, child number, chain code, key prefix)
Public derivation consistency: Private and public derivation yield same pubkey and chain codes

[26/55] RFC 6979 Deterministic ECDSA -- 35 checks

6 nonce generation vectors: Various private keys and messages
7 ECDSA signature vectors (r + s): Including d=1, d=n-1, d=69ec, small d, tiny d
5 verify roundtrips: verify(sign(msg, priv), pub) == true
5 wrong message rejections: verify with wrong message == false
Determinism: Same (key, msg) -> identical signature
Low-S: All signatures satisfy BIP-62 low-S requirement

[27/55] FROST Reference KAT Vectors -- 9 sub-tests

Lagrange coefficient mathematical properties
FROST DKG determinism with fixed seeds
FROST DKG Feldman VSS commitment verification
FROST 2-of-3 full signing -> BIP-340 verification
FROST 3-of-5 full signing -> BIP-340 verification
Lagrange coefficients consistency across 10 subsets
Pinned KAT: DKG group key determinism
Pinned KAT: Full signing round-trip determinism
FROST DKG secret reconstruction via Lagrange interpolation

[51/55] KAT: All Operations -- ~42 checks

Known-answer tests for operations not fully covered by BIP-340 / RFC-6979 / BIP-32 vectors:

KAT-1..4: ECDH commutativity — ecdh(k₁, k₂·G) == ecdh(k₂, k₁·G) for pairs (1,2), (1,7), (2,7); ecdh vs ecdh_xonly differ
KAT-5..8: WIF encode/decode — privkey=1 → KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73NUBBy9s (mainnet compressed), testnet, uncompressed variants
KAT-9..12: P2PKH — privkey=1 → 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH; two distinct keys produce distinct addresses
KAT-13..16: P2WPKH — privkey=1 → bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4; starts with "bc1q"
KAT-17..20: P2TR format checks — starts with "bc1p" (mainnet) / "tb1p" (testnet); two keys differ
KAT-21..25: Taproot output key + taproot_verify round-trip + merkle_root changes output key
KAT-26..30: DER encoding round-trip + format check (starts 0x30)
KAT-31..34: SHA-256 NIST vectors ("abc", ""), Hash160(""), Hash160(G_compressed) = 751e76e8...
KAT-35..38: ECDH commutativity for keys 3,5 and 11,13
KAT-39..42: Pubkey arithmetic — (G+2G)−2G=G, G+G=2G, tweak_add(G,1)=2G, tweak_mul(G,7)=7G

Section 5/8: Fuzzing & Adversarial Attack Resilience -- 4/4 PASS

[28/55] Adversarial Fuzz -- 15,461 checks

10 sub-tests targeting malformed/adversarial inputs:

Malformed public key rejection (3 checks)
Invalid ECDSA signatures (4 checks)
Invalid Schnorr signatures (4 checks)
Oversized scalars (4 checks)
Boundary field elements (4 checks)
ECDSA recovery edge cases (1,000 rounds, 4,750 checks)
Random operation sequence (10,000 random ops, 1,692 checks)
DER encoding round-trip (1,000 rounds, 3,000 checks)
Schnorr signature byte round-trip (1,000 rounds, 2,000 checks)
Signature normalization / low-S (1,000 rounds, 4,000 checks)

[29/55] Parser Fuzz -- 530,018 checks

High-volume random input fuzzing with crash detection:

DER parsing: random bytes -- 100,000 random inputs, 0 accepted, 0 crashes
DER parsing: adversarial inputs -- targeted malformation
DER round-trip -- 50,000 compact -> DER -> compact roundtrips
Schnorr verify: random inputs -- 100,000 random inputs, 0 accepted, 0 crashes
Schnorr round-trip -- 10,000 sign -> verify roundtrips
Random privkey -> pubkey -- 10,000 random keys
Pubkey round-trip -- 10,000 create -> parse roundtrips
Pubkey parse: adversarial inputs -- targeted malformation
ECDSA verify: random garbage -- 50,000 random inputs, 0 accepted, 0 crashes

[30/55] Address/BIP32/FFI Boundary Fuzz -- 13 sub-tests

P2PKH address fuzz (Base58Check)
P2WPKH address fuzz (Bech32)
P2TR address fuzz (Bech32m)
WIF encode/decode fuzz
BIP32 master key from seed fuzz
BIP32 path parser fuzz
BIP32 derive (single-step) fuzz
FFI context lifecycle stress
FFI ECDSA sign/verify boundary fuzz
FFI Schnorr sign/verify boundary fuzz
FFI ECDH + tweaking boundary fuzz
FFI Taproot output key boundary fuzz
FFI error inspection

[31/55] Fault Injection Simulation -- 610 checks

Verifying that single-bit faults are always detected:

Scalar fault injection: bit-flip in k -> wrong k*G (500/500 detected)
Point coordinate fault injection (500/500)
ECDSA signature fault injection: r-fault 200/200, msg-fault 200/200, s-fault 200/200
Schnorr signature fault injection (200/200)
CT operations fault resilience: 1,000/1,000 single-bit differences detected
Cascading fault simulation: multi-step scalar_mul (100/100)
Point addition fault injection (300/300)
GLV decomposition fault resilience (200/200)

Section 6/8: Protocol Security (ECDSA, Schnorr, MuSig2, FROST) -- 9/9 PASS

[32/55] ECDSA + Schnorr -- 22 checks

SHA-256 NIST vectors ("abc", empty string)
Scalar::inverse correctness (7 * 7^{-1} == 1, random, inverse(0)==0)
Scalar::negate (a + (-a) == 0, negate(0)==0)
ECDSA: sign/verify, low-S (BIP-62), wrong message/key rejection, compact encoding, DER encoding
ECDSA determinism (RFC 6979)
Tagged hash (BIP-340): determinism, different tags -> different hashes
Schnorr BIP-340: sign/verify, wrong message rejection, roundtrip

[33/55] BIP-32 HD Derivation -- 28 checks

HMAC-SHA512 (RFC 4231 TC2)
Master key generation (depth=0, chain code, private key match TV1)
Child derivation (m/0' depth=1, chain code matches)
Path derivation (m/0'/1, m/0'/1/2', empty path fails, invalid prefix fails)
Serialization (78 bytes, xprv version, depth, fingerprint)
Seed validation (< 16 bytes rejected, 16 and 64 accepted)

[34/55] MuSig2 -- 19 checks

Key aggregation: valid point, deterministic, differs from individual keys
Nonce generation: non-zero secrets, valid R1/R2, different extra -> different nonce
2-of-2 signing: partial sig 1/2 verify, final MuSig2 sig verifies as standard Schnorr
3-of-3 signing: agg key valid, partial sig 0/1/2 verify, MuSig2 sig verifies as Schnorr
Single-signer edge case: agg key valid, partial verify OK, valid Schnorr sig

[35/55] ECDH + Recovery + Taproot -- 76 checks

ECDH: Basic key exchange, x-only variant, raw x-coordinate, zero private key edge, infinity public key edge
Recovery: Basic sign + recover, multiple different private keys, compact 65-byte serialization, wrong recovery ID, invalid signature (zero r/s)
Taproot: TapTweak hash, output key derivation, private key tweaking, commitment verification, leaf and branch hashes, Merkle tree construction, Merkle proof verification, full flow (key-path + script-path)
CT Utils: Constant-time equality, zero check, compare, secure memory zeroing, conditional copy and swap
Wycheproof: ECDSA edge cases, Schnorr edge cases, recovery edge cases

[36/55] v4 Features (Pedersen/FROST/Adaptor/Address/SP) -- 90 checks

Pedersen Commitments: generator H, commit/verify roundtrip, wrong value/blinding fails, homomorphic addition, balance proof, switch commitment, serialization (compressed prefix, 33 bytes), zero-value commitment
FROST: Lagrange coefficients (l1=2, l2=-1, interpolation), key generation (poly degree, share count, 3 participants, group keys match), 2-of-3 signing
Schnorr Adaptor: R_hat valid, pre-signature valid, adapted sig valid Schnorr, extract secret matches
ECDSA Adaptor: R_hat valid, r nonzero, adaptor verify, adapted ECDSA nonzero, extract secret matches
Identity adaptor: edge case
Base58Check: encode, leading ones, decode, size, roundtrip
Bech32/Bech32m: encode, prefix bc1/bc1p, decode, witness version 0/1, program 20/32 bytes
HASH160: deterministic, different inputs
P2PKH: starts with 1, valid length, testnet prefix
P2WPKH: bc1q prefix, testnet tb1q, decode, version 0, 20-byte program
P2TR: bc1p prefix, decode, version 1, 32-byte program
WIF: compressed (K/L prefix), uncompressed (5 prefix), testnet, roundtrip
Address consistency: deterministic, different keys -> different addresses
Silent Payments: scan/spend key valid, address encoded with prefix, output key derivation, tweak nonzero, detection (1 and 3 outputs), derived key matches

[37/55] Coins Layer -- 32 checks

CurveContext: secp256k1_default(), with_generator(custom), derive_public_key, effective_generator
CoinParams: 27 coins defined, Bitcoin/Ethereum values, find_by_ticker + find_by_coin_type
Keccak-256: empty string, "abc", incremental == one-shot
Ethereum: address format (0x + 40 hex), EIP-55 checksum verify, case sensitivity
Coin addresses: Bitcoin P2PKH(1), P2WPKH(bc1q), Litecoin(ltc1q), Dogecoin(D), Ethereum(EIP-55), Dash(X), Dogecoin P2WPKH(empty -- no SegWit)
WIF per-coin: Bitcoin(K/L), Litecoin(T)
BIP-44 HD: Bitcoin taproot(m/86'/0'/0'/0/0), Ethereum(m/44'/60'/0'/0/0), best_purpose selection, seed -> key, seed -> BTC address, seed -> ETH address
Custom generator: coin_derive with custom G, deterministic derivation
Full pipeline: same key -> different addresses per coin

[38/55] MuSig2 + FROST Protocol Suite -- 975 checks

15 sub-tests with protocol-level verification:

MuSig2 key aggregation determinism (273 checks)
MuSig2 key aggregation ordering matters
MuSig2 key aggregation duplicate keys
MuSig2 full round-trip: 2 signers
MuSig2 full round-trip: 3 signers
MuSig2 full round-trip: 5 signers
MuSig2 wrong partial sig fails verify
MuSig2 bit-flip invalidates final signature
FROST DKG 2-of-3
FROST DKG 3-of-5
FROST signing 2-of-3
FROST signing 3-of-5
FROST different 2-of-3 subsets all valid
FROST bit-flip invalidates signature
FROST wrong partial sig fails verify

[39/55] MuSig2 + FROST Adversarial -- 316 checks

9 sub-tests targeting protocol-level attacks:

Rogue-key resistance: Attacker cannot bias aggregated key
Key coefficient depends on full group: Changing group changes coefficients
Different messages -> different signatures (100 rounds)
Nonce binding: Fresh nonces -> different R values (60 rounds)
Fault injection: Wrong key in partial sign detected
Malicious participant -- bad DKG share: Detected and rejected
Malicious participant -- bad partial sig: Detected and rejected
Message binding: Different messages -> different signatures (40 rounds)
Signer set binding: Same key, different subsets -> different results

[40/55] Integration -- 13,811 checks

10 sub-tests for cross-protocol integration:

ECDH key exchange symmetry (1,000 rounds, 4,001 checks)
Schnorr batch verification
ECDSA batch verification
ECDSA sign -> recover -> verify (1,000 rounds)
Schnorr individual vs batch (500 rounds)
Fast vs CT integration cross-check (500 rounds)
Combined ECDH + ECDSA protocol flow (100 rounds)
Multi-key consistency (point addition, 200 rounds)
Schnorr/ECDSA key consistency (200 rounds)
Stress: mixed protocol ops (5,000 rounds, 100% success)

[41/55] ZK Proofs Audit -- ~1,500 checks

7 sub-sections covering the full ZK proof layer (secp256k1::zk):

ZK-1 Knowledge Proof (standard G): round-trip prove/verify (100 iterations), wrong-pubkey rejection (100), tampered-rx rejection (50), tampered-s rejection (50), wrong-message rejection (100)
ZK-2 Knowledge Proof (arbitrary base): round-trip prove/verify (50 iterations), arbitrary-base proof rejected by standard verifier, wrong-base rejection (50)
ZK-3 DLEQ Proof: round-trip prove/verify (100 iterations), swapped P/Q rejection (100), wrong-Q rejection (100), tampered-challenge rejection (50)
ZK-4 Range Proof (Bulletproof 64-bit): boundary values 0, 1, 2³¹, 2³²−1, 2³², 2⁶³−1, 2⁶³, 2⁶⁴−1; random values (20); tampered-commitment rejection (15)
ZK-5 Serialization: KnowledgeProof serialize/deserialize (30); DLEQProof serialize/deserialize (30); corrupted-byte rejection
ZK-6 Pedersen Homomorphism: C(v1,r1)+C(v2,r2) == C(v1+v2, r1+r2) (30 iterations); wrong-blinding gives different point
ZK-7 Batch Range Verify: all-valid batch passes; single-invalid-proof causes full batch failure

Source: audit/audit_zk.cpp | Added: v3.22.0

Section 7/8: ABI & Memory Safety -- 9/9 PASS

[42/55] Cross-ABI / FFI Round-Trip Tests -- 28 sub-tests

Complete round-trip coverage through the ufsecp_* C API boundary (28 sections):

Context lifecycle, key generation (compressed/uncompressed/x-only), ECDSA sign→verify→DER encode/decode, recoverable signatures, Schnorr/BIP-340, ECDH variants, BIP-32 derivation, address generation (P2PKH/P2WPKH/P2TR), WIF encode/decode, hashing (SHA-256, Hash160, tagged hash), Taproot, key tweaks, cross-context verification, pubkey arithmetic, batch verify, ZK proofs, multi-scalar, multi-coin wallet, Bitcoin message signing, MuSig2, adaptor signatures.

All tests go through the C ABI (ufsecp_*) verifying the FFI layer correctly marshals data without corruption.

[43/55] Security Hardening -- 17,309 checks

10 sub-tests covering defensive security:

Zero / identity key handling (5 checks)
Secret zeroization (ct_memzero verification)
Bit-flip resilience on signatures (1,000 rounds)
Message bit-flip detection (1,000 rounds)
Nonce determinism (RFC 6979 compliance)
Serialization round-trip integrity
Compact recovery serialization (1,000 rounds)
Double operations idempotency
Cross-algorithm consistency (ECDSA/Schnorr same key)
High-S detection (3,000 rounds)

[44/55] Debug Invariant Assertions -- 372 checks

6 sub-tests verifying internal consistency invariants:

Field element normalization invariant
Point on-curve invariant
Scalar validity invariant
Debug assertion macro integration
Full computation chain with invariant checks
Debug counter accumulation (11 invariant checks tracked)

[45/55] ABI Version Gate -- 12 checks

Compile-time ABI compatibility verification ensuring header and library versions match.

[46/55] C ABI Negative Contract Tests -- ~150 checks

Systematic negative testing of all 50+ ufsecp_* C API functions for correct error propagation. Every function must return the documented error code (never crash, never silently succeed) when called with:

NULL required pointers → UFSECP_ERR_NULL_ARG
Zero private key (= 0 mod n) → UFSECP_ERR_BAD_KEY
Key equal to group order (= 0 mod n) → UFSECP_ERR_BAD_KEY
All-zero / off-curve public key → UFSECP_ERR_BAD_PUBKEY or error
All-zero signature (R = 0) → UFSECP_ERR_BAD_SIG or UFSECP_ERR_VERIFY_FAIL
Wrong public key in verify → UFSECP_ERR_VERIFY_FAIL
Truncated / garbage DER → UFSECP_ERR_BAD_INPUT
Output buffer too small → UFSECP_ERR_BUF_TOO_SMALL
BIP-32 seed length < 16 bytes → UFSECP_ERR_BAD_INPUT

Covers 12 function groups: context, seckey, pubkey, ECDSA, Schnorr, ECDH, hashing, addresses, WIF, BIP-32, Taproot, pubkey arithmetic.

[52/55] Secure Memory Erasure Verification -- 25 checks

Verifies secp256k1::detail::secure_erase() actually zeroes memory and that the zeroing survives compiler dead-store elimination optimisations (volatile-pointer readback test):

SE-1..8: Heap buffers of sizes 1, 2, 4, 8, 16, 32, 64, 128 bytes zeroed correctly
SE-9..12: Stack buffers (32-byte, 64-byte), std::array<uint8_t,32>, scalar-sized struct
SE-13..14: Zero-length erase is safe; 256-byte heap buffer zeroed
SE-15..20: Signing path nonce determinism — same (key, msg) → identical ECDSA sig twice (proves nonce state is erased and re-derived, not leaked or reused)
SE-21..24: 0xA5 and 0xFF sentinel patterns survive until erase call, then zero
SE-25: Schnorr BIP-340 nonce determinism (aux=0)

[53/55] CT Namespace Discipline (Source-Level Scan) -- ~20 checks

Source-level static analysis verifying every code path handling secret data uses secp256k1::ct:: (constant-time) operations and not secp256k1::fast:: (variable-time):

Opens cpu/src/ct_sign.cpp, ecdh.cpp, bip32.cpp, taproot.cpp, musig2.cpp at runtime
Strips C++ comments before scanning to eliminate false positives in comment text
Required patterns: ct::generator_mul, ct::scalar_inverse, secure_erase, ct::scalar_mul, secp256k1/ct/
Prohibited patterns: fast::generator_mul, fast::scalar_mul, fast::point_mul
Structural checks: ct_sign.cpp must not #include "secp256k1/fast.hpp"; must include detail/secure_erase.hpp; ecdh.cpp must include ct/point.hpp and call secure_erase
Advisory skip (not hard fail) when source tree is absent (binary-only deployment)

[54/55] RFC 6979 Nonce Uniqueness Monitor -- 30 checks

Comprehensive verification of nonce determinism, uniqueness, and isolation:

NU-1..6: ECDSA RFC 6979 determinism — same (key=1, msg[i]) → identical sig across 3 calls
NU-7..12: ECDSA r-value uniqueness — 6 distinct messages with same key → 6 distinct r values
NU-13..17: ECDSA key isolation — 5 different keys, same message → 5 distinct r values
NU-18..21: Schnorr BIP-340 determinism — aux_rand=0, 4 messages, each stable across 3 calls
NU-22..25: Schnorr R.x uniqueness — 4 distinct messages → 4 distinct R.x commitments
NU-26..28: Hedged Schnorr — 3 different aux_rand bytes → 3 different R values (BIP-340 randomness)
NU-29: ECDSA r ≠ Schnorr R.x for same (key, msg) — different nonce derivation paths
NU-30: 5-key × 5-msg matrix — 25 ECDSA signatures → 25 pairwise distinct r values

[55/55] Public Parse Path Strictness Audit -- ~60 checks

Systematically verifies that every public parse/decode function rejects ALL malformed inputs with the correct documented error code — never silently accepting corrupt data. This directly addresses the "Parsing and Validation Unification" engineering requirement.

PS-1..16: ufsecp_pubkey_parse (compressed) — all-zero, all-0xFF, x=0, prefix 0x01/0x05, truncated (32-byte, 1-byte, 0-byte), NULL, parity-flip
PS-17..22: ufsecp_seckey_verify — scalar=0, scalar=n, scalar=n+1, scalar=0xFF×32; scalar=1 and scalar=n−1 accepted
PS-23..30: ufsecp_ecdsa_sig_from_der — all-zero, wrong tag (0x00, 0x31), truncated, inflated length, zero-length, NULL; valid DER round-trips
PS-31..36: ufsecp_wif_decode — NULL, empty string, single char, corrupted checksum, garbage WIF-length; valid WIF decodes to correct key
PS-37..40: ufsecp_bip32_master — NULL seed, 15-byte seed (<16 BIP-32 minimum), zero-length; 32-byte seed accepted
PS-41..48: ufsecp_pubkey_parse (uncompressed, 65-byte) — all-zero, x=0/y=0, x=G.x/y=0 (off-curve), prefix 0x05/0x06 (hybrid), truncated; valid uncompressed round-trips
PS-49..53: ufsecp_pubkey_xonly — NULL, x=0, x=p (field prime), x=2 (not on curve); valid compressed → x-only extraction correct

Section 8/8: Performance Validation & Regression -- 4/4 PASS

[47/55] Accelerated Hashing -- 877 checks

Hardware-accelerated hash function validation:

Feature detection: SHA-NI, AVX2, AVX-512
SHA-256: NIST known vectors, sha256_33, sha256_32 correctness
RIPEMD-160: Known vectors, ripemd160_32 correctness
Hash160: Pipeline correctness (SHA-256 + RIPEMD-160)
Double-SHA256: Correctness
Batch operations: Batch hash correctness
SHA-NI vs scalar cross-check: Hardware vs software must match
Benchmark: SHA-NI 49.1 ns vs scalar 364.6 ns (7.4x speedup), batch Hash160 1.92 Mkeys/s

[48/55] SIMD Batch Operations -- 8 checks

Runtime detection (AVX-512 / AVX2)
Batch field add, sub, mul, square
Batch field inverse (Montgomery's trick)
Single element batch inverse
Batch inverse with explicit scratch buffer

[49/55] Multi-Scalar & Batch Verify -- 16 checks

Shamir's trick: shamir(7,G,13,5G)==72G, zero scalar edges
Multi-scalar mul: 1 point, 3 points (2G+6G+15G=23G), 0 points=infinity, G+(-G)=infinity
Schnorr batch: 5 valid pass, individual agrees, corrupted sig#2 detected, identify finds #2, empty=true, single entry
ECDSA batch: 4 valid pass, corrupted sig#1 detected, identify finds #1

[50/55] Performance Smoke -- PASS

Sign/verify roundtrip timing sanity check.

Additional CTest Targets (Outside Unified Audit)

These tests run as separate CTest executables and are included in the 24/24 CTest pass:

Target	What it tests
`secp256k1_doubling_equivalence`	dbl(P) == add(P, P) for many points
`secp256k1_add_jacobian_vs_affine`	Jacobian addition matches affine addition
`secp256k1_generator_vs_generic_small`	generator_mul(k) matches generic scalar_mul(G, k) for small k

Unified Audit Platform Results

Platform	Compiler	Tests	Result
X64 (Windows)	Clang 21.1.0	24/24 CTest, 55/55 audit	ALL PASS
ARM64 (QEMU)	Cross-compiled	24/24 CTest	ALL PASS
RISC-V (QEMU)	Cross-compiled	24/24 CTest	ALL PASS
RISC-V (Mars HW, JH7110 U74)	Clang 21.1.8	55/55 unified audit	ALL PASS

See Full Platform Matrix below for all 16 CI configurations.

How to Run

# Configure
cmake -S Secp256K1fast -B build_rel -G Ninja -DCMAKE_BUILD_TYPE=Release

# Build
cmake --build build_rel -j

# Run all CTest targets
ctest --test-dir build_rel --output-on-failure

# Run unified audit only
./build_rel/audit/unified_audit_runner

CI/CD Pipeline -- Full Infrastructure

23 GitHub Actions Workflows

#	Workflow	Trigger	What it does
1	CI	push/PR dev,main	Core build+test matrix, including ARM64 + RISC-V cross-build/QEMU smoke
2	Security Audit	push main, weekly	-Werror, ASan+UBSan, Valgrind, dudect smoke
3	Nightly	daily 03:00 UTC	Extended differential (1.3M+ checks), longer dudect, sanitizer expansion
4	Audit Report	push/manual	`unified_audit_runner` structured report
5	CT Verification	push/PR	ct-verif formal pass
6	CT ARM64	push/PR	Native ARM64 dudect
7	Valgrind CT	push/PR	CT taint analysis
8	Bindings	push/PR	binding compile + smoke coverage
9	Benchmark Dashboard	push	benchmark publication
10	Bench Regression	push/PR	perf regression gate
11	CodeQL	push/PR/weekly	GitHub SAST
12	SonarCloud	push/PR	static analysis + quality hotspots
13	Clang-Tidy	push/PR	static analysis
14	CPPCheck	push/PR	static analysis
15	ClusterFuzz-Lite	push	continuous fuzzing integration
16	Mutation	scheduled	mutation score checks
17	Dependency Review	PRs	vulnerable dependency scan
18	OpenSSF Scorecard	weekly	supply-chain security score
19	Docs	push main	docs publication
20	Packaging	push/PR	package validation
21	Release	release tags	signed multi-platform artifacts
22	Preflight	PR	fast pre-merge smoke gate
23	Discord Commits	push	commit notifications

CI Build Matrix (ci.yml)

Platform	Compiler	Configs	Tests
Linux x64	gcc-13	Debug, Release	CTest (all except ct_sidechannel)
Linux x64	clang-17	Debug, Release	CTest (all except ct_sidechannel)
Linux ARM64	aarch64-linux-gnu-g++-13	Release (cross)	QEMU smoke: `run_selftest smoke`, `test_bip324_standalone`, `bench_kP`, `bench_bip324`
Linux RISC-V 64	riscv64-linux-gnu-g++-13	Release (cross)	QEMU smoke: `run_selftest smoke`, `test_bip324_standalone`, `bench_kP`, `bench_bip324`
Windows x64	MSVC 2022	Release	CTest
macOS ARM64	Apple Clang	Release	CTest + Metal GPU benchmarks
iOS	Xcode	OS, SIMULATOR	Static library build
iOS XCFramework	Xcode	Universal	XCFramework artifact
ROCm/HIP	hipcc (gfx906-gfx1100)	Release	CPU tests (compile-check GPU)
WASM	Emscripten 3.1.51	Release	Node.js benchmark
Android	NDK r27c	arm64-v8a, armeabi-v7a, x86_64	Binary verification + JNI; ARM64 also verifies `bench_kP` + `bench_bip324` outputs exist
Sanitizers	clang-17	ASan+UBSan	CTest under sanitizers
Sanitizers	clang-17	TSan	CTest under thread sanitizer
Coverage	clang-17	Debug + profiling	LLVM source-based coverage -> Codecov

Total CI matrix: 17 configurations across 7 operating systems / architectures.

Sanitizer Testing (CRITICAL)

ASan + UBSan (ci.yml + security-audit.yml)

Compiler: clang-17 with -fsanitize=address,undefined -fno-sanitize-recover=all
Options: ASAN_OPTIONS=detect_leaks=1:halt_on_error=1, UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1
Scope: All CTest targets (excluding ct_sidechannel timing test)
Runs on: Every push to dev/main + every PR

TSan -- Thread Sanitizer (ci.yml)

Compiler: clang-17 with -fsanitize=thread
Scope: All CTest targets
Purpose: Detect data races in potential multi-threaded usage

Valgrind Memcheck (security-audit.yml)

Tool: Valgrind with --leak-check=full --error-exitcode=1
Leak detection: definite, indirect, possible (all three)
Suppressions: Custom valgrind.supp file
Post-check: Grep for ERROR SUMMARY: [1-9] and definitely lost: [1-9]
Runs on: Every push to main + weekly

-Werror Build (security-audit.yml)

Compiler: gcc-13 with -Werror -Wall -Wextra -Wpedantic -Wconversion -Wshadow
Purpose: Zero compiler warnings enforced

Coverage-Guided Fuzzing (libFuzzer)

3 libFuzzer harnesses in cpu/fuzz/:

Harness	Target	Input Size	Invariants Checked
`fuzz_field`	FieldElement arithmetic	64 bytes (2 x 32B)	add/sub roundtrip, mul-by-1 identity, aa==square, ainv(a)==1
`fuzz_scalar`	Scalar arithmetic	64 bytes (2 x 32B)	add/sub roundtrip, mul-by-1, a-a==0, a+0==a, distributive law
`fuzz_point`	Point operations	32 bytes (1 scalar)	on-curve, compressed/uncompressed roundtrip, P+(-P)==O, dbl==add(P,P)

Build: clang++ -fsanitize=fuzzer,address -O2 -std=c++20 Run: ./fuzz_field -max_len=64 -runs=10000000

All harnesses use __builtin_trap() on invariant violation (instant crash -> corpus saved).

Plus deterministic pseudo-fuzz tests in audit/ (built with -DSECP256K1_BUILD_FUZZ_TESTS=ON):

test_fuzz_parsers: DER parser, Schnorr verify, pubkey parse -- 530K+ random inputs
test_fuzz_address_bip32_ffi: Address/BIP32/FFI boundary fuzz -- 13 sub-tests

Nightly Extended Testing (nightly.yml)

Runs daily at 03:00 UTC with configurable parameters:

Test	Default	Duration
Extended Differential	100x multiplier (~1.3M random checks)	up to 60 min
dudect Full Statistical	1800s timeout (30 min)	up to 45 min

Extended Differential: Same as audit module [22/55] but with 100x more random cases. dudect Full: No DUDECT_SMOKE define -- runs full statistical analysis with larger sample sizes.

Static Analysis

Tool	Scope	Frequency
CodeQL	C/C++ SAST (security-and-quality)	Every push + weekly
SonarCloud	Static analysis + coverage metrics	Every push/PR
clang-tidy-17	Lint + modernize checks	Every push to dev/main (cpu/)
-Werror build	gcc-13 with Wpedantic, Wconversion, Wshadow	Every push to main

Bindings CI (12 Languages)

C API builds as shared library on Linux/macOS/Windows, then each binding is compile-checked:

Binding	Tool	Check Type
Python	py_compile + pyflakes	Syntax + lint
C# (.NET 8)	dotnet build	Full compile
Rust	cargo check + clippy	Type-check + lint
Node.js	node --check + tsc	Syntax + TypeScript types
PHP 8.3	php -l	Syntax check
Go 1.22	go vet + go build	Vet + syntax
Java 21 (JNI)	javac + gcc -fsyntax-only	Class compile + JNI bridge syntax
Swift	swift build + swiftc -typecheck	Compile + type check
React Native	node --check + javac	JS syntax + Android Java
Ruby 3.3	ruby -c + gem build	Syntax + gemspec
Dart	dart pub get + dart analyze	Dependencies + analysis

Supply Chain Security

Mechanism	Tool
Runner hardening	step-security/harden-runner (egress audit) on ALL CI jobs
Pinned actions	Every `uses:` action has SHA-pinned commit hash
Dependency review	actions/dependency-review-action on all PRs
OpenSSF Scorecard	Weekly analysis + SARIF upload to GitHub Security
SBOM generation	Part of release pipeline

Performance Benchmarks (benchmark.yml)

Platform	Config	Tool
Linux (ubuntu-latest)	Release, ASM=ON	bench_unified -> JSON -> github-action-benchmark
Windows (windows-latest)	Release, MSVC	bench_unified -> summary

Dashboard: GitHub Pages (gh-pages branch)
Alert threshold: 150% (warns if >50% slower than baseline)
Tracking: Continuous on every push to dev/main

Release Pipeline (release.yml)

Multi-platform release on tag push:

Artifact	Platform	Format
Desktop binaries	Linux x64, macOS ARM64, Windows x64	.tar.gz / .zip
Static library	All 3 platforms	libfastsecp256k1.a / .lib
Shared library (C API)	All 3 platforms	.so / .dylib / .dll
iOS XCFramework	iOS + Simulator	.xcframework
Android AAR	arm64-v8a, armeabi-v7a, x86_64	.aar
WASM	Browser/Node.js	.wasm + .js + .mjs
Python wheel	Linux/macOS/Windows	.whl
.NET NuGet	Cross-platform	.nupkg
Rust crate	Cross-platform	crates.io publish
npm package	Cross-platform	npm publish
Ruby gem	Cross-platform	.gem
Dart package	Cross-platform	pub.dev publish
Linux packages	amd64, arm64	.deb + .rpm

Packaging (packaging.yml)

Format	Architectures	Repo
.deb	amd64, arm64	GitHub Pages APT repository
.rpm	x86_64	Attached to GitHub Release

APT install: sudo apt install libufsecp-dev

Audit Gap Analysis

What IS Covered

Category	Status	Evidence
Mathematical correctness (Fp, Zn, Group)	COVERED	55/55 audit modules, 1M+ checks
Constant-time layer + equivalence	COVERED	dudect smoke + full, CT deep, ASM inspection, Valgrind CLASSIFY/DECLASSIFY
Standard test vectors (BIP-340/32, RFC 6979, FROST)	COVERED	Official vectors verified
Randomized differential testing	COVERED	13K+ checks (CI) + 1.3M (nightly)
Fiat-Crypto reference vectors	COVERED	Golden vectors from computer algebra
Cross-platform KAT	COVERED	X64, ARM64, RISC-V all identical
Parser/adversarial fuzzing (deterministic)	COVERED	530K+ random inputs, 0 crashes
Coverage-guided fuzzing	COVERED	3 libFuzzer harnesses (field, scalar, point) + ASan
Fault injection simulation	COVERED	610+ single-bit fault checks
Protocol security (ECDSA, Schnorr, MuSig2, FROST)	COVERED	Full protocol suites + adversarial
ASan + UBSan	COVERED	CI on every push (clang-17)
TSan	COVERED	CI on every push (clang-17)
Valgrind memcheck	COVERED	security-audit.yml weekly + on push
Static analysis (CodeQL, SonarCloud, clang-tidy)	COVERED	3 tools on every push
Code coverage (Codecov)	COVERED	LLVM source-based profiling
Misuse/abuse tests (null ctx, invalid lengths, FFI)	COVERED	Module [31/55] + [42/55]
Multi-platform build (17 configurations)	COVERED	CI matrix
Supply-chain hardening	COVERED	Pinned actions, harden-runner, Scorecard, Dependency Review
Performance regression tracking	COVERED	Benchmark dashboard with alerts
Language bindings (12 languages)	COVERED	Bindings CI on every push

What Is NOT Yet Covered (Future Work)

Category	Status	Notes
Cross-library differential (vs bitcoin-core/libsecp256k1)	NOT YET	Would be strongest credibility signal for external auditors; nightly has `test_cross_libsecp256k1` but not in unified runner
GPU correctness audit	DEFERRED	Separate report when GPU side is complete
GPU memory safety (compute-sanitizer)	DEFERRED	Separate report
Reproducible build proof	NOT YET	Two independent machines -> identical binary hash
SBOM (CycloneDX/SPDX)	PARTIAL	Generated in release pipeline
Deep dudect (perf counters, cache probes)	PARTIAL	dudect full runs nightly; perf stat / cache analysis not automated

Full Platform Matrix

Platform	Architecture	Compiler	Build	Test	Sanitizers	Fuzz
Linux	x86_64	gcc-13	Debug+Release	CTest 24/24	-	-
Linux	x86_64	clang-17	Debug+Release	CTest 24/24	ASan+UBSan, TSan	libFuzzer
Linux	aarch64	aarch64-g++-13	Release (cross)	Binary verify	-	-
Windows	x86_64	MSVC 2022	Release	CTest 24/24	-	-
macOS	ARM64	Apple Clang	Release	CTest + Metal	-	-
iOS	ARM64	Xcode	Release	Static lib	-	-
iOS Simulator	x86_64/ARM64	Xcode	Release	Static lib	-	-
Android	arm64-v8a	NDK r27c	Release	Binary verify	-	-
Android	armeabi-v7a	NDK r27c	Release	Binary verify	-	-
Android	x86_64	NDK r27c	Release	Binary verify	-	-
ROCm/HIP	gfx906-gfx1100	hipcc	Release	CPU tests	-	-
WASM	wasm32	Emscripten 3.1.51	Release	Node.js bench	-	-
X64 Local	x86_64	Clang 21.1.0	Release	55/55 audit	-	-
ARM64 Local	aarch64	Cross (QEMU)	Release	24/24 CTest	-	-
RISC-V Local	rv64gc	Cross (QEMU)	Release	24/24 CTest	-	-
RISC-V HW	JH7110 U74	Clang 21.1.8	Release	55/55 audit	-	-

Total: 16 platform/compiler combinations, 7 architectures, 5 operating systems.

How to Run

# Configure
cmake -S Secp256K1fast -B build_rel -G Ninja -DCMAKE_BUILD_TYPE=Release

# Build
cmake --build build_rel -j

# Run all CTest targets
ctest --test-dir build_rel --output-on-failure

# Run unified audit only
./build_rel/audit/unified_audit_runner

# Run libFuzzer harnesses (requires clang)
cd cpu/fuzz
clang++ -fsanitize=fuzzer,address -O2 -std=c++20 \
  -I ../include fuzz_field.cpp ../src/field.cpp -o fuzz_field
./fuzz_field -max_len=64 -runs=10000000

# Run with sanitizers
cmake -S . -B build/asan -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_CXX_COMPILER=clang++-17 \
  -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined" \
  -DSECP256K1_BUILD_TESTS=ON
cmake --build build/asan -j
ctest --test-dir build/asan --output-on-failure

# Run Valgrind
valgrind --leak-check=full --error-exitcode=1 ./build_rel/audit/unified_audit_runner

Generated from unified_audit_runner v3.14.0 output + CI workflow analysis on 2026-02-25.

53 KiB Raw Permalink Blame History Unescape Escape

UltrafastSecp256k1 -- Full Audit Coverage

Summary

Coverage Interpretation

Section 1/8: Mathematical Invariants (Fp, Zn, Group Laws) -- 15/15 PASS

[1/55] SEC2 v2.0 Specification Oracle -- 13 checks

[2/55] Post-Operation Invariant Monitor -- ~5,000 checks

[3/55] Field Fp Deep Audit -- 264,622 checks

[4/55] Scalar Zn Deep Audit -- 93,215 checks

[5/55] Point Operations Deep Audit -- 116,124 checks

[6/55] Field & Scalar Arithmetic -- 4,237 checks

[7/55] Arithmetic Correctness -- 7 suites, 55 checks

[8/55] Scalar Multiplication -- 319 checks

[9/55] Exhaustive Algebraic Verification -- 5,399 checks

[10/55] Comprehensive 500+ Suite -- 12,023 checks (10 skipped)

[11/55] ECC Property-Based Invariants -- 89 checks

[12/55] Affine Batch Addition -- 548 checks

[13/55] Carry Chain Stress -- 247 checks

[14/55] FieldElement52 (5x52 Lazy-Reduction) -- 267 checks

[15/55] FieldElement26 (10x26 Lazy-Reduction) -- 269 checks

Section 2/8: Constant-Time & Side-Channel Analysis -- 5/5 PASS

[16/55] CT Deep Audit -- 120,651 checks

[17/55] Constant-Time Layer Tests -- 60 checks

[18/55] FAST == CT Equivalence -- 320 checks

[19/55] Side-Channel Dudect Smoke -- 34 checks

[20/55] CT scalar_mul vs Fast Diagnostic -- PASS

Section 3/8: Differential & Cross-Library Testing -- 3/3 PASS

[21/55] Differential Correctness -- 13,007 checks

[22/55] Fiat-Crypto Reference Vectors -- 647 checks

[23/55] Cross-Platform KAT -- 24 checks

Section 4/8: Standard Test Vectors (BIP-340, RFC-6979, BIP-32) -- 5/5 PASS

[24/55] BIP-340 Official Vectors -- 27 checks

[25/55] BIP-32 Official Vectors TV1-TV5 -- 90 checks

[26/55] RFC 6979 Deterministic ECDSA -- 35 checks

[27/55] FROST Reference KAT Vectors -- 9 sub-tests

[51/55] KAT: All Operations -- ~42 checks

Section 5/8: Fuzzing & Adversarial Attack Resilience -- 4/4 PASS

[28/55] Adversarial Fuzz -- 15,461 checks

[29/55] Parser Fuzz -- 530,018 checks

[30/55] Address/BIP32/FFI Boundary Fuzz -- 13 sub-tests

[31/55] Fault Injection Simulation -- 610 checks

Section 6/8: Protocol Security (ECDSA, Schnorr, MuSig2, FROST) -- 9/9 PASS

[32/55] ECDSA + Schnorr -- 22 checks

[33/55] BIP-32 HD Derivation -- 28 checks

[34/55] MuSig2 -- 19 checks

[35/55] ECDH + Recovery + Taproot -- 76 checks

[36/55] v4 Features (Pedersen/FROST/Adaptor/Address/SP) -- 90 checks

[37/55] Coins Layer -- 32 checks

[38/55] MuSig2 + FROST Protocol Suite -- 975 checks

[39/55] MuSig2 + FROST Adversarial -- 316 checks

[40/55] Integration -- 13,811 checks

[41/55] ZK Proofs Audit -- ~1,500 checks

Section 7/8: ABI & Memory Safety -- 9/9 PASS

[42/55] Cross-ABI / FFI Round-Trip Tests -- 28 sub-tests

[43/55] Security Hardening -- 17,309 checks

[44/55] Debug Invariant Assertions -- 372 checks

[45/55] ABI Version Gate -- 12 checks

[46/55] C ABI Negative Contract Tests -- ~150 checks

[52/55] Secure Memory Erasure Verification -- 25 checks

[53/55] CT Namespace Discipline (Source-Level Scan) -- ~20 checks

[54/55] RFC 6979 Nonce Uniqueness Monitor -- 30 checks

[55/55] Public Parse Path Strictness Audit -- ~60 checks

Section 8/8: Performance Validation & Regression -- 4/4 PASS

[47/55] Accelerated Hashing -- 877 checks

[48/55] SIMD Batch Operations -- 8 checks

[49/55] Multi-Scalar & Batch Verify -- 16 checks

[50/55] Performance Smoke -- PASS

Additional CTest Targets (Outside Unified Audit)

Unified Audit Platform Results

How to Run

CI/CD Pipeline -- Full Infrastructure

23 GitHub Actions Workflows

CI Build Matrix (ci.yml)

Sanitizer Testing (CRITICAL)

ASan + UBSan (ci.yml + security-audit.yml)

TSan -- Thread Sanitizer (ci.yml)

Valgrind Memcheck (security-audit.yml)

-Werror Build (security-audit.yml)

Coverage-Guided Fuzzing (libFuzzer)

Nightly Extended Testing (nightly.yml)

53 KiB

Raw Permalink Blame History