Bitcoin ABC 0.33.6
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "util.h"
27
28#include "../contrib/lax_der_parsing.c"
29#include "../contrib/lax_der_privatekey_parsing.c"
30
31#include "modinv32_impl.h"
32#ifdef SECP256K1_WIDEMUL_INT128
33#include "modinv64_impl.h"
34#include "int128_impl.h"
35#endif
36
37#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
38
39static int COUNT = 64;
40static secp256k1_context *CTX = NULL;
41static secp256k1_context *STATIC_CTX = NULL;
42
43static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
44 const unsigned char *p = s;
45 size_t i;
46
47 for (i = 0; i < n; i++) {
48 if (p[i] != value) {
49 return 0;
50 }
51 }
52 return 1;
53}
54
55/* TODO Use CHECK_ILLEGAL(_VOID) everywhere and get rid of the uncounting callback */
56/* CHECK that expr_or_stmt calls the illegal callback of ctx exactly once
57 *
58 * For checking functions that use ARG_CHECK_VOID */
59#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) do { \
60 int32_t _calls_to_illegal_callback = 0; \
61 secp256k1_callback _saved_illegal_cb = ctx->illegal_callback; \
62 secp256k1_context_set_illegal_callback(ctx, \
63 counting_illegal_callback_fn, &_calls_to_illegal_callback); \
64 { expr_or_stmt; } \
65 ctx->illegal_callback = _saved_illegal_cb; \
66 CHECK(_calls_to_illegal_callback == 1); \
67} while(0);
68
69/* CHECK that expr calls the illegal callback of ctx exactly once and that expr == 0
70 *
71 * For checking functions that use ARG_CHECK */
72#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
73
74static void counting_illegal_callback_fn(const char* str, void* data) {
75 /* Dummy callback function that just counts. */
76 int32_t *p;
77 (void)str;
78 p = data;
79 CHECK(*p != INT32_MAX);
80 (*p)++;
81}
82
83static void uncounting_illegal_callback_fn(const char* str, void* data) {
84 /* Dummy callback function that just counts (backwards). */
85 int32_t *p;
86 (void)str;
87 p = data;
88 CHECK(*p != INT32_MIN);
89 (*p)--;
90}
91
92static void random_field_element_magnitude(secp256k1_fe *fe, int m) {
93 secp256k1_fe zero;
94 int n = secp256k1_testrand_int(m + 1);
95 secp256k1_fe_normalize(fe);
96 if (n == 0) {
97 return;
98 }
99 secp256k1_fe_clear(&zero);
100 secp256k1_fe_negate(&zero, &zero, 0);
101 secp256k1_fe_mul_int_unchecked(&zero, n - 1);
102 secp256k1_fe_add(fe, &zero);
103#ifdef VERIFY
104 CHECK(fe->magnitude == n);
105#endif
106}
107
108static void random_fe_test(secp256k1_fe *x) {
109 unsigned char bin[32];
110 do {
111 secp256k1_testrand256_test(bin);
112 if (secp256k1_fe_set_b32_limit(x, bin)) {
113 return;
114 }
115 } while(1);
116}
117
118static void random_fe_non_zero_test(secp256k1_fe *fe) {
119 do {
120 random_fe_test(fe);
121 } while(secp256k1_fe_is_zero(fe));
122}
123
124static void random_fe_magnitude(secp256k1_fe *fe) {
125 random_field_element_magnitude(fe, 8);
126}
127
128static void random_ge_x_magnitude(secp256k1_ge *ge) {
129 random_field_element_magnitude(&ge->x, SECP256K1_GE_X_MAGNITUDE_MAX);
130}
131
132static void random_ge_y_magnitude(secp256k1_ge *ge) {
133 random_field_element_magnitude(&ge->y, SECP256K1_GE_Y_MAGNITUDE_MAX);
134}
135
136static void random_gej_x_magnitude(secp256k1_gej *gej) {
137 random_field_element_magnitude(&gej->x, SECP256K1_GEJ_X_MAGNITUDE_MAX);
138}
139
140static void random_gej_y_magnitude(secp256k1_gej *gej) {
141 random_field_element_magnitude(&gej->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX);
142}
143
144static void random_gej_z_magnitude(secp256k1_gej *gej) {
145 random_field_element_magnitude(&gej->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX);
146}
147
148static void random_group_element_test(secp256k1_ge *ge) {
149 secp256k1_fe fe;
150 do {
151 random_fe_test(&fe);
152 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
153 secp256k1_fe_normalize(&ge->y);
154 break;
155 }
156 } while(1);
157 ge->infinity = 0;
158}
159
160static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
161 secp256k1_fe z2, z3;
162 random_fe_non_zero_test(&gej->z);
163 secp256k1_fe_sqr(&z2, &gej->z);
164 secp256k1_fe_mul(&z3, &z2, &gej->z);
165 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
166 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
167 gej->infinity = ge->infinity;
168}
169
170static void random_gej_test(secp256k1_gej *gej) {
171 secp256k1_ge ge;
172 random_group_element_test(&ge);
173 random_group_element_jacobian_test(gej, &ge);
174}
175
176static void random_scalar_order_test(secp256k1_scalar *num) {
177 do {
178 unsigned char b32[32];
179 int overflow = 0;
180 secp256k1_testrand256_test(b32);
181 secp256k1_scalar_set_b32(num, b32, &overflow);
182 if (overflow || secp256k1_scalar_is_zero(num)) {
183 continue;
184 }
185 break;
186 } while(1);
187}
188
189static void random_scalar_order(secp256k1_scalar *num) {
190 do {
191 unsigned char b32[32];
192 int overflow = 0;
193 secp256k1_testrand256(b32);
194 secp256k1_scalar_set_b32(num, b32, &overflow);
195 if (overflow || secp256k1_scalar_is_zero(num)) {
196 continue;
197 }
198 break;
199 } while(1);
200}
201
202static void random_scalar_order_b32(unsigned char *b32) {
203 secp256k1_scalar num;
204 random_scalar_order(&num);
205 secp256k1_scalar_get_b32(b32, &num);
206}
207
208static void run_xoshiro256pp_tests(void) {
209 {
210 size_t i;
211 /* Sanity check that we run before the actual seeding. */
212 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
213 CHECK(secp256k1_test_state[i] == 0);
214 }
215 }
216 {
217 int i;
218 unsigned char buf32[32];
219 unsigned char seed16[16] = {
220 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
221 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
222 };
223 unsigned char buf32_expected[32] = {
224 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
225 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
226 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
227 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
228 };
229 secp256k1_testrand_seed(seed16);
230 for (i = 0; i < 17; i++) {
231 secp256k1_testrand256(buf32);
232 }
233 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
234 }
235}
236
237static void run_selftest_tests(void) {
238 /* Test public API */
239 secp256k1_selftest();
240}
241
242static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
243 return a->built == b->built
244 && secp256k1_scalar_eq(&a->blind, &b->blind)
245 && secp256k1_gej_eq_var(&a->initial, &b->initial);
246}
247
248static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
249 return a->declassify == b->declassify
250 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
251 && a->illegal_callback.fn == b->illegal_callback.fn
252 && a->illegal_callback.data == b->illegal_callback.data
253 && a->error_callback.fn == b->error_callback.fn
254 && a->error_callback.data == b->error_callback.data;
255}
256
257static void run_deprecated_context_flags_test(void) {
258 /* Check that a context created with any of the flags in the flags array is
259 * identical to the NONE context. */
260 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
261 SECP256K1_CONTEXT_VERIFY,
262 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
263 secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
264 int i;
265 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
266 secp256k1_context *tmp_ctx;
267 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
268 tmp_ctx = secp256k1_context_create(flags[i]);
269 CHECK(context_eq(none_ctx, tmp_ctx));
270 secp256k1_context_destroy(tmp_ctx);
271 }
272 secp256k1_context_destroy(none_ctx);
273}
274
275static void run_ec_illegal_argument_tests(void) {
276 int ecount = 0;
277 int ecount2 = 10;
278 secp256k1_pubkey pubkey;
279 secp256k1_pubkey zero_pubkey;
280 secp256k1_ecdsa_signature sig;
281 unsigned char ctmp[32];
282
283 /* Setup */
284 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
285 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount2);
286 memset(ctmp, 1, 32);
287 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
288
289 /* Verify context-type checking illegal-argument errors. */
290 CHECK(secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp) == 0);
291 CHECK(ecount == 1);
292 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
293 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
294 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
295 CHECK(secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL) == 0);
296 CHECK(ecount == 2);
297 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
298 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
299 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
300 CHECK(ecount2 == 10);
301 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
302 CHECK(ecount2 == 10);
303 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
304 CHECK(ecount == 2);
305 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
306 CHECK(ecount2 == 10);
307 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
308 CHECK(ecount == 2);
309 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
310 CHECK(ecount2 == 10);
311 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1);
312 CHECK(ecount == 2);
313 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
314 CHECK(ecount == 2);
315 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey) == 0);
316 CHECK(ecount == 3);
317 CHECK(secp256k1_ec_pubkey_negate(CTX, NULL) == 0);
318 CHECK(ecount2 == 11);
319 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
320 CHECK(ecount == 3);
321
322 /* Clean up */
323 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
324 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
325}
326
327static void run_static_context_tests(int use_prealloc) {
328 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
329 CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
330
331 {
332 unsigned char seed[32] = {0x17};
333
334 /* Randomizing secp256k1_context_static is not supported. */
335 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed));
336 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL));
337
338 /* Destroying or cloning secp256k1_context_static is not supported. */
339 if (use_prealloc) {
340 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX));
341 {
342 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
343 CHECK(my_static_ctx != NULL);
344 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
345 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx));
346 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
347 free(my_static_ctx);
348 }
349 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX));
350 } else {
351 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX));
352 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX));
353 }
354 }
355
356 {
357 /* Verify that setting and resetting illegal callback works */
358 int32_t dummy = 0;
359 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &dummy);
360 CHECK(STATIC_CTX->illegal_callback.fn == counting_illegal_callback_fn);
361 CHECK(STATIC_CTX->illegal_callback.data == &dummy);
362 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
363 CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
364 CHECK(STATIC_CTX->illegal_callback.data == NULL);
365 }
366}
367
368static void run_proper_context_tests(int use_prealloc) {
369 int32_t dummy = 0;
370 secp256k1_context *my_ctx, *my_ctx_fresh;
371 void *my_ctx_prealloc = NULL;
372 unsigned char seed[32] = {0x17};
373
374 secp256k1_gej pubj;
375 secp256k1_ge pub;
376 secp256k1_scalar msg, key, nonce;
377 secp256k1_scalar sigr, sigs;
378
379 /* Fresh reference context for comparison */
380 my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
381
382 if (use_prealloc) {
383 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
384 CHECK(my_ctx_prealloc != NULL);
385 my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE);
386 } else {
387 my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
388 }
389
390 /* Randomize and reset randomization */
391 CHECK(context_eq(my_ctx, my_ctx_fresh));
392 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
393 CHECK(!context_eq(my_ctx, my_ctx_fresh));
394 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
395 CHECK(context_eq(my_ctx, my_ctx_fresh));
396
397 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
398 secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL);
399 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
400 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
401
402 /* check if sizes for cloning are consistent */
403 CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
404
405 /*** clone and destroy all of them to make sure cloning was complete ***/
406 {
407 secp256k1_context *ctx_tmp;
408
409 if (use_prealloc) {
410 /* clone into a non-preallocated context and then again into a new preallocated one. */
411 ctx_tmp = my_ctx;
412 my_ctx = secp256k1_context_clone(my_ctx);
413 CHECK(context_eq(ctx_tmp, my_ctx));
414 secp256k1_context_preallocated_destroy(ctx_tmp);
415
416 free(my_ctx_prealloc);
417 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
418 CHECK(my_ctx_prealloc != NULL);
419 ctx_tmp = my_ctx;
420 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
421 CHECK(context_eq(ctx_tmp, my_ctx));
422 secp256k1_context_destroy(ctx_tmp);
423 } else {
424 /* clone into a preallocated context and then again into a new non-preallocated one. */
425 void *prealloc_tmp;
426
427 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
428 CHECK(prealloc_tmp != NULL);
429 ctx_tmp = my_ctx;
430 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
431 CHECK(context_eq(ctx_tmp, my_ctx));
432 secp256k1_context_destroy(ctx_tmp);
433
434 ctx_tmp = my_ctx;
435 my_ctx = secp256k1_context_clone(my_ctx);
436 CHECK(context_eq(ctx_tmp, my_ctx));
437 secp256k1_context_preallocated_destroy(ctx_tmp);
438 free(prealloc_tmp);
439 }
440 }
441
442 /* Verify that the error callback makes it across the clone. */
443 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
444 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
445 /* And that it resets back to default. */
446 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
447 CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn);
448 CHECK(context_eq(my_ctx, my_ctx_fresh));
449
450 /* Verify that setting and resetting illegal callback works */
451 secp256k1_context_set_illegal_callback(my_ctx, counting_illegal_callback_fn, &dummy);
452 CHECK(my_ctx->illegal_callback.fn == counting_illegal_callback_fn);
453 CHECK(my_ctx->illegal_callback.data == &dummy);
454 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
455 CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
456 CHECK(my_ctx->illegal_callback.data == NULL);
457 CHECK(context_eq(my_ctx, my_ctx_fresh));
458
459 /*** attempt to use them ***/
460 random_scalar_order_test(&msg);
461 random_scalar_order_test(&key);
462 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
463 secp256k1_ge_set_gej(&pub, &pubj);
464
465 /* obtain a working nonce */
466 do {
467 random_scalar_order_test(&nonce);
468 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
469
470 /* try signing */
471 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
472
473 /* try verifying */
474 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
475
476 /* cleanup */
477 if (use_prealloc) {
478 secp256k1_context_preallocated_destroy(my_ctx);
479 free(my_ctx_prealloc);
480 } else {
481 secp256k1_context_destroy(my_ctx);
482 }
483 secp256k1_context_destroy(my_ctx_fresh);
484
485 /* Defined as no-op. */
486 secp256k1_context_destroy(NULL);
487 secp256k1_context_preallocated_destroy(NULL);
488}
489
490static void run_scratch_tests(void) {
491 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
492
493 int32_t ecount = 0;
494 size_t checkpoint;
495 size_t checkpoint_2;
496 secp256k1_scratch_space *scratch;
497 secp256k1_scratch_space local_scratch;
498
499 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
500 secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
501
502 /* Test public API */
503 scratch = secp256k1_scratch_space_create(CTX, 1000);
504 CHECK(scratch != NULL);
505 CHECK(ecount == 0);
506
507 /* Test internal API */
508 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
509 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
510 CHECK(scratch->alloc_size == 0);
511 CHECK(scratch->alloc_size % ALIGNMENT == 0);
512
513 /* Allocating 500 bytes succeeds */
514 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
515 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
516 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
517 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
518 CHECK(scratch->alloc_size != 0);
519 CHECK(scratch->alloc_size % ALIGNMENT == 0);
520
521 /* Allocating another 501 bytes fails */
522 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
523 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
524 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
525 CHECK(scratch->alloc_size != 0);
526 CHECK(scratch->alloc_size % ALIGNMENT == 0);
527
528 /* ...but it succeeds once we apply the checkpoint to undo it */
529 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
530 CHECK(scratch->alloc_size == 0);
531 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
532 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
533 CHECK(scratch->alloc_size != 0);
534
535 /* try to apply a bad checkpoint */
536 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
537 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
538 CHECK(ecount == 0);
539 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
540 CHECK(ecount == 1);
541 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
542 CHECK(ecount == 2);
543
544 /* try to use badly initialized scratch space */
545 secp256k1_scratch_space_destroy(CTX, scratch);
546 memset(&local_scratch, 0, sizeof(local_scratch));
547 scratch = &local_scratch;
548 CHECK(!secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0));
549 CHECK(ecount == 3);
550 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) == NULL);
551 CHECK(ecount == 4);
552 secp256k1_scratch_space_destroy(CTX, scratch);
553 CHECK(ecount == 5);
554
555 /* Test that large integers do not wrap around in a bad way */
556 scratch = secp256k1_scratch_space_create(CTX, 1000);
557 /* Try max allocation with a large number of objects. Only makes sense if
558 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
559 * space. */
560 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
561 /* Try allocating SIZE_MAX to test wrap around which only happens if
562 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
563 * space is too small. */
564 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
565 secp256k1_scratch_space_destroy(CTX, scratch);
566
567 /* cleanup */
568 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
569
570 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
571 secp256k1_context_set_error_callback(CTX, NULL, NULL);
572}
573
574static void run_ctz_tests(void) {
575 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
576 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
577 int shift;
578 unsigned i;
579 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
580 for (shift = 0; shift < 32; ++shift) {
581 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
582 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
583 }
584 }
585 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
586 for (shift = 0; shift < 64; ++shift) {
587 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
588 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
589 }
590 }
591}
592
593/***** HASH TESTS *****/
594
595static void run_sha256_known_output_tests(void) {
596 static const char *inputs[] = {
597 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
598 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
599 "For this sample, this 63-byte string will be used as input data",
600 "This is exactly 64 bytes long, not counting the terminating byte",
601 "aaaaa",
602 };
603 static const unsigned int repeat[] = {
604 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
605 };
606 static const unsigned char outputs[][32] = {
607 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
608 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
609 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
610 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
611 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
612 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
613 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
614 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
615 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
616 };
617 unsigned int i, ninputs;
618
619 /* Skip last input vector for low iteration counts */
620 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
621 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
622
623 for (i = 0; i < ninputs; i++) {
624 unsigned char out[32];
625 secp256k1_sha256 hasher;
626 unsigned int j;
627 /* 1. Run: simply write the input bytestrings */
628 j = repeat[i];
629 secp256k1_sha256_initialize(&hasher);
630 while (j > 0) {
631 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
632 j--;
633 }
634 secp256k1_sha256_finalize(&hasher, out);
635 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
636 /* 2. Run: split the input bytestrings randomly before writing */
637 if (strlen(inputs[i]) > 0) {
638 int split = secp256k1_testrand_int(strlen(inputs[i]));
639 secp256k1_sha256_initialize(&hasher);
640 j = repeat[i];
641 while (j > 0) {
642 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
643 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
644 j--;
645 }
646 secp256k1_sha256_finalize(&hasher, out);
647 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
648 }
649 }
650}
651
696static void run_sha256_counter_tests(void) {
697 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
698 static const secp256k1_sha256 midstates[] = {
699 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
700 {0x00}, 0xfffc0},
701 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
702 {0x00}, 0x1fffc0},
703 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
704 {0x00}, 0x3fffc0},
705 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
706 {0x00}, 0x7fffc0},
707 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
708 {0x00}, 0xffffc0},
709 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
710 {0x00}, 0x1ffffc0},
711 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
712 {0x00}, 0x3ffffc0},
713 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
714 {0x00}, 0x7ffffc0},
715 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
716 {0x00}, 0xfffffc0},
717 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
718 {0x00}, 0x1fffffc0},
719 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
720 {0x00}, 0x3fffffc0},
721 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
722 {0x00}, 0x7fffffc0},
723 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
724 {0x00}, 0xffffffc0},
725 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
726 {0x00}, 0x1ffffffc0},
727 };
728 static const unsigned char outputs[][32] = {
729 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
730 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
731 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
732 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
733 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
734 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
735 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
736 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
737 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
738 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
739 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
740 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
741 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
742 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
743 };
744 unsigned int i;
745 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
746 unsigned char out[32];
747 secp256k1_sha256 hasher = midstates[i];
748 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
749 secp256k1_sha256_finalize(&hasher, out);
750 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
751 }
752}
753
754/* Tests for the equality of two sha256 structs. This function only produces a
755 * correct result if an integer multiple of 64 many bytes have been written
756 * into the hash functions. This function is used by some module tests. */
757static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
758 /* Is buffer fully consumed? */
759 CHECK((sha1->bytes & 0x3F) == 0);
760
761 CHECK(sha1->bytes == sha2->bytes);
762 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
763}
764
765static void run_hmac_sha256_tests(void) {
766 static const char *keys[6] = {
767 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
768 "\x4a\x65\x66\x65",
769 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
770 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
771 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
772 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
773 };
774 static const char *inputs[6] = {
775 "\x48\x69\x20\x54\x68\x65\x72\x65",
776 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
777 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
778 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
779 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
780 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
781 };
782 static const unsigned char outputs[6][32] = {
783 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
784 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
785 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
786 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
787 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
788 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
789 };
790 int i;
791 for (i = 0; i < 6; i++) {
792 secp256k1_hmac_sha256 hasher;
793 unsigned char out[32];
794 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
795 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
796 secp256k1_hmac_sha256_finalize(&hasher, out);
797 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
798 if (strlen(inputs[i]) > 0) {
799 int split = secp256k1_testrand_int(strlen(inputs[i]));
800 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
801 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
802 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
803 secp256k1_hmac_sha256_finalize(&hasher, out);
804 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
805 }
806 }
807}
808
809static void run_rfc6979_hmac_sha256_tests(void) {
810 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
811 static const unsigned char out1[3][32] = {
812 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
813 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
814 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
815 };
816
817 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
818 static const unsigned char out2[3][32] = {
819 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
820 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
821 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
822 };
823
824 secp256k1_rfc6979_hmac_sha256 rng;
825 unsigned char out[32];
826 int i;
827
828 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
829 for (i = 0; i < 3; i++) {
830 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
831 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
832 }
833 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
834
835 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
836 for (i = 0; i < 3; i++) {
837 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
838 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
839 }
840 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
841
842 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
843 for (i = 0; i < 3; i++) {
844 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
845 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
846 }
847 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
848}
849
850static void run_tagged_sha256_tests(void) {
851 int ecount = 0;
852 unsigned char tag[32] = { 0 };
853 unsigned char msg[32] = { 0 };
854 unsigned char hash32[32];
855 unsigned char hash_expected[32] = {
856 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
857 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
858 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
859 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
860 };
861
862 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
863
864 /* API test */
865 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
866 CHECK(secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
867 CHECK(ecount == 1);
868 CHECK(secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)) == 0);
869 CHECK(ecount == 2);
870 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0) == 0);
871 CHECK(ecount == 3);
872
873 /* Static test vector */
874 memcpy(tag, "tag", 3);
875 memcpy(msg, "msg", 3);
876 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
877 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
878}
879
880/***** MODINV TESTS *****/
881
882/* Compute the modular inverse of (odd) x mod 2^64. */
883static uint64_t modinv2p64(uint64_t x) {
884 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
885 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
886 * why. Start with L=0, for which it is true for every odd x that
887 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
888 int l;
889 uint64_t w = 1;
890 CHECK(x & 1);
891 for (l = 0; l < 6; ++l) w *= (2 - w*x);
892 return w;
893}
894
895
896/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
897 *
898 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
899 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
900static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
901 uint16_t mul[32];
902 uint64_t c = 0;
903 int i, j;
904 int m_bitlen = 0;
905 int mul_bitlen = 0;
906
907 if (b != NULL) {
908 /* Compute the product of a and b, and put it in mul. */
909 for (i = 0; i < 32; ++i) {
910 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
911 c += (uint64_t)a[j] * b[i - j];
912 }
913 mul[i] = c & 0xFFFF;
914 c >>= 16;
915 }
916 CHECK(c == 0);
917
918 /* compute the highest set bit in mul */
919 for (i = 511; i >= 0; --i) {
920 if ((mul[i >> 4] >> (i & 15)) & 1) {
921 mul_bitlen = i;
922 break;
923 }
924 }
925 } else {
926 /* if b==NULL, set mul=a. */
927 memcpy(mul, a, 32);
928 memset(mul + 16, 0, 32);
929 /* compute the highest set bit in mul */
930 for (i = 255; i >= 0; --i) {
931 if ((mul[i >> 4] >> (i & 15)) & 1) {
932 mul_bitlen = i;
933 break;
934 }
935 }
936 }
937
938 if (m) {
939 /* Compute the highest set bit in m. */
940 for (i = 255; i >= 0; --i) {
941 if ((m[i >> 4] >> (i & 15)) & 1) {
942 m_bitlen = i;
943 break;
944 }
945 }
946
947 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
948 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
949 uint16_t mul2[32];
950 int64_t cs;
951
952 /* Compute mul2 = mul - m<<i. */
953 cs = 0; /* accumulator */
954 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
955 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
956 uint16_t sub = 0;
957 int p;
958 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
959 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
960 if (bitpos >= 0 && bitpos < 256) {
961 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
962 }
963 }
964 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
965 cs += mul[j];
966 cs -= sub;
967 mul2[j] = (cs & 0xFFFF);
968 cs >>= 16;
969 }
970 /* If remainder of subtraction is 0, set mul = mul2. */
971 if (cs == 0) {
972 memcpy(mul, mul2, sizeof(mul));
973 }
974 }
975 /* Sanity check: test that all limbs higher than m's highest are zero */
976 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
977 CHECK(mul[i] == 0);
978 }
979 }
980 memcpy(out, mul, 32);
981}
982
983/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
984static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
985 int i;
986 memset(out->v, 0, sizeof(out->v));
987 for (i = 0; i < 256; ++i) {
988 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
989 }
990}
991
992/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
993static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
994 int i;
995 memset(out, 0, 32);
996 for (i = 0; i < 256; ++i) {
997 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
998 }
999}
1000
1001/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
1002static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
1003 int i;
1004 for (i = 0; i < 16; ++i) {
1005 int pos = secp256k1_testrand_bits(3);
1006 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
1007 x->v[pos] -= 0x40000000;
1008 x->v[pos + 1] += 1;
1009 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
1010 x->v[pos] += 0x40000000;
1011 x->v[pos + 1] -= 1;
1012 }
1013 }
1014}
1015
1016/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
1017static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1018 uint16_t tmp[16];
1019 secp256k1_modinv32_signed30 x;
1020 secp256k1_modinv32_modinfo m;
1021 int i, vartime, nonzero;
1022
1023 uint16_to_signed30(&x, in);
1024 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
1025 uint16_to_signed30(&m.modulus, mod);
1026
1027 /* compute 1/modulus mod 2^30 */
1028 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
1029 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
1030
1031 /* Test secp256k1_jacobi32_maybe_var. */
1032 if (nonzero) {
1033 int jac;
1034 uint16_t sqr[16], negone[16];
1035 mulmod256(sqr, in, in, mod);
1036 uint16_to_signed30(&x, sqr);
1037 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1038 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1039 CHECK(jac == 0 || jac == 1);
1040 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1041 * jacobi symbols if and only if (mod % 4) == 3. */
1042 negone[0] = mod[0] - 1;
1043 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1044 mulmod256(sqr, sqr, negone, mod);
1045 uint16_to_signed30(&x, sqr);
1046 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1047 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1048 }
1049
1050 uint16_to_signed30(&x, in);
1051 mutate_sign_signed30(&m.modulus);
1052 for (vartime = 0; vartime < 2; ++vartime) {
1053 /* compute inverse */
1054 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1055
1056 /* produce output */
1057 signed30_to_uint16(out, &x);
1058
1059 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1060 mulmod256(tmp, out, in, mod);
1061 CHECK(tmp[0] == nonzero);
1062 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1063
1064 /* invert again */
1065 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1066
1067 /* check if the result is equal to the input */
1068 signed30_to_uint16(tmp, &x);
1069 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1070 }
1071}
1072
1073#ifdef SECP256K1_WIDEMUL_INT128
1074/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1075static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1076 int i;
1077 memset(out->v, 0, sizeof(out->v));
1078 for (i = 0; i < 256; ++i) {
1079 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1080 }
1081}
1082
1083/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1084static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1085 int i;
1086 memset(out, 0, 32);
1087 for (i = 0; i < 256; ++i) {
1088 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1089 }
1090}
1091
1092/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1093static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1094 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1095 int i;
1096 for (i = 0; i < 8; ++i) {
1097 int pos = secp256k1_testrand_bits(2);
1098 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1099 x->v[pos] -= (M62 + 1);
1100 x->v[pos + 1] += 1;
1101 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1102 x->v[pos] += (M62 + 1);
1103 x->v[pos + 1] -= 1;
1104 }
1105 }
1106}
1107
1108/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1109static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1110 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1111 uint16_t tmp[16];
1112 secp256k1_modinv64_signed62 x;
1113 secp256k1_modinv64_modinfo m;
1114 int i, vartime, nonzero;
1115
1116 uint16_to_signed62(&x, in);
1117 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1118 uint16_to_signed62(&m.modulus, mod);
1119
1120 /* compute 1/modulus mod 2^62 */
1121 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1122 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1123
1124 /* Test secp256k1_jacobi64_maybe_var. */
1125 if (nonzero) {
1126 int jac;
1127 uint16_t sqr[16], negone[16];
1128 mulmod256(sqr, in, in, mod);
1129 uint16_to_signed62(&x, sqr);
1130 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1131 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1132 CHECK(jac == 0 || jac == 1);
1133 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1134 * jacobi symbols if and only if (mod % 4) == 3. */
1135 negone[0] = mod[0] - 1;
1136 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1137 mulmod256(sqr, sqr, negone, mod);
1138 uint16_to_signed62(&x, sqr);
1139 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1140 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1141 }
1142
1143 uint16_to_signed62(&x, in);
1144 mutate_sign_signed62(&m.modulus);
1145 for (vartime = 0; vartime < 2; ++vartime) {
1146 /* compute inverse */
1147 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1148
1149 /* produce output */
1150 signed62_to_uint16(out, &x);
1151
1152 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1153 mulmod256(tmp, out, in, mod);
1154 CHECK(tmp[0] == nonzero);
1155 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1156
1157 /* invert again */
1158 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1159
1160 /* check if the result is equal to the input */
1161 signed62_to_uint16(tmp, &x);
1162 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1163 }
1164}
1165#endif
1166
1167/* test if a and b are coprime */
1168static int coprime(const uint16_t* a, const uint16_t* b) {
1169 uint16_t x[16], y[16], t[16];
1170 int i;
1171 int iszero;
1172 memcpy(x, a, 32);
1173 memcpy(y, b, 32);
1174
1175 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1176 while (1) {
1177 iszero = 1;
1178 for (i = 0; i < 16; ++i) {
1179 if (x[i] != 0) {
1180 iszero = 0;
1181 break;
1182 }
1183 }
1184 if (iszero) break;
1185 mulmod256(t, y, NULL, x);
1186 memcpy(y, x, 32);
1187 memcpy(x, t, 32);
1188 }
1189
1190 /* return whether y=1 */
1191 if (y[0] != 1) return 0;
1192 for (i = 1; i < 16; ++i) {
1193 if (y[i] != 0) return 0;
1194 }
1195 return 1;
1196}
1197
1198static void run_modinv_tests(void) {
1199 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1200 static const uint16_t CASES[][3][16] = {
1201 /* Test cases triggering edge cases in divsteps */
1202
1203 /* Test case known to need 713 divsteps */
1204 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1205 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1206 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1207 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1208 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1209 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1210 /* Test case known to need 589 divsteps, reaching delta=-140 and
1211 delta=141. */
1212 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1213 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1214 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1215 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1216 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1217 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1218 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1219 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1220 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1221 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1222 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1223 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1224 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1225 /* example needing 713 divsteps; delta=-2..3 */
1226 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1227 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1228 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1229 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1230 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1231 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1232 /* example needing 713 divsteps; delta=-2..3 */
1233 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1234 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1235 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1236 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1237 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1238 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1239 /* example needing 713 divsteps; delta=-2..3 */
1240 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1241 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1242 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1243 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1244 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1245 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1246 /* example reaching delta=-64..65; 661 divsteps */
1247 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1248 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1249 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1250 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1251 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1252 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1253 /* example reaching delta=-64..65; 661 divsteps */
1254 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1255 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1256 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1257 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1258 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1259 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1260 /* example reaching delta=-64..65; 661 divsteps */
1261 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1262 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1263 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1264 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1265 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1266 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1267 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1268 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1269 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1270 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1271 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1272 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1273 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1274 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1275 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1276 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1277 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1278 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1279 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1280 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1281 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1282 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1283 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1284 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1285 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1286 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1287 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1288 /* example doing 446 (f,g/2) steps; 523 divsteps */
1289 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1290 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1291 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1292 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1293 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1294 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1295 /* example doing 446 (f,g/2) steps; 523 divsteps */
1296 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1297 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1298 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1299 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1300 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1301 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1302 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1303 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1304 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1305 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1306 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1307 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1308 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1309 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1310 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1311 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1312 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1313 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1314 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1315 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1316 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1317 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1318 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1319 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1320 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1321 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1322 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1323 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1324 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1325 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1326 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1327 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1328 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1329 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1330
1331 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1332
1333 /* example needing 590 divsteps; delta=-5/2..7/2 */
1334 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1335 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1336 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1337 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1338 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1339 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1340 /* example needing 590 divsteps; delta=-3/2..5/2 */
1341 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1342 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1343 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1344 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1345 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1346 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1347 /* example needing 590 divsteps; delta=-3/2..5/2 */
1348 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1349 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1350 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1351 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1352 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1353 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1354 /* example needing 590 divsteps; delta=-5/2..7/2 */
1355 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1356 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1357 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1358 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1359 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1360 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1361 /* example needing 590 divsteps; delta=-3/2..5/2 */
1362 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1363 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1364 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1365 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1366 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1367 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1368 /* example reaching delta=-127/2..129/2; 571 divsteps */
1369 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1370 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1371 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1372 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1373 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1374 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1375 /* example reaching delta=-127/2..129/2; 571 divsteps */
1376 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1377 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1378 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1379 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1380 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1381 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1382 /* example reaching delta=-127/2..129/2; 571 divsteps */
1383 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1384 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1385 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1386 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1387 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1388 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1389 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1390 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1391 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1392 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1393 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1394 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1395 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1396 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1397 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1398 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1399 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1400 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1401 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1402 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1403 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1404 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1405 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1406 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1407 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1408 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1409 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1410 /* example doing 453 (f,g/2) steps; 514 divsteps */
1411 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1412 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1413 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1414 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1415 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1416 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1417 /* example doing 453 (f,g/2) steps; 514 divsteps */
1418 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1419 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1420 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1421 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1422 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1423 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1424 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1425 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1426 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1427 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1428 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1429 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1430 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1431 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1432 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1433 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1434 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1435 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1436 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1437 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1438 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1439 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1440 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1441 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1442 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1443 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1444 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1445 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1446 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1447 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1448 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1449 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1450 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1451 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1452
1453 /* Test cases with the group order as modulus. */
1454
1455 /* Test case with the group order as modulus, needing 635 divsteps. */
1456 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1457 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1458 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1459 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1460 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1461 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1462 /* example with group size as modulus needing 631 divsteps */
1463 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1464 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1465 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1466 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1467 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1468 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1469 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1470 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1471 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1472 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1475 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1476 /* Test case with the group size as modulus, needing 981 divsteps with
1477 broken eta handling. */
1478 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1479 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1480 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1481 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1482 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1483 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1484 /* Test case with the group size as modulus, input = 0. */
1485 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1486 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1487 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1488 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1489 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1490 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1491 /* Test case with the group size as modulus, input = 1. */
1492 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1493 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1494 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1495 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1496 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1497 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1498 /* Test case with the group size as modulus, input = 2. */
1499 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1500 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1501 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1502 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1503 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1504 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1505 /* Test case with the group size as modulus, input = group - 1. */
1506 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1507 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1508 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1509 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1510 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1511 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1512
1513 /* Test cases with the field size as modulus. */
1514
1515 /* Test case with the field size as modulus, needing 637 divsteps. */
1516 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1517 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1518 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1519 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1520 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1521 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1522 /* example with field size as modulus needing 637 divsteps */
1523 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1524 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1525 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1526 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1527 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1528 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1529 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1530 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1531 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1532 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1535 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1536 /* Test case with the field size as modulus, needing 935 divsteps with
1537 broken eta handling. */
1538 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1539 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1540 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1541 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1542 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1543 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1544 /* Test case with the field size as modulus, input = 0. */
1545 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1546 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1547 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1548 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1549 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1550 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1551 /* Test case with the field size as modulus, input = 1. */
1552 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1553 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1554 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1555 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1556 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1557 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1558 /* Test case with the field size as modulus, input = 2. */
1559 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1560 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1561 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1562 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1563 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1564 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1565 /* Test case with the field size as modulus, input = field - 1. */
1566 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1567 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1568 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1569 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1570 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1571 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1572
1573 /* Selected from a large number of random inputs to reach small/large
1574 * d/e values in various configurations. */
1575 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1576 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1577 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1578 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1579 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1580 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1581 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1582 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1583 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1584 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1585 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1586 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1587 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1588 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1589 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1590 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1591 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1592 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1593 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1594 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1595 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1596 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1597 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1598 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1599 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1600 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1601 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1602 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1603 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1604 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1605 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1606 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1607 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1608 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1609 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1610 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1611 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1612 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1613 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1614 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1615 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1616 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1617 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1618 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1619 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1620 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1621 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1622 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1623 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1624 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1625 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1626 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1627 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1628 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1629 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1630 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1631 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1632 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1633 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1634 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1635 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1636 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1637 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1638 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1639 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1640 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1641 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1642 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1643 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1644 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1645 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1646 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1647 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1648 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1649 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1650 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1651 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1652 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1653 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1654 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1655 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1656 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1657 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1658 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1659 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1660 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1661 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1662 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1663 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1664 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1665 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1666 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1667 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1668 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1669 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1670 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1671 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1672 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1673 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1674 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1675 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1676 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1677 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1678 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1679 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1680 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1681 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1682 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1683 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1684 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1685 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1686 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1687 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1688 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1689 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1690 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1691 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1692 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1693 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1694 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1695 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1696 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1697 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1698 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1699 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1700 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1701 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1702 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1703 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1704 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1705 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1706 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1707 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1708 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1709 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1710 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1711 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1712 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1713 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1714 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1715 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1716 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1717 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1718 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1719 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1720 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1721 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1722 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1723 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1724 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1725 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1726 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1727 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1728 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1729 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1730 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1731 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1732 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1733 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1734 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1735 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1736 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1737 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1738 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1739 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1740 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1741 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1742 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1743 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1744 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1745 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1746 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1747 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1748 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1749 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1750 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1751 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1752 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1753 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1754 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1755 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1756 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1757 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1758 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1759 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1760 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1761 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1762 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1763 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1764 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1765 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1766 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1767 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1768 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1769 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1770 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1771 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1772 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1773 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1774 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1775 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1776 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1777 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1778 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1779 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1780 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1781 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1782 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1783 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1784 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1785 };
1786
1787 int i, j, ok;
1788
1789 /* Test known inputs/outputs */
1790 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1791 uint16_t out[16];
1792 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1793 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1794#ifdef SECP256K1_WIDEMUL_INT128
1795 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1796 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1797#endif
1798 }
1799
1800 for (i = 0; i < 100 * COUNT; ++i) {
1801 /* 256-bit numbers in 16-uint16_t's notation */
1802 static const uint16_t ZERO[16] = {0};
1803 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1804 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1805 uint16_t id[16]; /* the inverse of xd mod md */
1806
1807 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1808 do {
1809 /* generate random xd and md (with many subsequent 0s and 1s) */
1810 secp256k1_testrand256_test((unsigned char*)xd);
1811 secp256k1_testrand256_test((unsigned char*)md);
1812 md[0] |= 1; /* modulus must be odd */
1813 /* If modulus is 1, find another one. */
1814 ok = md[0] != 1;
1815 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1816 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1817 } while (!(ok && coprime(xd, md)));
1818
1819 test_modinv32_uint16(id, xd, md);
1820#ifdef SECP256K1_WIDEMUL_INT128
1821 test_modinv64_uint16(id, xd, md);
1822#endif
1823
1824 /* In a few cases, also test with input=0 */
1825 if (i < COUNT) {
1826 test_modinv32_uint16(id, ZERO, md);
1827#ifdef SECP256K1_WIDEMUL_INT128
1828 test_modinv64_uint16(id, ZERO, md);
1829#endif
1830 }
1831 }
1832}
1833
1834/***** INT128 TESTS *****/
1835
1836#ifdef SECP256K1_WIDEMUL_INT128
1837/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1838static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1839 int i;
1840 uint32_t carry = 0;
1841 for (i = 0; i < 16; ++i) {
1842 carry += a[i];
1843 carry += b[i];
1844 out[i] = carry;
1845 carry >>= 16;
1846 }
1847}
1848
1849/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1850static void neg256(uint16_t* out, const uint16_t* a) {
1851 int i;
1852 uint32_t carry = 1;
1853 for (i = 0; i < 16; ++i) {
1854 carry += (uint16_t)~a[i];
1855 out[i] = carry;
1856 carry >>= 16;
1857 }
1858}
1859
1860/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1861static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1862 uint16_t sign = sign_extend && (a[15] >> 15);
1863 int i, j;
1864 for (i = 15; i >= 0; --i) {
1865 uint16_t v = 0;
1866 for (j = 0; j < 16; ++j) {
1867 int frompos = i*16 + j + n;
1868 if (frompos >= 256) {
1869 v |= sign << j;
1870 } else {
1871 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1872 }
1873 }
1874 out[i] = v;
1875 }
1876}
1877
1878/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1879static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1880 int i;
1881 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1882 for (i = 0; i < 4; ++i) {
1883 out[i] = v >> (16 * i);
1884 }
1885 for (i = 4; i < 16; ++i) {
1886 out[i] = sign;
1887 }
1888}
1889
1890/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1891static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1892 int i;
1893 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1894 for (i = 0; i < 4; ++i) {
1895 out[i] = lo >> (16 * i);
1896 }
1897 for (i = 4; i < 8; ++i) {
1898 out[i] = hi >> (16 * (i - 4));
1899 }
1900 for (i = 8; i < 16; ++i) {
1901 out[i] = sign;
1902 }
1903}
1904
1905/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1906static int int256is127(const uint16_t* v) {
1907 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1908 int i;
1909 for (i = 8; i < 16; ++i) {
1910 if (v[i] != 0) all_0 = 0;
1911 if (v[i] != 0xffff) all_1 = 0;
1912 }
1913 return all_0 || all_1;
1914}
1915
1916static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1917 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1918 load256two64(out, hi, lo, 0);
1919}
1920
1921static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1922 uint64_t lo;
1923 int64_t hi;
1924 secp256k1_int128 c = *v;
1925 lo = secp256k1_i128_to_u64(&c);
1926 secp256k1_i128_rshift(&c, 64);
1927 hi = secp256k1_i128_to_i64(&c);
1928 load256two64(out, hi, lo, 1);
1929}
1930
1931static void run_int128_test_case(void) {
1932 unsigned char buf[32];
1933 uint64_t v[4];
1934 secp256k1_int128 swa, swz;
1935 secp256k1_uint128 uwa, uwz;
1936 uint64_t ub, uc;
1937 int64_t sb, sc;
1938 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1939 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1940 int i;
1941
1942 /* Generate 32-byte random value. */
1943 secp256k1_testrand256_test(buf);
1944 /* Convert into 4 64-bit integers. */
1945 for (i = 0; i < 4; ++i) {
1946 uint64_t vi = 0;
1947 int j;
1948 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1949 v[i] = vi;
1950 }
1951 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1952 secp256k1_u128_load(&uwa, v[1], v[0]);
1953 secp256k1_i128_load(&swa, v[1], v[0]);
1954 ub = v[2];
1955 sb = v[2];
1956 uc = v[3];
1957 sc = v[3];
1958 /* Load those also into 16-bit array representations. */
1959 load256u128(ruwa, &uwa);
1960 load256i128(rswa, &swa);
1961 load256u64(rub, ub, 0);
1962 load256u64(rsb, sb, 1);
1963 load256u64(ruc, uc, 0);
1964 load256u64(rsc, sc, 1);
1965 /* test secp256k1_u128_mul */
1966 mulmod256(ruwr, rub, ruc, NULL);
1967 secp256k1_u128_mul(&uwz, ub, uc);
1968 load256u128(ruwz, &uwz);
1969 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1970 /* test secp256k1_u128_accum_mul */
1971 mulmod256(ruwr, rub, ruc, NULL);
1972 add256(ruwr, ruwr, ruwa);
1973 uwz = uwa;
1974 secp256k1_u128_accum_mul(&uwz, ub, uc);
1975 load256u128(ruwz, &uwz);
1976 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1977 /* test secp256k1_u128_accum_u64 */
1978 add256(ruwr, rub, ruwa);
1979 uwz = uwa;
1980 secp256k1_u128_accum_u64(&uwz, ub);
1981 load256u128(ruwz, &uwz);
1982 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1983 /* test secp256k1_u128_rshift */
1984 rshift256(ruwr, ruwa, uc % 128, 0);
1985 uwz = uwa;
1986 secp256k1_u128_rshift(&uwz, uc % 128);
1987 load256u128(ruwz, &uwz);
1988 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1989 /* test secp256k1_u128_to_u64 */
1990 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1991 /* test secp256k1_u128_hi_u64 */
1992 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1993 /* test secp256k1_u128_from_u64 */
1994 secp256k1_u128_from_u64(&uwz, ub);
1995 load256u128(ruwz, &uwz);
1996 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1997 /* test secp256k1_u128_check_bits */
1998 {
1999 int uwa_bits = 0;
2000 int j;
2001 for (j = 0; j < 128; ++j) {
2002 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
2003 }
2004 for (j = 0; j < 128; ++j) {
2005 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
2006 }
2007 }
2008 /* test secp256k1_i128_mul */
2009 mulmod256(rswr, rsb, rsc, NULL);
2010 secp256k1_i128_mul(&swz, sb, sc);
2011 load256i128(rswz, &swz);
2012 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2013 /* test secp256k1_i128_accum_mul */
2014 mulmod256(rswr, rsb, rsc, NULL);
2015 add256(rswr, rswr, rswa);
2016 if (int256is127(rswr)) {
2017 swz = swa;
2018 secp256k1_i128_accum_mul(&swz, sb, sc);
2019 load256i128(rswz, &swz);
2020 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2021 }
2022 /* test secp256k1_i128_det */
2023 {
2024 uint16_t rsd[16], rse[16], rst[32];
2025 int64_t sd = v[0], se = v[1];
2026 load256u64(rsd, sd, 1);
2027 load256u64(rse, se, 1);
2028 mulmod256(rst, rsc, rsd, NULL);
2029 neg256(rst, rst);
2030 mulmod256(rswr, rsb, rse, NULL);
2031 add256(rswr, rswr, rst);
2032 secp256k1_i128_det(&swz, sb, sc, sd, se);
2033 load256i128(rswz, &swz);
2034 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2035 }
2036 /* test secp256k1_i128_rshift */
2037 rshift256(rswr, rswa, uc % 127, 1);
2038 swz = swa;
2039 secp256k1_i128_rshift(&swz, uc % 127);
2040 load256i128(rswz, &swz);
2041 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2042 /* test secp256k1_i128_to_u64 */
2043 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2044 /* test secp256k1_i128_from_i64 */
2045 secp256k1_i128_from_i64(&swz, sb);
2046 load256i128(rswz, &swz);
2047 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2048 /* test secp256k1_i128_to_i64 */
2049 CHECK(secp256k1_i128_to_i64(&swz) == sb);
2050 /* test secp256k1_i128_eq_var */
2051 {
2052 int expect = (uc & 1);
2053 swz = swa;
2054 if (!expect) {
2055 /* Make sure swz != swa */
2056 uint64_t v0c = v[0], v1c = v[1];
2057 if (ub & 64) {
2058 v1c ^= (((uint64_t)1) << (ub & 63));
2059 } else {
2060 v0c ^= (((uint64_t)1) << (ub & 63));
2061 }
2062 secp256k1_i128_load(&swz, v1c, v0c);
2063 }
2064 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2065 }
2066 /* test secp256k1_i128_check_pow2 (sign == 1) */
2067 {
2068 int expect = (uc & 1);
2069 int pos = ub % 127;
2070 if (expect) {
2071 /* If expect==1, set swz to exactly 2^pos. */
2072 uint64_t hi = 0;
2073 uint64_t lo = 0;
2074 if (pos >= 64) {
2075 hi = (((uint64_t)1) << (pos & 63));
2076 } else {
2077 lo = (((uint64_t)1) << (pos & 63));
2078 }
2079 secp256k1_i128_load(&swz, hi, lo);
2080 } else {
2081 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2082 if (pos >= 64) {
2083 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2084 } else {
2085 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2086 }
2087 swz = swa;
2088 }
2089 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2090 }
2091 /* test secp256k1_i128_check_pow2 (sign == -1) */
2092 {
2093 int expect = (uc & 1);
2094 int pos = ub % 127;
2095 if (expect) {
2096 /* If expect==1, set swz to exactly -2^pos. */
2097 uint64_t hi = ~(uint64_t)0;
2098 uint64_t lo = ~(uint64_t)0;
2099 if (pos >= 64) {
2100 hi <<= (pos & 63);
2101 lo = 0;
2102 } else {
2103 lo <<= (pos & 63);
2104 }
2105 secp256k1_i128_load(&swz, hi, lo);
2106 } else {
2107 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2108 if (pos >= 64) {
2109 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2110 } else {
2111 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2112 }
2113 swz = swa;
2114 }
2115 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2116 }
2117}
2118
2119static void run_int128_tests(void) {
2120 { /* secp256k1_u128_accum_mul */
2121 secp256k1_uint128 res;
2122
2123 /* Check secp256k1_u128_accum_mul overflow */
2124 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2125 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2126 CHECK(secp256k1_u128_to_u64(&res) == 2);
2127 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2128 }
2129 { /* secp256k1_u128_accum_mul */
2130 secp256k1_int128 res;
2131
2132 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2133 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2134 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2135 CHECK(secp256k1_i128_to_u64(&res) == 2);
2136 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2137 secp256k1_i128_accum_mul(&res, 1, 1);
2138 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2139 secp256k1_i128_rshift(&res, 64);
2140 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2141
2142 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2143 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2144 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2145 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2146 CHECK(secp256k1_i128_to_u64(&res) == 0);
2147 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2148 CHECK(secp256k1_i128_to_u64(&res) == 0);
2149 secp256k1_i128_rshift(&res, 64);
2150 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2151 }
2152 {
2153 /* Randomized tests. */
2154 int i;
2155 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2156 }
2157}
2158#endif
2159
2160/***** SCALAR TESTS *****/
2161
2162static void scalar_test(void) {
2163 secp256k1_scalar s;
2164 secp256k1_scalar s1;
2165 secp256k1_scalar s2;
2166 unsigned char c[32];
2167
2168 /* Set 's' to a random scalar, with value 'snum'. */
2169 random_scalar_order_test(&s);
2170
2171 /* Set 's1' to a random scalar, with value 's1num'. */
2172 random_scalar_order_test(&s1);
2173
2174 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2175 random_scalar_order_test(&s2);
2176 secp256k1_scalar_get_b32(c, &s2);
2177
2178 {
2179 int i;
2180 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2181 secp256k1_scalar n;
2182 secp256k1_scalar_set_int(&n, 0);
2183 for (i = 0; i < 256; i += 4) {
2184 secp256k1_scalar t;
2185 int j;
2186 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2187 for (j = 0; j < 4; j++) {
2188 secp256k1_scalar_add(&n, &n, &n);
2189 }
2190 secp256k1_scalar_add(&n, &n, &t);
2191 }
2192 CHECK(secp256k1_scalar_eq(&n, &s));
2193 }
2194
2195 {
2196 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2197 secp256k1_scalar n;
2198 int i = 0;
2199 secp256k1_scalar_set_int(&n, 0);
2200 while (i < 256) {
2201 secp256k1_scalar t;
2202 int j;
2203 int now = secp256k1_testrand_int(15) + 1;
2204 if (now + i > 256) {
2205 now = 256 - i;
2206 }
2207 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2208 for (j = 0; j < now; j++) {
2209 secp256k1_scalar_add(&n, &n, &n);
2210 }
2211 secp256k1_scalar_add(&n, &n, &t);
2212 i += now;
2213 }
2214 CHECK(secp256k1_scalar_eq(&n, &s));
2215 }
2216
2217 {
2218 /* test secp256k1_scalar_shr_int */
2219 secp256k1_scalar r;
2220 int i;
2221 random_scalar_order_test(&r);
2222 for (i = 0; i < 100; ++i) {
2223 int low;
2224 int shift = 1 + secp256k1_testrand_int(15);
2225 int expected = r.d[0] % (1 << shift);
2226 low = secp256k1_scalar_shr_int(&r, shift);
2227 CHECK(expected == low);
2228 }
2229 }
2230
2231 {
2232 /* Test commutativity of add. */
2233 secp256k1_scalar r1, r2;
2234 secp256k1_scalar_add(&r1, &s1, &s2);
2235 secp256k1_scalar_add(&r2, &s2, &s1);
2236 CHECK(secp256k1_scalar_eq(&r1, &r2));
2237 }
2238
2239 {
2240 secp256k1_scalar r1, r2;
2241 secp256k1_scalar b;
2242 int i;
2243 /* Test add_bit. */
2244 int bit = secp256k1_testrand_bits(8);
2245 secp256k1_scalar_set_int(&b, 1);
2246 CHECK(secp256k1_scalar_is_one(&b));
2247 for (i = 0; i < bit; i++) {
2248 secp256k1_scalar_add(&b, &b, &b);
2249 }
2250 r1 = s1;
2251 r2 = s1;
2252 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2253 /* No overflow happened. */
2254 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2255 CHECK(secp256k1_scalar_eq(&r1, &r2));
2256 /* cadd is a noop when flag is zero */
2257 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2258 CHECK(secp256k1_scalar_eq(&r1, &r2));
2259 }
2260 }
2261
2262 {
2263 /* Test commutativity of mul. */
2264 secp256k1_scalar r1, r2;
2265 secp256k1_scalar_mul(&r1, &s1, &s2);
2266 secp256k1_scalar_mul(&r2, &s2, &s1);
2267 CHECK(secp256k1_scalar_eq(&r1, &r2));
2268 }
2269
2270 {
2271 /* Test associativity of add. */
2272 secp256k1_scalar r1, r2;
2273 secp256k1_scalar_add(&r1, &s1, &s2);
2274 secp256k1_scalar_add(&r1, &r1, &s);
2275 secp256k1_scalar_add(&r2, &s2, &s);
2276 secp256k1_scalar_add(&r2, &s1, &r2);
2277 CHECK(secp256k1_scalar_eq(&r1, &r2));
2278 }
2279
2280 {
2281 /* Test associativity of mul. */
2282 secp256k1_scalar r1, r2;
2283 secp256k1_scalar_mul(&r1, &s1, &s2);
2284 secp256k1_scalar_mul(&r1, &r1, &s);
2285 secp256k1_scalar_mul(&r2, &s2, &s);
2286 secp256k1_scalar_mul(&r2, &s1, &r2);
2287 CHECK(secp256k1_scalar_eq(&r1, &r2));
2288 }
2289
2290 {
2291 /* Test distributitivity of mul over add. */
2292 secp256k1_scalar r1, r2, t;
2293 secp256k1_scalar_add(&r1, &s1, &s2);
2294 secp256k1_scalar_mul(&r1, &r1, &s);
2295 secp256k1_scalar_mul(&r2, &s1, &s);
2296 secp256k1_scalar_mul(&t, &s2, &s);
2297 secp256k1_scalar_add(&r2, &r2, &t);
2298 CHECK(secp256k1_scalar_eq(&r1, &r2));
2299 }
2300
2301 {
2302 /* Test multiplicative identity. */
2303 secp256k1_scalar r1;
2304 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one);
2305 CHECK(secp256k1_scalar_eq(&r1, &s1));
2306 }
2307
2308 {
2309 /* Test additive identity. */
2310 secp256k1_scalar r1;
2311 secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero);
2312 CHECK(secp256k1_scalar_eq(&r1, &s1));
2313 }
2314
2315 {
2316 /* Test zero product property. */
2317 secp256k1_scalar r1;
2318 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero);
2319 CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero));
2320 }
2321
2322}
2323
2324static void run_scalar_set_b32_seckey_tests(void) {
2325 unsigned char b32[32];
2326 secp256k1_scalar s1;
2327 secp256k1_scalar s2;
2328
2329 /* Usually set_b32 and set_b32_seckey give the same result */
2330 random_scalar_order_b32(b32);
2331 secp256k1_scalar_set_b32(&s1, b32, NULL);
2332 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2333 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2334
2335 memset(b32, 0, sizeof(b32));
2336 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2337 memset(b32, 0xFF, sizeof(b32));
2338 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2339}
2340
2341static void run_scalar_tests(void) {
2342 int i;
2343 for (i = 0; i < 128 * COUNT; i++) {
2344 scalar_test();
2345 }
2346 for (i = 0; i < COUNT; i++) {
2347 run_scalar_set_b32_seckey_tests();
2348 }
2349
2350 {
2351 /* Check that the scalar constants secp256k1_scalar_zero and
2352 secp256k1_scalar_one contain the expected values. */
2353 secp256k1_scalar zero, one;
2354
2355 CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero));
2356 secp256k1_scalar_set_int(&zero, 0);
2357 CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero));
2358
2359 CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one));
2360 secp256k1_scalar_set_int(&one, 1);
2361 CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one));
2362 }
2363
2364 {
2365 /* (-1)+1 should be zero. */
2366 secp256k1_scalar o;
2367 secp256k1_scalar_negate(&o, &secp256k1_scalar_one);
2368 secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one);
2369 CHECK(secp256k1_scalar_is_zero(&o));
2370 secp256k1_scalar_negate(&o, &o);
2371 CHECK(secp256k1_scalar_is_zero(&o));
2372 }
2373
2374 {
2375 /* Does check_overflow check catch all ones? */
2376 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2377 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2378 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2379 );
2380 CHECK(secp256k1_scalar_check_overflow(&overflowed));
2381 }
2382
2383 {
2384 /* Static test vectors.
2385 * These were reduced from ~10^12 random vectors based on comparison-decision
2386 * and edge-case coverage on 32-bit and 64-bit implementations.
2387 * The responses were generated with Sage 5.9.
2388 */
2389 secp256k1_scalar x;
2390 secp256k1_scalar y;
2391 secp256k1_scalar z;
2392 secp256k1_scalar zz;
2393 secp256k1_scalar r1;
2394 secp256k1_scalar r2;
2395 secp256k1_scalar zzv;
2396 int overflow;
2397 unsigned char chal[33][2][32] = {
2398 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2400 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2401 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2402 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2404 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2405 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2406 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2407 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2408 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2409 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2410 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2412 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2413 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2414 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2415 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2416 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2417 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2418 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2419 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2420 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2421 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2422 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2423 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2424 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2425 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2426 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2427 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2428 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2429 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2430 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2431 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2432 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2433 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2434 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2435 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2436 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2437 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2438 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2439 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2440 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2441 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2442 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2443 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2444 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2445 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2446 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2447 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2448 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2449 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2450 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2451 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2452 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2453 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2454 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2455 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2456 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2457 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2458 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2459 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2460 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2461 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2462 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2463 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2464 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2465 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2466 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2467 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2470 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2471 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2472 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2473 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2474 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2475 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2476 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2477 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2478 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2479 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2480 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2481 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2482 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2485 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2486 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2487 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2488 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2489 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2490 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2491 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2492 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2494 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2495 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2497 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2498 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2499 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2500 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2501 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2502 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2503 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2504 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2505 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2506 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2510 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2511 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2512 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2513 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2514 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2515 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2516 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2517 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2518 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2519 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2520 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2521 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2522 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2523 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2524 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2525 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2526 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2527 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2528 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2529 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2530 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2531 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2532 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2534 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2535 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2536 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2538 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2539 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2540 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2541 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2542 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2543 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2544 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2545 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2546 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2547 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2548 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2549 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2550 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2551 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2552 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2553 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2554 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2555 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2556 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2557 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2558 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2562 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2563 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2564 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2565 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2566 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2570 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2574 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2575 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2576 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2577 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2578 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2579 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2580 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2581 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2582 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2583 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2584 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2585 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2586 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2587 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2588 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2589 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2590 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2593 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2594 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2597 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2598 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2600 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2601 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2602 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2603 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2604 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2605 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2606 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2607 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2608 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2609 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2610 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2611 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2612 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2613 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2614 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2615 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2616 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2617 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2618 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2619 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2620 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2621 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2622 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2623 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2624 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2625 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2626 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2628 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2629 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2630 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2631 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2632 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2634 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2635 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2636 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2637 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2638 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2639 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2641 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2642 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2643 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2644 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2645 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2646 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2647 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2648 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2649 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2650 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2651 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2652 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2653 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2654 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2655 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2656 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2657 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2658 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2659 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2660 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2661 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2662 };
2663 unsigned char res[33][2][32] = {
2664 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2665 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2666 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2667 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2668 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2669 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2670 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2671 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2672 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2673 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2674 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2675 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2676 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2677 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2678 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2679 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2680 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2681 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2682 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2683 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2684 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2685 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2686 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2687 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2688 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2689 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2690 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2691 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2692 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2693 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2694 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2695 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2696 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2697 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2698 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2699 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2700 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2701 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2702 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2703 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2704 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2705 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2706 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2707 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2708 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2709 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2710 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2711 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2712 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2713 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2714 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2715 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2716 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2717 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2718 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2719 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2720 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2721 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2722 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2723 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2724 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2725 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2726 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2727 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2728 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2729 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2730 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2731 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2732 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2733 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2734 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2735 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2736 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2737 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2738 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2739 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2740 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2741 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2742 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2743 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2744 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2745 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2746 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2747 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2748 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2749 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2750 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2751 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2752 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2753 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2754 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2755 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2756 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2757 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2758 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2759 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2760 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2761 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2762 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2763 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2764 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2765 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2766 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2767 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2768 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2769 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2770 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2771 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2772 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2773 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2774 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2775 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2776 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2777 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2778 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2779 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2780 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2781 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2782 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2783 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2784 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2785 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2786 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2787 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2788 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2789 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2790 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2791 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2792 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2793 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2794 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2795 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2796 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2797 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2798 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2799 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2800 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2801 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2802 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2803 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2804 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2805 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2806 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2807 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2808 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2809 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2810 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2811 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2812 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2813 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2814 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2815 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2816 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2817 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2818 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2819 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2820 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2821 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2822 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2823 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2824 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2828 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2832 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2834 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2835 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2836 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2837 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2838 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2839 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2840 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2841 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2842 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2843 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2844 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2845 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2846 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2847 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2848 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2849 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2850 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2851 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2852 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2853 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2854 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2855 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2856 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2858 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2859 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2860 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2861 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2862 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2863 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2864 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2865 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2866 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2867 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2868 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2869 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2870 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2872 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2873 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2874 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2875 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2876 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2877 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2878 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2879 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2880 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2881 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2882 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2883 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2884 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2885 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2886 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2887 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2888 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2889 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2890 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2891 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2892 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2893 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2894 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2895 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2896 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2897 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2898 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2899 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2900 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2901 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2902 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2903 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2904 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2905 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2906 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2907 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2908 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2909 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2910 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2911 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2912 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2913 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2914 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2915 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2916 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2917 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2918 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2919 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2920 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2921 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2922 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2923 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2924 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2925 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2926 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2927 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2928 };
2929 for (i = 0; i < 33; i++) {
2930 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2931 CHECK(!overflow);
2932 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2933 CHECK(!overflow);
2934 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2935 CHECK(!overflow);
2936 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2937 CHECK(!overflow);
2938 secp256k1_scalar_mul(&z, &x, &y);
2939 CHECK(!secp256k1_scalar_check_overflow(&z));
2940 CHECK(secp256k1_scalar_eq(&r1, &z));
2941 if (!secp256k1_scalar_is_zero(&y)) {
2942 secp256k1_scalar_inverse(&zz, &y);
2943 CHECK(!secp256k1_scalar_check_overflow(&zz));
2944 secp256k1_scalar_inverse_var(&zzv, &y);
2945 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2946 secp256k1_scalar_mul(&z, &z, &zz);
2947 CHECK(!secp256k1_scalar_check_overflow(&z));
2948 CHECK(secp256k1_scalar_eq(&x, &z));
2949 secp256k1_scalar_mul(&zz, &zz, &y);
2950 CHECK(!secp256k1_scalar_check_overflow(&zz));
2951 CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz));
2952 }
2953 }
2954 }
2955}
2956
2957/***** FIELD TESTS *****/
2958
2959static void random_fe(secp256k1_fe *x) {
2960 unsigned char bin[32];
2961 do {
2962 secp256k1_testrand256(bin);
2963 if (secp256k1_fe_set_b32_limit(x, bin)) {
2964 return;
2965 }
2966 } while(1);
2967}
2968
2969static void random_fe_non_zero(secp256k1_fe *nz) {
2970 int tries = 10;
2971 while (--tries >= 0) {
2972 random_fe(nz);
2973 secp256k1_fe_normalize(nz);
2974 if (!secp256k1_fe_is_zero(nz)) {
2975 break;
2976 }
2977 }
2978 /* Infinitesimal probability of spurious failure here */
2979 CHECK(tries >= 0);
2980}
2981
2982static void random_fe_non_square(secp256k1_fe *ns) {
2983 secp256k1_fe r;
2984 random_fe_non_zero(ns);
2985 if (secp256k1_fe_sqrt(&r, ns)) {
2986 secp256k1_fe_negate(ns, ns, 1);
2987 }
2988}
2989
2990static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2991 secp256k1_fe an = *a;
2992 secp256k1_fe bn = *b;
2993 secp256k1_fe_normalize_weak(&an);
2994 return secp256k1_fe_equal(&an, &bn);
2995}
2996
2997static void run_field_convert(void) {
2998 static const unsigned char b32[32] = {
2999 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
3000 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
3001 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
3002 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
3003 };
3004 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
3005 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3006 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3007 );
3008 static const secp256k1_fe fe = SECP256K1_FE_CONST(
3009 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3010 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3011 );
3012 secp256k1_fe fe2;
3013 unsigned char b322[32];
3014 secp256k1_fe_storage fes2;
3015 /* Check conversions to fe. */
3016 CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
3017 CHECK(secp256k1_fe_equal(&fe, &fe2));
3018 secp256k1_fe_from_storage(&fe2, &fes);
3019 CHECK(secp256k1_fe_equal(&fe, &fe2));
3020 /* Check conversion from fe. */
3021 secp256k1_fe_get_b32(b322, &fe);
3022 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
3023 secp256k1_fe_to_storage(&fes2, &fe);
3024 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
3025}
3026
3027static void run_field_be32_overflow(void) {
3028 {
3029 static const unsigned char zero_overflow[32] = {
3030 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3031 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3032 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3033 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3034 };
3035 static const unsigned char zero[32] = { 0x00 };
3036 unsigned char out[32];
3037 secp256k1_fe fe;
3038 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3039 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3040 CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1);
3041 secp256k1_fe_normalize(&fe);
3042 CHECK(secp256k1_fe_is_zero(&fe) == 1);
3043 secp256k1_fe_get_b32(out, &fe);
3044 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3045 }
3046 {
3047 static const unsigned char one_overflow[32] = {
3048 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3049 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3050 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3051 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3052 };
3053 static const unsigned char one[32] = {
3054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3055 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3058 };
3059 unsigned char out[32];
3060 secp256k1_fe fe;
3061 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3062 secp256k1_fe_set_b32_mod(&fe, one_overflow);
3063 secp256k1_fe_normalize(&fe);
3064 CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0);
3065 secp256k1_fe_get_b32(out, &fe);
3066 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3067 }
3068 {
3069 static const unsigned char ff_overflow[32] = {
3070 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3071 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3072 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3073 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3074 };
3075 static const unsigned char ff[32] = {
3076 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3077 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3079 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3080 };
3081 unsigned char out[32];
3082 secp256k1_fe fe;
3083 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3084 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3085 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3086 secp256k1_fe_normalize(&fe);
3087 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3088 secp256k1_fe_get_b32(out, &fe);
3089 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3090 }
3091}
3092
3093/* Returns true if two field elements have the same representation. */
3094static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3095 int ret = 1;
3096 /* Compare the struct member that holds the limbs. */
3097 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3098 return ret;
3099}
3100
3101static void run_field_half(void) {
3102 secp256k1_fe t, u;
3103 int m;
3104
3105 /* Check magnitude 0 input */
3106 secp256k1_fe_get_bounds(&t, 0);
3107 secp256k1_fe_half(&t);
3108#ifdef VERIFY
3109 CHECK(t.magnitude == 1);
3110 CHECK(t.normalized == 0);
3111#endif
3112 CHECK(secp256k1_fe_normalizes_to_zero(&t));
3113
3114 /* Check non-zero magnitudes in the supported range */
3115 for (m = 1; m < 32; m++) {
3116 /* Check max-value input */
3117 secp256k1_fe_get_bounds(&t, m);
3118
3119 u = t;
3120 secp256k1_fe_half(&u);
3121#ifdef VERIFY
3122 CHECK(u.magnitude == (m >> 1) + 1);
3123 CHECK(u.normalized == 0);
3124#endif
3125 secp256k1_fe_normalize_weak(&u);
3126 secp256k1_fe_add(&u, &u);
3127 CHECK(check_fe_equal(&t, &u));
3128
3129 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3130 * which will also cause all carries to be 1, since all limbs that can
3131 * generate a carry are initially even and all limbs of P are odd in
3132 * every existing field implementation. */
3133 secp256k1_fe_get_bounds(&t, m);
3134 CHECK(t.n[0] > 0);
3135 CHECK((t.n[0] & 1) == 0);
3136 --t.n[0];
3137
3138 u = t;
3139 secp256k1_fe_half(&u);
3140#ifdef VERIFY
3141 CHECK(u.magnitude == (m >> 1) + 1);
3142 CHECK(u.normalized == 0);
3143#endif
3144 secp256k1_fe_normalize_weak(&u);
3145 secp256k1_fe_add(&u, &u);
3146 CHECK(check_fe_equal(&t, &u));
3147 }
3148}
3149
3150static void run_field_misc(void) {
3151 secp256k1_fe x;
3152 secp256k1_fe y;
3153 secp256k1_fe z;
3154 secp256k1_fe q;
3155 int v;
3156 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3157 int i, j;
3158 for (i = 0; i < 1000 * COUNT; i++) {
3159 secp256k1_fe_storage xs, ys, zs;
3160 if (i & 1) {
3161 random_fe(&x);
3162 } else {
3163 random_fe_test(&x);
3164 }
3165 random_fe_non_zero(&y);
3166 v = secp256k1_testrand_bits(15);
3167 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3168 secp256k1_fe_set_int(&q, v); /* q = v */
3169 z = x; /* z = x */
3170 secp256k1_fe_add(&z, &q); /* z = x+v */
3171 q = x; /* q = x */
3172 secp256k1_fe_add_int(&q, v); /* q = x+v */
3173 CHECK(check_fe_equal(&q, &z));
3174 /* Test the fe equality and comparison operations. */
3175 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3176 CHECK(secp256k1_fe_equal(&x, &x));
3177 z = x;
3178 secp256k1_fe_add(&z,&y);
3179 /* Test fe conditional move; z is not normalized here. */
3180 q = x;
3181 secp256k1_fe_cmov(&x, &z, 0);
3182#ifdef VERIFY
3183 CHECK(!x.normalized);
3184 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3185 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3186#endif
3187 x = q;
3188 secp256k1_fe_cmov(&x, &x, 1);
3189 CHECK(!fe_identical(&x, &z));
3190 CHECK(fe_identical(&x, &q));
3191 secp256k1_fe_cmov(&q, &z, 1);
3192#ifdef VERIFY
3193 CHECK(!q.normalized);
3194 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3195 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3196#endif
3197 CHECK(fe_identical(&q, &z));
3198 q = z;
3199 secp256k1_fe_normalize_var(&x);
3200 secp256k1_fe_normalize_var(&z);
3201 CHECK(!secp256k1_fe_equal(&x, &z));
3202 secp256k1_fe_normalize_var(&q);
3203 secp256k1_fe_cmov(&q, &z, (i&1));
3204#ifdef VERIFY
3205 CHECK(q.normalized && q.magnitude == 1);
3206#endif
3207 for (j = 0; j < 6; j++) {
3208 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3209 secp256k1_fe_normalize_var(&q);
3210 secp256k1_fe_cmov(&q, &z, (j&1));
3211#ifdef VERIFY
3212 CHECK(!q.normalized && q.magnitude == z.magnitude);
3213#endif
3214 }
3215 secp256k1_fe_normalize_var(&z);
3216 /* Test storage conversion and conditional moves. */
3217 secp256k1_fe_to_storage(&xs, &x);
3218 secp256k1_fe_to_storage(&ys, &y);
3219 secp256k1_fe_to_storage(&zs, &z);
3220 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3221 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3222 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3223 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3224 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3225 secp256k1_fe_from_storage(&x, &xs);
3226 secp256k1_fe_from_storage(&y, &ys);
3227 secp256k1_fe_from_storage(&z, &zs);
3228 /* Test that mul_int, mul, and add agree. */
3229 secp256k1_fe_add(&y, &x);
3230 secp256k1_fe_add(&y, &x);
3231 z = x;
3232 secp256k1_fe_mul_int(&z, 3);
3233 CHECK(check_fe_equal(&y, &z));
3234 secp256k1_fe_add(&y, &x);
3235 secp256k1_fe_add(&z, &x);
3236 CHECK(check_fe_equal(&z, &y));
3237 z = x;
3238 secp256k1_fe_mul_int(&z, 5);
3239 secp256k1_fe_mul(&q, &x, &fe5);
3240 CHECK(check_fe_equal(&z, &q));
3241 secp256k1_fe_negate(&x, &x, 1);
3242 secp256k1_fe_add(&z, &x);
3243 secp256k1_fe_add(&q, &x);
3244 CHECK(check_fe_equal(&y, &z));
3245 CHECK(check_fe_equal(&q, &y));
3246 /* Check secp256k1_fe_half. */
3247 z = x;
3248 secp256k1_fe_half(&z);
3249 secp256k1_fe_add(&z, &z);
3250 CHECK(check_fe_equal(&x, &z));
3251 secp256k1_fe_add(&z, &z);
3252 secp256k1_fe_half(&z);
3253 CHECK(check_fe_equal(&x, &z));
3254 }
3255}
3256
3257static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3258{
3259 secp256k1_fe c, an, bn;
3260 /* Variables in BE 32-byte format. */
3261 unsigned char a32[32], b32[32], c32[32];
3262 /* Variables in LE 16x uint16_t format. */
3263 uint16_t a16[16], b16[16], c16[16];
3264 /* Field modulus in LE 16x uint16_t format. */
3265 static const uint16_t m16[16] = {
3266 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3267 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3268 };
3269 uint16_t t16[32];
3270 int i;
3271
3272 /* Compute C = A * B in fe format. */
3273 c = *a;
3274 if (use_sqr) {
3275 secp256k1_fe_sqr(&c, &c);
3276 } else {
3277 secp256k1_fe_mul(&c, &c, b);
3278 }
3279
3280 /* Convert A, B, C into LE 16x uint16_t format. */
3281 an = *a;
3282 bn = *b;
3283 secp256k1_fe_normalize_var(&c);
3284 secp256k1_fe_normalize_var(&an);
3285 secp256k1_fe_normalize_var(&bn);
3286 secp256k1_fe_get_b32(a32, &an);
3287 secp256k1_fe_get_b32(b32, &bn);
3288 secp256k1_fe_get_b32(c32, &c);
3289 for (i = 0; i < 16; ++i) {
3290 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3291 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3292 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3293 }
3294 /* Compute T = A * B in LE 16x uint16_t format. */
3295 mulmod256(t16, a16, b16, m16);
3296 /* Compare */
3297 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3298}
3299
3300static void run_fe_mul(void) {
3301 int i;
3302 for (i = 0; i < 100 * COUNT; ++i) {
3303 secp256k1_fe a, b, c, d;
3304 random_fe(&a);
3305 random_fe_magnitude(&a);
3306 random_fe(&b);
3307 random_fe_magnitude(&b);
3308 random_fe_test(&c);
3309 random_fe_magnitude(&c);
3310 random_fe_test(&d);
3311 random_fe_magnitude(&d);
3312 test_fe_mul(&a, &a, 1);
3313 test_fe_mul(&c, &c, 1);
3314 test_fe_mul(&a, &b, 0);
3315 test_fe_mul(&a, &c, 0);
3316 test_fe_mul(&c, &b, 0);
3317 test_fe_mul(&c, &d, 0);
3318 }
3319}
3320
3321static void run_sqr(void) {
3322 secp256k1_fe x, s;
3323
3324 {
3325 int i;
3326 secp256k1_fe_set_int(&x, 1);
3327 secp256k1_fe_negate(&x, &x, 1);
3328
3329 for (i = 1; i <= 512; ++i) {
3330 secp256k1_fe_mul_int(&x, 2);
3331 secp256k1_fe_normalize(&x);
3332 secp256k1_fe_sqr(&s, &x);
3333 }
3334 }
3335}
3336
3337static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3338 secp256k1_fe r1, r2;
3339 int v = secp256k1_fe_sqrt(&r1, a);
3340 CHECK((v == 0) == (k == NULL));
3341
3342 if (k != NULL) {
3343 /* Check that the returned root is +/- the given known answer */
3344 secp256k1_fe_negate(&r2, &r1, 1);
3345 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3346 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3347 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3348 }
3349}
3350
3351static void run_sqrt(void) {
3352 secp256k1_fe ns, x, s, t;
3353 int i;
3354
3355 /* Check sqrt(0) is 0 */
3356 secp256k1_fe_set_int(&x, 0);
3357 secp256k1_fe_sqr(&s, &x);
3358 test_sqrt(&s, &x);
3359
3360 /* Check sqrt of small squares (and their negatives) */
3361 for (i = 1; i <= 100; i++) {
3362 secp256k1_fe_set_int(&x, i);
3363 secp256k1_fe_sqr(&s, &x);
3364 test_sqrt(&s, &x);
3365 secp256k1_fe_negate(&t, &s, 1);
3366 test_sqrt(&t, NULL);
3367 }
3368
3369 /* Consistency checks for large random values */
3370 for (i = 0; i < 10; i++) {
3371 int j;
3372 random_fe_non_square(&ns);
3373 for (j = 0; j < COUNT; j++) {
3374 random_fe(&x);
3375 secp256k1_fe_sqr(&s, &x);
3376 CHECK(secp256k1_fe_is_square_var(&s));
3377 test_sqrt(&s, &x);
3378 secp256k1_fe_negate(&t, &s, 1);
3379 CHECK(!secp256k1_fe_is_square_var(&t));
3380 test_sqrt(&t, NULL);
3381 secp256k1_fe_mul(&t, &s, &ns);
3382 test_sqrt(&t, NULL);
3383 }
3384 }
3385}
3386
3387/***** FIELD/SCALAR INVERSE TESTS *****/
3388
3389static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3390 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3391 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3392);
3393
3394static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3395 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3396 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3397);
3398
3399/* These tests test the following identities:
3400 *
3401 * for x==0: 1/x == 0
3402 * for x!=0: x*(1/x) == 1
3403 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3404 */
3405
3406static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3407{
3408 secp256k1_scalar l, r, t;
3409
3410 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3411 if (out) *out = l;
3412 if (secp256k1_scalar_is_zero(x)) {
3413 CHECK(secp256k1_scalar_is_zero(&l));
3414 return;
3415 }
3416 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3417 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3418 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3419 if (secp256k1_scalar_is_zero(&r)) return;
3420 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3421 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3422 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3423 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3424 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3425 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3426}
3427
3428static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3429{
3430 secp256k1_fe l, r, t;
3431
3432 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3433 if (out) *out = l;
3434 t = *x; /* t = x */
3435 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3436 CHECK(secp256k1_fe_normalizes_to_zero(&l));
3437 return;
3438 }
3439 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3440 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3441 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3442 r = *x; /* r = x */
3443 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3444 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3445 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3446 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3447 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3448 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3449 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3450 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3451}
3452
3453static void run_inverse_tests(void)
3454{
3455 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3456 static const secp256k1_fe fe_cases[][2] = {
3457 /* 0 */
3458 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3459 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3460 /* 1 */
3461 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3462 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3463 /* -1 */
3464 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3465 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3466 /* 2 */
3467 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3468 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3469 /* 2**128 */
3470 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3471 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3472 /* Input known to need 637 divsteps */
3473 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3474 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3475 /* Input known to need 567 divsteps starting with delta=1/2. */
3476 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3477 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3478 /* Input known to need 566 divsteps starting with delta=1/2. */
3479 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3480 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3481 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3482 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3483 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3484 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3485 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3486 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3487 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3488 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3489 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3490 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3491 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3492 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3493 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3494 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3495 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3496 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3497 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3498 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3499 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3500 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3501 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3502 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3503 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3504 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3505 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3506 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3507 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3508 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3509 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3510 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3511 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3512 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3513 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3514 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3515 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3516 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3517 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3518 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3519 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3520 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3521 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3522 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3523 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3524 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3525 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3526 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3527 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3528 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3529 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3530 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3531 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3532 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3533 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3534 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3535 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3536 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3537 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3538 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3539 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3540 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3541 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3542 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3543 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3544 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3545 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3546 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3547 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3548 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3549 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3550 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3551 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3552 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3553 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3554 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3555 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3556 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3557 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3558 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3559 };
3560 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3561 static const secp256k1_scalar scalar_cases[][2] = {
3562 /* 0 */
3563 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3564 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3565 /* 1 */
3566 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3567 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3568 /* -1 */
3569 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3570 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3571 /* 2 */
3572 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3573 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3574 /* 2**128 */
3575 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3576 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3577 /* Input known to need 635 divsteps */
3578 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3579 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3580 /* Input known to need 566 divsteps starting with delta=1/2. */
3581 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3582 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3583 /* Input known to need 565 divsteps starting with delta=1/2. */
3584 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3585 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3586 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3587 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3588 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3589 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3590 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3591 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3592 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3593 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3594 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3595 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3596 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3597 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3598 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3599 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3600 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3601 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3602 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3603 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3604 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3605 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3606 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3607 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3608 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3609 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3610 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3611 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3612 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3613 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3614 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3615 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3616 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3617 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3618 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3619 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3620 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3621 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3622 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3623 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3624 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3625 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3626 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3627 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3628 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3629 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3630 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3631 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3632 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3633 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3634 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3635 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3636 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3637 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3638 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3639 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3640 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3641 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3642 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3643 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3644 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3645 };
3646 int i, var, testrand;
3647 unsigned char b32[32];
3648 secp256k1_fe x_fe;
3649 secp256k1_scalar x_scalar;
3650 memset(b32, 0, sizeof(b32));
3651 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3652 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3653 for (var = 0; var <= 1; ++var) {
3654 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3655 check_fe_equal(&x_fe, &fe_cases[i][1]);
3656 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3657 check_fe_equal(&x_fe, &fe_cases[i][0]);
3658 }
3659 }
3660 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3661 for (var = 0; var <= 1; ++var) {
3662 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3663 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3664 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3665 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3666 }
3667 }
3668 /* Test inputs 0..999 and their respective negations. */
3669 for (i = 0; i < 1000; ++i) {
3670 b32[31] = i & 0xff;
3671 b32[30] = (i >> 8) & 0xff;
3672 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3673 secp256k1_fe_set_b32_mod(&x_fe, b32);
3674 for (var = 0; var <= 1; ++var) {
3675 test_inverse_scalar(NULL, &x_scalar, var);
3676 test_inverse_field(NULL, &x_fe, var);
3677 }
3678 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3679 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3680 for (var = 0; var <= 1; ++var) {
3681 test_inverse_scalar(NULL, &x_scalar, var);
3682 test_inverse_field(NULL, &x_fe, var);
3683 }
3684 }
3685 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3686 for (testrand = 0; testrand <= 1; ++testrand) {
3687 for (i = 0; i < 64 * COUNT; ++i) {
3688 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3689 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3690 secp256k1_fe_set_b32_mod(&x_fe, b32);
3691 for (var = 0; var <= 1; ++var) {
3692 test_inverse_scalar(NULL, &x_scalar, var);
3693 test_inverse_field(NULL, &x_fe, var);
3694 }
3695 }
3696 }
3697}
3698
3699/***** GROUP TESTS *****/
3700
3701static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3702 CHECK(a->infinity == b->infinity);
3703 if (a->infinity) {
3704 return;
3705 }
3706 CHECK(secp256k1_fe_equal(&a->x, &b->x));
3707 CHECK(secp256k1_fe_equal(&a->y, &b->y));
3708}
3709
3710/* This compares jacobian points including their Z, not just their geometric meaning. */
3711static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3712 secp256k1_gej a2;
3713 secp256k1_gej b2;
3714 int ret = 1;
3715 ret &= a->infinity == b->infinity;
3716 if (ret && !a->infinity) {
3717 a2 = *a;
3718 b2 = *b;
3719 secp256k1_fe_normalize(&a2.x);
3720 secp256k1_fe_normalize(&a2.y);
3721 secp256k1_fe_normalize(&a2.z);
3722 secp256k1_fe_normalize(&b2.x);
3723 secp256k1_fe_normalize(&b2.y);
3724 secp256k1_fe_normalize(&b2.z);
3725 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3726 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3727 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3728 }
3729 return ret;
3730}
3731
3732static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3733 secp256k1_fe z2s;
3734 secp256k1_fe u1, u2, s1, s2;
3735 CHECK(a->infinity == b->infinity);
3736 if (a->infinity) {
3737 return;
3738 }
3739 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3740 secp256k1_fe_sqr(&z2s, &b->z);
3741 secp256k1_fe_mul(&u1, &a->x, &z2s);
3742 u2 = b->x;
3743 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3744 s2 = b->y;
3745 CHECK(secp256k1_fe_equal(&u1, &u2));
3746 CHECK(secp256k1_fe_equal(&s1, &s2));
3747}
3748
3749static void test_ge(void) {
3750 int i, i1;
3751 int runs = 6;
3752 /* 25 points are used:
3753 * - infinity
3754 * - for each of four random points p1 p2 p3 p4, we add the point, its
3755 * negation, and then those two again but with randomized Z coordinate.
3756 * - The same is then done for lambda*p1 and lambda^2*p1.
3757 */
3758 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3759 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3760 secp256k1_fe zf, r;
3761 secp256k1_fe zfi2, zfi3;
3762
3763 secp256k1_gej_set_infinity(&gej[0]);
3764 secp256k1_ge_clear(&ge[0]);
3765 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3766 for (i = 0; i < runs; i++) {
3767 int j;
3768 secp256k1_ge g;
3769 random_group_element_test(&g);
3770 if (i >= runs - 2) {
3771 secp256k1_ge_mul_lambda(&g, &ge[1]);
3772 }
3773 if (i >= runs - 1) {
3774 secp256k1_ge_mul_lambda(&g, &g);
3775 }
3776 ge[1 + 4 * i] = g;
3777 ge[2 + 4 * i] = g;
3778 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3779 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3780 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3781 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3782 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3783 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3784 for (j = 0; j < 4; j++) {
3785 random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3786 random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3787 random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3788 random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3789 random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3790 }
3791 }
3792
3793 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3794 random_fe_non_zero_test(&zf);
3795 random_fe_magnitude(&zf);
3796 secp256k1_fe_inv_var(&zfi3, &zf);
3797 secp256k1_fe_sqr(&zfi2, &zfi3);
3798 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3799
3800 /* Generate random r */
3801 random_fe_non_zero_test(&r);
3802
3803 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3804 int i2;
3805 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3806 /* Compute reference result using gej + gej (var). */
3807 secp256k1_gej refj, resj;
3808 secp256k1_ge ref;
3809 secp256k1_fe zr;
3810 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3811 /* Check Z ratio. */
3812 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3813 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3814 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3815 }
3816 secp256k1_ge_set_gej_var(&ref, &refj);
3817
3818 /* Test gej + ge with Z ratio result (var). */
3819 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3820 ge_equals_gej(&ref, &resj);
3821 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3822 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3823 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3824 }
3825
3826 /* Test gej + ge (var, with additional Z factor). */
3827 {
3828 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3829 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3830 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3831 random_ge_x_magnitude(&ge2_zfi);
3832 random_ge_y_magnitude(&ge2_zfi);
3833 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3834 ge_equals_gej(&ref, &resj);
3835 }
3836
3837 /* Test gej + ge (const). */
3838 if (i2 != 0) {
3839 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3840 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3841 ge_equals_gej(&ref, &resj);
3842 }
3843
3844 /* Test doubling (var). */
3845 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3846 secp256k1_fe zr2;
3847 /* Normal doubling with Z ratio result. */
3848 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3849 ge_equals_gej(&ref, &resj);
3850 /* Check Z ratio. */
3851 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3852 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3853 /* Normal doubling. */
3854 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3855 ge_equals_gej(&ref, &resj);
3856 /* Constant-time doubling. */
3857 secp256k1_gej_double(&resj, &gej[i2]);
3858 ge_equals_gej(&ref, &resj);
3859 }
3860
3861 /* Test adding opposites. */
3862 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3863 CHECK(secp256k1_ge_is_infinity(&ref));
3864 }
3865
3866 /* Test adding infinity. */
3867 if (i1 == 0) {
3868 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3869 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3870 ge_equals_gej(&ref, &gej[i2]);
3871 }
3872 if (i2 == 0) {
3873 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3874 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3875 ge_equals_gej(&ref, &gej[i1]);
3876 }
3877 }
3878 }
3879
3880 /* Test adding all points together in random order equals infinity. */
3881 {
3882 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3883 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3884 for (i = 0; i < 4 * runs + 1; i++) {
3885 gej_shuffled[i] = gej[i];
3886 }
3887 for (i = 0; i < 4 * runs + 1; i++) {
3888 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3889 if (swap != i) {
3890 secp256k1_gej t = gej_shuffled[i];
3891 gej_shuffled[i] = gej_shuffled[swap];
3892 gej_shuffled[swap] = t;
3893 }
3894 }
3895 for (i = 0; i < 4 * runs + 1; i++) {
3896 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3897 }
3898 CHECK(secp256k1_gej_is_infinity(&sum));
3899 free(gej_shuffled);
3900 }
3901
3902 /* Test batch gej -> ge conversion without known z ratios. */
3903 {
3904 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3905 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3906 for (i = 0; i < 4 * runs + 1; i++) {
3907 secp256k1_fe s;
3908 random_fe_non_zero(&s);
3909 secp256k1_gej_rescale(&gej[i], &s);
3910 ge_equals_gej(&ge_set_all[i], &gej[i]);
3911 }
3912 free(ge_set_all);
3913 }
3914
3915 /* Test that all elements have X coordinates on the curve. */
3916 for (i = 1; i < 4 * runs + 1; i++) {
3917 secp256k1_fe n;
3918 CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x));
3919 /* And the same holds after random rescaling. */
3920 secp256k1_fe_mul(&n, &zf, &ge[i].x);
3921 CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf));
3922 }
3923
3924 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3925 {
3926 secp256k1_fe n;
3927 secp256k1_ge q;
3928 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3929 secp256k1_fe_mul(&n, &zf, &r);
3930 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3931 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3932 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3933 CHECK(ret_on_curve == ret_frac_on_curve);
3934 CHECK(ret_on_curve == ret_set_xo);
3935 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3936 }
3937
3938 /* Test batch gej -> ge conversion with many infinities. */
3939 for (i = 0; i < 4 * runs + 1; i++) {
3940 int odd;
3941 random_group_element_test(&ge[i]);
3942 odd = secp256k1_fe_is_odd(&ge[i].x);
3943 CHECK(odd == 0 || odd == 1);
3944 /* randomly set half the points to infinity */
3945 if (odd == i % 2) {
3946 secp256k1_ge_set_infinity(&ge[i]);
3947 }
3948 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3949 }
3950 /* batch convert */
3951 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3952 /* check result */
3953 for (i = 0; i < 4 * runs + 1; i++) {
3954 ge_equals_gej(&ge[i], &gej[i]);
3955 }
3956
3957 /* Test batch gej -> ge conversion with all infinities. */
3958 for (i = 0; i < 4 * runs + 1; i++) {
3959 secp256k1_gej_set_infinity(&gej[i]);
3960 }
3961 /* batch convert */
3962 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3963 /* check result */
3964 for (i = 0; i < 4 * runs + 1; i++) {
3965 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3966 }
3967
3968 free(ge);
3969 free(gej);
3970}
3971
3972static void test_intialized_inf(void) {
3973 secp256k1_ge p;
3974 secp256k1_gej pj, npj, infj1, infj2, infj3;
3975 secp256k1_fe zinv;
3976
3977 /* Test that adding P+(-P) results in a fully initialized infinity*/
3978 random_group_element_test(&p);
3979 secp256k1_gej_set_ge(&pj, &p);
3980 secp256k1_gej_neg(&npj, &pj);
3981
3982 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3983 CHECK(secp256k1_gej_is_infinity(&infj1));
3984 CHECK(secp256k1_fe_is_zero(&infj1.x));
3985 CHECK(secp256k1_fe_is_zero(&infj1.y));
3986 CHECK(secp256k1_fe_is_zero(&infj1.z));
3987
3988 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3989 CHECK(secp256k1_gej_is_infinity(&infj2));
3990 CHECK(secp256k1_fe_is_zero(&infj2.x));
3991 CHECK(secp256k1_fe_is_zero(&infj2.y));
3992 CHECK(secp256k1_fe_is_zero(&infj2.z));
3993
3994 secp256k1_fe_set_int(&zinv, 1);
3995 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3996 CHECK(secp256k1_gej_is_infinity(&infj3));
3997 CHECK(secp256k1_fe_is_zero(&infj3.x));
3998 CHECK(secp256k1_fe_is_zero(&infj3.y));
3999 CHECK(secp256k1_fe_is_zero(&infj3.z));
4000
4001
4002}
4003
4004static void test_add_neg_y_diff_x(void) {
4005 /* The point of this test is to check that we can add two points
4006 * whose y-coordinates are negatives of each other but whose x
4007 * coordinates differ. If the x-coordinates were the same, these
4008 * points would be negatives of each other and their sum is
4009 * infinity. This is cool because it "covers up" any degeneracy
4010 * in the addition algorithm that would cause the xy coordinates
4011 * of the sum to be wrong (since infinity has no xy coordinates).
4012 * HOWEVER, if the x-coordinates are different, infinity is the
4013 * wrong answer, and such degeneracies are exposed. This is the
4014 * root of https://github.com/bitcoin-core/secp256k1/issues/257
4015 * which this test is a regression test for.
4016 *
4017 * These points were generated in sage as
4018 *
4019 * load("secp256k1_params.sage")
4020 *
4021 * # random "bad pair"
4022 * P = C.random_element()
4023 * Q = -int(LAMBDA) * P
4024 * print(" P: %x %x" % P.xy())
4025 * print(" Q: %x %x" % Q.xy())
4026 * print("P + Q: %x %x" % (P + Q).xy())
4027 */
4028 secp256k1_gej aj = SECP256K1_GEJ_CONST(
4029 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
4030 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
4031 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
4032 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
4033 );
4034 secp256k1_gej bj = SECP256K1_GEJ_CONST(
4035 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4036 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4037 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4038 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4039 );
4040 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
4041 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4042 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4043 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4044 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4045 );
4046 secp256k1_ge b;
4047 secp256k1_gej resj;
4048 secp256k1_ge res;
4049 secp256k1_ge_set_gej(&b, &bj);
4050
4051 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4052 secp256k1_ge_set_gej(&res, &resj);
4053 ge_equals_gej(&res, &sumj);
4054
4055 secp256k1_gej_add_ge(&resj, &aj, &b);
4056 secp256k1_ge_set_gej(&res, &resj);
4057 ge_equals_gej(&res, &sumj);
4058
4059 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4060 secp256k1_ge_set_gej(&res, &resj);
4061 ge_equals_gej(&res, &sumj);
4062}
4063
4064static void run_ge(void) {
4065 int i;
4066 for (i = 0; i < COUNT * 32; i++) {
4067 test_ge();
4068 }
4069 test_add_neg_y_diff_x();
4070 test_intialized_inf();
4071}
4072
4073static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4074 secp256k1_gej t = *a;
4075 secp256k1_gej_cmov(&t, b, 0);
4076 CHECK(gej_xyz_equals_gej(&t, a));
4077 secp256k1_gej_cmov(&t, b, 1);
4078 CHECK(gej_xyz_equals_gej(&t, b));
4079}
4080
4081static void run_gej(void) {
4082 int i;
4083 secp256k1_gej a, b;
4084
4085 /* Tests for secp256k1_gej_cmov */
4086 for (i = 0; i < COUNT; i++) {
4087 secp256k1_gej_set_infinity(&a);
4088 secp256k1_gej_set_infinity(&b);
4089 test_gej_cmov(&a, &b);
4090
4091 random_gej_test(&a);
4092 test_gej_cmov(&a, &b);
4093 test_gej_cmov(&b, &a);
4094
4095 b = a;
4096 test_gej_cmov(&a, &b);
4097
4098 random_gej_test(&b);
4099 test_gej_cmov(&a, &b);
4100 test_gej_cmov(&b, &a);
4101 }
4102
4103 /* Tests for secp256k1_gej_eq_var */
4104 for (i = 0; i < COUNT; i++) {
4105 secp256k1_fe fe;
4106 random_gej_test(&a);
4107 random_gej_test(&b);
4108 CHECK(!secp256k1_gej_eq_var(&a, &b));
4109
4110 b = a;
4111 random_fe_non_zero_test(&fe);
4112 secp256k1_gej_rescale(&a, &fe);
4113 CHECK(secp256k1_gej_eq_var(&a, &b));
4114 }
4115}
4116
4117static void test_ec_combine(void) {
4118 secp256k1_scalar sum = secp256k1_scalar_zero;
4119 secp256k1_pubkey data[6];
4120 const secp256k1_pubkey* d[6];
4121 secp256k1_pubkey sd;
4122 secp256k1_pubkey sd2;
4123 secp256k1_gej Qj;
4124 secp256k1_ge Q;
4125 int i;
4126 for (i = 1; i <= 6; i++) {
4127 secp256k1_scalar s;
4128 random_scalar_order_test(&s);
4129 secp256k1_scalar_add(&sum, &sum, &s);
4130 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s);
4131 secp256k1_ge_set_gej(&Q, &Qj);
4132 secp256k1_pubkey_save(&data[i - 1], &Q);
4133 d[i - 1] = &data[i - 1];
4134 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum);
4135 secp256k1_ge_set_gej(&Q, &Qj);
4136 secp256k1_pubkey_save(&sd, &Q);
4137 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4138 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4139 }
4140}
4141
4142static void run_ec_combine(void) {
4143 int i;
4144 for (i = 0; i < COUNT * 8; i++) {
4145 test_ec_combine();
4146 }
4147}
4148
4149static void test_group_decompress(const secp256k1_fe* x) {
4150 /* The input itself, normalized. */
4151 secp256k1_fe fex = *x;
4152 secp256k1_fe fez;
4153 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
4154 secp256k1_ge ge_quad, ge_even, ge_odd;
4155 secp256k1_gej gej_quad;
4156 /* Return values of the above calls. */
4157 int res_quad, res_even, res_odd;
4158
4159 secp256k1_fe_normalize_var(&fex);
4160
4161 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
4162 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4163 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4164
4165 CHECK(res_quad == res_even);
4166 CHECK(res_quad == res_odd);
4167
4168 if (res_quad) {
4169 secp256k1_fe_normalize_var(&ge_quad.x);
4170 secp256k1_fe_normalize_var(&ge_odd.x);
4171 secp256k1_fe_normalize_var(&ge_even.x);
4172 secp256k1_fe_normalize_var(&ge_quad.y);
4173 secp256k1_fe_normalize_var(&ge_odd.y);
4174 secp256k1_fe_normalize_var(&ge_even.y);
4175
4176 /* No infinity allowed. */
4177 CHECK(!ge_quad.infinity);
4178 CHECK(!ge_even.infinity);
4179 CHECK(!ge_odd.infinity);
4180
4181 /* Check that the x coordinates check out. */
4182 CHECK(secp256k1_fe_equal(&ge_quad.x, x));
4183 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4184 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4185
4186 /* Check that the Y coordinate result in ge_quad is a square. */
4187 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
4188
4189 /* Check odd/even Y in ge_odd, ge_even. */
4190 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4191 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4192
4193 /* Check secp256k1_gej_has_quad_y_var. */
4194 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
4195 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4196 do {
4197 random_fe_test(&fez);
4198 } while (secp256k1_fe_is_zero(&fez));
4199 secp256k1_gej_rescale(&gej_quad, &fez);
4200 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4201 secp256k1_gej_neg(&gej_quad, &gej_quad);
4202 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
4203 do {
4204 random_fe_test(&fez);
4205 } while (secp256k1_fe_is_zero(&fez));
4206 secp256k1_gej_rescale(&gej_quad, &fez);
4207 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
4208 secp256k1_gej_neg(&gej_quad, &gej_quad);
4209 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4210 }
4211}
4212
4213static void run_group_decompress(void) {
4214 int i;
4215 for (i = 0; i < COUNT * 4; i++) {
4216 secp256k1_fe fe;
4217 random_fe_test(&fe);
4218 test_group_decompress(&fe);
4219 }
4220}
4221
4222/***** ECMULT TESTS *****/
4223
4224static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4225 /* Tests the pre_g / pre_g_128 tables for consistency.
4226 * For independent verification we take a "geometric" approach to verification.
4227 * We check that every entry is on-curve.
4228 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4229 * (1) p, gg, and -q are colinear.
4230 * (2) p, gg, and -q are all distinct.
4231 * where gg is twice the generator, where the generator is the first table entry.
4232 *
4233 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4234 */
4235 secp256k1_gej g2;
4236 secp256k1_ge p, q, gg;
4237 secp256k1_fe dpx, dpy, dqx, dqy;
4238 size_t i;
4239
4240 CHECK(0 < n);
4241
4242 secp256k1_ge_from_storage(&p, &pre_g[0]);
4243 CHECK(secp256k1_ge_is_valid_var(&p));
4244
4245 secp256k1_gej_set_ge(&g2, &p);
4246 secp256k1_gej_double_var(&g2, &g2, NULL);
4247 secp256k1_ge_set_gej_var(&gg, &g2);
4248 for (i = 1; i < n; ++i) {
4249 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4250 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4251 /* Check that p is not equal to gg */
4252 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
4253
4254 secp256k1_ge_from_storage(&q, &pre_g[i]);
4255 CHECK(secp256k1_ge_is_valid_var(&q));
4256
4257 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4258 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4259 /* Check that -q is not equal to gg */
4260 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4261
4262 /* Check that -q is not equal to p */
4263 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4264
4265 /* Check that p, -q and gg are colinear */
4266 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4267 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4268 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4269
4270 p = q;
4271 }
4272}
4273
4274static void run_ecmult_pre_g(void) {
4275 secp256k1_ge_storage gs;
4276 secp256k1_gej gj;
4277 secp256k1_ge g;
4278 size_t i;
4279
4280 /* Check that the pre_g and pre_g_128 tables are consistent. */
4281 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4282 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4283
4284 /* Check the first entry from the pre_g table. */
4285 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4286 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4287
4288 /* Check the first entry from the pre_g_128 table. */
4289 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4290 for (i = 0; i < 128; ++i) {
4291 secp256k1_gej_double_var(&gj, &gj, NULL);
4292 }
4293 secp256k1_ge_set_gej(&g, &gj);
4294 secp256k1_ge_to_storage(&gs, &g);
4295 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4296}
4297
4298static void run_ecmult_chain(void) {
4299 /* random starting point A (on the curve) */
4300 secp256k1_gej a = SECP256K1_GEJ_CONST(
4301 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4302 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4303 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4304 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4305 );
4306 /* two random initial factors xn and gn */
4307 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4308 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4309 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4310 );
4311 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4312 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4313 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4314 );
4315 /* two small multipliers to be applied to xn and gn in every iteration: */
4316 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4317 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4318 /* accumulators with the resulting coefficients to A and G */
4319 secp256k1_scalar ae = secp256k1_scalar_one;
4320 secp256k1_scalar ge = secp256k1_scalar_zero;
4321 /* actual points */
4322 secp256k1_gej x;
4323 secp256k1_gej x2;
4324 int i;
4325
4326 /* the point being computed */
4327 x = a;
4328 for (i = 0; i < 200*COUNT; i++) {
4329 /* in each iteration, compute X = xn*X + gn*G; */
4330 secp256k1_ecmult(&x, &x, &xn, &gn);
4331 /* also compute ae and ge: the actual accumulated factors for A and G */
4332 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4333 secp256k1_scalar_mul(&ae, &ae, &xn);
4334 secp256k1_scalar_mul(&ge, &ge, &xn);
4335 secp256k1_scalar_add(&ge, &ge, &gn);
4336 /* modify xn and gn */
4337 secp256k1_scalar_mul(&xn, &xn, &xf);
4338 secp256k1_scalar_mul(&gn, &gn, &gf);
4339
4340 /* verify */
4341 if (i == 19999) {
4342 /* expected result after 19999 iterations */
4343 secp256k1_gej rp = SECP256K1_GEJ_CONST(
4344 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4345 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4346 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4347 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4348 );
4349 CHECK(secp256k1_gej_eq_var(&rp, &x));
4350 }
4351 }
4352 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4353 secp256k1_ecmult(&x2, &a, &ae, &ge);
4354 CHECK(secp256k1_gej_eq_var(&x, &x2));
4355}
4356
4357static void test_point_times_order(const secp256k1_gej *point) {
4358 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4359 secp256k1_scalar x;
4360 secp256k1_scalar nx;
4361 secp256k1_gej res1, res2;
4362 secp256k1_ge res3;
4363 unsigned char pub[65];
4364 size_t psize = 65;
4365 random_scalar_order_test(&x);
4366 secp256k1_scalar_negate(&nx, &x);
4367 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4368 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4369 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4370 CHECK(secp256k1_gej_is_infinity(&res1));
4371 secp256k1_ge_set_gej(&res3, &res1);
4372 CHECK(secp256k1_ge_is_infinity(&res3));
4373 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4374 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4375 psize = 65;
4376 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4377 /* check zero/one edge cases */
4378 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero);
4379 secp256k1_ge_set_gej(&res3, &res1);
4380 CHECK(secp256k1_ge_is_infinity(&res3));
4381 secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero);
4382 secp256k1_ge_set_gej(&res3, &res1);
4383 ge_equals_gej(&res3, point);
4384 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one);
4385 secp256k1_ge_set_gej(&res3, &res1);
4386 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4387}
4388
4389/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4390 *
4391 * They are computed as:
4392 * - For a in [-2, -1, 0, 1, 2]:
4393 * - For b in [-3, -1, 1, 3]:
4394 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4395 */
4396static const secp256k1_scalar scalars_near_split_bounds[20] = {
4397 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4398 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4399 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4400 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4401 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4402 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4403 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4404 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4405 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4406 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4407 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4408 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4409 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4410 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4411 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4412 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4413 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4414 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4415 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4416 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4417};
4418
4419static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4420 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4421 secp256k1_scalar n1, n2;
4422 secp256k1_ge p;
4423 secp256k1_gej pj, p1j, p2j, ptj;
4424
4425 /* Generate random n1,n2 such that n1+n2 = -target. */
4426 random_scalar_order_test(&n1);
4427 secp256k1_scalar_add(&n2, &n1, target);
4428 secp256k1_scalar_negate(&n2, &n2);
4429
4430 /* Generate a random input point. */
4431 if (mode != 0) {
4432 random_group_element_test(&p);
4433 secp256k1_gej_set_ge(&pj, &p);
4434 }
4435
4436 /* EC multiplications */
4437 if (mode == 0) {
4438 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4439 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4440 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4441 } else if (mode == 1) {
4442 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4443 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4444 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4445 } else {
4446 secp256k1_ecmult_const(&p1j, &p, &n1);
4447 secp256k1_ecmult_const(&p2j, &p, &n2);
4448 secp256k1_ecmult_const(&ptj, &p, target);
4449 }
4450
4451 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4452 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4453 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4454 CHECK(secp256k1_gej_is_infinity(&ptj));
4455}
4456
4457static void run_ecmult_near_split_bound(void) {
4458 int i;
4459 unsigned j;
4460 for (i = 0; i < 4*COUNT; ++i) {
4461 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4462 test_ecmult_target(&scalars_near_split_bounds[j], 0);
4463 test_ecmult_target(&scalars_near_split_bounds[j], 1);
4464 test_ecmult_target(&scalars_near_split_bounds[j], 2);
4465 }
4466 }
4467}
4468
4469static void run_point_times_order(void) {
4470 int i;
4471 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4472 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4473 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4474 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4475 );
4476 for (i = 0; i < 500; i++) {
4477 secp256k1_ge p;
4478 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4479 secp256k1_gej j;
4480 CHECK(secp256k1_ge_is_valid_var(&p));
4481 secp256k1_gej_set_ge(&j, &p);
4482 test_point_times_order(&j);
4483 }
4484 secp256k1_fe_sqr(&x, &x);
4485 }
4486 secp256k1_fe_normalize_var(&x);
4487 CHECK(secp256k1_fe_equal(&x, &xr));
4488}
4489
4490static void ecmult_const_random_mult(void) {
4491 /* random starting point A (on the curve) */
4492 secp256k1_ge a = SECP256K1_GE_CONST(
4493 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4494 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4495 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4496 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4497 );
4498 /* random initial factor xn */
4499 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4500 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4501 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4502 );
4503 /* expected xn * A (from sage) */
4504 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4505 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4506 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4507 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4508 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4509 );
4510 secp256k1_gej b;
4511 secp256k1_ecmult_const(&b, &a, &xn);
4512
4513 CHECK(secp256k1_ge_is_valid_var(&a));
4514 ge_equals_gej(&expected_b, &b);
4515}
4516
4517static void ecmult_const_commutativity(void) {
4518 secp256k1_scalar a;
4519 secp256k1_scalar b;
4520 secp256k1_gej res1;
4521 secp256k1_gej res2;
4522 secp256k1_ge mid1;
4523 secp256k1_ge mid2;
4524 random_scalar_order_test(&a);
4525 random_scalar_order_test(&b);
4526
4527 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
4528 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
4529 secp256k1_ge_set_gej(&mid1, &res1);
4530 secp256k1_ge_set_gej(&mid2, &res2);
4531 secp256k1_ecmult_const(&res1, &mid1, &b);
4532 secp256k1_ecmult_const(&res2, &mid2, &a);
4533 secp256k1_ge_set_gej(&mid1, &res1);
4534 secp256k1_ge_set_gej(&mid2, &res2);
4535 ge_equals_ge(&mid1, &mid2);
4536}
4537
4538static void ecmult_const_mult_zero_one(void) {
4539 secp256k1_scalar negone;
4540 secp256k1_gej res1;
4541 secp256k1_ge res2;
4542 secp256k1_ge point;
4543 secp256k1_scalar_negate(&negone, &secp256k1_scalar_one);
4544
4545 random_group_element_test(&point);
4546 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero);
4547 secp256k1_ge_set_gej(&res2, &res1);
4548 CHECK(secp256k1_ge_is_infinity(&res2));
4549 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one);
4550 secp256k1_ge_set_gej(&res2, &res1);
4551 ge_equals_ge(&res2, &point);
4552 secp256k1_ecmult_const(&res1, &point, &negone);
4553 secp256k1_gej_neg(&res1, &res1);
4554 secp256k1_ge_set_gej(&res2, &res1);
4555 ge_equals_ge(&res2, &point);
4556}
4557
4558static void ecmult_const_mult_xonly(void) {
4559 int i;
4560
4561 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4562 for (i = 0; i < 2*COUNT; ++i) {
4563 secp256k1_ge base;
4564 secp256k1_gej basej, resj;
4565 secp256k1_fe n, d, resx, v;
4566 secp256k1_scalar q;
4567 int res;
4568 /* Random base point. */
4569 random_group_element_test(&base);
4570 /* Random scalar to multiply it with. */
4571 random_scalar_order_test(&q);
4572 /* If i is odd, n=d*base.x for random non-zero d */
4573 if (i & 1) {
4574 random_fe_non_zero_test(&d);
4575 secp256k1_fe_mul(&n, &base.x, &d);
4576 } else {
4577 n = base.x;
4578 }
4579 /* Perform x-only multiplication. */
4580 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4581 CHECK(res);
4582 /* Perform normal multiplication. */
4583 secp256k1_gej_set_ge(&basej, &base);
4584 secp256k1_ecmult(&resj, &basej, &q, NULL);
4585 /* Check that resj's X coordinate corresponds with resx. */
4586 secp256k1_fe_sqr(&v, &resj.z);
4587 secp256k1_fe_mul(&v, &v, &resx);
4588 CHECK(check_fe_equal(&v, &resj.x));
4589 }
4590
4591 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4592 for (i = 0; i < 2*COUNT; ++i) {
4593 secp256k1_fe x, n, d, r;
4594 int res;
4595 secp256k1_scalar q;
4596 random_scalar_order_test(&q);
4597 /* Generate random X coordinate not on the curve. */
4598 do {
4599 random_fe_test(&x);
4600 } while (secp256k1_ge_x_on_curve_var(&x));
4601 /* If i is odd, n=d*x for random non-zero d. */
4602 if (i & 1) {
4603 random_fe_non_zero_test(&d);
4604 secp256k1_fe_mul(&n, &x, &d);
4605 } else {
4606 n = x;
4607 }
4608 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4609 CHECK(res == 0);
4610 }
4611}
4612
4613static void ecmult_const_chain_multiply(void) {
4614 /* Check known result (randomly generated test problem from sage) */
4615 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4616 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4617 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4618 );
4619 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4620 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4621 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4622 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4623 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4624 );
4625 secp256k1_gej point;
4626 secp256k1_ge res;
4627 int i;
4628
4629 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4630 for (i = 0; i < 100; ++i) {
4631 secp256k1_ge tmp;
4632 secp256k1_ge_set_gej(&tmp, &point);
4633 secp256k1_ecmult_const(&point, &tmp, &scalar);
4634 }
4635 secp256k1_ge_set_gej(&res, &point);
4636 ge_equals_gej(&res, &expected_point);
4637}
4638
4639static void run_ecmult_const_tests(void) {
4640 ecmult_const_mult_zero_one();
4641 ecmult_const_random_mult();
4642 ecmult_const_commutativity();
4643 ecmult_const_chain_multiply();
4644 ecmult_const_mult_xonly();
4645}
4646
4647typedef struct {
4648 secp256k1_scalar *sc;
4649 secp256k1_ge *pt;
4650} ecmult_multi_data;
4651
4652static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4653 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4654 *sc = data->sc[idx];
4655 *pt = data->pt[idx];
4656 return 1;
4657}
4658
4659static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4660 (void)sc;
4661 (void)pt;
4662 (void)idx;
4663 (void)cbdata;
4664 return 0;
4665}
4666
4667static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4668 int ncount;
4669 secp256k1_scalar sc[32];
4670 secp256k1_ge pt[32];
4671 secp256k1_gej r;
4672 secp256k1_gej r2;
4673 ecmult_multi_data data;
4674
4675 data.sc = sc;
4676 data.pt = pt;
4677
4678 /* No points to multiply */
4679 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4680
4681 /* Check 1- and 2-point multiplies against ecmult */
4682 for (ncount = 0; ncount < COUNT; ncount++) {
4683 secp256k1_ge ptg;
4684 secp256k1_gej ptgj;
4685 random_scalar_order(&sc[0]);
4686 random_scalar_order(&sc[1]);
4687
4688 random_group_element_test(&ptg);
4689 secp256k1_gej_set_ge(&ptgj, &ptg);
4690 pt[0] = ptg;
4691 pt[1] = secp256k1_ge_const_g;
4692
4693 /* only G scalar */
4694 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4695 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4696 CHECK(secp256k1_gej_eq_var(&r, &r2));
4697
4698 /* 1-point */
4699 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4700 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4701 CHECK(secp256k1_gej_eq_var(&r, &r2));
4702
4703 /* Try to multiply 1 point, but callback returns false */
4704 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4705
4706 /* 2-point */
4707 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4708 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4709 CHECK(secp256k1_gej_eq_var(&r, &r2));
4710
4711 /* 2-point with G scalar */
4712 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4713 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4714 CHECK(secp256k1_gej_eq_var(&r, &r2));
4715 }
4716
4717 /* Check infinite outputs of various forms */
4718 for (ncount = 0; ncount < COUNT; ncount++) {
4719 secp256k1_ge ptg;
4720 size_t i, j;
4721 size_t sizes[] = { 2, 10, 32 };
4722
4723 for (j = 0; j < 3; j++) {
4724 for (i = 0; i < 32; i++) {
4725 random_scalar_order(&sc[i]);
4726 secp256k1_ge_set_infinity(&pt[i]);
4727 }
4728 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4729 CHECK(secp256k1_gej_is_infinity(&r));
4730 }
4731
4732 for (j = 0; j < 3; j++) {
4733 for (i = 0; i < 32; i++) {
4734 random_group_element_test(&ptg);
4735 pt[i] = ptg;
4736 secp256k1_scalar_set_int(&sc[i], 0);
4737 }
4738 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4739 CHECK(secp256k1_gej_is_infinity(&r));
4740 }
4741
4742 for (j = 0; j < 3; j++) {
4743 random_group_element_test(&ptg);
4744 for (i = 0; i < 16; i++) {
4745 random_scalar_order(&sc[2*i]);
4746 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4747 pt[2 * i] = ptg;
4748 pt[2 * i + 1] = ptg;
4749 }
4750
4751 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4752 CHECK(secp256k1_gej_is_infinity(&r));
4753
4754 random_scalar_order(&sc[0]);
4755 for (i = 0; i < 16; i++) {
4756 random_group_element_test(&ptg);
4757
4758 sc[2*i] = sc[0];
4759 sc[2*i+1] = sc[0];
4760 pt[2 * i] = ptg;
4761 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4762 }
4763
4764 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4765 CHECK(secp256k1_gej_is_infinity(&r));
4766 }
4767
4768 random_group_element_test(&ptg);
4769 secp256k1_scalar_set_int(&sc[0], 0);
4770 pt[0] = ptg;
4771 for (i = 1; i < 32; i++) {
4772 pt[i] = ptg;
4773
4774 random_scalar_order(&sc[i]);
4775 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4776 secp256k1_scalar_negate(&sc[i], &sc[i]);
4777 }
4778
4779 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4780 CHECK(secp256k1_gej_is_infinity(&r));
4781 }
4782
4783 /* Check random points, constant scalar */
4784 for (ncount = 0; ncount < COUNT; ncount++) {
4785 size_t i;
4786 secp256k1_gej_set_infinity(&r);
4787
4788 random_scalar_order(&sc[0]);
4789 for (i = 0; i < 20; i++) {
4790 secp256k1_ge ptg;
4791 sc[i] = sc[0];
4792 random_group_element_test(&ptg);
4793 pt[i] = ptg;
4794 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4795 }
4796
4797 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4798 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4799 CHECK(secp256k1_gej_eq_var(&r, &r2));
4800 }
4801
4802 /* Check random scalars, constant point */
4803 for (ncount = 0; ncount < COUNT; ncount++) {
4804 size_t i;
4805 secp256k1_ge ptg;
4806 secp256k1_gej p0j;
4807 secp256k1_scalar rs;
4808 secp256k1_scalar_set_int(&rs, 0);
4809
4810 random_group_element_test(&ptg);
4811 for (i = 0; i < 20; i++) {
4812 random_scalar_order(&sc[i]);
4813 pt[i] = ptg;
4814 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4815 }
4816
4817 secp256k1_gej_set_ge(&p0j, &pt[0]);
4818 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4819 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4820 CHECK(secp256k1_gej_eq_var(&r, &r2));
4821 }
4822
4823 /* Sanity check that zero scalars don't cause problems */
4824 for (ncount = 0; ncount < 20; ncount++) {
4825 random_scalar_order(&sc[ncount]);
4826 random_group_element_test(&pt[ncount]);
4827 }
4828 secp256k1_scalar_clear(&sc[0]);
4829 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4830 secp256k1_scalar_clear(&sc[1]);
4831 secp256k1_scalar_clear(&sc[2]);
4832 secp256k1_scalar_clear(&sc[3]);
4833 secp256k1_scalar_clear(&sc[4]);
4834 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4835 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4836 CHECK(secp256k1_gej_is_infinity(&r));
4837
4838 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4839 {
4840 const size_t TOP = 8;
4841 size_t s0i, s1i;
4842 size_t t0i, t1i;
4843 secp256k1_ge ptg;
4844 secp256k1_gej ptgj;
4845
4846 random_group_element_test(&ptg);
4847 secp256k1_gej_set_ge(&ptgj, &ptg);
4848
4849 for(t0i = 0; t0i < TOP; t0i++) {
4850 for(t1i = 0; t1i < TOP; t1i++) {
4851 secp256k1_gej t0p, t1p;
4852 secp256k1_scalar t0, t1;
4853
4854 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4855 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4856 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4857 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4858
4859 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4860 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4861
4862 for(s0i = 0; s0i < TOP; s0i++) {
4863 for(s1i = 0; s1i < TOP; s1i++) {
4864 secp256k1_scalar tmp1, tmp2;
4865 secp256k1_gej expected, actual;
4866
4867 secp256k1_ge_set_gej(&pt[0], &t0p);
4868 secp256k1_ge_set_gej(&pt[1], &t1p);
4869
4870 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4871 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4872 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4873 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4874
4875 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4876 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4877 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4878
4879 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4880 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4881 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4882 }
4883 }
4884 }
4885 }
4886 }
4887}
4888
4889static int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4890 /* Large random test for ecmult_multi_* functions which exercises:
4891 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4892 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4893 * - Including or excluding an nonzero a*G term (or such a term at all).
4894 * - Final expected result equal to infinity or not (roughly 50%).
4895 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4896 */
4897
4898 /* These 4 variables define the eventual input to the ecmult_multi function.
4899 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4900 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4901 * which form its normal inputs. */
4902 int filled = 0;
4903 secp256k1_scalar g_scalar = secp256k1_scalar_zero;
4904 secp256k1_scalar scalars[128];
4905 secp256k1_gej gejs[128];
4906 /* The expected result, and the computed result. */
4907 secp256k1_gej expected, computed;
4908 /* Temporaries. */
4909 secp256k1_scalar sc_tmp;
4910 secp256k1_ge ge_tmp;
4911 /* Variables needed for the actual input to ecmult_multi. */
4912 secp256k1_ge ges[128];
4913 ecmult_multi_data data;
4914
4915 int i;
4916 /* Which multiplication function to use */
4917 int fn = secp256k1_testrand_int(3);
4918 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4919 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4920 secp256k1_ecmult_pippenger_batch_single;
4921 /* Simulate exponentially distributed num. */
4922 int num_bits = 2 + secp256k1_testrand_int(6);
4923 /* Number of (scalar, point) inputs (excluding g). */
4924 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4925 /* Number of those which are nonzero. */
4926 int num_nonzero = secp256k1_testrand_int(num + 1);
4927 /* Whether we're aiming to create an input with nonzero expected result. */
4928 int nonzero_result = secp256k1_testrand_bits(1);
4929 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4930 * is forced here based on num_nonzero and nonzero_result. */
4931 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4932 num_nonzero == 1 && !nonzero_result ? 1 :
4933 (int)secp256k1_testrand_bits(1);
4934 /* Which g_scalar pointer to pass into ecmult_multi(). */
4935 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4936 /* How many EC multiplications were performed in this function. */
4937 int mults = 0;
4938 /* How many randomization steps to apply to the input list. */
4939 int rands = (int)secp256k1_testrand_bits(3);
4940 if (rands > num_nonzero) rands = num_nonzero;
4941
4942 secp256k1_gej_set_infinity(&expected);
4943 secp256k1_gej_set_infinity(&gejs[0]);
4944 secp256k1_scalar_set_int(&scalars[0], 0);
4945
4946 if (g_nonzero) {
4947 /* If g_nonzero, set g_scalar to nonzero value r. */
4948 random_scalar_order_test(&g_scalar);
4949 if (!nonzero_result) {
4950 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4951 CHECK(num_nonzero > filled);
4952 random_scalar_order_test(&sc_tmp);
4953 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4954 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4955 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4956 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4957 ++filled;
4958 ++mults;
4959 }
4960 }
4961
4962 if (nonzero_result && filled < num_nonzero) {
4963 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4964 random_scalar_order_test(&scalars[filled]);
4965 random_group_element_test(&ge_tmp);
4966 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4967 ++filled;
4968 }
4969
4970 if (nonzero_result) {
4971 /* Compute the expected result using normal ecmult. */
4972 CHECK(filled <= 1);
4973 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4974 mults += filled + g_nonzero;
4975 }
4976
4977 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4978 CHECK(filled <= 1 + !nonzero_result);
4979 CHECK(filled <= num_nonzero);
4980
4981 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4982 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4983 while (filled < num) {
4984 if (secp256k1_testrand_bits(1)) {
4985 secp256k1_gej_set_infinity(&gejs[filled]);
4986 random_scalar_order_test(&scalars[filled]);
4987 } else {
4988 secp256k1_scalar_set_int(&scalars[filled], 0);
4989 random_group_element_test(&ge_tmp);
4990 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4991 }
4992 ++filled;
4993 }
4994
4995 /* Now perform cheapish transformations on gejs and scalars, for indices
4996 * 0..num_nonzero-1, which do not change the expected result, but may
4997 * convert some of them to be both non-0-scalar and non-infinity-point. */
4998 for (i = 0; i < rands; ++i) {
4999 int j;
5000 secp256k1_scalar v, iv;
5001 /* Shuffle the entries. */
5002 for (j = 0; j < num_nonzero; ++j) {
5003 int k = secp256k1_testrand_int(num_nonzero - j);
5004 if (k != 0) {
5005 secp256k1_gej gej = gejs[j];
5006 secp256k1_scalar sc = scalars[j];
5007 gejs[j] = gejs[j + k];
5008 scalars[j] = scalars[j + k];
5009 gejs[j + k] = gej;
5010 scalars[j + k] = sc;
5011 }
5012 }
5013 /* Perturb all consecutive pairs of inputs:
5014 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5015 for (j = 0; j + 1 < num_nonzero; j += 2) {
5016 secp256k1_gej gej;
5017 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5018 secp256k1_gej_neg(&gej, &gejs[j]);
5019 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5020 }
5021 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5022 CHECK(num_nonzero >= 1);
5023 random_scalar_order_test(&v);
5024 secp256k1_scalar_inverse(&iv, &v);
5025 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5026 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5027 ++mults;
5028 }
5029
5030 /* Shuffle all entries (0..num-1). */
5031 for (i = 0; i < num; ++i) {
5032 int j = secp256k1_testrand_int(num - i);
5033 if (j != 0) {
5034 secp256k1_gej gej = gejs[i];
5035 secp256k1_scalar sc = scalars[i];
5036 gejs[i] = gejs[i + j];
5037 scalars[i] = scalars[i + j];
5038 gejs[i + j] = gej;
5039 scalars[i + j] = sc;
5040 }
5041 }
5042
5043 /* Compute affine versions of all inputs. */
5044 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5045 /* Invoke ecmult_multi code. */
5046 data.sc = scalars;
5047 data.pt = ges;
5048 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5049 mults += num_nonzero + g_nonzero;
5050 /* Compare with expected result. */
5051 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5052 return mults;
5053}
5054
5055static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
5056 secp256k1_scalar sc;
5057 secp256k1_ge pt;
5058 secp256k1_gej r;
5059 ecmult_multi_data data;
5060 secp256k1_scratch *scratch_empty;
5061
5062 random_group_element_test(&pt);
5063 random_scalar_order(&sc);
5064 data.sc = &sc;
5065 data.pt = &pt;
5066
5067 /* Try to multiply 1 point, but scratch space is empty.*/
5068 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5069 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5070 secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5071}
5072
5073static void test_secp256k1_pippenger_bucket_window_inv(void) {
5074 int i;
5075
5076 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
5077 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5078 /* Bucket_window of 8 is not used with endo */
5079 if (i == 8) {
5080 continue;
5081 }
5082 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
5083 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5084 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
5085 }
5086 }
5087}
5088
5093static void test_ecmult_multi_pippenger_max_points(void) {
5094 size_t scratch_size = secp256k1_testrand_bits(8);
5095 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
5096 secp256k1_scratch *scratch;
5097 size_t n_points_supported;
5098 int bucket_window = 0;
5099
5100 for(; scratch_size < max_size; scratch_size+=256) {
5101 size_t i;
5102 size_t total_alloc;
5103 size_t checkpoint;
5104 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5105 CHECK(scratch != NULL);
5106 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5107 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5108 if (n_points_supported == 0) {
5109 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5110 continue;
5111 }
5112 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5113 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5114 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5115 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5116 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1));
5117 total_alloc--;
5118 }
5119 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5120 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5121 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5122 }
5123 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5124}
5125
5126static void test_ecmult_multi_batch_size_helper(void) {
5127 size_t n_batches, n_batch_points, max_n_batch_points, n;
5128
5129 max_n_batch_points = 0;
5130 n = 1;
5131 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5132
5133 max_n_batch_points = 1;
5134 n = 0;
5135 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5136 CHECK(n_batches == 0);
5137 CHECK(n_batch_points == 0);
5138
5139 max_n_batch_points = 2;
5140 n = 5;
5141 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5142 CHECK(n_batches == 3);
5143 CHECK(n_batch_points == 2);
5144
5145 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5146 n = ECMULT_MAX_POINTS_PER_BATCH;
5147 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5148 CHECK(n_batches == 1);
5149 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5150
5151 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5152 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
5153 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5154 CHECK(n_batches == 2);
5155 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5156
5157 max_n_batch_points = 1;
5158 n = SIZE_MAX;
5159 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5160 CHECK(n_batches == SIZE_MAX);
5161 CHECK(n_batch_points == 1);
5162
5163 max_n_batch_points = 2;
5164 n = SIZE_MAX;
5165 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5166 CHECK(n_batches == SIZE_MAX/2 + 1);
5167 CHECK(n_batch_points == 2);
5168}
5169
5174static void test_ecmult_multi_batching(void) {
5175 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5176 secp256k1_scalar scG;
5177 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points);
5178 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5179 secp256k1_gej r;
5180 secp256k1_gej r2;
5181 ecmult_multi_data data;
5182 int i;
5183 secp256k1_scratch *scratch;
5184
5185 secp256k1_gej_set_infinity(&r2);
5186
5187 /* Get random scalars and group elements and compute result */
5188 random_scalar_order(&scG);
5189 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5190 for(i = 0; i < n_points; i++) {
5191 secp256k1_ge ptg;
5192 secp256k1_gej ptgj;
5193 random_group_element_test(&ptg);
5194 secp256k1_gej_set_ge(&ptgj, &ptg);
5195 pt[i] = ptg;
5196 random_scalar_order(&sc[i]);
5197 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5198 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5199 }
5200 data.sc = sc;
5201 data.pt = pt;
5202 secp256k1_gej_neg(&r2, &r2);
5203
5204 /* Test with empty scratch space. It should compute the correct result using
5205 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5206 scratch = secp256k1_scratch_create(&CTX->error_callback, 0);
5207 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5208 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5209 CHECK(secp256k1_gej_is_infinity(&r));
5210 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5211
5212 /* Test with space for 1 point in pippenger. That's not enough because
5213 * ecmult_multi selects strauss which requires more memory. It should
5214 * therefore select the simple algorithm. */
5215 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5216 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5217 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5218 CHECK(secp256k1_gej_is_infinity(&r));
5219 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5220
5221 for(i = 1; i <= n_points; i++) {
5222 if (i > ECMULT_PIPPENGER_THRESHOLD) {
5223 int bucket_window = secp256k1_pippenger_bucket_window(i);
5224 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5225 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5226 } else {
5227 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5228 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5229 }
5230 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5231 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5232 CHECK(secp256k1_gej_is_infinity(&r));
5233 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5234 }
5235 free(sc);
5236 free(pt);
5237}
5238
5239static void run_ecmult_multi_tests(void) {
5240 secp256k1_scratch *scratch;
5241 int64_t todo = (int64_t)320 * COUNT;
5242
5243 test_secp256k1_pippenger_bucket_window_inv();
5244 test_ecmult_multi_pippenger_max_points();
5245 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5246 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5247 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
5248 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
5249 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
5250 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
5251 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
5252 while (todo > 0) {
5253 todo -= test_ecmult_multi_random(scratch);
5254 }
5255 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5256
5257 /* Run test_ecmult_multi with space for exactly one point */
5258 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5259 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5260 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5261
5262 test_ecmult_multi_batch_size_helper();
5263 test_ecmult_multi_batching();
5264}
5265
5266static void test_wnaf(const secp256k1_scalar *number, int w) {
5267 secp256k1_scalar x, two, t;
5268 int wnaf[256];
5269 int zeroes = -1;
5270 int i;
5271 int bits;
5272 secp256k1_scalar_set_int(&x, 0);
5273 secp256k1_scalar_set_int(&two, 2);
5274 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5275 CHECK(bits <= 256);
5276 for (i = bits-1; i >= 0; i--) {
5277 int v = wnaf[i];
5278 secp256k1_scalar_mul(&x, &x, &two);
5279 if (v) {
5280 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5281 zeroes=0;
5282 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5283 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5284 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5285 } else {
5286 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5287 zeroes++;
5288 }
5289 if (v >= 0) {
5290 secp256k1_scalar_set_int(&t, v);
5291 } else {
5292 secp256k1_scalar_set_int(&t, -v);
5293 secp256k1_scalar_negate(&t, &t);
5294 }
5295 secp256k1_scalar_add(&x, &x, &t);
5296 }
5297 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5298}
5299
5300static void test_constant_wnaf_negate(const secp256k1_scalar *number) {
5301 secp256k1_scalar neg1 = *number;
5302 secp256k1_scalar neg2 = *number;
5303 int sign1 = 1;
5304 int sign2 = 1;
5305
5306 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
5307 secp256k1_scalar_negate(&neg1, &neg1);
5308 sign1 = -1;
5309 }
5310 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
5311 CHECK(sign1 == sign2);
5312 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
5313}
5314
5315static void test_constant_wnaf(const secp256k1_scalar *number, int w) {
5316 secp256k1_scalar x, shift;
5317 int wnaf[256] = {0};
5318 int i;
5319 int skew;
5320 int bits = 256;
5321 secp256k1_scalar num = *number;
5322 secp256k1_scalar scalar_skew;
5323
5324 secp256k1_scalar_set_int(&x, 0);
5325 secp256k1_scalar_set_int(&shift, 1 << w);
5326 for (i = 0; i < 16; ++i) {
5327 secp256k1_scalar_shr_int(&num, 8);
5328 }
5329 bits = 128;
5330 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
5331
5332 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
5333 secp256k1_scalar t;
5334 int v = wnaf[i];
5335 CHECK(v != 0); /* check nonzero */
5336 CHECK(v & 1); /* check parity */
5337 CHECK(v > -(1 << w)); /* check range above */
5338 CHECK(v < (1 << w)); /* check range below */
5339
5340 secp256k1_scalar_mul(&x, &x, &shift);
5341 if (v >= 0) {
5342 secp256k1_scalar_set_int(&t, v);
5343 } else {
5344 secp256k1_scalar_set_int(&t, -v);
5345 secp256k1_scalar_negate(&t, &t);
5346 }
5347 secp256k1_scalar_add(&x, &x, &t);
5348 }
5349 /* Skew num because when encoding numbers as odd we use an offset */
5350 secp256k1_scalar_set_int(&scalar_skew, skew);
5351 secp256k1_scalar_add(&num, &num, &scalar_skew);
5352 CHECK(secp256k1_scalar_eq(&x, &num));
5353}
5354
5355static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5356 secp256k1_scalar x, shift;
5357 int wnaf[256] = {0};
5358 int i;
5359 int skew;
5360 secp256k1_scalar num = *number;
5361
5362 secp256k1_scalar_set_int(&x, 0);
5363 secp256k1_scalar_set_int(&shift, 1 << w);
5364 for (i = 0; i < 16; ++i) {
5365 secp256k1_scalar_shr_int(&num, 8);
5366 }
5367 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5368
5369 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5370 secp256k1_scalar t;
5371 int v = wnaf[i];
5372 CHECK(v == 0 || v & 1); /* check parity */
5373 CHECK(v > -(1 << w)); /* check range above */
5374 CHECK(v < (1 << w)); /* check range below */
5375
5376 secp256k1_scalar_mul(&x, &x, &shift);
5377 if (v >= 0) {
5378 secp256k1_scalar_set_int(&t, v);
5379 } else {
5380 secp256k1_scalar_set_int(&t, -v);
5381 secp256k1_scalar_negate(&t, &t);
5382 }
5383 secp256k1_scalar_add(&x, &x, &t);
5384 }
5385 /* If skew is 1 then add 1 to num */
5386 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5387 CHECK(secp256k1_scalar_eq(&x, &num));
5388}
5389
5390/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5391 * rest is 0.*/
5392static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5393 int i;
5394 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5395 CHECK(wnaf[i] == 0);
5396 }
5397 for (i = 7; i >= 0; --i) {
5398 CHECK(wnaf[i] == wnaf_expected[i]);
5399 }
5400}
5401
5402static void test_fixed_wnaf_small(void) {
5403 int w = 4;
5404 int wnaf[256] = {0};
5405 int i;
5406 int skew;
5407 secp256k1_scalar num;
5408
5409 secp256k1_scalar_set_int(&num, 0);
5410 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5411 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5412 int v = wnaf[i];
5413 CHECK(v == 0);
5414 }
5415 CHECK(skew == 0);
5416
5417 secp256k1_scalar_set_int(&num, 1);
5418 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5419 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5420 int v = wnaf[i];
5421 CHECK(v == 0);
5422 }
5423 CHECK(wnaf[0] == 1);
5424 CHECK(skew == 0);
5425
5426 {
5427 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5428 secp256k1_scalar_set_int(&num, 0xffffffff);
5429 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5430 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5431 CHECK(skew == 0);
5432 }
5433 {
5434 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5435 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5436 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5437 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5438 CHECK(skew == 1);
5439 }
5440 {
5441 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5442 secp256k1_scalar_set_int(&num, 0x01010101);
5443 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5444 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5445 CHECK(skew == 0);
5446 }
5447 {
5448 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5449 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5450 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5451 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5452 CHECK(skew == 0);
5453 }
5454}
5455
5456static void run_wnaf(void) {
5457 int i;
5458 secp256k1_scalar n = {{0}};
5459
5460 test_constant_wnaf(&n, 4);
5461 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
5462 * have easier-to-diagnose failure modes */
5463 n.d[0] = 1;
5464 test_constant_wnaf(&n, 4);
5465 n.d[0] = 2;
5466 test_constant_wnaf(&n, 4);
5467 /* Test -1, because it's a special case in wnaf_const */
5468 n = secp256k1_scalar_one;
5469 secp256k1_scalar_negate(&n, &n);
5470 test_constant_wnaf(&n, 4);
5471
5472 /* Test -2, which may not lead to overflows in wnaf_const */
5473 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
5474 secp256k1_scalar_negate(&n, &n);
5475 test_constant_wnaf(&n, 4);
5476
5477 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
5478 as corner cases of negation handling in wnaf_const */
5479 secp256k1_scalar_inverse(&n, &n);
5480 test_constant_wnaf(&n, 4);
5481
5482 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
5483 test_constant_wnaf(&n, 4);
5484
5485 /* Test 0 for fixed wnaf */
5486 test_fixed_wnaf_small();
5487 /* Random tests */
5488 for (i = 0; i < COUNT; i++) {
5489 random_scalar_order(&n);
5490 test_wnaf(&n, 4+(i%10));
5491 test_constant_wnaf_negate(&n);
5492 test_constant_wnaf(&n, 4 + (i % 10));
5493 test_fixed_wnaf(&n, 4 + (i % 10));
5494 }
5495 secp256k1_scalar_set_int(&n, 0);
5496 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5497 CHECK(secp256k1_scalar_is_zero(&n));
5498 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5499 CHECK(secp256k1_scalar_is_zero(&n));
5500}
5501
5502static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5503 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5504 *sc = *indata;
5505 *pt = secp256k1_ge_const_g;
5506 CHECK(idx == 0);
5507 return 1;
5508}
5509
5510static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5511 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5512 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5513 secp256k1_ge r;
5514 unsigned char bytes[65];
5515 size_t size = 65;
5516 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5517 secp256k1_gej_set_infinity(&infj);
5518 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x);
5519 secp256k1_ecmult(&rj2, &gj, x, &secp256k1_scalar_zero);
5520 secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5521 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5522 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1);
5523 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x);
5524 secp256k1_ge_set_gej_var(&r, &rj1);
5525 ge_equals_gej(&r, &rj2);
5526 ge_equals_gej(&r, &rj3);
5527 ge_equals_gej(&r, &rj4);
5528 ge_equals_gej(&r, &rj5);
5529 ge_equals_gej(&r, &rj6);
5530 if (secp256k1_ge_is_infinity(&r)) {
5531 /* Store infinity as 0x00 */
5532 const unsigned char zerobyte[1] = {0};
5533 secp256k1_sha256_write(acc, zerobyte, 1);
5534 } else {
5535 /* Store other points using their uncompressed serialization. */
5536 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5537 CHECK(size == 65);
5538 secp256k1_sha256_write(acc, bytes, size);
5539 }
5540}
5541
5542static void test_ecmult_constants_2bit(void) {
5543 /* Using test_ecmult_accumulate, test ecmult for:
5544 * - For i in 0..36:
5545 * - Key i
5546 * - Key -i
5547 * - For i in 0..255:
5548 * - For j in 1..255 (only odd values):
5549 * - Key (j*2^i) mod order
5550 */
5551 secp256k1_scalar x;
5552 secp256k1_sha256 acc;
5553 unsigned char b32[32];
5554 int i, j;
5555 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5556
5557 /* Expected hash of all the computed points; created with an independent
5558 * implementation. */
5559 static const unsigned char expected32[32] = {
5560 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5561 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5562 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5563 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5564 };
5565 secp256k1_sha256_initialize(&acc);
5566 for (i = 0; i <= 36; ++i) {
5567 secp256k1_scalar_set_int(&x, i);
5568 test_ecmult_accumulate(&acc, &x, scratch);
5569 secp256k1_scalar_negate(&x, &x);
5570 test_ecmult_accumulate(&acc, &x, scratch);
5571 };
5572 for (i = 0; i < 256; ++i) {
5573 for (j = 1; j < 256; j += 2) {
5574 int k;
5575 secp256k1_scalar_set_int(&x, j);
5576 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5577 test_ecmult_accumulate(&acc, &x, scratch);
5578 }
5579 }
5580 secp256k1_sha256_finalize(&acc, b32);
5581 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5582
5583 secp256k1_scratch_space_destroy(CTX, scratch);
5584}
5585
5586static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5587 /* Using test_ecmult_accumulate, test ecmult for:
5588 * - Key 0
5589 * - Key 1
5590 * - Key -1
5591 * - For i in range(iter):
5592 * - Key SHA256(LE32(prefix) || LE16(i))
5593 */
5594 secp256k1_scalar x;
5595 secp256k1_sha256 acc;
5596 unsigned char b32[32];
5597 unsigned char inp[6];
5598 size_t i;
5599 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5600
5601 inp[0] = prefix & 0xFF;
5602 inp[1] = (prefix >> 8) & 0xFF;
5603 inp[2] = (prefix >> 16) & 0xFF;
5604 inp[3] = (prefix >> 24) & 0xFF;
5605 secp256k1_sha256_initialize(&acc);
5606 secp256k1_scalar_set_int(&x, 0);
5607 test_ecmult_accumulate(&acc, &x, scratch);
5608 secp256k1_scalar_set_int(&x, 1);
5609 test_ecmult_accumulate(&acc, &x, scratch);
5610 secp256k1_scalar_negate(&x, &x);
5611 test_ecmult_accumulate(&acc, &x, scratch);
5612
5613 for (i = 0; i < iter; ++i) {
5614 secp256k1_sha256 gen;
5615 inp[4] = i & 0xff;
5616 inp[5] = (i >> 8) & 0xff;
5617 secp256k1_sha256_initialize(&gen);
5618 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5619 secp256k1_sha256_finalize(&gen, b32);
5620 secp256k1_scalar_set_b32(&x, b32, NULL);
5621 test_ecmult_accumulate(&acc, &x, scratch);
5622 }
5623 secp256k1_sha256_finalize(&acc, b32);
5624 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5625
5626 secp256k1_scratch_space_destroy(CTX, scratch);
5627}
5628
5629static void run_ecmult_constants(void) {
5630 /* Expected hashes of all points in the tests below. Computed using an
5631 * independent implementation. */
5632 static const unsigned char expected32_6bit20[32] = {
5633 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5634 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5635 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5636 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5637 };
5638 static const unsigned char expected32_8bit8[32] = {
5639 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5640 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5641 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5642 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5643 };
5644 /* For every combination of 6 bit positions out of 256, restricted to
5645 * 20-bit windows (i.e., the first and last bit position are no more than
5646 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5647 * this test. */
5648 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5649 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5650 }
5651
5652 /* For every combination of 8 consecutive bit positions, all 256 bit
5653 * patterns occur in the input scalars used in this test. */
5654 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5655 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5656 }
5657
5658 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5659 test_ecmult_constants_2bit();
5660 }
5661}
5662
5663static void test_ecmult_gen_blind(void) {
5664 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5665 secp256k1_scalar key;
5666 secp256k1_scalar b;
5667 unsigned char seed32[32];
5668 secp256k1_gej pgej;
5669 secp256k1_gej pgej2;
5670 secp256k1_gej i;
5671 secp256k1_ge pge;
5672 random_scalar_order_test(&key);
5673 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5674 secp256k1_testrand256(seed32);
5675 b = CTX->ecmult_gen_ctx.blind;
5676 i = CTX->ecmult_gen_ctx.initial;
5677 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32);
5678 CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5679 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5680 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5681 CHECK(!gej_xyz_equals_gej(&i, &CTX->ecmult_gen_ctx.initial));
5682 secp256k1_ge_set_gej(&pge, &pgej);
5683 ge_equals_gej(&pge, &pgej2);
5684}
5685
5686static void test_ecmult_gen_blind_reset(void) {
5687 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5688 secp256k1_scalar b;
5689 secp256k1_gej initial;
5690 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5691 b = CTX->ecmult_gen_ctx.blind;
5692 initial = CTX->ecmult_gen_ctx.initial;
5693 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5694 CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5695 CHECK(gej_xyz_equals_gej(&initial, &CTX->ecmult_gen_ctx.initial));
5696}
5697
5698static void run_ecmult_gen_blind(void) {
5699 int i;
5700 test_ecmult_gen_blind_reset();
5701 for (i = 0; i < 10; i++) {
5702 test_ecmult_gen_blind();
5703 }
5704}
5705
5706/***** ENDOMORPHISH TESTS *****/
5707static void test_scalar_split(const secp256k1_scalar* full) {
5708 secp256k1_scalar s, s1, slam;
5709 const unsigned char zero[32] = {0};
5710 unsigned char tmp[32];
5711
5712 secp256k1_scalar_split_lambda(&s1, &slam, full);
5713
5714 /* check slam*lambda + s1 == full */
5715 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5716 secp256k1_scalar_add(&s, &s, &s1);
5717 CHECK(secp256k1_scalar_eq(&s, full));
5718
5719 /* check that both are <= 128 bits in size */
5720 if (secp256k1_scalar_is_high(&s1)) {
5721 secp256k1_scalar_negate(&s1, &s1);
5722 }
5723 if (secp256k1_scalar_is_high(&slam)) {
5724 secp256k1_scalar_negate(&slam, &slam);
5725 }
5726
5727 secp256k1_scalar_get_b32(tmp, &s1);
5728 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5729 secp256k1_scalar_get_b32(tmp, &slam);
5730 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5731}
5732
5733
5734static void run_endomorphism_tests(void) {
5735 unsigned i;
5736 static secp256k1_scalar s;
5737 test_scalar_split(&secp256k1_scalar_zero);
5738 test_scalar_split(&secp256k1_scalar_one);
5739 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5740 test_scalar_split(&s);
5741 test_scalar_split(&secp256k1_const_lambda);
5742 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5743 test_scalar_split(&s);
5744
5745 for (i = 0; i < 100U * COUNT; ++i) {
5746 secp256k1_scalar full;
5747 random_scalar_order_test(&full);
5748 test_scalar_split(&full);
5749 }
5750 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5751 test_scalar_split(&scalars_near_split_bounds[i]);
5752 }
5753}
5754
5755static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5756 unsigned char pubkeyc[65];
5757 secp256k1_pubkey pubkey;
5758 secp256k1_ge ge;
5759 size_t pubkeyclen;
5760 int32_t ecount;
5761 ecount = 0;
5762 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
5763 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5764 /* Smaller sizes are tested exhaustively elsewhere. */
5765 int32_t i;
5766 memcpy(&pubkeyc[1], input, 64);
5767 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5768 for (i = 0; i < 256; i++) {
5769 /* Try all type bytes. */
5770 int xpass;
5771 int ypass;
5772 int ysign;
5773 pubkeyc[0] = i;
5774 /* What sign does this point have? */
5775 ysign = (input[63] & 1) + 2;
5776 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5777 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5778 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5779 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5780 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5781 if (xpass || ypass) {
5782 /* These cases must parse. */
5783 unsigned char pubkeyo[65];
5784 size_t outl;
5785 memset(&pubkey, 0, sizeof(pubkey));
5786 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5787 ecount = 0;
5788 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5789 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5790 outl = 65;
5791 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5792 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5793 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5794 CHECK(outl == 33);
5795 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5796 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5797 if (ypass) {
5798 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5799 CHECK(pubkeyo[0] == ysign);
5800 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5801 memset(&pubkey, 0, sizeof(pubkey));
5802 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5803 secp256k1_pubkey_save(&pubkey, &ge);
5804 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5805 outl = 65;
5806 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5807 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5808 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5809 CHECK(outl == 65);
5810 CHECK(pubkeyo[0] == 4);
5811 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5812 }
5813 CHECK(ecount == 0);
5814 } else {
5815 /* These cases must fail to parse. */
5816 memset(&pubkey, 0xfe, sizeof(pubkey));
5817 ecount = 0;
5818 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5819 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5820 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5821 CHECK(ecount == 0);
5822 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
5823 CHECK(ecount == 1);
5824 }
5825 }
5826 }
5827 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
5828}
5829
5830static void run_ec_pubkey_parse_test(void) {
5831#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5832 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5833 {
5834 /* Point with leading and trailing zeros in x and y serialization. */
5835 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5836 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5837 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5838 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5839 },
5840 {
5841 /* Point with x equal to a 3rd root of unity.*/
5842 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5843 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5844 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5845 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5846 },
5847 {
5848 /* Point with largest x. (1/2) */
5849 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5850 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5851 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5852 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5853 },
5854 {
5855 /* Point with largest x. (2/2) */
5856 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5857 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5858 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5859 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5860 },
5861 {
5862 /* Point with smallest x. (1/2) */
5863 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5864 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5865 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5866 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5867 },
5868 {
5869 /* Point with smallest x. (2/2) */
5870 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5872 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5873 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5874 },
5875 {
5876 /* Point with largest y. (1/3) */
5877 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5878 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5879 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5880 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5881 },
5882 {
5883 /* Point with largest y. (2/3) */
5884 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5885 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5886 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5887 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5888 },
5889 {
5890 /* Point with largest y. (3/3) */
5891 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5892 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5893 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5894 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5895 },
5896 {
5897 /* Point with smallest y. (1/3) */
5898 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5899 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5902 },
5903 {
5904 /* Point with smallest y. (2/3) */
5905 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5906 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5907 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5908 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5909 },
5910 {
5911 /* Point with smallest y. (3/3) */
5912 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5913 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5916 }
5917 };
5918#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5919 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5920 {
5921 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5922 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5923 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5924 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5925 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5926 },
5927 {
5928 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5929 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5930 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5931 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5932 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5933 },
5934 {
5935 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5936 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5937 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5938 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5939 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5940 },
5941 {
5942 /* x on curve, y is from y^2 = x^3 + 8. */
5943 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5944 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5945 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5946 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5947 }
5948 };
5949#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5950 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5951 {
5952 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5953 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5954 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5957 },
5958 {
5959 /* Valid if x overflow ignored (x = 1 mod p). */
5960 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5961 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5962 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5963 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5964 },
5965 {
5966 /* Valid if x overflow ignored (x = 1 mod p). */
5967 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5968 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5969 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5970 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5971 },
5972 {
5973 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5974 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5975 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5976 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5977 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5978 },
5979 {
5980 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5981 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5982 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5983 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5984 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5985 },
5986 {
5987 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5989 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5990 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5991 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5992 },
5993 {
5994 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5995 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5997 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5998 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5999 }
6000 };
6001 const unsigned char pubkeyc[66] = {
6002 /* Serialization of G. */
6003 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
6004 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
6005 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
6006 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
6007 0xB8, 0x00
6008 };
6009 unsigned char sout[65];
6010 unsigned char shortkey[2];
6011 secp256k1_ge ge;
6012 secp256k1_pubkey pubkey;
6013 size_t len;
6014 int32_t i;
6015 int32_t ecount;
6016 int32_t ecount2;
6017 ecount = 0;
6018 /* Nothing should be reading this far into pubkeyc. */
6019 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
6020 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6021 /* Zero length claimed, fail, zeroize, no illegal arg error. */
6022 memset(&pubkey, 0xfe, sizeof(pubkey));
6023 ecount = 0;
6024 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
6025 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6026 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
6027 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6028 CHECK(ecount == 0);
6029 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6030 CHECK(ecount == 1);
6031 /* Length one claimed, fail, zeroize, no illegal arg error. */
6032 for (i = 0; i < 256 ; i++) {
6033 memset(&pubkey, 0xfe, sizeof(pubkey));
6034 ecount = 0;
6035 shortkey[0] = i;
6036 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
6037 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6038 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
6039 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6040 CHECK(ecount == 0);
6041 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6042 CHECK(ecount == 1);
6043 }
6044 /* Length two claimed, fail, zeroize, no illegal arg error. */
6045 for (i = 0; i < 65536 ; i++) {
6046 memset(&pubkey, 0xfe, sizeof(pubkey));
6047 ecount = 0;
6048 shortkey[0] = i & 255;
6049 shortkey[1] = i >> 8;
6050 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6051 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
6052 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6053 CHECK(ecount == 0);
6054 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6055 CHECK(ecount == 1);
6056 }
6057 memset(&pubkey, 0xfe, sizeof(pubkey));
6058 ecount = 0;
6059 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6060 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
6061 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
6062 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6063 CHECK(ecount == 0);
6064 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6065 CHECK(ecount == 1);
6066 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
6067 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65) == 0);
6068 CHECK(ecount == 2);
6069 /* NULL input string. Illegal arg and zeroize output. */
6070 memset(&pubkey, 0xfe, sizeof(pubkey));
6071 ecount = 0;
6072 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6073 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65) == 0);
6074 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6075 CHECK(ecount == 1);
6076 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6077 CHECK(ecount == 2);
6078 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
6079 memset(&pubkey, 0xfe, sizeof(pubkey));
6080 ecount = 0;
6081 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6082 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
6083 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6084 CHECK(ecount == 0);
6085 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6086 CHECK(ecount == 1);
6087 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6088 memset(&pubkey, 0xfe, sizeof(pubkey));
6089 ecount = 0;
6090 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6091 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6092 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6093 CHECK(ecount == 0);
6094 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6095 CHECK(ecount == 1);
6096 /* Valid parse. */
6097 memset(&pubkey, 0, sizeof(pubkey));
6098 ecount = 0;
6099 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6100 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6101 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6102 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6103 CHECK(ecount == 0);
6104 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6105 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6106 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6107 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6108 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
6109 ge_equals_ge(&secp256k1_ge_const_g, &ge);
6110 CHECK(ecount == 0);
6111 /* secp256k1_ec_pubkey_serialize illegal args. */
6112 ecount = 0;
6113 len = 65;
6114 CHECK(secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
6115 CHECK(ecount == 1);
6116 CHECK(len == 0);
6117 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
6118 CHECK(ecount == 2);
6119 len = 65;
6120 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6121 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
6122 SECP256K1_CHECKMEM_CHECK(sout, 65);
6123 CHECK(ecount == 3);
6124 CHECK(len == 0);
6125 len = 65;
6126 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0) == 0);
6127 CHECK(ecount == 4);
6128 CHECK(len == 0);
6129 len = 65;
6130 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6131 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
6132 SECP256K1_CHECKMEM_CHECK(sout, 65);
6133 CHECK(ecount == 4);
6134 CHECK(len == 65);
6135 /* Multiple illegal args. Should still set arg error only once. */
6136 ecount = 0;
6137 ecount2 = 11;
6138 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6139 CHECK(ecount == 1);
6140 /* Does the illegal arg callback actually change the behavior? */
6141 secp256k1_context_set_illegal_callback(CTX, uncounting_illegal_callback_fn, &ecount2);
6142 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6143 CHECK(ecount == 1);
6144 CHECK(ecount2 == 10);
6145 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6146 /* Try a bunch of prefabbed points with all possible encodings. */
6147 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6148 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6149 }
6150 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6151 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6152 }
6153 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6154 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6155 }
6156}
6157
6158static void run_eckey_edge_case_test(void) {
6159 const unsigned char orderc[32] = {
6160 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6161 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6162 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6163 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6164 };
6165 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6166 unsigned char ctmp[33];
6167 unsigned char ctmp2[33];
6168 secp256k1_pubkey pubkey;
6169 secp256k1_pubkey pubkey2;
6170 secp256k1_pubkey pubkey_one;
6171 secp256k1_pubkey pubkey_negone;
6172 const secp256k1_pubkey *pubkeys[3];
6173 size_t len;
6174 int32_t ecount;
6175 /* Group order is too large, reject. */
6176 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6177 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6178 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6179 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6180 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6181 /* Maximum value is too large, reject. */
6182 memset(ctmp, 255, 32);
6183 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6184 memset(&pubkey, 1, sizeof(pubkey));
6185 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6186 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6187 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6188 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6189 /* Zero is too small, reject. */
6190 memset(ctmp, 0, 32);
6191 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6192 memset(&pubkey, 1, sizeof(pubkey));
6193 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6194 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6195 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6196 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6197 /* One must be accepted. */
6198 ctmp[31] = 0x01;
6199 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6200 memset(&pubkey, 0, sizeof(pubkey));
6201 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6202 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6203 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6204 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6205 pubkey_one = pubkey;
6206 /* Group order + 1 is too large, reject. */
6207 memcpy(ctmp, orderc, 32);
6208 ctmp[31] = 0x42;
6209 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6210 memset(&pubkey, 1, sizeof(pubkey));
6211 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6212 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6213 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6214 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6215 /* -1 must be accepted. */
6216 ctmp[31] = 0x40;
6217 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6218 memset(&pubkey, 0, sizeof(pubkey));
6219 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6220 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6221 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6222 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6223 pubkey_negone = pubkey;
6224 /* Tweak of zero leaves the value unchanged. */
6225 memset(ctmp2, 0, 32);
6226 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6227 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6228 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6229 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6230 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6231 /* Multiply tweak of zero zeroizes the output. */
6232 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6233 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6234 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6235 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6236 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6237 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6238 seckey, the seckey is zeroized. */
6239 memcpy(ctmp, orderc, 32);
6240 memset(ctmp2, 0, 32);
6241 ctmp2[31] = 0x01;
6242 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6243 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6244 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6245 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6246 memcpy(ctmp, orderc, 32);
6247 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6248 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6249 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6250 tweak, the seckey is zeroized. */
6251 memcpy(ctmp, orderc, 32);
6252 ctmp[31] = 0x40;
6253 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6254 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6255 memcpy(ctmp, orderc, 32);
6256 ctmp[31] = 0x40;
6257 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6258 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6259 memcpy(ctmp, orderc, 32);
6260 ctmp[31] = 0x40;
6261 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6262 tweak, the pubkey is zeroized. */
6263 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6264 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6265 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6266 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6267 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6268 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6269 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6270 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6271 * case the pubkey is zeroized. */
6272 memcpy(ctmp, orderc, 32);
6273 ctmp[31] = 0x40;
6274 memset(ctmp2, 0, 32);
6275 ctmp2[31] = 1;
6276 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6277 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6278 ctmp2[31] = 1;
6279 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6280 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6281 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6282 /* Tweak computation wraps and results in a key of 1. */
6283 ctmp2[31] = 2;
6284 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6285 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6286 ctmp2[31] = 2;
6287 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6288 ctmp2[31] = 1;
6289 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6290 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6291 /* Tweak mul * 2 = 1+1. */
6292 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6293 ctmp2[31] = 2;
6294 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6295 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6296 /* Test argument errors. */
6297 ecount = 0;
6298 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6299 CHECK(ecount == 0);
6300 /* Zeroize pubkey on parse error. */
6301 memset(&pubkey, 0, 32);
6302 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6303 CHECK(ecount == 1);
6304 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6305 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6306 memset(&pubkey2, 0, 32);
6307 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 0);
6308 CHECK(ecount == 2);
6309 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6310 /* Plain argument errors. */
6311 ecount = 0;
6312 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6313 CHECK(ecount == 0);
6314 CHECK(secp256k1_ec_seckey_verify(CTX, NULL) == 0);
6315 CHECK(ecount == 1);
6316 ecount = 0;
6317 memset(ctmp2, 0, 32);
6318 ctmp2[31] = 4;
6319 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2) == 0);
6320 CHECK(ecount == 1);
6321 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL) == 0);
6322 CHECK(ecount == 2);
6323 ecount = 0;
6324 memset(ctmp2, 0, 32);
6325 ctmp2[31] = 4;
6326 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2) == 0);
6327 CHECK(ecount == 1);
6328 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL) == 0);
6329 CHECK(ecount == 2);
6330 ecount = 0;
6331 memset(ctmp2, 0, 32);
6332 CHECK(secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2) == 0);
6333 CHECK(ecount == 1);
6334 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL) == 0);
6335 CHECK(ecount == 2);
6336 ecount = 0;
6337 memset(ctmp2, 0, 32);
6338 ctmp2[31] = 1;
6339 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2) == 0);
6340 CHECK(ecount == 1);
6341 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL) == 0);
6342 CHECK(ecount == 2);
6343 ecount = 0;
6344 CHECK(secp256k1_ec_pubkey_create(CTX, NULL, ctmp) == 0);
6345 CHECK(ecount == 1);
6346 memset(&pubkey, 1, sizeof(pubkey));
6347 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
6348 CHECK(ecount == 2);
6349 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6350 /* secp256k1_ec_pubkey_combine tests. */
6351 ecount = 0;
6352 pubkeys[0] = &pubkey_one;
6353 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6354 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6355 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6356 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6357 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6358 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0) == 0);
6359 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6360 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6361 CHECK(ecount == 1);
6362 CHECK(secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1) == 0);
6363 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6364 CHECK(ecount == 2);
6365 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6366 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6367 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1) == 0);
6368 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6369 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6370 CHECK(ecount == 3);
6371 pubkeys[0] = &pubkey_negone;
6372 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6373 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6374 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6375 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6376 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6377 CHECK(ecount == 3);
6378 len = 33;
6379 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6380 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6381 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6382 /* Result is infinity. */
6383 pubkeys[0] = &pubkey_one;
6384 pubkeys[1] = &pubkey_negone;
6385 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6386 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6387 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6388 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6389 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6390 CHECK(ecount == 3);
6391 /* Passes through infinity but comes out one. */
6392 pubkeys[2] = &pubkey_one;
6393 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6394 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6395 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6396 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6397 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6398 CHECK(ecount == 3);
6399 len = 33;
6400 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6401 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6402 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6403 /* Adds to two. */
6404 pubkeys[1] = &pubkey_one;
6405 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6406 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6407 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6408 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6409 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6410 CHECK(ecount == 3);
6411 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6412}
6413
6414static void run_eckey_negate_test(void) {
6415 unsigned char seckey[32];
6416 unsigned char seckey_tmp[32];
6417
6418 random_scalar_order_b32(seckey);
6419 memcpy(seckey_tmp, seckey, 32);
6420
6421 /* Verify negation changes the key and changes it back */
6422 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6423 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6424 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6425 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6426
6427 /* Check that privkey alias gives same result */
6428 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6429 CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6430 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6431
6432 /* Negating all 0s fails */
6433 memset(seckey, 0, 32);
6434 memset(seckey_tmp, 0, 32);
6435 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6436 /* Check that seckey is not modified */
6437 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6438
6439 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6440 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6441 * doesn't just set seckey to a constant value in case of failure. */
6442 random_scalar_order_b32(seckey);
6443 memset(seckey, 0xFF, 16);
6444 memset(seckey_tmp, 0, 32);
6445 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6446 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6447}
6448
6449static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6450 secp256k1_scalar nonce;
6451 do {
6452 random_scalar_order_test(&nonce);
6453 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6454}
6455
6456static void test_ecdsa_sign_verify(void) {
6457 secp256k1_gej pubj;
6458 secp256k1_ge pub;
6459 secp256k1_scalar one;
6460 secp256k1_scalar msg, key;
6461 secp256k1_scalar sigr, sigs;
6462 int getrec;
6463 int recid;
6464 random_scalar_order_test(&msg);
6465 random_scalar_order_test(&key);
6466 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6467 secp256k1_ge_set_gej(&pub, &pubj);
6468 getrec = secp256k1_testrand_bits(1);
6469 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6470 See the commit messages of the commit that introduced this comment for details. */
6471 if (getrec) {
6472 random_sign(&sigr, &sigs, &key, &msg, &recid);
6473 CHECK(recid >= 0 && recid < 4);
6474 } else {
6475 random_sign(&sigr, &sigs, &key, &msg, NULL);
6476 }
6477 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6478 secp256k1_scalar_set_int(&one, 1);
6479 secp256k1_scalar_add(&msg, &msg, &one);
6480 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6481}
6482
6483static void run_ecdsa_sign_verify(void) {
6484 int i;
6485 for (i = 0; i < 10*COUNT; i++) {
6486 test_ecdsa_sign_verify();
6487 }
6488}
6489
6491static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6492 (void)msg32;
6493 (void)key32;
6494 (void)algo16;
6495 memcpy(nonce32, data, 32);
6496 return (counter == 0);
6497}
6498
6499static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6500 /* Dummy nonce generator that has a fatal error on the first counter value. */
6501 if (counter == 0) {
6502 return 0;
6503 }
6504 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6505}
6506
6507static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6508 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6509 if (counter < 3) {
6510 memset(nonce32, counter==0 ? 0 : 255, 32);
6511 if (counter == 2) {
6512 nonce32[31]--;
6513 }
6514 return 1;
6515 }
6516 if (counter < 5) {
6517 static const unsigned char order[] = {
6518 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6519 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6520 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6521 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6522 };
6523 memcpy(nonce32, order, 32);
6524 if (counter == 4) {
6525 nonce32[31]++;
6526 }
6527 return 1;
6528 }
6529 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6530 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6531 if (counter > 5) {
6532 return 0;
6533 }
6534 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6535}
6536
6537static int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6538 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6539 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6540}
6541
6542static void test_ecdsa_end_to_end(void) {
6543 unsigned char extra[32] = {0x00};
6544 unsigned char privkey[32];
6545 unsigned char message[32];
6546 unsigned char privkey2[32];
6547 secp256k1_ecdsa_signature signature[6];
6548 secp256k1_scalar r, s;
6549 unsigned char sig[74];
6550 size_t siglen = 74;
6551 unsigned char pubkeyc[65];
6552 size_t pubkeyclen = 65;
6553 secp256k1_pubkey pubkey;
6554 secp256k1_pubkey pubkey_tmp;
6555 unsigned char seckey[300];
6556 size_t seckeylen = 300;
6557
6558 /* Generate a random key and message. */
6559 {
6560 secp256k1_scalar msg, key;
6561 random_scalar_order_test(&msg);
6562 random_scalar_order_test(&key);
6563 secp256k1_scalar_get_b32(privkey, &key);
6564 secp256k1_scalar_get_b32(message, &msg);
6565 }
6566
6567 /* Construct and verify corresponding public key. */
6568 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6569 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6570
6571 /* Verify exporting and importing public key. */
6572 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6573 memset(&pubkey, 0, sizeof(pubkey));
6574 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6575
6576 /* Verify negation changes the key and changes it back */
6577 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6578 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6579 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6580 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6581 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6582
6583 /* Verify private key import and export. */
6584 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6585 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6586 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6587
6588 /* Optionally tweak the keys using addition. */
6589 if (secp256k1_testrand_int(3) == 0) {
6590 int ret1;
6591 int ret2;
6592 int ret3;
6593 unsigned char rnd[32];
6594 unsigned char privkey_tmp[32];
6595 secp256k1_pubkey pubkey2;
6596 secp256k1_testrand256_test(rnd);
6597 memcpy(privkey_tmp, privkey, 32);
6598 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6599 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6600 /* Check that privkey alias gives same result */
6601 ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6602 CHECK(ret1 == ret2);
6603 CHECK(ret2 == ret3);
6604 if (ret1 == 0) {
6605 return;
6606 }
6607 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6608 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6609 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6610 }
6611
6612 /* Optionally tweak the keys using multiplication. */
6613 if (secp256k1_testrand_int(3) == 0) {
6614 int ret1;
6615 int ret2;
6616 int ret3;
6617 unsigned char rnd[32];
6618 unsigned char privkey_tmp[32];
6619 secp256k1_pubkey pubkey2;
6620 secp256k1_testrand256_test(rnd);
6621 memcpy(privkey_tmp, privkey, 32);
6622 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6623 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6624 /* Check that privkey alias gives same result */
6625 ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6626 CHECK(ret1 == ret2);
6627 CHECK(ret2 == ret3);
6628 if (ret1 == 0) {
6629 return;
6630 }
6631 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6632 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6633 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6634 }
6635
6636 /* Sign. */
6637 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6638 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6639 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6640 extra[31] = 1;
6641 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6642 extra[31] = 0;
6643 extra[0] = 1;
6644 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6645 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6646 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6647 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6648 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6649 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6650 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6651 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6652 /* Verify. */
6653 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6654 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6655 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6656 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6657 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6658 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6659 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6660 secp256k1_scalar_negate(&s, &s);
6661 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6662 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6663 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6664 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6665 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6666 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6667 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6668 secp256k1_scalar_negate(&s, &s);
6669 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6670 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6671 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6672 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6673
6674 /* Serialize/parse DER and verify again */
6675 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6676 memset(&signature[0], 0, sizeof(signature[0]));
6677 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6678 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6679 /* Serialize/destroy/parse DER and verify again. */
6680 siglen = 74;
6681 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6682 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6683 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6684 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6685}
6686
6687static void test_random_pubkeys(void) {
6688 secp256k1_ge elem;
6689 secp256k1_ge elem2;
6690 unsigned char in[65];
6691 /* Generate some randomly sized pubkeys. */
6692 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6693 if (secp256k1_testrand_bits(2) == 0) {
6694 len = secp256k1_testrand_bits(6);
6695 }
6696 if (len == 65) {
6697 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6698 } else {
6699 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6700 }
6701 if (secp256k1_testrand_bits(3) == 0) {
6702 in[0] = secp256k1_testrand_bits(8);
6703 }
6704 if (len > 1) {
6705 secp256k1_testrand256(&in[1]);
6706 }
6707 if (len > 33) {
6708 secp256k1_testrand256(&in[33]);
6709 }
6710 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6711 unsigned char out[65];
6712 unsigned char firstb;
6713 int res;
6714 size_t size = len;
6715 firstb = in[0];
6716 /* If the pubkey can be parsed, it should round-trip... */
6717 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6718 CHECK(size == len);
6719 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6720 /* ... except for the type of hybrid inputs. */
6721 if ((in[0] != 6) && (in[0] != 7)) {
6722 CHECK(in[0] == out[0]);
6723 }
6724 size = 65;
6725 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6726 CHECK(size == 65);
6727 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6728 ge_equals_ge(&elem,&elem2);
6729 /* Check that the X9.62 hybrid type is checked. */
6730 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6731 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6732 if (firstb == 2 || firstb == 3) {
6733 if (in[0] == firstb + 4) {
6734 CHECK(res);
6735 } else {
6736 CHECK(!res);
6737 }
6738 }
6739 if (res) {
6740 ge_equals_ge(&elem,&elem2);
6741 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6742 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6743 }
6744 }
6745}
6746
6747static void run_pubkey_comparison(void) {
6748 unsigned char pk1_ser[33] = {
6749 0x02,
6750 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6751 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6752 };
6753 const unsigned char pk2_ser[33] = {
6754 0x02,
6755 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6756 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6757 };
6758 secp256k1_pubkey pk1;
6759 secp256k1_pubkey pk2;
6760 int32_t ecount = 0;
6761
6762 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6763 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6764
6765 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6766 CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0);
6767 CHECK(ecount == 1);
6768 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0);
6769 CHECK(ecount == 2);
6770 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6771 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6772 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6773 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6774 CHECK(ecount == 2);
6775 {
6776 secp256k1_pubkey pk_tmp;
6777 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6778 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0);
6779 CHECK(ecount == 3);
6780 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6781 CHECK(ecount == 5);
6782 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0);
6783 CHECK(ecount == 6);
6784 }
6785
6786 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6787
6788 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6789 * an uncompressed encoding, these would have the opposite ordering */
6790 pk1_ser[0] = 3;
6791 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6792 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6793 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6794}
6795
6796static void run_random_pubkeys(void) {
6797 int i;
6798 for (i = 0; i < 10*COUNT; i++) {
6799 test_random_pubkeys();
6800 }
6801}
6802
6803static void run_ecdsa_end_to_end(void) {
6804 int i;
6805 for (i = 0; i < 64*COUNT; i++) {
6806 test_ecdsa_end_to_end();
6807 }
6808}
6809
6810static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6811 static const unsigned char zeroes[32] = {0};
6812
6813 int ret = 0;
6814
6815 secp256k1_ecdsa_signature sig_der;
6816 unsigned char roundtrip_der[2048];
6817 unsigned char compact_der[64];
6818 size_t len_der = 2048;
6819 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6820
6821 secp256k1_ecdsa_signature sig_der_lax;
6822 unsigned char roundtrip_der_lax[2048];
6823 unsigned char compact_der_lax[64];
6824 size_t len_der_lax = 2048;
6825 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6826
6827 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6828 if (parsed_der) {
6829 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6830 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6831 }
6832 if (valid_der) {
6833 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6834 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6835 }
6836
6837 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6838 if (parsed_der_lax) {
6839 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6840 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6841 }
6842 if (valid_der_lax) {
6843 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6844 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6845 }
6846
6847 if (certainly_der) {
6848 ret |= (!parsed_der) << 2;
6849 }
6850 if (certainly_not_der) {
6851 ret |= (parsed_der) << 17;
6852 }
6853 if (valid_der) {
6854 ret |= (!roundtrips_der) << 3;
6855 }
6856
6857 if (valid_der) {
6858 ret |= (!roundtrips_der_lax) << 12;
6859 ret |= (len_der != len_der_lax) << 13;
6860 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6861 }
6862 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6863 if (parsed_der) {
6864 ret |= (!parsed_der_lax) << 16;
6865 }
6866
6867 return ret;
6868}
6869
6870static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6871 size_t i;
6872 for (i = 0; i < ptrlen; i++) {
6873 int shift = ptrlen - 1 - i;
6874 if (shift >= 4) {
6875 ptr[i] = 0;
6876 } else {
6877 ptr[i] = (val >> shift) & 0xFF;
6878 }
6879 }
6880}
6881
6882static void damage_array(unsigned char *sig, size_t *len) {
6883 int pos;
6884 int action = secp256k1_testrand_bits(3);
6885 if (action < 1 && *len > 3) {
6886 /* Delete a byte. */
6887 pos = secp256k1_testrand_int(*len);
6888 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6889 (*len)--;
6890 return;
6891 } else if (action < 2 && *len < 2048) {
6892 /* Insert a byte. */
6893 pos = secp256k1_testrand_int(1 + *len);
6894 memmove(sig + pos + 1, sig + pos, *len - pos);
6895 sig[pos] = secp256k1_testrand_bits(8);
6896 (*len)++;
6897 return;
6898 } else if (action < 4) {
6899 /* Modify a byte. */
6900 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6901 return;
6902 } else { /* action < 8 */
6903 /* Modify a bit. */
6904 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6905 return;
6906 }
6907}
6908
6909static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6910 int der;
6911 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6912 size_t tlen, elen, glen;
6913 int indet;
6914 int n;
6915
6916 *len = 0;
6917 der = secp256k1_testrand_bits(2) == 0;
6918 *certainly_der = der;
6919 *certainly_not_der = 0;
6920 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6921
6922 for (n = 0; n < 2; n++) {
6923 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6924 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6925 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6926 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6927 CHECK(nlen[n] <= 232);
6928 /* The top bit of the number. */
6929 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6930 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6931 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6932 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6933 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6934 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6935 *certainly_not_der = 1;
6936 }
6937 CHECK(nlen[n] + nzlen[n] <= 300);
6938 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6939 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6940 if (!der) {
6941 /* nlenlen[n] max 127 bytes */
6942 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6943 nlenlen[n] += add;
6944 if (add != 0) {
6945 *certainly_not_der = 1;
6946 }
6947 }
6948 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6949 }
6950
6951 /* The total length of the data to go, so far */
6952 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6953 CHECK(tlen <= 856);
6954
6955 /* The length of the garbage inside the tuple. */
6956 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6957 if (elen != 0) {
6958 *certainly_not_der = 1;
6959 }
6960 tlen += elen;
6961 CHECK(tlen <= 980);
6962
6963 /* The length of the garbage after the end of the tuple. */
6964 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6965 if (glen != 0) {
6966 *certainly_not_der = 1;
6967 }
6968 CHECK(tlen + glen <= 990);
6969
6970 /* Write the tuple header. */
6971 sig[(*len)++] = 0x30;
6972 if (indet) {
6973 /* Indeterminate length */
6974 sig[(*len)++] = 0x80;
6975 *certainly_not_der = 1;
6976 } else {
6977 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6978 if (!der) {
6979 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6980 tlenlen += add;
6981 if (add != 0) {
6982 *certainly_not_der = 1;
6983 }
6984 }
6985 if (tlenlen == 0) {
6986 /* Short length notation */
6987 sig[(*len)++] = tlen;
6988 } else {
6989 /* Long length notation */
6990 sig[(*len)++] = 128 + tlenlen;
6991 assign_big_endian(sig + *len, tlenlen, tlen);
6992 *len += tlenlen;
6993 }
6994 tlen += tlenlen;
6995 }
6996 tlen += 2;
6997 CHECK(tlen + glen <= 1119);
6998
6999 for (n = 0; n < 2; n++) {
7000 /* Write the integer header. */
7001 sig[(*len)++] = 0x02;
7002 if (nlenlen[n] == 0) {
7003 /* Short length notation */
7004 sig[(*len)++] = nlen[n] + nzlen[n];
7005 } else {
7006 /* Long length notation. */
7007 sig[(*len)++] = 128 + nlenlen[n];
7008 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
7009 *len += nlenlen[n];
7010 }
7011 /* Write zero padding */
7012 while (nzlen[n] > 0) {
7013 sig[(*len)++] = 0x00;
7014 nzlen[n]--;
7015 }
7016 if (nlen[n] == 32 && !nlow[n]) {
7017 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
7018 int i;
7019 for (i = 0; i < 16; i++) {
7020 sig[(*len)++] = 0xFF;
7021 }
7022 nlen[n] -= 16;
7023 }
7024 /* Write first byte of number */
7025 if (nlen[n] > 0) {
7026 sig[(*len)++] = nhbyte[n];
7027 nlen[n]--;
7028 }
7029 /* Generate remaining random bytes of number */
7030 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
7031 *len += nlen[n];
7032 nlen[n] = 0;
7033 }
7034
7035 /* Generate random garbage inside tuple. */
7036 secp256k1_testrand_bytes_test(sig + *len, elen);
7037 *len += elen;
7038
7039 /* Generate end-of-contents bytes. */
7040 if (indet) {
7041 sig[(*len)++] = 0;
7042 sig[(*len)++] = 0;
7043 tlen += 2;
7044 }
7045 CHECK(tlen + glen <= 1121);
7046
7047 /* Generate random garbage outside tuple. */
7048 secp256k1_testrand_bytes_test(sig + *len, glen);
7049 *len += glen;
7050 tlen += glen;
7051 CHECK(tlen <= 1121);
7052 CHECK(tlen == *len);
7053}
7054
7055static void run_ecdsa_der_parse(void) {
7056 int i,j;
7057 for (i = 0; i < 200 * COUNT; i++) {
7058 unsigned char buffer[2048];
7059 size_t buflen = 0;
7060 int certainly_der = 0;
7061 int certainly_not_der = 0;
7062 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7063 CHECK(buflen <= 2048);
7064 for (j = 0; j < 16; j++) {
7065 int ret = 0;
7066 if (j > 0) {
7067 damage_array(buffer, &buflen);
7068 /* We don't know anything anymore about the DERness of the result */
7069 certainly_der = 0;
7070 certainly_not_der = 0;
7071 }
7072 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7073 if (ret != 0) {
7074 size_t k;
7075 fprintf(stderr, "Failure %x on ", ret);
7076 for (k = 0; k < buflen; k++) {
7077 fprintf(stderr, "%02x ", buffer[k]);
7078 }
7079 fprintf(stderr, "\n");
7080 }
7081 CHECK(ret == 0);
7082 }
7083 }
7084}
7085
7086/* Tests several edge cases. */
7087static void test_ecdsa_edge_cases(void) {
7088 int t;
7089 secp256k1_ecdsa_signature sig;
7090
7091 /* Test the case where ECDSA recomputes a point that is infinity. */
7092 {
7093 secp256k1_gej keyj;
7094 secp256k1_ge key;
7095 secp256k1_scalar msg;
7096 secp256k1_scalar sr, ss;
7097 secp256k1_scalar_set_int(&ss, 1);
7098 secp256k1_scalar_negate(&ss, &ss);
7099 secp256k1_scalar_inverse(&ss, &ss);
7100 secp256k1_scalar_set_int(&sr, 1);
7101 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
7102 secp256k1_ge_set_gej(&key, &keyj);
7103 msg = ss;
7104 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7105 }
7106
7107 /* Verify signature with r of zero fails. */
7108 {
7109 const unsigned char pubkey_mods_zero[33] = {
7110 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7112 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7113 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7114 0x41
7115 };
7116 secp256k1_ge key;
7117 secp256k1_scalar msg;
7118 secp256k1_scalar sr, ss;
7119 secp256k1_scalar_set_int(&ss, 1);
7120 secp256k1_scalar_set_int(&msg, 0);
7121 secp256k1_scalar_set_int(&sr, 0);
7122 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7123 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7124 }
7125
7126 /* Verify signature with s of zero fails. */
7127 {
7128 const unsigned char pubkey[33] = {
7129 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7130 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7131 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7133 0x01
7134 };
7135 secp256k1_ge key;
7136 secp256k1_scalar msg;
7137 secp256k1_scalar sr, ss;
7138 secp256k1_scalar_set_int(&ss, 0);
7139 secp256k1_scalar_set_int(&msg, 0);
7140 secp256k1_scalar_set_int(&sr, 1);
7141 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7142 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7143 }
7144
7145 /* Verify signature with message 0 passes. */
7146 {
7147 const unsigned char pubkey[33] = {
7148 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7152 0x02
7153 };
7154 const unsigned char pubkey2[33] = {
7155 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7156 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7157 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7158 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7159 0x43
7160 };
7161 secp256k1_ge key;
7162 secp256k1_ge key2;
7163 secp256k1_scalar msg;
7164 secp256k1_scalar sr, ss;
7165 secp256k1_scalar_set_int(&ss, 2);
7166 secp256k1_scalar_set_int(&msg, 0);
7167 secp256k1_scalar_set_int(&sr, 2);
7168 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7169 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7170 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7171 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7172 secp256k1_scalar_negate(&ss, &ss);
7173 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7174 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7175 secp256k1_scalar_set_int(&ss, 1);
7176 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7177 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7178 }
7179
7180 /* Verify signature with message 1 passes. */
7181 {
7182 const unsigned char pubkey[33] = {
7183 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7184 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7185 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7186 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7187 0x25
7188 };
7189 const unsigned char pubkey2[33] = {
7190 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7191 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7192 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7193 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7194 0x62
7195 };
7196 const unsigned char csr[32] = {
7197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7199 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7200 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7201 };
7202 secp256k1_ge key;
7203 secp256k1_ge key2;
7204 secp256k1_scalar msg;
7205 secp256k1_scalar sr, ss;
7206 secp256k1_scalar_set_int(&ss, 1);
7207 secp256k1_scalar_set_int(&msg, 1);
7208 secp256k1_scalar_set_b32(&sr, csr, NULL);
7209 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7210 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7211 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7212 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7213 secp256k1_scalar_negate(&ss, &ss);
7214 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7215 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7216 secp256k1_scalar_set_int(&ss, 2);
7217 secp256k1_scalar_inverse_var(&ss, &ss);
7218 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7219 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7220 }
7221
7222 /* Verify signature with message -1 passes. */
7223 {
7224 const unsigned char pubkey[33] = {
7225 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7226 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7227 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7228 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7229 0xf1
7230 };
7231 const unsigned char csr[32] = {
7232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7234 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7235 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7236 };
7237 secp256k1_ge key;
7238 secp256k1_scalar msg;
7239 secp256k1_scalar sr, ss;
7240 secp256k1_scalar_set_int(&ss, 1);
7241 secp256k1_scalar_set_int(&msg, 1);
7242 secp256k1_scalar_negate(&msg, &msg);
7243 secp256k1_scalar_set_b32(&sr, csr, NULL);
7244 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7245 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7246 secp256k1_scalar_negate(&ss, &ss);
7247 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7248 secp256k1_scalar_set_int(&ss, 3);
7249 secp256k1_scalar_inverse_var(&ss, &ss);
7250 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7251 }
7252
7253 /* Signature where s would be zero. */
7254 {
7255 secp256k1_pubkey pubkey;
7256 size_t siglen;
7257 int32_t ecount;
7258 unsigned char signature[72];
7259 static const unsigned char nonce[32] = {
7260 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7264 };
7265 static const unsigned char nonce2[32] = {
7266 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7267 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7268 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7269 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7270 };
7271 const unsigned char key[32] = {
7272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7273 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7276 };
7277 unsigned char msg[32] = {
7278 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7279 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7280 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7281 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7282 };
7283 ecount = 0;
7284 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
7285 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
7286 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7287 msg[31] = 0xaa;
7288 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
7289 CHECK(ecount == 0);
7290 CHECK(secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
7291 CHECK(ecount == 1);
7292 CHECK(secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
7293 CHECK(ecount == 2);
7294 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
7295 CHECK(ecount == 3);
7296 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7297 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7298 CHECK(secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey) == 0);
7299 CHECK(ecount == 4);
7300 CHECK(secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey) == 0);
7301 CHECK(ecount == 5);
7302 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, NULL) == 0);
7303 CHECK(ecount == 6);
7304 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7305 CHECK(ecount == 6);
7306 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
7307 CHECK(ecount == 7);
7308 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7309 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 0);
7310 CHECK(ecount == 8);
7311 siglen = 72;
7312 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig) == 0);
7313 CHECK(ecount == 9);
7314 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig) == 0);
7315 CHECK(ecount == 10);
7316 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL) == 0);
7317 CHECK(ecount == 11);
7318 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7319 CHECK(ecount == 11);
7320 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen) == 0);
7321 CHECK(ecount == 12);
7322 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen) == 0);
7323 CHECK(ecount == 13);
7324 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7325 CHECK(ecount == 13);
7326 siglen = 10;
7327 /* Too little room for a signature does not fail via ARGCHECK. */
7328 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7329 CHECK(ecount == 13);
7330 ecount = 0;
7331 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL) == 0);
7332 CHECK(ecount == 1);
7333 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig) == 0);
7334 CHECK(ecount == 2);
7335 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL) == 0);
7336 CHECK(ecount == 3);
7337 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7338 CHECK(ecount == 3);
7339 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature) == 0);
7340 CHECK(ecount == 4);
7341 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL) == 0);
7342 CHECK(ecount == 5);
7343 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7344 CHECK(ecount == 5);
7345 memset(signature, 255, 64);
7346 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7347 CHECK(ecount == 5);
7348 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
7349 }
7350
7351 /* Nonce function corner cases. */
7352 for (t = 0; t < 2; t++) {
7353 static const unsigned char zero[32] = {0x00};
7354 int i;
7355 unsigned char key[32];
7356 unsigned char msg[32];
7357 secp256k1_ecdsa_signature sig2;
7358 secp256k1_scalar sr[512], ss;
7359 const unsigned char *extra;
7360 extra = t == 0 ? NULL : zero;
7361 memset(msg, 0, 32);
7362 msg[31] = 1;
7363 /* High key results in signature failure. */
7364 memset(key, 0xFF, 32);
7365 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7366 CHECK(is_empty_signature(&sig));
7367 /* Zero key results in signature failure. */
7368 memset(key, 0, 32);
7369 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7370 CHECK(is_empty_signature(&sig));
7371 /* Nonce function failure results in signature failure. */
7372 key[31] = 1;
7373 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7374 CHECK(is_empty_signature(&sig));
7375 /* The retry loop successfully makes its way to the first good value. */
7376 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7377 CHECK(!is_empty_signature(&sig));
7378 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7379 CHECK(!is_empty_signature(&sig2));
7380 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7381 /* The default nonce function is deterministic. */
7382 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7383 CHECK(!is_empty_signature(&sig2));
7384 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7385 /* The default nonce function changes output with different messages. */
7386 for(i = 0; i < 256; i++) {
7387 int j;
7388 msg[0] = i;
7389 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7390 CHECK(!is_empty_signature(&sig2));
7391 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7392 for (j = 0; j < i; j++) {
7393 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7394 }
7395 }
7396 msg[0] = 0;
7397 msg[31] = 2;
7398 /* The default nonce function changes output with different keys. */
7399 for(i = 256; i < 512; i++) {
7400 int j;
7401 key[0] = i - 256;
7402 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7403 CHECK(!is_empty_signature(&sig2));
7404 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7405 for (j = 0; j < i; j++) {
7406 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7407 }
7408 }
7409 key[0] = 0;
7410 }
7411
7412 {
7413 /* Check that optional nonce arguments do not have equivalent effect. */
7414 const unsigned char zeros[32] = {0};
7415 unsigned char nonce[32];
7416 unsigned char nonce2[32];
7417 unsigned char nonce3[32];
7418 unsigned char nonce4[32];
7419 SECP256K1_CHECKMEM_UNDEFINE(nonce,32);
7420 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7421 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7422 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7423 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7424 SECP256K1_CHECKMEM_CHECK(nonce,32);
7425 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7426 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7427 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7428 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7429 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7430 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7431 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7432 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7433 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7434 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7435 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7436 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7437 }
7438
7439
7440 /* Privkey export where pubkey is the point at infinity. */
7441 {
7442 unsigned char privkey[300];
7443 unsigned char seckey[32] = {
7444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7445 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7446 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7447 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7448 };
7449 size_t outlen = 300;
7450 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7451 outlen = 300;
7452 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7453 }
7454}
7455
7456static void run_ecdsa_edge_cases(void) {
7457 test_ecdsa_edge_cases();
7458}
7459
7464static void test_ecdsa_wycheproof(void) {
7465 #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h"
7466
7467 int t;
7468 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7469 secp256k1_ecdsa_signature signature;
7470 secp256k1_sha256 hasher;
7471 secp256k1_pubkey pubkey;
7472 const unsigned char *msg, *sig, *pk;
7473 unsigned char out[32] = {0};
7474 int actual_verify = 0;
7475
7476 memset(&pubkey, 0, sizeof(pubkey));
7477 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset];
7478 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7479
7480 secp256k1_sha256_initialize(&hasher);
7481 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset];
7482 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7483 secp256k1_sha256_finalize(&hasher, out);
7484
7485 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7486 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7487 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7488 }
7489 CHECK(testvectors[t].expected_verify == actual_verify);
7490 }
7491}
7492
7493/* Tests cases from Wycheproof test suite. */
7494static void run_ecdsa_wycheproof(void) {
7495 test_ecdsa_wycheproof();
7496}
7497
7498#ifdef ENABLE_MODULE_ECDH
7499# include "modules/ecdh/tests_impl.h"
7500#endif
7501
7502#ifdef ENABLE_MODULE_MULTISET
7503# include "modules/multiset/tests_impl.h"
7504#endif
7505
7506#ifdef ENABLE_MODULE_RECOVERY
7507# include "modules/recovery/tests_impl.h"
7508#endif
7509
7510#ifdef ENABLE_MODULE_SCHNORR
7511# include "modules/schnorr/tests_impl.h"
7512#endif
7513
7514#ifdef ENABLE_MODULE_EXTRAKEYS
7515# include "modules/extrakeys/tests_impl.h"
7516#endif
7517
7518#ifdef ENABLE_MODULE_SCHNORRSIG
7519# include "modules/schnorrsig/tests_impl.h"
7520#endif
7521
7522#ifdef ENABLE_MODULE_ELLSWIFT
7523# include "modules/ellswift/tests_impl.h"
7524#endif
7525
7526static void run_secp256k1_memczero_test(void) {
7527 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7528 unsigned char buf2[sizeof(buf1)];
7529
7530 /* secp256k1_memczero(..., ..., 0) is a noop. */
7531 memcpy(buf2, buf1, sizeof(buf1));
7532 secp256k1_memczero(buf1, sizeof(buf1), 0);
7533 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7534
7535 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7536 memset(buf2, 0, sizeof(buf2));
7537 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7538 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7539}
7540
7541static void run_secp256k1_byteorder_tests(void) {
7542 {
7543 const uint32_t x = 0xFF03AB45;
7544 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7545 unsigned char buf[4];
7546 uint32_t x_;
7547
7548 secp256k1_write_be32(buf, x);
7549 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7550
7551 x_ = secp256k1_read_be32(buf);
7552 CHECK(x == x_);
7553 }
7554
7555 {
7556 const uint64_t x = 0xCAFE0123BEEF4567;
7557 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7558 unsigned char buf[8];
7559 uint64_t x_;
7560
7561 secp256k1_write_be64(buf, x);
7562 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7563
7564 x_ = secp256k1_read_be64(buf);
7565 CHECK(x == x_);
7566 }
7567}
7568
7569static void int_cmov_test(void) {
7570 int r = INT_MAX;
7571 int a = 0;
7572
7573 secp256k1_int_cmov(&r, &a, 0);
7574 CHECK(r == INT_MAX);
7575
7576 r = 0; a = INT_MAX;
7577 secp256k1_int_cmov(&r, &a, 1);
7578 CHECK(r == INT_MAX);
7579
7580 a = 0;
7581 secp256k1_int_cmov(&r, &a, 1);
7582 CHECK(r == 0);
7583
7584 a = 1;
7585 secp256k1_int_cmov(&r, &a, 1);
7586 CHECK(r == 1);
7587
7588 r = 1; a = 0;
7589 secp256k1_int_cmov(&r, &a, 0);
7590 CHECK(r == 1);
7591
7592}
7593
7594static void fe_cmov_test(void) {
7595 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7596 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7597 static const secp256k1_fe max = SECP256K1_FE_CONST(
7598 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7599 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7600 );
7601 secp256k1_fe r = max;
7602 secp256k1_fe a = zero;
7603
7604 secp256k1_fe_cmov(&r, &a, 0);
7605 CHECK(fe_identical(&r, &max));
7606
7607 r = zero; a = max;
7608 secp256k1_fe_cmov(&r, &a, 1);
7609 CHECK(fe_identical(&r, &max));
7610
7611 a = zero;
7612 secp256k1_fe_cmov(&r, &a, 1);
7613 CHECK(fe_identical(&r, &zero));
7614
7615 a = one;
7616 secp256k1_fe_cmov(&r, &a, 1);
7617 CHECK(fe_identical(&r, &one));
7618
7619 r = one; a = zero;
7620 secp256k1_fe_cmov(&r, &a, 0);
7621 CHECK(fe_identical(&r, &one));
7622}
7623
7624static void fe_storage_cmov_test(void) {
7625 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7626 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7627 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7628 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7629 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7630 );
7631 secp256k1_fe_storage r = max;
7632 secp256k1_fe_storage a = zero;
7633
7634 secp256k1_fe_storage_cmov(&r, &a, 0);
7635 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7636
7637 r = zero; a = max;
7638 secp256k1_fe_storage_cmov(&r, &a, 1);
7639 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7640
7641 a = zero;
7642 secp256k1_fe_storage_cmov(&r, &a, 1);
7643 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7644
7645 a = one;
7646 secp256k1_fe_storage_cmov(&r, &a, 1);
7647 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7648
7649 r = one; a = zero;
7650 secp256k1_fe_storage_cmov(&r, &a, 0);
7651 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7652}
7653
7654static void scalar_cmov_test(void) {
7655 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7656 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7657 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7658 );
7659 secp256k1_scalar r = max;
7660 secp256k1_scalar a = secp256k1_scalar_zero;
7661
7662 secp256k1_scalar_cmov(&r, &a, 0);
7663 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7664
7665 r = secp256k1_scalar_zero; a = max;
7666 secp256k1_scalar_cmov(&r, &a, 1);
7667 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7668
7669 a = secp256k1_scalar_zero;
7670 secp256k1_scalar_cmov(&r, &a, 1);
7671 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7672
7673 a = secp256k1_scalar_one;
7674 secp256k1_scalar_cmov(&r, &a, 1);
7675 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7676
7677 r = secp256k1_scalar_one; a = secp256k1_scalar_zero;
7678 secp256k1_scalar_cmov(&r, &a, 0);
7679 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7680}
7681
7682static void ge_storage_cmov_test(void) {
7683 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7684 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7685 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7686 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7687 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7688 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7689 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7690 );
7691 secp256k1_ge_storage r = max;
7692 secp256k1_ge_storage a = zero;
7693
7694 secp256k1_ge_storage_cmov(&r, &a, 0);
7695 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7696
7697 r = zero; a = max;
7698 secp256k1_ge_storage_cmov(&r, &a, 1);
7699 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7700
7701 a = zero;
7702 secp256k1_ge_storage_cmov(&r, &a, 1);
7703 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7704
7705 a = one;
7706 secp256k1_ge_storage_cmov(&r, &a, 1);
7707 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7708
7709 r = one; a = zero;
7710 secp256k1_ge_storage_cmov(&r, &a, 0);
7711 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7712}
7713
7714static void run_cmov_tests(void) {
7715 int_cmov_test();
7716 fe_cmov_test();
7717 fe_storage_cmov_test();
7718 scalar_cmov_test();
7719 ge_storage_cmov_test();
7720}
7721
7722int main(int argc, char **argv) {
7723 /* Disable buffering for stdout to improve reliability of getting
7724 * diagnostic information. Happens right at the start of main because
7725 * setbuf must be used before any other operation on the stream. */
7726 setbuf(stdout, NULL);
7727 /* Also disable buffering for stderr because it's not guaranteed that it's
7728 * unbuffered on all systems. */
7729 setbuf(stderr, NULL);
7730
7731 /* find iteration count */
7732 if (argc > 1) {
7733 COUNT = strtol(argv[1], NULL, 0);
7734 } else {
7735 const char* env = getenv("SECP256K1_TEST_ITERS");
7736 if (env && strlen(env) > 0) {
7737 COUNT = strtol(env, NULL, 0);
7738 }
7739 }
7740 if (COUNT <= 0) {
7741 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7742 return EXIT_FAILURE;
7743 }
7744 printf("test count = %i\n", COUNT);
7745
7746 /* run test RNG tests (must run before we really initialize the test RNG) */
7747 run_xoshiro256pp_tests();
7748
7749 /* find random seed */
7750 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7751
7752 /*** Setup test environment ***/
7753
7754 /* Create a global context available to all tests */
7755 CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
7756 /* Randomize the context only with probability 15/16
7757 to make sure we test without context randomization from time to time.
7758 TODO Reconsider this when recalibrating the tests. */
7759 if (secp256k1_testrand_bits(4)) {
7760 unsigned char rand32[32];
7761 secp256k1_testrand256(rand32);
7762 CHECK(secp256k1_context_randomize(CTX, rand32));
7763 }
7764 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7765 that write to the context. The API does not support cloning the static context, so we use
7766 memcpy instead. The user is not supposed to copy a context but we should still ensure that
7767 the API functions handle copies of the static context gracefully. */
7768 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7769 CHECK(STATIC_CTX != NULL);
7770 memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context));
7771 CHECK(!secp256k1_context_is_proper(STATIC_CTX));
7772
7773 /*** Run actual tests ***/
7774
7775 /* selftest tests */
7776 run_selftest_tests();
7777
7778 /* context tests */
7779 run_proper_context_tests(0); run_proper_context_tests(1);
7780 run_static_context_tests(0); run_static_context_tests(1);
7781 run_deprecated_context_flags_test();
7782
7783 /* scratch tests */
7784 run_scratch_tests();
7785
7786 /* integer arithmetic tests */
7787#ifdef SECP256K1_WIDEMUL_INT128
7788 run_int128_tests();
7789#endif
7790 run_ctz_tests();
7791 run_modinv_tests();
7792 run_inverse_tests();
7793
7794 /* hash tests */
7795 run_sha256_known_output_tests();
7796 run_sha256_counter_tests();
7797 run_hmac_sha256_tests();
7798 run_rfc6979_hmac_sha256_tests();
7799 run_tagged_sha256_tests();
7800
7801 /* scalar tests */
7802 run_scalar_tests();
7803
7804 /* field tests */
7805 run_field_half();
7806 run_field_misc();
7807 run_field_convert();
7808 run_field_be32_overflow();
7809 run_fe_mul();
7810 run_sqr();
7811 run_sqrt();
7812
7813 /* group tests */
7814 run_ge();
7815 run_gej();
7816 run_group_decompress();
7817
7818 /* ecmult tests */
7819 run_ecmult_pre_g();
7820 run_wnaf();
7821 run_point_times_order();
7822 run_ecmult_near_split_bound();
7823 run_ecmult_chain();
7824 run_ecmult_constants();
7825 run_ecmult_gen_blind();
7826 run_ecmult_const_tests();
7827 run_ecmult_multi_tests();
7828 run_ec_combine();
7829
7830 /* endomorphism tests */
7831 run_endomorphism_tests();
7832
7833 /* EC point parser test */
7834 run_ec_pubkey_parse_test();
7835
7836 /* EC key edge cases */
7837 run_eckey_edge_case_test();
7838
7839 /* EC key arithmetic test */
7840 run_eckey_negate_test();
7841
7842#ifdef ENABLE_MODULE_ECDH
7843 /* ecdh tests */
7844 run_ecdh_tests();
7845#endif
7846
7847 /* ecdsa tests */
7848 run_ec_illegal_argument_tests();
7849 run_pubkey_comparison();
7850 run_random_pubkeys();
7851 run_ecdsa_der_parse();
7852 run_ecdsa_sign_verify();
7853 run_ecdsa_end_to_end();
7854 run_ecdsa_edge_cases();
7855 run_ecdsa_wycheproof();
7856
7857#ifdef ENABLE_MODULE_MULTISET
7858 run_multiset_tests();
7859#endif
7860
7861#ifdef ENABLE_MODULE_RECOVERY
7862 /* ECDSA pubkey recovery tests */
7863 run_recovery_tests();
7864#endif
7865
7866#ifdef ENABLE_MODULE_SCHNORR
7867 /* Schnorr signature tests */
7868 run_schnorr_tests();
7869#endif
7870
7871#ifdef ENABLE_MODULE_EXTRAKEYS
7872 run_extrakeys_tests();
7873#endif
7874
7875#ifdef ENABLE_MODULE_SCHNORRSIG
7876 run_schnorrsig_tests();
7877#endif
7878
7879#ifdef ENABLE_MODULE_ELLSWIFT
7880 run_ellswift_tests();
7881#endif
7882
7883 /* util tests */
7884 run_secp256k1_memczero_test();
7885 run_secp256k1_byteorder_tests();
7886
7887 run_cmov_tests();
7888
7889 /*** Tear down test environment ***/
7890 free(STATIC_CTX);
7891 secp256k1_context_destroy(CTX);
7892
7893 secp256k1_testrand_finish();
7894
7895 printf("no problems found\n");
7896 return 0;
7897}
flags
int flags
Definition: bitcoin-tx.cpp:546
SECP256K1_CHECKMEM_UNDEFINE
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:76
SECP256K1_CHECKMEM_CHECK
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:78
tests_impl.h
run_ecdh_tests
static void run_ecdh_tests(void)
Definition: tests_impl.h:158
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecdsa_secp256k1_sha256_bitcoin_test.h
wycheproof_ecdsa_signatures
static const unsigned char wycheproof_ecdsa_signatures[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:173
wycheproof_ecdsa_public_keys
static const unsigned char wycheproof_ecdsa_public_keys[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:73
wycheproof_ecdsa_messages
static const unsigned char wycheproof_ecdsa_messages[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:13
SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:2
testvectors
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:636
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:67
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:602
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:732
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:398
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:413
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:159
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:353
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:573
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:723
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:793
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:640
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:45
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:811
tests_impl.h
run_ellswift_tests
void run_ellswift_tests(void)
Definition: tests_impl.h:179
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
static void run_extrakeys_tests(void)
Definition: tests_impl.h:553
secp256k1_fe_cmov
#define secp256k1_fe_cmov
Definition: field.h:96
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_negate
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:215
secp256k1_fe_mul_int
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:237
secp256k1_fe_normalizes_to_zero_var
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:87
secp256k1_fe_normalize_weak
#define secp256k1_fe_normalize_weak
Definition: field.h:79
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:86
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:94
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:93
secp256k1_fe_clear
#define secp256k1_fe_clear
Definition: field.h:84
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
secp256k1_fe_half
#define secp256k1_fe_half
Definition: field.h:102
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
secp256k1_fe_to_storage
#define secp256k1_fe_to_storage
Definition: field.h:97
secp256k1_fe_inv_var
#define secp256k1_fe_inv_var
Definition: field.h:100
secp256k1_fe_is_zero
#define secp256k1_fe_is_zero
Definition: field.h:85
secp256k1_fe_mul_int_unchecked
#define secp256k1_fe_mul_int_unchecked
Definition: field.h:92
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
secp256k1_fe_is_square_var
#define secp256k1_fe_is_square_var
Definition: field.h:104
secp256k1_fe_get_bounds
#define secp256k1_fe_get_bounds
Definition: field.h:101
secp256k1_fe_from_storage
#define secp256k1_fe_from_storage
Definition: field.h:98
secp256k1_fe_set_b32_mod
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
secp256k1_fe_negate_unchecked
#define secp256k1_fe_negate_unchecked
Definition: field.h:91
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:90
secp256k1_fe_normalizes_to_zero
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:99
secp256k1_fe_sqr
#define secp256k1_fe_sqr
Definition: field.h:95
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_add_int
#define secp256k1_fe_add_int
Definition: field.h:103
secp256k1_fe_set_int
#define secp256k1_fe_set_int
Definition: field.h:83
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
SECP256K1_GE_X_MAGNITUDE_MAX
#define SECP256K1_GE_X_MAGNITUDE_MAX
Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x,...
Definition: group.h:49
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_ge_x_on_curve_var
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
SECP256K1_GEJ_Y_MAGNITUDE_MAX
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX
Definition: group.h:52
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_x_frac_on_curve_var
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
SECP256K1_GE_Y_MAGNITUDE_MAX
#define SECP256K1_GE_Y_MAGNITUDE_MAX
Definition: group.h:50
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
SECP256K1_GEJ_Z_MAGNITUDE_MAX
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX
Definition: group.h:53
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
SECP256K1_GEJ_X_MAGNITUDE_MAX
#define SECP256K1_GEJ_X_MAGNITUDE_MAX
Definition: group.h:51
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_impl.h
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:45
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:59
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:40
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:66
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:32
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:71
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:80
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:36
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:84
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:75
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:49
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:23
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
Definition: int128_native_impl.h:88
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:19
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:53
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:15
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:7
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:11
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:28
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_jacobi32_maybe_var
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_jacobi64_maybe_var
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
run_multiset_tests
static void run_multiset_tests(void)
Definition: tests_impl.h:336
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:14
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
tests_wycheproof_generate.expected_verify
int expected_verify
Definition: tests_wycheproof_generate.py:46
tests_wycheproof_generate.out
string out
Definition: tests_wycheproof_generate.py:28
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8236
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:16
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:15
sig
SchnorrSig sig
Definition: processor.cpp:537
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:36
tests_impl.h
run_recovery_tests
static void run_recovery_tests(void)
Definition: tests_impl.h:361
prefix
const char * prefix
Definition: rest.cpp:813
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:68
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:81
tests_impl.h
run_schnorr_tests
static void run_schnorr_tests(void)
Definition: tests_impl.h:512
tests_impl.h
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:854
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:328
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:217
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:231
ALIGNMENT
#define ALIGNMENT
Definition: util.h:161
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:82
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:346
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:310
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:354
secp256k1_write_be64
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:374
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:77
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:299
CHECK
#define CHECK(cond)
Definition: util.h:128
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:287
secp256k1_read_be64
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:362
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:147
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:198
secp256k1_scratch_space_destroy
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:227
secp256k1_context_is_proper
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
secp256k1_scratch_space_create
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:222
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:704
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:196
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:751
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:761
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:614
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:573
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:192
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:596
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:787
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:202
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:203
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:633
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:676
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:195
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:629
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:660
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:728
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:223
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:724
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
ecmult_multi_data
Definition: tests.c:4647
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4648
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4649
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:68
secp256k1_callback::data
const void * data
Definition: util.h:69
secp256k1_context_struct
Definition: secp256k1.c:60
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:64
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:33
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
secp256k1_fe_storage
Definition: field_10x26.h:50
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:22
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
secp256k1_modinv32_modinfo::modulus_inv30
uint32_t modulus_inv30
Definition: modinv32.h:24
secp256k1_modinv32_modinfo::modulus
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:21
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:28
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:16
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:14
secp256k1_uint128
Definition: int128_struct.h:7
wycheproof_ecdsa_testvector::sig_offset
size_t sig_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:8
wycheproof_ecdsa_testvector::msg_offset
size_t msg_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:6
wycheproof_ecdsa_testvector::pk_offset
size_t pk_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:5
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_seed
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
secp256k1_test_state
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
run_random_pubkeys
static void run_random_pubkeys(void)
Definition: tests.c:6796
CHECK_ILLEGAL_VOID
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:59
test_wnaf
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5266
run_inverse_tests
static void run_inverse_tests(void)
Definition: tests.c:3453
mutate_sign_signed30
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:1002
ec_pubkey_parse_pointtest
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5755
test_ecdsa_sign_verify
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6456
test_ge
static void test_ge(void)
Definition: tests.c:3749
ge_equals_ge
static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3701
random_gej_x_magnitude
static void random_gej_x_magnitude(secp256k1_gej *gej)
Definition: tests.c:136
run_pubkey_comparison
static void run_pubkey_comparison(void)
Definition: tests.c:6747
run_ecdsa_sign_verify
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6483
run_field_misc
static void run_field_misc(void)
Definition: tests.c:3150
test_ecmult_gen_blind_reset
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5686
random_field_element_magnitude
static void random_field_element_magnitude(secp256k1_fe *fe, int m)
Definition: tests.c:92
run_ec_pubkey_parse_test
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5830
run_static_context_tests
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:327
random_sign
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6449
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6499
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6507
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
test_ecmult_multi_random
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4889
COUNT
static int COUNT
Definition: tests.c:39
mulmod256
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:900
random_fe_non_zero_test
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:118
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:72
gej_xyz_equals_gej
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3711
ecmult_gen_context_eq
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:242
run_tagged_sha256_tests
static void run_tagged_sha256_tests(void)
Definition: tests.c:850
run_sha256_counter_tests
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:696
random_scalar_order_b32
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:202
random_group_element_jacobian_test
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:160
test_fixed_wnaf_small_helper
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5392
ge_equals_gej
static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3732
all_bytes_equal
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:43
test_intialized_inf
static void test_intialized_inf(void)
Definition: tests.c:3972
test_fixed_wnaf_small
static void test_fixed_wnaf_small(void)
Definition: tests.c:5402
main
int main(int argc, char **argv)
Definition: tests.c:7722
run_ecmult_const_tests
static void run_ecmult_const_tests(void)
Definition: tests.c:4639
test_constant_wnaf
static void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5315
fe_identical
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3094
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_eckey_edge_case_test
static void run_eckey_edge_case_test(void)
Definition: tests.c:6158
random_fe_non_square
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2982
run_secp256k1_byteorder_tests
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7541
run_ecmult_constants
static void run_ecmult_constants(void)
Definition: tests.c:5629
run_field_be32_overflow
static void run_field_be32_overflow(void)
Definition: tests.c:3027
test_modinv32_uint16
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:1017
run_ecmult_chain
static void run_ecmult_chain(void)
Definition: tests.c:4298
test_inverse_field
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3428
run_ec_combine
static void run_ec_combine(void)
Definition: tests.c:4142
run_deprecated_context_flags_test
static void run_deprecated_context_flags_test(void)
Definition: tests.c:257
CTX
static secp256k1_context * CTX
Definition: tests.c:40
run_point_times_order
static void run_point_times_order(void)
Definition: tests.c:4469
random_group_element_test
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:148
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6909
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:37
ecmult_const_commutativity
static void ecmult_const_commutativity(void)
Definition: tests.c:4517
int_cmov_test
static void int_cmov_test(void)
Definition: tests.c:7569
test_add_neg_y_diff_x
static void test_add_neg_y_diff_x(void)
Definition: tests.c:4004
test_ecmult_accumulate
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5510
test_point_times_order
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4357
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6870
run_hmac_sha256_tests
static void run_hmac_sha256_tests(void)
Definition: tests.c:765
test_ecmult_multi_batch_single
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5055
random_gej_test
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:170
signed30_to_uint16
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:993
is_empty_signature
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6537
run_field_half
static void run_field_half(void)
Definition: tests.c:3101
run_eckey_negate_test
static void run_eckey_negate_test(void)
Definition: tests.c:6414
scalar_test
static void scalar_test(void)
Definition: tests.c:2162
run_scalar_set_b32_seckey_tests
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2324
test_ecmult_multi
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4667
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6491
run_gej
static void run_gej(void)
Definition: tests.c:4081
random_fe
static void random_fe(secp256k1_fe *x)
Definition: tests.c:2959
random_fe_non_zero
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2969
run_ge
static void run_ge(void)
Definition: tests.c:4064
ge_storage_cmov_test
static void ge_storage_cmov_test(void)
Definition: tests.c:7682
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3389
fe_storage_cmov_test
static void fe_storage_cmov_test(void)
Definition: tests.c:7624
test_ec_combine
static void test_ec_combine(void)
Definition: tests.c:4117
random_gej_y_magnitude
static void random_gej_y_magnitude(secp256k1_gej *gej)
Definition: tests.c:140
test_secp256k1_pippenger_bucket_window_inv
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5073
run_ctz_tests
static void run_ctz_tests(void)
Definition: tests.c:574
test_ecmult_multi_pippenger_max_points
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5093
run_scalar_tests
static void run_scalar_tests(void)
Definition: tests.c:2341
test_constant_wnaf_negate
static void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:5300
test_random_pubkeys
static void test_random_pubkeys(void)
Definition: tests.c:6687
random_fe_test
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:108
test_gej_cmov
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4073
random_ge_y_magnitude
static void random_ge_y_magnitude(secp256k1_ge *ge)
Definition: tests.c:132
test_sqrt
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3337
scalar_cmov_test
static void scalar_cmov_test(void)
Definition: tests.c:7654
random_ge_x_magnitude
static void random_ge_x_magnitude(secp256k1_ge *ge)
Definition: tests.c:128
run_ecmult_gen_blind
static void run_ecmult_gen_blind(void)
Definition: tests.c:5698
test_ecdsa_end_to_end
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6542
run_sha256_known_output_tests
static void run_sha256_known_output_tests(void)
Definition: tests.c:595
test_ecmult_target
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4419
random_gej_z_magnitude
static void random_gej_z_magnitude(secp256k1_gej *gej)
Definition: tests.c:144
random_scalar_order
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:189
run_ecdsa_end_to_end
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6803
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4652
ecmult_const_mult_xonly
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4558
run_proper_context_tests
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:368
random_fe_magnitude
static void random_fe_magnitude(secp256k1_fe *fe)
Definition: tests.c:124
test_fe_mul
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3257
test_group_decompress
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4149
test_ecmult_constants_2bit
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5542
run_cmov_tests
static void run_cmov_tests(void)
Definition: tests.c:7714
run_ecdsa_der_parse
static void run_ecdsa_der_parse(void)
Definition: tests.c:7055
ecmult_const_random_mult
static void ecmult_const_random_mult(void)
Definition: tests.c:4490
test_scalar_split
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5707
run_field_convert
static void run_field_convert(void)
Definition: tests.c:2997
test_ecdsa_der_parse
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6810
run_ec_illegal_argument_tests
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:275
run_ecdsa_wycheproof
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7494
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:74
test_ecmult_constants_sha
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5586
test_ecmult_multi_batching
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5174
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:83
run_sqrt
static void run_sqrt(void)
Definition: tests.c:3351
run_modinv_tests
static void run_modinv_tests(void)
Definition: tests.c:1198
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4396
uint16_to_signed30
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:984
run_xoshiro256pp_tests
static void run_xoshiro256pp_tests(void)
Definition: tests.c:208
run_wnaf
static void run_wnaf(void)
Definition: tests.c:5456
run_ecmult_multi_tests
static void run_ecmult_multi_tests(void)
Definition: tests.c:5239
run_selftest_tests
static void run_selftest_tests(void)
Definition: tests.c:237
coprime
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1168
run_sqr
static void run_sqr(void)
Definition: tests.c:3321
context_eq
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:248
test_ecmult_multi_batch_size_helper
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5126
random_scalar_order_test
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:176
check_fe_equal
static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2990
run_endomorphism_tests
static void run_endomorphism_tests(void)
Definition: tests.c:5734
run_scratch_tests
static void run_scratch_tests(void)
Definition: tests.c:490
test_ecdsa_wycheproof
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7464
run_ecmult_near_split_bound
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4457
run_ecdsa_edge_cases
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7456
fe_cmov_test
static void fe_cmov_test(void)
Definition: tests.c:7594
run_group_decompress
static void run_group_decompress(void)
Definition: tests.c:4213
ecmult_const_mult_zero_one
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4538
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5502
test_ecdsa_edge_cases
static void test_ecdsa_edge_cases(void)
Definition: tests.c:7087
ecmult_const_chain_multiply
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4613
run_ecmult_pre_g
static void run_ecmult_pre_g(void)
Definition: tests.c:4274
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4659
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:757
test_pre_g_table
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4224
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:41
test_fixed_wnaf
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5355
test_inverse_scalar
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3406
test_ecmult_gen_blind
static void test_ecmult_gen_blind(void)
Definition: tests.c:5663
run_secp256k1_memczero_test
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7526
run_fe_mul
static void run_fe_mul(void)
Definition: tests.c:3300
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6882
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3394
run_rfc6979_hmac_sha256_tests
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:809
modinv2p64
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:883
expect
#define expect(bit)
Definition: univalue_read.cpp:283
Generated on Tue Jun 23 2026 16:59:49 for Bitcoin ABC by doxygen 1.9.4