Bitcoin ABC 0.31.8
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14
15#include <time.h>
16
17#include "secp256k1.c"
18#include "include/secp256k1.h"
20#include "testrand_impl.h"
21#include "util.h"
22
25
26#include "modinv32_impl.h"
27#ifdef SECP256K1_WIDEMUL_INT128
28#include "modinv64_impl.h"
29#endif
30
31static int count = 64;
32static secp256k1_context *ctx = NULL;
33
34static void counting_illegal_callback_fn(const char* str, void* data) {
35 /* Dummy callback function that just counts. */
36 int32_t *p;
37 (void)str;
38 p = data;
39 (*p)++;
40}
41
42static void uncounting_illegal_callback_fn(const char* str, void* data) {
43 /* Dummy callback function that just counts (backwards). */
44 int32_t *p;
45 (void)str;
46 p = data;
47 (*p)--;
48}
49
51 do {
52 unsigned char b32[32];
54 if (secp256k1_fe_set_b32(fe, b32)) {
55 break;
56 }
57 } while(1);
58}
59
61 secp256k1_fe zero;
62 int n = secp256k1_testrand_int(9);
64 if (n == 0) {
65 return;
66 }
67 secp256k1_fe_clear(&zero);
68 secp256k1_fe_negate(&zero, &zero, 0);
69 secp256k1_fe_mul_int(&zero, n - 1);
70 secp256k1_fe_add(fe, &zero);
71#ifdef VERIFY
72 CHECK(fe->magnitude == n);
73#endif
74}
75
77 secp256k1_fe fe;
78 do {
82 break;
83 }
84 } while(1);
85 ge->infinity = 0;
86}
87
89 secp256k1_fe z2, z3;
90 do {
92 if (!secp256k1_fe_is_zero(&gej->z)) {
93 break;
94 }
95 } while(1);
96 secp256k1_fe_sqr(&z2, &gej->z);
97 secp256k1_fe_mul(&z3, &z2, &gej->z);
98 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
99 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
100 gej->infinity = ge->infinity;
101}
102
104 do {
105 unsigned char b32[32];
106 int overflow = 0;
108 secp256k1_scalar_set_b32(num, b32, &overflow);
109 if (overflow || secp256k1_scalar_is_zero(num)) {
110 continue;
111 }
112 break;
113 } while(1);
114}
115
117 do {
118 unsigned char b32[32];
119 int overflow = 0;
121 secp256k1_scalar_set_b32(num, b32, &overflow);
122 if (overflow || secp256k1_scalar_is_zero(num)) {
123 continue;
124 }
125 break;
126 } while(1);
127}
128
129void random_scalar_order_b32(unsigned char *b32) {
132 secp256k1_scalar_get_b32(b32, &num);
133}
134
135void run_context_tests(int use_prealloc) {
136 secp256k1_pubkey pubkey;
137 secp256k1_pubkey zero_pubkey;
139 unsigned char ctmp[32];
140 int32_t ecount;
141 int32_t ecount2;
142 secp256k1_context *none;
143 secp256k1_context *sign;
144 secp256k1_context *vrfy;
145 secp256k1_context *both;
146 void *none_prealloc = NULL;
147 void *sign_prealloc = NULL;
148 void *vrfy_prealloc = NULL;
149 void *both_prealloc = NULL;
150
151 secp256k1_gej pubj;
152 secp256k1_ge pub;
153 secp256k1_scalar msg, key, nonce;
154 secp256k1_scalar sigr, sigs;
155
156 if (use_prealloc) {
161 CHECK(none_prealloc != NULL);
162 CHECK(sign_prealloc != NULL);
163 CHECK(vrfy_prealloc != NULL);
164 CHECK(both_prealloc != NULL);
169 } else {
174 }
175
176 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
177
178 ecount = 0;
179 ecount2 = 10;
182 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
184 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
186
187 /* check if sizes for cloning are consistent */
192
193 /*** clone and destroy all of them to make sure cloning was complete ***/
194 {
195 secp256k1_context *ctx_tmp;
196
197 if (use_prealloc) {
198 /* clone into a non-preallocated context and then again into a new preallocated one. */
199 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
200 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
201 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
202
203 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
205 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
206
207 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
209 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
210
211 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
213 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
214 } else {
215 /* clone into a preallocated context and then again into a new non-preallocated one. */
216 void *prealloc_tmp;
217
218 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
219 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
220 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
221 free(prealloc_tmp);
222
223 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
224 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
225 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
226 free(prealloc_tmp);
227
228 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
229 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
231 free(prealloc_tmp);
232
233 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
234 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
236 free(prealloc_tmp);
237 }
238 }
239
240 /* Verify that the error callback makes it across the clone. */
241 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
243 /* And that it resets back to default. */
244 secp256k1_context_set_error_callback(sign, NULL, NULL);
245 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
246
247 /*** attempt to use them ***/
250 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
251 secp256k1_ge_set_gej(&pub, &pubj);
252
253 /* Verify context-type checking illegal-argument errors. */
254 memset(ctmp, 1, 32);
255 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
256 CHECK(ecount == 1);
257 VG_UNDEF(&pubkey, sizeof(pubkey));
258 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
259 VG_CHECK(&pubkey, sizeof(pubkey));
260 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
261 CHECK(ecount == 2);
262 VG_UNDEF(&sig, sizeof(sig));
263 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
264 VG_CHECK(&sig, sizeof(sig));
265 CHECK(ecount2 == 10);
266 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
267 CHECK(ecount2 == 11);
268 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
269 CHECK(ecount == 2);
270 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
271 CHECK(ecount2 == 12);
272 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
273 CHECK(ecount == 2);
274 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
275 CHECK(ecount2 == 13);
276 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
277 CHECK(ecount == 2);
278 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
279 CHECK(ecount == 2);
280 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
281 CHECK(ecount2 == 14);
282 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
283 CHECK(ecount == 3);
284 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
285 CHECK(ecount == 3);
286 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
287 CHECK(ecount == 3);
288 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
289 CHECK(ecount == 3);
290 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
291 CHECK(ecount2 == 14);
292 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
293 CHECK(ecount2 == 14);
296
297 /* obtain a working nonce */
298 do {
300 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
301
302 /* try signing */
303 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
304 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305
306 /* try verifying */
307 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
308 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
309
310 /* cleanup */
311 if (use_prealloc) {
316 free(none_prealloc);
317 free(sign_prealloc);
318 free(vrfy_prealloc);
319 free(both_prealloc);
320 } else {
325 }
326 /* Defined as no-op. */
329
330}
331
333 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
334
335 int32_t ecount = 0;
336 size_t checkpoint;
337 size_t checkpoint_2;
340 secp256k1_scratch_space local_scratch;
341
342 /* Test public API */
345
346 scratch = secp256k1_scratch_space_create(none, 1000);
347 CHECK(scratch != NULL);
348 CHECK(ecount == 0);
349
350 /* Test internal API */
351 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
352 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
353 CHECK(scratch->alloc_size == 0);
354 CHECK(scratch->alloc_size % ALIGNMENT == 0);
355
356 /* Allocating 500 bytes succeeds */
357 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
358 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
359 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
360 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
361 CHECK(scratch->alloc_size != 0);
362 CHECK(scratch->alloc_size % ALIGNMENT == 0);
363
364 /* Allocating another 501 bytes fails */
365 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
366 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
367 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
368 CHECK(scratch->alloc_size != 0);
369 CHECK(scratch->alloc_size % ALIGNMENT == 0);
370
371 /* ...but it succeeds once we apply the checkpoint to undo it */
372 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
373 CHECK(scratch->alloc_size == 0);
374 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
375 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
376 CHECK(scratch->alloc_size != 0);
377
378 /* try to apply a bad checkpoint */
379 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
380 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
381 CHECK(ecount == 0);
382 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
383 CHECK(ecount == 1);
384 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
385 CHECK(ecount == 2);
386
387 /* try to use badly initialized scratch space */
388 secp256k1_scratch_space_destroy(none, scratch);
389 memset(&local_scratch, 0, sizeof(local_scratch));
390 scratch = &local_scratch;
392 CHECK(ecount == 3);
393 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
394 CHECK(ecount == 4);
395 secp256k1_scratch_space_destroy(none, scratch);
396 CHECK(ecount == 5);
397
398 /* Test that large integers do not wrap around in a bad way */
399 scratch = secp256k1_scratch_space_create(none, 1000);
400 /* Try max allocation with a large number of objects. Only makes sense if
401 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
402 * space. */
403 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
404 /* Try allocating SIZE_MAX to test wrap around which only happens if
405 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
406 * space is too small. */
407 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
408 secp256k1_scratch_space_destroy(none, scratch);
409
410 /* cleanup */
411 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
413}
414
415void run_ctz_tests(void) {
416 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
417 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
418 int shift;
419 unsigned i;
420 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
421 for (shift = 0; shift < 32; ++shift) {
422 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
423 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
424 }
425 }
426 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
427 for (shift = 0; shift < 64; ++shift) {
428 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
429 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
430 }
431 }
432}
433
434/***** HASH TESTS *****/
435
437 static const char *inputs[8] = {
438 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
439 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
440 "For this sample, this 63-byte string will be used as input data",
441 "This is exactly 64 bytes long, not counting the terminating byte"
442 };
443 static const unsigned char outputs[8][32] = {
444 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
445 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
446 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
447 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
448 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
449 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
450 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
451 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
452 };
453 int i;
454 for (i = 0; i < 8; i++) {
455 unsigned char out[32];
456 secp256k1_sha256 hasher;
458 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
459 secp256k1_sha256_finalize(&hasher, out);
460 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
461 if (strlen(inputs[i]) > 0) {
462 int split = secp256k1_testrand_int(strlen(inputs[i]));
464 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
465 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
466 secp256k1_sha256_finalize(&hasher, out);
467 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
468 }
469 }
470}
471
473 static const char *keys[6] = {
474 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
475 "\x4a\x65\x66\x65",
476 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
477 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
478 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
479 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
480 };
481 static const char *inputs[6] = {
482 "\x48\x69\x20\x54\x68\x65\x72\x65",
483 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
484 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
485 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
486 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
487 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
488 };
489 static const unsigned char outputs[6][32] = {
490 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
491 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
492 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
493 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
494 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
495 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
496 };
497 int i;
498 for (i = 0; i < 6; i++) {
500 unsigned char out[32];
501 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
502 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
503 secp256k1_hmac_sha256_finalize(&hasher, out);
504 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
505 if (strlen(inputs[i]) > 0) {
506 int split = secp256k1_testrand_int(strlen(inputs[i]));
507 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
508 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
509 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
510 secp256k1_hmac_sha256_finalize(&hasher, out);
511 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
512 }
513 }
514}
515
517 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
518 static const unsigned char out1[3][32] = {
519 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
520 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
521 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
522 };
523
524 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
525 static const unsigned char out2[3][32] = {
526 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
527 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
528 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
529 };
530
532 unsigned char out[32];
533 int i;
534
536 for (i = 0; i < 3; i++) {
538 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
539 }
541
543 for (i = 0; i < 3; i++) {
545 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
546 }
548
550 for (i = 0; i < 3; i++) {
552 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
553 }
555}
556
558 int ecount = 0;
560 unsigned char tag[32] = { 0 };
561 unsigned char msg[32] = { 0 };
562 unsigned char hash32[32];
563 unsigned char hash_expected[32] = {
564 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
565 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
566 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
567 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
568 };
569
571
572 /* API test */
573 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
574 CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
575 CHECK(ecount == 1);
576 CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
577 CHECK(ecount == 2);
578 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
579 CHECK(ecount == 3);
580
581 /* Static test vector */
582 memcpy(tag, "tag", 3);
583 memcpy(msg, "msg", 3);
584 CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
585 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
587}
588
589/***** RANDOM TESTS *****/
590
591void test_rand_bits(int rand32, int bits) {
592 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
593 * get a false negative chance below once in a billion */
594 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
595 /* We try multiplying the results with various odd numbers, which shouldn't
596 * influence the uniform distribution modulo a power of 2. */
597 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
598 /* We only select up to 6 bits from the output to analyse */
599 unsigned int usebits = bits > 6 ? 6 : bits;
600 unsigned int maxshift = bits - usebits;
601 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
602 number, track all observed outcomes, one per bit in a uint64_t. */
603 uint64_t x[6][27] = {{0}};
604 unsigned int i, shift, m;
605 /* Multiply the output of all rand calls with the odd number m, which
606 should not change the uniformity of its distribution. */
607 for (i = 0; i < rounds[usebits]; i++) {
608 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
609 CHECK((((uint64_t)r) >> bits) == 0);
610 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
611 uint32_t rm = r * mults[m];
612 for (shift = 0; shift <= maxshift; shift++) {
613 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
614 }
615 }
616 }
617 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
618 for (shift = 0; shift <= maxshift; shift++) {
619 /* Test that the lower usebits bits of x[shift] are 1 */
620 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
621 }
622 }
623}
624
625/* Subrange must be a whole divisor of range, and at most 64 */
626void test_rand_int(uint32_t range, uint32_t subrange) {
627 /* (1-1/subrange)^rounds < 1/10^9 */
628 int rounds = (subrange * 2073) / 100;
629 int i;
630 uint64_t x = 0;
631 CHECK((range % subrange) == 0);
632 for (i = 0; i < rounds; i++) {
633 uint32_t r = secp256k1_testrand_int(range);
634 CHECK(r < range);
635 r = r % subrange;
636 x |= (((uint64_t)1) << r);
637 }
638 /* Test that the lower subrange bits of x are 1. */
639 CHECK(((~x) << (64 - subrange)) == 0);
640}
641
642void run_rand_bits(void) {
643 size_t b;
644 test_rand_bits(1, 32);
645 for (b = 1; b <= 32; b++) {
646 test_rand_bits(0, b);
647 }
648}
649
650void run_rand_int(void) {
651 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
652 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
653 unsigned int m, s;
654 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
655 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
656 test_rand_int(ms[m] * ss[s], ss[s]);
657 }
658 }
659}
660
661/***** MODINV TESTS *****/
662
663/* Compute the modular inverse of (odd) x mod 2^64. */
664uint64_t modinv2p64(uint64_t x) {
665 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
666 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
667 * why. Start with L=0, for which it is true for every odd x that
668 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
669 int l;
670 uint64_t w = 1;
671 CHECK(x & 1);
672 for (l = 0; l < 6; ++l) w *= (2 - w*x);
673 return w;
674}
675
676/* compute out = (a*b) mod m; if b=NULL, treat b=1.
677 *
678 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
679 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
680void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
681 uint16_t mul[32];
682 uint64_t c = 0;
683 int i, j;
684 int m_bitlen = 0;
685 int mul_bitlen = 0;
686
687 if (b != NULL) {
688 /* Compute the product of a and b, and put it in mul. */
689 for (i = 0; i < 32; ++i) {
690 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
691 c += (uint64_t)a[j] * b[i - j];
692 }
693 mul[i] = c & 0xFFFF;
694 c >>= 16;
695 }
696 CHECK(c == 0);
697
698 /* compute the highest set bit in mul */
699 for (i = 511; i >= 0; --i) {
700 if ((mul[i >> 4] >> (i & 15)) & 1) {
701 mul_bitlen = i;
702 break;
703 }
704 }
705 } else {
706 /* if b==NULL, set mul=a. */
707 memcpy(mul, a, 32);
708 memset(mul + 16, 0, 32);
709 /* compute the highest set bit in mul */
710 for (i = 255; i >= 0; --i) {
711 if ((mul[i >> 4] >> (i & 15)) & 1) {
712 mul_bitlen = i;
713 break;
714 }
715 }
716 }
717
718 /* Compute the highest set bit in m. */
719 for (i = 255; i >= 0; --i) {
720 if ((m[i >> 4] >> (i & 15)) & 1) {
721 m_bitlen = i;
722 break;
723 }
724 }
725
726 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
727 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
728 uint16_t mul2[32];
729 int64_t cs;
730
731 /* Compute mul2 = mul - m<<i. */
732 cs = 0; /* accumulator */
733 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
734 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
735 uint16_t sub = 0;
736 int p;
737 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
738 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
739 if (bitpos >= 0 && bitpos < 256) {
740 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
741 }
742 }
743 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
744 cs += mul[j];
745 cs -= sub;
746 mul2[j] = (cs & 0xFFFF);
747 cs >>= 16;
748 }
749 /* If remainder of subtraction is 0, set mul = mul2. */
750 if (cs == 0) {
751 memcpy(mul, mul2, sizeof(mul));
752 }
753 }
754 /* Sanity check: test that all limbs higher than m's highest are zero */
755 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
756 CHECK(mul[i] == 0);
757 }
758 memcpy(out, mul, 32);
759}
760
761/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
762void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
763 int i;
764 memset(out->v, 0, sizeof(out->v));
765 for (i = 0; i < 256; ++i) {
766 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
767 }
768}
769
770/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
771void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
772 int i;
773 memset(out, 0, 32);
774 for (i = 0; i < 256; ++i) {
775 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
776 }
777}
778
779/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
781 int i;
782 for (i = 0; i < 16; ++i) {
783 int pos = secp256k1_testrand_int(8);
784 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
785 x->v[pos] -= 0x40000000;
786 x->v[pos + 1] += 1;
787 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
788 x->v[pos] += 0x40000000;
789 x->v[pos + 1] -= 1;
790 }
791 }
792}
793
794/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
795void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
796 uint16_t tmp[16];
799 int i, vartime, nonzero;
800
801 uint16_to_signed30(&x, in);
802 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
805
806 /* compute 1/modulus mod 2^30 */
807 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
808 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
809
810 for (vartime = 0; vartime < 2; ++vartime) {
811 /* compute inverse */
812 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
813
814 /* produce output */
815 signed30_to_uint16(out, &x);
816
817 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
818 mulmod256(tmp, out, in, mod);
819 CHECK(tmp[0] == nonzero);
820 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
821
822 /* invert again */
823 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
824
825 /* check if the result is equal to the input */
826 signed30_to_uint16(tmp, &x);
827 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
828 }
829}
830
831#ifdef SECP256K1_WIDEMUL_INT128
832/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
833void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
834 int i;
835 memset(out->v, 0, sizeof(out->v));
836 for (i = 0; i < 256; ++i) {
837 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
838 }
839}
840
841/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
842void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
843 int i;
844 memset(out, 0, 32);
845 for (i = 0; i < 256; ++i) {
846 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
847 }
848}
849
850/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
851void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
852 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
853 int i;
854 for (i = 0; i < 8; ++i) {
855 int pos = secp256k1_testrand_int(4);
856 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
857 x->v[pos] -= (M62 + 1);
858 x->v[pos + 1] += 1;
859 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
860 x->v[pos] += (M62 + 1);
861 x->v[pos + 1] -= 1;
862 }
863 }
864}
865
866/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
867void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
868 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
869 uint16_t tmp[16];
872 int i, vartime, nonzero;
873
874 uint16_to_signed62(&x, in);
875 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
876 uint16_to_signed62(&m.modulus, mod);
877 mutate_sign_signed62(&m.modulus);
878
879 /* compute 1/modulus mod 2^62 */
880 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
881 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
882
883 for (vartime = 0; vartime < 2; ++vartime) {
884 /* compute inverse */
885 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
886
887 /* produce output */
888 signed62_to_uint16(out, &x);
889
890 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
891 mulmod256(tmp, out, in, mod);
892 CHECK(tmp[0] == nonzero);
893 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
894
895 /* invert again */
896 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
897
898 /* check if the result is equal to the input */
899 signed62_to_uint16(tmp, &x);
900 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
901 }
902}
903#endif
904
905/* test if a and b are coprime */
906int coprime(const uint16_t* a, const uint16_t* b) {
907 uint16_t x[16], y[16], t[16];
908 int i;
909 int iszero;
910 memcpy(x, a, 32);
911 memcpy(y, b, 32);
912
913 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
914 while (1) {
915 iszero = 1;
916 for (i = 0; i < 16; ++i) {
917 if (x[i] != 0) {
918 iszero = 0;
919 break;
920 }
921 }
922 if (iszero) break;
923 mulmod256(t, y, NULL, x);
924 memcpy(y, x, 32);
925 memcpy(x, t, 32);
926 }
927
928 /* return whether y=1 */
929 if (y[0] != 1) return 0;
930 for (i = 1; i < 16; ++i) {
931 if (y[i] != 0) return 0;
932 }
933 return 1;
934}
935
937 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
938 static const uint16_t CASES[][3][16] = {
939 /* Test cases triggering edge cases in divsteps */
940
941 /* Test case known to need 713 divsteps */
942 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
943 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
944 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
945 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
946 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
947 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
948 /* Test case known to need 589 divsteps, reaching delta=-140 and
949 delta=141. */
950 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
951 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
952 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
953 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
954 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
955 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
956 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
957 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
958 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
959 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
960 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
961 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
962 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
963 /* example needing 713 divsteps; delta=-2..3 */
964 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
965 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
966 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
967 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
968 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
969 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
970 /* example needing 713 divsteps; delta=-2..3 */
971 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
972 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
973 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
974 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
975 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
976 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
977 /* example needing 713 divsteps; delta=-2..3 */
978 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
979 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
980 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
981 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
982 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
983 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
984 /* example reaching delta=-64..65; 661 divsteps */
985 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
986 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
987 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
988 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
989 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
990 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
991 /* example reaching delta=-64..65; 661 divsteps */
992 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
993 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
994 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
995 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
996 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
997 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
998 /* example reaching delta=-64..65; 661 divsteps */
999 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1000 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1001 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1002 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1003 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1004 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1005 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1006 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1007 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1008 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1009 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1010 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1011 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1012 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1013 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1014 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1015 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1016 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1017 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1018 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1019 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1020 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1021 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1022 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1023 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1024 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1025 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1026 /* example doing 446 (f,g/2) steps; 523 divsteps */
1027 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1028 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1029 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1030 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1031 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1032 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1033 /* example doing 446 (f,g/2) steps; 523 divsteps */
1034 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1035 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1036 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1037 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1038 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1039 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1040 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1041 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1042 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1043 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1044 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1045 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1046 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1047 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1048 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1049 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1050 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1051 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1052 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1053 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1054 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1055 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1056 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1057 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1058 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1059 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1060 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1061 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1062 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1063 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1064 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1065 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1066 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1067 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1068
1069 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1070
1071 /* example needing 590 divsteps; delta=-5/2..7/2 */
1072 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1073 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1074 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1075 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1076 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1077 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1078 /* example needing 590 divsteps; delta=-3/2..5/2 */
1079 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1080 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1081 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1082 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1083 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1084 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1085 /* example needing 590 divsteps; delta=-3/2..5/2 */
1086 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1087 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1088 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1089 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1090 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1091 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1092 /* example needing 590 divsteps; delta=-5/2..7/2 */
1093 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1094 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1095 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1096 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1097 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1098 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1099 /* example needing 590 divsteps; delta=-3/2..5/2 */
1100 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1101 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1102 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1103 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1104 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1105 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1106 /* example reaching delta=-127/2..129/2; 571 divsteps */
1107 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1108 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1109 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1110 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1111 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1112 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1113 /* example reaching delta=-127/2..129/2; 571 divsteps */
1114 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1115 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1116 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1117 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1118 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1119 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1120 /* example reaching delta=-127/2..129/2; 571 divsteps */
1121 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1122 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1123 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1124 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1125 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1126 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1127 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1128 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1129 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1130 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1131 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1132 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1133 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1134 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1135 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1136 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1137 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1138 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1139 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1140 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1141 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1142 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1143 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1144 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1145 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1146 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1147 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1148 /* example doing 453 (f,g/2) steps; 514 divsteps */
1149 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1150 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1151 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1152 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1153 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1154 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1155 /* example doing 453 (f,g/2) steps; 514 divsteps */
1156 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1157 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1158 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1159 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1160 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1161 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1162 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1163 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1164 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1165 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1166 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1167 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1168 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1169 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1170 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1171 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1172 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1173 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1174 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1175 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1176 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1177 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1178 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1179 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1180 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1181 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1182 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1183 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1184 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1185 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1186 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1187 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1188 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1189 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1190
1191 /* Test cases with the group order as modulus. */
1192
1193 /* Test case with the group order as modulus, needing 635 divsteps. */
1194 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1195 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1196 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1197 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1198 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1199 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1200 /* example with group size as modulus needing 631 divsteps */
1201 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1202 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1203 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1204 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1205 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1206 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1207 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1208 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1209 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1210 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1211 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1212 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1213 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1214 /* Test case with the group size as modulus, needing 981 divsteps with
1215 broken eta handling. */
1216 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1217 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1218 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1219 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1220 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1221 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1222 /* Test case with the group size as modulus, input = 0. */
1223 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1224 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1225 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1226 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1227 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1228 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1229 /* Test case with the group size as modulus, input = 1. */
1230 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1231 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1232 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1233 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1234 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1235 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1236 /* Test case with the group size as modulus, input = 2. */
1237 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1238 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1239 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1240 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1241 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1242 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1243 /* Test case with the group size as modulus, input = group - 1. */
1244 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1245 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1246 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1247 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1248 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1249 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1250
1251 /* Test cases with the field size as modulus. */
1252
1253 /* Test case with the field size as modulus, needing 637 divsteps. */
1254 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1255 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1256 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1257 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1258 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1259 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1260 /* example with field size as modulus needing 637 divsteps */
1261 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1262 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1263 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1264 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1265 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1266 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1267 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1268 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1269 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1270 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1271 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1272 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1273 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1274 /* Test case with the field size as modulus, needing 935 divsteps with
1275 broken eta handling. */
1276 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1277 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1278 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1279 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1280 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1281 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1282 /* Test case with the field size as modulus, input = 0. */
1283 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1284 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1285 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1286 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1287 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1288 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1289 /* Test case with the field size as modulus, input = 1. */
1290 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1291 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1292 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1293 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1294 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1295 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1296 /* Test case with the field size as modulus, input = 2. */
1297 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1298 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1299 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1300 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1301 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1302 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1303 /* Test case with the field size as modulus, input = field - 1. */
1304 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1305 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1306 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1307 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1308 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1309 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1310
1311 /* Selected from a large number of random inputs to reach small/large
1312 * d/e values in various configurations. */
1313 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1314 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1315 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1316 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1317 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1318 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1319 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1320 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1321 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1322 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1323 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1324 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1325 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1326 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1327 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1328 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1329 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1330 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1331 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1332 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1333 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1334 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1335 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1336 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1337 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1338 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1339 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1340 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1341 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1342 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1343 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1344 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1345 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1346 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1347 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1348 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1349 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1350 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1351 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1352 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1353 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1354 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1355 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1356 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1357 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1358 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1359 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1360 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1361 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1362 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1363 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1364 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1365 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1366 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1367 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1368 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1369 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1370 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1371 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1372 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1373 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1374 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1375 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1376 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1377 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1378 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1379 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1380 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1381 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1382 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1383 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1384 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1385 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1386 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1387 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1388 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1389 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1390 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1391 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1392 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1393 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1394 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1395 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1396 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1397 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1398 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1399 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1400 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1401 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1402 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1403 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1404 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1405 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1406 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1407 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1408 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1409 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1410 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1411 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1412 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1413 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1414 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1415 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1416 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1417 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1418 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1419 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1420 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1421 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1422 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1423 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1424 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1425 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1426 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1427 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1428 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1429 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1430 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1431 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1432 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1433 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1434 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1435 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1436 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1437 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1438 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1439 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1440 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1441 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1442 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1443 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1444 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1445 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1446 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1447 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1448 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1449 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1450 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1451 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1452 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1453 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1454 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1455 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1456 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1457 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1458 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1459 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1460 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1461 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1462 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1463 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1464 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1465 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1466 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1467 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1468 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1469 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1470 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1471 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1472 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1473 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1474 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1475 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1476 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1477 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1478 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1479 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1480 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1481 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1482 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1483 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1484 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1485 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1486 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1487 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1488 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1489 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1490 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1491 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1492 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1493 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1494 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1495 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1496 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1497 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1498 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1499 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1500 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1501 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1502 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1503 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1504 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1505 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1506 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1507 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1508 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1509 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1510 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1511 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1512 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1513 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1514 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1515 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1516 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1517 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1518 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1519 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1520 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1521 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1522 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1523 };
1524
1525 int i, j, ok;
1526
1527 /* Test known inputs/outputs */
1528 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1529 uint16_t out[16];
1530 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1531 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1532#ifdef SECP256K1_WIDEMUL_INT128
1533 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1534 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1535#endif
1536 }
1537
1538 for (i = 0; i < 100 * count; ++i) {
1539 /* 256-bit numbers in 16-uint16_t's notation */
1540 static const uint16_t ZERO[16] = {0};
1541 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1542 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1543 uint16_t id[16]; /* the inverse of xd mod md */
1544
1545 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1546 do {
1547 /* generate random xd and md (with many subsequent 0s and 1s) */
1548 secp256k1_testrand256_test((unsigned char*)xd);
1549 secp256k1_testrand256_test((unsigned char*)md);
1550 md[0] |= 1; /* modulus must be odd */
1551 /* If modulus is 1, find another one. */
1552 ok = md[0] != 1;
1553 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1554 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1555 } while (!(ok && coprime(xd, md)));
1556
1557 test_modinv32_uint16(id, xd, md);
1558#ifdef SECP256K1_WIDEMUL_INT128
1559 test_modinv64_uint16(id, xd, md);
1560#endif
1561
1562 /* In a few cases, also test with input=0 */
1563 if (i < count) {
1564 test_modinv32_uint16(id, ZERO, md);
1565#ifdef SECP256K1_WIDEMUL_INT128
1566 test_modinv64_uint16(id, ZERO, md);
1567#endif
1568 }
1569 }
1570}
1571
1572/***** SCALAR TESTS *****/
1573
1574
1575void scalar_test(void) {
1579 unsigned char c[32];
1580
1581 /* Set 's' to a random scalar, with value 'snum'. */
1583
1584 /* Set 's1' to a random scalar, with value 's1num'. */
1586
1587 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1590
1591 {
1592 int i;
1593 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1596 for (i = 0; i < 256; i += 4) {
1598 int j;
1599 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1600 for (j = 0; j < 4; j++) {
1601 secp256k1_scalar_add(&n, &n, &n);
1602 }
1603 secp256k1_scalar_add(&n, &n, &t);
1604 }
1605 CHECK(secp256k1_scalar_eq(&n, &s));
1606 }
1607
1608 {
1609 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1611 int i = 0;
1613 while (i < 256) {
1615 int j;
1616 int now = secp256k1_testrand_int(15) + 1;
1617 if (now + i > 256) {
1618 now = 256 - i;
1619 }
1620 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1621 for (j = 0; j < now; j++) {
1622 secp256k1_scalar_add(&n, &n, &n);
1623 }
1624 secp256k1_scalar_add(&n, &n, &t);
1625 i += now;
1626 }
1627 CHECK(secp256k1_scalar_eq(&n, &s));
1628 }
1629
1630 {
1631 /* test secp256k1_scalar_shr_int */
1633 int i;
1635 for (i = 0; i < 100; ++i) {
1636 int low;
1637 int shift = 1 + secp256k1_testrand_int(15);
1638 int expected = r.d[0] % (1 << shift);
1639 low = secp256k1_scalar_shr_int(&r, shift);
1640 CHECK(expected == low);
1641 }
1642 }
1643
1644 {
1645 /* Test commutativity of add. */
1646 secp256k1_scalar r1, r2;
1647 secp256k1_scalar_add(&r1, &s1, &s2);
1648 secp256k1_scalar_add(&r2, &s2, &s1);
1649 CHECK(secp256k1_scalar_eq(&r1, &r2));
1650 }
1651
1652 {
1653 secp256k1_scalar r1, r2;
1655 int i;
1656 /* Test add_bit. */
1657 int bit = secp256k1_testrand_bits(8);
1660 for (i = 0; i < bit; i++) {
1661 secp256k1_scalar_add(&b, &b, &b);
1662 }
1663 r1 = s1;
1664 r2 = s1;
1665 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1666 /* No overflow happened. */
1667 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1668 CHECK(secp256k1_scalar_eq(&r1, &r2));
1669 /* cadd is a noop when flag is zero */
1670 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1671 CHECK(secp256k1_scalar_eq(&r1, &r2));
1672 }
1673 }
1674
1675 {
1676 /* Test commutativity of mul. */
1677 secp256k1_scalar r1, r2;
1678 secp256k1_scalar_mul(&r1, &s1, &s2);
1679 secp256k1_scalar_mul(&r2, &s2, &s1);
1680 CHECK(secp256k1_scalar_eq(&r1, &r2));
1681 }
1682
1683 {
1684 /* Test associativity of add. */
1685 secp256k1_scalar r1, r2;
1686 secp256k1_scalar_add(&r1, &s1, &s2);
1687 secp256k1_scalar_add(&r1, &r1, &s);
1688 secp256k1_scalar_add(&r2, &s2, &s);
1689 secp256k1_scalar_add(&r2, &s1, &r2);
1690 CHECK(secp256k1_scalar_eq(&r1, &r2));
1691 }
1692
1693 {
1694 /* Test associativity of mul. */
1695 secp256k1_scalar r1, r2;
1696 secp256k1_scalar_mul(&r1, &s1, &s2);
1697 secp256k1_scalar_mul(&r1, &r1, &s);
1698 secp256k1_scalar_mul(&r2, &s2, &s);
1699 secp256k1_scalar_mul(&r2, &s1, &r2);
1700 CHECK(secp256k1_scalar_eq(&r1, &r2));
1701 }
1702
1703 {
1704 /* Test distributitivity of mul over add. */
1705 secp256k1_scalar r1, r2, t;
1706 secp256k1_scalar_add(&r1, &s1, &s2);
1707 secp256k1_scalar_mul(&r1, &r1, &s);
1708 secp256k1_scalar_mul(&r2, &s1, &s);
1709 secp256k1_scalar_mul(&t, &s2, &s);
1710 secp256k1_scalar_add(&r2, &r2, &t);
1711 CHECK(secp256k1_scalar_eq(&r1, &r2));
1712 }
1713
1714 {
1715 /* Test multiplicative identity. */
1716 secp256k1_scalar r1, v1;
1718 secp256k1_scalar_mul(&r1, &s1, &v1);
1719 CHECK(secp256k1_scalar_eq(&r1, &s1));
1720 }
1721
1722 {
1723 /* Test additive identity. */
1724 secp256k1_scalar r1, v0;
1726 secp256k1_scalar_add(&r1, &s1, &v0);
1727 CHECK(secp256k1_scalar_eq(&r1, &s1));
1728 }
1729
1730 {
1731 /* Test zero product property. */
1732 secp256k1_scalar r1, v0;
1734 secp256k1_scalar_mul(&r1, &s1, &v0);
1735 CHECK(secp256k1_scalar_eq(&r1, &v0));
1736 }
1737
1738}
1739
1741 unsigned char b32[32];
1744
1745 /* Usually set_b32 and set_b32_seckey give the same result */
1747 secp256k1_scalar_set_b32(&s1, b32, NULL);
1748 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1749 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1750
1751 memset(b32, 0, sizeof(b32));
1752 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1753 memset(b32, 0xFF, sizeof(b32));
1754 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1755}
1756
1758 int i;
1759 for (i = 0; i < 128 * count; i++) {
1760 scalar_test();
1761 }
1762 for (i = 0; i < count; i++) {
1764 }
1765
1766 {
1767 /* (-1)+1 should be zero. */
1768 secp256k1_scalar s, o;
1772 secp256k1_scalar_add(&o, &o, &s);
1776 }
1777
1778 {
1779 /* Does check_overflow check catch all ones? */
1780 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1781 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1782 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1783 );
1785 }
1786
1787 {
1788 /* Static test vectors.
1789 * These were reduced from ~10^12 random vectors based on comparison-decision
1790 * and edge-case coverage on 32-bit and 64-bit implementations.
1791 * The responses were generated with Sage 5.9.
1792 */
1797 secp256k1_scalar one;
1800 secp256k1_scalar zzv;
1801 int overflow;
1802 unsigned char chal[33][2][32] = {
1803 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1804 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1805 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1806 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1807 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1809 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1810 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1811 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1812 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1813 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1814 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1815 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1817 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1818 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1819 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1820 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1821 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1822 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1823 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1824 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1825 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1826 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1827 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1828 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1829 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1830 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1831 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1832 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1833 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1834 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1835 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1836 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1837 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1838 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1839 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1840 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1841 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1842 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1843 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1844 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1845 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1846 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1847 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1848 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1849 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1850 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1851 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1852 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1853 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1854 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1855 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1856 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1857 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1858 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1859 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1860 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1861 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1862 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1863 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1864 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1865 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1866 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1867 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1868 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1869 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1870 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1871 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1872 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1873 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1874 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1875 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1877 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1878 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1879 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1880 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1881 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1882 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1883 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1884 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1885 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1886 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1887 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1890 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1891 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1892 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1893 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1894 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1895 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1896 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1897 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1899 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1900 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1902 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1903 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1904 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1905 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1906 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1907 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1908 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1909 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1910 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1911 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1912 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1913 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1915 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1916 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1918 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1919 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1920 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1921 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1922 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1923 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1924 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1925 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1926 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1927 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1928 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1929 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1930 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1931 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1932 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1933 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1934 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1935 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1936 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1937 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1939 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1940 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1941 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1942 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1943 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1944 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1945 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1946 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1947 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1948 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1949 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1950 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1951 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1952 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1953 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1954 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1955 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1956 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1957 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1958 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1959 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1960 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1961 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1962 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1963 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1964 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1965 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1966 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1967 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1968 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1969 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1970 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1971 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1972 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1973 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1975 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1976 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1977 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1978 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1979 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1980 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1981 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1982 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1983 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1984 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1985 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1986 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1987 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1988 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1989 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1990 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1991 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1992 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1993 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1994 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1995 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1996 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1997 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1998 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1999 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2000 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2001 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2003 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2004 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2005 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2006 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2007 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2008 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2009 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2010 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2011 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2012 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2013 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2014 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2015 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2016 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2017 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2018 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2019 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2020 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2021 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2022 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2023 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2024 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2026 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2027 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2028 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2029 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2030 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2031 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2033 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2034 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2035 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2036 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2037 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2038 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2039 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2040 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2041 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2042 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2043 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2044 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2045 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2046 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2047 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2048 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2049 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2050 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2051 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2052 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2053 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2054 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2055 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2056 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2057 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2058 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2059 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2060 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2061 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2062 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2063 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2064 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2065 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2066 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2067 };
2068 unsigned char res[33][2][32] = {
2069 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2070 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2071 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2072 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2073 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2074 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2075 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2076 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2077 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2078 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2079 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2080 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2081 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2082 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2083 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2084 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2085 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2086 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2087 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2088 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2089 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2090 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2091 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2092 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2093 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2094 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2095 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2096 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2097 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2098 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2099 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2100 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2101 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2102 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2103 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2104 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2105 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2106 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2107 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2108 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2109 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2110 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2111 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2112 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2113 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2114 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2115 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2116 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2117 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2118 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2119 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2120 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2121 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2122 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2123 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2124 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2125 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2126 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2127 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2128 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2129 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2130 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2131 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2132 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2133 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2134 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2135 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2136 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2137 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2138 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2139 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2140 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2141 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2142 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2143 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2144 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2145 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2146 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2147 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2148 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2149 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2150 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2151 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2152 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2153 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2154 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2155 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2156 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2157 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2158 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2159 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2160 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2161 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2162 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2163 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2164 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2165 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2166 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2167 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2168 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2169 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2170 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2171 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2172 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2173 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2174 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2175 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2176 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2177 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2178 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2179 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2180 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2181 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2182 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2183 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2184 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2185 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2186 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2187 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2188 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2189 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2190 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2191 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2192 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2193 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2194 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2195 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2196 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2197 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2198 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2199 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2200 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2201 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2202 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2203 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2204 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2205 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2206 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2207 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2208 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2209 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2210 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2211 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2212 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2213 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2214 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2215 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2216 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2217 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2218 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2219 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2220 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2221 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2222 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2223 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2224 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2225 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2226 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2227 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2228 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2229 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2233 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2237 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2241 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2245 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2246 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2247 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2248 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2249 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2250 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2251 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2252 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2253 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2254 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2255 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2256 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2257 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2258 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2259 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2260 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2261 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2263 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2264 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2265 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2266 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2267 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2268 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2269 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2271 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2272 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2273 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2277 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2278 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2279 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2280 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2281 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2282 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2283 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2284 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2285 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2286 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2287 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2288 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2289 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2290 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2291 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2292 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2293 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2294 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2295 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2296 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2297 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2298 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2299 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2300 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2301 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2302 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2303 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2304 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2305 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2306 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2307 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2308 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2309 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2310 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2311 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2312 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2313 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2314 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2315 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2316 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2317 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2318 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2319 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2320 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2321 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2322 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2323 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2324 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2325 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2326 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2327 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2328 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2329 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2330 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2331 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2332 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2333 };
2334 secp256k1_scalar_set_int(&one, 1);
2335 for (i = 0; i < 33; i++) {
2336 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2337 CHECK(!overflow);
2338 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2339 CHECK(!overflow);
2340 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2341 CHECK(!overflow);
2342 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2343 CHECK(!overflow);
2344 secp256k1_scalar_mul(&z, &x, &y);
2346 CHECK(secp256k1_scalar_eq(&r1, &z));
2347 if (!secp256k1_scalar_is_zero(&y)) {
2348 secp256k1_scalar_inverse(&zz, &y);
2351 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2352 secp256k1_scalar_mul(&z, &z, &zz);
2354 CHECK(secp256k1_scalar_eq(&x, &z));
2355 secp256k1_scalar_mul(&zz, &zz, &y);
2357 CHECK(secp256k1_scalar_eq(&one, &zz));
2358 }
2359 }
2360 }
2361}
2362
2363/***** FIELD TESTS *****/
2364
2366 unsigned char bin[32];
2367 do {
2369 if (secp256k1_fe_set_b32(x, bin)) {
2370 return;
2371 }
2372 } while(1);
2373}
2374
2376 unsigned char bin[32];
2377 do {
2379 if (secp256k1_fe_set_b32(x, bin)) {
2380 return;
2381 }
2382 } while(1);
2383}
2384
2386 int tries = 10;
2387 while (--tries >= 0) {
2388 random_fe(nz);
2390 if (!secp256k1_fe_is_zero(nz)) {
2391 break;
2392 }
2393 }
2394 /* Infinitesimal probability of spurious failure here */
2395 CHECK(tries >= 0);
2396}
2397
2399 secp256k1_fe r;
2401 if (secp256k1_fe_sqrt(&r, ns)) {
2402 secp256k1_fe_negate(ns, ns, 1);
2403 }
2404}
2405
2407 secp256k1_fe an = *a;
2408 secp256k1_fe bn = *b;
2411 return secp256k1_fe_equal_var(&an, &bn);
2412}
2413
2415 static const unsigned char b32[32] = {
2416 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2417 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2418 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2419 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2420 };
2422 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2423 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2424 );
2425 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2426 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2427 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2428 );
2429 secp256k1_fe fe2;
2430 unsigned char b322[32];
2432 /* Check conversions to fe. */
2433 CHECK(secp256k1_fe_set_b32(&fe2, b32));
2434 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2435 secp256k1_fe_from_storage(&fe2, &fes);
2436 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2437 /* Check conversion from fe. */
2438 secp256k1_fe_get_b32(b322, &fe);
2439 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2440 secp256k1_fe_to_storage(&fes2, &fe);
2441 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2442}
2443
2445 secp256k1_fe t = *b;
2446#ifdef VERIFY
2447 t.magnitude = a->magnitude;
2448 t.normalized = a->normalized;
2449#endif
2450 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
2451}
2452
2453void run_field_misc(void) {
2454 secp256k1_fe x;
2455 secp256k1_fe y;
2456 secp256k1_fe z;
2457 secp256k1_fe q;
2458 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2459 int i, j;
2460 for (i = 0; i < 5*count; i++) {
2461 secp256k1_fe_storage xs, ys, zs;
2462 random_fe(&x);
2464 /* Test the fe equality and comparison operations. */
2465 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2467 z = x;
2468 secp256k1_fe_add(&z,&y);
2469 /* Test fe conditional move; z is not normalized here. */
2470 q = x;
2471 secp256k1_fe_cmov(&x, &z, 0);
2472#ifdef VERIFY
2473 CHECK(x.normalized && x.magnitude == 1);
2474#endif
2475 secp256k1_fe_cmov(&x, &x, 1);
2476 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
2477 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
2478 secp256k1_fe_cmov(&q, &z, 1);
2479#ifdef VERIFY
2480 CHECK(!q.normalized && q.magnitude == z.magnitude);
2481#endif
2482 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
2485 CHECK(!secp256k1_fe_equal_var(&x, &z));
2487 secp256k1_fe_cmov(&q, &z, (i&1));
2488#ifdef VERIFY
2489 CHECK(q.normalized && q.magnitude == 1);
2490#endif
2491 for (j = 0; j < 6; j++) {
2492 secp256k1_fe_negate(&z, &z, j+1);
2494 secp256k1_fe_cmov(&q, &z, (j&1));
2495#ifdef VERIFY
2496 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2497#endif
2498 }
2500 /* Test storage conversion and conditional moves. */
2501 secp256k1_fe_to_storage(&xs, &x);
2502 secp256k1_fe_to_storage(&ys, &y);
2503 secp256k1_fe_to_storage(&zs, &z);
2504 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2505 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2506 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2507 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2508 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2512 /* Test that mul_int, mul, and add agree. */
2513 secp256k1_fe_add(&y, &x);
2514 secp256k1_fe_add(&y, &x);
2515 z = x;
2516 secp256k1_fe_mul_int(&z, 3);
2517 CHECK(check_fe_equal(&y, &z));
2518 secp256k1_fe_add(&y, &x);
2519 secp256k1_fe_add(&z, &x);
2520 CHECK(check_fe_equal(&z, &y));
2521 z = x;
2522 secp256k1_fe_mul_int(&z, 5);
2523 secp256k1_fe_mul(&q, &x, &fe5);
2524 CHECK(check_fe_equal(&z, &q));
2525 secp256k1_fe_negate(&x, &x, 1);
2526 secp256k1_fe_add(&z, &x);
2527 secp256k1_fe_add(&q, &x);
2528 CHECK(check_fe_equal(&y, &z));
2529 CHECK(check_fe_equal(&q, &y));
2530 }
2531}
2532
2533void run_sqr(void) {
2534 secp256k1_fe x, s;
2535
2536 {
2537 int i;
2538 secp256k1_fe_set_int(&x, 1);
2539 secp256k1_fe_negate(&x, &x, 1);
2540
2541 for (i = 1; i <= 512; ++i) {
2542 secp256k1_fe_mul_int(&x, 2);
2544 secp256k1_fe_sqr(&s, &x);
2545 }
2546 }
2547}
2548
2549void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2550 secp256k1_fe r1, r2;
2551 int v = secp256k1_fe_sqrt(&r1, a);
2552 CHECK((v == 0) == (k == NULL));
2553
2554 if (k != NULL) {
2555 /* Check that the returned root is +/- the given known answer */
2556 secp256k1_fe_negate(&r2, &r1, 1);
2557 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2560 }
2561}
2562
2563void run_sqrt(void) {
2564 secp256k1_fe ns, x, s, t;
2565 int i;
2566
2567 /* Check sqrt(0) is 0 */
2568 secp256k1_fe_set_int(&x, 0);
2569 secp256k1_fe_sqr(&s, &x);
2570 test_sqrt(&s, &x);
2571
2572 /* Check sqrt of small squares (and their negatives) */
2573 for (i = 1; i <= 100; i++) {
2574 secp256k1_fe_set_int(&x, i);
2575 secp256k1_fe_sqr(&s, &x);
2576 test_sqrt(&s, &x);
2577 secp256k1_fe_negate(&t, &s, 1);
2578 test_sqrt(&t, NULL);
2579 }
2580
2581 /* Consistency checks for large random values */
2582 for (i = 0; i < 10; i++) {
2583 int j;
2585 for (j = 0; j < count; j++) {
2586 random_fe(&x);
2587 secp256k1_fe_sqr(&s, &x);
2588 test_sqrt(&s, &x);
2589 secp256k1_fe_negate(&t, &s, 1);
2590 test_sqrt(&t, NULL);
2591 secp256k1_fe_mul(&t, &s, &ns);
2592 test_sqrt(&t, NULL);
2593 }
2594 }
2595}
2596
2597/***** FIELD/SCALAR INVERSE TESTS *****/
2598
2600 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2601 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2602);
2603
2605 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2606 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2607);
2608
2609/* These tests test the following identities:
2610 *
2611 * for x==0: 1/x == 0
2612 * for x!=0: x*(1/x) == 1
2613 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2614 */
2615
2617{
2618 secp256k1_scalar l, r, t;
2619
2620 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, x); /* l = 1/x */
2621 if (out) *out = l;
2622 if (secp256k1_scalar_is_zero(x)) {
2624 return;
2625 }
2626 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2627 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2628 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2629 if (secp256k1_scalar_is_zero(&r)) return;
2630 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */
2631 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2632 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */
2633 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2634 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2635 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2636}
2637
2638void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2639{
2640 secp256k1_fe l, r, t;
2641
2642 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2643 if (out) *out = l;
2644 t = *x; /* t = x */
2647 return;
2648 }
2649 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2650 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2651 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2652 r = *x; /* r = x */
2653 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2655 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2656 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2657 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2658 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2659 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2661}
2662
2664{
2665 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2666 static const secp256k1_fe fe_cases[][2] = {
2667 /* 0 */
2668 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2669 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2670 /* 1 */
2671 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2672 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2673 /* -1 */
2674 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2675 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2676 /* 2 */
2677 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2678 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2679 /* 2**128 */
2680 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2681 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2682 /* Input known to need 637 divsteps */
2683 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2684 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2685 /* Input known to need 567 divsteps starting with delta=1/2. */
2686 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2687 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2688 /* Input known to need 566 divsteps starting with delta=1/2. */
2689 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2690 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2691 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2692 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2693 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2694 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2695 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2696 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2697 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2698 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2699 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2700 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2701 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2702 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2703 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2704 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2705 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2706 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2707 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2708 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2709 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2710 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2711 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2712 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2713 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2714 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2715 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2716 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2717 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2718 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2719 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2720 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2721 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2722 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2723 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2724 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2725 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2726 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2727 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2728 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2729 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2730 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
2731 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
2732 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
2733 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
2734 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
2735 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
2736 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
2737 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
2738 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
2739 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
2740 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
2741 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
2742 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
2743 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
2744 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
2745 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
2746 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
2747 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
2748 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
2749 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
2750 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
2751 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
2752 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
2753 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
2754 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
2755 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
2756 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
2757 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
2758 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
2759 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
2760 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
2761 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
2762 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
2763 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
2764 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
2765 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
2766 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
2767 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
2768 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
2769 };
2770 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2771 static const secp256k1_scalar scalar_cases[][2] = {
2772 /* 0 */
2773 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2774 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2775 /* 1 */
2776 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2777 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2778 /* -1 */
2779 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2780 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2781 /* 2 */
2782 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2783 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2784 /* 2**128 */
2785 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2786 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2787 /* Input known to need 635 divsteps */
2788 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2789 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
2790 /* Input known to need 566 divsteps starting with delta=1/2. */
2791 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
2792 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
2793 /* Input known to need 565 divsteps starting with delta=1/2. */
2794 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
2795 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
2796 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
2797 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
2798 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
2799 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
2800 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
2801 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
2802 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
2803 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
2804 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
2805 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
2806 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
2807 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
2808 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
2809 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
2810 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
2811 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
2812 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
2813 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
2814 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
2815 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
2816 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
2817 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
2818 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
2819 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
2820 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
2821 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
2822 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
2823 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
2824 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
2825 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
2826 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
2827 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
2828 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
2829 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
2830 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
2831 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
2832 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
2833 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
2834 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
2835 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
2836 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
2837 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
2838 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
2839 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
2840 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
2841 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
2842 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
2843 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
2844 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
2845 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
2846 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
2847 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
2848 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
2849 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
2850 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
2851 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
2852 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
2853 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
2854 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
2855 };
2856 int i, var, testrand;
2857 unsigned char b32[32];
2858 secp256k1_fe x_fe;
2859 secp256k1_scalar x_scalar;
2860 memset(b32, 0, sizeof(b32));
2861 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2862 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2863 for (var = 0; var <= 1; ++var) {
2864 test_inverse_field(&x_fe, &fe_cases[i][0], var);
2865 check_fe_equal(&x_fe, &fe_cases[i][1]);
2866 test_inverse_field(&x_fe, &fe_cases[i][1], var);
2867 check_fe_equal(&x_fe, &fe_cases[i][0]);
2868 }
2869 }
2870 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2871 for (var = 0; var <= 1; ++var) {
2872 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2873 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2874 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2875 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2876 }
2877 }
2878 /* Test inputs 0..999 and their respective negations. */
2879 for (i = 0; i < 1000; ++i) {
2880 b32[31] = i & 0xff;
2881 b32[30] = (i >> 8) & 0xff;
2882 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2883 secp256k1_fe_set_b32(&x_fe, b32);
2884 for (var = 0; var <= 1; ++var) {
2885 test_inverse_scalar(NULL, &x_scalar, var);
2886 test_inverse_field(NULL, &x_fe, var);
2887 }
2888 secp256k1_scalar_negate(&x_scalar, &x_scalar);
2889 secp256k1_fe_negate(&x_fe, &x_fe, 1);
2890 for (var = 0; var <= 1; ++var) {
2891 test_inverse_scalar(NULL, &x_scalar, var);
2892 test_inverse_field(NULL, &x_fe, var);
2893 }
2894 }
2895 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2896 for (testrand = 0; testrand <= 1; ++testrand) {
2897 for (i = 0; i < 64 * count; ++i) {
2899 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2900 secp256k1_fe_set_b32(&x_fe, b32);
2901 for (var = 0; var <= 1; ++var) {
2902 test_inverse_scalar(NULL, &x_scalar, var);
2903 test_inverse_field(NULL, &x_fe, var);
2904 }
2905 }
2906 }
2907}
2908
2909/***** GROUP TESTS *****/
2910
2911void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2912 CHECK(a->infinity == b->infinity);
2913 if (a->infinity) {
2914 return;
2915 }
2916 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2917 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2918}
2919
2920/* This compares jacobian points including their Z, not just their geometric meaning. */
2922 secp256k1_gej a2;
2923 secp256k1_gej b2;
2924 int ret = 1;
2925 ret &= a->infinity == b->infinity;
2926 if (ret && !a->infinity) {
2927 a2 = *a;
2928 b2 = *b;
2935 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2936 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2937 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2938 }
2939 return ret;
2940}
2941
2942void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2943 secp256k1_fe z2s;
2944 secp256k1_fe u1, u2, s1, s2;
2945 CHECK(a->infinity == b->infinity);
2946 if (a->infinity) {
2947 return;
2948 }
2949 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2950 secp256k1_fe_sqr(&z2s, &b->z);
2951 secp256k1_fe_mul(&u1, &a->x, &z2s);
2952 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2953 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2954 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2955 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2956 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2957}
2958
2959void test_ge(void) {
2960 int i, i1;
2961 int runs = 6;
2962 /* 25 points are used:
2963 * - infinity
2964 * - for each of four random points p1 p2 p3 p4, we add the point, its
2965 * negation, and then those two again but with randomized Z coordinate.
2966 * - The same is then done for lambda*p1 and lambda^2*p1.
2967 */
2968 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2969 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2970 secp256k1_fe zf;
2971 secp256k1_fe zfi2, zfi3;
2972
2974 secp256k1_ge_clear(&ge[0]);
2975 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2976 for (i = 0; i < runs; i++) {
2977 int j;
2978 secp256k1_ge g;
2980 if (i >= runs - 2) {
2981 secp256k1_ge_mul_lambda(&g, &ge[1]);
2982 }
2983 if (i >= runs - 1) {
2985 }
2986 ge[1 + 4 * i] = g;
2987 ge[2 + 4 * i] = g;
2988 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2989 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2990 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2991 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2992 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2993 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2994 for (j = 0; j < 4; j++) {
2995 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2996 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2997 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2998 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2999 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3000 }
3001 }
3002
3003 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3004 do {
3006 } while(secp256k1_fe_is_zero(&zf));
3008 secp256k1_fe_inv_var(&zfi3, &zf);
3009 secp256k1_fe_sqr(&zfi2, &zfi3);
3010 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3011
3012 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3013 int i2;
3014 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3015 /* Compute reference result using gej + gej (var). */
3016 secp256k1_gej refj, resj;
3017 secp256k1_ge ref;
3018 secp256k1_fe zr;
3019 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3020 /* Check Z ratio. */
3021 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3022 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3023 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3024 }
3025 secp256k1_ge_set_gej_var(&ref, &refj);
3026
3027 /* Test gej + ge with Z ratio result (var). */
3028 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3029 ge_equals_gej(&ref, &resj);
3030 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3031 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3032 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3033 }
3034
3035 /* Test gej + ge (var, with additional Z factor). */
3036 {
3037 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3038 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3039 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3042 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3043 ge_equals_gej(&ref, &resj);
3044 }
3045
3046 /* Test gej + ge (const). */
3047 if (i2 != 0) {
3048 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3049 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3050 ge_equals_gej(&ref, &resj);
3051 }
3052
3053 /* Test doubling (var). */
3054 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3055 secp256k1_fe zr2;
3056 /* Normal doubling with Z ratio result. */
3057 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3058 ge_equals_gej(&ref, &resj);
3059 /* Check Z ratio. */
3060 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3061 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3062 /* Normal doubling. */
3063 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3064 ge_equals_gej(&ref, &resj);
3065 /* Constant-time doubling. */
3066 secp256k1_gej_double(&resj, &gej[i2]);
3067 ge_equals_gej(&ref, &resj);
3068 }
3069
3070 /* Test adding opposites. */
3071 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3073 }
3074
3075 /* Test adding infinity. */
3076 if (i1 == 0) {
3079 ge_equals_gej(&ref, &gej[i2]);
3080 }
3081 if (i2 == 0) {
3084 ge_equals_gej(&ref, &gej[i1]);
3085 }
3086 }
3087 }
3088
3089 /* Test adding all points together in random order equals infinity. */
3090 {
3092 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3093 for (i = 0; i < 4 * runs + 1; i++) {
3094 gej_shuffled[i] = gej[i];
3095 }
3096 for (i = 0; i < 4 * runs + 1; i++) {
3097 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3098 if (swap != i) {
3099 secp256k1_gej t = gej_shuffled[i];
3100 gej_shuffled[i] = gej_shuffled[swap];
3101 gej_shuffled[swap] = t;
3102 }
3103 }
3104 for (i = 0; i < 4 * runs + 1; i++) {
3105 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3106 }
3108 free(gej_shuffled);
3109 }
3110
3111 /* Test batch gej -> ge conversion without known z ratios. */
3112 {
3113 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3114 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3115 for (i = 0; i < 4 * runs + 1; i++) {
3116 secp256k1_fe s;
3118 secp256k1_gej_rescale(&gej[i], &s);
3119 ge_equals_gej(&ge_set_all[i], &gej[i]);
3120 }
3121 free(ge_set_all);
3122 }
3123
3124 /* Test batch gej -> ge conversion with many infinities. */
3125 for (i = 0; i < 4 * runs + 1; i++) {
3127 /* randomly set half the points to infinity */
3128 if(secp256k1_fe_is_odd(&ge[i].x)) {
3130 }
3131 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3132 }
3133 /* batch invert */
3134 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3135 /* check result */
3136 for (i = 0; i < 4 * runs + 1; i++) {
3137 ge_equals_gej(&ge[i], &gej[i]);
3138 }
3139
3140 free(ge);
3141 free(gej);
3142}
3143
3144
3146 secp256k1_ge p;
3147 secp256k1_gej pj, npj, infj1, infj2, infj3;
3148 secp256k1_fe zinv;
3149
3150 /* Test that adding P+(-P) results in a fully initalized infinity*/
3152 secp256k1_gej_set_ge(&pj, &p);
3153 secp256k1_gej_neg(&npj, &pj);
3154
3155 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3157 CHECK(secp256k1_fe_is_zero(&infj1.x));
3158 CHECK(secp256k1_fe_is_zero(&infj1.y));
3159 CHECK(secp256k1_fe_is_zero(&infj1.z));
3160
3161 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3163 CHECK(secp256k1_fe_is_zero(&infj2.x));
3164 CHECK(secp256k1_fe_is_zero(&infj2.y));
3165 CHECK(secp256k1_fe_is_zero(&infj2.z));
3166
3167 secp256k1_fe_set_int(&zinv, 1);
3168 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3170 CHECK(secp256k1_fe_is_zero(&infj3.x));
3171 CHECK(secp256k1_fe_is_zero(&infj3.y));
3172 CHECK(secp256k1_fe_is_zero(&infj3.z));
3173
3174
3175}
3176
3178 /* The point of this test is to check that we can add two points
3179 * whose y-coordinates are negatives of each other but whose x
3180 * coordinates differ. If the x-coordinates were the same, these
3181 * points would be negatives of each other and their sum is
3182 * infinity. This is cool because it "covers up" any degeneracy
3183 * in the addition algorithm that would cause the xy coordinates
3184 * of the sum to be wrong (since infinity has no xy coordinates).
3185 * HOWEVER, if the x-coordinates are different, infinity is the
3186 * wrong answer, and such degeneracies are exposed. This is the
3187 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3188 * which this test is a regression test for.
3189 *
3190 * These points were generated in sage as
3191 * # secp256k1 params
3192 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3193 * C = EllipticCurve ([F (0), F (7)])
3194 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3195 * N = FiniteField(G.order())
3196 *
3197 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3198 * x = polygen(N)
3199 * lam = (1 - x^3).roots()[1][0]
3200 *
3201 * # random "bad pair"
3202 * P = C.random_element()
3203 * Q = -int(lam) * P
3204 * print " P: %x %x" % P.xy()
3205 * print " Q: %x %x" % Q.xy()
3206 * print "P + Q: %x %x" % (P + Q).xy()
3207 */
3209 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3210 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3211 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3212 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3213 );
3215 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3216 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3217 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3218 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3219 );
3221 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3222 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3223 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3224 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3225 );
3226 secp256k1_ge b;
3227 secp256k1_gej resj;
3228 secp256k1_ge res;
3229 secp256k1_ge_set_gej(&b, &bj);
3230
3231 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3232 secp256k1_ge_set_gej(&res, &resj);
3233 ge_equals_gej(&res, &sumj);
3234
3235 secp256k1_gej_add_ge(&resj, &aj, &b);
3236 secp256k1_ge_set_gej(&res, &resj);
3237 ge_equals_gej(&res, &sumj);
3238
3239 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3240 secp256k1_ge_set_gej(&res, &resj);
3241 ge_equals_gej(&res, &sumj);
3242}
3243
3244void run_ge(void) {
3245 int i;
3246 for (i = 0; i < count * 32; i++) {
3247 test_ge();
3248 }
3251}
3252
3254 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3255 secp256k1_pubkey data[6];
3256 const secp256k1_pubkey* d[6];
3258 secp256k1_pubkey sd2;
3259 secp256k1_gej Qj;
3260 secp256k1_ge Q;
3261 int i;
3262 for (i = 1; i <= 6; i++) {
3267 secp256k1_ge_set_gej(&Q, &Qj);
3268 secp256k1_pubkey_save(&data[i - 1], &Q);
3269 d[i - 1] = &data[i - 1];
3271 secp256k1_ge_set_gej(&Q, &Qj);
3272 secp256k1_pubkey_save(&sd, &Q);
3273 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3274 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3275 }
3276}
3277
3278void run_ec_combine(void) {
3279 int i;
3280 for (i = 0; i < count * 8; i++) {
3282 }
3283}
3284
3286 /* The input itself, normalized. */
3287 secp256k1_fe fex = *x;
3288 secp256k1_fe fez;
3289 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
3290 secp256k1_ge ge_quad, ge_even, ge_odd;
3291 secp256k1_gej gej_quad;
3292 /* Return values of the above calls. */
3293 int res_quad, res_even, res_odd;
3294
3296
3297 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
3298 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3299 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3300
3301 CHECK(res_quad == res_even);
3302 CHECK(res_quad == res_odd);
3303
3304 if (res_quad) {
3305 secp256k1_fe_normalize_var(&ge_quad.x);
3307 secp256k1_fe_normalize_var(&ge_even.x);
3308 secp256k1_fe_normalize_var(&ge_quad.y);
3310 secp256k1_fe_normalize_var(&ge_even.y);
3311
3312 /* No infinity allowed. */
3313 CHECK(!ge_quad.infinity);
3314 CHECK(!ge_even.infinity);
3315 CHECK(!ge_odd.infinity);
3316
3317 /* Check that the x coordinates check out. */
3318 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
3319 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3320 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3321
3322 /* Check that the Y coordinate result in ge_quad is a square. */
3323 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
3324
3325 /* Check odd/even Y in ge_odd, ge_even. */
3326 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3327 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3328
3329 /* Check secp256k1_gej_has_quad_y_var. */
3330 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
3332 do {
3333 random_fe_test(&fez);
3334 } while (secp256k1_fe_is_zero(&fez));
3335 secp256k1_gej_rescale(&gej_quad, &fez);
3337 secp256k1_gej_neg(&gej_quad, &gej_quad);
3339 do {
3340 random_fe_test(&fez);
3341 } while (secp256k1_fe_is_zero(&fez));
3342 secp256k1_gej_rescale(&gej_quad, &fez);
3344 secp256k1_gej_neg(&gej_quad, &gej_quad);
3346 }
3347}
3348
3350 int i;
3351 for (i = 0; i < count * 4; i++) {
3352 secp256k1_fe fe;
3353 random_fe_test(&fe);
3355 }
3356}
3357
3358/***** ECMULT TESTS *****/
3359
3361 /* random starting point A (on the curve) */
3363 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3364 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3365 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3366 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3367 );
3368 /* two random initial factors xn and gn */
3370 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3371 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3372 );
3374 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3375 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3376 );
3377 /* two small multipliers to be applied to xn and gn in every iteration: */
3378 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3379 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3380 /* accumulators with the resulting coefficients to A and G */
3381 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3382 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3383 /* actual points */
3384 secp256k1_gej x;
3385 secp256k1_gej x2;
3386 int i;
3387
3388 /* the point being computed */
3389 x = a;
3390 for (i = 0; i < 200*count; i++) {
3391 /* in each iteration, compute X = xn*X + gn*G; */
3392 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
3393 /* also compute ae and ge: the actual accumulated factors for A and G */
3394 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3395 secp256k1_scalar_mul(&ae, &ae, &xn);
3396 secp256k1_scalar_mul(&ge, &ge, &xn);
3397 secp256k1_scalar_add(&ge, &ge, &gn);
3398 /* modify xn and gn */
3399 secp256k1_scalar_mul(&xn, &xn, &xf);
3400 secp256k1_scalar_mul(&gn, &gn, &gf);
3401
3402 /* verify */
3403 if (i == 19999) {
3404 /* expected result after 19999 iterations */
3406 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3407 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3408 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3409 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3410 );
3411
3412 secp256k1_gej_neg(&rp, &rp);
3413 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3415 }
3416 }
3417 /* redo the computation, but directly with the resulting ae and ge coefficients: */
3418 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
3419 secp256k1_gej_neg(&x2, &x2);
3420 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3422}
3423
3425 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3428 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3429 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3430 secp256k1_gej res1, res2;
3431 secp256k1_ge res3;
3432 unsigned char pub[65];
3433 size_t psize = 65;
3435 secp256k1_scalar_negate(&nx, &x);
3436 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3437 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3438 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3440 secp256k1_ge_set_gej(&res3, &res1);
3442 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3443 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3444 psize = 65;
3445 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3446 /* check zero/one edge cases */
3447 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
3448 secp256k1_ge_set_gej(&res3, &res1);
3450 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
3451 secp256k1_ge_set_gej(&res3, &res1);
3452 ge_equals_gej(&res3, point);
3453 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
3454 secp256k1_ge_set_gej(&res3, &res1);
3456}
3457
3458/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3459 *
3460 * They are computed as:
3461 * - For a in [-2, -1, 0, 1, 2]:
3462 * - For b in [-3, -1, 1, 3]:
3463 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3464 */
3466 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3467 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3468 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3469 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3470 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3471 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3472 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3473 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3474 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3475 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3476 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3477 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3478 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3479 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3480 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3481 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3482 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3483 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3484 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3485 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3486};
3487
3488void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3489 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3490 secp256k1_scalar n1, n2;
3491 secp256k1_ge p;
3492 secp256k1_gej pj, p1j, p2j, ptj;
3493 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3494
3495 /* Generate random n1,n2 such that n1+n2 = -target. */
3497 secp256k1_scalar_add(&n2, &n1, target);
3498 secp256k1_scalar_negate(&n2, &n2);
3499
3500 /* Generate a random input point. */
3501 if (mode != 0) {
3503 secp256k1_gej_set_ge(&pj, &p);
3504 }
3505
3506 /* EC multiplications */
3507 if (mode == 0) {
3510 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3511 } else if (mode == 1) {
3512 secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
3513 secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
3514 secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
3515 } else {
3516 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3517 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3518 secp256k1_ecmult_const(&ptj, &p, target, 256);
3519 }
3520
3521 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3522 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3523 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3525}
3526
3528 int i;
3529 unsigned j;
3530 for (i = 0; i < 4*count; ++i) {
3531 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3535 }
3536 }
3537}
3538
3540 int i;
3541 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3542 static const secp256k1_fe xr = SECP256K1_FE_CONST(
3543 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3544 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3545 );
3546 for (i = 0; i < 500; i++) {
3547 secp256k1_ge p;
3548 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3549 secp256k1_gej j;
3551 secp256k1_gej_set_ge(&j, &p);
3553 }
3554 secp256k1_fe_sqr(&x, &x);
3555 }
3557 CHECK(secp256k1_fe_equal_var(&x, &xr));
3558}
3559
3561 /* random starting point A (on the curve) */
3563 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3564 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3565 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3566 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3567 );
3568 /* random initial factor xn */
3570 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3571 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3572 );
3573 /* expected xn * A (from sage) */
3574 secp256k1_ge expected_b = SECP256K1_GE_CONST(
3575 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3576 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3577 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3578 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3579 );
3580 secp256k1_gej b;
3581 secp256k1_ecmult_const(&b, &a, &xn, 256);
3582
3584 ge_equals_gej(&expected_b, &b);
3585}
3586
3590 secp256k1_gej res1;
3591 secp256k1_gej res2;
3592 secp256k1_ge mid1;
3593 secp256k1_ge mid2;
3596
3599 secp256k1_ge_set_gej(&mid1, &res1);
3600 secp256k1_ge_set_gej(&mid2, &res2);
3601 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3602 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3603 secp256k1_ge_set_gej(&mid1, &res1);
3604 secp256k1_ge_set_gej(&mid2, &res2);
3605 ge_equals_ge(&mid1, &mid2);
3606}
3607
3609 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3610 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3611 secp256k1_scalar negone;
3612 secp256k1_gej res1;
3613 secp256k1_ge res2;
3614 secp256k1_ge point;
3615 secp256k1_scalar_negate(&negone, &one);
3616
3618 secp256k1_ecmult_const(&res1, &point, &zero, 3);
3619 secp256k1_ge_set_gej(&res2, &res1);
3621 secp256k1_ecmult_const(&res1, &point, &one, 2);
3622 secp256k1_ge_set_gej(&res2, &res1);
3623 ge_equals_ge(&res2, &point);
3624 secp256k1_ecmult_const(&res1, &point, &negone, 256);
3625 secp256k1_gej_neg(&res1, &res1);
3626 secp256k1_ge_set_gej(&res2, &res1);
3627 ge_equals_ge(&res2, &point);
3628}
3629
3631 /* Check known result (randomly generated test problem from sage) */
3633 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3634 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3635 );
3636 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3637 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3638 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3639 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3640 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
3641 );
3642 secp256k1_gej point;
3643 secp256k1_ge res;
3644 int i;
3645
3647 for (i = 0; i < 100; ++i) {
3648 secp256k1_ge tmp;
3649 secp256k1_ge_set_gej(&tmp, &point);
3650 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3651 }
3652 secp256k1_ge_set_gej(&res, &point);
3653 ge_equals_gej(&res, &expected_point);
3654}
3655
3661}
3662
3663typedef struct {
3667
3668static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3669 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3670 *sc = data->sc[idx];
3671 *pt = data->pt[idx];
3672 return 1;
3673}
3674
3675static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3676 (void)sc;
3677 (void)pt;
3678 (void)idx;
3679 (void)cbdata;
3680 return 0;
3681}
3682
3684 int ncount;
3685 secp256k1_scalar szero;
3686 secp256k1_scalar sc[32];
3687 secp256k1_ge pt[32];
3688 secp256k1_gej r;
3689 secp256k1_gej r2;
3690 ecmult_multi_data data;
3691
3692 data.sc = sc;
3693 data.pt = pt;
3694 secp256k1_scalar_set_int(&szero, 0);
3695
3696 /* No points to multiply */
3697 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3698
3699 /* Check 1- and 2-point multiplies against ecmult */
3700 for (ncount = 0; ncount < count; ncount++) {
3701 secp256k1_ge ptg;
3702 secp256k1_gej ptgj;
3703 random_scalar_order(&sc[0]);
3704 random_scalar_order(&sc[1]);
3705
3707 secp256k1_gej_set_ge(&ptgj, &ptg);
3708 pt[0] = ptg;
3709 pt[1] = secp256k1_ge_const_g;
3710
3711 /* only G scalar */
3712 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3713 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3714 secp256k1_gej_neg(&r2, &r2);
3715 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3717
3718 /* 1-point */
3719 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3720 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3721 secp256k1_gej_neg(&r2, &r2);
3722 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3724
3725 /* Try to multiply 1 point, but callback returns false */
3726 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3727
3728 /* 2-point */
3729 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3730 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3731 secp256k1_gej_neg(&r2, &r2);
3732 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3734
3735 /* 2-point with G scalar */
3736 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3737 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3738 secp256k1_gej_neg(&r2, &r2);
3739 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3741 }
3742
3743 /* Check infinite outputs of various forms */
3744 for (ncount = 0; ncount < count; ncount++) {
3745 secp256k1_ge ptg;
3746 size_t i, j;
3747 size_t sizes[] = { 2, 10, 32 };
3748
3749 for (j = 0; j < 3; j++) {
3750 for (i = 0; i < 32; i++) {
3751 random_scalar_order(&sc[i]);
3753 }
3754 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3756 }
3757
3758 for (j = 0; j < 3; j++) {
3759 for (i = 0; i < 32; i++) {
3761 pt[i] = ptg;
3762 secp256k1_scalar_set_int(&sc[i], 0);
3763 }
3764 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3766 }
3767
3768 for (j = 0; j < 3; j++) {
3770 for (i = 0; i < 16; i++) {
3771 random_scalar_order(&sc[2*i]);
3772 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3773 pt[2 * i] = ptg;
3774 pt[2 * i + 1] = ptg;
3775 }
3776
3777 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3779
3780 random_scalar_order(&sc[0]);
3781 for (i = 0; i < 16; i++) {
3783
3784 sc[2*i] = sc[0];
3785 sc[2*i+1] = sc[0];
3786 pt[2 * i] = ptg;
3787 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3788 }
3789
3790 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3792 }
3793
3795 secp256k1_scalar_set_int(&sc[0], 0);
3796 pt[0] = ptg;
3797 for (i = 1; i < 32; i++) {
3798 pt[i] = ptg;
3799
3800 random_scalar_order(&sc[i]);
3801 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3802 secp256k1_scalar_negate(&sc[i], &sc[i]);
3803 }
3804
3805 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3807 }
3808
3809 /* Check random points, constant scalar */
3810 for (ncount = 0; ncount < count; ncount++) {
3811 size_t i;
3813
3814 random_scalar_order(&sc[0]);
3815 for (i = 0; i < 20; i++) {
3816 secp256k1_ge ptg;
3817 sc[i] = sc[0];
3819 pt[i] = ptg;
3820 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3821 }
3822
3823 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3824 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3825 secp256k1_gej_neg(&r2, &r2);
3826 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3828 }
3829
3830 /* Check random scalars, constant point */
3831 for (ncount = 0; ncount < count; ncount++) {
3832 size_t i;
3833 secp256k1_ge ptg;
3834 secp256k1_gej p0j;
3837
3839 for (i = 0; i < 20; i++) {
3840 random_scalar_order(&sc[i]);
3841 pt[i] = ptg;
3842 secp256k1_scalar_add(&rs, &rs, &sc[i]);
3843 }
3844
3845 secp256k1_gej_set_ge(&p0j, &pt[0]);
3846 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3847 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3848 secp256k1_gej_neg(&r2, &r2);
3849 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3851 }
3852
3853 /* Sanity check that zero scalars don't cause problems */
3854 for (ncount = 0; ncount < 20; ncount++) {
3855 random_scalar_order(&sc[ncount]);
3856 random_group_element_test(&pt[ncount]);
3857 }
3858 secp256k1_scalar_clear(&sc[0]);
3859 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3860 secp256k1_scalar_clear(&sc[1]);
3861 secp256k1_scalar_clear(&sc[2]);
3862 secp256k1_scalar_clear(&sc[3]);
3863 secp256k1_scalar_clear(&sc[4]);
3864 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3865 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3867
3868 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3869 {
3870 const size_t TOP = 8;
3871 size_t s0i, s1i;
3872 size_t t0i, t1i;
3873 secp256k1_ge ptg;
3874 secp256k1_gej ptgj;
3875
3877 secp256k1_gej_set_ge(&ptgj, &ptg);
3878
3879 for(t0i = 0; t0i < TOP; t0i++) {
3880 for(t1i = 0; t1i < TOP; t1i++) {
3881 secp256k1_gej t0p, t1p;
3882 secp256k1_scalar t0, t1;
3883
3884 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3885 secp256k1_scalar_cond_negate(&t0, t0i & 1);
3886 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3887 secp256k1_scalar_cond_negate(&t1, t1i & 1);
3888
3889 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3890 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3891
3892 for(s0i = 0; s0i < TOP; s0i++) {
3893 for(s1i = 0; s1i < TOP; s1i++) {
3894 secp256k1_scalar tmp1, tmp2;
3895 secp256k1_gej expected, actual;
3896
3897 secp256k1_ge_set_gej(&pt[0], &t0p);
3898 secp256k1_ge_set_gej(&pt[1], &t1p);
3899
3900 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3901 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3902 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3903 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3904
3905 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3906 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3907 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3908
3909 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3910 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3911 secp256k1_gej_neg(&expected, &expected);
3912 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3914 }
3915 }
3916 }
3917 }
3918 }
3919}
3920
3922 secp256k1_scalar szero;
3924 secp256k1_ge pt;
3925 secp256k1_gej r;
3926 ecmult_multi_data data;
3927 secp256k1_scratch *scratch_empty;
3928
3931 data.sc = &sc;
3932 data.pt = &pt;
3933 secp256k1_scalar_set_int(&szero, 0);
3934
3935 /* Try to multiply 1 point, but scratch space is empty.*/
3936 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3937 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3939}
3940
3942 int i;
3943
3945 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3946 /* Bucket_window of 8 is not used with endo */
3947 if (i == 8) {
3948 continue;
3949 }
3951 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3953 }
3954 }
3955}
3956
3962 size_t scratch_size = secp256k1_testrand_int(256);
3964 secp256k1_scratch *scratch;
3965 size_t n_points_supported;
3966 int bucket_window = 0;
3967
3968 for(; scratch_size < max_size; scratch_size+=256) {
3969 size_t i;
3970 size_t total_alloc;
3971 size_t checkpoint;
3972 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3973 CHECK(scratch != NULL);
3974 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3975 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3976 if (n_points_supported == 0) {
3978 continue;
3979 }
3980 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3981 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3982 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3983 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3985 total_alloc--;
3986 }
3987 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3990 }
3991 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3992}
3993
3995 size_t n_batches, n_batch_points, max_n_batch_points, n;
3996
3997 max_n_batch_points = 0;
3998 n = 1;
3999 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4000
4001 max_n_batch_points = 1;
4002 n = 0;
4003 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4004 CHECK(n_batches == 0);
4005 CHECK(n_batch_points == 0);
4006
4007 max_n_batch_points = 2;
4008 n = 5;
4009 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4010 CHECK(n_batches == 3);
4011 CHECK(n_batch_points == 2);
4012
4013 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4015 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4016 CHECK(n_batches == 1);
4017 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4018
4019 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4021 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4022 CHECK(n_batches == 2);
4023 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4024
4025 max_n_batch_points = 1;
4026 n = SIZE_MAX;
4027 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4028 CHECK(n_batches == SIZE_MAX);
4029 CHECK(n_batch_points == 1);
4030
4031 max_n_batch_points = 2;
4032 n = SIZE_MAX;
4033 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4034 CHECK(n_batches == SIZE_MAX/2 + 1);
4035 CHECK(n_batch_points == 2);
4036}
4037
4043 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4044 secp256k1_scalar scG;
4045 secp256k1_scalar szero;
4048 secp256k1_gej r;
4049 secp256k1_gej r2;
4050 ecmult_multi_data data;
4051 int i;
4052 secp256k1_scratch *scratch;
4053
4055 secp256k1_scalar_set_int(&szero, 0);
4056
4057 /* Get random scalars and group elements and compute result */
4058 random_scalar_order(&scG);
4059 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
4060 for(i = 0; i < n_points; i++) {
4061 secp256k1_ge ptg;
4062 secp256k1_gej ptgj;
4064 secp256k1_gej_set_ge(&ptgj, &ptg);
4065 pt[i] = ptg;
4066 random_scalar_order(&sc[i]);
4067 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
4068 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4069 }
4070 data.sc = sc;
4071 data.pt = pt;
4072 secp256k1_gej_neg(&r2, &r2);
4073
4074 /* Test with empty scratch space. It should compute the correct result using
4075 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4077 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4078 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4081
4082 /* Test with space for 1 point in pippenger. That's not enough because
4083 * ecmult_multi selects strauss which requires more memory. It should
4084 * therefore select the simple algorithm. */
4086 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4087 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4090
4091 for(i = 1; i <= n_points; i++) {
4093 int bucket_window = secp256k1_pippenger_bucket_window(i);
4094 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4096 } else {
4097 size_t scratch_size = secp256k1_strauss_scratch_size(i);
4099 }
4100 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4101 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4104 }
4105 free(sc);
4106 free(pt);
4107}
4108
4110 secp256k1_scratch *scratch;
4111
4114 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4122
4123 /* Run test_ecmult_multi with space for exactly one point */
4127
4130}
4131
4132void test_wnaf(const secp256k1_scalar *number, int w) {
4133 secp256k1_scalar x, two, t;
4134 int wnaf[256];
4135 int zeroes = -1;
4136 int i;
4137 int bits;
4139 secp256k1_scalar_set_int(&two, 2);
4140 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4141 CHECK(bits <= 256);
4142 for (i = bits-1; i >= 0; i--) {
4143 int v = wnaf[i];
4144 secp256k1_scalar_mul(&x, &x, &two);
4145 if (v) {
4146 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4147 zeroes=0;
4148 CHECK((v & 1) == 1); /* check non-zero elements are odd */
4149 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4150 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4151 } else {
4152 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4153 zeroes++;
4154 }
4155 if (v >= 0) {
4157 } else {
4160 }
4161 secp256k1_scalar_add(&x, &x, &t);
4162 }
4163 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4164}
4165
4167 secp256k1_scalar neg1 = *number;
4168 secp256k1_scalar neg2 = *number;
4169 int sign1 = 1;
4170 int sign2 = 1;
4171
4172 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4173 secp256k1_scalar_negate(&neg1, &neg1);
4174 sign1 = -1;
4175 }
4177 CHECK(sign1 == sign2);
4178 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4179}
4180
4181void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4182 secp256k1_scalar x, shift;
4183 int wnaf[256] = {0};
4184 int i;
4185 int skew;
4186 int bits = 256;
4187 secp256k1_scalar num = *number;
4188 secp256k1_scalar scalar_skew;
4189
4191 secp256k1_scalar_set_int(&shift, 1 << w);
4192 for (i = 0; i < 16; ++i) {
4193 secp256k1_scalar_shr_int(&num, 8);
4194 }
4195 bits = 128;
4196 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4197
4198 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4200 int v = wnaf[i];
4201 CHECK(v != 0); /* check nonzero */
4202 CHECK(v & 1); /* check parity */
4203 CHECK(v > -(1 << w)); /* check range above */
4204 CHECK(v < (1 << w)); /* check range below */
4205
4206 secp256k1_scalar_mul(&x, &x, &shift);
4207 if (v >= 0) {
4209 } else {
4212 }
4213 secp256k1_scalar_add(&x, &x, &t);
4214 }
4215 /* Skew num because when encoding numbers as odd we use an offset */
4216 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
4217 secp256k1_scalar_add(&num, &num, &scalar_skew);
4218 CHECK(secp256k1_scalar_eq(&x, &num));
4219}
4220
4221void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4222 secp256k1_scalar x, shift;
4223 int wnaf[256] = {0};
4224 int i;
4225 int skew;
4226 secp256k1_scalar num = *number;
4227
4229 secp256k1_scalar_set_int(&shift, 1 << w);
4230 for (i = 0; i < 16; ++i) {
4231 secp256k1_scalar_shr_int(&num, 8);
4232 }
4233 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4234
4235 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4237 int v = wnaf[i];
4238 CHECK(v == 0 || v & 1); /* check parity */
4239 CHECK(v > -(1 << w)); /* check range above */
4240 CHECK(v < (1 << w)); /* check range below */
4241
4242 secp256k1_scalar_mul(&x, &x, &shift);
4243 if (v >= 0) {
4245 } else {
4248 }
4249 secp256k1_scalar_add(&x, &x, &t);
4250 }
4251 /* If skew is 1 then add 1 to num */
4252 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4253 CHECK(secp256k1_scalar_eq(&x, &num));
4254}
4255
4256/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4257 * rest is 0.*/
4258void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4259 int i;
4260 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4261 CHECK(wnaf[i] == 0);
4262 }
4263 for (i = 7; i >= 0; --i) {
4264 CHECK(wnaf[i] == wnaf_expected[i]);
4265 }
4266}
4267
4269 int w = 4;
4270 int wnaf[256] = {0};
4271 int i;
4272 int skew;
4273 secp256k1_scalar num;
4274
4275 secp256k1_scalar_set_int(&num, 0);
4276 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4277 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4278 int v = wnaf[i];
4279 CHECK(v == 0);
4280 }
4281 CHECK(skew == 0);
4282
4283 secp256k1_scalar_set_int(&num, 1);
4284 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4285 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4286 int v = wnaf[i];
4287 CHECK(v == 0);
4288 }
4289 CHECK(wnaf[0] == 1);
4290 CHECK(skew == 0);
4291
4292 {
4293 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4294 secp256k1_scalar_set_int(&num, 0xffffffff);
4295 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4296 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4297 CHECK(skew == 0);
4298 }
4299 {
4300 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4301 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4302 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4303 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4304 CHECK(skew == 1);
4305 }
4306 {
4307 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4308 secp256k1_scalar_set_int(&num, 0x01010101);
4309 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4310 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4311 CHECK(skew == 0);
4312 }
4313 {
4314 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4315 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4316 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4317 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4318 CHECK(skew == 0);
4319 }
4320}
4321
4322void run_wnaf(void) {
4323 int i;
4324 secp256k1_scalar n = {{0}};
4325
4326 test_constant_wnaf(&n, 4);
4327 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4328 * have easier-to-diagnose failure modes */
4329 n.d[0] = 1;
4330 test_constant_wnaf(&n, 4);
4331 n.d[0] = 2;
4332 test_constant_wnaf(&n, 4);
4333 /* Test -1, because it's a special case in wnaf_const */
4336 test_constant_wnaf(&n, 4);
4337
4338 /* Test -2, which may not lead to overflows in wnaf_const */
4341 test_constant_wnaf(&n, 4);
4342
4343 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4344 as corner cases of negation handling in wnaf_const */
4346 test_constant_wnaf(&n, 4);
4347
4349 test_constant_wnaf(&n, 4);
4350
4351 /* Test 0 for fixed wnaf */
4353 /* Random tests */
4354 for (i = 0; i < count; i++) {
4356 test_wnaf(&n, 4+(i%10));
4358 test_constant_wnaf(&n, 4 + (i % 10));
4359 test_fixed_wnaf(&n, 4 + (i % 10));
4360 }
4362 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4366}
4367
4369 /* Test ecmult_gen() for [0..36) and [order-36..0). */
4371 secp256k1_gej r;
4372 secp256k1_ge ng;
4373 int i;
4374 int j;
4376 for (i = 0; i < 36; i++ ) {
4379 for (j = 0; j < i; j++) {
4380 if (j == i - 1) {
4382 }
4383 secp256k1_gej_add_ge(&r, &r, &ng);
4384 }
4386 }
4387 for (i = 1; i <= 36; i++ ) {
4391 for (j = 0; j < i; j++) {
4392 if (j == i - 1) {
4393 ge_equals_gej(&ng, &r);
4394 }
4396 }
4398 }
4399}
4400
4403}
4404
4406 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
4407 secp256k1_scalar key;
4409 unsigned char seed32[32];
4410 secp256k1_gej pgej;
4411 secp256k1_gej pgej2;
4412 secp256k1_gej i;
4413 secp256k1_ge pge;
4415 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
4416 secp256k1_testrand256(seed32);
4421 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
4422 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
4424 secp256k1_ge_set_gej(&pge, &pgej);
4425 ge_equals_gej(&pge, &pgej2);
4426}
4427
4429 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
4431 secp256k1_gej initial;
4434 initial = ctx->ecmult_gen_ctx.initial;
4438}
4439
4441 int i;
4443 for (i = 0; i < 10; i++) {
4445 }
4446}
4447
4448/***** ENDOMORPHISH TESTS *****/
4450 secp256k1_scalar s, s1, slam;
4451 const unsigned char zero[32] = {0};
4452 unsigned char tmp[32];
4453
4454 secp256k1_scalar_split_lambda(&s1, &slam, full);
4455
4456 /* check slam*lambda + s1 == full */
4458 secp256k1_scalar_add(&s, &s, &s1);
4459 CHECK(secp256k1_scalar_eq(&s, full));
4460
4461 /* check that both are <= 128 bits in size */
4462 if (secp256k1_scalar_is_high(&s1)) {
4463 secp256k1_scalar_negate(&s1, &s1);
4464 }
4465 if (secp256k1_scalar_is_high(&slam)) {
4466 secp256k1_scalar_negate(&slam, &slam);
4467 }
4468
4469 secp256k1_scalar_get_b32(tmp, &s1);
4470 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4471 secp256k1_scalar_get_b32(tmp, &slam);
4472 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
4473}
4474
4475
4477 unsigned i;
4478 static secp256k1_scalar s;
4486
4487 for (i = 0; i < 100U * count; ++i) {
4488 secp256k1_scalar full;
4490 test_scalar_split(&full);
4491 }
4492 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
4494 }
4495}
4496
4497void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
4498 unsigned char pubkeyc[65];
4499 secp256k1_pubkey pubkey;
4500 secp256k1_ge ge;
4501 size_t pubkeyclen;
4502 int32_t ecount;
4503 ecount = 0;
4505 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
4506 /* Smaller sizes are tested exhaustively elsewhere. */
4507 int32_t i;
4508 memcpy(&pubkeyc[1], input, 64);
4509 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
4510 for (i = 0; i < 256; i++) {
4511 /* Try all type bytes. */
4512 int xpass;
4513 int ypass;
4514 int ysign;
4515 pubkeyc[0] = i;
4516 /* What sign does this point have? */
4517 ysign = (input[63] & 1) + 2;
4518 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
4519 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
4520 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
4521 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
4522 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
4523 if (xpass || ypass) {
4524 /* These cases must parse. */
4525 unsigned char pubkeyo[65];
4526 size_t outl;
4527 memset(&pubkey, 0, sizeof(pubkey));
4528 VG_UNDEF(&pubkey, sizeof(pubkey));
4529 ecount = 0;
4530 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4531 VG_CHECK(&pubkey, sizeof(pubkey));
4532 outl = 65;
4533 VG_UNDEF(pubkeyo, 65);
4534 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4535 VG_CHECK(pubkeyo, outl);
4536 CHECK(outl == 33);
4537 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
4538 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
4539 if (ypass) {
4540 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
4541 CHECK(pubkeyo[0] == ysign);
4542 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4543 memset(&pubkey, 0, sizeof(pubkey));
4544 VG_UNDEF(&pubkey, sizeof(pubkey));
4545 secp256k1_pubkey_save(&pubkey, &ge);
4546 VG_CHECK(&pubkey, sizeof(pubkey));
4547 outl = 65;
4548 VG_UNDEF(pubkeyo, 65);
4549 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4550 VG_CHECK(pubkeyo, outl);
4551 CHECK(outl == 65);
4552 CHECK(pubkeyo[0] == 4);
4553 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
4554 }
4555 CHECK(ecount == 0);
4556 } else {
4557 /* These cases must fail to parse. */
4558 memset(&pubkey, 0xfe, sizeof(pubkey));
4559 ecount = 0;
4560 VG_UNDEF(&pubkey, sizeof(pubkey));
4561 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
4562 VG_CHECK(&pubkey, sizeof(pubkey));
4563 CHECK(ecount == 0);
4564 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4565 CHECK(ecount == 1);
4566 }
4567 }
4568 }
4570}
4571
4573#define SECP256K1_EC_PARSE_TEST_NVALID (12)
4574 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
4575 {
4576 /* Point with leading and trailing zeros in x and y serialization. */
4577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
4578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4579 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
4580 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
4581 },
4582 {
4583 /* Point with x equal to a 3rd root of unity.*/
4584 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
4585 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
4586 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4587 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4588 },
4589 {
4590 /* Point with largest x. (1/2) */
4591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4593 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
4594 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
4595 },
4596 {
4597 /* Point with largest x. (2/2) */
4598 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
4600 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
4601 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
4602 },
4603 {
4604 /* Point with smallest x. (1/2) */
4605 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4607 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4608 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4609 },
4610 {
4611 /* Point with smallest x. (2/2) */
4612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4614 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4615 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4616 },
4617 {
4618 /* Point with largest y. (1/3) */
4619 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4620 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4621 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4622 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4623 },
4624 {
4625 /* Point with largest y. (2/3) */
4626 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4627 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4628 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4629 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4630 },
4631 {
4632 /* Point with largest y. (3/3) */
4633 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4634 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4635 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4636 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4637 },
4638 {
4639 /* Point with smallest y. (1/3) */
4640 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4641 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4644 },
4645 {
4646 /* Point with smallest y. (2/3) */
4647 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4648 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4649 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4650 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4651 },
4652 {
4653 /* Point with smallest y. (3/3) */
4654 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4655 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4658 }
4659 };
4660#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4661 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4662 {
4663 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4664 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4665 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4666 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4667 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4668 },
4669 {
4670 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4671 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4672 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4673 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4674 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4675 },
4676 {
4677 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4678 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4679 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4680 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4681 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4682 },
4683 {
4684 /* x on curve, y is from y^2 = x^3 + 8. */
4685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4686 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4689 }
4690 };
4691#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4692 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4693 {
4694 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4695 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4696 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4699 },
4700 {
4701 /* Valid if x overflow ignored (x = 1 mod p). */
4702 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4703 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4704 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4705 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4706 },
4707 {
4708 /* Valid if x overflow ignored (x = 1 mod p). */
4709 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4710 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4711 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4712 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4713 },
4714 {
4715 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4716 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4717 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4718 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4719 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4720 },
4721 {
4722 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4723 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4724 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4725 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4726 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4727 },
4728 {
4729 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4732 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4733 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4734 },
4735 {
4736 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4738 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4739 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4740 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4741 }
4742 };
4743 const unsigned char pubkeyc[66] = {
4744 /* Serialization of G. */
4745 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4746 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4747 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4748 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4749 0xB8, 0x00
4750 };
4751 unsigned char sout[65];
4752 unsigned char shortkey[2];
4753 secp256k1_ge ge;
4754 secp256k1_pubkey pubkey;
4755 size_t len;
4756 int32_t i;
4757 int32_t ecount;
4758 int32_t ecount2;
4759 ecount = 0;
4760 /* Nothing should be reading this far into pubkeyc. */
4761 VG_UNDEF(&pubkeyc[65], 1);
4763 /* Zero length claimed, fail, zeroize, no illegal arg error. */
4764 memset(&pubkey, 0xfe, sizeof(pubkey));
4765 ecount = 0;
4766 VG_UNDEF(shortkey, 2);
4767 VG_UNDEF(&pubkey, sizeof(pubkey));
4768 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4769 VG_CHECK(&pubkey, sizeof(pubkey));
4770 CHECK(ecount == 0);
4771 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4772 CHECK(ecount == 1);
4773 /* Length one claimed, fail, zeroize, no illegal arg error. */
4774 for (i = 0; i < 256 ; i++) {
4775 memset(&pubkey, 0xfe, sizeof(pubkey));
4776 ecount = 0;
4777 shortkey[0] = i;
4778 VG_UNDEF(&shortkey[1], 1);
4779 VG_UNDEF(&pubkey, sizeof(pubkey));
4780 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4781 VG_CHECK(&pubkey, sizeof(pubkey));
4782 CHECK(ecount == 0);
4783 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4784 CHECK(ecount == 1);
4785 }
4786 /* Length two claimed, fail, zeroize, no illegal arg error. */
4787 for (i = 0; i < 65536 ; i++) {
4788 memset(&pubkey, 0xfe, sizeof(pubkey));
4789 ecount = 0;
4790 shortkey[0] = i & 255;
4791 shortkey[1] = i >> 8;
4792 VG_UNDEF(&pubkey, sizeof(pubkey));
4793 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4794 VG_CHECK(&pubkey, sizeof(pubkey));
4795 CHECK(ecount == 0);
4796 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4797 CHECK(ecount == 1);
4798 }
4799 memset(&pubkey, 0xfe, sizeof(pubkey));
4800 ecount = 0;
4801 VG_UNDEF(&pubkey, sizeof(pubkey));
4802 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4803 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4804 VG_CHECK(&pubkey, sizeof(pubkey));
4805 CHECK(ecount == 0);
4806 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4807 CHECK(ecount == 1);
4808 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4809 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4810 CHECK(ecount == 2);
4811 /* NULL input string. Illegal arg and zeroize output. */
4812 memset(&pubkey, 0xfe, sizeof(pubkey));
4813 ecount = 0;
4814 VG_UNDEF(&pubkey, sizeof(pubkey));
4815 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4816 VG_CHECK(&pubkey, sizeof(pubkey));
4817 CHECK(ecount == 1);
4818 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4819 CHECK(ecount == 2);
4820 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4821 memset(&pubkey, 0xfe, sizeof(pubkey));
4822 ecount = 0;
4823 VG_UNDEF(&pubkey, sizeof(pubkey));
4824 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4825 VG_CHECK(&pubkey, sizeof(pubkey));
4826 CHECK(ecount == 0);
4827 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4828 CHECK(ecount == 1);
4829 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4830 memset(&pubkey, 0xfe, sizeof(pubkey));
4831 ecount = 0;
4832 VG_UNDEF(&pubkey, sizeof(pubkey));
4833 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4834 VG_CHECK(&pubkey, sizeof(pubkey));
4835 CHECK(ecount == 0);
4836 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4837 CHECK(ecount == 1);
4838 /* Valid parse. */
4839 memset(&pubkey, 0, sizeof(pubkey));
4840 ecount = 0;
4841 VG_UNDEF(&pubkey, sizeof(pubkey));
4842 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4844 VG_CHECK(&pubkey, sizeof(pubkey));
4845 CHECK(ecount == 0);
4846 VG_UNDEF(&ge, sizeof(ge));
4847 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4848 VG_CHECK(&ge.x, sizeof(ge.x));
4849 VG_CHECK(&ge.y, sizeof(ge.y));
4850 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4852 CHECK(ecount == 0);
4853 /* secp256k1_ec_pubkey_serialize illegal args. */
4854 ecount = 0;
4855 len = 65;
4857 CHECK(ecount == 1);
4858 CHECK(len == 0);
4860 CHECK(ecount == 2);
4861 len = 65;
4862 VG_UNDEF(sout, 65);
4864 VG_CHECK(sout, 65);
4865 CHECK(ecount == 3);
4866 CHECK(len == 0);
4867 len = 65;
4868 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4869 CHECK(ecount == 4);
4870 CHECK(len == 0);
4871 len = 65;
4872 VG_UNDEF(sout, 65);
4874 VG_CHECK(sout, 65);
4875 CHECK(ecount == 4);
4876 CHECK(len == 65);
4877 /* Multiple illegal args. Should still set arg error only once. */
4878 ecount = 0;
4879 ecount2 = 11;
4880 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4881 CHECK(ecount == 1);
4882 /* Does the illegal arg callback actually change the behavior? */
4884 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4885 CHECK(ecount == 1);
4886 CHECK(ecount2 == 10);
4888 /* Try a bunch of prefabbed points with all possible encodings. */
4889 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4890 ec_pubkey_parse_pointtest(valid[i], 1, 1);
4891 }
4892 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4893 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4894 }
4895 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4896 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4897 }
4898}
4899
4901 const unsigned char orderc[32] = {
4902 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4903 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4904 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4905 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4906 };
4907 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4908 unsigned char ctmp[33];
4909 unsigned char ctmp2[33];
4910 secp256k1_pubkey pubkey;
4911 secp256k1_pubkey pubkey2;
4912 secp256k1_pubkey pubkey_one;
4913 secp256k1_pubkey pubkey_negone;
4914 const secp256k1_pubkey *pubkeys[3];
4915 size_t len;
4916 int32_t ecount;
4917 /* Group order is too large, reject. */
4918 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4919 VG_UNDEF(&pubkey, sizeof(pubkey));
4920 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4921 VG_CHECK(&pubkey, sizeof(pubkey));
4922 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4923 /* Maximum value is too large, reject. */
4924 memset(ctmp, 255, 32);
4926 memset(&pubkey, 1, sizeof(pubkey));
4927 VG_UNDEF(&pubkey, sizeof(pubkey));
4928 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4929 VG_CHECK(&pubkey, sizeof(pubkey));
4930 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4931 /* Zero is too small, reject. */
4932 memset(ctmp, 0, 32);
4934 memset(&pubkey, 1, sizeof(pubkey));
4935 VG_UNDEF(&pubkey, sizeof(pubkey));
4936 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4937 VG_CHECK(&pubkey, sizeof(pubkey));
4938 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4939 /* One must be accepted. */
4940 ctmp[31] = 0x01;
4942 memset(&pubkey, 0, sizeof(pubkey));
4943 VG_UNDEF(&pubkey, sizeof(pubkey));
4944 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4945 VG_CHECK(&pubkey, sizeof(pubkey));
4946 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4947 pubkey_one = pubkey;
4948 /* Group order + 1 is too large, reject. */
4949 memcpy(ctmp, orderc, 32);
4950 ctmp[31] = 0x42;
4952 memset(&pubkey, 1, sizeof(pubkey));
4953 VG_UNDEF(&pubkey, sizeof(pubkey));
4954 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4955 VG_CHECK(&pubkey, sizeof(pubkey));
4956 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4957 /* -1 must be accepted. */
4958 ctmp[31] = 0x40;
4960 memset(&pubkey, 0, sizeof(pubkey));
4961 VG_UNDEF(&pubkey, sizeof(pubkey));
4962 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4963 VG_CHECK(&pubkey, sizeof(pubkey));
4964 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4965 pubkey_negone = pubkey;
4966 /* Tweak of zero leaves the value unchanged. */
4967 memset(ctmp2, 0, 32);
4968 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4969 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4970 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4971 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4972 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4973 /* Multiply tweak of zero zeroizes the output. */
4974 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4975 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4976 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4977 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4978 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4979 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4980 seckey, the seckey is zeroized. */
4981 memcpy(ctmp, orderc, 32);
4982 memset(ctmp2, 0, 32);
4983 ctmp2[31] = 0x01;
4984 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4986 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4987 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4988 memcpy(ctmp, orderc, 32);
4989 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4990 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4991 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4992 tweak, the seckey is zeroized. */
4993 memcpy(ctmp, orderc, 32);
4994 ctmp[31] = 0x40;
4995 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4996 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4997 memcpy(ctmp, orderc, 32);
4998 ctmp[31] = 0x40;
4999 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5000 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5001 memcpy(ctmp, orderc, 32);
5002 ctmp[31] = 0x40;
5003 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5004 tweak, the pubkey is zeroized. */
5005 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5006 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5007 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5008 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5009 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5010 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5011 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5012 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5013 * case the pubkey is zeroized. */
5014 memcpy(ctmp, orderc, 32);
5015 ctmp[31] = 0x40;
5016 memset(ctmp2, 0, 32);
5017 ctmp2[31] = 1;
5018 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5019 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5020 ctmp2[31] = 1;
5021 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5022 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5023 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5024 /* Tweak computation wraps and results in a key of 1. */
5025 ctmp2[31] = 2;
5026 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5027 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5028 ctmp2[31] = 2;
5029 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5030 ctmp2[31] = 1;
5031 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5032 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5033 /* Tweak mul * 2 = 1+1. */
5034 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5035 ctmp2[31] = 2;
5036 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5037 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5038 /* Test argument errors. */
5039 ecount = 0;
5041 CHECK(ecount == 0);
5042 /* Zeroize pubkey on parse error. */
5043 memset(&pubkey, 0, 32);
5044 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5045 CHECK(ecount == 1);
5046 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5047 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5048 memset(&pubkey2, 0, 32);
5049 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5050 CHECK(ecount == 2);
5051 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5052 /* Plain argument errors. */
5053 ecount = 0;
5055 CHECK(ecount == 0);
5057 CHECK(ecount == 1);
5058 ecount = 0;
5059 memset(ctmp2, 0, 32);
5060 ctmp2[31] = 4;
5061 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5062 CHECK(ecount == 1);
5063 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5064 CHECK(ecount == 2);
5065 ecount = 0;
5066 memset(ctmp2, 0, 32);
5067 ctmp2[31] = 4;
5068 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5069 CHECK(ecount == 1);
5070 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5071 CHECK(ecount == 2);
5072 ecount = 0;
5073 memset(ctmp2, 0, 32);
5074 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5075 CHECK(ecount == 1);
5076 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5077 CHECK(ecount == 2);
5078 ecount = 0;
5079 memset(ctmp2, 0, 32);
5080 ctmp2[31] = 1;
5081 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5082 CHECK(ecount == 1);
5083 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5084 CHECK(ecount == 2);
5085 ecount = 0;
5086 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
5087 CHECK(ecount == 1);
5088 memset(&pubkey, 1, sizeof(pubkey));
5089 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5090 CHECK(ecount == 2);
5091 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5092 /* secp256k1_ec_pubkey_combine tests. */
5093 ecount = 0;
5094 pubkeys[0] = &pubkey_one;
5095 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
5096 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
5097 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
5098 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5099 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5100 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5101 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5102 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5103 CHECK(ecount == 1);
5104 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5105 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5106 CHECK(ecount == 2);
5107 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5108 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5109 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5110 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5111 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5112 CHECK(ecount == 3);
5113 pubkeys[0] = &pubkey_negone;
5114 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5115 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5116 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5117 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5118 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5119 CHECK(ecount == 3);
5120 len = 33;
5122 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
5123 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5124 /* Result is infinity. */
5125 pubkeys[0] = &pubkey_one;
5126 pubkeys[1] = &pubkey_negone;
5127 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5128 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5129 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5130 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5131 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5132 CHECK(ecount == 3);
5133 /* Passes through infinity but comes out one. */
5134 pubkeys[2] = &pubkey_one;
5135 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5136 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5137 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5138 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5139 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5140 CHECK(ecount == 3);
5141 len = 33;
5143 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
5144 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5145 /* Adds to two. */
5146 pubkeys[1] = &pubkey_one;
5147 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5148 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5149 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
5150 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5151 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5152 CHECK(ecount == 3);
5154}
5155
5157 unsigned char seckey[32];
5158 unsigned char seckey_tmp[32];
5159
5161 memcpy(seckey_tmp, seckey, 32);
5162
5163 /* Verify negation changes the key and changes it back */
5164 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5165 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
5166 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5167 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5168
5169 /* Check that privkey alias gives same result */
5170 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5171 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
5172 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5173
5174 /* Negating all 0s fails */
5175 memset(seckey, 0, 32);
5176 memset(seckey_tmp, 0, 32);
5177 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5178 /* Check that seckey is not modified */
5179 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5180
5181 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
5182 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5183 * doesn't just set seckey to a constant value in case of failure. */
5185 memset(seckey, 0xFF, 16);
5186 memset(seckey_tmp, 0, 32);
5187 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5188 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5189}
5190
5191void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
5192 secp256k1_scalar nonce;
5193 do {
5195 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
5196}
5197
5199 secp256k1_gej pubj;
5200 secp256k1_ge pub;
5201 secp256k1_scalar one;
5202 secp256k1_scalar msg, key;
5203 secp256k1_scalar sigr, sigs;
5204 int getrec;
5205 int recid;
5208 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
5209 secp256k1_ge_set_gej(&pub, &pubj);
5210 getrec = secp256k1_testrand_bits(1);
5211 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
5212 See the commit messages of the commit that introduced this comment for details. */
5213 if (getrec) {
5214 random_sign(&sigr, &sigs, &key, &msg, &recid);
5215 CHECK(recid >= 0 && recid < 4);
5216 } else {
5217 random_sign(&sigr, &sigs, &key, &msg, NULL);
5218 }
5219 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5220 secp256k1_scalar_set_int(&one, 1);
5221 secp256k1_scalar_add(&msg, &msg, &one);
5222 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5223}
5224
5226 int i;
5227 for (i = 0; i < 10*count; i++) {
5229 }
5230}
5231
5233static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5234 (void)msg32;
5235 (void)key32;
5236 (void)algo16;
5237 memcpy(nonce32, data, 32);
5238 return (counter == 0);
5239}
5240
5241static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5242 /* Dummy nonce generator that has a fatal error on the first counter value. */
5243 if (counter == 0) {
5244 return 0;
5245 }
5246 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
5247}
5248
5249static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5250 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
5251 if (counter < 3) {
5252 memset(nonce32, counter==0 ? 0 : 255, 32);
5253 if (counter == 2) {
5254 nonce32[31]--;
5255 }
5256 return 1;
5257 }
5258 if (counter < 5) {
5259 static const unsigned char order[] = {
5260 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5261 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5262 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5263 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
5264 };
5265 memcpy(nonce32, order, 32);
5266 if (counter == 4) {
5267 nonce32[31]++;
5268 }
5269 return 1;
5270 }
5271 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
5272 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
5273 if (counter > 5) {
5274 return 0;
5275 }
5276 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
5277}
5278
5280 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
5281 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
5282}
5283
5285 unsigned char extra[32] = {0x00};
5286 unsigned char privkey[32];
5287 unsigned char message[32];
5288 unsigned char privkey2[32];
5289 secp256k1_ecdsa_signature signature[6];
5290 secp256k1_scalar r, s;
5291 unsigned char sig[74];
5292 size_t siglen = 74;
5293 unsigned char pubkeyc[65];
5294 size_t pubkeyclen = 65;
5295 secp256k1_pubkey pubkey;
5296 secp256k1_pubkey pubkey_tmp;
5297 unsigned char seckey[300];
5298 size_t seckeylen = 300;
5299
5300 /* Generate a random key and message. */
5301 {
5302 secp256k1_scalar msg, key;
5305 secp256k1_scalar_get_b32(privkey, &key);
5306 secp256k1_scalar_get_b32(message, &msg);
5307 }
5308
5309 /* Construct and verify corresponding public key. */
5310 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
5311 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
5312
5313 /* Verify exporting and importing public key. */
5315 memset(&pubkey, 0, sizeof(pubkey));
5316 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5317
5318 /* Verify negation changes the key and changes it back */
5319 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
5320 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5321 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
5322 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5323 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
5324
5325 /* Verify private key import and export. */
5326 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
5327 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
5328 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
5329
5330 /* Optionally tweak the keys using addition. */
5331 if (secp256k1_testrand_int(3) == 0) {
5332 int ret1;
5333 int ret2;
5334 int ret3;
5335 unsigned char rnd[32];
5336 unsigned char privkey_tmp[32];
5337 secp256k1_pubkey pubkey2;
5339 memcpy(privkey_tmp, privkey, 32);
5340 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
5341 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
5342 /* Check that privkey alias gives same result */
5343 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
5344 CHECK(ret1 == ret2);
5345 CHECK(ret2 == ret3);
5346 if (ret1 == 0) {
5347 return;
5348 }
5349 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
5350 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
5351 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5352 }
5353
5354 /* Optionally tweak the keys using multiplication. */
5355 if (secp256k1_testrand_int(3) == 0) {
5356 int ret1;
5357 int ret2;
5358 int ret3;
5359 unsigned char rnd[32];
5360 unsigned char privkey_tmp[32];
5361 secp256k1_pubkey pubkey2;
5363 memcpy(privkey_tmp, privkey, 32);
5364 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
5365 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
5366 /* Check that privkey alias gives same result */
5367 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
5368 CHECK(ret1 == ret2);
5369 CHECK(ret2 == ret3);
5370 if (ret1 == 0) {
5371 return;
5372 }
5373 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
5374 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
5375 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5376 }
5377
5378 /* Sign. */
5379 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
5380 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
5381 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
5382 extra[31] = 1;
5383 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
5384 extra[31] = 0;
5385 extra[0] = 1;
5386 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
5387 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
5388 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
5389 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
5390 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
5391 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
5392 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
5393 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
5394 /* Verify. */
5395 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
5396 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
5397 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
5398 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
5399 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
5400 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
5401 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
5403 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
5404 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
5405 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5406 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
5407 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5408 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
5409 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
5411 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
5412 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5413 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
5414 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
5415
5416 /* Serialize/parse DER and verify again */
5417 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
5418 memset(&signature[0], 0, sizeof(signature[0]));
5419 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
5420 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
5421 /* Serialize/destroy/parse DER and verify again. */
5422 siglen = 74;
5423 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
5425 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
5426 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
5427}
5428
5430 secp256k1_ge elem;
5431 secp256k1_ge elem2;
5432 unsigned char in[65];
5433 /* Generate some randomly sized pubkeys. */
5434 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
5435 if (secp256k1_testrand_bits(2) == 0) {
5436 len = secp256k1_testrand_bits(6);
5437 }
5438 if (len == 65) {
5439 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
5440 } else {
5441 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
5442 }
5443 if (secp256k1_testrand_bits(3) == 0) {
5444 in[0] = secp256k1_testrand_bits(8);
5445 }
5446 if (len > 1) {
5447 secp256k1_testrand256(&in[1]);
5448 }
5449 if (len > 33) {
5450 secp256k1_testrand256(&in[33]);
5451 }
5452 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
5453 unsigned char out[65];
5454 unsigned char firstb;
5455 int res;
5456 size_t size = len;
5457 firstb = in[0];
5458 /* If the pubkey can be parsed, it should round-trip... */
5459 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
5460 CHECK(size == len);
5461 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
5462 /* ... except for the type of hybrid inputs. */
5463 if ((in[0] != 6) && (in[0] != 7)) {
5464 CHECK(in[0] == out[0]);
5465 }
5466 size = 65;
5467 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
5468 CHECK(size == 65);
5469 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
5470 ge_equals_ge(&elem,&elem2);
5471 /* Check that the X9.62 hybrid type is checked. */
5472 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
5473 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
5474 if (firstb == 2 || firstb == 3) {
5475 if (in[0] == firstb + 4) {
5476 CHECK(res);
5477 } else {
5478 CHECK(!res);
5479 }
5480 }
5481 if (res) {
5482 ge_equals_ge(&elem,&elem2);
5483 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
5484 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
5485 }
5486 }
5487}
5488
5490 unsigned char pk1_ser[33] = {
5491 0x02,
5492 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
5493 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
5494 };
5495 const unsigned char pk2_ser[33] = {
5496 0x02,
5497 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
5498 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
5499 };
5500 secp256k1_pubkey pk1;
5501 secp256k1_pubkey pk2;
5502 int32_t ecount = 0;
5503
5504 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
5505 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
5506
5508 CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
5509 CHECK(ecount == 1);
5510 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
5511 CHECK(ecount == 2);
5512 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
5513 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
5514 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
5515 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
5516 CHECK(ecount == 2);
5517 {
5518 secp256k1_pubkey pk_tmp;
5519 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
5520 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
5521 CHECK(ecount == 3);
5522 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
5523 CHECK(ecount == 5);
5524 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
5525 CHECK(ecount == 6);
5526 }
5527
5529
5530 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
5531 * an uncompressed encoding, these would have the opposite ordering */
5532 pk1_ser[0] = 3;
5533 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
5534 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
5535 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
5536}
5537
5539 int i;
5540 for (i = 0; i < 10*count; i++) {
5542 }
5543}
5544
5546 int i;
5547 for (i = 0; i < 64*count; i++) {
5549 }
5550}
5551
5552int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
5553 static const unsigned char zeroes[32] = {0};
5554
5555 int ret = 0;
5556
5558 unsigned char roundtrip_der[2048];
5559 unsigned char compact_der[64];
5560 size_t len_der = 2048;
5561 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
5562
5563 secp256k1_ecdsa_signature sig_der_lax;
5564 unsigned char roundtrip_der_lax[2048];
5565 unsigned char compact_der_lax[64];
5566 size_t len_der_lax = 2048;
5567 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
5568
5569 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
5570 if (parsed_der) {
5571 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
5572 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
5573 }
5574 if (valid_der) {
5575 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
5576 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
5577 }
5578
5579 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
5580 if (parsed_der_lax) {
5581 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
5582 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
5583 }
5584 if (valid_der_lax) {
5585 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
5586 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
5587 }
5588
5589 if (certainly_der) {
5590 ret |= (!parsed_der) << 2;
5591 }
5592 if (certainly_not_der) {
5593 ret |= (parsed_der) << 17;
5594 }
5595 if (valid_der) {
5596 ret |= (!roundtrips_der) << 3;
5597 }
5598
5599 if (valid_der) {
5600 ret |= (!roundtrips_der_lax) << 12;
5601 ret |= (len_der != len_der_lax) << 13;
5602 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
5603 }
5604 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
5605 if (parsed_der) {
5606 ret |= (!parsed_der_lax) << 16;
5607 }
5608
5609 return ret;
5610}
5611
5612static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
5613 size_t i;
5614 for (i = 0; i < ptrlen; i++) {
5615 int shift = ptrlen - 1 - i;
5616 if (shift >= 4) {
5617 ptr[i] = 0;
5618 } else {
5619 ptr[i] = (val >> shift) & 0xFF;
5620 }
5621 }
5622}
5623
5624static void damage_array(unsigned char *sig, size_t *len) {
5625 int pos;
5626 int action = secp256k1_testrand_bits(3);
5627 if (action < 1 && *len > 3) {
5628 /* Delete a byte. */
5629 pos = secp256k1_testrand_int(*len);
5630 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
5631 (*len)--;
5632 return;
5633 } else if (action < 2 && *len < 2048) {
5634 /* Insert a byte. */
5635 pos = secp256k1_testrand_int(1 + *len);
5636 memmove(sig + pos + 1, sig + pos, *len - pos);
5637 sig[pos] = secp256k1_testrand_bits(8);
5638 (*len)++;
5639 return;
5640 } else if (action < 4) {
5641 /* Modify a byte. */
5643 return;
5644 } else { /* action < 8 */
5645 /* Modify a bit. */
5647 return;
5648 }
5649}
5650
5651static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
5652 int der;
5653 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
5654 size_t tlen, elen, glen;
5655 int indet;
5656 int n;
5657
5658 *len = 0;
5659 der = secp256k1_testrand_bits(2) == 0;
5660 *certainly_der = der;
5661 *certainly_not_der = 0;
5662 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
5663
5664 for (n = 0; n < 2; n++) {
5665 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
5666 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
5667 /* The length of the number in bytes (the first byte of which will always be nonzero) */
5668 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
5669 CHECK(nlen[n] <= 232);
5670 /* The top bit of the number. */
5671 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
5672 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
5673 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
5674 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
5675 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
5676 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
5677 *certainly_not_der = 1;
5678 }
5679 CHECK(nlen[n] + nzlen[n] <= 300);
5680 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
5681 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
5682 if (!der) {
5683 /* nlenlen[n] max 127 bytes */
5684 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5685 nlenlen[n] += add;
5686 if (add != 0) {
5687 *certainly_not_der = 1;
5688 }
5689 }
5690 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
5691 }
5692
5693 /* The total length of the data to go, so far */
5694 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
5695 CHECK(tlen <= 856);
5696
5697 /* The length of the garbage inside the tuple. */
5698 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
5699 if (elen != 0) {
5700 *certainly_not_der = 1;
5701 }
5702 tlen += elen;
5703 CHECK(tlen <= 980);
5704
5705 /* The length of the garbage after the end of the tuple. */
5706 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
5707 if (glen != 0) {
5708 *certainly_not_der = 1;
5709 }
5710 CHECK(tlen + glen <= 990);
5711
5712 /* Write the tuple header. */
5713 sig[(*len)++] = 0x30;
5714 if (indet) {
5715 /* Indeterminate length */
5716 sig[(*len)++] = 0x80;
5717 *certainly_not_der = 1;
5718 } else {
5719 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
5720 if (!der) {
5721 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5722 tlenlen += add;
5723 if (add != 0) {
5724 *certainly_not_der = 1;
5725 }
5726 }
5727 if (tlenlen == 0) {
5728 /* Short length notation */
5729 sig[(*len)++] = tlen;
5730 } else {
5731 /* Long length notation */
5732 sig[(*len)++] = 128 + tlenlen;
5733 assign_big_endian(sig + *len, tlenlen, tlen);
5734 *len += tlenlen;
5735 }
5736 tlen += tlenlen;
5737 }
5738 tlen += 2;
5739 CHECK(tlen + glen <= 1119);
5740
5741 for (n = 0; n < 2; n++) {
5742 /* Write the integer header. */
5743 sig[(*len)++] = 0x02;
5744 if (nlenlen[n] == 0) {
5745 /* Short length notation */
5746 sig[(*len)++] = nlen[n] + nzlen[n];
5747 } else {
5748 /* Long length notation. */
5749 sig[(*len)++] = 128 + nlenlen[n];
5750 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
5751 *len += nlenlen[n];
5752 }
5753 /* Write zero padding */
5754 while (nzlen[n] > 0) {
5755 sig[(*len)++] = 0x00;
5756 nzlen[n]--;
5757 }
5758 if (nlen[n] == 32 && !nlow[n]) {
5759 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
5760 int i;
5761 for (i = 0; i < 16; i++) {
5762 sig[(*len)++] = 0xFF;
5763 }
5764 nlen[n] -= 16;
5765 }
5766 /* Write first byte of number */
5767 if (nlen[n] > 0) {
5768 sig[(*len)++] = nhbyte[n];
5769 nlen[n]--;
5770 }
5771 /* Generate remaining random bytes of number */
5772 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
5773 *len += nlen[n];
5774 nlen[n] = 0;
5775 }
5776
5777 /* Generate random garbage inside tuple. */
5778 secp256k1_testrand_bytes_test(sig + *len, elen);
5779 *len += elen;
5780
5781 /* Generate end-of-contents bytes. */
5782 if (indet) {
5783 sig[(*len)++] = 0;
5784 sig[(*len)++] = 0;
5785 tlen += 2;
5786 }
5787 CHECK(tlen + glen <= 1121);
5788
5789 /* Generate random garbage outside tuple. */
5790 secp256k1_testrand_bytes_test(sig + *len, glen);
5791 *len += glen;
5792 tlen += glen;
5793 CHECK(tlen <= 1121);
5794 CHECK(tlen == *len);
5795}
5796
5798 int i,j;
5799 for (i = 0; i < 200 * count; i++) {
5800 unsigned char buffer[2048];
5801 size_t buflen = 0;
5802 int certainly_der = 0;
5803 int certainly_not_der = 0;
5804 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5805 CHECK(buflen <= 2048);
5806 for (j = 0; j < 16; j++) {
5807 int ret = 0;
5808 if (j > 0) {
5809 damage_array(buffer, &buflen);
5810 /* We don't know anything anymore about the DERness of the result */
5811 certainly_der = 0;
5812 certainly_not_der = 0;
5813 }
5814 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
5815 if (ret != 0) {
5816 size_t k;
5817 fprintf(stderr, "Failure %x on ", ret);
5818 for (k = 0; k < buflen; k++) {
5819 fprintf(stderr, "%02x ", buffer[k]);
5820 }
5821 fprintf(stderr, "\n");
5822 }
5823 CHECK(ret == 0);
5824 }
5825 }
5826}
5827
5828/* Tests several edge cases. */
5830 int t;
5832
5833 /* Test the case where ECDSA recomputes a point that is infinity. */
5834 {
5835 secp256k1_gej keyj;
5836 secp256k1_ge key;
5837 secp256k1_scalar msg;
5838 secp256k1_scalar sr, ss;
5840 secp256k1_scalar_negate(&ss, &ss);
5841 secp256k1_scalar_inverse(&ss, &ss);
5844 secp256k1_ge_set_gej(&key, &keyj);
5845 msg = ss;
5846 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5847 }
5848
5849 /* Verify signature with r of zero fails. */
5850 {
5851 const unsigned char pubkey_mods_zero[33] = {
5852 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5853 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5854 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5855 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5856 0x41
5857 };
5858 secp256k1_ge key;
5859 secp256k1_scalar msg;
5860 secp256k1_scalar sr, ss;
5862 secp256k1_scalar_set_int(&msg, 0);
5864 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5865 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5866 }
5867
5868 /* Verify signature with s of zero fails. */
5869 {
5870 const unsigned char pubkey[33] = {
5871 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5872 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5873 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5874 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5875 0x01
5876 };
5877 secp256k1_ge key;
5878 secp256k1_scalar msg;
5879 secp256k1_scalar sr, ss;
5881 secp256k1_scalar_set_int(&msg, 0);
5883 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5884 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5885 }
5886
5887 /* Verify signature with message 0 passes. */
5888 {
5889 const unsigned char pubkey[33] = {
5890 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5891 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5892 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5893 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5894 0x02
5895 };
5896 const unsigned char pubkey2[33] = {
5897 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5898 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5899 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5900 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5901 0x43
5902 };
5903 secp256k1_ge key;
5904 secp256k1_ge key2;
5905 secp256k1_scalar msg;
5906 secp256k1_scalar sr, ss;
5908 secp256k1_scalar_set_int(&msg, 0);
5910 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5911 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5912 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5913 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5914 secp256k1_scalar_negate(&ss, &ss);
5915 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5916 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5918 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5919 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5920 }
5921
5922 /* Verify signature with message 1 passes. */
5923 {
5924 const unsigned char pubkey[33] = {
5925 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5926 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5927 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5928 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5929 0x25
5930 };
5931 const unsigned char pubkey2[33] = {
5932 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5933 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5934 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5935 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5936 0x62
5937 };
5938 const unsigned char csr[32] = {
5939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5941 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5942 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5943 };
5944 secp256k1_ge key;
5945 secp256k1_ge key2;
5946 secp256k1_scalar msg;
5947 secp256k1_scalar sr, ss;
5949 secp256k1_scalar_set_int(&msg, 1);
5950 secp256k1_scalar_set_b32(&sr, csr, NULL);
5951 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5952 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5953 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5954 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5955 secp256k1_scalar_negate(&ss, &ss);
5956 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5957 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5960 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5961 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5962 }
5963
5964 /* Verify signature with message -1 passes. */
5965 {
5966 const unsigned char pubkey[33] = {
5967 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5968 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5969 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5970 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5971 0xf1
5972 };
5973 const unsigned char csr[32] = {
5974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5976 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5977 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5978 };
5979 secp256k1_ge key;
5980 secp256k1_scalar msg;
5981 secp256k1_scalar sr, ss;
5983 secp256k1_scalar_set_int(&msg, 1);
5984 secp256k1_scalar_negate(&msg, &msg);
5985 secp256k1_scalar_set_b32(&sr, csr, NULL);
5986 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5987 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5988 secp256k1_scalar_negate(&ss, &ss);
5989 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5992 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5993 }
5994
5995 /* Signature where s would be zero. */
5996 {
5997 secp256k1_pubkey pubkey;
5998 size_t siglen;
5999 int32_t ecount;
6000 unsigned char signature[72];
6001 static const unsigned char nonce[32] = {
6002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6004 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6005 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6006 };
6007 static const unsigned char nonce2[32] = {
6008 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6009 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6010 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6011 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6012 };
6013 const unsigned char key[32] = {
6014 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6018 };
6019 unsigned char msg[32] = {
6020 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6021 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6022 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6023 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6024 };
6025 ecount = 0;
6027 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6028 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6029 msg[31] = 0xaa;
6030 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6031 CHECK(ecount == 0);
6032 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6033 CHECK(ecount == 1);
6034 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6035 CHECK(ecount == 2);
6036 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6037 CHECK(ecount == 3);
6038 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6039 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
6040 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
6041 CHECK(ecount == 4);
6042 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
6043 CHECK(ecount == 5);
6044 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
6045 CHECK(ecount == 6);
6046 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
6047 CHECK(ecount == 6);
6048 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6049 CHECK(ecount == 7);
6050 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
6051 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
6052 CHECK(ecount == 8);
6053 siglen = 72;
6054 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
6055 CHECK(ecount == 9);
6056 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
6057 CHECK(ecount == 10);
6058 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
6059 CHECK(ecount == 11);
6060 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
6061 CHECK(ecount == 11);
6062 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
6063 CHECK(ecount == 12);
6064 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
6065 CHECK(ecount == 13);
6066 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
6067 CHECK(ecount == 13);
6068 siglen = 10;
6069 /* Too little room for a signature does not fail via ARGCHECK. */
6070 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
6071 CHECK(ecount == 13);
6072 ecount = 0;
6074 CHECK(ecount == 1);
6076 CHECK(ecount == 2);
6078 CHECK(ecount == 3);
6080 CHECK(ecount == 3);
6081 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
6082 CHECK(ecount == 4);
6084 CHECK(ecount == 5);
6086 CHECK(ecount == 5);
6087 memset(signature, 255, 64);
6089 CHECK(ecount == 5);
6091 }
6092
6093 /* Nonce function corner cases. */
6094 for (t = 0; t < 2; t++) {
6095 static const unsigned char zero[32] = {0x00};
6096 int i;
6097 unsigned char key[32];
6098 unsigned char msg[32];
6100 secp256k1_scalar sr[512], ss;
6101 const unsigned char *extra;
6102 extra = t == 0 ? NULL : zero;
6103 memset(msg, 0, 32);
6104 msg[31] = 1;
6105 /* High key results in signature failure. */
6106 memset(key, 0xFF, 32);
6107 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6109 /* Zero key results in signature failure. */
6110 memset(key, 0, 32);
6111 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6113 /* Nonce function failure results in signature failure. */
6114 key[31] = 1;
6115 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
6117 /* The retry loop successfully makes its way to the first good value. */
6118 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
6120 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
6121 CHECK(!is_empty_signature(&sig2));
6122 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6123 /* The default nonce function is deterministic. */
6124 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6125 CHECK(!is_empty_signature(&sig2));
6126 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6127 /* The default nonce function changes output with different messages. */
6128 for(i = 0; i < 256; i++) {
6129 int j;
6130 msg[0] = i;
6131 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6132 CHECK(!is_empty_signature(&sig2));
6133 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6134 for (j = 0; j < i; j++) {
6135 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6136 }
6137 }
6138 msg[0] = 0;
6139 msg[31] = 2;
6140 /* The default nonce function changes output with different keys. */
6141 for(i = 256; i < 512; i++) {
6142 int j;
6143 key[0] = i - 256;
6144 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6145 CHECK(!is_empty_signature(&sig2));
6146 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6147 for (j = 0; j < i; j++) {
6148 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6149 }
6150 }
6151 key[0] = 0;
6152 }
6153
6154 {
6155 /* Check that optional nonce arguments do not have equivalent effect. */
6156 const unsigned char zeros[32] = {0};
6157 unsigned char nonce[32];
6158 unsigned char nonce2[32];
6159 unsigned char nonce3[32];
6160 unsigned char nonce4[32];
6161 VG_UNDEF(nonce,32);
6162 VG_UNDEF(nonce2,32);
6163 VG_UNDEF(nonce3,32);
6164 VG_UNDEF(nonce4,32);
6165 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
6166 VG_CHECK(nonce,32);
6167 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
6168 VG_CHECK(nonce2,32);
6169 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
6170 VG_CHECK(nonce3,32);
6171 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
6172 VG_CHECK(nonce4,32);
6173 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
6174 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
6175 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
6176 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
6177 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
6178 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
6179 }
6180
6181
6182 /* Privkey export where pubkey is the point at infinity. */
6183 {
6184 unsigned char privkey[300];
6185 unsigned char seckey[32] = {
6186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6187 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6188 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6189 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
6190 };
6191 size_t outlen = 300;
6192 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
6193 outlen = 300;
6194 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
6195 }
6196}
6197
6200}
6201
6202#ifdef ENABLE_MODULE_ECDH
6203# include "modules/ecdh/tests_impl.h"
6204#endif
6205
6206#ifdef ENABLE_MODULE_MULTISET
6208#endif
6209
6210#ifdef ENABLE_MODULE_RECOVERY
6212#endif
6213
6214#ifdef ENABLE_MODULE_SCHNORR
6216#endif
6217
6218#ifdef ENABLE_MODULE_EXTRAKEYS
6220#endif
6221
6222#ifdef ENABLE_MODULE_SCHNORRSIG
6224#endif
6225
6227 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
6228 unsigned char buf2[sizeof(buf1)];
6229
6230 /* secp256k1_memczero(..., ..., 0) is a noop. */
6231 memcpy(buf2, buf1, sizeof(buf1));
6232 secp256k1_memczero(buf1, sizeof(buf1), 0);
6233 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6234
6235 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
6236 memset(buf2, 0, sizeof(buf2));
6237 secp256k1_memczero(buf1, sizeof(buf1) , 1);
6238 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6239}
6240
6241void int_cmov_test(void) {
6242 int r = INT_MAX;
6243 int a = 0;
6244
6245 secp256k1_int_cmov(&r, &a, 0);
6246 CHECK(r == INT_MAX);
6247
6248 r = 0; a = INT_MAX;
6249 secp256k1_int_cmov(&r, &a, 1);
6250 CHECK(r == INT_MAX);
6251
6252 a = 0;
6253 secp256k1_int_cmov(&r, &a, 1);
6254 CHECK(r == 0);
6255
6256 a = 1;
6257 secp256k1_int_cmov(&r, &a, 1);
6258 CHECK(r == 1);
6259
6260 r = 1; a = 0;
6261 secp256k1_int_cmov(&r, &a, 0);
6262 CHECK(r == 1);
6263
6264}
6265
6266void fe_cmov_test(void) {
6267 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6268 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6269 static const secp256k1_fe max = SECP256K1_FE_CONST(
6270 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6271 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6272 );
6273 secp256k1_fe r = max;
6274 secp256k1_fe a = zero;
6275
6276 secp256k1_fe_cmov(&r, &a, 0);
6277 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6278
6279 r = zero; a = max;
6280 secp256k1_fe_cmov(&r, &a, 1);
6281 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6282
6283 a = zero;
6284 secp256k1_fe_cmov(&r, &a, 1);
6285 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6286
6287 a = one;
6288 secp256k1_fe_cmov(&r, &a, 1);
6289 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6290
6291 r = one; a = zero;
6292 secp256k1_fe_cmov(&r, &a, 0);
6293 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6294}
6295
6297 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6298 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6300 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6301 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6302 );
6303 secp256k1_fe_storage r = max;
6304 secp256k1_fe_storage a = zero;
6305
6306 secp256k1_fe_storage_cmov(&r, &a, 0);
6307 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6308
6309 r = zero; a = max;
6310 secp256k1_fe_storage_cmov(&r, &a, 1);
6311 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6312
6313 a = zero;
6314 secp256k1_fe_storage_cmov(&r, &a, 1);
6315 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6316
6317 a = one;
6318 secp256k1_fe_storage_cmov(&r, &a, 1);
6319 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6320
6321 r = one; a = zero;
6322 secp256k1_fe_storage_cmov(&r, &a, 0);
6323 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6324}
6325
6327 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6328 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6329 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
6330 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6331 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6332 );
6333 secp256k1_scalar r = max;
6334 secp256k1_scalar a = zero;
6335
6336 secp256k1_scalar_cmov(&r, &a, 0);
6337 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6338
6339 r = zero; a = max;
6340 secp256k1_scalar_cmov(&r, &a, 1);
6341 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6342
6343 a = zero;
6344 secp256k1_scalar_cmov(&r, &a, 1);
6345 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6346
6347 a = one;
6348 secp256k1_scalar_cmov(&r, &a, 1);
6349 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6350
6351 r = one; a = zero;
6352 secp256k1_scalar_cmov(&r, &a, 0);
6353 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6354}
6355
6357 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
6358 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
6360 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6361 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6362 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6363 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6364 );
6365 secp256k1_ge_storage r = max;
6366 secp256k1_ge_storage a = zero;
6367
6368 secp256k1_ge_storage_cmov(&r, &a, 0);
6369 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6370
6371 r = zero; a = max;
6372 secp256k1_ge_storage_cmov(&r, &a, 1);
6373 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6374
6375 a = zero;
6376 secp256k1_ge_storage_cmov(&r, &a, 1);
6377 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6378
6379 a = one;
6380 secp256k1_ge_storage_cmov(&r, &a, 1);
6381 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6382
6383 r = one; a = zero;
6384 secp256k1_ge_storage_cmov(&r, &a, 0);
6385 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6386}
6387
6388void run_cmov_tests(void) {
6389 int_cmov_test();
6390 fe_cmov_test();
6394}
6395
6396int main(int argc, char **argv) {
6397 /* Disable buffering for stdout to improve reliability of getting
6398 * diagnostic information. Happens right at the start of main because
6399 * setbuf must be used before any other operation on the stream. */
6400 setbuf(stdout, NULL);
6401 /* Also disable buffering for stderr because it's not guaranteed that it's
6402 * unbuffered on all systems. */
6403 setbuf(stderr, NULL);
6404
6405 /* find iteration count */
6406 if (argc > 1) {
6407 count = strtol(argv[1], NULL, 0);
6408 } else {
6409 const char* env = getenv("SECP256K1_TEST_ITERS");
6410 if (env && strlen(env) > 0) {
6411 count = strtol(env, NULL, 0);
6412 }
6413 }
6414 if (count <= 0) {
6415 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
6416 return EXIT_FAILURE;
6417 }
6418 printf("test count = %i\n", count);
6419
6420 /* find random seed */
6421 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
6422
6423 /* initialize */
6428 if (secp256k1_testrand_bits(1)) {
6429 unsigned char rand32[32];
6430 secp256k1_testrand256(rand32);
6432 }
6433
6434 run_rand_bits();
6435 run_rand_int();
6436
6437 run_ctz_tests();
6440
6445
6446 /* scalar tests */
6448
6449 /* field tests */
6452 run_sqr();
6453 run_sqrt();
6454
6455 /* group tests */
6456 run_ge();
6458
6459 /* ecmult tests */
6460 run_wnaf();
6469
6470 /* endomorphism tests */
6472
6473 /* EC point parser test */
6475
6476 /* EC key edge cases */
6478
6479 /* EC key arithmetic test */
6481
6482#ifdef ENABLE_MODULE_ECDH
6483 /* ecdh tests */
6485#endif
6486
6487 /* ecdsa tests */
6494
6495#ifdef ENABLE_MODULE_MULTISET
6497#endif
6498
6499#ifdef ENABLE_MODULE_RECOVERY
6500 /* ECDSA pubkey recovery tests */
6502#endif
6503
6504#ifdef ENABLE_MODULE_SCHNORR
6505 /* Schnorr signature tests */
6507#endif
6508
6509#ifdef ENABLE_MODULE_EXTRAKEYS
6511#endif
6512
6513#ifdef ENABLE_MODULE_SCHNORRSIG
6515#endif
6516
6517 /* util tests */
6519
6521
6523
6524 /* shutdown */
6526
6527 printf("no problems found\n");
6528 return 0;
6529}
void run_ecdh_tests(void)
Definition: tests_impl.h:126
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:71
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:825
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:953
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:64
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:636
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:377
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:944
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:577
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:76
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:796
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:78
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:73
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:70
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:1016
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:863
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:1034
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:621
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:63
volatile double sum
Definition: examples.cpp:10
void run_extrakeys_tests(void)
Definition: tests_impl.h:574
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize.
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small integer.
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
static int secp256k1_fe_normalizes_to_zero_var(secp256k1_fe *r)
Verify whether a field element represents zero i.e.
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
static void secp256k1_fe_normalize(secp256k1_fe *r)
Field element module.
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
static int secp256k1_fe_normalizes_to_zero(secp256k1_fe *r)
Verify whether a field element represents zero i.e.
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:47
static const secp256k1_fe secp256k1_fe_one
Definition: field_impl.h:143
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:31
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:38
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:19
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:30
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static const secp256k1_ge secp256k1_ge_const_g
Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2....
Definition: group_impl.h:52
int ec_privkey_export_der(const secp256k1_context *ctx, uint8_t *privkey, size_t *privkeylen, const uint8_t *key32, bool compressed)
This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1 http://www....
Definition: key.cpp:101
int ec_privkey_import_der(const secp256k1_context *ctx, uint8_t *out32, const uint8_t *privkey, size_t privkeylen)
These functions are taken from the libsecp256k1 distribution and are very ugly.
Definition: key.cpp:40
static void pool cs
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
void run_multiset_tests(void)
Definition: tests_impl.h:336
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
SchnorrSig sig
Definition: processor.cpp:521
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:28
void run_recovery_tests(void)
Definition: tests_impl.h:381
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:64
void run_schnorr_tests(void)
Definition: tests_impl.h:512
void run_schnorrsig_tests(void)
Definition: tests_impl.h:877
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:327
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:238
#define VG_CHECK(x, y)
Definition: util.h:80
#define ALIGNMENT
Definition: util.h:113
#define VG_UNDEF(x, y)
Definition: util.h:79
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:309
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:298
#define CHECK(cond)
Definition: util.h:53
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:286
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:205
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:359
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:245
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:264
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:44
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:472
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:345
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:708
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:174
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:221
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:84
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:756
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:617
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:296
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:319
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:576
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:561
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:764
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:278
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:176
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:632
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:599
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:788
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:179
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:177
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:690
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:679
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:180
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:728
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:406
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:636
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:226
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:173
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:663
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:732
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:418
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:188
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:106
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:118
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:86
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:163
secp256k1_scalar * sc
Definition: tests.c:3664
secp256k1_ge * pt
Definition: tests.c:3665
void(* fn)(const char *text, void *data)
Definition: util.h:20
secp256k1_callback error_callback
Definition: secp256k1.c:73
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:71
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:70
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_scalar blind
Definition: ecmult_gen.h:34
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
int infinity
Definition: group.h:16
secp256k1_fe x
Definition: group.h:14
secp256k1_fe y
Definition: group.h:15
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
secp256k1_fe y
Definition: group.h:25
secp256k1_fe x
Definition: group.h:24
int infinity
Definition: group.h:27
secp256k1_fe z
Definition: group.h:26
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:25
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:29
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
uint64_t d[4]
Definition: scalar_4x64.h:14
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static uint32_t secp256k1_testrand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
static void secp256k1_testrand_finish(void)
Print final test information.
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static uint32_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:4042
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:116
void run_group_decompress(void)
Definition: tests.c:3349
void run_random_pubkeys(void)
Definition: tests.c:5538
static secp256k1_context * ctx
Definition: tests.c:32
void scalar_test(void)
Definition: tests.c:1575
void test_intialized_inf(void)
Definition: tests.c:3145
void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:3488
void fe_cmov_test(void)
Definition: tests.c:6266
void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:2638
void run_modinv_tests(void)
Definition: tests.c:936
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:5552
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:3994
void run_ec_pubkey_parse_test(void)
Definition: tests.c:4572
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:5241
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:5249
#define SECP256K1_EC_PARSE_TEST_NINVALID
void run_endomorphism_tests(void)
Definition: tests.c:4476
void run_sha256_tests(void)
Definition: tests.c:436
void ecmult_const_random_mult(void)
Definition: tests.c:3560
void test_ge(void)
Definition: tests.c:2959
void run_eckey_edge_case_test(void)
Definition: tests.c:4900
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:4428
void run_ec_combine(void)
Definition: tests.c:3278
int main(int argc, char **argv)
Definition: tests.c:6396
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:3941
void run_cmov_tests(void)
Definition: tests.c:6388
void run_field_convert(void)
Definition: tests.c:2414
void test_ecdsa_end_to_end(void)
Definition: tests.c:5284
#define SECP256K1_EC_PARSE_TEST_NVALID
void run_field_misc(void)
Definition: tests.c:2453
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:2549
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:60
void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:680
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:103
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:3424
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:5651
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:3683
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:5191
void int_cmov_test(void)
Definition: tests.c:6241
void run_ctz_tests(void)
Definition: tests.c:415
void ecmult_const_chain_multiply(void)
Definition: tests.c:3630
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:5612
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:76
void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:795
void scalar_cmov_test(void)
Definition: tests.c:6326
void run_hmac_sha256_tests(void)
Definition: tests.c:472
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:2911
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:626
void run_rand_int(void)
Definition: tests.c:650
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:2375
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:2942
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4132
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:5279
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2385
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:5233
void test_add_neg_y_diff_x(void)
Definition: tests.c:3177
void run_ecdsa_sign_verify(void)
Definition: tests.c:5225
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:2599
void run_rand_bits(void)
Definition: tests.c:642
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:88
int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:906
void run_ecmult_constants(void)
Definition: tests.c:4401
void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:129
void run_pubkey_comparison(void)
Definition: tests.c:5489
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:2921
void test_random_pubkeys(void)
Definition: tests.c:5429
void run_sqrt(void)
Definition: tests.c:2563
void test_ecdsa_sign_verify(void)
Definition: tests.c:5198
void ge_storage_cmov_test(void)
Definition: tests.c:6356
void run_inverse_tests(void)
Definition: tests.c:2663
void run_ge(void)
Definition: tests.c:3244
void ecmult_const_mult_zero_one(void)
Definition: tests.c:3608
void test_ecmult_constants(void)
Definition: tests.c:4368
void run_ecdsa_end_to_end(void)
Definition: tests.c:5545
void ecmult_const_commutativity(void)
Definition: tests.c:3587
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4181
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:4497
void test_ecmult_gen_blind(void)
Definition: tests.c:4405
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:3668
void fe_storage_cmov_test(void)
Definition: tests.c:6296
void run_ecmult_near_split_bound(void)
Definition: tests.c:3527
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4221
void test_ecdsa_edge_cases(void)
Definition: tests.c:5829
void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:2616
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:3285
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:4258
void run_ecmult_gen_blind(void)
Definition: tests.c:4440
void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:1740
void run_secp256k1_memczero_test(void)
Definition: tests.c:6226
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2398
void run_point_times_order(void)
Definition: tests.c:3539
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:42
void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:4449
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:3465
void run_eckey_negate_test(void)
Definition: tests.c:5156
void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:762
static int count
Definition: tests.c:31
void random_fe(secp256k1_fe *x)
Definition: tests.c:2365
void test_fixed_wnaf_small(void)
Definition: tests.c:4268
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:3961
void run_ecmult_multi_tests(void)
Definition: tests.c:4109
void run_ecdsa_edge_cases(void)
Definition: tests.c:6198
void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:3921
int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2444
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:4166
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:516
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:3675
void run_tagged_sha256_tests(void)
Definition: tests.c:557
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2406
void run_sqr(void)
Definition: tests.c:2533
void run_ecmult_chain(void)
Definition: tests.c:3360
void run_ecdsa_der_parse(void)
Definition: tests.c:5797
void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:780
uint64_t modinv2p64(uint64_t x)
Definition: tests.c:664
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:50
void run_wnaf(void)
Definition: tests.c:4322
void run_scratch_tests(void)
Definition: tests.c:332
void run_context_tests(int use_prealloc)
Definition: tests.c:135
void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:771
void test_ec_combine(void)
Definition: tests.c:3253
void run_ecmult_const_tests(void)
Definition: tests.c:3656
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:5624
void test_rand_bits(int rand32, int bits)
Definition: tests.c:591
void run_scalar_tests(void)
Definition: tests.c:1757
static const secp256k1_fe fe_minus_one
Definition: tests.c:2604