Bitcoin ABC 0.32.8
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14
15#include <time.h>
16
17#include "secp256k1.c"
18#include "../include/secp256k1.h"
19#include "../include/secp256k1_preallocated.h"
20#include "testrand_impl.h"
21#include "util.h"
22
23#include "../contrib/lax_der_parsing.c"
24#include "../contrib/lax_der_privatekey_parsing.c"
25
26#include "modinv32_impl.h"
27#ifdef SECP256K1_WIDEMUL_INT128
28#include "modinv64_impl.h"
29#endif
30
31#define CONDITIONAL_TEST(cnt, nam) if (count < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
32
33static int count = 64;
34static secp256k1_context *ctx = NULL;
35
36static void counting_illegal_callback_fn(const char* str, void* data) {
37 /* Dummy callback function that just counts. */
38 int32_t *p;
39 (void)str;
40 p = data;
41 (*p)++;
42}
43
44static void uncounting_illegal_callback_fn(const char* str, void* data) {
45 /* Dummy callback function that just counts (backwards). */
46 int32_t *p;
47 (void)str;
48 p = data;
49 (*p)--;
50}
51
52void random_field_element_test(secp256k1_fe *fe) {
53 do {
54 unsigned char b32[32];
55 secp256k1_testrand256_test(b32);
56 if (secp256k1_fe_set_b32(fe, b32)) {
57 break;
58 }
59 } while(1);
60}
61
62void random_field_element_magnitude(secp256k1_fe *fe) {
63 secp256k1_fe zero;
64 int n = secp256k1_testrand_int(9);
65 secp256k1_fe_normalize(fe);
66 if (n == 0) {
67 return;
68 }
69 secp256k1_fe_clear(&zero);
70 secp256k1_fe_negate(&zero, &zero, 0);
71 secp256k1_fe_mul_int(&zero, n - 1);
72 secp256k1_fe_add(fe, &zero);
73#ifdef VERIFY
74 CHECK(fe->magnitude == n);
75#endif
76}
77
78void random_group_element_test(secp256k1_ge *ge) {
79 secp256k1_fe fe;
80 do {
81 random_field_element_test(&fe);
82 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
83 secp256k1_fe_normalize(&ge->y);
84 break;
85 }
86 } while(1);
87 ge->infinity = 0;
88}
89
90void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
91 secp256k1_fe z2, z3;
92 do {
93 random_field_element_test(&gej->z);
94 if (!secp256k1_fe_is_zero(&gej->z)) {
95 break;
96 }
97 } while(1);
98 secp256k1_fe_sqr(&z2, &gej->z);
99 secp256k1_fe_mul(&z3, &z2, &gej->z);
100 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
101 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
102 gej->infinity = ge->infinity;
103}
104
105void random_gej_test(secp256k1_gej *gej) {
106 secp256k1_ge ge;
107 random_group_element_test(&ge);
108 random_group_element_jacobian_test(gej, &ge);
109}
110
111void random_scalar_order_test(secp256k1_scalar *num) {
112 do {
113 unsigned char b32[32];
114 int overflow = 0;
115 secp256k1_testrand256_test(b32);
116 secp256k1_scalar_set_b32(num, b32, &overflow);
117 if (overflow || secp256k1_scalar_is_zero(num)) {
118 continue;
119 }
120 break;
121 } while(1);
122}
123
124void random_scalar_order(secp256k1_scalar *num) {
125 do {
126 unsigned char b32[32];
127 int overflow = 0;
128 secp256k1_testrand256(b32);
129 secp256k1_scalar_set_b32(num, b32, &overflow);
130 if (overflow || secp256k1_scalar_is_zero(num)) {
131 continue;
132 }
133 break;
134 } while(1);
135}
136
137void random_scalar_order_b32(unsigned char *b32) {
138 secp256k1_scalar num;
139 random_scalar_order(&num);
140 secp256k1_scalar_get_b32(b32, &num);
141}
142
143void run_context_tests(int use_prealloc) {
144 secp256k1_pubkey pubkey;
145 secp256k1_pubkey zero_pubkey;
146 secp256k1_ecdsa_signature sig;
147 unsigned char ctmp[32];
148 int32_t ecount;
149 int32_t ecount2;
150 secp256k1_context *none;
151 secp256k1_context *sign;
152 secp256k1_context *vrfy;
153 secp256k1_context *both;
154 secp256k1_context *sttc;
155 void *none_prealloc = NULL;
156 void *sign_prealloc = NULL;
157 void *vrfy_prealloc = NULL;
158 void *both_prealloc = NULL;
159 void *sttc_prealloc = NULL;
160
161 secp256k1_gej pubj;
162 secp256k1_ge pub;
163 secp256k1_scalar msg, key, nonce;
164 secp256k1_scalar sigr, sigs;
165
166 if (use_prealloc) {
167 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
168 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
169 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
170 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
171 sttc_prealloc = malloc(secp256k1_context_preallocated_clone_size(secp256k1_context_no_precomp));
172 CHECK(none_prealloc != NULL);
173 CHECK(sign_prealloc != NULL);
174 CHECK(vrfy_prealloc != NULL);
175 CHECK(both_prealloc != NULL);
176 CHECK(sttc_prealloc != NULL);
177 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
178 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
179 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
180 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
181 sttc = secp256k1_context_preallocated_clone(secp256k1_context_no_precomp, sttc_prealloc);
182 } else {
183 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
184 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
185 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
186 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
187 sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
188 }
189
190 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
191
192 ecount = 0;
193 ecount2 = 10;
194 secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
195 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
196 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
197 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
198 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
199 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
200
201 /* check if sizes for cloning are consistent */
202 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
203 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
204 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
205 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
206 CHECK(secp256k1_context_preallocated_clone_size(sttc) >= sizeof(secp256k1_context));
207
208 /*** clone and destroy all of them to make sure cloning was complete ***/
209 {
210 secp256k1_context *ctx_tmp;
211
212 if (use_prealloc) {
213 /* clone into a non-preallocated context and then again into a new preallocated one. */
214 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
215 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
216 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
217
218 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
219 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
220 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
221
222 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
223 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
224 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
225
226 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
227 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
228 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
229 } else {
230 /* clone into a preallocated context and then again into a new non-preallocated one. */
231 void *prealloc_tmp;
232
233 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
234 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
236 free(prealloc_tmp);
237
238 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
239 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
241 free(prealloc_tmp);
242
243 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
246 free(prealloc_tmp);
247
248 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
249 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
250 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
251 free(prealloc_tmp);
252 }
253 }
254
255 /* Verify that the error callback makes it across the clone. */
256 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
257 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
258 /* And that it resets back to default. */
259 secp256k1_context_set_error_callback(sign, NULL, NULL);
260 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
261
262 /*** attempt to use them ***/
263 random_scalar_order_test(&msg);
264 random_scalar_order_test(&key);
265 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
266 secp256k1_ge_set_gej(&pub, &pubj);
267
268 /* Verify context-type checking illegal-argument errors. */
269 memset(ctmp, 1, 32);
270 CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0);
271 CHECK(ecount == 1);
272 VG_UNDEF(&pubkey, sizeof(pubkey));
273 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
274 VG_CHECK(&pubkey, sizeof(pubkey));
275 CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0);
276 CHECK(ecount == 2);
277 VG_UNDEF(&sig, sizeof(sig));
278 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
279 VG_CHECK(&sig, sizeof(sig));
280 CHECK(ecount2 == 10);
281 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 1);
282 CHECK(ecount2 == 10);
283 CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1);
284 CHECK(ecount == 2);
285 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 1);
286 CHECK(ecount2 == 10);
287 CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1);
288 CHECK(ecount == 2);
289 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 1);
290 CHECK(ecount2 == 10);
291 CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1);
292 CHECK(ecount == 2);
293 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
294 CHECK(ecount == 2);
295 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
296 CHECK(ecount2 == 11);
297 CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0);
298 CHECK(ecount == 3);
299 CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1);
300 CHECK(ecount == 3);
301 CHECK(secp256k1_context_randomize(sttc, ctmp) == 1);
302 CHECK(ecount == 3);
303 CHECK(secp256k1_context_randomize(sttc, NULL) == 1);
304 CHECK(ecount == 3);
305 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
306 CHECK(ecount2 == 11);
307 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
308 CHECK(ecount2 == 11);
309 secp256k1_context_set_illegal_callback(sttc, NULL, NULL);
310 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
311
312 /* obtain a working nonce */
313 do {
314 random_scalar_order_test(&nonce);
315 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
316
317 /* try signing */
318 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
319 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
320
321 /* try verifying */
322 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
323 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
324
325 /* cleanup */
326 if (use_prealloc) {
327 secp256k1_context_preallocated_destroy(none);
328 secp256k1_context_preallocated_destroy(sign);
329 secp256k1_context_preallocated_destroy(vrfy);
330 secp256k1_context_preallocated_destroy(both);
331 secp256k1_context_preallocated_destroy(sttc);
332 free(none_prealloc);
333 free(sign_prealloc);
334 free(vrfy_prealloc);
335 free(both_prealloc);
336 free(sttc_prealloc);
337 } else {
338 secp256k1_context_destroy(none);
339 secp256k1_context_destroy(sign);
340 secp256k1_context_destroy(vrfy);
341 secp256k1_context_destroy(both);
342 secp256k1_context_destroy(sttc);
343 }
344 /* Defined as no-op. */
345 secp256k1_context_destroy(NULL);
346 secp256k1_context_preallocated_destroy(NULL);
347
348}
349
350void run_scratch_tests(void) {
351 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
352
353 int32_t ecount = 0;
354 size_t checkpoint;
355 size_t checkpoint_2;
356 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
357 secp256k1_scratch_space *scratch;
358 secp256k1_scratch_space local_scratch;
359
360 /* Test public API */
361 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
362 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
363
364 scratch = secp256k1_scratch_space_create(none, 1000);
365 CHECK(scratch != NULL);
366 CHECK(ecount == 0);
367
368 /* Test internal API */
369 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
371 CHECK(scratch->alloc_size == 0);
372 CHECK(scratch->alloc_size % ALIGNMENT == 0);
373
374 /* Allocating 500 bytes succeeds */
375 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
376 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
377 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
378 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
379 CHECK(scratch->alloc_size != 0);
380 CHECK(scratch->alloc_size % ALIGNMENT == 0);
381
382 /* Allocating another 501 bytes fails */
383 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
384 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
385 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
386 CHECK(scratch->alloc_size != 0);
387 CHECK(scratch->alloc_size % ALIGNMENT == 0);
388
389 /* ...but it succeeds once we apply the checkpoint to undo it */
390 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
391 CHECK(scratch->alloc_size == 0);
392 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
393 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
394 CHECK(scratch->alloc_size != 0);
395
396 /* try to apply a bad checkpoint */
397 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
398 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
399 CHECK(ecount == 0);
400 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
401 CHECK(ecount == 1);
402 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
403 CHECK(ecount == 2);
404
405 /* try to use badly initialized scratch space */
406 secp256k1_scratch_space_destroy(none, scratch);
407 memset(&local_scratch, 0, sizeof(local_scratch));
408 scratch = &local_scratch;
409 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
410 CHECK(ecount == 3);
411 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
412 CHECK(ecount == 4);
413 secp256k1_scratch_space_destroy(none, scratch);
414 CHECK(ecount == 5);
415
416 /* Test that large integers do not wrap around in a bad way */
417 scratch = secp256k1_scratch_space_create(none, 1000);
418 /* Try max allocation with a large number of objects. Only makes sense if
419 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
420 * space. */
421 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
422 /* Try allocating SIZE_MAX to test wrap around which only happens if
423 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
424 * space is too small. */
425 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
426 secp256k1_scratch_space_destroy(none, scratch);
427
428 /* cleanup */
429 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
430 secp256k1_context_destroy(none);
431}
432
433void run_ctz_tests(void) {
434 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
435 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
436 int shift;
437 unsigned i;
438 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
439 for (shift = 0; shift < 32; ++shift) {
440 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
441 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
442 }
443 }
444 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
445 for (shift = 0; shift < 64; ++shift) {
446 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
447 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
448 }
449 }
450}
451
452/***** HASH TESTS *****/
453
454void run_sha256_known_output_tests(void) {
455 static const char *inputs[] = {
456 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
457 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
458 "For this sample, this 63-byte string will be used as input data",
459 "This is exactly 64 bytes long, not counting the terminating byte",
460 "aaaaa",
461 };
462 static const unsigned int repeat[] = {
463 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
464 };
465 static const unsigned char outputs[][32] = {
466 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
467 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
468 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
469 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
470 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
471 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
472 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
473 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
474 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
475 };
476 unsigned int i, ninputs;
477
478 /* Skip last input vector for low iteration counts */
479 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
480 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
481
482 for (i = 0; i < ninputs; i++) {
483 unsigned char out[32];
484 secp256k1_sha256 hasher;
485 unsigned int j;
486 /* 1. Run: simply write the input bytestrings */
487 j = repeat[i];
488 secp256k1_sha256_initialize(&hasher);
489 while (j > 0) {
490 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
491 j--;
492 }
493 secp256k1_sha256_finalize(&hasher, out);
494 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
495 /* 2. Run: split the input bytestrings randomly before writing */
496 if (strlen(inputs[i]) > 0) {
497 int split = secp256k1_testrand_int(strlen(inputs[i]));
498 secp256k1_sha256_initialize(&hasher);
499 j = repeat[i];
500 while (j > 0) {
501 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
502 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
503 j--;
504 }
505 secp256k1_sha256_finalize(&hasher, out);
506 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
507 }
508 }
509}
510
555void run_sha256_counter_tests(void) {
556 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
557 static const secp256k1_sha256 midstates[] = {
558 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
559 {0x00}, 0xfffc0},
560 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
561 {0x00}, 0x1fffc0},
562 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
563 {0x00}, 0x3fffc0},
564 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
565 {0x00}, 0x7fffc0},
566 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
567 {0x00}, 0xffffc0},
568 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
569 {0x00}, 0x1ffffc0},
570 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
571 {0x00}, 0x3ffffc0},
572 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
573 {0x00}, 0x7ffffc0},
574 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
575 {0x00}, 0xfffffc0},
576 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
577 {0x00}, 0x1fffffc0},
578 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
579 {0x00}, 0x3fffffc0},
580 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
581 {0x00}, 0x7fffffc0},
582 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
583 {0x00}, 0xffffffc0},
584 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
585 {0x00}, 0x1ffffffc0},
586 };
587 static const unsigned char outputs[][32] = {
588 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
589 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
590 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
591 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
592 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
593 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
594 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
595 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
596 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
597 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
598 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
599 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
600 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
601 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
602 };
603 unsigned int i;
604 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
605 unsigned char out[32];
606 secp256k1_sha256 hasher = midstates[i];
607 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
608 secp256k1_sha256_finalize(&hasher, out);
609 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
610 }
611}
612
613void run_hmac_sha256_tests(void) {
614 static const char *keys[6] = {
615 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
616 "\x4a\x65\x66\x65",
617 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
618 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
619 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
620 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
621 };
622 static const char *inputs[6] = {
623 "\x48\x69\x20\x54\x68\x65\x72\x65",
624 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
625 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
626 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
627 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
628 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
629 };
630 static const unsigned char outputs[6][32] = {
631 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
632 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
633 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
634 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
635 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
636 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
637 };
638 int i;
639 for (i = 0; i < 6; i++) {
640 secp256k1_hmac_sha256 hasher;
641 unsigned char out[32];
642 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
643 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
644 secp256k1_hmac_sha256_finalize(&hasher, out);
645 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
646 if (strlen(inputs[i]) > 0) {
647 int split = secp256k1_testrand_int(strlen(inputs[i]));
648 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
649 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
650 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
651 secp256k1_hmac_sha256_finalize(&hasher, out);
652 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
653 }
654 }
655}
656
657void run_rfc6979_hmac_sha256_tests(void) {
658 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
659 static const unsigned char out1[3][32] = {
660 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
661 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
662 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
663 };
664
665 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
666 static const unsigned char out2[3][32] = {
667 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
668 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
669 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
670 };
671
672 secp256k1_rfc6979_hmac_sha256 rng;
673 unsigned char out[32];
674 int i;
675
676 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
677 for (i = 0; i < 3; i++) {
678 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
679 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
680 }
681 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
682
683 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
684 for (i = 0; i < 3; i++) {
685 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
686 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
687 }
688 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
689
690 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
691 for (i = 0; i < 3; i++) {
692 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
693 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
694 }
695 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
696}
697
698void run_tagged_sha256_tests(void) {
699 int ecount = 0;
700 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
701 unsigned char tag[32] = { 0 };
702 unsigned char msg[32] = { 0 };
703 unsigned char hash32[32];
704 unsigned char hash_expected[32] = {
705 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
706 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
707 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
708 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
709 };
710
711 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
712
713 /* API test */
714 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
715 CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
716 CHECK(ecount == 1);
717 CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
718 CHECK(ecount == 2);
719 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
720 CHECK(ecount == 3);
721
722 /* Static test vector */
723 memcpy(tag, "tag", 3);
724 memcpy(msg, "msg", 3);
725 CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
726 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
727 secp256k1_context_destroy(none);
728}
729
730/***** RANDOM TESTS *****/
731
732void test_rand_bits(int rand32, int bits) {
733 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
734 * get a false negative chance below once in a billion */
735 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
736 /* We try multiplying the results with various odd numbers, which shouldn't
737 * influence the uniform distribution modulo a power of 2. */
738 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
739 /* We only select up to 6 bits from the output to analyse */
740 unsigned int usebits = bits > 6 ? 6 : bits;
741 unsigned int maxshift = bits - usebits;
742 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
743 number, track all observed outcomes, one per bit in a uint64_t. */
744 uint64_t x[6][27] = {{0}};
745 unsigned int i, shift, m;
746 /* Multiply the output of all rand calls with the odd number m, which
747 should not change the uniformity of its distribution. */
748 for (i = 0; i < rounds[usebits]; i++) {
749 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
750 CHECK((((uint64_t)r) >> bits) == 0);
751 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
752 uint32_t rm = r * mults[m];
753 for (shift = 0; shift <= maxshift; shift++) {
754 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
755 }
756 }
757 }
758 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
759 for (shift = 0; shift <= maxshift; shift++) {
760 /* Test that the lower usebits bits of x[shift] are 1 */
761 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
762 }
763 }
764}
765
766/* Subrange must be a whole divisor of range, and at most 64 */
767void test_rand_int(uint32_t range, uint32_t subrange) {
768 /* (1-1/subrange)^rounds < 1/10^9 */
769 int rounds = (subrange * 2073) / 100;
770 int i;
771 uint64_t x = 0;
772 CHECK((range % subrange) == 0);
773 for (i = 0; i < rounds; i++) {
774 uint32_t r = secp256k1_testrand_int(range);
775 CHECK(r < range);
776 r = r % subrange;
777 x |= (((uint64_t)1) << r);
778 }
779 /* Test that the lower subrange bits of x are 1. */
780 CHECK(((~x) << (64 - subrange)) == 0);
781}
782
783void run_rand_bits(void) {
784 size_t b;
785 test_rand_bits(1, 32);
786 for (b = 1; b <= 32; b++) {
787 test_rand_bits(0, b);
788 }
789}
790
791void run_rand_int(void) {
792 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
793 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
794 unsigned int m, s;
795 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
796 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
797 test_rand_int(ms[m] * ss[s], ss[s]);
798 }
799 }
800}
801
802/***** MODINV TESTS *****/
803
804/* Compute the modular inverse of (odd) x mod 2^64. */
805uint64_t modinv2p64(uint64_t x) {
806 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
807 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
808 * why. Start with L=0, for which it is true for every odd x that
809 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
810 int l;
811 uint64_t w = 1;
812 CHECK(x & 1);
813 for (l = 0; l < 6; ++l) w *= (2 - w*x);
814 return w;
815}
816
817/* compute out = (a*b) mod m; if b=NULL, treat b=1.
818 *
819 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
820 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
821void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
822 uint16_t mul[32];
823 uint64_t c = 0;
824 int i, j;
825 int m_bitlen = 0;
826 int mul_bitlen = 0;
827
828 if (b != NULL) {
829 /* Compute the product of a and b, and put it in mul. */
830 for (i = 0; i < 32; ++i) {
831 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
832 c += (uint64_t)a[j] * b[i - j];
833 }
834 mul[i] = c & 0xFFFF;
835 c >>= 16;
836 }
837 CHECK(c == 0);
838
839 /* compute the highest set bit in mul */
840 for (i = 511; i >= 0; --i) {
841 if ((mul[i >> 4] >> (i & 15)) & 1) {
842 mul_bitlen = i;
843 break;
844 }
845 }
846 } else {
847 /* if b==NULL, set mul=a. */
848 memcpy(mul, a, 32);
849 memset(mul + 16, 0, 32);
850 /* compute the highest set bit in mul */
851 for (i = 255; i >= 0; --i) {
852 if ((mul[i >> 4] >> (i & 15)) & 1) {
853 mul_bitlen = i;
854 break;
855 }
856 }
857 }
858
859 /* Compute the highest set bit in m. */
860 for (i = 255; i >= 0; --i) {
861 if ((m[i >> 4] >> (i & 15)) & 1) {
862 m_bitlen = i;
863 break;
864 }
865 }
866
867 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
868 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
869 uint16_t mul2[32];
870 int64_t cs;
871
872 /* Compute mul2 = mul - m<<i. */
873 cs = 0; /* accumulator */
874 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
875 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
876 uint16_t sub = 0;
877 int p;
878 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
879 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
880 if (bitpos >= 0 && bitpos < 256) {
881 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
882 }
883 }
884 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
885 cs += mul[j];
886 cs -= sub;
887 mul2[j] = (cs & 0xFFFF);
888 cs >>= 16;
889 }
890 /* If remainder of subtraction is 0, set mul = mul2. */
891 if (cs == 0) {
892 memcpy(mul, mul2, sizeof(mul));
893 }
894 }
895 /* Sanity check: test that all limbs higher than m's highest are zero */
896 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
897 CHECK(mul[i] == 0);
898 }
899 memcpy(out, mul, 32);
900}
901
902/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
903void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
904 int i;
905 memset(out->v, 0, sizeof(out->v));
906 for (i = 0; i < 256; ++i) {
907 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
908 }
909}
910
911/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
912void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
913 int i;
914 memset(out, 0, 32);
915 for (i = 0; i < 256; ++i) {
916 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
917 }
918}
919
920/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
921void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
922 int i;
923 for (i = 0; i < 16; ++i) {
924 int pos = secp256k1_testrand_bits(3);
925 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
926 x->v[pos] -= 0x40000000;
927 x->v[pos + 1] += 1;
928 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
929 x->v[pos] += 0x40000000;
930 x->v[pos + 1] -= 1;
931 }
932 }
933}
934
935/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
936void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
937 uint16_t tmp[16];
938 secp256k1_modinv32_signed30 x;
939 secp256k1_modinv32_modinfo m;
940 int i, vartime, nonzero;
941
942 uint16_to_signed30(&x, in);
943 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
944 uint16_to_signed30(&m.modulus, mod);
945 mutate_sign_signed30(&m.modulus);
946
947 /* compute 1/modulus mod 2^30 */
948 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
949 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
950
951 for (vartime = 0; vartime < 2; ++vartime) {
952 /* compute inverse */
953 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
954
955 /* produce output */
956 signed30_to_uint16(out, &x);
957
958 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
959 mulmod256(tmp, out, in, mod);
960 CHECK(tmp[0] == nonzero);
961 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
962
963 /* invert again */
964 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
965
966 /* check if the result is equal to the input */
967 signed30_to_uint16(tmp, &x);
968 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
969 }
970}
971
972#ifdef SECP256K1_WIDEMUL_INT128
973/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
974void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
975 int i;
976 memset(out->v, 0, sizeof(out->v));
977 for (i = 0; i < 256; ++i) {
978 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
979 }
980}
981
982/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
983void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
984 int i;
985 memset(out, 0, 32);
986 for (i = 0; i < 256; ++i) {
987 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
988 }
989}
990
991/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
992void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
993 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
994 int i;
995 for (i = 0; i < 8; ++i) {
996 int pos = secp256k1_testrand_bits(2);
997 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
998 x->v[pos] -= (M62 + 1);
999 x->v[pos + 1] += 1;
1000 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1001 x->v[pos] += (M62 + 1);
1002 x->v[pos + 1] -= 1;
1003 }
1004 }
1005}
1006
1007/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1008void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1009 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1010 uint16_t tmp[16];
1011 secp256k1_modinv64_signed62 x;
1012 secp256k1_modinv64_modinfo m;
1013 int i, vartime, nonzero;
1014
1015 uint16_to_signed62(&x, in);
1016 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1017 uint16_to_signed62(&m.modulus, mod);
1018 mutate_sign_signed62(&m.modulus);
1019
1020 /* compute 1/modulus mod 2^62 */
1021 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1022 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1023
1024 for (vartime = 0; vartime < 2; ++vartime) {
1025 /* compute inverse */
1026 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1027
1028 /* produce output */
1029 signed62_to_uint16(out, &x);
1030
1031 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1032 mulmod256(tmp, out, in, mod);
1033 CHECK(tmp[0] == nonzero);
1034 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1035
1036 /* invert again */
1037 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1038
1039 /* check if the result is equal to the input */
1040 signed62_to_uint16(tmp, &x);
1041 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1042 }
1043}
1044#endif
1045
1046/* test if a and b are coprime */
1047int coprime(const uint16_t* a, const uint16_t* b) {
1048 uint16_t x[16], y[16], t[16];
1049 int i;
1050 int iszero;
1051 memcpy(x, a, 32);
1052 memcpy(y, b, 32);
1053
1054 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1055 while (1) {
1056 iszero = 1;
1057 for (i = 0; i < 16; ++i) {
1058 if (x[i] != 0) {
1059 iszero = 0;
1060 break;
1061 }
1062 }
1063 if (iszero) break;
1064 mulmod256(t, y, NULL, x);
1065 memcpy(y, x, 32);
1066 memcpy(x, t, 32);
1067 }
1068
1069 /* return whether y=1 */
1070 if (y[0] != 1) return 0;
1071 for (i = 1; i < 16; ++i) {
1072 if (y[i] != 0) return 0;
1073 }
1074 return 1;
1075}
1076
1077void run_modinv_tests(void) {
1078 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1079 static const uint16_t CASES[][3][16] = {
1080 /* Test cases triggering edge cases in divsteps */
1081
1082 /* Test case known to need 713 divsteps */
1083 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1084 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1085 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1086 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1087 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1088 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1089 /* Test case known to need 589 divsteps, reaching delta=-140 and
1090 delta=141. */
1091 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1092 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1093 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1094 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1095 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1096 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1097 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1098 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1099 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1100 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1101 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1102 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1103 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1104 /* example needing 713 divsteps; delta=-2..3 */
1105 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1106 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1107 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1108 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1109 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1110 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1111 /* example needing 713 divsteps; delta=-2..3 */
1112 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1113 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1114 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1115 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1116 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1117 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1118 /* example needing 713 divsteps; delta=-2..3 */
1119 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1120 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1121 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1122 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1123 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1124 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1125 /* example reaching delta=-64..65; 661 divsteps */
1126 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1127 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1128 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1129 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1130 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1131 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1132 /* example reaching delta=-64..65; 661 divsteps */
1133 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1134 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1135 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1136 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1137 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1138 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1139 /* example reaching delta=-64..65; 661 divsteps */
1140 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1141 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1142 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1143 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1144 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1145 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1146 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1147 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1148 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1149 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1150 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1151 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1152 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1153 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1154 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1155 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1156 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1157 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1158 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1159 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1160 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1161 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1162 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1163 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1164 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1165 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1166 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1167 /* example doing 446 (f,g/2) steps; 523 divsteps */
1168 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1169 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1170 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1171 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1172 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1173 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1174 /* example doing 446 (f,g/2) steps; 523 divsteps */
1175 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1176 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1177 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1178 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1179 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1180 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1181 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1182 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1183 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1184 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1185 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1186 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1187 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1188 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1189 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1190 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1191 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1192 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1193 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1194 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1195 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1196 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1197 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1198 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1199 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1200 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1201 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1202 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1203 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1204 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1205 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1206 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1207 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1208 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1209
1210 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1211
1212 /* example needing 590 divsteps; delta=-5/2..7/2 */
1213 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1214 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1215 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1216 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1217 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1218 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1219 /* example needing 590 divsteps; delta=-3/2..5/2 */
1220 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1221 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1222 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1223 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1224 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1225 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1226 /* example needing 590 divsteps; delta=-3/2..5/2 */
1227 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1228 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1229 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1230 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1231 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1232 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1233 /* example needing 590 divsteps; delta=-5/2..7/2 */
1234 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1235 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1236 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1237 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1238 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1239 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1240 /* example needing 590 divsteps; delta=-3/2..5/2 */
1241 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1242 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1243 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1244 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1245 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1246 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1247 /* example reaching delta=-127/2..129/2; 571 divsteps */
1248 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1249 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1250 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1251 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1252 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1253 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1254 /* example reaching delta=-127/2..129/2; 571 divsteps */
1255 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1256 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1257 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1258 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1259 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1260 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1261 /* example reaching delta=-127/2..129/2; 571 divsteps */
1262 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1263 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1264 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1265 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1266 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1267 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1268 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1269 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1270 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1271 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1272 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1273 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1274 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1275 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1276 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1277 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1278 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1279 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1280 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1281 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1282 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1283 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1284 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1285 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1286 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1287 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1288 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1289 /* example doing 453 (f,g/2) steps; 514 divsteps */
1290 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1291 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1292 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1293 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1294 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1295 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1296 /* example doing 453 (f,g/2) steps; 514 divsteps */
1297 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1298 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1299 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1300 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1301 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1302 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1303 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1304 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1305 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1306 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1307 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1308 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1309 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1310 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1311 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1312 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1313 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1314 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1315 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1316 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1317 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1318 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1319 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1320 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1321 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1322 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1323 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1324 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1325 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1326 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1327 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1328 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1329 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1330 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1331
1332 /* Test cases with the group order as modulus. */
1333
1334 /* Test case with the group order as modulus, needing 635 divsteps. */
1335 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1336 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1337 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1338 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1339 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1340 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1341 /* example with group size as modulus needing 631 divsteps */
1342 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1343 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1344 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1345 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1346 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1347 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1348 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1349 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1350 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1351 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1352 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1353 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1354 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1355 /* Test case with the group size as modulus, needing 981 divsteps with
1356 broken eta handling. */
1357 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1358 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1359 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1360 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1361 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1362 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1363 /* Test case with the group size as modulus, input = 0. */
1364 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1365 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1366 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1367 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1368 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1369 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1370 /* Test case with the group size as modulus, input = 1. */
1371 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1372 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1373 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1374 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1375 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1376 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1377 /* Test case with the group size as modulus, input = 2. */
1378 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1379 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1380 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1381 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1382 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1383 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1384 /* Test case with the group size as modulus, input = group - 1. */
1385 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1386 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1387 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1388 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1389 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1390 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1391
1392 /* Test cases with the field size as modulus. */
1393
1394 /* Test case with the field size as modulus, needing 637 divsteps. */
1395 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1396 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1397 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1398 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1399 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1400 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1401 /* example with field size as modulus needing 637 divsteps */
1402 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1403 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1404 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1405 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1406 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1407 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1408 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1409 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1410 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1411 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1412 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1413 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1414 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1415 /* Test case with the field size as modulus, needing 935 divsteps with
1416 broken eta handling. */
1417 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1418 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1419 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1420 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1421 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1422 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1423 /* Test case with the field size as modulus, input = 0. */
1424 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1425 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1426 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1427 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1428 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1429 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1430 /* Test case with the field size as modulus, input = 1. */
1431 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1432 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1433 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1434 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1435 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1436 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1437 /* Test case with the field size as modulus, input = 2. */
1438 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1439 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1440 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1441 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1442 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1443 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1444 /* Test case with the field size as modulus, input = field - 1. */
1445 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1446 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1447 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1448 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1449 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1450 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1451
1452 /* Selected from a large number of random inputs to reach small/large
1453 * d/e values in various configurations. */
1454 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1455 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1456 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1457 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1458 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1459 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1460 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1461 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1462 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1463 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1464 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1465 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1466 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1467 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1468 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1469 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1470 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1471 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1472 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1473 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1474 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1475 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1476 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1477 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1478 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1479 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1480 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1481 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1482 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1483 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1484 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1485 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1486 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1487 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1488 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1489 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1490 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1491 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1492 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1493 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1494 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1495 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1496 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1497 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1498 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1499 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1500 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1501 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1502 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1503 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1504 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1505 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1506 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1507 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1508 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1509 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1510 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1511 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1512 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1513 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1514 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1515 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1516 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1517 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1518 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1519 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1520 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1521 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1522 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1523 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1524 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1525 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1526 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1527 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1528 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1529 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1530 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1531 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1532 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1533 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1534 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1535 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1536 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1537 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1538 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1539 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1540 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1541 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1542 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1543 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1544 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1545 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1546 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1547 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1548 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1549 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1550 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1551 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1552 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1553 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1554 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1555 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1556 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1557 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1558 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1559 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1560 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1561 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1562 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1563 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1564 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1565 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1566 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1567 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1568 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1569 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1570 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1571 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1572 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1573 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1574 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1575 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1576 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1577 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1578 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1579 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1580 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1581 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1582 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1583 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1584 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1585 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1586 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1587 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1588 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1589 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1590 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1591 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1592 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1593 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1594 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1595 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1596 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1597 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1598 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1599 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1600 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1601 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1602 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1603 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1604 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1605 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1606 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1607 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1608 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1609 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1610 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1611 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1612 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1613 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1614 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1615 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1616 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1617 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1618 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1619 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1620 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1621 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1622 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1623 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1624 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1625 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1626 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1627 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1628 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1629 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1630 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1631 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1632 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1633 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1634 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1635 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1636 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1637 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1638 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1639 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1640 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1641 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1642 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1643 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1644 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1645 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1646 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1647 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1648 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1649 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1650 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1651 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1652 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1653 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1654 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1655 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1656 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1657 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1658 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1659 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1660 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1661 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1662 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1663 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1664 };
1665
1666 int i, j, ok;
1667
1668 /* Test known inputs/outputs */
1669 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1670 uint16_t out[16];
1671 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1672 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1673#ifdef SECP256K1_WIDEMUL_INT128
1674 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1675 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1676#endif
1677 }
1678
1679 for (i = 0; i < 100 * count; ++i) {
1680 /* 256-bit numbers in 16-uint16_t's notation */
1681 static const uint16_t ZERO[16] = {0};
1682 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1683 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1684 uint16_t id[16]; /* the inverse of xd mod md */
1685
1686 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1687 do {
1688 /* generate random xd and md (with many subsequent 0s and 1s) */
1689 secp256k1_testrand256_test((unsigned char*)xd);
1690 secp256k1_testrand256_test((unsigned char*)md);
1691 md[0] |= 1; /* modulus must be odd */
1692 /* If modulus is 1, find another one. */
1693 ok = md[0] != 1;
1694 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1695 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1696 } while (!(ok && coprime(xd, md)));
1697
1698 test_modinv32_uint16(id, xd, md);
1699#ifdef SECP256K1_WIDEMUL_INT128
1700 test_modinv64_uint16(id, xd, md);
1701#endif
1702
1703 /* In a few cases, also test with input=0 */
1704 if (i < count) {
1705 test_modinv32_uint16(id, ZERO, md);
1706#ifdef SECP256K1_WIDEMUL_INT128
1707 test_modinv64_uint16(id, ZERO, md);
1708#endif
1709 }
1710 }
1711}
1712
1713/***** SCALAR TESTS *****/
1714
1715
1716void scalar_test(void) {
1717 secp256k1_scalar s;
1718 secp256k1_scalar s1;
1719 secp256k1_scalar s2;
1720 unsigned char c[32];
1721
1722 /* Set 's' to a random scalar, with value 'snum'. */
1723 random_scalar_order_test(&s);
1724
1725 /* Set 's1' to a random scalar, with value 's1num'. */
1726 random_scalar_order_test(&s1);
1727
1728 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1729 random_scalar_order_test(&s2);
1730 secp256k1_scalar_get_b32(c, &s2);
1731
1732 {
1733 int i;
1734 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1735 secp256k1_scalar n;
1736 secp256k1_scalar_set_int(&n, 0);
1737 for (i = 0; i < 256; i += 4) {
1738 secp256k1_scalar t;
1739 int j;
1740 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1741 for (j = 0; j < 4; j++) {
1742 secp256k1_scalar_add(&n, &n, &n);
1743 }
1744 secp256k1_scalar_add(&n, &n, &t);
1745 }
1746 CHECK(secp256k1_scalar_eq(&n, &s));
1747 }
1748
1749 {
1750 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1751 secp256k1_scalar n;
1752 int i = 0;
1753 secp256k1_scalar_set_int(&n, 0);
1754 while (i < 256) {
1755 secp256k1_scalar t;
1756 int j;
1757 int now = secp256k1_testrand_int(15) + 1;
1758 if (now + i > 256) {
1759 now = 256 - i;
1760 }
1761 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1762 for (j = 0; j < now; j++) {
1763 secp256k1_scalar_add(&n, &n, &n);
1764 }
1765 secp256k1_scalar_add(&n, &n, &t);
1766 i += now;
1767 }
1768 CHECK(secp256k1_scalar_eq(&n, &s));
1769 }
1770
1771 {
1772 /* test secp256k1_scalar_shr_int */
1773 secp256k1_scalar r;
1774 int i;
1775 random_scalar_order_test(&r);
1776 for (i = 0; i < 100; ++i) {
1777 int low;
1778 int shift = 1 + secp256k1_testrand_int(15);
1779 int expected = r.d[0] % (1 << shift);
1780 low = secp256k1_scalar_shr_int(&r, shift);
1781 CHECK(expected == low);
1782 }
1783 }
1784
1785 {
1786 /* Test commutativity of add. */
1787 secp256k1_scalar r1, r2;
1788 secp256k1_scalar_add(&r1, &s1, &s2);
1789 secp256k1_scalar_add(&r2, &s2, &s1);
1790 CHECK(secp256k1_scalar_eq(&r1, &r2));
1791 }
1792
1793 {
1794 secp256k1_scalar r1, r2;
1795 secp256k1_scalar b;
1796 int i;
1797 /* Test add_bit. */
1798 int bit = secp256k1_testrand_bits(8);
1799 secp256k1_scalar_set_int(&b, 1);
1800 CHECK(secp256k1_scalar_is_one(&b));
1801 for (i = 0; i < bit; i++) {
1802 secp256k1_scalar_add(&b, &b, &b);
1803 }
1804 r1 = s1;
1805 r2 = s1;
1806 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1807 /* No overflow happened. */
1808 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1809 CHECK(secp256k1_scalar_eq(&r1, &r2));
1810 /* cadd is a noop when flag is zero */
1811 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1812 CHECK(secp256k1_scalar_eq(&r1, &r2));
1813 }
1814 }
1815
1816 {
1817 /* Test commutativity of mul. */
1818 secp256k1_scalar r1, r2;
1819 secp256k1_scalar_mul(&r1, &s1, &s2);
1820 secp256k1_scalar_mul(&r2, &s2, &s1);
1821 CHECK(secp256k1_scalar_eq(&r1, &r2));
1822 }
1823
1824 {
1825 /* Test associativity of add. */
1826 secp256k1_scalar r1, r2;
1827 secp256k1_scalar_add(&r1, &s1, &s2);
1828 secp256k1_scalar_add(&r1, &r1, &s);
1829 secp256k1_scalar_add(&r2, &s2, &s);
1830 secp256k1_scalar_add(&r2, &s1, &r2);
1831 CHECK(secp256k1_scalar_eq(&r1, &r2));
1832 }
1833
1834 {
1835 /* Test associativity of mul. */
1836 secp256k1_scalar r1, r2;
1837 secp256k1_scalar_mul(&r1, &s1, &s2);
1838 secp256k1_scalar_mul(&r1, &r1, &s);
1839 secp256k1_scalar_mul(&r2, &s2, &s);
1840 secp256k1_scalar_mul(&r2, &s1, &r2);
1841 CHECK(secp256k1_scalar_eq(&r1, &r2));
1842 }
1843
1844 {
1845 /* Test distributitivity of mul over add. */
1846 secp256k1_scalar r1, r2, t;
1847 secp256k1_scalar_add(&r1, &s1, &s2);
1848 secp256k1_scalar_mul(&r1, &r1, &s);
1849 secp256k1_scalar_mul(&r2, &s1, &s);
1850 secp256k1_scalar_mul(&t, &s2, &s);
1851 secp256k1_scalar_add(&r2, &r2, &t);
1852 CHECK(secp256k1_scalar_eq(&r1, &r2));
1853 }
1854
1855 {
1856 /* Test multiplicative identity. */
1857 secp256k1_scalar r1, v1;
1858 secp256k1_scalar_set_int(&v1,1);
1859 secp256k1_scalar_mul(&r1, &s1, &v1);
1860 CHECK(secp256k1_scalar_eq(&r1, &s1));
1861 }
1862
1863 {
1864 /* Test additive identity. */
1865 secp256k1_scalar r1, v0;
1866 secp256k1_scalar_set_int(&v0,0);
1867 secp256k1_scalar_add(&r1, &s1, &v0);
1868 CHECK(secp256k1_scalar_eq(&r1, &s1));
1869 }
1870
1871 {
1872 /* Test zero product property. */
1873 secp256k1_scalar r1, v0;
1874 secp256k1_scalar_set_int(&v0,0);
1875 secp256k1_scalar_mul(&r1, &s1, &v0);
1876 CHECK(secp256k1_scalar_eq(&r1, &v0));
1877 }
1878
1879}
1880
1881void run_scalar_set_b32_seckey_tests(void) {
1882 unsigned char b32[32];
1883 secp256k1_scalar s1;
1884 secp256k1_scalar s2;
1885
1886 /* Usually set_b32 and set_b32_seckey give the same result */
1887 random_scalar_order_b32(b32);
1888 secp256k1_scalar_set_b32(&s1, b32, NULL);
1889 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1890 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1891
1892 memset(b32, 0, sizeof(b32));
1893 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1894 memset(b32, 0xFF, sizeof(b32));
1895 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1896}
1897
1898void run_scalar_tests(void) {
1899 int i;
1900 for (i = 0; i < 128 * count; i++) {
1901 scalar_test();
1902 }
1903 for (i = 0; i < count; i++) {
1904 run_scalar_set_b32_seckey_tests();
1905 }
1906
1907 {
1908 /* (-1)+1 should be zero. */
1909 secp256k1_scalar s, o;
1910 secp256k1_scalar_set_int(&s, 1);
1911 CHECK(secp256k1_scalar_is_one(&s));
1912 secp256k1_scalar_negate(&o, &s);
1913 secp256k1_scalar_add(&o, &o, &s);
1914 CHECK(secp256k1_scalar_is_zero(&o));
1915 secp256k1_scalar_negate(&o, &o);
1916 CHECK(secp256k1_scalar_is_zero(&o));
1917 }
1918
1919 {
1920 /* Does check_overflow check catch all ones? */
1921 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1922 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1923 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1924 );
1925 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1926 }
1927
1928 {
1929 /* Static test vectors.
1930 * These were reduced from ~10^12 random vectors based on comparison-decision
1931 * and edge-case coverage on 32-bit and 64-bit implementations.
1932 * The responses were generated with Sage 5.9.
1933 */
1934 secp256k1_scalar x;
1935 secp256k1_scalar y;
1936 secp256k1_scalar z;
1937 secp256k1_scalar zz;
1938 secp256k1_scalar one;
1939 secp256k1_scalar r1;
1940 secp256k1_scalar r2;
1941 secp256k1_scalar zzv;
1942 int overflow;
1943 unsigned char chal[33][2][32] = {
1944 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1945 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1946 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1947 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1948 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1949 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1950 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1951 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1952 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1953 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1954 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1955 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1956 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1957 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1958 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1959 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1960 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1961 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1962 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1963 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1964 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1965 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1966 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1967 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1968 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1969 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1970 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1971 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1972 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1973 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1974 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1975 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1976 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1977 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1978 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1979 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1980 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1981 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1982 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1983 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1984 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1985 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1986 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1987 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1988 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1989 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1990 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1991 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1992 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1993 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1994 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1995 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1996 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1997 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1998 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1999 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2000 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2001 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2002 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2003 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2004 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2005 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2006 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2007 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2008 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2009 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2010 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2011 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2012 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2013 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2014 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2016 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2017 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2018 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2019 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2020 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2021 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2022 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2023 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2024 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2025 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2026 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2027 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2028 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2030 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2031 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2032 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2033 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2034 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2035 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2036 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2038 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2040 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2041 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2042 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2043 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2044 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2045 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2046 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2047 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2048 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2049 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2051 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2052 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2053 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2054 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2055 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2056 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2057 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2059 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2060 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2061 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2062 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2063 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2064 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2065 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2066 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2067 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2068 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2069 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2070 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2071 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2072 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2073 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2074 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2075 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2076 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2077 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2078 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2079 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2080 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2081 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2082 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2084 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2085 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2086 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2087 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2088 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2090 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2092 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2093 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2094 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2095 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2096 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2097 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2098 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2099 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2100 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2101 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2102 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2103 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2104 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2108 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2109 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2110 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2111 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2112 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2115 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2116 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2117 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2120 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2121 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2122 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2123 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2124 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2125 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2126 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2127 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2128 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2129 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2130 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2131 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2132 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2133 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2134 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2135 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2136 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2137 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2138 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2139 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2140 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2143 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2144 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2146 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2147 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2148 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2152 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2153 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2154 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2155 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2156 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2157 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2158 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2159 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2160 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2161 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2162 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2163 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2164 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2165 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2167 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2168 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2169 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2170 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2171 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2172 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2173 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2174 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2175 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2176 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2177 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2178 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2179 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2180 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2181 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2182 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2183 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2184 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2185 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2187 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2188 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2189 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2190 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2191 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2192 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2193 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2194 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2195 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2196 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2197 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2198 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2199 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2200 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2201 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2202 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2203 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2204 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2205 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2206 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2207 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2208 };
2209 unsigned char res[33][2][32] = {
2210 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2211 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2212 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2213 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2214 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2215 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2216 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2217 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2218 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2219 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2220 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2221 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2222 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2223 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2224 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2225 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2226 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2227 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2228 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2229 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2230 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2231 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2232 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2233 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2234 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2235 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2236 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2237 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2238 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2239 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2240 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2241 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2242 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2243 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2244 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2245 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2246 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2247 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2248 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2249 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2250 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2251 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2252 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2253 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2254 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2255 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2256 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2257 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2258 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2259 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2260 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2261 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2262 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2263 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2264 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2265 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2266 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2267 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2268 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2269 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2270 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2271 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2272 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2273 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2274 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2275 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2276 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2277 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2278 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2279 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2280 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2281 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2282 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2283 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2284 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2285 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2286 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2287 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2288 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2289 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2290 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2291 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2292 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2293 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2294 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2295 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2296 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2297 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2298 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2299 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2300 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2301 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2302 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2303 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2304 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2305 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2306 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2307 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2308 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2309 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2310 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2311 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2312 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2313 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2314 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2315 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2316 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2317 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2318 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2319 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2320 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2321 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2322 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2323 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2324 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2325 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2326 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2327 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2328 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2329 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2330 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2331 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2332 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2333 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2334 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2335 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2336 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2337 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2338 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2339 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2340 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2341 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2342 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2343 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2344 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2345 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2346 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2347 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2348 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2349 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2350 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2351 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2352 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2353 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2354 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2355 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2356 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2357 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2358 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2359 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2360 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2361 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2362 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2363 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2364 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2365 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2366 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2367 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2368 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2369 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2370 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2374 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2375 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2376 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2378 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2382 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2386 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2387 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2388 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2389 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2390 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2391 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2392 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2393 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2394 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2395 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2396 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2397 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2398 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2399 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2400 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2401 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2402 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2404 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2405 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2406 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2407 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2408 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2409 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2410 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2411 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2412 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2413 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2414 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2417 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2418 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2419 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2420 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2421 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2422 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2423 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2424 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2425 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2426 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2427 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2428 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2429 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2430 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2431 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2432 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2433 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2434 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2435 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2436 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2437 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2438 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2439 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2440 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2441 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2442 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2443 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2444 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2445 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2446 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2447 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2448 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2449 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2450 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2451 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2452 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2453 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2454 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2455 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2456 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2457 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2458 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2459 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2460 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2461 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2462 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2463 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2464 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2465 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2466 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2467 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2468 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2469 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2470 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2471 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2472 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2473 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2474 };
2475 secp256k1_scalar_set_int(&one, 1);
2476 for (i = 0; i < 33; i++) {
2477 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2478 CHECK(!overflow);
2479 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2480 CHECK(!overflow);
2481 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2482 CHECK(!overflow);
2483 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2484 CHECK(!overflow);
2485 secp256k1_scalar_mul(&z, &x, &y);
2486 CHECK(!secp256k1_scalar_check_overflow(&z));
2487 CHECK(secp256k1_scalar_eq(&r1, &z));
2488 if (!secp256k1_scalar_is_zero(&y)) {
2489 secp256k1_scalar_inverse(&zz, &y);
2490 CHECK(!secp256k1_scalar_check_overflow(&zz));
2491 secp256k1_scalar_inverse_var(&zzv, &y);
2492 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2493 secp256k1_scalar_mul(&z, &z, &zz);
2494 CHECK(!secp256k1_scalar_check_overflow(&z));
2495 CHECK(secp256k1_scalar_eq(&x, &z));
2496 secp256k1_scalar_mul(&zz, &zz, &y);
2497 CHECK(!secp256k1_scalar_check_overflow(&zz));
2498 CHECK(secp256k1_scalar_eq(&one, &zz));
2499 }
2500 }
2501 }
2502}
2503
2504/***** FIELD TESTS *****/
2505
2506void random_fe(secp256k1_fe *x) {
2507 unsigned char bin[32];
2508 do {
2509 secp256k1_testrand256(bin);
2510 if (secp256k1_fe_set_b32(x, bin)) {
2511 return;
2512 }
2513 } while(1);
2514}
2515
2516void random_fe_test(secp256k1_fe *x) {
2517 unsigned char bin[32];
2518 do {
2519 secp256k1_testrand256_test(bin);
2520 if (secp256k1_fe_set_b32(x, bin)) {
2521 return;
2522 }
2523 } while(1);
2524}
2525
2526void random_fe_non_zero(secp256k1_fe *nz) {
2527 int tries = 10;
2528 while (--tries >= 0) {
2529 random_fe(nz);
2530 secp256k1_fe_normalize(nz);
2531 if (!secp256k1_fe_is_zero(nz)) {
2532 break;
2533 }
2534 }
2535 /* Infinitesimal probability of spurious failure here */
2536 CHECK(tries >= 0);
2537}
2538
2539void random_fe_non_square(secp256k1_fe *ns) {
2540 secp256k1_fe r;
2541 random_fe_non_zero(ns);
2542 if (secp256k1_fe_sqrt(&r, ns)) {
2543 secp256k1_fe_negate(ns, ns, 1);
2544 }
2545}
2546
2547int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2548 secp256k1_fe an = *a;
2549 secp256k1_fe bn = *b;
2550 secp256k1_fe_normalize_weak(&an);
2551 secp256k1_fe_normalize_var(&bn);
2552 return secp256k1_fe_equal_var(&an, &bn);
2553}
2554
2555void run_field_convert(void) {
2556 static const unsigned char b32[32] = {
2557 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2558 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2559 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2560 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2561 };
2562 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2563 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2564 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2565 );
2566 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2567 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2568 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2569 );
2570 secp256k1_fe fe2;
2571 unsigned char b322[32];
2572 secp256k1_fe_storage fes2;
2573 /* Check conversions to fe. */
2574 CHECK(secp256k1_fe_set_b32(&fe2, b32));
2575 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2576 secp256k1_fe_from_storage(&fe2, &fes);
2577 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2578 /* Check conversion from fe. */
2579 secp256k1_fe_get_b32(b322, &fe);
2580 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2581 secp256k1_fe_to_storage(&fes2, &fe);
2582 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2583}
2584
2585/* Returns true if two field elements have the same representation. */
2586int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2587 int ret = 1;
2588#ifdef VERIFY
2589 ret &= (a->magnitude == b->magnitude);
2590 ret &= (a->normalized == b->normalized);
2591#endif
2592 /* Compare the struct member that holds the limbs. */
2593 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2594 return ret;
2595}
2596
2597void run_field_half(void) {
2598 secp256k1_fe t, u;
2599 int m;
2600
2601 /* Check magnitude 0 input */
2602 secp256k1_fe_get_bounds(&t, 0);
2603 secp256k1_fe_half(&t);
2604#ifdef VERIFY
2605 CHECK(t.magnitude == 1);
2606 CHECK(t.normalized == 0);
2607#endif
2608 CHECK(secp256k1_fe_normalizes_to_zero(&t));
2609
2610 /* Check non-zero magnitudes in the supported range */
2611 for (m = 1; m < 32; m++) {
2612 /* Check max-value input */
2613 secp256k1_fe_get_bounds(&t, m);
2614
2615 u = t;
2616 secp256k1_fe_half(&u);
2617#ifdef VERIFY
2618 CHECK(u.magnitude == (m >> 1) + 1);
2619 CHECK(u.normalized == 0);
2620#endif
2621 secp256k1_fe_normalize_weak(&u);
2622 secp256k1_fe_add(&u, &u);
2623 CHECK(check_fe_equal(&t, &u));
2624
2625 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2626 * which will also cause all carries to be 1, since all limbs that can
2627 * generate a carry are initially even and all limbs of P are odd in
2628 * every existing field implementation. */
2629 secp256k1_fe_get_bounds(&t, m);
2630 CHECK(t.n[0] > 0);
2631 CHECK((t.n[0] & 1) == 0);
2632 --t.n[0];
2633
2634 u = t;
2635 secp256k1_fe_half(&u);
2636#ifdef VERIFY
2637 CHECK(u.magnitude == (m >> 1) + 1);
2638 CHECK(u.normalized == 0);
2639#endif
2640 secp256k1_fe_normalize_weak(&u);
2641 secp256k1_fe_add(&u, &u);
2642 CHECK(check_fe_equal(&t, &u));
2643 }
2644}
2645
2646void run_field_misc(void) {
2647 secp256k1_fe x;
2648 secp256k1_fe y;
2649 secp256k1_fe z;
2650 secp256k1_fe q;
2651 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2652 int i, j;
2653 for (i = 0; i < 1000 * count; i++) {
2654 secp256k1_fe_storage xs, ys, zs;
2655 if (i & 1) {
2656 random_fe(&x);
2657 } else {
2658 random_fe_test(&x);
2659 }
2660 random_fe_non_zero(&y);
2661 /* Test the fe equality and comparison operations. */
2662 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2663 CHECK(secp256k1_fe_equal_var(&x, &x));
2664 z = x;
2665 secp256k1_fe_add(&z,&y);
2666 /* Test fe conditional move; z is not normalized here. */
2667 q = x;
2668 secp256k1_fe_cmov(&x, &z, 0);
2669#ifdef VERIFY
2670 CHECK(x.normalized && x.magnitude == 1);
2671#endif
2672 secp256k1_fe_cmov(&x, &x, 1);
2673 CHECK(!fe_identical(&x, &z));
2674 CHECK(fe_identical(&x, &q));
2675 secp256k1_fe_cmov(&q, &z, 1);
2676#ifdef VERIFY
2677 CHECK(!q.normalized && q.magnitude == z.magnitude);
2678#endif
2679 CHECK(fe_identical(&q, &z));
2680 secp256k1_fe_normalize_var(&x);
2681 secp256k1_fe_normalize_var(&z);
2682 CHECK(!secp256k1_fe_equal_var(&x, &z));
2683 secp256k1_fe_normalize_var(&q);
2684 secp256k1_fe_cmov(&q, &z, (i&1));
2685#ifdef VERIFY
2686 CHECK(q.normalized && q.magnitude == 1);
2687#endif
2688 for (j = 0; j < 6; j++) {
2689 secp256k1_fe_negate(&z, &z, j+1);
2690 secp256k1_fe_normalize_var(&q);
2691 secp256k1_fe_cmov(&q, &z, (j&1));
2692#ifdef VERIFY
2693 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2694#endif
2695 }
2696 secp256k1_fe_normalize_var(&z);
2697 /* Test storage conversion and conditional moves. */
2698 secp256k1_fe_to_storage(&xs, &x);
2699 secp256k1_fe_to_storage(&ys, &y);
2700 secp256k1_fe_to_storage(&zs, &z);
2701 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2702 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2703 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2704 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2705 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2706 secp256k1_fe_from_storage(&x, &xs);
2707 secp256k1_fe_from_storage(&y, &ys);
2708 secp256k1_fe_from_storage(&z, &zs);
2709 /* Test that mul_int, mul, and add agree. */
2710 secp256k1_fe_add(&y, &x);
2711 secp256k1_fe_add(&y, &x);
2712 z = x;
2713 secp256k1_fe_mul_int(&z, 3);
2714 CHECK(check_fe_equal(&y, &z));
2715 secp256k1_fe_add(&y, &x);
2716 secp256k1_fe_add(&z, &x);
2717 CHECK(check_fe_equal(&z, &y));
2718 z = x;
2719 secp256k1_fe_mul_int(&z, 5);
2720 secp256k1_fe_mul(&q, &x, &fe5);
2721 CHECK(check_fe_equal(&z, &q));
2722 secp256k1_fe_negate(&x, &x, 1);
2723 secp256k1_fe_add(&z, &x);
2724 secp256k1_fe_add(&q, &x);
2725 CHECK(check_fe_equal(&y, &z));
2726 CHECK(check_fe_equal(&q, &y));
2727 /* Check secp256k1_fe_half. */
2728 z = x;
2729 secp256k1_fe_half(&z);
2730 secp256k1_fe_add(&z, &z);
2731 CHECK(check_fe_equal(&x, &z));
2732 secp256k1_fe_add(&z, &z);
2733 secp256k1_fe_half(&z);
2734 CHECK(check_fe_equal(&x, &z));
2735 }
2736}
2737
2738void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
2739{
2740 secp256k1_fe c, an, bn;
2741 /* Variables in BE 32-byte format. */
2742 unsigned char a32[32], b32[32], c32[32];
2743 /* Variables in LE 16x uint16_t format. */
2744 uint16_t a16[16], b16[16], c16[16];
2745 /* Field modulus in LE 16x uint16_t format. */
2746 static const uint16_t m16[16] = {
2747 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2748 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2749 };
2750 uint16_t t16[32];
2751 int i;
2752
2753 /* Compute C = A * B in fe format. */
2754 c = *a;
2755 if (use_sqr) {
2756 secp256k1_fe_sqr(&c, &c);
2757 } else {
2758 secp256k1_fe_mul(&c, &c, b);
2759 }
2760
2761 /* Convert A, B, C into LE 16x uint16_t format. */
2762 an = *a;
2763 bn = *b;
2764 secp256k1_fe_normalize_var(&c);
2765 secp256k1_fe_normalize_var(&an);
2766 secp256k1_fe_normalize_var(&bn);
2767 secp256k1_fe_get_b32(a32, &an);
2768 secp256k1_fe_get_b32(b32, &bn);
2769 secp256k1_fe_get_b32(c32, &c);
2770 for (i = 0; i < 16; ++i) {
2771 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2772 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2773 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2774 }
2775 /* Compute T = A * B in LE 16x uint16_t format. */
2776 mulmod256(t16, a16, b16, m16);
2777 /* Compare */
2778 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
2779}
2780
2781void run_fe_mul(void) {
2782 int i;
2783 for (i = 0; i < 100 * count; ++i) {
2784 secp256k1_fe a, b, c, d;
2785 random_fe(&a);
2786 random_field_element_magnitude(&a);
2787 random_fe(&b);
2788 random_field_element_magnitude(&b);
2789 random_fe_test(&c);
2790 random_field_element_magnitude(&c);
2791 random_fe_test(&d);
2792 random_field_element_magnitude(&d);
2793 test_fe_mul(&a, &a, 1);
2794 test_fe_mul(&c, &c, 1);
2795 test_fe_mul(&a, &b, 0);
2796 test_fe_mul(&a, &c, 0);
2797 test_fe_mul(&c, &b, 0);
2798 test_fe_mul(&c, &d, 0);
2799 }
2800}
2801
2802void run_sqr(void) {
2803 secp256k1_fe x, s;
2804
2805 {
2806 int i;
2807 secp256k1_fe_set_int(&x, 1);
2808 secp256k1_fe_negate(&x, &x, 1);
2809
2810 for (i = 1; i <= 512; ++i) {
2811 secp256k1_fe_mul_int(&x, 2);
2812 secp256k1_fe_normalize(&x);
2813 secp256k1_fe_sqr(&s, &x);
2814 }
2815 }
2816}
2817
2818void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2819 secp256k1_fe r1, r2;
2820 int v = secp256k1_fe_sqrt(&r1, a);
2821 CHECK((v == 0) == (k == NULL));
2822
2823 if (k != NULL) {
2824 /* Check that the returned root is +/- the given known answer */
2825 secp256k1_fe_negate(&r2, &r1, 1);
2826 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2827 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2828 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2829 }
2830}
2831
2832void run_sqrt(void) {
2833 secp256k1_fe ns, x, s, t;
2834 int i;
2835
2836 /* Check sqrt(0) is 0 */
2837 secp256k1_fe_set_int(&x, 0);
2838 secp256k1_fe_sqr(&s, &x);
2839 test_sqrt(&s, &x);
2840
2841 /* Check sqrt of small squares (and their negatives) */
2842 for (i = 1; i <= 100; i++) {
2843 secp256k1_fe_set_int(&x, i);
2844 secp256k1_fe_sqr(&s, &x);
2845 test_sqrt(&s, &x);
2846 secp256k1_fe_negate(&t, &s, 1);
2847 test_sqrt(&t, NULL);
2848 }
2849
2850 /* Consistency checks for large random values */
2851 for (i = 0; i < 10; i++) {
2852 int j;
2853 random_fe_non_square(&ns);
2854 for (j = 0; j < count; j++) {
2855 random_fe(&x);
2856 secp256k1_fe_sqr(&s, &x);
2857 test_sqrt(&s, &x);
2858 secp256k1_fe_negate(&t, &s, 1);
2859 test_sqrt(&t, NULL);
2860 secp256k1_fe_mul(&t, &s, &ns);
2861 test_sqrt(&t, NULL);
2862 }
2863 }
2864}
2865
2866/***** FIELD/SCALAR INVERSE TESTS *****/
2867
2868static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2869 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2870 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2871);
2872
2873static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2874 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2875 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2876);
2877
2878/* These tests test the following identities:
2879 *
2880 * for x==0: 1/x == 0
2881 * for x!=0: x*(1/x) == 1
2882 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2883 */
2884
2885void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2886{
2887 secp256k1_scalar l, r, t;
2888
2889 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
2890 if (out) *out = l;
2891 if (secp256k1_scalar_is_zero(x)) {
2892 CHECK(secp256k1_scalar_is_zero(&l));
2893 return;
2894 }
2895 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2896 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2897 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2898 if (secp256k1_scalar_is_zero(&r)) return;
2899 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
2900 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2901 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
2902 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2903 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2904 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2905}
2906
2907void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2908{
2909 secp256k1_fe l, r, t;
2910
2911 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2912 if (out) *out = l;
2913 t = *x; /* t = x */
2914 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2915 CHECK(secp256k1_fe_normalizes_to_zero(&l));
2916 return;
2917 }
2918 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2919 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2920 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2921 r = *x; /* r = x */
2922 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2923 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2924 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2925 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2926 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2927 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2928 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2929 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2930}
2931
2932void run_inverse_tests(void)
2933{
2934 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2935 static const secp256k1_fe fe_cases[][2] = {
2936 /* 0 */
2937 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2938 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2939 /* 1 */
2940 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2941 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2942 /* -1 */
2943 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2944 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2945 /* 2 */
2946 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2947 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2948 /* 2**128 */
2949 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2950 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2951 /* Input known to need 637 divsteps */
2952 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2953 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
2954 /* Input known to need 567 divsteps starting with delta=1/2. */
2955 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
2956 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
2957 /* Input known to need 566 divsteps starting with delta=1/2. */
2958 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
2959 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
2960 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
2961 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
2962 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
2963 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
2964 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
2965 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
2966 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
2967 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
2968 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
2969 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
2970 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
2971 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
2972 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
2973 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
2974 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
2975 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
2976 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
2977 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
2978 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
2979 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
2980 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
2981 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
2982 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
2983 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
2984 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
2985 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
2986 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
2987 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
2988 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
2989 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
2990 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
2991 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
2992 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
2993 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
2994 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
2995 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
2996 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
2997 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
2998 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
2999 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3000 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3001 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3002 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3003 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3004 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3005 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3006 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3007 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3008 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3009 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3010 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3011 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3012 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3013 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3014 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3015 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3016 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3017 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3018 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3019 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3020 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3021 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3022 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3023 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3024 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3025 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3026 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3027 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3028 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3029 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3030 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3031 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3032 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3033 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3034 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3035 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3036 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3037 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3038 };
3039 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3040 static const secp256k1_scalar scalar_cases[][2] = {
3041 /* 0 */
3042 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3043 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3044 /* 1 */
3045 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3046 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3047 /* -1 */
3048 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3049 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3050 /* 2 */
3051 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3052 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3053 /* 2**128 */
3054 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3055 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3056 /* Input known to need 635 divsteps */
3057 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3058 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3059 /* Input known to need 566 divsteps starting with delta=1/2. */
3060 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3061 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3062 /* Input known to need 565 divsteps starting with delta=1/2. */
3063 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3064 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3065 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3066 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3067 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3068 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3069 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3070 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3071 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3072 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3073 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3074 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3075 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3076 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3077 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3078 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3079 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3080 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3081 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3082 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3083 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3084 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3085 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3086 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3087 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3088 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3089 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3090 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3091 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3092 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3093 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3094 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3095 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3096 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3097 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3098 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3099 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3100 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3101 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3102 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3103 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3104 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3105 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3106 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3107 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3108 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3109 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3110 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3111 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3112 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3113 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3114 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3115 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3116 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3117 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3118 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3119 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3120 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3121 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3122 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3123 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3124 };
3125 int i, var, testrand;
3126 unsigned char b32[32];
3127 secp256k1_fe x_fe;
3128 secp256k1_scalar x_scalar;
3129 memset(b32, 0, sizeof(b32));
3130 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3131 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3132 for (var = 0; var <= 1; ++var) {
3133 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3134 check_fe_equal(&x_fe, &fe_cases[i][1]);
3135 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3136 check_fe_equal(&x_fe, &fe_cases[i][0]);
3137 }
3138 }
3139 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3140 for (var = 0; var <= 1; ++var) {
3141 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3142 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3143 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3144 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3145 }
3146 }
3147 /* Test inputs 0..999 and their respective negations. */
3148 for (i = 0; i < 1000; ++i) {
3149 b32[31] = i & 0xff;
3150 b32[30] = (i >> 8) & 0xff;
3151 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3152 secp256k1_fe_set_b32(&x_fe, b32);
3153 for (var = 0; var <= 1; ++var) {
3154 test_inverse_scalar(NULL, &x_scalar, var);
3155 test_inverse_field(NULL, &x_fe, var);
3156 }
3157 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3158 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3159 for (var = 0; var <= 1; ++var) {
3160 test_inverse_scalar(NULL, &x_scalar, var);
3161 test_inverse_field(NULL, &x_fe, var);
3162 }
3163 }
3164 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3165 for (testrand = 0; testrand <= 1; ++testrand) {
3166 for (i = 0; i < 64 * count; ++i) {
3167 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3168 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3169 secp256k1_fe_set_b32(&x_fe, b32);
3170 for (var = 0; var <= 1; ++var) {
3171 test_inverse_scalar(NULL, &x_scalar, var);
3172 test_inverse_field(NULL, &x_fe, var);
3173 }
3174 }
3175 }
3176}
3177
3178/***** GROUP TESTS *****/
3179
3180void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3181 CHECK(a->infinity == b->infinity);
3182 if (a->infinity) {
3183 return;
3184 }
3185 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
3186 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
3187}
3188
3189/* This compares jacobian points including their Z, not just their geometric meaning. */
3190int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3191 secp256k1_gej a2;
3192 secp256k1_gej b2;
3193 int ret = 1;
3194 ret &= a->infinity == b->infinity;
3195 if (ret && !a->infinity) {
3196 a2 = *a;
3197 b2 = *b;
3198 secp256k1_fe_normalize(&a2.x);
3199 secp256k1_fe_normalize(&a2.y);
3200 secp256k1_fe_normalize(&a2.z);
3201 secp256k1_fe_normalize(&b2.x);
3202 secp256k1_fe_normalize(&b2.y);
3203 secp256k1_fe_normalize(&b2.z);
3204 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3205 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3206 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3207 }
3208 return ret;
3209}
3210
3211void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3212 secp256k1_fe z2s;
3213 secp256k1_fe u1, u2, s1, s2;
3214 CHECK(a->infinity == b->infinity);
3215 if (a->infinity) {
3216 return;
3217 }
3218 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3219 secp256k1_fe_sqr(&z2s, &b->z);
3220 secp256k1_fe_mul(&u1, &a->x, &z2s);
3221 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3222 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3223 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3224 CHECK(secp256k1_fe_equal_var(&u1, &u2));
3225 CHECK(secp256k1_fe_equal_var(&s1, &s2));
3226}
3227
3228void test_ge(void) {
3229 int i, i1;
3230 int runs = 6;
3231 /* 25 points are used:
3232 * - infinity
3233 * - for each of four random points p1 p2 p3 p4, we add the point, its
3234 * negation, and then those two again but with randomized Z coordinate.
3235 * - The same is then done for lambda*p1 and lambda^2*p1.
3236 */
3237 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3238 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3239 secp256k1_fe zf;
3240 secp256k1_fe zfi2, zfi3;
3241
3242 secp256k1_gej_set_infinity(&gej[0]);
3243 secp256k1_ge_clear(&ge[0]);
3244 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3245 for (i = 0; i < runs; i++) {
3246 int j;
3247 secp256k1_ge g;
3248 random_group_element_test(&g);
3249 if (i >= runs - 2) {
3250 secp256k1_ge_mul_lambda(&g, &ge[1]);
3251 }
3252 if (i >= runs - 1) {
3253 secp256k1_ge_mul_lambda(&g, &g);
3254 }
3255 ge[1 + 4 * i] = g;
3256 ge[2 + 4 * i] = g;
3257 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3258 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3259 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3260 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3261 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3262 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3263 for (j = 0; j < 4; j++) {
3264 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3265 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3266 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3267 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3268 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3269 }
3270 }
3271
3272 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3273 do {
3274 random_field_element_test(&zf);
3275 } while(secp256k1_fe_is_zero(&zf));
3276 random_field_element_magnitude(&zf);
3277 secp256k1_fe_inv_var(&zfi3, &zf);
3278 secp256k1_fe_sqr(&zfi2, &zfi3);
3279 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3280
3281 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3282 int i2;
3283 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3284 /* Compute reference result using gej + gej (var). */
3285 secp256k1_gej refj, resj;
3286 secp256k1_ge ref;
3287 secp256k1_fe zr;
3288 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3289 /* Check Z ratio. */
3290 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3291 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3292 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3293 }
3294 secp256k1_ge_set_gej_var(&ref, &refj);
3295
3296 /* Test gej + ge with Z ratio result (var). */
3297 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3298 ge_equals_gej(&ref, &resj);
3299 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3300 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3301 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3302 }
3303
3304 /* Test gej + ge (var, with additional Z factor). */
3305 {
3306 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3307 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3308 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3309 random_field_element_magnitude(&ge2_zfi.x);
3310 random_field_element_magnitude(&ge2_zfi.y);
3311 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3312 ge_equals_gej(&ref, &resj);
3313 }
3314
3315 /* Test gej + ge (const). */
3316 if (i2 != 0) {
3317 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3318 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3319 ge_equals_gej(&ref, &resj);
3320 }
3321
3322 /* Test doubling (var). */
3323 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3324 secp256k1_fe zr2;
3325 /* Normal doubling with Z ratio result. */
3326 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3327 ge_equals_gej(&ref, &resj);
3328 /* Check Z ratio. */
3329 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3330 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3331 /* Normal doubling. */
3332 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3333 ge_equals_gej(&ref, &resj);
3334 /* Constant-time doubling. */
3335 secp256k1_gej_double(&resj, &gej[i2]);
3336 ge_equals_gej(&ref, &resj);
3337 }
3338
3339 /* Test adding opposites. */
3340 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3341 CHECK(secp256k1_ge_is_infinity(&ref));
3342 }
3343
3344 /* Test adding infinity. */
3345 if (i1 == 0) {
3346 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3347 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3348 ge_equals_gej(&ref, &gej[i2]);
3349 }
3350 if (i2 == 0) {
3351 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3352 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3353 ge_equals_gej(&ref, &gej[i1]);
3354 }
3355 }
3356 }
3357
3358 /* Test adding all points together in random order equals infinity. */
3359 {
3360 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3361 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3362 for (i = 0; i < 4 * runs + 1; i++) {
3363 gej_shuffled[i] = gej[i];
3364 }
3365 for (i = 0; i < 4 * runs + 1; i++) {
3366 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3367 if (swap != i) {
3368 secp256k1_gej t = gej_shuffled[i];
3369 gej_shuffled[i] = gej_shuffled[swap];
3370 gej_shuffled[swap] = t;
3371 }
3372 }
3373 for (i = 0; i < 4 * runs + 1; i++) {
3374 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3375 }
3376 CHECK(secp256k1_gej_is_infinity(&sum));
3377 free(gej_shuffled);
3378 }
3379
3380 /* Test batch gej -> ge conversion without known z ratios. */
3381 {
3382 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3383 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3384 for (i = 0; i < 4 * runs + 1; i++) {
3385 secp256k1_fe s;
3386 random_fe_non_zero(&s);
3387 secp256k1_gej_rescale(&gej[i], &s);
3388 ge_equals_gej(&ge_set_all[i], &gej[i]);
3389 }
3390 free(ge_set_all);
3391 }
3392
3393 /* Test batch gej -> ge conversion with many infinities. */
3394 for (i = 0; i < 4 * runs + 1; i++) {
3395 int odd;
3396 random_group_element_test(&ge[i]);
3397 odd = secp256k1_fe_is_odd(&ge[i].x);
3398 CHECK(odd == 0 || odd == 1);
3399 /* randomly set half the points to infinity */
3400 if (odd == i % 2) {
3401 secp256k1_ge_set_infinity(&ge[i]);
3402 }
3403 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3404 }
3405 /* batch convert */
3406 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3407 /* check result */
3408 for (i = 0; i < 4 * runs + 1; i++) {
3409 ge_equals_gej(&ge[i], &gej[i]);
3410 }
3411
3412 /* Test batch gej -> ge conversion with all infinities. */
3413 for (i = 0; i < 4 * runs + 1; i++) {
3414 secp256k1_gej_set_infinity(&gej[i]);
3415 }
3416 /* batch convert */
3417 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3418 /* check result */
3419 for (i = 0; i < 4 * runs + 1; i++) {
3420 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3421 }
3422
3423 free(ge);
3424 free(gej);
3425}
3426
3427
3428void test_intialized_inf(void) {
3429 secp256k1_ge p;
3430 secp256k1_gej pj, npj, infj1, infj2, infj3;
3431 secp256k1_fe zinv;
3432
3433 /* Test that adding P+(-P) results in a fully initialized infinity*/
3434 random_group_element_test(&p);
3435 secp256k1_gej_set_ge(&pj, &p);
3436 secp256k1_gej_neg(&npj, &pj);
3437
3438 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3439 CHECK(secp256k1_gej_is_infinity(&infj1));
3440 CHECK(secp256k1_fe_is_zero(&infj1.x));
3441 CHECK(secp256k1_fe_is_zero(&infj1.y));
3442 CHECK(secp256k1_fe_is_zero(&infj1.z));
3443
3444 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3445 CHECK(secp256k1_gej_is_infinity(&infj2));
3446 CHECK(secp256k1_fe_is_zero(&infj2.x));
3447 CHECK(secp256k1_fe_is_zero(&infj2.y));
3448 CHECK(secp256k1_fe_is_zero(&infj2.z));
3449
3450 secp256k1_fe_set_int(&zinv, 1);
3451 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3452 CHECK(secp256k1_gej_is_infinity(&infj3));
3453 CHECK(secp256k1_fe_is_zero(&infj3.x));
3454 CHECK(secp256k1_fe_is_zero(&infj3.y));
3455 CHECK(secp256k1_fe_is_zero(&infj3.z));
3456
3457
3458}
3459
3460void test_add_neg_y_diff_x(void) {
3461 /* The point of this test is to check that we can add two points
3462 * whose y-coordinates are negatives of each other but whose x
3463 * coordinates differ. If the x-coordinates were the same, these
3464 * points would be negatives of each other and their sum is
3465 * infinity. This is cool because it "covers up" any degeneracy
3466 * in the addition algorithm that would cause the xy coordinates
3467 * of the sum to be wrong (since infinity has no xy coordinates).
3468 * HOWEVER, if the x-coordinates are different, infinity is the
3469 * wrong answer, and such degeneracies are exposed. This is the
3470 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3471 * which this test is a regression test for.
3472 *
3473 * These points were generated in sage as
3474 * # secp256k1 params
3475 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3476 * C = EllipticCurve ([F (0), F (7)])
3477 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3478 * N = FiniteField(G.order())
3479 *
3480 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3481 * x = polygen(N)
3482 * lam = (1 - x^3).roots()[1][0]
3483 *
3484 * # random "bad pair"
3485 * P = C.random_element()
3486 * Q = -int(lam) * P
3487 * print " P: %x %x" % P.xy()
3488 * print " Q: %x %x" % Q.xy()
3489 * print "P + Q: %x %x" % (P + Q).xy()
3490 */
3491 secp256k1_gej aj = SECP256K1_GEJ_CONST(
3492 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3493 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3494 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3495 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3496 );
3497 secp256k1_gej bj = SECP256K1_GEJ_CONST(
3498 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3499 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3500 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3501 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3502 );
3503 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3504 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3505 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3506 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3507 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3508 );
3509 secp256k1_ge b;
3510 secp256k1_gej resj;
3511 secp256k1_ge res;
3512 secp256k1_ge_set_gej(&b, &bj);
3513
3514 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3515 secp256k1_ge_set_gej(&res, &resj);
3516 ge_equals_gej(&res, &sumj);
3517
3518 secp256k1_gej_add_ge(&resj, &aj, &b);
3519 secp256k1_ge_set_gej(&res, &resj);
3520 ge_equals_gej(&res, &sumj);
3521
3522 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3523 secp256k1_ge_set_gej(&res, &resj);
3524 ge_equals_gej(&res, &sumj);
3525}
3526
3527void run_ge(void) {
3528 int i;
3529 for (i = 0; i < count * 32; i++) {
3530 test_ge();
3531 }
3532 test_add_neg_y_diff_x();
3533 test_intialized_inf();
3534}
3535
3536void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
3537 secp256k1_gej t = *a;
3538 secp256k1_gej_cmov(&t, b, 0);
3539 CHECK(gej_xyz_equals_gej(&t, a));
3540 secp256k1_gej_cmov(&t, b, 1);
3541 CHECK(gej_xyz_equals_gej(&t, b));
3542}
3543
3544void run_gej(void) {
3545 int i;
3546 secp256k1_gej a, b;
3547
3548 /* Tests for secp256k1_gej_cmov */
3549 for (i = 0; i < count; i++) {
3550 secp256k1_gej_set_infinity(&a);
3551 secp256k1_gej_set_infinity(&b);
3552 test_gej_cmov(&a, &b);
3553
3554 random_gej_test(&a);
3555 test_gej_cmov(&a, &b);
3556 test_gej_cmov(&b, &a);
3557
3558 b = a;
3559 test_gej_cmov(&a, &b);
3560
3561 random_gej_test(&b);
3562 test_gej_cmov(&a, &b);
3563 test_gej_cmov(&b, &a);
3564 }
3565}
3566
3567void test_ec_combine(void) {
3568 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3569 secp256k1_pubkey data[6];
3570 const secp256k1_pubkey* d[6];
3571 secp256k1_pubkey sd;
3572 secp256k1_pubkey sd2;
3573 secp256k1_gej Qj;
3574 secp256k1_ge Q;
3575 int i;
3576 for (i = 1; i <= 6; i++) {
3577 secp256k1_scalar s;
3578 random_scalar_order_test(&s);
3579 secp256k1_scalar_add(&sum, &sum, &s);
3580 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
3581 secp256k1_ge_set_gej(&Q, &Qj);
3582 secp256k1_pubkey_save(&data[i - 1], &Q);
3583 d[i - 1] = &data[i - 1];
3584 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
3585 secp256k1_ge_set_gej(&Q, &Qj);
3586 secp256k1_pubkey_save(&sd, &Q);
3587 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3588 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3589 }
3590}
3591
3592void run_ec_combine(void) {
3593 int i;
3594 for (i = 0; i < count * 8; i++) {
3595 test_ec_combine();
3596 }
3597}
3598
3599void test_group_decompress(const secp256k1_fe* x) {
3600 /* The input itself, normalized. */
3601 secp256k1_fe fex = *x;
3602 secp256k1_fe fez;
3603 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
3604 secp256k1_ge ge_quad, ge_even, ge_odd;
3605 secp256k1_gej gej_quad;
3606 /* Return values of the above calls. */
3607 int res_quad, res_even, res_odd;
3608
3609 secp256k1_fe_normalize_var(&fex);
3610
3611 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
3612 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3613 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3614
3615 CHECK(res_quad == res_even);
3616 CHECK(res_quad == res_odd);
3617
3618 if (res_quad) {
3619 secp256k1_fe_normalize_var(&ge_quad.x);
3620 secp256k1_fe_normalize_var(&ge_odd.x);
3621 secp256k1_fe_normalize_var(&ge_even.x);
3622 secp256k1_fe_normalize_var(&ge_quad.y);
3623 secp256k1_fe_normalize_var(&ge_odd.y);
3624 secp256k1_fe_normalize_var(&ge_even.y);
3625
3626 /* No infinity allowed. */
3627 CHECK(!ge_quad.infinity);
3628 CHECK(!ge_even.infinity);
3629 CHECK(!ge_odd.infinity);
3630
3631 /* Check that the x coordinates check out. */
3632 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
3633 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3634 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3635
3636 /* Check that the Y coordinate result in ge_quad is a square. */
3637 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
3638
3639 /* Check odd/even Y in ge_odd, ge_even. */
3640 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3641 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3642
3643 /* Check secp256k1_gej_has_quad_y_var. */
3644 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
3645 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3646 do {
3647 random_fe_test(&fez);
3648 } while (secp256k1_fe_is_zero(&fez));
3649 secp256k1_gej_rescale(&gej_quad, &fez);
3650 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3651 secp256k1_gej_neg(&gej_quad, &gej_quad);
3652 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3653 do {
3654 random_fe_test(&fez);
3655 } while (secp256k1_fe_is_zero(&fez));
3656 secp256k1_gej_rescale(&gej_quad, &fez);
3657 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3658 secp256k1_gej_neg(&gej_quad, &gej_quad);
3659 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3660 }
3661}
3662
3663void run_group_decompress(void) {
3664 int i;
3665 for (i = 0; i < count * 4; i++) {
3666 secp256k1_fe fe;
3667 random_fe_test(&fe);
3668 test_group_decompress(&fe);
3669 }
3670}
3671
3672/***** ECMULT TESTS *****/
3673
3674void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
3675 /* Tests the pre_g / pre_g_128 tables for consistency.
3676 * For independent verification we take a "geometric" approach to verification.
3677 * We check that every entry is on-curve.
3678 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
3679 * (1) p, gg, and -q are colinear.
3680 * (2) p, gg, and -q are all distinct.
3681 * where gg is twice the generator, where the generator is the first table entry.
3682 *
3683 * Checking the table's generators are correct is done in run_ecmult_pre_g.
3684 */
3685 secp256k1_gej g2;
3686 secp256k1_ge p, q, gg;
3687 secp256k1_fe dpx, dpy, dqx, dqy;
3688 size_t i;
3689
3690 CHECK(0 < n);
3691
3692 secp256k1_ge_from_storage(&p, &pre_g[0]);
3693 CHECK(secp256k1_ge_is_valid_var(&p));
3694
3695 secp256k1_gej_set_ge(&g2, &p);
3696 secp256k1_gej_double_var(&g2, &g2, NULL);
3697 secp256k1_ge_set_gej_var(&gg, &g2);
3698 for (i = 1; i < n; ++i) {
3699 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
3700 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
3701 /* Check that p is not equal to gg */
3702 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
3703
3704 secp256k1_ge_from_storage(&q, &pre_g[i]);
3705 CHECK(secp256k1_ge_is_valid_var(&q));
3706
3707 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
3708 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
3709 /* Check that -q is not equal to gg */
3710 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
3711
3712 /* Check that -q is not equal to p */
3713 CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
3714
3715 /* Check that p, -q and gg are colinear */
3716 secp256k1_fe_mul(&dpx, &dpx, &dqy);
3717 secp256k1_fe_mul(&dpy, &dpy, &dqx);
3718 CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
3719
3720 p = q;
3721 }
3722}
3723
3724void run_ecmult_pre_g(void) {
3725 secp256k1_ge_storage gs;
3726 secp256k1_gej gj;
3727 secp256k1_ge g;
3728 size_t i;
3729
3730 /* Check that the pre_g and pre_g_128 tables are consistent. */
3731 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
3732 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
3733
3734 /* Check the first entry from the pre_g table. */
3735 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
3736 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
3737
3738 /* Check the first entry from the pre_g_128 table. */
3739 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
3740 for (i = 0; i < 128; ++i) {
3741 secp256k1_gej_double_var(&gj, &gj, NULL);
3742 }
3743 secp256k1_ge_set_gej(&g, &gj);
3744 secp256k1_ge_to_storage(&gs, &g);
3745 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
3746}
3747
3748void run_ecmult_chain(void) {
3749 /* random starting point A (on the curve) */
3750 secp256k1_gej a = SECP256K1_GEJ_CONST(
3751 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3752 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3753 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3754 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3755 );
3756 /* two random initial factors xn and gn */
3757 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3758 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3759 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3760 );
3761 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
3762 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3763 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3764 );
3765 /* two small multipliers to be applied to xn and gn in every iteration: */
3766 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3767 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3768 /* accumulators with the resulting coefficients to A and G */
3769 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3770 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3771 /* actual points */
3772 secp256k1_gej x;
3773 secp256k1_gej x2;
3774 int i;
3775
3776 /* the point being computed */
3777 x = a;
3778 for (i = 0; i < 200*count; i++) {
3779 /* in each iteration, compute X = xn*X + gn*G; */
3780 secp256k1_ecmult(&x, &x, &xn, &gn);
3781 /* also compute ae and ge: the actual accumulated factors for A and G */
3782 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3783 secp256k1_scalar_mul(&ae, &ae, &xn);
3784 secp256k1_scalar_mul(&ge, &ge, &xn);
3785 secp256k1_scalar_add(&ge, &ge, &gn);
3786 /* modify xn and gn */
3787 secp256k1_scalar_mul(&xn, &xn, &xf);
3788 secp256k1_scalar_mul(&gn, &gn, &gf);
3789
3790 /* verify */
3791 if (i == 19999) {
3792 /* expected result after 19999 iterations */
3793 secp256k1_gej rp = SECP256K1_GEJ_CONST(
3794 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3795 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3796 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3797 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3798 );
3799
3800 secp256k1_gej_neg(&rp, &rp);
3801 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
3802 CHECK(secp256k1_gej_is_infinity(&rp));
3803 }
3804 }
3805 /* redo the computation, but directly with the resulting ae and ge coefficients: */
3806 secp256k1_ecmult(&x2, &a, &ae, &ge);
3807 secp256k1_gej_neg(&x2, &x2);
3808 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
3809 CHECK(secp256k1_gej_is_infinity(&x2));
3810}
3811
3812void test_point_times_order(const secp256k1_gej *point) {
3813 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3814 secp256k1_scalar x;
3815 secp256k1_scalar nx;
3816 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3817 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3818 secp256k1_gej res1, res2;
3819 secp256k1_ge res3;
3820 unsigned char pub[65];
3821 size_t psize = 65;
3822 random_scalar_order_test(&x);
3823 secp256k1_scalar_negate(&nx, &x);
3824 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3825 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3826 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
3827 CHECK(secp256k1_gej_is_infinity(&res1));
3828 secp256k1_ge_set_gej(&res3, &res1);
3829 CHECK(secp256k1_ge_is_infinity(&res3));
3830 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
3831 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3832 psize = 65;
3833 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3834 /* check zero/one edge cases */
3835 secp256k1_ecmult(&res1, point, &zero, &zero);
3836 secp256k1_ge_set_gej(&res3, &res1);
3837 CHECK(secp256k1_ge_is_infinity(&res3));
3838 secp256k1_ecmult(&res1, point, &one, &zero);
3839 secp256k1_ge_set_gej(&res3, &res1);
3840 ge_equals_gej(&res3, point);
3841 secp256k1_ecmult(&res1, point, &zero, &one);
3842 secp256k1_ge_set_gej(&res3, &res1);
3843 ge_equals_ge(&res3, &secp256k1_ge_const_g);
3844}
3845
3846/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
3847 *
3848 * They are computed as:
3849 * - For a in [-2, -1, 0, 1, 2]:
3850 * - For b in [-3, -1, 1, 3]:
3851 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3852 */
3853static const secp256k1_scalar scalars_near_split_bounds[20] = {
3854 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3855 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3856 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3857 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3858 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3859 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3860 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3861 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3862 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3863 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3864 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3865 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3866 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3867 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3868 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3869 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3870 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3871 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3872 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3873 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3874};
3875
3876void test_ecmult_target(const secp256k1_scalar* target, int mode) {
3877 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3878 secp256k1_scalar n1, n2;
3879 secp256k1_ge p;
3880 secp256k1_gej pj, p1j, p2j, ptj;
3881 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3882
3883 /* Generate random n1,n2 such that n1+n2 = -target. */
3884 random_scalar_order_test(&n1);
3885 secp256k1_scalar_add(&n2, &n1, target);
3886 secp256k1_scalar_negate(&n2, &n2);
3887
3888 /* Generate a random input point. */
3889 if (mode != 0) {
3890 random_group_element_test(&p);
3891 secp256k1_gej_set_ge(&pj, &p);
3892 }
3893
3894 /* EC multiplications */
3895 if (mode == 0) {
3896 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3897 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3898 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3899 } else if (mode == 1) {
3900 secp256k1_ecmult(&p1j, &pj, &n1, &zero);
3901 secp256k1_ecmult(&p2j, &pj, &n2, &zero);
3902 secp256k1_ecmult(&ptj, &pj, target, &zero);
3903 } else {
3904 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
3905 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
3906 secp256k1_ecmult_const(&ptj, &p, target, 256);
3907 }
3908
3909 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3910 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
3911 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
3912 CHECK(secp256k1_gej_is_infinity(&ptj));
3913}
3914
3915void run_ecmult_near_split_bound(void) {
3916 int i;
3917 unsigned j;
3918 for (i = 0; i < 4*count; ++i) {
3919 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3920 test_ecmult_target(&scalars_near_split_bounds[j], 0);
3921 test_ecmult_target(&scalars_near_split_bounds[j], 1);
3922 test_ecmult_target(&scalars_near_split_bounds[j], 2);
3923 }
3924 }
3925}
3926
3927void run_point_times_order(void) {
3928 int i;
3929 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3930 static const secp256k1_fe xr = SECP256K1_FE_CONST(
3931 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3932 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3933 );
3934 for (i = 0; i < 500; i++) {
3935 secp256k1_ge p;
3936 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
3937 secp256k1_gej j;
3938 CHECK(secp256k1_ge_is_valid_var(&p));
3939 secp256k1_gej_set_ge(&j, &p);
3940 test_point_times_order(&j);
3941 }
3942 secp256k1_fe_sqr(&x, &x);
3943 }
3944 secp256k1_fe_normalize_var(&x);
3945 CHECK(secp256k1_fe_equal_var(&x, &xr));
3946}
3947
3948void ecmult_const_random_mult(void) {
3949 /* random starting point A (on the curve) */
3950 secp256k1_ge a = SECP256K1_GE_CONST(
3951 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
3952 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
3953 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
3954 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
3955 );
3956 /* random initial factor xn */
3957 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
3958 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
3959 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
3960 );
3961 /* expected xn * A (from sage) */
3962 secp256k1_ge expected_b = SECP256K1_GE_CONST(
3963 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
3964 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
3965 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
3966 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
3967 );
3968 secp256k1_gej b;
3969 secp256k1_ecmult_const(&b, &a, &xn, 256);
3970
3971 CHECK(secp256k1_ge_is_valid_var(&a));
3972 ge_equals_gej(&expected_b, &b);
3973}
3974
3975void ecmult_const_commutativity(void) {
3976 secp256k1_scalar a;
3977 secp256k1_scalar b;
3978 secp256k1_gej res1;
3979 secp256k1_gej res2;
3980 secp256k1_ge mid1;
3981 secp256k1_ge mid2;
3982 random_scalar_order_test(&a);
3983 random_scalar_order_test(&b);
3984
3985 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
3986 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
3987 secp256k1_ge_set_gej(&mid1, &res1);
3988 secp256k1_ge_set_gej(&mid2, &res2);
3989 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
3990 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
3991 secp256k1_ge_set_gej(&mid1, &res1);
3992 secp256k1_ge_set_gej(&mid2, &res2);
3993 ge_equals_ge(&mid1, &mid2);
3994}
3995
3996void ecmult_const_mult_zero_one(void) {
3997 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3998 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3999 secp256k1_scalar negone;
4000 secp256k1_gej res1;
4001 secp256k1_ge res2;
4002 secp256k1_ge point;
4003 secp256k1_scalar_negate(&negone, &one);
4004
4005 random_group_element_test(&point);
4006 secp256k1_ecmult_const(&res1, &point, &zero, 3);
4007 secp256k1_ge_set_gej(&res2, &res1);
4008 CHECK(secp256k1_ge_is_infinity(&res2));
4009 secp256k1_ecmult_const(&res1, &point, &one, 2);
4010 secp256k1_ge_set_gej(&res2, &res1);
4011 ge_equals_ge(&res2, &point);
4012 secp256k1_ecmult_const(&res1, &point, &negone, 256);
4013 secp256k1_gej_neg(&res1, &res1);
4014 secp256k1_ge_set_gej(&res2, &res1);
4015 ge_equals_ge(&res2, &point);
4016}
4017
4018void ecmult_const_chain_multiply(void) {
4019 /* Check known result (randomly generated test problem from sage) */
4020 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4021 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4022 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4023 );
4024 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4025 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4026 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4027 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4028 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4029 );
4030 secp256k1_gej point;
4031 secp256k1_ge res;
4032 int i;
4033
4034 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4035 for (i = 0; i < 100; ++i) {
4036 secp256k1_ge tmp;
4037 secp256k1_ge_set_gej(&tmp, &point);
4038 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
4039 }
4040 secp256k1_ge_set_gej(&res, &point);
4041 ge_equals_gej(&res, &expected_point);
4042}
4043
4044void run_ecmult_const_tests(void) {
4045 ecmult_const_mult_zero_one();
4046 ecmult_const_random_mult();
4047 ecmult_const_commutativity();
4048 ecmult_const_chain_multiply();
4049}
4050
4051typedef struct {
4052 secp256k1_scalar *sc;
4053 secp256k1_ge *pt;
4054} ecmult_multi_data;
4055
4056static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4057 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4058 *sc = data->sc[idx];
4059 *pt = data->pt[idx];
4060 return 1;
4061}
4062
4063static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4064 (void)sc;
4065 (void)pt;
4066 (void)idx;
4067 (void)cbdata;
4068 return 0;
4069}
4070
4071void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4072 int ncount;
4073 secp256k1_scalar szero;
4074 secp256k1_scalar sc[32];
4075 secp256k1_ge pt[32];
4076 secp256k1_gej r;
4077 secp256k1_gej r2;
4078 ecmult_multi_data data;
4079
4080 data.sc = sc;
4081 data.pt = pt;
4082 secp256k1_scalar_set_int(&szero, 0);
4083
4084 /* No points to multiply */
4085 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4086
4087 /* Check 1- and 2-point multiplies against ecmult */
4088 for (ncount = 0; ncount < count; ncount++) {
4089 secp256k1_ge ptg;
4090 secp256k1_gej ptgj;
4091 random_scalar_order(&sc[0]);
4092 random_scalar_order(&sc[1]);
4093
4094 random_group_element_test(&ptg);
4095 secp256k1_gej_set_ge(&ptgj, &ptg);
4096 pt[0] = ptg;
4097 pt[1] = secp256k1_ge_const_g;
4098
4099 /* only G scalar */
4100 secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]);
4101 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4102 secp256k1_gej_neg(&r2, &r2);
4103 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4104 CHECK(secp256k1_gej_is_infinity(&r));
4105
4106 /* 1-point */
4107 secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero);
4108 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
4109 secp256k1_gej_neg(&r2, &r2);
4110 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4111 CHECK(secp256k1_gej_is_infinity(&r));
4112
4113 /* Try to multiply 1 point, but callback returns false */
4114 CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
4115
4116 /* 2-point */
4117 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4118 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
4119 secp256k1_gej_neg(&r2, &r2);
4120 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4121 CHECK(secp256k1_gej_is_infinity(&r));
4122
4123 /* 2-point with G scalar */
4124 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4125 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4126 secp256k1_gej_neg(&r2, &r2);
4127 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4128 CHECK(secp256k1_gej_is_infinity(&r));
4129 }
4130
4131 /* Check infinite outputs of various forms */
4132 for (ncount = 0; ncount < count; ncount++) {
4133 secp256k1_ge ptg;
4134 size_t i, j;
4135 size_t sizes[] = { 2, 10, 32 };
4136
4137 for (j = 0; j < 3; j++) {
4138 for (i = 0; i < 32; i++) {
4139 random_scalar_order(&sc[i]);
4140 secp256k1_ge_set_infinity(&pt[i]);
4141 }
4142 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4143 CHECK(secp256k1_gej_is_infinity(&r));
4144 }
4145
4146 for (j = 0; j < 3; j++) {
4147 for (i = 0; i < 32; i++) {
4148 random_group_element_test(&ptg);
4149 pt[i] = ptg;
4150 secp256k1_scalar_set_int(&sc[i], 0);
4151 }
4152 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4153 CHECK(secp256k1_gej_is_infinity(&r));
4154 }
4155
4156 for (j = 0; j < 3; j++) {
4157 random_group_element_test(&ptg);
4158 for (i = 0; i < 16; i++) {
4159 random_scalar_order(&sc[2*i]);
4160 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4161 pt[2 * i] = ptg;
4162 pt[2 * i + 1] = ptg;
4163 }
4164
4165 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4166 CHECK(secp256k1_gej_is_infinity(&r));
4167
4168 random_scalar_order(&sc[0]);
4169 for (i = 0; i < 16; i++) {
4170 random_group_element_test(&ptg);
4171
4172 sc[2*i] = sc[0];
4173 sc[2*i+1] = sc[0];
4174 pt[2 * i] = ptg;
4175 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4176 }
4177
4178 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4179 CHECK(secp256k1_gej_is_infinity(&r));
4180 }
4181
4182 random_group_element_test(&ptg);
4183 secp256k1_scalar_set_int(&sc[0], 0);
4184 pt[0] = ptg;
4185 for (i = 1; i < 32; i++) {
4186 pt[i] = ptg;
4187
4188 random_scalar_order(&sc[i]);
4189 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4190 secp256k1_scalar_negate(&sc[i], &sc[i]);
4191 }
4192
4193 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
4194 CHECK(secp256k1_gej_is_infinity(&r));
4195 }
4196
4197 /* Check random points, constant scalar */
4198 for (ncount = 0; ncount < count; ncount++) {
4199 size_t i;
4200 secp256k1_gej_set_infinity(&r);
4201
4202 random_scalar_order(&sc[0]);
4203 for (i = 0; i < 20; i++) {
4204 secp256k1_ge ptg;
4205 sc[i] = sc[0];
4206 random_group_element_test(&ptg);
4207 pt[i] = ptg;
4208 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4209 }
4210
4211 secp256k1_ecmult(&r2, &r, &sc[0], &szero);
4212 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4213 secp256k1_gej_neg(&r2, &r2);
4214 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4215 CHECK(secp256k1_gej_is_infinity(&r));
4216 }
4217
4218 /* Check random scalars, constant point */
4219 for (ncount = 0; ncount < count; ncount++) {
4220 size_t i;
4221 secp256k1_ge ptg;
4222 secp256k1_gej p0j;
4223 secp256k1_scalar rs;
4224 secp256k1_scalar_set_int(&rs, 0);
4225
4226 random_group_element_test(&ptg);
4227 for (i = 0; i < 20; i++) {
4228 random_scalar_order(&sc[i]);
4229 pt[i] = ptg;
4230 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4231 }
4232
4233 secp256k1_gej_set_ge(&p0j, &pt[0]);
4234 secp256k1_ecmult(&r2, &p0j, &rs, &szero);
4235 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4236 secp256k1_gej_neg(&r2, &r2);
4237 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4238 CHECK(secp256k1_gej_is_infinity(&r));
4239 }
4240
4241 /* Sanity check that zero scalars don't cause problems */
4242 for (ncount = 0; ncount < 20; ncount++) {
4243 random_scalar_order(&sc[ncount]);
4244 random_group_element_test(&pt[ncount]);
4245 }
4246 secp256k1_scalar_clear(&sc[0]);
4247 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4248 secp256k1_scalar_clear(&sc[1]);
4249 secp256k1_scalar_clear(&sc[2]);
4250 secp256k1_scalar_clear(&sc[3]);
4251 secp256k1_scalar_clear(&sc[4]);
4252 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
4253 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4254 CHECK(secp256k1_gej_is_infinity(&r));
4255
4256 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4257 {
4258 const size_t TOP = 8;
4259 size_t s0i, s1i;
4260 size_t t0i, t1i;
4261 secp256k1_ge ptg;
4262 secp256k1_gej ptgj;
4263
4264 random_group_element_test(&ptg);
4265 secp256k1_gej_set_ge(&ptgj, &ptg);
4266
4267 for(t0i = 0; t0i < TOP; t0i++) {
4268 for(t1i = 0; t1i < TOP; t1i++) {
4269 secp256k1_gej t0p, t1p;
4270 secp256k1_scalar t0, t1;
4271
4272 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4273 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4274 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4275 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4276
4277 secp256k1_ecmult(&t0p, &ptgj, &t0, &szero);
4278 secp256k1_ecmult(&t1p, &ptgj, &t1, &szero);
4279
4280 for(s0i = 0; s0i < TOP; s0i++) {
4281 for(s1i = 0; s1i < TOP; s1i++) {
4282 secp256k1_scalar tmp1, tmp2;
4283 secp256k1_gej expected, actual;
4284
4285 secp256k1_ge_set_gej(&pt[0], &t0p);
4286 secp256k1_ge_set_gej(&pt[1], &t1p);
4287
4288 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4289 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4290 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4291 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4292
4293 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4294 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4295 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4296
4297 secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero);
4298 CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4299 secp256k1_gej_neg(&expected, &expected);
4300 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
4301 CHECK(secp256k1_gej_is_infinity(&actual));
4302 }
4303 }
4304 }
4305 }
4306 }
4307}
4308
4309int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4310 /* Large random test for ecmult_multi_* functions which exercises:
4311 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4312 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4313 * - Including or excluding an nonzero a*G term (or such a term at all).
4314 * - Final expected result equal to infinity or not (roughly 50%).
4315 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4316 */
4317
4318 /* These 4 variables define the eventual input to the ecmult_multi function.
4319 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4320 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4321 * which form its normal inputs. */
4322 int filled = 0;
4323 secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4324 secp256k1_scalar scalars[128];
4325 secp256k1_gej gejs[128];
4326 /* The expected result, and the computed result. */
4327 secp256k1_gej expected, computed;
4328 /* Temporaries. */
4329 secp256k1_scalar sc_tmp;
4330 secp256k1_ge ge_tmp;
4331 /* Variables needed for the actual input to ecmult_multi. */
4332 secp256k1_ge ges[128];
4333 ecmult_multi_data data;
4334
4335 int i;
4336 /* Which multiplication function to use */
4337 int fn = secp256k1_testrand_int(3);
4338 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4339 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4340 secp256k1_ecmult_pippenger_batch_single;
4341 /* Simulate exponentially distributed num. */
4342 int num_bits = 2 + secp256k1_testrand_int(6);
4343 /* Number of (scalar, point) inputs (excluding g). */
4344 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4345 /* Number of those which are nonzero. */
4346 int num_nonzero = secp256k1_testrand_int(num + 1);
4347 /* Whether we're aiming to create an input with nonzero expected result. */
4348 int nonzero_result = secp256k1_testrand_bits(1);
4349 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4350 * is forced here based on num_nonzero and nonzero_result. */
4351 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4352 num_nonzero == 1 && !nonzero_result ? 1 :
4353 (int)secp256k1_testrand_bits(1);
4354 /* Which g_scalar pointer to pass into ecmult_multi(). */
4355 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4356 /* How many EC multiplications were performed in this function. */
4357 int mults = 0;
4358 /* How many randomization steps to apply to the input list. */
4359 int rands = (int)secp256k1_testrand_bits(3);
4360 if (rands > num_nonzero) rands = num_nonzero;
4361
4362 secp256k1_gej_set_infinity(&expected);
4363 secp256k1_gej_set_infinity(&gejs[0]);
4364 secp256k1_scalar_set_int(&scalars[0], 0);
4365
4366 if (g_nonzero) {
4367 /* If g_nonzero, set g_scalar to nonzero value r. */
4368 random_scalar_order_test(&g_scalar);
4369 if (!nonzero_result) {
4370 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4371 CHECK(num_nonzero > filled);
4372 random_scalar_order_test(&sc_tmp);
4373 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4374 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4375 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4376 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4377 ++filled;
4378 ++mults;
4379 }
4380 }
4381
4382 if (nonzero_result && filled < num_nonzero) {
4383 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4384 random_scalar_order_test(&scalars[filled]);
4385 random_group_element_test(&ge_tmp);
4386 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4387 ++filled;
4388 }
4389
4390 if (nonzero_result) {
4391 /* Compute the expected result using normal ecmult. */
4392 CHECK(filled <= 1);
4393 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4394 mults += filled + g_nonzero;
4395 }
4396
4397 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4398 CHECK(filled <= 1 + !nonzero_result);
4399 CHECK(filled <= num_nonzero);
4400
4401 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4402 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4403 while (filled < num) {
4404 if (secp256k1_testrand_bits(1)) {
4405 secp256k1_gej_set_infinity(&gejs[filled]);
4406 random_scalar_order_test(&scalars[filled]);
4407 } else {
4408 secp256k1_scalar_set_int(&scalars[filled], 0);
4409 random_group_element_test(&ge_tmp);
4410 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4411 }
4412 ++filled;
4413 }
4414
4415 /* Now perform cheapish transformations on gejs and scalars, for indices
4416 * 0..num_nonzero-1, which do not change the expected result, but may
4417 * convert some of them to be both non-0-scalar and non-infinity-point. */
4418 for (i = 0; i < rands; ++i) {
4419 int j;
4420 secp256k1_scalar v, iv;
4421 /* Shuffle the entries. */
4422 for (j = 0; j < num_nonzero; ++j) {
4423 int k = secp256k1_testrand_int(num_nonzero - j);
4424 if (k != 0) {
4425 secp256k1_gej gej = gejs[j];
4426 secp256k1_scalar sc = scalars[j];
4427 gejs[j] = gejs[j + k];
4428 scalars[j] = scalars[j + k];
4429 gejs[j + k] = gej;
4430 scalars[j + k] = sc;
4431 }
4432 }
4433 /* Perturb all consecutive pairs of inputs:
4434 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4435 for (j = 0; j + 1 < num_nonzero; j += 2) {
4436 secp256k1_gej gej;
4437 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4438 secp256k1_gej_neg(&gej, &gejs[j]);
4439 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4440 }
4441 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4442 CHECK(num_nonzero >= 1);
4443 random_scalar_order_test(&v);
4444 secp256k1_scalar_inverse(&iv, &v);
4445 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4446 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
4447 ++mults;
4448 }
4449
4450 /* Shuffle all entries (0..num-1). */
4451 for (i = 0; i < num; ++i) {
4452 int j = secp256k1_testrand_int(num - i);
4453 if (j != 0) {
4454 secp256k1_gej gej = gejs[i];
4455 secp256k1_scalar sc = scalars[i];
4456 gejs[i] = gejs[i + j];
4457 scalars[i] = scalars[i + j];
4458 gejs[i + j] = gej;
4459 scalars[i + j] = sc;
4460 }
4461 }
4462
4463 /* Compute affine versions of all inputs. */
4464 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
4465 /* Invoke ecmult_multi code. */
4466 data.sc = scalars;
4467 data.pt = ges;
4468 CHECK(ecmult_multi(&ctx->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
4469 mults += num_nonzero + g_nonzero;
4470 /* Compare with expected result. */
4471 secp256k1_gej_neg(&computed, &computed);
4472 secp256k1_gej_add_var(&computed, &computed, &expected, NULL);
4473 CHECK(secp256k1_gej_is_infinity(&computed));
4474 return mults;
4475}
4476
4477void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
4478 secp256k1_scalar szero;
4479 secp256k1_scalar sc;
4480 secp256k1_ge pt;
4481 secp256k1_gej r;
4482 ecmult_multi_data data;
4483 secp256k1_scratch *scratch_empty;
4484
4485 random_group_element_test(&pt);
4486 random_scalar_order(&sc);
4487 data.sc = &sc;
4488 data.pt = &pt;
4489 secp256k1_scalar_set_int(&szero, 0);
4490
4491 /* Try to multiply 1 point, but scratch space is empty.*/
4492 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
4493 CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4494 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
4495}
4496
4497void test_secp256k1_pippenger_bucket_window_inv(void) {
4498 int i;
4499
4500 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
4501 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4502 /* Bucket_window of 8 is not used with endo */
4503 if (i == 8) {
4504 continue;
4505 }
4506 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
4507 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4508 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
4509 }
4510 }
4511}
4512
4517void test_ecmult_multi_pippenger_max_points(void) {
4518 size_t scratch_size = secp256k1_testrand_bits(8);
4519 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
4520 secp256k1_scratch *scratch;
4521 size_t n_points_supported;
4522 int bucket_window = 0;
4523
4524 for(; scratch_size < max_size; scratch_size+=256) {
4525 size_t i;
4526 size_t total_alloc;
4527 size_t checkpoint;
4528 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4529 CHECK(scratch != NULL);
4530 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4531 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4532 if (n_points_supported == 0) {
4533 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4534 continue;
4535 }
4536 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4537 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4538 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4539 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4540 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
4541 total_alloc--;
4542 }
4543 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4544 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4545 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4546 }
4547 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4548}
4549
4550void test_ecmult_multi_batch_size_helper(void) {
4551 size_t n_batches, n_batch_points, max_n_batch_points, n;
4552
4553 max_n_batch_points = 0;
4554 n = 1;
4555 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4556
4557 max_n_batch_points = 1;
4558 n = 0;
4559 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4560 CHECK(n_batches == 0);
4561 CHECK(n_batch_points == 0);
4562
4563 max_n_batch_points = 2;
4564 n = 5;
4565 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4566 CHECK(n_batches == 3);
4567 CHECK(n_batch_points == 2);
4568
4569 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4570 n = ECMULT_MAX_POINTS_PER_BATCH;
4571 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4572 CHECK(n_batches == 1);
4573 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4574
4575 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4576 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
4577 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4578 CHECK(n_batches == 2);
4579 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4580
4581 max_n_batch_points = 1;
4582 n = SIZE_MAX;
4583 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4584 CHECK(n_batches == SIZE_MAX);
4585 CHECK(n_batch_points == 1);
4586
4587 max_n_batch_points = 2;
4588 n = SIZE_MAX;
4589 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4590 CHECK(n_batches == SIZE_MAX/2 + 1);
4591 CHECK(n_batch_points == 2);
4592}
4593
4598void test_ecmult_multi_batching(void) {
4599 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4600 secp256k1_scalar scG;
4601 secp256k1_scalar szero;
4602 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
4603 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4604 secp256k1_gej r;
4605 secp256k1_gej r2;
4606 ecmult_multi_data data;
4607 int i;
4608 secp256k1_scratch *scratch;
4609
4610 secp256k1_gej_set_infinity(&r2);
4611 secp256k1_scalar_set_int(&szero, 0);
4612
4613 /* Get random scalars and group elements and compute result */
4614 random_scalar_order(&scG);
4615 secp256k1_ecmult(&r2, &r2, &szero, &scG);
4616 for(i = 0; i < n_points; i++) {
4617 secp256k1_ge ptg;
4618 secp256k1_gej ptgj;
4619 random_group_element_test(&ptg);
4620 secp256k1_gej_set_ge(&ptgj, &ptg);
4621 pt[i] = ptg;
4622 random_scalar_order(&sc[i]);
4623 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
4624 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4625 }
4626 data.sc = sc;
4627 data.pt = pt;
4628 secp256k1_gej_neg(&r2, &r2);
4629
4630 /* Test with empty scratch space. It should compute the correct result using
4631 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4632 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
4633 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4634 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4635 CHECK(secp256k1_gej_is_infinity(&r));
4636 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4637
4638 /* Test with space for 1 point in pippenger. That's not enough because
4639 * ecmult_multi selects strauss which requires more memory. It should
4640 * therefore select the simple algorithm. */
4641 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4642 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4643 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4644 CHECK(secp256k1_gej_is_infinity(&r));
4645 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4646
4647 for(i = 1; i <= n_points; i++) {
4648 if (i > ECMULT_PIPPENGER_THRESHOLD) {
4649 int bucket_window = secp256k1_pippenger_bucket_window(i);
4650 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4651 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4652 } else {
4653 size_t scratch_size = secp256k1_strauss_scratch_size(i);
4654 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4655 }
4656 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4657 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4658 CHECK(secp256k1_gej_is_infinity(&r));
4659 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4660 }
4661 free(sc);
4662 free(pt);
4663}
4664
4665void run_ecmult_multi_tests(void) {
4666 secp256k1_scratch *scratch;
4667 int64_t todo = (int64_t)320 * count;
4668
4669 test_secp256k1_pippenger_bucket_window_inv();
4670 test_ecmult_multi_pippenger_max_points();
4671 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4672 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4673 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
4674 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
4675 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
4676 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
4677 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
4678 while (todo > 0) {
4679 todo -= test_ecmult_multi_random(scratch);
4680 }
4681 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4682
4683 /* Run test_ecmult_multi with space for exactly one point */
4684 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4685 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4686 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4687
4688 test_ecmult_multi_batch_size_helper();
4689 test_ecmult_multi_batching();
4690}
4691
4692void test_wnaf(const secp256k1_scalar *number, int w) {
4693 secp256k1_scalar x, two, t;
4694 int wnaf[256];
4695 int zeroes = -1;
4696 int i;
4697 int bits;
4698 secp256k1_scalar_set_int(&x, 0);
4699 secp256k1_scalar_set_int(&two, 2);
4700 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4701 CHECK(bits <= 256);
4702 for (i = bits-1; i >= 0; i--) {
4703 int v = wnaf[i];
4704 secp256k1_scalar_mul(&x, &x, &two);
4705 if (v) {
4706 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4707 zeroes=0;
4708 CHECK((v & 1) == 1); /* check non-zero elements are odd */
4709 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4710 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4711 } else {
4712 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4713 zeroes++;
4714 }
4715 if (v >= 0) {
4716 secp256k1_scalar_set_int(&t, v);
4717 } else {
4718 secp256k1_scalar_set_int(&t, -v);
4719 secp256k1_scalar_negate(&t, &t);
4720 }
4721 secp256k1_scalar_add(&x, &x, &t);
4722 }
4723 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4724}
4725
4726void test_constant_wnaf_negate(const secp256k1_scalar *number) {
4727 secp256k1_scalar neg1 = *number;
4728 secp256k1_scalar neg2 = *number;
4729 int sign1 = 1;
4730 int sign2 = 1;
4731
4732 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4733 secp256k1_scalar_negate(&neg1, &neg1);
4734 sign1 = -1;
4735 }
4736 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
4737 CHECK(sign1 == sign2);
4738 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4739}
4740
4741void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4742 secp256k1_scalar x, shift;
4743 int wnaf[256] = {0};
4744 int i;
4745 int skew;
4746 int bits = 256;
4747 secp256k1_scalar num = *number;
4748 secp256k1_scalar scalar_skew;
4749
4750 secp256k1_scalar_set_int(&x, 0);
4751 secp256k1_scalar_set_int(&shift, 1 << w);
4752 for (i = 0; i < 16; ++i) {
4753 secp256k1_scalar_shr_int(&num, 8);
4754 }
4755 bits = 128;
4756 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
4757
4758 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4759 secp256k1_scalar t;
4760 int v = wnaf[i];
4761 CHECK(v != 0); /* check nonzero */
4762 CHECK(v & 1); /* check parity */
4763 CHECK(v > -(1 << w)); /* check range above */
4764 CHECK(v < (1 << w)); /* check range below */
4765
4766 secp256k1_scalar_mul(&x, &x, &shift);
4767 if (v >= 0) {
4768 secp256k1_scalar_set_int(&t, v);
4769 } else {
4770 secp256k1_scalar_set_int(&t, -v);
4771 secp256k1_scalar_negate(&t, &t);
4772 }
4773 secp256k1_scalar_add(&x, &x, &t);
4774 }
4775 /* Skew num because when encoding numbers as odd we use an offset */
4776 secp256k1_scalar_set_int(&scalar_skew, skew);
4777 secp256k1_scalar_add(&num, &num, &scalar_skew);
4778 CHECK(secp256k1_scalar_eq(&x, &num));
4779}
4780
4781void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
4782 secp256k1_scalar x, shift;
4783 int wnaf[256] = {0};
4784 int i;
4785 int skew;
4786 secp256k1_scalar num = *number;
4787
4788 secp256k1_scalar_set_int(&x, 0);
4789 secp256k1_scalar_set_int(&shift, 1 << w);
4790 for (i = 0; i < 16; ++i) {
4791 secp256k1_scalar_shr_int(&num, 8);
4792 }
4793 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4794
4795 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4796 secp256k1_scalar t;
4797 int v = wnaf[i];
4798 CHECK(v == 0 || v & 1); /* check parity */
4799 CHECK(v > -(1 << w)); /* check range above */
4800 CHECK(v < (1 << w)); /* check range below */
4801
4802 secp256k1_scalar_mul(&x, &x, &shift);
4803 if (v >= 0) {
4804 secp256k1_scalar_set_int(&t, v);
4805 } else {
4806 secp256k1_scalar_set_int(&t, -v);
4807 secp256k1_scalar_negate(&t, &t);
4808 }
4809 secp256k1_scalar_add(&x, &x, &t);
4810 }
4811 /* If skew is 1 then add 1 to num */
4812 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
4813 CHECK(secp256k1_scalar_eq(&x, &num));
4814}
4815
4816/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
4817 * rest is 0.*/
4818void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
4819 int i;
4820 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4821 CHECK(wnaf[i] == 0);
4822 }
4823 for (i = 7; i >= 0; --i) {
4824 CHECK(wnaf[i] == wnaf_expected[i]);
4825 }
4826}
4827
4828void test_fixed_wnaf_small(void) {
4829 int w = 4;
4830 int wnaf[256] = {0};
4831 int i;
4832 int skew;
4833 secp256k1_scalar num;
4834
4835 secp256k1_scalar_set_int(&num, 0);
4836 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4837 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4838 int v = wnaf[i];
4839 CHECK(v == 0);
4840 }
4841 CHECK(skew == 0);
4842
4843 secp256k1_scalar_set_int(&num, 1);
4844 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4845 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4846 int v = wnaf[i];
4847 CHECK(v == 0);
4848 }
4849 CHECK(wnaf[0] == 1);
4850 CHECK(skew == 0);
4851
4852 {
4853 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4854 secp256k1_scalar_set_int(&num, 0xffffffff);
4855 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4856 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4857 CHECK(skew == 0);
4858 }
4859 {
4860 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4861 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
4862 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4863 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4864 CHECK(skew == 1);
4865 }
4866 {
4867 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4868 secp256k1_scalar_set_int(&num, 0x01010101);
4869 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4870 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4871 CHECK(skew == 0);
4872 }
4873 {
4874 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4875 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
4876 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
4877 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4878 CHECK(skew == 0);
4879 }
4880}
4881
4882void run_wnaf(void) {
4883 int i;
4884 secp256k1_scalar n = {{0}};
4885
4886 test_constant_wnaf(&n, 4);
4887 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4888 * have easier-to-diagnose failure modes */
4889 n.d[0] = 1;
4890 test_constant_wnaf(&n, 4);
4891 n.d[0] = 2;
4892 test_constant_wnaf(&n, 4);
4893 /* Test -1, because it's a special case in wnaf_const */
4894 n = secp256k1_scalar_one;
4895 secp256k1_scalar_negate(&n, &n);
4896 test_constant_wnaf(&n, 4);
4897
4898 /* Test -2, which may not lead to overflows in wnaf_const */
4899 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
4900 secp256k1_scalar_negate(&n, &n);
4901 test_constant_wnaf(&n, 4);
4902
4903 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4904 as corner cases of negation handling in wnaf_const */
4905 secp256k1_scalar_inverse(&n, &n);
4906 test_constant_wnaf(&n, 4);
4907
4908 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
4909 test_constant_wnaf(&n, 4);
4910
4911 /* Test 0 for fixed wnaf */
4912 test_fixed_wnaf_small();
4913 /* Random tests */
4914 for (i = 0; i < count; i++) {
4915 random_scalar_order(&n);
4916 test_wnaf(&n, 4+(i%10));
4917 test_constant_wnaf_negate(&n);
4918 test_constant_wnaf(&n, 4 + (i % 10));
4919 test_fixed_wnaf(&n, 4 + (i % 10));
4920 }
4921 secp256k1_scalar_set_int(&n, 0);
4922 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
4923 CHECK(secp256k1_scalar_is_zero(&n));
4924 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
4925 CHECK(secp256k1_scalar_is_zero(&n));
4926}
4927
4928static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
4929 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
4930 *sc = *indata;
4931 *pt = secp256k1_ge_const_g;
4932 CHECK(idx == 0);
4933 return 1;
4934}
4935
4936void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
4937 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
4938 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
4939 secp256k1_ge r;
4940 const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4941 unsigned char bytes[65];
4942 size_t size = 65;
4943 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4944 secp256k1_gej_set_infinity(&infj);
4945 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj1, x);
4946 secp256k1_ecmult(&rj2, &gj, x, &zero);
4947 secp256k1_ecmult(&rj3, &infj, &zero, x);
4948 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
4949 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
4950 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x, 256);
4951 secp256k1_ge_set_gej_var(&r, &rj1);
4952 ge_equals_gej(&r, &rj2);
4953 ge_equals_gej(&r, &rj3);
4954 ge_equals_gej(&r, &rj4);
4955 ge_equals_gej(&r, &rj5);
4956 ge_equals_gej(&r, &rj6);
4957 if (secp256k1_ge_is_infinity(&r)) {
4958 /* Store infinity as 0x00 */
4959 const unsigned char zerobyte[1] = {0};
4960 secp256k1_sha256_write(acc, zerobyte, 1);
4961 } else {
4962 /* Store other points using their uncompressed serialization. */
4963 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
4964 CHECK(size == 65);
4965 secp256k1_sha256_write(acc, bytes, size);
4966 }
4967}
4968
4969void test_ecmult_constants_2bit(void) {
4970 /* Using test_ecmult_accumulate, test ecmult for:
4971 * - For i in 0..36:
4972 * - Key i
4973 * - Key -i
4974 * - For i in 0..255:
4975 * - For j in 1..255 (only odd values):
4976 * - Key (j*2^i) mod order
4977 */
4978 secp256k1_scalar x;
4979 secp256k1_sha256 acc;
4980 unsigned char b32[32];
4981 int i, j;
4982 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
4983
4984 /* Expected hash of all the computed points; created with an independent
4985 * implementation. */
4986 static const unsigned char expected32[32] = {
4987 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
4988 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
4989 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
4990 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
4991 };
4992 secp256k1_sha256_initialize(&acc);
4993 for (i = 0; i <= 36; ++i) {
4994 secp256k1_scalar_set_int(&x, i);
4995 test_ecmult_accumulate(&acc, &x, scratch);
4996 secp256k1_scalar_negate(&x, &x);
4997 test_ecmult_accumulate(&acc, &x, scratch);
4998 };
4999 for (i = 0; i < 256; ++i) {
5000 for (j = 1; j < 256; j += 2) {
5001 int k;
5002 secp256k1_scalar_set_int(&x, j);
5003 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5004 test_ecmult_accumulate(&acc, &x, scratch);
5005 }
5006 }
5007 secp256k1_sha256_finalize(&acc, b32);
5008 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5009
5010 secp256k1_scratch_space_destroy(ctx, scratch);
5011}
5012
5013void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5014 /* Using test_ecmult_accumulate, test ecmult for:
5015 * - Key 0
5016 * - Key 1
5017 * - Key -1
5018 * - For i in range(iter):
5019 * - Key SHA256(LE32(prefix) || LE16(i))
5020 */
5021 secp256k1_scalar x;
5022 secp256k1_sha256 acc;
5023 unsigned char b32[32];
5024 unsigned char inp[6];
5025 size_t i;
5026 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
5027
5028 inp[0] = prefix & 0xFF;
5029 inp[1] = (prefix >> 8) & 0xFF;
5030 inp[2] = (prefix >> 16) & 0xFF;
5031 inp[3] = (prefix >> 24) & 0xFF;
5032 secp256k1_sha256_initialize(&acc);
5033 secp256k1_scalar_set_int(&x, 0);
5034 test_ecmult_accumulate(&acc, &x, scratch);
5035 secp256k1_scalar_set_int(&x, 1);
5036 test_ecmult_accumulate(&acc, &x, scratch);
5037 secp256k1_scalar_negate(&x, &x);
5038 test_ecmult_accumulate(&acc, &x, scratch);
5039
5040 for (i = 0; i < iter; ++i) {
5041 secp256k1_sha256 gen;
5042 inp[4] = i & 0xff;
5043 inp[5] = (i >> 8) & 0xff;
5044 secp256k1_sha256_initialize(&gen);
5045 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5046 secp256k1_sha256_finalize(&gen, b32);
5047 secp256k1_scalar_set_b32(&x, b32, NULL);
5048 test_ecmult_accumulate(&acc, &x, scratch);
5049 }
5050 secp256k1_sha256_finalize(&acc, b32);
5051 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5052
5053 secp256k1_scratch_space_destroy(ctx, scratch);
5054}
5055
5056void run_ecmult_constants(void) {
5057 /* Expected hashes of all points in the tests below. Computed using an
5058 * independent implementation. */
5059 static const unsigned char expected32_6bit20[32] = {
5060 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5061 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5062 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5063 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5064 };
5065 static const unsigned char expected32_8bit8[32] = {
5066 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5067 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5068 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5069 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5070 };
5071 /* For every combination of 6 bit positions out of 256, restricted to
5072 * 20-bit windows (i.e., the first and last bit position are no more than
5073 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5074 * this test. */
5075 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5076 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5077 }
5078
5079 /* For every combination of 8 consecutive bit positions, all 256 bit
5080 * patterns occur in the input scalars used in this test. */
5081 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5082 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5083 }
5084
5085 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5086 test_ecmult_constants_2bit();
5087 }
5088}
5089
5090void test_ecmult_gen_blind(void) {
5091 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5092 secp256k1_scalar key;
5093 secp256k1_scalar b;
5094 unsigned char seed32[32];
5095 secp256k1_gej pgej;
5096 secp256k1_gej pgej2;
5097 secp256k1_gej i;
5098 secp256k1_ge pge;
5099 random_scalar_order_test(&key);
5100 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
5101 secp256k1_testrand256(seed32);
5102 b = ctx->ecmult_gen_ctx.blind;
5103 i = ctx->ecmult_gen_ctx.initial;
5104 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
5105 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5106 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
5107 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5108 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
5109 secp256k1_ge_set_gej(&pge, &pgej);
5110 ge_equals_gej(&pge, &pgej2);
5111}
5112
5113void test_ecmult_gen_blind_reset(void) {
5114 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5115 secp256k1_scalar b;
5116 secp256k1_gej initial;
5117 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5118 b = ctx->ecmult_gen_ctx.blind;
5119 initial = ctx->ecmult_gen_ctx.initial;
5120 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5121 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5122 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
5123}
5124
5125void run_ecmult_gen_blind(void) {
5126 int i;
5127 test_ecmult_gen_blind_reset();
5128 for (i = 0; i < 10; i++) {
5129 test_ecmult_gen_blind();
5130 }
5131}
5132
5133/***** ENDOMORPHISH TESTS *****/
5134void test_scalar_split(const secp256k1_scalar* full) {
5135 secp256k1_scalar s, s1, slam;
5136 const unsigned char zero[32] = {0};
5137 unsigned char tmp[32];
5138
5139 secp256k1_scalar_split_lambda(&s1, &slam, full);
5140
5141 /* check slam*lambda + s1 == full */
5142 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5143 secp256k1_scalar_add(&s, &s, &s1);
5144 CHECK(secp256k1_scalar_eq(&s, full));
5145
5146 /* check that both are <= 128 bits in size */
5147 if (secp256k1_scalar_is_high(&s1)) {
5148 secp256k1_scalar_negate(&s1, &s1);
5149 }
5150 if (secp256k1_scalar_is_high(&slam)) {
5151 secp256k1_scalar_negate(&slam, &slam);
5152 }
5153
5154 secp256k1_scalar_get_b32(tmp, &s1);
5155 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5156 secp256k1_scalar_get_b32(tmp, &slam);
5157 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5158}
5159
5160
5161void run_endomorphism_tests(void) {
5162 unsigned i;
5163 static secp256k1_scalar s;
5164 test_scalar_split(&secp256k1_scalar_zero);
5165 test_scalar_split(&secp256k1_scalar_one);
5166 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5167 test_scalar_split(&s);
5168 test_scalar_split(&secp256k1_const_lambda);
5169 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5170 test_scalar_split(&s);
5171
5172 for (i = 0; i < 100U * count; ++i) {
5173 secp256k1_scalar full;
5174 random_scalar_order_test(&full);
5175 test_scalar_split(&full);
5176 }
5177 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5178 test_scalar_split(&scalars_near_split_bounds[i]);
5179 }
5180}
5181
5182void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5183 unsigned char pubkeyc[65];
5184 secp256k1_pubkey pubkey;
5185 secp256k1_ge ge;
5186 size_t pubkeyclen;
5187 int32_t ecount;
5188 ecount = 0;
5189 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5190 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5191 /* Smaller sizes are tested exhaustively elsewhere. */
5192 int32_t i;
5193 memcpy(&pubkeyc[1], input, 64);
5194 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5195 for (i = 0; i < 256; i++) {
5196 /* Try all type bytes. */
5197 int xpass;
5198 int ypass;
5199 int ysign;
5200 pubkeyc[0] = i;
5201 /* What sign does this point have? */
5202 ysign = (input[63] & 1) + 2;
5203 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5204 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5205 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5206 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5207 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5208 if (xpass || ypass) {
5209 /* These cases must parse. */
5210 unsigned char pubkeyo[65];
5211 size_t outl;
5212 memset(&pubkey, 0, sizeof(pubkey));
5213 VG_UNDEF(&pubkey, sizeof(pubkey));
5214 ecount = 0;
5215 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5216 VG_CHECK(&pubkey, sizeof(pubkey));
5217 outl = 65;
5218 VG_UNDEF(pubkeyo, 65);
5219 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5220 VG_CHECK(pubkeyo, outl);
5221 CHECK(outl == 33);
5222 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5223 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5224 if (ypass) {
5225 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5226 CHECK(pubkeyo[0] == ysign);
5227 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5228 memset(&pubkey, 0, sizeof(pubkey));
5229 VG_UNDEF(&pubkey, sizeof(pubkey));
5230 secp256k1_pubkey_save(&pubkey, &ge);
5231 VG_CHECK(&pubkey, sizeof(pubkey));
5232 outl = 65;
5233 VG_UNDEF(pubkeyo, 65);
5234 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5235 VG_CHECK(pubkeyo, outl);
5236 CHECK(outl == 65);
5237 CHECK(pubkeyo[0] == 4);
5238 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5239 }
5240 CHECK(ecount == 0);
5241 } else {
5242 /* These cases must fail to parse. */
5243 memset(&pubkey, 0xfe, sizeof(pubkey));
5244 ecount = 0;
5245 VG_UNDEF(&pubkey, sizeof(pubkey));
5246 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
5247 VG_CHECK(&pubkey, sizeof(pubkey));
5248 CHECK(ecount == 0);
5249 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5250 CHECK(ecount == 1);
5251 }
5252 }
5253 }
5254 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5255}
5256
5257void run_ec_pubkey_parse_test(void) {
5258#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5259 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5260 {
5261 /* Point with leading and trailing zeros in x and y serialization. */
5262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5264 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5265 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5266 },
5267 {
5268 /* Point with x equal to a 3rd root of unity.*/
5269 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5270 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5271 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5272 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5273 },
5274 {
5275 /* Point with largest x. (1/2) */
5276 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5277 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5278 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5279 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5280 },
5281 {
5282 /* Point with largest x. (2/2) */
5283 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5284 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5285 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5286 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5287 },
5288 {
5289 /* Point with smallest x. (1/2) */
5290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5292 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5293 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5294 },
5295 {
5296 /* Point with smallest x. (2/2) */
5297 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5299 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5300 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5301 },
5302 {
5303 /* Point with largest y. (1/3) */
5304 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5305 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5307 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5308 },
5309 {
5310 /* Point with largest y. (2/3) */
5311 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5312 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5313 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5314 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5315 },
5316 {
5317 /* Point with largest y. (3/3) */
5318 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5319 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5322 },
5323 {
5324 /* Point with smallest y. (1/3) */
5325 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5326 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5327 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5329 },
5330 {
5331 /* Point with smallest y. (2/3) */
5332 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5333 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5336 },
5337 {
5338 /* Point with smallest y. (3/3) */
5339 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5340 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5341 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5342 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5343 }
5344 };
5345#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5346 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5347 {
5348 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5349 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5350 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5351 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5352 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5353 },
5354 {
5355 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5356 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5357 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5359 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5360 },
5361 {
5362 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5363 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5364 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5365 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5366 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5367 },
5368 {
5369 /* x on curve, y is from y^2 = x^3 + 8. */
5370 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5374 }
5375 };
5376#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5377 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5378 {
5379 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5380 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5381 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5384 },
5385 {
5386 /* Valid if x overflow ignored (x = 1 mod p). */
5387 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5388 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5389 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5390 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5391 },
5392 {
5393 /* Valid if x overflow ignored (x = 1 mod p). */
5394 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5395 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5396 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5397 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5398 },
5399 {
5400 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5401 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5402 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5403 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5404 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5405 },
5406 {
5407 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5408 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5409 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5410 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5411 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5412 },
5413 {
5414 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5417 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5418 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5419 },
5420 {
5421 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5422 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5423 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5424 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5425 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5426 }
5427 };
5428 const unsigned char pubkeyc[66] = {
5429 /* Serialization of G. */
5430 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5431 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5432 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5433 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5434 0xB8, 0x00
5435 };
5436 unsigned char sout[65];
5437 unsigned char shortkey[2];
5438 secp256k1_ge ge;
5439 secp256k1_pubkey pubkey;
5440 size_t len;
5441 int32_t i;
5442 int32_t ecount;
5443 int32_t ecount2;
5444 ecount = 0;
5445 /* Nothing should be reading this far into pubkeyc. */
5446 VG_UNDEF(&pubkeyc[65], 1);
5447 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5448 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5449 memset(&pubkey, 0xfe, sizeof(pubkey));
5450 ecount = 0;
5451 VG_UNDEF(shortkey, 2);
5452 VG_UNDEF(&pubkey, sizeof(pubkey));
5453 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
5454 VG_CHECK(&pubkey, sizeof(pubkey));
5455 CHECK(ecount == 0);
5456 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5457 CHECK(ecount == 1);
5458 /* Length one claimed, fail, zeroize, no illegal arg error. */
5459 for (i = 0; i < 256 ; i++) {
5460 memset(&pubkey, 0xfe, sizeof(pubkey));
5461 ecount = 0;
5462 shortkey[0] = i;
5463 VG_UNDEF(&shortkey[1], 1);
5464 VG_UNDEF(&pubkey, sizeof(pubkey));
5465 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
5466 VG_CHECK(&pubkey, sizeof(pubkey));
5467 CHECK(ecount == 0);
5468 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5469 CHECK(ecount == 1);
5470 }
5471 /* Length two claimed, fail, zeroize, no illegal arg error. */
5472 for (i = 0; i < 65536 ; i++) {
5473 memset(&pubkey, 0xfe, sizeof(pubkey));
5474 ecount = 0;
5475 shortkey[0] = i & 255;
5476 shortkey[1] = i >> 8;
5477 VG_UNDEF(&pubkey, sizeof(pubkey));
5478 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
5479 VG_CHECK(&pubkey, sizeof(pubkey));
5480 CHECK(ecount == 0);
5481 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5482 CHECK(ecount == 1);
5483 }
5484 memset(&pubkey, 0xfe, sizeof(pubkey));
5485 ecount = 0;
5486 VG_UNDEF(&pubkey, sizeof(pubkey));
5487 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5488 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
5489 VG_CHECK(&pubkey, sizeof(pubkey));
5490 CHECK(ecount == 0);
5491 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5492 CHECK(ecount == 1);
5493 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5494 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
5495 CHECK(ecount == 2);
5496 /* NULL input string. Illegal arg and zeroize output. */
5497 memset(&pubkey, 0xfe, sizeof(pubkey));
5498 ecount = 0;
5499 VG_UNDEF(&pubkey, sizeof(pubkey));
5500 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5501 VG_CHECK(&pubkey, sizeof(pubkey));
5502 CHECK(ecount == 1);
5503 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5504 CHECK(ecount == 2);
5505 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5506 memset(&pubkey, 0xfe, sizeof(pubkey));
5507 ecount = 0;
5508 VG_UNDEF(&pubkey, sizeof(pubkey));
5509 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
5510 VG_CHECK(&pubkey, sizeof(pubkey));
5511 CHECK(ecount == 0);
5512 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5513 CHECK(ecount == 1);
5514 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5515 memset(&pubkey, 0xfe, sizeof(pubkey));
5516 ecount = 0;
5517 VG_UNDEF(&pubkey, sizeof(pubkey));
5518 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
5519 VG_CHECK(&pubkey, sizeof(pubkey));
5520 CHECK(ecount == 0);
5521 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5522 CHECK(ecount == 1);
5523 /* Valid parse. */
5524 memset(&pubkey, 0, sizeof(pubkey));
5525 ecount = 0;
5526 VG_UNDEF(&pubkey, sizeof(pubkey));
5527 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
5528 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
5529 VG_CHECK(&pubkey, sizeof(pubkey));
5530 CHECK(ecount == 0);
5531 VG_UNDEF(&ge, sizeof(ge));
5532 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5533 VG_CHECK(&ge.x, sizeof(ge.x));
5534 VG_CHECK(&ge.y, sizeof(ge.y));
5535 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
5536 ge_equals_ge(&secp256k1_ge_const_g, &ge);
5537 CHECK(ecount == 0);
5538 /* secp256k1_ec_pubkey_serialize illegal args. */
5539 ecount = 0;
5540 len = 65;
5541 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5542 CHECK(ecount == 1);
5543 CHECK(len == 0);
5544 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5545 CHECK(ecount == 2);
5546 len = 65;
5547 VG_UNDEF(sout, 65);
5548 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
5549 VG_CHECK(sout, 65);
5550 CHECK(ecount == 3);
5551 CHECK(len == 0);
5552 len = 65;
5553 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
5554 CHECK(ecount == 4);
5555 CHECK(len == 0);
5556 len = 65;
5557 VG_UNDEF(sout, 65);
5558 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5559 VG_CHECK(sout, 65);
5560 CHECK(ecount == 4);
5561 CHECK(len == 65);
5562 /* Multiple illegal args. Should still set arg error only once. */
5563 ecount = 0;
5564 ecount2 = 11;
5565 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5566 CHECK(ecount == 1);
5567 /* Does the illegal arg callback actually change the behavior? */
5568 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
5569 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5570 CHECK(ecount == 1);
5571 CHECK(ecount2 == 10);
5572 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5573 /* Try a bunch of prefabbed points with all possible encodings. */
5574 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
5575 ec_pubkey_parse_pointtest(valid[i], 1, 1);
5576 }
5577 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
5578 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5579 }
5580 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
5581 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5582 }
5583}
5584
5585void run_eckey_edge_case_test(void) {
5586 const unsigned char orderc[32] = {
5587 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5588 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5589 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5590 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
5591 };
5592 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
5593 unsigned char ctmp[33];
5594 unsigned char ctmp2[33];
5595 secp256k1_pubkey pubkey;
5596 secp256k1_pubkey pubkey2;
5597 secp256k1_pubkey pubkey_one;
5598 secp256k1_pubkey pubkey_negone;
5599 const secp256k1_pubkey *pubkeys[3];
5600 size_t len;
5601 int32_t ecount;
5602 /* Group order is too large, reject. */
5603 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
5604 VG_UNDEF(&pubkey, sizeof(pubkey));
5605 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
5606 VG_CHECK(&pubkey, sizeof(pubkey));
5607 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5608 /* Maximum value is too large, reject. */
5609 memset(ctmp, 255, 32);
5610 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5611 memset(&pubkey, 1, sizeof(pubkey));
5612 VG_UNDEF(&pubkey, sizeof(pubkey));
5613 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5614 VG_CHECK(&pubkey, sizeof(pubkey));
5615 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5616 /* Zero is too small, reject. */
5617 memset(ctmp, 0, 32);
5618 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5619 memset(&pubkey, 1, sizeof(pubkey));
5620 VG_UNDEF(&pubkey, sizeof(pubkey));
5621 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5622 VG_CHECK(&pubkey, sizeof(pubkey));
5623 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5624 /* One must be accepted. */
5625 ctmp[31] = 0x01;
5626 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5627 memset(&pubkey, 0, sizeof(pubkey));
5628 VG_UNDEF(&pubkey, sizeof(pubkey));
5629 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5630 VG_CHECK(&pubkey, sizeof(pubkey));
5631 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5632 pubkey_one = pubkey;
5633 /* Group order + 1 is too large, reject. */
5634 memcpy(ctmp, orderc, 32);
5635 ctmp[31] = 0x42;
5636 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5637 memset(&pubkey, 1, sizeof(pubkey));
5638 VG_UNDEF(&pubkey, sizeof(pubkey));
5639 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5640 VG_CHECK(&pubkey, sizeof(pubkey));
5641 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5642 /* -1 must be accepted. */
5643 ctmp[31] = 0x40;
5644 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5645 memset(&pubkey, 0, sizeof(pubkey));
5646 VG_UNDEF(&pubkey, sizeof(pubkey));
5647 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5648 VG_CHECK(&pubkey, sizeof(pubkey));
5649 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5650 pubkey_negone = pubkey;
5651 /* Tweak of zero leaves the value unchanged. */
5652 memset(ctmp2, 0, 32);
5653 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5654 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5655 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5656 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5657 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5658 /* Multiply tweak of zero zeroizes the output. */
5659 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5660 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5661 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5662 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5663 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5664 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5665 seckey, the seckey is zeroized. */
5666 memcpy(ctmp, orderc, 32);
5667 memset(ctmp2, 0, 32);
5668 ctmp2[31] = 0x01;
5669 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
5670 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5671 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5672 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5673 memcpy(ctmp, orderc, 32);
5674 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5675 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5676 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5677 tweak, the seckey is zeroized. */
5678 memcpy(ctmp, orderc, 32);
5679 ctmp[31] = 0x40;
5680 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5681 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5682 memcpy(ctmp, orderc, 32);
5683 ctmp[31] = 0x40;
5684 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5685 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5686 memcpy(ctmp, orderc, 32);
5687 ctmp[31] = 0x40;
5688 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5689 tweak, the pubkey is zeroized. */
5690 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5691 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5692 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5693 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5694 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5695 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5696 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5697 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5698 * case the pubkey is zeroized. */
5699 memcpy(ctmp, orderc, 32);
5700 ctmp[31] = 0x40;
5701 memset(ctmp2, 0, 32);
5702 ctmp2[31] = 1;
5703 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5704 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5705 ctmp2[31] = 1;
5706 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5707 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5708 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5709 /* Tweak computation wraps and results in a key of 1. */
5710 ctmp2[31] = 2;
5711 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5712 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5713 ctmp2[31] = 2;
5714 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5715 ctmp2[31] = 1;
5716 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5717 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5718 /* Tweak mul * 2 = 1+1. */
5719 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5720 ctmp2[31] = 2;
5721 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5722 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5723 /* Test argument errors. */
5724 ecount = 0;
5725 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5726 CHECK(ecount == 0);
5727 /* Zeroize pubkey on parse error. */
5728 memset(&pubkey, 0, 32);
5729 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5730 CHECK(ecount == 1);
5731 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5732 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5733 memset(&pubkey2, 0, 32);
5734 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5735 CHECK(ecount == 2);
5736 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5737 /* Plain argument errors. */
5738 ecount = 0;
5739 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5740 CHECK(ecount == 0);
5741 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
5742 CHECK(ecount == 1);
5743 ecount = 0;
5744 memset(ctmp2, 0, 32);
5745 ctmp2[31] = 4;
5746 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5747 CHECK(ecount == 1);
5748 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5749 CHECK(ecount == 2);
5750 ecount = 0;
5751 memset(ctmp2, 0, 32);
5752 ctmp2[31] = 4;
5753 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5754 CHECK(ecount == 1);
5755 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5756 CHECK(ecount == 2);
5757 ecount = 0;
5758 memset(ctmp2, 0, 32);
5759 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5760 CHECK(ecount == 1);
5761 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5762 CHECK(ecount == 2);
5763 ecount = 0;
5764 memset(ctmp2, 0, 32);
5765 ctmp2[31] = 1;
5766 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5767 CHECK(ecount == 1);
5768 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5769 CHECK(ecount == 2);
5770 ecount = 0;
5771 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
5772 CHECK(ecount == 1);
5773 memset(&pubkey, 1, sizeof(pubkey));
5774 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5775 CHECK(ecount == 2);
5776 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5777 /* secp256k1_ec_pubkey_combine tests. */
5778 ecount = 0;
5779 pubkeys[0] = &pubkey_one;
5780 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
5781 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
5782 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
5783 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5784 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5785 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5786 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5787 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5788 CHECK(ecount == 1);
5789 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5790 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5791 CHECK(ecount == 2);
5792 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5793 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5794 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5795 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5796 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5797 CHECK(ecount == 3);
5798 pubkeys[0] = &pubkey_negone;
5799 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5800 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5801 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5802 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5803 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5804 CHECK(ecount == 3);
5805 len = 33;
5806 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5807 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
5808 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5809 /* Result is infinity. */
5810 pubkeys[0] = &pubkey_one;
5811 pubkeys[1] = &pubkey_negone;
5812 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5813 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5814 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5815 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5816 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5817 CHECK(ecount == 3);
5818 /* Passes through infinity but comes out one. */
5819 pubkeys[2] = &pubkey_one;
5820 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5821 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5822 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5823 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5824 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5825 CHECK(ecount == 3);
5826 len = 33;
5827 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5828 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
5829 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
5830 /* Adds to two. */
5831 pubkeys[1] = &pubkey_one;
5832 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
5833 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
5834 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
5835 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
5836 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5837 CHECK(ecount == 3);
5838 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5839}
5840
5841void run_eckey_negate_test(void) {
5842 unsigned char seckey[32];
5843 unsigned char seckey_tmp[32];
5844
5845 random_scalar_order_b32(seckey);
5846 memcpy(seckey_tmp, seckey, 32);
5847
5848 /* Verify negation changes the key and changes it back */
5849 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5850 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
5851 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5852 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5853
5854 /* Check that privkey alias gives same result */
5855 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5856 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
5857 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5858
5859 /* Negating all 0s fails */
5860 memset(seckey, 0, 32);
5861 memset(seckey_tmp, 0, 32);
5862 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5863 /* Check that seckey is not modified */
5864 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5865
5866 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
5867 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5868 * doesn't just set seckey to a constant value in case of failure. */
5869 random_scalar_order_b32(seckey);
5870 memset(seckey, 0xFF, 16);
5871 memset(seckey_tmp, 0, 32);
5872 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5873 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
5874}
5875
5876void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
5877 secp256k1_scalar nonce;
5878 do {
5879 random_scalar_order_test(&nonce);
5880 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
5881}
5882
5883void test_ecdsa_sign_verify(void) {
5884 secp256k1_gej pubj;
5885 secp256k1_ge pub;
5886 secp256k1_scalar one;
5887 secp256k1_scalar msg, key;
5888 secp256k1_scalar sigr, sigs;
5889 int getrec;
5890 int recid;
5891 random_scalar_order_test(&msg);
5892 random_scalar_order_test(&key);
5893 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
5894 secp256k1_ge_set_gej(&pub, &pubj);
5895 getrec = secp256k1_testrand_bits(1);
5896 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
5897 See the commit messages of the commit that introduced this comment for details. */
5898 if (getrec) {
5899 random_sign(&sigr, &sigs, &key, &msg, &recid);
5900 CHECK(recid >= 0 && recid < 4);
5901 } else {
5902 random_sign(&sigr, &sigs, &key, &msg, NULL);
5903 }
5904 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
5905 secp256k1_scalar_set_int(&one, 1);
5906 secp256k1_scalar_add(&msg, &msg, &one);
5907 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
5908}
5909
5910void run_ecdsa_sign_verify(void) {
5911 int i;
5912 for (i = 0; i < 10*count; i++) {
5913 test_ecdsa_sign_verify();
5914 }
5915}
5916
5918static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5919 (void)msg32;
5920 (void)key32;
5921 (void)algo16;
5922 memcpy(nonce32, data, 32);
5923 return (counter == 0);
5924}
5925
5926static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5927 /* Dummy nonce generator that has a fatal error on the first counter value. */
5928 if (counter == 0) {
5929 return 0;
5930 }
5931 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
5932}
5933
5934static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
5935 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
5936 if (counter < 3) {
5937 memset(nonce32, counter==0 ? 0 : 255, 32);
5938 if (counter == 2) {
5939 nonce32[31]--;
5940 }
5941 return 1;
5942 }
5943 if (counter < 5) {
5944 static const unsigned char order[] = {
5945 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5946 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5947 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5948 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
5949 };
5950 memcpy(nonce32, order, 32);
5951 if (counter == 4) {
5952 nonce32[31]++;
5953 }
5954 return 1;
5955 }
5956 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
5957 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
5958 if (counter > 5) {
5959 return 0;
5960 }
5961 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
5962}
5963
5964int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
5965 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
5966 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
5967}
5968
5969void test_ecdsa_end_to_end(void) {
5970 unsigned char extra[32] = {0x00};
5971 unsigned char privkey[32];
5972 unsigned char message[32];
5973 unsigned char privkey2[32];
5974 secp256k1_ecdsa_signature signature[6];
5975 secp256k1_scalar r, s;
5976 unsigned char sig[74];
5977 size_t siglen = 74;
5978 unsigned char pubkeyc[65];
5979 size_t pubkeyclen = 65;
5980 secp256k1_pubkey pubkey;
5981 secp256k1_pubkey pubkey_tmp;
5982 unsigned char seckey[300];
5983 size_t seckeylen = 300;
5984
5985 /* Generate a random key and message. */
5986 {
5987 secp256k1_scalar msg, key;
5988 random_scalar_order_test(&msg);
5989 random_scalar_order_test(&key);
5990 secp256k1_scalar_get_b32(privkey, &key);
5991 secp256k1_scalar_get_b32(message, &msg);
5992 }
5993
5994 /* Construct and verify corresponding public key. */
5995 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
5996 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
5997
5998 /* Verify exporting and importing public key. */
5999 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6000 memset(&pubkey, 0, sizeof(pubkey));
6001 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
6002
6003 /* Verify negation changes the key and changes it back */
6004 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6005 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
6006 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6007 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
6008 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6009
6010 /* Verify private key import and export. */
6011 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6012 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
6013 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6014
6015 /* Optionally tweak the keys using addition. */
6016 if (secp256k1_testrand_int(3) == 0) {
6017 int ret1;
6018 int ret2;
6019 int ret3;
6020 unsigned char rnd[32];
6021 unsigned char privkey_tmp[32];
6022 secp256k1_pubkey pubkey2;
6023 secp256k1_testrand256_test(rnd);
6024 memcpy(privkey_tmp, privkey, 32);
6025 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
6026 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
6027 /* Check that privkey alias gives same result */
6028 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
6029 CHECK(ret1 == ret2);
6030 CHECK(ret2 == ret3);
6031 if (ret1 == 0) {
6032 return;
6033 }
6034 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6035 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6036 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6037 }
6038
6039 /* Optionally tweak the keys using multiplication. */
6040 if (secp256k1_testrand_int(3) == 0) {
6041 int ret1;
6042 int ret2;
6043 int ret3;
6044 unsigned char rnd[32];
6045 unsigned char privkey_tmp[32];
6046 secp256k1_pubkey pubkey2;
6047 secp256k1_testrand256_test(rnd);
6048 memcpy(privkey_tmp, privkey, 32);
6049 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
6050 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
6051 /* Check that privkey alias gives same result */
6052 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
6053 CHECK(ret1 == ret2);
6054 CHECK(ret2 == ret3);
6055 if (ret1 == 0) {
6056 return;
6057 }
6058 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6059 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6060 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6061 }
6062
6063 /* Sign. */
6064 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
6065 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
6066 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
6067 extra[31] = 1;
6068 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
6069 extra[31] = 0;
6070 extra[0] = 1;
6071 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
6072 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6073 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6074 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6075 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6076 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6077 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6078 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6079 /* Verify. */
6080 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6081 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
6082 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
6083 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
6084 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6085 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
6086 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
6087 secp256k1_scalar_negate(&s, &s);
6088 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6089 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
6090 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6091 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6092 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6093 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6094 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6095 secp256k1_scalar_negate(&s, &s);
6096 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6097 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6098 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6099 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6100
6101 /* Serialize/parse DER and verify again */
6102 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6103 memset(&signature[0], 0, sizeof(signature[0]));
6104 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
6105 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6106 /* Serialize/destroy/parse DER and verify again. */
6107 siglen = 74;
6108 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6109 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6110 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
6111 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
6112}
6113
6114void test_random_pubkeys(void) {
6115 secp256k1_ge elem;
6116 secp256k1_ge elem2;
6117 unsigned char in[65];
6118 /* Generate some randomly sized pubkeys. */
6119 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6120 if (secp256k1_testrand_bits(2) == 0) {
6121 len = secp256k1_testrand_bits(6);
6122 }
6123 if (len == 65) {
6124 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6125 } else {
6126 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6127 }
6128 if (secp256k1_testrand_bits(3) == 0) {
6129 in[0] = secp256k1_testrand_bits(8);
6130 }
6131 if (len > 1) {
6132 secp256k1_testrand256(&in[1]);
6133 }
6134 if (len > 33) {
6135 secp256k1_testrand256(&in[33]);
6136 }
6137 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6138 unsigned char out[65];
6139 unsigned char firstb;
6140 int res;
6141 size_t size = len;
6142 firstb = in[0];
6143 /* If the pubkey can be parsed, it should round-trip... */
6144 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6145 CHECK(size == len);
6146 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6147 /* ... except for the type of hybrid inputs. */
6148 if ((in[0] != 6) && (in[0] != 7)) {
6149 CHECK(in[0] == out[0]);
6150 }
6151 size = 65;
6152 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6153 CHECK(size == 65);
6154 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6155 ge_equals_ge(&elem,&elem2);
6156 /* Check that the X9.62 hybrid type is checked. */
6157 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6158 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6159 if (firstb == 2 || firstb == 3) {
6160 if (in[0] == firstb + 4) {
6161 CHECK(res);
6162 } else {
6163 CHECK(!res);
6164 }
6165 }
6166 if (res) {
6167 ge_equals_ge(&elem,&elem2);
6168 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6169 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6170 }
6171 }
6172}
6173
6174void run_pubkey_comparison(void) {
6175 unsigned char pk1_ser[33] = {
6176 0x02,
6177 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6178 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6179 };
6180 const unsigned char pk2_ser[33] = {
6181 0x02,
6182 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6183 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6184 };
6185 secp256k1_pubkey pk1;
6186 secp256k1_pubkey pk2;
6187 int32_t ecount = 0;
6188
6189 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6190 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6191
6192 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6193 CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
6194 CHECK(ecount == 1);
6195 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
6196 CHECK(ecount == 2);
6197 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6198 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6199 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
6200 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
6201 CHECK(ecount == 2);
6202 {
6203 secp256k1_pubkey pk_tmp;
6204 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6205 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
6206 CHECK(ecount == 3);
6207 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
6208 CHECK(ecount == 5);
6209 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
6210 CHECK(ecount == 6);
6211 }
6212
6213 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6214
6215 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6216 * an uncompressed encoding, these would have the opposite ordering */
6217 pk1_ser[0] = 3;
6218 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6219 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6220 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6221}
6222
6223void run_random_pubkeys(void) {
6224 int i;
6225 for (i = 0; i < 10*count; i++) {
6226 test_random_pubkeys();
6227 }
6228}
6229
6230void run_ecdsa_end_to_end(void) {
6231 int i;
6232 for (i = 0; i < 64*count; i++) {
6233 test_ecdsa_end_to_end();
6234 }
6235}
6236
6237int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6238 static const unsigned char zeroes[32] = {0};
6239
6240 int ret = 0;
6241
6242 secp256k1_ecdsa_signature sig_der;
6243 unsigned char roundtrip_der[2048];
6244 unsigned char compact_der[64];
6245 size_t len_der = 2048;
6246 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6247
6248 secp256k1_ecdsa_signature sig_der_lax;
6249 unsigned char roundtrip_der_lax[2048];
6250 unsigned char compact_der_lax[64];
6251 size_t len_der_lax = 2048;
6252 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6253
6254 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
6255 if (parsed_der) {
6256 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
6257 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6258 }
6259 if (valid_der) {
6260 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
6261 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6262 }
6263
6264 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
6265 if (parsed_der_lax) {
6266 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
6267 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6268 }
6269 if (valid_der_lax) {
6270 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6271 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6272 }
6273
6274 if (certainly_der) {
6275 ret |= (!parsed_der) << 2;
6276 }
6277 if (certainly_not_der) {
6278 ret |= (parsed_der) << 17;
6279 }
6280 if (valid_der) {
6281 ret |= (!roundtrips_der) << 3;
6282 }
6283
6284 if (valid_der) {
6285 ret |= (!roundtrips_der_lax) << 12;
6286 ret |= (len_der != len_der_lax) << 13;
6287 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6288 }
6289 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6290 if (parsed_der) {
6291 ret |= (!parsed_der_lax) << 16;
6292 }
6293
6294 return ret;
6295}
6296
6297static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6298 size_t i;
6299 for (i = 0; i < ptrlen; i++) {
6300 int shift = ptrlen - 1 - i;
6301 if (shift >= 4) {
6302 ptr[i] = 0;
6303 } else {
6304 ptr[i] = (val >> shift) & 0xFF;
6305 }
6306 }
6307}
6308
6309static void damage_array(unsigned char *sig, size_t *len) {
6310 int pos;
6311 int action = secp256k1_testrand_bits(3);
6312 if (action < 1 && *len > 3) {
6313 /* Delete a byte. */
6314 pos = secp256k1_testrand_int(*len);
6315 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6316 (*len)--;
6317 return;
6318 } else if (action < 2 && *len < 2048) {
6319 /* Insert a byte. */
6320 pos = secp256k1_testrand_int(1 + *len);
6321 memmove(sig + pos + 1, sig + pos, *len - pos);
6322 sig[pos] = secp256k1_testrand_bits(8);
6323 (*len)++;
6324 return;
6325 } else if (action < 4) {
6326 /* Modify a byte. */
6327 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6328 return;
6329 } else { /* action < 8 */
6330 /* Modify a bit. */
6331 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6332 return;
6333 }
6334}
6335
6336static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6337 int der;
6338 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6339 size_t tlen, elen, glen;
6340 int indet;
6341 int n;
6342
6343 *len = 0;
6344 der = secp256k1_testrand_bits(2) == 0;
6345 *certainly_der = der;
6346 *certainly_not_der = 0;
6347 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6348
6349 for (n = 0; n < 2; n++) {
6350 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6351 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6352 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6353 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6354 CHECK(nlen[n] <= 232);
6355 /* The top bit of the number. */
6356 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6357 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6358 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6359 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6360 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6361 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6362 *certainly_not_der = 1;
6363 }
6364 CHECK(nlen[n] + nzlen[n] <= 300);
6365 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6366 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6367 if (!der) {
6368 /* nlenlen[n] max 127 bytes */
6369 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6370 nlenlen[n] += add;
6371 if (add != 0) {
6372 *certainly_not_der = 1;
6373 }
6374 }
6375 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6376 }
6377
6378 /* The total length of the data to go, so far */
6379 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6380 CHECK(tlen <= 856);
6381
6382 /* The length of the garbage inside the tuple. */
6383 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6384 if (elen != 0) {
6385 *certainly_not_der = 1;
6386 }
6387 tlen += elen;
6388 CHECK(tlen <= 980);
6389
6390 /* The length of the garbage after the end of the tuple. */
6391 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6392 if (glen != 0) {
6393 *certainly_not_der = 1;
6394 }
6395 CHECK(tlen + glen <= 990);
6396
6397 /* Write the tuple header. */
6398 sig[(*len)++] = 0x30;
6399 if (indet) {
6400 /* Indeterminate length */
6401 sig[(*len)++] = 0x80;
6402 *certainly_not_der = 1;
6403 } else {
6404 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6405 if (!der) {
6406 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6407 tlenlen += add;
6408 if (add != 0) {
6409 *certainly_not_der = 1;
6410 }
6411 }
6412 if (tlenlen == 0) {
6413 /* Short length notation */
6414 sig[(*len)++] = tlen;
6415 } else {
6416 /* Long length notation */
6417 sig[(*len)++] = 128 + tlenlen;
6418 assign_big_endian(sig + *len, tlenlen, tlen);
6419 *len += tlenlen;
6420 }
6421 tlen += tlenlen;
6422 }
6423 tlen += 2;
6424 CHECK(tlen + glen <= 1119);
6425
6426 for (n = 0; n < 2; n++) {
6427 /* Write the integer header. */
6428 sig[(*len)++] = 0x02;
6429 if (nlenlen[n] == 0) {
6430 /* Short length notation */
6431 sig[(*len)++] = nlen[n] + nzlen[n];
6432 } else {
6433 /* Long length notation. */
6434 sig[(*len)++] = 128 + nlenlen[n];
6435 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6436 *len += nlenlen[n];
6437 }
6438 /* Write zero padding */
6439 while (nzlen[n] > 0) {
6440 sig[(*len)++] = 0x00;
6441 nzlen[n]--;
6442 }
6443 if (nlen[n] == 32 && !nlow[n]) {
6444 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6445 int i;
6446 for (i = 0; i < 16; i++) {
6447 sig[(*len)++] = 0xFF;
6448 }
6449 nlen[n] -= 16;
6450 }
6451 /* Write first byte of number */
6452 if (nlen[n] > 0) {
6453 sig[(*len)++] = nhbyte[n];
6454 nlen[n]--;
6455 }
6456 /* Generate remaining random bytes of number */
6457 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6458 *len += nlen[n];
6459 nlen[n] = 0;
6460 }
6461
6462 /* Generate random garbage inside tuple. */
6463 secp256k1_testrand_bytes_test(sig + *len, elen);
6464 *len += elen;
6465
6466 /* Generate end-of-contents bytes. */
6467 if (indet) {
6468 sig[(*len)++] = 0;
6469 sig[(*len)++] = 0;
6470 tlen += 2;
6471 }
6472 CHECK(tlen + glen <= 1121);
6473
6474 /* Generate random garbage outside tuple. */
6475 secp256k1_testrand_bytes_test(sig + *len, glen);
6476 *len += glen;
6477 tlen += glen;
6478 CHECK(tlen <= 1121);
6479 CHECK(tlen == *len);
6480}
6481
6482void run_ecdsa_der_parse(void) {
6483 int i,j;
6484 for (i = 0; i < 200 * count; i++) {
6485 unsigned char buffer[2048];
6486 size_t buflen = 0;
6487 int certainly_der = 0;
6488 int certainly_not_der = 0;
6489 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6490 CHECK(buflen <= 2048);
6491 for (j = 0; j < 16; j++) {
6492 int ret = 0;
6493 if (j > 0) {
6494 damage_array(buffer, &buflen);
6495 /* We don't know anything anymore about the DERness of the result */
6496 certainly_der = 0;
6497 certainly_not_der = 0;
6498 }
6499 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6500 if (ret != 0) {
6501 size_t k;
6502 fprintf(stderr, "Failure %x on ", ret);
6503 for (k = 0; k < buflen; k++) {
6504 fprintf(stderr, "%02x ", buffer[k]);
6505 }
6506 fprintf(stderr, "\n");
6507 }
6508 CHECK(ret == 0);
6509 }
6510 }
6511}
6512
6513/* Tests several edge cases. */
6514void test_ecdsa_edge_cases(void) {
6515 int t;
6516 secp256k1_ecdsa_signature sig;
6517
6518 /* Test the case where ECDSA recomputes a point that is infinity. */
6519 {
6520 secp256k1_gej keyj;
6521 secp256k1_ge key;
6522 secp256k1_scalar msg;
6523 secp256k1_scalar sr, ss;
6524 secp256k1_scalar_set_int(&ss, 1);
6525 secp256k1_scalar_negate(&ss, &ss);
6526 secp256k1_scalar_inverse(&ss, &ss);
6527 secp256k1_scalar_set_int(&sr, 1);
6528 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
6529 secp256k1_ge_set_gej(&key, &keyj);
6530 msg = ss;
6531 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6532 }
6533
6534 /* Verify signature with r of zero fails. */
6535 {
6536 const unsigned char pubkey_mods_zero[33] = {
6537 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6538 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6539 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6540 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6541 0x41
6542 };
6543 secp256k1_ge key;
6544 secp256k1_scalar msg;
6545 secp256k1_scalar sr, ss;
6546 secp256k1_scalar_set_int(&ss, 1);
6547 secp256k1_scalar_set_int(&msg, 0);
6548 secp256k1_scalar_set_int(&sr, 0);
6549 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6550 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6551 }
6552
6553 /* Verify signature with s of zero fails. */
6554 {
6555 const unsigned char pubkey[33] = {
6556 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6557 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6560 0x01
6561 };
6562 secp256k1_ge key;
6563 secp256k1_scalar msg;
6564 secp256k1_scalar sr, ss;
6565 secp256k1_scalar_set_int(&ss, 0);
6566 secp256k1_scalar_set_int(&msg, 0);
6567 secp256k1_scalar_set_int(&sr, 1);
6568 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6569 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6570 }
6571
6572 /* Verify signature with message 0 passes. */
6573 {
6574 const unsigned char pubkey[33] = {
6575 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6579 0x02
6580 };
6581 const unsigned char pubkey2[33] = {
6582 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6583 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6584 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6585 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6586 0x43
6587 };
6588 secp256k1_ge key;
6589 secp256k1_ge key2;
6590 secp256k1_scalar msg;
6591 secp256k1_scalar sr, ss;
6592 secp256k1_scalar_set_int(&ss, 2);
6593 secp256k1_scalar_set_int(&msg, 0);
6594 secp256k1_scalar_set_int(&sr, 2);
6595 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6596 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6597 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6598 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6599 secp256k1_scalar_negate(&ss, &ss);
6600 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6601 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6602 secp256k1_scalar_set_int(&ss, 1);
6603 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6604 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6605 }
6606
6607 /* Verify signature with message 1 passes. */
6608 {
6609 const unsigned char pubkey[33] = {
6610 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6611 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6612 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
6613 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
6614 0x25
6615 };
6616 const unsigned char pubkey2[33] = {
6617 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
6618 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
6619 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
6620 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
6621 0x62
6622 };
6623 const unsigned char csr[32] = {
6624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6626 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6627 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
6628 };
6629 secp256k1_ge key;
6630 secp256k1_ge key2;
6631 secp256k1_scalar msg;
6632 secp256k1_scalar sr, ss;
6633 secp256k1_scalar_set_int(&ss, 1);
6634 secp256k1_scalar_set_int(&msg, 1);
6635 secp256k1_scalar_set_b32(&sr, csr, NULL);
6636 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6637 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6638 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6639 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6640 secp256k1_scalar_negate(&ss, &ss);
6641 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6642 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6643 secp256k1_scalar_set_int(&ss, 2);
6644 secp256k1_scalar_inverse_var(&ss, &ss);
6645 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6646 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6647 }
6648
6649 /* Verify signature with message -1 passes. */
6650 {
6651 const unsigned char pubkey[33] = {
6652 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
6653 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
6654 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
6655 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
6656 0xf1
6657 };
6658 const unsigned char csr[32] = {
6659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6661 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6662 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
6663 };
6664 secp256k1_ge key;
6665 secp256k1_scalar msg;
6666 secp256k1_scalar sr, ss;
6667 secp256k1_scalar_set_int(&ss, 1);
6668 secp256k1_scalar_set_int(&msg, 1);
6669 secp256k1_scalar_negate(&msg, &msg);
6670 secp256k1_scalar_set_b32(&sr, csr, NULL);
6671 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6672 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6673 secp256k1_scalar_negate(&ss, &ss);
6674 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6675 secp256k1_scalar_set_int(&ss, 3);
6676 secp256k1_scalar_inverse_var(&ss, &ss);
6677 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6678 }
6679
6680 /* Signature where s would be zero. */
6681 {
6682 secp256k1_pubkey pubkey;
6683 size_t siglen;
6684 int32_t ecount;
6685 unsigned char signature[72];
6686 static const unsigned char nonce[32] = {
6687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6691 };
6692 static const unsigned char nonce2[32] = {
6693 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6694 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6695 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6696 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6697 };
6698 const unsigned char key[32] = {
6699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6703 };
6704 unsigned char msg[32] = {
6705 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6706 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6707 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6708 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6709 };
6710 ecount = 0;
6711 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6712 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6713 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6714 msg[31] = 0xaa;
6715 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6716 CHECK(ecount == 0);
6717 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6718 CHECK(ecount == 1);
6719 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6720 CHECK(ecount == 2);
6721 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6722 CHECK(ecount == 3);
6723 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6724 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
6725 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
6726 CHECK(ecount == 4);
6727 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
6728 CHECK(ecount == 5);
6729 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
6730 CHECK(ecount == 6);
6731 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
6732 CHECK(ecount == 6);
6733 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6734 CHECK(ecount == 7);
6735 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
6736 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
6737 CHECK(ecount == 8);
6738 siglen = 72;
6739 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
6740 CHECK(ecount == 9);
6741 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
6742 CHECK(ecount == 10);
6743 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
6744 CHECK(ecount == 11);
6745 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
6746 CHECK(ecount == 11);
6747 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
6748 CHECK(ecount == 12);
6749 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
6750 CHECK(ecount == 13);
6751 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
6752 CHECK(ecount == 13);
6753 siglen = 10;
6754 /* Too little room for a signature does not fail via ARGCHECK. */
6755 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
6756 CHECK(ecount == 13);
6757 ecount = 0;
6758 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
6759 CHECK(ecount == 1);
6760 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
6761 CHECK(ecount == 2);
6762 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
6763 CHECK(ecount == 3);
6764 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
6765 CHECK(ecount == 3);
6766 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
6767 CHECK(ecount == 4);
6768 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
6769 CHECK(ecount == 5);
6770 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
6771 CHECK(ecount == 5);
6772 memset(signature, 255, 64);
6773 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
6774 CHECK(ecount == 5);
6775 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6776 }
6777
6778 /* Nonce function corner cases. */
6779 for (t = 0; t < 2; t++) {
6780 static const unsigned char zero[32] = {0x00};
6781 int i;
6782 unsigned char key[32];
6783 unsigned char msg[32];
6784 secp256k1_ecdsa_signature sig2;
6785 secp256k1_scalar sr[512], ss;
6786 const unsigned char *extra;
6787 extra = t == 0 ? NULL : zero;
6788 memset(msg, 0, 32);
6789 msg[31] = 1;
6790 /* High key results in signature failure. */
6791 memset(key, 0xFF, 32);
6792 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6793 CHECK(is_empty_signature(&sig));
6794 /* Zero key results in signature failure. */
6795 memset(key, 0, 32);
6796 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6797 CHECK(is_empty_signature(&sig));
6798 /* Nonce function failure results in signature failure. */
6799 key[31] = 1;
6800 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
6801 CHECK(is_empty_signature(&sig));
6802 /* The retry loop successfully makes its way to the first good value. */
6803 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
6804 CHECK(!is_empty_signature(&sig));
6805 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
6806 CHECK(!is_empty_signature(&sig2));
6807 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6808 /* The default nonce function is deterministic. */
6809 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6810 CHECK(!is_empty_signature(&sig2));
6811 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6812 /* The default nonce function changes output with different messages. */
6813 for(i = 0; i < 256; i++) {
6814 int j;
6815 msg[0] = i;
6816 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6817 CHECK(!is_empty_signature(&sig2));
6818 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6819 for (j = 0; j < i; j++) {
6820 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6821 }
6822 }
6823 msg[0] = 0;
6824 msg[31] = 2;
6825 /* The default nonce function changes output with different keys. */
6826 for(i = 256; i < 512; i++) {
6827 int j;
6828 key[0] = i - 256;
6829 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6830 CHECK(!is_empty_signature(&sig2));
6831 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6832 for (j = 0; j < i; j++) {
6833 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
6834 }
6835 }
6836 key[0] = 0;
6837 }
6838
6839 {
6840 /* Check that optional nonce arguments do not have equivalent effect. */
6841 const unsigned char zeros[32] = {0};
6842 unsigned char nonce[32];
6843 unsigned char nonce2[32];
6844 unsigned char nonce3[32];
6845 unsigned char nonce4[32];
6846 VG_UNDEF(nonce,32);
6847 VG_UNDEF(nonce2,32);
6848 VG_UNDEF(nonce3,32);
6849 VG_UNDEF(nonce4,32);
6850 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
6851 VG_CHECK(nonce,32);
6852 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
6853 VG_CHECK(nonce2,32);
6854 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
6855 VG_CHECK(nonce3,32);
6856 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
6857 VG_CHECK(nonce4,32);
6858 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
6859 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
6860 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
6861 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
6862 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
6863 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
6864 }
6865
6866
6867 /* Privkey export where pubkey is the point at infinity. */
6868 {
6869 unsigned char privkey[300];
6870 unsigned char seckey[32] = {
6871 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6872 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6873 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6874 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
6875 };
6876 size_t outlen = 300;
6877 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
6878 outlen = 300;
6879 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
6880 }
6881}
6882
6883void run_ecdsa_edge_cases(void) {
6884 test_ecdsa_edge_cases();
6885}
6886
6887#ifdef ENABLE_MODULE_ECDH
6888# include "modules/ecdh/tests_impl.h"
6889#endif
6890
6891#ifdef ENABLE_MODULE_MULTISET
6892# include "modules/multiset/tests_impl.h"
6893#endif
6894
6895#ifdef ENABLE_MODULE_RECOVERY
6896# include "modules/recovery/tests_impl.h"
6897#endif
6898
6899#ifdef ENABLE_MODULE_SCHNORR
6900# include "modules/schnorr/tests_impl.h"
6901#endif
6902
6903#ifdef ENABLE_MODULE_EXTRAKEYS
6904# include "modules/extrakeys/tests_impl.h"
6905#endif
6906
6907#ifdef ENABLE_MODULE_SCHNORRSIG
6908# include "modules/schnorrsig/tests_impl.h"
6909#endif
6910
6911void run_secp256k1_memczero_test(void) {
6912 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
6913 unsigned char buf2[sizeof(buf1)];
6914
6915 /* secp256k1_memczero(..., ..., 0) is a noop. */
6916 memcpy(buf2, buf1, sizeof(buf1));
6917 secp256k1_memczero(buf1, sizeof(buf1), 0);
6918 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6919
6920 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
6921 memset(buf2, 0, sizeof(buf2));
6922 secp256k1_memczero(buf1, sizeof(buf1) , 1);
6923 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
6924}
6925
6926void run_secp256k1_byteorder_tests(void) {
6927 const uint32_t x = 0xFF03AB45;
6928 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
6929 unsigned char buf[4];
6930 uint32_t x_;
6931
6932 secp256k1_write_be32(buf, x);
6933 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
6934
6935 x_ = secp256k1_read_be32(buf);
6936 CHECK(x == x_);
6937}
6938
6939void int_cmov_test(void) {
6940 int r = INT_MAX;
6941 int a = 0;
6942
6943 secp256k1_int_cmov(&r, &a, 0);
6944 CHECK(r == INT_MAX);
6945
6946 r = 0; a = INT_MAX;
6947 secp256k1_int_cmov(&r, &a, 1);
6948 CHECK(r == INT_MAX);
6949
6950 a = 0;
6951 secp256k1_int_cmov(&r, &a, 1);
6952 CHECK(r == 0);
6953
6954 a = 1;
6955 secp256k1_int_cmov(&r, &a, 1);
6956 CHECK(r == 1);
6957
6958 r = 1; a = 0;
6959 secp256k1_int_cmov(&r, &a, 0);
6960 CHECK(r == 1);
6961
6962}
6963
6964void fe_cmov_test(void) {
6965 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6966 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6967 static const secp256k1_fe max = SECP256K1_FE_CONST(
6968 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6969 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
6970 );
6971 secp256k1_fe r = max;
6972 secp256k1_fe a = zero;
6973
6974 secp256k1_fe_cmov(&r, &a, 0);
6975 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6976
6977 r = zero; a = max;
6978 secp256k1_fe_cmov(&r, &a, 1);
6979 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
6980
6981 a = zero;
6982 secp256k1_fe_cmov(&r, &a, 1);
6983 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
6984
6985 a = one;
6986 secp256k1_fe_cmov(&r, &a, 1);
6987 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6988
6989 r = one; a = zero;
6990 secp256k1_fe_cmov(&r, &a, 0);
6991 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
6992}
6993
6994void fe_storage_cmov_test(void) {
6995 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
6996 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
6997 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
6998 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
6999 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7000 );
7001 secp256k1_fe_storage r = max;
7002 secp256k1_fe_storage a = zero;
7003
7004 secp256k1_fe_storage_cmov(&r, &a, 0);
7005 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7006
7007 r = zero; a = max;
7008 secp256k1_fe_storage_cmov(&r, &a, 1);
7009 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7010
7011 a = zero;
7012 secp256k1_fe_storage_cmov(&r, &a, 1);
7013 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7014
7015 a = one;
7016 secp256k1_fe_storage_cmov(&r, &a, 1);
7017 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7018
7019 r = one; a = zero;
7020 secp256k1_fe_storage_cmov(&r, &a, 0);
7021 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7022}
7023
7024void scalar_cmov_test(void) {
7025 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7026 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7027 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7028 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7029 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7030 );
7031 secp256k1_scalar r = max;
7032 secp256k1_scalar a = zero;
7033
7034 secp256k1_scalar_cmov(&r, &a, 0);
7035 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7036
7037 r = zero; a = max;
7038 secp256k1_scalar_cmov(&r, &a, 1);
7039 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7040
7041 a = zero;
7042 secp256k1_scalar_cmov(&r, &a, 1);
7043 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7044
7045 a = one;
7046 secp256k1_scalar_cmov(&r, &a, 1);
7047 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7048
7049 r = one; a = zero;
7050 secp256k1_scalar_cmov(&r, &a, 0);
7051 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7052}
7053
7054void ge_storage_cmov_test(void) {
7055 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7056 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7057 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7058 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7059 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7060 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7061 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7062 );
7063 secp256k1_ge_storage r = max;
7064 secp256k1_ge_storage a = zero;
7065
7066 secp256k1_ge_storage_cmov(&r, &a, 0);
7067 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7068
7069 r = zero; a = max;
7070 secp256k1_ge_storage_cmov(&r, &a, 1);
7071 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7072
7073 a = zero;
7074 secp256k1_ge_storage_cmov(&r, &a, 1);
7075 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7076
7077 a = one;
7078 secp256k1_ge_storage_cmov(&r, &a, 1);
7079 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7080
7081 r = one; a = zero;
7082 secp256k1_ge_storage_cmov(&r, &a, 0);
7083 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7084}
7085
7086void run_cmov_tests(void) {
7087 int_cmov_test();
7088 fe_cmov_test();
7089 fe_storage_cmov_test();
7090 scalar_cmov_test();
7091 ge_storage_cmov_test();
7092}
7093
7094int main(int argc, char **argv) {
7095 /* Disable buffering for stdout to improve reliability of getting
7096 * diagnostic information. Happens right at the start of main because
7097 * setbuf must be used before any other operation on the stream. */
7098 setbuf(stdout, NULL);
7099 /* Also disable buffering for stderr because it's not guaranteed that it's
7100 * unbuffered on all systems. */
7101 setbuf(stderr, NULL);
7102
7103 /* find iteration count */
7104 if (argc > 1) {
7105 count = strtol(argv[1], NULL, 0);
7106 } else {
7107 const char* env = getenv("SECP256K1_TEST_ITERS");
7108 if (env && strlen(env) > 0) {
7109 count = strtol(env, NULL, 0);
7110 }
7111 }
7112 if (count <= 0) {
7113 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7114 return EXIT_FAILURE;
7115 }
7116 printf("test count = %i\n", count);
7117
7118 /* find random seed */
7119 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7120
7121 /* initialize */
7122 run_context_tests(0);
7123 run_context_tests(1);
7124 run_scratch_tests();
7125
7126 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
7127 /* Randomize the context only with probability 15/16
7128 to make sure we test without context randomization from time to time.
7129 TODO Reconsider this when recalibrating the tests. */
7130 if (secp256k1_testrand_bits(4)) {
7131 unsigned char rand32[32];
7132 secp256k1_testrand256(rand32);
7133 CHECK(secp256k1_context_randomize(ctx, rand32));
7134 }
7135
7136 run_rand_bits();
7137 run_rand_int();
7138
7139 run_ctz_tests();
7140 run_modinv_tests();
7141 run_inverse_tests();
7142
7143 run_sha256_known_output_tests();
7144 run_sha256_counter_tests();
7145 run_hmac_sha256_tests();
7146 run_rfc6979_hmac_sha256_tests();
7147 run_tagged_sha256_tests();
7148
7149 /* scalar tests */
7150 run_scalar_tests();
7151
7152 /* field tests */
7153 run_field_half();
7154 run_field_misc();
7155 run_field_convert();
7156 run_fe_mul();
7157 run_sqr();
7158 run_sqrt();
7159
7160 /* group tests */
7161 run_ge();
7162 run_gej();
7163 run_group_decompress();
7164
7165 /* ecmult tests */
7166 run_ecmult_pre_g();
7167 run_wnaf();
7168 run_point_times_order();
7169 run_ecmult_near_split_bound();
7170 run_ecmult_chain();
7171 run_ecmult_constants();
7172 run_ecmult_gen_blind();
7173 run_ecmult_const_tests();
7174 run_ecmult_multi_tests();
7175 run_ec_combine();
7176
7177 /* endomorphism tests */
7178 run_endomorphism_tests();
7179
7180 /* EC point parser test */
7181 run_ec_pubkey_parse_test();
7182
7183 /* EC key edge cases */
7184 run_eckey_edge_case_test();
7185
7186 /* EC key arithmetic test */
7187 run_eckey_negate_test();
7188
7189#ifdef ENABLE_MODULE_ECDH
7190 /* ecdh tests */
7191 run_ecdh_tests();
7192#endif
7193
7194 /* ecdsa tests */
7195 run_pubkey_comparison();
7196 run_random_pubkeys();
7197 run_ecdsa_der_parse();
7198 run_ecdsa_sign_verify();
7199 run_ecdsa_end_to_end();
7200 run_ecdsa_edge_cases();
7201
7202#ifdef ENABLE_MODULE_MULTISET
7203 run_multiset_tests();
7204#endif
7205
7206#ifdef ENABLE_MODULE_RECOVERY
7207 /* ECDSA pubkey recovery tests */
7208 run_recovery_tests();
7209#endif
7210
7211#ifdef ENABLE_MODULE_SCHNORR
7212 /* Schnorr signature tests */
7213 run_schnorr_tests();
7214#endif
7215
7216#ifdef ENABLE_MODULE_EXTRAKEYS
7217 run_extrakeys_tests();
7218#endif
7219
7220#ifdef ENABLE_MODULE_SCHNORRSIG
7221 run_schnorrsig_tests();
7222#endif
7223
7224 /* util tests */
7225 run_secp256k1_memczero_test();
7226 run_secp256k1_byteorder_tests();
7227
7228 run_cmov_tests();
7229
7230 secp256k1_testrand_finish();
7231
7232 /* shutdown */
7233 secp256k1_context_destroy(ctx);
7234
7235 printf("no problems found\n");
7236 return 0;
7237}
tests_impl.h
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:158
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:67
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:599
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:729
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:395
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:410
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:159
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:350
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:570
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:720
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:792
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:637
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:45
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:810
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
void run_extrakeys_tests(void)
Definition: tests_impl.h:582
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize.
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small (not greater than 0x7FFF), non-negative integer.
secp256k1_fe_get_bounds
static void secp256k1_fe_get_bounds(secp256k1_fe *r, int m)
Sets each limb of 'r' to its upper bound at magnitude 'm'.
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Field element module.
Definition: field.h:35
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Normalize a field element.
secp256k1_fe_half
static void secp256k1_fe_half(secp256k1_fe *r)
Halves the value of a field element modulo the field prime.
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:47
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:62
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
run_multiset_tests
void run_multiset_tests(void)
Definition: tests_impl.h:336
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8240
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:20
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:19
sig
SchnorrSig sig
Definition: processor.cpp:523
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:28
tests_impl.h
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:387
prefix
const char * prefix
Definition: rest.cpp:812
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:59
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:67
tests_impl.h
run_schnorr_tests
void run_schnorr_tests(void)
Definition: tests_impl.h:512
tests_impl.h
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:891
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:304
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:201
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:215
VG_CHECK
#define VG_CHECK(x, y)
Definition: util.h:112
ALIGNMENT
#define ALIGNMENT
Definition: util.h:145
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: util.h:111
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:322
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:286
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:330
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:34
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:275
CHECK
#define CHECK(cond)
Definition: util.h:85
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:263
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:123
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:182
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:320
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:206
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:225
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:432
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:306
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:157
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:671
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:200
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:182
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:71
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:718
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:726
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:581
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:346
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:257
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:173
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:280
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:540
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:118
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:164
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:525
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:239
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:202
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:330
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:563
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:752
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:205
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:411
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:392
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:139
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:654
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:206
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:367
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:600
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:643
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:187
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:199
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:596
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:627
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:695
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:379
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:691
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:87
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:150
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:93
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:73
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:129
ecmult_multi_data
Definition: tests.c:4051
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4052
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4053
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:25
secp256k1_context_struct
Definition: secp256k1.c:58
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:61
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:59
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
secp256k1_fe_storage
Definition: field_10x26.h:43
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:16
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:23
secp256k1_modinv32_modinfo::modulus_inv30
uint32_t modulus_inv30
Definition: modinv32.h:28
secp256k1_modinv32_modinfo::modulus
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:25
secp256k1_modinv32_signed30
Definition: modinv32.h:19
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:20
secp256k1_modinv64_modinfo
Definition: modinv64.h:27
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:32
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:29
secp256k1_modinv64_signed62
Definition: modinv64.h:23
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:24
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand32
static SECP256K1_INLINE uint32_t secp256k1_testrand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:4598
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:124
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:3663
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:6223
ctx
static secp256k1_context * ctx
Definition: tests.c:34
scalar_test
void scalar_test(void)
Definition: tests.c:1716
fe_identical
int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2586
test_intialized_inf
void test_intialized_inf(void)
Definition: tests.c:3428
test_ecmult_target
void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:3876
fe_cmov_test
void fe_cmov_test(void)
Definition: tests.c:6964
test_inverse_field
void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:2907
run_modinv_tests
void run_modinv_tests(void)
Definition: tests.c:1077
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6237
test_ecmult_multi_batch_size_helper
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:4550
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:5257
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:5926
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:5934
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
run_endomorphism_tests
void run_endomorphism_tests(void)
Definition: tests.c:5161
test_pre_g_table
void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:3674
test_gej_cmov
void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3536
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:3948
test_ge
void test_ge(void)
Definition: tests.c:3228
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:5585
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5113
run_fe_mul
void run_fe_mul(void)
Definition: tests.c:2781
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:3592
run_ecmult_pre_g
void run_ecmult_pre_g(void)
Definition: tests.c:3724
test_fe_mul
void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:2738
main
int main(int argc, char **argv)
Definition: tests.c:7094
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:4497
run_cmov_tests
void run_cmov_tests(void)
Definition: tests.c:7086
run_field_convert
void run_field_convert(void)
Definition: tests.c:2555
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:5969
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_field_misc
void run_field_misc(void)
Definition: tests.c:2646
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:2818
test_ecmult_constants_2bit
void test_ecmult_constants_2bit(void)
Definition: tests.c:4969
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:62
run_secp256k1_byteorder_tests
void run_secp256k1_byteorder_tests(void)
Definition: tests.c:6926
mulmod256
void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:821
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:111
run_sha256_counter_tests
void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:555
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:3812
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6336
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:31
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4071
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:5876
int_cmov_test
void int_cmov_test(void)
Definition: tests.c:6939
run_ctz_tests
void run_ctz_tests(void)
Definition: tests.c:433
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:4018
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6297
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:78
run_field_half
void run_field_half(void)
Definition: tests.c:2597
test_modinv32_uint16
void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:936
scalar_cmov_test
void scalar_cmov_test(void)
Definition: tests.c:7024
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:613
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3180
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:767
run_rand_int
void run_rand_int(void)
Definition: tests.c:791
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:2516
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3211
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4692
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:5964
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2526
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:5918
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:3460
run_gej
void run_gej(void)
Definition: tests.c:3544
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:5910
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:2868
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:783
test_ecmult_accumulate
void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:4936
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:90
coprime
int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1047
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:5056
random_scalar_order_b32
void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:137
run_pubkey_comparison
void run_pubkey_comparison(void)
Definition: tests.c:6174
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3190
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:6114
run_sqrt
void run_sqrt(void)
Definition: tests.c:2832
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:5883
ge_storage_cmov_test
void ge_storage_cmov_test(void)
Definition: tests.c:7054
random_gej_test
void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:105
run_inverse_tests
void run_inverse_tests(void)
Definition: tests.c:2932
run_ge
void run_ge(void)
Definition: tests.c:3527
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:3996
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:6230
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:3975
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4741
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5182
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:5090
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4056
fe_storage_cmov_test
void fe_storage_cmov_test(void)
Definition: tests.c:6994
run_ecmult_near_split_bound
void run_ecmult_near_split_bound(void)
Definition: tests.c:3915
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4781
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:6514
test_inverse_scalar
void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:2885
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:3599
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:4818
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:5125
test_ecmult_multi_random
int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4309
run_scalar_set_b32_seckey_tests
void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:1881
run_secp256k1_memczero_test
void run_secp256k1_memczero_test(void)
Definition: tests.c:6911
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:36
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2539
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:3927
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:44
test_scalar_split
void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5134
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:3853
run_eckey_negate_test
void run_eckey_negate_test(void)
Definition: tests.c:5841
uint16_to_signed30
void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:903
count
static int count
Definition: tests.c:33
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:2506
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:4828
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:4517
run_ecmult_multi_tests
void run_ecmult_multi_tests(void)
Definition: tests.c:4665
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:6883
test_ecmult_multi_batch_single
void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4477
run_sha256_known_output_tests
void run_sha256_known_output_tests(void)
Definition: tests.c:454
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:4726
test_ecmult_constants_sha
void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5013
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:657
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:4928
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4063
run_tagged_sha256_tests
void run_tagged_sha256_tests(void)
Definition: tests.c:698
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2547
run_sqr
void run_sqr(void)
Definition: tests.c:2802
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:3748
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:6482
mutate_sign_signed30
void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:921
modinv2p64
uint64_t modinv2p64(uint64_t x)
Definition: tests.c:805
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:52
run_wnaf
void run_wnaf(void)
Definition: tests.c:4882
run_scratch_tests
void run_scratch_tests(void)
Definition: tests.c:350
run_context_tests
void run_context_tests(int use_prealloc)
Definition: tests.c:143
signed30_to_uint16
void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:912
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:3567
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:4044
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6309
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:732
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:1898
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:2873
Generated on Thu Feb 12 2026 19:47:06 for Bitcoin ABC by doxygen 1.9.4