Bitcoin ABC 0.33.8
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "testutil.h"
27#include "util.h"
28
29#include "../contrib/lax_der_parsing.c"
30#include "../contrib/lax_der_privatekey_parsing.c"
31
32#include "modinv32_impl.h"
33#ifdef SECP256K1_WIDEMUL_INT128
34#include "modinv64_impl.h"
35#include "int128_impl.h"
36#endif
37
38#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
39
40static int COUNT = 64;
41static secp256k1_context *CTX = NULL;
43
44static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
45 const unsigned char *p = s;
46 size_t i;
47
48 for (i = 0; i < n; i++) {
49 if (p[i] != value) {
50 return 0;
51 }
52 }
53 return 1;
54}
55
56#define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
57 int32_t _calls_to_callback = 0; \
58 secp256k1_callback _saved_callback = ctx->callback; \
59 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
60 { expr_or_stmt; } \
61 ctx->callback = _saved_callback; \
62 CHECK(_calls_to_callback == 1); \
63} while(0);
64
65/* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
66 *
67 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
68#define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
69 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
70#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
71 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
72
73/* CHECK that
74 * - expr calls the illegal callback of ctx exactly once and,
75 * - expr == 0 (or equivalently, expr == NULL)
76 *
77 * Useful for checking functions that return an integer or a pointer. */
78#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
79#define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
80
81static void counting_callback_fn(const char* str, void* data) {
82 /* Dummy callback function that just counts. */
83 int32_t *p;
84 (void)str;
85 p = data;
86 CHECK(*p != INT32_MAX);
87 (*p)++;
88}
89
90static void uncounting_illegal_callback_fn(const char* str, void* data) {
91 /* Dummy callback function that just counts (backwards). */
92 int32_t *p;
93 (void)str;
94 p = data;
95 CHECK(*p != INT32_MIN);
96 (*p)--;
97}
98
100 secp256k1_fe zero;
101 int n = secp256k1_testrand_int(m + 1);
103 if (n == 0) {
104 return;
105 }
106 secp256k1_fe_clear(&zero);
107 secp256k1_fe_negate(&zero, &zero, 0);
108 secp256k1_fe_mul_int_unchecked(&zero, n - 1);
109 secp256k1_fe_add(fe, &zero);
110#ifdef VERIFY
111 CHECK(fe->magnitude == n);
112#endif
113}
114
116 unsigned char bin[32];
117 do {
119 if (secp256k1_fe_set_b32_limit(x, bin)) {
120 return;
121 }
122 } while(1);
123}
124
126 do {
127 random_fe_test(fe);
128 } while(secp256k1_fe_is_zero(fe));
129}
130
133}
134
137}
138
141}
142
145}
146
149}
150
153}
154
156 secp256k1_fe fe;
157 do {
158 random_fe_test(&fe);
161 break;
162 }
163 } while(1);
164 ge->infinity = 0;
165}
166
168 secp256k1_fe z2, z3;
170 secp256k1_fe_sqr(&z2, &gej->z);
171 secp256k1_fe_mul(&z3, &z2, &gej->z);
172 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
173 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
174 gej->infinity = ge->infinity;
175}
176
178 secp256k1_ge ge;
181}
182
184 do {
185 unsigned char b32[32];
186 int overflow = 0;
188 secp256k1_scalar_set_b32(num, b32, &overflow);
189 if (overflow || secp256k1_scalar_is_zero(num)) {
190 continue;
191 }
192 break;
193 } while(1);
194}
195
197 do {
198 unsigned char b32[32];
199 int overflow = 0;
201 secp256k1_scalar_set_b32(num, b32, &overflow);
202 if (overflow || secp256k1_scalar_is_zero(num)) {
203 continue;
204 }
205 break;
206 } while(1);
207}
208
209static void random_scalar_order_b32(unsigned char *b32) {
212 secp256k1_scalar_get_b32(b32, &num);
213}
214
215static void run_xoshiro256pp_tests(void) {
216 {
217 size_t i;
218 /* Sanity check that we run before the actual seeding. */
219 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
221 }
222 }
223 {
224 int i;
225 unsigned char buf32[32];
226 unsigned char seed16[16] = {
227 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
228 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
229 };
230 unsigned char buf32_expected[32] = {
231 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
232 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
233 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
234 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
235 };
237 for (i = 0; i < 17; i++) {
239 }
240 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
241 }
242}
243
244static void run_selftest_tests(void) {
245 /* Test public API */
247}
248
250 return a->built == b->built
254}
255
256static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
257 return a->declassify == b->declassify
263}
264
266 /* Check that a context created with any of the flags in the flags array is
267 * identical to the NONE context. */
268 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
272 int i;
273 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
274 secp256k1_context *tmp_ctx;
276 tmp_ctx = secp256k1_context_create(flags[i]);
277 CHECK(context_eq(none_ctx, tmp_ctx));
279 }
281}
282
284 secp256k1_pubkey pubkey;
285 secp256k1_pubkey zero_pubkey;
287 unsigned char ctmp[32];
288
289 /* Setup */
290 memset(ctmp, 1, 32);
291 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
292
293 /* Verify context-type checking illegal-argument errors. */
295 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
296 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
297 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
298 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
300 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
302 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
303 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
304 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
305 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
306 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
308 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
311 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
312}
313
314static void run_static_context_tests(int use_prealloc) {
315 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
317
318 {
319 unsigned char seed[32] = {0x17};
320
321 /* Randomizing secp256k1_context_static is not supported. */
324
325 /* Destroying or cloning secp256k1_context_static is not supported. */
326 if (use_prealloc) {
328 {
329 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
330 CHECK(my_static_ctx != NULL);
331 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
333 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
334 free(my_static_ctx);
335 }
337 } else {
340 }
341 }
342
343 {
344 /* Verify that setting and resetting illegal callback works */
345 int32_t dummy = 0;
352 }
353}
354
355static void run_proper_context_tests(int use_prealloc) {
356 int32_t dummy = 0;
357 secp256k1_context *my_ctx, *my_ctx_fresh;
358 void *my_ctx_prealloc = NULL;
359 unsigned char seed[32] = {0x17};
360
361 secp256k1_gej pubj;
362 secp256k1_ge pub;
363 secp256k1_scalar msg, key, nonce;
364 secp256k1_scalar sigr, sigs;
365
366 /* Fresh reference context for comparison */
368
369 if (use_prealloc) {
371 CHECK(my_ctx_prealloc != NULL);
373 } else {
375 }
376
377 /* Randomize and reset randomization */
378 CHECK(context_eq(my_ctx, my_ctx_fresh));
379 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
380 CHECK(!context_eq(my_ctx, my_ctx_fresh));
381 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
382 CHECK(context_eq(my_ctx, my_ctx_fresh));
383
384 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
388
389 /* check if sizes for cloning are consistent */
391
392 /*** clone and destroy all of them to make sure cloning was complete ***/
393 {
394 secp256k1_context *ctx_tmp;
395
396 if (use_prealloc) {
397 /* clone into a non-preallocated context and then again into a new preallocated one. */
398 ctx_tmp = my_ctx;
399 my_ctx = secp256k1_context_clone(my_ctx);
400 CHECK(context_eq(ctx_tmp, my_ctx));
402
403 free(my_ctx_prealloc);
405 CHECK(my_ctx_prealloc != NULL);
406 ctx_tmp = my_ctx;
407 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
408 CHECK(context_eq(ctx_tmp, my_ctx));
410 } else {
411 /* clone into a preallocated context and then again into a new non-preallocated one. */
412 void *prealloc_tmp;
413
415 CHECK(prealloc_tmp != NULL);
416 ctx_tmp = my_ctx;
417 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
418 CHECK(context_eq(ctx_tmp, my_ctx));
420
421 ctx_tmp = my_ctx;
422 my_ctx = secp256k1_context_clone(my_ctx);
423 CHECK(context_eq(ctx_tmp, my_ctx));
425 free(prealloc_tmp);
426 }
427 }
428
429 /* Verify that the error callback makes it across the clone. */
432 /* And that it resets back to default. */
433 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
435 CHECK(context_eq(my_ctx, my_ctx_fresh));
436
437 /* Verify that setting and resetting illegal callback works */
440 CHECK(my_ctx->illegal_callback.data == &dummy);
441 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
443 CHECK(my_ctx->illegal_callback.data == NULL);
444 CHECK(context_eq(my_ctx, my_ctx_fresh));
445
446 /*** attempt to use them ***/
449 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
450 secp256k1_ge_set_gej(&pub, &pubj);
451
452 /* obtain a working nonce */
453 do {
455 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
456
457 /* try signing */
458 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
459
460 /* try verifying */
461 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
462
463 /* cleanup */
464 if (use_prealloc) {
466 free(my_ctx_prealloc);
467 } else {
469 }
470 secp256k1_context_destroy(my_ctx_fresh);
471
472 /* Defined as no-op. */
475}
476
477static void run_scratch_tests(void) {
478 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
479
480 size_t checkpoint;
481 size_t checkpoint_2;
483 secp256k1_scratch_space local_scratch;
484
485 /* Test public API */
486 scratch = secp256k1_scratch_space_create(CTX, 1000);
487 CHECK(scratch != NULL);
488
489 /* Test internal API */
491 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
492 CHECK(scratch->alloc_size == 0);
493 CHECK(scratch->alloc_size % ALIGNMENT == 0);
494
495 /* Allocating 500 bytes succeeds */
496 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
497 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
498 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
499 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
500 CHECK(scratch->alloc_size != 0);
501 CHECK(scratch->alloc_size % ALIGNMENT == 0);
502
503 /* Allocating another 501 bytes fails */
504 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
505 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
506 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
507 CHECK(scratch->alloc_size != 0);
508 CHECK(scratch->alloc_size % ALIGNMENT == 0);
509
510 /* ...but it succeeds once we apply the checkpoint to undo it */
512 CHECK(scratch->alloc_size == 0);
514 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
515 CHECK(scratch->alloc_size != 0);
516
517 /* try to apply a bad checkpoint */
518 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
520 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
521 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
522
523 /* try to use badly initialized scratch space */
525 memset(&local_scratch, 0, sizeof(local_scratch));
526 scratch = &local_scratch;
530
531 /* Test that large integers do not wrap around in a bad way */
532 scratch = secp256k1_scratch_space_create(CTX, 1000);
533 /* Try max allocation with a large number of objects. Only makes sense if
534 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
535 * space. */
536 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
537 /* Try allocating SIZE_MAX to test wrap around which only happens if
538 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
539 * space is too small. */
540 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
542
543 /* cleanup */
544 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
545}
546
547static void run_ctz_tests(void) {
548 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
549 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
550 int shift;
551 unsigned i;
552 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
553 for (shift = 0; shift < 32; ++shift) {
554 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
555 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
556 }
557 }
558 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
559 for (shift = 0; shift < 64; ++shift) {
560 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
561 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
562 }
563 }
564}
565
566/***** HASH TESTS *****/
567
569 static const char *inputs[] = {
570 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
571 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
572 "For this sample, this 63-byte string will be used as input data",
573 "This is exactly 64 bytes long, not counting the terminating byte",
574 "aaaaa",
575 };
576 static const unsigned int repeat[] = {
577 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
578 };
579 static const unsigned char outputs[][32] = {
580 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
581 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
582 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
583 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
584 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
585 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
586 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
587 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
588 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
589 };
590 unsigned int i, ninputs;
591
592 /* Skip last input vector for low iteration counts */
593 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
594 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
595
596 for (i = 0; i < ninputs; i++) {
597 unsigned char out[32];
598 secp256k1_sha256 hasher;
599 unsigned int j;
600 /* 1. Run: simply write the input bytestrings */
601 j = repeat[i];
603 while (j > 0) {
604 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
605 j--;
606 }
608 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
609 /* 2. Run: split the input bytestrings randomly before writing */
610 if (strlen(inputs[i]) > 0) {
611 int split = secp256k1_testrand_int(strlen(inputs[i]));
613 j = repeat[i];
614 while (j > 0) {
615 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
616 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
617 j--;
618 }
620 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
621 }
622 }
623}
624
669static void run_sha256_counter_tests(void) {
670 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
671 static const secp256k1_sha256 midstates[] = {
672 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
673 {0x00}, 0xfffc0},
674 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
675 {0x00}, 0x1fffc0},
676 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
677 {0x00}, 0x3fffc0},
678 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
679 {0x00}, 0x7fffc0},
680 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
681 {0x00}, 0xffffc0},
682 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
683 {0x00}, 0x1ffffc0},
684 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
685 {0x00}, 0x3ffffc0},
686 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
687 {0x00}, 0x7ffffc0},
688 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
689 {0x00}, 0xfffffc0},
690 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
691 {0x00}, 0x1fffffc0},
692 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
693 {0x00}, 0x3fffffc0},
694 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
695 {0x00}, 0x7fffffc0},
696 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
697 {0x00}, 0xffffffc0},
698 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
699 {0x00}, 0x1ffffffc0},
700 };
701 static const unsigned char outputs[][32] = {
702 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
703 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
704 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
705 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
706 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
707 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
708 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
709 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
710 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
711 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
712 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
713 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
714 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
715 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
716 };
717 unsigned int i;
718 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
719 unsigned char out[32];
720 secp256k1_sha256 hasher = midstates[i];
721 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
723 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
724 }
725}
726
727/* Tests for the equality of two sha256 structs. This function only produces a
728 * correct result if an integer multiple of 64 many bytes have been written
729 * into the hash functions. This function is used by some module tests. */
730static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
731 /* Is buffer fully consumed? */
732 CHECK((sha1->bytes & 0x3F) == 0);
733
734 CHECK(sha1->bytes == sha2->bytes);
735 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
736}
737
738static void run_hmac_sha256_tests(void) {
739 static const char *keys[6] = {
740 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
741 "\x4a\x65\x66\x65",
742 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
743 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
744 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
745 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
746 };
747 static const char *inputs[6] = {
748 "\x48\x69\x20\x54\x68\x65\x72\x65",
749 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
750 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
751 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
752 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
753 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
754 };
755 static const unsigned char outputs[6][32] = {
756 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
757 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
758 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
759 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
760 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
761 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
762 };
763 int i;
764 for (i = 0; i < 6; i++) {
766 unsigned char out[32];
767 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
768 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
770 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
771 if (strlen(inputs[i]) > 0) {
772 int split = secp256k1_testrand_int(strlen(inputs[i]));
773 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
774 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
775 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
777 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
778 }
779 }
780}
781
783 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
784 static const unsigned char out1[3][32] = {
785 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
786 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
787 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
788 };
789
790 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
791 static const unsigned char out2[3][32] = {
792 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
793 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
794 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
795 };
796
798 unsigned char out[32];
799 int i;
800
802 for (i = 0; i < 3; i++) {
804 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
805 }
807
809 for (i = 0; i < 3; i++) {
811 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
812 }
814
816 for (i = 0; i < 3; i++) {
818 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
819 }
821}
822
823static void run_tagged_sha256_tests(void) {
824 unsigned char tag[32] = { 0 };
825 unsigned char msg[32] = { 0 };
826 unsigned char hash32[32];
827 unsigned char hash_expected[32] = {
828 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
829 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
830 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
831 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
832 };
833
834 /* API test */
835 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
836 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
837 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
838 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
839
840 /* Static test vector */
841 memcpy(tag, "tag", 3);
842 memcpy(msg, "msg", 3);
843 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
844 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
845}
846
847/***** MODINV TESTS *****/
848
849/* Compute the modular inverse of (odd) x mod 2^64. */
850static uint64_t modinv2p64(uint64_t x) {
851 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
852 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
853 * why. Start with L=0, for which it is true for every odd x that
854 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
855 int l;
856 uint64_t w = 1;
857 CHECK(x & 1);
858 for (l = 0; l < 6; ++l) w *= (2 - w*x);
859 return w;
860}
861
862
863/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
864 *
865 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
866 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
867static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
868 uint16_t mul[32];
869 uint64_t c = 0;
870 int i, j;
871 int m_bitlen = 0;
872 int mul_bitlen = 0;
873
874 if (b != NULL) {
875 /* Compute the product of a and b, and put it in mul. */
876 for (i = 0; i < 32; ++i) {
877 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
878 c += (uint64_t)a[j] * b[i - j];
879 }
880 mul[i] = c & 0xFFFF;
881 c >>= 16;
882 }
883 CHECK(c == 0);
884
885 /* compute the highest set bit in mul */
886 for (i = 511; i >= 0; --i) {
887 if ((mul[i >> 4] >> (i & 15)) & 1) {
888 mul_bitlen = i;
889 break;
890 }
891 }
892 } else {
893 /* if b==NULL, set mul=a. */
894 memcpy(mul, a, 32);
895 memset(mul + 16, 0, 32);
896 /* compute the highest set bit in mul */
897 for (i = 255; i >= 0; --i) {
898 if ((mul[i >> 4] >> (i & 15)) & 1) {
899 mul_bitlen = i;
900 break;
901 }
902 }
903 }
904
905 if (m) {
906 /* Compute the highest set bit in m. */
907 for (i = 255; i >= 0; --i) {
908 if ((m[i >> 4] >> (i & 15)) & 1) {
909 m_bitlen = i;
910 break;
911 }
912 }
913
914 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
915 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
916 uint16_t mul2[32];
917 int64_t cs;
918
919 /* Compute mul2 = mul - m<<i. */
920 cs = 0; /* accumulator */
921 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
922 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
923 uint16_t sub = 0;
924 int p;
925 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
926 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
927 if (bitpos >= 0 && bitpos < 256) {
928 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
929 }
930 }
931 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
932 cs += mul[j];
933 cs -= sub;
934 mul2[j] = (cs & 0xFFFF);
935 cs >>= 16;
936 }
937 /* If remainder of subtraction is 0, set mul = mul2. */
938 if (cs == 0) {
939 memcpy(mul, mul2, sizeof(mul));
940 }
941 }
942 /* Sanity check: test that all limbs higher than m's highest are zero */
943 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
944 CHECK(mul[i] == 0);
945 }
946 }
947 memcpy(out, mul, 32);
948}
949
950/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
951static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
952 int i;
953 memset(out->v, 0, sizeof(out->v));
954 for (i = 0; i < 256; ++i) {
955 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
956 }
957}
958
959/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
960static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
961 int i;
962 memset(out, 0, 32);
963 for (i = 0; i < 256; ++i) {
964 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
965 }
966}
967
968/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
970 int i;
971 for (i = 0; i < 16; ++i) {
972 int pos = secp256k1_testrand_bits(3);
973 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
974 x->v[pos] -= 0x40000000;
975 x->v[pos + 1] += 1;
976 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
977 x->v[pos] += 0x40000000;
978 x->v[pos + 1] -= 1;
979 }
980 }
981}
982
983/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
984static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
985 uint16_t tmp[16];
988 int i, vartime, nonzero;
989
990 uint16_to_signed30(&x, in);
991 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
993
994 /* compute 1/modulus mod 2^30 */
995 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
996 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
997
998 /* Test secp256k1_jacobi32_maybe_var. */
999 if (nonzero) {
1000 int jac;
1001 uint16_t sqr[16], negone[16];
1002 mulmod256(sqr, in, in, mod);
1003 uint16_to_signed30(&x, sqr);
1004 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1005 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1006 CHECK(jac == 0 || jac == 1);
1007 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1008 * jacobi symbols if and only if (mod % 4) == 3. */
1009 negone[0] = mod[0] - 1;
1010 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1011 mulmod256(sqr, sqr, negone, mod);
1012 uint16_to_signed30(&x, sqr);
1013 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1014 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1015 }
1016
1017 uint16_to_signed30(&x, in);
1019 for (vartime = 0; vartime < 2; ++vartime) {
1020 /* compute inverse */
1021 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1022
1023 /* produce output */
1025
1026 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1027 mulmod256(tmp, out, in, mod);
1028 CHECK(tmp[0] == nonzero);
1029 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1030
1031 /* invert again */
1032 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1033
1034 /* check if the result is equal to the input */
1035 signed30_to_uint16(tmp, &x);
1036 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1037 }
1038}
1039
1040#ifdef SECP256K1_WIDEMUL_INT128
1041/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1042static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1043 int i;
1044 memset(out->v, 0, sizeof(out->v));
1045 for (i = 0; i < 256; ++i) {
1046 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1047 }
1048}
1049
1050/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1051static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1052 int i;
1053 memset(out, 0, 32);
1054 for (i = 0; i < 256; ++i) {
1055 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1056 }
1057}
1058
1059/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1060static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1061 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1062 int i;
1063 for (i = 0; i < 8; ++i) {
1064 int pos = secp256k1_testrand_bits(2);
1065 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1066 x->v[pos] -= (M62 + 1);
1067 x->v[pos + 1] += 1;
1068 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1069 x->v[pos] += (M62 + 1);
1070 x->v[pos + 1] -= 1;
1071 }
1072 }
1073}
1074
1075/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1076static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1077 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1078 uint16_t tmp[16];
1081 int i, vartime, nonzero;
1082
1083 uint16_to_signed62(&x, in);
1084 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1085 uint16_to_signed62(&m.modulus, mod);
1086
1087 /* compute 1/modulus mod 2^62 */
1088 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1089 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1090
1091 /* Test secp256k1_jacobi64_maybe_var. */
1092 if (nonzero) {
1093 int jac;
1094 uint16_t sqr[16], negone[16];
1095 mulmod256(sqr, in, in, mod);
1096 uint16_to_signed62(&x, sqr);
1097 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1098 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1099 CHECK(jac == 0 || jac == 1);
1100 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1101 * jacobi symbols if and only if (mod % 4) == 3. */
1102 negone[0] = mod[0] - 1;
1103 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1104 mulmod256(sqr, sqr, negone, mod);
1105 uint16_to_signed62(&x, sqr);
1106 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1107 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1108 }
1109
1110 uint16_to_signed62(&x, in);
1111 mutate_sign_signed62(&m.modulus);
1112 for (vartime = 0; vartime < 2; ++vartime) {
1113 /* compute inverse */
1114 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1115
1116 /* produce output */
1117 signed62_to_uint16(out, &x);
1118
1119 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1120 mulmod256(tmp, out, in, mod);
1121 CHECK(tmp[0] == nonzero);
1122 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1123
1124 /* invert again */
1125 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1126
1127 /* check if the result is equal to the input */
1128 signed62_to_uint16(tmp, &x);
1129 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1130 }
1131}
1132#endif
1133
1134/* test if a and b are coprime */
1135static int coprime(const uint16_t* a, const uint16_t* b) {
1136 uint16_t x[16], y[16], t[16];
1137 int i;
1138 int iszero;
1139 memcpy(x, a, 32);
1140 memcpy(y, b, 32);
1141
1142 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1143 while (1) {
1144 iszero = 1;
1145 for (i = 0; i < 16; ++i) {
1146 if (x[i] != 0) {
1147 iszero = 0;
1148 break;
1149 }
1150 }
1151 if (iszero) break;
1152 mulmod256(t, y, NULL, x);
1153 memcpy(y, x, 32);
1154 memcpy(x, t, 32);
1155 }
1156
1157 /* return whether y=1 */
1158 if (y[0] != 1) return 0;
1159 for (i = 1; i < 16; ++i) {
1160 if (y[i] != 0) return 0;
1161 }
1162 return 1;
1163}
1164
1165static void run_modinv_tests(void) {
1166 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1167 static const uint16_t CASES[][3][16] = {
1168 /* Test cases triggering edge cases in divsteps */
1169
1170 /* Test case known to need 713 divsteps */
1171 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1172 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1173 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1174 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1175 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1176 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1177 /* Test case known to need 589 divsteps, reaching delta=-140 and
1178 delta=141. */
1179 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1180 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1181 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1182 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1183 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1184 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1185 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1186 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1187 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1188 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1189 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1190 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1191 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1192 /* example needing 713 divsteps; delta=-2..3 */
1193 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1194 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1195 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1196 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1197 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1198 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1199 /* example needing 713 divsteps; delta=-2..3 */
1200 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1201 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1202 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1203 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1204 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1205 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1206 /* example needing 713 divsteps; delta=-2..3 */
1207 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1208 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1209 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1210 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1211 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1212 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1213 /* example reaching delta=-64..65; 661 divsteps */
1214 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1215 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1216 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1217 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1218 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1219 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1220 /* example reaching delta=-64..65; 661 divsteps */
1221 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1222 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1223 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1224 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1225 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1226 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1227 /* example reaching delta=-64..65; 661 divsteps */
1228 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1229 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1230 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1231 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1232 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1233 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1234 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1235 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1236 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1237 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1238 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1239 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1240 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1241 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1242 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1243 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1244 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1245 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1246 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1247 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1248 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1249 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1250 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1251 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1252 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1253 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1254 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1255 /* example doing 446 (f,g/2) steps; 523 divsteps */
1256 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1257 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1258 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1259 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1260 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1261 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1262 /* example doing 446 (f,g/2) steps; 523 divsteps */
1263 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1264 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1265 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1266 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1267 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1268 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1269 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1270 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1271 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1272 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1273 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1274 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1275 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1276 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1277 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1278 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1279 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1280 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1281 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1282 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1283 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1284 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1285 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1286 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1287 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1288 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1289 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1290 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1291 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1292 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1293 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1294 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1295 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1296 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1297
1298 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1299
1300 /* example needing 590 divsteps; delta=-5/2..7/2 */
1301 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1302 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1303 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1304 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1305 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1306 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1307 /* example needing 590 divsteps; delta=-3/2..5/2 */
1308 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1309 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1310 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1311 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1312 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1313 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1314 /* example needing 590 divsteps; delta=-3/2..5/2 */
1315 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1316 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1317 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1318 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1319 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1320 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1321 /* example needing 590 divsteps; delta=-5/2..7/2 */
1322 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1323 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1324 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1325 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1326 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1327 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1328 /* example needing 590 divsteps; delta=-3/2..5/2 */
1329 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1330 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1331 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1332 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1333 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1334 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1335 /* example reaching delta=-127/2..129/2; 571 divsteps */
1336 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1337 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1338 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1339 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1340 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1341 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1342 /* example reaching delta=-127/2..129/2; 571 divsteps */
1343 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1344 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1345 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1346 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1347 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1348 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1349 /* example reaching delta=-127/2..129/2; 571 divsteps */
1350 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1351 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1352 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1353 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1354 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1355 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1356 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1357 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1358 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1359 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1360 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1361 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1362 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1363 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1364 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1365 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1366 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1367 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1368 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1369 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1370 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1371 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1372 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1373 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1374 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1375 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1376 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1377 /* example doing 453 (f,g/2) steps; 514 divsteps */
1378 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1379 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1380 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1381 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1382 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1383 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1384 /* example doing 453 (f,g/2) steps; 514 divsteps */
1385 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1386 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1387 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1388 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1389 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1390 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1391 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1392 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1393 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1394 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1395 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1396 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1397 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1398 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1399 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1400 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1401 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1402 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1403 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1404 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1405 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1406 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1407 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1408 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1409 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1410 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1411 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1412 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1413 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1414 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1415 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1416 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1417 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1418 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1419
1420 /* Test cases with the group order as modulus. */
1421
1422 /* Test case with the group order as modulus, needing 635 divsteps. */
1423 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1424 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1425 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1426 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1427 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1428 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1429 /* example with group size as modulus needing 631 divsteps */
1430 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1431 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1432 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1433 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1434 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1435 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1436 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1437 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1438 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1439 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1440 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1441 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1442 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1443 /* Test case with the group size as modulus, needing 981 divsteps with
1444 broken eta handling. */
1445 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1446 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1447 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1448 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1449 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1450 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1451 /* Test case with the group size as modulus, input = 0. */
1452 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1453 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1454 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1455 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1456 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1457 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1458 /* Test case with the group size as modulus, input = 1. */
1459 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1460 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1461 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1462 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1463 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1464 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1465 /* Test case with the group size as modulus, input = 2. */
1466 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1467 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1468 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1469 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1470 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1471 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1472 /* Test case with the group size as modulus, input = group - 1. */
1473 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1474 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1475 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1476 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1477 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1478 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1479
1480 /* Test cases with the field size as modulus. */
1481
1482 /* Test case with the field size as modulus, needing 637 divsteps. */
1483 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1484 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1485 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1486 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1487 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1488 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1489 /* example with field size as modulus needing 637 divsteps */
1490 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1491 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1492 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1493 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1494 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1495 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1496 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1497 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1498 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1499 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1500 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1501 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1502 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1503 /* Test case with the field size as modulus, needing 935 divsteps with
1504 broken eta handling. */
1505 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1506 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1507 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1508 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1509 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1510 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1511 /* Test case with the field size as modulus, input = 0. */
1512 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1513 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1514 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1515 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1516 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1517 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1518 /* Test case with the field size as modulus, input = 1. */
1519 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1520 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1521 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1522 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1523 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1524 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1525 /* Test case with the field size as modulus, input = 2. */
1526 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1527 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1528 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1529 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1530 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1531 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1532 /* Test case with the field size as modulus, input = field - 1. */
1533 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1534 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1535 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1536 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1537 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1538 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1539
1540 /* Selected from a large number of random inputs to reach small/large
1541 * d/e values in various configurations. */
1542 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1543 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1544 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1545 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1546 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1547 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1548 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1549 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1550 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1551 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1552 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1553 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1554 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1555 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1556 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1557 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1558 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1559 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1560 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1561 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1562 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1563 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1564 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1565 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1566 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1567 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1568 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1569 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1570 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1571 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1572 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1573 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1574 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1575 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1576 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1577 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1578 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1579 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1580 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1581 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1582 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1583 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1584 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1585 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1586 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1587 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1588 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1589 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1590 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1591 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1592 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1593 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1594 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1595 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1596 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1597 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1598 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1599 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1600 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1601 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1602 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1603 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1604 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1605 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1606 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1607 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1608 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1609 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1610 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1611 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1612 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1613 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1614 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1615 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1616 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1617 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1618 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1619 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1620 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1621 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1622 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1623 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1624 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1625 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1626 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1627 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1628 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1629 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1630 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1631 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1632 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1633 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1634 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1635 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1636 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1637 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1638 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1639 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1640 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1641 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1642 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1643 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1644 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1645 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1646 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1647 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1648 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1649 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1650 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1651 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1652 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1653 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1654 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1655 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1656 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1657 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1658 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1659 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1660 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1661 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1662 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1663 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1664 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1665 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1666 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1667 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1668 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1669 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1670 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1671 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1672 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1673 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1674 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1675 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1676 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1677 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1678 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1679 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1680 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1681 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1682 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1683 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1684 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1685 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1686 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1687 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1688 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1689 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1690 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1691 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1692 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1693 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1694 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1695 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1696 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1697 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1698 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1699 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1700 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1701 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1702 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1703 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1704 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1705 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1706 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1707 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1708 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1709 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1710 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1711 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1712 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1713 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1714 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1715 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1716 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1717 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1718 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1719 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1720 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1721 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1722 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1723 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1724 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1725 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1726 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1727 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1728 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1729 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1730 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1731 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1732 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1733 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1734 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1735 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1736 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1737 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1738 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1739 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1740 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1741 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1742 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1743 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1744 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1745 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1746 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1747 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1748 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1749 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1750 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1751 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1752 };
1753
1754 int i, j, ok;
1755
1756 /* Test known inputs/outputs */
1757 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1758 uint16_t out[16];
1759 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1760 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1761#ifdef SECP256K1_WIDEMUL_INT128
1762 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1763 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1764#endif
1765 }
1766
1767 for (i = 0; i < 100 * COUNT; ++i) {
1768 /* 256-bit numbers in 16-uint16_t's notation */
1769 static const uint16_t ZERO[16] = {0};
1770 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1771 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1772 uint16_t id[16]; /* the inverse of xd mod md */
1773
1774 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1775 do {
1776 /* generate random xd and md (with many subsequent 0s and 1s) */
1777 secp256k1_testrand256_test((unsigned char*)xd);
1778 secp256k1_testrand256_test((unsigned char*)md);
1779 md[0] |= 1; /* modulus must be odd */
1780 /* If modulus is 1, find another one. */
1781 ok = md[0] != 1;
1782 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1783 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1784 } while (!(ok && coprime(xd, md)));
1785
1786 test_modinv32_uint16(id, xd, md);
1787#ifdef SECP256K1_WIDEMUL_INT128
1788 test_modinv64_uint16(id, xd, md);
1789#endif
1790
1791 /* In a few cases, also test with input=0 */
1792 if (i < COUNT) {
1793 test_modinv32_uint16(id, ZERO, md);
1794#ifdef SECP256K1_WIDEMUL_INT128
1795 test_modinv64_uint16(id, ZERO, md);
1796#endif
1797 }
1798 }
1799}
1800
1801/***** INT128 TESTS *****/
1802
1803#ifdef SECP256K1_WIDEMUL_INT128
1804/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1805static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1806 int i;
1807 uint32_t carry = 0;
1808 for (i = 0; i < 16; ++i) {
1809 carry += a[i];
1810 carry += b[i];
1811 out[i] = carry;
1812 carry >>= 16;
1813 }
1814}
1815
1816/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1817static void neg256(uint16_t* out, const uint16_t* a) {
1818 int i;
1819 uint32_t carry = 1;
1820 for (i = 0; i < 16; ++i) {
1821 carry += (uint16_t)~a[i];
1822 out[i] = carry;
1823 carry >>= 16;
1824 }
1825}
1826
1827/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1828static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1829 uint16_t sign = sign_extend && (a[15] >> 15);
1830 int i, j;
1831 for (i = 15; i >= 0; --i) {
1832 uint16_t v = 0;
1833 for (j = 0; j < 16; ++j) {
1834 int frompos = i*16 + j + n;
1835 if (frompos >= 256) {
1836 v |= sign << j;
1837 } else {
1838 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1839 }
1840 }
1841 out[i] = v;
1842 }
1843}
1844
1845/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1846static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1847 int i;
1848 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1849 for (i = 0; i < 4; ++i) {
1850 out[i] = v >> (16 * i);
1851 }
1852 for (i = 4; i < 16; ++i) {
1853 out[i] = sign;
1854 }
1855}
1856
1857/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1858static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1859 int i;
1860 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1861 for (i = 0; i < 4; ++i) {
1862 out[i] = lo >> (16 * i);
1863 }
1864 for (i = 4; i < 8; ++i) {
1865 out[i] = hi >> (16 * (i - 4));
1866 }
1867 for (i = 8; i < 16; ++i) {
1868 out[i] = sign;
1869 }
1870}
1871
1872/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1873static int int256is127(const uint16_t* v) {
1874 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1875 int i;
1876 for (i = 8; i < 16; ++i) {
1877 if (v[i] != 0) all_0 = 0;
1878 if (v[i] != 0xffff) all_1 = 0;
1879 }
1880 return all_0 || all_1;
1881}
1882
1883static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1884 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1885 load256two64(out, hi, lo, 0);
1886}
1887
1888static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1889 uint64_t lo;
1890 int64_t hi;
1891 secp256k1_int128 c = *v;
1892 lo = secp256k1_i128_to_u64(&c);
1893 secp256k1_i128_rshift(&c, 64);
1894 hi = secp256k1_i128_to_i64(&c);
1895 load256two64(out, hi, lo, 1);
1896}
1897
1898static void run_int128_test_case(void) {
1899 unsigned char buf[32];
1900 uint64_t v[4];
1901 secp256k1_int128 swa, swz;
1902 secp256k1_uint128 uwa, uwz;
1903 uint64_t ub, uc;
1904 int64_t sb, sc;
1905 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1906 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1907 int i;
1908
1909 /* Generate 32-byte random value. */
1911 /* Convert into 4 64-bit integers. */
1912 for (i = 0; i < 4; ++i) {
1913 uint64_t vi = 0;
1914 int j;
1915 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1916 v[i] = vi;
1917 }
1918 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1919 secp256k1_u128_load(&uwa, v[1], v[0]);
1920 secp256k1_i128_load(&swa, v[1], v[0]);
1921 ub = v[2];
1922 sb = v[2];
1923 uc = v[3];
1924 sc = v[3];
1925 /* Load those also into 16-bit array representations. */
1926 load256u128(ruwa, &uwa);
1927 load256i128(rswa, &swa);
1928 load256u64(rub, ub, 0);
1929 load256u64(rsb, sb, 1);
1930 load256u64(ruc, uc, 0);
1931 load256u64(rsc, sc, 1);
1932 /* test secp256k1_u128_mul */
1933 mulmod256(ruwr, rub, ruc, NULL);
1934 secp256k1_u128_mul(&uwz, ub, uc);
1935 load256u128(ruwz, &uwz);
1936 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1937 /* test secp256k1_u128_accum_mul */
1938 mulmod256(ruwr, rub, ruc, NULL);
1939 add256(ruwr, ruwr, ruwa);
1940 uwz = uwa;
1941 secp256k1_u128_accum_mul(&uwz, ub, uc);
1942 load256u128(ruwz, &uwz);
1943 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1944 /* test secp256k1_u128_accum_u64 */
1945 add256(ruwr, rub, ruwa);
1946 uwz = uwa;
1947 secp256k1_u128_accum_u64(&uwz, ub);
1948 load256u128(ruwz, &uwz);
1949 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1950 /* test secp256k1_u128_rshift */
1951 rshift256(ruwr, ruwa, uc % 128, 0);
1952 uwz = uwa;
1953 secp256k1_u128_rshift(&uwz, uc % 128);
1954 load256u128(ruwz, &uwz);
1955 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1956 /* test secp256k1_u128_to_u64 */
1957 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1958 /* test secp256k1_u128_hi_u64 */
1959 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1960 /* test secp256k1_u128_from_u64 */
1961 secp256k1_u128_from_u64(&uwz, ub);
1962 load256u128(ruwz, &uwz);
1963 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1964 /* test secp256k1_u128_check_bits */
1965 {
1966 int uwa_bits = 0;
1967 int j;
1968 for (j = 0; j < 128; ++j) {
1969 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1970 }
1971 for (j = 0; j < 128; ++j) {
1972 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1973 }
1974 }
1975 /* test secp256k1_i128_mul */
1976 mulmod256(rswr, rsb, rsc, NULL);
1977 secp256k1_i128_mul(&swz, sb, sc);
1978 load256i128(rswz, &swz);
1979 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1980 /* test secp256k1_i128_accum_mul */
1981 mulmod256(rswr, rsb, rsc, NULL);
1982 add256(rswr, rswr, rswa);
1983 if (int256is127(rswr)) {
1984 swz = swa;
1985 secp256k1_i128_accum_mul(&swz, sb, sc);
1986 load256i128(rswz, &swz);
1987 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1988 }
1989 /* test secp256k1_i128_det */
1990 {
1991 uint16_t rsd[16], rse[16], rst[32];
1992 int64_t sd = v[0], se = v[1];
1993 load256u64(rsd, sd, 1);
1994 load256u64(rse, se, 1);
1995 mulmod256(rst, rsc, rsd, NULL);
1996 neg256(rst, rst);
1997 mulmod256(rswr, rsb, rse, NULL);
1998 add256(rswr, rswr, rst);
1999 secp256k1_i128_det(&swz, sb, sc, sd, se);
2000 load256i128(rswz, &swz);
2001 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2002 }
2003 /* test secp256k1_i128_rshift */
2004 rshift256(rswr, rswa, uc % 127, 1);
2005 swz = swa;
2006 secp256k1_i128_rshift(&swz, uc % 127);
2007 load256i128(rswz, &swz);
2008 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2009 /* test secp256k1_i128_to_u64 */
2010 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2011 /* test secp256k1_i128_from_i64 */
2012 secp256k1_i128_from_i64(&swz, sb);
2013 load256i128(rswz, &swz);
2014 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2015 /* test secp256k1_i128_to_i64 */
2016 CHECK(secp256k1_i128_to_i64(&swz) == sb);
2017 /* test secp256k1_i128_eq_var */
2018 {
2019 int expect = (uc & 1);
2020 swz = swa;
2021 if (!expect) {
2022 /* Make sure swz != swa */
2023 uint64_t v0c = v[0], v1c = v[1];
2024 if (ub & 64) {
2025 v1c ^= (((uint64_t)1) << (ub & 63));
2026 } else {
2027 v0c ^= (((uint64_t)1) << (ub & 63));
2028 }
2029 secp256k1_i128_load(&swz, v1c, v0c);
2030 }
2031 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2032 }
2033 /* test secp256k1_i128_check_pow2 (sign == 1) */
2034 {
2035 int expect = (uc & 1);
2036 int pos = ub % 127;
2037 if (expect) {
2038 /* If expect==1, set swz to exactly 2^pos. */
2039 uint64_t hi = 0;
2040 uint64_t lo = 0;
2041 if (pos >= 64) {
2042 hi = (((uint64_t)1) << (pos & 63));
2043 } else {
2044 lo = (((uint64_t)1) << (pos & 63));
2045 }
2046 secp256k1_i128_load(&swz, hi, lo);
2047 } else {
2048 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2049 if (pos >= 64) {
2050 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2051 } else {
2052 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2053 }
2054 swz = swa;
2055 }
2056 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2057 }
2058 /* test secp256k1_i128_check_pow2 (sign == -1) */
2059 {
2060 int expect = (uc & 1);
2061 int pos = ub % 127;
2062 if (expect) {
2063 /* If expect==1, set swz to exactly -2^pos. */
2064 uint64_t hi = ~(uint64_t)0;
2065 uint64_t lo = ~(uint64_t)0;
2066 if (pos >= 64) {
2067 hi <<= (pos & 63);
2068 lo = 0;
2069 } else {
2070 lo <<= (pos & 63);
2071 }
2072 secp256k1_i128_load(&swz, hi, lo);
2073 } else {
2074 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2075 if (pos >= 64) {
2076 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2077 } else {
2078 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2079 }
2080 swz = swa;
2081 }
2082 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2083 }
2084}
2085
2086static void run_int128_tests(void) {
2087 { /* secp256k1_u128_accum_mul */
2089
2090 /* Check secp256k1_u128_accum_mul overflow */
2091 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2092 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2093 CHECK(secp256k1_u128_to_u64(&res) == 2);
2094 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2095 }
2096 { /* secp256k1_u128_accum_mul */
2097 secp256k1_int128 res;
2098
2099 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2100 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2101 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2102 CHECK(secp256k1_i128_to_u64(&res) == 2);
2103 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2104 secp256k1_i128_accum_mul(&res, 1, 1);
2105 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2106 secp256k1_i128_rshift(&res, 64);
2107 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2108
2109 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2110 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2111 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2112 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2113 CHECK(secp256k1_i128_to_u64(&res) == 0);
2114 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2115 CHECK(secp256k1_i128_to_u64(&res) == 0);
2116 secp256k1_i128_rshift(&res, 64);
2117 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2118 }
2119 {
2120 /* Randomized tests. */
2121 int i;
2122 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2123 }
2124}
2125#endif
2126
2127/***** SCALAR TESTS *****/
2128
2129static void scalar_test(void) {
2133 unsigned char c[32];
2134
2135 /* Set 's' to a random scalar, with value 'snum'. */
2137
2138 /* Set 's1' to a random scalar, with value 's1num'. */
2140
2141 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2144
2145 {
2146 int i;
2147 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2150 for (i = 0; i < 256; i += 4) {
2152 int j;
2154 for (j = 0; j < 4; j++) {
2155 secp256k1_scalar_add(&n, &n, &n);
2156 }
2157 secp256k1_scalar_add(&n, &n, &t);
2158 }
2159 CHECK(secp256k1_scalar_eq(&n, &s));
2160 }
2161
2162 {
2163 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2165 int i = 0;
2167 while (i < 256) {
2169 int j;
2170 int now = secp256k1_testrand_int(15) + 1;
2171 if (now + i > 256) {
2172 now = 256 - i;
2173 }
2174 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2175 for (j = 0; j < now; j++) {
2176 secp256k1_scalar_add(&n, &n, &n);
2177 }
2178 secp256k1_scalar_add(&n, &n, &t);
2179 i += now;
2180 }
2181 CHECK(secp256k1_scalar_eq(&n, &s));
2182 }
2183
2184 {
2185 /* Test commutativity of add. */
2186 secp256k1_scalar r1, r2;
2187 secp256k1_scalar_add(&r1, &s1, &s2);
2188 secp256k1_scalar_add(&r2, &s2, &s1);
2189 CHECK(secp256k1_scalar_eq(&r1, &r2));
2190 }
2191
2192 {
2193 secp256k1_scalar r1, r2;
2195 int i;
2196 /* Test add_bit. */
2197 int bit = secp256k1_testrand_bits(8);
2200 for (i = 0; i < bit; i++) {
2201 secp256k1_scalar_add(&b, &b, &b);
2202 }
2203 r1 = s1;
2204 r2 = s1;
2205 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2206 /* No overflow happened. */
2207 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2208 CHECK(secp256k1_scalar_eq(&r1, &r2));
2209 /* cadd is a noop when flag is zero */
2210 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2211 CHECK(secp256k1_scalar_eq(&r1, &r2));
2212 }
2213 }
2214
2215 {
2216 /* Test commutativity of mul. */
2217 secp256k1_scalar r1, r2;
2218 secp256k1_scalar_mul(&r1, &s1, &s2);
2219 secp256k1_scalar_mul(&r2, &s2, &s1);
2220 CHECK(secp256k1_scalar_eq(&r1, &r2));
2221 }
2222
2223 {
2224 /* Test associativity of add. */
2225 secp256k1_scalar r1, r2;
2226 secp256k1_scalar_add(&r1, &s1, &s2);
2227 secp256k1_scalar_add(&r1, &r1, &s);
2228 secp256k1_scalar_add(&r2, &s2, &s);
2229 secp256k1_scalar_add(&r2, &s1, &r2);
2230 CHECK(secp256k1_scalar_eq(&r1, &r2));
2231 }
2232
2233 {
2234 /* Test associativity of mul. */
2235 secp256k1_scalar r1, r2;
2236 secp256k1_scalar_mul(&r1, &s1, &s2);
2237 secp256k1_scalar_mul(&r1, &r1, &s);
2238 secp256k1_scalar_mul(&r2, &s2, &s);
2239 secp256k1_scalar_mul(&r2, &s1, &r2);
2240 CHECK(secp256k1_scalar_eq(&r1, &r2));
2241 }
2242
2243 {
2244 /* Test distributitivity of mul over add. */
2245 secp256k1_scalar r1, r2, t;
2246 secp256k1_scalar_add(&r1, &s1, &s2);
2247 secp256k1_scalar_mul(&r1, &r1, &s);
2248 secp256k1_scalar_mul(&r2, &s1, &s);
2249 secp256k1_scalar_mul(&t, &s2, &s);
2250 secp256k1_scalar_add(&r2, &r2, &t);
2251 CHECK(secp256k1_scalar_eq(&r1, &r2));
2252 }
2253
2254 {
2255 /* Test multiplicative identity. */
2258 CHECK(secp256k1_scalar_eq(&r1, &s1));
2259 }
2260
2261 {
2262 /* Test additive identity. */
2265 CHECK(secp256k1_scalar_eq(&r1, &s1));
2266 }
2267
2268 {
2269 /* Test zero product property. */
2273 }
2274
2275 {
2276 /* Test halving. */
2278 secp256k1_scalar_add(&r, &s, &s);
2279 secp256k1_scalar_half(&r, &r);
2280 CHECK(secp256k1_scalar_eq(&r, &s));
2281 }
2282}
2283
2285 unsigned char b32[32];
2288
2289 /* Usually set_b32 and set_b32_seckey give the same result */
2291 secp256k1_scalar_set_b32(&s1, b32, NULL);
2292 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2293 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2294
2295 memset(b32, 0, sizeof(b32));
2296 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2297 memset(b32, 0xFF, sizeof(b32));
2298 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2299}
2300
2301static void run_scalar_tests(void) {
2302 int i;
2303 for (i = 0; i < 128 * COUNT; i++) {
2304 scalar_test();
2305 }
2306 for (i = 0; i < COUNT; i++) {
2308 }
2309
2310 {
2311 /* Check that the scalar constants secp256k1_scalar_zero and
2312 secp256k1_scalar_one contain the expected values. */
2313 secp256k1_scalar zero, one;
2314
2316 secp256k1_scalar_set_int(&zero, 0);
2318
2320 secp256k1_scalar_set_int(&one, 1);
2322 }
2323
2324 {
2325 /* (-1)+1 should be zero. */
2332 }
2333
2334 {
2335 /* Test that halving and doubling roundtrips on some fixed values. */
2336 static const secp256k1_scalar HALF_TESTS[] = {
2337 /* 0 */
2338 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2339 /* 1 */
2340 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2341 /* -1 */
2342 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2343 /* -2 (largest odd value) */
2344 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2345 /* Half the secp256k1 order */
2346 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2347 /* Half the secp256k1 order + 1 */
2348 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2349 /* 2^255 */
2350 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2351 /* 2^255 - 1 */
2352 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2353 };
2354 unsigned n;
2355 for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) {
2357 secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2358 secp256k1_scalar_add(&s, &s, &s);
2359 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2360 secp256k1_scalar_add(&s, &s, &s);
2361 secp256k1_scalar_half(&s, &s);
2362 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2363 }
2364 }
2365
2366 {
2367 /* Does check_overflow check catch all ones? */
2368 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2369 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2370 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2371 );
2373 }
2374
2375 {
2376 /* Static test vectors.
2377 * These were reduced from ~10^12 random vectors based on comparison-decision
2378 * and edge-case coverage on 32-bit and 64-bit implementations.
2379 * The responses were generated with Sage 5.9.
2380 */
2387 secp256k1_scalar zzv;
2388 int overflow;
2389 unsigned char chal[33][2][32] = {
2390 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2392 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2393 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2394 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2395 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2396 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2397 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2398 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2399 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2400 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2401 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2402 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2404 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2405 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2406 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2407 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2408 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2409 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2410 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2411 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2412 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2413 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2414 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2415 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2417 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2418 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2419 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2420 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2421 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2422 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2423 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2424 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2425 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2426 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2427 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2428 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2429 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2430 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2431 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2432 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2433 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2434 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2435 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2436 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2437 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2438 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2439 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2440 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2441 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2442 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2443 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2444 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2445 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2446 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2447 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2448 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2449 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2450 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2451 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2453 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2454 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2455 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2456 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2458 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2459 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2462 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2463 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2464 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2465 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2466 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2467 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2468 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2469 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2470 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2471 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2472 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2473 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2474 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2476 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2477 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2478 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2479 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2481 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2482 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2483 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2484 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2486 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2487 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2489 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2490 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2491 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2492 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2493 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2494 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2495 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2496 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2497 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2498 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2499 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2500 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2502 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2503 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2504 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2505 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2506 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2508 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2509 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2510 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2511 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2512 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2513 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2514 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2515 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2516 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2517 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2518 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2519 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2520 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2521 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2522 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2523 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2524 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2526 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2527 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2528 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2529 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2530 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2531 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2532 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2533 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2534 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2535 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2536 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2537 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2538 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2539 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2540 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2541 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2542 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2543 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2544 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2545 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2546 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2547 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2548 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2549 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2550 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2551 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2554 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2555 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2556 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2557 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2558 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2562 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2565 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2566 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2570 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2573 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2574 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2575 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2576 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2577 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2578 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2579 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2580 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2581 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2582 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2584 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2585 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2586 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2588 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2590 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2592 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2593 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2594 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2597 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2598 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2599 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2600 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2601 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2602 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2603 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2604 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2605 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2606 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2607 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2608 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2609 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2610 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2611 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2612 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2613 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2614 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2615 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2616 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2617 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2618 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2620 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2621 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2622 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2623 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2624 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2625 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2626 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2627 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2628 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2629 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2630 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2631 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2632 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2633 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2634 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2635 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2636 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2637 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2638 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2639 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2640 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2641 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2642 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2643 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2644 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2645 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2646 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2647 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2648 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2649 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2650 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2651 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2652 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2653 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2654 };
2655 unsigned char res[33][2][32] = {
2656 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2657 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2658 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2659 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2660 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2661 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2662 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2663 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2664 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2665 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2666 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2667 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2668 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2669 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2670 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2671 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2672 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2673 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2674 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2675 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2676 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2677 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2678 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2679 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2680 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2681 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2682 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2683 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2684 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2685 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2686 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2687 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2688 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2689 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2690 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2691 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2692 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2693 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2694 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2695 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2696 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2697 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2698 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2699 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2700 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2701 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2702 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2703 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2704 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2705 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2706 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2707 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2708 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2709 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2710 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2711 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2712 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2713 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2714 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2715 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2716 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2717 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2718 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2719 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2720 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2721 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2722 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2723 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2724 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2725 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2726 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2727 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2728 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2729 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2730 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2731 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2732 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2733 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2734 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2735 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2736 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2737 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2738 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2739 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2740 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2741 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2742 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2743 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2744 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2745 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2746 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2747 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2748 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2749 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2750 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2751 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2752 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2753 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2754 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2755 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2756 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2757 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2758 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2759 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2760 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2761 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2762 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2763 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2764 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2765 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2766 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2767 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2768 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2769 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2770 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2771 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2772 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2773 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2774 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2775 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2776 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2777 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2778 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2779 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2780 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2781 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2782 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2783 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2784 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2785 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2786 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2787 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2788 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2789 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2790 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2791 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2792 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2793 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2794 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2795 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2796 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2797 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2798 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2799 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2800 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2801 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2802 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2803 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2804 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2805 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2806 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2807 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2808 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2809 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2810 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2811 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2812 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2813 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2814 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2815 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2816 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2817 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2818 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2819 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2820 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2824 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2828 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2832 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2833 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2834 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2835 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2836 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2837 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2838 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2839 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2840 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2841 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2842 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2843 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2844 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2845 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2846 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2847 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2848 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2849 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2850 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2851 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2852 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2853 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2854 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2855 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2856 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2857 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2858 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2859 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2860 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2863 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2864 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2865 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2866 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2867 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2868 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2869 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2870 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2871 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2872 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2873 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2874 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2875 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2876 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2877 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2878 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2879 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2880 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2881 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2882 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2883 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2884 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2885 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2886 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2887 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2888 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2889 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2890 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2891 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2892 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2893 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2894 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2895 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2896 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2897 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2898 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2899 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2900 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2901 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2902 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2903 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2904 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2905 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2906 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2907 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2908 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2909 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2910 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2911 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2912 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2913 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2914 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2915 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2916 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2917 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2918 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2919 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2920 };
2921 for (i = 0; i < 33; i++) {
2922 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2923 CHECK(!overflow);
2924 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2925 CHECK(!overflow);
2926 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2927 CHECK(!overflow);
2928 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2929 CHECK(!overflow);
2930 secp256k1_scalar_mul(&z, &x, &y);
2931 CHECK(secp256k1_scalar_eq(&r1, &z));
2932 if (!secp256k1_scalar_is_zero(&y)) {
2933 secp256k1_scalar_inverse(&zz, &y);
2935 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2936 secp256k1_scalar_mul(&z, &z, &zz);
2937 CHECK(secp256k1_scalar_eq(&x, &z));
2938 secp256k1_scalar_mul(&zz, &zz, &y);
2940 }
2941 secp256k1_scalar_mul(&z, &x, &x);
2942 CHECK(secp256k1_scalar_eq(&r2, &z));
2943 }
2944 }
2945}
2946
2947/***** FIELD TESTS *****/
2948
2950 secp256k1_fe r;
2952 if (secp256k1_fe_sqrt(&r, ns)) {
2953 secp256k1_fe_negate(ns, ns, 1);
2954 }
2955}
2956
2957static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2958 secp256k1_fe an = *a;
2959 secp256k1_fe bn = *b;
2961 return secp256k1_fe_equal(&an, &bn);
2962}
2963
2964static void run_field_convert(void) {
2965 static const unsigned char b32[32] = {
2966 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2967 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2968 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2969 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2970 };
2972 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2973 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2974 );
2975 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2976 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2977 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2978 );
2979 secp256k1_fe fe2;
2980 unsigned char b322[32];
2982 /* Check conversions to fe. */
2984 CHECK(secp256k1_fe_equal(&fe, &fe2));
2985 secp256k1_fe_from_storage(&fe2, &fes);
2986 CHECK(secp256k1_fe_equal(&fe, &fe2));
2987 /* Check conversion from fe. */
2988 secp256k1_fe_get_b32(b322, &fe);
2989 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2990 secp256k1_fe_to_storage(&fes2, &fe);
2991 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2992}
2993
2994static void run_field_be32_overflow(void) {
2995 {
2996 static const unsigned char zero_overflow[32] = {
2997 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2998 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
2999 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3000 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3001 };
3002 static const unsigned char zero[32] = { 0x00 };
3003 unsigned char out[32];
3004 secp256k1_fe fe;
3005 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3006 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3009 CHECK(secp256k1_fe_is_zero(&fe) == 1);
3011 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3012 }
3013 {
3014 static const unsigned char one_overflow[32] = {
3015 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3016 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3017 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3018 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3019 };
3020 static const unsigned char one[32] = {
3021 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3022 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3023 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3024 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3025 };
3026 unsigned char out[32];
3027 secp256k1_fe fe;
3028 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3029 secp256k1_fe_set_b32_mod(&fe, one_overflow);
3033 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3034 }
3035 {
3036 static const unsigned char ff_overflow[32] = {
3037 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3038 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3039 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3040 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3041 };
3042 static const unsigned char ff[32] = {
3043 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3044 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3046 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3047 };
3048 unsigned char out[32];
3049 secp256k1_fe fe;
3050 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3051 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3052 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3054 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3056 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3057 }
3058}
3059
3060/* Returns true if two field elements have the same representation. */
3061static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3062 int ret = 1;
3063 /* Compare the struct member that holds the limbs. */
3064 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3065 return ret;
3066}
3067
3068static void run_field_half(void) {
3069 secp256k1_fe t, u;
3070 int m;
3071
3072 /* Check magnitude 0 input */
3075#ifdef VERIFY
3076 CHECK(t.magnitude == 1);
3077 CHECK(t.normalized == 0);
3078#endif
3080
3081 /* Check non-zero magnitudes in the supported range */
3082 for (m = 1; m < 32; m++) {
3083 /* Check max-value input */
3085
3086 u = t;
3088#ifdef VERIFY
3089 CHECK(u.magnitude == (m >> 1) + 1);
3090 CHECK(u.normalized == 0);
3091#endif
3093 secp256k1_fe_add(&u, &u);
3094 CHECK(fe_equal(&t, &u));
3095
3096 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3097 * which will also cause all carries to be 1, since all limbs that can
3098 * generate a carry are initially even and all limbs of P are odd in
3099 * every existing field implementation. */
3101 CHECK(t.n[0] > 0);
3102 CHECK((t.n[0] & 1) == 0);
3103 --t.n[0];
3104
3105 u = t;
3107#ifdef VERIFY
3108 CHECK(u.magnitude == (m >> 1) + 1);
3109 CHECK(u.normalized == 0);
3110#endif
3112 secp256k1_fe_add(&u, &u);
3113 CHECK(fe_equal(&t, &u));
3114 }
3115}
3116
3117static void run_field_misc(void) {
3118 secp256k1_fe x;
3119 secp256k1_fe y;
3120 secp256k1_fe z;
3121 secp256k1_fe q;
3122 int v;
3123 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3124 int i, j;
3125 for (i = 0; i < 1000 * COUNT; i++) {
3126 secp256k1_fe_storage xs, ys, zs;
3127 if (i & 1) {
3128 random_fe(&x);
3129 } else {
3130 random_fe_test(&x);
3131 }
3134 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3135 secp256k1_fe_set_int(&q, v); /* q = v */
3136 z = x; /* z = x */
3137 secp256k1_fe_add(&z, &q); /* z = x+v */
3138 q = x; /* q = x */
3139 secp256k1_fe_add_int(&q, v); /* q = x+v */
3140 CHECK(fe_equal(&q, &z));
3141 /* Test the fe equality and comparison operations. */
3142 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3143 CHECK(secp256k1_fe_equal(&x, &x));
3144 z = x;
3145 secp256k1_fe_add(&z,&y);
3146 /* Test fe conditional move; z is not normalized here. */
3147 q = x;
3148 secp256k1_fe_cmov(&x, &z, 0);
3149#ifdef VERIFY
3150 CHECK(!x.normalized);
3151 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3152 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3153#endif
3154 x = q;
3155 secp256k1_fe_cmov(&x, &x, 1);
3156 CHECK(!fe_identical(&x, &z));
3157 CHECK(fe_identical(&x, &q));
3158 secp256k1_fe_cmov(&q, &z, 1);
3159#ifdef VERIFY
3160 CHECK(!q.normalized);
3161 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3162 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3163#endif
3164 CHECK(fe_identical(&q, &z));
3165 q = z;
3168 CHECK(!secp256k1_fe_equal(&x, &z));
3170 secp256k1_fe_cmov(&q, &z, (i&1));
3171#ifdef VERIFY
3172 CHECK(q.normalized && q.magnitude == 1);
3173#endif
3174 for (j = 0; j < 6; j++) {
3175 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3177 secp256k1_fe_cmov(&q, &z, (j&1));
3178#ifdef VERIFY
3179 CHECK(!q.normalized && q.magnitude == z.magnitude);
3180#endif
3181 }
3183 /* Test storage conversion and conditional moves. */
3184 secp256k1_fe_to_storage(&xs, &x);
3185 secp256k1_fe_to_storage(&ys, &y);
3186 secp256k1_fe_to_storage(&zs, &z);
3187 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3188 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3189 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3190 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3191 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3195 /* Test that mul_int, mul, and add agree. */
3196 secp256k1_fe_add(&y, &x);
3197 secp256k1_fe_add(&y, &x);
3198 z = x;
3199 secp256k1_fe_mul_int(&z, 3);
3200 CHECK(fe_equal(&y, &z));
3201 secp256k1_fe_add(&y, &x);
3202 secp256k1_fe_add(&z, &x);
3203 CHECK(fe_equal(&z, &y));
3204 z = x;
3205 secp256k1_fe_mul_int(&z, 5);
3206 secp256k1_fe_mul(&q, &x, &fe5);
3207 CHECK(fe_equal(&z, &q));
3208 secp256k1_fe_negate(&x, &x, 1);
3209 secp256k1_fe_add(&z, &x);
3210 secp256k1_fe_add(&q, &x);
3211 CHECK(fe_equal(&y, &z));
3212 CHECK(fe_equal(&q, &y));
3213 /* Check secp256k1_fe_half. */
3214 z = x;
3216 secp256k1_fe_add(&z, &z);
3217 CHECK(fe_equal(&x, &z));
3218 secp256k1_fe_add(&z, &z);
3220 CHECK(fe_equal(&x, &z));
3221 }
3222}
3223
3224static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3225{
3226 secp256k1_fe c, an, bn;
3227 /* Variables in BE 32-byte format. */
3228 unsigned char a32[32], b32[32], c32[32];
3229 /* Variables in LE 16x uint16_t format. */
3230 uint16_t a16[16], b16[16], c16[16];
3231 /* Field modulus in LE 16x uint16_t format. */
3232 static const uint16_t m16[16] = {
3233 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3234 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3235 };
3236 uint16_t t16[32];
3237 int i;
3238
3239 /* Compute C = A * B in fe format. */
3240 c = *a;
3241 if (use_sqr) {
3242 secp256k1_fe_sqr(&c, &c);
3243 } else {
3244 secp256k1_fe_mul(&c, &c, b);
3245 }
3246
3247 /* Convert A, B, C into LE 16x uint16_t format. */
3248 an = *a;
3249 bn = *b;
3253 secp256k1_fe_get_b32(a32, &an);
3254 secp256k1_fe_get_b32(b32, &bn);
3255 secp256k1_fe_get_b32(c32, &c);
3256 for (i = 0; i < 16; ++i) {
3257 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3258 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3259 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3260 }
3261 /* Compute T = A * B in LE 16x uint16_t format. */
3262 mulmod256(t16, a16, b16, m16);
3263 /* Compare */
3264 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3265}
3266
3267static void run_fe_mul(void) {
3268 int i;
3269 for (i = 0; i < 100 * COUNT; ++i) {
3270 secp256k1_fe a, b, c, d;
3271 random_fe(&a);
3273 random_fe(&b);
3275 random_fe_test(&c);
3277 random_fe_test(&d);
3279 test_fe_mul(&a, &a, 1);
3280 test_fe_mul(&c, &c, 1);
3281 test_fe_mul(&a, &b, 0);
3282 test_fe_mul(&a, &c, 0);
3283 test_fe_mul(&c, &b, 0);
3284 test_fe_mul(&c, &d, 0);
3285 }
3286}
3287
3288static void run_sqr(void) {
3289 secp256k1_fe x, s;
3290
3291 {
3292 int i;
3293 secp256k1_fe_set_int(&x, 1);
3294 secp256k1_fe_negate(&x, &x, 1);
3295
3296 for (i = 1; i <= 512; ++i) {
3297 secp256k1_fe_mul_int(&x, 2);
3299 secp256k1_fe_sqr(&s, &x);
3300 }
3301 }
3302}
3303
3304static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3305 secp256k1_fe r1, r2;
3306 int v = secp256k1_fe_sqrt(&r1, a);
3307 CHECK((v == 0) == (k == NULL));
3308
3309 if (k != NULL) {
3310 /* Check that the returned root is +/- the given known answer */
3311 secp256k1_fe_negate(&r2, &r1, 1);
3312 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3315 }
3316}
3317
3318static void run_sqrt(void) {
3319 secp256k1_fe ns, x, s, t;
3320 int i;
3321
3322 /* Check sqrt(0) is 0 */
3323 secp256k1_fe_set_int(&x, 0);
3324 secp256k1_fe_sqr(&s, &x);
3325 test_sqrt(&s, &x);
3326
3327 /* Check sqrt of small squares (and their negatives) */
3328 for (i = 1; i <= 100; i++) {
3329 secp256k1_fe_set_int(&x, i);
3330 secp256k1_fe_sqr(&s, &x);
3331 test_sqrt(&s, &x);
3332 secp256k1_fe_negate(&t, &s, 1);
3333 test_sqrt(&t, NULL);
3334 }
3335
3336 /* Consistency checks for large random values */
3337 for (i = 0; i < 10; i++) {
3338 int j;
3340 for (j = 0; j < COUNT; j++) {
3341 random_fe(&x);
3342 secp256k1_fe_sqr(&s, &x);
3344 test_sqrt(&s, &x);
3345 secp256k1_fe_negate(&t, &s, 1);
3347 test_sqrt(&t, NULL);
3348 secp256k1_fe_mul(&t, &s, &ns);
3349 test_sqrt(&t, NULL);
3350 }
3351 }
3352}
3353
3354/***** FIELD/SCALAR INVERSE TESTS *****/
3355
3357 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3358 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3359);
3360
3362 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3363 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3364);
3365
3366/* These tests test the following identities:
3367 *
3368 * for x==0: 1/x == 0
3369 * for x!=0: x*(1/x) == 1
3370 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3371 */
3372
3374{
3375 secp256k1_scalar l, r, t;
3376
3377 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3378 if (out) *out = l;
3379 if (secp256k1_scalar_is_zero(x)) {
3381 return;
3382 }
3383 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3384 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3385 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3386 if (secp256k1_scalar_is_zero(&r)) return;
3387 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3388 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3389 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3390 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3391 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3392 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3393}
3394
3395static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3396{
3397 secp256k1_fe l, r, t;
3398
3399 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3400 if (out) *out = l;
3401 t = *x; /* t = x */
3404 return;
3405 }
3406 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3407 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3408 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3409 r = *x; /* r = x */
3410 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3412 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3413 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3414 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3415 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3416 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3418}
3419
3420static void run_inverse_tests(void)
3421{
3422 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3423 static const secp256k1_fe fe_cases[][2] = {
3424 /* 0 */
3425 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3426 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3427 /* 1 */
3428 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3429 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3430 /* -1 */
3431 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3432 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3433 /* 2 */
3434 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3435 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3436 /* 2**128 */
3437 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3438 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3439 /* Input known to need 637 divsteps */
3440 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3441 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3442 /* Input known to need 567 divsteps starting with delta=1/2. */
3443 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3444 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3445 /* Input known to need 566 divsteps starting with delta=1/2. */
3446 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3447 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3448 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3449 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3450 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3451 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3452 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3453 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3454 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3455 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3456 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3457 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3458 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3459 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3460 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3461 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3462 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3463 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3464 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3465 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3466 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3467 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3468 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3469 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3470 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3471 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3472 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3473 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3474 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3475 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3476 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3477 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3478 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3479 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3480 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3481 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3482 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3483 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3484 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3485 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3486 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3487 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3488 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3489 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3490 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3491 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3492 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3493 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3494 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3495 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3496 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3497 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3498 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3499 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3500 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3501 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3502 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3503 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3504 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3505 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3506 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3507 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3508 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3509 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3510 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3511 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3512 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3513 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3514 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3515 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3516 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3517 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3518 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3519 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3520 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3521 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3522 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3523 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3524 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3525 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3526 };
3527 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3528 static const secp256k1_scalar scalar_cases[][2] = {
3529 /* 0 */
3530 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3531 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3532 /* 1 */
3533 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3534 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3535 /* -1 */
3536 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3537 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3538 /* 2 */
3539 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3540 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3541 /* 2**128 */
3542 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3543 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3544 /* Input known to need 635 divsteps */
3545 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3546 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3547 /* Input known to need 566 divsteps starting with delta=1/2. */
3548 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3549 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3550 /* Input known to need 565 divsteps starting with delta=1/2. */
3551 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3552 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3553 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3554 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3555 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3556 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3557 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3558 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3559 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3560 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3561 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3562 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3563 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3564 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3565 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3566 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3567 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3568 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3569 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3570 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3571 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3572 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3573 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3574 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3575 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3576 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3577 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3578 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3579 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3580 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3581 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3582 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3583 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3584 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3585 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3586 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3587 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3588 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3589 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3590 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3591 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3592 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3593 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3594 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3595 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3596 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3597 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3598 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3599 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3600 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3601 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3602 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3603 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3604 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3605 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3606 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3607 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3608 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3609 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3610 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3611 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3612 };
3613 int i, var, testrand;
3614 unsigned char b32[32];
3615 secp256k1_fe x_fe;
3616 secp256k1_scalar x_scalar;
3617 memset(b32, 0, sizeof(b32));
3618 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3619 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3620 for (var = 0; var <= 1; ++var) {
3621 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3622 CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3623 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3624 CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3625 }
3626 }
3627 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3628 for (var = 0; var <= 1; ++var) {
3629 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3630 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3631 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3632 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3633 }
3634 }
3635 /* Test inputs 0..999 and their respective negations. */
3636 for (i = 0; i < 1000; ++i) {
3637 b32[31] = i & 0xff;
3638 b32[30] = (i >> 8) & 0xff;
3639 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3640 secp256k1_fe_set_b32_mod(&x_fe, b32);
3641 for (var = 0; var <= 1; ++var) {
3642 test_inverse_scalar(NULL, &x_scalar, var);
3643 test_inverse_field(NULL, &x_fe, var);
3644 }
3645 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3646 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3647 for (var = 0; var <= 1; ++var) {
3648 test_inverse_scalar(NULL, &x_scalar, var);
3649 test_inverse_field(NULL, &x_fe, var);
3650 }
3651 }
3652 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3653 for (testrand = 0; testrand <= 1; ++testrand) {
3654 for (i = 0; i < 64 * COUNT; ++i) {
3656 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3657 secp256k1_fe_set_b32_mod(&x_fe, b32);
3658 for (var = 0; var <= 1; ++var) {
3659 test_inverse_scalar(NULL, &x_scalar, var);
3660 test_inverse_field(NULL, &x_fe, var);
3661 }
3662 }
3663 }
3664}
3665
3666/***** GROUP TESTS *****/
3667
3668/* This compares jacobian points including their Z, not just their geometric meaning. */
3669static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3670 secp256k1_gej a2;
3671 secp256k1_gej b2;
3672 int ret = 1;
3673 ret &= a->infinity == b->infinity;
3674 if (ret && !a->infinity) {
3675 a2 = *a;
3676 b2 = *b;
3683 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3684 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3685 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3686 }
3687 return ret;
3688}
3689
3690static void test_ge(void) {
3691 int i, i1;
3692 int runs = 6;
3693 /* 25 points are used:
3694 * - infinity
3695 * - for each of four random points p1 p2 p3 p4, we add the point, its
3696 * negation, and then those two again but with randomized Z coordinate.
3697 * - The same is then done for lambda*p1 and lambda^2*p1.
3698 */
3699 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3700 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3701 secp256k1_fe zf, r;
3702 secp256k1_fe zfi2, zfi3;
3703
3705 secp256k1_ge_clear(&ge[0]);
3706 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3707 for (i = 0; i < runs; i++) {
3708 int j, k;
3709 secp256k1_ge g;
3711 if (i >= runs - 2) {
3712 secp256k1_ge_mul_lambda(&g, &ge[1]);
3713 CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3714 }
3715 if (i >= runs - 1) {
3717 }
3718 ge[1 + 4 * i] = g;
3719 ge[2 + 4 * i] = g;
3720 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3721 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3722 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3723 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3724 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3725 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3726 for (j = 0; j < 4; j++) {
3727 random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3728 random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3729 random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3730 random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3731 random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3732 }
3733
3734 for (j = 0; j < 4; ++j) {
3735 for (k = 0; k < 4; ++k) {
3736 int expect_equal = (j >> 1) == (k >> 1);
3737 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3738 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3739 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3740 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3741 }
3742 }
3743 }
3744
3745 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3748 secp256k1_fe_inv_var(&zfi3, &zf);
3749 secp256k1_fe_sqr(&zfi2, &zfi3);
3750 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3751
3752 /* Generate random r */
3754
3755 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3756 int i2;
3757 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3758 /* Compute reference result using gej + gej (var). */
3759 secp256k1_gej refj, resj;
3760 secp256k1_ge ref;
3761 secp256k1_fe zr;
3762 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3763 /* Check Z ratio. */
3764 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3765 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3766 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3767 }
3768 secp256k1_ge_set_gej_var(&ref, &refj);
3769
3770 /* Test gej + ge with Z ratio result (var). */
3771 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3772 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3773 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3774 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3775 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3776 }
3777
3778 /* Test gej + ge (var, with additional Z factor). */
3779 {
3780 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3781 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3782 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3783 random_ge_x_magnitude(&ge2_zfi);
3784 random_ge_y_magnitude(&ge2_zfi);
3785 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3786 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3787 }
3788
3789 /* Test gej + ge (const). */
3790 if (i2 != 0) {
3791 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3792 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3793 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3794 }
3795
3796 /* Test doubling (var). */
3797 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3798 secp256k1_fe zr2;
3799 /* Normal doubling with Z ratio result. */
3800 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3801 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3802 /* Check Z ratio. */
3803 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3804 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3805 /* Normal doubling. */
3806 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3807 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3808 /* Constant-time doubling. */
3809 secp256k1_gej_double(&resj, &gej[i2]);
3810 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3811 }
3812
3813 /* Test adding opposites. */
3814 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3816 }
3817
3818 /* Test adding infinity. */
3819 if (i1 == 0) {
3822 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
3823 }
3824 if (i2 == 0) {
3827 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
3828 }
3829 }
3830 }
3831
3832 /* Test adding all points together in random order equals infinity. */
3833 {
3835 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3836 for (i = 0; i < 4 * runs + 1; i++) {
3837 gej_shuffled[i] = gej[i];
3838 }
3839 for (i = 0; i < 4 * runs + 1; i++) {
3840 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3841 if (swap != i) {
3842 secp256k1_gej t = gej_shuffled[i];
3843 gej_shuffled[i] = gej_shuffled[swap];
3844 gej_shuffled[swap] = t;
3845 }
3846 }
3847 for (i = 0; i < 4 * runs + 1; i++) {
3848 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3849 }
3851 free(gej_shuffled);
3852 }
3853
3854 /* Test batch gej -> ge conversion without known z ratios. */
3855 {
3856 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3857 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3858 for (i = 0; i < 4 * runs + 1; i++) {
3859 secp256k1_fe s;
3861 secp256k1_gej_rescale(&gej[i], &s);
3862 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
3863 }
3864 free(ge_set_all);
3865 }
3866
3867 /* Test that all elements have X coordinates on the curve. */
3868 for (i = 1; i < 4 * runs + 1; i++) {
3869 secp256k1_fe n;
3871 /* And the same holds after random rescaling. */
3872 secp256k1_fe_mul(&n, &zf, &ge[i].x);
3874 }
3875
3876 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3877 {
3878 secp256k1_fe n;
3879 secp256k1_ge q;
3880 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3881 secp256k1_fe_mul(&n, &zf, &r);
3882 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3883 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3884 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3885 CHECK(ret_on_curve == ret_frac_on_curve);
3886 CHECK(ret_on_curve == ret_set_xo);
3887 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
3888 }
3889
3890 /* Test batch gej -> ge conversion with many infinities. */
3891 for (i = 0; i < 4 * runs + 1; i++) {
3892 int odd;
3894 odd = secp256k1_fe_is_odd(&ge[i].x);
3895 CHECK(odd == 0 || odd == 1);
3896 /* randomly set half the points to infinity */
3897 if (odd == i % 2) {
3899 }
3900 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3901 }
3902 /* batch convert */
3903 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3904 /* check result */
3905 for (i = 0; i < 4 * runs + 1; i++) {
3906 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
3907 }
3908
3909 /* Test batch gej -> ge conversion with all infinities. */
3910 for (i = 0; i < 4 * runs + 1; i++) {
3912 }
3913 /* batch convert */
3914 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3915 /* check result */
3916 for (i = 0; i < 4 * runs + 1; i++) {
3918 }
3919
3920 free(ge);
3921 free(gej);
3922}
3923
3924static void test_intialized_inf(void) {
3925 secp256k1_ge p;
3926 secp256k1_gej pj, npj, infj1, infj2, infj3;
3927 secp256k1_fe zinv;
3928
3929 /* Test that adding P+(-P) results in a fully initialized infinity*/
3931 secp256k1_gej_set_ge(&pj, &p);
3932 secp256k1_gej_neg(&npj, &pj);
3933
3934 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3936 CHECK(secp256k1_fe_is_zero(&infj1.x));
3937 CHECK(secp256k1_fe_is_zero(&infj1.y));
3938 CHECK(secp256k1_fe_is_zero(&infj1.z));
3939
3940 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3942 CHECK(secp256k1_fe_is_zero(&infj2.x));
3943 CHECK(secp256k1_fe_is_zero(&infj2.y));
3944 CHECK(secp256k1_fe_is_zero(&infj2.z));
3945
3946 secp256k1_fe_set_int(&zinv, 1);
3947 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3949 CHECK(secp256k1_fe_is_zero(&infj3.x));
3950 CHECK(secp256k1_fe_is_zero(&infj3.y));
3951 CHECK(secp256k1_fe_is_zero(&infj3.z));
3952
3953
3954}
3955
3956static void test_add_neg_y_diff_x(void) {
3957 /* The point of this test is to check that we can add two points
3958 * whose y-coordinates are negatives of each other but whose x
3959 * coordinates differ. If the x-coordinates were the same, these
3960 * points would be negatives of each other and their sum is
3961 * infinity. This is cool because it "covers up" any degeneracy
3962 * in the addition algorithm that would cause the xy coordinates
3963 * of the sum to be wrong (since infinity has no xy coordinates).
3964 * HOWEVER, if the x-coordinates are different, infinity is the
3965 * wrong answer, and such degeneracies are exposed. This is the
3966 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3967 * which this test is a regression test for.
3968 *
3969 * These points were generated in sage as
3970 *
3971 * load("secp256k1_params.sage")
3972 *
3973 * # random "bad pair"
3974 * P = C.random_element()
3975 * Q = -int(LAMBDA) * P
3976 * print(" P: %x %x" % P.xy())
3977 * print(" Q: %x %x" % Q.xy())
3978 * print("P + Q: %x %x" % (P + Q).xy())
3979 */
3981 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3982 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3983 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3984 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3985 );
3987 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3988 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3989 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3990 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3991 );
3993 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3994 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3995 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3996 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3997 );
3998 secp256k1_ge b;
3999 secp256k1_gej resj;
4000 secp256k1_ge res;
4001 secp256k1_ge_set_gej(&b, &bj);
4002
4003 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4004 secp256k1_ge_set_gej(&res, &resj);
4005 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4006
4007 secp256k1_gej_add_ge(&resj, &aj, &b);
4008 secp256k1_ge_set_gej(&res, &resj);
4009 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4010
4011 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4012 secp256k1_ge_set_gej(&res, &resj);
4013 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4014}
4015
4016static void run_ge(void) {
4017 int i;
4018 for (i = 0; i < COUNT * 32; i++) {
4019 test_ge();
4020 }
4023}
4024
4025static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4026 secp256k1_gej t = *a;
4027 secp256k1_gej_cmov(&t, b, 0);
4028 CHECK(gej_xyz_equals_gej(&t, a));
4029 secp256k1_gej_cmov(&t, b, 1);
4030 CHECK(gej_xyz_equals_gej(&t, b));
4031}
4032
4033static void run_gej(void) {
4034 int i;
4035 secp256k1_gej a, b;
4036
4037 /* Tests for secp256k1_gej_cmov */
4038 for (i = 0; i < COUNT; i++) {
4041 test_gej_cmov(&a, &b);
4042
4043 random_gej_test(&a);
4044 test_gej_cmov(&a, &b);
4045 test_gej_cmov(&b, &a);
4046
4047 b = a;
4048 test_gej_cmov(&a, &b);
4049
4050 random_gej_test(&b);
4051 test_gej_cmov(&a, &b);
4052 test_gej_cmov(&b, &a);
4053 }
4054
4055 /* Tests for secp256k1_gej_eq_var */
4056 for (i = 0; i < COUNT; i++) {
4057 secp256k1_fe fe;
4058 random_gej_test(&a);
4059 random_gej_test(&b);
4060 CHECK(!secp256k1_gej_eq_var(&a, &b));
4061
4062 b = a;
4064 secp256k1_gej_rescale(&a, &fe);
4065 CHECK(secp256k1_gej_eq_var(&a, &b));
4066 }
4067}
4068
4069static void test_ec_combine(void) {
4071 secp256k1_pubkey data[6];
4072 const secp256k1_pubkey* d[6];
4074 secp256k1_pubkey sd2;
4075 secp256k1_gej Qj;
4076 secp256k1_ge Q;
4077 int i;
4078 for (i = 1; i <= 6; i++) {
4083 secp256k1_ge_set_gej(&Q, &Qj);
4084 secp256k1_pubkey_save(&data[i - 1], &Q);
4085 d[i - 1] = &data[i - 1];
4087 secp256k1_ge_set_gej(&Q, &Qj);
4088 secp256k1_pubkey_save(&sd, &Q);
4089 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4090 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4091 }
4092}
4093
4094static void run_ec_combine(void) {
4095 int i;
4096 for (i = 0; i < COUNT * 8; i++) {
4098 }
4099}
4100
4102 /* The input itself, normalized. */
4103 secp256k1_fe fex = *x;
4104 secp256k1_fe fez;
4105 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
4106 secp256k1_ge ge_quad, ge_even, ge_odd;
4107 secp256k1_gej gej_quad;
4108 /* Return values of the above calls. */
4109 int res_quad, res_even, res_odd;
4110
4112
4113 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
4114 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4115 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4116
4117 CHECK(res_quad == res_even);
4118 CHECK(res_quad == res_odd);
4119
4120 if (res_quad) {
4121 secp256k1_fe_normalize_var(&ge_quad.x);
4123 secp256k1_fe_normalize_var(&ge_even.x);
4124 secp256k1_fe_normalize_var(&ge_quad.y);
4126 secp256k1_fe_normalize_var(&ge_even.y);
4127
4128 /* No infinity allowed. */
4129 CHECK(!ge_quad.infinity);
4130 CHECK(!ge_even.infinity);
4131 CHECK(!ge_odd.infinity);
4132
4133 /* Check that the x coordinates check out. */
4134 CHECK(secp256k1_fe_equal(&ge_quad.x, x));
4135 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4136 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4137
4138 /* Check that the Y coordinate result in ge_quad is a square. */
4139 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
4140
4141 /* Check odd/even Y in ge_odd, ge_even. */
4142 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4143 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4144
4145 /* Check secp256k1_gej_has_quad_y_var. */
4146 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
4148 do {
4149 random_fe_test(&fez);
4150 } while (secp256k1_fe_is_zero(&fez));
4151 secp256k1_gej_rescale(&gej_quad, &fez);
4153 secp256k1_gej_neg(&gej_quad, &gej_quad);
4155 do {
4156 random_fe_test(&fez);
4157 } while (secp256k1_fe_is_zero(&fez));
4158 secp256k1_gej_rescale(&gej_quad, &fez);
4160 secp256k1_gej_neg(&gej_quad, &gej_quad);
4162 }
4163}
4164
4165static void run_group_decompress(void) {
4166 int i;
4167 for (i = 0; i < COUNT * 4; i++) {
4168 secp256k1_fe fe;
4169 random_fe_test(&fe);
4171 }
4172}
4173
4174/***** ECMULT TESTS *****/
4175
4176static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4177 /* Tests the pre_g / pre_g_128 tables for consistency.
4178 * For independent verification we take a "geometric" approach to verification.
4179 * We check that every entry is on-curve.
4180 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4181 * (1) p, gg, and -q are colinear.
4182 * (2) p, gg, and -q are all distinct.
4183 * where gg is twice the generator, where the generator is the first table entry.
4184 *
4185 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4186 */
4187 secp256k1_gej g2;
4188 secp256k1_ge p, q, gg;
4189 secp256k1_fe dpx, dpy, dqx, dqy;
4190 size_t i;
4191
4192 CHECK(0 < n);
4193
4194 secp256k1_ge_from_storage(&p, &pre_g[0]);
4196
4197 secp256k1_gej_set_ge(&g2, &p);
4198 secp256k1_gej_double_var(&g2, &g2, NULL);
4199 secp256k1_ge_set_gej_var(&gg, &g2);
4200 for (i = 1; i < n; ++i) {
4201 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4202 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4203 /* Check that p is not equal to gg */
4205
4206 secp256k1_ge_from_storage(&q, &pre_g[i]);
4208
4209 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4210 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4211 /* Check that -q is not equal to gg */
4213
4214 /* Check that -q is not equal to p */
4215 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4216
4217 /* Check that p, -q and gg are colinear */
4218 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4219 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4220 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4221
4222 p = q;
4223 }
4224}
4225
4226static void run_ecmult_pre_g(void) {
4228 secp256k1_gej gj;
4229 secp256k1_ge g;
4230 size_t i;
4231
4232 /* Check that the pre_g and pre_g_128 tables are consistent. */
4235
4236 /* Check the first entry from the pre_g table. */
4238 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4239
4240 /* Check the first entry from the pre_g_128 table. */
4242 for (i = 0; i < 128; ++i) {
4243 secp256k1_gej_double_var(&gj, &gj, NULL);
4244 }
4245 secp256k1_ge_set_gej(&g, &gj);
4246 secp256k1_ge_to_storage(&gs, &g);
4247 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4248}
4249
4250static void run_ecmult_chain(void) {
4251 /* random starting point A (on the curve) */
4253 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4254 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4255 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4256 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4257 );
4258 /* two random initial factors xn and gn */
4260 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4261 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4262 );
4264 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4265 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4266 );
4267 /* two small multipliers to be applied to xn and gn in every iteration: */
4268 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4269 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4270 /* accumulators with the resulting coefficients to A and G */
4273 /* actual points */
4274 secp256k1_gej x;
4275 secp256k1_gej x2;
4276 int i;
4277
4278 /* the point being computed */
4279 x = a;
4280 for (i = 0; i < 200*COUNT; i++) {
4281 /* in each iteration, compute X = xn*X + gn*G; */
4282 secp256k1_ecmult(&x, &x, &xn, &gn);
4283 /* also compute ae and ge: the actual accumulated factors for A and G */
4284 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4285 secp256k1_scalar_mul(&ae, &ae, &xn);
4286 secp256k1_scalar_mul(&ge, &ge, &xn);
4287 secp256k1_scalar_add(&ge, &ge, &gn);
4288 /* modify xn and gn */
4289 secp256k1_scalar_mul(&xn, &xn, &xf);
4290 secp256k1_scalar_mul(&gn, &gn, &gf);
4291
4292 /* verify */
4293 if (i == 19999) {
4294 /* expected result after 19999 iterations */
4296 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4297 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4298 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4299 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4300 );
4301 CHECK(secp256k1_gej_eq_var(&rp, &x));
4302 }
4303 }
4304 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4305 secp256k1_ecmult(&x2, &a, &ae, &ge);
4306 CHECK(secp256k1_gej_eq_var(&x, &x2));
4307}
4308
4309static void test_point_times_order(const secp256k1_gej *point) {
4310 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4313 secp256k1_gej res1, res2;
4314 secp256k1_ge res3;
4315 unsigned char pub[65];
4316 size_t psize = 65;
4318 secp256k1_scalar_negate(&nx, &x);
4319 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4320 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4321 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4323 secp256k1_ge_set_gej(&res3, &res1);
4325 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4326 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4327 psize = 65;
4328 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4329 /* check zero/one edge cases */
4331 secp256k1_ge_set_gej(&res3, &res1);
4334 secp256k1_ge_set_gej(&res3, &res1);
4335 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4337 secp256k1_ge_set_gej(&res3, &res1);
4339}
4340
4341/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4342 *
4343 * They are computed as:
4344 * - For a in [-2, -1, 0, 1, 2]:
4345 * - For b in [-3, -1, 1, 3]:
4346 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4347 */
4349 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4350 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4351 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4352 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4353 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4354 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4355 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4356 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4357 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4358 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4359 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4360 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4361 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4362 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4363 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4364 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4365 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4366 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4367 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4368 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4369};
4370
4371static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4372 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4373 secp256k1_scalar n1, n2;
4374 secp256k1_ge p;
4375 secp256k1_gej pj, p1j, p2j, ptj;
4376
4377 /* Generate random n1,n2 such that n1+n2 = -target. */
4379 secp256k1_scalar_add(&n2, &n1, target);
4380 secp256k1_scalar_negate(&n2, &n2);
4381
4382 /* Generate a random input point. */
4383 if (mode != 0) {
4385 secp256k1_gej_set_ge(&pj, &p);
4386 }
4387
4388 /* EC multiplications */
4389 if (mode == 0) {
4392 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4393 } else if (mode == 1) {
4394 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4395 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4396 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4397 } else {
4398 secp256k1_ecmult_const(&p1j, &p, &n1);
4399 secp256k1_ecmult_const(&p2j, &p, &n2);
4400 secp256k1_ecmult_const(&ptj, &p, target);
4401 }
4402
4403 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4404 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4405 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4407}
4408
4410 int i;
4411 unsigned j;
4412 for (i = 0; i < 4*COUNT; ++i) {
4413 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4417 }
4418 }
4419}
4420
4421static void run_point_times_order(void) {
4422 int i;
4423 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4424 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4425 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4426 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4427 );
4428 for (i = 0; i < 500; i++) {
4429 secp256k1_ge p;
4430 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4431 secp256k1_gej j;
4433 secp256k1_gej_set_ge(&j, &p);
4435 }
4436 secp256k1_fe_sqr(&x, &x);
4437 }
4439 CHECK(secp256k1_fe_equal(&x, &xr));
4440}
4441
4442static void ecmult_const_random_mult(void) {
4443 /* random starting point A (on the curve) */
4445 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4446 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4447 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4448 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4449 );
4450 /* random initial factor xn */
4452 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4453 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4454 );
4455 /* expected xn * A (from sage) */
4456 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4457 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4458 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4459 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4460 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4461 );
4462 secp256k1_gej b;
4463 secp256k1_ecmult_const(&b, &a, &xn);
4464
4466 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4467}
4468
4472 secp256k1_gej res1;
4473 secp256k1_gej res2;
4474 secp256k1_ge mid1;
4475 secp256k1_ge mid2;
4478
4481 secp256k1_ge_set_gej(&mid1, &res1);
4482 secp256k1_ge_set_gej(&mid2, &res2);
4483 secp256k1_ecmult_const(&res1, &mid1, &b);
4484 secp256k1_ecmult_const(&res2, &mid2, &a);
4485 secp256k1_ge_set_gej(&mid1, &res1);
4486 secp256k1_ge_set_gej(&mid2, &res2);
4487 CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4488}
4489
4492 secp256k1_scalar negone;
4493 secp256k1_gej res1;
4494 secp256k1_ge res2;
4495 secp256k1_ge point;
4496 secp256k1_ge inf;
4497
4502
4503 /* 0*point */
4506
4507 /* s*inf */
4508 secp256k1_ecmult_const(&res1, &inf, &s);
4510
4511 /* 1*point */
4513 secp256k1_ge_set_gej(&res2, &res1);
4514 CHECK(secp256k1_ge_eq_var(&res2, &point));
4515
4516 /* -1*point */
4517 secp256k1_ecmult_const(&res1, &point, &negone);
4518 secp256k1_gej_neg(&res1, &res1);
4519 secp256k1_ge_set_gej(&res2, &res1);
4520 CHECK(secp256k1_ge_eq_var(&res2, &point));
4521}
4522
4523static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4524 secp256k1_gej pointj, res2j;
4525 secp256k1_ge res2;
4526 secp256k1_gej_set_ge(&pointj, A);
4527 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4528 secp256k1_ge_set_gej(&res2, &res2j);
4529 CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4530}
4531
4532static void ecmult_const_edges(void) {
4534 secp256k1_ge point;
4535 secp256k1_gej res;
4536 size_t i;
4537 size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]);
4538
4539 /* We are trying to reach the following edge cases (variables are defined as
4540 * in ecmult_const_impl.h):
4541 * 1. i = 0: s = 0 <=> q = -K
4542 * 2. i > 0: v1, v2 large values
4543 * <=> s1, s2 large values
4544 * <=> s = scalars_near_split_bounds[i]
4545 * <=> q = 2*scalars_near_split_bounds[i] - K
4546 */
4547 for (i = 0; i < cases; ++i) {
4549 if (i > 0) {
4552 }
4554 secp256k1_ecmult_const(&res, &point, &q);
4555 ecmult_const_check_result(&point, &q, &res);
4556 }
4557}
4558
4559static void ecmult_const_mult_xonly(void) {
4560 int i;
4561
4562 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4563 for (i = 0; i < 2*COUNT; ++i) {
4564 secp256k1_ge base;
4565 secp256k1_gej basej, resj;
4566 secp256k1_fe n, d, resx, v;
4568 int res;
4569 /* Random base point. */
4571 /* Random scalar to multiply it with. */
4573 /* If i is odd, n=d*base.x for random non-zero d */
4574 if (i & 1) {
4576 secp256k1_fe_mul(&n, &base.x, &d);
4577 } else {
4578 n = base.x;
4579 }
4580 /* Perform x-only multiplication. */
4581 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4582 CHECK(res);
4583 /* Perform normal multiplication. */
4584 secp256k1_gej_set_ge(&basej, &base);
4585 secp256k1_ecmult(&resj, &basej, &q, NULL);
4586 /* Check that resj's X coordinate corresponds with resx. */
4587 secp256k1_fe_sqr(&v, &resj.z);
4588 secp256k1_fe_mul(&v, &v, &resx);
4589 CHECK(fe_equal(&v, &resj.x));
4590 }
4591
4592 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4593 for (i = 0; i < 2*COUNT; ++i) {
4594 secp256k1_fe x, n, d, r;
4595 int res;
4598 /* Generate random X coordinate not on the curve. */
4599 do {
4600 random_fe_test(&x);
4601 } while (secp256k1_ge_x_on_curve_var(&x));
4602 /* If i is odd, n=d*x for random non-zero d. */
4603 if (i & 1) {
4605 secp256k1_fe_mul(&n, &x, &d);
4606 } else {
4607 n = x;
4608 }
4609 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4610 CHECK(res == 0);
4611 }
4612}
4613
4615 /* Check known result (randomly generated test problem from sage) */
4617 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4618 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4619 );
4620 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4621 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4622 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4623 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4624 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4625 );
4626 secp256k1_gej point;
4627 secp256k1_ge res;
4628 int i;
4629
4631 for (i = 0; i < 100; ++i) {
4632 secp256k1_ge tmp;
4633 secp256k1_ge_set_gej(&tmp, &point);
4634 secp256k1_ecmult_const(&point, &tmp, &scalar);
4635 }
4636 secp256k1_ge_set_gej(&res, &point);
4637 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4638}
4639
4640static void run_ecmult_const_tests(void) {
4647}
4648
4649typedef struct {
4653
4654static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4655 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4656 *sc = data->sc[idx];
4657 *pt = data->pt[idx];
4658 return 1;
4659}
4660
4661static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4662 (void)sc;
4663 (void)pt;
4664 (void)idx;
4665 (void)cbdata;
4666 return 0;
4667}
4668
4670 int ncount;
4671 secp256k1_scalar sc[32];
4672 secp256k1_ge pt[32];
4673 secp256k1_gej r;
4674 secp256k1_gej r2;
4675 ecmult_multi_data data;
4676
4677 data.sc = sc;
4678 data.pt = pt;
4679
4680 /* No points to multiply */
4681 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4682
4683 /* Check 1- and 2-point multiplies against ecmult */
4684 for (ncount = 0; ncount < COUNT; ncount++) {
4685 secp256k1_ge ptg;
4686 secp256k1_gej ptgj;
4687 random_scalar_order(&sc[0]);
4688 random_scalar_order(&sc[1]);
4689
4691 secp256k1_gej_set_ge(&ptgj, &ptg);
4692 pt[0] = ptg;
4693 pt[1] = secp256k1_ge_const_g;
4694
4695 /* only G scalar */
4696 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4697 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4698 CHECK(secp256k1_gej_eq_var(&r, &r2));
4699
4700 /* 1-point */
4701 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4702 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4703 CHECK(secp256k1_gej_eq_var(&r, &r2));
4704
4705 /* Try to multiply 1 point, but callback returns false */
4706 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4707
4708 /* 2-point */
4709 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4710 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4711 CHECK(secp256k1_gej_eq_var(&r, &r2));
4712
4713 /* 2-point with G scalar */
4714 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4715 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4716 CHECK(secp256k1_gej_eq_var(&r, &r2));
4717 }
4718
4719 /* Check infinite outputs of various forms */
4720 for (ncount = 0; ncount < COUNT; ncount++) {
4721 secp256k1_ge ptg;
4722 size_t i, j;
4723 size_t sizes[] = { 2, 10, 32 };
4724
4725 for (j = 0; j < 3; j++) {
4726 for (i = 0; i < 32; i++) {
4727 random_scalar_order(&sc[i]);
4729 }
4730 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4732 }
4733
4734 for (j = 0; j < 3; j++) {
4735 for (i = 0; i < 32; i++) {
4737 pt[i] = ptg;
4738 secp256k1_scalar_set_int(&sc[i], 0);
4739 }
4740 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4742 }
4743
4744 for (j = 0; j < 3; j++) {
4746 for (i = 0; i < 16; i++) {
4747 random_scalar_order(&sc[2*i]);
4748 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4749 pt[2 * i] = ptg;
4750 pt[2 * i + 1] = ptg;
4751 }
4752
4753 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4755
4756 random_scalar_order(&sc[0]);
4757 for (i = 0; i < 16; i++) {
4759
4760 sc[2*i] = sc[0];
4761 sc[2*i+1] = sc[0];
4762 pt[2 * i] = ptg;
4763 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4764 }
4765
4766 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4768 }
4769
4771 secp256k1_scalar_set_int(&sc[0], 0);
4772 pt[0] = ptg;
4773 for (i = 1; i < 32; i++) {
4774 pt[i] = ptg;
4775
4776 random_scalar_order(&sc[i]);
4777 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4778 secp256k1_scalar_negate(&sc[i], &sc[i]);
4779 }
4780
4781 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4783 }
4784
4785 /* Check random points, constant scalar */
4786 for (ncount = 0; ncount < COUNT; ncount++) {
4787 size_t i;
4789
4790 random_scalar_order(&sc[0]);
4791 for (i = 0; i < 20; i++) {
4792 secp256k1_ge ptg;
4793 sc[i] = sc[0];
4795 pt[i] = ptg;
4796 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4797 }
4798
4799 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4800 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4801 CHECK(secp256k1_gej_eq_var(&r, &r2));
4802 }
4803
4804 /* Check random scalars, constant point */
4805 for (ncount = 0; ncount < COUNT; ncount++) {
4806 size_t i;
4807 secp256k1_ge ptg;
4808 secp256k1_gej p0j;
4811
4813 for (i = 0; i < 20; i++) {
4814 random_scalar_order(&sc[i]);
4815 pt[i] = ptg;
4816 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4817 }
4818
4819 secp256k1_gej_set_ge(&p0j, &pt[0]);
4820 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4821 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4822 CHECK(secp256k1_gej_eq_var(&r, &r2));
4823 }
4824
4825 /* Sanity check that zero scalars don't cause problems */
4826 for (ncount = 0; ncount < 20; ncount++) {
4827 random_scalar_order(&sc[ncount]);
4828 random_group_element_test(&pt[ncount]);
4829 }
4830 secp256k1_scalar_clear(&sc[0]);
4831 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4832 secp256k1_scalar_clear(&sc[1]);
4833 secp256k1_scalar_clear(&sc[2]);
4834 secp256k1_scalar_clear(&sc[3]);
4835 secp256k1_scalar_clear(&sc[4]);
4836 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4837 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4839
4840 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4841 {
4842 const size_t TOP = 8;
4843 size_t s0i, s1i;
4844 size_t t0i, t1i;
4845 secp256k1_ge ptg;
4846 secp256k1_gej ptgj;
4847
4849 secp256k1_gej_set_ge(&ptgj, &ptg);
4850
4851 for(t0i = 0; t0i < TOP; t0i++) {
4852 for(t1i = 0; t1i < TOP; t1i++) {
4853 secp256k1_gej t0p, t1p;
4854 secp256k1_scalar t0, t1;
4855
4856 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4857 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4858 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4859 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4860
4861 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4862 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4863
4864 for(s0i = 0; s0i < TOP; s0i++) {
4865 for(s1i = 0; s1i < TOP; s1i++) {
4866 secp256k1_scalar tmp1, tmp2;
4867 secp256k1_gej expected, actual;
4868
4869 secp256k1_ge_set_gej(&pt[0], &t0p);
4870 secp256k1_ge_set_gej(&pt[1], &t1p);
4871
4872 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4873 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4874 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4875 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4876
4877 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4878 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4879 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4880
4881 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4882 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4883 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4884 }
4885 }
4886 }
4887 }
4888 }
4889}
4890
4892 /* Large random test for ecmult_multi_* functions which exercises:
4893 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4894 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4895 * - Including or excluding an nonzero a*G term (or such a term at all).
4896 * - Final expected result equal to infinity or not (roughly 50%).
4897 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4898 */
4899
4900 /* These 4 variables define the eventual input to the ecmult_multi function.
4901 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4902 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4903 * which form its normal inputs. */
4904 int filled = 0;
4906 secp256k1_scalar scalars[128];
4907 secp256k1_gej gejs[128];
4908 /* The expected result, and the computed result. */
4909 secp256k1_gej expected, computed;
4910 /* Temporaries. */
4911 secp256k1_scalar sc_tmp;
4912 secp256k1_ge ge_tmp;
4913 /* Variables needed for the actual input to ecmult_multi. */
4914 secp256k1_ge ges[128];
4915 ecmult_multi_data data;
4916
4917 int i;
4918 /* Which multiplication function to use */
4919 int fn = secp256k1_testrand_int(3);
4923 /* Simulate exponentially distributed num. */
4924 int num_bits = 2 + secp256k1_testrand_int(6);
4925 /* Number of (scalar, point) inputs (excluding g). */
4926 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4927 /* Number of those which are nonzero. */
4928 int num_nonzero = secp256k1_testrand_int(num + 1);
4929 /* Whether we're aiming to create an input with nonzero expected result. */
4930 int nonzero_result = secp256k1_testrand_bits(1);
4931 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4932 * is forced here based on num_nonzero and nonzero_result. */
4933 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4934 num_nonzero == 1 && !nonzero_result ? 1 :
4936 /* Which g_scalar pointer to pass into ecmult_multi(). */
4937 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4938 /* How many EC multiplications were performed in this function. */
4939 int mults = 0;
4940 /* How many randomization steps to apply to the input list. */
4941 int rands = (int)secp256k1_testrand_bits(3);
4942 if (rands > num_nonzero) rands = num_nonzero;
4943
4944 secp256k1_gej_set_infinity(&expected);
4946 secp256k1_scalar_set_int(&scalars[0], 0);
4947
4948 if (g_nonzero) {
4949 /* If g_nonzero, set g_scalar to nonzero value r. */
4950 random_scalar_order_test(&g_scalar);
4951 if (!nonzero_result) {
4952 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4953 CHECK(num_nonzero > filled);
4954 random_scalar_order_test(&sc_tmp);
4955 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4956 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4957 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4958 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4959 ++filled;
4960 ++mults;
4961 }
4962 }
4963
4964 if (nonzero_result && filled < num_nonzero) {
4965 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4966 random_scalar_order_test(&scalars[filled]);
4968 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4969 ++filled;
4970 }
4971
4972 if (nonzero_result) {
4973 /* Compute the expected result using normal ecmult. */
4974 CHECK(filled <= 1);
4975 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4976 mults += filled + g_nonzero;
4977 }
4978
4979 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4980 CHECK(filled <= 1 + !nonzero_result);
4981 CHECK(filled <= num_nonzero);
4982
4983 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4984 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4985 while (filled < num) {
4986 if (secp256k1_testrand_bits(1)) {
4987 secp256k1_gej_set_infinity(&gejs[filled]);
4988 random_scalar_order_test(&scalars[filled]);
4989 } else {
4990 secp256k1_scalar_set_int(&scalars[filled], 0);
4992 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4993 }
4994 ++filled;
4995 }
4996
4997 /* Now perform cheapish transformations on gejs and scalars, for indices
4998 * 0..num_nonzero-1, which do not change the expected result, but may
4999 * convert some of them to be both non-0-scalar and non-infinity-point. */
5000 for (i = 0; i < rands; ++i) {
5001 int j;
5002 secp256k1_scalar v, iv;
5003 /* Shuffle the entries. */
5004 for (j = 0; j < num_nonzero; ++j) {
5005 int k = secp256k1_testrand_int(num_nonzero - j);
5006 if (k != 0) {
5007 secp256k1_gej gej = gejs[j];
5008 secp256k1_scalar sc = scalars[j];
5009 gejs[j] = gejs[j + k];
5010 scalars[j] = scalars[j + k];
5011 gejs[j + k] = gej;
5012 scalars[j + k] = sc;
5013 }
5014 }
5015 /* Perturb all consecutive pairs of inputs:
5016 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5017 for (j = 0; j + 1 < num_nonzero; j += 2) {
5018 secp256k1_gej gej;
5019 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5020 secp256k1_gej_neg(&gej, &gejs[j]);
5021 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5022 }
5023 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5024 CHECK(num_nonzero >= 1);
5026 secp256k1_scalar_inverse(&iv, &v);
5027 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5028 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5029 ++mults;
5030 }
5031
5032 /* Shuffle all entries (0..num-1). */
5033 for (i = 0; i < num; ++i) {
5034 int j = secp256k1_testrand_int(num - i);
5035 if (j != 0) {
5036 secp256k1_gej gej = gejs[i];
5037 secp256k1_scalar sc = scalars[i];
5038 gejs[i] = gejs[i + j];
5039 scalars[i] = scalars[i + j];
5040 gejs[i + j] = gej;
5041 scalars[i + j] = sc;
5042 }
5043 }
5044
5045 /* Compute affine versions of all inputs. */
5046 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5047 /* Invoke ecmult_multi code. */
5048 data.sc = scalars;
5049 data.pt = ges;
5050 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5051 mults += num_nonzero + g_nonzero;
5052 /* Compare with expected result. */
5053 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5054 return mults;
5055}
5056
5059 secp256k1_ge pt;
5060 secp256k1_gej r;
5061 ecmult_multi_data data;
5062 secp256k1_scratch *scratch_empty;
5063
5066 data.sc = &sc;
5067 data.pt = &pt;
5068
5069 /* Try to multiply 1 point, but scratch space is empty.*/
5070 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5071 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5073}
5074
5076 int i;
5077
5079 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5080 /* Bucket_window of 8 is not used with endo */
5081 if (i == 8) {
5082 continue;
5083 }
5085 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5087 }
5088 }
5089}
5090
5096 size_t scratch_size = secp256k1_testrand_bits(8);
5098 secp256k1_scratch *scratch;
5099 size_t n_points_supported;
5100 int bucket_window = 0;
5101
5102 for(; scratch_size < max_size; scratch_size+=256) {
5103 size_t i;
5104 size_t total_alloc;
5105 size_t checkpoint;
5106 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5107 CHECK(scratch != NULL);
5108 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5109 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5110 if (n_points_supported == 0) {
5112 continue;
5113 }
5114 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5115 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5116 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5117 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5119 total_alloc--;
5120 }
5121 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5124 }
5125 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5126}
5127
5129 size_t n_batches, n_batch_points, max_n_batch_points, n;
5130
5131 max_n_batch_points = 0;
5132 n = 1;
5133 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5134
5135 max_n_batch_points = 1;
5136 n = 0;
5137 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5138 CHECK(n_batches == 0);
5139 CHECK(n_batch_points == 0);
5140
5141 max_n_batch_points = 2;
5142 n = 5;
5143 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5144 CHECK(n_batches == 3);
5145 CHECK(n_batch_points == 2);
5146
5147 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5149 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5150 CHECK(n_batches == 1);
5151 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5152
5153 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5155 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5156 CHECK(n_batches == 2);
5157 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5158
5159 max_n_batch_points = 1;
5160 n = SIZE_MAX;
5161 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5162 CHECK(n_batches == SIZE_MAX);
5163 CHECK(n_batch_points == 1);
5164
5165 max_n_batch_points = 2;
5166 n = SIZE_MAX;
5167 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5168 CHECK(n_batches == SIZE_MAX/2 + 1);
5169 CHECK(n_batch_points == 2);
5170}
5171
5177 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5178 secp256k1_scalar scG;
5181 secp256k1_gej r;
5182 secp256k1_gej r2;
5183 ecmult_multi_data data;
5184 int i;
5185 secp256k1_scratch *scratch;
5186
5188
5189 /* Get random scalars and group elements and compute result */
5190 random_scalar_order(&scG);
5191 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5192 for(i = 0; i < n_points; i++) {
5193 secp256k1_ge ptg;
5194 secp256k1_gej ptgj;
5196 secp256k1_gej_set_ge(&ptgj, &ptg);
5197 pt[i] = ptg;
5198 random_scalar_order(&sc[i]);
5199 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5200 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5201 }
5202 data.sc = sc;
5203 data.pt = pt;
5204 secp256k1_gej_neg(&r2, &r2);
5205
5206 /* Test with empty scratch space. It should compute the correct result using
5207 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5209 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5210 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5213
5214 /* Test with space for 1 point in pippenger. That's not enough because
5215 * ecmult_multi selects strauss which requires more memory. It should
5216 * therefore select the simple algorithm. */
5218 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5219 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5222
5223 for(i = 1; i <= n_points; i++) {
5225 int bucket_window = secp256k1_pippenger_bucket_window(i);
5226 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5228 } else {
5229 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5231 }
5232 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5233 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5236 }
5237 free(sc);
5238 free(pt);
5239}
5240
5241static void run_ecmult_multi_tests(void) {
5242 secp256k1_scratch *scratch;
5243 int64_t todo = (int64_t)320 * COUNT;
5244
5247 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5254 while (todo > 0) {
5255 todo -= test_ecmult_multi_random(scratch);
5256 }
5258
5259 /* Run test_ecmult_multi with space for exactly one point */
5263
5266}
5267
5268static void test_wnaf(const secp256k1_scalar *number, int w) {
5269 secp256k1_scalar x, two, t;
5270 int wnaf[256];
5271 int zeroes = -1;
5272 int i;
5273 int bits;
5275 secp256k1_scalar_set_int(&two, 2);
5276 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5277 CHECK(bits <= 256);
5278 for (i = bits-1; i >= 0; i--) {
5279 int v = wnaf[i];
5280 secp256k1_scalar_mul(&x, &x, &two);
5281 if (v) {
5282 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5283 zeroes=0;
5284 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5285 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5286 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5287 } else {
5288 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5289 zeroes++;
5290 }
5291 if (v >= 0) {
5293 } else {
5296 }
5297 secp256k1_scalar_add(&x, &x, &t);
5298 }
5299 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5300}
5301
5302static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5303 secp256k1_scalar x, shift;
5304 int wnaf[256] = {0};
5305 int i;
5306 int skew;
5307 secp256k1_scalar num, unused;
5308
5310 secp256k1_scalar_set_int(&shift, 1 << w);
5311 /* Make num a 128-bit scalar. */
5312 secp256k1_scalar_split_128(&num, &unused, number);
5313 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5314
5315 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5317 int v = wnaf[i];
5318 CHECK(v == 0 || v & 1); /* check parity */
5319 CHECK(v > -(1 << w)); /* check range above */
5320 CHECK(v < (1 << w)); /* check range below */
5321
5322 secp256k1_scalar_mul(&x, &x, &shift);
5323 if (v >= 0) {
5325 } else {
5328 }
5329 secp256k1_scalar_add(&x, &x, &t);
5330 }
5331 /* If skew is 1 then add 1 to num */
5332 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5333 CHECK(secp256k1_scalar_eq(&x, &num));
5334}
5335
5336/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5337 * rest is 0.*/
5338static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5339 int i;
5340 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5341 CHECK(wnaf[i] == 0);
5342 }
5343 for (i = 7; i >= 0; --i) {
5344 CHECK(wnaf[i] == wnaf_expected[i]);
5345 }
5346}
5347
5348static void test_fixed_wnaf_small(void) {
5349 int w = 4;
5350 int wnaf[256] = {0};
5351 int i;
5352 int skew;
5353 secp256k1_scalar num;
5354
5355 secp256k1_scalar_set_int(&num, 0);
5356 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5357 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5358 int v = wnaf[i];
5359 CHECK(v == 0);
5360 }
5361 CHECK(skew == 0);
5362
5363 secp256k1_scalar_set_int(&num, 1);
5364 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5365 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5366 int v = wnaf[i];
5367 CHECK(v == 0);
5368 }
5369 CHECK(wnaf[0] == 1);
5370 CHECK(skew == 0);
5371
5372 {
5373 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5374 secp256k1_scalar_set_int(&num, 0xffffffff);
5375 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5376 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5377 CHECK(skew == 0);
5378 }
5379 {
5380 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5381 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5382 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5383 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5384 CHECK(skew == 1);
5385 }
5386 {
5387 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5388 secp256k1_scalar_set_int(&num, 0x01010101);
5389 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5390 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5391 CHECK(skew == 0);
5392 }
5393 {
5394 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5395 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5396 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5397 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5398 CHECK(skew == 0);
5399 }
5400}
5401
5402static void run_wnaf(void) {
5403 int i;
5405
5406 /* Test 0 for fixed wnaf */
5408 /* Random tests */
5409 for (i = 0; i < COUNT; i++) {
5411 test_wnaf(&n, 4+(i%10));
5412 test_fixed_wnaf(&n, 4 + (i % 10));
5413 }
5415 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5419}
5420
5421static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5422 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5423 *sc = *indata;
5425 CHECK(idx == 0);
5426 return 1;
5427}
5428
5430 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5431 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5432 secp256k1_ge r;
5433 unsigned char bytes[65];
5434 size_t size = 65;
5439 secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x);
5440 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5443 secp256k1_ge_set_gej_var(&r, &rj1);
5444 CHECK(secp256k1_gej_eq_ge_var(&rj2, &r));
5445 CHECK(secp256k1_gej_eq_ge_var(&rj3, &r));
5446 CHECK(secp256k1_gej_eq_ge_var(&rj4, &r));
5447 CHECK(secp256k1_gej_eq_ge_var(&rj5, &r));
5448 CHECK(secp256k1_gej_eq_ge_var(&rj6, &r));
5449 if (secp256k1_ge_is_infinity(&r)) {
5450 /* Store infinity as 0x00 */
5451 const unsigned char zerobyte[1] = {0};
5452 secp256k1_sha256_write(acc, zerobyte, 1);
5453 } else {
5454 /* Store other points using their uncompressed serialization. */
5455 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5456 CHECK(size == 65);
5457 secp256k1_sha256_write(acc, bytes, size);
5458 }
5459}
5460
5462 /* Using test_ecmult_accumulate, test ecmult for:
5463 * - For i in 0..36:
5464 * - Key i
5465 * - Key -i
5466 * - For i in 0..255:
5467 * - For j in 1..255 (only odd values):
5468 * - Key (j*2^i) mod order
5469 */
5471 secp256k1_sha256 acc;
5472 unsigned char b32[32];
5473 int i, j;
5475
5476 /* Expected hash of all the computed points; created with an independent
5477 * implementation. */
5478 static const unsigned char expected32[32] = {
5479 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5480 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5481 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5482 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5483 };
5485 for (i = 0; i <= 36; ++i) {
5487 test_ecmult_accumulate(&acc, &x, scratch);
5489 test_ecmult_accumulate(&acc, &x, scratch);
5490 };
5491 for (i = 0; i < 256; ++i) {
5492 for (j = 1; j < 256; j += 2) {
5493 int k;
5495 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5496 test_ecmult_accumulate(&acc, &x, scratch);
5497 }
5498 }
5499 secp256k1_sha256_finalize(&acc, b32);
5500 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5501
5503}
5504
5505static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5506 /* Using test_ecmult_accumulate, test ecmult for:
5507 * - Key 0
5508 * - Key 1
5509 * - Key -1
5510 * - For i in range(iter):
5511 * - Key SHA256(LE32(prefix) || LE16(i))
5512 */
5514 secp256k1_sha256 acc;
5515 unsigned char b32[32];
5516 unsigned char inp[6];
5517 size_t i;
5519
5520 inp[0] = prefix & 0xFF;
5521 inp[1] = (prefix >> 8) & 0xFF;
5522 inp[2] = (prefix >> 16) & 0xFF;
5523 inp[3] = (prefix >> 24) & 0xFF;
5526 test_ecmult_accumulate(&acc, &x, scratch);
5528 test_ecmult_accumulate(&acc, &x, scratch);
5530 test_ecmult_accumulate(&acc, &x, scratch);
5531
5532 for (i = 0; i < iter; ++i) {
5533 secp256k1_sha256 gen;
5534 inp[4] = i & 0xff;
5535 inp[5] = (i >> 8) & 0xff;
5537 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5538 secp256k1_sha256_finalize(&gen, b32);
5539 secp256k1_scalar_set_b32(&x, b32, NULL);
5540 test_ecmult_accumulate(&acc, &x, scratch);
5541 }
5542 secp256k1_sha256_finalize(&acc, b32);
5543 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5544
5546}
5547
5548static void run_ecmult_constants(void) {
5549 /* Expected hashes of all points in the tests below. Computed using an
5550 * independent implementation. */
5551 static const unsigned char expected32_6bit20[32] = {
5552 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5553 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5554 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5555 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5556 };
5557 static const unsigned char expected32_8bit8[32] = {
5558 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5559 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5560 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5561 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5562 };
5563 /* For every combination of 6 bit positions out of 256, restricted to
5564 * 20-bit windows (i.e., the first and last bit position are no more than
5565 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5566 * this test. */
5567 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5568 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5569 }
5570
5571 /* For every combination of 8 consecutive bit positions, all 256 bit
5572 * patterns occur in the input scalars used in this test. */
5573 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5574 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5575 }
5576
5577 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5579 }
5580}
5581
5582static void test_ecmult_gen_blind(void) {
5583 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5584 secp256k1_scalar key;
5586 unsigned char seed32[32];
5587 secp256k1_gej pgej;
5588 secp256k1_gej pgej2;
5589 secp256k1_ge p;
5590 secp256k1_ge pge;
5592 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5593 secp256k1_testrand256(seed32);
5598 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5599 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5601 secp256k1_ge_set_gej(&pge, &pgej);
5602 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5603}
5604
5606 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5608 secp256k1_ge p1, p2;
5615 CHECK(secp256k1_ge_eq_var(&p1, &p2));
5616}
5617
5618/* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */
5620 int i;
5621 secp256k1_gej res1, res2, res3;
5622 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */
5623 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */
5624 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */
5625
5626 for (i = -1; i < 2; ++i) {
5627 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */
5629 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn);
5631 CHECK(secp256k1_gej_eq_var(&res1, &res2));
5632 CHECK(secp256k1_gej_eq_var(&res1, &res3));
5634 }
5635}
5636
5637static void run_ecmult_gen_blind(void) {
5638 int i;
5641 for (i = 0; i < 10; i++) {
5643 }
5644}
5645
5646/***** ENDOMORPHISH TESTS *****/
5647static void test_scalar_split(const secp256k1_scalar* full) {
5648 secp256k1_scalar s, s1, slam;
5649 const unsigned char zero[32] = {0};
5650 unsigned char tmp[32];
5651
5652 secp256k1_scalar_split_lambda(&s1, &slam, full);
5653
5654 /* check slam*lambda + s1 == full */
5656 secp256k1_scalar_add(&s, &s, &s1);
5657 CHECK(secp256k1_scalar_eq(&s, full));
5658
5659 /* check that both are <= 128 bits in size */
5660 if (secp256k1_scalar_is_high(&s1)) {
5661 secp256k1_scalar_negate(&s1, &s1);
5662 }
5663 if (secp256k1_scalar_is_high(&slam)) {
5664 secp256k1_scalar_negate(&slam, &slam);
5665 }
5666
5667 secp256k1_scalar_get_b32(tmp, &s1);
5668 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5669 secp256k1_scalar_get_b32(tmp, &slam);
5670 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5671}
5672
5673
5674static void run_endomorphism_tests(void) {
5675 unsigned i;
5676 static secp256k1_scalar s;
5684
5685 for (i = 0; i < 100U * COUNT; ++i) {
5686 secp256k1_scalar full;
5688 test_scalar_split(&full);
5689 }
5690 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5692 }
5693}
5694
5695static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5696 unsigned char pubkeyc[65];
5697 secp256k1_pubkey pubkey;
5698 secp256k1_ge ge;
5699 size_t pubkeyclen;
5700
5701 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5702 /* Smaller sizes are tested exhaustively elsewhere. */
5703 int32_t i;
5704 memcpy(&pubkeyc[1], input, 64);
5705 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5706 for (i = 0; i < 256; i++) {
5707 /* Try all type bytes. */
5708 int xpass;
5709 int ypass;
5710 int ysign;
5711 pubkeyc[0] = i;
5712 /* What sign does this point have? */
5713 ysign = (input[63] & 1) + 2;
5714 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5715 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5716 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5717 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5718 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5719 if (xpass || ypass) {
5720 /* These cases must parse. */
5721 unsigned char pubkeyo[65];
5722 size_t outl;
5723 memset(&pubkey, 0, sizeof(pubkey));
5724 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5725 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5726 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5727 outl = 65;
5728 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5729 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5730 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5731 CHECK(outl == 33);
5732 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5733 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5734 if (ypass) {
5735 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5736 CHECK(pubkeyo[0] == ysign);
5737 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5738 memset(&pubkey, 0, sizeof(pubkey));
5739 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5740 secp256k1_pubkey_save(&pubkey, &ge);
5741 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5742 outl = 65;
5743 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5744 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5745 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5746 CHECK(outl == 65);
5747 CHECK(pubkeyo[0] == 4);
5748 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5749 }
5750 } else {
5751 /* These cases must fail to parse. */
5752 memset(&pubkey, 0xfe, sizeof(pubkey));
5753 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5754 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5755 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5756 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5757 }
5758 }
5759 }
5760}
5761
5762static void run_ec_pubkey_parse_test(void) {
5763#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5764 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5765 {
5766 /* Point with leading and trailing zeros in x and y serialization. */
5767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5769 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5770 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5771 },
5772 {
5773 /* Point with x equal to a 3rd root of unity.*/
5774 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5775 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5776 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5777 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5778 },
5779 {
5780 /* Point with largest x. (1/2) */
5781 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5782 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5783 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5784 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5785 },
5786 {
5787 /* Point with largest x. (2/2) */
5788 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5789 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5790 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5791 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5792 },
5793 {
5794 /* Point with smallest x. (1/2) */
5795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5797 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5798 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5799 },
5800 {
5801 /* Point with smallest x. (2/2) */
5802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5804 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5805 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5806 },
5807 {
5808 /* Point with largest y. (1/3) */
5809 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5810 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5811 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5812 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5813 },
5814 {
5815 /* Point with largest y. (2/3) */
5816 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5817 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5818 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5819 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5820 },
5821 {
5822 /* Point with largest y. (3/3) */
5823 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5824 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5826 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5827 },
5828 {
5829 /* Point with smallest y. (1/3) */
5830 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5831 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5832 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5834 },
5835 {
5836 /* Point with smallest y. (2/3) */
5837 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5838 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5839 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5840 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5841 },
5842 {
5843 /* Point with smallest y. (3/3) */
5844 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5845 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5848 }
5849 };
5850#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5851 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5852 {
5853 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5854 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5855 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5856 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5857 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5858 },
5859 {
5860 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5861 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5862 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5863 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5864 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5865 },
5866 {
5867 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5868 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5869 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5870 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5871 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5872 },
5873 {
5874 /* x on curve, y is from y^2 = x^3 + 8. */
5875 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5876 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5878 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5879 }
5880 };
5881#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5882 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5883 {
5884 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5885 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5886 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5887 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5889 },
5890 {
5891 /* Valid if x overflow ignored (x = 1 mod p). */
5892 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5893 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5894 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5895 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5896 },
5897 {
5898 /* Valid if x overflow ignored (x = 1 mod p). */
5899 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5900 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5901 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5902 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5903 },
5904 {
5905 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5906 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5907 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5908 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5909 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5910 },
5911 {
5912 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5913 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5914 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5915 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5916 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5917 },
5918 {
5919 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5921 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5922 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5923 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5924 },
5925 {
5926 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5927 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5928 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5929 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5930 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5931 }
5932 };
5933 const unsigned char pubkeyc[66] = {
5934 /* Serialization of G. */
5935 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5936 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5937 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5938 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5939 0xB8, 0x00
5940 };
5941 unsigned char sout[65];
5942 unsigned char shortkey[2] = { 0 };
5943 secp256k1_ge ge;
5944 secp256k1_pubkey pubkey;
5945 size_t len;
5946 int32_t i;
5947
5948 /* Nothing should be reading this far into pubkeyc. */
5949 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5950 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5951 memset(&pubkey, 0xfe, sizeof(pubkey));
5952 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5953 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5954 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
5955 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5956 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5957 /* Length one claimed, fail, zeroize, no illegal arg error. */
5958 for (i = 0; i < 256 ; i++) {
5959 memset(&pubkey, 0xfe, sizeof(pubkey));
5960 shortkey[0] = i;
5961 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
5962 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5963 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
5964 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5965 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5966 }
5967 /* Length two claimed, fail, zeroize, no illegal arg error. */
5968 for (i = 0; i < 65536 ; i++) {
5969 memset(&pubkey, 0xfe, sizeof(pubkey));
5970 shortkey[0] = i & 255;
5971 shortkey[1] = i >> 8;
5972 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5973 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
5974 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5975 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5976 }
5977 memset(&pubkey, 0xfe, sizeof(pubkey));
5978 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5979 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5980 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
5981 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5982 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5983 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5984 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
5985 /* NULL input string. Illegal arg and zeroize output. */
5986 memset(&pubkey, 0xfe, sizeof(pubkey));
5987 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5988 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
5989 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5990 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5991 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5992 memset(&pubkey, 0xfe, sizeof(pubkey));
5993 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5994 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
5995 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5996 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5997 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5998 memset(&pubkey, 0xfe, sizeof(pubkey));
5999 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6000 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6001 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6002 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6003 /* Valid parse. */
6004 memset(&pubkey, 0, sizeof(pubkey));
6005 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6006 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6007 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6008 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6009 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6010 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6011 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6012 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6015 /* secp256k1_ec_pubkey_serialize illegal args. */
6016 len = 65;
6018 CHECK(len == 0);
6020 len = 65;
6023 SECP256K1_CHECKMEM_CHECK(sout, 65);
6024 CHECK(len == 0);
6025 len = 65;
6026 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
6027 CHECK(len == 0);
6028 len = 65;
6031 SECP256K1_CHECKMEM_CHECK(sout, 65);
6032 CHECK(len == 65);
6033 /* Multiple illegal args. Should still set arg error only once. */
6035 /* Try a bunch of prefabbed points with all possible encodings. */
6036 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6037 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6038 }
6039 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6040 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6041 }
6042 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6043 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6044 }
6045}
6046
6047static void run_eckey_edge_case_test(void) {
6048 const unsigned char orderc[32] = {
6049 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6051 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6052 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6053 };
6054 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6055 unsigned char ctmp[33];
6056 unsigned char ctmp2[33];
6057 secp256k1_pubkey pubkey;
6058 secp256k1_pubkey pubkey2;
6059 secp256k1_pubkey pubkey_one;
6060 secp256k1_pubkey pubkey_negone;
6061 const secp256k1_pubkey *pubkeys[3];
6062 size_t len;
6063 /* Group order is too large, reject. */
6064 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6065 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6066 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6067 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6068 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6069 /* Maximum value is too large, reject. */
6070 memset(ctmp, 255, 32);
6072 memset(&pubkey, 1, sizeof(pubkey));
6073 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6074 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6075 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6076 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6077 /* Zero is too small, reject. */
6078 memset(ctmp, 0, 32);
6080 memset(&pubkey, 1, sizeof(pubkey));
6081 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6082 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6083 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6084 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6085 /* One must be accepted. */
6086 ctmp[31] = 0x01;
6088 memset(&pubkey, 0, sizeof(pubkey));
6089 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6090 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6091 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6092 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6093 pubkey_one = pubkey;
6094 /* Group order + 1 is too large, reject. */
6095 memcpy(ctmp, orderc, 32);
6096 ctmp[31] = 0x42;
6098 memset(&pubkey, 1, sizeof(pubkey));
6099 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6100 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6101 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6102 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6103 /* -1 must be accepted. */
6104 ctmp[31] = 0x40;
6106 memset(&pubkey, 0, sizeof(pubkey));
6107 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6108 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6109 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6110 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6111 pubkey_negone = pubkey;
6112 /* Tweak of zero leaves the value unchanged. */
6113 memset(ctmp2, 0, 32);
6114 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6115 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6116 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6117 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6118 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6119 /* Multiply tweak of zero zeroizes the output. */
6120 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6121 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6122 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6123 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6124 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6125 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6126 seckey, the seckey is zeroized. */
6127 memcpy(ctmp, orderc, 32);
6128 memset(ctmp2, 0, 32);
6129 ctmp2[31] = 0x01;
6130 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6132 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6133 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6134 memcpy(ctmp, orderc, 32);
6135 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6136 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6137 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6138 tweak, the seckey is zeroized. */
6139 memcpy(ctmp, orderc, 32);
6140 ctmp[31] = 0x40;
6141 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6142 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6143 memcpy(ctmp, orderc, 32);
6144 ctmp[31] = 0x40;
6145 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6146 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6147 memcpy(ctmp, orderc, 32);
6148 ctmp[31] = 0x40;
6149 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6150 tweak, the pubkey is zeroized. */
6151 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6152 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6153 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6154 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6155 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6156 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6157 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6158 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6159 * case the pubkey is zeroized. */
6160 memcpy(ctmp, orderc, 32);
6161 ctmp[31] = 0x40;
6162 memset(ctmp2, 0, 32);
6163 ctmp2[31] = 1;
6164 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6165 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6166 ctmp2[31] = 1;
6167 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6168 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6169 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6170 /* Tweak computation wraps and results in a key of 1. */
6171 ctmp2[31] = 2;
6172 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6173 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6174 ctmp2[31] = 2;
6175 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6176 ctmp2[31] = 1;
6177 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6178 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6179 /* Tweak mul * 2 = 1+1. */
6180 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6181 ctmp2[31] = 2;
6182 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6183 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6184 /* Zeroize pubkey on parse error. */
6185 memset(&pubkey, 0, 32);
6187 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6188 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6189 memset(&pubkey2, 0, 32);
6191 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6192 /* Plain argument errors. */
6195 memset(ctmp2, 0, 32);
6196 ctmp2[31] = 4;
6199 memset(ctmp2, 0, 32);
6200 ctmp2[31] = 4;
6203 memset(ctmp2, 0, 32);
6206 memset(ctmp2, 0, 32);
6207 ctmp2[31] = 1;
6211 memset(&pubkey, 1, sizeof(pubkey));
6213 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6214 /* secp256k1_ec_pubkey_combine tests. */
6215 pubkeys[0] = &pubkey_one;
6216 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6217 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6218 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6219 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6221 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6223 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6224 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6225 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6226 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6228 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6230 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6231 pubkeys[0] = &pubkey_negone;
6232 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6234 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6236 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6237 len = 33;
6239 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6240 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6241 /* Result is infinity. */
6242 pubkeys[0] = &pubkey_one;
6243 pubkeys[1] = &pubkey_negone;
6244 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6246 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6248 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6249 /* Passes through infinity but comes out one. */
6250 pubkeys[2] = &pubkey_one;
6251 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6253 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6255 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6256 len = 33;
6258 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6259 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6260 /* Adds to two. */
6261 pubkeys[1] = &pubkey_one;
6262 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6264 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6266 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6267}
6268
6269static void run_eckey_negate_test(void) {
6270 unsigned char seckey[32];
6271 unsigned char seckey_tmp[32];
6272
6274 memcpy(seckey_tmp, seckey, 32);
6275
6276 /* Verify negation changes the key and changes it back */
6277 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6278 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6279 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6280 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6281
6282 /* Check that privkey alias gives same result */
6283 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6284 CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6285 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6286
6287 /* Negating all 0s fails */
6288 memset(seckey, 0, 32);
6289 memset(seckey_tmp, 0, 32);
6290 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6291 /* Check that seckey is not modified */
6292 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6293
6294 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6295 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6296 * doesn't just set seckey to a constant value in case of failure. */
6298 memset(seckey, 0xFF, 16);
6299 memset(seckey_tmp, 0, 32);
6300 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6301 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6302}
6303
6304static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6305 secp256k1_scalar nonce;
6306 do {
6308 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6309}
6310
6311static void test_ecdsa_sign_verify(void) {
6312 secp256k1_gej pubj;
6313 secp256k1_ge pub;
6314 secp256k1_scalar one;
6315 secp256k1_scalar msg, key;
6316 secp256k1_scalar sigr, sigs;
6317 int getrec;
6318 int recid;
6321 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6322 secp256k1_ge_set_gej(&pub, &pubj);
6323 getrec = secp256k1_testrand_bits(1);
6324 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6325 See the commit messages of the commit that introduced this comment for details. */
6326 if (getrec) {
6327 random_sign(&sigr, &sigs, &key, &msg, &recid);
6328 CHECK(recid >= 0 && recid < 4);
6329 } else {
6330 random_sign(&sigr, &sigs, &key, &msg, NULL);
6331 }
6332 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6333 secp256k1_scalar_set_int(&one, 1);
6334 secp256k1_scalar_add(&msg, &msg, &one);
6335 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6336}
6337
6338static void run_ecdsa_sign_verify(void) {
6339 int i;
6340 for (i = 0; i < 10*COUNT; i++) {
6342 }
6343}
6344
6346static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6347 (void)msg32;
6348 (void)key32;
6349 (void)algo16;
6350 memcpy(nonce32, data, 32);
6351 return (counter == 0);
6352}
6353
6354static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6355 /* Dummy nonce generator that has a fatal error on the first counter value. */
6356 if (counter == 0) {
6357 return 0;
6358 }
6359 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6360}
6361
6362static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6363 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6364 if (counter < 3) {
6365 memset(nonce32, counter==0 ? 0 : 255, 32);
6366 if (counter == 2) {
6367 nonce32[31]--;
6368 }
6369 return 1;
6370 }
6371 if (counter < 5) {
6372 static const unsigned char order[] = {
6373 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6374 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6375 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6376 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6377 };
6378 memcpy(nonce32, order, 32);
6379 if (counter == 4) {
6380 nonce32[31]++;
6381 }
6382 return 1;
6383 }
6384 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6385 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6386 if (counter > 5) {
6387 return 0;
6388 }
6389 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6390}
6391
6393 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6394 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6395}
6396
6397static void test_ecdsa_end_to_end(void) {
6398 unsigned char extra[32] = {0x00};
6399 unsigned char privkey[32];
6400 unsigned char message[32];
6401 unsigned char privkey2[32];
6402 secp256k1_ecdsa_signature signature[6];
6403 secp256k1_scalar r, s;
6404 unsigned char sig[74];
6405 size_t siglen = 74;
6406 unsigned char pubkeyc[65];
6407 size_t pubkeyclen = 65;
6408 secp256k1_pubkey pubkey;
6409 secp256k1_pubkey pubkey_tmp;
6410 unsigned char seckey[300];
6411 size_t seckeylen = 300;
6412
6413 /* Generate a random key and message. */
6414 {
6415 secp256k1_scalar msg, key;
6418 secp256k1_scalar_get_b32(privkey, &key);
6419 secp256k1_scalar_get_b32(message, &msg);
6420 }
6421
6422 /* Construct and verify corresponding public key. */
6423 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6424 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6425
6426 /* Verify exporting and importing public key. */
6428 memset(&pubkey, 0, sizeof(pubkey));
6429 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6430
6431 /* Verify negation changes the key and changes it back */
6432 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6433 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6434 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6435 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6436 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6437
6438 /* Verify private key import and export. */
6439 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6440 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6441 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6442
6443 /* Optionally tweak the keys using addition. */
6444 if (secp256k1_testrand_int(3) == 0) {
6445 int ret1;
6446 int ret2;
6447 int ret3;
6448 unsigned char rnd[32];
6449 unsigned char privkey_tmp[32];
6450 secp256k1_pubkey pubkey2;
6452 memcpy(privkey_tmp, privkey, 32);
6453 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6454 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6455 /* Check that privkey alias gives same result */
6456 ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6457 CHECK(ret1 == ret2);
6458 CHECK(ret2 == ret3);
6459 if (ret1 == 0) {
6460 return;
6461 }
6462 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6463 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6464 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6465 }
6466
6467 /* Optionally tweak the keys using multiplication. */
6468 if (secp256k1_testrand_int(3) == 0) {
6469 int ret1;
6470 int ret2;
6471 int ret3;
6472 unsigned char rnd[32];
6473 unsigned char privkey_tmp[32];
6474 secp256k1_pubkey pubkey2;
6476 memcpy(privkey_tmp, privkey, 32);
6477 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6478 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6479 /* Check that privkey alias gives same result */
6480 ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6481 CHECK(ret1 == ret2);
6482 CHECK(ret2 == ret3);
6483 if (ret1 == 0) {
6484 return;
6485 }
6486 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6487 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6488 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6489 }
6490
6491 /* Sign. */
6492 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6493 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6494 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6495 extra[31] = 1;
6496 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6497 extra[31] = 0;
6498 extra[0] = 1;
6499 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6500 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6501 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6502 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6503 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6504 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6505 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6506 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6507 /* Verify. */
6508 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6509 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6510 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6511 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6512 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6513 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6514 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6516 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6517 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6518 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6519 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6520 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6521 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6522 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6524 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6525 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6526 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6527 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6528
6529 /* Serialize/parse DER and verify again */
6530 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6531 memset(&signature[0], 0, sizeof(signature[0]));
6532 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6533 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6534 /* Serialize/destroy/parse DER and verify again. */
6535 siglen = 74;
6536 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6538 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6539 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6540}
6541
6542static void test_random_pubkeys(void) {
6543 secp256k1_ge elem;
6544 secp256k1_ge elem2;
6545 unsigned char in[65];
6546 /* Generate some randomly sized pubkeys. */
6547 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6548 if (secp256k1_testrand_bits(2) == 0) {
6549 len = secp256k1_testrand_bits(6);
6550 }
6551 if (len == 65) {
6552 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6553 } else {
6554 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6555 }
6556 if (secp256k1_testrand_bits(3) == 0) {
6557 in[0] = secp256k1_testrand_bits(8);
6558 }
6559 if (len > 1) {
6560 secp256k1_testrand256(&in[1]);
6561 }
6562 if (len > 33) {
6563 secp256k1_testrand256(&in[33]);
6564 }
6565 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6566 unsigned char out[65];
6567 unsigned char firstb;
6568 int res;
6569 size_t size = len;
6570 firstb = in[0];
6571 /* If the pubkey can be parsed, it should round-trip... */
6572 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6573 CHECK(size == len);
6574 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6575 /* ... except for the type of hybrid inputs. */
6576 if ((in[0] != 6) && (in[0] != 7)) {
6577 CHECK(in[0] == out[0]);
6578 }
6579 size = 65;
6580 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6581 CHECK(size == 65);
6582 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6583 CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6584 /* Check that the X9.62 hybrid type is checked. */
6585 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6586 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6587 if (firstb == 2 || firstb == 3) {
6588 if (in[0] == firstb + 4) {
6589 CHECK(res);
6590 } else {
6591 CHECK(!res);
6592 }
6593 }
6594 if (res) {
6595 CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6596 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6597 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6598 }
6599 }
6600}
6601
6602static void run_pubkey_comparison(void) {
6603 unsigned char pk1_ser[33] = {
6604 0x02,
6605 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6606 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6607 };
6608 const unsigned char pk2_ser[33] = {
6609 0x02,
6610 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6611 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6612 };
6613 secp256k1_pubkey pk1;
6614 secp256k1_pubkey pk2;
6615
6616 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6617 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6618
6621 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6622 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6623 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6624 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6625 {
6626 secp256k1_pubkey pk_tmp;
6627 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6629 {
6630 int32_t ecount = 0;
6632 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6633 CHECK(ecount == 2);
6635 }
6637 }
6638
6639 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6640 * an uncompressed encoding, these would have the opposite ordering */
6641 pk1_ser[0] = 3;
6642 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6643 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6644 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6645}
6646
6647static void run_random_pubkeys(void) {
6648 int i;
6649 for (i = 0; i < 10*COUNT; i++) {
6651 }
6652}
6653
6654static void run_ecdsa_end_to_end(void) {
6655 int i;
6656 for (i = 0; i < 64*COUNT; i++) {
6658 }
6659}
6660
6661static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6662 static const unsigned char zeroes[32] = {0};
6663
6664 int ret = 0;
6665
6667 unsigned char roundtrip_der[2048];
6668 unsigned char compact_der[64];
6669 size_t len_der = 2048;
6670 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6671
6672 secp256k1_ecdsa_signature sig_der_lax;
6673 unsigned char roundtrip_der_lax[2048];
6674 unsigned char compact_der_lax[64];
6675 size_t len_der_lax = 2048;
6676 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6677
6678 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6679 if (parsed_der) {
6680 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6681 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6682 }
6683 if (valid_der) {
6684 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6685 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6686 }
6687
6688 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6689 if (parsed_der_lax) {
6690 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6691 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6692 }
6693 if (valid_der_lax) {
6694 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6695 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6696 }
6697
6698 if (certainly_der) {
6699 ret |= (!parsed_der) << 2;
6700 }
6701 if (certainly_not_der) {
6702 ret |= (parsed_der) << 17;
6703 }
6704 if (valid_der) {
6705 ret |= (!roundtrips_der) << 3;
6706 }
6707
6708 if (valid_der) {
6709 ret |= (!roundtrips_der_lax) << 12;
6710 ret |= (len_der != len_der_lax) << 13;
6711 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6712 }
6713 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6714 if (parsed_der) {
6715 ret |= (!parsed_der_lax) << 16;
6716 }
6717
6718 return ret;
6719}
6720
6721static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6722 size_t i;
6723 for (i = 0; i < ptrlen; i++) {
6724 int shift = ptrlen - 1 - i;
6725 if (shift >= 4) {
6726 ptr[i] = 0;
6727 } else {
6728 ptr[i] = (val >> shift) & 0xFF;
6729 }
6730 }
6731}
6732
6733static void damage_array(unsigned char *sig, size_t *len) {
6734 int pos;
6735 int action = secp256k1_testrand_bits(3);
6736 if (action < 1 && *len > 3) {
6737 /* Delete a byte. */
6738 pos = secp256k1_testrand_int(*len);
6739 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6740 (*len)--;
6741 return;
6742 } else if (action < 2 && *len < 2048) {
6743 /* Insert a byte. */
6744 pos = secp256k1_testrand_int(1 + *len);
6745 memmove(sig + pos + 1, sig + pos, *len - pos);
6746 sig[pos] = secp256k1_testrand_bits(8);
6747 (*len)++;
6748 return;
6749 } else if (action < 4) {
6750 /* Modify a byte. */
6752 return;
6753 } else { /* action < 8 */
6754 /* Modify a bit. */
6756 return;
6757 }
6758}
6759
6760static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6761 int der;
6762 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6763 size_t tlen, elen, glen;
6764 int indet;
6765 int n;
6766
6767 *len = 0;
6768 der = secp256k1_testrand_bits(2) == 0;
6769 *certainly_der = der;
6770 *certainly_not_der = 0;
6771 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6772
6773 for (n = 0; n < 2; n++) {
6774 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6775 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6776 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6777 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6778 CHECK(nlen[n] <= 232);
6779 /* The top bit of the number. */
6780 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6781 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6782 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6783 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6784 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6785 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6786 *certainly_not_der = 1;
6787 }
6788 CHECK(nlen[n] + nzlen[n] <= 300);
6789 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6790 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6791 if (!der) {
6792 /* nlenlen[n] max 127 bytes */
6793 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6794 nlenlen[n] += add;
6795 if (add != 0) {
6796 *certainly_not_der = 1;
6797 }
6798 }
6799 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6800 }
6801
6802 /* The total length of the data to go, so far */
6803 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6804 CHECK(tlen <= 856);
6805
6806 /* The length of the garbage inside the tuple. */
6807 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6808 if (elen != 0) {
6809 *certainly_not_der = 1;
6810 }
6811 tlen += elen;
6812 CHECK(tlen <= 980);
6813
6814 /* The length of the garbage after the end of the tuple. */
6815 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6816 if (glen != 0) {
6817 *certainly_not_der = 1;
6818 }
6819 CHECK(tlen + glen <= 990);
6820
6821 /* Write the tuple header. */
6822 sig[(*len)++] = 0x30;
6823 if (indet) {
6824 /* Indeterminate length */
6825 sig[(*len)++] = 0x80;
6826 *certainly_not_der = 1;
6827 } else {
6828 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6829 if (!der) {
6830 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6831 tlenlen += add;
6832 if (add != 0) {
6833 *certainly_not_der = 1;
6834 }
6835 }
6836 if (tlenlen == 0) {
6837 /* Short length notation */
6838 sig[(*len)++] = tlen;
6839 } else {
6840 /* Long length notation */
6841 sig[(*len)++] = 128 + tlenlen;
6842 assign_big_endian(sig + *len, tlenlen, tlen);
6843 *len += tlenlen;
6844 }
6845 tlen += tlenlen;
6846 }
6847 tlen += 2;
6848 CHECK(tlen + glen <= 1119);
6849
6850 for (n = 0; n < 2; n++) {
6851 /* Write the integer header. */
6852 sig[(*len)++] = 0x02;
6853 if (nlenlen[n] == 0) {
6854 /* Short length notation */
6855 sig[(*len)++] = nlen[n] + nzlen[n];
6856 } else {
6857 /* Long length notation. */
6858 sig[(*len)++] = 128 + nlenlen[n];
6859 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6860 *len += nlenlen[n];
6861 }
6862 /* Write zero padding */
6863 while (nzlen[n] > 0) {
6864 sig[(*len)++] = 0x00;
6865 nzlen[n]--;
6866 }
6867 if (nlen[n] == 32 && !nlow[n]) {
6868 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6869 int i;
6870 for (i = 0; i < 16; i++) {
6871 sig[(*len)++] = 0xFF;
6872 }
6873 nlen[n] -= 16;
6874 }
6875 /* Write first byte of number */
6876 if (nlen[n] > 0) {
6877 sig[(*len)++] = nhbyte[n];
6878 nlen[n]--;
6879 }
6880 /* Generate remaining random bytes of number */
6881 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6882 *len += nlen[n];
6883 nlen[n] = 0;
6884 }
6885
6886 /* Generate random garbage inside tuple. */
6887 secp256k1_testrand_bytes_test(sig + *len, elen);
6888 *len += elen;
6889
6890 /* Generate end-of-contents bytes. */
6891 if (indet) {
6892 sig[(*len)++] = 0;
6893 sig[(*len)++] = 0;
6894 tlen += 2;
6895 }
6896 CHECK(tlen + glen <= 1121);
6897
6898 /* Generate random garbage outside tuple. */
6899 secp256k1_testrand_bytes_test(sig + *len, glen);
6900 *len += glen;
6901 tlen += glen;
6902 CHECK(tlen <= 1121);
6903 CHECK(tlen == *len);
6904}
6905
6906static void run_ecdsa_der_parse(void) {
6907 int i,j;
6908 for (i = 0; i < 200 * COUNT; i++) {
6909 unsigned char buffer[2048];
6910 size_t buflen = 0;
6911 int certainly_der = 0;
6912 int certainly_not_der = 0;
6913 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6914 CHECK(buflen <= 2048);
6915 for (j = 0; j < 16; j++) {
6916 int ret = 0;
6917 if (j > 0) {
6918 damage_array(buffer, &buflen);
6919 /* We don't know anything anymore about the DERness of the result */
6920 certainly_der = 0;
6921 certainly_not_der = 0;
6922 }
6923 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6924 if (ret != 0) {
6925 size_t k;
6926 fprintf(stderr, "Failure %x on ", ret);
6927 for (k = 0; k < buflen; k++) {
6928 fprintf(stderr, "%02x ", buffer[k]);
6929 }
6930 fprintf(stderr, "\n");
6931 }
6932 CHECK(ret == 0);
6933 }
6934 }
6935}
6936
6937/* Tests several edge cases. */
6938static void test_ecdsa_edge_cases(void) {
6939 int t;
6941
6942 /* Test the case where ECDSA recomputes a point that is infinity. */
6943 {
6944 secp256k1_gej keyj;
6945 secp256k1_ge key;
6947 secp256k1_scalar sr, ss;
6949 secp256k1_scalar_negate(&ss, &ss);
6950 secp256k1_scalar_inverse(&ss, &ss);
6953 secp256k1_ge_set_gej(&key, &keyj);
6954 msg = ss;
6955 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6956 }
6957
6958 /* Verify signature with r of zero fails. */
6959 {
6960 const unsigned char pubkey_mods_zero[33] = {
6961 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6962 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6963 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6964 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6965 0x41
6966 };
6967 secp256k1_ge key;
6969 secp256k1_scalar sr, ss;
6973 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6974 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6975 }
6976
6977 /* Verify signature with s of zero fails. */
6978 {
6979 const unsigned char pubkey[33] = {
6980 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6982 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6983 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6984 0x01
6985 };
6986 secp256k1_ge key;
6988 secp256k1_scalar sr, ss;
6992 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6993 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6994 }
6995
6996 /* Verify signature with message 0 passes. */
6997 {
6998 const unsigned char pubkey[33] = {
6999 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7000 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7001 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7003 0x02
7004 };
7005 const unsigned char pubkey2[33] = {
7006 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7007 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7008 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7009 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7010 0x43
7011 };
7012 secp256k1_ge key;
7013 secp256k1_ge key2;
7015 secp256k1_scalar sr, ss;
7019 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7020 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7021 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7022 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7023 secp256k1_scalar_negate(&ss, &ss);
7024 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7025 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7027 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7028 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7029 }
7030
7031 /* Verify signature with message 1 passes. */
7032 {
7033 const unsigned char pubkey[33] = {
7034 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7035 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7036 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7037 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7038 0x25
7039 };
7040 const unsigned char pubkey2[33] = {
7041 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7042 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7043 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7044 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7045 0x62
7046 };
7047 const unsigned char csr[32] = {
7048 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7049 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7050 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7051 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7052 };
7053 secp256k1_ge key;
7054 secp256k1_ge key2;
7056 secp256k1_scalar sr, ss;
7059 secp256k1_scalar_set_b32(&sr, csr, NULL);
7060 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7061 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7062 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7063 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7064 secp256k1_scalar_negate(&ss, &ss);
7065 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7066 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7069 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7070 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7071 }
7072
7073 /* Verify signature with message -1 passes. */
7074 {
7075 const unsigned char pubkey[33] = {
7076 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7077 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7078 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7079 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7080 0xf1
7081 };
7082 const unsigned char csr[32] = {
7083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7084 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7085 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7086 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7087 };
7088 secp256k1_ge key;
7090 secp256k1_scalar sr, ss;
7094 secp256k1_scalar_set_b32(&sr, csr, NULL);
7095 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7096 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7097 secp256k1_scalar_negate(&ss, &ss);
7098 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7101 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7102 }
7103
7104 /* Signature where s would be zero. */
7105 {
7106 secp256k1_pubkey pubkey;
7107 size_t siglen;
7108 unsigned char signature[72];
7109 static const unsigned char nonce[32] = {
7110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7111 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7112 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7114 };
7115 static const unsigned char nonce2[32] = {
7116 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7117 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7118 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7119 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7120 };
7121 const unsigned char key[32] = {
7122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7124 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7125 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7126 };
7127 unsigned char msg[32] = {
7128 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7129 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7130 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7131 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7132 };
7135 msg[31] = 0xaa;
7141 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7142 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7143 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7145 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7147 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7149 siglen = 72;
7152 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7153 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7154 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7156 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7157 siglen = 10;
7158 /* Too little room for a signature does not fail via ARGCHECK. */
7159 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7167 memset(signature, 255, 64);
7169 }
7170
7171 /* Nonce function corner cases. */
7172 for (t = 0; t < 2; t++) {
7173 static const unsigned char zero[32] = {0x00};
7174 int i;
7175 unsigned char key[32];
7176 unsigned char msg[32];
7178 secp256k1_scalar sr[512], ss;
7179 const unsigned char *extra;
7180 extra = t == 0 ? NULL : zero;
7181 memset(msg, 0, 32);
7182 msg[31] = 1;
7183 /* High key results in signature failure. */
7184 memset(key, 0xFF, 32);
7185 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7187 /* Zero key results in signature failure. */
7188 memset(key, 0, 32);
7189 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7191 /* Nonce function failure results in signature failure. */
7192 key[31] = 1;
7195 /* The retry loop successfully makes its way to the first good value. */
7198 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7199 CHECK(!is_empty_signature(&sig2));
7200 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7201 /* The default nonce function is deterministic. */
7202 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7203 CHECK(!is_empty_signature(&sig2));
7204 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7205 /* The default nonce function changes output with different messages. */
7206 for(i = 0; i < 256; i++) {
7207 int j;
7208 msg[0] = i;
7209 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7210 CHECK(!is_empty_signature(&sig2));
7211 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7212 for (j = 0; j < i; j++) {
7213 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7214 }
7215 }
7216 msg[0] = 0;
7217 msg[31] = 2;
7218 /* The default nonce function changes output with different keys. */
7219 for(i = 256; i < 512; i++) {
7220 int j;
7221 key[0] = i - 256;
7222 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7223 CHECK(!is_empty_signature(&sig2));
7224 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7225 for (j = 0; j < i; j++) {
7226 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7227 }
7228 }
7229 key[0] = 0;
7230 }
7231
7232 {
7233 /* Check that optional nonce arguments do not have equivalent effect. */
7234 const unsigned char zeros[32] = {0};
7235 unsigned char nonce[32];
7236 unsigned char nonce2[32];
7237 unsigned char nonce3[32];
7238 unsigned char nonce4[32];
7240 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7241 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7242 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7243 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7244 SECP256K1_CHECKMEM_CHECK(nonce,32);
7245 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7246 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7247 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7248 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7249 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7250 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7251 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7252 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7253 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7254 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7255 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7256 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7257 }
7258
7259
7260 /* Privkey export where pubkey is the point at infinity. */
7261 {
7262 unsigned char privkey[300];
7263 unsigned char seckey[32] = {
7264 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7266 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7267 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7268 };
7269 size_t outlen = 300;
7270 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7271 outlen = 300;
7272 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7273 }
7274}
7275
7276static void run_ecdsa_edge_cases(void) {
7278}
7279
7284static void test_ecdsa_wycheproof(void) {
7286
7287 int t;
7288 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7289 secp256k1_ecdsa_signature signature;
7290 secp256k1_sha256 hasher;
7291 secp256k1_pubkey pubkey;
7292 const unsigned char *msg, *sig, *pk;
7293 unsigned char out[32] = {0};
7294 int actual_verify = 0;
7295
7296 memset(&pubkey, 0, sizeof(pubkey));
7298 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7299
7302 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7304
7306 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7307 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7308 }
7309 CHECK(testvectors[t].expected_verify == actual_verify);
7310 }
7311}
7312
7313/* Tests cases from Wycheproof test suite. */
7314static void run_ecdsa_wycheproof(void) {
7316}
7317
7318#ifdef ENABLE_MODULE_ECDH
7319# include "modules/ecdh/tests_impl.h"
7320#endif
7321
7322#ifdef ENABLE_MODULE_MULTISET
7324#endif
7325
7326#ifdef ENABLE_MODULE_RECOVERY
7328#endif
7329
7330#ifdef ENABLE_MODULE_SCHNORR
7332#endif
7333
7334#ifdef ENABLE_MODULE_EXTRAKEYS
7336#endif
7337
7338#ifdef ENABLE_MODULE_SCHNORRSIG
7340#endif
7341
7342#ifdef ENABLE_MODULE_ELLSWIFT
7344#endif
7345
7347 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7348 unsigned char buf2[sizeof(buf1)];
7349
7350 /* secp256k1_memczero(..., ..., 0) is a noop. */
7351 memcpy(buf2, buf1, sizeof(buf1));
7352 secp256k1_memczero(buf1, sizeof(buf1), 0);
7353 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7354
7355 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7356 memset(buf2, 0, sizeof(buf2));
7357 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7358 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7359}
7360
7362 {
7363 const uint32_t x = 0xFF03AB45;
7364 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7365 unsigned char buf[4];
7366 uint32_t x_;
7367
7368 secp256k1_write_be32(buf, x);
7369 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7370
7371 x_ = secp256k1_read_be32(buf);
7372 CHECK(x == x_);
7373 }
7374
7375 {
7376 const uint64_t x = 0xCAFE0123BEEF4567;
7377 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7378 unsigned char buf[8];
7379 uint64_t x_;
7380
7381 secp256k1_write_be64(buf, x);
7382 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7383
7384 x_ = secp256k1_read_be64(buf);
7385 CHECK(x == x_);
7386 }
7387}
7388
7389static void int_cmov_test(void) {
7390 int r = INT_MAX;
7391 int a = 0;
7392
7393 secp256k1_int_cmov(&r, &a, 0);
7394 CHECK(r == INT_MAX);
7395
7396 r = 0; a = INT_MAX;
7397 secp256k1_int_cmov(&r, &a, 1);
7398 CHECK(r == INT_MAX);
7399
7400 a = 0;
7401 secp256k1_int_cmov(&r, &a, 1);
7402 CHECK(r == 0);
7403
7404 a = 1;
7405 secp256k1_int_cmov(&r, &a, 1);
7406 CHECK(r == 1);
7407
7408 r = 1; a = 0;
7409 secp256k1_int_cmov(&r, &a, 0);
7410 CHECK(r == 1);
7411
7412}
7413
7414static void fe_cmov_test(void) {
7415 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7416 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7417 static const secp256k1_fe max = SECP256K1_FE_CONST(
7418 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7419 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7420 );
7421 secp256k1_fe r = max;
7422 secp256k1_fe a = zero;
7423
7424 secp256k1_fe_cmov(&r, &a, 0);
7425 CHECK(fe_identical(&r, &max));
7426
7427 r = zero; a = max;
7428 secp256k1_fe_cmov(&r, &a, 1);
7429 CHECK(fe_identical(&r, &max));
7430
7431 a = zero;
7432 secp256k1_fe_cmov(&r, &a, 1);
7433 CHECK(fe_identical(&r, &zero));
7434
7435 a = one;
7436 secp256k1_fe_cmov(&r, &a, 1);
7437 CHECK(fe_identical(&r, &one));
7438
7439 r = one; a = zero;
7440 secp256k1_fe_cmov(&r, &a, 0);
7441 CHECK(fe_identical(&r, &one));
7442}
7443
7444static void fe_storage_cmov_test(void) {
7445 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7446 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7448 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7449 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7450 );
7451 secp256k1_fe_storage r = max;
7452 secp256k1_fe_storage a = zero;
7453
7454 secp256k1_fe_storage_cmov(&r, &a, 0);
7455 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7456
7457 r = zero; a = max;
7458 secp256k1_fe_storage_cmov(&r, &a, 1);
7459 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7460
7461 a = zero;
7462 secp256k1_fe_storage_cmov(&r, &a, 1);
7463 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7464
7465 a = one;
7466 secp256k1_fe_storage_cmov(&r, &a, 1);
7467 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7468
7469 r = one; a = zero;
7470 secp256k1_fe_storage_cmov(&r, &a, 0);
7471 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7472}
7473
7474static void scalar_cmov_test(void) {
7475 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7476 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7477 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7478 );
7479 secp256k1_scalar r = max;
7481
7482 secp256k1_scalar_cmov(&r, &a, 0);
7483 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7484
7485 r = secp256k1_scalar_zero; a = max;
7486 secp256k1_scalar_cmov(&r, &a, 1);
7487 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7488
7490 secp256k1_scalar_cmov(&r, &a, 1);
7491 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7492
7494 secp256k1_scalar_cmov(&r, &a, 1);
7495 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7496
7498 secp256k1_scalar_cmov(&r, &a, 0);
7499 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7500}
7501
7502static void ge_storage_cmov_test(void) {
7503 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7504 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7506 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7507 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7508 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7509 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7510 );
7511 secp256k1_ge_storage r = max;
7512 secp256k1_ge_storage a = zero;
7513
7514 secp256k1_ge_storage_cmov(&r, &a, 0);
7515 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7516
7517 r = zero; a = max;
7518 secp256k1_ge_storage_cmov(&r, &a, 1);
7519 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7520
7521 a = zero;
7522 secp256k1_ge_storage_cmov(&r, &a, 1);
7523 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7524
7525 a = one;
7526 secp256k1_ge_storage_cmov(&r, &a, 1);
7527 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7528
7529 r = one; a = zero;
7530 secp256k1_ge_storage_cmov(&r, &a, 0);
7531 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7532}
7533
7534static void run_cmov_tests(void) {
7535 int_cmov_test();
7536 fe_cmov_test();
7540}
7541
7542int main(int argc, char **argv) {
7543 /* Disable buffering for stdout to improve reliability of getting
7544 * diagnostic information. Happens right at the start of main because
7545 * setbuf must be used before any other operation on the stream. */
7546 setbuf(stdout, NULL);
7547 /* Also disable buffering for stderr because it's not guaranteed that it's
7548 * unbuffered on all systems. */
7549 setbuf(stderr, NULL);
7550
7551 /* find iteration count */
7552 if (argc > 1) {
7553 COUNT = strtol(argv[1], NULL, 0);
7554 } else {
7555 const char* env = getenv("SECP256K1_TEST_ITERS");
7556 if (env && strlen(env) > 0) {
7557 COUNT = strtol(env, NULL, 0);
7558 }
7559 }
7560 if (COUNT <= 0) {
7561 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7562 return EXIT_FAILURE;
7563 }
7564 printf("test count = %i\n", COUNT);
7565
7566 /* run test RNG tests (must run before we really initialize the test RNG) */
7568
7569 /* find random seed */
7570 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7571
7572 /*** Setup test environment ***/
7573
7574 /* Create a global context available to all tests */
7576 /* Randomize the context only with probability 15/16
7577 to make sure we test without context randomization from time to time.
7578 TODO Reconsider this when recalibrating the tests. */
7579 if (secp256k1_testrand_bits(4)) {
7580 unsigned char rand32[32];
7581 secp256k1_testrand256(rand32);
7583 }
7584 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7585 that write to the context. The API does not support cloning the static context, so we use
7586 memcpy instead. The user is not supposed to copy a context but we should still ensure that
7587 the API functions handle copies of the static context gracefully. */
7588 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7589 CHECK(STATIC_CTX != NULL);
7592
7593 /*** Run actual tests ***/
7594
7595 /* selftest tests */
7597
7598 /* context tests */
7602
7603 /* scratch tests */
7605
7606 /* integer arithmetic tests */
7607#ifdef SECP256K1_WIDEMUL_INT128
7608 run_int128_tests();
7609#endif
7610 run_ctz_tests();
7613
7614 /* hash tests */
7620
7621 /* scalar tests */
7623
7624 /* field tests */
7629 run_fe_mul();
7630 run_sqr();
7631 run_sqrt();
7632
7633 /* group tests */
7634 run_ge();
7635 run_gej();
7637
7638 /* ecmult tests */
7640 run_wnaf();
7649
7650 /* endomorphism tests */
7652
7653 /* EC point parser test */
7655
7656 /* EC key edge cases */
7658
7659 /* EC key arithmetic test */
7661
7662#ifdef ENABLE_MODULE_ECDH
7663 /* ecdh tests */
7665#endif
7666
7667 /* ecdsa tests */
7676
7677#ifdef ENABLE_MODULE_MULTISET
7679#endif
7680
7681#ifdef ENABLE_MODULE_RECOVERY
7682 /* ECDSA pubkey recovery tests */
7684#endif
7685
7686#ifdef ENABLE_MODULE_SCHNORR
7687 /* Schnorr signature tests */
7689#endif
7690
7691#ifdef ENABLE_MODULE_EXTRAKEYS
7693#endif
7694
7695#ifdef ENABLE_MODULE_SCHNORRSIG
7697#endif
7698
7699#ifdef ENABLE_MODULE_ELLSWIFT
7701#endif
7702
7703 /* util tests */
7706
7708
7709 /*** Tear down test environment ***/
7710 free(STATIC_CTX);
7712
7714
7715 printf("no problems found\n");
7716 return 0;
7717}
int flags
Definition: bitcoin-tx.cpp:546
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:76
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:78
static void run_ecdh_tests(void)
Definition: tests_impl.h:145
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static const unsigned char wycheproof_ecdsa_signatures[]
static const unsigned char wycheproof_ecdsa_public_keys[]
static const unsigned char wycheproof_ecdsa_messages[]
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
static const secp256k1_scalar secp256k1_ecmult_const_K
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:605
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:735
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:401
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:416
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:356
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:576
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:726
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:796
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:643
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:814
void run_ellswift_tests(void)
Definition: tests_impl.h:179
volatile double sum
Definition: examples.cpp:10
static void run_extrakeys_tests(void)
Definition: tests_impl.h:470
#define secp256k1_fe_cmov
Definition: field.h:96
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:216
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:238
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
#define secp256k1_fe_cmp_var
Definition: field.h:87
#define secp256k1_fe_normalize_weak
Definition: field.h:79
#define secp256k1_fe_is_odd
Definition: field.h:86
#define secp256k1_fe_mul
Definition: field.h:94
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
#define secp256k1_fe_add
Definition: field.h:93
#define secp256k1_fe_clear
Definition: field.h:84
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_half
Definition: field.h:102
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
#define secp256k1_fe_to_storage
Definition: field.h:97
#define secp256k1_fe_inv_var
Definition: field.h:100
#define secp256k1_fe_is_zero
Definition: field.h:85
#define secp256k1_fe_mul_int_unchecked
Definition: field.h:92
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
#define secp256k1_fe_is_square_var
Definition: field.h:104
#define secp256k1_fe_get_bounds
Definition: field.h:101
#define secp256k1_fe_from_storage
Definition: field.h:98
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
#define secp256k1_fe_negate_unchecked
Definition: field.h:91
#define secp256k1_fe_get_b32
Definition: field.h:90
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
#define secp256k1_fe_inv
Definition: field.h:99
#define secp256k1_fe_sqr
Definition: field.h:95
#define secp256k1_fe_normalize
Definition: field.h:78
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
#define secp256k1_fe_add_int
Definition: field.h:103
#define secp256k1_fe_set_int
Definition: field.h:83
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
#define SECP256K1_GE_X_MAGNITUDE_MAX
Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x,...
Definition: group.h:49
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX
Definition: group.h:52
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define SECP256K1_GE_Y_MAGNITUDE_MAX
Definition: group.h:50
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX
Definition: group.h:53
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
#define SECP256K1_GEJ_X_MAGNITUDE_MAX
Definition: group.h:51
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_t secp256k1_int128
Definition: int128_native.h:17
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
static void pool cs
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void run_multiset_tests(void)
Definition: tests_impl.h:336
Internal SHA-1 implementation.
Definition: sha1.cpp:14
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
SchnorrSig sig
Definition: processor.cpp:537
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:36
static void run_recovery_tests(void)
Definition: tests_impl.h:326
const char * prefix
Definition: rest.cpp:813
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 <= count <= 32) from a scalar.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 <= count <= 32) from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:79
static void run_schnorr_tests(void)
Definition: tests_impl.h:512
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:819
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:340
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:229
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:243
#define ALIGNMENT
Definition: util.h:170
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:96
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:358
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:322
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:366
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:386
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:91
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:311
#define CHECK(cond)
Definition: util.h:142
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:299
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:374
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:156
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:210
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:227
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:342
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:222
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:252
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:454
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:328
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:693
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:196
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:740
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:750
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:603
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:368
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:279
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:302
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:562
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:547
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:261
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:192
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:352
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:585
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:776
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:202
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:433
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:414
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:676
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:203
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:389
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:622
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:665
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:195
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:618
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:649
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:717
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:401
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:223
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:713
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
secp256k1_scalar * sc
Definition: tests.c:4650
secp256k1_ge * pt
Definition: tests.c:4651
void(* fn)(const char *text, void *data)
Definition: util.h:82
const void * data
Definition: util.h:83
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_scalar scalar_offset
Definition: ecmult_gen.h:127
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
secp256k1_fe z
Definition: group.h:31
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:21
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
uint64_t bytes
Definition: hash.h:16
uint32_t s[8]
Definition: hash.h:14
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
static void secp256k1_testrand_finish(void)
Print final test information.
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
static void run_random_pubkeys(void)
Definition: tests.c:6647
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:70
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5268
static void run_inverse_tests(void)
Definition: tests.c:3420
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:81
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:969
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5695
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6311
static void test_ge(void)
Definition: tests.c:3690
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:68
static void random_gej_x_magnitude(secp256k1_gej *gej)
Definition: tests.c:143
static void run_pubkey_comparison(void)
Definition: tests.c:6602
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6338
static void run_field_misc(void)
Definition: tests.c:3117
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5605
static void random_field_element_magnitude(secp256k1_fe *fe, int m)
Definition: tests.c:99
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5762
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:314
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6304
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6354
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6362
#define SECP256K1_EC_PARSE_TEST_NINVALID
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4891
static int COUNT
Definition: tests.c:40
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:867
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:125
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4523
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3669
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:249
static void run_tagged_sha256_tests(void)
Definition: tests.c:823
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:669
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:209
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:167
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5338
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:44
static void test_intialized_inf(void)
Definition: tests.c:3924
static void test_fixed_wnaf_small(void)
Definition: tests.c:5348
int main(int argc, char **argv)
Definition: tests.c:7542
static void run_ecmult_const_tests(void)
Definition: tests.c:4640
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3061
#define SECP256K1_EC_PARSE_TEST_NVALID
static void run_eckey_edge_case_test(void)
Definition: tests.c:6047
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2949
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7361
static void run_ecmult_constants(void)
Definition: tests.c:5548
static void run_field_be32_overflow(void)
Definition: tests.c:2994
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:984
static void run_ecmult_chain(void)
Definition: tests.c:4250
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3395
static void run_ec_combine(void)
Definition: tests.c:4094
static void run_deprecated_context_flags_test(void)
Definition: tests.c:265
static secp256k1_context * CTX
Definition: tests.c:41
static void run_point_times_order(void)
Definition: tests.c:4421
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:155
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6760
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:38
static void ecmult_const_commutativity(void)
Definition: tests.c:4469
static void int_cmov_test(void)
Definition: tests.c:7389
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3956
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5429
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4309
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6721
static void run_hmac_sha256_tests(void)
Definition: tests.c:738
static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2957
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5057
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:177
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:960
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6392
static void run_field_half(void)
Definition: tests.c:3068
static void run_eckey_negate_test(void)
Definition: tests.c:6269
static void scalar_test(void)
Definition: tests.c:2129
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2284
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4669
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6346
static void run_gej(void)
Definition: tests.c:4033
static void run_ge(void)
Definition: tests.c:4016
static void ge_storage_cmov_test(void)
Definition: tests.c:7502
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3356
static void fe_storage_cmov_test(void)
Definition: tests.c:7444
static void test_ec_combine(void)
Definition: tests.c:4069
static void random_gej_y_magnitude(secp256k1_gej *gej)
Definition: tests.c:147
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5075
static void test_ecmult_gen_edge_cases(void)
Definition: tests.c:5619
static void run_ctz_tests(void)
Definition: tests.c:547
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5095
static void run_scalar_tests(void)
Definition: tests.c:2301
static void test_random_pubkeys(void)
Definition: tests.c:6542
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:115
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4025
static void random_ge_y_magnitude(secp256k1_ge *ge)
Definition: tests.c:139
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3304
static void scalar_cmov_test(void)
Definition: tests.c:7474
static void random_ge_x_magnitude(secp256k1_ge *ge)
Definition: tests.c:135
static void run_ecmult_gen_blind(void)
Definition: tests.c:5637
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6397
static void run_sha256_known_output_tests(void)
Definition: tests.c:568
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4371
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:79
static void random_gej_z_magnitude(secp256k1_gej *gej)
Definition: tests.c:151
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:196
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6654
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4654
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4559
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:355
static void random_fe_magnitude(secp256k1_fe *fe)
Definition: tests.c:131
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3224
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4101
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5461
static void run_cmov_tests(void)
Definition: tests.c:7534
static void run_ecdsa_der_parse(void)
Definition: tests.c:6906
static void ecmult_const_random_mult(void)
Definition: tests.c:4442
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5647
static void run_field_convert(void)
Definition: tests.c:2964
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6661
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:283
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7314
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5505
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5176
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:90
static void run_sqrt(void)
Definition: tests.c:3318
static void run_modinv_tests(void)
Definition: tests.c:1165
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4348
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:951
static void run_xoshiro256pp_tests(void)
Definition: tests.c:215
static void run_wnaf(void)
Definition: tests.c:5402
static void run_ecmult_multi_tests(void)
Definition: tests.c:5241
static void run_selftest_tests(void)
Definition: tests.c:244
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1135
static void run_sqr(void)
Definition: tests.c:3288
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:256
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5128
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:183
static void run_endomorphism_tests(void)
Definition: tests.c:5674
static void run_scratch_tests(void)
Definition: tests.c:477
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7284
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4409
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7276
static void fe_cmov_test(void)
Definition: tests.c:7414
static void run_group_decompress(void)
Definition: tests.c:4165
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4490
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5421
static void ecmult_const_edges(void)
Definition: tests.c:4532
static void test_ecdsa_edge_cases(void)
Definition: tests.c:6938
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4614
static void run_ecmult_pre_g(void)
Definition: tests.c:4226
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4661
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:730
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4176
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5302
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3373
static void test_ecmult_gen_blind(void)
Definition: tests.c:5582
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7346
static void run_fe_mul(void)
Definition: tests.c:3267
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6733
static const secp256k1_fe fe_minus_one
Definition: tests.c:3361
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:782
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:850
static void random_fe(secp256k1_fe *x)
Definition: testutil.h:13
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:23
#define expect(bit)