1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "util.h"
27
28#include "../contrib/lax_der_parsing.c"
29#include "../contrib/lax_der_privatekey_parsing.c"
30
31#include "modinv32_impl.h"
32#ifdef SECP256K1_WIDEMUL_INT128
33#include "modinv64_impl.h"
34#include "int128_impl.h"
35#endif
36
/* Run the statement that follows the macro only when the iteration count
 * COUNT is at least cnt; otherwise print a skip message naming the test.
 * Expands to an if/else whose else branch is the caller's statement. */
#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
38
/* Iteration count for randomized tests; CONDITIONAL_TEST compares against
 * this to skip cases that need more iterations than configured. */
static int COUNT = 64;
/* Context shared by most tests. Left NULL here; presumably assigned by the
 * test entry point, which is not visible in this excerpt. */
static secp256k1_context *CTX = NULL;
42
/* Return 1 if each of the n bytes starting at s equals value, else 0.
 * n == 0 yields 1 (nothing to compare). */
static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
    const unsigned char *cur = s;
    const unsigned char *end = cur + n;

    while (cur != end) {
        if (*cur != value) {
            return 0;
        }
        cur++;
    }
    return 1;
}
54
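/* TODO Use CHECK_ILLEGAL(_VOID) everywhere and get rid of the uncounting callback */
/* CHECK that expr_or_stmt calls the illegal callback of ctx exactly once.
 *
 * For checking functions that use ARG_CHECK_VOID.
 *
 * The counting callback is installed only for the duration of expr_or_stmt;
 * the previous callback is put back afterwards, so ctx is left as it was
 * found. The expansion is a single statement (do { ... } while(0) with no
 * trailing semicolon), so it can be used as the body of an if/else; callers
 * terminate it with a semicolon as usual. */
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) do { \
    int32_t _calls_to_illegal_callback = 0; \
    secp256k1_callback _saved_illegal_cb = (ctx)->illegal_callback; \
    secp256k1_context_set_illegal_callback(ctx, \
        counting_illegal_callback_fn, &_calls_to_illegal_callback); \
    { expr_or_stmt; } \
    (ctx)->illegal_callback = _saved_illegal_cb; \
    CHECK(_calls_to_illegal_callback == 1); \
} while(0)

/* CHECK that expr calls the illegal callback of ctx exactly once and that expr == 0
 *
 * For checking functions that use ARG_CHECK */
#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))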
73
/* Illegal-argument callback for tests: ignores the message and increments
 * the int32_t counter that data points to. Aborts (via CHECK) instead of
 * incrementing past INT32_MAX, since signed overflow would be undefined. */
static void counting_illegal_callback_fn(const char* str, void* data) {
    int32_t *counter = data;
    (void)str;
    CHECK(*counter != INT32_MAX);
    ++*counter;
}
82
/* Illegal-argument callback for tests: ignores the message and decrements
 * the int32_t counter that data points to. Aborts (via CHECK) instead of
 * decrementing below INT32_MIN, since signed overflow would be undefined. */
static void uncounting_illegal_callback_fn(const char* str, void* data) {
    int32_t *counter = data;
    (void)str;
    CHECK(*counter != INT32_MIN);
    --*counter;
}
91
93 secp256k1_fe zero;
94 int n = secp256k1_testrand_int(9);
96 if (n == 0) {
97 return;
98 }
99 secp256k1_fe_clear(&zero);
100 secp256k1_fe_negate(&zero, &zero, 0);
101 secp256k1_fe_mul_int_unchecked(&zero, n - 1);
102 secp256k1_fe_add(fe, &zero);
103#ifdef VERIFY
104 CHECK(fe->magnitude == n);
105#endif
106}
107
109 unsigned char bin[32];
110 do {
112 if (secp256k1_fe_set_b32_limit(x, bin)) {
113 return;
114 }
115 } while(1);
116}
117
119 do {
120 random_fe_test(fe);
121 } while(secp256k1_fe_is_zero(fe));
122}
123
125 secp256k1_fe fe;
126 do {
127 random_fe_test(&fe);
130 break;
131 }
132 } while(1);
133 ge->infinity = 0;
134}
135
137 secp256k1_fe z2, z3;
139 secp256k1_fe_sqr(&z2, &gej->z);
140 secp256k1_fe_mul(&z3, &z2, &gej->z);
141 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
142 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
143 gej->infinity = ge->infinity;
144}
145
147 secp256k1_ge ge;
150}
151
153 do {
154 unsigned char b32[32];
155 int overflow = 0;
157 secp256k1_scalar_set_b32(num, b32, &overflow);
158 if (overflow || secp256k1_scalar_is_zero(num)) {
159 continue;
160 }
161 break;
162 } while(1);
163}
164
166 do {
167 unsigned char b32[32];
168 int overflow = 0;
170 secp256k1_scalar_set_b32(num, b32, &overflow);
171 if (overflow || secp256k1_scalar_is_zero(num)) {
172 continue;
173 }
174 break;
175 } while(1);
176}
177
178static void random_scalar_order_b32(unsigned char *b32) {
181 secp256k1_scalar_get_b32(b32, &num);
182}
183
184static void run_xoshiro256pp_tests(void) {
185 {
186 size_t i;
187 /* Sanity check that we run before the actual seeding. */
188 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
190 }
191 }
192 {
193 int i;
194 unsigned char buf32[32];
195 unsigned char seed16[16] = {
196 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
197 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
198 };
199 unsigned char buf32_expected[32] = {
200 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
201 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
202 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
203 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
204 };
206 for (i = 0; i < 17; i++) {
208 }
209 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
210 }
211}
212
213static void run_selftest_tests(void) {
214 /* Test public API */
216}
217
219 return a->built == b->built
220 && secp256k1_scalar_eq(&a->blind, &b->blind)
222}
223
224static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
225 return a->declassify == b->declassify
231}
232
234 /* Check that a context created with any of the flags in the flags array is
235 * identical to the NONE context. */
236 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
240 int i;
241 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
242 secp256k1_context *tmp_ctx;
244 tmp_ctx = secp256k1_context_create(flags[i]);
245 CHECK(context_eq(none_ctx, tmp_ctx));
247 }
249}
250
252 int ecount = 0;
253 int ecount2 = 10;
254 secp256k1_pubkey pubkey;
255 secp256k1_pubkey zero_pubkey;
257 unsigned char ctmp[32];
258
259 /* Setup */
262 memset(ctmp, 1, 32);
263 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
264
265 /* Verify context-type checking illegal-argument errors. */
266 CHECK(secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp) == 0);
267 CHECK(ecount == 1);
268 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
269 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
270 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
271 CHECK(secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL) == 0);
272 CHECK(ecount == 2);
274 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
276 CHECK(ecount2 == 10);
277 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
278 CHECK(ecount2 == 10);
279 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
280 CHECK(ecount == 2);
281 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
282 CHECK(ecount2 == 10);
283 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
284 CHECK(ecount == 2);
285 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
286 CHECK(ecount2 == 10);
288 CHECK(ecount == 2);
289 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
290 CHECK(ecount == 2);
291 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey) == 0);
292 CHECK(ecount == 3);
294 CHECK(ecount2 == 11);
295 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
296 CHECK(ecount == 3);
297
298 /* Clean up */
301}
302
303static void run_static_context_tests(int use_prealloc) {
304 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
306
307 {
308 unsigned char seed[32] = {0x17};
309
310 /* Randomizing secp256k1_context_static is not supported. */
313
314 /* Destroying or cloning secp256k1_context_static is not supported. */
315 if (use_prealloc) {
317 {
318 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
319 CHECK(my_static_ctx != NULL);
320 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
322 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
323 free(my_static_ctx);
324 }
326 } else {
329 }
330 }
331
332 {
333 /* Verify that setting and resetting illegal callback works */
334 int32_t dummy = 0;
341 }
342}
343
344static void run_proper_context_tests(int use_prealloc) {
345 int32_t dummy = 0;
346 secp256k1_context *my_ctx, *my_ctx_fresh;
347 void *my_ctx_prealloc = NULL;
348 unsigned char seed[32] = {0x17};
349
350 secp256k1_gej pubj;
351 secp256k1_ge pub;
352 secp256k1_scalar msg, key, nonce;
353 secp256k1_scalar sigr, sigs;
354
355 /* Fresh reference context for comparison */
357
358 if (use_prealloc) {
360 CHECK(my_ctx_prealloc != NULL);
362 } else {
364 }
365
366 /* Randomize and reset randomization */
367 CHECK(context_eq(my_ctx, my_ctx_fresh));
368 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
369 CHECK(!context_eq(my_ctx, my_ctx_fresh));
370 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
371 CHECK(context_eq(my_ctx, my_ctx_fresh));
372
373 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
377
378 /* check if sizes for cloning are consistent */
380
381 /*** clone and destroy all of them to make sure cloning was complete ***/
382 {
383 secp256k1_context *ctx_tmp;
384
385 if (use_prealloc) {
386 /* clone into a non-preallocated context and then again into a new preallocated one. */
387 ctx_tmp = my_ctx;
388 my_ctx = secp256k1_context_clone(my_ctx);
389 CHECK(context_eq(ctx_tmp, my_ctx));
391
392 free(my_ctx_prealloc);
394 CHECK(my_ctx_prealloc != NULL);
395 ctx_tmp = my_ctx;
396 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
397 CHECK(context_eq(ctx_tmp, my_ctx));
399 } else {
400 /* clone into a preallocated context and then again into a new non-preallocated one. */
401 void *prealloc_tmp;
402
404 CHECK(prealloc_tmp != NULL);
405 ctx_tmp = my_ctx;
406 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
407 CHECK(context_eq(ctx_tmp, my_ctx));
409
410 ctx_tmp = my_ctx;
411 my_ctx = secp256k1_context_clone(my_ctx);
412 CHECK(context_eq(ctx_tmp, my_ctx));
414 free(prealloc_tmp);
415 }
416 }
417
418 /* Verify that the error callback makes it across the clone. */
421 /* And that it resets back to default. */
422 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
424 CHECK(context_eq(my_ctx, my_ctx_fresh));
425
426 /* Verify that setting and resetting illegal callback works */
429 CHECK(my_ctx->illegal_callback.data == &dummy);
430 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
432 CHECK(my_ctx->illegal_callback.data == NULL);
433 CHECK(context_eq(my_ctx, my_ctx_fresh));
434
435 /*** attempt to use them ***/
438 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
439 secp256k1_ge_set_gej(&pub, &pubj);
440
441 /* obtain a working nonce */
442 do {
444 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
445
446 /* try signing */
447 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
448
449 /* try verifying */
450 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
451
452 /* cleanup */
453 if (use_prealloc) {
455 free(my_ctx_prealloc);
456 } else {
458 }
459 secp256k1_context_destroy(my_ctx_fresh);
460
461 /* Defined as no-op. */
464}
465
466static void run_scratch_tests(void) {
467 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
468
469 int32_t ecount = 0;
470 size_t checkpoint;
471 size_t checkpoint_2;
473 secp256k1_scratch_space local_scratch;
474
477
478 /* Test public API */
479 scratch = secp256k1_scratch_space_create(CTX, 1000);
480 CHECK(scratch != NULL);
481 CHECK(ecount == 0);
482
483 /* Test internal API */
485 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
486 CHECK(scratch->alloc_size == 0);
487 CHECK(scratch->alloc_size % ALIGNMENT == 0);
488
489 /* Allocating 500 bytes succeeds */
490 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
491 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
492 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
493 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
494 CHECK(scratch->alloc_size != 0);
495 CHECK(scratch->alloc_size % ALIGNMENT == 0);
496
497 /* Allocating another 501 bytes fails */
498 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
499 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
500 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
501 CHECK(scratch->alloc_size != 0);
502 CHECK(scratch->alloc_size % ALIGNMENT == 0);
503
504 /* ...but it succeeds once we apply the checkpoint to undo it */
506 CHECK(scratch->alloc_size == 0);
508 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
509 CHECK(scratch->alloc_size != 0);
510
511 /* try to apply a bad checkpoint */
512 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
514 CHECK(ecount == 0);
515 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
516 CHECK(ecount == 1);
517 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
518 CHECK(ecount == 2);
519
520 /* try to use badly initialized scratch space */
522 memset(&local_scratch, 0, sizeof(local_scratch));
523 scratch = &local_scratch;
525 CHECK(ecount == 3);
526 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) == NULL);
527 CHECK(ecount == 4);
529 CHECK(ecount == 5);
530
531 /* Test that large integers do not wrap around in a bad way */
532 scratch = secp256k1_scratch_space_create(CTX, 1000);
533 /* Try max allocation with a large number of objects. Only makes sense if
534 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
535 * space. */
536 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
537 /* Try allocating SIZE_MAX to test wrap around which only happens if
538 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
539 * space is too small. */
540 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
542
543 /* cleanup */
544 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
545
548}
549
/* Exercise both count-trailing-zeros implementations (the de Bruijn table
 * variant and the default one) for 32- and 64-bit words. Every base value
 * below is odd, so base << shift has exactly shift trailing zero bits and
 * the expected result is shift itself. */
static void run_ctz_tests(void) {
    static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
    static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
    unsigned k;
    int s;

    for (k = 0; k < sizeof(b32) / sizeof(b32[0]); ++k) {
        uint32_t base = b32[k];
        for (s = 0; s < 32; ++s) {
            uint32_t v = base << s;
            CHECK(secp256k1_ctz32_var_debruijn(v) == s);
            CHECK(secp256k1_ctz32_var(v) == s);
        }
    }
    for (k = 0; k < sizeof(b64) / sizeof(b64[0]); ++k) {
        uint64_t base = b64[k];
        for (s = 0; s < 64; ++s) {
            uint64_t v = base << s;
            CHECK(secp256k1_ctz64_var_debruijn(v) == s);
            CHECK(secp256k1_ctz64_var(v) == s);
        }
    }
}
568
569/***** HASH TESTS *****/
570
572 static const char *inputs[] = {
573 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
574 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
575 "For this sample, this 63-byte string will be used as input data",
576 "This is exactly 64 bytes long, not counting the terminating byte",
577 "aaaaa",
578 };
579 static const unsigned int repeat[] = {
580 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
581 };
582 static const unsigned char outputs[][32] = {
583 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
584 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
585 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
586 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
587 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
588 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
589 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
590 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
591 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
592 };
593 unsigned int i, ninputs;
594
595 /* Skip last input vector for low iteration counts */
596 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
597 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
598
599 for (i = 0; i < ninputs; i++) {
600 unsigned char out[32];
601 secp256k1_sha256 hasher;
602 unsigned int j;
603 /* 1. Run: simply write the input bytestrings */
604 j = repeat[i];
606 while (j > 0) {
607 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
608 j--;
609 }
611 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
612 /* 2. Run: split the input bytestrings randomly before writing */
613 if (strlen(inputs[i]) > 0) {
614 int split = secp256k1_testrand_int(strlen(inputs[i]));
616 j = repeat[i];
617 while (j > 0) {
618 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
619 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
620 j--;
621 }
623 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
624 }
625 }
626}
627
672static void run_sha256_counter_tests(void) {
673 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
674 static const secp256k1_sha256 midstates[] = {
675 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
676 {0x00}, 0xfffc0},
677 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
678 {0x00}, 0x1fffc0},
679 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
680 {0x00}, 0x3fffc0},
681 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
682 {0x00}, 0x7fffc0},
683 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
684 {0x00}, 0xffffc0},
685 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
686 {0x00}, 0x1ffffc0},
687 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
688 {0x00}, 0x3ffffc0},
689 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
690 {0x00}, 0x7ffffc0},
691 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
692 {0x00}, 0xfffffc0},
693 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
694 {0x00}, 0x1fffffc0},
695 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
696 {0x00}, 0x3fffffc0},
697 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
698 {0x00}, 0x7fffffc0},
699 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
700 {0x00}, 0xffffffc0},
701 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
702 {0x00}, 0x1ffffffc0},
703 };
704 static const unsigned char outputs[][32] = {
705 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
706 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
707 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
708 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
709 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
710 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
711 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
712 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
713 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
714 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
715 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
716 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
717 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
718 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
719 };
720 unsigned int i;
721 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
722 unsigned char out[32];
723 secp256k1_sha256 hasher = midstates[i];
724 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
726 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
727 }
728}
729
/* CHECK that two sha256 states are equal.
 *
 * Only the byte count and the compressed state words are compared, not any
 * pending partial block, so the result is meaningful only when the number
 * of bytes written so far is a multiple of 64 (i.e. the block buffer is
 * empty). The first CHECK enforces that precondition. Used by some module
 * tests. */
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
    const size_t state_size = sizeof(sha1->s);
    int buffer_empty = (sha1->bytes & 0x3F) == 0;

    /* Precondition: no partial block pending. */
    CHECK(buffer_empty);

    CHECK(sha1->bytes == sha2->bytes);
    CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, state_size) == 0);
}
740
741static void run_hmac_sha256_tests(void) {
742 static const char *keys[6] = {
743 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
744 "\x4a\x65\x66\x65",
745 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
746 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
747 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
748 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
749 };
750 static const char *inputs[6] = {
751 "\x48\x69\x20\x54\x68\x65\x72\x65",
752 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
753 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
754 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
755 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
756 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
757 };
758 static const unsigned char outputs[6][32] = {
759 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
760 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
761 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
762 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
763 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
764 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
765 };
766 int i;
767 for (i = 0; i < 6; i++) {
769 unsigned char out[32];
770 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
771 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
773 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
774 if (strlen(inputs[i]) > 0) {
775 int split = secp256k1_testrand_int(strlen(inputs[i]));
776 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
777 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
778 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
780 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
781 }
782 }
783}
784
786 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
787 static const unsigned char out1[3][32] = {
788 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
789 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
790 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
791 };
792
793 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
794 static const unsigned char out2[3][32] = {
795 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
796 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
797 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
798 };
799
801 unsigned char out[32];
802 int i;
803
805 for (i = 0; i < 3; i++) {
807 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
808 }
810
812 for (i = 0; i < 3; i++) {
814 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
815 }
817
819 for (i = 0; i < 3; i++) {
821 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
822 }
824}
825
/* Exercise secp256k1_tagged_sha256: argument validation (a NULL output, tag or
 * message pointer must return 0 and trigger the illegal-argument callback once
 * each) and a single static test vector for tag="tag", msg="msg". */
static void run_tagged_sha256_tests(void) {
    int ecount = 0;                 /* number of illegal-argument callback invocations */
    unsigned char tag[32] = { 0 };
    unsigned char msg[32] = { 0 };
    unsigned char hash32[32];
    /* Expected output of secp256k1_tagged_sha256 for the 3-byte tag "tag" and
     * the 3-byte message "msg"; compared against at the end of this function. */
    unsigned char hash_expected[32] = {
        0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
        0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
        0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
        0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
    };

    /* NOTE(review): the ecount assertions below require an illegal-argument
     * callback on CTX that increments ecount; its registration is not visible
     * in this listing — confirm it precedes the API checks. */

    /* API test */
    CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
    /* Each NULL pointer argument is rejected with return value 0 and exactly
     * one additional callback invocation. */
    CHECK(secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
    CHECK(ecount == 1);
    CHECK(secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)) == 0);
    CHECK(ecount == 2);
    CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0) == 0);
    CHECK(ecount == 3);

    /* Static test vector */
    memcpy(tag, "tag", 3);
    memcpy(msg, "msg", 3);
    CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
    CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
}
855
856/***** MODINV TESTS *****/
857
/* Compute the modular inverse of (odd) x mod 2^64. Aborts via CHECK when x is even. */
static uint64_t modinv2p64(uint64_t x) {
    /* Newton iteration for inverses modulo a power of two: if w is the inverse
     * of x mod 2^k, then w*(2 - w*x) is the inverse mod 2^(2k) (see Hacker's
     * Delight, 2nd edition, Henry S. Warren, Jr., pages 245-247). Every odd x
     * satisfies x*1 = 1 mod 2, so starting from w = 1 six doublings take the
     * precision from 2^1 to 2^64; uint64_t arithmetic reduces mod 2^64 for free. */
    uint64_t w = 1;
    int rounds_left = 6;
    CHECK(x & 1);
    while (rounds_left-- > 0) {
        w = w * (2 - w * x);
    }
    return w;
}
870
871
/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
 *
 * a, b and m are 256-bit numbers (represented as 16 uint16_t's in LE order).
 * The product is accumulated internally as a 512-bit number (32 uint16_t's in
 * LE order), but only its low 256 bits (16 uint16_t's, 32 bytes) are copied to
 * out. When m is given the reduced result fits in 256 bits, so nothing is
 * lost; when m==NULL and b!=NULL the high 256 bits of a*b are discarded.
 * Enforced via CHECK: the multiplication carry chain ends at zero, and after
 * reduction every limb above m's highest limb is zero. */
static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
    uint16_t mul[32];     /* 512-bit product, reduced in place when m is given */
    uint64_t c = 0;       /* carry accumulator for the schoolbook product */
    int i, j;
    int m_bitlen = 0;     /* index of the highest set bit of m (0 when m==NULL) */
    int mul_bitlen = 0;   /* index of the highest set bit of mul */

    if (b != NULL) {
        /* Compute the product of a and b, and put it in mul. */
        for (i = 0; i < 32; ++i) {
            /* Column i of the schoolbook product: every a[j]*b[i-j] with both
             * indices in 0..15. At most 16 products below 2^32 plus the carried
             * value, which fits comfortably in a uint64_t. */
            for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
                c += (uint64_t)a[j] * b[i - j];
            }
            mul[i] = c & 0xFFFF;
            c >>= 16;
        }
        CHECK(c == 0);

        /* compute the highest set bit in mul */
        for (i = 511; i >= 0; --i) {
            if ((mul[i >> 4] >> (i & 15)) & 1) {
                mul_bitlen = i;
                break;
            }
        }
    } else {
        /* if b==NULL, set mul=a: copy the 16 limbs of a and clear the high 16 limbs. */
        memcpy(mul, a, 32);
        memset(mul + 16, 0, 32);
        /* compute the highest set bit in mul */
        for (i = 255; i >= 0; --i) {
            if ((mul[i >> 4] >> (i & 15)) & 1) {
                mul_bitlen = i;
                break;
            }
        }
    }

    if (m) {
        /* Compute the highest set bit in m. */
        for (i = 255; i >= 0; --i) {
            if ((m[i >> 4] >> (i & 15)) & 1) {
                m_bitlen = i;
                break;
            }
        }

        /* Binary long division: try mul -= m<<i for i going down to 0, and keep
         * the result whenever it is not negative. */
        for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
            uint16_t mul2[32];
            int64_t cs;

            /* Compute mul2 = mul - m<<i. */
            cs = 0; /* accumulator; carries the borrow from limb to limb */
            for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
                /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
                uint16_t sub = 0;
                int p;
                for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
                    int bitpos = j * 16 - i + p; /* bitpos is the corresponding bit position in m. */
                    if (bitpos >= 0 && bitpos < 256) {
                        sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
                    }
                }
                /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j].
                 * cs may be negative here; propagating the borrow this way relies on
                 * the right shift of a negative int64_t being arithmetic, which is
                 * implementation-defined in C. */
                cs += mul[j];
                cs -= sub;
                mul2[j] = (cs & 0xFFFF);
                cs >>= 16;
            }
            /* If remainder of subtraction is 0, set mul = mul2. A final cs of 0
             * means no borrow left the top limb, i.e. the subtraction did not go
             * negative; otherwise mul2 is discarded and mul is kept. */
            if (cs == 0) {
                memcpy(mul, mul2, sizeof(mul));
            }
        }
        /* Sanity check: test that all limbs higher than m's highest are zero */
        for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
            CHECK(mul[i] == 0);
        }
    }
    /* Only the low 16 limbs (256 bits) of mul are handed back to the caller. */
    memcpy(out, mul, 32);
}
958
/* Convert a 256-bit number represented as 16 uint16_t's (LE order) to signed30
 * notation: bit pos of the input lands in bit (pos % 30) of out->v[pos / 30].
 * All limbs are cleared first, so the result uses non-negative limbs only. */
static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
    int pos;
    memset(out->v, 0, sizeof(out->v));
    for (pos = 0; pos < 256; ++pos) {
        if ((in[pos / 16] >> (pos % 16)) & 1) {
            out->v[pos / 30] |= (int32_t)1 << (pos % 30);
        }
    }
}
967
/* Convert a 256-bit number in signed30 notation to 16 uint16_t's (LE order):
 * bit (pos % 30) of in->v[pos / 30] becomes bit (pos % 16) of out[pos / 16].
 * Only the low 256 bits of the signed30 value are read. */
static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
    int limb, bit;
    memset(out, 0, 32);
    for (limb = 0; limb < 16; ++limb) {
        uint16_t acc = 0;
        for (bit = 0; bit < 16; ++bit) {
            int pos = limb * 16 + bit;
            acc |= (uint16_t)((((in->v[pos / 30]) >> (pos % 30)) & 1) << bit);
        }
        out[limb] = acc;
    }
}
976
977/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
979 int i;
980 for (i = 0; i < 16; ++i) {
981 int pos = secp256k1_testrand_bits(3);
982 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
983 x->v[pos] -= 0x40000000;
984 x->v[pos + 1] += 1;
985 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
986 x->v[pos] += 0x40000000;
987 x->v[pos + 1] -= 1;
988 }
989 }
990}
991
/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse.
 *
 * out receives the inverse of in modulo mod (16 uint16_t's, LE order); in and
 * mod use the same format. mod must be odd (modinv2p64 asserts this). Both
 * secp256k1_modinv32 and secp256k1_modinv32_var are checked to (1) yield a
 * value whose product with in is 1 mod mod (0 when in is 0) and (2) return to
 * the original input when applied a second time. Also checks
 * secp256k1_jacobi32_maybe_var on in^2 and -(in^2). */
static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
    uint16_t tmp[16];
    /* NOTE(review): the declarations of the signed30 working value x and of the
     * modinfo m (x.v, m.modulus and m.modulus_inv30 are used below) are not
     * visible in this listing. */
    int i, vartime, nonzero;

    uint16_to_signed30(&x, in);
    /* 0 has no inverse; the product check below expects 0 for it instead of 1. */
    nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
    uint16_to_signed30(&m.modulus, mod);

    /* compute 1/modulus mod 2^30 */
    /* v[0] holds bits 0..29 of mod. modinv2p64 gives the inverse mod 2^64 (and
     * asserts oddness); its low 30 bits are the inverse mod 2^30. */
    m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
    CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);

    /* Test secp256k1_jacobi32_maybe_var. */
    if (nonzero) {
        int jac;
        uint16_t sqr[16], negone[16];
        mulmod256(sqr, in, in, mod);
        uint16_to_signed30(&x, sqr);
        /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
        jac = secp256k1_jacobi32_maybe_var(&x, &m);
        CHECK(jac == 0 || jac == 1);
        /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
         * jacobi symbols if and only if (mod % 4) == 3. */
        /* negone = mod - 1, i.e. -1 mod mod; mod is odd, so limb 0 cannot borrow. */
        negone[0] = mod[0] - 1;
        for (i = 1; i < 16; ++i) negone[i] = mod[i];
        mulmod256(sqr, sqr, negone, mod);
        uint16_to_signed30(&x, sqr);
        jac = secp256k1_jacobi32_maybe_var(&x, &m);
        /* (mod[0] & 2) is 2 exactly when mod % 4 == 3, so the expected symbol is
         * -1 in that case and 1 otherwise. */
        CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
    }

    uint16_to_signed30(&x, in);
    /* NOTE(review): test_modinv64_uint16 randomizes the limb signs of m.modulus
     * at this point (mutate_sign_signed62); the signed30 counterpart is not
     * visible in this listing. */
    for (vartime = 0; vartime < 2; ++vartime) {
        /* compute inverse (vartime == 0: secp256k1_modinv32, vartime == 1: the _var variant) */
        (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);

        /* produce output */
        /* NOTE(review): the conversion of x into out is not visible in this
         * listing; out must hold the inverse before the product check below. */

        /* check if the inverse times the input is 1 (mod m), unless x is 0. */
        mulmod256(tmp, out, in, mod);
        CHECK(tmp[0] == nonzero);
        for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);

        /* invert again */
        (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);

        /* check if the result is equal to the input */
        signed30_to_uint16(tmp, &x);
        for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
    }
}
1048
1049#ifdef SECP256K1_WIDEMUL_INT128
/* Convert a 256-bit number represented as 16 uint16_t's (LE order) to signed62
 * notation: bit pos of the input lands in bit (pos % 62) of out->v[pos / 62].
 * All limbs are cleared first, so the result uses non-negative limbs only. */
static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
    int limb, bit;
    memset(out->v, 0, sizeof(out->v));
    for (limb = 0; limb < 16; ++limb) {
        for (bit = 0; bit < 16; ++bit) {
            int pos = limb * 16 + bit;                 /* absolute bit index, 0..255 */
            int64_t b = (int64_t)((in[limb] >> bit) & 1);
            out->v[pos / 62] |= b << (pos % 62);
        }
    }
}
1058
/* Convert a 256-bit number in signed62 notation to 16 uint16_t's (LE order):
 * bit (pos % 62) of in->v[pos / 62] becomes bit (pos % 16) of out[pos / 16].
 * Only the low 256 bits of the signed62 value are read. */
static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
    int pos;
    memset(out, 0, 32);
    for (pos = 0; pos < 256; ++pos) {
        int bit = (int)((in->v[pos / 62] >> (pos % 62)) & 1);
        if (bit) {
            out[pos / 16] |= (uint16_t)(1u << (pos % 16));
        }
    }
}
1067
/* Randomly mutate the sign of limbs in signed62 representation, without changing the value.
 *
 * Eight times, pick one of limbs 0..3 at random and move one unit of 2^62 between
 * it and the next limb (limb pos+1 has 2^62 times the weight of limb pos, so the
 * represented number is unchanged). A positive limb is pushed negative when the
 * next limb has room to grow; a negative limb is pushed positive when the next
 * limb has room to shrink. Limbs outside those ranges are left alone. */
static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
    static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);   /* 2^62 - 1 */
    int round;
    for (round = 0; round < 8; ++round) {
        int pos = secp256k1_testrand_bits(2);
        int64_t lo = x->v[pos];
        int64_t hi = x->v[pos + 1];
        if (lo > 0 && hi <= M62) {
            x->v[pos] = lo - (M62 + 1);
            x->v[pos + 1] = hi + 1;
        } else if (lo < 0 && hi >= -M62) {
            x->v[pos] = lo + (M62 + 1);
            x->v[pos + 1] = hi - 1;
        }
    }
}
1083
/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse.
 *
 * out receives the inverse of in modulo mod (16 uint16_t's, LE order); in and
 * mod use the same format. mod must be odd (modinv2p64 asserts this). Both
 * secp256k1_modinv64 and secp256k1_modinv64_var are checked to (1) yield a
 * value whose product with in is 1 mod mod (0 when in is 0) and (2) return to
 * the original input when applied a second time. Also checks
 * secp256k1_jacobi64_maybe_var on in^2 and -(in^2). */
static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
    static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);   /* 2^62 - 1: mask for one signed62 limb */
    uint16_t tmp[16];
    /* NOTE(review): the declarations of the signed62 working value x and of the
     * modinfo m (x.v, m.modulus and m.modulus_inv62 are used below) are not
     * visible in this listing. */
    int i, vartime, nonzero;

    uint16_to_signed62(&x, in);
    /* 0 has no inverse; the product check below expects 0 for it instead of 1. */
    nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
    uint16_to_signed62(&m.modulus, mod);

    /* compute 1/modulus mod 2^62 */
    /* v[0] holds bits 0..61 of mod. modinv2p64 gives the inverse mod 2^64 (and
     * asserts oddness); its low 62 bits are the inverse mod 2^62. */
    m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
    CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);

    /* Test secp256k1_jacobi64_maybe_var. */
    if (nonzero) {
        int jac;
        uint16_t sqr[16], negone[16];
        mulmod256(sqr, in, in, mod);
        uint16_to_signed62(&x, sqr);
        /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
        jac = secp256k1_jacobi64_maybe_var(&x, &m);
        CHECK(jac == 0 || jac == 1);
        /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
         * jacobi symbols if and only if (mod % 4) == 3. */
        /* negone = mod - 1, i.e. -1 mod mod; mod is odd, so limb 0 cannot borrow. */
        negone[0] = mod[0] - 1;
        for (i = 1; i < 16; ++i) negone[i] = mod[i];
        mulmod256(sqr, sqr, negone, mod);
        uint16_to_signed62(&x, sqr);
        jac = secp256k1_jacobi64_maybe_var(&x, &m);
        /* (mod[0] & 2) is 2 exactly when mod % 4 == 3, so the expected symbol is
         * -1 in that case and 1 otherwise. */
        CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
    }

    uint16_to_signed62(&x, in);
    /* Randomize the limb signs of the modulus (its value is unchanged),
     * presumably so the inversions also see non-canonical limb representations. */
    mutate_sign_signed62(&m.modulus);
    for (vartime = 0; vartime < 2; ++vartime) {
        /* compute inverse (vartime == 0: secp256k1_modinv64, vartime == 1: the _var variant) */
        (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);

        /* produce output */
        signed62_to_uint16(out, &x);

        /* check if the inverse times the input is 1 (mod m), unless x is 0. */
        mulmod256(tmp, out, in, mod);
        CHECK(tmp[0] == nonzero);
        for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);

        /* invert again */
        (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);

        /* check if the result is equal to the input */
        signed62_to_uint16(tmp, &x);
        for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
    }
}
1141#endif
1142
/* test if a and b are coprime
 *
 * a and b are 256-bit numbers (16 uint16_t's in LE order). Runs Euclid's
 * algorithm with mulmod256 as the remainder step and returns 1 exactly when
 * gcd(a, b) == 1, 0 otherwise. */
static int coprime(const uint16_t* a, const uint16_t* b) {
    uint16_t x[16], y[16], t[16];
    int i;
    memcpy(x, a, 32);
    memcpy(y, b, 32);

    /* simple gcd loop: while x != 0, (x, y) <- (y mod x, x); afterwards y = gcd(a, b) */
    for (;;) {
        int x_is_zero = 1;
        for (i = 0; i < 16 && x_is_zero; ++i) {
            x_is_zero = (x[i] == 0);
        }
        if (x_is_zero) {
            break;
        }
        mulmod256(t, y, NULL, x);   /* t = y mod x (b == NULL means multiply by 1) */
        memcpy(y, x, 32);
        memcpy(x, t, 32);
    }

    /* the gcd is 1 iff limb 0 is 1 and every higher limb is 0 */
    if (y[0] != 1) {
        return 0;
    }
    for (i = 1; i < 16; ++i) {
        if (y[i] != 0) {
            return 0;
        }
    }
    return 1;
}
1173
1174static void run_modinv_tests(void) {
1175 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1176 static const uint16_t CASES[][3][16] = {
1177 /* Test cases triggering edge cases in divsteps */
1178
1179 /* Test case known to need 713 divsteps */
1180 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1181 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1182 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1183 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1184 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1185 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1186 /* Test case known to need 589 divsteps, reaching delta=-140 and
1187 delta=141. */
1188 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1189 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1190 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1191 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1192 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1193 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1194 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1195 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1196 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1197 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1198 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1199 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1200 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1201 /* example needing 713 divsteps; delta=-2..3 */
1202 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1203 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1204 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1205 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1206 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1207 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1208 /* example needing 713 divsteps; delta=-2..3 */
1209 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1210 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1211 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1212 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1213 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1214 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1215 /* example needing 713 divsteps; delta=-2..3 */
1216 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1217 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1218 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1219 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1220 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1221 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1222 /* example reaching delta=-64..65; 661 divsteps */
1223 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1224 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1225 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1226 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1227 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1228 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1229 /* example reaching delta=-64..65; 661 divsteps */
1230 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1231 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1232 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1233 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1234 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1235 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1236 /* example reaching delta=-64..65; 661 divsteps */
1237 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1238 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1239 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1240 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1241 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1242 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1243 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1244 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1245 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1246 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1247 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1248 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1249 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1250 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1251 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1252 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1253 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1254 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1255 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1256 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1257 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1258 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1259 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1260 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1261 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1262 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1263 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1264 /* example doing 446 (f,g/2) steps; 523 divsteps */
1265 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1266 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1267 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1268 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1269 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1270 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1271 /* example doing 446 (f,g/2) steps; 523 divsteps */
1272 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1273 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1274 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1275 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1276 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1277 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1278 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1279 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1280 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1281 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1282 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1283 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1284 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1285 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1286 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1287 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1288 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1289 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1290 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1291 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1292 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1293 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1294 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1295 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1296 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1297 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1298 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1299 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1300 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1301 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1302 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1303 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1304 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1305 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1306
1307 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1308
1309 /* example needing 590 divsteps; delta=-5/2..7/2 */
1310 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1311 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1312 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1313 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1314 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1315 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1316 /* example needing 590 divsteps; delta=-3/2..5/2 */
1317 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1318 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1319 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1320 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1321 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1322 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1323 /* example needing 590 divsteps; delta=-3/2..5/2 */
1324 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1325 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1326 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1327 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1328 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1329 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1330 /* example needing 590 divsteps; delta=-5/2..7/2 */
1331 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1332 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1333 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1334 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1335 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1336 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1337 /* example needing 590 divsteps; delta=-3/2..5/2 */
1338 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1339 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1340 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1341 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1342 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1343 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1344 /* example reaching delta=-127/2..129/2; 571 divsteps */
1345 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1346 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1347 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1348 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1349 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1350 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1351 /* example reaching delta=-127/2..129/2; 571 divsteps */
1352 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1353 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1354 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1355 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1356 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1357 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1358 /* example reaching delta=-127/2..129/2; 571 divsteps */
1359 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1360 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1361 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1362 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1363 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1364 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1365 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1366 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1367 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1368 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1369 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1370 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1371 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1372 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1373 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1374 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1375 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1376 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1377 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1378 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1379 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1380 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1381 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1382 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1383 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1384 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1385 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1386 /* example doing 453 (f,g/2) steps; 514 divsteps */
1387 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1388 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1389 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1390 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1391 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1392 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1393 /* example doing 453 (f,g/2) steps; 514 divsteps */
1394 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1395 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1396 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1397 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1398 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1399 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1400 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1401 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1402 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1403 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1404 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1405 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1406 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1407 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1408 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1409 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1410 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1411 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1412 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1413 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1414 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1415 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1416 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1417 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1418 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1419 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1420 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1421 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1422 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1423 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1424 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1425 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1426 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1427 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1428
1429 /* Test cases with the group order as modulus. */
1430
1431 /* Test case with the group order as modulus, needing 635 divsteps. */
1432 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1433 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1434 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1435 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1436 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1437 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1438 /* example with group size as modulus needing 631 divsteps */
1439 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1440 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1441 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1442 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1443 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1444 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1445 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1446 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1447 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1448 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1449 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1450 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1451 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1452 /* Test case with the group size as modulus, needing 981 divsteps with
1453 broken eta handling. */
1454 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1455 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1456 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1457 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1458 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1459 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1460 /* Test case with the group size as modulus, input = 0. */
1461 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1462 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1463 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1464 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1465 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1466 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1467 /* Test case with the group size as modulus, input = 1. */
1468 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1469 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1470 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1471 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1472 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1473 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1474 /* Test case with the group size as modulus, input = 2. */
1475 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1476 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1477 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1478 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1479 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1480 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1481 /* Test case with the group size as modulus, input = group - 1. */
1482 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1483 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1484 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1485 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1486 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1487 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1488
1489 /* Test cases with the field size as modulus. */
1490
1491 /* Test case with the field size as modulus, needing 637 divsteps. */
1492 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1493 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1494 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1495 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1496 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1497 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1498 /* example with field size as modulus needing 637 divsteps */
1499 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1500 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1501 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1502 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1503 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1504 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1505 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1506 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1507 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1508 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1509 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1510 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1511 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1512 /* Test case with the field size as modulus, needing 935 divsteps with
1513 broken eta handling. */
1514 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1515 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1516 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1517 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1518 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1519 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1520 /* Test case with the field size as modulus, input = 0. */
1521 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1522 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1523 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1524 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1525 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1526 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1527 /* Test case with the field size as modulus, input = 1. */
1528 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1529 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1530 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1531 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1532 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1533 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1534 /* Test case with the field size as modulus, input = 2. */
1535 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1536 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1537 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1538 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1539 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1540 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1541 /* Test case with the field size as modulus, input = field - 1. */
1542 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1543 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1544 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1545 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1546 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1547 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1548
1549 /* Selected from a large number of random inputs to reach small/large
1550 * d/e values in various configurations. */
1551 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1552 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1553 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1554 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1555 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1556 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1557 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1558 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1559 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1560 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1561 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1562 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1563 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1564 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1565 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1566 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1567 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1568 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1569 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1570 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1571 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1572 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1573 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1574 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1575 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1576 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1577 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1578 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1579 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1580 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1581 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1582 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1583 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1584 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1585 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1586 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1587 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1588 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1589 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1590 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1591 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1592 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1593 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1594 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1595 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1596 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1597 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1598 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1599 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1600 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1601 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1602 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1603 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1604 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1605 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1606 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1607 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1608 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1609 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1610 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1611 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1612 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1613 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1614 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1615 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1616 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1617 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1618 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1619 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1620 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1621 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1622 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1623 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1624 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1625 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1626 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1627 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1628 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1629 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1630 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1631 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1632 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1633 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1634 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1635 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1636 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1637 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1638 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1639 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1640 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1641 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1642 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1643 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1644 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1645 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1646 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1647 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1648 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1649 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1650 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1651 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1652 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1653 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1654 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1655 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1656 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1657 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1658 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1659 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1660 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1661 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1662 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1663 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1664 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1665 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1666 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1667 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1668 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1669 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1670 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1671 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1672 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1673 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1674 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1675 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1676 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1677 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1678 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1679 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1680 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1681 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1682 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1683 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1684 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1685 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1686 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1687 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1688 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1689 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1690 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1691 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1692 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1693 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1694 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1695 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1696 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1697 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1698 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1699 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1700 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1701 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1702 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1703 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1704 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1705 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1706 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1707 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1708 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1709 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1710 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1711 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1712 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1713 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1714 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1715 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1716 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1717 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1718 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1719 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1720 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1721 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1722 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1723 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1724 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1725 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1726 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1727 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1728 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1729 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1730 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1731 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1732 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1733 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1734 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1735 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1736 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1737 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1738 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1739 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1740 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1741 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1742 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1743 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1744 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1745 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1746 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1747 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1748 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1749 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1750 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1751 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1752 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1753 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1754 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1755 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1756 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1757 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1758 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1759 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1760 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1761 };
1762
1763 int i, j, ok;
1764
1765 /* Test known inputs/outputs */
1766 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1767 uint16_t out[16];
1768 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1769 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1770#ifdef SECP256K1_WIDEMUL_INT128
1771 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1772 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1773#endif
1774 }
1775
1776 for (i = 0; i < 100 * COUNT; ++i) {
1777 /* 256-bit numbers in 16-uint16_t's notation */
1778 static const uint16_t ZERO[16] = {0};
1779 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1780 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1781 uint16_t id[16]; /* the inverse of xd mod md */
1782
1783 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1784 do {
1785 /* generate random xd and md (with many subsequent 0s and 1s) */
1786 secp256k1_testrand256_test((unsigned char*)xd);
1787 secp256k1_testrand256_test((unsigned char*)md);
1788 md[0] |= 1; /* modulus must be odd */
1789 /* If modulus is 1, find another one. */
1790 ok = md[0] != 1;
1791 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1792 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1793 } while (!(ok && coprime(xd, md)));
1794
1795 test_modinv32_uint16(id, xd, md);
1796#ifdef SECP256K1_WIDEMUL_INT128
1797 test_modinv64_uint16(id, xd, md);
1798#endif
1799
1800 /* In a few cases, also test with input=0 */
1801 if (i < COUNT) {
1802 test_modinv32_uint16(id, ZERO, md);
1803#ifdef SECP256K1_WIDEMUL_INT128
1804 test_modinv64_uint16(id, ZERO, md);
1805#endif
1806 }
1807 }
1808}
1809
1810/***** INT128 TESTS *****/
1811
1812#ifdef SECP256K1_WIDEMUL_INT128
/* Compute out = (a + b) mod 2^256 on 256-bit values held as 16 little-endian
 * uint16_t limbs. The carry never exceeds one bit. out may alias a and/or b:
 * both inputs at a given limb index are read before that limb of out is written. */
static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
    uint32_t acc = 0;
    int limb;
    for (limb = 0; limb < 16; ++limb) {
        acc += (uint32_t)a[limb] + (uint32_t)b[limb];
        out[limb] = (uint16_t)(acc & 0xffff);
        acc >>= 16; /* leftover carry into the next limb */
    }
}
1824
/* Compute out = -a mod 2^256 (two's complement: ~a + 1) on 256-bit values held
 * as 16 little-endian uint16_t limbs. out may alias a. */
static void neg256(uint16_t* out, const uint16_t* a) {
    uint32_t acc = 1; /* the "+1" of the two's complement */
    int limb;
    for (limb = 0; limb < 16; ++limb) {
        acc += (uint32_t)(0xffffu - a[limb]); /* bitwise complement of the limb */
        out[limb] = (uint16_t)acc;
        acc >>= 16;
    }
}
1835
/* Compute out = a >> n on a 256-bit value held as 16 little-endian uint16_t limbs.
 * Bits shifted in from above are copies of bit 255 of a when sign_extend is
 * nonzero (arithmetic shift), zero otherwise (logical shift). Callers pass
 * 0 <= n < 256; each output limb is assembled fully before being stored. */
static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
    const int fill = sign_extend && (a[15] >> 15);
    int limb;
    for (limb = 15; limb >= 0; --limb) {
        uint16_t acc = 0;
        int bit;
        for (bit = 0; bit < 16; ++bit) {
            const int src = limb * 16 + bit + n; /* source bit position in a */
            int val;
            if (src < 256) {
                val = (a[src / 16] >> (src % 16)) & 1;
            } else {
                val = fill;
            }
            acc = (uint16_t)(acc | (val << bit));
        }
        out[limb] = acc;
    }
}
1853
/* Write the 64-bit value v into the low four limbs of a 16-limb little-endian
 * uint16_t array and fill limbs 4..15 with the extension: all ones when
 * is_signed is nonzero and bit 63 of v is set, zero otherwise. */
static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
    const uint16_t ext = (is_signed && (v >> 63)) ? 0xffff : 0;
    int limb;
    for (limb = 0; limb < 16; ++limb) {
        /* the shift is only evaluated for limb < 4, so it stays below 64 */
        out[limb] = (limb < 4) ? (uint16_t)(v >> (16 * limb)) : ext;
    }
}
1865
/* Write the 128-bit value (hi:lo) into the low eight limbs of a 16-limb
 * little-endian uint16_t array (lo in limbs 0..3, hi in limbs 4..7) and fill
 * limbs 8..15 with the extension: all ones when is_signed is nonzero and bit 63
 * of hi is set, zero otherwise. */
static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
    const uint16_t ext = (is_signed && (hi >> 63)) ? 0xffff : 0;
    int limb;
    for (limb = 0; limb < 4; ++limb) {
        const int sh = 16 * limb;
        out[limb] = (uint16_t)(lo >> sh);
        out[limb + 4] = (uint16_t)(hi >> sh);
        out[limb + 8] = ext;
        out[limb + 12] = ext;
    }
}
1880
/* Return 1 if the 256-bit two's-complement value v (16 little-endian uint16_t
 * limbs) fits in a signed 128-bit integer, i.e. -2^127 <= v < 2^127, which holds
 * exactly when bits 128..255 are all equal to bit 127. Return 0 otherwise. */
static int int256is127(const uint16_t* v) {
    const uint16_t top = (v[7] & 0x8000) ? 0xffff : 0x0000; /* bit 127 replicated */
    int limb;
    for (limb = 8; limb < 16; ++limb) {
        if (v[limb] != top) {
            return 0;
        }
    }
    return 1;
}
1891
/* Expand an unsigned 128-bit value into the 16-limb little-endian reference
 * representation (zero-extended above bit 127). */
static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
    const uint64_t hi = secp256k1_u128_hi_u64(v);
    const uint64_t lo = secp256k1_u128_to_u64(v);
    load256two64(out, hi, lo, 0);
}
1896
/* Expand a signed 128-bit value into the 16-limb little-endian reference
 * representation (sign-extended above bit 127). Works on a copy because the
 * high word is extracted with a destructive 64-bit right shift. */
static void load256i128(uint16_t* out, const secp256k1_int128* v) {
    secp256k1_int128 tmp = *v;
    const uint64_t lo = secp256k1_i128_to_u64(&tmp);
    int64_t hi;
    secp256k1_i128_rshift(&tmp, 64);
    hi = secp256k1_i128_to_i64(&tmp);
    load256two64(out, (uint64_t)hi, lo, 1);
}
1906
/* One randomized round of the int128 tests.
 *
 * Draws a random 256-bit value, splits it into four 64-bit words and uses them
 * as operands for the secp256k1_u128_* / secp256k1_i128_* primitives. Each
 * primitive's result is expanded into the 16-limb (uint16_t, little-endian)
 * 256-bit representation and compared against the same operation carried out
 * by the simple reference helpers above (mulmod256/add256/neg256/rshift256),
 * so the optimized 128-bit arithmetic is checked against an independent model.
 * The comparisons cover 16 bytes, i.e. the low 128 bits, of the reference
 * values (assuming secp256k1_memcmp_var has memcmp semantics). */
static void run_int128_test_case(void) {
    unsigned char buf[32];
    uint64_t v[4];
    secp256k1_int128 swa, swz;
    secp256k1_uint128 uwa, uwz;
    uint64_t ub, uc;
    int64_t sb, sc;
    /* Reference representations: *a = the 128-bit operand, *z = the result of
     * the function under test, *r = the result computed by the reference model.
     * The 32-limb arrays leave room for mulmod256's output when it is called
     * without a modulus (NULL); only the low limbs are compared. */
    uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
    uint16_t rub[16], ruc[16], rsb[16], rsc[16];
    int i;

    /* Generate 32-byte random value. */
    /* NOTE(review): the statement that fills buf is not shown in this rendering
     * (source line 1919 is absent); presumably secp256k1_testrand256(buf) —
     * confirm against the repository. */
    /* Convert into 4 64-bit integers (big-endian within each 8-byte group). */
    for (i = 0; i < 4; ++i) {
        uint64_t vi = 0;
        int j;
        for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
        v[i] = vi;
    }
    /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
    secp256k1_u128_load(&uwa, v[1], v[0]);
    secp256k1_i128_load(&swa, v[1], v[0]);
    ub = v[2];
    sb = v[2];
    uc = v[3];
    sc = v[3];
    /* Load those also into 16-bit array representations. */
    load256u128(ruwa, &uwa);
    load256i128(rswa, &swa);
    load256u64(rub, ub, 0);
    load256u64(rsb, sb, 1);
    load256u64(ruc, uc, 0);
    load256u64(rsc, sc, 1);
    /* test secp256k1_u128_mul: ub * uc */
    mulmod256(ruwr, rub, ruc, NULL);
    secp256k1_u128_mul(&uwz, ub, uc);
    load256u128(ruwz, &uwz);
    CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
    /* test secp256k1_u128_accum_mul: uwa + ub * uc */
    mulmod256(ruwr, rub, ruc, NULL);
    add256(ruwr, ruwr, ruwa);
    uwz = uwa;
    secp256k1_u128_accum_mul(&uwz, ub, uc);
    load256u128(ruwz, &uwz);
    CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
    /* test secp256k1_u128_accum_u64: uwa + ub */
    add256(ruwr, rub, ruwa);
    uwz = uwa;
    secp256k1_u128_accum_u64(&uwz, ub);
    load256u128(ruwz, &uwz);
    CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
    /* test secp256k1_u128_rshift: logical shift by 0..127 bits */
    rshift256(ruwr, ruwa, uc % 128, 0);
    uwz = uwa;
    secp256k1_u128_rshift(&uwz, uc % 128);
    load256u128(ruwz, &uwz);
    CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
    /* test secp256k1_u128_to_u64 */
    CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
    /* test secp256k1_u128_hi_u64 */
    CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
    /* test secp256k1_u128_from_u64 */
    secp256k1_u128_from_u64(&uwz, ub);
    load256u128(ruwz, &uwz);
    CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
    /* test secp256k1_u128_check_bits */
    {
        /* uwa_bits ends up as the bit length of uwa: one past the highest set bit
         * (0 when uwa == 0), since the shifted limb is nonzero exactly when some
         * bit at position j or above within that limb is set. */
        int uwa_bits = 0;
        int j;
        for (j = 0; j < 128; ++j) {
            if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
        }
        /* check_bits(uwa, j) is expected to report whether uwa fits in j bits. */
        for (j = 0; j < 128; ++j) {
            CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
        }
    }
    /* test secp256k1_i128_mul: sb * sc */
    mulmod256(rswr, rsb, rsc, NULL);
    secp256k1_i128_mul(&swz, sb, sc);
    load256i128(rswz, &swz);
    CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
    /* test secp256k1_i128_accum_mul: swa + sb * sc, only compared when the
     * reference result fits in a signed 128-bit integer. */
    mulmod256(rswr, rsb, rsc, NULL);
    add256(rswr, rswr, rswa);
    if (int256is127(rswr)) {
        swz = swa;
        secp256k1_i128_accum_mul(&swz, sb, sc);
        load256i128(rswz, &swz);
        CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
    }
    /* test secp256k1_i128_det: reference is sb * se - sc * sd */
    {
        uint16_t rsd[16], rse[16], rst[32];
        int64_t sd = v[0], se = v[1];
        load256u64(rsd, sd, 1);
        load256u64(rse, se, 1);
        mulmod256(rst, rsc, rsd, NULL);
        neg256(rst, rst);
        mulmod256(rswr, rsb, rse, NULL);
        add256(rswr, rswr, rst);
        secp256k1_i128_det(&swz, sb, sc, sd, se);
        load256i128(rswz, &swz);
        CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
    }
    /* test secp256k1_i128_rshift: arithmetic shift by 0..126 bits */
    rshift256(rswr, rswa, uc % 127, 1);
    swz = swa;
    secp256k1_i128_rshift(&swz, uc % 127);
    load256i128(rswz, &swz);
    CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
    /* test secp256k1_i128_to_u64 */
    CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
    /* test secp256k1_i128_from_i64 */
    secp256k1_i128_from_i64(&swz, sb);
    load256i128(rswz, &swz);
    CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
    /* test secp256k1_i128_to_i64 (swz still holds sb from the line above) */
    CHECK(secp256k1_i128_to_i64(&swz) == sb);
    /* test secp256k1_i128_eq_var */
    {
        /* Randomly choose whether the two operands should compare equal. */
        int expect = (uc & 1);
        swz = swa;
        if (!expect) {
            /* Make sure swz != swa by flipping one bit, selected by ub, of the copy. */
            uint64_t v0c = v[0], v1c = v[1];
            if (ub & 64) {
                v1c ^= (((uint64_t)1) << (ub & 63));
            } else {
                v0c ^= (((uint64_t)1) << (ub & 63));
            }
            secp256k1_i128_load(&swz, v1c, v0c);
        }
        CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
    }
    /* test secp256k1_i128_check_pow2 (sign == 1) */
    {
        int expect = (uc & 1);
        int pos = ub % 127;
        if (expect) {
            /* If expect==1, set swz to exactly 2^pos. */
            uint64_t hi = 0;
            uint64_t lo = 0;
            if (pos >= 64) {
                hi = (((uint64_t)1) << (pos & 63));
            } else {
                lo = (((uint64_t)1) << (pos & 63));
            }
            secp256k1_i128_load(&swz, hi, lo);
        } else {
            /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
            if (pos >= 64) {
                if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
            } else {
                if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
            }
            swz = swa;
        }
        CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
    }
    /* test secp256k1_i128_check_pow2 (sign == -1) */
    {
        int expect = (uc & 1);
        int pos = ub % 127;
        if (expect) {
            /* If expect==1, set swz to exactly -2^pos (two's complement: all
             * ones above bit pos, zeros below). */
            uint64_t hi = ~(uint64_t)0;
            uint64_t lo = ~(uint64_t)0;
            if (pos >= 64) {
                hi <<= (pos & 63);
                lo = 0;
            } else {
                lo <<= (pos & 63);
            }
            secp256k1_i128_load(&swz, hi, lo);
        } else {
            /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
            if (pos >= 64) {
                if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
            } else {
                if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
            }
            swz = swa;
        }
        CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
    }
}
2094
/* Entry point for the int128 tests: a few fixed edge cases at the limits of
 * the 128-bit range, followed by 256 * COUNT randomized rounds. */
static void run_int128_tests(void) {
    { /* secp256k1_u128_accum_mul */
        /* NOTE(review): the declaration of res (presumably secp256k1_uint128 res;)
         * is not shown in this rendering; source line 2097 is absent. */

        /* Check secp256k1_u128_accum_mul overflow: 2 * (2^64-1)^2 = 2^129 - 2^66 + 2,
         * which wraps mod 2^128 to (2^64 - 4) * 2^64 + 2. */
        secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
        secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
        CHECK(secp256k1_u128_to_u64(&res) == 2);
        CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
    }
    { /* secp256k1_i128_accum_mul */
        secp256k1_int128 res;

        /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul:
         * 2 * (2^63-1)^2 = 2^127 - 2^65 + 2, plus 4 * (2^63-1) = 2^65 - 4, plus 1. */
        secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
        secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
        CHECK(secp256k1_i128_to_u64(&res) == 2);
        secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
        secp256k1_i128_accum_mul(&res, 1, 1);
        CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
        secp256k1_i128_rshift(&res, 64);
        CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);

        /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul:
         * 2 * (2^63-1) * (-2^63) = -2^127 + 2^64, plus 2 * (-2^63) = -2^64. */
        secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
        CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
        secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
        CHECK(secp256k1_i128_to_u64(&res) == 0);
        secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
        CHECK(secp256k1_i128_to_u64(&res) == 0);
        secp256k1_i128_rshift(&res, 64);
        CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
    }
    {
        /* Randomized tests. */
        int i;
        for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
    }
}
2134#endif
2135
2136/***** SCALAR TESTS *****/
2137
/* Randomized algebraic checks on secp256k1_scalar: bit extraction, shifting,
 * and the ring laws (commutativity, associativity, distributivity, identities,
 * zero product) over three random scalars s, s1, s2.
 *
 * NOTE(review): this rendering drops a number of lines (the gutter jumps at
 * 2139-2141, 2145, 2148, 2151-2152, 2157-2158, 2160, 2173, 2175, 2177, 2195,
 * 2197, 2217, 2221-2222, 2279-2280, 2286-2287 and 2293-2295). Those are
 * presumably the declarations and random initialisation of s, s1, s2 and the
 * per-block temporaries n, t, r, b, r1 used below, plus the setup of the
 * identity and zero-product checks. The code here is reproduced as rendered;
 * the dropped lines are not reconstructed.
 */
static void scalar_test(void) {
    /* Byte-array form of s2; only referenced by lines this rendering omits. */
    unsigned char c[32];

    /* Set 's' to a random scalar, with value 'snum'. */

    /* Set 's1' to a random scalar, with value 's1num'. */

    /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */

    {
        int i;
        /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it.
         * Bits are taken most-significant group first (offset 256 - 4 - i), so
         * doubling n four times and adding the nibble rebuilds s exactly. */
        for (i = 0; i < 256; i += 4) {
            int j;
            secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
            for (j = 0; j < 4; j++) {
                secp256k1_scalar_add(&n, &n, &n);
            }
            secp256k1_scalar_add(&n, &n, &t);
        }
        CHECK(secp256k1_scalar_eq(&n, &s));
    }

    {
        /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it.
         * Same idea as above but with group widths of 1..15 bits chosen at
         * random; the last group is clipped so the total is exactly 256 bits. */
        int i = 0;
        while (i < 256) {
            int j;
            int now = secp256k1_testrand_int(15) + 1;
            if (now + i > 256) {
                now = 256 - i;
            }
            secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
            for (j = 0; j < now; j++) {
                secp256k1_scalar_add(&n, &n, &n);
            }
            secp256k1_scalar_add(&n, &n, &t);
            i += now;
        }
        CHECK(secp256k1_scalar_eq(&n, &s));
    }

    {
        /* test secp256k1_scalar_shr_int
         * For shifts of 1..15 bits the returned value must equal the low
         * `shift` bits of the lowest limb r.d[0] before the shift. shift <= 15
         * keeps 1 << shift well inside int range. */
        int i;
        for (i = 0; i < 100; ++i) {
            int low;
            int shift = 1 + secp256k1_testrand_int(15);
            int expected = r.d[0] % (1 << shift);
            low = secp256k1_scalar_shr_int(&r, shift);
            CHECK(expected == low);
        }
    }

    {
        /* Test commutativity of add. */
        secp256k1_scalar r1, r2;
        secp256k1_scalar_add(&r1, &s1, &s2);
        secp256k1_scalar_add(&r2, &s2, &s1);
        CHECK(secp256k1_scalar_eq(&r1, &r2));
    }

    {
        secp256k1_scalar r1, r2;
        int i;
        /* Test add_bit.
         * b is doubled `bit` times so that it equals 2^bit (its initial value
         * is set on a line this rendering omits). s1 + b via scalar_add is
         * compared against scalar_cadd_bit(s1, bit, 1); the comparison is only
         * meaningful when the plain add did not wrap modulo the group order,
         * which is what the return value of secp256k1_scalar_add reports. */
        int bit = secp256k1_testrand_bits(8);
        for (i = 0; i < bit; i++) {
            secp256k1_scalar_add(&b, &b, &b);
        }
        r1 = s1;
        r2 = s1;
        if (!secp256k1_scalar_add(&r1, &r1, &b)) {
            /* No overflow happened. */
            secp256k1_scalar_cadd_bit(&r2, bit, 1);
            CHECK(secp256k1_scalar_eq(&r1, &r2));
            /* cadd is a noop when flag is zero */
            secp256k1_scalar_cadd_bit(&r2, bit, 0);
            CHECK(secp256k1_scalar_eq(&r1, &r2));
        }
    }

    {
        /* Test commutativity of mul. */
        secp256k1_scalar r1, r2;
        secp256k1_scalar_mul(&r1, &s1, &s2);
        secp256k1_scalar_mul(&r2, &s2, &s1);
        CHECK(secp256k1_scalar_eq(&r1, &r2));
    }

    {
        /* Test associativity of add: (s1 + s2) + s == s1 + (s2 + s). */
        secp256k1_scalar r1, r2;
        secp256k1_scalar_add(&r1, &s1, &s2);
        secp256k1_scalar_add(&r1, &r1, &s);
        secp256k1_scalar_add(&r2, &s2, &s);
        secp256k1_scalar_add(&r2, &s1, &r2);
        CHECK(secp256k1_scalar_eq(&r1, &r2));
    }

    {
        /* Test associativity of mul: (s1 * s2) * s == s1 * (s2 * s). */
        secp256k1_scalar r1, r2;
        secp256k1_scalar_mul(&r1, &s1, &s2);
        secp256k1_scalar_mul(&r1, &r1, &s);
        secp256k1_scalar_mul(&r2, &s2, &s);
        secp256k1_scalar_mul(&r2, &s1, &r2);
        CHECK(secp256k1_scalar_eq(&r1, &r2));
    }

    {
        /* Test distributivity of mul over add: (s1 + s2) * s == s1*s + s2*s. */
        secp256k1_scalar r1, r2, t;
        secp256k1_scalar_add(&r1, &s1, &s2);
        secp256k1_scalar_mul(&r1, &r1, &s);
        secp256k1_scalar_mul(&r2, &s1, &s);
        secp256k1_scalar_mul(&t, &s2, &s);
        secp256k1_scalar_add(&r2, &r2, &t);
        CHECK(secp256k1_scalar_eq(&r1, &r2));
    }

    {
        /* Test multiplicative identity.
         * The computation of r1 (lines 2279-2280) is omitted by this rendering;
         * the check requires r1 to equal s1. */
        CHECK(secp256k1_scalar_eq(&r1, &s1));
    }

    {
        /* Test additive identity.
         * The computation of r1 (lines 2286-2287) is omitted by this rendering;
         * the check requires r1 to equal s1. */
        CHECK(secp256k1_scalar_eq(&r1, &s1));
    }

    {
        /* Test zero product property.
         * The body of this block (lines 2293-2295) is omitted by this rendering. */
    }

}
2299
2301 unsigned char b32[32];
2304
2305 /* Usually set_b32 and set_b32_seckey give the same result */
2307 secp256k1_scalar_set_b32(&s1, b32, NULL);
2308 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2309 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2310
2311 memset(b32, 0, sizeof(b32));
2312 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2313 memset(b32, 0xFF, sizeof(b32));
2314 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2315}
2316
2317static void run_scalar_tests(void) {
2318 int i;
2319 for (i = 0; i < 128 * COUNT; i++) {
2320 scalar_test();
2321 }
2322 for (i = 0; i < COUNT; i++) {
2324 }
2325
2326 {
2327 /* Check that the scalar constants secp256k1_scalar_zero and
2328 secp256k1_scalar_one contain the expected values. */
2329 secp256k1_scalar zero, one;
2330
2332 secp256k1_scalar_set_int(&zero, 0);
2334
2336 secp256k1_scalar_set_int(&one, 1);
2338 }
2339
2340 {
2341 /* (-1)+1 should be zero. */
2348 }
2349
2350 {
2351 /* Does check_overflow check catch all ones? */
2352 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2353 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2354 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2355 );
2357 }
2358
2359 {
2360 /* Static test vectors.
2361 * These were reduced from ~10^12 random vectors based on comparison-decision
2362 * and edge-case coverage on 32-bit and 64-bit implementations.
2363 * The responses were generated with Sage 5.9.
2364 */
2371 secp256k1_scalar zzv;
2372 int overflow;
2373 unsigned char chal[33][2][32] = {
2374 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2376 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2377 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2378 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2381 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2382 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2383 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2386 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2387 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2388 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2389 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2390 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2391 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2392 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2393 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2394 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2395 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2396 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2397 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2398 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2399 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2401 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2402 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2403 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2404 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2405 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2406 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2407 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2408 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2409 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2410 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2411 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2412 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2413 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2414 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2415 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2416 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2417 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2418 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2419 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2420 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2421 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2422 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2423 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2424 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2425 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2426 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2427 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2428 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2429 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2430 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2431 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2432 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2433 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2434 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2435 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2436 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2437 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2438 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2439 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2440 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2441 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2442 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2443 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2446 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2447 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2448 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2449 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2450 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2451 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2452 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2453 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2454 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2455 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2456 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2457 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2458 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2461 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2462 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2463 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2464 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2465 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2466 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2467 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2468 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2470 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2471 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2473 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2474 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2475 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2476 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2477 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2478 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2479 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2480 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2481 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2482 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2483 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2484 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2486 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2487 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2489 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2490 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2492 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2493 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2494 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2496 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2497 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2498 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2499 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2500 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2501 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2502 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2503 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2504 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2505 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2506 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2507 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2508 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2510 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2511 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2512 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2513 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2514 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2515 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2516 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2517 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2518 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2519 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2520 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2521 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2522 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2523 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2524 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2525 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2526 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2527 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2528 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2529 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2530 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2531 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2532 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2533 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2534 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2538 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2539 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2540 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2541 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2542 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2543 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2546 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2547 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2550 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2551 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2552 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2553 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2554 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2555 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2556 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2557 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2558 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2559 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2561 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2562 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2563 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2564 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2565 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2566 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2567 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2568 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2570 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2574 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2575 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2576 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2577 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2578 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2582 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2583 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2584 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2585 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2586 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2587 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2588 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2589 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2590 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2591 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2592 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2593 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2594 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2595 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2596 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2597 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2598 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2599 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2600 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2601 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2602 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2603 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2604 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2605 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2606 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2607 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2608 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2609 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2610 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2611 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2612 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2613 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2614 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2615 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2616 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2617 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2618 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2619 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2620 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2621 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2622 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2623 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2624 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2625 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2626 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2627 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2628 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2629 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2630 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2631 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2632 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2633 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2634 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2635 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2636 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2637 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2638 };
2639 unsigned char res[33][2][32] = {
2640 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2641 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2642 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2643 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2644 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2645 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2646 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2647 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2648 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2649 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2650 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2651 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2652 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2653 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2654 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2655 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2656 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2657 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2658 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2659 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2660 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2661 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2662 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2663 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2664 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2665 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2666 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2667 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2668 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2669 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2670 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2671 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2672 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2673 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2674 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2675 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2676 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2677 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2678 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2679 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2680 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2681 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2682 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2683 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2684 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2685 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2686 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2687 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2688 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2689 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2690 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2691 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2692 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2693 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2694 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2695 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2696 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2697 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2698 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2699 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2700 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2701 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2702 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2703 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2704 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2705 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2706 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2707 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2708 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2709 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2710 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2711 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2712 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2713 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2714 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2715 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2716 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2717 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2718 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2719 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2720 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2721 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2722 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2723 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2724 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2725 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2726 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2727 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2728 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2729 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2730 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2731 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2732 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2733 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2734 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2735 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2736 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2737 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2738 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2739 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2740 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2741 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2742 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2743 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2744 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2745 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2746 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2747 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2748 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2749 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2750 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2751 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2752 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2753 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2754 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2755 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2756 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2757 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2758 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2759 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2760 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2761 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2762 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2763 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2764 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2765 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2766 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2767 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2768 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2769 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2770 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2771 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2772 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2773 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2774 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2775 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2776 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2777 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2778 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2779 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2780 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2781 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2782 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2783 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2784 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2785 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2786 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2787 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2788 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2789 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2790 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2791 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2792 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2793 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2794 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2795 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2796 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2797 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2798 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2799 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2800 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2804 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2808 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2812 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2813 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2814 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2816 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2817 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2818 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2819 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2820 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2821 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2822 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2823 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2824 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2825 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2826 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2827 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2828 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2829 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2830 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2831 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2832 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2834 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2835 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2836 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2837 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2838 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2839 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2840 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2841 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2842 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2843 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2844 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2848 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2849 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2850 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2851 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2852 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2853 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2854 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2855 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2856 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2857 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2858 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2859 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2860 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2861 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2862 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2863 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2864 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2865 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2866 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2867 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2868 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2869 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2870 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2871 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2872 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2873 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2874 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2875 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2876 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2877 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2878 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2879 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2880 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2881 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2882 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2883 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2884 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2885 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2886 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2887 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2888 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2889 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2890 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2891 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2892 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2893 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2894 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2895 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2896 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2897 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2898 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2899 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2900 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2901 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2902 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2903 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2904 };
2905 for (i = 0; i < 33; i++) {
2906 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2907 CHECK(!overflow);
2908 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2909 CHECK(!overflow);
2910 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2911 CHECK(!overflow);
2912 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2913 CHECK(!overflow);
2914 secp256k1_scalar_mul(&z, &x, &y);
2916 CHECK(secp256k1_scalar_eq(&r1, &z));
2917 if (!secp256k1_scalar_is_zero(&y)) {
2918 secp256k1_scalar_inverse(&zz, &y);
2921 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2922 secp256k1_scalar_mul(&z, &z, &zz);
2924 CHECK(secp256k1_scalar_eq(&x, &z));
2925 secp256k1_scalar_mul(&zz, &zz, &y);
2928 }
2929 }
2930 }
2931}
2932
2933/***** FIELD TESTS *****/
2934
/* Fill x with a uniformly sampled field element in canonical range.
 *
 * The 32 bytes of bin are populated by a call on a line this listing omits
 * (presumably the test RNG -- confirm against the source).
 * secp256k1_fe_set_b32_limit only accepts inputs below the field modulus
 * (see run_field_be32_overflow, where it returns 0 for values >= p), so
 * the loop simply resamples until the draw is in range. */
2935static void random_fe(secp256k1_fe *x) {
 2936 unsigned char bin[32];
 2937 do {
 2939 if (secp256k1_fe_set_b32_limit(x, bin)) {
 2940 return;
 2941 }
 2942 } while(1);
 2943}
2944
2946 int tries = 10;
2947 while (--tries >= 0) {
2948 random_fe(nz);
2950 if (!secp256k1_fe_is_zero(nz)) {
2951 break;
2952 }
2953 }
2954 /* Infinitesimal probability of spurious failure here */
2955 CHECK(tries >= 0);
2956}
2957
2959 secp256k1_fe r;
2961 if (secp256k1_fe_sqrt(&r, ns)) {
2962 secp256k1_fe_negate(ns, ns, 1);
2963 }
2964}
2965
/* Value equality of two field elements.
 *
 * Works on local copies so the caller's operands are never modified; the
 * two lines between the copies and the comparison are omitted from this
 * listing (presumably they normalize an and bn -- confirm against the
 * source). The callers below use it on unnormalized results (e.g. right
 * after secp256k1_fe_add), in contrast to fe_identical, which compares raw
 * limbs. The _var comparison is variable-time, which is fine in tests. */
2966static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
 2967 secp256k1_fe an = *a;
 2968 secp256k1_fe bn = *b;
 2971 return secp256k1_fe_equal_var(&an, &bn);
 2972}
2973
/* Conversions between the three field-element encodings must agree:
 * the 32-byte big-endian form (b32), the limb form built with
 * SECP256K1_FE_CONST (fe) and the storage form (fes). The eight 32-bit
 * words of the constants are the same bytes as b32, so a word-order or
 * endianness mistake in any conversion would show up. The declarations of
 * fes and fes2 and the b32 -> fe conversion are on lines this listing
 * omits. */
2974static void run_field_convert(void) {
 2975 static const unsigned char b32[32] = {
 2976 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
 2977 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
 2978 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
 2979 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
 2980 };
 2982 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
 2983 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
 2984 );
 2985 static const secp256k1_fe fe = SECP256K1_FE_CONST(
 2986 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
 2987 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
 2988 );
 2989 secp256k1_fe fe2;
 2990 unsigned char b322[32];
 2992 /* Check conversions to fe. */
 2994 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
 2995 secp256k1_fe_from_storage(&fe2, &fes);
 2996 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
 2997 /* Check conversion from fe. */
 2998 secp256k1_fe_get_b32(b322, &fe);
 2999 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
    /* Storage forms are compared as raw bytes, so to_storage must be
     * canonical (one encoding per value). */
 3000 secp256k1_fe_to_storage(&fes2, &fe);
 3001 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
 3002}
3003
/* Behaviour of the two 32-byte decoders on inputs >= p.
 *
 * secp256k1_fe_set_b32_limit must reject such inputs (return 0), while
 * secp256k1_fe_set_b32_mod must reduce them modulo p. Three inputs are
 * tried: p itself (reduces to 0), p + 1 (reduces to 1) and 2^256 - 1
 * (reduces to 2^256 - 1 - p = 0x1000003d0). Each block then re-encodes
 * the element into out and compares against the expected bytes; the
 * secp256k1_fe_get_b32 calls that fill out are on lines this listing
 * omits. */
3004static void run_field_be32_overflow(void) {
 3005 {
    /* p = 2^256 - 2^32 - 977, i.e. ...FFFFFFFE FFFFFC2F. */
 3006 static const unsigned char zero_overflow[32] = {
 3007 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3008 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3009 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3010 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
 3011 };
 3012 static const unsigned char zero[32] = { 0x00 };
 3013 unsigned char out[32];
 3014 secp256k1_fe fe;
 3015 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
 3016 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
 3019 CHECK(secp256k1_fe_is_zero(&fe) == 1);
 3021 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
 3022 }
 3023 {
    /* p + 1. */
 3024 static const unsigned char one_overflow[32] = {
 3025 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3026 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3027 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3028 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
 3029 };
 3030 static const unsigned char one[32] = {
 3031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 3032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 3033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 3034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
 3035 };
 3036 unsigned char out[32];
 3037 secp256k1_fe fe;
 3038 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
 3039 secp256k1_fe_set_b32_mod(&fe, one_overflow);
 3043 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
 3044 }
 3045 {
    /* 2^256 - 1, the largest possible input. */
 3046 static const unsigned char ff_overflow[32] = {
 3047 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3048 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3049 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3050 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 3051 };
    /* 2^256 - 1 - p = 2^32 + 976 = 0x1000003d0. */
 3052 static const unsigned char ff[32] = {
 3053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 3054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 3055 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 3056 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
 3057 };
 3058 unsigned char out[32];
 3059 secp256k1_fe fe;
 3060 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
 3061 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
 3062 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
 3064 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
 3066 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
 3067 }
 3068}
3069
/* Returns true if two field elements have the same representation.
 *
 * Compares the limb array byte-for-byte, so two elements that denote the
 * same value but carry different limbs (different magnitude or
 * normalization state) are reported as different. Value equality is
 * check_fe_equal's job; this helper exists for the cmov tests, which
 * care about the exact representation. */
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
    return secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0;
}
3077
/* Halving round-trip checks.
 *
 * For a magnitude-0 input and for every magnitude m in 1..31, the element
 * is halved (the halving calls sit on lines this listing omits, presumably
 * secp256k1_fe_half -- confirm against the source) and the result added to
 * itself must equal the original. Under VERIFY the magnitude recorded for
 * the halved value is pinned to (m >> 1) + 1 and it must be unnormalized.
 * Two inputs are tried per magnitude: the maximum value for that
 * magnitude, and that value with its lowest limb decremented so the LSB is
 * set (the worst case for the carry chain, see the comment below). */
3078static void run_field_half(void) {
 3079 secp256k1_fe t, u;
 3080 int m;
 3081
 3082 /* Check magnitude 0 input */
 3085#ifdef VERIFY
 3086 CHECK(t.magnitude == 1);
 3087 CHECK(t.normalized == 0);
 3088#endif
 3090
 3091 /* Check non-zero magnitudes in the supported range */
 3092 for (m = 1; m < 32; m++) {
 3093 /* Check max-value input */
 3095
 3096 u = t;
 3098#ifdef VERIFY
 3099 CHECK(u.magnitude == (m >> 1) + 1);
 3100 CHECK(u.normalized == 0);
 3101#endif
    /* Doubling the half must give back t (compared by value). */
 3103 secp256k1_fe_add(&u, &u);
 3104 CHECK(check_fe_equal(&t, &u));
 3105
 3106 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
 3107 * which will also cause all carries to be 1, since all limbs that can
 3108 * generate a carry are initially even and all limbs of P are odd in
 3109 * every existing field implementation. */
    /* The max-value limb must be even and non-zero so that decrementing it
     * cannot underflow and flips the LSB to 1. */
 3111 CHECK(t.n[0] > 0);
 3112 CHECK((t.n[0] & 1) == 0);
 3113 --t.n[0];
 3114
 3115 u = t;
 3117#ifdef VERIFY
 3118 CHECK(u.magnitude == (m >> 1) + 1);
 3119 CHECK(u.normalized == 0);
 3120#endif
 3122 secp256k1_fe_add(&u, &u);
 3123 CHECK(check_fe_equal(&t, &u));
 3124 }
 3125}
3126
/* Randomized consistency checks across the field API.
 *
 * Each iteration draws x (alternating between random_fe and random_fe_test
 * so both plain and edge-case-biased inputs are covered) and verifies:
 * fe_add_int against fe_set_int + fe_add; cmp_var/equal_var; conditional
 * moves on elements and on the storage form, including the VERIFY
 * magnitude bookkeeping; mul_int against repeated add and against mul by
 * a constant; and fe_half. The lines that assign v and y, the fe_half
 * calls and a few others are omitted from this listing, so operand
 * provenance for those steps must be confirmed in the source. */
3127static void run_field_misc(void) {
 3128 secp256k1_fe x;
 3129 secp256k1_fe y;
 3130 secp256k1_fe z;
 3131 secp256k1_fe q;
 3132 int v;
 3133 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
 3134 int i, j;
 3135 for (i = 0; i < 1000 * COUNT; i++) {
 3136 secp256k1_fe_storage xs, ys, zs;
 3137 if (i & 1) {
 3138 random_fe(&x);
 3139 } else {
 3140 random_fe_test(&x);
 3141 }
    /* v is assigned on a line this listing omits. */
 3144 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
 3145 secp256k1_fe_set_int(&q, v); /* q = v */
 3146 z = x; /* z = x */
 3147 secp256k1_fe_add(&z, &q); /* z = x+v */
 3148 q = x; /* q = x */
 3149 secp256k1_fe_add_int(&q, v); /* q = x+v */
 3150 CHECK(check_fe_equal(&q, &z));
 3151 /* Test the fe equality and comparison operations. */
 3152 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
 3154 z = x;
 3155 secp256k1_fe_add(&z,&y);
 3156 /* Test fe conditional move; z is not normalized here. */
 3157 q = x;
    /* A cmov with flag 0 must leave the value untouched, but under VERIFY
     * the bookkeeping records the larger of the two magnitudes and clears
     * the normalized flag; these CHECKs pin that contract. */
 3158 secp256k1_fe_cmov(&x, &z, 0);
 3159#ifdef VERIFY
 3160 CHECK(!x.normalized);
 3161 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
 3162 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
 3163#endif
 3164 x = q;
    /* Self-move must leave the representation byte-identical. */
 3165 secp256k1_fe_cmov(&x, &x, 1);
 3166 CHECK(!fe_identical(&x, &z));
 3167 CHECK(fe_identical(&x, &q));
    /* A cmov with flag 1 must copy z's exact representation. */
 3168 secp256k1_fe_cmov(&q, &z, 1);
 3169#ifdef VERIFY
 3170 CHECK(!q.normalized);
 3171 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
 3172 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
 3173#endif
 3174 CHECK(fe_identical(&q, &z));
 3175 q = z;
 3178 CHECK(!secp256k1_fe_equal_var(&x, &z));
 3180 secp256k1_fe_cmov(&q, &z, (i&1));
 3181#ifdef VERIFY
 3182 CHECK(q.normalized && q.magnitude == 1);
 3183#endif
    /* Grow z's magnitude step by step; whether or not the move happens
     * (j&1), q's recorded magnitude must track z's. */
 3184 for (j = 0; j < 6; j++) {
 3185 secp256k1_fe_negate_unchecked(&z, &z, j+1);
 3187 secp256k1_fe_cmov(&q, &z, (j&1));
 3188#ifdef VERIFY
 3189 CHECK(!q.normalized && q.magnitude == z.magnitude);
 3190#endif
 3191 }
 3193 /* Test storage conversion and conditional moves. */
 3194 secp256k1_fe_to_storage(&xs, &x);
 3195 secp256k1_fe_to_storage(&ys, &y);
 3196 secp256k1_fe_to_storage(&zs, &z);
 3197 secp256k1_fe_storage_cmov(&zs, &xs, 0);
 3198 secp256k1_fe_storage_cmov(&zs, &zs, 1);
 3199 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
 3200 secp256k1_fe_storage_cmov(&ys, &xs, 1);
 3201 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
    /* The checks below only balance if the omitted lines above reset y to
     * x (so y becomes 3x after the two adds) -- confirm against the
     * source. */
 3205 /* Test that mul_int, mul, and add agree. */
 3206 secp256k1_fe_add(&y, &x);
 3207 secp256k1_fe_add(&y, &x);
 3208 z = x;
 3209 secp256k1_fe_mul_int(&z, 3);
 3210 CHECK(check_fe_equal(&y, &z));
 3211 secp256k1_fe_add(&y, &x);
 3212 secp256k1_fe_add(&z, &x);
 3213 CHECK(check_fe_equal(&z, &y));
 3214 z = x;
 3215 secp256k1_fe_mul_int(&z, 5);
 3216 secp256k1_fe_mul(&q, &x, &fe5);
 3217 CHECK(check_fe_equal(&z, &q));
    /* Subtract x from both 5x results (negate, then add) and compare
     * with the 4x held in y. */
 3218 secp256k1_fe_negate(&x, &x, 1);
 3219 secp256k1_fe_add(&z, &x);
 3220 secp256k1_fe_add(&q, &x);
 3221 CHECK(check_fe_equal(&y, &z));
 3222 CHECK(check_fe_equal(&q, &y));
 3223 /* Check secp256k1_fe_half. */
    /* Halve (calls on omitted lines) then double; must give back x. */
 3224 z = x;
 3226 secp256k1_fe_add(&z, &z);
 3227 CHECK(check_fe_equal(&x, &z));
 3228 secp256k1_fe_add(&z, &z);
 3230 CHECK(check_fe_equal(&x, &z));
 3231 }
 3232}
3233
/* Reference check for field multiplication and squaring.
 *
 * Computes c = a * b (or a^2 when use_sqr is non-zero, in which case b is
 * ignored by the field side; run_fe_mul passes the same element twice)
 * with the optimized implementation, converts a, b and c into 16
 * little-endian 16-bit limbs, recomputes the product with the generic
 * mulmod256 reference modulo the same p, and requires the two results to
 * be byte-identical. The three lines between the copies and the get_b32
 * calls are omitted from this listing (presumably normalization -- confirm
 * against the source). */
3234static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3235{
 3236 secp256k1_fe c, an, bn;
 3237 /* Variables in BE 32-byte format. */
 3238 unsigned char a32[32], b32[32], c32[32];
 3239 /* Variables in LE 16x uint16_t format. */
 3240 uint16_t a16[16], b16[16], c16[16];
 3241 /* Field modulus in LE 16x uint16_t format. */
    /* p = ...FFFFFFFE FFFFFC2F, least-significant limb first. */
 3242 static const uint16_t m16[16] = {
 3243 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
 3244 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
 3245 };
 3246 uint16_t t16[32];
 3247 int i;
 3248
 3249 /* Compute C = A * B in fe format. */
 3250 c = *a;
 3251 if (use_sqr) {
 3252 secp256k1_fe_sqr(&c, &c);
 3253 } else {
 3254 secp256k1_fe_mul(&c, &c, b);
 3255 }
 3256
 3257 /* Convert A, B, C into LE 16x uint16_t format. */
 3258 an = *a;
 3259 bn = *b;
 3263 secp256k1_fe_get_b32(a32, &an);
 3264 secp256k1_fe_get_b32(b32, &bn);
 3265 secp256k1_fe_get_b32(c32, &c);
    /* Byte 31 of the big-endian encoding is least significant, so limb i
     * is built from bytes 31-2i (low) and 30-2i (high). */
 3266 for (i = 0; i < 16; ++i) {
 3267 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
 3268 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
 3269 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
 3270 }
 3271 /* Compute T = A * B in LE 16x uint16_t format. */
 3272 mulmod256(t16, a16, b16, m16);
 3273 /* Compare */
    /* Only the first 16 limbs (32 bytes) of t16 are compared. */
 3274 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
 3275}
3276
/* Drive test_fe_mul over random operands.
 *
 * a and b come from random_fe, c and d from random_fe_test, so both
 * ordinary and edge-case-biased elements are multiplied in every
 * combination, and squaring is checked on one of each. Four lines of
 * this loop are omitted from the listing (one after each random draw);
 * what they do to the operands must be confirmed in the source. */
3277static void run_fe_mul(void) {
 3278 int i;
 3279 for (i = 0; i < 100 * COUNT; ++i) {
 3280 secp256k1_fe a, b, c, d;
 3281 random_fe(&a);
 3283 random_fe(&b);
 3285 random_fe_test(&c);
 3287 random_fe_test(&d);
    /* Squaring: same element passed for both operands. */
 3289 test_fe_mul(&a, &a, 1);
 3290 test_fe_mul(&c, &c, 1);
 3291 test_fe_mul(&a, &b, 0);
 3292 test_fe_mul(&a, &c, 0);
 3293 test_fe_mul(&c, &b, 0);
 3294 test_fe_mul(&c, &d, 0);
 3295 }
 3296}
3297
/* Repeatedly double -1 and square the result.
 *
 * Starts from x = -1 and, 512 times, multiplies x by 2 and squares it into
 * s. The line between the doubling and the squaring is omitted from this
 * listing; it presumably normalizes x, since otherwise the magnitude of x
 * would grow with every secp256k1_fe_mul_int -- confirm against the
 * source. No result is checked in the visible lines; the value of the
 * test is exercising the squaring code path (e.g. under VERIFY). */
3298static void run_sqr(void) {
 3299 secp256k1_fe x, s;
 3300
 3301 {
 3302 int i;
 3303 secp256k1_fe_set_int(&x, 1);
 3304 secp256k1_fe_negate(&x, &x, 1);
 3305
 3306 for (i = 1; i <= 512; ++i) {
 3307 secp256k1_fe_mul_int(&x, 2);
 3309 secp256k1_fe_sqr(&s, &x);
 3310 }
 3311 }
 3312}
3313
/* Check secp256k1_fe_sqrt on a with a known answer.
 *
 * k is NULL when a is expected to have no square root, in which case the
 * only requirement is that sqrt reports failure. Otherwise sqrt must
 * succeed and the returned root must be k or -k: r1 = root + k and
 * r2 = -root + k are formed, so exactly one of them is zero when the root
 * is correct. The CHECK(s) on r1/r2 are on lines this listing omits. */
3314static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
 3315 secp256k1_fe r1, r2;
 3316 int v = secp256k1_fe_sqrt(&r1, a);
    /* Success/failure must match whether a known root was supplied. */
 3317 CHECK((v == 0) == (k == NULL));
 3318
 3319 if (k != NULL) {
 3320 /* Check that the returned root is +/- the given known answer */
 3321 secp256k1_fe_negate(&r2, &r1, 1);
 3322 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
 3325 }
 3326}
3327
/* Square-root tests.
 *
 * Checks sqrt(0) = 0, then for i = 1..100 that sqrt(i^2) is +/-i and that
 * -(i^2) has no root (p is 3 mod 4, so -1 is a non-residue and negating a
 * non-zero square yields a non-square). The random section repeats this
 * for random x and additionally multiplies the square by ns, which the
 * test expects to be a quadratic non-residue (it is assigned on a line
 * this listing omits). Two further lines inside the inner loop are also
 * omitted. */
3328static void run_sqrt(void) {
 3329 secp256k1_fe ns, x, s, t;
 3330 int i;
 3331
 3332 /* Check sqrt(0) is 0 */
 3333 secp256k1_fe_set_int(&x, 0);
 3334 secp256k1_fe_sqr(&s, &x);
 3335 test_sqrt(&s, &x);
 3336
 3337 /* Check sqrt of small squares (and their negatives) */
 3338 for (i = 1; i <= 100; i++) {
 3339 secp256k1_fe_set_int(&x, i);
 3340 secp256k1_fe_sqr(&s, &x);
 3341 test_sqrt(&s, &x);
 3342 secp256k1_fe_negate(&t, &s, 1);
 3343 test_sqrt(&t, NULL);
 3344 }
 3345
 3346 /* Consistency checks for large random values */
 3347 for (i = 0; i < 10; i++) {
 3348 int j;
 3350 for (j = 0; j < COUNT; j++) {
 3351 random_fe(&x);
 3352 secp256k1_fe_sqr(&s, &x);
 3354 test_sqrt(&s, &x);
 3355 secp256k1_fe_negate(&t, &s, 1);
 3357 test_sqrt(&t, NULL);
    /* square * non-square is a non-square. */
 3358 secp256k1_fe_mul(&t, &s, &ns);
 3359 test_sqrt(&t, NULL);
 3360 }
 3361 }
 3362}
3363
3364/***** FIELD/SCALAR INVERSE TESTS *****/
3365
3367 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3368 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3369);
3370
3372 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3373 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3374);
3375
3376/* These tests check the following identities:
3377 *
3378 * for x==0: 1/x == 0
3379 * for x!=0: x*(1/x) == 1
3380 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3381 */
3382
3384{
3385 secp256k1_scalar l, r, t;
3386
3387 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3388 if (out) *out = l;
3389 if (secp256k1_scalar_is_zero(x)) {
3391 return;
3392 }
3393 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3394 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3395 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3396 if (secp256k1_scalar_is_zero(&r)) return;
3397 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3398 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3399 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3400 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3401 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3402 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3403}
3404
/* Check the inverse identities (listed above) for one field element x.
 *
 * var selects the variable-time inverse (secp256k1_fe_inv_var) over the
 * constant-time one; both are exercised by the caller. If out is non-NULL
 * it receives 1/x. For x == 0 the function returns after storing the
 * inverse (the zero test and early return are on lines this listing
 * omits; by analogy with the scalar variant above, presumably a
 * normalizes_to_zero check on t). The x == 1 early return and the final
 * CHECK that l normalizes to zero are likewise on omitted lines. Field
 * subtraction is expressed as adding fe_minus_one. */
3405static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3406{
 3407 secp256k1_fe l, r, t;
 3408
 3409 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
 3410 if (out) *out = l;
 3411 t = *x; /* t = x */
 3414 return;
 3415 }
 3416 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
 3417 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
 3418 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
 3419 r = *x; /* r = x */
 3420 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
    /* The identity below needs x != 1; that guard is on an omitted line. */
 3422 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
 3423 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
 3424 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
 3425 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
 3426 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
 3428}
3429
3430static void run_inverse_tests(void)
3431{
3432 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3433 static const secp256k1_fe fe_cases[][2] = {
3434 /* 0 */
3435 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3436 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3437 /* 1 */
3438 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3439 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3440 /* -1 */
3441 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3442 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3443 /* 2 */
3444 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3445 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3446 /* 2**128 */
3447 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3448 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3449 /* Input known to need 637 divsteps */
3450 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3451 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3452 /* Input known to need 567 divsteps starting with delta=1/2. */
3453 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3454 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3455 /* Input known to need 566 divsteps starting with delta=1/2. */
3456 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3457 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3458 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3459 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3460 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3461 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3462 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3463 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3464 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3465 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3466 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3467 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3468 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3469 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3470 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3471 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3472 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3473 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3474 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3475 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3476 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3477 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3478 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3479 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3480 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3481 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3482 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3483 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3484 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3485 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3486 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3487 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3488 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3489 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3490 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3491 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3492 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3493 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3494 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3495 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3496 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3497 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3498 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3499 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3500 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3501 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3502 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3503 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3504 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3505 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3506 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3507 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3508 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3509 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3510 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3511 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3512 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3513 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3514 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3515 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3516 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3517 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3518 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3519 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3520 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3521 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3522 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3523 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3524 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3525 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3526 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3527 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3528 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3529 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3530 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3531 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3532 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3533 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3534 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3535 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3536 };
3537 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3538 static const secp256k1_scalar scalar_cases[][2] = {
3539 /* 0 */
3540 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3541 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3542 /* 1 */
3543 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3544 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3545 /* -1 */
3546 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3547 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3548 /* 2 */
3549 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3550 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3551 /* 2**128 */
3552 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3553 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3554 /* Input known to need 635 divsteps */
3555 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3556 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3557 /* Input known to need 566 divsteps starting with delta=1/2. */
3558 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3559 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3560 /* Input known to need 565 divsteps starting with delta=1/2. */
3561 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3562 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3563 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3564 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3565 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3566 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3567 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3568 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3569 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3570 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3571 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3572 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3573 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3574 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3575 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3576 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3577 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3578 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3579 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3580 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3581 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3582 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3583 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3584 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3585 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3586 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3587 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3588 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3589 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3590 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3591 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3592 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3593 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3594 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3595 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3596 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3597 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3598 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3599 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3600 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3601 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3602 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3603 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3604 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3605 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3606 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3607 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3608 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3609 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3610 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3611 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3612 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3613 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3614 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3615 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3616 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3617 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3618 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3619 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3620 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3621 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3622 };
3623 int i, var, testrand;
3624 unsigned char b32[32];
3625 secp256k1_fe x_fe;
3626 secp256k1_scalar x_scalar;
3627 memset(b32, 0, sizeof(b32));
3628 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3629 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3630 for (var = 0; var <= 1; ++var) {
3631 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3632 check_fe_equal(&x_fe, &fe_cases[i][1]);
3633 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3634 check_fe_equal(&x_fe, &fe_cases[i][0]);
3635 }
3636 }
3637 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3638 for (var = 0; var <= 1; ++var) {
3639 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3640 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3641 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3642 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3643 }
3644 }
3645 /* Test inputs 0..999 and their respective negations. */
3646 for (i = 0; i < 1000; ++i) {
3647 b32[31] = i & 0xff;
3648 b32[30] = (i >> 8) & 0xff;
3649 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3650 secp256k1_fe_set_b32_mod(&x_fe, b32);
3651 for (var = 0; var <= 1; ++var) {
3652 test_inverse_scalar(NULL, &x_scalar, var);
3653 test_inverse_field(NULL, &x_fe, var);
3654 }
3655 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3656 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3657 for (var = 0; var <= 1; ++var) {
3658 test_inverse_scalar(NULL, &x_scalar, var);
3659 test_inverse_field(NULL, &x_fe, var);
3660 }
3661 }
3662 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3663 for (testrand = 0; testrand <= 1; ++testrand) {
3664 for (i = 0; i < 64 * COUNT; ++i) {
3666 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3667 secp256k1_fe_set_b32_mod(&x_fe, b32);
3668 for (var = 0; var <= 1; ++var) {
3669 test_inverse_scalar(NULL, &x_scalar, var);
3670 test_inverse_field(NULL, &x_fe, var);
3671 }
3672 }
3673 }
3674}
3675
3676/***** GROUP TESTS *****/
3677
/* Assert that two affine points are equal.
 *
 * Both points must agree on the infinity flag; for finite points the x and y
 * coordinates are compared with secp256k1_fe_equal_var. Any mismatch aborts
 * the test run via CHECK. */
static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
    CHECK(a->infinity == b->infinity);
    if (!a->infinity) {
        /* Finite points: coordinates must match exactly. */
        CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
        CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
    }
}
3686
3687/* This compares jacobian points including their Z, not just their geometric meaning. */
3688static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3689 secp256k1_gej a2;
3690 secp256k1_gej b2;
3691 int ret = 1;
3692 ret &= a->infinity == b->infinity;
3693 if (ret && !a->infinity) {
3694 a2 = *a;
3695 b2 = *b;
3702 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3703 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3704 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3705 }
3706 return ret;
3707}
3708
/* Assert that the affine point a equals the Jacobian point b.
 *
 * Instead of converting b to affine form (which would need a field inversion),
 * the comparison is done in projective form:
 *     a.x * b.z^2 == b.x   and   a.y * b.z^3 == b.y
 * b's coordinates are copied and weakly normalized before comparison. Both
 * points must agree on the infinity flag; infinity compares equal without
 * inspecting coordinates. */
static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
    secp256k1_fe bz2;        /* b.z^2 */
    secp256k1_fe ax_scaled;  /* a.x * b.z^2 */
    secp256k1_fe ay_scaled;  /* a.y * b.z^3 */
    secp256k1_fe bx, by;     /* weakly normalized copies of b.x, b.y */

    CHECK(a->infinity == b->infinity);
    if (a->infinity) {
        return;
    }

    secp256k1_fe_sqr(&bz2, &b->z);
    secp256k1_fe_mul(&ax_scaled, &a->x, &bz2);
    secp256k1_fe_mul(&ay_scaled, &a->y, &bz2);
    secp256k1_fe_mul(&ay_scaled, &ay_scaled, &b->z);

    bx = b->x;
    by = b->y;
    secp256k1_fe_normalize_weak(&bx);
    secp256k1_fe_normalize_weak(&by);

    CHECK(secp256k1_fe_equal_var(&ax_scaled, &bx));
    CHECK(secp256k1_fe_equal_var(&ay_scaled, &by));
}
3725
3726static void test_ge(void) {
3727 int i, i1;
3728 int runs = 6;
3729 /* 25 points are used:
3730 * - infinity
3731 * - for each of four random points p1 p2 p3 p4, we add the point, its
3732 * negation, and then those two again but with randomized Z coordinate.
3733 * - The same is then done for lambda*p1 and lambda^2*p1.
3734 */
3735 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3736 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3737 secp256k1_fe zf, r;
3738 secp256k1_fe zfi2, zfi3;
3739
3741 secp256k1_ge_clear(&ge[0]);
3742 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3743 for (i = 0; i < runs; i++) {
3744 int j;
3745 secp256k1_ge g;
3747 if (i >= runs - 2) {
3748 secp256k1_ge_mul_lambda(&g, &ge[1]);
3749 }
3750 if (i >= runs - 1) {
3752 }
3753 ge[1 + 4 * i] = g;
3754 ge[2 + 4 * i] = g;
3755 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3756 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3757 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3758 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3759 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3760 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3761 for (j = 0; j < 4; j++) {
3762 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3763 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3764 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3765 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3766 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3767 }
3768 }
3769
3770 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3773 secp256k1_fe_inv_var(&zfi3, &zf);
3774 secp256k1_fe_sqr(&zfi2, &zfi3);
3775 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3776
3777 /* Generate random r */
3779
3780 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3781 int i2;
3782 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3783 /* Compute reference result using gej + gej (var). */
3784 secp256k1_gej refj, resj;
3785 secp256k1_ge ref;
3786 secp256k1_fe zr;
3787 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3788 /* Check Z ratio. */
3789 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3790 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3791 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3792 }
3793 secp256k1_ge_set_gej_var(&ref, &refj);
3794
3795 /* Test gej + ge with Z ratio result (var). */
3796 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3797 ge_equals_gej(&ref, &resj);
3798 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3799 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3800 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3801 }
3802
3803 /* Test gej + ge (var, with additional Z factor). */
3804 {
3805 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3806 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3807 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3810 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3811 ge_equals_gej(&ref, &resj);
3812 }
3813
3814 /* Test gej + ge (const). */
3815 if (i2 != 0) {
3816 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3817 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3818 ge_equals_gej(&ref, &resj);
3819 }
3820
3821 /* Test doubling (var). */
3822 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3823 secp256k1_fe zr2;
3824 /* Normal doubling with Z ratio result. */
3825 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3826 ge_equals_gej(&ref, &resj);
3827 /* Check Z ratio. */
3828 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3829 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3830 /* Normal doubling. */
3831 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3832 ge_equals_gej(&ref, &resj);
3833 /* Constant-time doubling. */
3834 secp256k1_gej_double(&resj, &gej[i2]);
3835 ge_equals_gej(&ref, &resj);
3836 }
3837
3838 /* Test adding opposites. */
3839 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3841 }
3842
3843 /* Test adding infinity. */
3844 if (i1 == 0) {
3847 ge_equals_gej(&ref, &gej[i2]);
3848 }
3849 if (i2 == 0) {
3852 ge_equals_gej(&ref, &gej[i1]);
3853 }
3854 }
3855 }
3856
3857 /* Test adding all points together in random order equals infinity. */
3858 {
3860 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3861 for (i = 0; i < 4 * runs + 1; i++) {
3862 gej_shuffled[i] = gej[i];
3863 }
3864 for (i = 0; i < 4 * runs + 1; i++) {
3865 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3866 if (swap != i) {
3867 secp256k1_gej t = gej_shuffled[i];
3868 gej_shuffled[i] = gej_shuffled[swap];
3869 gej_shuffled[swap] = t;
3870 }
3871 }
3872 for (i = 0; i < 4 * runs + 1; i++) {
3873 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3874 }
3876 free(gej_shuffled);
3877 }
3878
3879 /* Test batch gej -> ge conversion without known z ratios. */
3880 {
3881 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3882 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3883 for (i = 0; i < 4 * runs + 1; i++) {
3884 secp256k1_fe s;
3886 secp256k1_gej_rescale(&gej[i], &s);
3887 ge_equals_gej(&ge_set_all[i], &gej[i]);
3888 }
3889 free(ge_set_all);
3890 }
3891
3892 /* Test that all elements have X coordinates on the curve. */
3893 for (i = 1; i < 4 * runs + 1; i++) {
3894 secp256k1_fe n;
3896 /* And the same holds after random rescaling. */
3897 secp256k1_fe_mul(&n, &zf, &ge[i].x);
3899 }
3900
3901 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
3902 {
3903 secp256k1_fe n;
3904 secp256k1_ge q;
3905 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
3906 secp256k1_fe_mul(&n, &zf, &r);
3907 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
3908 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
3909 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
3910 CHECK(ret_on_curve == ret_frac_on_curve);
3911 CHECK(ret_on_curve == ret_set_xo);
3912 if (ret_set_xo) CHECK(secp256k1_fe_equal_var(&r, &q.x));
3913 }
3914
3915 /* Test batch gej -> ge conversion with many infinities. */
3916 for (i = 0; i < 4 * runs + 1; i++) {
3917 int odd;
3919 odd = secp256k1_fe_is_odd(&ge[i].x);
3920 CHECK(odd == 0 || odd == 1);
3921 /* randomly set half the points to infinity */
3922 if (odd == i % 2) {
3924 }
3925 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3926 }
3927 /* batch convert */
3928 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3929 /* check result */
3930 for (i = 0; i < 4 * runs + 1; i++) {
3931 ge_equals_gej(&ge[i], &gej[i]);
3932 }
3933
3934 /* Test batch gej -> ge conversion with all infinities. */
3935 for (i = 0; i < 4 * runs + 1; i++) {
3937 }
3938 /* batch convert */
3939 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3940 /* check result */
3941 for (i = 0; i < 4 * runs + 1; i++) {
3943 }
3944
3945 free(ge);
3946 free(gej);
3947}
3948
3949static void test_intialized_inf(void) {
3950 secp256k1_ge p;
3951 secp256k1_gej pj, npj, infj1, infj2, infj3;
3952 secp256k1_fe zinv;
3953
3954 /* Test that adding P+(-P) results in a fully initialized infinity*/
3956 secp256k1_gej_set_ge(&pj, &p);
3957 secp256k1_gej_neg(&npj, &pj);
3958
3959 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3961 CHECK(secp256k1_fe_is_zero(&infj1.x));
3962 CHECK(secp256k1_fe_is_zero(&infj1.y));
3963 CHECK(secp256k1_fe_is_zero(&infj1.z));
3964
3965 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3967 CHECK(secp256k1_fe_is_zero(&infj2.x));
3968 CHECK(secp256k1_fe_is_zero(&infj2.y));
3969 CHECK(secp256k1_fe_is_zero(&infj2.z));
3970
3971 secp256k1_fe_set_int(&zinv, 1);
3972 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3974 CHECK(secp256k1_fe_is_zero(&infj3.x));
3975 CHECK(secp256k1_fe_is_zero(&infj3.y));
3976 CHECK(secp256k1_fe_is_zero(&infj3.z));
3977
3978
3979}
3980
3981static void test_add_neg_y_diff_x(void) {
3982 /* The point of this test is to check that we can add two points
3983 * whose y-coordinates are negatives of each other but whose x
3984 * coordinates differ. If the x-coordinates were the same, these
3985 * points would be negatives of each other and their sum is
3986 * infinity. This is cool because it "covers up" any degeneracy
3987 * in the addition algorithm that would cause the xy coordinates
3988 * of the sum to be wrong (since infinity has no xy coordinates).
3989 * HOWEVER, if the x-coordinates are different, infinity is the
3990 * wrong answer, and such degeneracies are exposed. This is the
3991 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3992 * which this test is a regression test for.
3993 *
3994 * These points were generated in sage as
3995 * # secp256k1 params
3996 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3997 * C = EllipticCurve ([F (0), F (7)])
3998 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3999 * N = FiniteField(G.order())
4000 *
4001 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
4002 * x = polygen(N)
4003 * lam = (1 - x^3).roots()[1][0]
4004 *
4005 * # random "bad pair"
4006 * P = C.random_element()
4007 * Q = -int(lam) * P
4008 * print " P: %x %x" % P.xy()
4009 * print " Q: %x %x" % Q.xy()
4010 * print "P + Q: %x %x" % (P + Q).xy()
4011 */
4013 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
4014 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
4015 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
4016 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
4017 );
4019 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4020 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4021 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4022 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4023 );
4025 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4026 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4027 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4028 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4029 );
4030 secp256k1_ge b;
4031 secp256k1_gej resj;
4032 secp256k1_ge res;
4033 secp256k1_ge_set_gej(&b, &bj);
4034
4035 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4036 secp256k1_ge_set_gej(&res, &resj);
4037 ge_equals_gej(&res, &sumj);
4038
4039 secp256k1_gej_add_ge(&resj, &aj, &b);
4040 secp256k1_ge_set_gej(&res, &resj);
4041 ge_equals_gej(&res, &sumj);
4042
4043 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4044 secp256k1_ge_set_gej(&res, &resj);
4045 ge_equals_gej(&res, &sumj);
4046}
4047
4048static void run_ge(void) {
4049 int i;
4050 for (i = 0; i < COUNT * 32; i++) {
4051 test_ge();
4052 }
4055}
4056
/* Exercise secp256k1_gej_cmov on a pair of Jacobian points.
 *
 * Starting from a copy of a, a conditional move with flag 0 must leave the copy
 * identical to a, and a subsequent move with flag 1 must make it identical to
 * b. Equality is checked with gej_xyz_equals_gej, i.e. including the Z
 * coordinate, not just the affine point represented. */
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
    secp256k1_gej dst = *a;
    const secp256k1_gej *expect[2];
    int flag;

    /* flag 0 keeps the destination, flag 1 takes the source. */
    expect[0] = a;
    expect[1] = b;
    for (flag = 0; flag <= 1; ++flag) {
        secp256k1_gej_cmov(&dst, b, flag);
        CHECK(gej_xyz_equals_gej(&dst, expect[flag]));
    }
}
4064
4065static void run_gej(void) {
4066 int i;
4067 secp256k1_gej a, b;
4068
4069 /* Tests for secp256k1_gej_cmov */
4070 for (i = 0; i < COUNT; i++) {
4073 test_gej_cmov(&a, &b);
4074
4075 random_gej_test(&a);
4076 test_gej_cmov(&a, &b);
4077 test_gej_cmov(&b, &a);
4078
4079 b = a;
4080 test_gej_cmov(&a, &b);
4081
4082 random_gej_test(&b);
4083 test_gej_cmov(&a, &b);
4084 test_gej_cmov(&b, &a);
4085 }
4086
4087 /* Tests for secp256k1_gej_eq_var */
4088 for (i = 0; i < COUNT; i++) {
4089 secp256k1_fe fe;
4090 random_gej_test(&a);
4091 random_gej_test(&b);
4092 CHECK(!secp256k1_gej_eq_var(&a, &b));
4093
4094 b = a;
4096 secp256k1_gej_rescale(&a, &fe);
4097 CHECK(secp256k1_gej_eq_var(&a, &b));
4098 }
4099}
4100
4101static void test_ec_combine(void) {
4102 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4103 secp256k1_pubkey data[6];
4104 const secp256k1_pubkey* d[6];
4106 secp256k1_pubkey sd2;
4107 secp256k1_gej Qj;
4108 secp256k1_ge Q;
4109 int i;
4110 for (i = 1; i <= 6; i++) {
4115 secp256k1_ge_set_gej(&Q, &Qj);
4116 secp256k1_pubkey_save(&data[i - 1], &Q);
4117 d[i - 1] = &data[i - 1];
4119 secp256k1_ge_set_gej(&Q, &Qj);
4120 secp256k1_pubkey_save(&sd, &Q);
4121 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4122 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4123 }
4124}
4125
4126static void run_ec_combine(void) {
4127 int i;
4128 for (i = 0; i < COUNT * 8; i++) {
4130 }
4131}
4132
4134 /* The input itself, normalized. */
4135 secp256k1_fe fex = *x;
4136 secp256k1_fe fez;
4137 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
4138 secp256k1_ge ge_quad, ge_even, ge_odd;
4139 secp256k1_gej gej_quad;
4140 /* Return values of the above calls. */
4141 int res_quad, res_even, res_odd;
4142
4144
4145 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
4146 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4147 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4148
4149 CHECK(res_quad == res_even);
4150 CHECK(res_quad == res_odd);
4151
4152 if (res_quad) {
4153 secp256k1_fe_normalize_var(&ge_quad.x);
4155 secp256k1_fe_normalize_var(&ge_even.x);
4156 secp256k1_fe_normalize_var(&ge_quad.y);
4158 secp256k1_fe_normalize_var(&ge_even.y);
4159
4160 /* No infinity allowed. */
4161 CHECK(!ge_quad.infinity);
4162 CHECK(!ge_even.infinity);
4163 CHECK(!ge_odd.infinity);
4164
4165 /* Check that the x coordinates check out. */
4166 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
4167 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
4168 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
4169
4170 /* Check that the Y coordinate result in ge_quad is a square. */
4171 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
4172
4173 /* Check odd/even Y in ge_odd, ge_even. */
4174 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4175 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4176
4177 /* Check secp256k1_gej_has_quad_y_var. */
4178 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
4180 do {
4181 random_fe_test(&fez);
4182 } while (secp256k1_fe_is_zero(&fez));
4183 secp256k1_gej_rescale(&gej_quad, &fez);
4185 secp256k1_gej_neg(&gej_quad, &gej_quad);
4187 do {
4188 random_fe_test(&fez);
4189 } while (secp256k1_fe_is_zero(&fez));
4190 secp256k1_gej_rescale(&gej_quad, &fez);
4192 secp256k1_gej_neg(&gej_quad, &gej_quad);
4194 }
4195}
4196
4197static void run_group_decompress(void) {
4198 int i;
4199 for (i = 0; i < COUNT * 4; i++) {
4200 secp256k1_fe fe;
4201 random_fe_test(&fe);
4203 }
4204}
4205
4206/***** ECMULT TESTS *****/
4207
4208static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4209 /* Tests the pre_g / pre_g_128 tables for consistency.
4210 * For independent verification we take a "geometric" approach to verification.
4211 * We check that every entry is on-curve.
4212 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4213 * (1) p, gg, and -q are colinear.
4214 * (2) p, gg, and -q are all distinct.
4215 * where gg is twice the generator, where the generator is the first table entry.
4216 *
4217 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4218 */
4219 secp256k1_gej g2;
4220 secp256k1_ge p, q, gg;
4221 secp256k1_fe dpx, dpy, dqx, dqy;
4222 size_t i;
4223
4224 CHECK(0 < n);
4225
4226 secp256k1_ge_from_storage(&p, &pre_g[0]);
4228
4229 secp256k1_gej_set_ge(&g2, &p);
4230 secp256k1_gej_double_var(&g2, &g2, NULL);
4231 secp256k1_ge_set_gej_var(&gg, &g2);
4232 for (i = 1; i < n; ++i) {
4233 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4234 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4235 /* Check that p is not equal to gg */
4237
4238 secp256k1_ge_from_storage(&q, &pre_g[i]);
4240
4241 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
4242 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
4243 /* Check that -q is not equal to gg */
4245
4246 /* Check that -q is not equal to p */
4247 CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
4248
4249 /* Check that p, -q and gg are colinear */
4250 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4251 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4252 CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
4253
4254 p = q;
4255 }
4256}
4257
4258static void run_ecmult_pre_g(void) {
4260 secp256k1_gej gj;
4261 secp256k1_ge g;
4262 size_t i;
4263
4264 /* Check that the pre_g and pre_g_128 tables are consistent. */
4267
4268 /* Check the first entry from the pre_g table. */
4270 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4271
4272 /* Check the first entry from the pre_g_128 table. */
4274 for (i = 0; i < 128; ++i) {
4275 secp256k1_gej_double_var(&gj, &gj, NULL);
4276 }
4277 secp256k1_ge_set_gej(&g, &gj);
4278 secp256k1_ge_to_storage(&gs, &g);
4279 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4280}
4281
4282static void run_ecmult_chain(void) {
4283 /* random starting point A (on the curve) */
4285 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4286 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4287 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4288 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4289 );
4290 /* two random initial factors xn and gn */
4292 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4293 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4294 );
4296 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4297 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4298 );
4299 /* two small multipliers to be applied to xn and gn in every iteration: */
4300 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4301 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4302 /* accumulators with the resulting coefficients to A and G */
4303 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4304 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4305 /* actual points */
4306 secp256k1_gej x;
4307 secp256k1_gej x2;
4308 int i;
4309
4310 /* the point being computed */
4311 x = a;
4312 for (i = 0; i < 200*COUNT; i++) {
4313 /* in each iteration, compute X = xn*X + gn*G; */
4314 secp256k1_ecmult(&x, &x, &xn, &gn);
4315 /* also compute ae and ge: the actual accumulated factors for A and G */
4316 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4317 secp256k1_scalar_mul(&ae, &ae, &xn);
4318 secp256k1_scalar_mul(&ge, &ge, &xn);
4319 secp256k1_scalar_add(&ge, &ge, &gn);
4320 /* modify xn and gn */
4321 secp256k1_scalar_mul(&xn, &xn, &xf);
4322 secp256k1_scalar_mul(&gn, &gn, &gf);
4323
4324 /* verify */
4325 if (i == 19999) {
4326 /* expected result after 19999 iterations */
4328 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4329 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4330 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4331 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4332 );
4333 CHECK(secp256k1_gej_eq_var(&rp, &x));
4334 }
4335 }
4336 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4337 secp256k1_ecmult(&x2, &a, &ae, &ge);
4338 CHECK(secp256k1_gej_eq_var(&x, &x2));
4339}
4340
4341static void test_point_times_order(const secp256k1_gej *point) {
4342 /* X * (point + G) + (order-X) * (point + G) = 0 */
4345 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4346 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4347 secp256k1_gej res1, res2;
4348 secp256k1_ge res3;
4349 unsigned char pub[65];
4350 size_t psize = 65;
4352 secp256k1_scalar_negate(&nx, &x);
4353 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4354 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4355 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4357 secp256k1_ge_set_gej(&res3, &res1);
4359 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4360 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4361 psize = 65;
4362 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4363 /* check zero/one edge cases */
4364 secp256k1_ecmult(&res1, point, &zero, &zero);
4365 secp256k1_ge_set_gej(&res3, &res1);
4367 secp256k1_ecmult(&res1, point, &one, &zero);
4368 secp256k1_ge_set_gej(&res3, &res1);
4369 ge_equals_gej(&res3, point);
4370 secp256k1_ecmult(&res1, point, &zero, &one);
4371 secp256k1_ge_set_gej(&res3, &res1);
4373}
4374
4375/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4376 *
4377 * They are computed as:
4378 * - For a in [-2, -1, 0, 1, 2]:
4379 * - For b in [-3, -1, 1, 3]:
4380 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4381 */
4383 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4384 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4385 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4386 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4387 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4388 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4389 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4390 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4391 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4392 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4393 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4394 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4395 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4396 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4397 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4398 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4399 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4400 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4401 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4402 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4403};
4404
/* Checks that n1*P + n2*P + target*P is the point at infinity, where n1 is
 * random and n2 = -(n1 + target): three independent EC multiplications by
 * scalars that sum to zero must cancel exactly.
 *
 * target: scalar under test; the caller feeds values near the endomorphism
 *         split bounds (scalars_near_split_bounds above) so each
 *         multiplication path is exercised with awkward scalars.
 * mode:   0 = secp256k1_ecmult_gen (P is the generator),
 *         1 = secp256k1_ecmult, 2 = secp256k1_ecmult_const.
 * Aborts via CHECK on failure.
 *
 * NOTE(review): this listing omits source lines 4413, 4419, 4425-4426 and
 * 4441 (the random draws of n1 and p, presumably the mode-0 products for
 * n1/n2, and presumably the final infinity CHECK); consult the original
 * file before relying on this block.
 */
4405static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4406 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4407 secp256k1_scalar n1, n2;
4408 secp256k1_ge p;
4409 secp256k1_gej pj, p1j, p2j, ptj;
4410 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4411
4412 /* Generate random n1,n2 such that n1+n2 = -target. */
 /* (line 4413, the random draw of n1, is not shown in this listing) */
4414 secp256k1_scalar_add(&n2, &n1, target);
4415 secp256k1_scalar_negate(&n2, &n2);
4416
4417 /* Generate a random input point. */
 /* Mode 0 multiplies the generator and needs no random point; the draw of p
  * is on line 4419, not shown here. */
4418 if (mode != 0) {
4420 secp256k1_gej_set_ge(&pj, &p);
4421 }
4422
4423 /* EC multiplications */
4424 if (mode == 0) {
4427 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4428 } else if (mode == 1) {
 /* Generic multiplication on the Jacobian point; the G scalar is zero. */
4429 secp256k1_ecmult(&p1j, &pj, &n1, &zero);
4430 secp256k1_ecmult(&p2j, &pj, &n2, &zero);
4431 secp256k1_ecmult(&ptj, &pj, target, &zero);
4432 } else {
 /* Constant-time variant works on the affine point. */
4433 secp256k1_ecmult_const(&p1j, &p, &n1);
4434 secp256k1_ecmult_const(&p2j, &p, &n2);
4435 secp256k1_ecmult_const(&ptj, &p, target);
4436 }
4437
4438 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n2-n1-n2)*P = 0. */
4439 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4440 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4442}
4443
4445 int i;
4446 unsigned j;
4447 for (i = 0; i < 4*COUNT; ++i) {
4448 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4452 }
4453 }
4454}
4455
/* Walks the x coordinates 2, 2^2, 2^4, ... (x is squared 500 times) and,
 * for each one that lifts to a curve point, builds the point and runs the
 * check on line 4469 (not shown in this listing; from the function name,
 * presumably that the point times the group order is infinity). Finally
 * checks that x equals the precomputed 2^(2^500) mod p, which catches the
 * loop silently doing the wrong number of squarings.
 * Source lines 4467, 4469 and 4473 are missing from this listing.
 */
4456static void run_point_times_order(void) {
4457 int i;
4458 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
 /* Expected x after 500 squarings of 2, i.e. 2^(2^500) reduced mod the field prime. */
4459 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4460 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4461 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4462 );
4463 for (i = 0; i < 500; i++) {
4464 secp256k1_ge p;
 /* Non-zero return means x is a valid x coordinate; the third argument selects the odd y. */
4465 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4466 secp256k1_gej j;
4468 secp256k1_gej_set_ge(&j, &p);
4470 }
4471 secp256k1_fe_sqr(&x, &x);
4472 }
4474 CHECK(secp256k1_fe_equal_var(&x, &xr));
4475}
4476
/* Known-answer test for secp256k1_ecmult_const: multiplies a fixed point A
 * by a fixed scalar xn and compares with the product computed externally
 * (sage). The declarations of a (line 4479) and xn (line 4486) are missing
 * from this listing, only their constant limbs survive; line 4500 is
 * missing as well.
 */
4477static void ecmult_const_random_mult(void) {
4478 /* random starting point A (on the curve) */
4480 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4481 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4482 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4483 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4484 );
4485 /* random initial factor xn */
4487 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4488 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4489 );
4490 /* expected xn * A (from sage) */
4491 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4492 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4493 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4494 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4495 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4496 );
4497 secp256k1_gej b;
4498 secp256k1_ecmult_const(&b, &a, &xn);
4499
 /* Compare the affine expectation against the Jacobian result. */
4501 ge_equals_gej(&expected_b, &b);
4502}
4503
4507 secp256k1_gej res1;
4508 secp256k1_gej res2;
4509 secp256k1_ge mid1;
4510 secp256k1_ge mid2;
4513
4516 secp256k1_ge_set_gej(&mid1, &res1);
4517 secp256k1_ge_set_gej(&mid2, &res2);
4518 secp256k1_ecmult_const(&res1, &mid1, &b);
4519 secp256k1_ecmult_const(&res2, &mid2, &a);
4520 secp256k1_ge_set_gej(&mid1, &res1);
4521 secp256k1_ge_set_gej(&mid2, &res2);
4522 ge_equals_ge(&mid1, &mid2);
4523}
4524
4526 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4527 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4528 secp256k1_scalar negone;
4529 secp256k1_gej res1;
4530 secp256k1_ge res2;
4531 secp256k1_ge point;
4532 secp256k1_scalar_negate(&negone, &one);
4533
4535 secp256k1_ecmult_const(&res1, &point, &zero);
4536 secp256k1_ge_set_gej(&res2, &res1);
4538 secp256k1_ecmult_const(&res1, &point, &one);
4539 secp256k1_ge_set_gej(&res2, &res1);
4540 ge_equals_ge(&res2, &point);
4541 secp256k1_ecmult_const(&res1, &point, &negone);
4542 secp256k1_gej_neg(&res1, &res1);
4543 secp256k1_ge_set_gej(&res2, &res1);
4544 ge_equals_ge(&res2, &point);
4545}
4546
/* Exercises secp256k1_ecmult_const_xonly in two ways:
 *  - for random on-curve base points and random scalars q, the x-only
 *    result resx must equal the x coordinate of the full multiplication
 *    done with secp256k1_ecmult, compared in Jacobian form as
 *    resj.x == resj.z^2 * resx; on odd iterations the x input is supplied
 *    as a fraction n/d with random non-zero d, on even ones directly;
 *  - for random x values that are not on the curve the call must return 0.
 * Lines 4555 (the declaration of the scalar q used on 4569/4573), 4558,
 * 4560, 4563, 4584-4585 and 4592 (the random draws of base, q and d, and
 * the second loop's q) are missing from this listing.
 */
4547static void ecmult_const_mult_xonly(void) {
4548 int i;
4549
4550 /* Test correspondence between secp256k1_ecmult (used below) and secp256k1_ecmult_const_xonly. */
4551 for (i = 0; i < 2*COUNT; ++i) {
4552 secp256k1_ge base;
4553 secp256k1_gej basej, resj;
4554 secp256k1_fe n, d, resx, v;
4556 int res;
4557 /* Random base point. */
4559 /* Random scalar to multiply it with. */
4561 /* If i is odd, n=d*base.x for random non-zero d */
4562 if (i & 1) {
4564 secp256k1_fe_mul(&n, &base.x, &d);
4565 } else {
4566 n = base.x;
4567 }
4568 /* Perform x-only multiplication. */
 /* The last argument alternates with i & 2; presumably a "known on curve"
  * hint, its meaning is not visible in this listing. */
4569 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4570 CHECK(res);
4571 /* Perform normal multiplication. */
4572 secp256k1_gej_set_ge(&basej, &base);
4573 secp256k1_ecmult(&resj, &basej, &q, NULL);
4574 /* Check that resj's X coordinate corresponds with resx. */
 /* Jacobian affine x is X/Z^2, so compare Z^2 * resx with X instead of inverting. */
4575 secp256k1_fe_sqr(&v, &resj.z);
4576 secp256k1_fe_mul(&v, &v, &resx);
4577 CHECK(check_fe_equal(&v, &resj.x));
4578 }
4579
4580 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4581 for (i = 0; i < 2*COUNT; ++i) {
4582 secp256k1_fe x, n, d, r;
4583 int res;
4586 /* Generate random X coordinate not on the curve. */
4587 do {
4588 random_fe_test(&x);
4589 } while (secp256k1_ge_x_on_curve_var(&x));
4590 /* If i is odd, n=d*x for random non-zero d. */
4591 if (i & 1) {
4593 secp256k1_fe_mul(&n, &x, &d);
4594 } else {
4595 n = x;
4596 }
 /* Flag is 0 here: the caller does not claim the input is on the curve, so rejection is expected. */
4597 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4598 CHECK(res == 0);
4599 }
4600}
4601
4603 /* Check known result (randomly generated test problem from sage) */
4605 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4606 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4607 );
4608 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4609 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4610 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4611 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4612 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4613 );
4614 secp256k1_gej point;
4615 secp256k1_ge res;
4616 int i;
4617
4619 for (i = 0; i < 100; ++i) {
4620 secp256k1_ge tmp;
4621 secp256k1_ge_set_gej(&tmp, &point);
4622 secp256k1_ecmult_const(&point, &tmp, &scalar);
4623 }
4624 secp256k1_ge_set_gej(&res, &point);
4625 ge_equals_gej(&res, &expected_point);
4626}
4627
/* Driver for the secp256k1_ecmult_const tests above. Its body (source
 * lines 4629-4633) is missing from this listing. */
4628static void run_ecmult_const_tests(void) {
4634}
4635
4636typedef struct {
4640
/* ecmult_multi callback that serves the idx-th (scalar, point) pair out of
 * the arrays held by the ecmult_multi_data passed as cbdata.
 *
 * sc, pt: outputs, copied from data->sc[idx] and data->pt[idx].
 * idx:    index of the requested pair; no bounds check is done here, the
 *         caller must pass a count no larger than the arrays it supplied.
 * cbdata: pointer to an ecmult_multi_data.
 * Returns 1, i.e. the pair was supplied.
 */
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
    const ecmult_multi_data *input = cbdata;

    *sc = input->sc[idx];
    *pt = input->pt[idx];
    return 1;
}
4647
/* ecmult_multi callback that always refuses to supply an input: it leaves
 * sc and pt untouched and returns 0, so callers can exercise the path where
 * ecmult_multi must fail because its callback reported an error. The
 * parameters exist only to match the callback signature.
 */
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
    /* Nothing is read or written; silence unused-parameter warnings. */
    (void)cbdata;
    (void)idx;
    (void)pt;
    (void)sc;
    return 0;
}
4655
4657 int ncount;
4658 secp256k1_scalar sc[32];
4659 secp256k1_ge pt[32];
4660 secp256k1_gej r;
4661 secp256k1_gej r2;
4662 ecmult_multi_data data;
4663
4664 data.sc = sc;
4665 data.pt = pt;
4666
4667 /* No points to multiply */
4668 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4669
4670 /* Check 1- and 2-point multiplies against ecmult */
4671 for (ncount = 0; ncount < COUNT; ncount++) {
4672 secp256k1_ge ptg;
4673 secp256k1_gej ptgj;
4674 random_scalar_order(&sc[0]);
4675 random_scalar_order(&sc[1]);
4676
4678 secp256k1_gej_set_ge(&ptgj, &ptg);
4679 pt[0] = ptg;
4680 pt[1] = secp256k1_ge_const_g;
4681
4682 /* only G scalar */
4683 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4684 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4685 CHECK(secp256k1_gej_eq_var(&r, &r2));
4686
4687 /* 1-point */
4688 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4689 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4690 CHECK(secp256k1_gej_eq_var(&r, &r2));
4691
4692 /* Try to multiply 1 point, but callback returns false */
4693 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4694
4695 /* 2-point */
4696 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4697 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4698 CHECK(secp256k1_gej_eq_var(&r, &r2));
4699
4700 /* 2-point with G scalar */
4701 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4702 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4703 CHECK(secp256k1_gej_eq_var(&r, &r2));
4704 }
4705
4706 /* Check infinite outputs of various forms */
4707 for (ncount = 0; ncount < COUNT; ncount++) {
4708 secp256k1_ge ptg;
4709 size_t i, j;
4710 size_t sizes[] = { 2, 10, 32 };
4711
4712 for (j = 0; j < 3; j++) {
4713 for (i = 0; i < 32; i++) {
4714 random_scalar_order(&sc[i]);
4716 }
4717 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4719 }
4720
4721 for (j = 0; j < 3; j++) {
4722 for (i = 0; i < 32; i++) {
4724 pt[i] = ptg;
4725 secp256k1_scalar_set_int(&sc[i], 0);
4726 }
4727 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4729 }
4730
4731 for (j = 0; j < 3; j++) {
4733 for (i = 0; i < 16; i++) {
4734 random_scalar_order(&sc[2*i]);
4735 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4736 pt[2 * i] = ptg;
4737 pt[2 * i + 1] = ptg;
4738 }
4739
4740 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4742
4743 random_scalar_order(&sc[0]);
4744 for (i = 0; i < 16; i++) {
4746
4747 sc[2*i] = sc[0];
4748 sc[2*i+1] = sc[0];
4749 pt[2 * i] = ptg;
4750 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4751 }
4752
4753 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4755 }
4756
4758 secp256k1_scalar_set_int(&sc[0], 0);
4759 pt[0] = ptg;
4760 for (i = 1; i < 32; i++) {
4761 pt[i] = ptg;
4762
4763 random_scalar_order(&sc[i]);
4764 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4765 secp256k1_scalar_negate(&sc[i], &sc[i]);
4766 }
4767
4768 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4770 }
4771
4772 /* Check random points, constant scalar */
4773 for (ncount = 0; ncount < COUNT; ncount++) {
4774 size_t i;
4776
4777 random_scalar_order(&sc[0]);
4778 for (i = 0; i < 20; i++) {
4779 secp256k1_ge ptg;
4780 sc[i] = sc[0];
4782 pt[i] = ptg;
4783 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4784 }
4785
4786 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4787 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4788 CHECK(secp256k1_gej_eq_var(&r, &r2));
4789 }
4790
4791 /* Check random scalars, constant point */
4792 for (ncount = 0; ncount < COUNT; ncount++) {
4793 size_t i;
4794 secp256k1_ge ptg;
4795 secp256k1_gej p0j;
4798
4800 for (i = 0; i < 20; i++) {
4801 random_scalar_order(&sc[i]);
4802 pt[i] = ptg;
4803 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4804 }
4805
4806 secp256k1_gej_set_ge(&p0j, &pt[0]);
4807 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4808 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4809 CHECK(secp256k1_gej_eq_var(&r, &r2));
4810 }
4811
4812 /* Sanity check that zero scalars don't cause problems */
4813 for (ncount = 0; ncount < 20; ncount++) {
4814 random_scalar_order(&sc[ncount]);
4815 random_group_element_test(&pt[ncount]);
4816 }
4817 secp256k1_scalar_clear(&sc[0]);
4818 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4819 secp256k1_scalar_clear(&sc[1]);
4820 secp256k1_scalar_clear(&sc[2]);
4821 secp256k1_scalar_clear(&sc[3]);
4822 secp256k1_scalar_clear(&sc[4]);
4823 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4824 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4826
4827 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4828 {
4829 const size_t TOP = 8;
4830 size_t s0i, s1i;
4831 size_t t0i, t1i;
4832 secp256k1_ge ptg;
4833 secp256k1_gej ptgj;
4834
4836 secp256k1_gej_set_ge(&ptgj, &ptg);
4837
4838 for(t0i = 0; t0i < TOP; t0i++) {
4839 for(t1i = 0; t1i < TOP; t1i++) {
4840 secp256k1_gej t0p, t1p;
4841 secp256k1_scalar t0, t1;
4842
4843 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4844 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4845 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4846 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4847
4848 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4849 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4850
4851 for(s0i = 0; s0i < TOP; s0i++) {
4852 for(s1i = 0; s1i < TOP; s1i++) {
4853 secp256k1_scalar tmp1, tmp2;
4854 secp256k1_gej expected, actual;
4855
4856 secp256k1_ge_set_gej(&pt[0], &t0p);
4857 secp256k1_ge_set_gej(&pt[1], &t1p);
4858
4859 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4860 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4861 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4862 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4863
4864 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4865 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4866 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4867
4868 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4869 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4870 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4871 }
4872 }
4873 }
4874 }
4875 }
4876}
4877
4879 /* Large random test for ecmult_multi_* functions which exercises:
4880 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4881 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4882 * - Including or excluding an nonzero a*G term (or such a term at all).
4883 * - Final expected result equal to infinity or not (roughly 50%).
4884 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4885 */
4886
4887 /* These 4 variables define the eventual input to the ecmult_multi function.
4888 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4889 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4890 * which form its normal inputs. */
4891 int filled = 0;
4892 secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4893 secp256k1_scalar scalars[128];
4894 secp256k1_gej gejs[128];
4895 /* The expected result, and the computed result. */
4896 secp256k1_gej expected, computed;
4897 /* Temporaries. */
4898 secp256k1_scalar sc_tmp;
4899 secp256k1_ge ge_tmp;
4900 /* Variables needed for the actual input to ecmult_multi. */
4901 secp256k1_ge ges[128];
4902 ecmult_multi_data data;
4903
4904 int i;
4905 /* Which multiplication function to use */
4906 int fn = secp256k1_testrand_int(3);
4910 /* Simulate exponentially distributed num. */
4911 int num_bits = 2 + secp256k1_testrand_int(6);
4912 /* Number of (scalar, point) inputs (excluding g). */
4913 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4914 /* Number of those which are nonzero. */
4915 int num_nonzero = secp256k1_testrand_int(num + 1);
4916 /* Whether we're aiming to create an input with nonzero expected result. */
4917 int nonzero_result = secp256k1_testrand_bits(1);
4918 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4919 * is forced here based on num_nonzero and nonzero_result. */
4920 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4921 num_nonzero == 1 && !nonzero_result ? 1 :
4923 /* Which g_scalar pointer to pass into ecmult_multi(). */
4924 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4925 /* How many EC multiplications were performed in this function. */
4926 int mults = 0;
4927 /* How many randomization steps to apply to the input list. */
4928 int rands = (int)secp256k1_testrand_bits(3);
4929 if (rands > num_nonzero) rands = num_nonzero;
4930
4931 secp256k1_gej_set_infinity(&expected);
4933 secp256k1_scalar_set_int(&scalars[0], 0);
4934
4935 if (g_nonzero) {
4936 /* If g_nonzero, set g_scalar to nonzero value r. */
4937 random_scalar_order_test(&g_scalar);
4938 if (!nonzero_result) {
4939 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4940 CHECK(num_nonzero > filled);
4941 random_scalar_order_test(&sc_tmp);
4942 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4943 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4944 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4945 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4946 ++filled;
4947 ++mults;
4948 }
4949 }
4950
4951 if (nonzero_result && filled < num_nonzero) {
4952 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4953 random_scalar_order_test(&scalars[filled]);
4955 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4956 ++filled;
4957 }
4958
4959 if (nonzero_result) {
4960 /* Compute the expected result using normal ecmult. */
4961 CHECK(filled <= 1);
4962 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4963 mults += filled + g_nonzero;
4964 }
4965
4966 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4967 CHECK(filled <= 1 + !nonzero_result);
4968 CHECK(filled <= num_nonzero);
4969
4970 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4971 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4972 while (filled < num) {
4973 if (secp256k1_testrand_bits(1)) {
4974 secp256k1_gej_set_infinity(&gejs[filled]);
4975 random_scalar_order_test(&scalars[filled]);
4976 } else {
4977 secp256k1_scalar_set_int(&scalars[filled], 0);
4979 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4980 }
4981 ++filled;
4982 }
4983
4984 /* Now perform cheapish transformations on gejs and scalars, for indices
4985 * 0..num_nonzero-1, which do not change the expected result, but may
4986 * convert some of them to be both non-0-scalar and non-infinity-point. */
4987 for (i = 0; i < rands; ++i) {
4988 int j;
4989 secp256k1_scalar v, iv;
4990 /* Shuffle the entries. */
4991 for (j = 0; j < num_nonzero; ++j) {
4992 int k = secp256k1_testrand_int(num_nonzero - j);
4993 if (k != 0) {
4994 secp256k1_gej gej = gejs[j];
4995 secp256k1_scalar sc = scalars[j];
4996 gejs[j] = gejs[j + k];
4997 scalars[j] = scalars[j + k];
4998 gejs[j + k] = gej;
4999 scalars[j + k] = sc;
5000 }
5001 }
5002 /* Perturb all consecutive pairs of inputs:
5003 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5004 for (j = 0; j + 1 < num_nonzero; j += 2) {
5005 secp256k1_gej gej;
5006 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5007 secp256k1_gej_neg(&gej, &gejs[j]);
5008 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5009 }
5010 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5011 CHECK(num_nonzero >= 1);
5013 secp256k1_scalar_inverse(&iv, &v);
5014 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5015 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5016 ++mults;
5017 }
5018
5019 /* Shuffle all entries (0..num-1). */
5020 for (i = 0; i < num; ++i) {
5021 int j = secp256k1_testrand_int(num - i);
5022 if (j != 0) {
5023 secp256k1_gej gej = gejs[i];
5024 secp256k1_scalar sc = scalars[i];
5025 gejs[i] = gejs[i + j];
5026 scalars[i] = scalars[i + j];
5027 gejs[i + j] = gej;
5028 scalars[i + j] = sc;
5029 }
5030 }
5031
5032 /* Compute affine versions of all inputs. */
5033 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5034 /* Invoke ecmult_multi code. */
5035 data.sc = scalars;
5036 data.pt = ges;
5037 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5038 mults += num_nonzero + g_nonzero;
5039 /* Compare with expected result. */
5040 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5041 return mults;
5042}
5043
5046 secp256k1_ge pt;
5047 secp256k1_gej r;
5048 ecmult_multi_data data;
5049 secp256k1_scratch *scratch_empty;
5050
5053 data.sc = &sc;
5054 data.pt = &pt;
5055
5056 /* Try to multiply 1 point, but scratch space is empty.*/
5057 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5058 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5060}
5061
5063 int i;
5064
5066 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5067 /* Bucket_window of 8 is not used with endo */
5068 if (i == 8) {
5069 continue;
5070 }
5072 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5074 }
5075 }
5076}
5077
5083 size_t scratch_size = secp256k1_testrand_bits(8);
5085 secp256k1_scratch *scratch;
5086 size_t n_points_supported;
5087 int bucket_window = 0;
5088
5089 for(; scratch_size < max_size; scratch_size+=256) {
5090 size_t i;
5091 size_t total_alloc;
5092 size_t checkpoint;
5093 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5094 CHECK(scratch != NULL);
5095 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5096 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5097 if (n_points_supported == 0) {
5099 continue;
5100 }
5101 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5102 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5103 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5104 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5106 total_alloc--;
5107 }
5108 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5111 }
5112 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5113}
5114
5116 size_t n_batches, n_batch_points, max_n_batch_points, n;
5117
5118 max_n_batch_points = 0;
5119 n = 1;
5120 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5121
5122 max_n_batch_points = 1;
5123 n = 0;
5124 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5125 CHECK(n_batches == 0);
5126 CHECK(n_batch_points == 0);
5127
5128 max_n_batch_points = 2;
5129 n = 5;
5130 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5131 CHECK(n_batches == 3);
5132 CHECK(n_batch_points == 2);
5133
5134 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5136 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5137 CHECK(n_batches == 1);
5138 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5139
5140 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5142 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5143 CHECK(n_batches == 2);
5144 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5145
5146 max_n_batch_points = 1;
5147 n = SIZE_MAX;
5148 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5149 CHECK(n_batches == SIZE_MAX);
5150 CHECK(n_batch_points == 1);
5151
5152 max_n_batch_points = 2;
5153 n = SIZE_MAX;
5154 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5155 CHECK(n_batches == SIZE_MAX/2 + 1);
5156 CHECK(n_batch_points == 2);
5157}
5158
5164 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5165 secp256k1_scalar scG;
5168 secp256k1_gej r;
5169 secp256k1_gej r2;
5170 ecmult_multi_data data;
5171 int i;
5172 secp256k1_scratch *scratch;
5173
5175
5176 /* Get random scalars and group elements and compute result */
5177 random_scalar_order(&scG);
5178 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5179 for(i = 0; i < n_points; i++) {
5180 secp256k1_ge ptg;
5181 secp256k1_gej ptgj;
5183 secp256k1_gej_set_ge(&ptgj, &ptg);
5184 pt[i] = ptg;
5185 random_scalar_order(&sc[i]);
5186 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5187 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5188 }
5189 data.sc = sc;
5190 data.pt = pt;
5191 secp256k1_gej_neg(&r2, &r2);
5192
5193 /* Test with empty scratch space. It should compute the correct result using
5194 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5196 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5197 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5200
5201 /* Test with space for 1 point in pippenger. That's not enough because
5202 * ecmult_multi selects strauss which requires more memory. It should
5203 * therefore select the simple algorithm. */
5205 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5206 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5209
5210 for(i = 1; i <= n_points; i++) {
5212 int bucket_window = secp256k1_pippenger_bucket_window(i);
5213 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5215 } else {
5216 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5218 }
5219 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5220 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5223 }
5224 free(sc);
5225 free(pt);
5226}
5227
/* Driver for the ecmult_multi tests. Allocates an 819200-byte scratch
 * space and runs test_ecmult_multi_random until roughly 320*COUNT EC
 * multiplications have been spent (the random test apparently returns the
 * number of multiplications it performed, which is subtracted from todo),
 * then runs the fixed tests. Lines 5232-5233, 5235-5240, 5244 and
 * 5247-5252 are missing from this listing, presumably including the
 * remaining test calls and the scratch destruction.
 */
5228static void run_ecmult_multi_tests(void) {
5229 secp256k1_scratch *scratch;
 /* Budget of EC multiplications; 64-bit so a large COUNT cannot overflow it. */
5230 int64_t todo = (int64_t)320 * COUNT;
5231
5234 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5241 while (todo > 0) {
5242 todo -= test_ecmult_multi_random(scratch);
5243 }
5245
5246 /* Run test_ecmult_multi with space for exactly one point */
5250
5253}
5254
/* Checks the wNAF encoding secp256k1_ecmult_wnaf produces for number with
 * window size w: at most 256 digits, non-zero digits odd and inside the
 * window's range, at least w-1 zero digits between non-zero ones, no
 * leading zero padding, and the digits re-evaluate (Horner scheme, base 2)
 * to number itself. Lines 5261 (presumably x := 0), 5279 and 5281-5282
 * (the conversion of digit v into the scalar t that is added) are missing
 * from this listing.
 */
5255static void test_wnaf(const secp256k1_scalar *number, int w) {
5256 secp256k1_scalar x, two, t;
5257 int wnaf[256];
 /* Zero digits seen since the last non-zero digit; -1 until one has been seen. */
5258 int zeroes = -1;
5259 int i;
5260 int bits;
5262 secp256k1_scalar_set_int(&two, 2);
5263 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5264 CHECK(bits <= 256);
 /* Walk from the most significant digit down, accumulating x = 2*x + digit. */
5265 for (i = bits-1; i >= 0; i--) {
5266 int v = wnaf[i];
5267 secp256k1_scalar_mul(&x, &x, &two);
5268 if (v) {
5269 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5270 zeroes=0;
5271 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5272 CHECK(v <= (1 << (w-1)) - 1); /* upper bound of the digit range */
5273 CHECK(v >= -(1 << (w-1)) - 1); /* lower bound; NOTE(review): two looser than the upper bound (admits -(2^(w-1)) and -(2^(w-1))-1), confirm against the encoder's contract */
5274 } else {
5275 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5276 zeroes++;
5277 }
5278 if (v >= 0) {
5280 } else {
5283 }
5284 secp256k1_scalar_add(&x, &x, &t);
5285 }
5286 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5287}
5288
5290 secp256k1_scalar neg1 = *number;
5291 secp256k1_scalar neg2 = *number;
5292 int sign1 = 1;
5293 int sign2 = 1;
5294
5295 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
5296 secp256k1_scalar_negate(&neg1, &neg1);
5297 sign1 = -1;
5298 }
5300 CHECK(sign1 == sign2);
5301 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
5302}
5303
/* Checks the constant-time wNAF encoding secp256k1_wnaf_const produces for
 * the top 128 bits of number (the low 128 bits are shifted out first):
 * every digit must be non-zero, odd and strictly inside (-2^w, 2^w), and
 * re-evaluating the digits in base 2^w must give the shifted number plus
 * the skew the encoder reports. Lines 5313 (presumably x := 0), 5322 (the
 * declaration of t, which is used on 5336) and 5331, 5333-5334 (the
 * conversion of v into t) are missing from this listing.
 */
5304static void test_constant_wnaf(const secp256k1_scalar *number, int w) {
5305 secp256k1_scalar x, shift;
5306 int wnaf[256] = {0};
5307 int i;
5308 int skew;
 /* As far as this listing shows, the 256 is overwritten with 128 below before being read. */
5309 int bits = 256;
5310 secp256k1_scalar num = *number;
5311 secp256k1_scalar scalar_skew;
5312
 /* Each digit is worth a factor 2^w in the Horner evaluation. */
5314 secp256k1_scalar_set_int(&shift, 1 << w);
 /* Drop the low 16 bytes so only a 128-bit value is encoded. */
5315 for (i = 0; i < 16; ++i) {
5316 secp256k1_scalar_shr_int(&num, 8);
5317 }
5318 bits = 128;
5319 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
5320
5321 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
5323 int v = wnaf[i];
5324 CHECK(v != 0); /* check nonzero */
5325 CHECK(v & 1); /* check parity */
5326 CHECK(v > -(1 << w)); /* lower bound of the digit range */
5327 CHECK(v < (1 << w)); /* upper bound of the digit range */
5328
5329 secp256k1_scalar_mul(&x, &x, &shift);
5330 if (v >= 0) {
5332 } else {
5335 }
5336 secp256k1_scalar_add(&x, &x, &t);
5337 }
5338 /* Skew num because when encoding numbers as odd we use an offset */
5339 secp256k1_scalar_set_int(&scalar_skew, skew);
5340 secp256k1_scalar_add(&num, &num, &scalar_skew);
5341 CHECK(secp256k1_scalar_eq(&x, &num));
5342}
5343
/* Checks the fixed-window wNAF encoding secp256k1_wnaf_fixed produces for
 * the top 128 bits of number: digits are zero or odd and strictly inside
 * (-2^w, 2^w), and evaluating them in base 2^w gives the shifted number,
 * plus 1 when the encoder reports skew == 1. Lines 5351 (presumably
 * x := 0), 5359 (the declaration of t used on 5372) and 5367, 5369-5370
 * (the conversion of v into t) are missing from this listing.
 */
5344static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5345 secp256k1_scalar x, shift;
5346 int wnaf[256] = {0};
5347 int i;
5348 int skew;
5349 secp256k1_scalar num = *number;
5350
 /* Each digit is worth a factor 2^w in the Horner evaluation. */
5352 secp256k1_scalar_set_int(&shift, 1 << w);
 /* Drop the low 16 bytes so only a 128-bit value is encoded. */
5353 for (i = 0; i < 16; ++i) {
5354 secp256k1_scalar_shr_int(&num, 8);
5355 }
5356 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5357
 /* Unlike the constant-time variant checked in test_constant_wnaf, a digit may be zero here. */
5358 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5360 int v = wnaf[i];
5361 CHECK(v == 0 || v & 1); /* check parity */
5362 CHECK(v > -(1 << w)); /* lower bound of the digit range */
5363 CHECK(v < (1 << w)); /* upper bound of the digit range */
5364
5365 secp256k1_scalar_mul(&x, &x, &shift);
5366 if (v >= 0) {
5368 } else {
5371 }
5372 secp256k1_scalar_add(&x, &x, &t);
5373 }
5374 /* If skew is 1 then add 1 to num */
5375 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5376 CHECK(secp256k1_scalar_eq(&x, &num));
5377}
5378
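/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
 * rest is 0.
 *
 * wnaf:          the WNAF_SIZE(w) digits produced by secp256k1_wnaf_fixed.
 * wnaf_expected: the 8 expected low-order digits.
 * w:             window size used to produce wnaf; fixes WNAF_SIZE(w).
 * Aborts via CHECK on the first mismatch. Neither array is modified, hence
 * the const qualifiers (callers passing non-const arrays are unaffected).
 */
static void test_fixed_wnaf_small_helper(const int *wnaf, const int *wnaf_expected, int w) {
    int i;

    /* Every digit above the 8 expected ones must be zero. */
    for (i = WNAF_SIZE(w) - 1; i >= 8; --i) {
        CHECK(wnaf[i] == 0);
    }
    /* The 8 low-order digits must match exactly. */
    for (i = 7; i >= 0; --i) {
        CHECK(wnaf[i] == wnaf_expected[i]);
    }
}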
5390
/* Known-answer tests for secp256k1_wnaf_fixed with window size 4 on a few
 * small values: for each value the 8 low-order digits must match the
 * hand-computed table, every higher digit must be zero, and the reported
 * skew must match. The wnaf buffer is deliberately shared across cases, as
 * the encoder is expected to rewrite every digit it owns.
 */
static void test_fixed_wnaf_small(void) {
    struct {
        unsigned int value;
        int digits[8];
        int skew;
    } cases[] = {
        { 0,          { 0, 0, 0, 0, 0, 0, 0, 0 }, 0 },
        { 1,          { 1, 0, 0, 0, 0, 0, 0, 0 }, 0 },
        { 0xffffffff, { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }, 0 },
        { 0xeeeeeeee, { -1, -1, -1, -1, -1, -1, -1, 0xf }, 1 },
        { 0x01010101, { 1, 0, 1, 0, 1, 0, 1, 0 }, 0 },
        { 0x01ef1ef1, { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }, 0 },
    };
    const int w = 4;
    int wnaf[256] = {0};
    size_t c;

    for (c = 0; c < sizeof(cases) / sizeof(cases[0]); ++c) {
        secp256k1_scalar num;
        int skew;

        secp256k1_scalar_set_int(&num, cases[c].value);
        skew = secp256k1_wnaf_fixed(wnaf, &num, w);
        /* Digits first, then skew, matching the order the checks are evaluated in. */
        test_fixed_wnaf_small_helper(wnaf, cases[c].digits, w);
        CHECK(skew == cases[c].skew);
    }
}
5444
/* Driver for the wNAF tests: runs test_constant_wnaf on the hand-picked
 * corner cases 0, 1, 2, -1, -2, (1/2)-1 and 1/2, then feeds random scalars
 * through test_wnaf, test_constant_wnaf and test_fixed_wnaf with window
 * sizes cycling over 4..13, and finally checks the return value of
 * secp256k1_scalar_cond_negate. Lines 5457-5458, 5462-5463, 5468, 5471,
 * 5475, 5478, 5480, 5484 and 5486-5488 are missing from this listing,
 * including the constructions of the -1, -2 and 1/2 cases and the random
 * scalar draws.
 */
5445static void run_wnaf(void) {
5446 int i;
 /* Zero scalar built by writing the limb array directly; the n.d[0]
  * assignments below assume d[0] is the least significant limb, which is
  * representation-dependent. */
5447 secp256k1_scalar n = {{0}};
5448
5449 test_constant_wnaf(&n, 4);
5450 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
5451 * have easier-to-diagnose failure modes */
5452 n.d[0] = 1;
5453 test_constant_wnaf(&n, 4);
5454 n.d[0] = 2;
5455 test_constant_wnaf(&n, 4);
5456 /* Test -1, because it's a special case in wnaf_const */
5459 test_constant_wnaf(&n, 4);
5460
5461 /* Test -2, which may not lead to overflows in wnaf_const */
5464 test_constant_wnaf(&n, 4);
5465
5466 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
5467 as corner cases of negation handling in wnaf_const */
5469 test_constant_wnaf(&n, 4);
5470
5472 test_constant_wnaf(&n, 4);
5473
5474 /* Test 0 for fixed wnaf */
5476 /* Random tests */
5477 for (i = 0; i < COUNT; i++) {
 /* The draw of a fresh random n is on a line not shown in this listing. */
5479 test_wnaf(&n, 4+(i%10));
5481 test_constant_wnaf(&n, 4 + (i % 10));
5482 test_fixed_wnaf(&n, 4 + (i % 10));
5483 }
 /* With the flag set, cond_negate must report -1. */
5485 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5489}
5490
/* Callback for secp256k1_ecmult_multi_var as used by test_ecmult_accumulate:
 * `data` points at the scalar under test, which is handed back as the term's
 * scalar. The caller requests exactly one term, so idx must always be 0.
 * Returns 1 (success).
 * NOTE(review): the line assigning *pt is not reproduced in this listing; for
 * the caller's comparison against x*G to hold it would have to be the
 * generator — confirm against the repository. */
5491static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5492 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5493 *sc = *indata;
/* Only one term is ever requested (the n == 1 call in test_ecmult_accumulate). */
5495 CHECK(idx == 0);
5496 return 1;
5497}
5498
5500 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5501 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5502 secp256k1_ge r;
5503 const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5504 unsigned char bytes[65];
5505 size_t size = 65;
5509 secp256k1_ecmult(&rj2, &gj, x, &zero);
5510 secp256k1_ecmult(&rj3, &infj, &zero, x);
5511 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5512 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
5514 secp256k1_ge_set_gej_var(&r, &rj1);
5515 ge_equals_gej(&r, &rj2);
5516 ge_equals_gej(&r, &rj3);
5517 ge_equals_gej(&r, &rj4);
5518 ge_equals_gej(&r, &rj5);
5519 ge_equals_gej(&r, &rj6);
5520 if (secp256k1_ge_is_infinity(&r)) {
5521 /* Store infinity as 0x00 */
5522 const unsigned char zerobyte[1] = {0};
5523 secp256k1_sha256_write(acc, zerobyte, 1);
5524 } else {
5525 /* Store other points using their uncompressed serialization. */
5526 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5527 CHECK(size == 65);
5528 secp256k1_sha256_write(acc, bytes, size);
5529 }
5530}
5531
5533 /* Using test_ecmult_accumulate, test ecmult for:
5534 * - For i in 0..36:
5535 * - Key i
5536 * - Key -i
5537 * - For i in 0..255:
5538 * - For j in 1..255 (only odd values):
5539 * - Key (j*2^i) mod order
5540 */
5542 secp256k1_sha256 acc;
5543 unsigned char b32[32];
5544 int i, j;
5546
5547 /* Expected hash of all the computed points; created with an independent
5548 * implementation. */
5549 static const unsigned char expected32[32] = {
5550 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5551 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5552 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5553 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5554 };
5556 for (i = 0; i <= 36; ++i) {
5558 test_ecmult_accumulate(&acc, &x, scratch);
5560 test_ecmult_accumulate(&acc, &x, scratch);
5561 };
5562 for (i = 0; i < 256; ++i) {
5563 for (j = 1; j < 256; j += 2) {
5564 int k;
5566 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5567 test_ecmult_accumulate(&acc, &x, scratch);
5568 }
5569 }
5570 secp256k1_sha256_finalize(&acc, b32);
5571 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5572
5574}
5575
/* Known-answer test: feeds a deterministic set of scalars through
 * test_ecmult_accumulate and compares the running SHA256 of all resulting
 * points against expected32, a digest produced by an independent
 * implementation. Any deviation in the multiplication code or its tables
 * changes the digest. */
5576static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5577 /* Using test_ecmult_accumulate, test ecmult for:
5578 * - Key 0
5579 * - Key 1
5580 * - Key -1
5581 * - For i in range(iter):
5582 * - Key SHA256(LE32(prefix) || LE16(i))
5583 */
5585 secp256k1_sha256 acc;
5586 unsigned char b32[32];
5587 unsigned char inp[6];
5588 size_t i;
5590
/* inp[0..3] = LE32(prefix) stays fixed; inp[4..5] = LE16(i) is rewritten per iteration. */
5591 inp[0] = prefix & 0xFF;
5592 inp[1] = (prefix >> 8) & 0xFF;
5593 inp[2] = (prefix >> 16) & 0xFF;
5594 inp[3] = (prefix >> 24) & 0xFF;
5597 test_ecmult_accumulate(&acc, &x, scratch);
5599 test_ecmult_accumulate(&acc, &x, scratch);
5601 test_ecmult_accumulate(&acc, &x, scratch);
5602
5603 for (i = 0; i < iter; ++i) {
5604 secp256k1_sha256 gen;
/* LE16(i): only the low 16 bits of i are encoded, so inputs repeat for iter > 65536
 * (the callers use 1024 and 2048). */
5605 inp[4] = i & 0xff;
5606 inp[5] = (i >> 8) & 0xff;
5608 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5609 secp256k1_sha256_finalize(&gen, b32);
/* The hash is taken modulo the group order; the overflow indicator is deliberately not requested. */
5610 secp256k1_scalar_set_b32(&x, b32, NULL);
5611 test_ecmult_accumulate(&acc, &x, scratch);
5612 }
/* Digest over every accumulated point must match the independently computed value. */
5613 secp256k1_sha256_finalize(&acc, b32);
5614 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5615
5617}
5618
/* Driver for the ecmult known-answer tests. CONDITIONAL_TEST(cnt, name) runs
 * its body only when the global iteration count COUNT is at least cnt and
 * prints a skip message otherwise, so the more expensive sweeps are skipped
 * on low-count runs. The prefix constants select the scalar sets described
 * in the comments below; changing either a prefix or an iteration count
 * invalidates the corresponding expected digest. */
5619static void run_ecmult_constants(void) {
5620 /* Expected hashes of all points in the tests below. Computed using an
5621 * independent implementation. */
5622 static const unsigned char expected32_6bit20[32] = {
5623 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5624 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5625 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5626 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5627 };
5628 static const unsigned char expected32_8bit8[32] = {
5629 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5630 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5631 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5632 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5633 };
5634 /* For every combination of 6 bit positions out of 256, restricted to
5635 * 20-bit windows (i.e., the first and last bit position are no more than
5636 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5637 * this test. */
5638 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5639 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5640 }
5641
5642 /* For every combination of 8 consecutive bit positions, all 256 bit
5643 * patterns occur in the input scalars used in this test. */
5644 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5645 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5646 }
5647
/* The exhaustive j*2^i sweep is the costliest of the three and needs COUNT >= 35.
 * NOTE(review): the call inside this body is not reproduced in the listing;
 * presumably test_ecmult_constants_2bit — confirm. */
5648 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5650 }
5651}
5652
/* Blinding in ecmult_gen (intended as a side-channel countermeasure) must be
 * functionally transparent: after re-blinding the context with a fresh random
 * seed, key*G computed before and after must be the same affine point while
 * the Jacobian representations differ.
 * NOTE(review): the lines that draw the random key and apply the new blinding
 * seed to CTX are not reproduced in this listing — confirm against the
 * repository. */
5653static void test_ecmult_gen_blind(void) {
5654 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5655 secp256k1_scalar key;
5657 unsigned char seed32[32];
5658 secp256k1_gej pgej;
5659 secp256k1_gej pgej2;
5660 secp256k1_gej i;
5661 secp256k1_ge pge;
/* First multiplication under the current blinding. */
5663 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5664 secp256k1_testrand256(seed32);
/* Same key, different blinding: the Jacobian coordinates must not coincide. */
5669 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5670 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
/* ...but they must still denote the same affine point. */
5672 secp256k1_ge_set_gej(&pge, &pgej);
5673 ge_equals_gej(&pge, &pgej2);
5674}
5675
5677 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5679 secp256k1_gej initial;
5682 initial = CTX->ecmult_gen_ctx.initial;
5686}
5687
5688static void run_ecmult_gen_blind(void) {
5689 int i;
5691 for (i = 0; i < 10; i++) {
5693 }
5694}
5695
5696/***** ENDOMORPHISM TESTS *****/
/* Check the lambda (GLV) decomposition of `full`: the two halves returned by
 * secp256k1_scalar_split_lambda must recombine to `full`, and each half must
 * fit in 128 bits once its sign is normalised.
 * NOTE(review): the multiplication slam*lambda that precedes the add is on a
 * line not reproduced in this listing. */
5697static void test_scalar_split(const secp256k1_scalar* full) {
5698 secp256k1_scalar s, s1, slam;
5699 const unsigned char zero[32] = {0};
5700 unsigned char tmp[32];
5701
5702 secp256k1_scalar_split_lambda(&s1, &slam, full);
5703
5704 /* check slam*lambda + s1 == full */
5706 secp256k1_scalar_add(&s, &s, &s1);
5707 CHECK(secp256k1_scalar_eq(&s, full));
5708
5709 /* check that both are <= 128 bits in size */
/* A "high" half encodes a small negative value; negate it so the magnitude is tested. */
5710 if (secp256k1_scalar_is_high(&s1)) {
5711 secp256k1_scalar_negate(&s1, &s1);
5712 }
5713 if (secp256k1_scalar_is_high(&slam)) {
5714 secp256k1_scalar_negate(&slam, &slam);
5715 }
5716
/* The first 16 bytes of the 32-byte big-endian encoding are the top 128 bits; they must be zero. */
5717 secp256k1_scalar_get_b32(tmp, &s1);
5718 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5719 secp256k1_scalar_get_b32(tmp, &slam);
5720 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5721}
5722
5723
5724static void run_endomorphism_tests(void) {
5725 unsigned i;
5726 static secp256k1_scalar s;
5734
5735 for (i = 0; i < 100U * COUNT; ++i) {
5736 secp256k1_scalar full;
5738 test_scalar_split(&full);
5739 }
5740 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5742 }
5743}
5744
/* Exhaustive encoding test for one point. `input` is x || y (64 bytes,
 * big-endian, the payload of an uncompressed serialization). The point is
 * presented to secp256k1_ec_pubkey_parse under every claimed length 3..65 and
 * every type byte; `xvalid` says whether x is on the curve, `yvalid` whether
 * the given y belongs to it. Accepted encodings must round-trip through
 * serialization; everything else must be rejected, must not read past the
 * claimed length, and must not leave a loadable pubkey behind.
 * `ecount` counts illegal-argument callback invocations.
 * NOTE(review): the installation (and later reset) of the counting callback on
 * CTX is on lines not reproduced in this listing — confirm it targets ecount. */
5745static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5746 unsigned char pubkeyc[65];
5747 secp256k1_pubkey pubkey;
5748 secp256k1_ge ge;
5749 size_t pubkeyclen;
5750 int32_t ecount;
5751 ecount = 0;
5753 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5754 /* Smaller sizes are tested exhaustively elsewhere. */
5755 int32_t i;
5756 memcpy(&pubkeyc[1], input, 64);
/* Bytes beyond the claimed length are marked undefined so memcheck flags any over-read by the parser. */
5757 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5758 for (i = 0; i < 256; i++) {
5759 /* Try all type bytes. */
5760 int xpass;
5761 int ypass;
5762 int ysign;
5763 pubkeyc[0] = i;
5764 /* What sign does this point have? */
/* 0x02 for even y, 0x03 for odd y: the compressed prefix this point should serialize to. */
5765 ysign = (input[63] & 1) + 2;
5766 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
/* Compressed (0x02/0x03) at 33 bytes only needs x, so it parses whenever x is on the curve, whatever yvalid says. */
5767 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5768 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
/* Encodings that pin down y as well: 0x02/0x03 with the right parity at 33 bytes,
 * 0x04 at 65 bytes, or hybrid 0x06/0x07 with the right parity at 65 bytes
 * (bit 2 of the type byte must be set exactly for the 65-byte forms). */
5769 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5770 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5771 if (xpass || ypass) {
5772 /* These cases must parse. */
5773 unsigned char pubkeyo[65];
5774 size_t outl;
5775 memset(&pubkey, 0, sizeof(pubkey));
5776 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5777 ecount = 0;
5778 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
/* Every byte of the output object must be initialised after a successful parse. */
5779 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5780 outl = 65;
5781 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5782 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5783 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5784 CHECK(outl == 33);
/* x must survive the round trip; for compressed input the prefix must be echoed back. */
5785 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5786 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5787 if (ypass) {
5788 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5789 CHECK(pubkeyo[0] == ysign);
/* Load to a group element, store it into a fresh object, and check the uncompressed form is 0x04 || input. */
5790 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5791 memset(&pubkey, 0, sizeof(pubkey));
5792 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5793 secp256k1_pubkey_save(&pubkey, &ge);
5794 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5795 outl = 65;
5796 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5797 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5798 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5799 CHECK(outl == 65);
5800 CHECK(pubkeyo[0] == 4);
5801 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5802 }
/* Valid input must never trigger the illegal-argument callback. */
5803 CHECK(ecount == 0);
5804 } else {
5805 /* These cases must fail to parse. */
/* Pre-fill with 0xfe so a parser that leaves its output untouched on failure is caught:
 * the rejected object must be fully written, must not raise an illegal-argument error
 * for the parse itself, and must be refused by secp256k1_pubkey_load (which does raise one). */
5806 memset(&pubkey, 0xfe, sizeof(pubkey));
5807 ecount = 0;
5808 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5809 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5810 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5811 CHECK(ecount == 0);
5812 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
5813 CHECK(ecount == 1);
5814 }
5815 }
5816 }
5818}
5819
5820static void run_ec_pubkey_parse_test(void) {
5821#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5822 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5823 {
5824 /* Point with leading and trailing zeros in x and y serialization. */
5825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5827 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5828 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5829 },
5830 {
5831 /* Point with x equal to a 3rd root of unity.*/
5832 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5833 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5834 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5835 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5836 },
5837 {
5838 /* Point with largest x. (1/2) */
5839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5840 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5841 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5842 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5843 },
5844 {
5845 /* Point with largest x. (2/2) */
5846 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5847 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5848 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5849 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5850 },
5851 {
5852 /* Point with smallest x. (1/2) */
5853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5854 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5855 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5856 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5857 },
5858 {
5859 /* Point with smallest x. (2/2) */
5860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5862 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5863 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5864 },
5865 {
5866 /* Point with largest y. (1/3) */
5867 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5868 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5869 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5870 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5871 },
5872 {
5873 /* Point with largest y. (2/3) */
5874 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5875 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5877 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5878 },
5879 {
5880 /* Point with largest y. (3/3) */
5881 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5882 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5883 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5884 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5885 },
5886 {
5887 /* Point with smallest y. (1/3) */
5888 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5889 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5891 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5892 },
5893 {
5894 /* Point with smallest y. (2/3) */
5895 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5896 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5897 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5899 },
5900 {
5901 /* Point with smallest y. (3/3) */
5902 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5903 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5904 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5905 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5906 }
5907 };
5908#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5909 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5910 {
5911 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5912 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5913 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5914 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5915 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5916 },
5917 {
5918 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5919 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5920 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5921 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5922 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5923 },
5924 {
5925 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5926 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5927 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5928 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5929 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5930 },
5931 {
5932 /* x on curve, y is from y^2 = x^3 + 8. */
5933 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5934 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5935 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5936 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5937 }
5938 };
5939#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5940 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5941 {
5942 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5943 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5944 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5945 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5946 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5947 },
5948 {
5949 /* Valid if x overflow ignored (x = 1 mod p). */
5950 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5951 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5952 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5953 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5954 },
5955 {
5956 /* Valid if x overflow ignored (x = 1 mod p). */
5957 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5958 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5959 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5960 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5961 },
5962 {
5963 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5964 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5965 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5966 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5967 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5968 },
5969 {
5970 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5971 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5972 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5973 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5974 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5975 },
5976 {
5977 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5978 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5979 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5980 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5981 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5982 },
5983 {
5984 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5985 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5986 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5987 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5988 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5989 }
5990 };
5991 const unsigned char pubkeyc[66] = {
5992 /* Serialization of G. */
5993 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5994 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5995 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5996 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5997 0xB8, 0x00
5998 };
5999 unsigned char sout[65];
6000 unsigned char shortkey[2];
6001 secp256k1_ge ge;
6002 secp256k1_pubkey pubkey;
6003 size_t len;
6004 int32_t i;
6005 int32_t ecount;
6006 int32_t ecount2;
6007 ecount = 0;
6008 /* Nothing should be reading this far into pubkeyc. */
6009 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
6011 /* Zero length claimed, fail, zeroize, no illegal arg error. */
6012 memset(&pubkey, 0xfe, sizeof(pubkey));
6013 ecount = 0;
6014 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
6015 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6016 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
6017 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6018 CHECK(ecount == 0);
6019 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6020 CHECK(ecount == 1);
6021 /* Length one claimed, fail, zeroize, no illegal arg error. */
6022 for (i = 0; i < 256 ; i++) {
6023 memset(&pubkey, 0xfe, sizeof(pubkey));
6024 ecount = 0;
6025 shortkey[0] = i;
6026 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
6027 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6028 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
6029 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6030 CHECK(ecount == 0);
6031 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6032 CHECK(ecount == 1);
6033 }
6034 /* Length two claimed, fail, zeroize, no illegal arg error. */
6035 for (i = 0; i < 65536 ; i++) {
6036 memset(&pubkey, 0xfe, sizeof(pubkey));
6037 ecount = 0;
6038 shortkey[0] = i & 255;
6039 shortkey[1] = i >> 8;
6040 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6041 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
6042 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6043 CHECK(ecount == 0);
6044 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6045 CHECK(ecount == 1);
6046 }
6047 memset(&pubkey, 0xfe, sizeof(pubkey));
6048 ecount = 0;
6049 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6050 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
6051 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
6052 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6053 CHECK(ecount == 0);
6054 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6055 CHECK(ecount == 1);
6056 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
6057 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65) == 0);
6058 CHECK(ecount == 2);
6059 /* NULL input string. Illegal arg and zeroize output. */
6060 memset(&pubkey, 0xfe, sizeof(pubkey));
6061 ecount = 0;
6062 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6063 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65) == 0);
6064 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6065 CHECK(ecount == 1);
6066 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6067 CHECK(ecount == 2);
6068 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
6069 memset(&pubkey, 0xfe, sizeof(pubkey));
6070 ecount = 0;
6071 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6072 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
6073 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6074 CHECK(ecount == 0);
6075 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6076 CHECK(ecount == 1);
6077 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6078 memset(&pubkey, 0xfe, sizeof(pubkey));
6079 ecount = 0;
6080 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6081 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6082 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6083 CHECK(ecount == 0);
6084 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6085 CHECK(ecount == 1);
6086 /* Valid parse. */
6087 memset(&pubkey, 0, sizeof(pubkey));
6088 ecount = 0;
6089 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6090 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6091 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6092 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6093 CHECK(ecount == 0);
6094 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6095 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6096 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6097 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6100 CHECK(ecount == 0);
6101 /* secp256k1_ec_pubkey_serialize illegal args. */
6102 ecount = 0;
6103 len = 65;
6105 CHECK(ecount == 1);
6106 CHECK(len == 0);
6108 CHECK(ecount == 2);
6109 len = 65;
6112 SECP256K1_CHECKMEM_CHECK(sout, 65);
6113 CHECK(ecount == 3);
6114 CHECK(len == 0);
6115 len = 65;
6116 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0) == 0);
6117 CHECK(ecount == 4);
6118 CHECK(len == 0);
6119 len = 65;
6122 SECP256K1_CHECKMEM_CHECK(sout, 65);
6123 CHECK(ecount == 4);
6124 CHECK(len == 65);
6125 /* Multiple illegal args. Should still set arg error only once. */
6126 ecount = 0;
6127 ecount2 = 11;
6128 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6129 CHECK(ecount == 1);
6130 /* Does the illegal arg callback actually change the behavior? */
6132 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6133 CHECK(ecount == 1);
6134 CHECK(ecount2 == 10);
6136 /* Try a bunch of prefabbed points with all possible encodings. */
6137 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6138 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6139 }
6140 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6141 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6142 }
6143 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6144 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6145 }
6146}
6147
6148static void run_eckey_edge_case_test(void) {
6149 const unsigned char orderc[32] = {
6150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6151 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6152 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6153 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6154 };
6155 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6156 unsigned char ctmp[33];
6157 unsigned char ctmp2[33];
6158 secp256k1_pubkey pubkey;
6159 secp256k1_pubkey pubkey2;
6160 secp256k1_pubkey pubkey_one;
6161 secp256k1_pubkey pubkey_negone;
6162 const secp256k1_pubkey *pubkeys[3];
6163 size_t len;
6164 int32_t ecount;
6165 /* Group order is too large, reject. */
6166 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6167 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6168 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6169 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6170 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6171 /* Maximum value is too large, reject. */
6172 memset(ctmp, 255, 32);
6174 memset(&pubkey, 1, sizeof(pubkey));
6175 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6176 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6177 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6178 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6179 /* Zero is too small, reject. */
6180 memset(ctmp, 0, 32);
6182 memset(&pubkey, 1, sizeof(pubkey));
6183 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6184 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6185 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6186 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6187 /* One must be accepted. */
6188 ctmp[31] = 0x01;
6190 memset(&pubkey, 0, sizeof(pubkey));
6191 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6192 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6193 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6194 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6195 pubkey_one = pubkey;
6196 /* Group order + 1 is too large, reject. */
6197 memcpy(ctmp, orderc, 32);
6198 ctmp[31] = 0x42;
6200 memset(&pubkey, 1, sizeof(pubkey));
6201 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6202 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6203 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6204 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6205 /* -1 must be accepted. */
6206 ctmp[31] = 0x40;
6208 memset(&pubkey, 0, sizeof(pubkey));
6209 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6210 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6211 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6212 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6213 pubkey_negone = pubkey;
6214 /* Tweak of zero leaves the value unchanged. */
6215 memset(ctmp2, 0, 32);
6216 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6217 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6218 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6219 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6220 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6221 /* Multiply tweak of zero zeroizes the output. */
6222 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6223 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6224 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6225 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6226 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6227 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6228 seckey, the seckey is zeroized. */
6229 memcpy(ctmp, orderc, 32);
6230 memset(ctmp2, 0, 32);
6231 ctmp2[31] = 0x01;
6232 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6234 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6235 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6236 memcpy(ctmp, orderc, 32);
6237 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6238 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6239 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6240 tweak, the seckey is zeroized. */
6241 memcpy(ctmp, orderc, 32);
6242 ctmp[31] = 0x40;
6243 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6244 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6245 memcpy(ctmp, orderc, 32);
6246 ctmp[31] = 0x40;
6247 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6248 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6249 memcpy(ctmp, orderc, 32);
6250 ctmp[31] = 0x40;
6251 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6252 tweak, the pubkey is zeroized. */
6253 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6254 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6255 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6256 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6257 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6258 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6259 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6260 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6261 * case the pubkey is zeroized. */
6262 memcpy(ctmp, orderc, 32);
6263 ctmp[31] = 0x40;
6264 memset(ctmp2, 0, 32);
6265 ctmp2[31] = 1;
6266 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6267 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6268 ctmp2[31] = 1;
6269 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6270 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6271 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6272 /* Tweak computation wraps and results in a key of 1. */
6273 ctmp2[31] = 2;
6274 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6275 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6276 ctmp2[31] = 2;
6277 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6278 ctmp2[31] = 1;
6279 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6280 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6281 /* Tweak mul * 2 = 1+1. */
6282 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6283 ctmp2[31] = 2;
6284 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6285 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6286 /* Test argument errors. */
6287 ecount = 0;
6289 CHECK(ecount == 0);
6290 /* Zeroize pubkey on parse error. */
6291 memset(&pubkey, 0, 32);
6292 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6293 CHECK(ecount == 1);
6294 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6295 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6296 memset(&pubkey2, 0, 32);
6297 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 0);
6298 CHECK(ecount == 2);
6299 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6300 /* Plain argument errors. */
6301 ecount = 0;
6303 CHECK(ecount == 0);
6305 CHECK(ecount == 1);
6306 ecount = 0;
6307 memset(ctmp2, 0, 32);
6308 ctmp2[31] = 4;
6309 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2) == 0);
6310 CHECK(ecount == 1);
6311 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL) == 0);
6312 CHECK(ecount == 2);
6313 ecount = 0;
6314 memset(ctmp2, 0, 32);
6315 ctmp2[31] = 4;
6316 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2) == 0);
6317 CHECK(ecount == 1);
6318 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL) == 0);
6319 CHECK(ecount == 2);
6320 ecount = 0;
6321 memset(ctmp2, 0, 32);
6322 CHECK(secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2) == 0);
6323 CHECK(ecount == 1);
6324 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL) == 0);
6325 CHECK(ecount == 2);
6326 ecount = 0;
6327 memset(ctmp2, 0, 32);
6328 ctmp2[31] = 1;
6329 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2) == 0);
6330 CHECK(ecount == 1);
6331 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL) == 0);
6332 CHECK(ecount == 2);
6333 ecount = 0;
6334 CHECK(secp256k1_ec_pubkey_create(CTX, NULL, ctmp) == 0);
6335 CHECK(ecount == 1);
6336 memset(&pubkey, 1, sizeof(pubkey));
6337 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
6338 CHECK(ecount == 2);
6339 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6340 /* secp256k1_ec_pubkey_combine tests. */
6341 ecount = 0;
6342 pubkeys[0] = &pubkey_one;
6343 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6344 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6345 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6346 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6348 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0) == 0);
6350 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6351 CHECK(ecount == 1);
6352 CHECK(secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1) == 0);
6353 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6354 CHECK(ecount == 2);
6355 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6357 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1) == 0);
6359 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6360 CHECK(ecount == 3);
6361 pubkeys[0] = &pubkey_negone;
6362 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6364 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6366 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6367 CHECK(ecount == 3);
6368 len = 33;
6370 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6371 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6372 /* Result is infinity. */
6373 pubkeys[0] = &pubkey_one;
6374 pubkeys[1] = &pubkey_negone;
6375 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6377 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6379 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6380 CHECK(ecount == 3);
6381 /* Passes through infinity but comes out one. */
6382 pubkeys[2] = &pubkey_one;
6383 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6385 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6387 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6388 CHECK(ecount == 3);
6389 len = 33;
6391 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6392 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6393 /* Adds to two. */
6394 pubkeys[1] = &pubkey_one;
6395 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6397 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6399 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6400 CHECK(ecount == 3);
6402}
6403
/* Exercise secp256k1_ec_seckey_negate (and its secp256k1_ec_privkey_negate alias):
 * negation applied twice restores the key, the all-zero key is rejected without
 * being touched, and an out-of-range key is rejected and wiped to zero. */
static void run_eckey_negate_test(void) {
    unsigned char seckey[32];
    unsigned char seckey_tmp[32];

    /* NOTE(review): the rendered listing drops a line here (gutter 6408). seckey is
     * read by the memcpy below, so it must be initialised on that line — presumably
     * with random bytes; confirm against the source file. */
    memcpy(seckey_tmp, seckey, 32);

    /* Verify negation changes the key and changes it back */
    CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
    CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
    CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
    CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);

    /* Check that privkey alias gives same result */
    CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
    CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
    CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);

    /* Negating all 0s fails */
    memset(seckey, 0, 32);
    memset(seckey_tmp, 0, 32);
    CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
    /* Check that seckey is not modified */
    CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);

    /* Negating an overflowing seckey fails and the seckey is zeroed. In this
     * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
     * doesn't just set seckey to a constant value in case of failure. */
    /* NOTE(review): gutter line 6432 is dropped from the listing; per the comment
     * above it presumably refills seckey with random bytes before the top 16 are
     * forced to 0xFF — confirm against the source file. */
    memset(seckey, 0xFF, 16);
    memset(seckey_tmp, 0, 32);
    CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
    /* Failure must leave no key material behind: the buffer is compared to zeros. */
    CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
}
6438
/* Produce an ECDSA signature (sigr, sigs) of msg under key, retrying until the
 * low-level signer accepts a nonce. recid receives the recovery id; callers in
 * this file pass NULL when they do not want one. Uses the global CTX. */
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
    secp256k1_scalar nonce;
    do {
        /* NOTE(review): gutter line 6442 is dropped from the listing; nonce must be
         * (re)drawn here on every iteration for the loop to make progress —
         * presumably a random scalar; confirm against the source file. */
    } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
}
6445
/* Sign a message under a key using the internal signer and check that the
 * signature verifies against the matching public point but not against
 * msg + 1. When a random bit is set a recovery id is requested and checked to
 * lie in [0, 4). */
static void test_ecdsa_sign_verify(void) {
    secp256k1_gej pubj;
    secp256k1_ge pub;
    secp256k1_scalar one;
    secp256k1_scalar msg, key;
    secp256k1_scalar sigr, sigs;
    int getrec;
    int recid;
    /* NOTE(review): two lines (gutter 6454-6455) are dropped from the listing; msg and
     * key are used below without visible initialisation, so they are presumably drawn
     * at random there — confirm against the source file. */
    secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
    secp256k1_ge_set_gej(&pub, &pubj);
    getrec = secp256k1_testrand_bits(1);
    /* The specific way in which this conditional is written sidesteps a potential bug in clang.
       See the commit messages of the commit that introduced this comment for details. */
    if (getrec) {
        random_sign(&sigr, &sigs, &key, &msg, &recid);
        CHECK(recid >= 0 && recid < 4);
    } else {
        random_sign(&sigr, &sigs, &key, &msg, NULL);
    }
    CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
    /* Any change to the message (here +1) must invalidate the signature. */
    secp256k1_scalar_set_int(&one, 1);
    secp256k1_scalar_add(&msg, &msg, &one);
    CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
}
6472
/* Repeat the sign/verify round trip 10*COUNT times. */
static void run_ecdsa_sign_verify(void) {
    int i;
    for (i = 0; i < 10*COUNT; i++) {
        /* NOTE(review): the loop body (gutter line 6476) is dropped from the listing;
         * given the function name it presumably calls test_ecdsa_sign_verify() — confirm. */
    }
}
6479
/* Nonce callback that ignores message, key and algorithm tag and simply hands
 * back the 32 bytes found at data. It succeeds for the first attempt only
 * (counter 0) and reports failure on any retry, so a rejected nonce aborts
 * signing instead of being replaced. Test use only. */
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
    /* Inputs that play no role here. */
    (void)algo16;
    (void)key32;
    (void)msg32;
    /* data is the caller-supplied 32-byte nonce. */
    memcpy(nonce32, data, 32);
    return counter == 0 ? 1 : 0;
}
6488
/* Dummy nonce generator: the very first attempt (counter 0) reports a fatal
 * error; every later attempt defers to RFC 6979 with the counter shifted down
 * by one, so the signer's retry path gets exercised. */
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
    if (counter != 0) {
        return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
    }
    /* Initial attempt: simulate a nonce-generation failure. */
    return 0;
}
6496
/* Dummy nonce generator that returns an unusable nonce for each of the first
 * five counter values (zero, 2^256-1, 2^256-2, the value named order below,
 * and order+1), then defers to RFC 6979 on the sixth attempt, and fails on
 * anything beyond that. Lets the signer's nonce-rejection loop be driven
 * deterministically. */
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
    static const unsigned char order[] = {
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
        0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
        0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
        0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
    };
    switch (counter) {
    case 0:
        /* All-zero nonce. */
        memset(nonce32, 0, 32);
        return 1;
    case 1:
        /* All bits set: 2^256 - 1. */
        memset(nonce32, 255, 32);
        return 1;
    case 2:
        /* 2^256 - 2. */
        memset(nonce32, 255, 32);
        nonce32[31]--;
        return 1;
    case 3:
        memcpy(nonce32, order, 32);
        return 1;
    case 4:
        /* order + 1. */
        memcpy(nonce32, order, 32);
        nonce32[31]++;
        return 1;
    case 5:
        /* First attempt that can succeed: RFC 6979 with its own counter at 0. */
        return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
    default:
        /* RFC 6979 retrying on secp256k1 is not expected to happen in these
         * deterministic tests; fail loudly so such a case gets noticed. */
        return 0;
    }
}
6526
6528 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6529 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6530}
6531
/* One end-to-end pass over the public ECDSA API with a random key: pubkey
 * derivation, serialisation round trips, negation, optional additive and
 * multiplicative tweaks (applied to the secret and public key alike),
 * signing with and without extra entropy, verification, low-S normalisation
 * (a high-S copy must fail to verify until normalised), and DER round trips
 * including a damaged encoding that must fail to parse or to verify. */
static void test_ecdsa_end_to_end(void) {
    unsigned char extra[32] = {0x00};
    unsigned char privkey[32];
    unsigned char message[32];
    unsigned char privkey2[32];
    secp256k1_ecdsa_signature signature[6];
    secp256k1_scalar r, s;
    unsigned char sig[74];
    size_t siglen = 74;
    unsigned char pubkeyc[65];
    size_t pubkeyclen = 65;
    secp256k1_pubkey pubkey;
    secp256k1_pubkey pubkey_tmp;
    unsigned char seckey[300];
    size_t seckeylen = 300;

    /* Generate a random key and message. */
    {
        secp256k1_scalar msg, key;
        /* NOTE(review): gutter lines 6551-6552 are dropped from the listing; msg and key
         * are presumably drawn at random there before being exported below — confirm. */
        secp256k1_scalar_get_b32(privkey, &key);
        secp256k1_scalar_get_b32(message, &msg);
    }

    /* Construct and verify corresponding public key. */
    CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);

    /* Verify exporting and importing public key. */
    /* NOTE(review): gutter line 6562 is dropped; pubkeyc/pubkeyclen are parsed below
     * without a visible serialisation, so that line presumably serialises pubkey into
     * pubkeyc — confirm against the source file. */
    memset(&pubkey, 0, sizeof(pubkey));
    CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);

    /* Verify negation changes the key and changes it back */
    memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
    CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
    CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
    CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
    CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);

    /* Verify private key import and export. */
    /* The last flag is chosen at random so both export variants get covered. */
    CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
    CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
    CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);

    /* Optionally tweak the keys using addition. */
    if (secp256k1_testrand_int(3) == 0) {
        int ret1;
        int ret2;
        int ret3;
        unsigned char rnd[32];
        unsigned char privkey_tmp[32];
        secp256k1_pubkey pubkey2;
        /* NOTE(review): gutter line 6586 is dropped; rnd is used below without visible
         * initialisation and is presumably filled with random bytes there — confirm. */
        memcpy(privkey_tmp, privkey, 32);
        ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
        ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
        /* Check that privkey alias gives same result */
        ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
        /* Secret-side and public-side tweaks must agree on success/failure. */
        CHECK(ret1 == ret2);
        CHECK(ret2 == ret3);
        if (ret1 == 0) {
            /* Tweak rejected on both sides; nothing further can be checked this pass. */
            return;
        }
        CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
        /* The tweaked secret key must still derive the tweaked public key. */
        CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
        CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
    }

    /* Optionally tweak the keys using multiplication. */
    if (secp256k1_testrand_int(3) == 0) {
        int ret1;
        int ret2;
        int ret3;
        unsigned char rnd[32];
        unsigned char privkey_tmp[32];
        secp256k1_pubkey pubkey2;
        /* NOTE(review): gutter line 6610 is dropped; as in the addition case, rnd is
         * presumably filled with random bytes here — confirm. */
        memcpy(privkey_tmp, privkey, 32);
        ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
        ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
        /* Check that privkey alias gives same result */
        ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
        CHECK(ret1 == ret2);
        CHECK(ret2 == ret3);
        if (ret1 == 0) {
            /* Tweak rejected on both sides; nothing further can be checked this pass. */
            return;
        }
        CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
        CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
        CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
    }

    /* Sign. */
    /* Two signatures without extra entropy must be identical (deterministic
     * nonces); each distinct extra value must yield a distinct signature. */
    CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
    CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
    CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
    extra[31] = 1;
    CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
    extra[31] = 0;
    extra[0] = 1;
    CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
    CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
    CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
    CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
    CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
    CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
    CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
    CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
    /* Verify. */
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
    /* Test lower-S form, malleate, verify and fail, test again, malleate again */
    /* A freshly produced signature is already in lower-S form: normalize reports no change. */
    CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
    secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
    /* NOTE(review): gutter line 6650 is dropped; the comment above says "malleate" and
     * the checks below expect a high-S (non-verifying, normalizable) copy, so (r, s)
     * is presumably altered here — confirm against the source file. */
    secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
    /* The malleated copy must be rejected by verify until normalised. */
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
    CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
    CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
    CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
    CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
    /* NOTE(review): gutter line 6658 is dropped; the copy saved next must already be
     * lower-S and byte-equal to signature[0], so (r, s) is presumably restored here —
     * confirm against the source file. */
    secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
    CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
    CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);

    /* Serialize/parse DER and verify again */
    CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
    memset(&signature[0], 0, sizeof(signature[0]));
    CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
    CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
    /* Serialize/destroy/parse DER and verify again. */
    siglen = 74;
    CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
    /* NOTE(review): gutter line 6672 is dropped; per the comment above ("destroy") the
     * DER bytes in sig are presumably corrupted here — confirm against the source file. */
    /* A corrupted encoding must either fail to parse or fail to verify. */
    CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
          secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
}
6676
/* Build a random public-key encoding — length 65, 33, or (when two random bits
 * are both zero) anything in 0..63, with a random type byte — and check that
 * whatever secp256k1_eckey_pubkey_parse accepts round-trips through
 * secp256k1_eckey_pubkey_serialize (the type byte of hybrid 6/7 inputs
 * excepted), that the uncompressed re-serialisation parses back to the same
 * point, and that a hybrid type byte is accepted only when it matches the
 * compressed prefix (2 -> 6, 3 -> 7). */
static void test_random_pubkeys(void) {
    secp256k1_ge elem;
    secp256k1_ge elem2;
    unsigned char in[65];
    /* Generate some randomly sized pubkeys. */
    size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
    if (secp256k1_testrand_bits(2) == 0) {
        /* Arbitrary short length, 0..63; most of these cannot parse. */
        len = secp256k1_testrand_bits(6);
    }
    if (len == 65) {
        /* Uncompressed (4) or hybrid (6/7) prefix. */
        in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
    } else {
        /* Compressed prefix. */
        in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
    }
    if (secp256k1_testrand_bits(3) == 0) {
        /* Occasionally replace the prefix with an arbitrary byte. */
        in[0] = secp256k1_testrand_bits(8);
    }
    /* Each fill writes 32 bytes regardless of len; parse only looks at len bytes. */
    if (len > 1) {
        secp256k1_testrand256(&in[1]);
    }
    if (len > 33) {
        secp256k1_testrand256(&in[33]);
    }
    if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
        unsigned char out[65];
        unsigned char firstb;
        int res;
        size_t size = len;
        firstb = in[0];
        /* If the pubkey can be parsed, it should round-trip... */
        CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
        CHECK(size == len);
        CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
        /* ... except for the type of hybrid inputs. */
        if ((in[0] != 6) && (in[0] != 7)) {
            CHECK(in[0] == out[0]);
        }
        /* Re-serialise uncompressed into in (overwriting the input) and parse it back. */
        size = 65;
        CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
        CHECK(size == 65);
        CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
        ge_equals_ge(&elem,&elem2);
        /* Check that the X9.62 hybrid type is checked. */
        in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
        res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
        /* For an originally compressed input only the prefix + 4 hybrid byte may
         * parse; for other inputs nothing is asserted about res. */
        if (firstb == 2 || firstb == 3) {
            if (in[0] == firstb + 4) {
                CHECK(res);
            } else {
                CHECK(!res);
            }
        }
        if (res) {
            ge_equals_ge(&elem,&elem2);
            CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
            CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
        }
    }
}
6736
/* Check secp256k1_ec_pubkey_cmp: two fixed keys order as their compressed
 * encodings do, a key compares equal to itself, NULL or an all-zero (invalid)
 * pubkey sorts below any valid key while raising the illegal-argument callback
 * once per bad argument, and for equal X the prefix-3 key sorts after the
 * prefix-2 key. pk1_ser is not const because its prefix is rewritten at the end. */
static void run_pubkey_comparison(void) {
    unsigned char pk1_ser[33] = {
        0x02,
        0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
        0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
    };
    const unsigned char pk2_ser[33] = {
        0x02,
        0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
        0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
    };
    secp256k1_pubkey pk1;
    secp256k1_pubkey pk2;
    int32_t ecount = 0;

    CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
    CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);

    /* NOTE(review): gutter line 6755 is dropped from the listing. ecount is never
     * written in the visible code yet is expected to count up below, so that line
     * presumably installs an illegal-argument callback that increments it — confirm. */
    CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0);
    CHECK(ecount == 1);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0);
    CHECK(ecount == 2);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
    CHECK(ecount == 2);
    {
        secp256k1_pubkey pk_tmp;
        memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
        CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0);
        CHECK(ecount == 3);
        /* Both arguments are invalid here, hence two callback invocations. */
        CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
        CHECK(ecount == 5);
        CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0);
        CHECK(ecount == 6);
    }

    /* NOTE(review): gutter line 6776 is dropped; it presumably undoes whatever the
     * dropped line above installed (no further ecount checks follow) — confirm. */

    /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
     * an uncompressed encoding, these would have the opposite ordering */
    pk1_ser[0] = 3;
    CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
    CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
}
6785
/* Repeat the random public-key encoding test 10*COUNT times. */
static void run_random_pubkeys(void) {
    int i;
    for (i = 0; i < 10*COUNT; i++) {
        /* NOTE(review): the loop body (gutter line 6789) is dropped from the listing;
         * given the function name it presumably calls test_random_pubkeys() — confirm. */
    }
}
6792
/* Repeat the ECDSA end-to-end pass 64*COUNT times. */
static void run_ecdsa_end_to_end(void) {
    int i;
    for (i = 0; i < 64*COUNT; i++) {
        /* NOTE(review): the loop body (gutter line 6796) is dropped from the listing;
         * given the function name it presumably calls test_ecdsa_end_to_end() — confirm. */
    }
}
6799
/* Feed one encoding to both the strict DER parser (secp256k1_ecdsa_signature_parse_der)
 * and the lax one (ecdsa_signature_parse_der_lax) and cross-check them.
 *
 * sig/siglen: the candidate encoding. certainly_der: the caller knows it is valid
 * DER; certainly_not_der: the caller knows it is not. Returns 0 when everything is
 * consistent, otherwise a bit mask with one bit per violated property:
 *   bit 0   strict parse ok but compact serialisation failed
 *   bit 1   strict result non-zero but DER serialisation failed
 *   bit 2   certainly_der, yet strict parse failed
 *   bit 3   strict result non-zero but re-serialised DER differs from the input
 *   bit 10  lax parse ok but compact serialisation failed
 *   bit 11  lax result non-zero but DER serialisation failed
 *   bit 12  strict result non-zero but the lax re-serialisation does not round-trip
 *   bit 13  strict result non-zero but strict/lax re-serialised lengths differ
 *   bit 14  strict result non-zero but strict/lax re-serialisations differ
 *   bit 15  strict and lax disagree on whether the input round-trips
 *   bit 16  strict parse ok but lax parse failed (lax must accept a superset)
 *   bit 17  certainly_not_der, yet strict parse succeeded
 * A parsed signature whose r or s is all-zero does not count as "valid" and
 * skips the round-trip checks. */
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
    static const unsigned char zeroes[32] = {0};

    int ret = 0;

    /* NOTE(review): gutter line 6805 is dropped from the listing; sig_der is used
     * below but not declared in the visible lines — presumably
     * `secp256k1_ecdsa_signature sig_der;`, mirroring sig_der_lax. Confirm. */
    unsigned char roundtrip_der[2048];
    unsigned char compact_der[64];
    size_t len_der = 2048;
    int parsed_der = 0, valid_der = 0, roundtrips_der = 0;

    secp256k1_ecdsa_signature sig_der_lax;
    unsigned char roundtrip_der_lax[2048];
    unsigned char compact_der_lax[64];
    size_t len_der_lax = 2048;
    int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;

    /* Strict parser. */
    parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
    if (parsed_der) {
        ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
        /* Overflowing r or s comes back as zero; treat that as not usable. */
        valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
    }
    if (valid_der) {
        ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
        roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
    }

    /* Lax (BER-tolerant) parser. */
    parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
    if (parsed_der_lax) {
        ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
        valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
    }
    if (valid_der_lax) {
        ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
        roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
    }

    /* Caller's knowledge about DER-ness must agree with the strict parser. */
    if (certainly_der) {
        ret |= (!parsed_der) << 2;
    }
    if (certainly_not_der) {
        ret |= (parsed_der) << 17;
    }
    if (valid_der) {
        ret |= (!roundtrips_der) << 3;
    }

    /* Strict and lax must agree with each other. */
    if (valid_der) {
        ret |= (!roundtrips_der_lax) << 12;
        ret |= (len_der != len_der_lax) << 13;
        /* The length test comes first, so the byte compare is normally skipped
         * when the lax side was never re-serialised (len_der_lax still 2048). */
        ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
    }
    ret |= (roundtrips_der != roundtrips_der_lax) << 15;
    if (parsed_der) {
        ret |= (!parsed_der_lax) << 16;
    }

    return ret;
}
6859
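/* Write val as a ptrlen-byte big-endian integer into ptr.
 *
 * Byte i carries bits [8*(ptrlen-1-i), 8*(ptrlen-1-i)+8) of val; bytes whose
 * weight exceeds the 32-bit value are zero padding. ptrlen may be 0 (nothing
 * is written) and may exceed 4. No return value.
 *
 * Fix: the original shifted val by the byte index instead of by 8 * index, so
 * only the least significant output byte was right (a 1-byte field, where that
 * byte is the whole field, was unaffected). random_ber_signature() uses this for
 * long-form length fields of two or more bytes, so such lengths were never
 * encoded as the value intended; encoding them correctly widens what that
 * generator exercises. */
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
    size_t i;
    for (i = 0; i < ptrlen; i++) {
        /* Weight of this byte, in bytes: how many output bytes follow it. */
        size_t shift = ptrlen - 1 - i;
        if (shift >= sizeof(val)) {
            /* Beyond the value's 4 bytes: leading zero padding. */
            ptr[i] = 0;
        } else {
            /* shift < 4 keeps 8 * shift below the width of val. */
            ptr[i] = (unsigned char)((val >> (8 * shift)) & 0xFF);
        }
    }
}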
6871
/* Randomly corrupt the byte string sig of length *len in one of four ways,
 * chosen by three random bits: delete a byte (needs *len > 3), insert a random
 * byte (needs *len < 2048, i.e. the caller's buffer is assumed to hold 2048
 * bytes), or — on the dropped lines noted below — modify a byte or a bit.
 * *len is updated for the deletion/insertion cases. When the size guard of the
 * chosen action fails, the next action in the chain is taken instead. */
static void damage_array(unsigned char *sig, size_t *len) {
    int pos;
    int action = secp256k1_testrand_bits(3);
    if (action < 1 && *len > 3) {
        /* Delete a byte. */
        pos = secp256k1_testrand_int(*len);
        memmove(sig + pos, sig + pos + 1, *len - pos - 1);
        (*len)--;
        return;
    } else if (action < 2 && *len < 2048) {
        /* Insert a byte. */
        pos = secp256k1_testrand_int(1 + *len);
        memmove(sig + pos + 1, sig + pos, *len - pos);
        sig[pos] = secp256k1_testrand_bits(8);
        (*len)++;
        return;
    } else if (action < 4) {
        /* Modify a byte. */
        /* NOTE(review): gutter line 6890 is dropped from the listing; presumably it
         * overwrites one byte of sig at a random position — confirm against the source. */
        return;
    } else { /* action < 8 */
        /* Modify a bit. */
        /* NOTE(review): gutter line 6894 is dropped from the listing; presumably it
         * flips one bit of sig at a random position — confirm against the source. */
        return;
    }
}
6898
/* Generate a random ASN.1 encoding of an ECDSA signature into sig and store its
 * length in *len (at most 1121 bytes per the final CHECKs, so sig must hold at
 * least that much).
 *
 * When two random bits are both zero a strictly DER-conformant encoding is
 * produced and *certainly_der is set. Otherwise BER liberties are taken at
 * random — excess zero padding, non-minimal length fields, indefinite length,
 * garbage inside and after the SEQUENCE — and *certainly_not_der is set
 * whenever one of them is actually used. "High" integers (32 bytes with the
 * 129 top bits set, or longer than 32 bytes) are also generated in that branch
 * and do not set *certainly_not_der. Both flags may end up 0. */
static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
    int der;
    int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
    size_t tlen, elen, glen;
    int indet;
    int n;

    *len = 0;
    der = secp256k1_testrand_bits(2) == 0;
    *certainly_der = der;
    *certainly_not_der = 0;
    /* Indefinite-length SEQUENCE (0x80 length byte, terminated by 00 00); never for DER. */
    indet = der ? 0 : secp256k1_testrand_int(10) == 0;

    /* Choose the shape of the two INTEGERs (r and s) before writing anything. */
    for (n = 0; n < 2; n++) {
        /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
        nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
        /* The length of the number in bytes (the first byte of which will always be nonzero) */
        nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
        CHECK(nlen[n] <= 232);
        /* The top bit of the number. */
        nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
        /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
        nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
        /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
        nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
        /* DER allows exactly one leading zero, and only for an empty number or a set top bit. */
        if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
            *certainly_not_der = 1;
        }
        CHECK(nlen[n] + nzlen[n] <= 300);
        /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
        nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
        if (!der) {
            /* nlenlen[n] max 127 bytes */
            /* Extra length bytes make the length field non-minimal: not DER. */
            int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
            nlenlen[n] += add;
            if (add != 0) {
                *certainly_not_der = 1;
            }
        }
        CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
    }

    /* The total length of the data to go, so far */
    tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
    CHECK(tlen <= 856);

    /* The length of the garbage inside the tuple. */
    elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
    if (elen != 0) {
        *certainly_not_der = 1;
    }
    tlen += elen;
    CHECK(tlen <= 980);

    /* The length of the garbage after the end of the tuple. */
    glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
    if (glen != 0) {
        *certainly_not_der = 1;
    }
    CHECK(tlen + glen <= 990);

    /* Write the tuple header. */
    sig[(*len)++] = 0x30;
    if (indet) {
        /* Indeterminate length */
        sig[(*len)++] = 0x80;
        *certainly_not_der = 1;
    } else {
        int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
        if (!der) {
            int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
            tlenlen += add;
            if (add != 0) {
                *certainly_not_der = 1;
            }
        }
        if (tlenlen == 0) {
            /* Short length notation */
            sig[(*len)++] = tlen;
        } else {
            /* Long length notation */
            /* One 0x80|N byte followed by N big-endian length bytes. */
            sig[(*len)++] = 128 + tlenlen;
            assign_big_endian(sig + *len, tlenlen, tlen);
            *len += tlenlen;
        }
        tlen += tlenlen;
    }
    /* From here on tlen tracks the total output size: header tag + length byte. */
    tlen += 2;
    CHECK(tlen + glen <= 1119);

    for (n = 0; n < 2; n++) {
        /* Write the integer header. */
        sig[(*len)++] = 0x02;
        if (nlenlen[n] == 0) {
            /* Short length notation */
            sig[(*len)++] = nlen[n] + nzlen[n];
        } else {
            /* Long length notation. */
            sig[(*len)++] = 128 + nlenlen[n];
            assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
            *len += nlenlen[n];
        }
        /* Write zero padding */
        while (nzlen[n] > 0) {
            sig[(*len)++] = 0x00;
            nzlen[n]--;
        }
        if (nlen[n] == 32 && !nlow[n]) {
            /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
            int i;
            for (i = 0; i < 16; i++) {
                sig[(*len)++] = 0xFF;
            }
            nlen[n] -= 16;
        }
        /* Write first byte of number */
        if (nlen[n] > 0) {
            sig[(*len)++] = nhbyte[n];
            nlen[n]--;
        }
        /* Generate remaining random bytes of number */
        secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
        *len += nlen[n];
        nlen[n] = 0;
    }

    /* Generate random garbage inside tuple. */
    secp256k1_testrand_bytes_test(sig + *len, elen);
    *len += elen;

    /* Generate end-of-contents bytes. */
    if (indet) {
        sig[(*len)++] = 0;
        sig[(*len)++] = 0;
        tlen += 2;
    }
    CHECK(tlen + glen <= 1121);

    /* Generate random garbage outside tuple. */
    secp256k1_testrand_bytes_test(sig + *len, glen);
    *len += glen;
    tlen += glen;
    /* The bookkeeping and the bytes actually written must agree. */
    CHECK(tlen <= 1121);
    CHECK(tlen == *len);
}
7044
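/* Fuzz the DER parsers: generate 200*COUNT random BER signatures (strict DER
 * one time in four), then damage each one 15 times in a row, and require
 * test_ecdsa_der_parse() to report no inconsistency (return 0) between the
 * strict and lax parsers at every step. On failure the offending encoding is
 * dumped to stderr as hex before CHECK aborts. */
static void run_ecdsa_der_parse(void) {
    int i,j;
    for (i = 0; i < 200 * COUNT; i++) {
        unsigned char buffer[2048];
        size_t buflen = 0;
        int certainly_der = 0;
        int certainly_not_der = 0;
        random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
        CHECK(buflen <= 2048);
        for (j = 0; j < 16; j++) {
            int ret = 0;
            if (j > 0) {
                damage_array(buffer, &buflen);
                /* We don't know anything anymore about the DERness of the result */
                certainly_der = 0;
                certainly_not_der = 0;
            }
            ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
            if (ret != 0) {
                size_t k;
                /* %x expects an unsigned argument; ret is a non-negative bit mask. */
                fprintf(stderr, "Failure %x on ", (unsigned)ret);
                for (k = 0; k < buflen; k++) {
                    fprintf(stderr, "%02x ", buffer[k]);
                }
                fprintf(stderr, "\n");
            }
            CHECK(ret == 0);
        }
    }
}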
7075
7076/* Tests several edge cases. */
/* ECDSA corner cases that random testing is unlikely to reach: verification
 * against a key for which the recomputed R is the point at infinity, r or s
 * equal to zero, messages 0, 1 and -1 (mod n), malleability of s, argument
 * checking of the public sign/verify/serialize/parse entry points, signing
 * with an out-of-range or zero secret key, nonce-function failure and retry,
 * distinctness of RFC6979 nonces across messages, keys and optional inputs,
 * and private-key export for a key that is 0 mod n. */
static void test_ecdsa_edge_cases(void) {
    int t;

    /* Test the case where ECDSA recomputes a point that is infinity. */
    {
        secp256k1_gej keyj;
        secp256k1_ge key;
        secp256k1_scalar sr, ss;
        secp256k1_scalar_negate(&ss, &ss);
        secp256k1_scalar_inverse(&ss, &ss);
        secp256k1_ge_set_gej(&key, &keyj);
        /* With the message equal to the (negated, inverted) s, the verifier's
         * u1*G + u2*Q cancels to infinity, which must never verify. */
        msg = ss;
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
    }

    /* Verify signature with r of zero fails. */
    {
        /* The x-coordinate is exactly the secp256k1 group order n, so it
         * reduces to 0 mod n — hence the name. */
        const unsigned char pubkey_mods_zero[33] = {
            0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
            0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
            0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
            0x41
        };
        secp256k1_ge key;
        secp256k1_scalar sr, ss;
        CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
        CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
    }

    /* Verify signature with s of zero fails. */
    {
        /* Point with x = 1. */
        const unsigned char pubkey[33] = {
            0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x01
        };
        secp256k1_ge key;
        secp256k1_scalar sr, ss;
        CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
    }

    /* Verify signature with message 0 passes. */
    {
        /* pubkey has x = 2 and pubkey2 has x = n + 2; both x-coordinates
         * reduce to the same scalar mod n, so the same (r, s) must verify
         * under either key. */
        const unsigned char pubkey[33] = {
            0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x02
        };
        const unsigned char pubkey2[33] = {
            0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
            0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
            0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
            0x43
        };
        secp256k1_ge key;
        secp256k1_ge key2;
        secp256k1_scalar sr, ss;
        CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
        CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
        /* Malleability: the low-level verifier accepts both s and -s; rejecting
         * high s values is left to callers. */
        secp256k1_scalar_negate(&ss, &ss);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
    }

    /* Verify signature with message 1 passes. */
    {
        const unsigned char pubkey[33] = {
            0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
            0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
            0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
            0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
            0x25
        };
        const unsigned char pubkey2[33] = {
            0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
            0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
            0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
            0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
            0x62
        };
        /* Fixed r value (big-endian scalar). */
        const unsigned char csr[32] = {
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
            0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
            0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
        };
        secp256k1_ge key;
        secp256k1_ge key2;
        secp256k1_scalar sr, ss;
        secp256k1_scalar_set_b32(&sr, csr, NULL);
        CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
        CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
        /* Both s and -s verify (see the message-0 case). */
        secp256k1_scalar_negate(&ss, &ss);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
    }

    /* Verify signature with message -1 passes. */
    {
        const unsigned char pubkey[33] = {
            0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
            0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
            0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
            0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
            0xf1
        };
        /* Same r as the message-1 case except for the last byte. */
        const unsigned char csr[32] = {
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
            0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
            0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
        };
        secp256k1_ge key;
        secp256k1_scalar sr, ss;
        secp256k1_scalar_set_b32(&sr, csr, NULL);
        CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
        secp256k1_scalar_negate(&ss, &ss);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
        CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
    }

    /* Signature where s would be zero. */
    {
        secp256k1_pubkey pubkey;
        size_t siglen;
        /* Number of illegal-argument callback invocations observed so far
         * (see the ARGCHECK remarks below): every NULL pointer handed to a
         * public API call must bump it by exactly one and make that call
         * return 0, while well-formed calls leave it unchanged. */
        int32_t ecount;
        unsigned char signature[72];
        /* Fixed nonces for precomputed_nonce_function: 1 and n - 1. */
        static const unsigned char nonce[32] = {
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
        };
        static const unsigned char nonce2[32] = {
            0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
            0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
            0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
            0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
        };
        /* Secret key 1. */
        const unsigned char key[32] = {
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
        };
        unsigned char msg[32] = {
            0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
            0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
            0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
            0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
        };
        ecount = 0;
        /* Perturb the message so that the s = 0 condition no longer holds. */
        msg[31] = 0xaa;
        CHECK(ecount == 0);
        CHECK(secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
        CHECK(ecount == 1);
        CHECK(secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
        CHECK(ecount == 2);
        CHECK(ecount == 3);
        CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
        CHECK(secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey) == 0);
        CHECK(ecount == 4);
        CHECK(secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey) == 0);
        CHECK(ecount == 5);
        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, NULL) == 0);
        CHECK(ecount == 6);
        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
        CHECK(ecount == 6);
        /* A failed pubkey_create leaves pubkey invalid; verifying with it must
         * then fail too. */
        CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
        CHECK(ecount == 7);
        /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 0);
        CHECK(ecount == 8);
        siglen = 72;
        CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig) == 0);
        CHECK(ecount == 9);
        CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig) == 0);
        CHECK(ecount == 10);
        CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL) == 0);
        CHECK(ecount == 11);
        CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
        CHECK(ecount == 11);
        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen) == 0);
        CHECK(ecount == 12);
        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen) == 0);
        CHECK(ecount == 13);
        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
        CHECK(ecount == 13);
        siglen = 10;
        /* Too little room for a signature does not fail via ARGCHECK. */
        CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
        CHECK(ecount == 13);
        ecount = 0;
        CHECK(ecount == 1);
        CHECK(ecount == 2);
        CHECK(ecount == 3);
        CHECK(ecount == 3);
        CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature) == 0);
        CHECK(ecount == 4);
        CHECK(ecount == 5);
        CHECK(ecount == 5);
        /* An all-0xFF compact encoding is out of range and must be rejected
         * without going through ARGCHECK. */
        memset(signature, 255, 64);
        CHECK(ecount == 5);
    }

    /* Nonce function corner cases. */
    /* Two passes: without (t == 0) and with (t == 1) the optional 32-byte
     * extra-entropy argument to the nonce function. */
    for (t = 0; t < 2; t++) {
        static const unsigned char zero[32] = {0x00};
        int i;
        unsigned char key[32];
        unsigned char msg[32];
        /* One r value per signature produced below; used to assert that no
         * two signatures share an r, which would imply a repeated nonce. */
        secp256k1_scalar sr[512], ss;
        const unsigned char *extra;
        extra = t == 0 ? NULL : zero;
        memset(msg, 0, 32);
        msg[31] = 1;
        /* High key results in signature failure. */
        memset(key, 0xFF, 32);
        CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
        /* Zero key results in signature failure. */
        memset(key, 0, 32);
        CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
        /* Nonce function failure results in signature failure. */
        key[31] = 1;
        /* The retry loop successfully makes its way to the first good value. */
        CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
        CHECK(!is_empty_signature(&sig2));
        CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
        /* The default nonce function is deterministic. */
        /* Passing NULL selects the default nonce function, which must produce
         * the very same signature as nonce_function_rfc6979 explicitly. */
        CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
        CHECK(!is_empty_signature(&sig2));
        CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
        /* The default nonce function changes output with different messages. */
        /* Since r is the x-coordinate of k*G, distinct r across 256 messages
         * shows the nonce k changed every time; a reused k would leak the key. */
        for(i = 0; i < 256; i++) {
            int j;
            msg[0] = i;
            CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
            CHECK(!is_empty_signature(&sig2));
            secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
            for (j = 0; j < i; j++) {
                CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
            }
        }
        msg[0] = 0;
        msg[31] = 2;
        /* The default nonce function changes output with different keys. */
        /* Same check across 256 keys differing in their first byte; r must
         * also differ from all 256 r values collected above. */
        for(i = 256; i < 512; i++) {
            int j;
            key[0] = i - 256;
            CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
            CHECK(!is_empty_signature(&sig2));
            secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
            for (j = 0; j < i; j++) {
                CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
            }
        }
        key[0] = 0;
    }

    {
        /* Check that optional nonce arguments do not have equivalent effect. */
        /* The 4th and 5th arguments of nonce_function_rfc6979 are optional; a
         * NULL and an all-zero value must yield different nonces in every
         * combination, otherwise distinct domain-separation inputs could
         * collide. The CHECKMEM macros additionally verify (under memcheck
         * instrumentation) that all 32 output bytes are fully defined. */
        const unsigned char zeros[32] = {0};
        unsigned char nonce[32];
        unsigned char nonce2[32];
        unsigned char nonce3[32];
        unsigned char nonce4[32];
        SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
        SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
        SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
        CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
        SECP256K1_CHECKMEM_CHECK(nonce,32);
        CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
        SECP256K1_CHECKMEM_CHECK(nonce2,32);
        CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
        SECP256K1_CHECKMEM_CHECK(nonce3,32);
        CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
        SECP256K1_CHECKMEM_CHECK(nonce4,32);
        CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
        CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
        CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
        CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
        CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
        CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
    }


    /* Privkey export where pubkey is the point at infinity. */
    {
        unsigned char privkey[300];
        /* seckey is exactly the group order n, i.e. 0 mod n: its public key
         * would be the point at infinity, so export must fail regardless of
         * the final flag argument. */
        unsigned char seckey[32] = {
            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
            0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
            0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
        };
        size_t outlen = 300;
        CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
        outlen = 300;
        CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
    }
}
7445
/* Driver for the ECDSA edge-case tests above. */
static void run_ecdsa_edge_cases(void) {
}
7449
/* Runs the Wycheproof ECDSA test vectors against the public API.
 *
 * For each vector the public key is parsed from its 65-byte encoding, the
 * message is hashed with the library's own SHA-256 into out[], and the DER
 * signature is parsed with secp256k1_ecdsa_signature_parse_der before
 * verification. A signature that fails DER parsing is never handed to
 * secp256k1_ecdsa_verify and counts as a failed verification (actual_verify
 * stays 0), so vectors with malformed encodings must be marked as expected
 * to fail. */
static void test_ecdsa_wycheproof(void) {

    int t;
    for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
        secp256k1_ecdsa_signature signature;
        secp256k1_sha256 hasher;
        secp256k1_pubkey pubkey;
        const unsigned char *msg, *sig, *pk;
        unsigned char out[32] = {0};
        int actual_verify = 0;

        memset(&pubkey, 0, sizeof(pubkey));
        CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);

        secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);

        /* Only a well-formed DER encoding reaches verification. */
        if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
            /* The cast is redundant: &signature already has this type. */
            actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
        }
        CHECK(testvectors[t].expected_verify == actual_verify);
    }
}
7482
/* Driver for the Wycheproof ECDSA test vectors (see test_ecdsa_wycheproof). */
static void run_ecdsa_wycheproof(void) {
}
7487
7488#ifdef ENABLE_MODULE_ECDH
7489# include "modules/ecdh/tests_impl.h"
7490#endif
7491
7492#ifdef ENABLE_MODULE_MULTISET
7494#endif
7495
7496#ifdef ENABLE_MODULE_RECOVERY
7498#endif
7499
7500#ifdef ENABLE_MODULE_SCHNORR
7502#endif
7503
7504#ifdef ENABLE_MODULE_EXTRAKEYS
7506#endif
7507
7508#ifdef ENABLE_MODULE_SCHNORRSIG
7510#endif
7511
7512#ifdef ENABLE_MODULE_ELLSWIFT
7514#endif
7515
7517 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7518 unsigned char buf2[sizeof(buf1)];
7519
7520 /* secp256k1_memczero(..., ..., 0) is a noop. */
7521 memcpy(buf2, buf1, sizeof(buf1));
7522 secp256k1_memczero(buf1, sizeof(buf1), 0);
7523 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7524
7525 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7526 memset(buf2, 0, sizeof(buf2));
7527 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7528 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7529}
7530
7532 {
7533 const uint32_t x = 0xFF03AB45;
7534 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7535 unsigned char buf[4];
7536 uint32_t x_;
7537
7538 secp256k1_write_be32(buf, x);
7539 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7540
7541 x_ = secp256k1_read_be32(buf);
7542 CHECK(x == x_);
7543 }
7544
7545 {
7546 const uint64_t x = 0xCAFE0123BEEF4567;
7547 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7548 unsigned char buf[8];
7549 uint64_t x_;
7550
7551 secp256k1_write_be64(buf, x);
7552 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7553
7554 x_ = secp256k1_read_be64(buf);
7555 CHECK(x == x_);
7556 }
7557}
7558
/* Functional check of secp256k1_int_cmov(r, a, flag): r must take the value
 * of a when flag is 1 and stay untouched when flag is 0, including at the
 * extreme values 0 and INT_MAX. Each row feeds the previous row's expected
 * result back in as the starting r. Only the selection result is verified;
 * whether the implementation is branch-free is not observable here. */
static void int_cmov_test(void) {
    static const struct {
        int start; /* value of r before the call */
        int src;   /* value of a */
        int flag;
        int want;  /* expected r after the call */
    } rows[] = {
        { INT_MAX, 0,       0, INT_MAX },
        { 0,       INT_MAX, 1, INT_MAX },
        { INT_MAX, 0,       1, 0       },
        { 0,       1,       1, 1       },
        { 1,       0,       0, 1       },
    };
    size_t k;

    for (k = 0; k < sizeof(rows) / sizeof(rows[0]); k++) {
        int r = rows[k].start;
        int a = rows[k].src;
        secp256k1_int_cmov(&r, &a, rows[k].flag);
        CHECK(r == rows[k].want);
    }
}
7583
/* Functional check of secp256k1_fe_cmov: with flag 1 the destination must
 * become a representation-identical copy of the source, with flag 0 it must
 * be left alone. Exercised at the all-zero, one and all-ones limb patterns
 * (the all-ones constant is deliberately not a reduced field element; the
 * comparison is on representation via fe_identical, not on value). Each row
 * starts r at the previous row's expected result. This does not establish
 * constant-time behaviour of the selection. */
static void fe_cmov_test(void) {
    static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
    static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
    static const secp256k1_fe max = SECP256K1_FE_CONST(
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
    );
    /* Per step: starting r, source a, flag, expected r. */
    const secp256k1_fe *start[5] = { &max,  &zero, &max,  &zero, &one  };
    const secp256k1_fe *src[5]   = { &zero, &max,  &zero, &one,  &zero };
    const int flag[5]            = { 0,     1,     1,     1,     0     };
    const secp256k1_fe *want[5]  = { &max,  &max,  &zero, &one,  &one  };
    int k;

    for (k = 0; k < 5; k++) {
        secp256k1_fe r = *start[k];
        secp256k1_fe a = *src[k];
        secp256k1_fe_cmov(&r, &a, flag[k]);
        CHECK(fe_identical(&r, want[k]));
    }
}
7613
/* Functional check of secp256k1_fe_storage_cmov: the destination must take
 * the source's bytes when the flag is 1 and keep its own when the flag is 0,
 * exercised at the all-zero, one and all-ones limb patterns. Results are
 * compared bytewise with secp256k1_memcmp_var. Constant-time behaviour of the
 * selection is not observable from this test. */
static void fe_storage_cmov_test(void) {
    static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
    static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
    );
    secp256k1_fe_storage r = max;
    secp256k1_fe_storage a = zero;

    /* flag 0: r keeps max. */
    secp256k1_fe_storage_cmov(&r, &a, 0);
    CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);

    /* flag 1: r takes max. */
    r = zero; a = max;
    secp256k1_fe_storage_cmov(&r, &a, 1);
    CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);

    /* flag 1 from max back to zero. */
    a = zero;
    secp256k1_fe_storage_cmov(&r, &a, 1);
    CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);

    /* flag 1 from zero to one. */
    a = one;
    secp256k1_fe_storage_cmov(&r, &a, 1);
    CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);

    /* flag 0: r keeps one even though a differs. */
    r = one; a = zero;
    secp256k1_fe_storage_cmov(&r, &a, 0);
    CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
}
7643
/* Functional check of secp256k1_scalar_cmov: with flag 1 the destination must
 * become a bytewise copy of the source, with flag 0 it must be left alone.
 * Exercised at the all-zero, one and all-ones limb patterns (the all-ones
 * constant is not a reduced scalar; comparison is bytewise via
 * secp256k1_memcmp_var, not by value). Each row starts r at the previous
 * row's expected result. Constant-time behaviour is not observable here. */
static void scalar_cmov_test(void) {
    static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
    static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
    static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
    );
    /* Per step: starting r, source a, flag, expected r. */
    const secp256k1_scalar *start[5] = { &max,  &zero, &max,  &zero, &one  };
    const secp256k1_scalar *src[5]   = { &zero, &max,  &zero, &one,  &zero };
    const int flag[5]                = { 0,     1,     1,     1,     0     };
    const secp256k1_scalar *want[5]  = { &max,  &max,  &zero, &one,  &one  };
    int k;

    for (k = 0; k < 5; k++) {
        secp256k1_scalar r = *start[k];
        secp256k1_scalar a = *src[k];
        secp256k1_scalar_cmov(&r, &a, flag[k]);
        CHECK(secp256k1_memcmp_var(&r, want[k], sizeof(r)) == 0);
    }
}
7673
/* Functional check of secp256k1_ge_storage_cmov on whole 16-limb group
 * element storage records, mirroring fe_storage_cmov_test: the flag alone
 * decides whether r takes a's bytes, compared bytewise with
 * secp256k1_memcmp_var. Constant-time behaviour is not observable here. */
static void ge_storage_cmov_test(void) {
    static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
    static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
    );
    secp256k1_ge_storage r = max;
    secp256k1_ge_storage a = zero;

    /* flag 0: r keeps max. */
    secp256k1_ge_storage_cmov(&r, &a, 0);
    CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);

    /* flag 1: r takes max. */
    r = zero; a = max;
    secp256k1_ge_storage_cmov(&r, &a, 1);
    CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);

    /* flag 1 from max back to zero. */
    a = zero;
    secp256k1_ge_storage_cmov(&r, &a, 1);
    CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);

    /* flag 1 from zero to one. */
    a = one;
    secp256k1_ge_storage_cmov(&r, &a, 1);
    CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);

    /* flag 0: r keeps one even though a differs. */
    r = one; a = zero;
    secp256k1_ge_storage_cmov(&r, &a, 0);
    CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
}
7705
/* Driver for the conditional-move (cmov) functional tests. */
static void run_cmov_tests(void) {
    int_cmov_test();
    fe_cmov_test();
}
7713
/* Test harness entry point.
 *
 * argv[1] (or the SECP256K1_TEST_ITERS environment variable) sets the
 * iteration count COUNT; argv[2], if present, seeds the test RNG. A global
 * context CTX and a writable copy of the static context (STATIC_CTX) are set
 * up before the test groups run; the process exits non-zero on a bad
 * iteration count and prints "no problems found" on success. */
int main(int argc, char **argv) {
    /* Disable buffering for stdout to improve reliability of getting
     * diagnostic information. Happens right at the start of main because
     * setbuf must be used before any other operation on the stream. */
    setbuf(stdout, NULL);
    /* Also disable buffering for stderr because it's not guaranteed that it's
     * unbuffered on all systems. */
    setbuf(stderr, NULL);

    /* find iteration count */
    /* NOTE(review): strtol's endptr and errno are not checked, so trailing
     * garbage is silently ignored and an out-of-range value is narrowed from
     * long to int; only the positivity check below constrains the result. */
    if (argc > 1) {
        COUNT = strtol(argv[1], NULL, 0);
    } else {
        const char* env = getenv("SECP256K1_TEST_ITERS");
        if (env && strlen(env) > 0) {
            COUNT = strtol(env, NULL, 0);
        }
    }
    if (COUNT <= 0) {
        fputs("An iteration count of 0 or less is not allowed.\n", stderr);
        return EXIT_FAILURE;
    }
    printf("test count = %i\n", COUNT);

    /* run test RNG tests (must run before we really initialize the test RNG) */

    /* find random seed */
    secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);

    /*** Setup test environment ***/

    /* Create a global context available to all tests */
    /* Randomize the context only with probability 15/16
       to make sure we test without context randomization from time to time.
       TODO Reconsider this when recalibrating the tests. */
    if (secp256k1_testrand_bits(4)) {
        unsigned char rand32[32];
        secp256k1_testrand256(rand32);
    }
    /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
       that write to the context. The API does not support cloning the static context, so we use
       memcpy instead. The user is not supposed to copy a context but we should still ensure that
       the API functions handle copies of the static context gracefully. */
    STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
    CHECK(STATIC_CTX != NULL);

    /*** Run actual tests ***/

    /* selftest tests */

    /* context tests */

    /* scratch tests */

    /* integer arithmetic tests */
#ifdef SECP256K1_WIDEMUL_INT128
    run_int128_tests();
#endif
    run_ctz_tests();

    /* hash tests */

    /* scalar tests */

    /* field tests */
    run_fe_mul();
    run_sqr();
    run_sqrt();

    /* group tests */
    run_ge();
    run_gej();

    /* ecmult tests */
    run_wnaf();

    /* endomorphism tests */

    /* EC point parser test */

    /* EC key edge cases */

    /* EC key arithmetic test */

#ifdef ENABLE_MODULE_ECDH
    /* ecdh tests */
#endif

    /* ecdsa tests */

#ifdef ENABLE_MODULE_MULTISET
#endif

#ifdef ENABLE_MODULE_RECOVERY
    /* ECDSA pubkey recovery tests */
#endif

#ifdef ENABLE_MODULE_SCHNORR
    /* Schnorr signature tests */
#endif

#ifdef ENABLE_MODULE_EXTRAKEYS
#endif

#ifdef ENABLE_MODULE_SCHNORRSIG
#endif

#ifdef ENABLE_MODULE_ELLSWIFT
#endif

    /* util tests */


    /*** Tear down test environment ***/
    /* STATIC_CTX was obtained from malloc above, so plain free() is correct. */
    free(STATIC_CTX);


    printf("no problems found\n");
    return 0;
}
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_t secp256k1_int128
Definition: int128_native.h:17
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
static void pool cs
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void run_multiset_tests(void)
Definition: tests_impl.h:336
Internal SHA-1 implementation.
Definition: sha1.cpp:14
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
#define WINDOW_G
SchnorrSig sig
Definition: processor.cpp:537
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:36
static void run_recovery_tests(void)
Definition: tests_impl.h:361
const char * prefix
Definition: rest.cpp:813
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:66
static void run_schnorr_tests(void)
Definition: tests_impl.h:512
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:854
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:336
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:225
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:239
#define ALIGNMENT
Definition: util.h:169
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:82
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:354
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:318
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:362
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:382
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:77
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:307
#define CHECK(cond)
Definition: util.h:128
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:295
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:370
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:147
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:206
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:227
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:222
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:704
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:196
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:751
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:761
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:614
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:573
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:192
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:596
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:787
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:202
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:203
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:633
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:676
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:195
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:629
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:660
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:728
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:223
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:724
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
secp256k1_scalar * sc
Definition: tests.c:4637
secp256k1_ge * pt
Definition: tests.c:4638
void(* fn)(const char *text, void *data)
Definition: util.h:68
const void * data
Definition: util.h:69
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_scalar blind
Definition: ecmult_gen.h:36
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
int infinity
Definition: group.h:19
secp256k1_fe x
Definition: group.h:17
secp256k1_fe y
Definition: group.h:18
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_fe y
Definition: group.h:30
secp256k1_fe x
Definition: group.h:29
int infinity
Definition: group.h:32
secp256k1_fe z
Definition: group.h:31
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:21
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
uint64_t d[4]
Definition: scalar_4x64.h:14
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
uint64_t bytes
Definition: hash.h:16
uint32_t s[8]
Definition: hash.h:14
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
static void secp256k1_testrand_finish(void)
Print final test information.
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
static void run_random_pubkeys(void)
Definition: tests.c:6786
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:59
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5255
static void run_inverse_tests(void)
Definition: tests.c:3430
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:978
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5745
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6446
static void test_ge(void)
Definition: tests.c:3726
static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3678
static void run_pubkey_comparison(void)
Definition: tests.c:6737
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6473
static void run_field_misc(void)
Definition: tests.c:3127
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5676
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5820
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:303
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6439
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6489
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6497
#define SECP256K1_EC_PARSE_TEST_NINVALID
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4878
static int COUNT
Definition: tests.c:39
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:876
static void random_fe_non_zero_test(secp256k1_fe *fe)
Definition: tests.c:118
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:72
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3688
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:218
static void run_tagged_sha256_tests(void)
Definition: tests.c:826
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:672
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:178
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:136
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5381
static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3709
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:43
static void test_intialized_inf(void)
Definition: tests.c:3949
static void test_fixed_wnaf_small(void)
Definition: tests.c:5391
int main(int argc, char **argv)
Definition: tests.c:7714
static void run_ecmult_const_tests(void)
Definition: tests.c:4628
static void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5304
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3071
#define SECP256K1_EC_PARSE_TEST_NVALID
static void run_eckey_edge_case_test(void)
Definition: tests.c:6148
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2958
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7531
static void run_ecmult_constants(void)
Definition: tests.c:5619
static void run_field_be32_overflow(void)
Definition: tests.c:3004
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:993
static void run_ecmult_chain(void)
Definition: tests.c:4282
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3405
static void run_ec_combine(void)
Definition: tests.c:4126
static void run_deprecated_context_flags_test(void)
Definition: tests.c:233
static secp256k1_context * CTX
Definition: tests.c:40
static void run_point_times_order(void)
Definition: tests.c:4456
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:124
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6899
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:37
static void ecmult_const_commutativity(void)
Definition: tests.c:4504
static void int_cmov_test(void)
Definition: tests.c:7559
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3981
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5499
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4341
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6860
static void run_hmac_sha256_tests(void)
Definition: tests.c:741
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5044
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:146
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:969
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6527
static void run_field_half(void)
Definition: tests.c:3078
static void run_eckey_negate_test(void)
Definition: tests.c:6404
static void scalar_test(void)
Definition: tests.c:2138
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2300
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4656
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6481
static void run_gej(void)
Definition: tests.c:4065
static void random_fe(secp256k1_fe *x)
Definition: tests.c:2935
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2945
static void run_ge(void)
Definition: tests.c:4048
static void ge_storage_cmov_test(void)
Definition: tests.c:7674
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3366
static void fe_storage_cmov_test(void)
Definition: tests.c:7614
static void test_ec_combine(void)
Definition: tests.c:4101
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5062
static void run_ctz_tests(void)
Definition: tests.c:550
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5082
static void run_scalar_tests(void)
Definition: tests.c:2317
static void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:5289
static void test_random_pubkeys(void)
Definition: tests.c:6677
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:108
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4057
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3314
static void scalar_cmov_test(void)
Definition: tests.c:7644
static void run_ecmult_gen_blind(void)
Definition: tests.c:5688
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6532
static void run_sha256_known_output_tests(void)
Definition: tests.c:571
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4405
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:165
static void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:92
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6793
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4641
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4547
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:344
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3234
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4133
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5532
static void run_cmov_tests(void)
Definition: tests.c:7706
static void run_ecdsa_der_parse(void)
Definition: tests.c:7045
static void ecmult_const_random_mult(void)
Definition: tests.c:4477
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5697
static void run_field_convert(void)
Definition: tests.c:2974
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6800
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:251
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7484
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:74
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5576
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5163
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:83
static void run_sqrt(void)
Definition: tests.c:3328
static void run_modinv_tests(void)
Definition: tests.c:1174
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4382
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:960
static void run_xoshiro256pp_tests(void)
Definition: tests.c:184
static void run_wnaf(void)
Definition: tests.c:5445
static void run_ecmult_multi_tests(void)
Definition: tests.c:5228
static void run_selftest_tests(void)
Definition: tests.c:213
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1144
static void run_sqr(void)
Definition: tests.c:3298
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:224
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5115
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:152
static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2966
static void run_endomorphism_tests(void)
Definition: tests.c:5724
static void run_scratch_tests(void)
Definition: tests.c:466
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7454
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4444
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7446
static void fe_cmov_test(void)
Definition: tests.c:7584
static void run_group_decompress(void)
Definition: tests.c:4197
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4525
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5491
static void test_ecdsa_edge_cases(void)
Definition: tests.c:7077
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4602
static void run_ecmult_pre_g(void)
Definition: tests.c:4258
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4648
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:733
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4208
static secp256k1_context * STATIC_CTX
Definition: tests.c:41
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5344
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3383
static void test_ecmult_gen_blind(void)
Definition: tests.c:5653
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7516
static void run_fe_mul(void)
Definition: tests.c:3277
#define SECP256K1_EC_PARSE_TEST_NXVALID
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6872
static const secp256k1_fe fe_minus_one
Definition: tests.c:3371
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:785
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:859
#define expect(bit)