Bitcoin ABC 0.32.10
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#include "secp256k1.c"
14#include "../include/secp256k1.h"
15#include "../include/secp256k1_preallocated.h"
16#include "testrand_impl.h"
17#include "util.h"
18
19#include "../contrib/lax_der_parsing.c"
20#include "../contrib/lax_der_privatekey_parsing.c"
21
22#include "modinv32_impl.h"
23#ifdef SECP256K1_WIDEMUL_INT128
24#include "modinv64_impl.h"
25#include "int128_impl.h"
26#endif
27
28#define CONDITIONAL_TEST(cnt, nam) if (count < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
29
30static int count = 64;
31static secp256k1_context *ctx = NULL;
32
33static void counting_illegal_callback_fn(const char* str, void* data) {
34 /* Dummy callback function that just counts. */
35 int32_t *p;
36 (void)str;
37 p = data;
38 (*p)++;
39}
40
41static void uncounting_illegal_callback_fn(const char* str, void* data) {
42 /* Dummy callback function that just counts (backwards). */
43 int32_t *p;
44 (void)str;
45 p = data;
46 (*p)--;
47}
48
49void random_field_element_test(secp256k1_fe *fe) {
50 do {
51 unsigned char b32[32];
52 secp256k1_testrand256_test(b32);
53 if (secp256k1_fe_set_b32(fe, b32)) {
54 break;
55 }
56 } while(1);
57}
58
59void random_field_element_magnitude(secp256k1_fe *fe) {
60 secp256k1_fe zero;
61 int n = secp256k1_testrand_int(9);
62 secp256k1_fe_normalize(fe);
63 if (n == 0) {
64 return;
65 }
66 secp256k1_fe_clear(&zero);
67 secp256k1_fe_negate(&zero, &zero, 0);
68 secp256k1_fe_mul_int(&zero, n - 1);
69 secp256k1_fe_add(fe, &zero);
70#ifdef VERIFY
71 CHECK(fe->magnitude == n);
72#endif
73}
74
75void random_group_element_test(secp256k1_ge *ge) {
76 secp256k1_fe fe;
77 do {
78 random_field_element_test(&fe);
79 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
80 secp256k1_fe_normalize(&ge->y);
81 break;
82 }
83 } while(1);
84 ge->infinity = 0;
85}
86
87void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
88 secp256k1_fe z2, z3;
89 do {
90 random_field_element_test(&gej->z);
91 if (!secp256k1_fe_is_zero(&gej->z)) {
92 break;
93 }
94 } while(1);
95 secp256k1_fe_sqr(&z2, &gej->z);
96 secp256k1_fe_mul(&z3, &z2, &gej->z);
97 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
98 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
99 gej->infinity = ge->infinity;
100}
101
102void random_gej_test(secp256k1_gej *gej) {
103 secp256k1_ge ge;
104 random_group_element_test(&ge);
105 random_group_element_jacobian_test(gej, &ge);
106}
107
108void random_scalar_order_test(secp256k1_scalar *num) {
109 do {
110 unsigned char b32[32];
111 int overflow = 0;
112 secp256k1_testrand256_test(b32);
113 secp256k1_scalar_set_b32(num, b32, &overflow);
114 if (overflow || secp256k1_scalar_is_zero(num)) {
115 continue;
116 }
117 break;
118 } while(1);
119}
120
121void random_scalar_order(secp256k1_scalar *num) {
122 do {
123 unsigned char b32[32];
124 int overflow = 0;
125 secp256k1_testrand256(b32);
126 secp256k1_scalar_set_b32(num, b32, &overflow);
127 if (overflow || secp256k1_scalar_is_zero(num)) {
128 continue;
129 }
130 break;
131 } while(1);
132}
133
134void random_scalar_order_b32(unsigned char *b32) {
135 secp256k1_scalar num;
136 random_scalar_order(&num);
137 secp256k1_scalar_get_b32(b32, &num);
138}
139
140void run_selftest_tests(void) {
141 /* Test public API */
142 secp256k1_selftest();
143}
144
145int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
146 return a->built == b->built
147 && secp256k1_scalar_eq(&a->blind, &b->blind)
148 && secp256k1_gej_eq_var(&a->initial, &b->initial);
149}
150
151int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
152 return a->declassify == b->declassify
153 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
154 && a->illegal_callback.fn == b->illegal_callback.fn
155 && a->illegal_callback.data == b->illegal_callback.data
156 && a->error_callback.fn == b->error_callback.fn
157 && a->error_callback.data == b->error_callback.data;
158}
159
160void test_deprecated_flags(void) {
161 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
162 SECP256K1_CONTEXT_VERIFY,
163 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
164 int i;
165 /* Check that a context created with any of the flags in the flags array is
166 * identical to the NONE context. */
167 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
168 secp256k1_context *tmp_ctx;
169 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
170 tmp_ctx = secp256k1_context_create(flags[i]);
171 CHECK(context_eq(ctx, tmp_ctx));
172 secp256k1_context_destroy(tmp_ctx);
173 }
174}
175
176void run_context_tests(int use_prealloc) {
177 secp256k1_pubkey pubkey;
178 secp256k1_pubkey zero_pubkey;
179 secp256k1_ecdsa_signature sig;
180 unsigned char ctmp[32];
181 int32_t ecount;
182 int32_t ecount2;
183 secp256k1_context *sttc;
184 void *ctx_prealloc = NULL;
185 void *sttc_prealloc = NULL;
186
187 secp256k1_gej pubj;
188 secp256k1_ge pub;
189 secp256k1_scalar msg, key, nonce;
190 secp256k1_scalar sigr, sigs;
191
192 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
193 CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
194
195 if (use_prealloc) {
196 ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
197 CHECK(ctx_prealloc != NULL);
198 ctx = secp256k1_context_preallocated_create(ctx_prealloc, SECP256K1_CONTEXT_NONE);
199 sttc_prealloc = malloc(secp256k1_context_preallocated_clone_size(secp256k1_context_static));
200 CHECK(sttc_prealloc != NULL);
201 sttc = secp256k1_context_preallocated_clone(secp256k1_context_static, sttc_prealloc);
202 } else {
203 sttc = secp256k1_context_clone(secp256k1_context_static);
204 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
205 }
206
207 test_deprecated_flags();
208
209 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
210
211 ecount = 0;
212 ecount2 = 10;
213 secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
214 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount2);
215 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
216 secp256k1_context_set_error_callback(ctx, secp256k1_default_illegal_callback_fn, NULL);
217 CHECK(ctx->error_callback.fn != sttc->error_callback.fn);
218 CHECK(ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
219
220 /* check if sizes for cloning are consistent */
221 CHECK(secp256k1_context_preallocated_clone_size(ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
222 CHECK(secp256k1_context_preallocated_clone_size(sttc) >= sizeof(secp256k1_context));
223
224 /*** clone and destroy all of them to make sure cloning was complete ***/
225 {
226 secp256k1_context *ctx_tmp;
227
228 if (use_prealloc) {
229 /* clone into a non-preallocated context and then again into a new preallocated one. */
230 ctx_tmp = ctx; ctx = secp256k1_context_clone(ctx); secp256k1_context_preallocated_destroy(ctx_tmp);
231 free(ctx_prealloc); ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(ctx_prealloc != NULL);
232 ctx_tmp = ctx; ctx = secp256k1_context_preallocated_clone(ctx, ctx_prealloc); secp256k1_context_destroy(ctx_tmp);
233 } else {
234 /* clone into a preallocated context and then again into a new non-preallocated one. */
235 void *prealloc_tmp;
236
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = ctx; ctx = secp256k1_context_preallocated_clone(ctx, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = ctx; ctx = secp256k1_context_clone(ctx); secp256k1_context_preallocated_destroy(ctx_tmp);
240 free(prealloc_tmp);
241 }
242 }
243
244 /* Verify that the error callback makes it across the clone. */
245 CHECK(ctx->error_callback.fn != sttc->error_callback.fn);
246 CHECK(ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
247 /* And that it resets back to default. */
248 secp256k1_context_set_error_callback(ctx, NULL, NULL);
249 CHECK(ctx->error_callback.fn == sttc->error_callback.fn);
250
251 /*** attempt to use them ***/
252 random_scalar_order_test(&msg);
253 random_scalar_order_test(&key);
254 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
255 secp256k1_ge_set_gej(&pub, &pubj);
256
257 /* Verify context-type checking illegal-argument errors. */
258 memset(ctmp, 1, 32);
259 CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0);
260 CHECK(ecount == 1);
261 VG_UNDEF(&pubkey, sizeof(pubkey));
262 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
263 VG_CHECK(&pubkey, sizeof(pubkey));
264 CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0);
265 CHECK(ecount == 2);
266 VG_UNDEF(&sig, sizeof(sig));
267 CHECK(secp256k1_ecdsa_sign(ctx, &sig, ctmp, ctmp, NULL, NULL) == 1);
268 VG_CHECK(&sig, sizeof(sig));
269 CHECK(ecount2 == 10);
270 CHECK(secp256k1_ecdsa_verify(ctx, &sig, ctmp, &pubkey) == 1);
271 CHECK(ecount2 == 10);
272 CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1);
273 CHECK(ecount == 2);
274 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp) == 1);
275 CHECK(ecount2 == 10);
276 CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1);
277 CHECK(ecount == 2);
278 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp) == 1);
279 CHECK(ecount2 == 10);
280 CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1);
281 CHECK(ecount == 2);
282 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey) == 1);
283 CHECK(ecount == 2);
284 CHECK(secp256k1_ec_pubkey_negate(ctx, NULL) == 0);
285 CHECK(ecount2 == 11);
286 CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0);
287 CHECK(ecount == 3);
288 CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1);
289 CHECK(ecount == 3);
290 CHECK(secp256k1_context_randomize(sttc, ctmp) == 1);
291 CHECK(ecount == 3);
292 CHECK(secp256k1_context_randomize(sttc, NULL) == 1);
293 CHECK(ecount == 3);
294 CHECK(secp256k1_context_randomize(ctx, ctmp) == 1);
295 CHECK(ecount2 == 11);
296 CHECK(secp256k1_context_randomize(ctx, NULL) == 1);
297 CHECK(ecount2 == 11);
298 secp256k1_context_set_illegal_callback(sttc, NULL, NULL);
299 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
300
301 /* obtain a working nonce */
302 do {
303 random_scalar_order_test(&nonce);
304 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305
306 /* try signing */
307 CHECK(secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308
309 /* try verifying */
310 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
311
312 /* cleanup */
313 if (use_prealloc) {
314 secp256k1_context_preallocated_destroy(ctx);
315 secp256k1_context_preallocated_destroy(sttc);
316 free(ctx_prealloc);
317 free(sttc_prealloc);
318 } else {
319 secp256k1_context_destroy(ctx);
320 secp256k1_context_destroy(sttc);
321 }
322 /* Defined as no-op. */
323 secp256k1_context_destroy(NULL);
324 secp256k1_context_preallocated_destroy(NULL);
325}
326
327void run_scratch_tests(void) {
328 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
329
330 int32_t ecount = 0;
331 size_t checkpoint;
332 size_t checkpoint_2;
333 secp256k1_scratch_space *scratch;
334 secp256k1_scratch_space local_scratch;
335
336 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
337
338 /* Test public API */
339 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
340 secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
341
342 scratch = secp256k1_scratch_space_create(ctx, 1000);
343 CHECK(scratch != NULL);
344 CHECK(ecount == 0);
345
346 /* Test internal API */
347 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 0) == 1000);
348 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
349 CHECK(scratch->alloc_size == 0);
350 CHECK(scratch->alloc_size % ALIGNMENT == 0);
351
352 /* Allocating 500 bytes succeeds */
353 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
354 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 500) != NULL);
355 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 0) == 1000 - adj_alloc);
356 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
357 CHECK(scratch->alloc_size != 0);
358 CHECK(scratch->alloc_size % ALIGNMENT == 0);
359
360 /* Allocating another 501 bytes fails */
361 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 501) == NULL);
362 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 0) == 1000 - adj_alloc);
363 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
364 CHECK(scratch->alloc_size != 0);
365 CHECK(scratch->alloc_size % ALIGNMENT == 0);
366
367 /* ...but it succeeds once we apply the checkpoint to undo it */
368 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
369 CHECK(scratch->alloc_size == 0);
370 CHECK(secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 0) == 1000);
371 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 500) != NULL);
372 CHECK(scratch->alloc_size != 0);
373
374 /* try to apply a bad checkpoint */
375 checkpoint_2 = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
376 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
377 CHECK(ecount == 0);
378 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
379 CHECK(ecount == 1);
380 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
381 CHECK(ecount == 2);
382
383 /* try to use badly initialized scratch space */
384 secp256k1_scratch_space_destroy(ctx, scratch);
385 memset(&local_scratch, 0, sizeof(local_scratch));
386 scratch = &local_scratch;
387 CHECK(!secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, 0));
388 CHECK(ecount == 3);
389 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 500) == NULL);
390 CHECK(ecount == 4);
391 secp256k1_scratch_space_destroy(ctx, scratch);
392 CHECK(ecount == 5);
393
394 /* Test that large integers do not wrap around in a bad way */
395 scratch = secp256k1_scratch_space_create(ctx, 1000);
396 /* Try max allocation with a large number of objects. Only makes sense if
397 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
398 * space. */
399 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&ctx->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
400 /* Try allocating SIZE_MAX to test wrap around which only happens if
401 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
402 * space is too small. */
403 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, SIZE_MAX) == NULL);
404 secp256k1_scratch_space_destroy(ctx, scratch);
405
406 /* cleanup */
407 secp256k1_scratch_space_destroy(ctx, NULL); /* no-op */
408 secp256k1_context_destroy(ctx);
409}
410
411
412void run_ctz_tests(void) {
413 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
414 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
415 int shift;
416 unsigned i;
417 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
418 for (shift = 0; shift < 32; ++shift) {
419 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
420 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
421 }
422 }
423 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
424 for (shift = 0; shift < 64; ++shift) {
425 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
426 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
427 }
428 }
429}
430
431/***** HASH TESTS *****/
432
433void run_sha256_known_output_tests(void) {
434 static const char *inputs[] = {
435 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
436 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
437 "For this sample, this 63-byte string will be used as input data",
438 "This is exactly 64 bytes long, not counting the terminating byte",
439 "aaaaa",
440 };
441 static const unsigned int repeat[] = {
442 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
443 };
444 static const unsigned char outputs[][32] = {
445 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
446 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
447 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
448 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
449 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
450 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
451 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
452 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
453 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
454 };
455 unsigned int i, ninputs;
456
457 /* Skip last input vector for low iteration counts */
458 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
459 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
460
461 for (i = 0; i < ninputs; i++) {
462 unsigned char out[32];
463 secp256k1_sha256 hasher;
464 unsigned int j;
465 /* 1. Run: simply write the input bytestrings */
466 j = repeat[i];
467 secp256k1_sha256_initialize(&hasher);
468 while (j > 0) {
469 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
470 j--;
471 }
472 secp256k1_sha256_finalize(&hasher, out);
473 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
474 /* 2. Run: split the input bytestrings randomly before writing */
475 if (strlen(inputs[i]) > 0) {
476 int split = secp256k1_testrand_int(strlen(inputs[i]));
477 secp256k1_sha256_initialize(&hasher);
478 j = repeat[i];
479 while (j > 0) {
480 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
481 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
482 j--;
483 }
484 secp256k1_sha256_finalize(&hasher, out);
485 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
486 }
487 }
488}
489
534void run_sha256_counter_tests(void) {
535 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
536 static const secp256k1_sha256 midstates[] = {
537 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
538 {0x00}, 0xfffc0},
539 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
540 {0x00}, 0x1fffc0},
541 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
542 {0x00}, 0x3fffc0},
543 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
544 {0x00}, 0x7fffc0},
545 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
546 {0x00}, 0xffffc0},
547 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
548 {0x00}, 0x1ffffc0},
549 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
550 {0x00}, 0x3ffffc0},
551 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
552 {0x00}, 0x7ffffc0},
553 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
554 {0x00}, 0xfffffc0},
555 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
556 {0x00}, 0x1fffffc0},
557 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
558 {0x00}, 0x3fffffc0},
559 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
560 {0x00}, 0x7fffffc0},
561 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
562 {0x00}, 0xffffffc0},
563 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
564 {0x00}, 0x1ffffffc0},
565 };
566 static const unsigned char outputs[][32] = {
567 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
568 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
569 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
570 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
571 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
572 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
573 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
574 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
575 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
576 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
577 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
578 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
579 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
580 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
581 };
582 unsigned int i;
583 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
584 unsigned char out[32];
585 secp256k1_sha256 hasher = midstates[i];
586 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
587 secp256k1_sha256_finalize(&hasher, out);
588 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
589 }
590}
591
592void run_hmac_sha256_tests(void) {
593 static const char *keys[6] = {
594 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
595 "\x4a\x65\x66\x65",
596 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
597 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
598 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
599 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
600 };
601 static const char *inputs[6] = {
602 "\x48\x69\x20\x54\x68\x65\x72\x65",
603 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
604 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
605 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
606 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
607 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
608 };
609 static const unsigned char outputs[6][32] = {
610 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
611 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
612 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
613 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
614 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
615 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
616 };
617 int i;
618 for (i = 0; i < 6; i++) {
619 secp256k1_hmac_sha256 hasher;
620 unsigned char out[32];
621 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
622 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
623 secp256k1_hmac_sha256_finalize(&hasher, out);
624 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
625 if (strlen(inputs[i]) > 0) {
626 int split = secp256k1_testrand_int(strlen(inputs[i]));
627 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
628 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
629 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
630 secp256k1_hmac_sha256_finalize(&hasher, out);
631 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
632 }
633 }
634}
635
636void run_rfc6979_hmac_sha256_tests(void) {
637 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
638 static const unsigned char out1[3][32] = {
639 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
640 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
641 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
642 };
643
644 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
645 static const unsigned char out2[3][32] = {
646 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
647 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
648 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
649 };
650
651 secp256k1_rfc6979_hmac_sha256 rng;
652 unsigned char out[32];
653 int i;
654
655 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
656 for (i = 0; i < 3; i++) {
657 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
658 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
659 }
660 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
661
662 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
663 for (i = 0; i < 3; i++) {
664 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
665 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
666 }
667 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
668
669 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
670 for (i = 0; i < 3; i++) {
671 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
672 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
673 }
674 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
675}
676
677void run_tagged_sha256_tests(void) {
678 int ecount = 0;
679 unsigned char tag[32] = { 0 };
680 unsigned char msg[32] = { 0 };
681 unsigned char hash32[32];
682 unsigned char hash_expected[32] = {
683 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
684 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
685 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
686 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
687 };
688
689 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
690
691 /* API test */
692 CHECK(secp256k1_tagged_sha256(ctx, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
693 CHECK(secp256k1_tagged_sha256(ctx, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
694 CHECK(ecount == 1);
695 CHECK(secp256k1_tagged_sha256(ctx, hash32, NULL, 0, msg, sizeof(msg)) == 0);
696 CHECK(ecount == 2);
697 CHECK(secp256k1_tagged_sha256(ctx, hash32, tag, sizeof(tag), NULL, 0) == 0);
698 CHECK(ecount == 3);
699
700 /* Static test vector */
701 memcpy(tag, "tag", 3);
702 memcpy(msg, "msg", 3);
703 CHECK(secp256k1_tagged_sha256(ctx, hash32, tag, 3, msg, 3) == 1);
704 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
705}
706
707/***** RANDOM TESTS *****/
708
709void test_rand_bits(int rand32, int bits) {
710 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
711 * get a false negative chance below once in a billion */
712 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
713 /* We try multiplying the results with various odd numbers, which shouldn't
714 * influence the uniform distribution modulo a power of 2. */
715 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
716 /* We only select up to 6 bits from the output to analyse */
717 unsigned int usebits = bits > 6 ? 6 : bits;
718 unsigned int maxshift = bits - usebits;
719 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
720 number, track all observed outcomes, one per bit in a uint64_t. */
721 uint64_t x[6][27] = {{0}};
722 unsigned int i, shift, m;
723 /* Multiply the output of all rand calls with the odd number m, which
724 should not change the uniformity of its distribution. */
725 for (i = 0; i < rounds[usebits]; i++) {
726 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
727 CHECK((((uint64_t)r) >> bits) == 0);
728 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
729 uint32_t rm = r * mults[m];
730 for (shift = 0; shift <= maxshift; shift++) {
731 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
732 }
733 }
734 }
735 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
736 for (shift = 0; shift <= maxshift; shift++) {
737 /* Test that the lower usebits bits of x[shift] are 1 */
738 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
739 }
740 }
741}
742
743/* Subrange must be a whole divisor of range, and at most 64 */
744void test_rand_int(uint32_t range, uint32_t subrange) {
745 /* (1-1/subrange)^rounds < 1/10^9 */
746 int rounds = (subrange * 2073) / 100;
747 int i;
748 uint64_t x = 0;
749 CHECK((range % subrange) == 0);
750 for (i = 0; i < rounds; i++) {
751 uint32_t r = secp256k1_testrand_int(range);
752 CHECK(r < range);
753 r = r % subrange;
754 x |= (((uint64_t)1) << r);
755 }
756 /* Test that the lower subrange bits of x are 1. */
757 CHECK(((~x) << (64 - subrange)) == 0);
758}
759
760void run_rand_bits(void) {
761 size_t b;
762 test_rand_bits(1, 32);
763 for (b = 1; b <= 32; b++) {
764 test_rand_bits(0, b);
765 }
766}
767
768void run_rand_int(void) {
769 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
770 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
771 unsigned int m, s;
772 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
773 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
774 test_rand_int(ms[m] * ss[s], ss[s]);
775 }
776 }
777}
778
779/***** MODINV TESTS *****/
780
781/* Compute the modular inverse of (odd) x mod 2^64. */
782uint64_t modinv2p64(uint64_t x) {
783 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
784 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
785 * why. Start with L=0, for which it is true for every odd x that
786 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
787 int l;
788 uint64_t w = 1;
789 CHECK(x & 1);
790 for (l = 0; l < 6; ++l) w *= (2 - w*x);
791 return w;
792}
793
794
795/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
796 *
797 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
798 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
799void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
800 uint16_t mul[32];
801 uint64_t c = 0;
802 int i, j;
803 int m_bitlen = 0;
804 int mul_bitlen = 0;
805
806 if (b != NULL) {
807 /* Compute the product of a and b, and put it in mul. */
808 for (i = 0; i < 32; ++i) {
809 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
810 c += (uint64_t)a[j] * b[i - j];
811 }
812 mul[i] = c & 0xFFFF;
813 c >>= 16;
814 }
815 CHECK(c == 0);
816
817 /* compute the highest set bit in mul */
818 for (i = 511; i >= 0; --i) {
819 if ((mul[i >> 4] >> (i & 15)) & 1) {
820 mul_bitlen = i;
821 break;
822 }
823 }
824 } else {
825 /* if b==NULL, set mul=a. */
826 memcpy(mul, a, 32);
827 memset(mul + 16, 0, 32);
828 /* compute the highest set bit in mul */
829 for (i = 255; i >= 0; --i) {
830 if ((mul[i >> 4] >> (i & 15)) & 1) {
831 mul_bitlen = i;
832 break;
833 }
834 }
835 }
836
837 if (m) {
838 /* Compute the highest set bit in m. */
839 for (i = 255; i >= 0; --i) {
840 if ((m[i >> 4] >> (i & 15)) & 1) {
841 m_bitlen = i;
842 break;
843 }
844 }
845
846 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
847 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
848 uint16_t mul2[32];
849 int64_t cs;
850
851 /* Compute mul2 = mul - m<<i. */
852 cs = 0; /* accumulator */
853 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
854 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
855 uint16_t sub = 0;
856 int p;
857 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
858 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
859 if (bitpos >= 0 && bitpos < 256) {
860 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
861 }
862 }
863 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
864 cs += mul[j];
865 cs -= sub;
866 mul2[j] = (cs & 0xFFFF);
867 cs >>= 16;
868 }
869 /* If remainder of subtraction is 0, set mul = mul2. */
870 if (cs == 0) {
871 memcpy(mul, mul2, sizeof(mul));
872 }
873 }
874 /* Sanity check: test that all limbs higher than m's highest are zero */
875 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
876 CHECK(mul[i] == 0);
877 }
878 }
879 memcpy(out, mul, 32);
880}
881
882/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
883void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
884 int i;
885 memset(out->v, 0, sizeof(out->v));
886 for (i = 0; i < 256; ++i) {
887 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
888 }
889}
890
891/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
892void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
893 int i;
894 memset(out, 0, 32);
895 for (i = 0; i < 256; ++i) {
896 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
897 }
898}
899
900/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
901void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
902 int i;
903 for (i = 0; i < 16; ++i) {
904 int pos = secp256k1_testrand_bits(3);
905 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
906 x->v[pos] -= 0x40000000;
907 x->v[pos + 1] += 1;
908 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
909 x->v[pos] += 0x40000000;
910 x->v[pos + 1] -= 1;
911 }
912 }
913}
914
915/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
916void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
917 uint16_t tmp[16];
918 secp256k1_modinv32_signed30 x;
919 secp256k1_modinv32_modinfo m;
920 int i, vartime, nonzero;
921
922 uint16_to_signed30(&x, in);
923 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
924 uint16_to_signed30(&m.modulus, mod);
925 mutate_sign_signed30(&m.modulus);
926
927 /* compute 1/modulus mod 2^30 */
928 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
929 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
930
931 for (vartime = 0; vartime < 2; ++vartime) {
932 /* compute inverse */
933 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
934
935 /* produce output */
936 signed30_to_uint16(out, &x);
937
938 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
939 mulmod256(tmp, out, in, mod);
940 CHECK(tmp[0] == nonzero);
941 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
942
943 /* invert again */
944 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
945
946 /* check if the result is equal to the input */
947 signed30_to_uint16(tmp, &x);
948 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
949 }
950}
951
952#ifdef SECP256K1_WIDEMUL_INT128
953/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
954void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
955 int i;
956 memset(out->v, 0, sizeof(out->v));
957 for (i = 0; i < 256; ++i) {
958 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
959 }
960}
961
962/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
963void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
964 int i;
965 memset(out, 0, 32);
966 for (i = 0; i < 256; ++i) {
967 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
968 }
969}
970
971/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
972void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
973 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
974 int i;
975 for (i = 0; i < 8; ++i) {
976 int pos = secp256k1_testrand_bits(2);
977 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
978 x->v[pos] -= (M62 + 1);
979 x->v[pos + 1] += 1;
980 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
981 x->v[pos] += (M62 + 1);
982 x->v[pos + 1] -= 1;
983 }
984 }
985}
986
987/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
988void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
989 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
990 uint16_t tmp[16];
991 secp256k1_modinv64_signed62 x;
992 secp256k1_modinv64_modinfo m;
993 int i, vartime, nonzero;
994
995 uint16_to_signed62(&x, in);
996 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
997 uint16_to_signed62(&m.modulus, mod);
998 mutate_sign_signed62(&m.modulus);
999
1000 /* compute 1/modulus mod 2^62 */
1001 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1002 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1003
1004 for (vartime = 0; vartime < 2; ++vartime) {
1005 /* compute inverse */
1006 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1007
1008 /* produce output */
1009 signed62_to_uint16(out, &x);
1010
1011 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1012 mulmod256(tmp, out, in, mod);
1013 CHECK(tmp[0] == nonzero);
1014 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1015
1016 /* invert again */
1017 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1018
1019 /* check if the result is equal to the input */
1020 signed62_to_uint16(tmp, &x);
1021 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1022 }
1023}
1024#endif
1025
1026/* test if a and b are coprime */
1027int coprime(const uint16_t* a, const uint16_t* b) {
1028 uint16_t x[16], y[16], t[16];
1029 int i;
1030 int iszero;
1031 memcpy(x, a, 32);
1032 memcpy(y, b, 32);
1033
1034 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1035 while (1) {
1036 iszero = 1;
1037 for (i = 0; i < 16; ++i) {
1038 if (x[i] != 0) {
1039 iszero = 0;
1040 break;
1041 }
1042 }
1043 if (iszero) break;
1044 mulmod256(t, y, NULL, x);
1045 memcpy(y, x, 32);
1046 memcpy(x, t, 32);
1047 }
1048
1049 /* return whether y=1 */
1050 if (y[0] != 1) return 0;
1051 for (i = 1; i < 16; ++i) {
1052 if (y[i] != 0) return 0;
1053 }
1054 return 1;
1055}
1056
1057void run_modinv_tests(void) {
1058 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1059 static const uint16_t CASES[][3][16] = {
1060 /* Test cases triggering edge cases in divsteps */
1061
1062 /* Test case known to need 713 divsteps */
1063 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1064 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1065 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1066 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1067 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1068 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1069 /* Test case known to need 589 divsteps, reaching delta=-140 and
1070 delta=141. */
1071 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1072 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1073 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1074 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1075 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1076 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1077 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1078 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1079 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1080 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1081 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1082 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1083 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1084 /* example needing 713 divsteps; delta=-2..3 */
1085 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1086 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1087 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1088 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1089 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1090 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1091 /* example needing 713 divsteps; delta=-2..3 */
1092 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1093 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1094 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1095 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1096 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1097 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1098 /* example needing 713 divsteps; delta=-2..3 */
1099 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1100 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1101 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1102 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1103 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1104 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1105 /* example reaching delta=-64..65; 661 divsteps */
1106 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1107 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1108 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1109 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1110 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1111 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1112 /* example reaching delta=-64..65; 661 divsteps */
1113 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1114 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1115 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1116 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1117 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1118 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1119 /* example reaching delta=-64..65; 661 divsteps */
1120 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1121 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1122 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1123 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1124 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1125 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1126 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1127 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1128 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1129 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1130 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1131 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1132 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1133 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1134 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1135 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1136 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1137 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1138 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1139 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1140 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1141 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1142 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1143 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1144 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1145 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1146 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1147 /* example doing 446 (f,g/2) steps; 523 divsteps */
1148 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1149 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1150 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1151 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1152 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1153 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1154 /* example doing 446 (f,g/2) steps; 523 divsteps */
1155 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1156 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1157 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1158 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1159 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1160 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1161 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1162 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1163 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1164 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1165 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1166 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1167 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1168 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1169 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1170 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1171 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1172 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1173 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1174 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1175 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1176 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1177 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1178 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1179 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1180 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1181 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1182 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1183 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1184 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1185 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1186 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1187 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1188 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1189
1190 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1191
1192 /* example needing 590 divsteps; delta=-5/2..7/2 */
1193 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1194 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1195 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1196 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1197 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1198 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1199 /* example needing 590 divsteps; delta=-3/2..5/2 */
1200 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1201 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1202 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1203 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1204 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1205 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1206 /* example needing 590 divsteps; delta=-3/2..5/2 */
1207 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1208 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1209 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1210 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1211 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1212 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1213 /* example needing 590 divsteps; delta=-5/2..7/2 */
1214 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1215 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1216 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1217 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1218 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1219 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1220 /* example needing 590 divsteps; delta=-3/2..5/2 */
1221 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1222 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1223 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1224 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1225 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1226 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1227 /* example reaching delta=-127/2..129/2; 571 divsteps */
1228 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1229 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1230 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1231 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1232 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1233 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1234 /* example reaching delta=-127/2..129/2; 571 divsteps */
1235 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1236 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1237 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1238 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1239 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1240 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1241 /* example reaching delta=-127/2..129/2; 571 divsteps */
1242 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1243 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1244 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1245 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1246 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1247 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1248 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1249 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1250 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1251 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1252 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1253 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1254 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1255 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1256 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1257 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1258 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1259 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1260 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1261 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1262 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1263 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1264 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1265 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1266 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1267 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1268 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1269 /* example doing 453 (f,g/2) steps; 514 divsteps */
1270 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1271 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1272 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1273 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1274 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1275 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1276 /* example doing 453 (f,g/2) steps; 514 divsteps */
1277 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1278 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1279 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1280 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1281 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1282 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1283 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1284 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1285 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1286 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1287 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1288 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1289 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1290 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1291 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1292 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1293 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1294 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1295 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1296 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1297 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1298 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1299 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1300 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1301 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1302 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1303 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1304 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1305 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1306 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1307 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1308 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1309 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1310 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1311
1312 /* Test cases with the group order as modulus. */
1313
1314 /* Test case with the group order as modulus, needing 635 divsteps. */
1315 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1316 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1317 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1318 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1319 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1320 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1321 /* example with group size as modulus needing 631 divsteps */
1322 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1323 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1324 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1325 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1326 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1327 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1328 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1329 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1330 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1331 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1332 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1333 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1334 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1335 /* Test case with the group size as modulus, needing 981 divsteps with
1336 broken eta handling. */
1337 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1338 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1339 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1340 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1341 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1342 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1343 /* Test case with the group size as modulus, input = 0. */
1344 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1345 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1346 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1347 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1348 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1349 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1350 /* Test case with the group size as modulus, input = 1. */
1351 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1352 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1353 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1354 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1355 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1356 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1357 /* Test case with the group size as modulus, input = 2. */
1358 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1359 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1360 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1361 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1362 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1363 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1364 /* Test case with the group size as modulus, input = group - 1. */
1365 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1366 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1367 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1368 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1369 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1370 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1371
1372 /* Test cases with the field size as modulus. */
1373
1374 /* Test case with the field size as modulus, needing 637 divsteps. */
1375 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1376 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1377 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1378 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1379 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1380 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1381 /* example with field size as modulus needing 637 divsteps */
1382 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1383 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1384 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1385 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1386 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1387 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1388 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1389 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1390 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1391 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1392 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1393 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1394 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1395 /* Test case with the field size as modulus, needing 935 divsteps with
1396 broken eta handling. */
1397 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1398 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1399 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1400 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1401 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1402 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1403 /* Test case with the field size as modulus, input = 0. */
1404 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1405 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1406 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1407 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1408 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1409 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1410 /* Test case with the field size as modulus, input = 1. */
1411 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1412 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1413 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1414 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1415 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1416 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1417 /* Test case with the field size as modulus, input = 2. */
1418 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1419 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1420 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1421 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1422 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1423 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1424 /* Test case with the field size as modulus, input = field - 1. */
1425 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1426 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1427 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1428 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1429 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1430 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1431
1432 /* Selected from a large number of random inputs to reach small/large
1433 * d/e values in various configurations. */
1434 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1435 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1436 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1437 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1438 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1439 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1440 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1441 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1442 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1443 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1444 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1445 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1446 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1447 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1448 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1449 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1450 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1451 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1452 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1453 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1454 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1455 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1456 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1457 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1458 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1459 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1460 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1461 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1462 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1463 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1464 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1465 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1466 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1467 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1468 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1469 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1470 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1471 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1472 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1473 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1474 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1475 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1476 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1477 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1478 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1479 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1480 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1481 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1482 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1483 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1484 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1485 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1486 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1487 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1488 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1489 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1490 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1491 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1492 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1493 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1494 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1495 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1496 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1497 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1498 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1499 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1500 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1501 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1502 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1503 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1504 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1505 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1506 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1507 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1508 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1509 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1510 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1511 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1512 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1513 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1514 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1515 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1516 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1517 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1518 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1519 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1520 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1521 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1522 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1523 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1524 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1525 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1526 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1527 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1528 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1529 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1530 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1531 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1532 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1533 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1534 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1535 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1536 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1537 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1538 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1539 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1540 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1541 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1542 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1543 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1544 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1545 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1546 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1547 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1548 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1549 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1550 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1551 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1552 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1553 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1554 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1555 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1556 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1557 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1558 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1559 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1560 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1561 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1562 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1563 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1564 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1565 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1566 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1567 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1568 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1569 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1570 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1571 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1572 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1573 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1574 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1575 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1576 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1577 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1578 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1579 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1580 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1581 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1582 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1583 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1584 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1585 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1586 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1587 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1588 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1589 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1590 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1591 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1592 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1593 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1594 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1595 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1596 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1597 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1598 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1599 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1600 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1601 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1602 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1603 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1604 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1605 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1606 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1607 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1608 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1609 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1610 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1611 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1612 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1613 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1614 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1615 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1616 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1617 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1618 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1619 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1620 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1621 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1622 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1623 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1624 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1625 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1626 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1627 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1628 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1629 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1630 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1631 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1632 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1633 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1634 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1635 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1636 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1637 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1638 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1639 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1640 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1641 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1642 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1643 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1644 };
1645
1646 int i, j, ok;
1647
1648 /* Test known inputs/outputs */
1649 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1650 uint16_t out[16];
1651 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1652 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1653#ifdef SECP256K1_WIDEMUL_INT128
1654 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1655 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1656#endif
1657 }
1658
1659 for (i = 0; i < 100 * count; ++i) {
1660 /* 256-bit numbers in 16-uint16_t's notation */
1661 static const uint16_t ZERO[16] = {0};
1662 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1663 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1664 uint16_t id[16]; /* the inverse of xd mod md */
1665
1666 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1667 do {
1668 /* generate random xd and md (with many subsequent 0s and 1s) */
1669 secp256k1_testrand256_test((unsigned char*)xd);
1670 secp256k1_testrand256_test((unsigned char*)md);
1671 md[0] |= 1; /* modulus must be odd */
1672 /* If modulus is 1, find another one. */
1673 ok = md[0] != 1;
1674 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1675 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1676 } while (!(ok && coprime(xd, md)));
1677
1678 test_modinv32_uint16(id, xd, md);
1679#ifdef SECP256K1_WIDEMUL_INT128
1680 test_modinv64_uint16(id, xd, md);
1681#endif
1682
1683 /* In a few cases, also test with input=0 */
1684 if (i < count) {
1685 test_modinv32_uint16(id, ZERO, md);
1686#ifdef SECP256K1_WIDEMUL_INT128
1687 test_modinv64_uint16(id, ZERO, md);
1688#endif
1689 }
1690 }
1691}
1692
1693/***** INT128 TESTS *****/
1694
1695#ifdef SECP256K1_WIDEMUL_INT128
1696/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1697void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1698 int i;
1699 uint32_t carry = 0;
1700 for (i = 0; i < 16; ++i) {
1701 carry += a[i];
1702 carry += b[i];
1703 out[i] = carry;
1704 carry >>= 16;
1705 }
1706}
1707
1708/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1709void neg256(uint16_t* out, const uint16_t* a) {
1710 int i;
1711 uint32_t carry = 1;
1712 for (i = 0; i < 16; ++i) {
1713 carry += (uint16_t)~a[i];
1714 out[i] = carry;
1715 carry >>= 16;
1716 }
1717}
1718
1719/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1720void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1721 uint16_t sign = sign_extend && (a[15] >> 15);
1722 int i, j;
1723 for (i = 15; i >= 0; --i) {
1724 uint16_t v = 0;
1725 for (j = 0; j < 16; ++j) {
1726 int frompos = i*16 + j + n;
1727 if (frompos >= 256) {
1728 v |= sign << j;
1729 } else {
1730 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1731 }
1732 }
1733 out[i] = v;
1734 }
1735}
1736
1737/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1738void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1739 int i;
1740 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1741 for (i = 0; i < 4; ++i) {
1742 out[i] = v >> (16 * i);
1743 }
1744 for (i = 4; i < 16; ++i) {
1745 out[i] = sign;
1746 }
1747}
1748
1749/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1750void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1751 int i;
1752 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1753 for (i = 0; i < 4; ++i) {
1754 out[i] = lo >> (16 * i);
1755 }
1756 for (i = 4; i < 8; ++i) {
1757 out[i] = hi >> (16 * (i - 4));
1758 }
1759 for (i = 8; i < 16; ++i) {
1760 out[i] = sign;
1761 }
1762}
1763
1764/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1765int int256is127(const uint16_t* v) {
1766 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1767 int i;
1768 for (i = 8; i < 16; ++i) {
1769 if (v[i] != 0) all_0 = 0;
1770 if (v[i] != 0xffff) all_1 = 0;
1771 }
1772 return all_0 || all_1;
1773}
1774
1775void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1776 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1777 load256two64(out, hi, lo, 0);
1778}
1779
1780void load256i128(uint16_t* out, const secp256k1_int128* v) {
1781 uint64_t lo;
1782 int64_t hi;
1783 secp256k1_int128 c = *v;
1784 lo = secp256k1_i128_to_u64(&c);
1785 secp256k1_i128_rshift(&c, 64);
1786 hi = secp256k1_i128_to_i64(&c);
1787 load256two64(out, hi, lo, 1);
1788}
1789
1790void run_int128_test_case(void) {
1791 unsigned char buf[32];
1792 uint64_t v[4];
1793 secp256k1_int128 swa, swz;
1794 secp256k1_uint128 uwa, uwz;
1795 uint64_t ub, uc;
1796 int64_t sb, sc;
1797 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1798 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1799 int i;
1800
1801 /* Generate 32-byte random value. */
1802 secp256k1_testrand256_test(buf);
1803 /* Convert into 4 64-bit integers. */
1804 for (i = 0; i < 4; ++i) {
1805 uint64_t vi = 0;
1806 int j;
1807 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1808 v[i] = vi;
1809 }
1810 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1811 secp256k1_u128_load(&uwa, v[1], v[0]);
1812 secp256k1_i128_load(&swa, v[1], v[0]);
1813 ub = v[2];
1814 sb = v[2];
1815 uc = v[3];
1816 sc = v[3];
1817 /* Load those also into 16-bit array representations. */
1818 load256u128(ruwa, &uwa);
1819 load256i128(rswa, &swa);
1820 load256u64(rub, ub, 0);
1821 load256u64(rsb, sb, 1);
1822 load256u64(ruc, uc, 0);
1823 load256u64(rsc, sc, 1);
1824 /* test secp256k1_u128_mul */
1825 mulmod256(ruwr, rub, ruc, NULL);
1826 secp256k1_u128_mul(&uwz, ub, uc);
1827 load256u128(ruwz, &uwz);
1828 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1829 /* test secp256k1_u128_accum_mul */
1830 mulmod256(ruwr, rub, ruc, NULL);
1831 add256(ruwr, ruwr, ruwa);
1832 uwz = uwa;
1833 secp256k1_u128_accum_mul(&uwz, ub, uc);
1834 load256u128(ruwz, &uwz);
1835 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1836 /* test secp256k1_u128_accum_u64 */
1837 add256(ruwr, rub, ruwa);
1838 uwz = uwa;
1839 secp256k1_u128_accum_u64(&uwz, ub);
1840 load256u128(ruwz, &uwz);
1841 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1842 /* test secp256k1_u128_rshift */
1843 rshift256(ruwr, ruwa, uc % 128, 0);
1844 uwz = uwa;
1845 secp256k1_u128_rshift(&uwz, uc % 128);
1846 load256u128(ruwz, &uwz);
1847 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1848 /* test secp256k1_u128_to_u64 */
1849 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1850 /* test secp256k1_u128_hi_u64 */
1851 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1852 /* test secp256k1_u128_from_u64 */
1853 secp256k1_u128_from_u64(&uwz, ub);
1854 load256u128(ruwz, &uwz);
1855 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1856 /* test secp256k1_u128_check_bits */
1857 {
1858 int uwa_bits = 0;
1859 int j;
1860 for (j = 0; j < 128; ++j) {
1861 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1862 }
1863 for (j = 0; j < 128; ++j) {
1864 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1865 }
1866 }
1867 /* test secp256k1_i128_mul */
1868 mulmod256(rswr, rsb, rsc, NULL);
1869 secp256k1_i128_mul(&swz, sb, sc);
1870 load256i128(rswz, &swz);
1871 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1872 /* test secp256k1_i128_accum_mul */
1873 mulmod256(rswr, rsb, rsc, NULL);
1874 add256(rswr, rswr, rswa);
1875 if (int256is127(rswr)) {
1876 swz = swa;
1877 secp256k1_i128_accum_mul(&swz, sb, sc);
1878 load256i128(rswz, &swz);
1879 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1880 }
1881 /* test secp256k1_i128_det */
1882 {
1883 uint16_t rsd[16], rse[16], rst[32];
1884 int64_t sd = v[0], se = v[1];
1885 load256u64(rsd, sd, 1);
1886 load256u64(rse, se, 1);
1887 mulmod256(rst, rsc, rsd, NULL);
1888 neg256(rst, rst);
1889 mulmod256(rswr, rsb, rse, NULL);
1890 add256(rswr, rswr, rst);
1891 secp256k1_i128_det(&swz, sb, sc, sd, se);
1892 load256i128(rswz, &swz);
1893 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1894 }
1895 /* test secp256k1_i128_rshift */
1896 rshift256(rswr, rswa, uc % 127, 1);
1897 swz = swa;
1898 secp256k1_i128_rshift(&swz, uc % 127);
1899 load256i128(rswz, &swz);
1900 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1901 /* test secp256k1_i128_to_u64 */
1902 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
1903 /* test secp256k1_i128_from_i64 */
1904 secp256k1_i128_from_i64(&swz, sb);
1905 load256i128(rswz, &swz);
1906 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
1907 /* test secp256k1_i128_to_i64 */
1908 CHECK(secp256k1_i128_to_i64(&swz) == sb);
1909 /* test secp256k1_i128_eq_var */
1910 {
1911 int expect = (uc & 1);
1912 swz = swa;
1913 if (!expect) {
1914 /* Make sure swz != swa */
1915 uint64_t v0c = v[0], v1c = v[1];
1916 if (ub & 64) {
1917 v1c ^= (((uint64_t)1) << (ub & 63));
1918 } else {
1919 v0c ^= (((uint64_t)1) << (ub & 63));
1920 }
1921 secp256k1_i128_load(&swz, v1c, v0c);
1922 }
1923 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
1924 }
1925 /* test secp256k1_i128_check_pow2 */
1926 {
1927 int expect = (uc & 1);
1928 int pos = ub % 127;
1929 if (expect) {
1930 /* If expect==1, set swz to exactly (2 << pos). */
1931 uint64_t hi = 0;
1932 uint64_t lo = 0;
1933 if (pos & 64) {
1934 hi = (((uint64_t)1) << (pos & 63));
1935 } else {
1936 lo = (((uint64_t)1) << (pos & 63));
1937 }
1938 secp256k1_i128_load(&swz, hi, lo);
1939 } else {
1940 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal (2 << pos). */
1941 if (pos & 64) {
1942 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
1943 } else {
1944 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
1945 }
1946 swz = swa;
1947 }
1948 CHECK(secp256k1_i128_check_pow2(&swz, pos) == expect);
1949 }
1950}
1951
1952void run_int128_tests(void) {
1953 { /* secp256k1_u128_accum_mul */
1954 secp256k1_uint128 res;
1955
1956 /* Check secp256k1_u128_accum_mul overflow */
1957 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
1958 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
1959 CHECK(secp256k1_u128_to_u64(&res) == 2);
1960 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
1961 }
1962 { /* secp256k1_u128_accum_mul */
1963 secp256k1_int128 res;
1964
1965 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
1966 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
1967 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
1968 CHECK(secp256k1_i128_to_u64(&res) == 2);
1969 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
1970 secp256k1_i128_accum_mul(&res, 1, 1);
1971 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
1972 secp256k1_i128_rshift(&res, 64);
1973 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
1974
1975 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
1976 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
1977 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
1978 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
1979 CHECK(secp256k1_i128_to_u64(&res) == 0);
1980 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
1981 CHECK(secp256k1_i128_to_u64(&res) == 0);
1982 secp256k1_i128_rshift(&res, 64);
1983 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
1984 }
1985 {
1986 /* Randomized tests. */
1987 int i;
1988 for (i = 0; i < 256 * count; ++i) run_int128_test_case();
1989 }
1990}
1991#endif
1992
1993/***** SCALAR TESTS *****/
1994
1995void scalar_test(void) {
1996 secp256k1_scalar s;
1997 secp256k1_scalar s1;
1998 secp256k1_scalar s2;
1999 unsigned char c[32];
2000
2001 /* Set 's' to a random scalar, with value 'snum'. */
2002 random_scalar_order_test(&s);
2003
2004 /* Set 's1' to a random scalar, with value 's1num'. */
2005 random_scalar_order_test(&s1);
2006
2007 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2008 random_scalar_order_test(&s2);
2009 secp256k1_scalar_get_b32(c, &s2);
2010
2011 {
2012 int i;
2013 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2014 secp256k1_scalar n;
2015 secp256k1_scalar_set_int(&n, 0);
2016 for (i = 0; i < 256; i += 4) {
2017 secp256k1_scalar t;
2018 int j;
2019 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2020 for (j = 0; j < 4; j++) {
2021 secp256k1_scalar_add(&n, &n, &n);
2022 }
2023 secp256k1_scalar_add(&n, &n, &t);
2024 }
2025 CHECK(secp256k1_scalar_eq(&n, &s));
2026 }
2027
2028 {
2029 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2030 secp256k1_scalar n;
2031 int i = 0;
2032 secp256k1_scalar_set_int(&n, 0);
2033 while (i < 256) {
2034 secp256k1_scalar t;
2035 int j;
2036 int now = secp256k1_testrand_int(15) + 1;
2037 if (now + i > 256) {
2038 now = 256 - i;
2039 }
2040 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2041 for (j = 0; j < now; j++) {
2042 secp256k1_scalar_add(&n, &n, &n);
2043 }
2044 secp256k1_scalar_add(&n, &n, &t);
2045 i += now;
2046 }
2047 CHECK(secp256k1_scalar_eq(&n, &s));
2048 }
2049
2050 {
2051 /* test secp256k1_scalar_shr_int */
2052 secp256k1_scalar r;
2053 int i;
2054 random_scalar_order_test(&r);
2055 for (i = 0; i < 100; ++i) {
2056 int low;
2057 int shift = 1 + secp256k1_testrand_int(15);
2058 int expected = r.d[0] % (1 << shift);
2059 low = secp256k1_scalar_shr_int(&r, shift);
2060 CHECK(expected == low);
2061 }
2062 }
2063
2064 {
2065 /* Test commutativity of add. */
2066 secp256k1_scalar r1, r2;
2067 secp256k1_scalar_add(&r1, &s1, &s2);
2068 secp256k1_scalar_add(&r2, &s2, &s1);
2069 CHECK(secp256k1_scalar_eq(&r1, &r2));
2070 }
2071
2072 {
2073 secp256k1_scalar r1, r2;
2074 secp256k1_scalar b;
2075 int i;
2076 /* Test add_bit. */
2077 int bit = secp256k1_testrand_bits(8);
2078 secp256k1_scalar_set_int(&b, 1);
2079 CHECK(secp256k1_scalar_is_one(&b));
2080 for (i = 0; i < bit; i++) {
2081 secp256k1_scalar_add(&b, &b, &b);
2082 }
2083 r1 = s1;
2084 r2 = s1;
2085 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2086 /* No overflow happened. */
2087 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2088 CHECK(secp256k1_scalar_eq(&r1, &r2));
2089 /* cadd is a noop when flag is zero */
2090 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2091 CHECK(secp256k1_scalar_eq(&r1, &r2));
2092 }
2093 }
2094
2095 {
2096 /* Test commutativity of mul. */
2097 secp256k1_scalar r1, r2;
2098 secp256k1_scalar_mul(&r1, &s1, &s2);
2099 secp256k1_scalar_mul(&r2, &s2, &s1);
2100 CHECK(secp256k1_scalar_eq(&r1, &r2));
2101 }
2102
2103 {
2104 /* Test associativity of add. */
2105 secp256k1_scalar r1, r2;
2106 secp256k1_scalar_add(&r1, &s1, &s2);
2107 secp256k1_scalar_add(&r1, &r1, &s);
2108 secp256k1_scalar_add(&r2, &s2, &s);
2109 secp256k1_scalar_add(&r2, &s1, &r2);
2110 CHECK(secp256k1_scalar_eq(&r1, &r2));
2111 }
2112
2113 {
2114 /* Test associativity of mul. */
2115 secp256k1_scalar r1, r2;
2116 secp256k1_scalar_mul(&r1, &s1, &s2);
2117 secp256k1_scalar_mul(&r1, &r1, &s);
2118 secp256k1_scalar_mul(&r2, &s2, &s);
2119 secp256k1_scalar_mul(&r2, &s1, &r2);
2120 CHECK(secp256k1_scalar_eq(&r1, &r2));
2121 }
2122
2123 {
2124 /* Test distributitivity of mul over add. */
2125 secp256k1_scalar r1, r2, t;
2126 secp256k1_scalar_add(&r1, &s1, &s2);
2127 secp256k1_scalar_mul(&r1, &r1, &s);
2128 secp256k1_scalar_mul(&r2, &s1, &s);
2129 secp256k1_scalar_mul(&t, &s2, &s);
2130 secp256k1_scalar_add(&r2, &r2, &t);
2131 CHECK(secp256k1_scalar_eq(&r1, &r2));
2132 }
2133
2134 {
2135 /* Test multiplicative identity. */
2136 secp256k1_scalar r1, v1;
2137 secp256k1_scalar_set_int(&v1,1);
2138 secp256k1_scalar_mul(&r1, &s1, &v1);
2139 CHECK(secp256k1_scalar_eq(&r1, &s1));
2140 }
2141
2142 {
2143 /* Test additive identity. */
2144 secp256k1_scalar r1, v0;
2145 secp256k1_scalar_set_int(&v0,0);
2146 secp256k1_scalar_add(&r1, &s1, &v0);
2147 CHECK(secp256k1_scalar_eq(&r1, &s1));
2148 }
2149
2150 {
2151 /* Test zero product property. */
2152 secp256k1_scalar r1, v0;
2153 secp256k1_scalar_set_int(&v0,0);
2154 secp256k1_scalar_mul(&r1, &s1, &v0);
2155 CHECK(secp256k1_scalar_eq(&r1, &v0));
2156 }
2157
2158}
2159
2160void run_scalar_set_b32_seckey_tests(void) {
2161 unsigned char b32[32];
2162 secp256k1_scalar s1;
2163 secp256k1_scalar s2;
2164
2165 /* Usually set_b32 and set_b32_seckey give the same result */
2166 random_scalar_order_b32(b32);
2167 secp256k1_scalar_set_b32(&s1, b32, NULL);
2168 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2169 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2170
2171 memset(b32, 0, sizeof(b32));
2172 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2173 memset(b32, 0xFF, sizeof(b32));
2174 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2175}
2176
2177void run_scalar_tests(void) {
2178 int i;
2179 for (i = 0; i < 128 * count; i++) {
2180 scalar_test();
2181 }
2182 for (i = 0; i < count; i++) {
2183 run_scalar_set_b32_seckey_tests();
2184 }
2185
2186 {
2187 /* (-1)+1 should be zero. */
2188 secp256k1_scalar s, o;
2189 secp256k1_scalar_set_int(&s, 1);
2190 CHECK(secp256k1_scalar_is_one(&s));
2191 secp256k1_scalar_negate(&o, &s);
2192 secp256k1_scalar_add(&o, &o, &s);
2193 CHECK(secp256k1_scalar_is_zero(&o));
2194 secp256k1_scalar_negate(&o, &o);
2195 CHECK(secp256k1_scalar_is_zero(&o));
2196 }
2197
2198 {
2199 /* Does check_overflow check catch all ones? */
2200 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2201 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2202 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2203 );
2204 CHECK(secp256k1_scalar_check_overflow(&overflowed));
2205 }
2206
2207 {
2208 /* Static test vectors.
2209 * These were reduced from ~10^12 random vectors based on comparison-decision
2210 * and edge-case coverage on 32-bit and 64-bit implementations.
2211 * The responses were generated with Sage 5.9.
2212 */
2213 secp256k1_scalar x;
2214 secp256k1_scalar y;
2215 secp256k1_scalar z;
2216 secp256k1_scalar zz;
2217 secp256k1_scalar one;
2218 secp256k1_scalar r1;
2219 secp256k1_scalar r2;
2220 secp256k1_scalar zzv;
2221 int overflow;
2222 unsigned char chal[33][2][32] = {
2223 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2224 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2225 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2226 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2227 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2230 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2231 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2232 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2235 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2237 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2238 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2239 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2240 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2241 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2242 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2243 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2244 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2245 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2246 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2247 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2248 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2250 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2251 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2252 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2253 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2254 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2255 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2256 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2257 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2258 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2259 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2260 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2261 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2262 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2263 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2264 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2265 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2266 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2267 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2268 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2269 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2270 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2271 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2272 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2273 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2274 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2275 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2276 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2277 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2278 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2279 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2280 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2281 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2282 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2283 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2284 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2286 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2287 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2288 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2289 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2290 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2291 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2292 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2295 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2296 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2297 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2298 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2299 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2300 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2301 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2302 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2303 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2304 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2305 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2306 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2307 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2308 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2311 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2312 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2313 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2314 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2315 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2316 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2317 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2318 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2319 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2320 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2321 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2322 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2323 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2324 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2325 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2326 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2327 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2328 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2329 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2330 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2331 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2332 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2333 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2335 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2336 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2338 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2339 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2342 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2343 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2344 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2345 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2346 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2347 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2348 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2349 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2350 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2351 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2352 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2353 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2354 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2355 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2356 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2357 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2358 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2359 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2360 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2361 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2362 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2363 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2364 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2365 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2366 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2367 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2368 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2369 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2370 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2371 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2372 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2373 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2374 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2375 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2376 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2377 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2378 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2379 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2380 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2381 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2383 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2386 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2387 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2388 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2389 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2390 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2391 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2393 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2394 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2395 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2399 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2401 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2402 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2403 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2404 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2405 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2406 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2407 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2408 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2409 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2410 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2411 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2412 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2413 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2414 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2415 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2417 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2418 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2419 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2421 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2422 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2423 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2424 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2425 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2426 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2427 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2429 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2430 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2431 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2432 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2433 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2434 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2435 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2436 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2437 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2438 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2439 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2440 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2441 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2442 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2443 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2444 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2445 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2446 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2447 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2448 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2449 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2450 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2451 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2453 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2454 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2455 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2456 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2457 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2458 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2459 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2460 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2461 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2462 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2463 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2464 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2465 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2466 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2467 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2468 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2469 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2470 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2471 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2472 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2473 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2474 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2475 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2476 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2477 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2478 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2479 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2480 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2481 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2482 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2483 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2484 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2485 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2486 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2487 };
2488 unsigned char res[33][2][32] = {
2489 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2490 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2491 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2492 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2493 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2494 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2495 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2496 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2497 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2498 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2499 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2500 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2501 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2502 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2503 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2504 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2505 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2506 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2507 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2508 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2509 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2510 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2511 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2512 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2513 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2514 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2515 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2516 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2517 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2518 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2519 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2520 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2521 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2522 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2523 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2524 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2525 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2526 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2527 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2528 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2529 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2530 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2531 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2532 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2533 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2534 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2535 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2536 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2537 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2538 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2539 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2540 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2541 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2542 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2543 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2544 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2545 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2546 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2547 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2548 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2549 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2550 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2551 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2552 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2553 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2554 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2555 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2556 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2557 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2558 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2559 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2560 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2561 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2562 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2563 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2564 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2565 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2566 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2567 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2568 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2569 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2570 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2571 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2572 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2573 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2574 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2575 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2576 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2577 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2578 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2579 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2580 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2581 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2582 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2583 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2584 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2585 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2586 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2587 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2588 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2589 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2590 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2591 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2592 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2593 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2594 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2595 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2596 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2597 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2598 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2599 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2600 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2601 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2602 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2603 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2604 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2605 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2606 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2607 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2608 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2609 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2610 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2611 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2612 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2613 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2614 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2615 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2616 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2617 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2618 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2619 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2620 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2621 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2622 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2623 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2624 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2625 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2626 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2627 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2628 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2629 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2630 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2631 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2632 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2633 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2634 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2635 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2636 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2637 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2638 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2639 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2640 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2641 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2642 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2643 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2644 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2645 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2646 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2647 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2648 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2649 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2650 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2651 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2652 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2653 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2657 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2661 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2662 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2663 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2665 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2666 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2667 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2668 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2669 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2670 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2671 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2672 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2673 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2674 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2675 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2676 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2677 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2678 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2679 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2680 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2681 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2682 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2683 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2684 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2685 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2686 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2687 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2688 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2689 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2690 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2691 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2692 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2693 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2697 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2698 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2699 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2700 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2701 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2702 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2703 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2704 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2705 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2706 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2707 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2708 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2709 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2710 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2711 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2712 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2713 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2714 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2715 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2716 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2717 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2718 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2719 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2720 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2721 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2722 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2723 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2724 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2725 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2726 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2727 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2728 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2729 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2730 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2731 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2732 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2733 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2734 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2735 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2736 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2737 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2738 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2739 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2740 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2741 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2742 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2743 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2744 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2745 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2746 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2747 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2748 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2749 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2750 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2751 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2752 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2753 };
2754 secp256k1_scalar_set_int(&one, 1);
2755 for (i = 0; i < 33; i++) {
2756 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2757 CHECK(!overflow);
2758 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2759 CHECK(!overflow);
2760 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2761 CHECK(!overflow);
2762 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2763 CHECK(!overflow);
2764 secp256k1_scalar_mul(&z, &x, &y);
2765 CHECK(!secp256k1_scalar_check_overflow(&z));
2766 CHECK(secp256k1_scalar_eq(&r1, &z));
2767 if (!secp256k1_scalar_is_zero(&y)) {
2768 secp256k1_scalar_inverse(&zz, &y);
2769 CHECK(!secp256k1_scalar_check_overflow(&zz));
2770 secp256k1_scalar_inverse_var(&zzv, &y);
2771 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2772 secp256k1_scalar_mul(&z, &z, &zz);
2773 CHECK(!secp256k1_scalar_check_overflow(&z));
2774 CHECK(secp256k1_scalar_eq(&x, &z));
2775 secp256k1_scalar_mul(&zz, &zz, &y);
2776 CHECK(!secp256k1_scalar_check_overflow(&zz));
2777 CHECK(secp256k1_scalar_eq(&one, &zz));
2778 }
2779 }
2780 }
2781}
2782
2783/***** FIELD TESTS *****/
2784
2785void random_fe(secp256k1_fe *x) {
2786 unsigned char bin[32];
2787 do {
2788 secp256k1_testrand256(bin);
2789 if (secp256k1_fe_set_b32(x, bin)) {
2790 return;
2791 }
2792 } while(1);
2793}
2794
2795void random_fe_test(secp256k1_fe *x) {
2796 unsigned char bin[32];
2797 do {
2798 secp256k1_testrand256_test(bin);
2799 if (secp256k1_fe_set_b32(x, bin)) {
2800 return;
2801 }
2802 } while(1);
2803}
2804
2805void random_fe_non_zero(secp256k1_fe *nz) {
2806 int tries = 10;
2807 while (--tries >= 0) {
2808 random_fe(nz);
2809 secp256k1_fe_normalize(nz);
2810 if (!secp256k1_fe_is_zero(nz)) {
2811 break;
2812 }
2813 }
2814 /* Infinitesimal probability of spurious failure here */
2815 CHECK(tries >= 0);
2816}
2817
2818void random_fe_non_square(secp256k1_fe *ns) {
2819 secp256k1_fe r;
2820 random_fe_non_zero(ns);
2821 if (secp256k1_fe_sqrt(&r, ns)) {
2822 secp256k1_fe_negate(ns, ns, 1);
2823 }
2824}
2825
2826int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2827 secp256k1_fe an = *a;
2828 secp256k1_fe bn = *b;
2829 secp256k1_fe_normalize_weak(&an);
2830 secp256k1_fe_normalize_var(&bn);
2831 return secp256k1_fe_equal_var(&an, &bn);
2832}
2833
2834void run_field_convert(void) {
2835 static const unsigned char b32[32] = {
2836 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2837 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2838 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2839 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2840 };
2841 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2842 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2843 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2844 );
2845 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2846 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2847 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2848 );
2849 secp256k1_fe fe2;
2850 unsigned char b322[32];
2851 secp256k1_fe_storage fes2;
2852 /* Check conversions to fe. */
2853 CHECK(secp256k1_fe_set_b32(&fe2, b32));
2854 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2855 secp256k1_fe_from_storage(&fe2, &fes);
2856 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2857 /* Check conversion from fe. */
2858 secp256k1_fe_get_b32(b322, &fe);
2859 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2860 secp256k1_fe_to_storage(&fes2, &fe);
2861 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2862}
2863
2864/* Returns true if two field elements have the same representation. */
2865int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2866 int ret = 1;
2867#ifdef VERIFY
2868 ret &= (a->magnitude == b->magnitude);
2869 ret &= (a->normalized == b->normalized);
2870#endif
2871 /* Compare the struct member that holds the limbs. */
2872 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2873 return ret;
2874}
2875
2876void run_field_half(void) {
2877 secp256k1_fe t, u;
2878 int m;
2879
2880 /* Check magnitude 0 input */
2881 secp256k1_fe_get_bounds(&t, 0);
2882 secp256k1_fe_half(&t);
2883#ifdef VERIFY
2884 CHECK(t.magnitude == 1);
2885 CHECK(t.normalized == 0);
2886#endif
2887 CHECK(secp256k1_fe_normalizes_to_zero(&t));
2888
2889 /* Check non-zero magnitudes in the supported range */
2890 for (m = 1; m < 32; m++) {
2891 /* Check max-value input */
2892 secp256k1_fe_get_bounds(&t, m);
2893
2894 u = t;
2895 secp256k1_fe_half(&u);
2896#ifdef VERIFY
2897 CHECK(u.magnitude == (m >> 1) + 1);
2898 CHECK(u.normalized == 0);
2899#endif
2900 secp256k1_fe_normalize_weak(&u);
2901 secp256k1_fe_add(&u, &u);
2902 CHECK(check_fe_equal(&t, &u));
2903
2904 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2905 * which will also cause all carries to be 1, since all limbs that can
2906 * generate a carry are initially even and all limbs of P are odd in
2907 * every existing field implementation. */
2908 secp256k1_fe_get_bounds(&t, m);
2909 CHECK(t.n[0] > 0);
2910 CHECK((t.n[0] & 1) == 0);
2911 --t.n[0];
2912
2913 u = t;
2914 secp256k1_fe_half(&u);
2915#ifdef VERIFY
2916 CHECK(u.magnitude == (m >> 1) + 1);
2917 CHECK(u.normalized == 0);
2918#endif
2919 secp256k1_fe_normalize_weak(&u);
2920 secp256k1_fe_add(&u, &u);
2921 CHECK(check_fe_equal(&t, &u));
2922 }
2923}
2924
2925void run_field_misc(void) {
2926 secp256k1_fe x;
2927 secp256k1_fe y;
2928 secp256k1_fe z;
2929 secp256k1_fe q;
2930 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2931 int i, j;
2932 for (i = 0; i < 1000 * count; i++) {
2933 secp256k1_fe_storage xs, ys, zs;
2934 if (i & 1) {
2935 random_fe(&x);
2936 } else {
2937 random_fe_test(&x);
2938 }
2939 random_fe_non_zero(&y);
2940 /* Test the fe equality and comparison operations. */
2941 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2942 CHECK(secp256k1_fe_equal_var(&x, &x));
2943 z = x;
2944 secp256k1_fe_add(&z,&y);
2945 /* Test fe conditional move; z is not normalized here. */
2946 q = x;
2947 secp256k1_fe_cmov(&x, &z, 0);
2948#ifdef VERIFY
2949 CHECK(x.normalized && x.magnitude == 1);
2950#endif
2951 secp256k1_fe_cmov(&x, &x, 1);
2952 CHECK(!fe_identical(&x, &z));
2953 CHECK(fe_identical(&x, &q));
2954 secp256k1_fe_cmov(&q, &z, 1);
2955#ifdef VERIFY
2956 CHECK(!q.normalized && q.magnitude == z.magnitude);
2957#endif
2958 CHECK(fe_identical(&q, &z));
2959 secp256k1_fe_normalize_var(&x);
2960 secp256k1_fe_normalize_var(&z);
2961 CHECK(!secp256k1_fe_equal_var(&x, &z));
2962 secp256k1_fe_normalize_var(&q);
2963 secp256k1_fe_cmov(&q, &z, (i&1));
2964#ifdef VERIFY
2965 CHECK(q.normalized && q.magnitude == 1);
2966#endif
2967 for (j = 0; j < 6; j++) {
2968 secp256k1_fe_negate(&z, &z, j+1);
2969 secp256k1_fe_normalize_var(&q);
2970 secp256k1_fe_cmov(&q, &z, (j&1));
2971#ifdef VERIFY
2972 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2973#endif
2974 }
2975 secp256k1_fe_normalize_var(&z);
2976 /* Test storage conversion and conditional moves. */
2977 secp256k1_fe_to_storage(&xs, &x);
2978 secp256k1_fe_to_storage(&ys, &y);
2979 secp256k1_fe_to_storage(&zs, &z);
2980 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2981 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2982 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2983 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2984 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2985 secp256k1_fe_from_storage(&x, &xs);
2986 secp256k1_fe_from_storage(&y, &ys);
2987 secp256k1_fe_from_storage(&z, &zs);
2988 /* Test that mul_int, mul, and add agree. */
2989 secp256k1_fe_add(&y, &x);
2990 secp256k1_fe_add(&y, &x);
2991 z = x;
2992 secp256k1_fe_mul_int(&z, 3);
2993 CHECK(check_fe_equal(&y, &z));
2994 secp256k1_fe_add(&y, &x);
2995 secp256k1_fe_add(&z, &x);
2996 CHECK(check_fe_equal(&z, &y));
2997 z = x;
2998 secp256k1_fe_mul_int(&z, 5);
2999 secp256k1_fe_mul(&q, &x, &fe5);
3000 CHECK(check_fe_equal(&z, &q));
3001 secp256k1_fe_negate(&x, &x, 1);
3002 secp256k1_fe_add(&z, &x);
3003 secp256k1_fe_add(&q, &x);
3004 CHECK(check_fe_equal(&y, &z));
3005 CHECK(check_fe_equal(&q, &y));
3006 /* Check secp256k1_fe_half. */
3007 z = x;
3008 secp256k1_fe_half(&z);
3009 secp256k1_fe_add(&z, &z);
3010 CHECK(check_fe_equal(&x, &z));
3011 secp256k1_fe_add(&z, &z);
3012 secp256k1_fe_half(&z);
3013 CHECK(check_fe_equal(&x, &z));
3014 }
3015}
3016
3017void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3018{
3019 secp256k1_fe c, an, bn;
3020 /* Variables in BE 32-byte format. */
3021 unsigned char a32[32], b32[32], c32[32];
3022 /* Variables in LE 16x uint16_t format. */
3023 uint16_t a16[16], b16[16], c16[16];
3024 /* Field modulus in LE 16x uint16_t format. */
3025 static const uint16_t m16[16] = {
3026 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3027 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3028 };
3029 uint16_t t16[32];
3030 int i;
3031
3032 /* Compute C = A * B in fe format. */
3033 c = *a;
3034 if (use_sqr) {
3035 secp256k1_fe_sqr(&c, &c);
3036 } else {
3037 secp256k1_fe_mul(&c, &c, b);
3038 }
3039
3040 /* Convert A, B, C into LE 16x uint16_t format. */
3041 an = *a;
3042 bn = *b;
3043 secp256k1_fe_normalize_var(&c);
3044 secp256k1_fe_normalize_var(&an);
3045 secp256k1_fe_normalize_var(&bn);
3046 secp256k1_fe_get_b32(a32, &an);
3047 secp256k1_fe_get_b32(b32, &bn);
3048 secp256k1_fe_get_b32(c32, &c);
3049 for (i = 0; i < 16; ++i) {
3050 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3051 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3052 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3053 }
3054 /* Compute T = A * B in LE 16x uint16_t format. */
3055 mulmod256(t16, a16, b16, m16);
3056 /* Compare */
3057 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3058}
3059
3060void run_fe_mul(void) {
3061 int i;
3062 for (i = 0; i < 100 * count; ++i) {
3063 secp256k1_fe a, b, c, d;
3064 random_fe(&a);
3065 random_field_element_magnitude(&a);
3066 random_fe(&b);
3067 random_field_element_magnitude(&b);
3068 random_fe_test(&c);
3069 random_field_element_magnitude(&c);
3070 random_fe_test(&d);
3071 random_field_element_magnitude(&d);
3072 test_fe_mul(&a, &a, 1);
3073 test_fe_mul(&c, &c, 1);
3074 test_fe_mul(&a, &b, 0);
3075 test_fe_mul(&a, &c, 0);
3076 test_fe_mul(&c, &b, 0);
3077 test_fe_mul(&c, &d, 0);
3078 }
3079}
3080
3081void run_sqr(void) {
3082 secp256k1_fe x, s;
3083
3084 {
3085 int i;
3086 secp256k1_fe_set_int(&x, 1);
3087 secp256k1_fe_negate(&x, &x, 1);
3088
3089 for (i = 1; i <= 512; ++i) {
3090 secp256k1_fe_mul_int(&x, 2);
3091 secp256k1_fe_normalize(&x);
3092 secp256k1_fe_sqr(&s, &x);
3093 }
3094 }
3095}
3096
3097void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3098 secp256k1_fe r1, r2;
3099 int v = secp256k1_fe_sqrt(&r1, a);
3100 CHECK((v == 0) == (k == NULL));
3101
3102 if (k != NULL) {
3103 /* Check that the returned root is +/- the given known answer */
3104 secp256k1_fe_negate(&r2, &r1, 1);
3105 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3106 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3107 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3108 }
3109}
3110
3111void run_sqrt(void) {
3112 secp256k1_fe ns, x, s, t;
3113 int i;
3114
3115 /* Check sqrt(0) is 0 */
3116 secp256k1_fe_set_int(&x, 0);
3117 secp256k1_fe_sqr(&s, &x);
3118 test_sqrt(&s, &x);
3119
3120 /* Check sqrt of small squares (and their negatives) */
3121 for (i = 1; i <= 100; i++) {
3122 secp256k1_fe_set_int(&x, i);
3123 secp256k1_fe_sqr(&s, &x);
3124 test_sqrt(&s, &x);
3125 secp256k1_fe_negate(&t, &s, 1);
3126 test_sqrt(&t, NULL);
3127 }
3128
3129 /* Consistency checks for large random values */
3130 for (i = 0; i < 10; i++) {
3131 int j;
3132 random_fe_non_square(&ns);
3133 for (j = 0; j < count; j++) {
3134 random_fe(&x);
3135 secp256k1_fe_sqr(&s, &x);
3136 test_sqrt(&s, &x);
3137 secp256k1_fe_negate(&t, &s, 1);
3138 test_sqrt(&t, NULL);
3139 secp256k1_fe_mul(&t, &s, &ns);
3140 test_sqrt(&t, NULL);
3141 }
3142 }
3143}
3144
3145/***** FIELD/SCALAR INVERSE TESTS *****/
3146
3147static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3148 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3149 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3150);
3151
3152static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3153 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3154 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3155);
3156
3157/* These tests test the following identities:
3158 *
3159 * for x==0: 1/x == 0
3160 * for x!=0: x*(1/x) == 1
3161 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3162 */
3163
3164void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3165{
3166 secp256k1_scalar l, r, t;
3167
3168 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3169 if (out) *out = l;
3170 if (secp256k1_scalar_is_zero(x)) {
3171 CHECK(secp256k1_scalar_is_zero(&l));
3172 return;
3173 }
3174 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3175 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3176 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3177 if (secp256k1_scalar_is_zero(&r)) return;
3178 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3179 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3180 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3181 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3182 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3183 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3184}
3185
3186void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3187{
3188 secp256k1_fe l, r, t;
3189
3190 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3191 if (out) *out = l;
3192 t = *x; /* t = x */
3193 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3194 CHECK(secp256k1_fe_normalizes_to_zero(&l));
3195 return;
3196 }
3197 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3198 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3199 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3200 r = *x; /* r = x */
3201 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3202 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3203 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3204 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3205 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3206 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
3207 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3208 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3209}
3210
3211void run_inverse_tests(void)
3212{
3213 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3214 static const secp256k1_fe fe_cases[][2] = {
3215 /* 0 */
3216 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3217 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3218 /* 1 */
3219 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3220 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3221 /* -1 */
3222 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3223 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3224 /* 2 */
3225 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3226 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3227 /* 2**128 */
3228 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3229 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3230 /* Input known to need 637 divsteps */
3231 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3232 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3233 /* Input known to need 567 divsteps starting with delta=1/2. */
3234 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3235 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3236 /* Input known to need 566 divsteps starting with delta=1/2. */
3237 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3238 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3239 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3240 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3241 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3242 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3243 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3244 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3245 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3246 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3247 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3248 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3249 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3250 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3251 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3252 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3253 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3254 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3255 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3256 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3257 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3258 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3259 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3260 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3261 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3262 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3263 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3264 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3265 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3266 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3267 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3268 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3269 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3270 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3271 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3272 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3273 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3274 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3275 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3276 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3277 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3278 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3279 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3280 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3281 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3282 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3283 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3284 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3285 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3286 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3287 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3288 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3289 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3290 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3291 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3292 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3293 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3294 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3295 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3296 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3297 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3298 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3299 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3300 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3301 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3302 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3303 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3304 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3305 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3306 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3307 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3308 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3309 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3310 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3311 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3312 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3313 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3314 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3315 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3316 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3317 };
3318 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3319 static const secp256k1_scalar scalar_cases[][2] = {
3320 /* 0 */
3321 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3322 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3323 /* 1 */
3324 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3325 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3326 /* -1 */
3327 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3328 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3329 /* 2 */
3330 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3331 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3332 /* 2**128 */
3333 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3334 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3335 /* Input known to need 635 divsteps */
3336 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3337 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3338 /* Input known to need 566 divsteps starting with delta=1/2. */
3339 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3340 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3341 /* Input known to need 565 divsteps starting with delta=1/2. */
3342 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3343 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3344 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3345 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3346 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3347 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3348 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3349 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3350 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3351 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3352 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3353 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3354 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3355 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3356 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3357 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3358 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3359 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3360 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3361 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3362 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3363 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3364 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3365 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3366 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3367 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3368 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3369 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3370 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3371 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3372 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3373 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3374 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3375 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3376 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3377 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3378 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3379 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3380 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3381 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3382 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3383 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3384 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3385 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3386 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3387 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3388 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3389 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3390 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3391 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3392 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3393 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3394 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3395 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3396 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3397 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3398 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3399 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3400 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3401 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3402 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3403 };
3404 int i, var, testrand;
3405 unsigned char b32[32];
3406 secp256k1_fe x_fe;
3407 secp256k1_scalar x_scalar;
3408 memset(b32, 0, sizeof(b32));
3409 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3410 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3411 for (var = 0; var <= 1; ++var) {
3412 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3413 check_fe_equal(&x_fe, &fe_cases[i][1]);
3414 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3415 check_fe_equal(&x_fe, &fe_cases[i][0]);
3416 }
3417 }
3418 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3419 for (var = 0; var <= 1; ++var) {
3420 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3421 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3422 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3423 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3424 }
3425 }
3426 /* Test inputs 0..999 and their respective negations. */
3427 for (i = 0; i < 1000; ++i) {
3428 b32[31] = i & 0xff;
3429 b32[30] = (i >> 8) & 0xff;
3430 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3431 secp256k1_fe_set_b32(&x_fe, b32);
3432 for (var = 0; var <= 1; ++var) {
3433 test_inverse_scalar(NULL, &x_scalar, var);
3434 test_inverse_field(NULL, &x_fe, var);
3435 }
3436 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3437 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3438 for (var = 0; var <= 1; ++var) {
3439 test_inverse_scalar(NULL, &x_scalar, var);
3440 test_inverse_field(NULL, &x_fe, var);
3441 }
3442 }
3443 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3444 for (testrand = 0; testrand <= 1; ++testrand) {
3445 for (i = 0; i < 64 * count; ++i) {
3446 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3447 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3448 secp256k1_fe_set_b32(&x_fe, b32);
3449 for (var = 0; var <= 1; ++var) {
3450 test_inverse_scalar(NULL, &x_scalar, var);
3451 test_inverse_field(NULL, &x_fe, var);
3452 }
3453 }
3454 }
3455}
3456
3457/***** GROUP TESTS *****/
3458
3459void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3460 CHECK(a->infinity == b->infinity);
3461 if (a->infinity) {
3462 return;
3463 }
3464 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
3465 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
3466}
3467
3468/* This compares jacobian points including their Z, not just their geometric meaning. */
3469int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3470 secp256k1_gej a2;
3471 secp256k1_gej b2;
3472 int ret = 1;
3473 ret &= a->infinity == b->infinity;
3474 if (ret && !a->infinity) {
3475 a2 = *a;
3476 b2 = *b;
3477 secp256k1_fe_normalize(&a2.x);
3478 secp256k1_fe_normalize(&a2.y);
3479 secp256k1_fe_normalize(&a2.z);
3480 secp256k1_fe_normalize(&b2.x);
3481 secp256k1_fe_normalize(&b2.y);
3482 secp256k1_fe_normalize(&b2.z);
3483 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3484 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3485 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3486 }
3487 return ret;
3488}
3489
3490void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3491 secp256k1_fe z2s;
3492 secp256k1_fe u1, u2, s1, s2;
3493 CHECK(a->infinity == b->infinity);
3494 if (a->infinity) {
3495 return;
3496 }
3497 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3498 secp256k1_fe_sqr(&z2s, &b->z);
3499 secp256k1_fe_mul(&u1, &a->x, &z2s);
3500 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3501 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3502 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3503 CHECK(secp256k1_fe_equal_var(&u1, &u2));
3504 CHECK(secp256k1_fe_equal_var(&s1, &s2));
3505}
3506
3507void test_ge(void) {
3508 int i, i1;
3509 int runs = 6;
3510 /* 25 points are used:
3511 * - infinity
3512 * - for each of four random points p1 p2 p3 p4, we add the point, its
3513 * negation, and then those two again but with randomized Z coordinate.
3514 * - The same is then done for lambda*p1 and lambda^2*p1.
3515 */
3516 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3517 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3518 secp256k1_fe zf;
3519 secp256k1_fe zfi2, zfi3;
3520
3521 secp256k1_gej_set_infinity(&gej[0]);
3522 secp256k1_ge_clear(&ge[0]);
3523 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3524 for (i = 0; i < runs; i++) {
3525 int j;
3526 secp256k1_ge g;
3527 random_group_element_test(&g);
3528 if (i >= runs - 2) {
3529 secp256k1_ge_mul_lambda(&g, &ge[1]);
3530 }
3531 if (i >= runs - 1) {
3532 secp256k1_ge_mul_lambda(&g, &g);
3533 }
3534 ge[1 + 4 * i] = g;
3535 ge[2 + 4 * i] = g;
3536 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3537 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3538 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3539 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3540 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3541 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3542 for (j = 0; j < 4; j++) {
3543 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3544 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3545 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3546 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3547 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3548 }
3549 }
3550
3551 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3552 do {
3553 random_field_element_test(&zf);
3554 } while(secp256k1_fe_is_zero(&zf));
3555 random_field_element_magnitude(&zf);
3556 secp256k1_fe_inv_var(&zfi3, &zf);
3557 secp256k1_fe_sqr(&zfi2, &zfi3);
3558 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3559
3560 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3561 int i2;
3562 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3563 /* Compute reference result using gej + gej (var). */
3564 secp256k1_gej refj, resj;
3565 secp256k1_ge ref;
3566 secp256k1_fe zr;
3567 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3568 /* Check Z ratio. */
3569 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3570 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3571 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3572 }
3573 secp256k1_ge_set_gej_var(&ref, &refj);
3574
3575 /* Test gej + ge with Z ratio result (var). */
3576 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3577 ge_equals_gej(&ref, &resj);
3578 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3579 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3580 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3581 }
3582
3583 /* Test gej + ge (var, with additional Z factor). */
3584 {
3585 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3586 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3587 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3588 random_field_element_magnitude(&ge2_zfi.x);
3589 random_field_element_magnitude(&ge2_zfi.y);
3590 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3591 ge_equals_gej(&ref, &resj);
3592 }
3593
3594 /* Test gej + ge (const). */
3595 if (i2 != 0) {
3596 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3597 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3598 ge_equals_gej(&ref, &resj);
3599 }
3600
3601 /* Test doubling (var). */
3602 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3603 secp256k1_fe zr2;
3604 /* Normal doubling with Z ratio result. */
3605 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3606 ge_equals_gej(&ref, &resj);
3607 /* Check Z ratio. */
3608 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3609 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3610 /* Normal doubling. */
3611 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3612 ge_equals_gej(&ref, &resj);
3613 /* Constant-time doubling. */
3614 secp256k1_gej_double(&resj, &gej[i2]);
3615 ge_equals_gej(&ref, &resj);
3616 }
3617
3618 /* Test adding opposites. */
3619 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3620 CHECK(secp256k1_ge_is_infinity(&ref));
3621 }
3622
3623 /* Test adding infinity. */
3624 if (i1 == 0) {
3625 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3626 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3627 ge_equals_gej(&ref, &gej[i2]);
3628 }
3629 if (i2 == 0) {
3630 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3631 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3632 ge_equals_gej(&ref, &gej[i1]);
3633 }
3634 }
3635 }
3636
3637 /* Test adding all points together in random order equals infinity. */
3638 {
3639 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3640 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3641 for (i = 0; i < 4 * runs + 1; i++) {
3642 gej_shuffled[i] = gej[i];
3643 }
3644 for (i = 0; i < 4 * runs + 1; i++) {
3645 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3646 if (swap != i) {
3647 secp256k1_gej t = gej_shuffled[i];
3648 gej_shuffled[i] = gej_shuffled[swap];
3649 gej_shuffled[swap] = t;
3650 }
3651 }
3652 for (i = 0; i < 4 * runs + 1; i++) {
3653 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3654 }
3655 CHECK(secp256k1_gej_is_infinity(&sum));
3656 free(gej_shuffled);
3657 }
3658
3659 /* Test batch gej -> ge conversion without known z ratios. */
3660 {
3661 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3662 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3663 for (i = 0; i < 4 * runs + 1; i++) {
3664 secp256k1_fe s;
3665 random_fe_non_zero(&s);
3666 secp256k1_gej_rescale(&gej[i], &s);
3667 ge_equals_gej(&ge_set_all[i], &gej[i]);
3668 }
3669 free(ge_set_all);
3670 }
3671
3672 /* Test batch gej -> ge conversion with many infinities. */
3673 for (i = 0; i < 4 * runs + 1; i++) {
3674 int odd;
3675 random_group_element_test(&ge[i]);
3676 odd = secp256k1_fe_is_odd(&ge[i].x);
3677 CHECK(odd == 0 || odd == 1);
3678 /* randomly set half the points to infinity */
3679 if (odd == i % 2) {
3680 secp256k1_ge_set_infinity(&ge[i]);
3681 }
3682 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3683 }
3684 /* batch convert */
3685 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3686 /* check result */
3687 for (i = 0; i < 4 * runs + 1; i++) {
3688 ge_equals_gej(&ge[i], &gej[i]);
3689 }
3690
3691 /* Test batch gej -> ge conversion with all infinities. */
3692 for (i = 0; i < 4 * runs + 1; i++) {
3693 secp256k1_gej_set_infinity(&gej[i]);
3694 }
3695 /* batch convert */
3696 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3697 /* check result */
3698 for (i = 0; i < 4 * runs + 1; i++) {
3699 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3700 }
3701
3702 free(ge);
3703 free(gej);
3704}
3705
3706
3707void test_intialized_inf(void) {
3708 secp256k1_ge p;
3709 secp256k1_gej pj, npj, infj1, infj2, infj3;
3710 secp256k1_fe zinv;
3711
3712 /* Test that adding P+(-P) results in a fully initialized infinity*/
3713 random_group_element_test(&p);
3714 secp256k1_gej_set_ge(&pj, &p);
3715 secp256k1_gej_neg(&npj, &pj);
3716
3717 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3718 CHECK(secp256k1_gej_is_infinity(&infj1));
3719 CHECK(secp256k1_fe_is_zero(&infj1.x));
3720 CHECK(secp256k1_fe_is_zero(&infj1.y));
3721 CHECK(secp256k1_fe_is_zero(&infj1.z));
3722
3723 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3724 CHECK(secp256k1_gej_is_infinity(&infj2));
3725 CHECK(secp256k1_fe_is_zero(&infj2.x));
3726 CHECK(secp256k1_fe_is_zero(&infj2.y));
3727 CHECK(secp256k1_fe_is_zero(&infj2.z));
3728
3729 secp256k1_fe_set_int(&zinv, 1);
3730 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3731 CHECK(secp256k1_gej_is_infinity(&infj3));
3732 CHECK(secp256k1_fe_is_zero(&infj3.x));
3733 CHECK(secp256k1_fe_is_zero(&infj3.y));
3734 CHECK(secp256k1_fe_is_zero(&infj3.z));
3735
3736
3737}
3738
3739void test_add_neg_y_diff_x(void) {
3740 /* The point of this test is to check that we can add two points
3741 * whose y-coordinates are negatives of each other but whose x
3742 * coordinates differ. If the x-coordinates were the same, these
3743 * points would be negatives of each other and their sum is
3744 * infinity. This is cool because it "covers up" any degeneracy
3745 * in the addition algorithm that would cause the xy coordinates
3746 * of the sum to be wrong (since infinity has no xy coordinates).
3747 * HOWEVER, if the x-coordinates are different, infinity is the
3748 * wrong answer, and such degeneracies are exposed. This is the
3749 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3750 * which this test is a regression test for.
3751 *
3752 * These points were generated in sage as
3753 * # secp256k1 params
3754 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3755 * C = EllipticCurve ([F (0), F (7)])
3756 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3757 * N = FiniteField(G.order())
3758 *
3759 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3760 * x = polygen(N)
3761 * lam = (1 - x^3).roots()[1][0]
3762 *
3763 * # random "bad pair"
3764 * P = C.random_element()
3765 * Q = -int(lam) * P
3766 * print " P: %x %x" % P.xy()
3767 * print " Q: %x %x" % Q.xy()
3768 * print "P + Q: %x %x" % (P + Q).xy()
3769 */
3770 secp256k1_gej aj = SECP256K1_GEJ_CONST(
3771 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3772 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3773 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3774 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3775 );
3776 secp256k1_gej bj = SECP256K1_GEJ_CONST(
3777 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3778 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3779 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3780 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3781 );
3782 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3783 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3784 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3785 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3786 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3787 );
3788 secp256k1_ge b;
3789 secp256k1_gej resj;
3790 secp256k1_ge res;
3791 secp256k1_ge_set_gej(&b, &bj);
3792
3793 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3794 secp256k1_ge_set_gej(&res, &resj);
3795 ge_equals_gej(&res, &sumj);
3796
3797 secp256k1_gej_add_ge(&resj, &aj, &b);
3798 secp256k1_ge_set_gej(&res, &resj);
3799 ge_equals_gej(&res, &sumj);
3800
3801 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3802 secp256k1_ge_set_gej(&res, &resj);
3803 ge_equals_gej(&res, &sumj);
3804}
3805
3806void run_ge(void) {
3807 int i;
3808 for (i = 0; i < count * 32; i++) {
3809 test_ge();
3810 }
3811 test_add_neg_y_diff_x();
3812 test_intialized_inf();
3813}
3814
3815void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
3816 secp256k1_gej t = *a;
3817 secp256k1_gej_cmov(&t, b, 0);
3818 CHECK(gej_xyz_equals_gej(&t, a));
3819 secp256k1_gej_cmov(&t, b, 1);
3820 CHECK(gej_xyz_equals_gej(&t, b));
3821}
3822
3823void run_gej(void) {
3824 int i;
3825 secp256k1_gej a, b;
3826
3827 /* Tests for secp256k1_gej_cmov */
3828 for (i = 0; i < count; i++) {
3829 secp256k1_gej_set_infinity(&a);
3830 secp256k1_gej_set_infinity(&b);
3831 test_gej_cmov(&a, &b);
3832
3833 random_gej_test(&a);
3834 test_gej_cmov(&a, &b);
3835 test_gej_cmov(&b, &a);
3836
3837 b = a;
3838 test_gej_cmov(&a, &b);
3839
3840 random_gej_test(&b);
3841 test_gej_cmov(&a, &b);
3842 test_gej_cmov(&b, &a);
3843 }
3844
3845 /* Tests for secp256k1_gej_eq_var */
3846 for (i = 0; i < count; i++) {
3847 secp256k1_fe fe;
3848 random_gej_test(&a);
3849 random_gej_test(&b);
3850 CHECK(!secp256k1_gej_eq_var(&a, &b));
3851
3852 b = a;
3853 random_field_element_test(&fe);
3854 if (secp256k1_fe_is_zero(&fe)) {
3855 continue;
3856 }
3857 secp256k1_gej_rescale(&a, &fe);
3858 CHECK(secp256k1_gej_eq_var(&a, &b));
3859 }
3860}
3861
3862void test_ec_combine(void) {
3863 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3864 secp256k1_pubkey data[6];
3865 const secp256k1_pubkey* d[6];
3866 secp256k1_pubkey sd;
3867 secp256k1_pubkey sd2;
3868 secp256k1_gej Qj;
3869 secp256k1_ge Q;
3870 int i;
3871 for (i = 1; i <= 6; i++) {
3872 secp256k1_scalar s;
3873 random_scalar_order_test(&s);
3874 secp256k1_scalar_add(&sum, &sum, &s);
3875 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
3876 secp256k1_ge_set_gej(&Q, &Qj);
3877 secp256k1_pubkey_save(&data[i - 1], &Q);
3878 d[i - 1] = &data[i - 1];
3879 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
3880 secp256k1_ge_set_gej(&Q, &Qj);
3881 secp256k1_pubkey_save(&sd, &Q);
3882 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3883 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3884 }
3885}
3886
3887void run_ec_combine(void) {
3888 int i;
3889 for (i = 0; i < count * 8; i++) {
3890 test_ec_combine();
3891 }
3892}
3893
3894void test_group_decompress(const secp256k1_fe* x) {
3895 /* The input itself, normalized. */
3896 secp256k1_fe fex = *x;
3897 secp256k1_fe fez;
3898 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
3899 secp256k1_ge ge_quad, ge_even, ge_odd;
3900 secp256k1_gej gej_quad;
3901 /* Return values of the above calls. */
3902 int res_quad, res_even, res_odd;
3903
3904 secp256k1_fe_normalize_var(&fex);
3905
3906 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
3907 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3908 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3909
3910 CHECK(res_quad == res_even);
3911 CHECK(res_quad == res_odd);
3912
3913 if (res_quad) {
3914 secp256k1_fe_normalize_var(&ge_quad.x);
3915 secp256k1_fe_normalize_var(&ge_odd.x);
3916 secp256k1_fe_normalize_var(&ge_even.x);
3917 secp256k1_fe_normalize_var(&ge_quad.y);
3918 secp256k1_fe_normalize_var(&ge_odd.y);
3919 secp256k1_fe_normalize_var(&ge_even.y);
3920
3921 /* No infinity allowed. */
3922 CHECK(!ge_quad.infinity);
3923 CHECK(!ge_even.infinity);
3924 CHECK(!ge_odd.infinity);
3925
3926 /* Check that the x coordinates check out. */
3927 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
3928 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3929 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3930
3931 /* Check that the Y coordinate result in ge_quad is a square. */
3932 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
3933
3934 /* Check odd/even Y in ge_odd, ge_even. */
3935 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3936 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3937
3938 /* Check secp256k1_gej_has_quad_y_var. */
3939 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
3940 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3941 do {
3942 random_fe_test(&fez);
3943 } while (secp256k1_fe_is_zero(&fez));
3944 secp256k1_gej_rescale(&gej_quad, &fez);
3945 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3946 secp256k1_gej_neg(&gej_quad, &gej_quad);
3947 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3948 do {
3949 random_fe_test(&fez);
3950 } while (secp256k1_fe_is_zero(&fez));
3951 secp256k1_gej_rescale(&gej_quad, &fez);
3952 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3953 secp256k1_gej_neg(&gej_quad, &gej_quad);
3954 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3955 }
3956}
3957
3958void run_group_decompress(void) {
3959 int i;
3960 for (i = 0; i < count * 4; i++) {
3961 secp256k1_fe fe;
3962 random_fe_test(&fe);
3963 test_group_decompress(&fe);
3964 }
3965}
3966
3967/***** ECMULT TESTS *****/
3968
3969void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
3970 /* Tests the pre_g / pre_g_128 tables for consistency.
3971 * For independent verification we take a "geometric" approach to verification.
3972 * We check that every entry is on-curve.
3973 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
3974 * (1) p, gg, and -q are colinear.
3975 * (2) p, gg, and -q are all distinct.
3976 * where gg is twice the generator, where the generator is the first table entry.
3977 *
3978 * Checking the table's generators are correct is done in run_ecmult_pre_g.
3979 */
3980 secp256k1_gej g2;
3981 secp256k1_ge p, q, gg;
3982 secp256k1_fe dpx, dpy, dqx, dqy;
3983 size_t i;
3984
3985 CHECK(0 < n);
3986
3987 secp256k1_ge_from_storage(&p, &pre_g[0]);
3988 CHECK(secp256k1_ge_is_valid_var(&p));
3989
3990 secp256k1_gej_set_ge(&g2, &p);
3991 secp256k1_gej_double_var(&g2, &g2, NULL);
3992 secp256k1_ge_set_gej_var(&gg, &g2);
3993 for (i = 1; i < n; ++i) {
3994 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
3995 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
3996 /* Check that p is not equal to gg */
3997 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
3998
3999 secp256k1_ge_from_storage(&q, &pre_g[i]);
4000 CHECK(secp256k1_ge_is_valid_var(&q));
4001
4002 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
4003 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
4004 /* Check that -q is not equal to gg */
4005 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4006
4007 /* Check that -q is not equal to p */
4008 CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
4009
4010 /* Check that p, -q and gg are colinear */
4011 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4012 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4013 CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
4014
4015 p = q;
4016 }
4017}
4018
4019void run_ecmult_pre_g(void) {
4020 secp256k1_ge_storage gs;
4021 secp256k1_gej gj;
4022 secp256k1_ge g;
4023 size_t i;
4024
4025 /* Check that the pre_g and pre_g_128 tables are consistent. */
4026 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4027 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4028
4029 /* Check the first entry from the pre_g table. */
4030 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4031 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4032
4033 /* Check the first entry from the pre_g_128 table. */
4034 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4035 for (i = 0; i < 128; ++i) {
4036 secp256k1_gej_double_var(&gj, &gj, NULL);
4037 }
4038 secp256k1_ge_set_gej(&g, &gj);
4039 secp256k1_ge_to_storage(&gs, &g);
4040 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4041}
4042
4043void run_ecmult_chain(void) {
4044 /* random starting point A (on the curve) */
4045 secp256k1_gej a = SECP256K1_GEJ_CONST(
4046 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4047 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4048 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4049 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4050 );
4051 /* two random initial factors xn and gn */
4052 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4053 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4054 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4055 );
4056 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4057 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4058 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4059 );
4060 /* two small multipliers to be applied to xn and gn in every iteration: */
4061 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4062 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4063 /* accumulators with the resulting coefficients to A and G */
4064 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4065 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4066 /* actual points */
4067 secp256k1_gej x;
4068 secp256k1_gej x2;
4069 int i;
4070
4071 /* the point being computed */
4072 x = a;
4073 for (i = 0; i < 200*count; i++) {
4074 /* in each iteration, compute X = xn*X + gn*G; */
4075 secp256k1_ecmult(&x, &x, &xn, &gn);
4076 /* also compute ae and ge: the actual accumulated factors for A and G */
4077 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4078 secp256k1_scalar_mul(&ae, &ae, &xn);
4079 secp256k1_scalar_mul(&ge, &ge, &xn);
4080 secp256k1_scalar_add(&ge, &ge, &gn);
4081 /* modify xn and gn */
4082 secp256k1_scalar_mul(&xn, &xn, &xf);
4083 secp256k1_scalar_mul(&gn, &gn, &gf);
4084
4085 /* verify */
4086 if (i == 19999) {
4087 /* expected result after 19999 iterations */
4088 secp256k1_gej rp = SECP256K1_GEJ_CONST(
4089 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4090 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4091 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4092 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4093 );
4094 CHECK(secp256k1_gej_eq_var(&rp, &x));
4095 }
4096 }
4097 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4098 secp256k1_ecmult(&x2, &a, &ae, &ge);
4099 CHECK(secp256k1_gej_eq_var(&x, &x2));
4100}
4101
4102void test_point_times_order(const secp256k1_gej *point) {
4103 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4104 secp256k1_scalar x;
4105 secp256k1_scalar nx;
4106 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4107 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4108 secp256k1_gej res1, res2;
4109 secp256k1_ge res3;
4110 unsigned char pub[65];
4111 size_t psize = 65;
4112 random_scalar_order_test(&x);
4113 secp256k1_scalar_negate(&nx, &x);
4114 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4115 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4116 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4117 CHECK(secp256k1_gej_is_infinity(&res1));
4118 secp256k1_ge_set_gej(&res3, &res1);
4119 CHECK(secp256k1_ge_is_infinity(&res3));
4120 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4121 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4122 psize = 65;
4123 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4124 /* check zero/one edge cases */
4125 secp256k1_ecmult(&res1, point, &zero, &zero);
4126 secp256k1_ge_set_gej(&res3, &res1);
4127 CHECK(secp256k1_ge_is_infinity(&res3));
4128 secp256k1_ecmult(&res1, point, &one, &zero);
4129 secp256k1_ge_set_gej(&res3, &res1);
4130 ge_equals_gej(&res3, point);
4131 secp256k1_ecmult(&res1, point, &zero, &one);
4132 secp256k1_ge_set_gej(&res3, &res1);
4133 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4134}
4135
4136/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4137 *
4138 * They are computed as:
4139 * - For a in [-2, -1, 0, 1, 2]:
4140 * - For b in [-3, -1, 1, 3]:
4141 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4142 */
4143static const secp256k1_scalar scalars_near_split_bounds[20] = {
4144 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4145 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4146 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4147 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4148 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4149 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4150 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4151 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4152 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4153 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4154 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4155 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4156 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4157 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4158 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4159 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4160 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4161 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4162 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4163 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4164};
4165
4166void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4167 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4168 secp256k1_scalar n1, n2;
4169 secp256k1_ge p;
4170 secp256k1_gej pj, p1j, p2j, ptj;
4171 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4172
4173 /* Generate random n1,n2 such that n1+n2 = -target. */
4174 random_scalar_order_test(&n1);
4175 secp256k1_scalar_add(&n2, &n1, target);
4176 secp256k1_scalar_negate(&n2, &n2);
4177
4178 /* Generate a random input point. */
4179 if (mode != 0) {
4180 random_group_element_test(&p);
4181 secp256k1_gej_set_ge(&pj, &p);
4182 }
4183
4184 /* EC multiplications */
4185 if (mode == 0) {
4186 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
4187 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
4188 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
4189 } else if (mode == 1) {
4190 secp256k1_ecmult(&p1j, &pj, &n1, &zero);
4191 secp256k1_ecmult(&p2j, &pj, &n2, &zero);
4192 secp256k1_ecmult(&ptj, &pj, target, &zero);
4193 } else {
4194 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
4195 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
4196 secp256k1_ecmult_const(&ptj, &p, target, 256);
4197 }
4198
4199 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4200 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4201 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4202 CHECK(secp256k1_gej_is_infinity(&ptj));
4203}
4204
4205void run_ecmult_near_split_bound(void) {
4206 int i;
4207 unsigned j;
4208 for (i = 0; i < 4*count; ++i) {
4209 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4210 test_ecmult_target(&scalars_near_split_bounds[j], 0);
4211 test_ecmult_target(&scalars_near_split_bounds[j], 1);
4212 test_ecmult_target(&scalars_near_split_bounds[j], 2);
4213 }
4214 }
4215}
4216
4217void run_point_times_order(void) {
4218 int i;
4219 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4220 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4221 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4222 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4223 );
4224 for (i = 0; i < 500; i++) {
4225 secp256k1_ge p;
4226 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4227 secp256k1_gej j;
4228 CHECK(secp256k1_ge_is_valid_var(&p));
4229 secp256k1_gej_set_ge(&j, &p);
4230 test_point_times_order(&j);
4231 }
4232 secp256k1_fe_sqr(&x, &x);
4233 }
4234 secp256k1_fe_normalize_var(&x);
4235 CHECK(secp256k1_fe_equal_var(&x, &xr));
4236}
4237
4238void ecmult_const_random_mult(void) {
4239 /* random starting point A (on the curve) */
4240 secp256k1_ge a = SECP256K1_GE_CONST(
4241 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4242 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4243 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4244 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4245 );
4246 /* random initial factor xn */
4247 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4248 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4249 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4250 );
4251 /* expected xn * A (from sage) */
4252 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4253 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4254 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4255 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4256 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4257 );
4258 secp256k1_gej b;
4259 secp256k1_ecmult_const(&b, &a, &xn, 256);
4260
4261 CHECK(secp256k1_ge_is_valid_var(&a));
4262 ge_equals_gej(&expected_b, &b);
4263}
4264
4265void ecmult_const_commutativity(void) {
4266 secp256k1_scalar a;
4267 secp256k1_scalar b;
4268 secp256k1_gej res1;
4269 secp256k1_gej res2;
4270 secp256k1_ge mid1;
4271 secp256k1_ge mid2;
4272 random_scalar_order_test(&a);
4273 random_scalar_order_test(&b);
4274
4275 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
4276 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
4277 secp256k1_ge_set_gej(&mid1, &res1);
4278 secp256k1_ge_set_gej(&mid2, &res2);
4279 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
4280 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
4281 secp256k1_ge_set_gej(&mid1, &res1);
4282 secp256k1_ge_set_gej(&mid2, &res2);
4283 ge_equals_ge(&mid1, &mid2);
4284}
4285
4286void ecmult_const_mult_zero_one(void) {
4287 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4288 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4289 secp256k1_scalar negone;
4290 secp256k1_gej res1;
4291 secp256k1_ge res2;
4292 secp256k1_ge point;
4293 secp256k1_scalar_negate(&negone, &one);
4294
4295 random_group_element_test(&point);
4296 secp256k1_ecmult_const(&res1, &point, &zero, 3);
4297 secp256k1_ge_set_gej(&res2, &res1);
4298 CHECK(secp256k1_ge_is_infinity(&res2));
4299 secp256k1_ecmult_const(&res1, &point, &one, 2);
4300 secp256k1_ge_set_gej(&res2, &res1);
4301 ge_equals_ge(&res2, &point);
4302 secp256k1_ecmult_const(&res1, &point, &negone, 256);
4303 secp256k1_gej_neg(&res1, &res1);
4304 secp256k1_ge_set_gej(&res2, &res1);
4305 ge_equals_ge(&res2, &point);
4306}
4307
4308void ecmult_const_chain_multiply(void) {
4309 /* Check known result (randomly generated test problem from sage) */
4310 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4311 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4312 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4313 );
4314 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4315 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4316 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4317 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4318 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4319 );
4320 secp256k1_gej point;
4321 secp256k1_ge res;
4322 int i;
4323
4324 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4325 for (i = 0; i < 100; ++i) {
4326 secp256k1_ge tmp;
4327 secp256k1_ge_set_gej(&tmp, &point);
4328 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
4329 }
4330 secp256k1_ge_set_gej(&res, &point);
4331 ge_equals_gej(&res, &expected_point);
4332}
4333
4334void run_ecmult_const_tests(void) {
4335 ecmult_const_mult_zero_one();
4336 ecmult_const_random_mult();
4337 ecmult_const_commutativity();
4338 ecmult_const_chain_multiply();
4339}
4340
4341typedef struct {
4342 secp256k1_scalar *sc;
4343 secp256k1_ge *pt;
4344} ecmult_multi_data;
4345
4346static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4347 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4348 *sc = data->sc[idx];
4349 *pt = data->pt[idx];
4350 return 1;
4351}
4352
4353static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4354 (void)sc;
4355 (void)pt;
4356 (void)idx;
4357 (void)cbdata;
4358 return 0;
4359}
4360
4361void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4362 int ncount;
4363 secp256k1_scalar szero;
4364 secp256k1_scalar sc[32];
4365 secp256k1_ge pt[32];
4366 secp256k1_gej r;
4367 secp256k1_gej r2;
4368 ecmult_multi_data data;
4369
4370 data.sc = sc;
4371 data.pt = pt;
4372 secp256k1_scalar_set_int(&szero, 0);
4373
4374 /* No points to multiply */
4375 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4376
4377 /* Check 1- and 2-point multiplies against ecmult */
4378 for (ncount = 0; ncount < count; ncount++) {
4379 secp256k1_ge ptg;
4380 secp256k1_gej ptgj;
4381 random_scalar_order(&sc[0]);
4382 random_scalar_order(&sc[1]);
4383
4384 random_group_element_test(&ptg);
4385 secp256k1_gej_set_ge(&ptgj, &ptg);
4386 pt[0] = ptg;
4387 pt[1] = secp256k1_ge_const_g;
4388
4389 /* only G scalar */
4390 secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]);
4391 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4392 CHECK(secp256k1_gej_eq_var(&r, &r2));
4393
4394 /* 1-point */
4395 secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero);
4396 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
4397 CHECK(secp256k1_gej_eq_var(&r, &r2));
4398
4399 /* Try to multiply 1 point, but callback returns false */
4400 CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
4401
4402 /* 2-point */
4403 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4404 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
4405 CHECK(secp256k1_gej_eq_var(&r, &r2));
4406
4407 /* 2-point with G scalar */
4408 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4409 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4410 CHECK(secp256k1_gej_eq_var(&r, &r2));
4411 }
4412
4413 /* Check infinite outputs of various forms */
4414 for (ncount = 0; ncount < count; ncount++) {
4415 secp256k1_ge ptg;
4416 size_t i, j;
4417 size_t sizes[] = { 2, 10, 32 };
4418
4419 for (j = 0; j < 3; j++) {
4420 for (i = 0; i < 32; i++) {
4421 random_scalar_order(&sc[i]);
4422 secp256k1_ge_set_infinity(&pt[i]);
4423 }
4424 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4425 CHECK(secp256k1_gej_is_infinity(&r));
4426 }
4427
4428 for (j = 0; j < 3; j++) {
4429 for (i = 0; i < 32; i++) {
4430 random_group_element_test(&ptg);
4431 pt[i] = ptg;
4432 secp256k1_scalar_set_int(&sc[i], 0);
4433 }
4434 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4435 CHECK(secp256k1_gej_is_infinity(&r));
4436 }
4437
4438 for (j = 0; j < 3; j++) {
4439 random_group_element_test(&ptg);
4440 for (i = 0; i < 16; i++) {
4441 random_scalar_order(&sc[2*i]);
4442 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4443 pt[2 * i] = ptg;
4444 pt[2 * i + 1] = ptg;
4445 }
4446
4447 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4448 CHECK(secp256k1_gej_is_infinity(&r));
4449
4450 random_scalar_order(&sc[0]);
4451 for (i = 0; i < 16; i++) {
4452 random_group_element_test(&ptg);
4453
4454 sc[2*i] = sc[0];
4455 sc[2*i+1] = sc[0];
4456 pt[2 * i] = ptg;
4457 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4458 }
4459
4460 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4461 CHECK(secp256k1_gej_is_infinity(&r));
4462 }
4463
4464 random_group_element_test(&ptg);
4465 secp256k1_scalar_set_int(&sc[0], 0);
4466 pt[0] = ptg;
4467 for (i = 1; i < 32; i++) {
4468 pt[i] = ptg;
4469
4470 random_scalar_order(&sc[i]);
4471 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4472 secp256k1_scalar_negate(&sc[i], &sc[i]);
4473 }
4474
4475 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
4476 CHECK(secp256k1_gej_is_infinity(&r));
4477 }
4478
4479 /* Check random points, constant scalar */
4480 for (ncount = 0; ncount < count; ncount++) {
4481 size_t i;
4482 secp256k1_gej_set_infinity(&r);
4483
4484 random_scalar_order(&sc[0]);
4485 for (i = 0; i < 20; i++) {
4486 secp256k1_ge ptg;
4487 sc[i] = sc[0];
4488 random_group_element_test(&ptg);
4489 pt[i] = ptg;
4490 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4491 }
4492
4493 secp256k1_ecmult(&r2, &r, &sc[0], &szero);
4494 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4495 CHECK(secp256k1_gej_eq_var(&r, &r2));
4496 }
4497
4498 /* Check random scalars, constant point */
4499 for (ncount = 0; ncount < count; ncount++) {
4500 size_t i;
4501 secp256k1_ge ptg;
4502 secp256k1_gej p0j;
4503 secp256k1_scalar rs;
4504 secp256k1_scalar_set_int(&rs, 0);
4505
4506 random_group_element_test(&ptg);
4507 for (i = 0; i < 20; i++) {
4508 random_scalar_order(&sc[i]);
4509 pt[i] = ptg;
4510 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4511 }
4512
4513 secp256k1_gej_set_ge(&p0j, &pt[0]);
4514 secp256k1_ecmult(&r2, &p0j, &rs, &szero);
4515 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4516 CHECK(secp256k1_gej_eq_var(&r, &r2));
4517 }
4518
4519 /* Sanity check that zero scalars don't cause problems */
4520 for (ncount = 0; ncount < 20; ncount++) {
4521 random_scalar_order(&sc[ncount]);
4522 random_group_element_test(&pt[ncount]);
4523 }
4524 secp256k1_scalar_clear(&sc[0]);
4525 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4526 secp256k1_scalar_clear(&sc[1]);
4527 secp256k1_scalar_clear(&sc[2]);
4528 secp256k1_scalar_clear(&sc[3]);
4529 secp256k1_scalar_clear(&sc[4]);
4530 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
4531 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4532 CHECK(secp256k1_gej_is_infinity(&r));
4533
4534 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4535 {
4536 const size_t TOP = 8;
4537 size_t s0i, s1i;
4538 size_t t0i, t1i;
4539 secp256k1_ge ptg;
4540 secp256k1_gej ptgj;
4541
4542 random_group_element_test(&ptg);
4543 secp256k1_gej_set_ge(&ptgj, &ptg);
4544
4545 for(t0i = 0; t0i < TOP; t0i++) {
4546 for(t1i = 0; t1i < TOP; t1i++) {
4547 secp256k1_gej t0p, t1p;
4548 secp256k1_scalar t0, t1;
4549
4550 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4551 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4552 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4553 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4554
4555 secp256k1_ecmult(&t0p, &ptgj, &t0, &szero);
4556 secp256k1_ecmult(&t1p, &ptgj, &t1, &szero);
4557
4558 for(s0i = 0; s0i < TOP; s0i++) {
4559 for(s1i = 0; s1i < TOP; s1i++) {
4560 secp256k1_scalar tmp1, tmp2;
4561 secp256k1_gej expected, actual;
4562
4563 secp256k1_ge_set_gej(&pt[0], &t0p);
4564 secp256k1_ge_set_gej(&pt[1], &t1p);
4565
4566 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4567 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4568 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4569 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4570
4571 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4572 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4573 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4574
4575 secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero);
4576 CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4577 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4578 }
4579 }
4580 }
4581 }
4582 }
4583}
4584
4585int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4586 /* Large random test for ecmult_multi_* functions which exercises:
4587 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4588 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4589 * - Including or excluding an nonzero a*G term (or such a term at all).
4590 * - Final expected result equal to infinity or not (roughly 50%).
4591 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4592 */
4593
4594 /* These 4 variables define the eventual input to the ecmult_multi function.
4595 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4596 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4597 * which form its normal inputs. */
4598 int filled = 0;
4599 secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4600 secp256k1_scalar scalars[128];
4601 secp256k1_gej gejs[128];
4602 /* The expected result, and the computed result. */
4603 secp256k1_gej expected, computed;
4604 /* Temporaries. */
4605 secp256k1_scalar sc_tmp;
4606 secp256k1_ge ge_tmp;
4607 /* Variables needed for the actual input to ecmult_multi. */
4608 secp256k1_ge ges[128];
4609 ecmult_multi_data data;
4610
4611 int i;
4612 /* Which multiplication function to use */
4613 int fn = secp256k1_testrand_int(3);
4614 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4615 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4616 secp256k1_ecmult_pippenger_batch_single;
4617 /* Simulate exponentially distributed num. */
4618 int num_bits = 2 + secp256k1_testrand_int(6);
4619 /* Number of (scalar, point) inputs (excluding g). */
4620 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4621 /* Number of those which are nonzero. */
4622 int num_nonzero = secp256k1_testrand_int(num + 1);
4623 /* Whether we're aiming to create an input with nonzero expected result. */
4624 int nonzero_result = secp256k1_testrand_bits(1);
4625 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4626 * is forced here based on num_nonzero and nonzero_result. */
4627 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4628 num_nonzero == 1 && !nonzero_result ? 1 :
4629 (int)secp256k1_testrand_bits(1);
4630 /* Which g_scalar pointer to pass into ecmult_multi(). */
4631 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4632 /* How many EC multiplications were performed in this function. */
4633 int mults = 0;
4634 /* How many randomization steps to apply to the input list. */
4635 int rands = (int)secp256k1_testrand_bits(3);
4636 if (rands > num_nonzero) rands = num_nonzero;
4637
4638 secp256k1_gej_set_infinity(&expected);
4639 secp256k1_gej_set_infinity(&gejs[0]);
4640 secp256k1_scalar_set_int(&scalars[0], 0);
4641
4642 if (g_nonzero) {
4643 /* If g_nonzero, set g_scalar to nonzero value r. */
4644 random_scalar_order_test(&g_scalar);
4645 if (!nonzero_result) {
4646 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4647 CHECK(num_nonzero > filled);
4648 random_scalar_order_test(&sc_tmp);
4649 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4650 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4651 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4652 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4653 ++filled;
4654 ++mults;
4655 }
4656 }
4657
4658 if (nonzero_result && filled < num_nonzero) {
4659 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4660 random_scalar_order_test(&scalars[filled]);
4661 random_group_element_test(&ge_tmp);
4662 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4663 ++filled;
4664 }
4665
4666 if (nonzero_result) {
4667 /* Compute the expected result using normal ecmult. */
4668 CHECK(filled <= 1);
4669 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4670 mults += filled + g_nonzero;
4671 }
4672
4673 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4674 CHECK(filled <= 1 + !nonzero_result);
4675 CHECK(filled <= num_nonzero);
4676
4677 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4678 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4679 while (filled < num) {
4680 if (secp256k1_testrand_bits(1)) {
4681 secp256k1_gej_set_infinity(&gejs[filled]);
4682 random_scalar_order_test(&scalars[filled]);
4683 } else {
4684 secp256k1_scalar_set_int(&scalars[filled], 0);
4685 random_group_element_test(&ge_tmp);
4686 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4687 }
4688 ++filled;
4689 }
4690
4691 /* Now perform cheapish transformations on gejs and scalars, for indices
4692 * 0..num_nonzero-1, which do not change the expected result, but may
4693 * convert some of them to be both non-0-scalar and non-infinity-point. */
4694 for (i = 0; i < rands; ++i) {
4695 int j;
4696 secp256k1_scalar v, iv;
4697 /* Shuffle the entries. */
4698 for (j = 0; j < num_nonzero; ++j) {
4699 int k = secp256k1_testrand_int(num_nonzero - j);
4700 if (k != 0) {
4701 secp256k1_gej gej = gejs[j];
4702 secp256k1_scalar sc = scalars[j];
4703 gejs[j] = gejs[j + k];
4704 scalars[j] = scalars[j + k];
4705 gejs[j + k] = gej;
4706 scalars[j + k] = sc;
4707 }
4708 }
4709 /* Perturb all consecutive pairs of inputs:
4710 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4711 for (j = 0; j + 1 < num_nonzero; j += 2) {
4712 secp256k1_gej gej;
4713 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4714 secp256k1_gej_neg(&gej, &gejs[j]);
4715 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4716 }
4717 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4718 CHECK(num_nonzero >= 1);
4719 random_scalar_order_test(&v);
4720 secp256k1_scalar_inverse(&iv, &v);
4721 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4722 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
4723 ++mults;
4724 }
4725
4726 /* Shuffle all entries (0..num-1). */
4727 for (i = 0; i < num; ++i) {
4728 int j = secp256k1_testrand_int(num - i);
4729 if (j != 0) {
4730 secp256k1_gej gej = gejs[i];
4731 secp256k1_scalar sc = scalars[i];
4732 gejs[i] = gejs[i + j];
4733 scalars[i] = scalars[i + j];
4734 gejs[i + j] = gej;
4735 scalars[i + j] = sc;
4736 }
4737 }
4738
4739 /* Compute affine versions of all inputs. */
4740 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
4741 /* Invoke ecmult_multi code. */
4742 data.sc = scalars;
4743 data.pt = ges;
4744 CHECK(ecmult_multi(&ctx->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
4745 mults += num_nonzero + g_nonzero;
4746 /* Compare with expected result. */
4747 CHECK(secp256k1_gej_eq_var(&computed, &expected));
4748 return mults;
4749}
4750
4751void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
4752 secp256k1_scalar szero;
4753 secp256k1_scalar sc;
4754 secp256k1_ge pt;
4755 secp256k1_gej r;
4756 ecmult_multi_data data;
4757 secp256k1_scratch *scratch_empty;
4758
4759 random_group_element_test(&pt);
4760 random_scalar_order(&sc);
4761 data.sc = &sc;
4762 data.pt = &pt;
4763 secp256k1_scalar_set_int(&szero, 0);
4764
4765 /* Try to multiply 1 point, but scratch space is empty.*/
4766 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
4767 CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4768 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
4769}
4770
4771void test_secp256k1_pippenger_bucket_window_inv(void) {
4772 int i;
4773
4774 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
4775 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4776 /* Bucket_window of 8 is not used with endo */
4777 if (i == 8) {
4778 continue;
4779 }
4780 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
4781 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4782 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
4783 }
4784 }
4785}
4786
4791void test_ecmult_multi_pippenger_max_points(void) {
4792 size_t scratch_size = secp256k1_testrand_bits(8);
4793 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
4794 secp256k1_scratch *scratch;
4795 size_t n_points_supported;
4796 int bucket_window = 0;
4797
4798 for(; scratch_size < max_size; scratch_size+=256) {
4799 size_t i;
4800 size_t total_alloc;
4801 size_t checkpoint;
4802 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4803 CHECK(scratch != NULL);
4804 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4805 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4806 if (n_points_supported == 0) {
4807 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4808 continue;
4809 }
4810 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4811 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4812 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4813 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4814 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
4815 total_alloc--;
4816 }
4817 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4818 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4819 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4820 }
4821 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4822}
4823
4824void test_ecmult_multi_batch_size_helper(void) {
4825 size_t n_batches, n_batch_points, max_n_batch_points, n;
4826
4827 max_n_batch_points = 0;
4828 n = 1;
4829 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4830
4831 max_n_batch_points = 1;
4832 n = 0;
4833 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4834 CHECK(n_batches == 0);
4835 CHECK(n_batch_points == 0);
4836
4837 max_n_batch_points = 2;
4838 n = 5;
4839 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4840 CHECK(n_batches == 3);
4841 CHECK(n_batch_points == 2);
4842
4843 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4844 n = ECMULT_MAX_POINTS_PER_BATCH;
4845 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4846 CHECK(n_batches == 1);
4847 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4848
4849 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4850 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
4851 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4852 CHECK(n_batches == 2);
4853 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4854
4855 max_n_batch_points = 1;
4856 n = SIZE_MAX;
4857 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4858 CHECK(n_batches == SIZE_MAX);
4859 CHECK(n_batch_points == 1);
4860
4861 max_n_batch_points = 2;
4862 n = SIZE_MAX;
4863 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4864 CHECK(n_batches == SIZE_MAX/2 + 1);
4865 CHECK(n_batch_points == 2);
4866}
4867
4872void test_ecmult_multi_batching(void) {
4873 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4874 secp256k1_scalar scG;
4875 secp256k1_scalar szero;
4876 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
4877 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4878 secp256k1_gej r;
4879 secp256k1_gej r2;
4880 ecmult_multi_data data;
4881 int i;
4882 secp256k1_scratch *scratch;
4883
4884 secp256k1_gej_set_infinity(&r2);
4885 secp256k1_scalar_set_int(&szero, 0);
4886
4887 /* Get random scalars and group elements and compute result */
4888 random_scalar_order(&scG);
4889 secp256k1_ecmult(&r2, &r2, &szero, &scG);
4890 for(i = 0; i < n_points; i++) {
4891 secp256k1_ge ptg;
4892 secp256k1_gej ptgj;
4893 random_group_element_test(&ptg);
4894 secp256k1_gej_set_ge(&ptgj, &ptg);
4895 pt[i] = ptg;
4896 random_scalar_order(&sc[i]);
4897 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
4898 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4899 }
4900 data.sc = sc;
4901 data.pt = pt;
4902 secp256k1_gej_neg(&r2, &r2);
4903
4904 /* Test with empty scratch space. It should compute the correct result using
4905 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4906 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
4907 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4908 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4909 CHECK(secp256k1_gej_is_infinity(&r));
4910 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4911
4912 /* Test with space for 1 point in pippenger. That's not enough because
4913 * ecmult_multi selects strauss which requires more memory. It should
4914 * therefore select the simple algorithm. */
4915 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4916 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4917 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4918 CHECK(secp256k1_gej_is_infinity(&r));
4919 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4920
4921 for(i = 1; i <= n_points; i++) {
4922 if (i > ECMULT_PIPPENGER_THRESHOLD) {
4923 int bucket_window = secp256k1_pippenger_bucket_window(i);
4924 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4925 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4926 } else {
4927 size_t scratch_size = secp256k1_strauss_scratch_size(i);
4928 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4929 }
4930 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4931 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4932 CHECK(secp256k1_gej_is_infinity(&r));
4933 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4934 }
4935 free(sc);
4936 free(pt);
4937}
4938
4939void run_ecmult_multi_tests(void) {
4940 secp256k1_scratch *scratch;
4941 int64_t todo = (int64_t)320 * count;
4942
4943 test_secp256k1_pippenger_bucket_window_inv();
4944 test_ecmult_multi_pippenger_max_points();
4945 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4946 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4947 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
4948 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
4949 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
4950 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
4951 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
4952 while (todo > 0) {
4953 todo -= test_ecmult_multi_random(scratch);
4954 }
4955 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4956
4957 /* Run test_ecmult_multi with space for exactly one point */
4958 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4959 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4960 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4961
4962 test_ecmult_multi_batch_size_helper();
4963 test_ecmult_multi_batching();
4964}
4965
4966void test_wnaf(const secp256k1_scalar *number, int w) {
4967 secp256k1_scalar x, two, t;
4968 int wnaf[256];
4969 int zeroes = -1;
4970 int i;
4971 int bits;
4972 secp256k1_scalar_set_int(&x, 0);
4973 secp256k1_scalar_set_int(&two, 2);
4974 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4975 CHECK(bits <= 256);
4976 for (i = bits-1; i >= 0; i--) {
4977 int v = wnaf[i];
4978 secp256k1_scalar_mul(&x, &x, &two);
4979 if (v) {
4980 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4981 zeroes=0;
4982 CHECK((v & 1) == 1); /* check non-zero elements are odd */
4983 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4984 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4985 } else {
4986 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4987 zeroes++;
4988 }
4989 if (v >= 0) {
4990 secp256k1_scalar_set_int(&t, v);
4991 } else {
4992 secp256k1_scalar_set_int(&t, -v);
4993 secp256k1_scalar_negate(&t, &t);
4994 }
4995 secp256k1_scalar_add(&x, &x, &t);
4996 }
4997 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4998}
4999
5000void test_constant_wnaf_negate(const secp256k1_scalar *number) {
5001 secp256k1_scalar neg1 = *number;
5002 secp256k1_scalar neg2 = *number;
5003 int sign1 = 1;
5004 int sign2 = 1;
5005
5006 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
5007 secp256k1_scalar_negate(&neg1, &neg1);
5008 sign1 = -1;
5009 }
5010 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
5011 CHECK(sign1 == sign2);
5012 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
5013}
5014
5015void test_constant_wnaf(const secp256k1_scalar *number, int w) {
5016 secp256k1_scalar x, shift;
5017 int wnaf[256] = {0};
5018 int i;
5019 int skew;
5020 int bits = 256;
5021 secp256k1_scalar num = *number;
5022 secp256k1_scalar scalar_skew;
5023
5024 secp256k1_scalar_set_int(&x, 0);
5025 secp256k1_scalar_set_int(&shift, 1 << w);
5026 for (i = 0; i < 16; ++i) {
5027 secp256k1_scalar_shr_int(&num, 8);
5028 }
5029 bits = 128;
5030 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
5031
5032 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
5033 secp256k1_scalar t;
5034 int v = wnaf[i];
5035 CHECK(v != 0); /* check nonzero */
5036 CHECK(v & 1); /* check parity */
5037 CHECK(v > -(1 << w)); /* check range above */
5038 CHECK(v < (1 << w)); /* check range below */
5039
5040 secp256k1_scalar_mul(&x, &x, &shift);
5041 if (v >= 0) {
5042 secp256k1_scalar_set_int(&t, v);
5043 } else {
5044 secp256k1_scalar_set_int(&t, -v);
5045 secp256k1_scalar_negate(&t, &t);
5046 }
5047 secp256k1_scalar_add(&x, &x, &t);
5048 }
5049 /* Skew num because when encoding numbers as odd we use an offset */
5050 secp256k1_scalar_set_int(&scalar_skew, skew);
5051 secp256k1_scalar_add(&num, &num, &scalar_skew);
5052 CHECK(secp256k1_scalar_eq(&x, &num));
5053}
5054
5055void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5056 secp256k1_scalar x, shift;
5057 int wnaf[256] = {0};
5058 int i;
5059 int skew;
5060 secp256k1_scalar num = *number;
5061
5062 secp256k1_scalar_set_int(&x, 0);
5063 secp256k1_scalar_set_int(&shift, 1 << w);
5064 for (i = 0; i < 16; ++i) {
5065 secp256k1_scalar_shr_int(&num, 8);
5066 }
5067 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5068
5069 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5070 secp256k1_scalar t;
5071 int v = wnaf[i];
5072 CHECK(v == 0 || v & 1); /* check parity */
5073 CHECK(v > -(1 << w)); /* check range above */
5074 CHECK(v < (1 << w)); /* check range below */
5075
5076 secp256k1_scalar_mul(&x, &x, &shift);
5077 if (v >= 0) {
5078 secp256k1_scalar_set_int(&t, v);
5079 } else {
5080 secp256k1_scalar_set_int(&t, -v);
5081 secp256k1_scalar_negate(&t, &t);
5082 }
5083 secp256k1_scalar_add(&x, &x, &t);
5084 }
5085 /* If skew is 1 then add 1 to num */
5086 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5087 CHECK(secp256k1_scalar_eq(&x, &num));
5088}
5089
5090/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5091 * rest is 0.*/
5092void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5093 int i;
5094 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5095 CHECK(wnaf[i] == 0);
5096 }
5097 for (i = 7; i >= 0; --i) {
5098 CHECK(wnaf[i] == wnaf_expected[i]);
5099 }
5100}
5101
5102void test_fixed_wnaf_small(void) {
5103 int w = 4;
5104 int wnaf[256] = {0};
5105 int i;
5106 int skew;
5107 secp256k1_scalar num;
5108
5109 secp256k1_scalar_set_int(&num, 0);
5110 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5111 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5112 int v = wnaf[i];
5113 CHECK(v == 0);
5114 }
5115 CHECK(skew == 0);
5116
5117 secp256k1_scalar_set_int(&num, 1);
5118 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5119 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5120 int v = wnaf[i];
5121 CHECK(v == 0);
5122 }
5123 CHECK(wnaf[0] == 1);
5124 CHECK(skew == 0);
5125
5126 {
5127 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5128 secp256k1_scalar_set_int(&num, 0xffffffff);
5129 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5130 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5131 CHECK(skew == 0);
5132 }
5133 {
5134 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5135 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5136 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5137 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5138 CHECK(skew == 1);
5139 }
5140 {
5141 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5142 secp256k1_scalar_set_int(&num, 0x01010101);
5143 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5144 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5145 CHECK(skew == 0);
5146 }
5147 {
5148 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5149 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5150 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5151 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5152 CHECK(skew == 0);
5153 }
5154}
5155
5156void run_wnaf(void) {
5157 int i;
5158 secp256k1_scalar n = {{0}};
5159
5160 test_constant_wnaf(&n, 4);
5161 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
5162 * have easier-to-diagnose failure modes */
5163 n.d[0] = 1;
5164 test_constant_wnaf(&n, 4);
5165 n.d[0] = 2;
5166 test_constant_wnaf(&n, 4);
5167 /* Test -1, because it's a special case in wnaf_const */
5168 n = secp256k1_scalar_one;
5169 secp256k1_scalar_negate(&n, &n);
5170 test_constant_wnaf(&n, 4);
5171
5172 /* Test -2, which may not lead to overflows in wnaf_const */
5173 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
5174 secp256k1_scalar_negate(&n, &n);
5175 test_constant_wnaf(&n, 4);
5176
5177 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
5178 as corner cases of negation handling in wnaf_const */
5179 secp256k1_scalar_inverse(&n, &n);
5180 test_constant_wnaf(&n, 4);
5181
5182 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
5183 test_constant_wnaf(&n, 4);
5184
5185 /* Test 0 for fixed wnaf */
5186 test_fixed_wnaf_small();
5187 /* Random tests */
5188 for (i = 0; i < count; i++) {
5189 random_scalar_order(&n);
5190 test_wnaf(&n, 4+(i%10));
5191 test_constant_wnaf_negate(&n);
5192 test_constant_wnaf(&n, 4 + (i % 10));
5193 test_fixed_wnaf(&n, 4 + (i % 10));
5194 }
5195 secp256k1_scalar_set_int(&n, 0);
5196 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5197 CHECK(secp256k1_scalar_is_zero(&n));
5198 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5199 CHECK(secp256k1_scalar_is_zero(&n));
5200}
5201
5202static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5203 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5204 *sc = *indata;
5205 *pt = secp256k1_ge_const_g;
5206 CHECK(idx == 0);
5207 return 1;
5208}
5209
5210void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5211 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5212 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5213 secp256k1_ge r;
5214 const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5215 unsigned char bytes[65];
5216 size_t size = 65;
5217 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5218 secp256k1_gej_set_infinity(&infj);
5219 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj1, x);
5220 secp256k1_ecmult(&rj2, &gj, x, &zero);
5221 secp256k1_ecmult(&rj3, &infj, &zero, x);
5222 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5223 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
5224 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x, 256);
5225 secp256k1_ge_set_gej_var(&r, &rj1);
5226 ge_equals_gej(&r, &rj2);
5227 ge_equals_gej(&r, &rj3);
5228 ge_equals_gej(&r, &rj4);
5229 ge_equals_gej(&r, &rj5);
5230 ge_equals_gej(&r, &rj6);
5231 if (secp256k1_ge_is_infinity(&r)) {
5232 /* Store infinity as 0x00 */
5233 const unsigned char zerobyte[1] = {0};
5234 secp256k1_sha256_write(acc, zerobyte, 1);
5235 } else {
5236 /* Store other points using their uncompressed serialization. */
5237 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5238 CHECK(size == 65);
5239 secp256k1_sha256_write(acc, bytes, size);
5240 }
5241}
5242
5243void test_ecmult_constants_2bit(void) {
5244 /* Using test_ecmult_accumulate, test ecmult for:
5245 * - For i in 0..36:
5246 * - Key i
5247 * - Key -i
5248 * - For i in 0..255:
5249 * - For j in 1..255 (only odd values):
5250 * - Key (j*2^i) mod order
5251 */
5252 secp256k1_scalar x;
5253 secp256k1_sha256 acc;
5254 unsigned char b32[32];
5255 int i, j;
5256 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
5257
5258 /* Expected hash of all the computed points; created with an independent
5259 * implementation. */
5260 static const unsigned char expected32[32] = {
5261 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5262 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5263 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5264 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5265 };
5266 secp256k1_sha256_initialize(&acc);
5267 for (i = 0; i <= 36; ++i) {
5268 secp256k1_scalar_set_int(&x, i);
5269 test_ecmult_accumulate(&acc, &x, scratch);
5270 secp256k1_scalar_negate(&x, &x);
5271 test_ecmult_accumulate(&acc, &x, scratch);
5272 };
5273 for (i = 0; i < 256; ++i) {
5274 for (j = 1; j < 256; j += 2) {
5275 int k;
5276 secp256k1_scalar_set_int(&x, j);
5277 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5278 test_ecmult_accumulate(&acc, &x, scratch);
5279 }
5280 }
5281 secp256k1_sha256_finalize(&acc, b32);
5282 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5283
5284 secp256k1_scratch_space_destroy(ctx, scratch);
5285}
5286
5287void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5288 /* Using test_ecmult_accumulate, test ecmult for:
5289 * - Key 0
5290 * - Key 1
5291 * - Key -1
5292 * - For i in range(iter):
5293 * - Key SHA256(LE32(prefix) || LE16(i))
5294 */
5295 secp256k1_scalar x;
5296 secp256k1_sha256 acc;
5297 unsigned char b32[32];
5298 unsigned char inp[6];
5299 size_t i;
5300 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
5301
5302 inp[0] = prefix & 0xFF;
5303 inp[1] = (prefix >> 8) & 0xFF;
5304 inp[2] = (prefix >> 16) & 0xFF;
5305 inp[3] = (prefix >> 24) & 0xFF;
5306 secp256k1_sha256_initialize(&acc);
5307 secp256k1_scalar_set_int(&x, 0);
5308 test_ecmult_accumulate(&acc, &x, scratch);
5309 secp256k1_scalar_set_int(&x, 1);
5310 test_ecmult_accumulate(&acc, &x, scratch);
5311 secp256k1_scalar_negate(&x, &x);
5312 test_ecmult_accumulate(&acc, &x, scratch);
5313
5314 for (i = 0; i < iter; ++i) {
5315 secp256k1_sha256 gen;
5316 inp[4] = i & 0xff;
5317 inp[5] = (i >> 8) & 0xff;
5318 secp256k1_sha256_initialize(&gen);
5319 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5320 secp256k1_sha256_finalize(&gen, b32);
5321 secp256k1_scalar_set_b32(&x, b32, NULL);
5322 test_ecmult_accumulate(&acc, &x, scratch);
5323 }
5324 secp256k1_sha256_finalize(&acc, b32);
5325 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5326
5327 secp256k1_scratch_space_destroy(ctx, scratch);
5328}
5329
5330void run_ecmult_constants(void) {
5331 /* Expected hashes of all points in the tests below. Computed using an
5332 * independent implementation. */
5333 static const unsigned char expected32_6bit20[32] = {
5334 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5335 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5336 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5337 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5338 };
5339 static const unsigned char expected32_8bit8[32] = {
5340 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5341 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5342 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5343 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5344 };
5345 /* For every combination of 6 bit positions out of 256, restricted to
5346 * 20-bit windows (i.e., the first and last bit position are no more than
5347 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5348 * this test. */
5349 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5350 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5351 }
5352
5353 /* For every combination of 8 consecutive bit positions, all 256 bit
5354 * patterns occur in the input scalars used in this test. */
5355 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5356 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5357 }
5358
5359 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5360 test_ecmult_constants_2bit();
5361 }
5362}
5363
5364void test_ecmult_gen_blind(void) {
5365 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5366 secp256k1_scalar key;
5367 secp256k1_scalar b;
5368 unsigned char seed32[32];
5369 secp256k1_gej pgej;
5370 secp256k1_gej pgej2;
5371 secp256k1_gej i;
5372 secp256k1_ge pge;
5373 random_scalar_order_test(&key);
5374 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
5375 secp256k1_testrand256(seed32);
5376 b = ctx->ecmult_gen_ctx.blind;
5377 i = ctx->ecmult_gen_ctx.initial;
5378 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
5379 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5380 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
5381 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5382 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
5383 secp256k1_ge_set_gej(&pge, &pgej);
5384 ge_equals_gej(&pge, &pgej2);
5385}
5386
5387void test_ecmult_gen_blind_reset(void) {
5388 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5389 secp256k1_scalar b;
5390 secp256k1_gej initial;
5391 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5392 b = ctx->ecmult_gen_ctx.blind;
5393 initial = ctx->ecmult_gen_ctx.initial;
5394 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5395 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5396 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
5397}
5398
5399void run_ecmult_gen_blind(void) {
5400 int i;
5401 test_ecmult_gen_blind_reset();
5402 for (i = 0; i < 10; i++) {
5403 test_ecmult_gen_blind();
5404 }
5405}
5406
5407/***** ENDOMORPHISH TESTS *****/
5408void test_scalar_split(const secp256k1_scalar* full) {
5409 secp256k1_scalar s, s1, slam;
5410 const unsigned char zero[32] = {0};
5411 unsigned char tmp[32];
5412
5413 secp256k1_scalar_split_lambda(&s1, &slam, full);
5414
5415 /* check slam*lambda + s1 == full */
5416 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5417 secp256k1_scalar_add(&s, &s, &s1);
5418 CHECK(secp256k1_scalar_eq(&s, full));
5419
5420 /* check that both are <= 128 bits in size */
5421 if (secp256k1_scalar_is_high(&s1)) {
5422 secp256k1_scalar_negate(&s1, &s1);
5423 }
5424 if (secp256k1_scalar_is_high(&slam)) {
5425 secp256k1_scalar_negate(&slam, &slam);
5426 }
5427
5428 secp256k1_scalar_get_b32(tmp, &s1);
5429 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5430 secp256k1_scalar_get_b32(tmp, &slam);
5431 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5432}
5433
5434
5435void run_endomorphism_tests(void) {
5436 unsigned i;
5437 static secp256k1_scalar s;
5438 test_scalar_split(&secp256k1_scalar_zero);
5439 test_scalar_split(&secp256k1_scalar_one);
5440 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5441 test_scalar_split(&s);
5442 test_scalar_split(&secp256k1_const_lambda);
5443 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5444 test_scalar_split(&s);
5445
5446 for (i = 0; i < 100U * count; ++i) {
5447 secp256k1_scalar full;
5448 random_scalar_order_test(&full);
5449 test_scalar_split(&full);
5450 }
5451 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5452 test_scalar_split(&scalars_near_split_bounds[i]);
5453 }
5454}
5455
5456void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5457 unsigned char pubkeyc[65];
5458 secp256k1_pubkey pubkey;
5459 secp256k1_ge ge;
5460 size_t pubkeyclen;
5461 int32_t ecount;
5462 ecount = 0;
5463 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5464 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5465 /* Smaller sizes are tested exhaustively elsewhere. */
5466 int32_t i;
5467 memcpy(&pubkeyc[1], input, 64);
5468 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5469 for (i = 0; i < 256; i++) {
5470 /* Try all type bytes. */
5471 int xpass;
5472 int ypass;
5473 int ysign;
5474 pubkeyc[0] = i;
5475 /* What sign does this point have? */
5476 ysign = (input[63] & 1) + 2;
5477 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5478 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5479 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5480 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5481 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5482 if (xpass || ypass) {
5483 /* These cases must parse. */
5484 unsigned char pubkeyo[65];
5485 size_t outl;
5486 memset(&pubkey, 0, sizeof(pubkey));
5487 VG_UNDEF(&pubkey, sizeof(pubkey));
5488 ecount = 0;
5489 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5490 VG_CHECK(&pubkey, sizeof(pubkey));
5491 outl = 65;
5492 VG_UNDEF(pubkeyo, 65);
5493 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5494 VG_CHECK(pubkeyo, outl);
5495 CHECK(outl == 33);
5496 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5497 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5498 if (ypass) {
5499 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5500 CHECK(pubkeyo[0] == ysign);
5501 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5502 memset(&pubkey, 0, sizeof(pubkey));
5503 VG_UNDEF(&pubkey, sizeof(pubkey));
5504 secp256k1_pubkey_save(&pubkey, &ge);
5505 VG_CHECK(&pubkey, sizeof(pubkey));
5506 outl = 65;
5507 VG_UNDEF(pubkeyo, 65);
5508 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5509 VG_CHECK(pubkeyo, outl);
5510 CHECK(outl == 65);
5511 CHECK(pubkeyo[0] == 4);
5512 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5513 }
5514 CHECK(ecount == 0);
5515 } else {
5516 /* These cases must fail to parse. */
5517 memset(&pubkey, 0xfe, sizeof(pubkey));
5518 ecount = 0;
5519 VG_UNDEF(&pubkey, sizeof(pubkey));
5520 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
5521 VG_CHECK(&pubkey, sizeof(pubkey));
5522 CHECK(ecount == 0);
5523 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5524 CHECK(ecount == 1);
5525 }
5526 }
5527 }
5528 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5529}
5530
5531void run_ec_pubkey_parse_test(void) {
5532#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5533 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5534 {
5535 /* Point with leading and trailing zeros in x and y serialization. */
5536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5538 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5539 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5540 },
5541 {
5542 /* Point with x equal to a 3rd root of unity.*/
5543 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5544 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5545 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5546 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5547 },
5548 {
5549 /* Point with largest x. (1/2) */
5550 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5551 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5552 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5553 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5554 },
5555 {
5556 /* Point with largest x. (2/2) */
5557 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5558 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5559 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5560 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5561 },
5562 {
5563 /* Point with smallest x. (1/2) */
5564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5565 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5566 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5567 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5568 },
5569 {
5570 /* Point with smallest x. (2/2) */
5571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5573 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5574 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5575 },
5576 {
5577 /* Point with largest y. (1/3) */
5578 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5579 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5580 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5581 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5582 },
5583 {
5584 /* Point with largest y. (2/3) */
5585 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5586 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5587 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5588 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5589 },
5590 {
5591 /* Point with largest y. (3/3) */
5592 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5593 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5594 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5595 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5596 },
5597 {
5598 /* Point with smallest y. (1/3) */
5599 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5600 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5601 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5602 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5603 },
5604 {
5605 /* Point with smallest y. (2/3) */
5606 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5607 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5608 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5609 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5610 },
5611 {
5612 /* Point with smallest y. (3/3) */
5613 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5614 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5615 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5616 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5617 }
5618 };
5619#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5620 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5621 {
5622 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5623 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5624 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5625 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5626 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5627 },
5628 {
5629 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5630 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5631 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5632 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5634 },
5635 {
5636 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5637 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5638 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5639 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5641 },
5642 {
5643 /* x on curve, y is from y^2 = x^3 + 8. */
5644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5648 }
5649 };
5650#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5651 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5652 {
5653 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5654 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5655 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5658 },
5659 {
5660 /* Valid if x overflow ignored (x = 1 mod p). */
5661 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5662 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5663 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5664 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5665 },
5666 {
5667 /* Valid if x overflow ignored (x = 1 mod p). */
5668 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5669 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5670 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5671 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5672 },
5673 {
5674 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5675 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5676 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5677 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5678 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5679 },
5680 {
5681 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5682 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5683 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5684 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5685 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5686 },
5687 {
5688 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5691 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5692 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5693 },
5694 {
5695 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5698 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5699 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5700 }
5701 };
5702 const unsigned char pubkeyc[66] = {
5703 /* Serialization of G. */
5704 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5705 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5706 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5707 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5708 0xB8, 0x00
5709 };
5710 unsigned char sout[65];
5711 unsigned char shortkey[2];
5712 secp256k1_ge ge;
5713 secp256k1_pubkey pubkey;
5714 size_t len;
5715 int32_t i;
5716 int32_t ecount;
5717 int32_t ecount2;
5718 ecount = 0;
5719 /* Nothing should be reading this far into pubkeyc. */
5720 VG_UNDEF(&pubkeyc[65], 1);
5721 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5722 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5723 memset(&pubkey, 0xfe, sizeof(pubkey));
5724 ecount = 0;
5725 VG_UNDEF(shortkey, 2);
5726 VG_UNDEF(&pubkey, sizeof(pubkey));
5727 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
5728 VG_CHECK(&pubkey, sizeof(pubkey));
5729 CHECK(ecount == 0);
5730 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5731 CHECK(ecount == 1);
5732 /* Length one claimed, fail, zeroize, no illegal arg error. */
5733 for (i = 0; i < 256 ; i++) {
5734 memset(&pubkey, 0xfe, sizeof(pubkey));
5735 ecount = 0;
5736 shortkey[0] = i;
5737 VG_UNDEF(&shortkey[1], 1);
5738 VG_UNDEF(&pubkey, sizeof(pubkey));
5739 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
5740 VG_CHECK(&pubkey, sizeof(pubkey));
5741 CHECK(ecount == 0);
5742 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5743 CHECK(ecount == 1);
5744 }
5745 /* Length two claimed, fail, zeroize, no illegal arg error. */
5746 for (i = 0; i < 65536 ; i++) {
5747 memset(&pubkey, 0xfe, sizeof(pubkey));
5748 ecount = 0;
5749 shortkey[0] = i & 255;
5750 shortkey[1] = i >> 8;
5751 VG_UNDEF(&pubkey, sizeof(pubkey));
5752 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
5753 VG_CHECK(&pubkey, sizeof(pubkey));
5754 CHECK(ecount == 0);
5755 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5756 CHECK(ecount == 1);
5757 }
5758 memset(&pubkey, 0xfe, sizeof(pubkey));
5759 ecount = 0;
5760 VG_UNDEF(&pubkey, sizeof(pubkey));
5761 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5762 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
5763 VG_CHECK(&pubkey, sizeof(pubkey));
5764 CHECK(ecount == 0);
5765 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5766 CHECK(ecount == 1);
5767 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5768 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
5769 CHECK(ecount == 2);
5770 /* NULL input string. Illegal arg and zeroize output. */
5771 memset(&pubkey, 0xfe, sizeof(pubkey));
5772 ecount = 0;
5773 VG_UNDEF(&pubkey, sizeof(pubkey));
5774 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5775 VG_CHECK(&pubkey, sizeof(pubkey));
5776 CHECK(ecount == 1);
5777 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5778 CHECK(ecount == 2);
5779 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5780 memset(&pubkey, 0xfe, sizeof(pubkey));
5781 ecount = 0;
5782 VG_UNDEF(&pubkey, sizeof(pubkey));
5783 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
5784 VG_CHECK(&pubkey, sizeof(pubkey));
5785 CHECK(ecount == 0);
5786 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5787 CHECK(ecount == 1);
5788 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5789 memset(&pubkey, 0xfe, sizeof(pubkey));
5790 ecount = 0;
5791 VG_UNDEF(&pubkey, sizeof(pubkey));
5792 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
5793 VG_CHECK(&pubkey, sizeof(pubkey));
5794 CHECK(ecount == 0);
5795 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5796 CHECK(ecount == 1);
5797 /* Valid parse. */
5798 memset(&pubkey, 0, sizeof(pubkey));
5799 ecount = 0;
5800 VG_UNDEF(&pubkey, sizeof(pubkey));
5801 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
5802 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
5803 VG_CHECK(&pubkey, sizeof(pubkey));
5804 CHECK(ecount == 0);
5805 VG_UNDEF(&ge, sizeof(ge));
5806 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5807 VG_CHECK(&ge.x, sizeof(ge.x));
5808 VG_CHECK(&ge.y, sizeof(ge.y));
5809 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
5810 ge_equals_ge(&secp256k1_ge_const_g, &ge);
5811 CHECK(ecount == 0);
5812 /* secp256k1_ec_pubkey_serialize illegal args. */
5813 ecount = 0;
5814 len = 65;
5815 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5816 CHECK(ecount == 1);
5817 CHECK(len == 0);
5818 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5819 CHECK(ecount == 2);
5820 len = 65;
5821 VG_UNDEF(sout, 65);
5822 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
5823 VG_CHECK(sout, 65);
5824 CHECK(ecount == 3);
5825 CHECK(len == 0);
5826 len = 65;
5827 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
5828 CHECK(ecount == 4);
5829 CHECK(len == 0);
5830 len = 65;
5831 VG_UNDEF(sout, 65);
5832 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5833 VG_CHECK(sout, 65);
5834 CHECK(ecount == 4);
5835 CHECK(len == 65);
5836 /* Multiple illegal args. Should still set arg error only once. */
5837 ecount = 0;
5838 ecount2 = 11;
5839 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5840 CHECK(ecount == 1);
5841 /* Does the illegal arg callback actually change the behavior? */
5842 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
5843 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5844 CHECK(ecount == 1);
5845 CHECK(ecount2 == 10);
5846 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5847 /* Try a bunch of prefabbed points with all possible encodings. */
5848 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
5849 ec_pubkey_parse_pointtest(valid[i], 1, 1);
5850 }
5851 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
5852 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5853 }
5854 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
5855 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5856 }
5857}
5858
5859void run_eckey_edge_case_test(void) {
5860 const unsigned char orderc[32] = {
5861 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5862 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5863 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5864 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
5865 };
5866 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
5867 unsigned char ctmp[33];
5868 unsigned char ctmp2[33];
5869 secp256k1_pubkey pubkey;
5870 secp256k1_pubkey pubkey2;
5871 secp256k1_pubkey pubkey_one;
5872 secp256k1_pubkey pubkey_negone;
5873 const secp256k1_pubkey *pubkeys[3];
5874 size_t len;
5875 int32_t ecount;
5876 /* Group order is too large, reject. */
5877 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
5878 VG_UNDEF(&pubkey, sizeof(pubkey));
5879 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
5880 VG_CHECK(&pubkey, sizeof(pubkey));
5881 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5882 /* Maximum value is too large, reject. */
5883 memset(ctmp, 255, 32);
5884 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5885 memset(&pubkey, 1, sizeof(pubkey));
5886 VG_UNDEF(&pubkey, sizeof(pubkey));
5887 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5888 VG_CHECK(&pubkey, sizeof(pubkey));
5889 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5890 /* Zero is too small, reject. */
5891 memset(ctmp, 0, 32);
5892 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5893 memset(&pubkey, 1, sizeof(pubkey));
5894 VG_UNDEF(&pubkey, sizeof(pubkey));
5895 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5896 VG_CHECK(&pubkey, sizeof(pubkey));
5897 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5898 /* One must be accepted. */
5899 ctmp[31] = 0x01;
5900 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5901 memset(&pubkey, 0, sizeof(pubkey));
5902 VG_UNDEF(&pubkey, sizeof(pubkey));
5903 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5904 VG_CHECK(&pubkey, sizeof(pubkey));
5905 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5906 pubkey_one = pubkey;
5907 /* Group order + 1 is too large, reject. */
5908 memcpy(ctmp, orderc, 32);
5909 ctmp[31] = 0x42;
5910 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5911 memset(&pubkey, 1, sizeof(pubkey));
5912 VG_UNDEF(&pubkey, sizeof(pubkey));
5913 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5914 VG_CHECK(&pubkey, sizeof(pubkey));
5915 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5916 /* -1 must be accepted. */
5917 ctmp[31] = 0x40;
5918 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5919 memset(&pubkey, 0, sizeof(pubkey));
5920 VG_UNDEF(&pubkey, sizeof(pubkey));
5921 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5922 VG_CHECK(&pubkey, sizeof(pubkey));
5923 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5924 pubkey_negone = pubkey;
5925 /* Tweak of zero leaves the value unchanged. */
5926 memset(ctmp2, 0, 32);
5927 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5928 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5929 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5930 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5931 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5932 /* Multiply tweak of zero zeroizes the output. */
5933 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5934 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5935 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5936 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5937 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5938 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5939 seckey, the seckey is zeroized. */
5940 memcpy(ctmp, orderc, 32);
5941 memset(ctmp2, 0, 32);
5942 ctmp2[31] = 0x01;
5943 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
5944 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5945 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5946 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5947 memcpy(ctmp, orderc, 32);
5948 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5949 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5950 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5951 tweak, the seckey is zeroized. */
5952 memcpy(ctmp, orderc, 32);
5953 ctmp[31] = 0x40;
5954 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5955 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5956 memcpy(ctmp, orderc, 32);
5957 ctmp[31] = 0x40;
5958 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5959 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5960 memcpy(ctmp, orderc, 32);
5961 ctmp[31] = 0x40;
5962 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5963 tweak, the pubkey is zeroized. */
5964 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5965 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5966 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5967 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5968 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5969 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5970 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5971 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5972 * case the pubkey is zeroized. */
5973 memcpy(ctmp, orderc, 32);
5974 ctmp[31] = 0x40;
5975 memset(ctmp2, 0, 32);
5976 ctmp2[31] = 1;
5977 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5978 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5979 ctmp2[31] = 1;
5980 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5981 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5982 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5983 /* Tweak computation wraps and results in a key of 1. */
5984 ctmp2[31] = 2;
5985 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5986 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5987 ctmp2[31] = 2;
5988 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5989 ctmp2[31] = 1;
5990 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5991 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5992 /* Tweak mul * 2 = 1+1. */
5993 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5994 ctmp2[31] = 2;
5995 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5996 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5997 /* Test argument errors. */
5998 ecount = 0;
5999 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6000 CHECK(ecount == 0);
6001 /* Zeroize pubkey on parse error. */
6002 memset(&pubkey, 0, 32);
6003 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
6004 CHECK(ecount == 1);
6005 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6006 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6007 memset(&pubkey2, 0, 32);
6008 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
6009 CHECK(ecount == 2);
6010 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6011 /* Plain argument errors. */
6012 ecount = 0;
6013 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
6014 CHECK(ecount == 0);
6015 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
6016 CHECK(ecount == 1);
6017 ecount = 0;
6018 memset(ctmp2, 0, 32);
6019 ctmp2[31] = 4;
6020 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
6021 CHECK(ecount == 1);
6022 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
6023 CHECK(ecount == 2);
6024 ecount = 0;
6025 memset(ctmp2, 0, 32);
6026 ctmp2[31] = 4;
6027 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
6028 CHECK(ecount == 1);
6029 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
6030 CHECK(ecount == 2);
6031 ecount = 0;
6032 memset(ctmp2, 0, 32);
6033 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
6034 CHECK(ecount == 1);
6035 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
6036 CHECK(ecount == 2);
6037 ecount = 0;
6038 memset(ctmp2, 0, 32);
6039 ctmp2[31] = 1;
6040 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
6041 CHECK(ecount == 1);
6042 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
6043 CHECK(ecount == 2);
6044 ecount = 0;
6045 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
6046 CHECK(ecount == 1);
6047 memset(&pubkey, 1, sizeof(pubkey));
6048 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6049 CHECK(ecount == 2);
6050 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6051 /* secp256k1_ec_pubkey_combine tests. */
6052 ecount = 0;
6053 pubkeys[0] = &pubkey_one;
6054 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
6055 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
6056 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
6057 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6058 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6059 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
6060 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6061 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6062 CHECK(ecount == 1);
6063 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
6064 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6065 CHECK(ecount == 2);
6066 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6067 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6068 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
6069 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6070 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6071 CHECK(ecount == 3);
6072 pubkeys[0] = &pubkey_negone;
6073 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6074 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6075 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
6076 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6077 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6078 CHECK(ecount == 3);
6079 len = 33;
6080 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6081 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6082 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6083 /* Result is infinity. */
6084 pubkeys[0] = &pubkey_one;
6085 pubkeys[1] = &pubkey_negone;
6086 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6087 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6088 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
6089 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6090 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6091 CHECK(ecount == 3);
6092 /* Passes through infinity but comes out one. */
6093 pubkeys[2] = &pubkey_one;
6094 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6095 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6096 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
6097 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6098 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6099 CHECK(ecount == 3);
6100 len = 33;
6101 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6102 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6103 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6104 /* Adds to two. */
6105 pubkeys[1] = &pubkey_one;
6106 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6107 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6108 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
6109 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6110 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6111 CHECK(ecount == 3);
6112 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6113}
6114
6115void run_eckey_negate_test(void) {
6116 unsigned char seckey[32];
6117 unsigned char seckey_tmp[32];
6118
6119 random_scalar_order_b32(seckey);
6120 memcpy(seckey_tmp, seckey, 32);
6121
6122 /* Verify negation changes the key and changes it back */
6123 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
6124 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6125 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
6126 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6127
6128 /* Check that privkey alias gives same result */
6129 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
6130 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
6131 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6132
6133 /* Negating all 0s fails */
6134 memset(seckey, 0, 32);
6135 memset(seckey_tmp, 0, 32);
6136 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
6137 /* Check that seckey is not modified */
6138 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6139
6140 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6141 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6142 * doesn't just set seckey to a constant value in case of failure. */
6143 random_scalar_order_b32(seckey);
6144 memset(seckey, 0xFF, 16);
6145 memset(seckey_tmp, 0, 32);
6146 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
6147 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6148}
6149
6150void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6151 secp256k1_scalar nonce;
6152 do {
6153 random_scalar_order_test(&nonce);
6154 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6155}
6156
6157void test_ecdsa_sign_verify(void) {
6158 secp256k1_gej pubj;
6159 secp256k1_ge pub;
6160 secp256k1_scalar one;
6161 secp256k1_scalar msg, key;
6162 secp256k1_scalar sigr, sigs;
6163 int getrec;
6164 int recid;
6165 random_scalar_order_test(&msg);
6166 random_scalar_order_test(&key);
6167 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
6168 secp256k1_ge_set_gej(&pub, &pubj);
6169 getrec = secp256k1_testrand_bits(1);
6170 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6171 See the commit messages of the commit that introduced this comment for details. */
6172 if (getrec) {
6173 random_sign(&sigr, &sigs, &key, &msg, &recid);
6174 CHECK(recid >= 0 && recid < 4);
6175 } else {
6176 random_sign(&sigr, &sigs, &key, &msg, NULL);
6177 }
6178 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6179 secp256k1_scalar_set_int(&one, 1);
6180 secp256k1_scalar_add(&msg, &msg, &one);
6181 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6182}
6183
6184void run_ecdsa_sign_verify(void) {
6185 int i;
6186 for (i = 0; i < 10*count; i++) {
6187 test_ecdsa_sign_verify();
6188 }
6189}
6190
6192static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6193 (void)msg32;
6194 (void)key32;
6195 (void)algo16;
6196 memcpy(nonce32, data, 32);
6197 return (counter == 0);
6198}
6199
6200static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6201 /* Dummy nonce generator that has a fatal error on the first counter value. */
6202 if (counter == 0) {
6203 return 0;
6204 }
6205 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6206}
6207
6208static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6209 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6210 if (counter < 3) {
6211 memset(nonce32, counter==0 ? 0 : 255, 32);
6212 if (counter == 2) {
6213 nonce32[31]--;
6214 }
6215 return 1;
6216 }
6217 if (counter < 5) {
6218 static const unsigned char order[] = {
6219 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6220 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6221 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6222 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6223 };
6224 memcpy(nonce32, order, 32);
6225 if (counter == 4) {
6226 nonce32[31]++;
6227 }
6228 return 1;
6229 }
6230 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6231 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6232 if (counter > 5) {
6233 return 0;
6234 }
6235 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6236}
6237
6238int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6239 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6240 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6241}
6242
6243void test_ecdsa_end_to_end(void) {
6244 unsigned char extra[32] = {0x00};
6245 unsigned char privkey[32];
6246 unsigned char message[32];
6247 unsigned char privkey2[32];
6248 secp256k1_ecdsa_signature signature[6];
6249 secp256k1_scalar r, s;
6250 unsigned char sig[74];
6251 size_t siglen = 74;
6252 unsigned char pubkeyc[65];
6253 size_t pubkeyclen = 65;
6254 secp256k1_pubkey pubkey;
6255 secp256k1_pubkey pubkey_tmp;
6256 unsigned char seckey[300];
6257 size_t seckeylen = 300;
6258
6259 /* Generate a random key and message. */
6260 {
6261 secp256k1_scalar msg, key;
6262 random_scalar_order_test(&msg);
6263 random_scalar_order_test(&key);
6264 secp256k1_scalar_get_b32(privkey, &key);
6265 secp256k1_scalar_get_b32(message, &msg);
6266 }
6267
6268 /* Construct and verify corresponding public key. */
6269 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
6270 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
6271
6272 /* Verify exporting and importing public key. */
6273 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6274 memset(&pubkey, 0, sizeof(pubkey));
6275 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
6276
6277 /* Verify negation changes the key and changes it back */
6278 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6279 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
6280 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6281 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
6282 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6283
6284 /* Verify private key import and export. */
6285 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6286 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
6287 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6288
6289 /* Optionally tweak the keys using addition. */
6290 if (secp256k1_testrand_int(3) == 0) {
6291 int ret1;
6292 int ret2;
6293 int ret3;
6294 unsigned char rnd[32];
6295 unsigned char privkey_tmp[32];
6296 secp256k1_pubkey pubkey2;
6297 secp256k1_testrand256_test(rnd);
6298 memcpy(privkey_tmp, privkey, 32);
6299 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
6300 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
6301 /* Check that privkey alias gives same result */
6302 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
6303 CHECK(ret1 == ret2);
6304 CHECK(ret2 == ret3);
6305 if (ret1 == 0) {
6306 return;
6307 }
6308 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6309 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6310 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6311 }
6312
6313 /* Optionally tweak the keys using multiplication. */
6314 if (secp256k1_testrand_int(3) == 0) {
6315 int ret1;
6316 int ret2;
6317 int ret3;
6318 unsigned char rnd[32];
6319 unsigned char privkey_tmp[32];
6320 secp256k1_pubkey pubkey2;
6321 secp256k1_testrand256_test(rnd);
6322 memcpy(privkey_tmp, privkey, 32);
6323 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
6324 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
6325 /* Check that privkey alias gives same result */
6326 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
6327 CHECK(ret1 == ret2);
6328 CHECK(ret2 == ret3);
6329 if (ret1 == 0) {
6330 return;
6331 }
6332 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6333 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6334 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6335 }
6336
6337 /* Sign. */
6338 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
6339 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
6340 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
6341 extra[31] = 1;
6342 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
6343 extra[31] = 0;
6344 extra[0] = 1;
6345 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
6346 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6347 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6348 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6349 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6350 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6351 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6352 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6353 /* Verify. */
6354 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6355 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
6356 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
6357 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
6358 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6359 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
6360 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
6361 secp256k1_scalar_negate(&s, &s);
6362 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6363 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
6364 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6365 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6366 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6367 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6368 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6369 secp256k1_scalar_negate(&s, &s);
6370 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6371 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6372 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6373 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6374
6375 /* Serialize/parse DER and verify again */
6376 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6377 memset(&signature[0], 0, sizeof(signature[0]));
6378 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
6379 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6380 /* Serialize/destroy/parse DER and verify again. */
6381 siglen = 74;
6382 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6383 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6384 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
6385 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
6386}
6387
6388void test_random_pubkeys(void) {
6389 secp256k1_ge elem;
6390 secp256k1_ge elem2;
6391 unsigned char in[65];
6392 /* Generate some randomly sized pubkeys. */
6393 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6394 if (secp256k1_testrand_bits(2) == 0) {
6395 len = secp256k1_testrand_bits(6);
6396 }
6397 if (len == 65) {
6398 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6399 } else {
6400 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6401 }
6402 if (secp256k1_testrand_bits(3) == 0) {
6403 in[0] = secp256k1_testrand_bits(8);
6404 }
6405 if (len > 1) {
6406 secp256k1_testrand256(&in[1]);
6407 }
6408 if (len > 33) {
6409 secp256k1_testrand256(&in[33]);
6410 }
6411 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6412 unsigned char out[65];
6413 unsigned char firstb;
6414 int res;
6415 size_t size = len;
6416 firstb = in[0];
6417 /* If the pubkey can be parsed, it should round-trip... */
6418 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6419 CHECK(size == len);
6420 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6421 /* ... except for the type of hybrid inputs. */
6422 if ((in[0] != 6) && (in[0] != 7)) {
6423 CHECK(in[0] == out[0]);
6424 }
6425 size = 65;
6426 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6427 CHECK(size == 65);
6428 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6429 ge_equals_ge(&elem,&elem2);
6430 /* Check that the X9.62 hybrid type is checked. */
6431 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6432 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6433 if (firstb == 2 || firstb == 3) {
6434 if (in[0] == firstb + 4) {
6435 CHECK(res);
6436 } else {
6437 CHECK(!res);
6438 }
6439 }
6440 if (res) {
6441 ge_equals_ge(&elem,&elem2);
6442 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6443 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6444 }
6445 }
6446}
6447
6448void run_pubkey_comparison(void) {
6449 unsigned char pk1_ser[33] = {
6450 0x02,
6451 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6452 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6453 };
6454 const unsigned char pk2_ser[33] = {
6455 0x02,
6456 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6457 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6458 };
6459 secp256k1_pubkey pk1;
6460 secp256k1_pubkey pk2;
6461 int32_t ecount = 0;
6462
6463 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6464 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6465
6466 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6467 CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
6468 CHECK(ecount == 1);
6469 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
6470 CHECK(ecount == 2);
6471 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6472 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6473 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
6474 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
6475 CHECK(ecount == 2);
6476 {
6477 secp256k1_pubkey pk_tmp;
6478 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6479 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
6480 CHECK(ecount == 3);
6481 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
6482 CHECK(ecount == 5);
6483 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
6484 CHECK(ecount == 6);
6485 }
6486
6487 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6488
6489 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6490 * an uncompressed encoding, these would have the opposite ordering */
6491 pk1_ser[0] = 3;
6492 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6493 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6494 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6495}
6496
6497void run_random_pubkeys(void) {
6498 int i;
6499 for (i = 0; i < 10*count; i++) {
6500 test_random_pubkeys();
6501 }
6502}
6503
6504void run_ecdsa_end_to_end(void) {
6505 int i;
6506 for (i = 0; i < 64*count; i++) {
6507 test_ecdsa_end_to_end();
6508 }
6509}
6510
6511int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6512 static const unsigned char zeroes[32] = {0};
6513
6514 int ret = 0;
6515
6516 secp256k1_ecdsa_signature sig_der;
6517 unsigned char roundtrip_der[2048];
6518 unsigned char compact_der[64];
6519 size_t len_der = 2048;
6520 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6521
6522 secp256k1_ecdsa_signature sig_der_lax;
6523 unsigned char roundtrip_der_lax[2048];
6524 unsigned char compact_der_lax[64];
6525 size_t len_der_lax = 2048;
6526 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6527
6528 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
6529 if (parsed_der) {
6530 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
6531 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6532 }
6533 if (valid_der) {
6534 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
6535 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6536 }
6537
6538 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
6539 if (parsed_der_lax) {
6540 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
6541 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6542 }
6543 if (valid_der_lax) {
6544 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6545 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6546 }
6547
6548 if (certainly_der) {
6549 ret |= (!parsed_der) << 2;
6550 }
6551 if (certainly_not_der) {
6552 ret |= (parsed_der) << 17;
6553 }
6554 if (valid_der) {
6555 ret |= (!roundtrips_der) << 3;
6556 }
6557
6558 if (valid_der) {
6559 ret |= (!roundtrips_der_lax) << 12;
6560 ret |= (len_der != len_der_lax) << 13;
6561 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6562 }
6563 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6564 if (parsed_der) {
6565 ret |= (!parsed_der_lax) << 16;
6566 }
6567
6568 return ret;
6569}
6570
6571static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6572 size_t i;
6573 for (i = 0; i < ptrlen; i++) {
6574 int shift = ptrlen - 1 - i;
6575 if (shift >= 4) {
6576 ptr[i] = 0;
6577 } else {
6578 ptr[i] = (val >> shift) & 0xFF;
6579 }
6580 }
6581}
6582
6583static void damage_array(unsigned char *sig, size_t *len) {
6584 int pos;
6585 int action = secp256k1_testrand_bits(3);
6586 if (action < 1 && *len > 3) {
6587 /* Delete a byte. */
6588 pos = secp256k1_testrand_int(*len);
6589 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6590 (*len)--;
6591 return;
6592 } else if (action < 2 && *len < 2048) {
6593 /* Insert a byte. */
6594 pos = secp256k1_testrand_int(1 + *len);
6595 memmove(sig + pos + 1, sig + pos, *len - pos);
6596 sig[pos] = secp256k1_testrand_bits(8);
6597 (*len)++;
6598 return;
6599 } else if (action < 4) {
6600 /* Modify a byte. */
6601 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6602 return;
6603 } else { /* action < 8 */
6604 /* Modify a bit. */
6605 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6606 return;
6607 }
6608}
6609
6610static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6611 int der;
6612 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6613 size_t tlen, elen, glen;
6614 int indet;
6615 int n;
6616
6617 *len = 0;
6618 der = secp256k1_testrand_bits(2) == 0;
6619 *certainly_der = der;
6620 *certainly_not_der = 0;
6621 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6622
6623 for (n = 0; n < 2; n++) {
6624 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6625 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6626 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6627 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6628 CHECK(nlen[n] <= 232);
6629 /* The top bit of the number. */
6630 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6631 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6632 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6633 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6634 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6635 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6636 *certainly_not_der = 1;
6637 }
6638 CHECK(nlen[n] + nzlen[n] <= 300);
6639 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6640 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6641 if (!der) {
6642 /* nlenlen[n] max 127 bytes */
6643 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6644 nlenlen[n] += add;
6645 if (add != 0) {
6646 *certainly_not_der = 1;
6647 }
6648 }
6649 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6650 }
6651
6652 /* The total length of the data to go, so far */
6653 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6654 CHECK(tlen <= 856);
6655
6656 /* The length of the garbage inside the tuple. */
6657 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6658 if (elen != 0) {
6659 *certainly_not_der = 1;
6660 }
6661 tlen += elen;
6662 CHECK(tlen <= 980);
6663
6664 /* The length of the garbage after the end of the tuple. */
6665 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6666 if (glen != 0) {
6667 *certainly_not_der = 1;
6668 }
6669 CHECK(tlen + glen <= 990);
6670
6671 /* Write the tuple header. */
6672 sig[(*len)++] = 0x30;
6673 if (indet) {
6674 /* Indeterminate length */
6675 sig[(*len)++] = 0x80;
6676 *certainly_not_der = 1;
6677 } else {
6678 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6679 if (!der) {
6680 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6681 tlenlen += add;
6682 if (add != 0) {
6683 *certainly_not_der = 1;
6684 }
6685 }
6686 if (tlenlen == 0) {
6687 /* Short length notation */
6688 sig[(*len)++] = tlen;
6689 } else {
6690 /* Long length notation */
6691 sig[(*len)++] = 128 + tlenlen;
6692 assign_big_endian(sig + *len, tlenlen, tlen);
6693 *len += tlenlen;
6694 }
6695 tlen += tlenlen;
6696 }
6697 tlen += 2;
6698 CHECK(tlen + glen <= 1119);
6699
6700 for (n = 0; n < 2; n++) {
6701 /* Write the integer header. */
6702 sig[(*len)++] = 0x02;
6703 if (nlenlen[n] == 0) {
6704 /* Short length notation */
6705 sig[(*len)++] = nlen[n] + nzlen[n];
6706 } else {
6707 /* Long length notation. */
6708 sig[(*len)++] = 128 + nlenlen[n];
6709 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6710 *len += nlenlen[n];
6711 }
6712 /* Write zero padding */
6713 while (nzlen[n] > 0) {
6714 sig[(*len)++] = 0x00;
6715 nzlen[n]--;
6716 }
6717 if (nlen[n] == 32 && !nlow[n]) {
6718 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6719 int i;
6720 for (i = 0; i < 16; i++) {
6721 sig[(*len)++] = 0xFF;
6722 }
6723 nlen[n] -= 16;
6724 }
6725 /* Write first byte of number */
6726 if (nlen[n] > 0) {
6727 sig[(*len)++] = nhbyte[n];
6728 nlen[n]--;
6729 }
6730 /* Generate remaining random bytes of number */
6731 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6732 *len += nlen[n];
6733 nlen[n] = 0;
6734 }
6735
6736 /* Generate random garbage inside tuple. */
6737 secp256k1_testrand_bytes_test(sig + *len, elen);
6738 *len += elen;
6739
6740 /* Generate end-of-contents bytes. */
6741 if (indet) {
6742 sig[(*len)++] = 0;
6743 sig[(*len)++] = 0;
6744 tlen += 2;
6745 }
6746 CHECK(tlen + glen <= 1121);
6747
6748 /* Generate random garbage outside tuple. */
6749 secp256k1_testrand_bytes_test(sig + *len, glen);
6750 *len += glen;
6751 tlen += glen;
6752 CHECK(tlen <= 1121);
6753 CHECK(tlen == *len);
6754}
6755
6756void run_ecdsa_der_parse(void) {
6757 int i,j;
6758 for (i = 0; i < 200 * count; i++) {
6759 unsigned char buffer[2048];
6760 size_t buflen = 0;
6761 int certainly_der = 0;
6762 int certainly_not_der = 0;
6763 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6764 CHECK(buflen <= 2048);
6765 for (j = 0; j < 16; j++) {
6766 int ret = 0;
6767 if (j > 0) {
6768 damage_array(buffer, &buflen);
6769 /* We don't know anything anymore about the DERness of the result */
6770 certainly_der = 0;
6771 certainly_not_der = 0;
6772 }
6773 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6774 if (ret != 0) {
6775 size_t k;
6776 fprintf(stderr, "Failure %x on ", ret);
6777 for (k = 0; k < buflen; k++) {
6778 fprintf(stderr, "%02x ", buffer[k]);
6779 }
6780 fprintf(stderr, "\n");
6781 }
6782 CHECK(ret == 0);
6783 }
6784 }
6785}
6786
6787/* Tests several edge cases. */
6788void test_ecdsa_edge_cases(void) {
6789 int t;
6790 secp256k1_ecdsa_signature sig;
6791
6792 /* Test the case where ECDSA recomputes a point that is infinity. */
6793 {
6794 secp256k1_gej keyj;
6795 secp256k1_ge key;
6796 secp256k1_scalar msg;
6797 secp256k1_scalar sr, ss;
6798 secp256k1_scalar_set_int(&ss, 1);
6799 secp256k1_scalar_negate(&ss, &ss);
6800 secp256k1_scalar_inverse(&ss, &ss);
6801 secp256k1_scalar_set_int(&sr, 1);
6802 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
6803 secp256k1_ge_set_gej(&key, &keyj);
6804 msg = ss;
6805 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6806 }
6807
6808 /* Verify signature with r of zero fails. */
6809 {
6810 const unsigned char pubkey_mods_zero[33] = {
6811 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6812 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6813 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6814 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6815 0x41
6816 };
6817 secp256k1_ge key;
6818 secp256k1_scalar msg;
6819 secp256k1_scalar sr, ss;
6820 secp256k1_scalar_set_int(&ss, 1);
6821 secp256k1_scalar_set_int(&msg, 0);
6822 secp256k1_scalar_set_int(&sr, 0);
6823 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6824 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6825 }
6826
6827 /* Verify signature with s of zero fails. */
6828 {
6829 const unsigned char pubkey[33] = {
6830 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6831 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6832 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6834 0x01
6835 };
6836 secp256k1_ge key;
6837 secp256k1_scalar msg;
6838 secp256k1_scalar sr, ss;
6839 secp256k1_scalar_set_int(&ss, 0);
6840 secp256k1_scalar_set_int(&msg, 0);
6841 secp256k1_scalar_set_int(&sr, 1);
6842 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6843 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6844 }
6845
6846 /* Verify signature with message 0 passes. */
6847 {
6848 const unsigned char pubkey[33] = {
6849 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6851 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6853 0x02
6854 };
6855 const unsigned char pubkey2[33] = {
6856 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6857 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6858 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6859 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6860 0x43
6861 };
6862 secp256k1_ge key;
6863 secp256k1_ge key2;
6864 secp256k1_scalar msg;
6865 secp256k1_scalar sr, ss;
6866 secp256k1_scalar_set_int(&ss, 2);
6867 secp256k1_scalar_set_int(&msg, 0);
6868 secp256k1_scalar_set_int(&sr, 2);
6869 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6870 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6871 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6872 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6873 secp256k1_scalar_negate(&ss, &ss);
6874 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6875 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6876 secp256k1_scalar_set_int(&ss, 1);
6877 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6878 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6879 }
6880
6881 /* Verify signature with message 1 passes. */
6882 {
6883 const unsigned char pubkey[33] = {
6884 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6885 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6886 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
6887 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
6888 0x25
6889 };
6890 const unsigned char pubkey2[33] = {
6891 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
6892 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
6893 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
6894 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
6895 0x62
6896 };
6897 const unsigned char csr[32] = {
6898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6899 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6900 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6901 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
6902 };
6903 secp256k1_ge key;
6904 secp256k1_ge key2;
6905 secp256k1_scalar msg;
6906 secp256k1_scalar sr, ss;
6907 secp256k1_scalar_set_int(&ss, 1);
6908 secp256k1_scalar_set_int(&msg, 1);
6909 secp256k1_scalar_set_b32(&sr, csr, NULL);
6910 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6911 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6912 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6913 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6914 secp256k1_scalar_negate(&ss, &ss);
6915 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6916 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6917 secp256k1_scalar_set_int(&ss, 2);
6918 secp256k1_scalar_inverse_var(&ss, &ss);
6919 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6920 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6921 }
6922
6923 /* Verify signature with message -1 passes. */
6924 {
6925 const unsigned char pubkey[33] = {
6926 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
6927 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
6928 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
6929 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
6930 0xf1
6931 };
6932 const unsigned char csr[32] = {
6933 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6934 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6935 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6936 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
6937 };
6938 secp256k1_ge key;
6939 secp256k1_scalar msg;
6940 secp256k1_scalar sr, ss;
6941 secp256k1_scalar_set_int(&ss, 1);
6942 secp256k1_scalar_set_int(&msg, 1);
6943 secp256k1_scalar_negate(&msg, &msg);
6944 secp256k1_scalar_set_b32(&sr, csr, NULL);
6945 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6946 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6947 secp256k1_scalar_negate(&ss, &ss);
6948 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6949 secp256k1_scalar_set_int(&ss, 3);
6950 secp256k1_scalar_inverse_var(&ss, &ss);
6951 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6952 }
6953
6954 /* Signature where s would be zero. */
6955 {
6956 secp256k1_pubkey pubkey;
6957 size_t siglen;
6958 int32_t ecount;
6959 unsigned char signature[72];
6960 static const unsigned char nonce[32] = {
6961 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6962 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6963 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6964 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6965 };
6966 static const unsigned char nonce2[32] = {
6967 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6968 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6969 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6970 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6971 };
6972 const unsigned char key[32] = {
6973 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6976 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6977 };
6978 unsigned char msg[32] = {
6979 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6980 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6981 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6982 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6983 };
6984 ecount = 0;
6985 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6986 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6987 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6988 msg[31] = 0xaa;
6989 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6990 CHECK(ecount == 0);
6991 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6992 CHECK(ecount == 1);
6993 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6994 CHECK(ecount == 2);
6995 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6996 CHECK(ecount == 3);
6997 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6998 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
6999 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
7000 CHECK(ecount == 4);
7001 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
7002 CHECK(ecount == 5);
7003 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
7004 CHECK(ecount == 6);
7005 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
7006 CHECK(ecount == 6);
7007 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
7008 CHECK(ecount == 7);
7009 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7010 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
7011 CHECK(ecount == 8);
7012 siglen = 72;
7013 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
7014 CHECK(ecount == 9);
7015 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
7016 CHECK(ecount == 10);
7017 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
7018 CHECK(ecount == 11);
7019 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
7020 CHECK(ecount == 11);
7021 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
7022 CHECK(ecount == 12);
7023 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
7024 CHECK(ecount == 13);
7025 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
7026 CHECK(ecount == 13);
7027 siglen = 10;
7028 /* Too little room for a signature does not fail via ARGCHECK. */
7029 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
7030 CHECK(ecount == 13);
7031 ecount = 0;
7032 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
7033 CHECK(ecount == 1);
7034 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
7035 CHECK(ecount == 2);
7036 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
7037 CHECK(ecount == 3);
7038 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
7039 CHECK(ecount == 3);
7040 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
7041 CHECK(ecount == 4);
7042 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
7043 CHECK(ecount == 5);
7044 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
7045 CHECK(ecount == 5);
7046 memset(signature, 255, 64);
7047 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
7048 CHECK(ecount == 5);
7049 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
7050 }
7051
7052 /* Nonce function corner cases. */
7053 for (t = 0; t < 2; t++) {
7054 static const unsigned char zero[32] = {0x00};
7055 int i;
7056 unsigned char key[32];
7057 unsigned char msg[32];
7058 secp256k1_ecdsa_signature sig2;
7059 secp256k1_scalar sr[512], ss;
7060 const unsigned char *extra;
7061 extra = t == 0 ? NULL : zero;
7062 memset(msg, 0, 32);
7063 msg[31] = 1;
7064 /* High key results in signature failure. */
7065 memset(key, 0xFF, 32);
7066 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
7067 CHECK(is_empty_signature(&sig));
7068 /* Zero key results in signature failure. */
7069 memset(key, 0, 32);
7070 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
7071 CHECK(is_empty_signature(&sig));
7072 /* Nonce function failure results in signature failure. */
7073 key[31] = 1;
7074 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7075 CHECK(is_empty_signature(&sig));
7076 /* The retry loop successfully makes its way to the first good value. */
7077 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7078 CHECK(!is_empty_signature(&sig));
7079 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7080 CHECK(!is_empty_signature(&sig2));
7081 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7082 /* The default nonce function is deterministic. */
7083 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
7084 CHECK(!is_empty_signature(&sig2));
7085 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7086 /* The default nonce function changes output with different messages. */
7087 for(i = 0; i < 256; i++) {
7088 int j;
7089 msg[0] = i;
7090 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
7091 CHECK(!is_empty_signature(&sig2));
7092 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
7093 for (j = 0; j < i; j++) {
7094 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7095 }
7096 }
7097 msg[0] = 0;
7098 msg[31] = 2;
7099 /* The default nonce function changes output with different keys. */
7100 for(i = 256; i < 512; i++) {
7101 int j;
7102 key[0] = i - 256;
7103 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
7104 CHECK(!is_empty_signature(&sig2));
7105 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
7106 for (j = 0; j < i; j++) {
7107 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7108 }
7109 }
7110 key[0] = 0;
7111 }
7112
7113 {
7114 /* Check that optional nonce arguments do not have equivalent effect. */
7115 const unsigned char zeros[32] = {0};
7116 unsigned char nonce[32];
7117 unsigned char nonce2[32];
7118 unsigned char nonce3[32];
7119 unsigned char nonce4[32];
7120 VG_UNDEF(nonce,32);
7121 VG_UNDEF(nonce2,32);
7122 VG_UNDEF(nonce3,32);
7123 VG_UNDEF(nonce4,32);
7124 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7125 VG_CHECK(nonce,32);
7126 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7127 VG_CHECK(nonce2,32);
7128 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7129 VG_CHECK(nonce3,32);
7130 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7131 VG_CHECK(nonce4,32);
7132 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7133 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7134 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7135 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7136 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7137 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7138 }
7139
7140
7141 /* Privkey export where pubkey is the point at infinity. */
7142 {
7143 unsigned char privkey[300];
7144 unsigned char seckey[32] = {
7145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7147 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7148 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7149 };
7150 size_t outlen = 300;
7151 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
7152 outlen = 300;
7153 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
7154 }
7155}
7156
7157void run_ecdsa_edge_cases(void) {
7158 test_ecdsa_edge_cases();
7159}
7160
7161#ifdef ENABLE_MODULE_ECDH
7162# include "modules/ecdh/tests_impl.h"
7163#endif
7164
7165#ifdef ENABLE_MODULE_MULTISET
7166# include "modules/multiset/tests_impl.h"
7167#endif
7168
7169#ifdef ENABLE_MODULE_RECOVERY
7170# include "modules/recovery/tests_impl.h"
7171#endif
7172
7173#ifdef ENABLE_MODULE_SCHNORR
7174# include "modules/schnorr/tests_impl.h"
7175#endif
7176
7177#ifdef ENABLE_MODULE_EXTRAKEYS
7178# include "modules/extrakeys/tests_impl.h"
7179#endif
7180
7181#ifdef ENABLE_MODULE_SCHNORRSIG
7182# include "modules/schnorrsig/tests_impl.h"
7183#endif
7184
7185void run_secp256k1_memczero_test(void) {
7186 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7187 unsigned char buf2[sizeof(buf1)];
7188
7189 /* secp256k1_memczero(..., ..., 0) is a noop. */
7190 memcpy(buf2, buf1, sizeof(buf1));
7191 secp256k1_memczero(buf1, sizeof(buf1), 0);
7192 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7193
7194 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7195 memset(buf2, 0, sizeof(buf2));
7196 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7197 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7198}
7199
7200void run_secp256k1_byteorder_tests(void) {
7201 const uint32_t x = 0xFF03AB45;
7202 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7203 unsigned char buf[4];
7204 uint32_t x_;
7205
7206 secp256k1_write_be32(buf, x);
7207 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7208
7209 x_ = secp256k1_read_be32(buf);
7210 CHECK(x == x_);
7211}
7212
7213void int_cmov_test(void) {
7214 int r = INT_MAX;
7215 int a = 0;
7216
7217 secp256k1_int_cmov(&r, &a, 0);
7218 CHECK(r == INT_MAX);
7219
7220 r = 0; a = INT_MAX;
7221 secp256k1_int_cmov(&r, &a, 1);
7222 CHECK(r == INT_MAX);
7223
7224 a = 0;
7225 secp256k1_int_cmov(&r, &a, 1);
7226 CHECK(r == 0);
7227
7228 a = 1;
7229 secp256k1_int_cmov(&r, &a, 1);
7230 CHECK(r == 1);
7231
7232 r = 1; a = 0;
7233 secp256k1_int_cmov(&r, &a, 0);
7234 CHECK(r == 1);
7235
7236}
7237
7238void fe_cmov_test(void) {
7239 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7240 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7241 static const secp256k1_fe max = SECP256K1_FE_CONST(
7242 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7243 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7244 );
7245 secp256k1_fe r = max;
7246 secp256k1_fe a = zero;
7247
7248 secp256k1_fe_cmov(&r, &a, 0);
7249 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7250
7251 r = zero; a = max;
7252 secp256k1_fe_cmov(&r, &a, 1);
7253 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7254
7255 a = zero;
7256 secp256k1_fe_cmov(&r, &a, 1);
7257 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7258
7259 a = one;
7260 secp256k1_fe_cmov(&r, &a, 1);
7261 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7262
7263 r = one; a = zero;
7264 secp256k1_fe_cmov(&r, &a, 0);
7265 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7266}
7267
7268void fe_storage_cmov_test(void) {
7269 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7270 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7271 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7272 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7273 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7274 );
7275 secp256k1_fe_storage r = max;
7276 secp256k1_fe_storage a = zero;
7277
7278 secp256k1_fe_storage_cmov(&r, &a, 0);
7279 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7280
7281 r = zero; a = max;
7282 secp256k1_fe_storage_cmov(&r, &a, 1);
7283 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7284
7285 a = zero;
7286 secp256k1_fe_storage_cmov(&r, &a, 1);
7287 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7288
7289 a = one;
7290 secp256k1_fe_storage_cmov(&r, &a, 1);
7291 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7292
7293 r = one; a = zero;
7294 secp256k1_fe_storage_cmov(&r, &a, 0);
7295 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7296}
7297
7298void scalar_cmov_test(void) {
7299 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7300 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7301 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7302 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7303 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7304 );
7305 secp256k1_scalar r = max;
7306 secp256k1_scalar a = zero;
7307
7308 secp256k1_scalar_cmov(&r, &a, 0);
7309 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7310
7311 r = zero; a = max;
7312 secp256k1_scalar_cmov(&r, &a, 1);
7313 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7314
7315 a = zero;
7316 secp256k1_scalar_cmov(&r, &a, 1);
7317 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7318
7319 a = one;
7320 secp256k1_scalar_cmov(&r, &a, 1);
7321 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7322
7323 r = one; a = zero;
7324 secp256k1_scalar_cmov(&r, &a, 0);
7325 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7326}
7327
7328void ge_storage_cmov_test(void) {
7329 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7330 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7331 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7332 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7333 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7334 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7335 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7336 );
7337 secp256k1_ge_storage r = max;
7338 secp256k1_ge_storage a = zero;
7339
7340 secp256k1_ge_storage_cmov(&r, &a, 0);
7341 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7342
7343 r = zero; a = max;
7344 secp256k1_ge_storage_cmov(&r, &a, 1);
7345 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7346
7347 a = zero;
7348 secp256k1_ge_storage_cmov(&r, &a, 1);
7349 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7350
7351 a = one;
7352 secp256k1_ge_storage_cmov(&r, &a, 1);
7353 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7354
7355 r = one; a = zero;
7356 secp256k1_ge_storage_cmov(&r, &a, 0);
7357 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7358}
7359
7360void run_cmov_tests(void) {
7361 int_cmov_test();
7362 fe_cmov_test();
7363 fe_storage_cmov_test();
7364 scalar_cmov_test();
7365 ge_storage_cmov_test();
7366}
7367
7368int main(int argc, char **argv) {
7369 /* Disable buffering for stdout to improve reliability of getting
7370 * diagnostic information. Happens right at the start of main because
7371 * setbuf must be used before any other operation on the stream. */
7372 setbuf(stdout, NULL);
7373 /* Also disable buffering for stderr because it's not guaranteed that it's
7374 * unbuffered on all systems. */
7375 setbuf(stderr, NULL);
7376
7377 /* find iteration count */
7378 if (argc > 1) {
7379 count = strtol(argv[1], NULL, 0);
7380 } else {
7381 const char* env = getenv("SECP256K1_TEST_ITERS");
7382 if (env && strlen(env) > 0) {
7383 count = strtol(env, NULL, 0);
7384 }
7385 }
7386 if (count <= 0) {
7387 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7388 return EXIT_FAILURE;
7389 }
7390 printf("test count = %i\n", count);
7391
7392 /* find random seed */
7393 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7394
7395 /* initialize */
7396 run_selftest_tests();
7397 run_context_tests(0);
7398 run_context_tests(1);
7399 run_scratch_tests();
7400
7401 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
7402 /* Randomize the context only with probability 15/16
7403 to make sure we test without context randomization from time to time.
7404 TODO Reconsider this when recalibrating the tests. */
7405 if (secp256k1_testrand_bits(4)) {
7406 unsigned char rand32[32];
7407 secp256k1_testrand256(rand32);
7408 CHECK(secp256k1_context_randomize(ctx, rand32));
7409 }
7410
7411 run_rand_bits();
7412 run_rand_int();
7413
7414#ifdef SECP256K1_WIDEMUL_INT128
7415 run_int128_tests();
7416#endif
7417 run_ctz_tests();
7418 run_modinv_tests();
7419 run_inverse_tests();
7420
7421 run_sha256_known_output_tests();
7422 run_sha256_counter_tests();
7423 run_hmac_sha256_tests();
7424 run_rfc6979_hmac_sha256_tests();
7425 run_tagged_sha256_tests();
7426
7427 /* scalar tests */
7428 run_scalar_tests();
7429
7430 /* field tests */
7431 run_field_half();
7432 run_field_misc();
7433 run_field_convert();
7434 run_fe_mul();
7435 run_sqr();
7436 run_sqrt();
7437
7438 /* group tests */
7439 run_ge();
7440 run_gej();
7441 run_group_decompress();
7442
7443 /* ecmult tests */
7444 run_ecmult_pre_g();
7445 run_wnaf();
7446 run_point_times_order();
7447 run_ecmult_near_split_bound();
7448 run_ecmult_chain();
7449 run_ecmult_constants();
7450 run_ecmult_gen_blind();
7451 run_ecmult_const_tests();
7452 run_ecmult_multi_tests();
7453 run_ec_combine();
7454
7455 /* endomorphism tests */
7456 run_endomorphism_tests();
7457
7458 /* EC point parser test */
7459 run_ec_pubkey_parse_test();
7460
7461 /* EC key edge cases */
7462 run_eckey_edge_case_test();
7463
7464 /* EC key arithmetic test */
7465 run_eckey_negate_test();
7466
7467#ifdef ENABLE_MODULE_ECDH
7468 /* ecdh tests */
7469 run_ecdh_tests();
7470#endif
7471
7472 /* ecdsa tests */
7473 run_pubkey_comparison();
7474 run_random_pubkeys();
7475 run_ecdsa_der_parse();
7476 run_ecdsa_sign_verify();
7477 run_ecdsa_end_to_end();
7478 run_ecdsa_edge_cases();
7479
7480#ifdef ENABLE_MODULE_MULTISET
7481 run_multiset_tests();
7482#endif
7483
7484#ifdef ENABLE_MODULE_RECOVERY
7485 /* ECDSA pubkey recovery tests */
7486 run_recovery_tests();
7487#endif
7488
7489#ifdef ENABLE_MODULE_SCHNORR
7490 /* Schnorr signature tests */
7491 run_schnorr_tests();
7492#endif
7493
7494#ifdef ENABLE_MODULE_EXTRAKEYS
7495 run_extrakeys_tests();
7496#endif
7497
7498#ifdef ENABLE_MODULE_SCHNORRSIG
7499 run_schnorrsig_tests();
7500#endif
7501
7502 /* util tests */
7503 run_secp256k1_memczero_test();
7504 run_secp256k1_byteorder_tests();
7505
7506 run_cmov_tests();
7507
7508 secp256k1_testrand_finish();
7509
7510 /* shutdown */
7511 secp256k1_context_destroy(ctx);
7512
7513 printf("no problems found\n");
7514 return 0;
7515}
flags
int flags
Definition: bitcoin-tx.cpp:542
tests_impl.h
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:158
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:67
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:605
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:735
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:401
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:416
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:159
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:356
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:576
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:726
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:798
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:643
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:45
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:816
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
void run_extrakeys_tests(void)
Definition: tests_impl.h:552
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize.
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small (not greater than 0x7FFF), non-negative integer.
secp256k1_fe_get_bounds
static void secp256k1_fe_get_bounds(secp256k1_fe *r, int m)
Sets each limb of 'r' to its upper bound at magnitude 'm'.
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Field element module.
Definition: field.h:31
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Normalize a field element.
secp256k1_fe_half
static void secp256k1_fe_half(secp256k1_fe *r)
Halves the value of a field element modulo the field prime.
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:47
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:62
int128_impl.h
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:44
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:58
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:39
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:65
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:31
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:70
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:79
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:35
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:83
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:74
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:48
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:22
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:18
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:87
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:52
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:14
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:6
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:10
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:27
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
run_multiset_tests
void run_multiset_tests(void)
Definition: tests_impl.h:336
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8237
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:17
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:16
sig
SchnorrSig sig
Definition: processor.cpp:523
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:36
tests_impl.h
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:361
prefix
const char * prefix
Definition: rest.cpp:812
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:60
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:63
tests_impl.h
run_schnorr_tests
void run_schnorr_tests(void)
Definition: tests_impl.h:512
tests_impl.h
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:865
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:308
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:197
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:211
VG_CHECK
#define VG_CHECK(x, y)
Definition: util.h:108
ALIGNMENT
#define ALIGNMENT
Definition: util.h:141
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: util.h:107
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:326
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:290
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:334
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:30
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:279
CHECK
#define CHECK(cond)
Definition: util.h:81
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:267
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:119
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:178
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:77
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:345
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:231
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:250
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:457
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:331
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:176
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:696
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:207
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:207
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:743
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:751
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:606
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:371
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:282
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:195
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:305
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:565
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:137
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:183
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:550
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:264
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:203
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:355
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:88
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:588
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:777
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:213
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:436
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:417
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:158
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:679
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:214
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:392
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:625
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:668
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:212
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:206
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:621
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:652
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:720
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:404
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.c:76
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:716
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:108
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:169
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:114
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:94
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:148
ecmult_multi_data
Definition: tests.c:4341
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4342
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4343
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:21
secp256k1_callback::data
const void * data
Definition: util.h:22
secp256k1_context_struct
Definition: secp256k1.c:63
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:65
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:67
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:66
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:64
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:33
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
secp256k1_fe_storage
Definition: field_10x26.h:43
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:16
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
secp256k1_modinv32_modinfo::modulus_inv30
uint32_t modulus_inv30
Definition: modinv32.h:24
secp256k1_modinv32_modinfo::modulus
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:21
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:28
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_uint128
Definition: int128_struct.h:7
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand32
static SECP256K1_INLINE uint32_t secp256k1_testrand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:4872
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:121
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:3958
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:6497
ctx
static secp256k1_context * ctx
Definition: tests.c:31
scalar_test
void scalar_test(void)
Definition: tests.c:1995
fe_identical
int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2865
test_intialized_inf
void test_intialized_inf(void)
Definition: tests.c:3707
test_ecmult_target
void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4166
fe_cmov_test
void fe_cmov_test(void)
Definition: tests.c:7238
test_inverse_field
void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3186
run_modinv_tests
void run_modinv_tests(void)
Definition: tests.c:1057
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6511
test_ecmult_multi_batch_size_helper
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:4824
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:5531
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6200
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6208
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
test_deprecated_flags
void test_deprecated_flags(void)
Definition: tests.c:160
run_endomorphism_tests
void run_endomorphism_tests(void)
Definition: tests.c:5435
test_pre_g_table
void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:3969
test_gej_cmov
void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3815
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:4238
test_ge
void test_ge(void)
Definition: tests.c:3507
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:5859
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5387
run_fe_mul
void run_fe_mul(void)
Definition: tests.c:3060
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:3887
run_ecmult_pre_g
void run_ecmult_pre_g(void)
Definition: tests.c:4019
test_fe_mul
void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3017
main
int main(int argc, char **argv)
Definition: tests.c:7368
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:4771
run_cmov_tests
void run_cmov_tests(void)
Definition: tests.c:7360
run_field_convert
void run_field_convert(void)
Definition: tests.c:2834
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:6243
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_field_misc
void run_field_misc(void)
Definition: tests.c:2925
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3097
test_ecmult_constants_2bit
void test_ecmult_constants_2bit(void)
Definition: tests.c:5243
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:59
run_secp256k1_byteorder_tests
void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7200
mulmod256
void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:799
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:108
run_sha256_counter_tests
void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:534
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4102
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6610
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:28
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4361
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6150
int_cmov_test
void int_cmov_test(void)
Definition: tests.c:7213
run_ctz_tests
void run_ctz_tests(void)
Definition: tests.c:412
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:4308
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6571
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:75
run_field_half
void run_field_half(void)
Definition: tests.c:2876
test_modinv32_uint16
void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:916
scalar_cmov_test
void scalar_cmov_test(void)
Definition: tests.c:7298
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:592
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3459
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:744
run_rand_int
void run_rand_int(void)
Definition: tests.c:768
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:2795
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3490
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:4966
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6238
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2805
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6192
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:3739
run_gej
void run_gej(void)
Definition: tests.c:3823
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:6184
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3147
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:760
test_ecmult_accumulate
void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5210
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:87
coprime
int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1027
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:5330
random_scalar_order_b32
void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:134
run_pubkey_comparison
void run_pubkey_comparison(void)
Definition: tests.c:6448
run_selftest_tests
void run_selftest_tests(void)
Definition: tests.c:140
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3469
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:6388
run_sqrt
void run_sqrt(void)
Definition: tests.c:3111
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:6157
ge_storage_cmov_test
void ge_storage_cmov_test(void)
Definition: tests.c:7328
random_gej_test
void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:102
run_inverse_tests
void run_inverse_tests(void)
Definition: tests.c:3211
run_ge
void run_ge(void)
Definition: tests.c:3806
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:4286
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:6504
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:4265
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5015
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5456
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:5364
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4346
fe_storage_cmov_test
void fe_storage_cmov_test(void)
Definition: tests.c:7268
run_ecmult_near_split_bound
void run_ecmult_near_split_bound(void)
Definition: tests.c:4205
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5055
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:6788
test_inverse_scalar
void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3164
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:3894
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5092
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:5399
test_ecmult_multi_random
int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4585
run_scalar_set_b32_seckey_tests
void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2160
run_secp256k1_memczero_test
void run_secp256k1_memczero_test(void)
Definition: tests.c:7185
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:33
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2818
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:4217
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:41
test_scalar_split
void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5408
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4143
run_eckey_negate_test
void run_eckey_negate_test(void)
Definition: tests.c:6115
uint16_to_signed30
void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:883
count
static int count
Definition: tests.c:30
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:2785
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:5102
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:4791
run_ecmult_multi_tests
void run_ecmult_multi_tests(void)
Definition: tests.c:4939
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:7157
test_ecmult_multi_batch_single
void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4751
run_sha256_known_output_tests
void run_sha256_known_output_tests(void)
Definition: tests.c:433
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:5000
test_ecmult_constants_sha
void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5287
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:636
ecmult_gen_context_eq
int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:145
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5202
context_eq
int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:151
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4353
run_tagged_sha256_tests
void run_tagged_sha256_tests(void)
Definition: tests.c:677
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2826
run_sqr
void run_sqr(void)
Definition: tests.c:3081
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:4043
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:6756
mutate_sign_signed30
void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:901
modinv2p64
uint64_t modinv2p64(uint64_t x)
Definition: tests.c:782
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:49
run_wnaf
void run_wnaf(void)
Definition: tests.c:5156
run_scratch_tests
void run_scratch_tests(void)
Definition: tests.c:327
run_context_tests
void run_context_tests(int use_prealloc)
Definition: tests.c:176
signed30_to_uint16
void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:892
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:3862
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:4334
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6583
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:709
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:2177
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3152
expect
#define expect(bit)
Definition: univalue_read.cpp:283
Generated on Fri Mar 6 2026 19:59:55 for Bitcoin ABC by doxygen 1.9.4