Bitcoin ABC 0.33.3
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "util.h"
27
28#include "../contrib/lax_der_parsing.c"
29#include "../contrib/lax_der_privatekey_parsing.c"
30
31#include "modinv32_impl.h"
32#ifdef SECP256K1_WIDEMUL_INT128
33#include "modinv64_impl.h"
34#include "int128_impl.h"
35#endif
36
37#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
38
39static int COUNT = 64;
40static secp256k1_context *CTX = NULL;
41static secp256k1_context *STATIC_CTX = NULL;
42
43static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
44 const unsigned char *p = s;
45 size_t i;
46
47 for (i = 0; i < n; i++) {
48 if (p[i] != value) {
49 return 0;
50 }
51 }
52 return 1;
53}
54
55/* TODO Use CHECK_ILLEGAL(_VOID) everywhere and get rid of the uncounting callback */
56/* CHECK that expr_or_stmt calls the illegal callback of ctx exactly once
57 *
58 * For checking functions that use ARG_CHECK_VOID */
59#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) do { \
60 int32_t _calls_to_illegal_callback = 0; \
61 secp256k1_callback _saved_illegal_cb = ctx->illegal_callback; \
62 secp256k1_context_set_illegal_callback(ctx, \
63 counting_illegal_callback_fn, &_calls_to_illegal_callback); \
64 { expr_or_stmt; } \
65 ctx->illegal_callback = _saved_illegal_cb; \
66 CHECK(_calls_to_illegal_callback == 1); \
67} while(0);
68
69/* CHECK that expr calls the illegal callback of ctx exactly once and that expr == 0
70 *
71 * For checking functions that use ARG_CHECK */
72#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
73
74static void counting_illegal_callback_fn(const char* str, void* data) {
75 /* Dummy callback function that just counts. */
76 int32_t *p;
77 (void)str;
78 p = data;
79 CHECK(*p != INT32_MAX);
80 (*p)++;
81}
82
83static void uncounting_illegal_callback_fn(const char* str, void* data) {
84 /* Dummy callback function that just counts (backwards). */
85 int32_t *p;
86 (void)str;
87 p = data;
88 CHECK(*p != INT32_MIN);
89 (*p)--;
90}
91
92static void random_field_element_test(secp256k1_fe *fe) {
93 do {
94 unsigned char b32[32];
95 secp256k1_testrand256_test(b32);
96 if (secp256k1_fe_set_b32_limit(fe, b32)) {
97 break;
98 }
99 } while(1);
100}
101
102static void random_field_element_magnitude(secp256k1_fe *fe) {
103 secp256k1_fe zero;
104 int n = secp256k1_testrand_int(9);
105 secp256k1_fe_normalize(fe);
106 if (n == 0) {
107 return;
108 }
109 secp256k1_fe_clear(&zero);
110 secp256k1_fe_negate(&zero, &zero, 0);
111 secp256k1_fe_mul_int(&zero, n - 1);
112 secp256k1_fe_add(fe, &zero);
113#ifdef VERIFY
114 CHECK(fe->magnitude == n);
115#endif
116}
117
118static void random_group_element_test(secp256k1_ge *ge) {
119 secp256k1_fe fe;
120 do {
121 random_field_element_test(&fe);
122 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
123 secp256k1_fe_normalize(&ge->y);
124 break;
125 }
126 } while(1);
127 ge->infinity = 0;
128}
129
130static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
131 secp256k1_fe z2, z3;
132 do {
133 random_field_element_test(&gej->z);
134 if (!secp256k1_fe_is_zero(&gej->z)) {
135 break;
136 }
137 } while(1);
138 secp256k1_fe_sqr(&z2, &gej->z);
139 secp256k1_fe_mul(&z3, &z2, &gej->z);
140 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
141 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
142 gej->infinity = ge->infinity;
143}
144
145static void random_gej_test(secp256k1_gej *gej) {
146 secp256k1_ge ge;
147 random_group_element_test(&ge);
148 random_group_element_jacobian_test(gej, &ge);
149}
150
151static void random_scalar_order_test(secp256k1_scalar *num) {
152 do {
153 unsigned char b32[32];
154 int overflow = 0;
155 secp256k1_testrand256_test(b32);
156 secp256k1_scalar_set_b32(num, b32, &overflow);
157 if (overflow || secp256k1_scalar_is_zero(num)) {
158 continue;
159 }
160 break;
161 } while(1);
162}
163
164static void random_scalar_order(secp256k1_scalar *num) {
165 do {
166 unsigned char b32[32];
167 int overflow = 0;
168 secp256k1_testrand256(b32);
169 secp256k1_scalar_set_b32(num, b32, &overflow);
170 if (overflow || secp256k1_scalar_is_zero(num)) {
171 continue;
172 }
173 break;
174 } while(1);
175}
176
177static void random_scalar_order_b32(unsigned char *b32) {
178 secp256k1_scalar num;
179 random_scalar_order(&num);
180 secp256k1_scalar_get_b32(b32, &num);
181}
182
183static void run_xoshiro256pp_tests(void) {
184 {
185 size_t i;
186 /* Sanity check that we run before the actual seeding. */
187 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) {
188 CHECK(secp256k1_test_state[i] == 0);
189 }
190 }
191 {
192 int i;
193 unsigned char buf32[32];
194 unsigned char seed16[16] = {
195 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
196 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
197 };
198 unsigned char buf32_expected[32] = {
199 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
200 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
201 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
202 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
203 };
204 secp256k1_testrand_seed(seed16);
205 for (i = 0; i < 17; i++) {
206 secp256k1_testrand256(buf32);
207 }
208 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
209 }
210}
211
212static void run_selftest_tests(void) {
213 /* Test public API */
214 secp256k1_selftest();
215}
216
217static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
218 return a->built == b->built
219 && secp256k1_scalar_eq(&a->blind, &b->blind)
220 && secp256k1_gej_eq_var(&a->initial, &b->initial);
221}
222
223static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
224 return a->declassify == b->declassify
225 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
226 && a->illegal_callback.fn == b->illegal_callback.fn
227 && a->illegal_callback.data == b->illegal_callback.data
228 && a->error_callback.fn == b->error_callback.fn
229 && a->error_callback.data == b->error_callback.data;
230}
231
232static void run_deprecated_context_flags_test(void) {
233 /* Check that a context created with any of the flags in the flags array is
234 * identical to the NONE context. */
235 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
236 SECP256K1_CONTEXT_VERIFY,
237 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
238 secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
239 int i;
240 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) {
241 secp256k1_context *tmp_ctx;
242 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
243 tmp_ctx = secp256k1_context_create(flags[i]);
244 CHECK(context_eq(none_ctx, tmp_ctx));
245 secp256k1_context_destroy(tmp_ctx);
246 }
247 secp256k1_context_destroy(none_ctx);
248}
249
250static void run_ec_illegal_argument_tests(void) {
251 int ecount = 0;
252 int ecount2 = 10;
253 secp256k1_pubkey pubkey;
254 secp256k1_pubkey zero_pubkey;
255 secp256k1_ecdsa_signature sig;
256 unsigned char ctmp[32];
257
258 /* Setup */
259 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
260 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount2);
261 memset(ctmp, 1, 32);
262 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
263
264 /* Verify context-type checking illegal-argument errors. */
265 CHECK(secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp) == 0);
266 CHECK(ecount == 1);
267 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
268 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
269 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
270 CHECK(secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL) == 0);
271 CHECK(ecount == 2);
272 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
273 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
274 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
275 CHECK(ecount2 == 10);
276 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
277 CHECK(ecount2 == 10);
278 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
279 CHECK(ecount == 2);
280 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
281 CHECK(ecount2 == 10);
282 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
283 CHECK(ecount == 2);
284 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
285 CHECK(ecount2 == 10);
286 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1);
287 CHECK(ecount == 2);
288 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
289 CHECK(ecount == 2);
290 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey) == 0);
291 CHECK(ecount == 3);
292 CHECK(secp256k1_ec_pubkey_negate(CTX, NULL) == 0);
293 CHECK(ecount2 == 11);
294 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
295 CHECK(ecount == 3);
296
297 /* Clean up */
298 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
299 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
300}
301
302static void run_static_context_tests(int use_prealloc) {
303 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
304 CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
305
306 {
307 unsigned char seed[32] = {0x17};
308
309 /* Randomizing secp256k1_context_static is not supported. */
310 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed));
311 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL));
312
313 /* Destroying or cloning secp256k1_context_static is not supported. */
314 if (use_prealloc) {
315 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX));
316 {
317 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
318 CHECK(my_static_ctx != NULL);
319 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
320 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx));
321 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
322 free(my_static_ctx);
323 }
324 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX));
325 } else {
326 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX));
327 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX));
328 }
329 }
330
331 {
332 /* Verify that setting and resetting illegal callback works */
333 int32_t dummy = 0;
334 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &dummy);
335 CHECK(STATIC_CTX->illegal_callback.fn == counting_illegal_callback_fn);
336 CHECK(STATIC_CTX->illegal_callback.data == &dummy);
337 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
338 CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
339 CHECK(STATIC_CTX->illegal_callback.data == NULL);
340 }
341}
342
343static void run_proper_context_tests(int use_prealloc) {
344 int32_t dummy = 0;
345 secp256k1_context *my_ctx, *my_ctx_fresh;
346 void *my_ctx_prealloc = NULL;
347 unsigned char seed[32] = {0x17};
348
349 secp256k1_gej pubj;
350 secp256k1_ge pub;
351 secp256k1_scalar msg, key, nonce;
352 secp256k1_scalar sigr, sigs;
353
354 /* Fresh reference context for comparison */
355 my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
356
357 if (use_prealloc) {
358 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
359 CHECK(my_ctx_prealloc != NULL);
360 my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE);
361 } else {
362 my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
363 }
364
365 /* Randomize and reset randomization */
366 CHECK(context_eq(my_ctx, my_ctx_fresh));
367 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
368 CHECK(!context_eq(my_ctx, my_ctx_fresh));
369 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
370 CHECK(context_eq(my_ctx, my_ctx_fresh));
371
372 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
373 secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL);
374 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
375 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
376
377 /* check if sizes for cloning are consistent */
378 CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
379
380 /*** clone and destroy all of them to make sure cloning was complete ***/
381 {
382 secp256k1_context *ctx_tmp;
383
384 if (use_prealloc) {
385 /* clone into a non-preallocated context and then again into a new preallocated one. */
386 ctx_tmp = my_ctx;
387 my_ctx = secp256k1_context_clone(my_ctx);
388 CHECK(context_eq(ctx_tmp, my_ctx));
389 secp256k1_context_preallocated_destroy(ctx_tmp);
390
391 free(my_ctx_prealloc);
392 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
393 CHECK(my_ctx_prealloc != NULL);
394 ctx_tmp = my_ctx;
395 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
396 CHECK(context_eq(ctx_tmp, my_ctx));
397 secp256k1_context_destroy(ctx_tmp);
398 } else {
399 /* clone into a preallocated context and then again into a new non-preallocated one. */
400 void *prealloc_tmp;
401
402 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
403 CHECK(prealloc_tmp != NULL);
404 ctx_tmp = my_ctx;
405 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
406 CHECK(context_eq(ctx_tmp, my_ctx));
407 secp256k1_context_destroy(ctx_tmp);
408
409 ctx_tmp = my_ctx;
410 my_ctx = secp256k1_context_clone(my_ctx);
411 CHECK(context_eq(ctx_tmp, my_ctx));
412 secp256k1_context_preallocated_destroy(ctx_tmp);
413 free(prealloc_tmp);
414 }
415 }
416
417 /* Verify that the error callback makes it across the clone. */
418 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
419 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
420 /* And that it resets back to default. */
421 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
422 CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn);
423 CHECK(context_eq(my_ctx, my_ctx_fresh));
424
425 /* Verify that setting and resetting illegal callback works */
426 secp256k1_context_set_illegal_callback(my_ctx, counting_illegal_callback_fn, &dummy);
427 CHECK(my_ctx->illegal_callback.fn == counting_illegal_callback_fn);
428 CHECK(my_ctx->illegal_callback.data == &dummy);
429 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
430 CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
431 CHECK(my_ctx->illegal_callback.data == NULL);
432 CHECK(context_eq(my_ctx, my_ctx_fresh));
433
434 /*** attempt to use them ***/
435 random_scalar_order_test(&msg);
436 random_scalar_order_test(&key);
437 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
438 secp256k1_ge_set_gej(&pub, &pubj);
439
440 /* obtain a working nonce */
441 do {
442 random_scalar_order_test(&nonce);
443 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
444
445 /* try signing */
446 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
447
448 /* try verifying */
449 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
450
451 /* cleanup */
452 if (use_prealloc) {
453 secp256k1_context_preallocated_destroy(my_ctx);
454 free(my_ctx_prealloc);
455 } else {
456 secp256k1_context_destroy(my_ctx);
457 }
458 secp256k1_context_destroy(my_ctx_fresh);
459
460 /* Defined as no-op. */
461 secp256k1_context_destroy(NULL);
462 secp256k1_context_preallocated_destroy(NULL);
463}
464
465static void run_scratch_tests(void) {
466 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
467
468 int32_t ecount = 0;
469 size_t checkpoint;
470 size_t checkpoint_2;
471 secp256k1_scratch_space *scratch;
472 secp256k1_scratch_space local_scratch;
473
474 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
475 secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
476
477 /* Test public API */
478 scratch = secp256k1_scratch_space_create(CTX, 1000);
479 CHECK(scratch != NULL);
480 CHECK(ecount == 0);
481
482 /* Test internal API */
483 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
484 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
485 CHECK(scratch->alloc_size == 0);
486 CHECK(scratch->alloc_size % ALIGNMENT == 0);
487
488 /* Allocating 500 bytes succeeds */
489 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
490 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
491 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
492 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
493 CHECK(scratch->alloc_size != 0);
494 CHECK(scratch->alloc_size % ALIGNMENT == 0);
495
496 /* Allocating another 501 bytes fails */
497 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
498 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
499 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
500 CHECK(scratch->alloc_size != 0);
501 CHECK(scratch->alloc_size % ALIGNMENT == 0);
502
503 /* ...but it succeeds once we apply the checkpoint to undo it */
504 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
505 CHECK(scratch->alloc_size == 0);
506 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
507 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
508 CHECK(scratch->alloc_size != 0);
509
510 /* try to apply a bad checkpoint */
511 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
512 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
513 CHECK(ecount == 0);
514 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
515 CHECK(ecount == 1);
516 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
517 CHECK(ecount == 2);
518
519 /* try to use badly initialized scratch space */
520 secp256k1_scratch_space_destroy(CTX, scratch);
521 memset(&local_scratch, 0, sizeof(local_scratch));
522 scratch = &local_scratch;
523 CHECK(!secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0));
524 CHECK(ecount == 3);
525 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) == NULL);
526 CHECK(ecount == 4);
527 secp256k1_scratch_space_destroy(CTX, scratch);
528 CHECK(ecount == 5);
529
530 /* Test that large integers do not wrap around in a bad way */
531 scratch = secp256k1_scratch_space_create(CTX, 1000);
532 /* Try max allocation with a large number of objects. Only makes sense if
533 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
534 * space. */
535 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
536 /* Try allocating SIZE_MAX to test wrap around which only happens if
537 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
538 * space is too small. */
539 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
540 secp256k1_scratch_space_destroy(CTX, scratch);
541
542 /* cleanup */
543 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
544
545 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
546 secp256k1_context_set_error_callback(CTX, NULL, NULL);
547}
548
549static void run_ctz_tests(void) {
550 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
551 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
552 int shift;
553 unsigned i;
554 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
555 for (shift = 0; shift < 32; ++shift) {
556 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
557 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
558 }
559 }
560 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
561 for (shift = 0; shift < 64; ++shift) {
562 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
563 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
564 }
565 }
566}
567
568/***** HASH TESTS *****/
569
570static void run_sha256_known_output_tests(void) {
571 static const char *inputs[] = {
572 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
573 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
574 "For this sample, this 63-byte string will be used as input data",
575 "This is exactly 64 bytes long, not counting the terminating byte",
576 "aaaaa",
577 };
578 static const unsigned int repeat[] = {
579 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
580 };
581 static const unsigned char outputs[][32] = {
582 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
583 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
584 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
585 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
586 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
587 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
588 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
589 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
590 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
591 };
592 unsigned int i, ninputs;
593
594 /* Skip last input vector for low iteration counts */
595 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
596 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
597
598 for (i = 0; i < ninputs; i++) {
599 unsigned char out[32];
600 secp256k1_sha256 hasher;
601 unsigned int j;
602 /* 1. Run: simply write the input bytestrings */
603 j = repeat[i];
604 secp256k1_sha256_initialize(&hasher);
605 while (j > 0) {
606 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
607 j--;
608 }
609 secp256k1_sha256_finalize(&hasher, out);
610 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
611 /* 2. Run: split the input bytestrings randomly before writing */
612 if (strlen(inputs[i]) > 0) {
613 int split = secp256k1_testrand_int(strlen(inputs[i]));
614 secp256k1_sha256_initialize(&hasher);
615 j = repeat[i];
616 while (j > 0) {
617 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
618 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
619 j--;
620 }
621 secp256k1_sha256_finalize(&hasher, out);
622 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
623 }
624 }
625}
626
671static void run_sha256_counter_tests(void) {
672 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
673 static const secp256k1_sha256 midstates[] = {
674 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
675 {0x00}, 0xfffc0},
676 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
677 {0x00}, 0x1fffc0},
678 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
679 {0x00}, 0x3fffc0},
680 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
681 {0x00}, 0x7fffc0},
682 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
683 {0x00}, 0xffffc0},
684 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
685 {0x00}, 0x1ffffc0},
686 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
687 {0x00}, 0x3ffffc0},
688 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
689 {0x00}, 0x7ffffc0},
690 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
691 {0x00}, 0xfffffc0},
692 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
693 {0x00}, 0x1fffffc0},
694 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
695 {0x00}, 0x3fffffc0},
696 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
697 {0x00}, 0x7fffffc0},
698 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
699 {0x00}, 0xffffffc0},
700 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
701 {0x00}, 0x1ffffffc0},
702 };
703 static const unsigned char outputs[][32] = {
704 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
705 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
706 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
707 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
708 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
709 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
710 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
711 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
712 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
713 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
714 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
715 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
716 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
717 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
718 };
719 unsigned int i;
720 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
721 unsigned char out[32];
722 secp256k1_sha256 hasher = midstates[i];
723 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
724 secp256k1_sha256_finalize(&hasher, out);
725 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
726 }
727}
728
729static void run_hmac_sha256_tests(void) {
730 static const char *keys[6] = {
731 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
732 "\x4a\x65\x66\x65",
733 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
734 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
735 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
736 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
737 };
738 static const char *inputs[6] = {
739 "\x48\x69\x20\x54\x68\x65\x72\x65",
740 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
741 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
742 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
743 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
744 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
745 };
746 static const unsigned char outputs[6][32] = {
747 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
748 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
749 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
750 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
751 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
752 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
753 };
754 int i;
755 for (i = 0; i < 6; i++) {
756 secp256k1_hmac_sha256 hasher;
757 unsigned char out[32];
758 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
759 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
760 secp256k1_hmac_sha256_finalize(&hasher, out);
761 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
762 if (strlen(inputs[i]) > 0) {
763 int split = secp256k1_testrand_int(strlen(inputs[i]));
764 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
765 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
766 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
767 secp256k1_hmac_sha256_finalize(&hasher, out);
768 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
769 }
770 }
771}
772
773static void run_rfc6979_hmac_sha256_tests(void) {
774 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
775 static const unsigned char out1[3][32] = {
776 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
777 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
778 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
779 };
780
781 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
782 static const unsigned char out2[3][32] = {
783 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
784 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
785 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
786 };
787
788 secp256k1_rfc6979_hmac_sha256 rng;
789 unsigned char out[32];
790 int i;
791
792 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
793 for (i = 0; i < 3; i++) {
794 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
795 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
796 }
797 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
798
799 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
800 for (i = 0; i < 3; i++) {
801 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
802 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
803 }
804 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
805
806 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
807 for (i = 0; i < 3; i++) {
808 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
809 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
810 }
811 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
812}
813
814static void run_tagged_sha256_tests(void) {
815 int ecount = 0;
816 unsigned char tag[32] = { 0 };
817 unsigned char msg[32] = { 0 };
818 unsigned char hash32[32];
819 unsigned char hash_expected[32] = {
820 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
821 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
822 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
823 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
824 };
825
826 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
827
828 /* API test */
829 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
830 CHECK(secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
831 CHECK(ecount == 1);
832 CHECK(secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)) == 0);
833 CHECK(ecount == 2);
834 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0) == 0);
835 CHECK(ecount == 3);
836
837 /* Static test vector */
838 memcpy(tag, "tag", 3);
839 memcpy(msg, "msg", 3);
840 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
841 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
842}
843
844/***** MODINV TESTS *****/
845
846/* Compute the modular inverse of (odd) x mod 2^64. */
847static uint64_t modinv2p64(uint64_t x) {
848 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
849 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
850 * why. Start with L=0, for which it is true for every odd x that
851 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
852 int l;
853 uint64_t w = 1;
854 CHECK(x & 1);
855 for (l = 0; l < 6; ++l) w *= (2 - w*x);
856 return w;
857}
858
859
860/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
861 *
862 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
863 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
864static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
865 uint16_t mul[32];
866 uint64_t c = 0;
867 int i, j;
868 int m_bitlen = 0;
869 int mul_bitlen = 0;
870
871 if (b != NULL) {
872 /* Compute the product of a and b, and put it in mul. */
873 for (i = 0; i < 32; ++i) {
874 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
875 c += (uint64_t)a[j] * b[i - j];
876 }
877 mul[i] = c & 0xFFFF;
878 c >>= 16;
879 }
880 CHECK(c == 0);
881
882 /* compute the highest set bit in mul */
883 for (i = 511; i >= 0; --i) {
884 if ((mul[i >> 4] >> (i & 15)) & 1) {
885 mul_bitlen = i;
886 break;
887 }
888 }
889 } else {
890 /* if b==NULL, set mul=a. */
891 memcpy(mul, a, 32);
892 memset(mul + 16, 0, 32);
893 /* compute the highest set bit in mul */
894 for (i = 255; i >= 0; --i) {
895 if ((mul[i >> 4] >> (i & 15)) & 1) {
896 mul_bitlen = i;
897 break;
898 }
899 }
900 }
901
902 if (m) {
903 /* Compute the highest set bit in m. */
904 for (i = 255; i >= 0; --i) {
905 if ((m[i >> 4] >> (i & 15)) & 1) {
906 m_bitlen = i;
907 break;
908 }
909 }
910
911 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
912 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
913 uint16_t mul2[32];
914 int64_t cs;
915
916 /* Compute mul2 = mul - m<<i. */
917 cs = 0; /* accumulator */
918 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
919 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
920 uint16_t sub = 0;
921 int p;
922 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
923 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
924 if (bitpos >= 0 && bitpos < 256) {
925 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
926 }
927 }
928 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
929 cs += mul[j];
930 cs -= sub;
931 mul2[j] = (cs & 0xFFFF);
932 cs >>= 16;
933 }
934 /* If remainder of subtraction is 0, set mul = mul2. */
935 if (cs == 0) {
936 memcpy(mul, mul2, sizeof(mul));
937 }
938 }
939 /* Sanity check: test that all limbs higher than m's highest are zero */
940 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
941 CHECK(mul[i] == 0);
942 }
943 }
944 memcpy(out, mul, 32);
945}
946
947/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
948static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
949 int i;
950 memset(out->v, 0, sizeof(out->v));
951 for (i = 0; i < 256; ++i) {
952 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
953 }
954}
955
956/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
957static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
958 int i;
959 memset(out, 0, 32);
960 for (i = 0; i < 256; ++i) {
961 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
962 }
963}
964
965/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
966static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
967 int i;
968 for (i = 0; i < 16; ++i) {
969 int pos = secp256k1_testrand_bits(3);
970 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
971 x->v[pos] -= 0x40000000;
972 x->v[pos + 1] += 1;
973 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
974 x->v[pos] += 0x40000000;
975 x->v[pos + 1] -= 1;
976 }
977 }
978}
979
980/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
981static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
982 uint16_t tmp[16];
983 secp256k1_modinv32_signed30 x;
984 secp256k1_modinv32_modinfo m;
985 int i, vartime, nonzero;
986
987 uint16_to_signed30(&x, in);
988 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
989 uint16_to_signed30(&m.modulus, mod);
990
991 /* compute 1/modulus mod 2^30 */
992 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
993 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
994
995 /* Test secp256k1_jacobi32_maybe_var. */
996 if (nonzero) {
997 int jac;
998 uint16_t sqr[16], negone[16];
999 mulmod256(sqr, in, in, mod);
1000 uint16_to_signed30(&x, sqr);
1001 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1002 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1003 CHECK(jac == 0 || jac == 1);
1004 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1005 * jacobi symbols if and only if (mod % 4) == 3. */
1006 negone[0] = mod[0] - 1;
1007 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1008 mulmod256(sqr, sqr, negone, mod);
1009 uint16_to_signed30(&x, sqr);
1010 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1011 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1012 }
1013
1014 uint16_to_signed30(&x, in);
1015 mutate_sign_signed30(&m.modulus);
1016 for (vartime = 0; vartime < 2; ++vartime) {
1017 /* compute inverse */
1018 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1019
1020 /* produce output */
1021 signed30_to_uint16(out, &x);
1022
1023 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1024 mulmod256(tmp, out, in, mod);
1025 CHECK(tmp[0] == nonzero);
1026 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1027
1028 /* invert again */
1029 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1030
1031 /* check if the result is equal to the input */
1032 signed30_to_uint16(tmp, &x);
1033 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1034 }
1035}
1036
1037#ifdef SECP256K1_WIDEMUL_INT128
1038/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1039static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1040 int i;
1041 memset(out->v, 0, sizeof(out->v));
1042 for (i = 0; i < 256; ++i) {
1043 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1044 }
1045}
1046
1047/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1048static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1049 int i;
1050 memset(out, 0, 32);
1051 for (i = 0; i < 256; ++i) {
1052 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1053 }
1054}
1055
1056/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1057static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1058 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1059 int i;
1060 for (i = 0; i < 8; ++i) {
1061 int pos = secp256k1_testrand_bits(2);
1062 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1063 x->v[pos] -= (M62 + 1);
1064 x->v[pos + 1] += 1;
1065 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1066 x->v[pos] += (M62 + 1);
1067 x->v[pos + 1] -= 1;
1068 }
1069 }
1070}
1071
1072/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1073static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1074 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1075 uint16_t tmp[16];
1076 secp256k1_modinv64_signed62 x;
1077 secp256k1_modinv64_modinfo m;
1078 int i, vartime, nonzero;
1079
1080 uint16_to_signed62(&x, in);
1081 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1082 uint16_to_signed62(&m.modulus, mod);
1083
1084 /* compute 1/modulus mod 2^62 */
1085 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1086 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1087
1088 /* Test secp256k1_jacobi64_maybe_var. */
1089 if (nonzero) {
1090 int jac;
1091 uint16_t sqr[16], negone[16];
1092 mulmod256(sqr, in, in, mod);
1093 uint16_to_signed62(&x, sqr);
1094 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1095 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1096 CHECK(jac == 0 || jac == 1);
1097 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1098 * jacobi symbols if and only if (mod % 4) == 3. */
1099 negone[0] = mod[0] - 1;
1100 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1101 mulmod256(sqr, sqr, negone, mod);
1102 uint16_to_signed62(&x, sqr);
1103 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1104 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1105 }
1106
1107 uint16_to_signed62(&x, in);
1108 mutate_sign_signed62(&m.modulus);
1109 for (vartime = 0; vartime < 2; ++vartime) {
1110 /* compute inverse */
1111 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1112
1113 /* produce output */
1114 signed62_to_uint16(out, &x);
1115
1116 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1117 mulmod256(tmp, out, in, mod);
1118 CHECK(tmp[0] == nonzero);
1119 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1120
1121 /* invert again */
1122 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1123
1124 /* check if the result is equal to the input */
1125 signed62_to_uint16(tmp, &x);
1126 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1127 }
1128}
1129#endif
1130
1131/* test if a and b are coprime */
1132static int coprime(const uint16_t* a, const uint16_t* b) {
1133 uint16_t x[16], y[16], t[16];
1134 int i;
1135 int iszero;
1136 memcpy(x, a, 32);
1137 memcpy(y, b, 32);
1138
1139 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1140 while (1) {
1141 iszero = 1;
1142 for (i = 0; i < 16; ++i) {
1143 if (x[i] != 0) {
1144 iszero = 0;
1145 break;
1146 }
1147 }
1148 if (iszero) break;
1149 mulmod256(t, y, NULL, x);
1150 memcpy(y, x, 32);
1151 memcpy(x, t, 32);
1152 }
1153
1154 /* return whether y=1 */
1155 if (y[0] != 1) return 0;
1156 for (i = 1; i < 16; ++i) {
1157 if (y[i] != 0) return 0;
1158 }
1159 return 1;
1160}
1161
1162static void run_modinv_tests(void) {
1163 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1164 static const uint16_t CASES[][3][16] = {
1165 /* Test cases triggering edge cases in divsteps */
1166
1167 /* Test case known to need 713 divsteps */
1168 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1169 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1170 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1171 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1172 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1173 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1174 /* Test case known to need 589 divsteps, reaching delta=-140 and
1175 delta=141. */
1176 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1177 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1178 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1179 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1180 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1181 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1182 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1183 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1184 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1185 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1186 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1187 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1188 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1189 /* example needing 713 divsteps; delta=-2..3 */
1190 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1191 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1192 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1193 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1194 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1195 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1196 /* example needing 713 divsteps; delta=-2..3 */
1197 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1198 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1199 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1200 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1201 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1202 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1203 /* example needing 713 divsteps; delta=-2..3 */
1204 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1205 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1206 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1207 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1208 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1209 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1210 /* example reaching delta=-64..65; 661 divsteps */
1211 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1212 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1213 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1214 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1215 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1216 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1217 /* example reaching delta=-64..65; 661 divsteps */
1218 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1219 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1220 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1221 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1222 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1223 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1224 /* example reaching delta=-64..65; 661 divsteps */
1225 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1226 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1227 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1228 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1229 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1230 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1231 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1232 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1233 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1234 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1235 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1236 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1237 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1238 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1239 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1240 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1241 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1242 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1243 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1244 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1245 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1246 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1247 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1248 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1249 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1250 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1251 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1252 /* example doing 446 (f,g/2) steps; 523 divsteps */
1253 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1254 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1255 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1256 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1257 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1258 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1259 /* example doing 446 (f,g/2) steps; 523 divsteps */
1260 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1261 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1262 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1263 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1264 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1265 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1266 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1267 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1268 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1269 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1270 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1271 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1272 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1273 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1274 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1275 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1276 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1277 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1278 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1279 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1280 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1281 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1282 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1283 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1284 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1285 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1286 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1287 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1288 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1289 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1290 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1291 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1292 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1293 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1294
1295 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1296
1297 /* example needing 590 divsteps; delta=-5/2..7/2 */
1298 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1299 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1300 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1301 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1302 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1303 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1304 /* example needing 590 divsteps; delta=-3/2..5/2 */
1305 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1306 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1307 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1308 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1309 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1310 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1311 /* example needing 590 divsteps; delta=-3/2..5/2 */
1312 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1313 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1314 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1315 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1316 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1317 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1318 /* example needing 590 divsteps; delta=-5/2..7/2 */
1319 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1320 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1321 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1322 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1323 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1324 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1325 /* example needing 590 divsteps; delta=-3/2..5/2 */
1326 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1327 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1328 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1329 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1330 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1331 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1332 /* example reaching delta=-127/2..129/2; 571 divsteps */
1333 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1334 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1335 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1336 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1337 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1338 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1339 /* example reaching delta=-127/2..129/2; 571 divsteps */
1340 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1341 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1342 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1343 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1344 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1345 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1346 /* example reaching delta=-127/2..129/2; 571 divsteps */
1347 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1348 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1349 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1350 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1351 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1352 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1353 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1354 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1355 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1356 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1357 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1358 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1359 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1360 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1361 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1362 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1363 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1364 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1365 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1366 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1367 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1368 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1369 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1370 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1371 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1372 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1373 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1374 /* example doing 453 (f,g/2) steps; 514 divsteps */
1375 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1376 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1377 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1378 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1379 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1380 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1381 /* example doing 453 (f,g/2) steps; 514 divsteps */
1382 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1383 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1384 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1385 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1386 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1387 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1388 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1389 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1390 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1391 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1392 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1393 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1394 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1395 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1396 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1397 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1398 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1399 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1400 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1401 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1402 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1403 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1404 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1405 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1406 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1407 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1408 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1409 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1410 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1411 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1412 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1413 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1414 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1415 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1416
1417 /* Test cases with the group order as modulus. */
1418
1419 /* Test case with the group order as modulus, needing 635 divsteps. */
1420 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1421 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1422 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1423 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1424 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1425 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1426 /* example with group size as modulus needing 631 divsteps */
1427 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1428 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1429 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1430 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1431 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1432 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1433 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1434 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1435 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1436 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1437 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1438 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1439 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1440 /* Test case with the group size as modulus, needing 981 divsteps with
1441 broken eta handling. */
1442 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1443 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1444 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1445 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1446 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1447 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1448 /* Test case with the group size as modulus, input = 0. */
1449 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1450 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1451 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1452 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1453 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1454 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1455 /* Test case with the group size as modulus, input = 1. */
1456 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1457 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1458 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1459 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1460 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1461 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1462 /* Test case with the group size as modulus, input = 2. */
1463 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1464 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1465 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1466 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1467 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1468 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1469 /* Test case with the group size as modulus, input = group - 1. */
1470 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1471 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1472 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1473 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1475 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1476
1477 /* Test cases with the field size as modulus. */
1478
1479 /* Test case with the field size as modulus, needing 637 divsteps. */
1480 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1481 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1482 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1483 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1484 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1485 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1486 /* example with field size as modulus needing 637 divsteps */
1487 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1488 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1489 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1490 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1491 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1492 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1493 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1494 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1495 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1496 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1497 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1498 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1499 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1500 /* Test case with the field size as modulus, needing 935 divsteps with
1501 broken eta handling. */
1502 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1503 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1504 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1505 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1506 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1507 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1508 /* Test case with the field size as modulus, input = 0. */
1509 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1510 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1511 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1512 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1513 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1514 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1515 /* Test case with the field size as modulus, input = 1. */
1516 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1517 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1518 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1519 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1520 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1521 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1522 /* Test case with the field size as modulus, input = 2. */
1523 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1524 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1525 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1526 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1527 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1528 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1529 /* Test case with the field size as modulus, input = field - 1. */
1530 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1531 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1532 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1533 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1534 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1535 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1536
1537 /* Selected from a large number of random inputs to reach small/large
1538 * d/e values in various configurations. */
1539 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1540 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1541 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1542 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1543 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1544 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1545 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1546 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1547 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1548 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1549 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1550 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1551 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1552 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1553 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1554 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1555 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1556 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1557 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1558 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1559 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1560 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1561 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1562 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1563 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1564 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1565 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1566 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1567 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1568 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1569 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1570 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1571 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1572 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1573 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1574 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1575 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1576 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1577 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1578 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1579 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1580 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1581 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1582 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1583 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1584 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1585 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1586 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1587 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1588 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1589 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1590 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1591 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1592 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1593 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1594 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1595 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1596 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1597 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1598 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1599 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1600 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1601 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1602 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1603 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1604 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1605 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1606 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1607 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1608 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1609 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1610 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1611 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1612 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1613 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1614 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1615 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1616 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1617 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1618 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1619 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1620 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1621 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1622 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1623 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1624 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1625 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1626 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1627 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1628 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1629 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1630 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1631 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1632 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1633 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1634 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1635 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1636 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1637 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1638 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1639 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1640 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1641 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1642 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1643 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1644 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1645 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1646 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1647 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1648 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1649 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1650 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1651 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1652 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1653 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1654 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1655 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1656 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1657 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1658 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1659 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1660 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1661 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1662 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1663 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1664 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1665 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1666 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1667 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1668 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1669 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1670 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1671 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1672 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1673 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1674 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1675 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1676 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1677 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1678 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1679 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1680 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1681 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1682 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1683 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1684 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1685 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1686 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1687 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1688 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1689 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1690 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1691 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1692 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1693 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1694 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1695 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1696 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1697 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1698 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1699 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1700 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1701 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1702 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1703 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1704 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1705 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1706 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1707 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1708 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1709 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1710 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1711 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1712 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1713 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1714 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1715 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1716 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1717 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1718 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1719 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1720 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1721 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1722 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1723 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1724 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1725 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1726 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1727 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1728 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1729 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1730 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1731 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1732 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1733 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1734 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1735 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1736 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1737 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1738 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1739 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1740 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1741 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1742 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1743 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1744 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1745 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1746 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1747 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1748 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1749 };
1750
1751 int i, j, ok;
1752
1753 /* Test known inputs/outputs */
1754 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1755 uint16_t out[16];
1756 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1757 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1758#ifdef SECP256K1_WIDEMUL_INT128
1759 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1760 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1761#endif
1762 }
1763
1764 for (i = 0; i < 100 * COUNT; ++i) {
1765 /* 256-bit numbers in 16-uint16_t's notation */
1766 static const uint16_t ZERO[16] = {0};
1767 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1768 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1769 uint16_t id[16]; /* the inverse of xd mod md */
1770
1771 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1772 do {
1773 /* generate random xd and md (with many subsequent 0s and 1s) */
1774 secp256k1_testrand256_test((unsigned char*)xd);
1775 secp256k1_testrand256_test((unsigned char*)md);
1776 md[0] |= 1; /* modulus must be odd */
1777 /* If modulus is 1, find another one. */
1778 ok = md[0] != 1;
1779 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1780 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1781 } while (!(ok && coprime(xd, md)));
1782
1783 test_modinv32_uint16(id, xd, md);
1784#ifdef SECP256K1_WIDEMUL_INT128
1785 test_modinv64_uint16(id, xd, md);
1786#endif
1787
1788 /* In a few cases, also test with input=0 */
1789 if (i < COUNT) {
1790 test_modinv32_uint16(id, ZERO, md);
1791#ifdef SECP256K1_WIDEMUL_INT128
1792 test_modinv64_uint16(id, ZERO, md);
1793#endif
1794 }
1795 }
1796}
1797
1798/***** INT128 TESTS *****/
1799
1800#ifdef SECP256K1_WIDEMUL_INT128
1801/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1802static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1803 int i;
1804 uint32_t carry = 0;
1805 for (i = 0; i < 16; ++i) {
1806 carry += a[i];
1807 carry += b[i];
1808 out[i] = carry;
1809 carry >>= 16;
1810 }
1811}
1812
1813/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1814static void neg256(uint16_t* out, const uint16_t* a) {
1815 int i;
1816 uint32_t carry = 1;
1817 for (i = 0; i < 16; ++i) {
1818 carry += (uint16_t)~a[i];
1819 out[i] = carry;
1820 carry >>= 16;
1821 }
1822}
1823
1824/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1825static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1826 uint16_t sign = sign_extend && (a[15] >> 15);
1827 int i, j;
1828 for (i = 15; i >= 0; --i) {
1829 uint16_t v = 0;
1830 for (j = 0; j < 16; ++j) {
1831 int frompos = i*16 + j + n;
1832 if (frompos >= 256) {
1833 v |= sign << j;
1834 } else {
1835 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1836 }
1837 }
1838 out[i] = v;
1839 }
1840}
1841
1842/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1843static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1844 int i;
1845 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1846 for (i = 0; i < 4; ++i) {
1847 out[i] = v >> (16 * i);
1848 }
1849 for (i = 4; i < 16; ++i) {
1850 out[i] = sign;
1851 }
1852}
1853
1854/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1855static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1856 int i;
1857 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1858 for (i = 0; i < 4; ++i) {
1859 out[i] = lo >> (16 * i);
1860 }
1861 for (i = 4; i < 8; ++i) {
1862 out[i] = hi >> (16 * (i - 4));
1863 }
1864 for (i = 8; i < 16; ++i) {
1865 out[i] = sign;
1866 }
1867}
1868
1869/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1870static int int256is127(const uint16_t* v) {
1871 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1872 int i;
1873 for (i = 8; i < 16; ++i) {
1874 if (v[i] != 0) all_0 = 0;
1875 if (v[i] != 0xffff) all_1 = 0;
1876 }
1877 return all_0 || all_1;
1878}
1879
1880static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1881 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1882 load256two64(out, hi, lo, 0);
1883}
1884
1885static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1886 uint64_t lo;
1887 int64_t hi;
1888 secp256k1_int128 c = *v;
1889 lo = secp256k1_i128_to_u64(&c);
1890 secp256k1_i128_rshift(&c, 64);
1891 hi = secp256k1_i128_to_i64(&c);
1892 load256two64(out, hi, lo, 1);
1893}
1894
1895static void run_int128_test_case(void) {
1896 unsigned char buf[32];
1897 uint64_t v[4];
1898 secp256k1_int128 swa, swz;
1899 secp256k1_uint128 uwa, uwz;
1900 uint64_t ub, uc;
1901 int64_t sb, sc;
1902 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1903 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1904 int i;
1905
1906 /* Generate 32-byte random value. */
1907 secp256k1_testrand256_test(buf);
1908 /* Convert into 4 64-bit integers. */
1909 for (i = 0; i < 4; ++i) {
1910 uint64_t vi = 0;
1911 int j;
1912 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1913 v[i] = vi;
1914 }
1915 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1916 secp256k1_u128_load(&uwa, v[1], v[0]);
1917 secp256k1_i128_load(&swa, v[1], v[0]);
1918 ub = v[2];
1919 sb = v[2];
1920 uc = v[3];
1921 sc = v[3];
1922 /* Load those also into 16-bit array representations. */
1923 load256u128(ruwa, &uwa);
1924 load256i128(rswa, &swa);
1925 load256u64(rub, ub, 0);
1926 load256u64(rsb, sb, 1);
1927 load256u64(ruc, uc, 0);
1928 load256u64(rsc, sc, 1);
1929 /* test secp256k1_u128_mul */
1930 mulmod256(ruwr, rub, ruc, NULL);
1931 secp256k1_u128_mul(&uwz, ub, uc);
1932 load256u128(ruwz, &uwz);
1933 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1934 /* test secp256k1_u128_accum_mul */
1935 mulmod256(ruwr, rub, ruc, NULL);
1936 add256(ruwr, ruwr, ruwa);
1937 uwz = uwa;
1938 secp256k1_u128_accum_mul(&uwz, ub, uc);
1939 load256u128(ruwz, &uwz);
1940 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1941 /* test secp256k1_u128_accum_u64 */
1942 add256(ruwr, rub, ruwa);
1943 uwz = uwa;
1944 secp256k1_u128_accum_u64(&uwz, ub);
1945 load256u128(ruwz, &uwz);
1946 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1947 /* test secp256k1_u128_rshift */
1948 rshift256(ruwr, ruwa, uc % 128, 0);
1949 uwz = uwa;
1950 secp256k1_u128_rshift(&uwz, uc % 128);
1951 load256u128(ruwz, &uwz);
1952 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1953 /* test secp256k1_u128_to_u64 */
1954 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
1955 /* test secp256k1_u128_hi_u64 */
1956 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
1957 /* test secp256k1_u128_from_u64 */
1958 secp256k1_u128_from_u64(&uwz, ub);
1959 load256u128(ruwz, &uwz);
1960 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
1961 /* test secp256k1_u128_check_bits */
1962 {
1963 int uwa_bits = 0;
1964 int j;
1965 for (j = 0; j < 128; ++j) {
1966 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
1967 }
1968 for (j = 0; j < 128; ++j) {
1969 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
1970 }
1971 }
1972 /* test secp256k1_i128_mul */
1973 mulmod256(rswr, rsb, rsc, NULL);
1974 secp256k1_i128_mul(&swz, sb, sc);
1975 load256i128(rswz, &swz);
1976 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1977 /* test secp256k1_i128_accum_mul */
1978 mulmod256(rswr, rsb, rsc, NULL);
1979 add256(rswr, rswr, rswa);
1980 if (int256is127(rswr)) {
1981 swz = swa;
1982 secp256k1_i128_accum_mul(&swz, sb, sc);
1983 load256i128(rswz, &swz);
1984 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1985 }
1986 /* test secp256k1_i128_det */
1987 {
1988 uint16_t rsd[16], rse[16], rst[32];
1989 int64_t sd = v[0], se = v[1];
1990 load256u64(rsd, sd, 1);
1991 load256u64(rse, se, 1);
1992 mulmod256(rst, rsc, rsd, NULL);
1993 neg256(rst, rst);
1994 mulmod256(rswr, rsb, rse, NULL);
1995 add256(rswr, rswr, rst);
1996 secp256k1_i128_det(&swz, sb, sc, sd, se);
1997 load256i128(rswz, &swz);
1998 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
1999 }
2000 /* test secp256k1_i128_rshift */
2001 rshift256(rswr, rswa, uc % 127, 1);
2002 swz = swa;
2003 secp256k1_i128_rshift(&swz, uc % 127);
2004 load256i128(rswz, &swz);
2005 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2006 /* test secp256k1_i128_to_u64 */
2007 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2008 /* test secp256k1_i128_from_i64 */
2009 secp256k1_i128_from_i64(&swz, sb);
2010 load256i128(rswz, &swz);
2011 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2012 /* test secp256k1_i128_to_i64 */
2013 CHECK(secp256k1_i128_to_i64(&swz) == sb);
2014 /* test secp256k1_i128_eq_var */
2015 {
2016 int expect = (uc & 1);
2017 swz = swa;
2018 if (!expect) {
2019 /* Make sure swz != swa */
2020 uint64_t v0c = v[0], v1c = v[1];
2021 if (ub & 64) {
2022 v1c ^= (((uint64_t)1) << (ub & 63));
2023 } else {
2024 v0c ^= (((uint64_t)1) << (ub & 63));
2025 }
2026 secp256k1_i128_load(&swz, v1c, v0c);
2027 }
2028 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2029 }
2030 /* test secp256k1_i128_check_pow2 (sign == 1) */
2031 {
2032 int expect = (uc & 1);
2033 int pos = ub % 127;
2034 if (expect) {
2035 /* If expect==1, set swz to exactly 2^pos. */
2036 uint64_t hi = 0;
2037 uint64_t lo = 0;
2038 if (pos >= 64) {
2039 hi = (((uint64_t)1) << (pos & 63));
2040 } else {
2041 lo = (((uint64_t)1) << (pos & 63));
2042 }
2043 secp256k1_i128_load(&swz, hi, lo);
2044 } else {
2045 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2046 if (pos >= 64) {
2047 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2048 } else {
2049 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2050 }
2051 swz = swa;
2052 }
2053 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2054 }
2055 /* test secp256k1_i128_check_pow2 (sign == -1) */
2056 {
2057 int expect = (uc & 1);
2058 int pos = ub % 127;
2059 if (expect) {
2060 /* If expect==1, set swz to exactly -2^pos. */
2061 uint64_t hi = ~(uint64_t)0;
2062 uint64_t lo = ~(uint64_t)0;
2063 if (pos >= 64) {
2064 hi <<= (pos & 63);
2065 lo = 0;
2066 } else {
2067 lo <<= (pos & 63);
2068 }
2069 secp256k1_i128_load(&swz, hi, lo);
2070 } else {
2071 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2072 if (pos >= 64) {
2073 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2074 } else {
2075 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2076 }
2077 swz = swa;
2078 }
2079 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2080 }
2081}
2082
2083static void run_int128_tests(void) {
2084 { /* secp256k1_u128_accum_mul */
2085 secp256k1_uint128 res;
2086
2087 /* Check secp256k1_u128_accum_mul overflow */
2088 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2089 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2090 CHECK(secp256k1_u128_to_u64(&res) == 2);
2091 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2092 }
2093 { /* secp256k1_u128_accum_mul */
2094 secp256k1_int128 res;
2095
2096 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2097 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2098 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2099 CHECK(secp256k1_i128_to_u64(&res) == 2);
2100 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2101 secp256k1_i128_accum_mul(&res, 1, 1);
2102 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2103 secp256k1_i128_rshift(&res, 64);
2104 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2105
2106 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2107 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2108 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2109 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2110 CHECK(secp256k1_i128_to_u64(&res) == 0);
2111 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2112 CHECK(secp256k1_i128_to_u64(&res) == 0);
2113 secp256k1_i128_rshift(&res, 64);
2114 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2115 }
2116 {
2117 /* Randomized tests. */
2118 int i;
2119 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2120 }
2121}
2122#endif
2123
2124/***** SCALAR TESTS *****/
2125
2126static void scalar_test(void) {
2127 secp256k1_scalar s;
2128 secp256k1_scalar s1;
2129 secp256k1_scalar s2;
2130 unsigned char c[32];
2131
2132 /* Set 's' to a random scalar, with value 'snum'. */
2133 random_scalar_order_test(&s);
2134
2135 /* Set 's1' to a random scalar, with value 's1num'. */
2136 random_scalar_order_test(&s1);
2137
2138 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2139 random_scalar_order_test(&s2);
2140 secp256k1_scalar_get_b32(c, &s2);
2141
2142 {
2143 int i;
2144 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2145 secp256k1_scalar n;
2146 secp256k1_scalar_set_int(&n, 0);
2147 for (i = 0; i < 256; i += 4) {
2148 secp256k1_scalar t;
2149 int j;
2150 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
2151 for (j = 0; j < 4; j++) {
2152 secp256k1_scalar_add(&n, &n, &n);
2153 }
2154 secp256k1_scalar_add(&n, &n, &t);
2155 }
2156 CHECK(secp256k1_scalar_eq(&n, &s));
2157 }
2158
2159 {
2160 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2161 secp256k1_scalar n;
2162 int i = 0;
2163 secp256k1_scalar_set_int(&n, 0);
2164 while (i < 256) {
2165 secp256k1_scalar t;
2166 int j;
2167 int now = secp256k1_testrand_int(15) + 1;
2168 if (now + i > 256) {
2169 now = 256 - i;
2170 }
2171 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2172 for (j = 0; j < now; j++) {
2173 secp256k1_scalar_add(&n, &n, &n);
2174 }
2175 secp256k1_scalar_add(&n, &n, &t);
2176 i += now;
2177 }
2178 CHECK(secp256k1_scalar_eq(&n, &s));
2179 }
2180
2181 {
2182 /* test secp256k1_scalar_shr_int */
2183 secp256k1_scalar r;
2184 int i;
2185 random_scalar_order_test(&r);
2186 for (i = 0; i < 100; ++i) {
2187 int low;
2188 int shift = 1 + secp256k1_testrand_int(15);
2189 int expected = r.d[0] % (1 << shift);
2190 low = secp256k1_scalar_shr_int(&r, shift);
2191 CHECK(expected == low);
2192 }
2193 }
2194
2195 {
2196 /* Test commutativity of add. */
2197 secp256k1_scalar r1, r2;
2198 secp256k1_scalar_add(&r1, &s1, &s2);
2199 secp256k1_scalar_add(&r2, &s2, &s1);
2200 CHECK(secp256k1_scalar_eq(&r1, &r2));
2201 }
2202
2203 {
2204 secp256k1_scalar r1, r2;
2205 secp256k1_scalar b;
2206 int i;
2207 /* Test add_bit. */
2208 int bit = secp256k1_testrand_bits(8);
2209 secp256k1_scalar_set_int(&b, 1);
2210 CHECK(secp256k1_scalar_is_one(&b));
2211 for (i = 0; i < bit; i++) {
2212 secp256k1_scalar_add(&b, &b, &b);
2213 }
2214 r1 = s1;
2215 r2 = s1;
2216 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2217 /* No overflow happened. */
2218 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2219 CHECK(secp256k1_scalar_eq(&r1, &r2));
2220 /* cadd is a noop when flag is zero */
2221 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2222 CHECK(secp256k1_scalar_eq(&r1, &r2));
2223 }
2224 }
2225
2226 {
2227 /* Test commutativity of mul. */
2228 secp256k1_scalar r1, r2;
2229 secp256k1_scalar_mul(&r1, &s1, &s2);
2230 secp256k1_scalar_mul(&r2, &s2, &s1);
2231 CHECK(secp256k1_scalar_eq(&r1, &r2));
2232 }
2233
2234 {
2235 /* Test associativity of add. */
2236 secp256k1_scalar r1, r2;
2237 secp256k1_scalar_add(&r1, &s1, &s2);
2238 secp256k1_scalar_add(&r1, &r1, &s);
2239 secp256k1_scalar_add(&r2, &s2, &s);
2240 secp256k1_scalar_add(&r2, &s1, &r2);
2241 CHECK(secp256k1_scalar_eq(&r1, &r2));
2242 }
2243
2244 {
2245 /* Test associativity of mul. */
2246 secp256k1_scalar r1, r2;
2247 secp256k1_scalar_mul(&r1, &s1, &s2);
2248 secp256k1_scalar_mul(&r1, &r1, &s);
2249 secp256k1_scalar_mul(&r2, &s2, &s);
2250 secp256k1_scalar_mul(&r2, &s1, &r2);
2251 CHECK(secp256k1_scalar_eq(&r1, &r2));
2252 }
2253
2254 {
2255 /* Test distributitivity of mul over add. */
2256 secp256k1_scalar r1, r2, t;
2257 secp256k1_scalar_add(&r1, &s1, &s2);
2258 secp256k1_scalar_mul(&r1, &r1, &s);
2259 secp256k1_scalar_mul(&r2, &s1, &s);
2260 secp256k1_scalar_mul(&t, &s2, &s);
2261 secp256k1_scalar_add(&r2, &r2, &t);
2262 CHECK(secp256k1_scalar_eq(&r1, &r2));
2263 }
2264
2265 {
2266 /* Test multiplicative identity. */
2267 secp256k1_scalar r1;
2268 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one);
2269 CHECK(secp256k1_scalar_eq(&r1, &s1));
2270 }
2271
2272 {
2273 /* Test additive identity. */
2274 secp256k1_scalar r1;
2275 secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero);
2276 CHECK(secp256k1_scalar_eq(&r1, &s1));
2277 }
2278
2279 {
2280 /* Test zero product property. */
2281 secp256k1_scalar r1;
2282 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero);
2283 CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero));
2284 }
2285
2286}
2287
2288static void run_scalar_set_b32_seckey_tests(void) {
2289 unsigned char b32[32];
2290 secp256k1_scalar s1;
2291 secp256k1_scalar s2;
2292
2293 /* Usually set_b32 and set_b32_seckey give the same result */
2294 random_scalar_order_b32(b32);
2295 secp256k1_scalar_set_b32(&s1, b32, NULL);
2296 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2297 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2298
2299 memset(b32, 0, sizeof(b32));
2300 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2301 memset(b32, 0xFF, sizeof(b32));
2302 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2303}
2304
2305static void run_scalar_tests(void) {
2306 int i;
2307 for (i = 0; i < 128 * COUNT; i++) {
2308 scalar_test();
2309 }
2310 for (i = 0; i < COUNT; i++) {
2311 run_scalar_set_b32_seckey_tests();
2312 }
2313
2314 {
2315 /* Check that the scalar constants secp256k1_scalar_zero and
2316 secp256k1_scalar_one contain the expected values. */
2317 secp256k1_scalar zero, one;
2318
2319 CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero));
2320 secp256k1_scalar_set_int(&zero, 0);
2321 CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero));
2322
2323 CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one));
2324 secp256k1_scalar_set_int(&one, 1);
2325 CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one));
2326 }
2327
2328 {
2329 /* (-1)+1 should be zero. */
2330 secp256k1_scalar o;
2331 secp256k1_scalar_negate(&o, &secp256k1_scalar_one);
2332 secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one);
2333 CHECK(secp256k1_scalar_is_zero(&o));
2334 secp256k1_scalar_negate(&o, &o);
2335 CHECK(secp256k1_scalar_is_zero(&o));
2336 }
2337
2338 {
2339 /* Does check_overflow check catch all ones? */
2340 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2341 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2342 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2343 );
2344 CHECK(secp256k1_scalar_check_overflow(&overflowed));
2345 }
2346
2347 {
2348 /* Static test vectors.
2349 * These were reduced from ~10^12 random vectors based on comparison-decision
2350 * and edge-case coverage on 32-bit and 64-bit implementations.
2351 * The responses were generated with Sage 5.9.
2352 */
2353 secp256k1_scalar x;
2354 secp256k1_scalar y;
2355 secp256k1_scalar z;
2356 secp256k1_scalar zz;
2357 secp256k1_scalar r1;
2358 secp256k1_scalar r2;
2359 secp256k1_scalar zzv;
2360 int overflow;
2361 unsigned char chal[33][2][32] = {
2362 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2364 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2365 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2366 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2367 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2368 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2369 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2370 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2371 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2374 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2375 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2376 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2377 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2378 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2379 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2380 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2381 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2382 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2383 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2384 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2385 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2386 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2387 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2388 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2389 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2390 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2391 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2392 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2393 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2394 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2395 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2396 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2397 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2398 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2399 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2400 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2401 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2402 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2403 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2404 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2405 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2406 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2407 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2408 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2409 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2410 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2411 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2412 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2413 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2414 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2415 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2416 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2417 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2418 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2419 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2420 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2421 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2422 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2423 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2424 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2425 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2426 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2427 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2428 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2429 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2430 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2431 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2432 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2433 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2434 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2435 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2436 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2437 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2438 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2439 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2440 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2441 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2442 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2443 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2444 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2445 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2446 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2449 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2450 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2451 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2452 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2453 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2454 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2455 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2456 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2458 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2459 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2461 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2462 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2463 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2464 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2465 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2466 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2467 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2468 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2469 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2470 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2471 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2472 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2473 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2474 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2475 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2476 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2477 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2478 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2479 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2480 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2481 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2482 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2483 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2484 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2485 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2486 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2487 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2488 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2489 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2490 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2491 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2492 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2493 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2494 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2495 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2496 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2498 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2499 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2500 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2502 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2503 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2504 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2505 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2506 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2508 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2509 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2510 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2511 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2512 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2513 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2514 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2515 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2516 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2517 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2518 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2519 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2520 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2521 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2522 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2526 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2527 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2528 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2529 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2530 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2531 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2532 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2534 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2538 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2539 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2540 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2541 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2542 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2543 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2544 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2545 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2546 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2547 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2548 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2549 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2550 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2551 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2552 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2553 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2554 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2555 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2556 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2557 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2558 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2562 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2563 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2564 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2565 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2566 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2570 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2571 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2572 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2573 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2574 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2575 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2576 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2577 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2578 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2579 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2580 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2581 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2582 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2583 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2584 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2585 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2586 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2587 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2588 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2589 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2590 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2591 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2592 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2593 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2594 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2595 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2596 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2597 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2598 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2599 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2600 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2601 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2602 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2603 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2604 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2605 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2606 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2607 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2608 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2609 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2610 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2611 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2612 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2613 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2614 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2615 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2616 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2617 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2618 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2619 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2620 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2621 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2622 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2623 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2624 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2625 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2626 };
2627 unsigned char res[33][2][32] = {
2628 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2629 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2630 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2631 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2632 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2633 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2634 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2635 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2636 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2637 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2638 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2639 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2640 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2641 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2642 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2643 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2644 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2645 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2646 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2647 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2648 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2649 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2650 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2651 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2652 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2653 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2654 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2655 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2656 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2657 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2658 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2659 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2660 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2661 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2662 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2663 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2664 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2665 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2666 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2667 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2668 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2669 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2670 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2671 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2672 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2673 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2674 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2675 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2676 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2677 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2678 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2679 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2680 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2681 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2682 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2683 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2684 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2685 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2686 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2687 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2688 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2689 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2690 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2691 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2692 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2693 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2694 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2695 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2696 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2697 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2698 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2699 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2700 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2701 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2702 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2703 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2704 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2705 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2706 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2707 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2708 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2709 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2710 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2711 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2712 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2713 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2714 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2715 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2716 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2717 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2718 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2719 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2720 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2721 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2722 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2723 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2724 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2725 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2726 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2727 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2728 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2729 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2730 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2731 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2732 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2733 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2734 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2735 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2736 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2737 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2738 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2739 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2740 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2741 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2742 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2743 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2744 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2745 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2746 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2747 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2748 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2749 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2750 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2751 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2752 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2753 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2754 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2755 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2756 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2757 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2758 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2759 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2760 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2761 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2762 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2763 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2764 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2765 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2766 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2767 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2768 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2769 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2770 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2771 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2772 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2773 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2774 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2775 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2776 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2777 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2778 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2779 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2780 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2781 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2782 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2783 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2784 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2785 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2786 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2787 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2788 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2792 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2796 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2800 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2804 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2805 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2806 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2807 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2808 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2809 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2810 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2811 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2812 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2813 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2814 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2815 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2816 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2817 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2818 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2819 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2820 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2822 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2823 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2824 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2825 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2826 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2827 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2828 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2829 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2830 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2831 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2832 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2834 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2835 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2836 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2837 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2838 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2839 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2840 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2841 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2842 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2843 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2844 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2845 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2846 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2847 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2848 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2849 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2850 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2851 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2852 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2853 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2854 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2855 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2856 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2857 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2858 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2859 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2860 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2861 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2862 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2863 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2864 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2865 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2866 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2867 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2868 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2869 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2870 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2871 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2872 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2873 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2874 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2875 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2876 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2877 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2878 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2879 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2880 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2881 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2882 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2883 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2884 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2885 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2886 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2887 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2888 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2889 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2890 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2891 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2892 };
2893 for (i = 0; i < 33; i++) {
2894 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2895 CHECK(!overflow);
2896 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2897 CHECK(!overflow);
2898 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2899 CHECK(!overflow);
2900 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2901 CHECK(!overflow);
2902 secp256k1_scalar_mul(&z, &x, &y);
2903 CHECK(!secp256k1_scalar_check_overflow(&z));
2904 CHECK(secp256k1_scalar_eq(&r1, &z));
2905 if (!secp256k1_scalar_is_zero(&y)) {
2906 secp256k1_scalar_inverse(&zz, &y);
2907 CHECK(!secp256k1_scalar_check_overflow(&zz));
2908 secp256k1_scalar_inverse_var(&zzv, &y);
2909 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2910 secp256k1_scalar_mul(&z, &z, &zz);
2911 CHECK(!secp256k1_scalar_check_overflow(&z));
2912 CHECK(secp256k1_scalar_eq(&x, &z));
2913 secp256k1_scalar_mul(&zz, &zz, &y);
2914 CHECK(!secp256k1_scalar_check_overflow(&zz));
2915 CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz));
2916 }
2917 }
2918 }
2919}
2920
2921/***** FIELD TESTS *****/
2922
2923static void random_fe(secp256k1_fe *x) {
2924 unsigned char bin[32];
2925 do {
2926 secp256k1_testrand256(bin);
2927 if (secp256k1_fe_set_b32_limit(x, bin)) {
2928 return;
2929 }
2930 } while(1);
2931}
2932
2933static void random_fe_test(secp256k1_fe *x) {
2934 unsigned char bin[32];
2935 do {
2936 secp256k1_testrand256_test(bin);
2937 if (secp256k1_fe_set_b32_limit(x, bin)) {
2938 return;
2939 }
2940 } while(1);
2941}
2942
2943static void random_fe_non_zero(secp256k1_fe *nz) {
2944 int tries = 10;
2945 while (--tries >= 0) {
2946 random_fe(nz);
2947 secp256k1_fe_normalize(nz);
2948 if (!secp256k1_fe_is_zero(nz)) {
2949 break;
2950 }
2951 }
2952 /* Infinitesimal probability of spurious failure here */
2953 CHECK(tries >= 0);
2954}
2955
2956static void random_fe_non_square(secp256k1_fe *ns) {
2957 secp256k1_fe r;
2958 random_fe_non_zero(ns);
2959 if (secp256k1_fe_sqrt(&r, ns)) {
2960 secp256k1_fe_negate(ns, ns, 1);
2961 }
2962}
2963
2964static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2965 secp256k1_fe an = *a;
2966 secp256k1_fe bn = *b;
2967 secp256k1_fe_normalize_weak(&an);
2968 secp256k1_fe_normalize_var(&bn);
2969 return secp256k1_fe_equal_var(&an, &bn);
2970}
2971
2972static void run_field_convert(void) {
2973 static const unsigned char b32[32] = {
2974 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2975 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2976 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2977 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2978 };
2979 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2980 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2981 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2982 );
2983 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2984 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2985 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2986 );
2987 secp256k1_fe fe2;
2988 unsigned char b322[32];
2989 secp256k1_fe_storage fes2;
2990 /* Check conversions to fe. */
2991 CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
2992 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2993 secp256k1_fe_from_storage(&fe2, &fes);
2994 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2995 /* Check conversion from fe. */
2996 secp256k1_fe_get_b32(b322, &fe);
2997 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2998 secp256k1_fe_to_storage(&fes2, &fe);
2999 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
3000}
3001
3002static void run_field_be32_overflow(void) {
3003 {
3004 static const unsigned char zero_overflow[32] = {
3005 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3006 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3007 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3008 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3009 };
3010 static const unsigned char zero[32] = { 0x00 };
3011 unsigned char out[32];
3012 secp256k1_fe fe;
3013 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3014 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3015 CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1);
3016 secp256k1_fe_normalize(&fe);
3017 CHECK(secp256k1_fe_is_zero(&fe) == 1);
3018 secp256k1_fe_get_b32(out, &fe);
3019 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3020 }
3021 {
3022 static const unsigned char one_overflow[32] = {
3023 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3024 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3025 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3026 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3027 };
3028 static const unsigned char one[32] = {
3029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3030 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3033 };
3034 unsigned char out[32];
3035 secp256k1_fe fe;
3036 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3037 secp256k1_fe_set_b32_mod(&fe, one_overflow);
3038 secp256k1_fe_normalize(&fe);
3039 CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0);
3040 secp256k1_fe_get_b32(out, &fe);
3041 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3042 }
3043 {
3044 static const unsigned char ff_overflow[32] = {
3045 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3046 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3047 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3048 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3049 };
3050 static const unsigned char ff[32] = {
3051 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3052 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3054 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3055 };
3056 unsigned char out[32];
3057 secp256k1_fe fe;
3058 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3059 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3060 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3061 secp256k1_fe_normalize(&fe);
3062 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3063 secp256k1_fe_get_b32(out, &fe);
3064 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3065 }
3066}
3067
3068/* Returns true if two field elements have the same representation. */
3069static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3070 int ret = 1;
3071 /* Compare the struct member that holds the limbs. */
3072 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3073 return ret;
3074}
3075
3076static void run_field_half(void) {
3077 secp256k1_fe t, u;
3078 int m;
3079
3080 /* Check magnitude 0 input */
3081 secp256k1_fe_get_bounds(&t, 0);
3082 secp256k1_fe_half(&t);
3083#ifdef VERIFY
3084 CHECK(t.magnitude == 1);
3085 CHECK(t.normalized == 0);
3086#endif
3087 CHECK(secp256k1_fe_normalizes_to_zero(&t));
3088
3089 /* Check non-zero magnitudes in the supported range */
3090 for (m = 1; m < 32; m++) {
3091 /* Check max-value input */
3092 secp256k1_fe_get_bounds(&t, m);
3093
3094 u = t;
3095 secp256k1_fe_half(&u);
3096#ifdef VERIFY
3097 CHECK(u.magnitude == (m >> 1) + 1);
3098 CHECK(u.normalized == 0);
3099#endif
3100 secp256k1_fe_normalize_weak(&u);
3101 secp256k1_fe_add(&u, &u);
3102 CHECK(check_fe_equal(&t, &u));
3103
3104 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3105 * which will also cause all carries to be 1, since all limbs that can
3106 * generate a carry are initially even and all limbs of P are odd in
3107 * every existing field implementation. */
3108 secp256k1_fe_get_bounds(&t, m);
3109 CHECK(t.n[0] > 0);
3110 CHECK((t.n[0] & 1) == 0);
3111 --t.n[0];
3112
3113 u = t;
3114 secp256k1_fe_half(&u);
3115#ifdef VERIFY
3116 CHECK(u.magnitude == (m >> 1) + 1);
3117 CHECK(u.normalized == 0);
3118#endif
3119 secp256k1_fe_normalize_weak(&u);
3120 secp256k1_fe_add(&u, &u);
3121 CHECK(check_fe_equal(&t, &u));
3122 }
3123}
3124
3125static void run_field_misc(void) {
3126 secp256k1_fe x;
3127 secp256k1_fe y;
3128 secp256k1_fe z;
3129 secp256k1_fe q;
3130 int v;
3131 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3132 int i, j;
3133 for (i = 0; i < 1000 * COUNT; i++) {
3134 secp256k1_fe_storage xs, ys, zs;
3135 if (i & 1) {
3136 random_fe(&x);
3137 } else {
3138 random_fe_test(&x);
3139 }
3140 random_fe_non_zero(&y);
3141 v = secp256k1_testrand_bits(15);
3142 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3143 secp256k1_fe_set_int(&q, v); /* q = v */
3144 z = x; /* z = x */
3145 secp256k1_fe_add(&z, &q); /* z = x+v */
3146 q = x; /* q = x */
3147 secp256k1_fe_add_int(&q, v); /* q = x+v */
3148 CHECK(check_fe_equal(&q, &z));
3149 /* Test the fe equality and comparison operations. */
3150 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3151 CHECK(secp256k1_fe_equal_var(&x, &x));
3152 z = x;
3153 secp256k1_fe_add(&z,&y);
3154 /* Test fe conditional move; z is not normalized here. */
3155 q = x;
3156 secp256k1_fe_cmov(&x, &z, 0);
3157#ifdef VERIFY
3158 CHECK(!x.normalized);
3159 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3160 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3161#endif
3162 x = q;
3163 secp256k1_fe_cmov(&x, &x, 1);
3164 CHECK(!fe_identical(&x, &z));
3165 CHECK(fe_identical(&x, &q));
3166 secp256k1_fe_cmov(&q, &z, 1);
3167#ifdef VERIFY
3168 CHECK(!q.normalized);
3169 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3170 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3171#endif
3172 CHECK(fe_identical(&q, &z));
3173 q = z;
3174 secp256k1_fe_normalize_var(&x);
3175 secp256k1_fe_normalize_var(&z);
3176 CHECK(!secp256k1_fe_equal_var(&x, &z));
3177 secp256k1_fe_normalize_var(&q);
3178 secp256k1_fe_cmov(&q, &z, (i&1));
3179#ifdef VERIFY
3180 CHECK(q.normalized && q.magnitude == 1);
3181#endif
3182 for (j = 0; j < 6; j++) {
3183 secp256k1_fe_negate(&z, &z, j+1);
3184 secp256k1_fe_normalize_var(&q);
3185 secp256k1_fe_cmov(&q, &z, (j&1));
3186#ifdef VERIFY
3187 CHECK(!q.normalized && q.magnitude == z.magnitude);
3188#endif
3189 }
3190 secp256k1_fe_normalize_var(&z);
3191 /* Test storage conversion and conditional moves. */
3192 secp256k1_fe_to_storage(&xs, &x);
3193 secp256k1_fe_to_storage(&ys, &y);
3194 secp256k1_fe_to_storage(&zs, &z);
3195 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3196 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3197 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3198 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3199 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3200 secp256k1_fe_from_storage(&x, &xs);
3201 secp256k1_fe_from_storage(&y, &ys);
3202 secp256k1_fe_from_storage(&z, &zs);
3203 /* Test that mul_int, mul, and add agree. */
3204 secp256k1_fe_add(&y, &x);
3205 secp256k1_fe_add(&y, &x);
3206 z = x;
3207 secp256k1_fe_mul_int(&z, 3);
3208 CHECK(check_fe_equal(&y, &z));
3209 secp256k1_fe_add(&y, &x);
3210 secp256k1_fe_add(&z, &x);
3211 CHECK(check_fe_equal(&z, &y));
3212 z = x;
3213 secp256k1_fe_mul_int(&z, 5);
3214 secp256k1_fe_mul(&q, &x, &fe5);
3215 CHECK(check_fe_equal(&z, &q));
3216 secp256k1_fe_negate(&x, &x, 1);
3217 secp256k1_fe_add(&z, &x);
3218 secp256k1_fe_add(&q, &x);
3219 CHECK(check_fe_equal(&y, &z));
3220 CHECK(check_fe_equal(&q, &y));
3221 /* Check secp256k1_fe_half. */
3222 z = x;
3223 secp256k1_fe_half(&z);
3224 secp256k1_fe_add(&z, &z);
3225 CHECK(check_fe_equal(&x, &z));
3226 secp256k1_fe_add(&z, &z);
3227 secp256k1_fe_half(&z);
3228 CHECK(check_fe_equal(&x, &z));
3229 }
3230}
3231
3232static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3233{
3234 secp256k1_fe c, an, bn;
3235 /* Variables in BE 32-byte format. */
3236 unsigned char a32[32], b32[32], c32[32];
3237 /* Variables in LE 16x uint16_t format. */
3238 uint16_t a16[16], b16[16], c16[16];
3239 /* Field modulus in LE 16x uint16_t format. */
3240 static const uint16_t m16[16] = {
3241 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3242 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3243 };
3244 uint16_t t16[32];
3245 int i;
3246
3247 /* Compute C = A * B in fe format. */
3248 c = *a;
3249 if (use_sqr) {
3250 secp256k1_fe_sqr(&c, &c);
3251 } else {
3252 secp256k1_fe_mul(&c, &c, b);
3253 }
3254
3255 /* Convert A, B, C into LE 16x uint16_t format. */
3256 an = *a;
3257 bn = *b;
3258 secp256k1_fe_normalize_var(&c);
3259 secp256k1_fe_normalize_var(&an);
3260 secp256k1_fe_normalize_var(&bn);
3261 secp256k1_fe_get_b32(a32, &an);
3262 secp256k1_fe_get_b32(b32, &bn);
3263 secp256k1_fe_get_b32(c32, &c);
3264 for (i = 0; i < 16; ++i) {
3265 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3266 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3267 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3268 }
3269 /* Compute T = A * B in LE 16x uint16_t format. */
3270 mulmod256(t16, a16, b16, m16);
3271 /* Compare */
3272 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3273}
3274
3275static void run_fe_mul(void) {
3276 int i;
3277 for (i = 0; i < 100 * COUNT; ++i) {
3278 secp256k1_fe a, b, c, d;
3279 random_fe(&a);
3280 random_field_element_magnitude(&a);
3281 random_fe(&b);
3282 random_field_element_magnitude(&b);
3283 random_fe_test(&c);
3284 random_field_element_magnitude(&c);
3285 random_fe_test(&d);
3286 random_field_element_magnitude(&d);
3287 test_fe_mul(&a, &a, 1);
3288 test_fe_mul(&c, &c, 1);
3289 test_fe_mul(&a, &b, 0);
3290 test_fe_mul(&a, &c, 0);
3291 test_fe_mul(&c, &b, 0);
3292 test_fe_mul(&c, &d, 0);
3293 }
3294}
3295
3296static void run_sqr(void) {
3297 secp256k1_fe x, s;
3298
3299 {
3300 int i;
3301 secp256k1_fe_set_int(&x, 1);
3302 secp256k1_fe_negate(&x, &x, 1);
3303
3304 for (i = 1; i <= 512; ++i) {
3305 secp256k1_fe_mul_int(&x, 2);
3306 secp256k1_fe_normalize(&x);
3307 secp256k1_fe_sqr(&s, &x);
3308 }
3309 }
3310}
3311
3312static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3313 secp256k1_fe r1, r2;
3314 int v = secp256k1_fe_sqrt(&r1, a);
3315 CHECK((v == 0) == (k == NULL));
3316
3317 if (k != NULL) {
3318 /* Check that the returned root is +/- the given known answer */
3319 secp256k1_fe_negate(&r2, &r1, 1);
3320 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3321 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3322 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3323 }
3324}
3325
3326static void run_sqrt(void) {
3327 secp256k1_fe ns, x, s, t;
3328 int i;
3329
3330 /* Check sqrt(0) is 0 */
3331 secp256k1_fe_set_int(&x, 0);
3332 secp256k1_fe_sqr(&s, &x);
3333 test_sqrt(&s, &x);
3334
3335 /* Check sqrt of small squares (and their negatives) */
3336 for (i = 1; i <= 100; i++) {
3337 secp256k1_fe_set_int(&x, i);
3338 secp256k1_fe_sqr(&s, &x);
3339 test_sqrt(&s, &x);
3340 secp256k1_fe_negate(&t, &s, 1);
3341 test_sqrt(&t, NULL);
3342 }
3343
3344 /* Consistency checks for large random values */
3345 for (i = 0; i < 10; i++) {
3346 int j;
3347 random_fe_non_square(&ns);
3348 for (j = 0; j < COUNT; j++) {
3349 random_fe(&x);
3350 secp256k1_fe_sqr(&s, &x);
3351 CHECK(secp256k1_fe_is_square_var(&s));
3352 test_sqrt(&s, &x);
3353 secp256k1_fe_negate(&t, &s, 1);
3354 CHECK(!secp256k1_fe_is_square_var(&t));
3355 test_sqrt(&t, NULL);
3356 secp256k1_fe_mul(&t, &s, &ns);
3357 test_sqrt(&t, NULL);
3358 }
3359 }
3360}
3361
3362/***** FIELD/SCALAR INVERSE TESTS *****/
3363
3364static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3365 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3366 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3367);
3368
3369static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3370 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3371 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3372);
3373
3374/* These tests test the following identities:
3375 *
3376 * for x==0: 1/x == 0
3377 * for x!=0: x*(1/x) == 1
3378 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3379 */
3380
3381static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3382{
3383 secp256k1_scalar l, r, t;
3384
3385 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3386 if (out) *out = l;
3387 if (secp256k1_scalar_is_zero(x)) {
3388 CHECK(secp256k1_scalar_is_zero(&l));
3389 return;
3390 }
3391 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3392 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3393 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3394 if (secp256k1_scalar_is_zero(&r)) return;
3395 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3396 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3397 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3398 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3399 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3400 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3401}
3402
3403static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3404{
3405 secp256k1_fe l, r, t;
3406
3407 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3408 if (out) *out = l;
3409 t = *x; /* t = x */
3410 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3411 CHECK(secp256k1_fe_normalizes_to_zero(&l));
3412 return;
3413 }
3414 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3415 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3416 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3417 r = *x; /* r = x */
3418 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3419 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3420 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3421 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3422 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3423 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3424 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3425 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3426}
3427
3428static void run_inverse_tests(void)
3429{
3430 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3431 static const secp256k1_fe fe_cases[][2] = {
3432 /* 0 */
3433 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3434 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3435 /* 1 */
3436 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3437 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3438 /* -1 */
3439 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3440 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3441 /* 2 */
3442 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3443 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3444 /* 2**128 */
3445 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3446 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3447 /* Input known to need 637 divsteps */
3448 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3449 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3450 /* Input known to need 567 divsteps starting with delta=1/2. */
3451 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3452 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3453 /* Input known to need 566 divsteps starting with delta=1/2. */
3454 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3455 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3456 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3457 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3458 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3459 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3460 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3461 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3462 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3463 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3464 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3465 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3466 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3467 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3468 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3469 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3470 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3471 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3472 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3473 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3474 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3475 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3476 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3477 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3478 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3479 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3480 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3481 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3482 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3483 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3484 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3485 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3486 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3487 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3488 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3489 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3490 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3491 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3492 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3493 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3494 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3495 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3496 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3497 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3498 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3499 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3500 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3501 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3502 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3503 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3504 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3505 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3506 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3507 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3508 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3509 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3510 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3511 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3512 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3513 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3514 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3515 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3516 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3517 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3518 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3519 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3520 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3521 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3522 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3523 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3524 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3525 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3526 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3527 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3528 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3529 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3530 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3531 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3532 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3533 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3534 };
3535 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3536 static const secp256k1_scalar scalar_cases[][2] = {
3537 /* 0 */
3538 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3539 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3540 /* 1 */
3541 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3542 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3543 /* -1 */
3544 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3545 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3546 /* 2 */
3547 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3548 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3549 /* 2**128 */
3550 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3551 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3552 /* Input known to need 635 divsteps */
3553 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3554 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3555 /* Input known to need 566 divsteps starting with delta=1/2. */
3556 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3557 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3558 /* Input known to need 565 divsteps starting with delta=1/2. */
3559 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3560 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3561 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3562 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3563 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3564 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3565 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3566 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3567 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3568 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3569 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3570 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3571 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3572 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3573 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3574 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3575 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3576 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3577 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3578 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3579 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3580 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3581 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3582 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3583 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3584 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3585 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3586 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3587 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3588 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3589 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3590 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3591 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3592 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3593 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3594 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3595 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3596 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3597 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3598 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3599 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3600 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3601 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3602 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3603 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3604 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3605 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3606 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3607 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3608 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3609 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3610 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3611 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3612 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3613 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3614 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3615 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3616 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3617 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3618 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3619 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3620 };
3621 int i, var, testrand;
3622 unsigned char b32[32];
3623 secp256k1_fe x_fe;
3624 secp256k1_scalar x_scalar;
3625 memset(b32, 0, sizeof(b32));
3626 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3627 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3628 for (var = 0; var <= 1; ++var) {
3629 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3630 check_fe_equal(&x_fe, &fe_cases[i][1]);
3631 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3632 check_fe_equal(&x_fe, &fe_cases[i][0]);
3633 }
3634 }
3635 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3636 for (var = 0; var <= 1; ++var) {
3637 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3638 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3639 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3640 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3641 }
3642 }
3643 /* Test inputs 0..999 and their respective negations. */
3644 for (i = 0; i < 1000; ++i) {
3645 b32[31] = i & 0xff;
3646 b32[30] = (i >> 8) & 0xff;
3647 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3648 secp256k1_fe_set_b32_mod(&x_fe, b32);
3649 for (var = 0; var <= 1; ++var) {
3650 test_inverse_scalar(NULL, &x_scalar, var);
3651 test_inverse_field(NULL, &x_fe, var);
3652 }
3653 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3654 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3655 for (var = 0; var <= 1; ++var) {
3656 test_inverse_scalar(NULL, &x_scalar, var);
3657 test_inverse_field(NULL, &x_fe, var);
3658 }
3659 }
3660 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3661 for (testrand = 0; testrand <= 1; ++testrand) {
3662 for (i = 0; i < 64 * COUNT; ++i) {
3663 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3664 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3665 secp256k1_fe_set_b32_mod(&x_fe, b32);
3666 for (var = 0; var <= 1; ++var) {
3667 test_inverse_scalar(NULL, &x_scalar, var);
3668 test_inverse_field(NULL, &x_fe, var);
3669 }
3670 }
3671 }
3672}
3673
3674/***** GROUP TESTS *****/
3675
3676static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3677 CHECK(a->infinity == b->infinity);
3678 if (a->infinity) {
3679 return;
3680 }
3681 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
3682 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
3683}
3684
3685/* This compares jacobian points including their Z, not just their geometric meaning. */
3686static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3687 secp256k1_gej a2;
3688 secp256k1_gej b2;
3689 int ret = 1;
3690 ret &= a->infinity == b->infinity;
3691 if (ret && !a->infinity) {
3692 a2 = *a;
3693 b2 = *b;
3694 secp256k1_fe_normalize(&a2.x);
3695 secp256k1_fe_normalize(&a2.y);
3696 secp256k1_fe_normalize(&a2.z);
3697 secp256k1_fe_normalize(&b2.x);
3698 secp256k1_fe_normalize(&b2.y);
3699 secp256k1_fe_normalize(&b2.z);
3700 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3701 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3702 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3703 }
3704 return ret;
3705}
3706
3707static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3708 secp256k1_fe z2s;
3709 secp256k1_fe u1, u2, s1, s2;
3710 CHECK(a->infinity == b->infinity);
3711 if (a->infinity) {
3712 return;
3713 }
3714 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3715 secp256k1_fe_sqr(&z2s, &b->z);
3716 secp256k1_fe_mul(&u1, &a->x, &z2s);
3717 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3718 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3719 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3720 CHECK(secp256k1_fe_equal_var(&u1, &u2));
3721 CHECK(secp256k1_fe_equal_var(&s1, &s2));
3722}
3723
3724static void test_ge(void) {
3725 int i, i1;
3726 int runs = 6;
3727 /* 25 points are used:
3728 * - infinity
3729 * - for each of four random points p1 p2 p3 p4, we add the point, its
3730 * negation, and then those two again but with randomized Z coordinate.
3731 * - The same is then done for lambda*p1 and lambda^2*p1.
3732 */
3733 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3734 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3735 secp256k1_fe zf;
3736 secp256k1_fe zfi2, zfi3;
3737
3738 secp256k1_gej_set_infinity(&gej[0]);
3739 secp256k1_ge_clear(&ge[0]);
3740 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3741 for (i = 0; i < runs; i++) {
3742 int j;
3743 secp256k1_ge g;
3744 random_group_element_test(&g);
3745 if (i >= runs - 2) {
3746 secp256k1_ge_mul_lambda(&g, &ge[1]);
3747 }
3748 if (i >= runs - 1) {
3749 secp256k1_ge_mul_lambda(&g, &g);
3750 }
3751 ge[1 + 4 * i] = g;
3752 ge[2 + 4 * i] = g;
3753 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3754 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3755 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3756 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3757 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3758 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3759 for (j = 0; j < 4; j++) {
3760 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3761 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3762 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3763 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3764 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3765 }
3766 }
3767
3768 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3769 do {
3770 random_field_element_test(&zf);
3771 } while(secp256k1_fe_is_zero(&zf));
3772 random_field_element_magnitude(&zf);
3773 secp256k1_fe_inv_var(&zfi3, &zf);
3774 secp256k1_fe_sqr(&zfi2, &zfi3);
3775 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3776
3777 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3778 int i2;
3779 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3780 /* Compute reference result using gej + gej (var). */
3781 secp256k1_gej refj, resj;
3782 secp256k1_ge ref;
3783 secp256k1_fe zr;
3784 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3785 /* Check Z ratio. */
3786 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3787 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3788 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3789 }
3790 secp256k1_ge_set_gej_var(&ref, &refj);
3791
3792 /* Test gej + ge with Z ratio result (var). */
3793 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3794 ge_equals_gej(&ref, &resj);
3795 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3796 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3797 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3798 }
3799
3800 /* Test gej + ge (var, with additional Z factor). */
3801 {
3802 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3803 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3804 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3805 random_field_element_magnitude(&ge2_zfi.x);
3806 random_field_element_magnitude(&ge2_zfi.y);
3807 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3808 ge_equals_gej(&ref, &resj);
3809 }
3810
3811 /* Test gej + ge (const). */
3812 if (i2 != 0) {
3813 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3814 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3815 ge_equals_gej(&ref, &resj);
3816 }
3817
3818 /* Test doubling (var). */
3819 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3820 secp256k1_fe zr2;
3821 /* Normal doubling with Z ratio result. */
3822 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3823 ge_equals_gej(&ref, &resj);
3824 /* Check Z ratio. */
3825 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3826 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3827 /* Normal doubling. */
3828 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3829 ge_equals_gej(&ref, &resj);
3830 /* Constant-time doubling. */
3831 secp256k1_gej_double(&resj, &gej[i2]);
3832 ge_equals_gej(&ref, &resj);
3833 }
3834
3835 /* Test adding opposites. */
3836 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3837 CHECK(secp256k1_ge_is_infinity(&ref));
3838 }
3839
3840 /* Test adding infinity. */
3841 if (i1 == 0) {
3842 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3843 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3844 ge_equals_gej(&ref, &gej[i2]);
3845 }
3846 if (i2 == 0) {
3847 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3848 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3849 ge_equals_gej(&ref, &gej[i1]);
3850 }
3851 }
3852 }
3853
3854 /* Test adding all points together in random order equals infinity. */
3855 {
3856 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3857 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3858 for (i = 0; i < 4 * runs + 1; i++) {
3859 gej_shuffled[i] = gej[i];
3860 }
3861 for (i = 0; i < 4 * runs + 1; i++) {
3862 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3863 if (swap != i) {
3864 secp256k1_gej t = gej_shuffled[i];
3865 gej_shuffled[i] = gej_shuffled[swap];
3866 gej_shuffled[swap] = t;
3867 }
3868 }
3869 for (i = 0; i < 4 * runs + 1; i++) {
3870 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3871 }
3872 CHECK(secp256k1_gej_is_infinity(&sum));
3873 free(gej_shuffled);
3874 }
3875
3876 /* Test batch gej -> ge conversion without known z ratios. */
3877 {
3878 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3879 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3880 for (i = 0; i < 4 * runs + 1; i++) {
3881 secp256k1_fe s;
3882 random_fe_non_zero(&s);
3883 secp256k1_gej_rescale(&gej[i], &s);
3884 ge_equals_gej(&ge_set_all[i], &gej[i]);
3885 }
3886 free(ge_set_all);
3887 }
3888
3889 /* Test batch gej -> ge conversion with many infinities. */
3890 for (i = 0; i < 4 * runs + 1; i++) {
3891 int odd;
3892 random_group_element_test(&ge[i]);
3893 odd = secp256k1_fe_is_odd(&ge[i].x);
3894 CHECK(odd == 0 || odd == 1);
3895 /* randomly set half the points to infinity */
3896 if (odd == i % 2) {
3897 secp256k1_ge_set_infinity(&ge[i]);
3898 }
3899 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3900 }
3901 /* batch convert */
3902 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3903 /* check result */
3904 for (i = 0; i < 4 * runs + 1; i++) {
3905 ge_equals_gej(&ge[i], &gej[i]);
3906 }
3907
3908 /* Test batch gej -> ge conversion with all infinities. */
3909 for (i = 0; i < 4 * runs + 1; i++) {
3910 secp256k1_gej_set_infinity(&gej[i]);
3911 }
3912 /* batch convert */
3913 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3914 /* check result */
3915 for (i = 0; i < 4 * runs + 1; i++) {
3916 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3917 }
3918
3919 free(ge);
3920 free(gej);
3921}
3922
3923static void test_intialized_inf(void) {
3924 secp256k1_ge p;
3925 secp256k1_gej pj, npj, infj1, infj2, infj3;
3926 secp256k1_fe zinv;
3927
3928 /* Test that adding P+(-P) results in a fully initialized infinity*/
3929 random_group_element_test(&p);
3930 secp256k1_gej_set_ge(&pj, &p);
3931 secp256k1_gej_neg(&npj, &pj);
3932
3933 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3934 CHECK(secp256k1_gej_is_infinity(&infj1));
3935 CHECK(secp256k1_fe_is_zero(&infj1.x));
3936 CHECK(secp256k1_fe_is_zero(&infj1.y));
3937 CHECK(secp256k1_fe_is_zero(&infj1.z));
3938
3939 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3940 CHECK(secp256k1_gej_is_infinity(&infj2));
3941 CHECK(secp256k1_fe_is_zero(&infj2.x));
3942 CHECK(secp256k1_fe_is_zero(&infj2.y));
3943 CHECK(secp256k1_fe_is_zero(&infj2.z));
3944
3945 secp256k1_fe_set_int(&zinv, 1);
3946 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3947 CHECK(secp256k1_gej_is_infinity(&infj3));
3948 CHECK(secp256k1_fe_is_zero(&infj3.x));
3949 CHECK(secp256k1_fe_is_zero(&infj3.y));
3950 CHECK(secp256k1_fe_is_zero(&infj3.z));
3951
3952
3953}
3954
3955static void test_add_neg_y_diff_x(void) {
3956 /* The point of this test is to check that we can add two points
3957 * whose y-coordinates are negatives of each other but whose x
3958 * coordinates differ. If the x-coordinates were the same, these
3959 * points would be negatives of each other and their sum is
3960 * infinity. This is cool because it "covers up" any degeneracy
3961 * in the addition algorithm that would cause the xy coordinates
3962 * of the sum to be wrong (since infinity has no xy coordinates).
3963 * HOWEVER, if the x-coordinates are different, infinity is the
3964 * wrong answer, and such degeneracies are exposed. This is the
3965 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3966 * which this test is a regression test for.
3967 *
3968 * These points were generated in sage as
3969 * # secp256k1 params
3970 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3971 * C = EllipticCurve ([F (0), F (7)])
3972 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3973 * N = FiniteField(G.order())
3974 *
3975 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3976 * x = polygen(N)
3977 * lam = (1 - x^3).roots()[1][0]
3978 *
3979 * # random "bad pair"
3980 * P = C.random_element()
3981 * Q = -int(lam) * P
3982 * print " P: %x %x" % P.xy()
3983 * print " Q: %x %x" % Q.xy()
3984 * print "P + Q: %x %x" % (P + Q).xy()
3985 */
3986 secp256k1_gej aj = SECP256K1_GEJ_CONST(
3987 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3988 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3989 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3990 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3991 );
3992 secp256k1_gej bj = SECP256K1_GEJ_CONST(
3993 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3994 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3995 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3996 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3997 );
3998 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3999 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4000 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4001 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4002 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4003 );
4004 secp256k1_ge b;
4005 secp256k1_gej resj;
4006 secp256k1_ge res;
4007 secp256k1_ge_set_gej(&b, &bj);
4008
4009 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4010 secp256k1_ge_set_gej(&res, &resj);
4011 ge_equals_gej(&res, &sumj);
4012
4013 secp256k1_gej_add_ge(&resj, &aj, &b);
4014 secp256k1_ge_set_gej(&res, &resj);
4015 ge_equals_gej(&res, &sumj);
4016
4017 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4018 secp256k1_ge_set_gej(&res, &resj);
4019 ge_equals_gej(&res, &sumj);
4020}
4021
4022static void run_ge(void) {
4023 int i;
4024 for (i = 0; i < COUNT * 32; i++) {
4025 test_ge();
4026 }
4027 test_add_neg_y_diff_x();
4028 test_intialized_inf();
4029}
4030
4031static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4032 secp256k1_gej t = *a;
4033 secp256k1_gej_cmov(&t, b, 0);
4034 CHECK(gej_xyz_equals_gej(&t, a));
4035 secp256k1_gej_cmov(&t, b, 1);
4036 CHECK(gej_xyz_equals_gej(&t, b));
4037}
4038
4039static void run_gej(void) {
4040 int i;
4041 secp256k1_gej a, b;
4042
4043 /* Tests for secp256k1_gej_cmov */
4044 for (i = 0; i < COUNT; i++) {
4045 secp256k1_gej_set_infinity(&a);
4046 secp256k1_gej_set_infinity(&b);
4047 test_gej_cmov(&a, &b);
4048
4049 random_gej_test(&a);
4050 test_gej_cmov(&a, &b);
4051 test_gej_cmov(&b, &a);
4052
4053 b = a;
4054 test_gej_cmov(&a, &b);
4055
4056 random_gej_test(&b);
4057 test_gej_cmov(&a, &b);
4058 test_gej_cmov(&b, &a);
4059 }
4060
4061 /* Tests for secp256k1_gej_eq_var */
4062 for (i = 0; i < COUNT; i++) {
4063 secp256k1_fe fe;
4064 random_gej_test(&a);
4065 random_gej_test(&b);
4066 CHECK(!secp256k1_gej_eq_var(&a, &b));
4067
4068 b = a;
4069 random_field_element_test(&fe);
4070 if (secp256k1_fe_is_zero(&fe)) {
4071 continue;
4072 }
4073 secp256k1_gej_rescale(&a, &fe);
4074 CHECK(secp256k1_gej_eq_var(&a, &b));
4075 }
4076}
4077
4078static void test_ec_combine(void) {
4079 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4080 secp256k1_pubkey data[6];
4081 const secp256k1_pubkey* d[6];
4082 secp256k1_pubkey sd;
4083 secp256k1_pubkey sd2;
4084 secp256k1_gej Qj;
4085 secp256k1_ge Q;
4086 int i;
4087 for (i = 1; i <= 6; i++) {
4088 secp256k1_scalar s;
4089 random_scalar_order_test(&s);
4090 secp256k1_scalar_add(&sum, &sum, &s);
4091 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s);
4092 secp256k1_ge_set_gej(&Q, &Qj);
4093 secp256k1_pubkey_save(&data[i - 1], &Q);
4094 d[i - 1] = &data[i - 1];
4095 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum);
4096 secp256k1_ge_set_gej(&Q, &Qj);
4097 secp256k1_pubkey_save(&sd, &Q);
4098 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4099 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4100 }
4101}
4102
4103static void run_ec_combine(void) {
4104 int i;
4105 for (i = 0; i < COUNT * 8; i++) {
4106 test_ec_combine();
4107 }
4108}
4109
4110static void test_group_decompress(const secp256k1_fe* x) {
4111 /* The input itself, normalized. */
4112 secp256k1_fe fex = *x;
4113 secp256k1_fe fez;
4114 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
4115 secp256k1_ge ge_quad, ge_even, ge_odd;
4116 secp256k1_gej gej_quad;
4117 /* Return values of the above calls. */
4118 int res_quad, res_even, res_odd;
4119
4120 secp256k1_fe_normalize_var(&fex);
4121
4122 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
4123 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4124 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4125
4126 CHECK(res_quad == res_even);
4127 CHECK(res_quad == res_odd);
4128
4129 if (res_quad) {
4130 secp256k1_fe_normalize_var(&ge_quad.x);
4131 secp256k1_fe_normalize_var(&ge_odd.x);
4132 secp256k1_fe_normalize_var(&ge_even.x);
4133 secp256k1_fe_normalize_var(&ge_quad.y);
4134 secp256k1_fe_normalize_var(&ge_odd.y);
4135 secp256k1_fe_normalize_var(&ge_even.y);
4136
4137 /* No infinity allowed. */
4138 CHECK(!ge_quad.infinity);
4139 CHECK(!ge_even.infinity);
4140 CHECK(!ge_odd.infinity);
4141
4142 /* Check that the x coordinates check out. */
4143 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
4144 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
4145 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
4146
4147 /* Check that the Y coordinate result in ge_quad is a square. */
4148 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
4149
4150 /* Check odd/even Y in ge_odd, ge_even. */
4151 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4152 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4153
4154 /* Check secp256k1_gej_has_quad_y_var. */
4155 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
4156 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4157 do {
4158 random_fe_test(&fez);
4159 } while (secp256k1_fe_is_zero(&fez));
4160 secp256k1_gej_rescale(&gej_quad, &fez);
4161 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4162 secp256k1_gej_neg(&gej_quad, &gej_quad);
4163 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
4164 do {
4165 random_fe_test(&fez);
4166 } while (secp256k1_fe_is_zero(&fez));
4167 secp256k1_gej_rescale(&gej_quad, &fez);
4168 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
4169 secp256k1_gej_neg(&gej_quad, &gej_quad);
4170 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
4171 }
4172}
4173
4174static void run_group_decompress(void) {
4175 int i;
4176 for (i = 0; i < COUNT * 4; i++) {
4177 secp256k1_fe fe;
4178 random_fe_test(&fe);
4179 test_group_decompress(&fe);
4180 }
4181}
4182
4183/***** ECMULT TESTS *****/
4184
4185static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4186 /* Tests the pre_g / pre_g_128 tables for consistency.
4187 * For independent verification we take a "geometric" approach to verification.
4188 * We check that every entry is on-curve.
4189 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4190 * (1) p, gg, and -q are colinear.
4191 * (2) p, gg, and -q are all distinct.
4192 * where gg is twice the generator, where the generator is the first table entry.
4193 *
4194 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4195 */
4196 secp256k1_gej g2;
4197 secp256k1_ge p, q, gg;
4198 secp256k1_fe dpx, dpy, dqx, dqy;
4199 size_t i;
4200
4201 CHECK(0 < n);
4202
4203 secp256k1_ge_from_storage(&p, &pre_g[0]);
4204 CHECK(secp256k1_ge_is_valid_var(&p));
4205
4206 secp256k1_gej_set_ge(&g2, &p);
4207 secp256k1_gej_double_var(&g2, &g2, NULL);
4208 secp256k1_ge_set_gej_var(&gg, &g2);
4209 for (i = 1; i < n; ++i) {
4210 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4211 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4212 /* Check that p is not equal to gg */
4213 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
4214
4215 secp256k1_ge_from_storage(&q, &pre_g[i]);
4216 CHECK(secp256k1_ge_is_valid_var(&q));
4217
4218 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
4219 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
4220 /* Check that -q is not equal to gg */
4221 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4222
4223 /* Check that -q is not equal to p */
4224 CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
4225
4226 /* Check that p, -q and gg are colinear */
4227 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4228 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4229 CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
4230
4231 p = q;
4232 }
4233}
4234
4235static void run_ecmult_pre_g(void) {
4236 secp256k1_ge_storage gs;
4237 secp256k1_gej gj;
4238 secp256k1_ge g;
4239 size_t i;
4240
4241 /* Check that the pre_g and pre_g_128 tables are consistent. */
4242 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4243 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4244
4245 /* Check the first entry from the pre_g table. */
4246 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4247 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4248
4249 /* Check the first entry from the pre_g_128 table. */
4250 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4251 for (i = 0; i < 128; ++i) {
4252 secp256k1_gej_double_var(&gj, &gj, NULL);
4253 }
4254 secp256k1_ge_set_gej(&g, &gj);
4255 secp256k1_ge_to_storage(&gs, &g);
4256 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4257}
4258
4259static void run_ecmult_chain(void) {
4260 /* random starting point A (on the curve) */
4261 secp256k1_gej a = SECP256K1_GEJ_CONST(
4262 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4263 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4264 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4265 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4266 );
4267 /* two random initial factors xn and gn */
4268 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4269 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4270 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4271 );
4272 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4273 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4274 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4275 );
4276 /* two small multipliers to be applied to xn and gn in every iteration: */
4277 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4278 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4279 /* accumulators with the resulting coefficients to A and G */
4280 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4281 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4282 /* actual points */
4283 secp256k1_gej x;
4284 secp256k1_gej x2;
4285 int i;
4286
4287 /* the point being computed */
4288 x = a;
4289 for (i = 0; i < 200*COUNT; i++) {
4290 /* in each iteration, compute X = xn*X + gn*G; */
4291 secp256k1_ecmult(&x, &x, &xn, &gn);
4292 /* also compute ae and ge: the actual accumulated factors for A and G */
4293 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4294 secp256k1_scalar_mul(&ae, &ae, &xn);
4295 secp256k1_scalar_mul(&ge, &ge, &xn);
4296 secp256k1_scalar_add(&ge, &ge, &gn);
4297 /* modify xn and gn */
4298 secp256k1_scalar_mul(&xn, &xn, &xf);
4299 secp256k1_scalar_mul(&gn, &gn, &gf);
4300
4301 /* verify */
4302 if (i == 19999) {
4303 /* expected result after 19999 iterations */
4304 secp256k1_gej rp = SECP256K1_GEJ_CONST(
4305 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4306 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4307 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4308 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4309 );
4310 CHECK(secp256k1_gej_eq_var(&rp, &x));
4311 }
4312 }
4313 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4314 secp256k1_ecmult(&x2, &a, &ae, &ge);
4315 CHECK(secp256k1_gej_eq_var(&x, &x2));
4316}
4317
4318static void test_point_times_order(const secp256k1_gej *point) {
4319 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4320 secp256k1_scalar x;
4321 secp256k1_scalar nx;
4322 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4323 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4324 secp256k1_gej res1, res2;
4325 secp256k1_ge res3;
4326 unsigned char pub[65];
4327 size_t psize = 65;
4328 random_scalar_order_test(&x);
4329 secp256k1_scalar_negate(&nx, &x);
4330 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4331 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4332 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4333 CHECK(secp256k1_gej_is_infinity(&res1));
4334 secp256k1_ge_set_gej(&res3, &res1);
4335 CHECK(secp256k1_ge_is_infinity(&res3));
4336 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4337 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4338 psize = 65;
4339 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4340 /* check zero/one edge cases */
4341 secp256k1_ecmult(&res1, point, &zero, &zero);
4342 secp256k1_ge_set_gej(&res3, &res1);
4343 CHECK(secp256k1_ge_is_infinity(&res3));
4344 secp256k1_ecmult(&res1, point, &one, &zero);
4345 secp256k1_ge_set_gej(&res3, &res1);
4346 ge_equals_gej(&res3, point);
4347 secp256k1_ecmult(&res1, point, &zero, &one);
4348 secp256k1_ge_set_gej(&res3, &res1);
4349 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4350}
4351
4352/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4353 *
4354 * They are computed as:
4355 * - For a in [-2, -1, 0, 1, 2]:
4356 * - For b in [-3, -1, 1, 3]:
4357 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4358 */
4359static const secp256k1_scalar scalars_near_split_bounds[20] = {
4360 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4361 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4362 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4363 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4364 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4365 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4366 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4367 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4368 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4369 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4370 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4371 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4372 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4373 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4374 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4375 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4376 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4377 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4378 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4379 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4380};
4381
4382static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4383 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4384 secp256k1_scalar n1, n2;
4385 secp256k1_ge p;
4386 secp256k1_gej pj, p1j, p2j, ptj;
4387 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4388
4389 /* Generate random n1,n2 such that n1+n2 = -target. */
4390 random_scalar_order_test(&n1);
4391 secp256k1_scalar_add(&n2, &n1, target);
4392 secp256k1_scalar_negate(&n2, &n2);
4393
4394 /* Generate a random input point. */
4395 if (mode != 0) {
4396 random_group_element_test(&p);
4397 secp256k1_gej_set_ge(&pj, &p);
4398 }
4399
4400 /* EC multiplications */
4401 if (mode == 0) {
4402 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4403 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4404 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4405 } else if (mode == 1) {
4406 secp256k1_ecmult(&p1j, &pj, &n1, &zero);
4407 secp256k1_ecmult(&p2j, &pj, &n2, &zero);
4408 secp256k1_ecmult(&ptj, &pj, target, &zero);
4409 } else {
4410 secp256k1_ecmult_const(&p1j, &p, &n1);
4411 secp256k1_ecmult_const(&p2j, &p, &n2);
4412 secp256k1_ecmult_const(&ptj, &p, target);
4413 }
4414
4415 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4416 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4417 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4418 CHECK(secp256k1_gej_is_infinity(&ptj));
4419}
4420
4421static void run_ecmult_near_split_bound(void) {
4422 int i;
4423 unsigned j;
4424 for (i = 0; i < 4*COUNT; ++i) {
4425 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4426 test_ecmult_target(&scalars_near_split_bounds[j], 0);
4427 test_ecmult_target(&scalars_near_split_bounds[j], 1);
4428 test_ecmult_target(&scalars_near_split_bounds[j], 2);
4429 }
4430 }
4431}
4432
4433static void run_point_times_order(void) {
4434 int i;
4435 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4436 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4437 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4438 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4439 );
4440 for (i = 0; i < 500; i++) {
4441 secp256k1_ge p;
4442 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4443 secp256k1_gej j;
4444 CHECK(secp256k1_ge_is_valid_var(&p));
4445 secp256k1_gej_set_ge(&j, &p);
4446 test_point_times_order(&j);
4447 }
4448 secp256k1_fe_sqr(&x, &x);
4449 }
4450 secp256k1_fe_normalize_var(&x);
4451 CHECK(secp256k1_fe_equal_var(&x, &xr));
4452}
4453
4454static void ecmult_const_random_mult(void) {
4455 /* random starting point A (on the curve) */
4456 secp256k1_ge a = SECP256K1_GE_CONST(
4457 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4458 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4459 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4460 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4461 );
4462 /* random initial factor xn */
4463 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4464 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4465 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4466 );
4467 /* expected xn * A (from sage) */
4468 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4469 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4470 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4471 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4472 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4473 );
4474 secp256k1_gej b;
4475 secp256k1_ecmult_const(&b, &a, &xn);
4476
4477 CHECK(secp256k1_ge_is_valid_var(&a));
4478 ge_equals_gej(&expected_b, &b);
4479}
4480
4481static void ecmult_const_commutativity(void) {
4482 secp256k1_scalar a;
4483 secp256k1_scalar b;
4484 secp256k1_gej res1;
4485 secp256k1_gej res2;
4486 secp256k1_ge mid1;
4487 secp256k1_ge mid2;
4488 random_scalar_order_test(&a);
4489 random_scalar_order_test(&b);
4490
4491 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
4492 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
4493 secp256k1_ge_set_gej(&mid1, &res1);
4494 secp256k1_ge_set_gej(&mid2, &res2);
4495 secp256k1_ecmult_const(&res1, &mid1, &b);
4496 secp256k1_ecmult_const(&res2, &mid2, &a);
4497 secp256k1_ge_set_gej(&mid1, &res1);
4498 secp256k1_ge_set_gej(&mid2, &res2);
4499 ge_equals_ge(&mid1, &mid2);
4500}
4501
4502static void ecmult_const_mult_zero_one(void) {
4503 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4504 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4505 secp256k1_scalar negone;
4506 secp256k1_gej res1;
4507 secp256k1_ge res2;
4508 secp256k1_ge point;
4509 secp256k1_scalar_negate(&negone, &one);
4510
4511 random_group_element_test(&point);
4512 secp256k1_ecmult_const(&res1, &point, &zero);
4513 secp256k1_ge_set_gej(&res2, &res1);
4514 CHECK(secp256k1_ge_is_infinity(&res2));
4515 secp256k1_ecmult_const(&res1, &point, &one);
4516 secp256k1_ge_set_gej(&res2, &res1);
4517 ge_equals_ge(&res2, &point);
4518 secp256k1_ecmult_const(&res1, &point, &negone);
4519 secp256k1_gej_neg(&res1, &res1);
4520 secp256k1_ge_set_gej(&res2, &res1);
4521 ge_equals_ge(&res2, &point);
4522}
4523
4524static void ecmult_const_mult_xonly(void) {
4525 int i;
4526
4527 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4528 for (i = 0; i < 2*COUNT; ++i) {
4529 secp256k1_ge base;
4530 secp256k1_gej basej, resj;
4531 secp256k1_fe n, d, resx, v;
4532 secp256k1_scalar q;
4533 int res;
4534 /* Random base point. */
4535 random_group_element_test(&base);
4536 /* Random scalar to multiply it with. */
4537 random_scalar_order_test(&q);
4538 /* If i is odd, n=d*base.x for random non-zero d */
4539 if (i & 1) {
4540 do {
4541 random_field_element_test(&d);
4542 } while (secp256k1_fe_normalizes_to_zero_var(&d));
4543 secp256k1_fe_mul(&n, &base.x, &d);
4544 } else {
4545 n = base.x;
4546 }
4547 /* Perform x-only multiplication. */
4548 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4549 CHECK(res);
4550 /* Perform normal multiplication. */
4551 secp256k1_gej_set_ge(&basej, &base);
4552 secp256k1_ecmult(&resj, &basej, &q, NULL);
4553 /* Check that resj's X coordinate corresponds with resx. */
4554 secp256k1_fe_sqr(&v, &resj.z);
4555 secp256k1_fe_mul(&v, &v, &resx);
4556 CHECK(check_fe_equal(&v, &resj.x));
4557 }
4558
4559 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4560 for (i = 0; i < 2*COUNT; ++i) {
4561 secp256k1_fe x, n, d, c, r;
4562 int res;
4563 secp256k1_scalar q;
4564 random_scalar_order_test(&q);
4565 /* Generate random X coordinate not on the curve. */
4566 do {
4567 random_field_element_test(&x);
4568 secp256k1_fe_sqr(&c, &x);
4569 secp256k1_fe_mul(&c, &c, &x);
4570 secp256k1_fe_add_int(&c, SECP256K1_B);
4571 } while (secp256k1_fe_is_square_var(&c));
4572 /* If i is odd, n=d*x for random non-zero d. */
4573 if (i & 1) {
4574 do {
4575 random_field_element_test(&d);
4576 } while (secp256k1_fe_normalizes_to_zero_var(&d));
4577 secp256k1_fe_mul(&n, &x, &d);
4578 } else {
4579 n = x;
4580 }
4581 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4582 CHECK(res == 0);
4583 }
4584}
4585
4586static void ecmult_const_chain_multiply(void) {
4587 /* Check known result (randomly generated test problem from sage) */
4588 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4589 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4590 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4591 );
4592 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4593 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4594 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4595 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4596 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4597 );
4598 secp256k1_gej point;
4599 secp256k1_ge res;
4600 int i;
4601
4602 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4603 for (i = 0; i < 100; ++i) {
4604 secp256k1_ge tmp;
4605 secp256k1_ge_set_gej(&tmp, &point);
4606 secp256k1_ecmult_const(&point, &tmp, &scalar);
4607 }
4608 secp256k1_ge_set_gej(&res, &point);
4609 ge_equals_gej(&res, &expected_point);
4610}
4611
4612static void run_ecmult_const_tests(void) {
4613 ecmult_const_mult_zero_one();
4614 ecmult_const_random_mult();
4615 ecmult_const_commutativity();
4616 ecmult_const_chain_multiply();
4617 ecmult_const_mult_xonly();
4618}
4619
4620typedef struct {
4621 secp256k1_scalar *sc;
4622 secp256k1_ge *pt;
4623} ecmult_multi_data;
4624
4625static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4626 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4627 *sc = data->sc[idx];
4628 *pt = data->pt[idx];
4629 return 1;
4630}
4631
4632static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4633 (void)sc;
4634 (void)pt;
4635 (void)idx;
4636 (void)cbdata;
4637 return 0;
4638}
4639
4640static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4641 int ncount;
4642 secp256k1_scalar sc[32];
4643 secp256k1_ge pt[32];
4644 secp256k1_gej r;
4645 secp256k1_gej r2;
4646 ecmult_multi_data data;
4647
4648 data.sc = sc;
4649 data.pt = pt;
4650
4651 /* No points to multiply */
4652 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4653
4654 /* Check 1- and 2-point multiplies against ecmult */
4655 for (ncount = 0; ncount < COUNT; ncount++) {
4656 secp256k1_ge ptg;
4657 secp256k1_gej ptgj;
4658 random_scalar_order(&sc[0]);
4659 random_scalar_order(&sc[1]);
4660
4661 random_group_element_test(&ptg);
4662 secp256k1_gej_set_ge(&ptgj, &ptg);
4663 pt[0] = ptg;
4664 pt[1] = secp256k1_ge_const_g;
4665
4666 /* only G scalar */
4667 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4668 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4669 CHECK(secp256k1_gej_eq_var(&r, &r2));
4670
4671 /* 1-point */
4672 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4673 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4674 CHECK(secp256k1_gej_eq_var(&r, &r2));
4675
4676 /* Try to multiply 1 point, but callback returns false */
4677 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4678
4679 /* 2-point */
4680 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4681 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4682 CHECK(secp256k1_gej_eq_var(&r, &r2));
4683
4684 /* 2-point with G scalar */
4685 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4686 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4687 CHECK(secp256k1_gej_eq_var(&r, &r2));
4688 }
4689
4690 /* Check infinite outputs of various forms */
4691 for (ncount = 0; ncount < COUNT; ncount++) {
4692 secp256k1_ge ptg;
4693 size_t i, j;
4694 size_t sizes[] = { 2, 10, 32 };
4695
4696 for (j = 0; j < 3; j++) {
4697 for (i = 0; i < 32; i++) {
4698 random_scalar_order(&sc[i]);
4699 secp256k1_ge_set_infinity(&pt[i]);
4700 }
4701 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4702 CHECK(secp256k1_gej_is_infinity(&r));
4703 }
4704
4705 for (j = 0; j < 3; j++) {
4706 for (i = 0; i < 32; i++) {
4707 random_group_element_test(&ptg);
4708 pt[i] = ptg;
4709 secp256k1_scalar_set_int(&sc[i], 0);
4710 }
4711 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4712 CHECK(secp256k1_gej_is_infinity(&r));
4713 }
4714
4715 for (j = 0; j < 3; j++) {
4716 random_group_element_test(&ptg);
4717 for (i = 0; i < 16; i++) {
4718 random_scalar_order(&sc[2*i]);
4719 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4720 pt[2 * i] = ptg;
4721 pt[2 * i + 1] = ptg;
4722 }
4723
4724 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4725 CHECK(secp256k1_gej_is_infinity(&r));
4726
4727 random_scalar_order(&sc[0]);
4728 for (i = 0; i < 16; i++) {
4729 random_group_element_test(&ptg);
4730
4731 sc[2*i] = sc[0];
4732 sc[2*i+1] = sc[0];
4733 pt[2 * i] = ptg;
4734 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4735 }
4736
4737 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4738 CHECK(secp256k1_gej_is_infinity(&r));
4739 }
4740
4741 random_group_element_test(&ptg);
4742 secp256k1_scalar_set_int(&sc[0], 0);
4743 pt[0] = ptg;
4744 for (i = 1; i < 32; i++) {
4745 pt[i] = ptg;
4746
4747 random_scalar_order(&sc[i]);
4748 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4749 secp256k1_scalar_negate(&sc[i], &sc[i]);
4750 }
4751
4752 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4753 CHECK(secp256k1_gej_is_infinity(&r));
4754 }
4755
4756 /* Check random points, constant scalar */
4757 for (ncount = 0; ncount < COUNT; ncount++) {
4758 size_t i;
4759 secp256k1_gej_set_infinity(&r);
4760
4761 random_scalar_order(&sc[0]);
4762 for (i = 0; i < 20; i++) {
4763 secp256k1_ge ptg;
4764 sc[i] = sc[0];
4765 random_group_element_test(&ptg);
4766 pt[i] = ptg;
4767 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4768 }
4769
4770 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
4771 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4772 CHECK(secp256k1_gej_eq_var(&r, &r2));
4773 }
4774
4775 /* Check random scalars, constant point */
4776 for (ncount = 0; ncount < COUNT; ncount++) {
4777 size_t i;
4778 secp256k1_ge ptg;
4779 secp256k1_gej p0j;
4780 secp256k1_scalar rs;
4781 secp256k1_scalar_set_int(&rs, 0);
4782
4783 random_group_element_test(&ptg);
4784 for (i = 0; i < 20; i++) {
4785 random_scalar_order(&sc[i]);
4786 pt[i] = ptg;
4787 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4788 }
4789
4790 secp256k1_gej_set_ge(&p0j, &pt[0]);
4791 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
4792 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4793 CHECK(secp256k1_gej_eq_var(&r, &r2));
4794 }
4795
4796 /* Sanity check that zero scalars don't cause problems */
4797 for (ncount = 0; ncount < 20; ncount++) {
4798 random_scalar_order(&sc[ncount]);
4799 random_group_element_test(&pt[ncount]);
4800 }
4801 secp256k1_scalar_clear(&sc[0]);
4802 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
4803 secp256k1_scalar_clear(&sc[1]);
4804 secp256k1_scalar_clear(&sc[2]);
4805 secp256k1_scalar_clear(&sc[3]);
4806 secp256k1_scalar_clear(&sc[4]);
4807 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
4808 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
4809 CHECK(secp256k1_gej_is_infinity(&r));
4810
4811 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4812 {
4813 const size_t TOP = 8;
4814 size_t s0i, s1i;
4815 size_t t0i, t1i;
4816 secp256k1_ge ptg;
4817 secp256k1_gej ptgj;
4818
4819 random_group_element_test(&ptg);
4820 secp256k1_gej_set_ge(&ptgj, &ptg);
4821
4822 for(t0i = 0; t0i < TOP; t0i++) {
4823 for(t1i = 0; t1i < TOP; t1i++) {
4824 secp256k1_gej t0p, t1p;
4825 secp256k1_scalar t0, t1;
4826
4827 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4828 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4829 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4830 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4831
4832 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
4833 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
4834
4835 for(s0i = 0; s0i < TOP; s0i++) {
4836 for(s1i = 0; s1i < TOP; s1i++) {
4837 secp256k1_scalar tmp1, tmp2;
4838 secp256k1_gej expected, actual;
4839
4840 secp256k1_ge_set_gej(&pt[0], &t0p);
4841 secp256k1_ge_set_gej(&pt[1], &t1p);
4842
4843 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4844 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4845 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4846 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4847
4848 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4849 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4850 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4851
4852 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
4853 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4854 CHECK(secp256k1_gej_eq_var(&actual, &expected));
4855 }
4856 }
4857 }
4858 }
4859 }
4860}
4861
4862static int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4863 /* Large random test for ecmult_multi_* functions which exercises:
4864 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4865 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4866 * - Including or excluding an nonzero a*G term (or such a term at all).
4867 * - Final expected result equal to infinity or not (roughly 50%).
4868 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4869 */
4870
4871 /* These 4 variables define the eventual input to the ecmult_multi function.
4872 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4873 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4874 * which form its normal inputs. */
4875 int filled = 0;
4876 secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4877 secp256k1_scalar scalars[128];
4878 secp256k1_gej gejs[128];
4879 /* The expected result, and the computed result. */
4880 secp256k1_gej expected, computed;
4881 /* Temporaries. */
4882 secp256k1_scalar sc_tmp;
4883 secp256k1_ge ge_tmp;
4884 /* Variables needed for the actual input to ecmult_multi. */
4885 secp256k1_ge ges[128];
4886 ecmult_multi_data data;
4887
4888 int i;
4889 /* Which multiplication function to use */
4890 int fn = secp256k1_testrand_int(3);
4891 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4892 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4893 secp256k1_ecmult_pippenger_batch_single;
4894 /* Simulate exponentially distributed num. */
4895 int num_bits = 2 + secp256k1_testrand_int(6);
4896 /* Number of (scalar, point) inputs (excluding g). */
4897 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4898 /* Number of those which are nonzero. */
4899 int num_nonzero = secp256k1_testrand_int(num + 1);
4900 /* Whether we're aiming to create an input with nonzero expected result. */
4901 int nonzero_result = secp256k1_testrand_bits(1);
4902 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4903 * is forced here based on num_nonzero and nonzero_result. */
4904 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4905 num_nonzero == 1 && !nonzero_result ? 1 :
4906 (int)secp256k1_testrand_bits(1);
4907 /* Which g_scalar pointer to pass into ecmult_multi(). */
4908 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4909 /* How many EC multiplications were performed in this function. */
4910 int mults = 0;
4911 /* How many randomization steps to apply to the input list. */
4912 int rands = (int)secp256k1_testrand_bits(3);
4913 if (rands > num_nonzero) rands = num_nonzero;
4914
4915 secp256k1_gej_set_infinity(&expected);
4916 secp256k1_gej_set_infinity(&gejs[0]);
4917 secp256k1_scalar_set_int(&scalars[0], 0);
4918
4919 if (g_nonzero) {
4920 /* If g_nonzero, set g_scalar to nonzero value r. */
4921 random_scalar_order_test(&g_scalar);
4922 if (!nonzero_result) {
4923 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4924 CHECK(num_nonzero > filled);
4925 random_scalar_order_test(&sc_tmp);
4926 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4927 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4928 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4929 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4930 ++filled;
4931 ++mults;
4932 }
4933 }
4934
4935 if (nonzero_result && filled < num_nonzero) {
4936 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4937 random_scalar_order_test(&scalars[filled]);
4938 random_group_element_test(&ge_tmp);
4939 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4940 ++filled;
4941 }
4942
4943 if (nonzero_result) {
4944 /* Compute the expected result using normal ecmult. */
4945 CHECK(filled <= 1);
4946 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4947 mults += filled + g_nonzero;
4948 }
4949
4950 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4951 CHECK(filled <= 1 + !nonzero_result);
4952 CHECK(filled <= num_nonzero);
4953
4954 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4955 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4956 while (filled < num) {
4957 if (secp256k1_testrand_bits(1)) {
4958 secp256k1_gej_set_infinity(&gejs[filled]);
4959 random_scalar_order_test(&scalars[filled]);
4960 } else {
4961 secp256k1_scalar_set_int(&scalars[filled], 0);
4962 random_group_element_test(&ge_tmp);
4963 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4964 }
4965 ++filled;
4966 }
4967
4968 /* Now perform cheapish transformations on gejs and scalars, for indices
4969 * 0..num_nonzero-1, which do not change the expected result, but may
4970 * convert some of them to be both non-0-scalar and non-infinity-point. */
4971 for (i = 0; i < rands; ++i) {
4972 int j;
4973 secp256k1_scalar v, iv;
4974 /* Shuffle the entries. */
4975 for (j = 0; j < num_nonzero; ++j) {
4976 int k = secp256k1_testrand_int(num_nonzero - j);
4977 if (k != 0) {
4978 secp256k1_gej gej = gejs[j];
4979 secp256k1_scalar sc = scalars[j];
4980 gejs[j] = gejs[j + k];
4981 scalars[j] = scalars[j + k];
4982 gejs[j + k] = gej;
4983 scalars[j + k] = sc;
4984 }
4985 }
4986 /* Perturb all consecutive pairs of inputs:
4987 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4988 for (j = 0; j + 1 < num_nonzero; j += 2) {
4989 secp256k1_gej gej;
4990 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4991 secp256k1_gej_neg(&gej, &gejs[j]);
4992 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4993 }
4994 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4995 CHECK(num_nonzero >= 1);
4996 random_scalar_order_test(&v);
4997 secp256k1_scalar_inverse(&iv, &v);
4998 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4999 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5000 ++mults;
5001 }
5002
5003 /* Shuffle all entries (0..num-1). */
5004 for (i = 0; i < num; ++i) {
5005 int j = secp256k1_testrand_int(num - i);
5006 if (j != 0) {
5007 secp256k1_gej gej = gejs[i];
5008 secp256k1_scalar sc = scalars[i];
5009 gejs[i] = gejs[i + j];
5010 scalars[i] = scalars[i + j];
5011 gejs[i + j] = gej;
5012 scalars[i + j] = sc;
5013 }
5014 }
5015
5016 /* Compute affine versions of all inputs. */
5017 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5018 /* Invoke ecmult_multi code. */
5019 data.sc = scalars;
5020 data.pt = ges;
5021 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5022 mults += num_nonzero + g_nonzero;
5023 /* Compare with expected result. */
5024 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5025 return mults;
5026}
5027
5028static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
5029 secp256k1_scalar sc;
5030 secp256k1_ge pt;
5031 secp256k1_gej r;
5032 ecmult_multi_data data;
5033 secp256k1_scratch *scratch_empty;
5034
5035 random_group_element_test(&pt);
5036 random_scalar_order(&sc);
5037 data.sc = &sc;
5038 data.pt = &pt;
5039
5040 /* Try to multiply 1 point, but scratch space is empty.*/
5041 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5042 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5043 secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5044}
5045
5046static void test_secp256k1_pippenger_bucket_window_inv(void) {
5047 int i;
5048
5049 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
5050 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5051 /* Bucket_window of 8 is not used with endo */
5052 if (i == 8) {
5053 continue;
5054 }
5055 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
5056 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5057 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
5058 }
5059 }
5060}
5061
5066static void test_ecmult_multi_pippenger_max_points(void) {
5067 size_t scratch_size = secp256k1_testrand_bits(8);
5068 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
5069 secp256k1_scratch *scratch;
5070 size_t n_points_supported;
5071 int bucket_window = 0;
5072
5073 for(; scratch_size < max_size; scratch_size+=256) {
5074 size_t i;
5075 size_t total_alloc;
5076 size_t checkpoint;
5077 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5078 CHECK(scratch != NULL);
5079 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5080 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5081 if (n_points_supported == 0) {
5082 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5083 continue;
5084 }
5085 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5086 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5087 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5088 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5089 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1));
5090 total_alloc--;
5091 }
5092 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5093 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5094 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5095 }
5096 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5097}
5098
5099static void test_ecmult_multi_batch_size_helper(void) {
5100 size_t n_batches, n_batch_points, max_n_batch_points, n;
5101
5102 max_n_batch_points = 0;
5103 n = 1;
5104 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5105
5106 max_n_batch_points = 1;
5107 n = 0;
5108 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5109 CHECK(n_batches == 0);
5110 CHECK(n_batch_points == 0);
5111
5112 max_n_batch_points = 2;
5113 n = 5;
5114 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5115 CHECK(n_batches == 3);
5116 CHECK(n_batch_points == 2);
5117
5118 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5119 n = ECMULT_MAX_POINTS_PER_BATCH;
5120 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5121 CHECK(n_batches == 1);
5122 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5123
5124 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5125 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
5126 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5127 CHECK(n_batches == 2);
5128 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5129
5130 max_n_batch_points = 1;
5131 n = SIZE_MAX;
5132 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5133 CHECK(n_batches == SIZE_MAX);
5134 CHECK(n_batch_points == 1);
5135
5136 max_n_batch_points = 2;
5137 n = SIZE_MAX;
5138 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5139 CHECK(n_batches == SIZE_MAX/2 + 1);
5140 CHECK(n_batch_points == 2);
5141}
5142
5147static void test_ecmult_multi_batching(void) {
5148 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5149 secp256k1_scalar scG;
5150 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points);
5151 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5152 secp256k1_gej r;
5153 secp256k1_gej r2;
5154 ecmult_multi_data data;
5155 int i;
5156 secp256k1_scratch *scratch;
5157
5158 secp256k1_gej_set_infinity(&r2);
5159
5160 /* Get random scalars and group elements and compute result */
5161 random_scalar_order(&scG);
5162 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5163 for(i = 0; i < n_points; i++) {
5164 secp256k1_ge ptg;
5165 secp256k1_gej ptgj;
5166 random_group_element_test(&ptg);
5167 secp256k1_gej_set_ge(&ptgj, &ptg);
5168 pt[i] = ptg;
5169 random_scalar_order(&sc[i]);
5170 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5171 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5172 }
5173 data.sc = sc;
5174 data.pt = pt;
5175 secp256k1_gej_neg(&r2, &r2);
5176
5177 /* Test with empty scratch space. It should compute the correct result using
5178 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5179 scratch = secp256k1_scratch_create(&CTX->error_callback, 0);
5180 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5181 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5182 CHECK(secp256k1_gej_is_infinity(&r));
5183 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5184
5185 /* Test with space for 1 point in pippenger. That's not enough because
5186 * ecmult_multi selects strauss which requires more memory. It should
5187 * therefore select the simple algorithm. */
5188 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5189 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5190 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5191 CHECK(secp256k1_gej_is_infinity(&r));
5192 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5193
5194 for(i = 1; i <= n_points; i++) {
5195 if (i > ECMULT_PIPPENGER_THRESHOLD) {
5196 int bucket_window = secp256k1_pippenger_bucket_window(i);
5197 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5198 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5199 } else {
5200 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5201 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5202 }
5203 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5204 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5205 CHECK(secp256k1_gej_is_infinity(&r));
5206 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5207 }
5208 free(sc);
5209 free(pt);
5210}
5211
5212static void run_ecmult_multi_tests(void) {
5213 secp256k1_scratch *scratch;
5214 int64_t todo = (int64_t)320 * COUNT;
5215
5216 test_secp256k1_pippenger_bucket_window_inv();
5217 test_ecmult_multi_pippenger_max_points();
5218 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5219 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5220 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
5221 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
5222 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
5223 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
5224 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
5225 while (todo > 0) {
5226 todo -= test_ecmult_multi_random(scratch);
5227 }
5228 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5229
5230 /* Run test_ecmult_multi with space for exactly one point */
5231 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5232 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5233 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5234
5235 test_ecmult_multi_batch_size_helper();
5236 test_ecmult_multi_batching();
5237}
5238
5239static void test_wnaf(const secp256k1_scalar *number, int w) {
5240 secp256k1_scalar x, two, t;
5241 int wnaf[256];
5242 int zeroes = -1;
5243 int i;
5244 int bits;
5245 secp256k1_scalar_set_int(&x, 0);
5246 secp256k1_scalar_set_int(&two, 2);
5247 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5248 CHECK(bits <= 256);
5249 for (i = bits-1; i >= 0; i--) {
5250 int v = wnaf[i];
5251 secp256k1_scalar_mul(&x, &x, &two);
5252 if (v) {
5253 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5254 zeroes=0;
5255 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5256 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5257 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5258 } else {
5259 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5260 zeroes++;
5261 }
5262 if (v >= 0) {
5263 secp256k1_scalar_set_int(&t, v);
5264 } else {
5265 secp256k1_scalar_set_int(&t, -v);
5266 secp256k1_scalar_negate(&t, &t);
5267 }
5268 secp256k1_scalar_add(&x, &x, &t);
5269 }
5270 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5271}
5272
5273static void test_constant_wnaf_negate(const secp256k1_scalar *number) {
5274 secp256k1_scalar neg1 = *number;
5275 secp256k1_scalar neg2 = *number;
5276 int sign1 = 1;
5277 int sign2 = 1;
5278
5279 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
5280 secp256k1_scalar_negate(&neg1, &neg1);
5281 sign1 = -1;
5282 }
5283 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
5284 CHECK(sign1 == sign2);
5285 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
5286}
5287
5288static void test_constant_wnaf(const secp256k1_scalar *number, int w) {
5289 secp256k1_scalar x, shift;
5290 int wnaf[256] = {0};
5291 int i;
5292 int skew;
5293 int bits = 256;
5294 secp256k1_scalar num = *number;
5295 secp256k1_scalar scalar_skew;
5296
5297 secp256k1_scalar_set_int(&x, 0);
5298 secp256k1_scalar_set_int(&shift, 1 << w);
5299 for (i = 0; i < 16; ++i) {
5300 secp256k1_scalar_shr_int(&num, 8);
5301 }
5302 bits = 128;
5303 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
5304
5305 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
5306 secp256k1_scalar t;
5307 int v = wnaf[i];
5308 CHECK(v != 0); /* check nonzero */
5309 CHECK(v & 1); /* check parity */
5310 CHECK(v > -(1 << w)); /* check range above */
5311 CHECK(v < (1 << w)); /* check range below */
5312
5313 secp256k1_scalar_mul(&x, &x, &shift);
5314 if (v >= 0) {
5315 secp256k1_scalar_set_int(&t, v);
5316 } else {
5317 secp256k1_scalar_set_int(&t, -v);
5318 secp256k1_scalar_negate(&t, &t);
5319 }
5320 secp256k1_scalar_add(&x, &x, &t);
5321 }
5322 /* Skew num because when encoding numbers as odd we use an offset */
5323 secp256k1_scalar_set_int(&scalar_skew, skew);
5324 secp256k1_scalar_add(&num, &num, &scalar_skew);
5325 CHECK(secp256k1_scalar_eq(&x, &num));
5326}
5327
5328static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5329 secp256k1_scalar x, shift;
5330 int wnaf[256] = {0};
5331 int i;
5332 int skew;
5333 secp256k1_scalar num = *number;
5334
5335 secp256k1_scalar_set_int(&x, 0);
5336 secp256k1_scalar_set_int(&shift, 1 << w);
5337 for (i = 0; i < 16; ++i) {
5338 secp256k1_scalar_shr_int(&num, 8);
5339 }
5340 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5341
5342 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5343 secp256k1_scalar t;
5344 int v = wnaf[i];
5345 CHECK(v == 0 || v & 1); /* check parity */
5346 CHECK(v > -(1 << w)); /* check range above */
5347 CHECK(v < (1 << w)); /* check range below */
5348
5349 secp256k1_scalar_mul(&x, &x, &shift);
5350 if (v >= 0) {
5351 secp256k1_scalar_set_int(&t, v);
5352 } else {
5353 secp256k1_scalar_set_int(&t, -v);
5354 secp256k1_scalar_negate(&t, &t);
5355 }
5356 secp256k1_scalar_add(&x, &x, &t);
5357 }
5358 /* If skew is 1 then add 1 to num */
5359 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5360 CHECK(secp256k1_scalar_eq(&x, &num));
5361}
5362
5363/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5364 * rest is 0.*/
5365static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5366 int i;
5367 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5368 CHECK(wnaf[i] == 0);
5369 }
5370 for (i = 7; i >= 0; --i) {
5371 CHECK(wnaf[i] == wnaf_expected[i]);
5372 }
5373}
5374
5375static void test_fixed_wnaf_small(void) {
5376 int w = 4;
5377 int wnaf[256] = {0};
5378 int i;
5379 int skew;
5380 secp256k1_scalar num;
5381
5382 secp256k1_scalar_set_int(&num, 0);
5383 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5384 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5385 int v = wnaf[i];
5386 CHECK(v == 0);
5387 }
5388 CHECK(skew == 0);
5389
5390 secp256k1_scalar_set_int(&num, 1);
5391 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5392 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5393 int v = wnaf[i];
5394 CHECK(v == 0);
5395 }
5396 CHECK(wnaf[0] == 1);
5397 CHECK(skew == 0);
5398
5399 {
5400 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5401 secp256k1_scalar_set_int(&num, 0xffffffff);
5402 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5403 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5404 CHECK(skew == 0);
5405 }
5406 {
5407 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5408 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5409 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5410 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5411 CHECK(skew == 1);
5412 }
5413 {
5414 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5415 secp256k1_scalar_set_int(&num, 0x01010101);
5416 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5417 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5418 CHECK(skew == 0);
5419 }
5420 {
5421 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5422 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5423 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5424 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5425 CHECK(skew == 0);
5426 }
5427}
5428
5429static void run_wnaf(void) {
5430 int i;
5431 secp256k1_scalar n = {{0}};
5432
5433 test_constant_wnaf(&n, 4);
5434 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
5435 * have easier-to-diagnose failure modes */
5436 n.d[0] = 1;
5437 test_constant_wnaf(&n, 4);
5438 n.d[0] = 2;
5439 test_constant_wnaf(&n, 4);
5440 /* Test -1, because it's a special case in wnaf_const */
5441 n = secp256k1_scalar_one;
5442 secp256k1_scalar_negate(&n, &n);
5443 test_constant_wnaf(&n, 4);
5444
5445 /* Test -2, which may not lead to overflows in wnaf_const */
5446 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
5447 secp256k1_scalar_negate(&n, &n);
5448 test_constant_wnaf(&n, 4);
5449
5450 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
5451 as corner cases of negation handling in wnaf_const */
5452 secp256k1_scalar_inverse(&n, &n);
5453 test_constant_wnaf(&n, 4);
5454
5455 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
5456 test_constant_wnaf(&n, 4);
5457
5458 /* Test 0 for fixed wnaf */
5459 test_fixed_wnaf_small();
5460 /* Random tests */
5461 for (i = 0; i < COUNT; i++) {
5462 random_scalar_order(&n);
5463 test_wnaf(&n, 4+(i%10));
5464 test_constant_wnaf_negate(&n);
5465 test_constant_wnaf(&n, 4 + (i % 10));
5466 test_fixed_wnaf(&n, 4 + (i % 10));
5467 }
5468 secp256k1_scalar_set_int(&n, 0);
5469 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5470 CHECK(secp256k1_scalar_is_zero(&n));
5471 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5472 CHECK(secp256k1_scalar_is_zero(&n));
5473}
5474
5475static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5476 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5477 *sc = *indata;
5478 *pt = secp256k1_ge_const_g;
5479 CHECK(idx == 0);
5480 return 1;
5481}
5482
5483static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5484 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5485 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5486 secp256k1_ge r;
5487 const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5488 unsigned char bytes[65];
5489 size_t size = 65;
5490 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5491 secp256k1_gej_set_infinity(&infj);
5492 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x);
5493 secp256k1_ecmult(&rj2, &gj, x, &zero);
5494 secp256k1_ecmult(&rj3, &infj, &zero, x);
5495 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5496 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
5497 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x);
5498 secp256k1_ge_set_gej_var(&r, &rj1);
5499 ge_equals_gej(&r, &rj2);
5500 ge_equals_gej(&r, &rj3);
5501 ge_equals_gej(&r, &rj4);
5502 ge_equals_gej(&r, &rj5);
5503 ge_equals_gej(&r, &rj6);
5504 if (secp256k1_ge_is_infinity(&r)) {
5505 /* Store infinity as 0x00 */
5506 const unsigned char zerobyte[1] = {0};
5507 secp256k1_sha256_write(acc, zerobyte, 1);
5508 } else {
5509 /* Store other points using their uncompressed serialization. */
5510 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5511 CHECK(size == 65);
5512 secp256k1_sha256_write(acc, bytes, size);
5513 }
5514}
5515
5516static void test_ecmult_constants_2bit(void) {
5517 /* Using test_ecmult_accumulate, test ecmult for:
5518 * - For i in 0..36:
5519 * - Key i
5520 * - Key -i
5521 * - For i in 0..255:
5522 * - For j in 1..255 (only odd values):
5523 * - Key (j*2^i) mod order
5524 */
5525 secp256k1_scalar x;
5526 secp256k1_sha256 acc;
5527 unsigned char b32[32];
5528 int i, j;
5529 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5530
5531 /* Expected hash of all the computed points; created with an independent
5532 * implementation. */
5533 static const unsigned char expected32[32] = {
5534 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5535 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5536 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5537 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5538 };
5539 secp256k1_sha256_initialize(&acc);
5540 for (i = 0; i <= 36; ++i) {
5541 secp256k1_scalar_set_int(&x, i);
5542 test_ecmult_accumulate(&acc, &x, scratch);
5543 secp256k1_scalar_negate(&x, &x);
5544 test_ecmult_accumulate(&acc, &x, scratch);
5545 };
5546 for (i = 0; i < 256; ++i) {
5547 for (j = 1; j < 256; j += 2) {
5548 int k;
5549 secp256k1_scalar_set_int(&x, j);
5550 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5551 test_ecmult_accumulate(&acc, &x, scratch);
5552 }
5553 }
5554 secp256k1_sha256_finalize(&acc, b32);
5555 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5556
5557 secp256k1_scratch_space_destroy(CTX, scratch);
5558}
5559
5560static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5561 /* Using test_ecmult_accumulate, test ecmult for:
5562 * - Key 0
5563 * - Key 1
5564 * - Key -1
5565 * - For i in range(iter):
5566 * - Key SHA256(LE32(prefix) || LE16(i))
5567 */
5568 secp256k1_scalar x;
5569 secp256k1_sha256 acc;
5570 unsigned char b32[32];
5571 unsigned char inp[6];
5572 size_t i;
5573 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5574
5575 inp[0] = prefix & 0xFF;
5576 inp[1] = (prefix >> 8) & 0xFF;
5577 inp[2] = (prefix >> 16) & 0xFF;
5578 inp[3] = (prefix >> 24) & 0xFF;
5579 secp256k1_sha256_initialize(&acc);
5580 secp256k1_scalar_set_int(&x, 0);
5581 test_ecmult_accumulate(&acc, &x, scratch);
5582 secp256k1_scalar_set_int(&x, 1);
5583 test_ecmult_accumulate(&acc, &x, scratch);
5584 secp256k1_scalar_negate(&x, &x);
5585 test_ecmult_accumulate(&acc, &x, scratch);
5586
5587 for (i = 0; i < iter; ++i) {
5588 secp256k1_sha256 gen;
5589 inp[4] = i & 0xff;
5590 inp[5] = (i >> 8) & 0xff;
5591 secp256k1_sha256_initialize(&gen);
5592 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5593 secp256k1_sha256_finalize(&gen, b32);
5594 secp256k1_scalar_set_b32(&x, b32, NULL);
5595 test_ecmult_accumulate(&acc, &x, scratch);
5596 }
5597 secp256k1_sha256_finalize(&acc, b32);
5598 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5599
5600 secp256k1_scratch_space_destroy(CTX, scratch);
5601}
5602
5603static void run_ecmult_constants(void) {
5604 /* Expected hashes of all points in the tests below. Computed using an
5605 * independent implementation. */
5606 static const unsigned char expected32_6bit20[32] = {
5607 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5608 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5609 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5610 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5611 };
5612 static const unsigned char expected32_8bit8[32] = {
5613 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5614 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5615 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5616 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5617 };
5618 /* For every combination of 6 bit positions out of 256, restricted to
5619 * 20-bit windows (i.e., the first and last bit position are no more than
5620 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5621 * this test. */
5622 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5623 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5624 }
5625
5626 /* For every combination of 8 consecutive bit positions, all 256 bit
5627 * patterns occur in the input scalars used in this test. */
5628 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5629 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5630 }
5631
5632 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5633 test_ecmult_constants_2bit();
5634 }
5635}
5636
5637static void test_ecmult_gen_blind(void) {
5638 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5639 secp256k1_scalar key;
5640 secp256k1_scalar b;
5641 unsigned char seed32[32];
5642 secp256k1_gej pgej;
5643 secp256k1_gej pgej2;
5644 secp256k1_gej i;
5645 secp256k1_ge pge;
5646 random_scalar_order_test(&key);
5647 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5648 secp256k1_testrand256(seed32);
5649 b = CTX->ecmult_gen_ctx.blind;
5650 i = CTX->ecmult_gen_ctx.initial;
5651 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32);
5652 CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5653 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5654 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5655 CHECK(!gej_xyz_equals_gej(&i, &CTX->ecmult_gen_ctx.initial));
5656 secp256k1_ge_set_gej(&pge, &pgej);
5657 ge_equals_gej(&pge, &pgej2);
5658}
5659
5660static void test_ecmult_gen_blind_reset(void) {
5661 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5662 secp256k1_scalar b;
5663 secp256k1_gej initial;
5664 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5665 b = CTX->ecmult_gen_ctx.blind;
5666 initial = CTX->ecmult_gen_ctx.initial;
5667 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0);
5668 CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind));
5669 CHECK(gej_xyz_equals_gej(&initial, &CTX->ecmult_gen_ctx.initial));
5670}
5671
5672static void run_ecmult_gen_blind(void) {
5673 int i;
5674 test_ecmult_gen_blind_reset();
5675 for (i = 0; i < 10; i++) {
5676 test_ecmult_gen_blind();
5677 }
5678}
5679
5680/***** ENDOMORPHISH TESTS *****/
5681static void test_scalar_split(const secp256k1_scalar* full) {
5682 secp256k1_scalar s, s1, slam;
5683 const unsigned char zero[32] = {0};
5684 unsigned char tmp[32];
5685
5686 secp256k1_scalar_split_lambda(&s1, &slam, full);
5687
5688 /* check slam*lambda + s1 == full */
5689 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5690 secp256k1_scalar_add(&s, &s, &s1);
5691 CHECK(secp256k1_scalar_eq(&s, full));
5692
5693 /* check that both are <= 128 bits in size */
5694 if (secp256k1_scalar_is_high(&s1)) {
5695 secp256k1_scalar_negate(&s1, &s1);
5696 }
5697 if (secp256k1_scalar_is_high(&slam)) {
5698 secp256k1_scalar_negate(&slam, &slam);
5699 }
5700
5701 secp256k1_scalar_get_b32(tmp, &s1);
5702 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5703 secp256k1_scalar_get_b32(tmp, &slam);
5704 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5705}
5706
5707
5708static void run_endomorphism_tests(void) {
5709 unsigned i;
5710 static secp256k1_scalar s;
5711 test_scalar_split(&secp256k1_scalar_zero);
5712 test_scalar_split(&secp256k1_scalar_one);
5713 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5714 test_scalar_split(&s);
5715 test_scalar_split(&secp256k1_const_lambda);
5716 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5717 test_scalar_split(&s);
5718
5719 for (i = 0; i < 100U * COUNT; ++i) {
5720 secp256k1_scalar full;
5721 random_scalar_order_test(&full);
5722 test_scalar_split(&full);
5723 }
5724 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5725 test_scalar_split(&scalars_near_split_bounds[i]);
5726 }
5727}
5728
5729static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5730 unsigned char pubkeyc[65];
5731 secp256k1_pubkey pubkey;
5732 secp256k1_ge ge;
5733 size_t pubkeyclen;
5734 int32_t ecount;
5735 ecount = 0;
5736 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
5737 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5738 /* Smaller sizes are tested exhaustively elsewhere. */
5739 int32_t i;
5740 memcpy(&pubkeyc[1], input, 64);
5741 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5742 for (i = 0; i < 256; i++) {
5743 /* Try all type bytes. */
5744 int xpass;
5745 int ypass;
5746 int ysign;
5747 pubkeyc[0] = i;
5748 /* What sign does this point have? */
5749 ysign = (input[63] & 1) + 2;
5750 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5751 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5752 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5753 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5754 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5755 if (xpass || ypass) {
5756 /* These cases must parse. */
5757 unsigned char pubkeyo[65];
5758 size_t outl;
5759 memset(&pubkey, 0, sizeof(pubkey));
5760 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5761 ecount = 0;
5762 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5763 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5764 outl = 65;
5765 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5766 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5767 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5768 CHECK(outl == 33);
5769 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5770 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5771 if (ypass) {
5772 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5773 CHECK(pubkeyo[0] == ysign);
5774 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5775 memset(&pubkey, 0, sizeof(pubkey));
5776 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5777 secp256k1_pubkey_save(&pubkey, &ge);
5778 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5779 outl = 65;
5780 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5781 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5782 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5783 CHECK(outl == 65);
5784 CHECK(pubkeyo[0] == 4);
5785 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5786 }
5787 CHECK(ecount == 0);
5788 } else {
5789 /* These cases must fail to parse. */
5790 memset(&pubkey, 0xfe, sizeof(pubkey));
5791 ecount = 0;
5792 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5793 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5794 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5795 CHECK(ecount == 0);
5796 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
5797 CHECK(ecount == 1);
5798 }
5799 }
5800 }
5801 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
5802}
5803
5804static void run_ec_pubkey_parse_test(void) {
5805#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5806 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5807 {
5808 /* Point with leading and trailing zeros in x and y serialization. */
5809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5811 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5812 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5813 },
5814 {
5815 /* Point with x equal to a 3rd root of unity.*/
5816 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5817 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5818 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5819 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5820 },
5821 {
5822 /* Point with largest x. (1/2) */
5823 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5824 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5825 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5826 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5827 },
5828 {
5829 /* Point with largest x. (2/2) */
5830 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5831 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5832 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5833 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5834 },
5835 {
5836 /* Point with smallest x. (1/2) */
5837 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5838 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5839 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5840 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5841 },
5842 {
5843 /* Point with smallest x. (2/2) */
5844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5846 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5847 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5848 },
5849 {
5850 /* Point with largest y. (1/3) */
5851 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5852 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5853 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5854 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5855 },
5856 {
5857 /* Point with largest y. (2/3) */
5858 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5859 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5860 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5861 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5862 },
5863 {
5864 /* Point with largest y. (3/3) */
5865 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5866 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5867 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5868 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5869 },
5870 {
5871 /* Point with smallest y. (1/3) */
5872 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5873 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5874 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5875 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5876 },
5877 {
5878 /* Point with smallest y. (2/3) */
5879 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5880 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5881 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5882 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5883 },
5884 {
5885 /* Point with smallest y. (3/3) */
5886 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5887 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5890 }
5891 };
5892#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5893 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5894 {
5895 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5896 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5897 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5898 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5899 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5900 },
5901 {
5902 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5903 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5904 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5905 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5906 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5907 },
5908 {
5909 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5910 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5911 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5912 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5913 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5914 },
5915 {
5916 /* x on curve, y is from y^2 = x^3 + 8. */
5917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5921 }
5922 };
5923#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5924 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5925 {
5926 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5927 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5928 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5929 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5930 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5931 },
5932 {
5933 /* Valid if x overflow ignored (x = 1 mod p). */
5934 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5935 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5936 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5937 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5938 },
5939 {
5940 /* Valid if x overflow ignored (x = 1 mod p). */
5941 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5942 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5943 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5944 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5945 },
5946 {
5947 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5948 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5949 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5950 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5951 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5952 },
5953 {
5954 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5955 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5956 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5957 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5958 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5959 },
5960 {
5961 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5962 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5963 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5964 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5965 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5966 },
5967 {
5968 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5969 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5970 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5971 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5972 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5973 }
5974 };
5975 const unsigned char pubkeyc[66] = {
5976 /* Serialization of G. */
5977 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5978 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5979 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5980 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5981 0xB8, 0x00
5982 };
5983 unsigned char sout[65];
5984 unsigned char shortkey[2];
5985 secp256k1_ge ge;
5986 secp256k1_pubkey pubkey;
5987 size_t len;
5988 int32_t i;
5989 int32_t ecount;
5990 int32_t ecount2;
5991 ecount = 0;
5992 /* Nothing should be reading this far into pubkeyc. */
5993 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
5994 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
5995 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5996 memset(&pubkey, 0xfe, sizeof(pubkey));
5997 ecount = 0;
5998 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
5999 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6000 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
6001 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6002 CHECK(ecount == 0);
6003 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6004 CHECK(ecount == 1);
6005 /* Length one claimed, fail, zeroize, no illegal arg error. */
6006 for (i = 0; i < 256 ; i++) {
6007 memset(&pubkey, 0xfe, sizeof(pubkey));
6008 ecount = 0;
6009 shortkey[0] = i;
6010 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
6011 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6012 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
6013 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6014 CHECK(ecount == 0);
6015 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6016 CHECK(ecount == 1);
6017 }
6018 /* Length two claimed, fail, zeroize, no illegal arg error. */
6019 for (i = 0; i < 65536 ; i++) {
6020 memset(&pubkey, 0xfe, sizeof(pubkey));
6021 ecount = 0;
6022 shortkey[0] = i & 255;
6023 shortkey[1] = i >> 8;
6024 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6025 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
6026 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6027 CHECK(ecount == 0);
6028 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6029 CHECK(ecount == 1);
6030 }
6031 memset(&pubkey, 0xfe, sizeof(pubkey));
6032 ecount = 0;
6033 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6034 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
6035 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
6036 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6037 CHECK(ecount == 0);
6038 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6039 CHECK(ecount == 1);
6040 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
6041 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65) == 0);
6042 CHECK(ecount == 2);
6043 /* NULL input string. Illegal arg and zeroize output. */
6044 memset(&pubkey, 0xfe, sizeof(pubkey));
6045 ecount = 0;
6046 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6047 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65) == 0);
6048 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6049 CHECK(ecount == 1);
6050 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6051 CHECK(ecount == 2);
6052 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
6053 memset(&pubkey, 0xfe, sizeof(pubkey));
6054 ecount = 0;
6055 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6056 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
6057 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6058 CHECK(ecount == 0);
6059 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6060 CHECK(ecount == 1);
6061 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6062 memset(&pubkey, 0xfe, sizeof(pubkey));
6063 ecount = 0;
6064 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6065 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6066 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6067 CHECK(ecount == 0);
6068 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 0);
6069 CHECK(ecount == 1);
6070 /* Valid parse. */
6071 memset(&pubkey, 0, sizeof(pubkey));
6072 ecount = 0;
6073 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6074 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6075 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6076 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6077 CHECK(ecount == 0);
6078 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6079 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6080 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6081 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6082 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
6083 ge_equals_ge(&secp256k1_ge_const_g, &ge);
6084 CHECK(ecount == 0);
6085 /* secp256k1_ec_pubkey_serialize illegal args. */
6086 ecount = 0;
6087 len = 65;
6088 CHECK(secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
6089 CHECK(ecount == 1);
6090 CHECK(len == 0);
6091 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
6092 CHECK(ecount == 2);
6093 len = 65;
6094 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6095 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
6096 SECP256K1_CHECKMEM_CHECK(sout, 65);
6097 CHECK(ecount == 3);
6098 CHECK(len == 0);
6099 len = 65;
6100 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0) == 0);
6101 CHECK(ecount == 4);
6102 CHECK(len == 0);
6103 len = 65;
6104 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6105 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
6106 SECP256K1_CHECKMEM_CHECK(sout, 65);
6107 CHECK(ecount == 4);
6108 CHECK(len == 65);
6109 /* Multiple illegal args. Should still set arg error only once. */
6110 ecount = 0;
6111 ecount2 = 11;
6112 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6113 CHECK(ecount == 1);
6114 /* Does the illegal arg callback actually change the behavior? */
6115 secp256k1_context_set_illegal_callback(CTX, uncounting_illegal_callback_fn, &ecount2);
6116 CHECK(secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65) == 0);
6117 CHECK(ecount == 1);
6118 CHECK(ecount2 == 10);
6119 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6120 /* Try a bunch of prefabbed points with all possible encodings. */
6121 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6122 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6123 }
6124 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6125 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6126 }
6127 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6128 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6129 }
6130}
6131
6132static void run_eckey_edge_case_test(void) {
6133 const unsigned char orderc[32] = {
6134 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6135 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6136 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6137 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
6138 };
6139 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6140 unsigned char ctmp[33];
6141 unsigned char ctmp2[33];
6142 secp256k1_pubkey pubkey;
6143 secp256k1_pubkey pubkey2;
6144 secp256k1_pubkey pubkey_one;
6145 secp256k1_pubkey pubkey_negone;
6146 const secp256k1_pubkey *pubkeys[3];
6147 size_t len;
6148 int32_t ecount;
6149 /* Group order is too large, reject. */
6150 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6151 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6152 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6153 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6154 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6155 /* Maximum value is too large, reject. */
6156 memset(ctmp, 255, 32);
6157 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6158 memset(&pubkey, 1, sizeof(pubkey));
6159 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6160 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6161 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6162 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6163 /* Zero is too small, reject. */
6164 memset(ctmp, 0, 32);
6165 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6166 memset(&pubkey, 1, sizeof(pubkey));
6167 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6168 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6169 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6170 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6171 /* One must be accepted. */
6172 ctmp[31] = 0x01;
6173 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6174 memset(&pubkey, 0, sizeof(pubkey));
6175 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6176 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6177 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6178 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6179 pubkey_one = pubkey;
6180 /* Group order + 1 is too large, reject. */
6181 memcpy(ctmp, orderc, 32);
6182 ctmp[31] = 0x42;
6183 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6184 memset(&pubkey, 1, sizeof(pubkey));
6185 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6186 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6187 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6188 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6189 /* -1 must be accepted. */
6190 ctmp[31] = 0x40;
6191 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6192 memset(&pubkey, 0, sizeof(pubkey));
6193 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6194 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6195 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6196 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6197 pubkey_negone = pubkey;
6198 /* Tweak of zero leaves the value unchanged. */
6199 memset(ctmp2, 0, 32);
6200 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6201 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6202 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6203 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6204 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6205 /* Multiply tweak of zero zeroizes the output. */
6206 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6207 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6208 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6209 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6210 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6211 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6212 seckey, the seckey is zeroized. */
6213 memcpy(ctmp, orderc, 32);
6214 memset(ctmp2, 0, 32);
6215 ctmp2[31] = 0x01;
6216 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6217 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6218 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6219 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6220 memcpy(ctmp, orderc, 32);
6221 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6222 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6223 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6224 tweak, the seckey is zeroized. */
6225 memcpy(ctmp, orderc, 32);
6226 ctmp[31] = 0x40;
6227 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6228 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6229 memcpy(ctmp, orderc, 32);
6230 ctmp[31] = 0x40;
6231 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6232 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6233 memcpy(ctmp, orderc, 32);
6234 ctmp[31] = 0x40;
6235 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6236 tweak, the pubkey is zeroized. */
6237 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6238 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6239 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6240 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6241 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6242 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6243 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6244 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6245 * case the pubkey is zeroized. */
6246 memcpy(ctmp, orderc, 32);
6247 ctmp[31] = 0x40;
6248 memset(ctmp2, 0, 32);
6249 ctmp2[31] = 1;
6250 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6251 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6252 ctmp2[31] = 1;
6253 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6254 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6255 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6256 /* Tweak computation wraps and results in a key of 1. */
6257 ctmp2[31] = 2;
6258 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6259 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6260 ctmp2[31] = 2;
6261 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6262 ctmp2[31] = 1;
6263 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6264 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6265 /* Tweak mul * 2 = 1+1. */
6266 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6267 ctmp2[31] = 2;
6268 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6269 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6270 /* Test argument errors. */
6271 ecount = 0;
6272 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6273 CHECK(ecount == 0);
6274 /* Zeroize pubkey on parse error. */
6275 memset(&pubkey, 0, 32);
6276 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6277 CHECK(ecount == 1);
6278 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6279 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6280 memset(&pubkey2, 0, 32);
6281 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 0);
6282 CHECK(ecount == 2);
6283 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6284 /* Plain argument errors. */
6285 ecount = 0;
6286 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6287 CHECK(ecount == 0);
6288 CHECK(secp256k1_ec_seckey_verify(CTX, NULL) == 0);
6289 CHECK(ecount == 1);
6290 ecount = 0;
6291 memset(ctmp2, 0, 32);
6292 ctmp2[31] = 4;
6293 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2) == 0);
6294 CHECK(ecount == 1);
6295 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL) == 0);
6296 CHECK(ecount == 2);
6297 ecount = 0;
6298 memset(ctmp2, 0, 32);
6299 ctmp2[31] = 4;
6300 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2) == 0);
6301 CHECK(ecount == 1);
6302 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL) == 0);
6303 CHECK(ecount == 2);
6304 ecount = 0;
6305 memset(ctmp2, 0, 32);
6306 CHECK(secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2) == 0);
6307 CHECK(ecount == 1);
6308 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL) == 0);
6309 CHECK(ecount == 2);
6310 ecount = 0;
6311 memset(ctmp2, 0, 32);
6312 ctmp2[31] = 1;
6313 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2) == 0);
6314 CHECK(ecount == 1);
6315 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL) == 0);
6316 CHECK(ecount == 2);
6317 ecount = 0;
6318 CHECK(secp256k1_ec_pubkey_create(CTX, NULL, ctmp) == 0);
6319 CHECK(ecount == 1);
6320 memset(&pubkey, 1, sizeof(pubkey));
6321 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
6322 CHECK(ecount == 2);
6323 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6324 /* secp256k1_ec_pubkey_combine tests. */
6325 ecount = 0;
6326 pubkeys[0] = &pubkey_one;
6327 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6328 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6329 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6330 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6331 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6332 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0) == 0);
6333 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6334 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6335 CHECK(ecount == 1);
6336 CHECK(secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1) == 0);
6337 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6338 CHECK(ecount == 2);
6339 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6340 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6341 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1) == 0);
6342 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6343 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6344 CHECK(ecount == 3);
6345 pubkeys[0] = &pubkey_negone;
6346 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6347 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6348 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6349 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6350 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6351 CHECK(ecount == 3);
6352 len = 33;
6353 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6354 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6355 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6356 /* Result is infinity. */
6357 pubkeys[0] = &pubkey_one;
6358 pubkeys[1] = &pubkey_negone;
6359 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6360 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6361 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6362 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6363 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6364 CHECK(ecount == 3);
6365 /* Passes through infinity but comes out one. */
6366 pubkeys[2] = &pubkey_one;
6367 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6368 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6369 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6370 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6371 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6372 CHECK(ecount == 3);
6373 len = 33;
6374 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6375 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6376 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6377 /* Adds to two. */
6378 pubkeys[1] = &pubkey_one;
6379 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6380 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6381 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6382 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6383 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6384 CHECK(ecount == 3);
6385 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6386}
6387
6388static void run_eckey_negate_test(void) {
6389 unsigned char seckey[32];
6390 unsigned char seckey_tmp[32];
6391
6392 random_scalar_order_b32(seckey);
6393 memcpy(seckey_tmp, seckey, 32);
6394
6395 /* Verify negation changes the key and changes it back */
6396 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6397 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6398 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6399 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6400
6401 /* Check that privkey alias gives same result */
6402 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6403 CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1);
6404 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6405
6406 /* Negating all 0s fails */
6407 memset(seckey, 0, 32);
6408 memset(seckey_tmp, 0, 32);
6409 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6410 /* Check that seckey is not modified */
6411 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6412
6413 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6414 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6415 * doesn't just set seckey to a constant value in case of failure. */
6416 random_scalar_order_b32(seckey);
6417 memset(seckey, 0xFF, 16);
6418 memset(seckey_tmp, 0, 32);
6419 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6420 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6421}
6422
6423static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6424 secp256k1_scalar nonce;
6425 do {
6426 random_scalar_order_test(&nonce);
6427 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6428}
6429
6430static void test_ecdsa_sign_verify(void) {
6431 secp256k1_gej pubj;
6432 secp256k1_ge pub;
6433 secp256k1_scalar one;
6434 secp256k1_scalar msg, key;
6435 secp256k1_scalar sigr, sigs;
6436 int getrec;
6437 int recid;
6438 random_scalar_order_test(&msg);
6439 random_scalar_order_test(&key);
6440 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6441 secp256k1_ge_set_gej(&pub, &pubj);
6442 getrec = secp256k1_testrand_bits(1);
6443 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6444 See the commit messages of the commit that introduced this comment for details. */
6445 if (getrec) {
6446 random_sign(&sigr, &sigs, &key, &msg, &recid);
6447 CHECK(recid >= 0 && recid < 4);
6448 } else {
6449 random_sign(&sigr, &sigs, &key, &msg, NULL);
6450 }
6451 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6452 secp256k1_scalar_set_int(&one, 1);
6453 secp256k1_scalar_add(&msg, &msg, &one);
6454 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6455}
6456
6457static void run_ecdsa_sign_verify(void) {
6458 int i;
6459 for (i = 0; i < 10*COUNT; i++) {
6460 test_ecdsa_sign_verify();
6461 }
6462}
6463
6465static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6466 (void)msg32;
6467 (void)key32;
6468 (void)algo16;
6469 memcpy(nonce32, data, 32);
6470 return (counter == 0);
6471}
6472
6473static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6474 /* Dummy nonce generator that has a fatal error on the first counter value. */
6475 if (counter == 0) {
6476 return 0;
6477 }
6478 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6479}
6480
6481static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6482 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6483 if (counter < 3) {
6484 memset(nonce32, counter==0 ? 0 : 255, 32);
6485 if (counter == 2) {
6486 nonce32[31]--;
6487 }
6488 return 1;
6489 }
6490 if (counter < 5) {
6491 static const unsigned char order[] = {
6492 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6493 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6494 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6495 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6496 };
6497 memcpy(nonce32, order, 32);
6498 if (counter == 4) {
6499 nonce32[31]++;
6500 }
6501 return 1;
6502 }
6503 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6504 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6505 if (counter > 5) {
6506 return 0;
6507 }
6508 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6509}
6510
6511static int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6512 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6513 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6514}
6515
6516static void test_ecdsa_end_to_end(void) {
6517 unsigned char extra[32] = {0x00};
6518 unsigned char privkey[32];
6519 unsigned char message[32];
6520 unsigned char privkey2[32];
6521 secp256k1_ecdsa_signature signature[6];
6522 secp256k1_scalar r, s;
6523 unsigned char sig[74];
6524 size_t siglen = 74;
6525 unsigned char pubkeyc[65];
6526 size_t pubkeyclen = 65;
6527 secp256k1_pubkey pubkey;
6528 secp256k1_pubkey pubkey_tmp;
6529 unsigned char seckey[300];
6530 size_t seckeylen = 300;
6531
6532 /* Generate a random key and message. */
6533 {
6534 secp256k1_scalar msg, key;
6535 random_scalar_order_test(&msg);
6536 random_scalar_order_test(&key);
6537 secp256k1_scalar_get_b32(privkey, &key);
6538 secp256k1_scalar_get_b32(message, &msg);
6539 }
6540
6541 /* Construct and verify corresponding public key. */
6542 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6543 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6544
6545 /* Verify exporting and importing public key. */
6546 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6547 memset(&pubkey, 0, sizeof(pubkey));
6548 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6549
6550 /* Verify negation changes the key and changes it back */
6551 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6552 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6553 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6554 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6555 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6556
6557 /* Verify private key import and export. */
6558 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6559 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6560 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6561
6562 /* Optionally tweak the keys using addition. */
6563 if (secp256k1_testrand_int(3) == 0) {
6564 int ret1;
6565 int ret2;
6566 int ret3;
6567 unsigned char rnd[32];
6568 unsigned char privkey_tmp[32];
6569 secp256k1_pubkey pubkey2;
6570 secp256k1_testrand256_test(rnd);
6571 memcpy(privkey_tmp, privkey, 32);
6572 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6573 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6574 /* Check that privkey alias gives same result */
6575 ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd);
6576 CHECK(ret1 == ret2);
6577 CHECK(ret2 == ret3);
6578 if (ret1 == 0) {
6579 return;
6580 }
6581 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6582 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6583 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6584 }
6585
6586 /* Optionally tweak the keys using multiplication. */
6587 if (secp256k1_testrand_int(3) == 0) {
6588 int ret1;
6589 int ret2;
6590 int ret3;
6591 unsigned char rnd[32];
6592 unsigned char privkey_tmp[32];
6593 secp256k1_pubkey pubkey2;
6594 secp256k1_testrand256_test(rnd);
6595 memcpy(privkey_tmp, privkey, 32);
6596 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6597 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6598 /* Check that privkey alias gives same result */
6599 ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd);
6600 CHECK(ret1 == ret2);
6601 CHECK(ret2 == ret3);
6602 if (ret1 == 0) {
6603 return;
6604 }
6605 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6606 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6607 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6608 }
6609
6610 /* Sign. */
6611 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6612 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6613 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6614 extra[31] = 1;
6615 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6616 extra[31] = 0;
6617 extra[0] = 1;
6618 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6619 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6620 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6621 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6622 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6623 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6624 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6625 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6626 /* Verify. */
6627 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6628 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6629 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6630 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6631 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6632 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6633 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6634 secp256k1_scalar_negate(&s, &s);
6635 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6636 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6637 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6638 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6639 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6640 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6641 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6642 secp256k1_scalar_negate(&s, &s);
6643 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6644 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6645 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6646 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6647
6648 /* Serialize/parse DER and verify again */
6649 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6650 memset(&signature[0], 0, sizeof(signature[0]));
6651 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6652 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6653 /* Serialize/destroy/parse DER and verify again. */
6654 siglen = 74;
6655 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6656 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6657 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6658 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6659}
6660
6661static void test_random_pubkeys(void) {
6662 secp256k1_ge elem;
6663 secp256k1_ge elem2;
6664 unsigned char in[65];
6665 /* Generate some randomly sized pubkeys. */
6666 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6667 if (secp256k1_testrand_bits(2) == 0) {
6668 len = secp256k1_testrand_bits(6);
6669 }
6670 if (len == 65) {
6671 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6672 } else {
6673 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6674 }
6675 if (secp256k1_testrand_bits(3) == 0) {
6676 in[0] = secp256k1_testrand_bits(8);
6677 }
6678 if (len > 1) {
6679 secp256k1_testrand256(&in[1]);
6680 }
6681 if (len > 33) {
6682 secp256k1_testrand256(&in[33]);
6683 }
6684 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6685 unsigned char out[65];
6686 unsigned char firstb;
6687 int res;
6688 size_t size = len;
6689 firstb = in[0];
6690 /* If the pubkey can be parsed, it should round-trip... */
6691 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6692 CHECK(size == len);
6693 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6694 /* ... except for the type of hybrid inputs. */
6695 if ((in[0] != 6) && (in[0] != 7)) {
6696 CHECK(in[0] == out[0]);
6697 }
6698 size = 65;
6699 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6700 CHECK(size == 65);
6701 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6702 ge_equals_ge(&elem,&elem2);
6703 /* Check that the X9.62 hybrid type is checked. */
6704 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6705 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6706 if (firstb == 2 || firstb == 3) {
6707 if (in[0] == firstb + 4) {
6708 CHECK(res);
6709 } else {
6710 CHECK(!res);
6711 }
6712 }
6713 if (res) {
6714 ge_equals_ge(&elem,&elem2);
6715 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6716 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6717 }
6718 }
6719}
6720
6721static void run_pubkey_comparison(void) {
6722 unsigned char pk1_ser[33] = {
6723 0x02,
6724 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6725 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6726 };
6727 const unsigned char pk2_ser[33] = {
6728 0x02,
6729 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6730 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6731 };
6732 secp256k1_pubkey pk1;
6733 secp256k1_pubkey pk2;
6734 int32_t ecount = 0;
6735
6736 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6737 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6738
6739 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
6740 CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0);
6741 CHECK(ecount == 1);
6742 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0);
6743 CHECK(ecount == 2);
6744 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6745 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6746 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6747 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6748 CHECK(ecount == 2);
6749 {
6750 secp256k1_pubkey pk_tmp;
6751 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6752 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0);
6753 CHECK(ecount == 3);
6754 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6755 CHECK(ecount == 5);
6756 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0);
6757 CHECK(ecount == 6);
6758 }
6759
6760 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6761
6762 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6763 * an uncompressed encoding, these would have the opposite ordering */
6764 pk1_ser[0] = 3;
6765 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6766 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6767 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6768}
6769
6770static void run_random_pubkeys(void) {
6771 int i;
6772 for (i = 0; i < 10*COUNT; i++) {
6773 test_random_pubkeys();
6774 }
6775}
6776
6777static void run_ecdsa_end_to_end(void) {
6778 int i;
6779 for (i = 0; i < 64*COUNT; i++) {
6780 test_ecdsa_end_to_end();
6781 }
6782}
6783
6784static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6785 static const unsigned char zeroes[32] = {0};
6786
6787 int ret = 0;
6788
6789 secp256k1_ecdsa_signature sig_der;
6790 unsigned char roundtrip_der[2048];
6791 unsigned char compact_der[64];
6792 size_t len_der = 2048;
6793 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6794
6795 secp256k1_ecdsa_signature sig_der_lax;
6796 unsigned char roundtrip_der_lax[2048];
6797 unsigned char compact_der_lax[64];
6798 size_t len_der_lax = 2048;
6799 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6800
6801 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
6802 if (parsed_der) {
6803 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
6804 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6805 }
6806 if (valid_der) {
6807 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
6808 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6809 }
6810
6811 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
6812 if (parsed_der_lax) {
6813 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
6814 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6815 }
6816 if (valid_der_lax) {
6817 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6818 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6819 }
6820
6821 if (certainly_der) {
6822 ret |= (!parsed_der) << 2;
6823 }
6824 if (certainly_not_der) {
6825 ret |= (parsed_der) << 17;
6826 }
6827 if (valid_der) {
6828 ret |= (!roundtrips_der) << 3;
6829 }
6830
6831 if (valid_der) {
6832 ret |= (!roundtrips_der_lax) << 12;
6833 ret |= (len_der != len_der_lax) << 13;
6834 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6835 }
6836 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6837 if (parsed_der) {
6838 ret |= (!parsed_der_lax) << 16;
6839 }
6840
6841 return ret;
6842}
6843
6844static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6845 size_t i;
6846 for (i = 0; i < ptrlen; i++) {
6847 int shift = ptrlen - 1 - i;
6848 if (shift >= 4) {
6849 ptr[i] = 0;
6850 } else {
6851 ptr[i] = (val >> shift) & 0xFF;
6852 }
6853 }
6854}
6855
6856static void damage_array(unsigned char *sig, size_t *len) {
6857 int pos;
6858 int action = secp256k1_testrand_bits(3);
6859 if (action < 1 && *len > 3) {
6860 /* Delete a byte. */
6861 pos = secp256k1_testrand_int(*len);
6862 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6863 (*len)--;
6864 return;
6865 } else if (action < 2 && *len < 2048) {
6866 /* Insert a byte. */
6867 pos = secp256k1_testrand_int(1 + *len);
6868 memmove(sig + pos + 1, sig + pos, *len - pos);
6869 sig[pos] = secp256k1_testrand_bits(8);
6870 (*len)++;
6871 return;
6872 } else if (action < 4) {
6873 /* Modify a byte. */
6874 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6875 return;
6876 } else { /* action < 8 */
6877 /* Modify a bit. */
6878 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6879 return;
6880 }
6881}
6882
6883static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6884 int der;
6885 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6886 size_t tlen, elen, glen;
6887 int indet;
6888 int n;
6889
6890 *len = 0;
6891 der = secp256k1_testrand_bits(2) == 0;
6892 *certainly_der = der;
6893 *certainly_not_der = 0;
6894 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6895
6896 for (n = 0; n < 2; n++) {
6897 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6898 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6899 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6900 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6901 CHECK(nlen[n] <= 232);
6902 /* The top bit of the number. */
6903 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6904 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6905 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6906 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6907 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6908 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6909 *certainly_not_der = 1;
6910 }
6911 CHECK(nlen[n] + nzlen[n] <= 300);
6912 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6913 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6914 if (!der) {
6915 /* nlenlen[n] max 127 bytes */
6916 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6917 nlenlen[n] += add;
6918 if (add != 0) {
6919 *certainly_not_der = 1;
6920 }
6921 }
6922 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6923 }
6924
6925 /* The total length of the data to go, so far */
6926 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6927 CHECK(tlen <= 856);
6928
6929 /* The length of the garbage inside the tuple. */
6930 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6931 if (elen != 0) {
6932 *certainly_not_der = 1;
6933 }
6934 tlen += elen;
6935 CHECK(tlen <= 980);
6936
6937 /* The length of the garbage after the end of the tuple. */
6938 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6939 if (glen != 0) {
6940 *certainly_not_der = 1;
6941 }
6942 CHECK(tlen + glen <= 990);
6943
6944 /* Write the tuple header. */
6945 sig[(*len)++] = 0x30;
6946 if (indet) {
6947 /* Indeterminate length */
6948 sig[(*len)++] = 0x80;
6949 *certainly_not_der = 1;
6950 } else {
6951 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6952 if (!der) {
6953 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6954 tlenlen += add;
6955 if (add != 0) {
6956 *certainly_not_der = 1;
6957 }
6958 }
6959 if (tlenlen == 0) {
6960 /* Short length notation */
6961 sig[(*len)++] = tlen;
6962 } else {
6963 /* Long length notation */
6964 sig[(*len)++] = 128 + tlenlen;
6965 assign_big_endian(sig + *len, tlenlen, tlen);
6966 *len += tlenlen;
6967 }
6968 tlen += tlenlen;
6969 }
6970 tlen += 2;
6971 CHECK(tlen + glen <= 1119);
6972
6973 for (n = 0; n < 2; n++) {
6974 /* Write the integer header. */
6975 sig[(*len)++] = 0x02;
6976 if (nlenlen[n] == 0) {
6977 /* Short length notation */
6978 sig[(*len)++] = nlen[n] + nzlen[n];
6979 } else {
6980 /* Long length notation. */
6981 sig[(*len)++] = 128 + nlenlen[n];
6982 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6983 *len += nlenlen[n];
6984 }
6985 /* Write zero padding */
6986 while (nzlen[n] > 0) {
6987 sig[(*len)++] = 0x00;
6988 nzlen[n]--;
6989 }
6990 if (nlen[n] == 32 && !nlow[n]) {
6991 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6992 int i;
6993 for (i = 0; i < 16; i++) {
6994 sig[(*len)++] = 0xFF;
6995 }
6996 nlen[n] -= 16;
6997 }
6998 /* Write first byte of number */
6999 if (nlen[n] > 0) {
7000 sig[(*len)++] = nhbyte[n];
7001 nlen[n]--;
7002 }
7003 /* Generate remaining random bytes of number */
7004 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
7005 *len += nlen[n];
7006 nlen[n] = 0;
7007 }
7008
7009 /* Generate random garbage inside tuple. */
7010 secp256k1_testrand_bytes_test(sig + *len, elen);
7011 *len += elen;
7012
7013 /* Generate end-of-contents bytes. */
7014 if (indet) {
7015 sig[(*len)++] = 0;
7016 sig[(*len)++] = 0;
7017 tlen += 2;
7018 }
7019 CHECK(tlen + glen <= 1121);
7020
7021 /* Generate random garbage outside tuple. */
7022 secp256k1_testrand_bytes_test(sig + *len, glen);
7023 *len += glen;
7024 tlen += glen;
7025 CHECK(tlen <= 1121);
7026 CHECK(tlen == *len);
7027}
7028
7029static void run_ecdsa_der_parse(void) {
7030 int i,j;
7031 for (i = 0; i < 200 * COUNT; i++) {
7032 unsigned char buffer[2048];
7033 size_t buflen = 0;
7034 int certainly_der = 0;
7035 int certainly_not_der = 0;
7036 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7037 CHECK(buflen <= 2048);
7038 for (j = 0; j < 16; j++) {
7039 int ret = 0;
7040 if (j > 0) {
7041 damage_array(buffer, &buflen);
7042 /* We don't know anything anymore about the DERness of the result */
7043 certainly_der = 0;
7044 certainly_not_der = 0;
7045 }
7046 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7047 if (ret != 0) {
7048 size_t k;
7049 fprintf(stderr, "Failure %x on ", ret);
7050 for (k = 0; k < buflen; k++) {
7051 fprintf(stderr, "%02x ", buffer[k]);
7052 }
7053 fprintf(stderr, "\n");
7054 }
7055 CHECK(ret == 0);
7056 }
7057 }
7058}
7059
7060/* Tests several edge cases. */
7061static void test_ecdsa_edge_cases(void) {
7062 int t;
7063 secp256k1_ecdsa_signature sig;
7064
7065 /* Test the case where ECDSA recomputes a point that is infinity. */
7066 {
7067 secp256k1_gej keyj;
7068 secp256k1_ge key;
7069 secp256k1_scalar msg;
7070 secp256k1_scalar sr, ss;
7071 secp256k1_scalar_set_int(&ss, 1);
7072 secp256k1_scalar_negate(&ss, &ss);
7073 secp256k1_scalar_inverse(&ss, &ss);
7074 secp256k1_scalar_set_int(&sr, 1);
7075 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
7076 secp256k1_ge_set_gej(&key, &keyj);
7077 msg = ss;
7078 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7079 }
7080
7081 /* Verify signature with r of zero fails. */
7082 {
7083 const unsigned char pubkey_mods_zero[33] = {
7084 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7085 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7086 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7087 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7088 0x41
7089 };
7090 secp256k1_ge key;
7091 secp256k1_scalar msg;
7092 secp256k1_scalar sr, ss;
7093 secp256k1_scalar_set_int(&ss, 1);
7094 secp256k1_scalar_set_int(&msg, 0);
7095 secp256k1_scalar_set_int(&sr, 0);
7096 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7097 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7098 }
7099
7100 /* Verify signature with s of zero fails. */
7101 {
7102 const unsigned char pubkey[33] = {
7103 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7107 0x01
7108 };
7109 secp256k1_ge key;
7110 secp256k1_scalar msg;
7111 secp256k1_scalar sr, ss;
7112 secp256k1_scalar_set_int(&ss, 0);
7113 secp256k1_scalar_set_int(&msg, 0);
7114 secp256k1_scalar_set_int(&sr, 1);
7115 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7116 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7117 }
7118
7119 /* Verify signature with message 0 passes. */
7120 {
7121 const unsigned char pubkey[33] = {
7122 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7124 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7125 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7126 0x02
7127 };
7128 const unsigned char pubkey2[33] = {
7129 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7131 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7132 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7133 0x43
7134 };
7135 secp256k1_ge key;
7136 secp256k1_ge key2;
7137 secp256k1_scalar msg;
7138 secp256k1_scalar sr, ss;
7139 secp256k1_scalar_set_int(&ss, 2);
7140 secp256k1_scalar_set_int(&msg, 0);
7141 secp256k1_scalar_set_int(&sr, 2);
7142 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7143 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7144 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7145 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7146 secp256k1_scalar_negate(&ss, &ss);
7147 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7148 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7149 secp256k1_scalar_set_int(&ss, 1);
7150 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7151 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7152 }
7153
7154 /* Verify signature with message 1 passes. */
7155 {
7156 const unsigned char pubkey[33] = {
7157 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7158 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7159 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7160 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7161 0x25
7162 };
7163 const unsigned char pubkey2[33] = {
7164 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7165 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7166 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7167 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7168 0x62
7169 };
7170 const unsigned char csr[32] = {
7171 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7172 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7173 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7174 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7175 };
7176 secp256k1_ge key;
7177 secp256k1_ge key2;
7178 secp256k1_scalar msg;
7179 secp256k1_scalar sr, ss;
7180 secp256k1_scalar_set_int(&ss, 1);
7181 secp256k1_scalar_set_int(&msg, 1);
7182 secp256k1_scalar_set_b32(&sr, csr, NULL);
7183 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7184 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7185 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7186 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7187 secp256k1_scalar_negate(&ss, &ss);
7188 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7189 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7190 secp256k1_scalar_set_int(&ss, 2);
7191 secp256k1_scalar_inverse_var(&ss, &ss);
7192 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7193 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7194 }
7195
7196 /* Verify signature with message -1 passes. */
7197 {
7198 const unsigned char pubkey[33] = {
7199 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7200 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7201 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7202 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7203 0xf1
7204 };
7205 const unsigned char csr[32] = {
7206 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7207 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7208 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7209 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7210 };
7211 secp256k1_ge key;
7212 secp256k1_scalar msg;
7213 secp256k1_scalar sr, ss;
7214 secp256k1_scalar_set_int(&ss, 1);
7215 secp256k1_scalar_set_int(&msg, 1);
7216 secp256k1_scalar_negate(&msg, &msg);
7217 secp256k1_scalar_set_b32(&sr, csr, NULL);
7218 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7219 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7220 secp256k1_scalar_negate(&ss, &ss);
7221 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7222 secp256k1_scalar_set_int(&ss, 3);
7223 secp256k1_scalar_inverse_var(&ss, &ss);
7224 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7225 }
7226
7227 /* Signature where s would be zero. */
7228 {
7229 secp256k1_pubkey pubkey;
7230 size_t siglen;
7231 int32_t ecount;
7232 unsigned char signature[72];
7233 static const unsigned char nonce[32] = {
7234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7238 };
7239 static const unsigned char nonce2[32] = {
7240 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7241 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7242 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7243 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7244 };
7245 const unsigned char key[32] = {
7246 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7247 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7248 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7250 };
7251 unsigned char msg[32] = {
7252 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7253 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7254 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7255 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7256 };
7257 ecount = 0;
7258 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
7259 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
7260 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7261 msg[31] = 0xaa;
7262 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
7263 CHECK(ecount == 0);
7264 CHECK(secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
7265 CHECK(ecount == 1);
7266 CHECK(secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
7267 CHECK(ecount == 2);
7268 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
7269 CHECK(ecount == 3);
7270 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7271 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7272 CHECK(secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey) == 0);
7273 CHECK(ecount == 4);
7274 CHECK(secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey) == 0);
7275 CHECK(ecount == 5);
7276 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, NULL) == 0);
7277 CHECK(ecount == 6);
7278 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7279 CHECK(ecount == 6);
7280 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, NULL) == 0);
7281 CHECK(ecount == 7);
7282 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7283 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 0);
7284 CHECK(ecount == 8);
7285 siglen = 72;
7286 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig) == 0);
7287 CHECK(ecount == 9);
7288 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig) == 0);
7289 CHECK(ecount == 10);
7290 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL) == 0);
7291 CHECK(ecount == 11);
7292 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7293 CHECK(ecount == 11);
7294 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen) == 0);
7295 CHECK(ecount == 12);
7296 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen) == 0);
7297 CHECK(ecount == 13);
7298 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7299 CHECK(ecount == 13);
7300 siglen = 10;
7301 /* Too little room for a signature does not fail via ARGCHECK. */
7302 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7303 CHECK(ecount == 13);
7304 ecount = 0;
7305 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL) == 0);
7306 CHECK(ecount == 1);
7307 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig) == 0);
7308 CHECK(ecount == 2);
7309 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL) == 0);
7310 CHECK(ecount == 3);
7311 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7312 CHECK(ecount == 3);
7313 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature) == 0);
7314 CHECK(ecount == 4);
7315 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL) == 0);
7316 CHECK(ecount == 5);
7317 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7318 CHECK(ecount == 5);
7319 memset(signature, 255, 64);
7320 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7321 CHECK(ecount == 5);
7322 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
7323 }
7324
7325 /* Nonce function corner cases. */
7326 for (t = 0; t < 2; t++) {
7327 static const unsigned char zero[32] = {0x00};
7328 int i;
7329 unsigned char key[32];
7330 unsigned char msg[32];
7331 secp256k1_ecdsa_signature sig2;
7332 secp256k1_scalar sr[512], ss;
7333 const unsigned char *extra;
7334 extra = t == 0 ? NULL : zero;
7335 memset(msg, 0, 32);
7336 msg[31] = 1;
7337 /* High key results in signature failure. */
7338 memset(key, 0xFF, 32);
7339 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7340 CHECK(is_empty_signature(&sig));
7341 /* Zero key results in signature failure. */
7342 memset(key, 0, 32);
7343 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7344 CHECK(is_empty_signature(&sig));
7345 /* Nonce function failure results in signature failure. */
7346 key[31] = 1;
7347 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7348 CHECK(is_empty_signature(&sig));
7349 /* The retry loop successfully makes its way to the first good value. */
7350 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7351 CHECK(!is_empty_signature(&sig));
7352 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7353 CHECK(!is_empty_signature(&sig2));
7354 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7355 /* The default nonce function is deterministic. */
7356 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7357 CHECK(!is_empty_signature(&sig2));
7358 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7359 /* The default nonce function changes output with different messages. */
7360 for(i = 0; i < 256; i++) {
7361 int j;
7362 msg[0] = i;
7363 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7364 CHECK(!is_empty_signature(&sig2));
7365 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7366 for (j = 0; j < i; j++) {
7367 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7368 }
7369 }
7370 msg[0] = 0;
7371 msg[31] = 2;
7372 /* The default nonce function changes output with different keys. */
7373 for(i = 256; i < 512; i++) {
7374 int j;
7375 key[0] = i - 256;
7376 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7377 CHECK(!is_empty_signature(&sig2));
7378 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7379 for (j = 0; j < i; j++) {
7380 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7381 }
7382 }
7383 key[0] = 0;
7384 }
7385
7386 {
7387 /* Check that optional nonce arguments do not have equivalent effect. */
7388 const unsigned char zeros[32] = {0};
7389 unsigned char nonce[32];
7390 unsigned char nonce2[32];
7391 unsigned char nonce3[32];
7392 unsigned char nonce4[32];
7393 SECP256K1_CHECKMEM_UNDEFINE(nonce,32);
7394 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7395 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7396 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7397 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7398 SECP256K1_CHECKMEM_CHECK(nonce,32);
7399 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7400 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7401 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7402 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7403 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7404 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7405 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7406 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7407 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7408 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7409 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7410 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7411 }
7412
7413
7414 /* Privkey export where pubkey is the point at infinity. */
7415 {
7416 unsigned char privkey[300];
7417 unsigned char seckey[32] = {
7418 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7419 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7420 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7421 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7422 };
7423 size_t outlen = 300;
7424 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7425 outlen = 300;
7426 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7427 }
7428}
7429
7430static void run_ecdsa_edge_cases(void) {
7431 test_ecdsa_edge_cases();
7432}
7433
7438static void test_ecdsa_wycheproof(void) {
7439 #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h"
7440
7441 int t;
7442 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7443 secp256k1_ecdsa_signature signature;
7444 secp256k1_sha256 hasher;
7445 secp256k1_pubkey pubkey;
7446 const unsigned char *msg, *sig, *pk;
7447 unsigned char out[32] = {0};
7448 int actual_verify = 0;
7449
7450 memset(&pubkey, 0, sizeof(pubkey));
7451 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset];
7452 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7453
7454 secp256k1_sha256_initialize(&hasher);
7455 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset];
7456 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len);
7457 secp256k1_sha256_finalize(&hasher, out);
7458
7459 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7460 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7461 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7462 }
7463 CHECK(testvectors[t].expected_verify == actual_verify);
7464 }
7465}
7466
7467/* Tests cases from Wycheproof test suite. */
7468static void run_ecdsa_wycheproof(void) {
7469 test_ecdsa_wycheproof();
7470}
7471
7472#ifdef ENABLE_MODULE_ECDH
7473# include "modules/ecdh/tests_impl.h"
7474#endif
7475
7476#ifdef ENABLE_MODULE_MULTISET
7477# include "modules/multiset/tests_impl.h"
7478#endif
7479
7480#ifdef ENABLE_MODULE_RECOVERY
7481# include "modules/recovery/tests_impl.h"
7482#endif
7483
7484#ifdef ENABLE_MODULE_SCHNORR
7485# include "modules/schnorr/tests_impl.h"
7486#endif
7487
7488#ifdef ENABLE_MODULE_EXTRAKEYS
7489# include "modules/extrakeys/tests_impl.h"
7490#endif
7491
7492#ifdef ENABLE_MODULE_SCHNORRSIG
7493# include "modules/schnorrsig/tests_impl.h"
7494#endif
7495
7496static void run_secp256k1_memczero_test(void) {
7497 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7498 unsigned char buf2[sizeof(buf1)];
7499
7500 /* secp256k1_memczero(..., ..., 0) is a noop. */
7501 memcpy(buf2, buf1, sizeof(buf1));
7502 secp256k1_memczero(buf1, sizeof(buf1), 0);
7503 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7504
7505 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7506 memset(buf2, 0, sizeof(buf2));
7507 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7508 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7509}
7510
7511static void run_secp256k1_byteorder_tests(void) {
7512 const uint32_t x = 0xFF03AB45;
7513 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7514 unsigned char buf[4];
7515 uint32_t x_;
7516
7517 secp256k1_write_be32(buf, x);
7518 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7519
7520 x_ = secp256k1_read_be32(buf);
7521 CHECK(x == x_);
7522}
7523
7524static void int_cmov_test(void) {
7525 int r = INT_MAX;
7526 int a = 0;
7527
7528 secp256k1_int_cmov(&r, &a, 0);
7529 CHECK(r == INT_MAX);
7530
7531 r = 0; a = INT_MAX;
7532 secp256k1_int_cmov(&r, &a, 1);
7533 CHECK(r == INT_MAX);
7534
7535 a = 0;
7536 secp256k1_int_cmov(&r, &a, 1);
7537 CHECK(r == 0);
7538
7539 a = 1;
7540 secp256k1_int_cmov(&r, &a, 1);
7541 CHECK(r == 1);
7542
7543 r = 1; a = 0;
7544 secp256k1_int_cmov(&r, &a, 0);
7545 CHECK(r == 1);
7546
7547}
7548
7549static void fe_cmov_test(void) {
7550 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7551 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7552 static const secp256k1_fe max = SECP256K1_FE_CONST(
7553 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7554 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7555 );
7556 secp256k1_fe r = max;
7557 secp256k1_fe a = zero;
7558
7559 secp256k1_fe_cmov(&r, &a, 0);
7560 CHECK(fe_identical(&r, &max));
7561
7562 r = zero; a = max;
7563 secp256k1_fe_cmov(&r, &a, 1);
7564 CHECK(fe_identical(&r, &max));
7565
7566 a = zero;
7567 secp256k1_fe_cmov(&r, &a, 1);
7568 CHECK(fe_identical(&r, &zero));
7569
7570 a = one;
7571 secp256k1_fe_cmov(&r, &a, 1);
7572 CHECK(fe_identical(&r, &one));
7573
7574 r = one; a = zero;
7575 secp256k1_fe_cmov(&r, &a, 0);
7576 CHECK(fe_identical(&r, &one));
7577}
7578
7579static void fe_storage_cmov_test(void) {
7580 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7581 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7582 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7583 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7584 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7585 );
7586 secp256k1_fe_storage r = max;
7587 secp256k1_fe_storage a = zero;
7588
7589 secp256k1_fe_storage_cmov(&r, &a, 0);
7590 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7591
7592 r = zero; a = max;
7593 secp256k1_fe_storage_cmov(&r, &a, 1);
7594 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7595
7596 a = zero;
7597 secp256k1_fe_storage_cmov(&r, &a, 1);
7598 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7599
7600 a = one;
7601 secp256k1_fe_storage_cmov(&r, &a, 1);
7602 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7603
7604 r = one; a = zero;
7605 secp256k1_fe_storage_cmov(&r, &a, 0);
7606 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7607}
7608
7609static void scalar_cmov_test(void) {
7610 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7611 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7612 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7613 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7614 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7615 );
7616 secp256k1_scalar r = max;
7617 secp256k1_scalar a = zero;
7618
7619 secp256k1_scalar_cmov(&r, &a, 0);
7620 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7621
7622 r = zero; a = max;
7623 secp256k1_scalar_cmov(&r, &a, 1);
7624 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7625
7626 a = zero;
7627 secp256k1_scalar_cmov(&r, &a, 1);
7628 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7629
7630 a = one;
7631 secp256k1_scalar_cmov(&r, &a, 1);
7632 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7633
7634 r = one; a = zero;
7635 secp256k1_scalar_cmov(&r, &a, 0);
7636 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7637}
7638
7639static void ge_storage_cmov_test(void) {
7640 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7641 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7642 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7643 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7644 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7645 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7646 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7647 );
7648 secp256k1_ge_storage r = max;
7649 secp256k1_ge_storage a = zero;
7650
7651 secp256k1_ge_storage_cmov(&r, &a, 0);
7652 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7653
7654 r = zero; a = max;
7655 secp256k1_ge_storage_cmov(&r, &a, 1);
7656 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7657
7658 a = zero;
7659 secp256k1_ge_storage_cmov(&r, &a, 1);
7660 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7661
7662 a = one;
7663 secp256k1_ge_storage_cmov(&r, &a, 1);
7664 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7665
7666 r = one; a = zero;
7667 secp256k1_ge_storage_cmov(&r, &a, 0);
7668 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7669}
7670
7671static void run_cmov_tests(void) {
7672 int_cmov_test();
7673 fe_cmov_test();
7674 fe_storage_cmov_test();
7675 scalar_cmov_test();
7676 ge_storage_cmov_test();
7677}
7678
7679int main(int argc, char **argv) {
7680 /* Disable buffering for stdout to improve reliability of getting
7681 * diagnostic information. Happens right at the start of main because
7682 * setbuf must be used before any other operation on the stream. */
7683 setbuf(stdout, NULL);
7684 /* Also disable buffering for stderr because it's not guaranteed that it's
7685 * unbuffered on all systems. */
7686 setbuf(stderr, NULL);
7687
7688 /* find iteration count */
7689 if (argc > 1) {
7690 COUNT = strtol(argv[1], NULL, 0);
7691 } else {
7692 const char* env = getenv("SECP256K1_TEST_ITERS");
7693 if (env && strlen(env) > 0) {
7694 COUNT = strtol(env, NULL, 0);
7695 }
7696 }
7697 if (COUNT <= 0) {
7698 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7699 return EXIT_FAILURE;
7700 }
7701 printf("test count = %i\n", COUNT);
7702
7703 /* run test RNG tests (must run before we really initialize the test RNG) */
7704 run_xoshiro256pp_tests();
7705
7706 /* find random seed */
7707 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7708
7709 /*** Setup test environment ***/
7710
7711 /* Create a global context available to all tests */
7712 CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
7713 /* Randomize the context only with probability 15/16
7714 to make sure we test without context randomization from time to time.
7715 TODO Reconsider this when recalibrating the tests. */
7716 if (secp256k1_testrand_bits(4)) {
7717 unsigned char rand32[32];
7718 secp256k1_testrand256(rand32);
7719 CHECK(secp256k1_context_randomize(CTX, rand32));
7720 }
7721 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
7722 that write to the context. The API does not support cloning the static context, so we use
7723 memcpy instead. The user is not supposed to copy a context but we should still ensure that
7724 the API functions handle copies of the static context gracefully. */
7725 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
7726 CHECK(STATIC_CTX != NULL);
7727 memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context));
7728 CHECK(!secp256k1_context_is_proper(STATIC_CTX));
7729
7730 /*** Run actual tests ***/
7731
7732 /* selftest tests */
7733 run_selftest_tests();
7734
7735 /* context tests */
7736 run_proper_context_tests(0); run_proper_context_tests(1);
7737 run_static_context_tests(0); run_static_context_tests(1);
7738 run_deprecated_context_flags_test();
7739
7740 /* scratch tests */
7741 run_scratch_tests();
7742
7743 /* integer arithmetic tests */
7744#ifdef SECP256K1_WIDEMUL_INT128
7745 run_int128_tests();
7746#endif
7747 run_ctz_tests();
7748 run_modinv_tests();
7749 run_inverse_tests();
7750
7751 /* hash tests */
7752 run_sha256_known_output_tests();
7753 run_sha256_counter_tests();
7754 run_hmac_sha256_tests();
7755 run_rfc6979_hmac_sha256_tests();
7756 run_tagged_sha256_tests();
7757
7758 /* scalar tests */
7759 run_scalar_tests();
7760
7761 /* field tests */
7762 run_field_half();
7763 run_field_misc();
7764 run_field_convert();
7765 run_field_be32_overflow();
7766 run_fe_mul();
7767 run_sqr();
7768 run_sqrt();
7769
7770 /* group tests */
7771 run_ge();
7772 run_gej();
7773 run_group_decompress();
7774
7775 /* ecmult tests */
7776 run_ecmult_pre_g();
7777 run_wnaf();
7778 run_point_times_order();
7779 run_ecmult_near_split_bound();
7780 run_ecmult_chain();
7781 run_ecmult_constants();
7782 run_ecmult_gen_blind();
7783 run_ecmult_const_tests();
7784 run_ecmult_multi_tests();
7785 run_ec_combine();
7786
7787 /* endomorphism tests */
7788 run_endomorphism_tests();
7789
7790 /* EC point parser test */
7791 run_ec_pubkey_parse_test();
7792
7793 /* EC key edge cases */
7794 run_eckey_edge_case_test();
7795
7796 /* EC key arithmetic test */
7797 run_eckey_negate_test();
7798
7799#ifdef ENABLE_MODULE_ECDH
7800 /* ecdh tests */
7801 run_ecdh_tests();
7802#endif
7803
7804 /* ecdsa tests */
7805 run_ec_illegal_argument_tests();
7806 run_pubkey_comparison();
7807 run_random_pubkeys();
7808 run_ecdsa_der_parse();
7809 run_ecdsa_sign_verify();
7810 run_ecdsa_end_to_end();
7811 run_ecdsa_edge_cases();
7812 run_ecdsa_wycheproof();
7813
7814#ifdef ENABLE_MODULE_MULTISET
7815 run_multiset_tests();
7816#endif
7817
7818#ifdef ENABLE_MODULE_RECOVERY
7819 /* ECDSA pubkey recovery tests */
7820 run_recovery_tests();
7821#endif
7822
7823#ifdef ENABLE_MODULE_SCHNORR
7824 /* Schnorr signature tests */
7825 run_schnorr_tests();
7826#endif
7827
7828#ifdef ENABLE_MODULE_EXTRAKEYS
7829 run_extrakeys_tests();
7830#endif
7831
7832#ifdef ENABLE_MODULE_SCHNORRSIG
7833 run_schnorrsig_tests();
7834#endif
7835
7836 /* util tests */
7837 run_secp256k1_memczero_test();
7838 run_secp256k1_byteorder_tests();
7839
7840 run_cmov_tests();
7841
7842 /*** Tear down test environment ***/
7843 free(STATIC_CTX);
7844 secp256k1_context_destroy(CTX);
7845
7846 secp256k1_testrand_finish();
7847
7848 printf("no problems found\n");
7849 return 0;
7850}
flags
int flags
Definition: bitcoin-tx.cpp:546
SECP256K1_CHECKMEM_UNDEFINE
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:76
SECP256K1_CHECKMEM_CHECK
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:78
tests_impl.h
run_ecdh_tests
static void run_ecdh_tests(void)
Definition: tests_impl.h:158
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecdsa_secp256k1_sha256_bitcoin_test.h
wycheproof_ecdsa_signatures
static const unsigned char wycheproof_ecdsa_signatures[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:173
wycheproof_ecdsa_public_keys
static const unsigned char wycheproof_ecdsa_public_keys[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:73
wycheproof_ecdsa_messages
static const unsigned char wycheproof_ecdsa_messages[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:13
SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:2
testvectors
static const wycheproof_ecdsa_testvector testvectors[SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:636
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:67
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:602
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:732
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:398
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:413
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:159
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:353
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:573
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:723
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:793
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:640
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:45
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:811
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
static void run_extrakeys_tests(void)
Definition: tests_impl.h:553
secp256k1_fe_cmov
#define secp256k1_fe_cmov
Definition: field.h:96
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal, without constant-time guarantee.
secp256k1_fe_normalizes_to_zero_var
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
secp256k1_fe_mul_int
#define secp256k1_fe_mul_int
Definition: field.h:92
secp256k1_fe_negate
#define secp256k1_fe_negate
Definition: field.h:91
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:87
secp256k1_fe_normalize_weak
#define secp256k1_fe_normalize_weak
Definition: field.h:79
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:86
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:94
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:93
secp256k1_fe_clear
#define secp256k1_fe_clear
Definition: field.h:84
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
secp256k1_fe_half
#define secp256k1_fe_half
Definition: field.h:102
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
secp256k1_fe_to_storage
#define secp256k1_fe_to_storage
Definition: field.h:97
secp256k1_fe_inv_var
#define secp256k1_fe_inv_var
Definition: field.h:100
secp256k1_fe_is_zero
#define secp256k1_fe_is_zero
Definition: field.h:85
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:89
secp256k1_fe_is_square_var
#define secp256k1_fe_is_square_var
Definition: field.h:104
secp256k1_fe_get_bounds
#define secp256k1_fe_get_bounds
Definition: field.h:101
secp256k1_fe_from_storage
#define secp256k1_fe_from_storage
Definition: field.h:98
secp256k1_fe_set_b32_mod
#define secp256k1_fe_set_b32_mod
Definition: field.h:88
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:90
secp256k1_fe_normalizes_to_zero
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:99
secp256k1_fe_sqr
#define secp256k1_fe_sqr
Definition: field.h:95
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_add_int
#define secp256k1_fe_add_int
Definition: field.h:103
secp256k1_fe_set_int
#define secp256k1_fe_set_int
Definition: field.h:83
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
SECP256K1_B
#define SECP256K1_B
Definition: group_impl.h:71
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:70
int128_impl.h
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:45
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:59
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:40
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:66
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:32
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:71
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:80
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:36
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:84
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:75
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:49
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:23
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
Definition: int128_native_impl.h:88
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:19
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:53
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:15
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:7
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:11
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:28
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
cs
static void pool cs
Definition: mempool_eviction.cpp:13
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_jacobi32_maybe_var
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_jacobi64_maybe_var
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
run_multiset_tests
static void run_multiset_tests(void)
Definition: tests_impl.h:336
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
tests_wycheproof_generate.pk
def pk
Definition: tests_wycheproof_generate.py:69
tests_wycheproof_generate.expected_verify
int expected_verify
Definition: tests_wycheproof_generate.py:46
tests_wycheproof_generate.out
string out
Definition: tests_wycheproof_generate.py:28
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8237
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:17
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:16
sig
SchnorrSig sig
Definition: processor.cpp:537
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:36
tests_impl.h
run_recovery_tests
static void run_recovery_tests(void)
Definition: tests_impl.h:361
prefix
const char * prefix
Definition: rest.cpp:813
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:62
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:66
tests_impl.h
run_schnorr_tests
static void run_schnorr_tests(void)
Definition: tests_impl.h:512
tests_impl.h
run_schnorrsig_tests
static void run_schnorrsig_tests(void)
Definition: tests_impl.h:865
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:323
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:212
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:226
ALIGNMENT
#define ALIGNMENT
Definition: util.h:156
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:69
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:341
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:305
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:349
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:64
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:294
CHECK
#define CHECK(cond)
Definition: util.h:115
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:282
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:134
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:193
secp256k1_scratch_space_destroy
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:227
secp256k1_context_is_proper
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:81
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition: secp256k1.c:74
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:353
secp256k1_scratch_space_create
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:222
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:465
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:339
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:186
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:704
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:182
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:751
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:761
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:614
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:379
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:290
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:210
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:573
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:140
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:198
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:558
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:178
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:363
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:85
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:596
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:787
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:188
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:444
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:425
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:162
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:687
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:189
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:400
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:633
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_add instead")
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:676
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:181
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_negate instead")
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:629
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:660
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:728
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:412
secp256k1_context_static
SECP256K1_API const secp256k1_context * secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.c:73
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_DEPRECATED("Use secp256k1_ec_seckey_tweak_mul instead")
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:724
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:111
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:175
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:91
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:151
ecmult_multi_data
Definition: tests.c:4620
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4621
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4622
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:55
secp256k1_callback::data
const void * data
Definition: util.h:56
secp256k1_context_struct
Definition: secp256k1.c:60
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:62
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:64
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:63
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:61
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:31
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:37
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:33
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:36
secp256k1_fe_storage
Definition: field_10x26.h:50
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:22
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
secp256k1_modinv32_modinfo::modulus_inv30
uint32_t modulus_inv30
Definition: modinv32.h:24
secp256k1_modinv32_modinfo::modulus
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:21
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:28
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_uint128
Definition: int128_struct.h:7
wycheproof_ecdsa_testvector::sig_offset
size_t sig_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:8
wycheproof_ecdsa_testvector::msg_offset
size_t msg_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:6
wycheproof_ecdsa_testvector::pk_offset
size_t pk_offset
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:5
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_seed
static SECP256K1_INLINE void secp256k1_testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
secp256k1_test_state
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
run_random_pubkeys
static void run_random_pubkeys(void)
Definition: tests.c:6770
CHECK_ILLEGAL_VOID
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:59
test_wnaf
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5239
run_inverse_tests
static void run_inverse_tests(void)
Definition: tests.c:3428
mutate_sign_signed30
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:966
ec_pubkey_parse_pointtest
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5729
test_ecdsa_sign_verify
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6430
test_ge
static void test_ge(void)
Definition: tests.c:3724
ge_equals_ge
static void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:3676
run_pubkey_comparison
static void run_pubkey_comparison(void)
Definition: tests.c:6721
run_ecdsa_sign_verify
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6457
run_field_misc
static void run_field_misc(void)
Definition: tests.c:3125
test_ecmult_gen_blind_reset
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5660
run_ec_pubkey_parse_test
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5804
run_static_context_tests
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:302
random_sign
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6423
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6473
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6481
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
test_ecmult_multi_random
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:4862
COUNT
static int COUNT
Definition: tests.c:39
mulmod256
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:864
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:72
gej_xyz_equals_gej
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3686
ecmult_gen_context_eq
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:217
run_tagged_sha256_tests
static void run_tagged_sha256_tests(void)
Definition: tests.c:814
run_sha256_counter_tests
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:671
random_scalar_order_b32
static void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:177
random_group_element_jacobian_test
static void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:130
test_fixed_wnaf_small_helper
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5365
ge_equals_gej
static void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:3707
all_bytes_equal
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:43
test_intialized_inf
static void test_intialized_inf(void)
Definition: tests.c:3923
test_fixed_wnaf_small
static void test_fixed_wnaf_small(void)
Definition: tests.c:5375
main
int main(int argc, char **argv)
Definition: tests.c:7679
run_ecmult_const_tests
static void run_ecmult_const_tests(void)
Definition: tests.c:4612
test_constant_wnaf
static void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5288
fe_identical
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3069
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_eckey_edge_case_test
static void run_eckey_edge_case_test(void)
Definition: tests.c:6132
random_fe_non_square
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:2956
run_secp256k1_byteorder_tests
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7511
run_ecmult_constants
static void run_ecmult_constants(void)
Definition: tests.c:5603
run_field_be32_overflow
static void run_field_be32_overflow(void)
Definition: tests.c:3002
test_modinv32_uint16
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:981
run_ecmult_chain
static void run_ecmult_chain(void)
Definition: tests.c:4259
test_inverse_field
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3403
run_ec_combine
static void run_ec_combine(void)
Definition: tests.c:4103
run_deprecated_context_flags_test
static void run_deprecated_context_flags_test(void)
Definition: tests.c:232
CTX
static secp256k1_context * CTX
Definition: tests.c:40
run_point_times_order
static void run_point_times_order(void)
Definition: tests.c:4433
random_group_element_test
static void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:118
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:6883
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:37
ecmult_const_commutativity
static void ecmult_const_commutativity(void)
Definition: tests.c:4481
int_cmov_test
static void int_cmov_test(void)
Definition: tests.c:7524
test_add_neg_y_diff_x
static void test_add_neg_y_diff_x(void)
Definition: tests.c:3955
test_ecmult_accumulate
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5483
test_point_times_order
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4318
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:6844
run_hmac_sha256_tests
static void run_hmac_sha256_tests(void)
Definition: tests.c:729
test_ecmult_multi_batch_single
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5028
random_gej_test
static void random_gej_test(secp256k1_gej *gej)
Definition: tests.c:145
signed30_to_uint16
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:957
is_empty_signature
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6511
run_field_half
static void run_field_half(void)
Definition: tests.c:3076
run_eckey_negate_test
static void run_eckey_negate_test(void)
Definition: tests.c:6388
scalar_test
static void scalar_test(void)
Definition: tests.c:2126
run_scalar_set_b32_seckey_tests
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2288
test_ecmult_multi
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4640
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6465
run_gej
static void run_gej(void)
Definition: tests.c:4039
random_fe
static void random_fe(secp256k1_fe *x)
Definition: tests.c:2923
random_fe_non_zero
static void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:2943
run_ge
static void run_ge(void)
Definition: tests.c:4022
ge_storage_cmov_test
static void ge_storage_cmov_test(void)
Definition: tests.c:7639
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3364
fe_storage_cmov_test
static void fe_storage_cmov_test(void)
Definition: tests.c:7579
test_ec_combine
static void test_ec_combine(void)
Definition: tests.c:4078
test_secp256k1_pippenger_bucket_window_inv
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5046
run_ctz_tests
static void run_ctz_tests(void)
Definition: tests.c:549
test_ecmult_multi_pippenger_max_points
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5066
random_field_element_test
static void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:92
run_scalar_tests
static void run_scalar_tests(void)
Definition: tests.c:2305
test_constant_wnaf_negate
static void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:5273
test_random_pubkeys
static void test_random_pubkeys(void)
Definition: tests.c:6661
random_fe_test
static void random_fe_test(secp256k1_fe *x)
Definition: tests.c:2933
test_gej_cmov
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4031
test_sqrt
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3312
scalar_cmov_test
static void scalar_cmov_test(void)
Definition: tests.c:7609
run_ecmult_gen_blind
static void run_ecmult_gen_blind(void)
Definition: tests.c:5672
test_ecdsa_end_to_end
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6516
run_sha256_known_output_tests
static void run_sha256_known_output_tests(void)
Definition: tests.c:570
test_ecmult_target
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4382
random_scalar_order
static void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:164
random_field_element_magnitude
static void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:102
run_ecdsa_end_to_end
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6777
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4625
ecmult_const_mult_xonly
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4524
run_proper_context_tests
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:343
test_fe_mul
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3232
test_group_decompress
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4110
test_ecmult_constants_2bit
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5516
run_cmov_tests
static void run_cmov_tests(void)
Definition: tests.c:7671
run_ecdsa_der_parse
static void run_ecdsa_der_parse(void)
Definition: tests.c:7029
ecmult_const_random_mult
static void ecmult_const_random_mult(void)
Definition: tests.c:4454
test_scalar_split
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5681
run_field_convert
static void run_field_convert(void)
Definition: tests.c:2972
test_ecdsa_der_parse
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:6784
run_ec_illegal_argument_tests
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:250
run_ecdsa_wycheproof
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7468
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:74
test_ecmult_constants_sha
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5560
test_ecmult_multi_batching
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5147
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:83
run_sqrt
static void run_sqrt(void)
Definition: tests.c:3326
run_modinv_tests
static void run_modinv_tests(void)
Definition: tests.c:1162
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4359
uint16_to_signed30
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:948
run_xoshiro256pp_tests
static void run_xoshiro256pp_tests(void)
Definition: tests.c:183
run_wnaf
static void run_wnaf(void)
Definition: tests.c:5429
run_ecmult_multi_tests
static void run_ecmult_multi_tests(void)
Definition: tests.c:5212
run_selftest_tests
static void run_selftest_tests(void)
Definition: tests.c:212
coprime
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1132
run_sqr
static void run_sqr(void)
Definition: tests.c:3296
context_eq
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:223
test_ecmult_multi_batch_size_helper
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5099
random_scalar_order_test
static void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:151
check_fe_equal
static int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:2964
run_endomorphism_tests
static void run_endomorphism_tests(void)
Definition: tests.c:5708
run_scratch_tests
static void run_scratch_tests(void)
Definition: tests.c:465
test_ecdsa_wycheproof
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7438
run_ecmult_near_split_bound
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4421
run_ecdsa_edge_cases
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7430
fe_cmov_test
static void fe_cmov_test(void)
Definition: tests.c:7549
run_group_decompress
static void run_group_decompress(void)
Definition: tests.c:4174
ecmult_const_mult_zero_one
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4502
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5475
test_ecdsa_edge_cases
static void test_ecdsa_edge_cases(void)
Definition: tests.c:7061
ecmult_const_chain_multiply
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4586
run_ecmult_pre_g
static void run_ecmult_pre_g(void)
Definition: tests.c:4235
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4632
test_pre_g_table
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4185
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:41
test_fixed_wnaf
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5328
test_inverse_scalar
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3381
test_ecmult_gen_blind
static void test_ecmult_gen_blind(void)
Definition: tests.c:5637
run_secp256k1_memczero_test
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7496
run_fe_mul
static void run_fe_mul(void)
Definition: tests.c:3275
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:6856
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3369
run_rfc6979_hmac_sha256_tests
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:773
modinv2p64
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:847
expect
#define expect(bit)
Definition: univalue_read.cpp:283
Generated on Thu May 7 2026 21:35:45 for Bitcoin ABC by doxygen 1.9.4